PlotWave-ColorWave Security 2020-07 Administration Guide en - GB
Administration guide
Security information
Language
Original instructions that are in British English.
Trademarks
Canon is a registered trademark of Canon Inc. ColorWave, PlotWave are trademarks or registered
trademarks of Canon Production Printing Netherlands B.V.
Adobe, PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated
in the United States and/or other countries.
Internet Explorer, Microsoft, Windows, Windows Server are trademarks or registered trademarks
of Microsoft Corp. incorporated in the United States and/or other countries.
McAfee is a trademark or registered trademark of McAfee, Inc. in the United States and other
countries.
All other trademarks are the property of their respective owners and hereby acknowledged.
Edition 2020-07 GB
Contents
Chapter 1
Introduction.......................................................................................................................11
The Security policy ........................................................................................................................................12
Downloads and support for your product....................................................................................................14
Overview of the security features available per system ............................................................................ 15
The use of software names and releases in this manual............................................................................23
Chapter 2
Security on PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300 ........................... 25
Security on PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300................................................... 26
Overview...................................................................................................................................................26
Security overview for the PlotWave 300, the PlotWave 350, the PlotWave 900 R1.x and the ColorWave 300 systems ........ 26
System and Network security................................................................................................................. 27
Ports - Protocols.................................................................................................................................27
Security Patches................................................................................................................................ 32
Security levels....................................................................................................................................35
Prevent any outgoing connection to the Internet .......................................................................... 38
Security of the USB connection (PlotWave 300/350, ColorWave 300).......................................... 39
Antivirus ............................................................................................................................................ 40
Roles and Passwords........................................................................................................................ 41
Data Security ........................................................................................................................................... 44
E-Shredding....................................................................................................................................... 44
IPsec (on PlotWave 300/350, PlotWave 900 1.2 and higher 1.x, ColorWave 300)........................ 47
Prevent USB Direct Print and Scan to USB (PlotWave 300/350, ColorWave 300)........................65
HTTPS with PlotWave 900 R1.x........................................................................................................ 68
Smart Inbox management................................................................................................................ 76
Security on PlotWave 750 and PlotWave 900 R2.x .....................................................................................77
Overview...................................................................................................................................................77
Security overview for the PlotWave 750 and the PlotWave 900 R2.x systems............................ 77
System and Network security................................................................................................................. 78
Ports - Protocols.................................................................................................................................78
Security Patches................................................................................................................................ 83
Security levels....................................................................................................................................86
Prevent any outgoing connection to the Internet .......................................................................... 88
Antivirus ............................................................................................................................................ 89
Roles and Passwords........................................................................................................................ 90
Audit log............................................................................................................................................. 92
Data Security ........................................................................................................................................... 93
E-Shredding....................................................................................................................................... 93
IPsec ...................................................................................................................................................96
HTTPS (on PlotWave 750 and PlotWave 900 R2.x)....................................................................... 102
Smart Inbox management and job management.........................................................................113
Chapter 3
Security on PlotWave 500 and PlotWave 340/360.......................................................115
Overview....................................................................................................................................................... 116
Security overview for the PlotWave 500 and PlotWave 340/360 systems........................................ 116
Chapter 4
Security on PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500.................... 173
Overview....................................................................................................................................................... 174
Security overview for the PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500.................... 174
System and Network security..................................................................................................................... 176
Ports - Protocols..................................................................................................................................... 176
Applications, protocols and ports ................................................................................................. 176
Security Patches.....................................................................................................................................180
Install Operating system patch for PW345/365/450/550............................................................... 180
Install Operating system patch for PW3000/3500/5000/5500/7500.............................................. 182
Protocol protection................................................................................................................................ 184
Network protocols protection ........................................................................................................184
Prevent any outgoing connection to the Internet ...............................................................................186
Security of the USB connection ...........................................................................................................187
The USB connection on the printer user interface ...................................................................... 187
Port based authentication (IEEE 802.1X)..............................................................................................188
Port-based authentication (IEEE 802.1X) - explained................................................................... 188
IEEE802.1X - Configuration steps...................................................................................................193
Configure a Certification Authority (example on Windows Server 2016)...................................194
Prepare the RADIUS server (example on Windows Server 2016)............................................... 196
Prepare the switch........................................................................................................................... 200
Configure the printer controller......................................................................................................202
Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2'......... 209
Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with EAP-TLS)' ........ 219
Troubleshoot....................................................................................................................................236
Antivirus .................................................................................................................................................242
User access/LDAP authentication......................................................................................................... 243
Roles................................................................................................................................................. 243
Local users....................................................................................................................................... 244
Domain users (LDAP authentication): for PW3000/3500/5000/5500/7500 and for PW345/365/450/550 R1.2 and higher versions ........ 245
Configure the Domain users (LDAP authentication over Kerberos)............................................246
Validate the configuration (Kerberos)............................................................................................249
Configure the Domain users (LDAP authentication over SSL).................................................... 251
Configure the trusted certificates .................................................................................................. 254
Configure the trusted certificates .................................................................................................. 255
Validate the configuration (SSL).................................................................................................... 256
User access on the user panel........................................................................................................257
User access with Express Webtools.............................................................................................. 259
Password policy...............................................................................................................................261
Disabling local user access............................................................................................................. 262
Troubleshooting LDAP authentication over Kerberos..................................................................263
Troubleshooting LDAP authentication over SSL.......................................................................... 264
Permissions for Service operations......................................................................................................265
Passwords policy................................................................................................................................... 266
Access control........................................................................................................................................ 268
Audit log................................................................................................................................................. 269
SNMPv3: for PW3000/3500/5000/5500/7500 and for PW345/365/450/550 R1.2 and higher versions ........ 271
Secure Boot (PW3000/3500/5000/5500/7500) ...................................................................................... 272
Whitelisting (McAfee Application Control) (PW3000/3500/5000/5500/7500) .................................... 273
Data security................................................................................................................................................. 275
User authentication................................................................................................................................275
Secure printing, copying and scanning operations with the User authentication.....................275
User authentication: the standard workflows............................................................................... 279
Authentication by Smart card ........................................................................................................286
Authentication by Contactless card .............................................................................................. 293
Authentication by user name and password................................................................................ 298
Log out .............................................................................................................................................304
Troubleshooting.............................................................................................................................. 307
Hard disk encryption (for PW345/365/450/550)....................................................................................310
Hard disk encryption (PW3000/3500/5000/5500/7500).........................................................................313
E-Shredding............................................................................................................................................315
E-shredding presentation................................................................................................................315
Enable the e-shredding in Express WebTools.............................................................................. 316
E-shredding process and system behaviour................................................................................. 318
IPsec ....................................................................................................................................................... 319
IPsec presentation .......................................................................................................................... 319
Configure the IPsec settings in the controller .............................................................................. 321
Configure the IPsec settings on a workstation or a print server..................................................323
Troubleshooting: Disable 'Access control' and IPsec...................................................................336
HTTPS .................................................................................................................................................... 338
Encrypt print data and manage the system configuration using HTTPS....................................338
Request and import a CA-signed certificate..................................................................................346
TLSv1.2 / Strong cipher...................................................................................................................352
HTTPS recommendations for Certificate creation........................................................................ 354
Scan to Home folder / Print from Home folder....................................................................................355
Troubleshooting.............................................................................................................................. 356
Prevent 'Print from USB' and/or 'Scan to USB' ..................................................................................357
How to prevent 'Print from USB' and/or 'Scan to USB'............................................................... 357
Smart Inbox management and job management............................................................................... 358
Data protection for template export (for PW3000/3500/5000/5500/7500 and PW345/365/450/550 R1.2 and higher versions) ........ 359
Chapter 5
Security on ColorWave 550/600/650 (and Poster Printer).......................................... 361
Security on ColorWave 550 R2.x, ColorWave 600 (Poster Printer), ColorWave 650 R2.x (Poster Printer) ........ 362
Overview.................................................................................................................................................362
Security overview for the ColorWave 600/650 (Poster Printer) and the ColorWave 550 systems ........ 362
System and Network security............................................................................................................... 364
Ports - Protocols...............................................................................................................................364
Security Patches.............................................................................................................................. 367
Protocol protection.......................................................................................................................... 370
Prevent any outgoing connection to the Internet ........................................................................ 371
Security of the USB connection .................................................................................................... 372
Operating System and software protection.................................................................................. 373
Roles and Passwords...................................................................................................................... 374
Access control..................................................................................................................................376
Data Security.......................................................................................................................................... 377
E-Shredding on ColorWave 600 and ColorWave 650 (PP) and ColorWave 550......................... 377
IPsec on ColorWave 550 v2.3.1 and higher and ColorWave 650 (PP) v2.3.1 and higher...........380
How to prevent 'Print from USB' on ColorWave 550/650 (and PP) ............................................ 396
Smart Inbox management and job management.........................................................................397
Security on ColorWave 550 R3.x, ColorWave 650 R3.x.............................................................................398
Overview.................................................................................................................................................398
Security overview for the ColorWave 550 R3.x, ColorWave 650 R3.x system........................... 398
System and Network security............................................................................................................... 399
Ports - Protocols...............................................................................................................................399
Security Patches.............................................................................................................................. 402
Protocol protection.......................................................................................................................... 404
Prevent any outgoing connection to the Internet ........................................................................ 406
Security of the USB connection .................................................................................................... 407
Antivirus .......................................................................................................................................... 408
Roles and Passwords...................................................................................................................... 409
Access control..................................................................................................................................411
Audit log........................................................................................................................................... 412
Data security...........................................................................................................................................413
E-Shredding..................................................................................................................................... 413
IPsec .................................................................................................................................................414
HTTPS (on ColorWave 550 R3.x and ColorWave 650 R3.x)......................................................... 420
How to prevent 'Print from USB' on ColorWave 550/650 (and PP) ............................................ 430
Smart Inbox management and job management.........................................................................431
Chapter 6
Security on ColorWave 500, 700, 3500, 3600, 3700, 3800............................................433
Overview....................................................................................................................................................... 434
Security overview for the ColorWave 3500/3600/3700/3800 and ColorWave 500/700 systems...... 434
System and Network security..................................................................................................................... 437
Ports - Protocols..................................................................................................................................... 437
Applications, protocols and ports ................................................................................................. 437
Security Patches.....................................................................................................................................441
Install Operating system patch for CW500/700............................................................................. 441
Install Operating system patch for CW3500/3600/3700/3800....................................................... 443
Protocol protection................................................................................................................................ 445
Network protocols protection ........................................................................................................445
Prevent any outgoing connection to the Internet ...............................................................................447
Security of the USB connection ...........................................................................................................448
The USB connection on the printer user interface ...................................................................... 448
Port based authentication (IEEE 802.1X)..............................................................................................449
Port-based authentication (IEEE 802.1X) - explained................................................................... 449
Chapter 7
Security on ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave 910 (lower than R1.4) ........ 619
Overview....................................................................................................................................................... 620
Security overview for the ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave 910 (lower than R1.4) systems ........ 620
System and Network security..................................................................................................................... 621
Ports - Protocols..................................................................................................................................... 621
Applications, protocols and ports ................................................................................................. 621
Security Patches.....................................................................................................................................623
Install Operating system patch.......................................................................................................623
Protocol protection................................................................................................................................ 625
Network protocols protection ........................................................................................................625
Prevent any outgoing connection to the Internet ...............................................................................627
Security of the USB connection ...........................................................................................................628
The USB connection on the printer user interface ...................................................................... 628
Roles and Passwords.............................................................................................................................629
Roles and profiles............................................................................................................................ 629
Audit log ................................................................................................................................................ 631
Data security................................................................................................................................................. 632
HTTPS .................................................................................................................................................... 632
Encrypt print data and manage the system configuration using HTTPS....................................632
Request and import a CA-signed certificate..................................................................................640
Chapter 8
Security on ColorWave 9000 (R2.x and R3.x) and ColorWave 810/910 (R1.4 and higher versions) ........ 647
Overview....................................................................................................................................................... 648
Security overview for the ColorWave 9000 and ColorWave 810/910 R1.4 (and higher versions) ........ 648
System and Network security..................................................................................................................... 649
Ports - Protocols..................................................................................................................................... 649
Applications, protocols and ports ................................................................................................. 649
Security Patches.....................................................................................................................................652
Install Operating system patch for CW810/910 ............................................................................ 652
Install Operating system patch for CW9000.................................................................................. 654
Protocol protection................................................................................................................................ 656
Network protocols protection ........................................................................................................656
Prevent any outgoing connection to the Internet ...............................................................................658
Security of the USB connection ...........................................................................................................659
The USB connection on the printer user interface ...................................................................... 659
Port based authentication (IEEE 802.1X)..............................................................................................660
Port-based authentication (IEEE 802.1X) - explained................................................................... 660
IEEE802.1X - Configuration steps...................................................................................................665
Configure a Certification Authority (example on Windows Server 2016)...................................666
Prepare the RADIUS server (example on Windows Server 2016)............................................... 668
Prepare the switch........................................................................................................................... 672
Configure the printer controller......................................................................................................674
Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2'......... 681
Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with EAP-TLS)' ........ 691
Troubleshoot....................................................................................................................................708
User access/LDAP authentication......................................................................................................... 714
Roles................................................................................................................................................. 714
Local users....................................................................................................................................... 715
Domain users (LDAP authentication).............................................................................................716
Configure the Domain users (LDAP authentication over Kerberos)............................................717
Validate the configuration (Kerberos)............................................................................................720
Configure the Domain users (LDAP authentication over SSL).................................................... 722
Configure the trusted certificates .................................................................................................. 725
Validate the configuration (SSL).................................................................................................... 726
User access on the user panel........................................................................................................727
User access with Express Webtools.............................................................................................. 729
Password policy...............................................................................................................................731
Disabling local user access............................................................................................................. 732
Troubleshooting LDAP authentication over Kerberos..................................................................733
Troubleshooting LDAP authentication over SSL.......................................................................... 734
Audit log ................................................................................................................................................ 735
SNMPv3: for CW9000 (2.1 and higher versions) and CW810/910 (1.5 and higher versions)...........736
Data security................................................................................................................................................. 737
E-Shredding............................................................................................................................................737
E-shredding presentation................................................................................................................737
Enable the e-shredding in Express WebTools.............................................................................. 738
E-shredding process and system behaviour................................................................................. 741
IPsec ....................................................................................................................................................... 742
IPsec presentation .......................................................................................................................... 742
Configure the IPsec settings in the controller .............................................................................. 744
Configure the IPsec settings on a workstation or a print server..................................................746
Troubleshooting: Disable 'Access control' and IPsec...................................................................759
HTTPS .................................................................................................................................................... 761
Encrypt print data and manage the system configuration using HTTPS....................................761
Request and import a CA-signed certificate..................................................................................769
TLSv1.2 / Strong cipher...................................................................................................................775
HTTPS recommendations for Certificate creation........................................................................ 777
Data protection for template export..................................................................................................... 778
Index.................................................................................................................................779
Chapter 1
Introduction
The Security policy
NOTE
See the Table of the security features on page 15 to get an overview of the security features
available per print system.
NOTE
The availability of the security features depends on the products. See the Overview of the
security features available per system on page 15.
Data security
To ensure the security of the print data, Canon Production Printing has implemented:
12 Chapter 1 - Introduction
• The user authentication to allow only the owner of a job to print it or perform actions on it
(copy / scan), after authentication on the system user panel.
Find all information about the user authentication in the section Secure printing, copying and
scanning operations with the User authentication on page 534.
• The Scan to Home feature that allows an authenticated user to send scanned files from the
print system directly to the Microsoft Active Directory Home folder.
• The HTTPS (HTTP over SSL) protocol to encrypt the configuration management data,
submitted print data and saved scan data.
• The disk encryption capability.
• The e-shredding feature to overwrite any user data (print/copy/scan) when it is deleted from
the system.
This feature prevents the recovery of any deleted user data.
• The IPsec configuration, which provides authentication, data confidentiality and integrity in the
network communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan
data on the network.
• The Smart Inbox and job protection by:
- Limiting and restricting the access to the print and scan job data with the Smart Inbox
management capability.
- Managing the visibility of jobs and their availability through job submission tools with the job
management settings.
Downloads and support for your product
Support
For support information, please contact your local Canon representative.
Find your local support contact at:
http://www.canon.com/support/
From the Canon support page, you can also download the printer drivers for the Canon printers,
their related user guides and other resources.
Overview of the security features available per system
Security features in PlotWave 300, 340, 345, 350, 360, 365, 450, 500, 550, 750, 900 R2.x systems
and in the ColorWave 300, 500 and 700 systems
MS security patches
Security logging: Auditing of security related events
Antivirus: Yes
User authentication: Yes, by:
- User name and password
- Smart card
- Contactless card
Scan to Home folder: Yes, when User authentication by user name and password is enabled
Hard Disk encryption: Yes (standard), 1 mode: used space encryption with AES256 encryption
IPv6: Yes (IPv6 only or in combination with IPv4)
Access control: IP filtering
Data overwrite: E-shredding
Data encryption on the network:
- IPsec
- HTTPS for administration (Express WebTools) and for job submission through Publisher Express
- HTTPS for job submission via Publisher Select
Device authentication: IEEE802.1X
User access (Local User Interface/Express WebTools):
- Local accounts (Key Operator, System Administrator, Power User, Service)
- LDAP authentication: Domain accounts via LDAP over Kerberos or LDAP over SSL
Password protection: Yes for:
- User settings
- Administration settings
- Settings on the printer user panel
SMB authentication: NTLMv2
Smart Inbox management:
- Smart Inbox capability can be disabled
- Remote view restriction
Publisher Express access: Access restriction
Control over actions on jobs: Remote action restriction
Control over Service operations: Operations made by Service under the control of the System Administrator
SNMPv3 support: Yes
Secure boot: Yes
McAfee Application Control: Yes
Security features in the ColorWave 550, ColorWave 600 (PP) and ColorWave 650 (PP) systems
Security features in the ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave 910
(lower than R1.4) systems
Security features in the ColorWave 9000 and ColorWave 810/910 R1.4 (and higher versions)
systems
User access (Local User Interface/Express WebTools):
- Local accounts (Key Operator, System Administrator, Power User, Service)
- LDAP authentication: Domain accounts via LDAP over Kerberos or LDAP over SSL
IPv6: Yes (IPv6 only or in combination with IPv4) (for CW9000 2.1 and higher and for CW810/910 1.5 and higher)
Access control: IP filtering
Data overwrite: E-shredding
Data encryption on the network:
- IPsec
- HTTPS for administration (Express WebTools) and for job submission through Publisher Express
Device authentication: IEEE802.1X (for CW9000 2.1 and higher and for CW810/910 1.5 and higher)
Password protection: Yes for:
- User settings
- Administration settings
- Settings on the printer user panel
SNMPv3 support: Yes (for CW9000 2.1 and higher and for CW810/910 1.5 and higher)
The use of software names and releases in this manual
Chapter 2
Security on PlotWave 300/350,
PlotWave 750, PlotWave 900 and
ColorWave 300
Security on PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300
Overview
Security overview for the PlotWave 300, the PlotWave 350, the PlotWave 900
R1.x and the ColorWave 300 systems
Introduction
The PlotWave 300, the PlotWave 350, the PlotWave 900 R1.x and the ColorWave 300 are equipped
with the following security features:
Security overview
System and Network security
Ports - Protocols
Applications, protocols and ports used in the PlotWave 300, the PlotWave
350, the PlotWave 900 R1.x and ColorWave 300 systems
Printing applications: security levels, ports and protocols used by the print systems
Notes:
• * Levels: N: Normal - M: Medium - H: High
• (**) Back-channel is a proprietary protocol used to retrieve information from the printer (status,
media loaded...) and to display it in the application or driver.
• (1) LPR printing with back-channel and advanced accounting
• (2) LPR printing. No back-channel. No advanced accounting
• (3) Publisher Mobile v 2.2 and later for Android, and Publisher Mobile v 2.3 and later for iOS
• (4) Only for Publisher Mobile v 2.0 to v 2.2 for iOS
• (5) FTP active mode only
• (6) Data channel for FTP passive mode
Scanning / copying applications: security levels, ports and protocols used by the print systems
Notes:
• * Levels: N: Normal - M: Medium - H: High
• (1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive
mode
• (2) FTP active mode only
• (3) Data channel for FTP passive mode
Control management: security levels, ports and protocols used by the print systems
Notes:
• * Levels: N: Normal - M: Medium - H: High
• (**) The name resolution is mainly used to determine the IP address of the scan destination
during a Scan to File operation
• (1) FTP active mode only
• (2) Data channel for FTP passive mode
• (3) TCP/IP port 443 must be open on the IT infrastructure firewall, and the firewall must allow
the response traffic back.
Security Patches
Install the Remote patch (on PlotWave 300/350, PlotWave 900 R1.x and
ColorWave 300)
Introduction
You can install the Remote patches (Security patches) in the following versions of the systems:
• PlotWave 300 1.2.1 and higher
• PlotWave 350 1.0 and higher
• PlotWave 900 1.x
• ColorWave 300 1.2.1 and higher
Procedure
1. Open Express Webtools
2. Open the 'Support' tab
3. Select 'Update'
The Authentication window opens.
5. Click on the 'Update' icon (top right corner) to open the wizard
6. Click OK
Security levels
Introduction
Canon Production Printing has defined three security levels to match customer needs. The
presentation below can help you select the most suitable level.
Set the security level in PlotWave 300, PlotWave 350 and ColorWave 300
Introduction
The [Security] wizard on the printer user panel gives the option to check or change the security
level of the system.
Protect the security level by a password
When the protection is activated, you must type the password in the printer user panel before
you can change the security level.
Procedure
1. From the [HOME] screen select the [System] tab.
2. Select the [Setup] tab.
3. Use the scroll wheel to go to the [Security]([Configure settings]) wizard.
Procedure
1. Open the Express Webtools in a web browser (http://Printer IP address or hostname)
2. In the 'Preferences' tab, select 'System settings'
3. In 'Printer Properties', go to 'Password to change security level'
4. Click on the value to edit it
5. Log in as the System Administrator or as a Power User
6. Select 'New'
7. Type and re-type a numeric password
Result
You must type the password in the printer user panel when you want to change the security level.
Set the security level in PlotWave 900 R1.1 and higher R1.x versions
Introduction
The security user interface is available through the Express WebTools application.
NOTE
You need to be logged on as the System Administrator to access the security level interface and
change the security levels.
Procedure
1. Open the Express Webtools in a web browser (http://Printer IP address or hostname)
2. On the [Configuration] tab, select [Connectivity]
3. Go to the Security section
4. Click on 'Edit' or double click on the value to open the [Security level] window
5. Set the security level and click 'OK'
6. Restart the printer when prompted
Result
After you set the Security level to 'High', you must open Express Web Tools by means of the
HTTPS protocol: type https://Printer IP address or hostname in the web browser.
Prevent any outgoing connection to the Internet
Introduction
Some features of the following systems use or require a connection to the Internet to work
properly:
• PlotWave 300 R1.5 and higher
• PlotWave 350 R1.5 and higher
• ColorWave 300 R1.5 and higher
When the Security Policy in a company prevents any outgoing network traffic over the Internet,
perform all the following actions in Express WebTools:
Security of the USB connection (PlotWave 300/350, ColorWave 300)
Introduction
A USB connection is available on the PlotWave 300, PlotWave 350 and ColorWave 300 Local user
interface.
This USB connection is used to:
• Install and upgrade the controller software
• Backup and restore the controller configuration
• Scan to the USB storage device
• Print from the USB storage device
Antivirus
NOTE
Canon shall not be liable for damages of any kind attributable to the use of an antivirus on its
controllers.
Roles and Passwords
Roles and profiles in the PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300
Roles description
In the system, the main network and system settings are protected against change. Only
authorised users can configure/change these settings.
4 roles are available:
• Key operator:
The Key operator can manage the jobs and the device settings
• System administrator
The System administrator can manage the Configuration settings such as the Network settings,
scan destinations settings, security settings (e-shredding, IPsec), and the hardware/software
configuration settings...
• Power user
The Power user has both the rights of the Key operator and the System administrator
• Service
This role is used exclusively by the Canon Service technician
Passwords policy and behaviour in the PlotWave 300/350 and ColorWave 300
Introduction
There are 2 groups of passwords:
• The passwords used in Express WebTools
• The passwords used in the printer user panel (also named Local User Interface)
Password policy
A password can be made of 256 characters maximum.
For PlotWave 300 v1.2.1 and higher, PlotWave 350, and ColorWave 300 1.2.1 and higher, all MS
Windows characters are allowed in a password.
For previous versions of PlotWave 300 and ColorWave 300, a password can be made of:
• Any digit [0-9]
• Any lowercase/uppercase letter [a-z][A-Z]
• The following special characters:
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
Passwords used on the printer user panel (PlotWave 300/350 and ColorWave 300)
Important: These passwords can only be made of numbers.
NOTE
Keep these passwords. The loss of these passwords may require the intervention of Canon
Service.
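The two password groups above follow different rules (a 256-character limit and, on releases before 1.2.1, a restricted character set for Express WebTools; digits only on the printer user panel). The following validator is an added example written for this guide, not code from Canon or from the printer software; the function names are assumptions, and the character set is the one the guide lists (the same set it later gives for the IPsec preshared key). An administrator can run it on a candidate password before entering it in the web interface or on the panel.

```python
import string

MAX_LENGTH = 256
# Special characters accepted on PlotWave 300 / ColorWave 300 releases before 1.2.1,
# as listed in the guide (the guide lists the same set for the IPsec preshared key).
LEGACY_SPECIALS = set("_-~!@#$%^*?{}()=+,.;:[]/|\\")
LEGACY_ALLOWED = set(string.ascii_letters) | set(string.digits) | LEGACY_SPECIALS


def check_webtools_password(password, legacy_charset=False):
    """Return the list of policy violations for an Express WebTools password (empty = accepted).

    legacy_charset=True applies the restricted character set of PlotWave 300 / ColorWave 300
    releases before 1.2.1; later releases accept any Windows character.
    """
    problems = []
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if legacy_charset:
        rejected = sorted(set(password) - LEGACY_ALLOWED)
        if rejected:
            problems.append("characters not accepted before release 1.2.1: "
                            + repr("".join(rejected)))
    return problems


def check_panel_password(password):
    """Return the list of policy violations for a printer user panel password (digits only)."""
    problems = []
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # The panel accepts only the ASCII digits 0-9; str.isdigit() would also accept
    # Unicode digits, so check each character explicitly.
    if not password or any(c not in string.digits for c in password):
        problems.append("printer user panel passwords must consist of digits only")
    return problems
```

An empty list means the password satisfies the rules the guide states; each entry otherwise names the rule it breaks, so the same check can be dropped into a provisioning script that fails early instead of discovering the rejection in the user interface.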
Printer panel passwords modification table for PlotWave 300/350 and ColorWave 300
Printer user panel password for:
- Change of the Network Settings
- Change of the security level
- Clear of the system
- Print of demo and test prints
- Change of the hardware/software configuration
- Start of the scanner calibration
Can be changed by: System administrator or Power user
Passwords policy and behaviour in the PlotWave 900 R1.x
Password / pincode for        Backup with 'Save set'?   Restore with 'Open set'?
System administrator          No                        -
Power user                    No                        -
(1)
- When a password is configured as 'No password', the information 'Auto' (meaning 'No
password') is stored in the backup file. It is not encrypted.
- The passwords are stored in the backup file whatever the login used when making the 'Save
Set' operation (System administrator, Key operator, or Power user).
(2)
- The passwords are restored only when the System administrator or the Power user makes the
'Open Set' operation.
- When a password has been stored with the 'Auto' value, it is restored with the 'No password' value.
Password policy
• 256 characters maximum
• Any 'Microsoft Windows' characters
Data Security
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature that overwrites any user data (print/copy/scan)
when it is deleted from the system.
This feature prevents the recovery of any deleted user data (file content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.
E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense
directive)
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35.
NOTE
The e-shredding feature has been designed to minimise its impact on overall system
performance.
However, the more passes you select, the greater the impact on performance.
It is recommended to keep the number of passes low when document production throughput is required.
NOTE
When you enable e-shredding, the system automatically disables the 'Save printed jobs in a
Smart Inbox' setting. The jobs previously printed and stored in the Smart Inbox are deleted.
They are not e-shredded.
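To make the three behaviours concrete, here is an added example of a multi-pass overwrite-then-delete routine written for this guide. It is not the printer controller's own e-shredding code, which is not published; the function names and the temporary-file helper are assumptions, and the Gutmann schedule is simplified to 35 random passes, as the guide describes it, rather than Gutmann's original mix of fixed patterns. Each pass is synced to disk before the next one starts, which is what makes the pass count meaningful.

```python
import os
import secrets
import tempfile

# Overwrite schedules for the three behaviours the guide lists. A bytes value is a
# fixed fill pattern; None means "fresh random bytes for this pass".
DOD_5220_22M = [b"\x00", b"\xff", None]   # 3 passes: zeros, ones, random
MAX_CUSTOM_PASSES = 35


def pass_schedule(algorithm, passes=None):
    """Return the list of overwrite patterns for the selected e-shredding behaviour."""
    if algorithm == "dod":
        return list(DOD_5220_22M)
    if algorithm == "gutmann":
        # Assumption: the guide describes Gutmann as 35 random-data passes, so every
        # pass is random here rather than Gutmann's original fixed-pattern schedule.
        return [None] * 35
    if algorithm == "custom":
        if passes is None or not 1 <= passes <= MAX_CUSTOM_PASSES:
            raise ValueError(f"custom pass count must be between 1 and {MAX_CUSTOM_PASSES}")
        return [None] * passes
    raise ValueError(f"unknown e-shredding algorithm: {algorithm!r}")


def overwrite_file(path, schedule):
    """Overwrite the file's content in place once per pattern, syncing after each pass.

    Returns the number of passes performed.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in schedule:
            f.seek(0)
            f.write(secrets.token_bytes(size) if pattern is None else pattern * size)
            f.flush()
            os.fsync(f.fileno())   # push the pass to the disk, not just the page cache
    return len(schedule)


def eshred(path, algorithm="dod", passes=None):
    """Overwrite with the chosen schedule, then delete the file.

    Returns the pass count and whether the file still exists afterwards.
    """
    done = overwrite_file(path, pass_schedule(algorithm, passes))
    os.remove(path)
    return {"passes": done, "remaining": os.path.exists(path)}


def read_back(path):
    """Read the current file content (used to check the result of an overwrite pass)."""
    with open(path, "rb") as f:
        return f.read()


def make_sample(content=b"constructed sample print job data\n" * 8):
    """Create a constructed temporary file standing in for a deleted print/scan job."""
    fd, path = tempfile.mkstemp(prefix="eshred-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    sample = make_sample()
    print(eshred(sample, "dod"))   # {'passes': 3, 'remaining': False}
```

Two practical caveats follow from the code. Overwriting in place only destroys the old data when the same physical blocks are rewritten, which holds for a conventional magnetic disk but not in general for SSDs with wear levelling or for journaling and copy-on-write filesystems; that is why the guide's hard-disk encryption feature complements e-shredding rather than duplicating it. And, as the guide notes later in this chapter, a file whose destination name exceeds 256 characters is deleted without being e-shredded, so a name-length check belongs in any real sanitisation path.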
Enable the e-shredding
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click Edit
4. Check 'E-shredding' feature to enable it
Result
When the E-shredding feature is enabled, an indication is displayed at 2 locations in the system:
• On the printer user panel (PlotWave 300/350 and ColorWave 300), an indication is displayed in
the System menu: 'E-shredding enabled'
• In the Express WebTools window, a new icon is added to the list of icons (bottom right)
Each time data (file's content or attributes) is deleted from the system, the e-shredding process
occurs.
For a while, the E-shredding feedback returns as 'busy':
• On the printer user panel (PlotWave 300/350 and ColorWave 300), an indication is displayed in
the System menu: 'E-shredding busy'
• In the Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-
shredding busy' status
Once the e-shredding of the data is complete, the status returns to:
• 'E-shredding enabled' in the printer user panel (PlotWave 300/350 and ColorWave 300)
• 'E-shredding ready' in the Express WebTools (roll over the icon)
E-shredding process and system behaviour
NOTE
If some scanned files have a 'Scan destination file name' of more than 256 characters, on the
controller or on the remote destination, they are deleted but not e-shredded (the name is too
long).
IPsec (on PlotWave 300/350, PlotWave 900 1.2 and higher 1.x, ColorWave 300)
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network
communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data
on the network.
IPsec is particularly suitable in a configuration where you need to create a dedicated secure link
between the printer/copier system and a workstation which can be dedicated as a Print Server (or
a Scan Server).
You can connect up to 5 IPsec stations to the printer/copier system.
In the configuration below:
• The printer/copier system is physically connected to the network but communicates only with a
dedicated station (a Print Server or Scan Server, for example)
• The Print Server receives the print requests from the workstations via IP on the network
• The Print Server sends the print requests to the printer/copier system via IPsec
• The workstations cannot communicate directly with the printer/copier system
NOTE
In this configuration, the back-channel communication between a workstation and the printer is
unavailable (the back-channel information is not displayed in the WPD driver).
NOTE
IPsec is compatible with IPv4 only.
Make sure IPv6 is 'Disabled' before you configure IPsec on the controller.
Illustration
Configure the IPsec settings in the controller
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
NOTE
Write it down: this preshared key will be required during the IPsec configuration on the
workstation.
NOTE
In the 'TCP/IP: IPv6' section, make sure TCP/IP (IPv6) is disabled.
Result
The IPsec settings are configured on the controller for a connection to a workstation (which can
be a print server).
Configure the IPsec settings on a workstation or a print server
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with administrator rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and
a workstation.
On the workstation, perform the 6 following actions:
1- Add the security snap-in on page 51
2- Create the security policy on page 53
3- Create the filter list on page 54
4- Define the filter actions and security negotiation on page 56
5- Define the security rule on page 58
6- Assign the security policy on page 61
NOTE
The procedure below shows the configuration steps on Windows Server 2008.
The procedure is similar on other operating systems (Windows 7).
Add the security snap-in
Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
Create the security policy
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security
Policy'
Create the filter list
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter
lists and filter actions…'
Define the filter actions and security negotiation
Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
Define the security rule
Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the
wizard
(On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on
"Add")
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange
(preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the
controller on page 49), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule
Assign the security policy
Procedure
1. In the console, right click on the security policy just created and select 'Assign'
2. To test the configuration, open a command window and issue a 'ping' command from this IPsec
station to the printer/scanner controller
When the test works properly, it is recommended to disable the 'Failsafe mode' on the printer/
scanner controller, so that only the IPsec station is allowed to communicate with the printer/
scanner system.
NOTE
In case you use the WPD driver, see The impact of IPsec when you print through a print
server on page 61.
Introduction
This topic concerns the drivers: WPD, WPD2 and Driver Select.
When you use a driver on a print server, with advanced accounting activated, the use of IPsec has
an impact on the workflow.
Pre-requisites
When advanced accounting is required, make sure you configured Account Center BEFORE
disabling the 'Failsafe mode' on the printer controller.
NOTE
To be able to enter the accounting information and print directly from the workstation, enable
the 'Failsafe mode' on the controller.
Then, the accounting window is displayed on the client workstation, and the accounting
information can be entered to print the job.
Troubleshooting: emergency procedure to disable IPsec
Introduction
In the following case:
• IPsec is enabled and activated on the printer/scanner controller
and
• The 'Failsafe mode' is disabled
and
• The communication between the controller and the IPsec stations fails
You cannot open Express WebTools remotely to change the settings: the system is unreachable.
In that case, use the emergency procedure to disable IPsec:
• Via the printer User panel on the printer/scanner system, for PlotWave 300/350 and ColorWave
300
• Via Express WebTools on the printer controller monitor for PlotWave 900 R1.2 and higher 1.x
Disable IPsec on the printer user panel (PlotWave 300/350 and ColorWave 300)
Procedure
1. On the printer user panel, click on 'System'
2. Select 'Setup'
3. Roll down to the Security item and open the Security menu
The status is 'IPsec is enabled'
NOTE
Enter the password if required (Password to change the security level - depends on the
configuration of the access to the Security menu).
Result
IPsec is disabled.
After the restart, you will be able to open Express WebTools remotely from a workstation (HTTP).
Disable IPsec on the controller monitor (PlotWave 900 R1.2 and higher 1.x)
When to do
When communication fails between the controller and the identified hosts, you can disable IPsec
in Express WebTools only via the printer controller monitor.
Procedure
1. On the printer controller, open Express WebTools and log in as System administrator.
2. Open the Configuration - Connectivity tab.
3. Go to the IPsec section
4. Click on Edit, in the upper right hand corner of the section.
5. Change the IPsec setting from 'Enabled' to 'Disabled':
Result
IPsec is disabled.
You can open Express WebTools remotely from a workstation (HTTP).
Prevent USB Direct Print and Scan to USB (PlotWave 300/350, ColorWave 300)
Introduction
You can disable any access to the USB device by preventing printing from / scanning to the USB
device.
Illustration
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Preferences' - 'System settings' page and select the 'Printer properties' section
3. Go to the 'USB direct print' setting
4. Click on the value to open the 'USB direct print' window
5. Log in
6. Select 'Disabled' and 'Ok'
Introduction
You can neutralize the 'Scan to File to USB storage device' capability.
To prevent scanning to USB destination you must:
1. Disable any 'USB stick' scan destination
2. Remove the USB destination from all Scan templates
1- Disable any 'USB stick' scan destination
Purpose
Prevent any user from scanning to a USB device.
Illustration
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'Scan destinations' page
3. Edit the 'Scan destination 2: Local to USB storage device'
4. Uncheck the setting 'Scan destination 2 enabled' and click 'Ok'
5. For each scan destination from 'Scan destination 3' to 'Scan destination 10', make sure that the scan destination type is NOT 'Local to USB storage device'
2- Remove the USB destination from all Scan templates
Procedure
1. In Express WebTools open the 'Preferences' - 'Scan job defaults' page
2. In each 'Scan template: File' section, check that the 'Destination' is not 'USB stick'
HTTPS with PlotWave 900 R1.x
Introduction
On the PlotWave 900 you can use the HTTPS protocol with the self-signed certificate of the
printer:
- to send encrypted print data to the printer controller via Publisher Express
- to securely manage the configuration of the system through Express WebTools
The HTTPS protocol is available with all security levels.
All settings and options available through HTTP are also available through HTTPS.
NOTE
Only the self-signed certificate is supported (this excludes the Certificate Authority signed
certificates).
Procedure
1. On a workstation, type the URL address of the printer in Internet Explorer: https://[printer
hostname or Printer IP address].
A warning window opens:
Use the self-signed certificate with Internet Explorer
7. Choose either 'Current User' or 'Local Machine' (check with your IT department) and click on
'Next'.
8. Select 'Place all certificates in the following store' and click on 'Browse...'.
Before the import or when the import fails, the certificate status will look like:
13. In the Security section, uncheck the option 'Warn about certificate address mismatch':
14. Click on 'Apply' and next on 'OK' and close all instances of Internet Explorer.
15. Restart the browser and type the URL of the printer in Internet Explorer (https://[printer hostname or Printer IP address]).
Result
The padlock is displayed on the address bar. The self-signed certificate guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network
Use the self-signed certificate with Mozilla Firefox
Procedure
1. On a workstation, type the URL address of the printer in Mozilla Firefox: https://[printer hostname
or Printer IP address].
A warning window opens:
2. Select 'Advanced'.
Smart Inbox management
Security on PlotWave 750 and PlotWave 900 R2.x
Overview
Security overview for the PlotWave 750 and the PlotWave 900 R2.x systems
Introduction
The PlotWave 750 and the PlotWave 900 R2.x are equipped with the following security features:
Security overview
System and Network security
Ports - Protocols
Applications, protocols and ports used on the PlotWave 750 and the PlotWave 900 R2.x systems
Printing applications: security levels, ports and protocols used by the print systems
Columns: Application / Functionality; System; Supported security levels (x) and open port for N*, M*, M-H*, H*; Port used on the controller: protocol

Wide-format Printer Driver for Microsoft Windows (WPD, WPD2 or Driver Select) - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 515, TCP 65200, TCP 80, UDP 515)
  M: x(1) (TCP 515, TCP 65200, TCP 80, UDP 515)
  M-H: x(2) (TCP 515, UDP 515)
  H: x(2) (TCP 515)
  Port used on the controller: TCP 515: LPR; TCP 65200: back-channel(**); TCP 80: HTTP (for advanced accounting); UDP 515: proprietary protocol (for printer discovery)

PostScript 3 driver / Driver Express - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 515); M: x (TCP 515); M-H: x (TCP 515); H: x (TCP 515)
  Port used on the controller: TCP 515: LPR

Publisher Express - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 80); M: x (TCP 80); M-H: -; H: -
  Port used on the controller: TCP 80: HTTP

Publisher Express over SSL - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 443); M: x (TCP 443); M-H: x (TCP 443); H: x (TCP 443)
  Port used on the controller: TCP 443: HTTPS

Publisher Select - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 515, TCP 65200, TCP 80, UDP 515)
  M: x (TCP 515, TCP 65200, TCP 80, UDP 515)
  M-H: -; H: -
  Port used on the controller: TCP 80: HTTP; TCP 65200: back-channel(**); TCP 515: LPR; UDP 515: proprietary protocol (for printer discovery)

Publisher Mobile - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 21, TCP 4242, ICMP, UDP 515); M: -; M-H: -; H: -
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP passive mode(6); ICMP: ping; UDP 515: proprietary protocol (for printer discovery)

Mobile WebTools - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 80); M: x (TCP 80); M-H: -; H: -
  Port used on the controller: TCP 80: HTTP

ReproDesk Studio - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 515, TCP 65200); M: x (TCP 515, TCP 65200); M-H: -; H: -
  Port used on the controller: TCP 515: LPR; TCP 65200: back-channel(**)

Novell NDPS printing - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 515); M: x (TCP 515); M-H: x (TCP 515); H: x (TCP 515)
  Port used on the controller: TCP 515: LPR

LPR printing (command line) - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 515); M: x (TCP 515); M-H: x (TCP 515); H: x (TCP 515)
  Port used on the controller: TCP 515: LPR

FTP printing - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 21, TCP 4242); M: x(3) (TCP 21); M-H: -; H: -
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (4)
Notes:
• * Levels: N: Normal - M: Medium - M-H: Medium/High - H: High
• (**) Back-channel is a proprietary protocol used to retrieve information from the printer (status,
media loaded...) and to display it in the application or driver.
• (1) LPR printing with back-channel and advanced accounting
• (2) LPR printing. No back-channel. No advanced accounting
• (3) FTP active mode only
• (4) Data channel for FTP passive mode
Scanning applications: security levels, ports and protocols used by the print systems
Columns: Application / Functionality; System; Supported security levels (x) and open port for N*, M*, M-H*, H*; Port used on the controller: protocol

Scan to File Remote SMB - PlotWave 750 / PlotWave 900 R2.x
  N: x; M: -; M-H: -; H: -
  Port used on the controller: -

Scan to File Remote FTP - PlotWave 750 / PlotWave 900 R2.x
  N: x; M: x(1); M-H: x(1); H: x(1)
  Port used on the controller: -

Scan data retrieval by FTP - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 21, TCP 4242); M: x(2) (TCP 21); M-H: -; H: -
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (3)

Scan data retrieval from Smart Inbox (Scans) - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 80); M: x (TCP 80); M-H: -; H: -
  Port used on the controller: TCP 80: HTTP

Scan data retrieval from Smart Inbox (Scans) over SSL - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 443); M: x (TCP 443); M-H: x (TCP 443); H: x (TCP 443)
  Port used on the controller: TCP 443: HTTPS
Notes:
• * Levels: N: Normal - M: Medium - M-H: Medium/High - H: High
• (1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive
mode
• (2) FTP active mode only
• (3) Data channel for FTP passive mode
Other applications: security levels, ports and protocols used by the print systems
Columns: Application / Functionality; System; Supported security levels (x) and open port for N*, M*, M-H*, H*; Port used on the controller: protocol

PING - PlotWave 750 / PlotWave 900 R2.x
  N: x; M: x; M-H: x; H: x
  Port used on the controller: ICMP

SNMP based applications - PlotWave 750 / PlotWave 900 R2.x
  N: x (UDP 161); M: -; M-H: -; H: -
  Port used on the controller: UDP 161: SNMP

Express WebTools - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 80); M: x (TCP 80); M-H: -; H: -
  Port used on the controller: TCP 80: HTTP

Express WebTools over SSL - PlotWave 750 / PlotWave 900 R2.x
  N: x (TCP 443); M: x (TCP 443); M-H: x (TCP 443); H: x (TCP 443)
  Port used on the controller: TCP 443: HTTPS

WSD print / WSD discovery - PlotWave 750
  Supported security levels: x x x (three levels marked)
  Port used on the controller: UDP 3702, TCP 5357
Notes:
• * Levels: N: Normal - M: Medium - M-H: Medium/High - H: High
• (**) The name resolution is mainly used to determine the IP address of the scan destination
during Scan to File operation
• (1) FTP active mode only
• (2) Data channel for FTP passive mode
• (3) TCP/IP port 443 must be opened and must allow response back on the IT infrastructure
firewall.
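The tables above say which services a controller should still be listening on at each security level, which makes them a baseline for a hardening check: after setting Medium/High or High, an open HTTP or SNMP port is a misconfiguration worth detecting. The following Python script is an added example, not Canon's code. It transcribes the level columns of the tables above into expected service sets and compares them with an observed scan result (the scan lines are constructed). Rows that did not survive on this page, such as the name-resolution row referred to in note (**), and the WSD row, whose level columns are not aligned, are left out, so the printed tables remain the authoritative source.

```python
"""Compare the services observed on a PlotWave 750 / 900 R2.x controller with the
ports the guide lists as open for the configured security level.

Added example (not Canon's code). EXPECTED is transcribed from the port tables of
the guide; rows missing from the page and the WSD row are deliberately omitted.
"""

from typing import Dict, FrozenSet, Iterable, Set, Tuple

LEVELS = ("N", "M", "M-H", "H")

# Inbound services per security level, keyed as "proto/port".
# "icmp" stands for ping, which has no port number.
EXPECTED: Dict[str, FrozenSet[str]] = {
    "N": frozenset({
        "tcp/515",    # LPR
        "tcp/65200",  # back-channel
        "tcp/80",     # HTTP (Express WebTools, Publisher Express, accounting)
        "udp/515",    # proprietary printer discovery
        "tcp/443",    # HTTPS
        "tcp/21",     # FTP (printing, scan retrieval, Publisher Mobile)
        "tcp/4242",   # FTP passive-mode data channel
        "udp/161",    # SNMP
        "icmp",       # ping
    }),
    # Medium: FTP active mode only, so no 4242; SNMP no longer supported
    "M": frozenset({"tcp/515", "tcp/65200", "tcp/80", "udp/515",
                    "tcp/443", "tcp/21", "icmp"}),
    # Medium/High: LPR without back-channel, discovery, HTTPS, ping
    "M-H": frozenset({"tcp/515", "udp/515", "tcp/443", "icmp"}),
    # High: LPR, HTTPS and ping only
    "H": frozenset({"tcp/515", "tcp/443", "icmp"}),
}


def audit_ports(level: str, observed: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (unexpected, missing): services listening that the level should have
    closed, and services the level allows that were not seen listening."""
    if level not in EXPECTED:
        raise ValueError(f"unknown security level {level!r}; use one of {LEVELS}")
    expected = EXPECTED[level]
    return set(observed) - expected, set(expected) - observed


def parse_scan(lines: Iterable[str]) -> Set[str]:
    """Parse lines shaped like 'tcp 80 open' / 'udp 161 open' (a constructed format,
    e.g. scanner output trimmed with awk) into 'proto/port' keys; a line starting
    with 'icmp' records that the controller answered ping."""
    found: Set[str] = set()
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[2].lower() == "open":
            found.add(f"{parts[0].lower()}/{parts[1]}")
        elif parts and parts[0].lower() == "icmp":
            found.add("icmp")
    return found


# Constructed scan result of a controller that was set to High
SAMPLE_SCAN = [
    "tcp 515 open",
    "tcp 443 open",
    "tcp 80 open",     # HTTP should be closed at level H
    "icmp reachable",
]

if __name__ == "__main__":
    unexpected, missing = audit_ports("H", parse_scan(SAMPLE_SCAN))
    print("unexpected services:", sorted(unexpected))  # ['tcp/80']
    print("missing services:", sorted(missing))        # []
```

A non-empty "unexpected" set after a level change is the signal to re-check the setting (and to remember the HTTPS-only restart described under Security levels); a non-empty "missing" set usually points at a firewall in the path rather than at the controller.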
Security Patches
Install the Remote patch on PlotWave 750 and PlotWave 900 R2.x
Introduction
You can install the Remote patches (Security patches) in the following versions of the systems:
• PlotWave 750
• PlotWave 900 R2.x
Procedure
1. Open Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
The Authentication window opens.
5. Click on the 'Update' icon (top right corner) to open the wizard
6. Click OK
Security levels
Introduction
On the PlotWave 750 and PlotWave 900 R2.x, 4 security levels are defined according to the customer's needs. The presentation below can help you select the most suitable level.
NOTE
Attention: when you set the Medium/High or High security level through the HTTP protocol, the communication stops immediately.
Open Express WebTools by means of the HTTPS protocol (type https://[Printer IP address or hostname] in the web browser) and restart the system. Then use the HTTPS protocol.
Security levels presentation
Set the security level on the PlotWave 750 or PlotWave 900 R2.x
Refer to Set the security level in PlotWave 900 R1.1 and higher R1.x versions on page 37.
Prevent any outgoing connection to the Internet
Introduction
Some features of the following systems allow or require a connection over the Internet to work properly:
• PlotWave 750
• PlotWave 900 R2.x
When the Security Policy in a company prevents any outgoing network traffic over the Internet,
perform all the following actions in Express WebTools:
Antivirus
NOTE
Canon shall not be liable for damages of any kind attributable to the use of an antivirus on its
controllers.
Roles and Passwords
Roles and profiles in the PlotWave 750 and Plotwave 900 R2.x
Roles description
In the system, the main network and system settings are protected against change. Only
authorised users can configure/change these settings.
4 roles are available:
• Key operator:
The Key operator can manage the jobs and the device settings
• System administrator
The System administrator can manage the Configuration settings such as the Network settings,
scan destinations settings, security settings (e-shredding, IPsec), and the hardware/software
configuration settings...
• Power user
The Power user has both the rights of the Key operator and the System administrator
• Service
This role is used exclusively by the Canon Service technician
Passwords policy and behaviour for PlotWave 750 and PlotWave 900 R2.x
Introduction
In Express WebTools the passwords protect:
• The roles
• The Scan to File remote user name
• The security settings (preshared key for IPsec)
• The mobile printing password
On the printer panel, a password protects the administration settings.
Password modification table for PlotWave 750 and PlotWave 900 R2.x
Password for Can be changed by Stored in the back up set*
Key operator Key operator or Power user No
System administrator System administrator or Power No
user
Power user Power user No
Service System administrator or Power No
user
Mobile printing password (for System administrator or Power No
Mobile WebTools) user
Any Scan To File remote user System administrator or Power No
name user
Any preshared key for IPsec System administrator or Power No
user 4
* When you make a back up set of your system settings using the 'Save Set' feature in Express WebTools ('Preferences' tab).
The passwords are stored in the backup file whatever the role used when making the 'Save Set' operation (as System administrator, Key operator, or Power user). However, the passwords are restored only when the System administrator or the Power user performs the 'Open Set' operation.
Password policy
• 256 characters maximum
• Any number [0-9]
• Any letter lowercase/uppercase [a-z][A-Z]
• The following special characters:
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
Printer panel protection
Introduction
From Express WebTools, you can disable the access to some administration and network settings
from the printer panel.
When the 'System administration from Printer Panel' feature is disabled in the Configuration - Connectivity settings in Express WebTools, the 'Administrator only' menu is no longer displayed on the printer panel.
Therefore, the following settings are no longer accessible from the printer panel:
• Network adaptor settings
• 'Clear memory' (job removal)
• Activate/deactivate buzzer
• Activate/deactivate password (on the printer panel)
Audit log
Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded
and/or cleared.
NOTE
In columns from left to right.
Data Security
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature which overwrites any user data (print/copy/scan) when it is deleted from the system.
This feature prevents the recovery of any deleted user data (files' content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.
E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35.
NOTE
The e-shredding feature has been designed to minimise its impact on overall system performance.
However, the more passes selected, the greater the impact on general performance.
It is recommended to minimise the number of passes when document production is required.
NOTE
When you enable the e-shredding, the system automatically disables the 'Save printed jobs in a
Smart Inbox' setting.
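To make the pass-count trade-off concrete, here is an added Python example; it is not the controller's implementation, whose exact overwrite patterns are not documented on this page. It overwrites a file in place a chosen number of times (1 to 35, the range of the 'Custom' setting), flushes each pass to the device, renames the file to a random name and only then unlinks it, so that both the content and the name attribute are replaced. The fixed byte / complement / random sequence is the commonly described DoD 5220.22-M scheme and is an assumption here; the Gutmann variant is represented only by its pass count; the sample file is constructed.

```python
"""Multi-pass overwrite before deletion, illustrating the cost of extra passes.

Added example, not the PlotWave controller's e-shredding code. Pass patterns
(0x00, 0xFF, random, repeated) follow the commonly described DoD 5220.22-M
scheme and are an assumption; the page does not document the controller's own.
"""

import os
import secrets
import tempfile
from typing import Dict

CHUNK = 1 << 16  # 64 KiB write buffer


def shred_file(path: str, passes: int = 3) -> Dict[str, int]:
    """Overwrite `path` in place `passes` times (1..35 as the 'Custom' setting
    allows), rename it to a random name, then unlink it.
    Returns counters so the cost of additional passes is visible."""
    if not 1 <= passes <= 35:
        raise ValueError("passes must be between 1 and 35")
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                length = min(CHUNK, remaining)
                # pass 0: 0x00, pass 1: 0xFF (complement), pass 2: random, then repeat
                if n % 3 == 0:
                    block = b"\x00" * length
                elif n % 3 == 1:
                    block = b"\xff" * length
                else:
                    block = secrets.token_bytes(length)
                fh.write(block)
                written += length
                remaining -= length
            fh.flush()
            os.fsync(fh.fileno())  # push each pass to the device, not just the page cache
    # Replace the name attribute too: rename to a random name before unlinking,
    # so the original file name no longer appears in the directory.
    anonymous = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anonymous)
    os.unlink(anonymous)
    return {"size": size, "passes": passes, "bytes_written": written}


def demo(passes: int = 3) -> Dict[str, int]:
    """Create a constructed 'scan' file in a temporary directory, shred it and
    return the counters plus whether the original path still exists (0/1)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "scan_0001.tif")
        with open(target, "wb") as fh:
            fh.write(b"constructed scan content " * 4000)  # about 100 KB
        stats = shred_file(target, passes)
        stats["still_exists"] = int(os.path.exists(target))
        return stats


if __name__ == "__main__":
    print(demo(3))   # bytes_written is 3 x size, still_exists is 0
    print(demo(35))  # the Gutmann pass count: about 12 x the write cost of 3 passes
```

The returned counters show why the guide advises fewer passes during production: 35 passes write 35 times the file size for every deleted job. On flash storage and on copy-on-write or journaling filesystems, overwriting in place does not guarantee that the previously used physical blocks are rewritten, so the guarantee for the controller's own storage should be taken from the guide, not from this demonstration.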
Enable the e-shredding
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click Edit
4. Check 'E-shredding' feature to enable it
Result
When the E-shredding feature is enabled, an indication is displayed at 2 locations in the system:
• On the printer user panel, an indication is displayed in the System menu: 'E-shredding
enabled'
• In the Express WebTools window, a new icon is added to the list of icons (bottom right)
Each time data (file's content or attributes) is deleted from the system, the e-shredding process
occurs.
For a while, the E-shredding feedback returns 'busy':
Once the e-shredding of the data is complete, the status returns to 'E-shredding ready' in Express WebTools (roll over the icon) on a workstation or on the controller monitor.
NOTE
In case some scanned files have a 'Scan destination file name' composed of more than 256
characters, on the controller or on the remote destination, they will be deleted, but they will not
be e-shredded (too long name).
E-shredding process and system behaviour
Example
IPsec
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network
communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data
on the network.
IPsec is particularly suitable in a configuration where you need to create a dedicated secure link
between the printer/copier system and a workstation which can be dedicated as a Print Server (or
a Scan Server).
You can connect up to 5 IPsec stations to the printer/copier system.
In the configuration below:
• The printer/copier system is physically connected to the network but communicates only with a dedicated station (a Print Server or Scan Server for example)
• The Print Server receives the print requests from the workstations via IP on the network
• The Print Server sends the print requests to the printer/copier system via IPsec
• The workstations cannot communicate directly with the printer/copier system
NOTE
In this configuration, the back-channel communication between a workstation and the printer is
unavailable (the back-channel information is not displayed in the WPD driver).
NOTE
IPsec can be used only with IPv4 (IP type set to 'IPv4 only' or 'IPV4 and IPv6 both enabled').
In the Connectivity - Network adapter section, the IPsec settings are not available when 'IPv6
only' is selected.
Illustration
Configure the IPsec settings in the controller
You can configure a maximum of 5 IPsec communications between the printer/copier system and
5 workstations.
Enable and configure the parameters for each required station.
The parameters can be different for each different workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one)
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
NOTE
Write it down: this preshared key will be required during the IPsec configuration on the workstation.
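The password policy in the Roles and Passwords section and the preshared key character list just above use the same set of allowed characters, so one check serves both. The following Python checker is an added example, not Canon's code: it applies the 256-character limit and the allowed character classes to a candidate value and reports every violation with its code point, which makes a stray space, quote or non-ASCII letter visible before it is typed into Express WebTools. Applying the same length limit to the IPsec preshared key is an assumption; the page lists only its special characters.

```python
"""Check a candidate Express WebTools password, or an IPsec preshared key, against
the character rules the guide lists: 256 characters maximum, digits, ASCII letters
and the listed special characters.

Added example, not part of the Canon guide or software. The 256-character limit
is documented for passwords; applying it to the preshared key is an assumption.
"""

import string
from typing import List

MAX_LENGTH = 256
SPECIALS = "_-~!@#$%^*?{}()=+,.;:[]/|\\"
ALLOWED = frozenset(string.ascii_letters + string.digits + SPECIALS)


def policy_violations(secret: str) -> List[str]:
    """Return human-readable violations; an empty list means the value is accepted.
    The guide sets no minimum length, so an empty value passes this check."""
    problems: List[str] = []
    if len(secret) > MAX_LENGTH:
        problems.append(f"too long: {len(secret)} characters, maximum is {MAX_LENGTH}")
    bad = sorted({c for c in secret if c not in ALLOWED})
    if bad:
        # Report each offending character with its code point so that spaces,
        # quotes, '&', '<', '>' and accented letters are unambiguous in the output.
        problems.append("disallowed characters: "
                        + ", ".join(f"{c!r} (U+{ord(c):04X})" for c in bad))
    return problems


def is_policy_compliant(secret: str) -> bool:
    """True when the value satisfies every rule of the policy."""
    return not policy_violations(secret)


if __name__ == "__main__":
    # Constructed candidates: an accepted password, a preshared key with a space,
    # an accented letter, and an over-long value.
    for candidate in ["Pl0tWave!2020", "pre shared key", "Ünicode1", "x" * 300]:
        print(repr(candidate[:20]), policy_violations(candidate) or "accepted")
```

Run against a preshared key before it is entered on both the controller and the workstation: a key rejected on one side only is a common reason the IPsec negotiation fails and the emergency procedure below becomes necessary.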
NOTE
IPsec can be used only with IPv4 (IP type set to 'IPv4 only' or 'IPV4 and IPv6 both enabled').
In the Connectivity - Network adapter section, make sure 'IPv6 only' is NOT enabled before you configure IPsec on the controller.
Result
The IPsec settings are configured on the controller for a connection to a workstation (which can be a print server).
Configure the IPsec settings on a workstation or a print server
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with administrator rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and
a workstation.
On the workstation, perform the 6 following actions:
1- Add the security snap-in on page 51
2- Create the security policy on page 53
3- Create the filter list on page 54
4- Define the filter actions and security negotiation on page 56
5- Define the security rule on page 58
6- Assign the security policy on page 61
NOTE
The procedure below shows the configuration steps on Windows Server 2008.
The procedure is similar on other operating systems (Windows 7).
The impact of IPsec when you print through a print server
Introduction
This topic concerns the drivers: WPD, WPD2 and Driver Select.
When you use a driver on a print server, with advanced accounting activated, the use of IPsec has
an impact on the workflow.
• The client workstation uses the shared driver installed on the print server (Point & Print) to print jobs.
Pre-requisites
When advanced accounting is required, make sure you configured Account Center BEFORE disabling the 'Failsafe mode' on the printer controller.
NOTE
To be able to enter the accounting information and print directly from the workstation, enable the 'Failsafe mode' on the controller.
Then, the accounting window will be displayed on the client workstation, and the accounting information can be entered to print the job.
Troubleshooting: emergency procedure to disable IPsec
Introduction
In the following case:
• IPsec is enabled and activated on the printer/scanner controller
and
• The 'Failsafe mode' is disabled
and
• The communication between the controller and the IPsec stations fails
You cannot open Express WebTools remotely to change the settings. The system is unreachable.
Solution to disable IPsec:
Connect to the printer system through the controller monitor (a configuration where a keyboard and a monitor are plugged into the printer controller) to open Express WebTools and disable IPsec.
HTTPS (on PlotWave 750 and PlotWave 900 R2.x)
Encrypt print data and manage the system configuration using HTTPS
Introduction
On the PlotWave 750 and PlotWave 900 R2.x systems, you can use the HTTPS protocol:
- to send encrypted print data to the printer controller via Publisher Express
- to save encrypted scan jobs from the printer controller (Scans Inbox)
- to securely manage the configuration of the system through Express WebTools
Certificates are used to check the identity of the workstations and controller during the
communication.
The HTTPS protocol is always available.
All settings and options available through HTTP are also available through HTTPS.
NOTE
On the controller monitor (screen/keyboard connected directly to the controller) only the 'Reset
Certificate' item is displayed on the Remote security page.
Use the self-signed certificate with Internet Explorer
Procedure
1. On a workstation, type the URL address of the printer in Internet Explorer: https://[printer
hostname or Printer IP address].
A warning window opens:
7. Choose either 'Current User' or 'Local Machine' (check with your IT department) and click on
'Next'.
8. Select 'Place all certificates in the following store' and click on 'Browse...'.
Before the import or when the import fails, the certificate status will look like:
13. In the Security section, uncheck the option 'Warn about certificate address mismatch':
14. Click on 'Apply' and next on 'OK' and close all instances of Internet Explorer.
15. Restart the browser and type the URL of the printer in Internet Explorer (https://[printer hostname or Printer IP address]).
Result
The padlock is displayed on the address bar. The self-signed certificate guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network
Use the self-signed certificate with Mozilla Firefox
Procedure
1. On a workstation, type the URL address of the printer in Mozilla Firefox: https://[printer hostname
or Printer IP address].
A warning window opens:
2. Select 'Advanced'.
Request and import a CA-signed certificate
Introduction
By default, the first certificate delivered for the use of HTTPS is the self-signed certificate of the printer.
To ensure fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).
Description of the overall procedure to request and import a CA-signed certificate
Step | Description

A1- Back up the current certificate and private key (if any)
  The current certificate can be:
  • the self-signed certificate of the printer
  • a CA-signed certificate (delivered by a Certification Authority) you previously installed
  See Back up a certificate and a private key on page 165.

A2- Generate the certificate request
  Make this step when you want to request and install a CA-signed certificate.
  During the creation of the request, a new private key is created.
  See Generate a CA-signed certificate request on page 166.

A3- Save the content of the certificate request
  Send this content to the Certification Authority to request a (CA-signed) certificate.
  The Certification Authority will check the request and reply.
  - If the request is valid, go to step A4
  - If the request is not valid, make a new request (A2) according to the remarks/corrections suggested by the CA request feedback

A4- Restart the controller

A5- Back up the private key
  Save a back up of the private key associated to the certificate you will receive.
  See Back up a certificate and a private key on page 165.

B1- Save and store the new CA-signed certificate
  Save the CA-signed certificate you received from the Certification Authority.

B2- Import the new CA-signed certificate into the controller
  Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates).
  See Import a CA-signed certificate (into the controller and workstations) on page 167.

B3- Restart the controller

B4- Import the Root certificate into the web browsers of the workstations
  The Root certificate identifies the Certification Authority.
  By default, the web browsers contain a list of well-known and trusted Root certificates.
  In case the Root certificate of the Certification Authority is not in this list, install the CA Root certificate in the 'Trusted Root certificates' list of the web browser, on each workstation.
  See Check and import the Root certificate into the workstations browser on page 168.

B5- Back up the certificate and private key
  Back up and store the certificate and the private key.
  Note: It is highly recommended to back up the CA-signed certificate and the private key since they are not saved in any system backup.
  See Back up a certificate and a private key on page 165.
Other procedures
Procedure | When to do

Restore a certificate and a private key
  You can restore the certificate and the private key at any moment, in case of need.
  See Restore a certificate and a private key on page 169.

Reset the current certificate
  You can reset the certificate after a certificate request or at any moment when you want to restore a self-signed certificate.
  This procedure creates a new self-signed certificate.
  See Reset the current certificate on page 169.
Smart Inbox management and job management
The use of the Smart Inboxes ('Smart Inbox capability')
  When the 'Smart Inbox capability' is set to 'Disabled', the incoming jobs are temporarily displayed greyed out in the Smart Inbox and sent to the print job queue. The jobs are removed from the Smart Inbox as soon as they are printed.
  Recommendation
  Before disabling the 'Smart Inbox capability' it is advised to clean up the jobs:
  • Clear the temporary store
  • Clear the system

The remote view of the Smart Inboxes ('Remote Smart Inbox view')
  When set to 'Login needed', you restrict the view on the Smart Inboxes to the Key operator or Power user only (login needed to view the Smart Inbox).

The ability to print from Smart Inbox and to make queue operations ('Printing from Smart Inbox and queue operations')
  When set to 'Login needed', all remote actions on jobs in the Smart Inboxes and queue are restricted to the Key Operator or Power user only.

The use of Publisher Express to create jobs ('Create print job via Publisher Express')
  When set to 'no one', the job submission capability (through Express WebTools) is completely deactivated.
  When the login is needed, only the System administrator, the Power user or the Key operator can log in to use Publisher Express.

The ability to delete scans from the Smart Inbox ('Delete scans from the Smart Inbox')
  When set to 'Login needed', only the Key Operator or Power user can log in to delete scans from an inbox.
Chapter 3
Security on PlotWave 500 and PlotWave 340/360
Overview
Security overview
Ports - Protocols
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller and OUTBOUND ports from the controller (protocol)
• Wide-format Printer Driver for Microsoft Windows (WPD2), Driver Select: inbound TCP 515: LPR; TCP 80: HTTP for back-channel* and Advanced accounting; UDP 515: proprietary protocol (for printer discovery). Outbound UDP 515: proprietary protocol (for printer discovery).
• PostScript 3 driver, Driver Express: TCP 515: LPR
• Publisher Express: TCP 80: HTTP; TCP 443: HTTPS
• Publisher Select: TCP 80: HTTP; UDP 515: proprietary protocol (for printer discovery)
• Publisher Mobile: TCP 515: LPR (1); TCP 4242: FTP passive mode (for data channel in FTP passive mode); ICMP: ping; UDP 515: proprietary protocol (for printer discovery); TCP 21: FTP (2)
• Reprodesk Studio: TCP 515: LPR; TCP 80: back-channel (WAVE)
• Novell NDPS printing: TCP 515: LPR
• LPR printing: TCP 515: LPR
• FTP printing: TCP 21: FTP; TCP 4242 (for data channel in FTP passive mode)
• Print from SMB: TCP 139, 445; UDP 138, 445
• Print from FTP: FTP command (3): local TCP any, remote TCP 21; FTP data (3): local TCP any, remote TCP any
• Print from Cloud (WebDAV): TCP 80: HTTP; TCP 443: HTTPS; TCP web proxy port (4); TCP WebDAV port
Notes:
* Back-channel is a proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
(1) For Publisher Mobile v 2.2 and later for Android, and for Publisher Mobile v 2.3 and later for iOS.
(2) Only for Publisher Mobile v 2.0 to v 2.2 for iOS.
(3) FTP passive mode only (FTP active mode not supported).
(4) When there is a proxy.
Scanning applications: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller and OUTBOUND ports from the controller (protocol)
• Scan to File (SMB): TCP 139, 445; UDP 137, 138, 445
• Scan to File (FTP): FTP command (1): local TCP any, remote TCP 21; FTP data (1): local TCP any, remote TCP any
• Scan to File (Cloud, WebDAV): TCP 80: HTTP; TCP 443: HTTPS; TCP web proxy port (2); TCP WebDAV port
• Scan data retrieval from Smart Inbox (Scans): TCP 80: HTTP; TCP 443: HTTPS
Notes:
(1) FTP passive mode only (FTP active mode not supported).
(2) When there is a proxy.
Control management: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller and OUTBOUND ports from the controller (protocol)
• PING IPv4: ICMPv4
• PING IPv6: ICMPv6
• nslookup: UDP local port: any; UDP remote port: 53
• SNMP based applications: UDP 161: SNMP
• Name resolution: outgoing connection; local port (on controller): UDP(/TCP) <dynamic value>; remote port (on DNS server): UDP(/TCP) 53
• Express WebTools: TCP 80: HTTP; TCP 443: HTTPS
• Account Center: TCP 80: HTTP
• Accounting information retrieval: TCP 80: HTTP
• Meter Manager: UDP 161: SNMP
• Back-channel: TCP 65200 for OCI back-channel
• On Remote Service: TCP 443: HTTPS; TCP web proxy port (1)
• NetBios over TCP/IP: inbound UDP 137, UDP 138; outbound TCP 139, 445
• WSD: TCP 80: HTTP; UDP 3702 for WSD discovery; TCP 5357 for WSD eventing
• WAVE: TCP 80: HTTP
• OBIS: TCP 80: HTTP for back-channel (Publisher Select)
• IPsec: UDP 500; UDP 4500
Notes:
(1) When there is a proxy.
Security Patches
Introduction
You can install the Canon Production Printing released security patches in your print system.
Install a patch
Procedure
1. Open Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
The Authentication window opens.
5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the
wizard
6. Click OK
Protocol protection
Introduction
In these systems, you can completely disable some protocols in order to protect them against
attacks.
The HTTPS (inbound), ICMP (ping) and DNS protocols cannot be completely disabled.
Introduction
A USB connection is available on the touch panel.
This USB connection is used to:
• Install / upgrade the controller software
• Back up and restore the controller configuration
• Scan to the USB storage device
• Print from the USB storage device
Antivirus
Compatibility and recommendations
The following antivirus software can be installed on your PlotWave/ColorWave systems:
• Symantec AntiVirus Endpoint Protection
• McAfee VirusScan Enterprise Edition / ePolicy Orchestrator for AntiVirus update
Contact your Canon representative to find out which antivirus version to install on your PlotWave/ColorWave systems and to obtain the installation procedure.
NOTE
Canon shall not be liable for damages of any kind attributable to the use of an antivirus on its
controllers.
Roles description
4 different roles exist in the product. Each of them has the ability to configure or modify some
system settings.
The roles are:
• Key operator
The Key operator can manage the jobs and the device settings.
• System administrator
The System administrator can manage the configuration settings, such as the network and security settings.
• Power user
The Power user has both the rights of the Key operator and the System administrator.
• Service
This role is used exclusively by the Service technician.
Passwords policy and behaviour in the PlotWave 500 and PlotWave 340/360 systems
Introduction
There are 2 groups of passwords:
• The passwords used in Express WebTools
• The passwords used on the printer user panel
Password policy
• 256 characters maximum
• all MS Windows characters are allowed
NOTE
Keep this password. The reset of this password may require the intervention of a Service
technician.
Passwords modification
Access control
Introduction
Access control lets you limit access to the print system by IP filtering.
Enable 'Access control' and set the list of IP addresses of the computers (hosts) that are allowed to communicate with the printer. This action sets the IP filtering. The access restriction is then applied to print operations (for which a host workstation contacts the printer) as well as to scan operations (for which the scanner contacts the external location).
In case DHCP and DNS servers are used:
• Add the DHCP server in the list of the Access control stations.
Otherwise the DHCP protocol is disabled: you can disable the DHCP settings in the
Configuration - Connectivity settings and configure the network settings manually.
• Add the DNS server in the list of the Access control stations.
Otherwise the DNS protocol is disabled: you can configure the path of the external locations
with the IP address instead of a hostname.
NOTE
When configuring the 'Access control station: IPv6 address', use the IPv6 static address (instead of a dynamic stateless or stateful one).
NOTE
• 'Configuration' of the 'Access control' settings is only available to the 'System administrator'
and 'Power user'.
• To prevent unauthorised access to these settings via the printer user panel:
- on PlotWave 340/360, ensure that the 'Password to change network settings' is set
- on PlotWave 500, you must log in as a System administrator to edit the network settings
• When you enable Access control and/or IPsec, configure the path of the external locations
with the IP address instead of a hostname (the DNS protocol is disabled).
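The filtering behaviour and the DHCP/DNS pitfalls described above, modelled in Python as an added example (not code from the guide or from the printer firmware); the station list, server addresses, flows and external locations are constructed sample values:

```python
"""Model of the 'Access control' IP filter and its documented pitfalls.

Added example, not code from the guide or the product. A peer is allowed only
when its address is in the list of Access control stations; the same list is
applied to print traffic (a host contacts the controller) and to scan traffic
(the controller contacts an external location). warnings() reports the
configurations the guide calls out: DHCP or DNS server missing from the list,
a hostname in an external location while DNS is blocked, and an enabled filter
with no stations at all. Every address, name and share below is a constructed
sample value.
"""
import ipaddress


def _as_ip(value):
    """Return an ip_address object, or None when value is not a literal address."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


class AccessControl:
    def __init__(self, enabled, stations, dhcp_enabled=False, dhcp_server=None,
                 dns_server=None, external_locations=()):
        self.enabled = enabled
        self.stations = {ipaddress.ip_address(s) for s in stations}
        self.dhcp_enabled = dhcp_enabled
        self.dhcp_server = _as_ip(dhcp_server) if dhcp_server else None
        self.dns_server = _as_ip(dns_server) if dns_server else None
        self.external_locations = list(external_locations)

    def peer_allowed(self, peer):
        """IP filtering: with Access control enabled, only listed stations may talk."""
        if not self.enabled:
            return True
        return ipaddress.ip_address(peer) in self.stations

    def evaluate(self, flows):
        """flows: (kind, peer) pairs, kind 'print' (host -> controller) or
        'scan' (controller -> external location). The filter applies to both."""
        return {(kind, peer): self.peer_allowed(peer) for kind, peer in flows}

    def dns_allowed(self):
        return self.dns_server is not None and self.dns_server in self.stations

    def warnings(self):
        found = []
        if not self.enabled:
            return found
        if not self.stations:
            found.append(("NO_STATIONS", "Access control enabled without any station: "
                          "the controller cannot be reached remotely; use the emergency "
                          "procedure on the printer user panel"))
        if self.dhcp_enabled and (self.dhcp_server is None
                                  or self.dhcp_server not in self.stations):
            found.append(("DHCP_BLOCKED", "DHCP server not in the station list: DHCP is "
                          "blocked; disable DHCP and configure the network settings manually"))
        if not self.dns_allowed():
            for loc in self.external_locations:
                host = loc.split("/", 1)[0]            # 'host/share' form
                if _as_ip(host) is None:
                    found.append(("DNS_HOSTNAME", f"external location '{loc}' uses a "
                                  "hostname but DNS is blocked: use the IP address instead"))
        return found


# Constructed sample configuration: one workstation, one file server, a DNS
# server that was forgotten in the station list, and DHCP left enabled.
def sample_config():
    return AccessControl(
        enabled=True,
        stations=["192.0.2.10", "192.0.2.20"],
        dhcp_enabled=True, dhcp_server="192.0.2.1",
        dns_server="192.0.2.53",
        external_locations=["192.0.2.20/scans", "fileserver.example.test/scans"],
    )


SAMPLE_FLOWS = [
    ("print", "192.0.2.10"),    # listed workstation submitting a print job
    ("print", "198.51.100.7"),  # unlisted host
    ("scan", "192.0.2.20"),     # scan to the listed file server
    ("scan", "192.0.2.30"),     # scan to an unlisted external location
]

if __name__ == "__main__":
    ac = sample_config()
    for flow, ok in ac.evaluate(SAMPLE_FLOWS).items():
        print(flow, "allowed" if ok else "blocked")
    for code, msg in ac.warnings():
        print(code, msg)
```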
Audit log
Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded
and/or cleared.
Data security
E-shredding presentation
Introduction
The e-shredding feature is a security feature that overwrites any user print/copy/scan data when it is deleted from the system.
This feature prevents the recovery of any deleted user data (file content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.
E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35.
NOTE
The e-shredding feature has been designed to minimise the impact on overall system performance.
However, the more passes selected, the greater the impact on general performance.
It is recommended to minimise the number of passes when document production is required.
Procedure
1. In Express WebTools, open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section.
2. Click 'Edit'.
3. Check the 'E-shredding' feature to enable it.
Result
When the E-shredding feature is enabled:
• A new icon is added to the list of icons (bottom right) in the Express WebTools window.
• On the printer user panel, an indication is displayed in the System menu: 'E-shredding enabled'.
Each time data (file content or attributes) is deleted from the system, the e-shredding process occurs.
For a while, the E-shredding feedback returns 'busy'. In the Express WebTools window, hover the mouse over the e-shredding icon to display the 'E-shredding busy' status.
Once the e-shredding data process is complete, the status returns to 'E-shredding ready' in Express WebTools (hover over the icon).
NOTE
When you enable the e-shredding feature, the 'Save received job data for Service' feature (in
Preferences - System defaults - In case of errors) is automatically disabled, to avoid any storage
of job data that would not be automatically deleted.
The first e-shredding pass is performed immediately after the job is deleted. Subsequent passes
are performed in background.
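The three pass schedules, the immediate first pass with background completion, and the 'busy'/'ready' feedback, modelled as an added Python example (not Canon's implementation); the DoD byte patterns and the use of random data for Gutmann/Custom passes are assumptions, since the guide only gives the pass counts:

```python
"""Model of the e-shredding behaviours described in the guide.

Added example, not Canon's implementation. A deleted file is overwritten in
place before it is unlinked: the first pass runs immediately, the remaining
passes in a background thread, and the shredder reports 'E-shredding busy' /
'E-shredding ready' like the Express WebTools icon. Assumptions: the DoD
5220.22-M passes are 0x00, 0xFF, random; Gutmann and Custom passes use random
data (the guide only gives the pass counts). Overwriting in place only reaches
the blocks a file currently occupies, so on SSDs (wear levelling) and on
journaling or copy-on-write filesystems earlier copies can survive; treat this
as a model of the feature, not as a guarantee for arbitrary storage.
"""
import os
import secrets
import tempfile
import threading

PASS_COUNTS = {"dod": 3, "gutmann": 35}      # fixed counts named in the guide


def custom_passes_valid(n):
    """The 'Custom' behaviour accepts 1 to 35 passes."""
    return isinstance(n, int) and 1 <= n <= 35


def pass_count(method, custom_passes=None):
    if method == "custom":
        if not custom_passes_valid(custom_passes):
            raise ValueError("custom pass count must be between 1 and 35")
        return custom_passes
    return PASS_COUNTS[method]


def overwrite_pass(path, index, method):
    """Overwrite the whole file once; `index` is the 0-based pass number."""
    size = os.path.getsize(path)
    if method == "dod" and index == 0:
        data = b"\x00" * size
    elif method == "dod" and index == 1:
        data = b"\xff" * size                  # complement of the first pass
    else:
        data = secrets.token_bytes(size)       # random data
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(data)
        f.flush()
        os.fsync(f.fileno())                   # reach the device, not just the page cache


class Shredder:
    def __init__(self, method="dod", custom_passes=None):
        self.method = method
        self.passes = pass_count(method, custom_passes)
        self._busy = 0
        self._lock = threading.Lock()

    @property
    def status(self):
        return "E-shredding busy" if self._busy else "E-shredding ready"

    def delete(self, path, background=True):
        """First pass now; remaining passes and the unlink in the background."""
        with self._lock:
            self._busy += 1
        overwrite_pass(path, 0, self.method)

        def remaining():
            try:
                for i in range(1, self.passes):
                    overwrite_pass(path, i, self.method)
                os.remove(path)                # the job can no longer be retrieved
            finally:
                with self._lock:
                    self._busy -= 1

        worker = threading.Thread(target=remaining)
        worker.start()
        if not background:
            worker.join()
        return self.passes


def demo(method="dod", custom_passes=None):
    """Shred a temporary file holding constructed sample content and report."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONFIDENTIAL PLOT DATA " * 64)    # constructed, not real job data
    size = os.path.getsize(path)
    overwrite_pass(path, 0, method)                 # show the first pass on its own
    with open(path, "rb") as f:
        first_pass_zeroed = f.read() == b"\x00" * size
    shredder = Shredder(method, custom_passes)
    passes = shredder.delete(path, background=False)  # then the full schedule
    return {"size": size, "passes": passes, "first_pass_zeroed": first_pass_zeroed,
            "removed": not os.path.exists(path), "status": shredder.status}


if __name__ == "__main__":
    for args in (("dod",), ("gutmann",), ("custom", 5)):
        print(args, demo(*args))
```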
IPsec
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network
communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data
on the network.
You can connect up to 5 IPsec stations to the print/scan system.
Illustration
NOTE
The following IPsec parameters cannot be changed:
• IKE Diffie-Hellman group: 2 then 1
• IKE SA lifetime: 28800 s
• IKE security method: 3DES then MD5
• IKE hash: SHA1 then MD5
• ESP encryption: 3DES then DES
• ESP hash: SHA1 then MD5 then None
• AH hash: SHA1 then MD5
• Encapsulation type: Transport
• Protocol SA lifetime: 3600 s
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools.
2. Open the 'Configuration' - 'Connectivity' page.
3. In the 'Access control' section, click on the general 'Edit':
NOTE
Write down this preshared key. It will be required during the IPsec configuration on the
workstation.
7. Click OK
Note: The settings are applied as soon as 'OK' is validated (and before the restart). You may lose
the remote connection to the system when your workstation is not part of the configured stations.
8. Restart the controller
Result
The IPsec settings are configured on the controller for a connection to a workstation.
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with administrator rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and
a workstation.
On the workstation, perform the following 7 actions:
1- Add the security snap-in on page 140
2- Create the security policy on page 142
3- Create the filter list on page 143
4- Define the filter actions and security negotiation on page 145
5- Define the security rule on page 147
6- Assign the security policy on page 150
7- Customize the IPsec settings on page 150
NOTE
The procedure below shows the configuration steps on Windows Server 2008 for a ColorWave 300 system.
The procedure is similar on other operating systems (Windows 7) and for other ColorWave/PlotWave printers.
Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security
Policy'
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter
lists and filter actions…'
Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
'Data and address integrity without encryption (AH)' setting is not mandatory.
8. Click 'OK' and 'Next', then 'Finish'
Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the
wizard
(On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on
"Add")
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange
(preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the
controller on page 138), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule
Procedure
1. In the console, right click on the security policy just created and select 'Assign'
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec
station to the printer/scanner controller
Procedure
1. In the Control panel select 'Windows Firewall' - 'Advanced settings' to open the 'Windows
Firewall with Advanced Security' window
2. In the 'Actions' section on the right hand side, click on 'Windows Firewall with Advanced Security
on Local Computer' to expand the menu
3. Select 'Properties'
4. In the 'IPsec Settings' tab, click on the 'Customize...' button of the 'IPsec defaults'
5. In the 'Data protection (Quick Mode)' section, select 'Advanced' and click on 'Customize...'
6. Check the 'Require encryption for all connection security rules that use these settings.' box
Remove your workstation from the IPsec/Access control configuration when it must not remain in
the list of connected stations.
For all other printers
When the test works properly, it is recommended to disable the 'Failsafe mode' on the printer/scanner controller, so that only the IPsec station is allowed to communicate with the printer/scanner system.
Introduction
In the following case:
• Access control and IPsec have been enabled without any station defined
and
• The communication between the controller and the host stations fails
Any remote connection to Express WebTools is then impossible and the system is unreachable.
In that case, use the emergency procedure to disable IPsec and Access control via the printer user panel.
Procedure
1. On the user panel, tap the upper right corner, to display the menu
2. Select 'Security'
3. For PlotWave 500, enter the System administrator (or Power user) password
For PlotWave 340/360, enter the 'Password to change network settings' if set.
Result
Access control and IPsec functions are disabled.
After the restart, you will be able to remotely open Express WebTools from any workstation
(HTTP).
HTTPS
Encrypt print data and manage the system configuration using HTTPS
Introduction
In the print systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Publisher Express
- save encrypted scan jobs from the printer controller (Scans Inbox)
- securely manage the configuration of the system through Express WebTools
Certificates are used to check the identity of the workstations and controller during the
communication.
The HTTPS protocol is always available.
All settings and options available through HTTP are also available through HTTPS.
Procedure
1. On a workstation, type the URL address of the printer in Internet Explorer: https://[printer
hostname or Printer IP address].
A warning window opens:
7. Choose either 'Current User' or 'Local Machine' (check with your IT department) and click on
'Next'.
8. Select 'Place all certificates in the following store' and click on 'Browse...'.
Before the import or when the import fails, the certificate status will look like:
13. In the Security section, uncheck the option 'Warn about certificate address mismatch':
14. Click on 'Apply' and next on 'OK' and close all instances of Internet Explorer.
15. Restart the browser and type the URL of the printer in Internet Explorer (https://[printer hostname or Printer IP address]).
Result
The padlock is displayed on the address bar. The self-signed certificate guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network
Procedure
1. On a workstation, type the URL address of the printer in Mozilla Firefox: https://[printer hostname
or Printer IP address].
A warning window opens:
2. Select 'Advanced'.
Introduction
By default the first certificate delivered for the use of HTTPS is the self-signed certificate of the
printer.
To ensure a fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).
Step / Description
A1- Back up the current certificate and private key (if any)
  The current certificate can be:
  • the self-signed certificate of the printer
  • a CA-signed certificate (delivered by a Certification Authority) you previously installed
  See Back up a certificate and a private key on page 165.
A2- Generate the certificate request
  Make this step when you want to request and install a CA-signed certificate. During the creation of the request, a new private key is created.
  See Generate a CA-signed certificate request on page 166.
A3- Save the content of the certificate request
  Send this content to the Certification Authority to request a (CA-signed) certificate. The Certification Authority will check the request and reply.
  - If the request is valid, go to step A4
  - If the request is not valid, make a new request (A2) according to the remarks/corrections suggested by the CA request feedback
A4- Restart the controller
A5- Back up the private key
  Save a backup of the private key associated with the certificate you will receive.
  See Back up a certificate and a private key on page 165.
Step / Description
B1- Save and store the new CA-signed certificate
  Save the CA-signed certificate you received from the Certification Authority.
B2- Import the new CA-signed certificate into the controller
  Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates).
  See Import a CA-signed certificate (into the controller and workstations) on page 167.
B3- Restart the controller
B4- Import the Root certificate into the web browsers of the workstations
  The Root certificate identifies the Certification Authority. By default, the web browsers contain a list of well-known and trusted Root certificates. In case the Root certificate of the Certification Authority is not in this list, install the CA Root certificate in the 'Trusted Root certificates' list of the web browser, on each workstation.
  See Check and import the Root certificate into the workstations browser on page 168.
B5- Back up the certificate and private key
  Back up and store the certificate and the private key.
  Note: It is highly recommended to back up the CA-signed certificate and the private key since they are not saved in any system backup.
  See Back up a certificate and a private key on page 165.
Other procedures
Procedure / When to do
Restore a certificate and a private key
  You can restore the certificate and the private key at any moment, in case of need.
  See Restore a certificate and a private key on page 169.
Reset the current certificate
  You can reset the certificate after a certificate request or at any moment when you want to restore a self-signed certificate. This procedure creates a new self-signed certificate.
  See Reset the current certificate on page 169.
When to do
You must back up the certificate and private key:
• BEFORE the generation of a certificate request (step A1 of the Description of the overall
procedure to request and import a CA-signed certificate on page 110):
To save your current certificate and private key.
• AFTER the generation of the certificate request:
To save the private key linked to the certificate request.
• AFTER the import of the new certificate (step B5):
To save your new certificate and private key, in order to be able to restore them if needed.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. Log on as the printer system administrator
3. On the Configuration - Remote Security page, select [Backup certificate and private key]
4. To save the server certificate and private key, enter a password made of 6 characters at least
([Password used to encrypt the private key])
5. Confirm the password
6. Click 'Save'
7. Download and store the backup file (.jks).
Purpose
Create a certificate request.
Use this function only when you want to request a new CA-certificate.
Pre-requisites
Back up the current Certificate and Private key already installed on the controller (see Back up a
certificate and a private key on page 165).
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname])
2. On the Configuration - Remote Security page, select 'Generate a certificate request'
3. Fill out the form with the requested information
NOTE
Attention: in the certificate request:
• The Common name MUST be the hostname or the Fully Qualified Domain Name (FQDN) of the printer (e.g. 'PlotWave360' or 'PlotWave360.mycompany.com'). This Common Name will be used in the URL (e.g. 'https://[CommonName]').
• The country name MUST follow the ISO 3166 standard and be composed of 2 characters (e.g. 'us' for United States).
4. Click 'Generate'.
Result
The web server generates a certificate request. The content of the request is displayed (plain
text).
Example (fake request): the request is a PEM block delimited by the lines '-----BEGIN NEW CERTIFICATE REQUEST-----' and '-----END NEW CERTIFICATE REQUEST-----', with the base64-encoded request in between.
When to do
NOTE
Step A3 of the Description of the overall procedure to request and import a CA-signed certificate
on page 110.
Procedure
1. Copy and paste the content of the request in a .csr file (named 'certificate_request.csr' by default)
2. Send the content of this request to the Certification Authority.
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname])
2. On the Configuration - Remote Security page, select 'Import CA-signed certificate'
3. Select [Root certificate]
4. Browse to the Root certificate file and click [Import]
NOTE
The Root certificate may already exist in the web server certificates list.
Procedure
1. Select [Intermediate certificate]
2. Browse to the Intermediate certificate file and click [Import]
3. When the message [Certificate successfully imported.] pops up, go back to the main page to
import the [CA-signed certificate]
Procedure
1. Select [CA-signed certificate]
2. Browse to the certificate file
3. Select 'Yes' to validate the certificate against Java root certificates and click 'Import'
4. When the message [Certificate successfully imported.] pops up, restart the controller.
Result
The certificate is now installed on the server.
Also check and, if needed, import the CA Root certificate into the web browser of the workstations. That secures the complete data workflow between the workstations and the server.
Check and import the [Root certificate] into the workstations browser
When to do
NOTE
Step B4 of the Description of the overall procedure to request and import a CA-signed certificate
on page 110.
Procedure
1. On each workstation, open the web browser
2. In the Tools - Internet Options - Content window, open the 'Certificates'
3. Check if the CA [Root certificate] is already displayed in the 'Trusted Root Certification
Authorities' list
4. If it is not in the list, import the CA Root certificate.
When to do
You can restore the certificate and the private key at any moment, in case of need.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. On the Configuration - Remote security page, select [Restore certificate and private key]
3. Browse to the backup file
4. Enter the password of the backup file
5. Click 'Restore'
6. A dialog box opens: [This action will overwrite the current certificate. Continue?]
Click 'OK'
7. When the key and the certificate are successfully restored, restart the controller.
Purpose
This procedure creates a new Océ self-signed certificate.
When to do
You can reset the certificate after a certificate request or at any moment when you want to restore
a self-signed certificate.
NOTE
Prefer restoring the original self-signed certificate (this requires a preliminary backup of the original self-signed certificate; see Back up a certificate and a private key on page 165):
each 'Reset certificate' action generates a new self-signed certificate (with a new private and public key), so each time you reset the certificate you must import the new certificate into the web browser.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. On the Configuration - Remote security page, select [Reset certificate]
3. Click the 'Reset' button
4. When the reset is successful ([Certificate successfully reset]), restart the controller
Result
A new self-signed certificate has been generated on the controller.
Configure your web browser to use it (see Use the self-signed certificate with Internet Explorer on page 68).
Introduction
You can disable any access to the USB device by preventing printing from / scanning to the USB
device.
Illustration
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'External locations' page
3. Log in as a System administrator or Power user
4. Edit the 'USB' type
The use of the Smart Inboxes ('Smart Inbox capability')
  When the 'Smart Inbox capability' is set to 'Disabled', all the jobs currently present in the Smart Inboxes are deleted. All incoming print jobs are directly and solely sent to the print job queue.
The use of Publisher Express ('Publisher Express' or 'Enable Publisher Express')
  When disabled, the job submission capability (through Express WebTools) is completely deactivated.
The remote actions on jobs to the Operator ('Restrict remote actions on jobs to the Key Operator')
  When enabled, all remote actions on jobs in the queue are restricted to the Key Operator or Power user only.
The display of Smart Inboxes in Express WebTools
  When enabled, all users of Express WebTools can see the Smart Inboxes. When disabled, only the Key operator or Power user can see them (login needed).
Keep completed jobs in the Smart Inbox / Keep a copy of scanned jobs in the Smart Inbox / Keep a copy of copy jobs in the Smart Inbox (Public) / Keep a copy of local print jobs in the Smart Inbox
  When enabled, a copy of jobs is kept in the Smart Inbox for later use, until the expiration time-out. Disable these settings to delete all jobs from the Smart Inboxes after they are processed.
Overview
Security overview for the PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500
Introduction
The PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500 systems are equipped with the
following security features:
Security overview
174 Chapter 4 - Security on PlotWave 345, 365, 450, 550, 3000, 3500, 5000, 5500, 7500
System and Network security
Ports - Protocols
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller and OUTBOUND ports from the controller (protocol)
• Wide-format Printer Driver for Microsoft Windows (WPD2), Driver Select: inbound TCP 515: LPR; TCP 80: HTTP for back-channel* and Advanced accounting; UDP 515: proprietary protocol for Printer Discovery. Outbound UDP 515: proprietary protocol for Printer Discovery.
• PostScript 3 driver, Driver Express: TCP 515: LPR
• Publisher Express: TCP 80: HTTP; TCP 443: HTTPS
• Publisher Select: TCP 80: HTTP; UDP 515: proprietary protocol for Printer Discovery; TCP 443: HTTPS (PW3000/3500/5000/5500/7500)
• Publisher Mobile: TCP 515: LPR (1); TCP 4242: FTP passive mode (for data channel in FTP passive mode); ICMP: ping; UDP 515: proprietary protocol for Printer Discovery; TCP 21: FTP (2)
• Reprodesk Studio: TCP 515: LPR; TCP 80: back-channel (WAVE)
• Novell NDPS printing: TCP 515: LPR
• LPR printing: TCP 515: LPR
• FTP printing: TCP 21: FTP; TCP 4242 (for data channel in FTP passive mode)
• Print from SMB: TCP 139, 445; UDP 138, 445
• Print from FTP: FTP command (3): local TCP any, remote TCP 21; FTP data (3): local TCP any, remote TCP any
• Print from Cloud (WebDAV): TCP 80: HTTP; TCP 443: HTTPS; TCP web proxy port (4); TCP WebDAV port
Notes:
* Back-channel is a proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
(1) For Publisher Mobile v 2.2 and later for Android, and for Publisher Mobile v 2.3 and later for iOS.
(2) Only for Publisher Mobile v 2.0 to v 2.2 for iOS.
(3) FTP passive mode only (FTP active mode not supported).
(4) When there is a proxy.
Scanning applications: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller and OUTBOUND ports from the controller (protocol)
• Scan to File (SMB): TCP 139, 445; UDP 137, 138, 445
• Scan to File (FTP): FTP command (1): local TCP any, remote TCP 21; FTP data (1): local TCP any, remote TCP any
• Scan to File (Cloud, WebDAV): TCP 80: HTTP; TCP 443: HTTPS; TCP web proxy port (2); TCP WebDAV port
• Scan to Home folder: TCP 88/UDP 88: Kerberos; TCP 389/UDP 389: LDAP; TCP 139, 445; UDP 137, 138, 445
• Scan data retrieval from Smart Inbox (Scans): TCP 80: HTTP; TCP 443: HTTPS
Notes:
(1) FTP passive mode only (FTP active mode not supported).
(2) When there is a proxy.
Control management: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller and OUTBOUND ports from the controller (protocol)
PING IPv4: ICMPv4
PING IPv6: ICMPv6
nslookup: UDP local port any; UDP remote port 53
SNMP based applications: UDP 161: SNMP
Name resolution (outgoing connection): local port (on controller) UDP(/TCP) <dynamic value>; remote port (on DNS server) UDP(/TCP) 53
Express WebTools: TCP 80: HTTP; TCP 443: HTTPS
Account Center: TCP 80: HTTP
Accounting information retrieval (PW3000/3500/5000/5500/7500): TCP 80: HTTP; TCP 443: HTTPS
User authentication by user name and password: TCP 88/UDP 88: Kerberos; TCP 389/UDP 389: LDAP
User authentication by smart card: TCP 80: OCSP; TCP 80: HTTP or TCP 443: HTTPS
Meter Manager: UDP 161: SNMP
Back-channel: TCP 65200 for OCI back-channel
On Remote Service: TCP 443: HTTPS; TCP web proxy port (1)
NetBIOS over TCP/IP: UDP 137; UDP 138; TCP 139, 445
WSD: TCP 80: HTTP; UDP 3702 for WSD discovery; TCP 5357 for WSD eventing
WAVE (PW3000/3500/5000/5500/7500): TCP 80: HTTP; TCP 443: HTTPS
OBIS (Publisher Select) (PW3000/3500/5000/5500/7500): TCP 80: HTTP for back-channel; TCP 443: HTTPS for back-channel
IPsec: UDP 500; UDP 4500
LDAP authentication over Kerberos: TCP 88/UDP any: for Kerberos; TCP 389 (configurable)/UDP any: for LDAP
LDAP authentication over SSL: customer configurable, TCP port 636 by default/UDP any
Time synchronisation (PW3000/3500/5000/5500/7500): UDP 123: Network Time Protocol (inbound and outbound)
Notes:
(1) When there is a proxy.
Security Patches
Introduction
You can install the security patches released by Canon Production Printing on your print system.
Install a patch
Procedure
1. Open Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
The Authentication window opens.
Install Operating system patch for PW345/365/450/550
5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the
wizard
6. Click OK
Install Operating system patch for PW3000/3500/5000/5500/7500
Introduction
Install Windows updates, also called security patches, when they are available for your product.
Functional description
1. In Express WebTools, the user selects the operating system patch file that was retrieved beforehand.
2. The patch file is transferred to the controller, which checks its integrity before anything is installed.
3. The printer starts the patch installation.
4. A reboot is necessary to complete the installation.
Install a patch
Procedure
1. Open Express WebTools.
2. Open the [Support] tab.
3. Select [Update].
4. Click on [Install] in the [Operating system patches] section.
After a warning popup window, the following window is displayed:
5. Browse to the downloaded patch file (*.msu) and click OK to install it.
There are 2 options available:
• Option 1: Automatically install the operating system patch after the file has been uploaded
• Option 2: Restart the system automatically to finish the installation of the operating system patch
Here are the useful scenarios:
Protocol protection
Introduction
In these systems, you can completely disable the protocols you do not use, which removes the corresponding listening ports from the controller's attack surface.
HTTPS (inbound), ICMP (ping) and DNS cannot be completely disabled.
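The following script is an added example and is not part of this guide or of the Canon product software. It checks a controller's observed open ports against the documented inbound ports, which is the practical way to confirm that a protocol disabled here is really closed and that nothing undocumented is listening. The baseline, the scanned address 192.0.2.10 and the nmap grepable output are constructed for the example; fill the baseline from the port tables above for your model and the protocols you leave enabled, and feed the script real output from nmap -oG.

```python
"""Compare a controller's observed open ports with a documented baseline.

Added example, not Canon code. Parses nmap "grepable" output (-oG) and reports
ports that are open but not in the baseline (candidates for Protocol protection)
and baseline ports that were not seen open (confirm they were disabled on purpose).
"""
import re

# Baseline built from the port tables (assumption for the example: LPR, HTTP/HTTPS,
# SMB, WSD and SNMP left enabled; FTP disabled under Protocol protection).
EXPECTED_OPEN = {
    ("tcp", 80), ("tcp", 443), ("tcp", 515), ("tcp", 139), ("tcp", 445), ("tcp", 5357),
    ("udp", 137), ("udp", 138), ("udp", 161), ("udp", 3702),
}

# Constructed nmap -oG output for the example (not a real scan).
SAMPLE_NMAP_GREPABLE = """\
# Nmap 7.80 scan initiated as: nmap -sS -sU -p T:1-65535,U:53,137,138,161,3702 -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 443/open/tcp//https///, 445/open/tcp//microsoft-ds///, 515/open/tcp//printer///, 5357/open/tcp//wsdapi///, 137/open|filtered/udp//netbios-ns///, 161/open/udp//snmp///, 3702/open/udp//ws-discovery///\tIgnored State: closed (65530)
# Nmap done
"""

# One port entry in the Ports: field looks like  515/open/tcp//printer///
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")


def parse_grepable(text):
    """Return {(proto, port): state} for every port entry in nmap -oG output."""
    found = {}
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            found[(proto, int(port))] = state
    return found


def diff_against_baseline(observed, expected):
    """Split the scan into unexpected open ports and baseline ports not seen open.
    'open|filtered' (UDP) counts as open: nmap cannot tell a silent UDP service
    from a dropped probe, so it must be checked rather than ignored."""
    open_ports = {key for key, state in observed.items() if state.startswith("open")}
    unexpected = sorted(open_ports - expected)
    missing = sorted(expected - open_ports)
    return unexpected, missing


def report(text=SAMPLE_NMAP_GREPABLE, expected=EXPECTED_OPEN):
    unexpected, missing = diff_against_baseline(parse_grepable(text), expected)
    for proto, port in unexpected:
        print(f"UNEXPECTED open {proto}/{port}: not in the baseline, disable it or document it")
    for proto, port in missing:
        print(f"NOT OPEN {proto}/{port}: in the baseline but not reachable, confirm it was disabled on purpose")
    return unexpected, missing


if __name__ == "__main__":
    report()
```

Run the scan from a host in the same VLAN as the printer so that no intermediate firewall hides ports, and repeat it after every change to the protocol settings.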
Network protocols protection
Prevent any outgoing connection to the Internet
Security of the USB connection
Introduction
A USB connection is available on the touch panel.
This USB connection is used to:
• Install / upgrade the controller software
• Backup and restore the controller configuration
• Scan to the USB storage device
• Print from the USB storage device
Port based authentication (IEEE 802.1X)
[Figure: IEEE 802.1X port-based authentication, variants A and B, on the LAN]
Port-based authentication (IEEE 802.1X) - explained
EAP
In general, IEEE 802.1X uses EAP (Extensible Authentication Protocol) to negotiate how the supplicant authenticates to the authentication server. The supplicant can identify itself with a certificate, a smart card, or a username and password.
EAP is combined with additional authentication protocols, such as Transport Layer Security (TLS) and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).
• EAP-TLS
EAP-TLS is used in certificate-based security environments. It provides the strongest
authentication and key determination method. EAP-TLS requires that the supplicant has an
identity certificate.
• EAP-MS-CHAP v2
EAP-MS-CHAP v2 is a mutual authentication method that supports password-based endpoint
authentication.
NOTE
Not all authentication servers, supplicants and LDAP directory servers support all authentication
methods.
PEAP
PEAP (Protected EAP) is a protocol that increases the security of EAP-MS-CHAP v2 and EAP-TLS. In the first part of the EAP handshake PEAP builds a TLS-encrypted channel, authenticated by the certificate of the authentication server. Inside this secure channel a second EAP negotiation takes place to authenticate the supplicant, so the inner credentials are never sent in clear.
The authentication methods the printer supports are: PEAP with EAP-TLS, PEAP with EAP-MS-CHAP v2 and EAP-TLS.
Identity certificates
All authentication methods require that the CA certificate(s) that issued the authentication server's certificate are present in the controller's list of trusted certificates, so that the supplicant can authenticate the authentication server. The controller uses the same identity certificate for HTTPS, IPsec and IEEE 802.1X.
EAP-TLS requires a valid identity certificate for the supplicant that is mapped to a user account or computer account in the LDAP directory server (Active Directory Domain Services (AD DS)).
• When the certificate refers to a computer account, the Subject Alternative Name
(SubjectAltName) field in the certificate must contain the Fully Qualified Domain Name (FQDN)
of the client, which is also called the DNS name.
• When the certificate refers to a user account, the Subject Alternative Name (SubjectAltName)
field in the certificate must contain the User Principal Name (UPN).
NOTE
EAP-MS-CHAP v2 does not need an Identity certificate of the supplicant.
• When the printer uses IEEE 802.1X, the CA certificates of the RADIUS server must be imported into the list of trusted certificates.
• The printer Identity certificate that is valid for HTTPS can be used for IEEE 802.1X.
• One of the Subject Alternative Name fields of the printer Identity certificate must be equal to
the Fully Qualified Domain Name (FQDN).
NOTE
EAP-MS-CHAP v2 requires an MS-CHAP v2 username and a MS-CHAP v2 password
that are configured in Express Webtools.
EAP-TLS
[Figure: EAP-TLS exchange between the supplicant (printer), the authenticator, the authentication server and the domain controller directory service over the LAN]
1. The supplicant (here the printer) sends an IEEE 802.1X request to the authenticator.
2. After negotiating the first part of the authentication method, the authenticator forwards the identity (certificate) of the authentication server.
3. The supplicant validates the identity certificate of the authentication server against its trusted CA certificates.
4. The supplicant builds a PEAP encrypted channel to negotiate the second part of the authentication and then sends its identity certificate through that channel. (With plain EAP-TLS, without PEAP, the supplicant presents its identity certificate in the TLS handshake itself.)
5. The authentication server verifies the identity certificate. The directory service of the domain controller is queried for the user account or computer account the certificate refers to.
6. The authentication server authenticates the identity certificate of the supplicant.
7. The authenticator enables the IEEE 802.1X-configured port and the supplicant can access the network.
PEAP with EAP-MS-CHAP v2
[Figure: PEAP with EAP-MS-CHAP v2 exchange between the supplicant (printer), the authenticator and the authentication server over the LAN: server certificate (step 2), MS-CHAP v2 login, data (step 6)]
1. The supplicant (here the printer) sends an IEEE 802.1X request to the authenticator.
2. After negotiating the first part of the authentication method, the authenticator forwards the identity (certificate) of the authentication server.
3. The supplicant validates the identity certificate of the authentication server against its trusted CA certificates.
4. The supplicant builds a PEAP encrypted channel to negotiate the second part of the authentication and then sends its MS-CHAP v2 login information through that channel.
5. The authentication server validates the MS-CHAP v2 login information.
6. The authenticator enables the IEEE 802.1X-configured port and the supplicant can access the network.
IEEE802.1X - Configuration steps
Prerequisites
• A printer
• A switch supporting port-based authentication for IEEE802.1X
• A RADIUS server
Introduction
2 main port-based authentication methods are supported:
• With username from domain (requires a username/password)
• With printer name from domain (requires a client certificate)
The configuration of IEEE802.1X includes several procedures, some of them depending on the
authentication method.
Configuration procedures
1. IEEE802.1X environment preparation
1. Configure a Certification Authority
see Configure a Certification Authority (example on Windows Server 2016) on page 194
2. Prepare the RADIUS server
see Prepare the RADIUS server (example on Windows Server 2016) on page 196
3. Prepare the switch
see Prepare the switch on page 200
2. Configure the printer controller
see Configure the printer controller on page 202
3. Configure the Radius server
• for username from domain
see Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2'
on page 209
• for printer name from domain
see Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with
EAP-TLS)' on page 219
Troubleshoot
For more information about troubleshooting the configuration of IEEE802.1X see Troubleshoot on
page 236.
Configure a Certification Authority (example on Windows Server 2016)
Introduction
As certificates (server and/or client certificates) are required for the IEEE802.1X configuration, it is common to set up your own Certification Authority rather than use a commercial one.
To configure such an environment on a Windows server 2016:
• Active Directory Certificate Services must be installed, and
• Certificate Authority (Default) must be installed
• It is recommended to install Certification Authority Web Enrollment, which will provide an
easy way for Certification with a web interface.
Once configured, you can see the local Certification Authority like in the example below:
Check that you have a certificate template for Client Authentication or create one:
NOTE
For complete Certification Authority configuration, please check relevant documentation. For
example 'How to configure Certification Authority on Windows Server 2016'.
Prepare the RADIUS server (example on Windows Server 2016)
Procedure
1. Install Network Policy and Access Services as a role on Windows Server 2016
2. Manage 'Network Policy Server' (NPS) and create a Radius client which is related to the switch
used:
• IP address of the switch
• It is recommended to add a 'Shared secret' which will also be set on the switch.
Example:
3. Check there is a Connection Request policy enabled with NAS port type = Ethernet.
Example:
Prepare the switch
Introduction
The switch must be configured, but the configuration depends on the switch chosen. We give
here an example of a Cisco SG-350:
Procedure
1. Configure IEEE802.1X on the switch.
2. Configure the port on the switch supporting IEEE802.1X where the printer will be plugged in (for
example port 'GE2' in the picture below).
Configure the printer controller
Introduction
The settings for IEEE802.1X on the printer controller are accessible through:
• Express WebTools (for settings configuration)
• Printer user panel (for IEEE802.1X status and disable in case of trouble)
Procedure
1. Open Express WebTools - Security - Trusted certificates.
2. Click on 'Create new' to import the Radius Server root certificate onto the controller.
This is the root certificate you defined when you created the Certification Authority (see Configure
a Certification Authority (example on Windows Server 2016) on page 194)
4. Click 'Ok'.
5. Edit the settings for IEEE802.1X on the printer controller in Express WebTools - Security -
Configuration - Network-based configuration (IEEE 802.1X)
2. Enter the DNS name of the printer in at least one of the Subject alternative name (SAN). In
this example : cw3700.sns.ocegr.fr
3. Click on 'OK' and wait for the following window to appear:
4. Copy the content (all the text including ' ----- BEGIN NEW CERTIFICATE REQUEST -----' and
'----- END NEW CERTIFICATE REQUEST -----')
5. Submit this certificate request to a Certification Authority (CA). See the following example with an internal Certification Authority (realised with the Certification Authority Web Enrollment of Windows Server 2016).
NOTE
A certificate template compatible with client authentication is required.
9. Click on 'Submit'.
The following window appears:
12. Select 'Root certificate' in Certificate type to import the Root certificate.
13. Select 'CA-signed certificate' in Certificate type to import the certificate previously
downloaded.
8. To see the IEEE802.1X status and to disable IEEE802.1X in case of network trouble, tap on the
printer user panel - System - Security.
Configure the Radius server for 'Username from domain; PEAP with EAP-
MSCHAPv2'
Introduction
This procedure describes how to configure the Radius server for 'Username from domain; PEAP
with EAP-MSCHAPv2' (example on Windows Server 2016).
For more information about this port-based authentication method see Port-based authentication
(IEEE 802.1X) - explained on page 188
Procedure
1. Open Windows Server Active Directory Users and Computers.
2. Create a Group for the printer:
3. Create a user for the printer belonging to the aforementioned group with the same <username>
and <password> defined on the controller.
5. At the Dial-in tab, give access permission to 'Control access through NPS Network Policy'.
6. Configure a Network Policy, see Configure the Radius server for 'Username from domain' -
Network Policy on page 211
Configure the Radius server for 'Username from domain' - Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for
'Username from domain; PEAP with EAP-MSCHAPv2' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
4. Click on 'Next'.
5. In 'Specify Access Permission', select 'Access granted'.
6. Click on 'Next'.
8. Click on 'OK'.
10. Define the certificate the server will use (the certificate you imported into the controller)
11. Click on 'Add' in the window 'Edit Protected EAP Properties' and select the EAP Type 'EAP-
MSCHAP v2 '.
15. Keep the default values in the 'Configure Constraints' window and click on 'Next'.
The 'Configure Settings' window opens.
16. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP
with EAP-TLS)'
Introduction
This procedure describes how to configure the Radius server for 'Printer name from domain;
EAP-TLS' and 'Printer name from domain; PEAP with EAP-TLS' (example on Windows Server
2016).
For more information about this port-based authentication method see Port-based authentication
(IEEE 802.1X) - explained on page 188
Procedure
1. Open Windows Server Active Directory Users and Computers.
2. Create a Group for the printer:
3. Create a computer for the printer with the computer name equal to the Subject Alternative name
(without the DNS suffix) you entered when creating the certificate request. See the step '... create
a (client) certificate on the controller' in Configure the printer controller on page 202:
In this example, the Subject Alternative name was : 'cw3700.sns.ocegr.fr', so the computer name
is 'cw3700'.
5. At the Dial-in tab, give 'Network Access Permission' to 'Control access through NPS Network
Policy'.
6. At the Attribute Editor tab, set the Attribute 'servicePrincipalName' with the syntax:
servicePrincipalName=host/<computername>.<domainsuffix>
Example: servicePrincipalName=host/cw3700.sns.ocegr.fr
Configure the Radius server for 'Printer name from domain; EAP-TLS' -
Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for 'Printer
name from domain; EAP-TLS' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
2. Click on 'Add' in 'Specify Conditions' to add the group you defined before.
4. Click on 'Next'.
6. Click on 'Next'.
7. In 'Configure Authentication Methods', add 'Microsoft: Smart Card or other certificate'.
8. Click on 'OK'.
16. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Configure the Radius server for 'Printer name from domain; PEAP with EAP-
TLS' - Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for 'Printer
name from domain; PEAP with EAP-TLS' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
4. Click on 'Next'.
5. In 'Specify Access Permission', select 'Access granted'.
6. Click on 'Next'.
8. Click on 'OK'.
10. Define the certificate the server will use (the certificate you imported into the controller)
11. Click on 'Add' in the window 'Edit Protected EAP Properties' and select the EAP Type 'Smart Card
or other certificate'.
12. Click on 'Edit' to define the certificate which will be used as Server certificate (the certificate you
imported into the controller).
18. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Troubleshoot
Introduction
As IEEE802.1X involves the printer, the switch and the Radius server, there are several places to look when troubleshooting.
3. On the switch
Generally:
• Some logging is present.
• Some switches have a test feature to check communication with the Radius server.
4. On the Radius Server
• Check the event viewer of Network Policy and Access Services.
Example of a network protocol capture with IEEE802.1X frames (PEAP with EAP-TLS):
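As an added example (not from this guide), the following decoder prints an EAPOL/EAP exchange of this kind from raw 802.1X frames, showing the same fields a protocol analyser shows: EAPOL type, EAP code and identifier, the identity, the method (PEAP, EAP-TLS, EAP-MS-CHAP v2, Nak) and the EAP-TLS/PEAP flag bits. The frames in the block are constructed (an EAPOL-Start, the identity round trip for a printer named cw3700, a PEAP start, a first PEAP fragment and an EAP-Success); for a real capture, pass it the EAPOL payload that follows the 14-byte Ethernet header of each frame with EtherType 0x888E.

```python
"""Decode IEEE 802.1X (EAPOL/EAP) frames as a troubleshooting capture shows them.

Added example, not Canon code. Frame layouts follow IEEE 802.1X (EAPOL header:
version, type, length) and RFC 3748 (EAP header: code, id, length, type).
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MS-CHAP-v2"}


def decode_eapol(frame):
    """One-line description of one EAPOL frame (bytes after the Ethernet header)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, etype, length = struct.unpack("!BBH", frame[:4])
    name = EAPOL_TYPES.get(etype, f"type {etype}")
    if etype != 0:                       # Start/Logoff/Key carry no EAP packet
        return f"EAPOL v{version} {name}"
    return f"EAPOL v{version} {name}: " + decode_eap(frame[4:4 + length])


def decode_eap(pkt):
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt):
        raise ValueError("EAP length exceeds frame")
    desc = f"EAP {EAP_CODES.get(code, code)} id={ident}"
    if code in (3, 4):                   # Success / Failure have no type field
        return desc
    mtype = pkt[4]
    tname = EAP_TYPES.get(mtype, f"type {mtype}")
    data = pkt[5:length]
    if mtype == 1:                       # Identity: printable identity string
        return f"{desc} {tname} '{data.decode('utf-8', 'replace')}'"
    if mtype == 3:                       # Nak: the methods the peer would accept
        return f"{desc} {tname} (peer wants {[EAP_TYPES.get(b, b) for b in data]})"
    if mtype in (13, 25):                # EAP-TLS / PEAP: flags L, M, S then TLS data
        flags = data[0] if data else 0
        bits = "".join(n for n, m in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & m)
        extra = ""
        if flags & 0x80 and len(data) >= 5:   # L flag: 4-byte total TLS message length follows
            extra = f" tls_len={struct.unpack('!I', data[1:5])[0]}"
        return f"{desc} {tname} flags=[{bits}]{extra} payload={len(data) - 1}B"
    return f"{desc} {tname} payload={len(data)}B"


def eap(code, ident, type_and_data=b""):
    return struct.pack("!BBH", code, ident, 4 + len(type_and_data)) + type_and_data


def eapol(etype, body=b""):
    return struct.pack("!BBH", 1, etype, len(body)) + body


# Constructed exchange as seen on the printer's switch port (not a real capture).
CONSTRUCTED_FRAMES = [
    eapol(1),                                             # printer: EAPOL-Start
    eapol(0, eap(1, 1, b"\x01")),                         # switch: Request/Identity
    eapol(0, eap(2, 1, b"\x01" + b"cw3700")),             # printer: Response/Identity
    eapol(0, eap(1, 2, b"\x19\x20")),                     # server: PEAP start (S flag)
    eapol(0, eap(2, 2, b"\x19\x80" + b"\x00\x00\x00\x05"  # printer: PEAP, L flag, TLS len 5,
                       + b"\x16\x03\x01\x00\x01")),       #   first bytes of the TLS ClientHello
    eapol(0, eap(3, 9)),                                  # server: Success, port opens
]


def decode_all(frames=CONSTRUCTED_FRAMES):
    return [decode_eapol(f) for f in frames]


if __name__ == "__main__":
    for line in decode_all():
        print(line)
```

If the capture stops after the printer's Response/Identity with no Request that follows, the switch received nothing from the Radius server, which is the first symptom in the table below; an EAP Nak from the printer means the server proposed a method the printer is not configured for.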
Reminder: This tool tests the configuration locally only; it does not test the connection to the switch or to the Radius server.
Symptom: No communication with the Radius server, while the printer sent its identity correctly to the switch (seen with a network protocol analyser)
Probable cause: Radius server not correctly set
Action: Check the Radius server name in Express WebTools (caution: it must contain at least one '*' character)

Symptom: Event viewer NPAS (Radius server) mentions: 'No credentials are available in the security package.'
Probable cause: Mismatch in the EAP type setting in the Network Policy
Action: Check the Network Policy (on the Network Policy Server), section 'Authentication methods' (see the section corresponding to the authentication method chosen)

Symptom: Event viewer NPAS (Radius server) mentions: 'The specified user account does not exist.'
Probable cause: User not defined (username or printer name)
Action: Check the username or printer name on the controller; check the username or printer name in Active Directory

Symptom: Event viewer NPAS (Radius server) mentions: 'An Access-Request message was received from RADIUS client <IP address of the Radius client (the switch) configured on the Radius server> with a Message-Authenticator attribute that is not valid.'
Probable cause: Bad configuration of the Radius client (on the Radius server); or secret mismatch between the switch and the Radius client entry
Action: Check the Radius client settings on the switch and on the Network Policy Server
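The last entry above is a failed check of the RADIUS Message-Authenticator attribute. As an added example (not Canon or Microsoft code), the following script builds an Access-Request the way the switch forwards the printer's EAP-Response/Identity and verifies the Message-Authenticator under a shared secret, so the effect of a secret mismatch between the switch and the Radius client entry can be reproduced offline. The shared secret, the NAS address 192.0.2.1 and the identity cw3700 are constructed.

```python
"""Build and verify the RADIUS Message-Authenticator of an Access-Request.

Added example, not Canon/NPS code. Per RFC 3579 the attribute is HMAC-MD5,
keyed with the shared secret, over the whole packet with the attribute's own
16-byte value set to zero. A NAS whose secret differs from the one stored for
its RADIUS client entry produces a value the server cannot reproduce.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_ETHERNET = 15
HEADER_LEN = 20            # code, identifier, length, 16-byte Request Authenticator


def attribute(atype, value):
    if not 0 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be at most 253 bytes")
    return bytes((atype, len(value) + 2)) + value


def build_access_request(secret, identifier, request_authenticator, attributes):
    """Access-Request with a correct Message-Authenticator appended as last attribute."""
    body = b"".join(attribute(t, v) for t, v in attributes)
    body += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))     # placeholder: 16 zero bytes
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    packet += request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet):
    """Yield (type, value, offset) for each attribute; the offset lets the
    verifier zero the Message-Authenticator in place."""
    total = struct.unpack("!H", packet[2:4])[0]
    if total != len(packet) or total < HEADER_LEN:
        raise ValueError("RADIUS length field does not match the packet")
    offset = HEADER_LEN
    while offset < total:
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > total:
            raise ValueError("malformed RADIUS attribute")
        yield atype, packet[offset + 2:offset + alen], offset
        offset += alen


def verify_message_authenticator(packet, secret):
    """True only if exactly one Message-Authenticator is present and verifies."""
    found = [(v, off) for t, v, off in parse_attributes(packet) if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


# Constructed sample: the switch relays the printer's EAP-Response/Identity 'cw3700'.
SHARED_SECRET = b"example-shared-secret"       # constructed; never reuse in production
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 1, 4 + 1 + 6) + b"\x01" + b"cw3700"


def sample_request(secret=SHARED_SECRET):
    return build_access_request(
        secret,
        identifier=7,
        request_authenticator=os.urandom(16),
        attributes=[
            (ATTR_USER_NAME, b"cw3700"),
            (ATTR_NAS_IP_ADDRESS, bytes((192, 0, 2, 1))),
            (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
            (ATTR_EAP_MESSAGE, EAP_RESPONSE_IDENTITY),
        ],
    )


if __name__ == "__main__":
    pkt = sample_request()
    print("same secret on switch and NPS :", verify_message_authenticator(pkt, SHARED_SECRET))
    print("secret mismatch               :", verify_message_authenticator(pkt, b"typo-on-the-switch"))
```

The check also fails when any byte of the packet was altered in transit or by a middlebox, so a persistent failure with a verified secret points at the path between switch and server rather than at the configuration.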
Antivirus
Compatibility and recommendations
The following antivirus software can be installed on your PlotWave/ColorWave systems:
• Symantec AntiVirus Endpoint Protection
• McAfee VirusScan Enterprise Edition / ePolicy Orchestrator for AntiVirus update
Contact your Canon representative to learn which antivirus version to install on your PlotWave/ColorWave systems and to obtain the installation procedure.
NOTE
Canon shall not be liable for damages of any kind attributable to the use of an antivirus on its
controllers.
User access/LDAP authentication
Roles
Introduction
The "User access" feature allows access to the Local User Interface and to Express WebTools with different roles.
Each role gives permission to view and change a defined set of parameters.
Roles description
4 different roles exist in the product. Each of them has the ability to configure or modify some
system settings.
The roles are:
• Key Operator:
The Key Operator can manage the jobs and the device settings.
• System Administrator
The System Administrator can manage the configuration settings, such as the network and
security settings.
• Power User
The Power User has both the rights of the Key operator and the System administrator.
• Service
This role is used exclusively by the Service technician.
Local users
These are built-in users and cannot be changed; there are 4 local users:
• Key Operator (acting as Key Operator role)
• System Administrator (acting as System Administrator role)
• Power User (acting as Power User role)
• Service (acting as Service role)
NOTE
It is possible to disable one or more local users depending on the users and roles defined in
Domain users.
Domain users (LDAP authentication): for PW3000/3500/5000/5500/7500 and for PW345/365/450/550 R1.2 and higher versions
Introduction
This feature allows the IT manager to define which users, as members of a domain, can log on to the system and with which role (Key Operator, System Administrator, Power User, Service), for Express WebTools as well as for the Local User Interface.
This feature, called LDAP authentication, is based on the secure LDAP protocol in 2 variants:
• LDAP over Kerberos for a Microsoft Windows environment
• LDAP over TLS, mainly for non-Microsoft environments
Functional description
• On the server:
• The IT manager defines in each domain (several domains are possible):
• A domain group for the System Administrator role
• A domain group for the Key Operator role
• A domain group for the Power User role
• A domain group for the Service role
• For each group, the IT manager defines which users (members of the domain) belong to it
• On the printer:
• The IT manager defines the aforementioned domain(s) by means of Express WebTools
• Any authorised user defined in a specific domain group can authenticate on Express WebTools and the Local User Interface with the corresponding role.
Configure the Domain users (LDAP authentication over Kerberos)
Introduction
Perform the following steps to configure LDAP authentication over Kerberos.
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Security' - 'Domains' page.
3. Click 'Create new' to create a domain.
6. In 'LDAP settings':
• enter the LDAP group name(s) defined on the LDAP server for each role.
Note: you can leave some fields empty.
• set the protocol type according to the LDAP policy: Kerberos (in this section).
7. When the security policy requires it, set the advanced settings:
• 'Suffix for the User Principal Name (UPN)': if a custom suffix is used, select 'Custom' and enter
it (if several suffixes exist in the same domain, create as many domains as there are suffixes).
• 'Locate LDAP server': enter the LDAP server name (Fully Qualified Domain Name) or IP address
and the port number, if they are not retrieved automatically from the DNS server.
NOTE: for the Kerberos flavour the port number is usually 389 (the plain LDAP port). Here the
connection is protected by Kerberos rather than by TLS, so the trusted certificate configuration
described for the SSL flavour is not needed.
• 'LDAP attribute to display on the user panel': 'displayName' by default; another attribute
can be used.
• 'LDAP search filter': by default based on the user principal name
(userPrincipalName=(upn)); it can be based on another attribute.
• 'LDAP search base': by default the complete LDAP database (the defaultNamingContext attribute).
With several LDAP databases, indicating a narrower search base (Custom LDAP search base) can
improve performance.
8. When you click 'OK', a verification is performed and an error is displayed if the domain cannot
be created.
NOTE
In case of failure you can always save the configuration and edit it later (e.g. when changes
must first be made on the LDAP server).
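The following is an added example and not code from the Canon guide or the printer firmware. It shows what the domain entry's 'LDAP search filter' (default userPrincipalName=(upn)), the 'Suffix for the User Principal Name (UPN)' and the per-role domain groups amount to on the LDAP side; the same settings are used by the SSL flavour below. The group DNs, the UPN suffix and the "direct membership only" rule are assumptions made for this illustration.

```python
"""Added example, not code from the Canon guide or the printer firmware. Builds the LDAP
search filter from the login name and the UPN suffix (with RFC 4515 escaping) and maps the
group memberships of the entry found to a printer role. Group DNs, the suffix and the
direct-membership rule are assumptions."""
from __future__ import annotations

# RFC 4515 section 3: characters that must be escaped inside an assertion value. Without
# this, a login typed as  *  would make the filter (userPrincipalName=*), matching every entry.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_principal_name(login: str, upn_suffix: str) -> str:
    """'user1' with suffix 'corp.example' -> 'user1@corp.example'. A login that already
    carries a suffix is kept as typed; a suffix not covered by any domain entry fails the
    lookup, which is why one domain entry per UPN suffix is needed."""
    return login if "@" in login else f"{login}@{upn_suffix}"


def build_search_filter(template: str, upn: str) -> str:
    """Substitutes the (upn) placeholder of the 'LDAP search filter' template and wraps
    the assertion in parentheses as LDAP expects."""
    return "(" + template.replace("(upn)", escape_filter_value(upn)) + ")"


# One domain group per printer role, as entered on the 'Security' - 'Domains' page.
# The DNs are made up.
ROLE_GROUPS = {
    "CN=PW-SystemAdmins,OU=Groups,DC=corp,DC=example": "System Administrator",
    "CN=PW-KeyOperators,OU=Groups,DC=corp,DC=example": "Key Operator",
    "CN=PW-PowerUsers,OU=Groups,DC=corp,DC=example": "Power User",
    "CN=PW-Service,OU=Groups,DC=corp,DC=example": "Service",
}


def roles_for(member_of: list[str], role_groups: dict[str, str] = ROLE_GROUPS) -> list[str]:
    """Roles the user gets from the memberOf values of the entry the filter returned.
    DNs are compared case-insensitively. Only direct membership is checked (assumption:
    the guide does not say whether nested groups are resolved). An empty list means the
    user is in none of the role groups and cannot log on to the printer at all."""
    wanted = {dn.lower(): role for dn, role in role_groups.items()}
    return sorted({wanted[dn.lower()] for dn in member_of if dn.lower() in wanted})


if __name__ == "__main__":
    upn = user_principal_name("user1", "corp.example")
    print(build_search_filter("userPrincipalName=(upn)", upn))
    # An injection attempt is neutralised by the escaping:
    print(build_search_filter("userPrincipalName=(upn)", "*"))
    print(roles_for(["CN=PW-KeyOperators,OU=Groups,DC=corp,DC=example",
                     "CN=Staff,DC=corp,DC=example"]))
```

The escaping matters whenever the filter is built from what a user types at the panel: an unescaped `*` or `)` changes the meaning of the filter instead of being looked up as a name.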
Validate the configuration (Kerberos)
Introduction
After you configured the domains, validate it.
Procedure
1. Go to the 'Security' - 'Configuration'.
2. Click on 'Validate the configuration of the user access mode'.
3. Select the domain name, enter a valid username and the associated password.
4. Click 'OK'.
A report is generated:
5. Check there is no red cross icon in the report. If there is a red cross, solve the issue or check the
solutions in the troubleshooting section. See Troubleshooting LDAP authentication over Kerberos
on page 263
Configure the Domain users (LDAP authentication over SSL)
Introduction
Perform the following steps to configure LDAP authentication over SSL (LDAPS, i.e. LDAP over TLS).
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Security' - 'Domains' page.
3. Click 'Create new' to create a domain.
6. In 'LDAP settings':
• enter the LDAP group name(s) defined on the LDAP server for each role.
Note: you can leave some fields empty.
• set the protocol type according to the LDAP policy: SSL (in this section).
7. When the security policy requires it, set the advanced settings:
• 'Suffix for the User Principal Name (UPN)': if a custom suffix is used, select 'Custom' and enter
it (if several suffixes exist in the same domain, create as many domains as there are suffixes).
• 'Locate LDAP server': enter the LDAP server name (Fully Qualified Domain Name) or IP address
and the port number, if they are not retrieved automatically from the DNS server.
NOTE: for SSL the port number is usually 636. Because the printer validates the LDAP server's
certificate, the trusted certificates must also be configured (see 'Configure the trusted
certificates').
• 'LDAP attribute to display on the user panel': 'displayName' by default; another attribute
can be used.
• 'LDAP search filter': by default based on the user principal name
(userPrincipalName=(upn)); it can be based on another attribute.
• 'LDAP search base': by default the complete LDAP database (the defaultNamingContext attribute).
With several LDAP databases, indicating a narrower search base (Custom LDAP search base) can
improve performance.
8. When you click 'OK', a verification is performed and an error is displayed if the domain cannot
be created.
NOTE
In case of failure you can always save the configuration and edit it later (e.g. when changes
must first be made on the LDAP server).
Configure the trusted certificates
When to do
After you configured the domains for LDAP over SSL, you must configure the trusted certificate
chain: during the TLS handshake the LDAP server presents its certificate together with its chain,
and the printer validates that chain against the root and intermediate certificates you upload
here. If a root or intermediate certificate of the chain is missing, the certificate check fails.
Procedure
1. Open the 'Security' - 'Trusted certificates' page.
2. Click 'Create new' and upload one certificate for each root and intermediate certificate that
appears in the LDAP server's certificate chain.
The field 'Forced URL of OCSP responder' can normally be left empty, as LDAP server certificates
are expected to be valid; check with the IT administrator whether your policy requires an OCSP
check of the LDAP server certificate.
3. Repeat the creation operation for every root and intermediate certificate.
Validate the configuration (SSL)
Introduction
After you configured the domains, validate it.
Procedure
1. Go to the 'Security' - 'Configuration'.
2. Click on 'Validate the configuration of the user access mode'.
3. Select the domain name, enter a valid username and the associated password.
4. Click 'OK'.
A report is generated:
5. Check there is no red cross icon in the report. If there is a red cross, solve the issue or check the
solutions in the troubleshooting section. See Troubleshooting LDAP authentication over SSL on
page 264
User access on the user panel
No domain configured
When a user wants to access the settings on the Local UI, the following window opens when
there is no domain configured:
When 'Local users' is selected, you select the local user that corresponds to the desired role.
When a domain is selected, the 'User name' field is empty: the user enters his/her own username
(the associated role has been set up by the IT administrator on the LDAP server).
NOTE
'Local users' may not appear, in case the local users are disabled.
User access with Express WebTools
No domain configured
When a user wants to access the settings with Express WebTools, the following window opens
when there is no domain configured:
When selecting the domain 'Local Users', one or more of the 4 built-in users (Key Operator,
System Administrator, Power User or Service) are available, and you enter the password to
log in.
NOTE
'Local users' may not appear, in case the local users are disabled.
Once logged in, a message mentioning the user has logged in is displayed on top right of the
screen:
When selecting a Domain that was previously configured, you have to enter the username which
has the appropriate role (as defined in the LDAP server).
Password policy
Disabling local user access
NOTE
A local user can be disabled ONLY if a valid domain user with the same role exists, so that
access to the settings cannot be lost.
CAUTION:
Keep the domain users' passwords in a safe place. If you disable ALL local users and then cannot
log in as a domain user for any reason (password lost, domain no longer reachable), you will need
to call Service to reinstall the complete system (see 'Permissions for Service operations').
Troubleshooting LDAP authentication over Kerberos
Introduction
Find below the list of possible causes of errors that can occur during the process of creating a
domain or when using the tool 'Validate the configuration of the user access mode'.
Troubleshooting LDAP authentication over SSL
Introduction
Find below the list of possible causes of errors that can occur during the process of creating a
domain or when using the tool 'Validate the configuration of the user access mode'.
Permissions for Service operations
NOTE
This feature applies when LDAP authentication has been set up and the system administrator
has disabled the local System Administrator and the local Power User accounts. In that case,
if the domain users are no longer reachable for any reason, it is not possible to log in locally
on Express WebTools to change settings. The only way out is to re-enable the local users
(System Administrator and Power User).
ONLY if the setting "Allow Service Technician to enable local users" is set to "enabled" can
the Service technician perform this operation on site. If the setting "Allow Service
Technician to enable local users" is set to "disable", a re-installation of the printer
software by the Service technician is mandatory.
Passwords policy
Introduction
There are 2 groups of passwords:
• The passwords used in Express WebTools
• The passwords used on the printer user panel
Password policy
• 256 characters maximum
• all MS Windows characters are allowed
NOTE
Keep this password. The reset of this password may require the intervention of a Service
technician.
Passwords modification
Access control
Introduction
Access control limits access to the print system by IP filtering: only the stations you list can
communicate with the printer.
In Express WebTools, find the 'Access control' settings on the Security - Configuration page.
Pre-requisites
• The configuration of the 'Access control' settings is available only to the 'System
administrator' and 'Power user'.
To prevent unauthorised access to these settings via the printer panel, the System
administrator must log in to access the network settings.
• Important: ALWAYS define the hosts before enabling 'Access control'.
If 'Access control' is enabled without any host configured, all communication is blocked. Go
to the printer panel to disable 'Access control' again.
In case DHCP and DNS servers are used:
• Add the DHCP server to the list of the Access control stations.
Otherwise DHCP is blocked; alternatively, disable the DHCP settings in
Configuration - Connectivity and configure the network settings manually.
• Add the DNS server to the list of the Access control stations.
Otherwise DNS is blocked; alternatively, configure the path of the external locations
with the IP address instead of a hostname.
NOTE
When configuring the 'Access control station: IPv6 address', use the IPv6 static address (instead
of a dynamic stateless or stateful one)
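The following pre-flight check is an added example, not code from the Canon guide or the printer. It takes the planned list of access control stations and reports what enabling 'Access control' would break, according to the pre-requisites above: an empty list, the administrator's own workstation missing, a DHCP or DNS server missing, and IPv6 link-local entries. All addresses are made up.

```python
"""Added example, not code from the Canon guide: pre-flight check of an 'Access control'
station list against the pre-requisites in this section. Addresses are constructed."""
from __future__ import annotations
import ipaddress


def check_access_control_plan(stations, admin_host, dhcp_servers=(), dns_servers=()) -> list[str]:
    """Returns a list of problems; an empty list means the plan is safe to enable."""
    problems: list[str] = []
    if not stations:
        # The lock-out case from the guide: access control on, no host configured.
        problems.append("no stations configured: enabling access control blocks all "
                        "communication; it can only be disabled again at the printer panel")
        return problems

    allowed = set()
    for station in stations:
        addr = ipaddress.ip_address(station)
        if addr.version == 6 and addr.is_link_local:
            # A static address is wanted. A link-local address is flagged here; a SLAAC
            # temporary address cannot be told apart from a static one by its value alone.
            problems.append(f"{station}: IPv6 station is link-local, use the static address")
        allowed.add(addr)

    def missing(host: str) -> bool:
        return ipaddress.ip_address(host) not in allowed

    if missing(admin_host):
        problems.append(f"administrator workstation {admin_host} not in the list: "
                        "Express WebTools is unreachable from it once the filter is on")
    for server in dhcp_servers:
        if missing(server):
            problems.append(f"DHCP server {server} not in the list: DHCP is blocked, "
                            "add it or configure the network settings manually")
    for server in dns_servers:
        if missing(server):
            problems.append(f"DNS server {server} not in the list: DNS is blocked, "
                            "add it or configure external locations by IP address")
    return problems


if __name__ == "__main__":
    plan = ["10.1.0.20", "10.1.0.2", "fe80::1"]  # constructed station list
    for problem in check_access_control_plan(plan, admin_host="10.1.0.20",
                                             dhcp_servers=["10.1.0.1"],
                                             dns_servers=["10.1.0.2"]):
        print("-", problem)
```

Run it against the list you intend to enter before ticking 'Access control'; an empty result is the only state in which enabling the filter cannot lock you out of Express WebTools.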
Audit log
Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded
and/or cleared.
SNMPv3: for PW3000/3500/5000/5500/7500 and for PW345/365/450/550 R1.2 and higher versions
SNMPv3 implementation
The current SNMPv3 implementation offers user authentication only, to ensure the identity of the
user; this corresponds to the security level "Auth, NoPriv" in SNMP applications.
Encryption of the transferred data is not supported (the security level "Auth, Priv" is not
available), so the SNMP payload travels in clear text and only its integrity and origin are
protected.
The authentication protocol is fixed to MD5 (HMAC-MD5-96).
SNMPv3 settings
You can access the SNMPv3 settings in the Settings Editor: section Configuration |
Connectivity | SNMP v3
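The following is an added example, not code from the Canon guide or the printer: the SNMPv3 User-based Security Model computations behind the "Auth, NoPriv" level with MD5 (RFC 3414, sections 2.6, 6.3 and A.2.1). It shows what the manager and the printer each derive from the SNMPv3 password and what the 12-byte authentication parameter does and does not protect. The password and engine ID are the RFC 3414 A.3.1 test vector; the message is constructed.

```python
"""Added example, not code from the Canon guide or the printer: RFC 3414 USM key derivation
and HMAC-MD5-96 authentication, as used by the 'Auth, NoPriv' level with MD5."""
import hashlib
import hmac


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: MD5 over the password repeated up to 1,048,576 bytes (Ku)."""
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.md5(stream).digest()


def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 section 2.6: Kul = MD5(Ku || snmpEngineID || Ku). The same password yields a
    different key on every agent, so a key recovered from one printer does not open another."""
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_parameters_md5(kul: bytes, whole_msg: bytes) -> bytes:
    """HMAC-MD5-96 (RFC 3414 section 6.3.1): msgAuthenticationParameters is the first
    12 bytes of HMAC-MD5 over the whole message with that field zero-filled."""
    return hmac.new(kul, whole_msg, hashlib.md5).digest()[:12]


def verify_auth_parameters_md5(kul: bytes, whole_msg: bytes, received: bytes) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_parameters_md5(kul, whole_msg), received)


if __name__ == "__main__":
    engine_id = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3.1 vector
    kul = localize_key_md5(password_to_key_md5(b"maplesyrup"), engine_id)
    # Constructed stand-in for an SNMPv3 message. With 'Auth, NoPriv' the PDU is sent in
    # clear text: anyone on the path can read it, but cannot alter it unnoticed.
    msg = b"get-request sysName.0 (plaintext PDU)"
    tag = auth_parameters_md5(kul, msg)
    print("Kul:", kul.hex(), "tag:", tag.hex())
    print("unmodified accepted:", verify_auth_parameters_md5(kul, msg, tag))
    tampered = msg.replace(b"sysName", b"sysContact")
    print("tampered accepted:", verify_auth_parameters_md5(kul, tampered, tag))
```

Because the printer offers neither privacy nor the SHA-2 authentication protocols of RFC 7860, the practical mitigation is to restrict who can reach the SNMP port at all, for example with the 'Access control' stations described in this chapter.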
Secure Boot (PW3000/3500/5000/5500/7500)
Whitelisting (McAfee Application Control) (PW3000/3500/5000/5500/7500)
Pre-requisite
• A license for the option: 'Whitelisting (McAfee) License'
NOTE
The whitelisting process needs 30-60 minutes to create the 'fingerprint' (on newly
installed systems this is faster than on systems that have been in use for some time,
because the amount of data on the disks has grown). Meanwhile the setting 'Current
protection status' stays at 'Protection not activated'.
5. After 60 minutes, reboot the printer. After the reboot the setting 'Current protection status'
changes to 'Protection activated'.
NOTE
If the reboot is done before the whitelisting process has finished, the process starts
again after the reboot. When it then finishes, the setting 'Current protection status'
changes to 'Protection activated'.
Data security
User authentication
Introduction
In order to increase document confidentiality, the users can secure printing/copying/scanning
operations with the user authentication.
The 'User authentication' feature is an option.
When the 'User authentication' feature is enabled:
• The jobs are not printed until the owner of the job authenticates on the system user panel.
The print jobs are stored in the printer and only the owner of the jobs can access them.
• Copying and scanning operations are accessible only after the user authenticates on the
system user panel.
• You cannot retrieve scanned files that are stored locally on the controller.
User authentication methods
One of the three following methods can be used for user authentication:
• User name and password
The user name and password are required on the printer panel. This authentication method is
mainly targeted at Windows-based environments (Microsoft Active Directory).
• Smart card (PKI card compatible with Microsoft Active Directory Certificate Services)
A valid smart card must be inserted into the smart card reader (plugged into the USB port).
• Contactless card
A valid contactless card must be passed over a contactless card reader (plugged into the
USB port). This authentication method is mainly targeted at Windows-based environments
(Microsoft Active Directory).
NOTE
It is possible to combine some of the authentication methods:
Secure printing, copying and scanning operations with the User authentication
Functional description
Impact of the user authentication on the system features and Express WebTools
Introduction
The Scan and Copy features are accessible only after the user authenticates on the user panel.
When the user authentication is activated, in order to guarantee data confidentiality:
• Some features of the system are disabled (see below).
• The related settings are no longer accessible (see below).
• The time-out set for the 'Remove completed jobs from the Smart Inbox after' setting in
'Preferences' - 'System defaults' - 'Job management' applies and deletes:
- the jobs that are submitted without valid authentication information.
- the jobs that are not accessed during this period of time.
NO user, even users with privileges such as System Administrator, Key Operator, Power user or
Service, can see the content of the jobs or act on them.
Additional information
To secure the job data and job ownership on the network, during the job submission / the job
scanning to external locations, the use of a secured network (IPsec for instance) is recommended.
User authentication: the standard workflows
Introduction
Find below the standard workflow for printing and the standard workflow for scanning/copying
when the user authentication is activated and configured on the print system.
Print workflow
1. Logging on a workstation: the user logs in with his/her credentials.
Example: 'user1' on 'domain.com' and the associated password.
2. Job submission: the user submits jobs using a printer driver (e.g. WPD2/Driver Select) or a
job submitter (e.g. Publisher Select 3).
3. Authentication on the printer: the user logs in on the printer:
• either by typing his/her user name and password on the printer panel
• or by using his/her smart card
The credentials used on the printer must be the same as the ones used at job submission time.
Example: 'user1' belonging to the domain 'domain.com'.
4. Job management: on the bottom right part of the panel (Smart Access), the user can see the
jobs submitted with his/her user credentials. The user can check the jobs and change the settings.
5. Job print: the user prints the jobs by pressing the green button.
6. Print queue: the user can open the print queue and follow the progress of the jobs.
NOTE
All the jobs in 'Ready to print' state are printed, even when the user logs out in the meantime.
Recommendation: for complete security of the printed data, we recommend that the user stays
close to the printer until all the jobs are completely printed.
The jobs in 'Processing' state are not printed if the user logs out before they reach the
'Ready to print' status.
Scanning/copying workflow
1. Logging on the printer: the user logs in on the printer:
• either by typing his/her user name and password on the printer panel.
• or by using his/her smart card.
Example: 'user1' on 'domain.com'
2. Workflow selection: the user selects Copy or Scan in the menu.
NOTE
For scan operations, it is recommended to scan to an external location (not locally on the
controller).
When the user logs in to an external location, the login name in the top menu is replaced by
the login name for the external location. The 'User session time-out' set in the
'Security' - 'Configuration' tab applies both to the user authentication on the user panel and
to the authentication on the external locations.
The files scanned locally to the controller can be used only for reprint purposes. They cannot
be retrieved or saved from the network.
3. Job copy or scan: the user loads the original and starts the copy or scan of the job to an
external location.
The user authentication in the main job submission workflows
Introduction
There are several ways to submit print jobs to the printer.
Find below the recommendations for benefiting from the protection by the user authentication in
the recommended job submission workflows:
• Job submission with Publisher Select (from version 1.17)
• Job submission from an application with the WPD2 (from version 2.11) or Driver Select
• Job submission from an application with the PS3 driver (from version 1.24) or Driver Express
NOTE
In Publisher Select, the user account name cannot be changed.
NOTE
If the user account name is not displayed, open the 'Options' - 'Advanced options' window and
check the option 'Require user authentication' in 'Troubleshooting'.
Other submission workflows
NOTE
In the driver, the user name cannot be changed.
NOTE
The user name of the user logged on the system does not overwrite the 'Username' embedded
into the job ticket.
If there is no ticket, or no 'Username' in the ticket, the user name 'anonymous' is attached to
the job and stored in the system controller. Only a user with the account name 'anonymous' can
then see and act on these jobs.
NOTE
The job owner declared in Publisher Express does not overwrite the 'Username' embedded into
the job ticket.
Authentication by Smart card
Requirements
Introduction
To use the authentication by smart card, the smart card and the smart card reader must comply
with the following requirements:
Additional information
- Contact your Canon representative if you want to use a smart card or a smart card reader that
is not listed above.
- Plug the smart card reader into the USB port (contact your local Canon representative).
- The only network communication performed during authentication with a smart card is the one
with the revocation server: the information on the smart card and in the Express WebTools
settings is checked against the information stored on the revocation server.
Configure the Smart card authentication
Introduction
Perform the following steps to activate the user authentication and configure the smart card
authentication.
Procedure
1. Open the 'Security' - 'Trusted certificates' page.
2. Click 'Create new' to create one certificate for each of the root and intermediate certificates used
in the certificate chain for the authentication.
When the URL of the revocation server is embedded into the smart cards, leave the 'Forced URL
of OCSP responder' field empty.
Enter the URL of the revocation server only if this URL is not already embedded into the smart
cards.
4. Repeat the creation operation for every root and intermediate certificate.
5. Go to the 'Security' - 'Configuration' - 'User access configuration' section.
6. Set the user access settings:
When this setting is not activated, only the user name (without the suffix) is used for the job
filtering.
Example: 'user1' only is used for filtering the job sent by all 'user1' users, whatever their
domain. When logged in on the printer, 'user1' will have access to all jobs submitted by:
• 'user1@domain.com'
• 'user1'
• 'user1@anydomain.net'
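The following is an added example, not code from the Canon guide or the printer. It implements the job-visibility rule of the 'Require the fully qualified name of the job owner' setting described above, together with the 'anonymous' owner that jobs without a ticket user name receive (see 'Other submission workflows'). The job tickets are constructed, and exact, case-sensitive comparison of owner and login is an assumption of this example.

```python
"""Added example, not code from the Canon guide: job filtering with and without
'Require the fully qualified name of the job owner'. Tickets are constructed; exact,
case-sensitive matching is an assumption."""
from __future__ import annotations


def job_owner(ticket: dict | None) -> str:
    """Owner recorded on the controller: the ticket's 'Username', or 'anonymous' when there
    is no ticket or no user name in it."""
    if not ticket or not ticket.get("Username"):
        return "anonymous"
    return ticket["Username"]


def short_name(name: str) -> str:
    """'user1@domain.com' -> 'user1'; the part the printer compares when the setting is off."""
    return name.split("@", 1)[0]


def visible_jobs(login: str, jobs: list[dict], require_fqdn: bool) -> list[str]:
    """Ids of the jobs the logged-in user may see.
    require_fqdn=True : the owner must equal the UPN the user logged in with.
    require_fqdn=False: only the names without suffix are compared, so 'user1' from any
                        domain sees the jobs of every 'user1'."""
    result = []
    for job in jobs:
        owner = job_owner(job.get("ticket"))
        if require_fqdn:
            match = owner == login
        else:
            match = short_name(owner) == short_name(login)
        if match:
            result.append(job["id"])
    return result


# Constructed Smart Inbox content: the three 'user1' owners from the text, another user,
# a job without ticket and a job whose ticket carries an empty Username.
JOBS = [
    {"id": "J1", "ticket": {"Username": "user1@domain.com"}},
    {"id": "J2", "ticket": {"Username": "user1"}},
    {"id": "J3", "ticket": {"Username": "user1@anydomain.net"}},
    {"id": "J4", "ticket": {"Username": "user2@domain.com"}},
    {"id": "J5", "ticket": None},
    {"id": "J6", "ticket": {"Username": ""}},
]

if __name__ == "__main__":
    print("setting off:", visible_jobs("user1@domain.com", JOBS, require_fqdn=False))
    print("setting on: ", visible_jobs("user1@domain.com", JOBS, require_fqdn=True))
    print("anonymous:  ", visible_jobs("anonymous", JOBS, require_fqdn=True))
```

The run shows the trade-off: with the setting off, a 'user1' from 'anydomain.net' sees the jobs of 'user1@domain.com'; with it on, every submission path must embed the full UPN or the owner will not find his/her jobs.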
Validate the smart card configuration
When to do
After you configured the user access mode via smart card, validate it.
Procedure
1. Insert a valid smart card in the smart card reader.
2. Below the 'User access mode' section, click 'Validate the configuration'.
3. Leave the 'User name' field empty and enter the PIN if it is required in the user access settings.
4. Click 'OK'.
A report is generated:
Authentication on the user panel
Introduction
Insert the smart card into the card reader.
• The authentication is automatic when the smart card contains a valid user name (and no
password is needed).
• A login window is displayed when the authentication with the smart card requires a PIN. Enter
the PIN in the password field.
• A login window is displayed when there is more than one user registered into the smart card.
Select the user name and enter the PIN in the password field.
After authentication, the name of the user is displayed in the top menu.
Troubleshooting of authentication by smart card
Introduction
When an error occurs during the configuration of the authentication by smart card, go to the
'Security' - 'Configuration' page and start the validation tool (See topic 'Validate the smart card
configuration').
Find below the list of possible causes of errors that can occur during the validation of the smart
card configuration.
Authentication by Contactless card
Requirements
Introduction
To use the authentication by contactless card, the contactless card and the contactless card
reader must comply with the following requirements:
Additional information
- Contact your Canon representative in case you want to use a contactless card or a contactless
card reader which is not recorded in the above lists.
- Plug the contactless card reader into the USB port (contact your local Canon representative).
Configure the Contactless card authentication
Introduction
Perform the following steps to activate the user authentication and configure the contactless card
authentication.
Create the domain(s) and set the user access configuration settings
Procedure
1. Open the 'Security' - 'Domains' page.
2. Click 'Create new' to create a domain:
• 'LDAP search base': by default the complete LDAP database (the defaultNamingContext attribute).
With several LDAP databases, indicating a narrower search base (Custom LDAP search base) can
improve performance.
5. Repeat the creation operation for every domain needed.
6. Go to the 'Security' - 'Configuration' - 'User access configuration' section.
7. Set the user access settings:
• The 'User session time-out', in minutes: the duration of a user session before automatic
log-out on the system user panel.
Note: it is recommended to increase this duration for big jobs or heavy print files.
• Whether the PIN of the contactless card is requested at login time.
• Whether the fully qualified name of the job owner is used for job filtering
('Require the fully qualified name of the job owner' setting). The user then sees only the jobs
that have been submitted with this FQDN.
• The type of the contactless card: FeliCa, MIFARE or both.
Validate the contactless card configuration
When to do
After you configured the authentication by contactless card, validate it.
Procedure
1. Below the 'User access mode' section, click 'Validate the configuration of the user access mode'.
Authentication by contactless card on the user panel
Introduction
Approach the contactless card reader with the contactless card.
• The authentication is automatic when the contactless card contains valid credentials.
• A login window is displayed when the authentication with the contactless card requires a PIN.
Enter the PIN in the password field.
After authentication, the name of the user is displayed in the top menu.
Troubleshooting of authentication by contactless card
Introduction
When an error occurs during the configuration of the authentication by contactless card, go to the
'Security' - 'Configuration' page and start the validation tool (see Validate the contactless card
configuration on page 295).
Find below the list of possible causes of errors that can occur during the validation of the
contactless card configuration.
If the 'Validate configuration' tool reports no red cross but authentication with the card still
fails, check:
• If the PIN code is correct but authentication fails, check that the LDAP attribute for the card ID
is correctly set in the domain you created (this can happen when the PIN code setting is set up
AFTER the domain has been created).
• whether the account has been disabled in Active Directory
• whether the account has been locked in Active Directory
• whether the account has expired in Active Directory
• whether the account password has expired
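The following is an added example, not code from the Canon guide or the printer: it turns the four Active Directory checks in the list above into one function over the attributes an LDAP lookup of the user returns, so that the cause of a failed card logon can be established from the directory data. The attribute semantics (userAccountControl bits, FILETIME encoding, lockoutTime, pwdLastSet, the msDS-User-Account-Control-Computed bits) are those documented by Microsoft; the sample attribute values, lockout duration and maximum password age are constructed, and treating pwdLastSet = 0 ("must change password at next logon") as an expired password is an assumption.

```python
"""Added example, not code from the Canon guide: evaluates the four AD account checks of the
contactless-card troubleshooting list from LDAP attributes. Sample values are constructed."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002           # userAccountControl
DONT_EXPIRE_PASSWORD = 0x10000    # userAccountControl
LOCKOUT = 0x0010                  # msDS-User-Account-Control-Computed
PASSWORD_EXPIRED = 0x800000       # msDS-User-Account-Control-Computed
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning 'never'
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """accountExpires, lockoutTime and pwdLastSet are 100-ns intervals since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    return ((when - _EPOCH_1601) // timedelta(microseconds=1)) * 10


def account_problems(attrs: dict, now: datetime,
                     lockout_duration: timedelta, max_pwd_age: timedelta) -> list[str]:
    """Returns the reasons, in checklist order, why this account cannot log on."""
    problems = []
    uac = int(attrs.get("userAccountControl", 0))
    computed = int(attrs.get("msDS-User-Account-Control-Computed", 0))

    if uac & ACCOUNTDISABLE:
        problems.append("account disabled")

    # lockoutTime is not cleared when the lockout duration elapses: the account is still
    # locked only if the timestamp is younger than the domain's lockout duration.
    lockout_time = int(attrs.get("lockoutTime", 0))
    locked = computed & LOCKOUT or (
        lockout_time and now - filetime_to_datetime(lockout_time) < lockout_duration)
    if locked:
        problems.append("account locked")

    expires = int(attrs.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        problems.append("account expired")

    # pwdLastSet == 0 means 'must change password at next logon' (treated as expired here,
    # an assumption of this example).
    pwd_last_set = int(attrs.get("pwdLastSet", 0))
    pwd_expired = bool(computed & PASSWORD_EXPIRED) or pwd_last_set == 0 or (
        not uac & DONT_EXPIRE_PASSWORD
        and now - filetime_to_datetime(pwd_last_set) > max_pwd_age)
    if pwd_expired:
        problems.append("password expired")
    return problems


if __name__ == "__main__":
    now = datetime(2020, 7, 1, 12, 0, tzinfo=timezone.utc)
    sample = {  # constructed attributes of one user
        "userAccountControl": 0x0202,  # NORMAL_ACCOUNT | ACCOUNTDISABLE
        "accountExpires": 0,
        "lockoutTime": datetime_to_filetime(now - timedelta(minutes=5)),
        "pwdLastSet": datetime_to_filetime(now - timedelta(days=100)),
    }
    print(account_problems(sample, now, lockout_duration=timedelta(minutes=30),
                           max_pwd_age=timedelta(days=42)))
```

The lockout duration and maximum password age come from the domain's password policy (or the user's fine-grained policy), not from the user object, so they are parameters here.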
Authentication by user name and password
Introduction
Perform the following steps to activate and configure the user authentication by user name and
password
Create the domain(s) and set the user access configuration settings
Procedure
1. Open the 'Security' - 'Domains' page
3. Enter a name for the domain. This name will appear on the user panel as the domain name, so it
is recommended to give it a clear name.
4. Enter a description.
5. Enter the exact fully qualified domain name (FQDN):
6. When the security policy requires it, set the advanced settings:
• 'Suffix for the User Principal Name (UPN)': if there is a custom suffix, select 'Custom' and enter
it (if there are several suffixes in the same domain, create as many domains as suffixes).
• 'Locate LDAP server': enter the LDAP server name (Fully Qualified Domain Name) or IP address
and port number (if not automatically retrieved by the DNS server).
• 'LDAP lookup account': enter the credentials if different from the account of the authenticated
user (which is the default).
• 'LDAP attribute to display on the user panel': by default it is 'displayName', but another
attribute is possible.
• 'LDAP search filter': by default it is based on the user principal name
(userPrincipalName=(upn)), but it can be based on another attribute.
• 'LDAP search base': by default the complete LDAP database (defaultNamingContext attribute).
In case of several LDAP databases, it can be worthwhile for performance improvement to
indicate another LDAP search base (Custom LDAP search base).
• 'LDAP attribute for Home folder': by default the Home directory (for products with the 'Scan to
Home folder' feature).
7. Repeat the creation operation for every domain needed.
8. Go to the 'Security' - 'Configuration' - 'User access configuration' section.
9. Set the user access settings:
• The 'User session time-out' to configure, in minutes, the duration of a user session before
automatic log out on the printer panel.
Note that it is recommended to increase this duration for big jobs or heavy print files.
• Whether the fully qualified name of the job owner is used for job filtering ('Require the fully
qualified name of the job owner' setting).
When this setting is activated, the FQDN of the user is requested when the user logs in on the
printer panel. The user then sees only the jobs that have been submitted with this FQDN.
Example: 'user1@mydomain.com' is logged in on the printer. This user will see only the jobs
that have been submitted by 'user1@mydomain.com'. So the user must make sure that the
submission process embeds this information.
When this setting is not activated, only the user name (without the suffix) is used for the job
filtering.
Example: 'user1' alone is used for filtering, so the jobs of all 'user1' users, if there are
several, are grouped together. When logged in on the printer, 'user1' will have access to all
jobs submitted by:
• 'user1@mydomain.com'
• 'user1'
• 'user1@anydomain.net'
Keep the setting activated when several domains are configured: otherwise a user of one domain
can see and print the jobs of a user with the same name in another domain.
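The domain settings above describe the lookup the printer performs once the user's credentials have been accepted, and the troubleshooting list for contactless cards earlier in this chapter names the Active Directory account states that still make a login fail. The Python script below, added here as an illustration and not part of the Canon software, reproduces both on a small constructed directory: it builds the default search filter '(userPrincipalName=(upn))' with RFC 4515 escaping of the value typed on the panel, evaluates it the way a directory server would, and decodes userAccountControl, lockoutTime, accountExpires and pwdLastSet. The directory entries, the policy values (maximum password age, lockout duration) and the reference time are constructed; the attribute name 'homeDirectory' is an assumption for the 'Home directory' default.

```python
"""Added example (not Canon code). Reproduces the printer's LDAP lookup with the default
'Domains' settings and the account checks of the troubleshooting list, on a constructed
directory. Attribute names follow Active Directory; the policy values are assumptions."""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_FILTER_TEMPLATE = "(userPrincipalName=(upn))"   # default 'LDAP search filter'
DEFAULT_DISPLAY_ATTRIBUTE = "displayName"               # default 'LDAP attribute to display'

# RFC 4515 escaping of the value typed on the panel. Without it, a 'user name' such as '*'
# turns the equality filter into a presence filter that matches every account.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(upn, template=DEFAULT_FILTER_TEMPLATE):
    """Replace the (upn) placeholder of the template with the escaped UPN."""
    return template.replace("(upn)", escape_filter_value(upn))

def _unescape(piece):
    # ASCII-only reversal of the escaping above (enough for this example).
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def match_filter(filter_str, entry):
    """Evaluate a simple '(attribute=value)' filter like a server: an unescaped '*' is a
    wildcard, an escaped one is a literal; AD compares UPNs case-insensitively."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("only simple (attribute=value) filters are supported here")
    attribute, value = m.group(1), m.group(2)
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    return re.fullmatch(pattern, str(entry.get(attribute, "")), re.IGNORECASE) is not None

def lookup(directory, filter_str):
    return [entry for entry in directory if match_filter(filter_str, entry)]

# Account state, decoded from the attributes an AD entry carries.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch (100 ns ticks)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)                          # accountExpires values meaning 'never'
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000

def filetime_to_datetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def account_problems(entry, now, max_pwd_age, lockout_duration):
    """Reasons from the troubleshooting list that apply to the entry. The policy values are
    timedeltas; lockout_duration=None means 'locked until an administrator unlocks'."""
    problems = []
    uac = int(entry.get("userAccountControl", 0))
    if uac & UF_ACCOUNTDISABLE:
        problems.append("account disabled")
    locked_at = int(entry.get("lockoutTime", 0))
    if locked_at and (lockout_duration is None
                      or filetime_to_datetime(locked_at) + lockout_duration > now):
        problems.append("account locked")
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER and filetime_to_datetime(expires) < now:
        problems.append("account expired")
    pwd_last_set = int(entry.get("pwdLastSet", 0))
    if not uac & UF_DONT_EXPIRE_PASSWD and (
            pwd_last_set == 0 or filetime_to_datetime(pwd_last_set) + max_pwd_age < now):
        problems.append("password expired")
    return problems

# Constructed directory and policy (no real accounts), evaluated at a fixed reference time.
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
POLICY = {"max_pwd_age": timedelta(days=90), "lockout_duration": timedelta(minutes=30)}

def _ago(**delta):
    return datetime_to_filetime(NOW - timedelta(**delta))

def _user(n, name, uac=0x200, pwd_days=10, expires=0, locked_at=0):
    return {"userPrincipalName": "user%d@mydomain.com" % n, "displayName": name,
            "homeDirectory": r"\\files\home\user%d" % n, "userAccountControl": uac,
            "pwdLastSet": _ago(days=pwd_days), "accountExpires": expires, "lockoutTime": locked_at}

DIRECTORY = [
    _user(1, "User One"),                                       # normal account
    _user(2, "User Two", uac=0x200 | UF_ACCOUNTDISABLE),        # disabled
    _user(3, "User Three", pwd_days=120, expires=_ago(days=1),  # locked, expired, old password
          locked_at=_ago(minutes=5)),
]

def check_login(upn, directory=DIRECTORY, now=NOW, policy=POLICY):
    """After a successful bind the printer looks the user up; this returns the name it would
    display on the panel and the reasons (if any) for which the login is still refused."""
    hits = lookup(directory, build_filter(upn))
    if len(hits) != 1:
        return None, ["%d entries match the filter" % len(hits)]
    return hits[0][DEFAULT_DISPLAY_ATTRIBUTE], account_problems(hits[0], now, **policy)
```

Against a real domain, replace lookup() with an LDAP search issued with the 'LDAP lookup account' credentials and the configured search base; the escaping and the state decoding stay the same. A UPN typed as '*' shows why the escaping matters: escaped, the filter matches nothing, while the raw filter '(userPrincipalName=*)' matches every account in the search base.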
Validate the configuration
When to do
After you configured the authentication by user name and password, validate it.
Procedure
1. Below the 'User access mode' section, click 'Validate the configuration'.
4. Click 'OK'.
A report is generated:
Authentication on the system user panel
Introduction
On the system user panel, tap the 'log in' icon to display the window.
• Select the domain.
• Type in the user name and the password.
After authentication, the name of the user is displayed in the top menu.
Troubleshooting
Introduction
When an error occurs during authentication by user name and password, go to the 'Security' -
'Configuration' page and run 'Validate the configuration' (see Validate the configuration on page 559).
Find below the list of possible causes of errors that can occur during the validation of the
configuration.
Log out
Introduction
A session can be interrupted manually by a log out, or automatically by the session time-out, in
all conditions (normal working condition or error status).
A warning message announces the session time-out 10 seconds before the session closes.
When the session time-out expires the user session is automatically closed, even when a smart
card is inserted.
For security reasons, it is recommended to log out after the job completion, before leaving the
system place.
NOTE
The session is automatically closed when the time-out occurs, even if the smart card is still in the
card reader.
Pull the card out of the reader and insert it again to start a new session.
Special cases: a time-out, pause, or error occurs
Introduction
Find below some cases where the time-out can interact with the behaviour of the system.
NOTE
The time-out counts from the last operation made on the printer panel.
A job remains 24 hours maximum in the system. After this period of time, the jobs that are not
processed are automatically deleted.
Troubleshooting
- In case of authentication by user name and password check the domain, and the user name
used to log in on the printer user panel.
2. Check the exact user name of the owner of the job. Set or change it when needed.
Refer to the user authentication according to the job submission workflow, see The user
authentication in the main job submission workflows on page 282.
• For a job submitted with the PS3 driver, Driver Express or Publisher Select, the user name
and the domain of the user logged in on the workstation are used to submit the job
(including the domain when detected). If needed, log in on the workstation with the
relevant user name on the relevant domain (example: 'user1' on domain 'domain.com')
• For a job submitted with WPD2 or Driver Select, the 'user account name' displayed in the
top right part of the window is used. Change it if needed (example: user1@domain.com).
Note: If the user account name is not displayed, open the 'Options' - 'Advanced options'
window and check the option 'Require user authentication' in 'Troubleshooting'.
• For a job submitted with Publisher Express, or via FTP, or via LPR, that contains a job ticket,
open the job ticket to check the 'Username' field.
• For a job submitted with Publisher Express, that does not contain a job ticket, check the
content of the 'Job owner' field in the Publisher Express (Express WebTools) application.
Set or change the 'Job owner' to the user Fully Qualified Name (example:
user1@domain.com)
• For a job submitted via LPR that does not contain a job ticket, check the user name used for
logging on the workstation, and uncheck the setting, 'Require the fully qualified name of
the job owner' (in Express WebTools - Security - 'Configuration' - 'User access
configuration').
The authentication is successful, I can see the jobs I submitted to the system but not all of them
are printed.
Possible cause:
The time for the processing of the jobs exceeds the user session time-out. Not all the jobs have
reached the 'Ready to print' or 'Printing' status.
Action:
Increase the 'User session time-out' (in Express WebTools - Security - 'Configuration' - 'User
access configuration').
Disable the user authentication
Introduction
In case you are locked out because the user access mode is enabled and you cannot access Express
WebTools, you can disable it on the system panel.
Procedure
1. On the user panel, tap the upper right corner, to display the menu.
2. Select 'Security'.
6. Tap 'Finish'.
7. Restart the system.
Result
The user authentication is disabled.
Hard disk encryption (for PW345/365/450/550)
Pre-requisite
• The hard disk encryption licence
Contact your Canon representative.
• A TPM (Trusted Platform Module) board installed in the controller
A Service technician installs the license and the TPM board. Make sure the System Administrator
grants him the permission by setting 'Allow Service to access licenses information' (in Express
WebTools, in ' Security' - 'Configuration', 'Permissions for Service').
2 encryption modes
There are 2 encryption modes:
NOTE
The encryption method for PW345/365/450/550 version 1.2 and higher is fixed to AES-256, while
the encryption method for other PW345/365/450/550 versions is fixed to AES-128.
When upgrading a PW345/365/450/550 version 1.1 with an encrypted disk to version 1.2, it is
mandatory to first purge the encrypted disk of the version 1.1 system before installing version
R1.2, and then to encrypt the disk again, in order to benefit from the AES-256 method on the new
version (please contact your local Canon representative).
NOTE
Important remark: when the system is purged, the system and the print/scan data are
decommissioned.
To use the system again, it must be completely reinstalled. The reinstallation will start
automatically when the system is powered on again. Contact your Service representative.
Hard disk encryption (PW3000/3500/5000/5500/7500)
NOTE
Disk encryption has no impact on the performance. It should only be suspended in exceptional
cases.
After suspending it, you can re-enable encryption again. Re-enabling disk encryption should be
done by your local (Canon) representative, as the printer software needs to be reinstalled after
re-enabling encryption.
It is particularly recommended:
• In case of leasing, before the system is given back.
• At the system's end of life, before it is recycled.
To purge the system from the printer operating panel:
1. In the system settings, select 'Security'.
2. In the 'Current Security Configuration' window, tap 'Next'.
3. Now you get a window with possible operations.
Select 'Purge the System' and tap 'Next'.
4. A warning window is displayed.
Tap ‘Start’ to start the purging process.
5. When the purge process is ready, power off the system (by using the black power button at
the back of the printer, or by pushing the button on the front of the printer for a few seconds).
NOTE
Important remark: when the system is purged, all the data and the configuration are deleted.
To use the system again, it must be completely reinstalled.
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature that overwrites user print/copy/scan data when it
is deleted from the system.
This prevents the recovery of deleted user data (file content and attributes).
A deleted job is a job that can no longer be retrieved from any user interface.
E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense
directive)
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35.
NOTE
The e-shredding feature has been designed to minimise the impact on overall system
performance.
However, the more passes selected, the more impact it has on general performance.
It is recommended to minimise the number of passes when document production is required.
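The three behaviours above differ only in the number and kind of overwrite passes. The Python shredder below is an added example and not the printer's implementation: it overwrites a file in place once per pass (0x00, 0xFF and random data for the 3-pass choice, the sequence commonly used for DoD 5220.22-M; random data on every pass for the other two, as described above), forces each pass to the medium, renames the file to a random name so that the original name does not remain in the directory, and then unlinks it. The sample 'print job' is constructed by demo().

```python
"""Added example (not the printer's implementation): a file e-shredder with the three
behaviours listed above. The 3-pass choice writes 0x00, 0xFF and random data; 'Gutmann'
and 'Custom' follow the page's description and write random data on every pass."""
import os
import secrets
import tempfile

CHUNK = 1 << 16


def pass_patterns(algorithm, custom_passes=3):
    """One entry per pass: a one-byte pattern, or None for a pass of random data."""
    if algorithm == "DOD 5220.22-M":
        return [b"\x00", b"\xff", None]
    if algorithm == "Gutmann":
        return [None] * 35
    if algorithm == "Custom":
        if not 1 <= custom_passes <= 35:
            raise ValueError("Custom allows 1 to 35 passes")
        return [None] * custom_passes
    raise ValueError("unknown e-shredding algorithm: %r" % algorithm)


def overwrite_file(path, patterns):
    """Overwrite the whole file in place once per pattern, forcing each pass to the medium
    before starting the next. Returns the number of passes written."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                written = 0
                while written < n:                 # unbuffered writes may be partial
                    written += f.write(block[written:])
                remaining -= n
            os.fsync(f.fileno())
    return len(patterns)


def shred(path, algorithm="DOD 5220.22-M", custom_passes=3):
    """Destroy the content, then the file name, before unlinking."""
    passes = overwrite_file(path, pass_patterns(algorithm, custom_passes))
    anonymous = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.replace(path, anonymous)
    os.unlink(anonymous)
    return passes


def demo():
    """Shred a constructed 'print job' and report what is observable at each stage."""
    fd, path = tempfile.mkstemp(prefix="job-", suffix=".pdf")
    original = b"%PDF-1.4 constructed job data, confidential drawing\n" * 2000
    with os.fdopen(fd, "wb") as f:
        f.write(original)
    overwrite_file(path, [b"\x00"])                   # first pass alone, to inspect it
    with open(path, "rb") as f:
        after_first_pass = f.read()
    passes = shred(path, "Custom", custom_passes=2)   # the remaining passes, then delete
    return {
        "size": len(original),
        "first_pass_zeroed": after_first_pass == b"\x00" * len(original),
        "passes_on_delete": passes,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

In-place overwriting assumes that a write reaches the same physical blocks as the data it replaces. That holds for magnetic disks but not for SSDs with wear levelling, nor for journaling or copy-on-write filesystems, which is why hard disk encryption and the purge procedure remain the controls to rely on at the end of the system's life.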
Enable the e-shredding in Express WebTools
Procedure
1. In Express Webtools, open the 'Security' - 'Configuration' page and select the 'E-shredding'
section.
2. Click 'Edit.'
3. Tick 'E-shredding' to enable the feature.
4. Select the algorithm.
Result
When the E-shredding feature is enabled:
• A new icon is added to the list of icons (bottom right) in the Express WebTools window:
• On the printer user panel, an indication is displayed in the System menu: 'E-shredding
enabled':
Each time data (file's content or attributes) is deleted from the system, the e-shredding process
occurs.
For a while, the E-shredding feedback returns 'busy'.
In the Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-
shredding busy' status
Once the e-shredding data process is complete, the status comes back to 'E-shredding ready' in
the Express WebTools (roll over the icon).
E-shredding process and system behaviour
NOTE
When you enable the e-shredding feature, the 'Save received job data for Service' feature (in
Preferences - System defaults - In case of errors) is automatically disabled, to avoid any storage
of job data that would not be automatically deleted.
The first e-shredding pass is performed immediately after the job is deleted. Subsequent passes
are performed in background.
IPsec
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network
communication between devices.
The encryption of the IPsec traffic protects the confidentiality of the user print and scan data
on the network.
You can connect up to 5 IPsec stations to the print/scan system.
Illustration
NOTE
The following IPsec parameters cannot be changed (where two values are listed, the first is
proposed first and the second is the fallback):
• IKE Diffie-Hellman group: 2 then 1
• IKE SA lifetime: 28800 s
• IKE security method: 3DES then MD5
• IKE hash: SHA1 then MD5
• ESP encryption: 3DES then DES
• ESP hash: SHA1 then MD5 then None
• AH hash: SHA1 then MD5
• Encapsulation type: Transport
• Protocol SA lifetime: 3600 s
DES, MD5 and Diffie-Hellman group 1 are obsolete algorithms, and an ESP hash of 'None' gives no
integrity protection. Because the fallbacks cannot be removed on the controller, configure the
filter action and the key exchange security methods of the workstation policy to offer only 3DES,
SHA1 and group 2, so that the weaker alternatives are never negotiated.
Configure the IPsec settings in the controller
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools.
2. Open the 'Security' - 'Configuration' page.
3. In the 'Access control' section, click on the general 'Edit':
NOTE
Write down this preshared key; it will be required during the IPsec configuration on the
workstation. Keep it as confidential as a password: it is the only secret that authenticates the
IPsec stations to the controller.
7. Click OK
Note: The settings are applied as soon as 'OK' is validated (and before the restart). You may lose
the remote connection to the system when your workstation is not part of the configured stations.
Result
The IPsec settings are configured on the controller for a connection to a workstation.
Configure the IPsec settings on a workstation or a print server
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on the workstation with the Administration rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and
a workstation.
On the workstation, perform the following 7 actions:
1- Add the security snap-in on page 140
2- Create the security policy on page 142
3- Create the filter list on page 143
4- Define the filter actions and security negotiation on page 145
5- Define the security rule on page 147
6- Assign the security policy on page 150
7- Customize the IPsec settings on page 150
NOTE
The procedure below shows the configuration steps on Windows server 2008 for a ColorWave
300 system.
The procedure is similar on other Operating Systems (Windows 7) and for other ColorWave/
PlotWave printers.
Add the security snap-in
Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
Create the security policy
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security
Policy'
Create the filter list
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter
lists and filter actions…'
Define the filter actions and security negotiation
Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
'Data and address integrity without encryption (AH)' setting is not mandatory.
8. Click 'OK' and 'Next', then 'Finish'
Define the security rule
Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the
wizard
(On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on
"Add")
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange
(preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the
controller on page 138), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule
Assign the security policy
Procedure
1. In the console, right click on the security policy just created and select 'Assign'
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec
station to the printer/scanner controller
Customize the IPsec settings
Procedure
1. In the Control panel select 'Windows Firewall' - 'Advanced settings' to open the 'Windows
Firewall with Advanced Security' window
2. In the 'Actions' section on the right hand side, click on 'Windows Firewall with Advanced Security
on Local Computer' to expand the menu
3. Select 'Properties'
4. In the 'IPsec Settings' tab, click on the 'Customize...' button of the 'IPsec defaults'
5. In the 'Data protection (Quick Mode)' section, select 'Advanced' and click on 'Customize...'
6. Check the 'Require encryption for all connection security rules that use these settings.' box
Remove your workstation from the IPsec/Access control configuration when it must not remain in
the list of connected stations.
For all other printers
When the test works properly it is recommended to disable the 'Failsafe mode' on the printer/
scanner controller. So, only the IPsec station is allowed to communicate with the printer/scanner
system.
Troubleshooting: Disable 'Access control' and IPsec
Introduction
In the following case:
• Access control and IPsec have been enabled without any station defined
and
• The communication between the controller and the host stations fails
Any remote connection to Express WebTools is impossible. The system is unreachable.
Then, use the emergency procedure to disable IPsec and Access control via the printer user
panel.
Procedure
1. On the user panel, tap the upper right corner, to display the menu
2. Select 'Security'
Result
Access control and IPsec functions are disabled.
After the restart, you will be able to remotely open Express WebTools from any workstation
(HTTP).
HTTPS
Encrypt print data and manage the system configuration using HTTPS
Introduction
In the PlotWave systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Publisher Express
- send encrypted print data to the printer controller via Publisher Select 3 (for
PW3000/3500/5000/5500/7500)
- save encrypted scan jobs from the printer controller (Scans Inbox)
- securely manage the configuration of the system through Express WebTools
The certificate of the controller allows the workstations to check the identity of the controller
during the communication.
The HTTPS protocol is always available.
All settings and options available through HTTP are also available through HTTPS.
Use the self-signed certificate with Internet Explorer
In order to easily and securely use the self-signed certificate in your web browser, you must:
- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate
Procedure
1. On a workstation, type the URL address of the printer in Internet Explorer: https://[printer
hostname or Printer IP address].
A warning window opens:
7. Choose either 'Current User' or 'Local Machine' (check with your IT department) and click on
'Next'.
8. Select 'Place all certificates in the following store' and click on 'Browse...'.
Before the import or when the import fails, the certificate status will look like:
13. In the Security section, uncheck the option 'Warn about certificate address mismatch':
Note that this option applies to every HTTPS site visited with Internet Explorer, not only to the
printer. Where possible, keep it enabled and make the certificate name match the URL instead:
request a certificate whose Common Name is the host name or FQDN you type in the address bar
(see Request and import a CA-signed certificate).
14. Click on 'Apply' and next on 'OK' and close all instances of Internet Explorer.
15. Restart the browser and type the URL of the printer in Internet Explorer (https://[printer hostname
or Printer IP address].
Result
The padlock is displayed on the address bar. The self-signed certificate then guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network
This holds only for the certificate you viewed and checked before importing it: the browser now
trusts that specific certificate, and a different certificate presented for the same address (for
example by a device impersonating the printer) raises the warning again.
Use the self-signed certificate with Mozilla Firefox
Procedure
1. On a workstation, type the URL address of the printer in Mozilla Firefox: https://[printer hostname
or Printer IP address].
A warning window opens:
2. Select 'Advanced'.
Request and import a CA-signed certificate
Introduction
By default the first certificate delivered for the use of HTTPS is the self-signed certificate of the
printer.
To ensure a fully trusted authentication, you can request and import a certificate delivered by a
Certification Authority (CA-signed certificate).
A1 - Back up the current certificate and private key (if any). The current certificate can be:
• the self-signed certificate of the printer
• a CA-signed certificate (delivered by a Certification Authority) you previously installed
See Back up a certificate and private key on page 347.
A2 - Generate the certificate request. Make this step when you want to request and install a
CA-signed certificate. During the creation of the request, a new private key is created.
See Generate a CA-signed certificate on page 348.
A3 - Save the content of the certificate request. Send this content to the Certification Authority
to request a (CA-signed) certificate. The Certification Authority will check the request and reply:
- If the request is valid, go to step A4
- If the request is not valid, make a new request (A2) according to the remarks/corrections
suggested by the CA request feedback
A4 - Restart the controller
A5 - Back up the private key. Save a back up of the private key associated with the certificate
you will receive.
See Back up a certificate and private key on page 347.
B1 - Save and store the new CA-signed certificate. Save the CA-signed certificate you received
from the Certification Authority.
B2 - Import the new CA-signed certificate into the controller. Import the CA-signed certificate
(Root and/or Intermediate and CA-signed certificates).
See Import a CA signed certificate on page 349.
B3 - Restart the controller
B4 - Import the Root certificate into the web browsers of the workstations. The Root certificate
identifies the Certification Authority. By default, the web browsers contain a list of well-known
and trusted Root certificates. In case the Root certificate of the Certification Authority is not
in this list, install the CA Root certificate in the 'Trusted Root certificates' list of the web
browser, on each workstation.
See Check and import the root certificate on page 350.
B5 - Back up the certificate and private key. Back up and store the certificate and the private
key.
Note: It is highly recommended to back up the CA-signed certificate and the private key since
they are not saved in any system backup.
See Back up a certificate and private key on page 347.
Other procedures
Restore a certificate and a private key: you can restore the certificate and the private key at
any moment, in case of need.
See Restore a certificate on page 351.
Reset the current certificate: you can reset the certificate after a certificate request or at
any moment when you want to restore a self-signed certificate. This procedure creates a new
self-signed certificate.
See Reset a certificate on page 351.
Back up a certificate and a private key
When to do
You must back up the certificate and private key:
• BEFORE the generation of a certificate request (step A1 of the HTTPS Description of the overall
procedure on page 346):
To save your current certificate and private key.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. Log on as the printer system administrator
3. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Backup
certificate and private key]
4. To save the server certificate and private key, enter a password made of 6 characters at least
([Password used to encrypt the private key])
5. Confirm the password
6. Click 'Save'
7. Download and store the backup file (.jks) in a protected location: it contains the private key,
protected only by the password you entered.
Generate a CA-signed certificate request
Purpose
Create a certificate request.
Use this function only when you want to request a new CA-signed certificate.
Pre-requisites
Back up the current Certificate and Private key already installed on the controller (see Back up a
certificate and private key on page 347).
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Generate a
certificate request'
3. Fill out the form with the requested information
NOTE
Attention: in the certificate request:
• The Common Name MUST be the host name or the Fully Qualified Domain Name (FQDN) of the
printer (e.g. 'ColorWave700' or 'ColorWave700.mycompany.com'). This Common Name will be used
in the URL (e.g. 'https://[CommonName]'), so use the form under which the workstations actually
address the printer: a certificate issued for the short host name does not match the FQDN, and
vice versa.
• The country name MUST follow the ISO 3166 standard and be composed of 2 characters (e.g. 'us'
for United States)
4. Click 'Generate'.
Result
The web server generates a certificate request. The content of the request is displayed (plain
text).
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvDCCASQAwfDELMAkGA1UEBMCRlIxDDAKBgNVBAgTA0lERjEQMA4GA1UEBxMHQ1JFVEVJ
TDEBEGA1UEChMKT2NlIFBMVCBTQTEMMAoGA1UECxMDU05TMSowKAYDVQQDEyF0ZHM3MDAtNzQw
LnNucy5vY2VjcmV0WlsLm9jZS5uZwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2NKQMd
HjiDZ1khzTJTORxHqjKl3AtE3PXqRsiHouTH5JTceYtaBjCnxCJ4pGKY5iKN8KJiJuZG8PHxY7o
W/+zpvxN2VtX7TcyTAvyCThUwL+cqo75tvODo5HMCUa2sLdl8GO9WMLpgZkxH5KzIiO+LcI4
yQbqhENynywS0C2ObXCq3yksF74+XIO0swhoA2yfDp4T+LuF3wxys8lUH3ZhhkOYg=-
-----END NEW CERTIFICATE REQUEST-----
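Checking the self-signed certificate by eye, as the browser procedures earlier in this section ask, and choosing the Common Name for the request, as the note above requires, come down to three questions: who signed the certificate, which name it carries, and whether it is valid today. The Python script below is an added example and not Canon's code: fetch_cert() retrieves the printer's certificate (first through a normally verified connection; if that fails, as it does for the default self-signed certificate, the certificate itself is fetched and used as the only trust anchor for a second, verified connection, because getpeercert() returns an empty dictionary on unverified connections), and assess() answers the three questions from the dictionary that the ssl module returns. The host name 'plotwave.example.com' and SAMPLE_CERT are constructed. Current browsers match the URL host against the Subject Alternative Name extension and may not accept a certificate that carries the name only in the Common Name, which is why assess() also reports whether a SAN is present.

```python
"""Added example (not Canon code): fetch the printer's HTTPS certificate and answer the
questions the browser procedures ask you to check by eye. SAMPLE_CERT is constructed in the
shape returned by ssl.SSLSocket.getpeercert(); 'plotwave.example.com' is an assumed host name."""
import os
import socket
import ssl
import tempfile
import time


def _peer_cert(host, port, timeout, ctx):
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def fetch_cert(host, port=443, timeout=5.0):
    """Return the server certificate as a getpeercert() dictionary.
    A verified connection is tried first (CA-signed certificate, trusted by the local store).
    If that fails, e.g. for the default self-signed certificate, the PEM is fetched without
    verification and used as the only trust anchor for a second, verified connection."""
    try:
        return _peer_cert(host, port, timeout, ssl.create_default_context())
    except ssl.SSLCertVerificationError:
        pass
    pem = ssl.get_server_certificate((host, port))
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(pem)
        anchor = f.name
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False            # a name mismatch is reported by assess(), not hidden
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=anchor)
        return _peer_cert(host, port, timeout, ctx)
    finally:
        os.unlink(anchor)


def _values(name, key):
    """Values of one attribute type in a getpeercert() name, e.g. all commonName entries."""
    return [value for rdn in name for (attr, value) in rdn if attr == key]


def _matches(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):              # one wildcard label, as browsers accept
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def assess(cert, expected_host, now=None):
    """Check a getpeercert() dictionary against the host name typed in the URL."""
    now = time.time() if now is None else now
    san = cert.get("subjectAltName", ())
    san_names = [value for (kind, value) in san if kind in ("DNS", "IP Address")]
    common_names = _values(cert.get("subject", ()), "commonName")
    # Browsers compare the URL host with the SAN; the CN only counts when there is no SAN.
    candidates = san_names if san else common_names
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "common_names": common_names,
        "self_signed": cert.get("subject") == cert.get("issuer"),
        "has_san": bool(san),
        "hostname_matches": any(_matches(name, expected_host) for name in candidates),
        "valid_now": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
    }


# Constructed certificate, shaped like getpeercert() output: the default self-signed
# certificate of a printer named plotwave.example.com (assumed name).
SAMPLE_CERT = {
    "subject": ((("commonName", "plotwave.example.com"),),),
    "issuer": ((("commonName", "plotwave.example.com"),),),
    "notBefore": "Jan 15 00:00:00 2020 GMT",
    "notAfter": "Jan 15 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "plotwave.example.com"),),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul 10 12:00:00 2020 GMT")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_cert(host) if host else SAMPLE_CERT
    print(assess(cert, host or "plotwave.example.com", None if host else SAMPLE_NOW))
```

Run it with the printer's host name as the argument to inspect the live certificate; without an argument it evaluates the constructed one. A result with self_signed True and hostname_matches False is the case that makes Internet Explorer show the address mismatch warning: the fix is a certificate whose name matches the URL, not disabling the warning.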
Save and send the request
When to do
NOTE
Step A3 of the HTTPS Description of the overall procedure on page 346.
Procedure
1. Copy and paste the content of the request in a .csr file (named 'certificate_request.csr' by default)
2. Send the content of this request to the Certification Authority.
Import a CA-signed certificate
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname]).
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Import CA-
signed certificate'.
3. Select [Root certificate].
4. Browse to the Root certificate file and click [Import].
NOTE
The Root certificate may already exist in the web server certificates list.
Import the [Intermediate certificate]
Procedure
1. Select [Intermediate certificate]
2. Browse to the Intermediate certificate file and click [Import]
3. When the message [Certificate successfully imported.] pops up, go back to the main page to
import the [CA-signed certificate]
Procedure
1. Select [CA-signed certificate]
2. Browse to the certificate file
3. Select 'Yes' to validate the certificate against Java root certificates and click 'Import'
4. When the message [Certificate successfully imported.] pops up, restart the controller.
Result
The certificate is now installed on the server.
Check and import (if needed) the CA Root certificate also into the workstations web browser. That
will secure the complete data workflow between the workstations and the server.
Check and import the [Root certificate] into the workstations browser
When to do
NOTE
Step B4 of the HTTPS Description of the overall procedure on page 346.
Procedure
1. On each workstation, open the web browser
2. In the Tools - Internet Options - Content window, open the 'Certificates'
3. Check if the CA [Root certificate] is already displayed in the 'Trusted Root Certification
Authorities' list
4. If it is not in the list, import the CA Root certificate.
Restore a certificate and a private key
When to do
You can restore the certificate and the private key at any moment, in case of need.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Restore
certificate and private key]
3. Browse to the backup file
4. Enter the password of the backup file
5. Click 'Restore'
6. A dialog box opens: [This action will overwrite the current certificate. Continue?]
Click 'OK'
7. When the key and the certificate are successfully restored, restart the controller.
Purpose
This procedure creates a new self-signed certificate.
When to do
You can reset the certificate after a certificate request, or at any moment when you want to return
to a self-signed certificate.
NOTE
Prefer restoring the original self-signed certificate (this requires a preliminary backup of the
original self-signed certificate; see Back up a certificate and private key on page 347).
Each 'Reset certificate' action generates a new self-signed certificate (with a new private and
public key), so after each reset you must import the new certificate into the web browser again.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Reset
certificate]
3. Click the 'Reset' button
4. When the reset is successful ([Certificate successfully reset]), restart the controller
Result
A new self-signed certificate has been generated on the controller.
Configure your web browser to use it (see Use the self-signed certificate with Internet Explorer on
page 68)
TLSv1.2 / Strong cipher
Cipher algorithms
• When the setting 'Less strong cipher suites allowed' is set to 'No', the following weak ciphers
are NOT used:
  TLS_RSA_WITH_AES_256_GCM_SHA384
  TLS_RSA_WITH_AES_128_GCM_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA256
  TLS_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
• The strong available ciphers are:
  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
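The script below is an added example (not Canon's code) that classifies cipher-suite names the way the 'Less strong cipher suites allowed' = 'No' setting appears to: every suite in the weak list above uses static RSA key exchange and every suite in the strong list uses ephemeral (EC)DHE, so "no forward secrecy" is the inferred rule, and that inference is an assumption of the example. It can be run over any IANA-style suite list (for instance one captured from a client hello) to see which suites the printer would drop and in what order a hardening review would prefer the rest.

```python
"""Audit a TLS 1.2 cipher-suite list against the printer's
'Less strong cipher suites allowed' = 'No' behaviour.

Added example, not Canon code. The rule is inferred from the guide's two
lists: every suite it drops uses static RSA key exchange (no forward
secrecy); every suite it keeps uses ephemeral (EC)DHE key exchange."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# IANA-style suite name: TLS_<key exchange>_WITH_<cipher>_<MAC or PRF>
_SUITE = re.compile(
    r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<cipher>.+?)_(?P<mac>SHA384|SHA256|SHA|MD5)$"
)

# Both lists copied from the guide (Chapter 4, 'TLSv1.2 / Strong cipher').
WEAK_PER_GUIDE = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
STRONG_PER_GUIDE = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
]


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str          # e.g. "RSA", "ECDHE_RSA", "DHE_RSA"
    forward_secrecy: bool
    aead: bool
    findings: Tuple[str, ...]  # empty when there is nothing to flag


def classify(name: str) -> Suite:
    """Derive the security-relevant properties of one suite from its name."""
    m = _SUITE.match(name)
    if not m:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {name}")
    kx, cipher, mac = m["kx"], m["cipher"], m["mac"]
    forward_secrecy = kx.startswith(("ECDHE_", "DHE_"))
    aead = cipher.endswith("_GCM")
    findings = []
    if not forward_secrecy:
        findings.append("static RSA key exchange: no forward secrecy, a "
                        "leaked server key decrypts recorded sessions")
    if "3DES" in cipher:
        findings.append("64-bit block cipher (3DES): weak for long sessions")
    if not aead:
        findings.append(f"CBC with HMAC-{mac}: not an AEAD construction")
    return Suite(name, kx, forward_secrecy, aead, tuple(findings))


def rejected_when_strong_only(offered: List[str]) -> List[str]:
    """Suites the printer would refuse with 'Less strong cipher suites
    allowed' = 'No' (inferred rule: anything without forward secrecy)."""
    return [n for n in offered if not classify(n).forward_secrecy]


def preferred_order(offered: List[str]) -> List[str]:
    """Rank suites as a hardening review would: forward secrecy first,
    then AEAD (GCM), then ECDHE over DHE, then AES-256 over AES-128."""
    def rank(n: str):
        s = classify(n)
        return (not s.forward_secrecy, not s.aead,
                not s.key_exchange.startswith("ECDHE"), "_256_" not in n)
    return sorted(offered, key=rank)


if __name__ == "__main__":
    for n in rejected_when_strong_only(WEAK_PER_GUIDE + STRONG_PER_GUIDE):
        print("dropped:", n, "|", "; ".join(classify(n).findings))
    print("best offer:", preferred_order(STRONG_PER_GUIDE)[0])
```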
HTTPS recommendations for Certificate creation
Scan to Home folder / Print from Home folder
Pre-requisites
To allow a user to scan files to his/her Home folder, the following configurations are required:
• In the Microsoft Active Directory:
- A Home folder, that is a UNC path location, exists for each user
- Users have the Read and Write rights to their private Home folder
• In the printer configuration:
- The User authentication is enabled
- The User authentication is configured with 'User name and password' (no Smart card or
Contactless card)
The 'Home folder' location is then automatically created as an 'External location'. You can
open the 'External locations' tab in 'Configuration' to see this 'Home folder' new location.
- The domain is created and configured
In the domain 'Advanced settings' keep the default 'homeDirectory' value in the 'LDAP
attribute for Home folder'.
- Check that the printer 'Current date and time' and 'Time zone' values are correct (in Express
WebTools, Configuration - System defaults)
Refer to Configure the user authentication by user name and password on page 557 for the
detailed procedure.
It is recommended that the System Administrator validates this new configuration by clicking
'Validate this configuration' in 'Security' - 'Configuration' (see Validate the configuration on
page 559).
Result
Both methods send the scanned files to the users' private Home folder (root directory).
Troubleshooting
When an error occurs during authentication by user name and password, follow the procedures
below to test and troubleshoot:
• Use the validation tool to validate the configuration. See Validate the configuration on
page 300
• Apply the corrective actions when needed. See Troubleshooting on page 302
In case the home folder is not accessible
• Use the validation tool and check in the report that the path to the Home folder is correct:
Prevent 'Print from USB' and/or 'Scan to USB'
Introduction
You can disable any access to the USB device by preventing printing from / scanning to the USB
device.
Illustration
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'External locations' page
3. Log in as a System administrator or Power user
4. Edit the 'USB' type
Smart Inbox management and job management
Setting: The use of the Smart Inboxes ('Smart Inbox capability')
  When the 'Smart Inbox capability' is set to 'Disabled', all the jobs currently present in the
  Smart Inboxes are deleted. All incoming print jobs are directly and solely sent to the print job
  queue.
Setting: The use of Publisher Express to create jobs ('Create print job via Publisher Express')
  When 'No one' is selected, the job submission capability through Express WebTools is
  completely deactivated.
Setting: The remote actions on submitted jobs to the Key operator or Power user ('Perform job
  actions in the print queue')
  When set to 'Login needed', only the Key operator or Power user can remotely delete or move a
  submitted job.
Setting: The display of Smart Inboxes in Express WebTools
  When enabled, all users of Express WebTools can see the Smart Inboxes. When disabled, only
  the Key operator or Power user can see them.
Settings: Keep completed jobs in the Smart Inbox; Keep a copy of scanned jobs in the Smart
  Inbox; Keep a copy of copy jobs in the Smart Inbox (Public); Keep a copy of local print jobs in
  the Smart Inbox
  When enabled, a copy of jobs is kept in the Smart Inbox for later use, until the expiration
  time-out. Disable these settings to delete all jobs from the Smart Inboxes after they are
  processed.
Data protection for template export (for PW3000/3500/5000/5500/7500 and PW345/365/450/550 R1.2 and higher versions)
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Configuration' - 'Connectivity' page.
3. Go to the 'Passwords' section and define the 'Password encryption key'.
NOTE
To import a template it is mandatory to use the SAME 'Password encryption key' on the printer
where the template will be imported as the 'Password encryption key' that was used to export
the template, otherwise the import of the template will fail.
Chapter 5
Security on ColorWave 550/600/650
(and Poster Printer)
Security on ColorWave 550 R2.x, ColorWave 600 (Poster Printer), ColorWave 650 R2.x (Poster Printer)
Overview
Security overview for the ColorWave 600/650 (Poster Printer) and the
ColorWave 550 systems
Introduction
The ColorWave 550 and ColorWave 600 (Poster Printer) / ColorWave 650 (Poster Printer) have
been designed around the secured Linux Operating System, and each new release of the Linux
operating system embeds the latest security fixes.
The ColorWave 650 and ColorWave 550 use Windows Embedded Standard 2009 (WES 2009)
operating system for scanning operations. This operating system is not accessible from the
network.
For ColorWave 550 R3.x and ColorWave 650 R3.x, refer to Security on ColorWave 550 R3.x,
ColorWave 650 R3.x on page 398.
The ColorWave 600 (Poster Printer) / ColorWave 650/ ColorWave 550 offer the following security
features:
Security overview
Ports - Protocols
Applications, protocols and ports used in the ColorWave 600 (Poster Printer) /
ColorWave 650 (Poster Printer) / ColorWave 550 systems
* Back-channel is a proprietary protocol used to retrieve information from the printer (status,
media loaded...) and to display it in the application or driver.
For IPv4
(1) Back-channel for ColorWave 600 1.5 and lower, ColorWave 650 2.0.1 and lower, and
ColorWave 550 2.2 and lower.
(2) Back-channel for ColorWave 600 R1.6.1 and higher, ColorWave 650 2.3.1 and higher, and
ColorWave 550 2.3.1 and higher.
(3) For Publisher Mobile v2.2 and later for Android, and for Publisher Mobile v2.3 and later for
iOS.
(4) Only for Publisher Mobile v2.0 to v2.2 for iOS.
Scanning applications in ColorWave 650 and ColorWave 550 only: ports and protocols used by
the system
Notes:
• (1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive
mode.
Notes:
(1) TCP/IP port 443 must be opened and must allow response back on the IT infrastructure firewall.
Security Patches
Introduction
You can install the Canon Production Printing released security patches in the following (versions
of the) systems:
• ColorWave 650 multifunctional (printer and scanner)
• ColorWave 550 multifunctional (printer and scanner)
Procedure
1. Open Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
The Authentication window opens.
5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the
wizard
6. Click OK
Protocol protection
Introduction
In the ColorWave 600 (Poster Printer), ColorWave 650 (Poster Printer) and ColorWave 550
systems, you can completely disable some protocols in order to protect them against attacks.
Introduction
Some features of the following systems allow or request a connection over the Internet to work
properly:
• ColorWave 550 R2.3 and higher
• ColorWave 550 R3 and higher
• ColorWave 600 R1.6 and higher
• ColorWave 650 R2.3 and higher
• ColorWave 650 R3 and higher
When the Security Policy in a company prevents any outgoing network traffic over the Internet,
perform all the following actions in Express WebTools:
Introduction
A USB connection is available on the ColorWave 650/550 printer panel.
This USB connection is used to print from the USB storage device
Roles and profiles in the ColorWave 600 (Poster Printer) / ColorWave 650
(Poster Printer) / ColorWave 550 systems
Roles description
4 different roles exist in the product. Each of them has the ability to configure or modify some
system settings.
The roles are:
• Key operator:
The Key operator can manage the jobs and the device settings
• System administrator
The System administrator can manage the Configuration settings, such as the Network settings
• Power user
The Power User has both the rights of the Key operator and the System administrator
• Service
This role is used exclusively by the Canon Service technician
Introduction
There are 2 groups of passwords:
• The passwords used in Express WebTools
• The passwords used in the Printer Operator Panel
Password modification table for ColorWave 600, ColorWave 650 and ColorWave 550
Password for: Key operator
  Can be changed by: Key operator or Power user
Password for: System administrator
  Can be changed by: System administrator or Power user
Password for: Power user
  Can be changed by: Power user
Password for: Any ScanToFile remote user name (ColorWave 550 / 650 only)
  Can be changed by: Key operator or System administrator or Power user
Password policy
• 256 characters maximum
• Any number [0-9]
• Any letter lowercase/uppercase [a-z][A-Z]
• the following special characters:
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
NOTE
- When a password is configured as 'No password', the information 'Auto' (meaning 'No
password') is stored in the backup file. It is not encrypted
- The passwords are stored in the backup file whatever the login used when making the 'Save
Set' operation (System administrator, the Key operator, or the Power user)
- The passwords are restored only when the System administrator or the Power user makes the
'Open Set' operation
- When a password has been stored with 'Auto' value, it is restored with the 'No password' value
Access control
Introduction
The 'Access control' feature is available on the following printers and versions:
- ColorWave 550 v2.3.1 and higher
- ColorWave 650 v2.3.1 and higher
- ColorWave 650 PP v2.3.1 and higher
NOTE
- In case DHCP and DNS servers are used:
• Add the DHCP server in the list of the Access control stations.
Otherwise the DHCP protocol is disabled: you can disable the DHCP settings in the
Configuration - Connectivity settings and configure the network settings manually.
• Add the DNS server in the list of the Access control stations.
Otherwise the DNS protocol is disabled: you can configure the path of the external locations
with the IP address instead of a hostname.
- 'Configuration' of the 'Access control' settings is only available to the 'System administrator'.
- To prevent unauthorised access to these settings via the printer user panel, ensure that the
'Password to change network settings' is set.
Data Security
E-Shredding on ColorWave 600 and ColorWave 650 (PP) and ColorWave 550
E-shredding presentation
Introduction
The e-shredding feature is a security feature that overwrites any user print data (for
ColorWave 600 / 650 PP) and any user print/copy/scan data (for ColorWave 650 / 550) when it is
deleted from the system.
This feature prevents the recovery of any deleted user data (files' content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.
The e-shredding functionality is available on:
- ColorWave 600 R1.5 and higher
- ColorWave 600 PP R1.6.1 and higher
- ColorWave 650
- ColorWave 650 Poster Printer
- ColorWave 550
E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense
directive):
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35.
NOTE
The e-shredding feature has been designed to minimise its impact on overall system
performance.
However, the more passes selected, the greater the impact on general performance.
It is recommended to minimise the number of passes when document production is required.
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open the Express
WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click Edit
4. Check 'E-shredding' feature to enable it
Result
When the E-shredding feature is enabled, a new icon is added to the list of icons (bottom right) in
the Express WebTools window.
Each time data (file's content or attributes) is deleted from the system, the e-shredding process
occurs.
For a while, the E-shredding feedback returns 'busy'.
In the Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-
shredding busy' status
Once the e-shredding data process is complete, the status comes back to 'E-shredding ready' in
Express WebTools (roll over the icon).
IPsec on ColorWave 550 v2.3.1 and higher and ColorWave 650 (PP) v2.3.1 and
higher
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network
communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data
on the network.
IPsec is particularly suitable in a configuration where you need to create a dedicated secure link
between the printer/copier system and a workstation which can be dedicated as a Print Server (or
a Scan Server).
IPsec can be enabled only when 'Access Control' is enabled.
You can connect up to 5 IPsec stations to the printer/copier system.
In the configuration below:
• The printer/copier system is physically connected to the network but communicates only with a
dedicated station (a print server or scan server, for example)
• The print server receives the print requests from the workstations via IP on the network
• The print server sends the print requests to the printer/copier system via IPsec
• The workstations cannot communicate directly with the printer/copier system
• The printer/copier system cannot communicate directly with the workstations.
NOTE
In this configuration, the back-channel communication between a workstation and the printer is
unavailable (the back-channel information is not displayed in WPD/ Driver Select).
NOTE
- DHCP must be disabled to allow the display and the configuration of the IPsec settings.
Illustration
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
3. In 'Network security' section, click on the general Edit
_ - ~ ! @ # $ % ^ * ? { }
( ) = + , . ; : [ ] / | \
NOTE
Write it down. This preshared key will be required during the IPsec configuration on the
workstation.
Result
The IPsec settings are configured on the controller for a connection to a workstation (which can
be a print server).
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with administrator rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and
a workstation.
On the workstation, perform the following 6 actions:
1- Add the security snap in on page 383
2- Create the security policy on page 385
3- Create the filter list on page 386
4- Define the filter actions and security negotiation on page 388
5- Define the security rule on page 390
6- Assign the security policy on page 393
NOTE
The procedure below shows the configuration steps on Windows server 2008.
The procedure is similar on other Operating Systems (Windows 7).
Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security
Policy'
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter
lists and filter actions…'
Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the
wizard
(On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on
"Add")
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange
(preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the
controller on page 49), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule
Procedure
1. In the console, right click on the security policy just created and select 'Assign'
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec
station to the printer/scanner controller
When the test works properly, it is recommended to disable the 'Failsafe mode' on the printer/
scanner controller, so that only the IPsec station is allowed to communicate with the printer/
scanner system.
NOTE
In case you use the WPD driver, see The impact of IPsec when you print through a print
server on page 61.
Introduction
In the following case:
• Access control is enabled and activated on the printer/scanner controller of ColorWave 650/550
v2.3.1 and higher
and
• The communication between the controller and the host stations fails
You cannot open remotely Express WebTools to change the settings. The system is unreachable.
You can then use the emergency procedure to disable Access control via the printer user panel
on the printer/scanner system.
Procedure
1. On the printer user panel, click on 'System'
2. Select 'Setup'
5. Press 'Finish'
Result
Access control is disabled.
If IPsec was also activated on the controller, it is also disabled with this operation.
After the restart, you will be able to open Express WebTools remotely from a workstation (HTTP).
Introduction
You can disable any access to the USB device by preventing printing from the USB device.
Illustration
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Preferences' - 'System properties' page and select the 'Printer properties' section
3. Go to the 'USB direct print' setting
4. Click on the value to open the 'USB direct print' window
5. Log in as a 'Key Operator' or 'Power User'
6. Select 'Disabled' and 'Ok'
Overview
Security overview for the ColorWave 550 R3.x, ColorWave 650 R3.x system
Introduction
The ColorWave 550 R3.x and ColorWave 650 R3.x systems are equipped with the following
security features:
Security overview
Ports - Protocols
Applications, protocols and ports used in the ColorWave 550/650 R3.x system
Printing applications with ColorWave 550/650 R3.x: INBOUND and OUTBOUND ports and
protocols used by the system
The table lists, per application, the INBOUND ports on the controller and the OUTBOUND ports
from the controller, each as port: protocol. Rows that are outbound from the controller are
marked as such.
Wide-format Printer Driver for Microsoft Windows (WPD2) / Driver Select: TCP 515: LPR;
  TCP 80: HTTP for back-channel* and Advanced accounting; UDP 515: proprietary protocol
  for Printer Discovery
PostScript 3 driver / Driver Express: TCP 515: LPR
Publisher Express: TCP 80: HTTP; TCP 443: HTTPS
Publisher Select: TCP 80: HTTP; UDP 515: proprietary protocol for Printer Discovery
Publisher Mobile: TCP 21: FTP; TCP 4242: FTP passive mode (data channel in FTP passive
  mode); ICMP: ping; UDP 515: proprietary protocol for Printer Discovery
Reprodesk Studio: TCP 515: LPR; TCP 65200: back-channel
Novell NDPS printing: TCP 515: LPR
LPR printing: TCP 515: LPR
FTP printing: TCP 21: FTP; TCP 4242 (data channel in FTP passive mode)
Print from SMB (outbound from the controller): TCP 139, 445; UDP 138, 445
Print from FTP (outbound from the controller): FTP command(1): local TCP any, remote TCP 21;
  FTP data(1): local TCP any, remote TCP any
Notes:
* back-channel is a proprietary protocol used to retrieve information from the printer (status,
media loaded...) and to display it in the application or driver.
(1) FTP passive mode only (FTP active mode not supported).
Scanning applications with ColorWave 550/650 R3.x: INBOUND and OUTBOUND ports and
protocols used by the system
The table lists, per application, the INBOUND ports on the controller and the OUTBOUND ports
from the controller, each as port: protocol.
Scan to File: SMB (outbound from the controller): TCP 139, 445; UDP 137, 138, 445
Scan to File: FTP (outbound from the controller): FTP command(1): local TCP any, remote TCP 21;
  FTP data(1): local TCP any, remote TCP any
Scan data retrieval from Smart Inbox (Scans) (inbound on the controller): TCP 80: HTTP;
  TCP 443: HTTPS
Notes:
(1) FTP passive mode only (FTP active mode not supported).
Control management with ColorWave 550/650 R3.x: INBOUND and OUTBOUND ports and
protocols used by the system
The table lists, per application, the INBOUND ports on the controller and the OUTBOUND ports
from the controller, each as port: protocol. Rows that are outbound from the controller are
marked as such.
PING IPv4: ICMPv4
PING IPv6: ICMPv6
nslookup (outbound from the controller): UDP local port: any; UDP remote port: 53
SNMP based applications: UDP 161: SNMP
Name resolution (outbound from the controller): outgoing connection, local port (on controller):
  UDP(/TCP) <dynamic value>; remote port (on DNS server): UDP(/TCP) 53
Express WebTools: TCP 80: HTTP; TCP 443: HTTPS
Account Center: TCP 80: HTTP
Accounting information retrieval: TCP 80: HTTP
Meter Manager: UDP 161: SNMP
Back-channel: TCP 65200 for back-channel
On Remote Service (outbound from the controller): TCP 443: HTTPS; TCP web proxy port (1)
NetBios over TCP/IP: inbound UDP 137, UDP 138; outbound TCP 139, 445
WSD: TCP 80: HTTP; UDP 3702 for WSD discovery; TCP 5357 for WSD eventing
WAVE: TCP 80: HTTP
OBIS (Publisher Select): TCP 80: HTTP for back-channel
IPsec: UDP 500; UDP 4500
Notes:
(1) When there is a proxy.
Security Patches
Introduction
You can install the Canon Production Printing released security patches in your print system.
Install a patch
Procedure
1. Open Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
The Authentication window opens.
5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the
wizard
6. Click OK
Protocol protection
Introduction
In the ColorWave 550/650 R3.x system, you can completely disable some protocols in order to
protect them against attacks.
HTTPS, ICMP (ping), DNS protocols cannot be completely disabled.
Introduction
Some features of the following systems allow or request a connection over the Internet to work
properly:
• ColorWave 550 R2.3 and higher
• ColorWave 550 R3 and higher
• ColorWave 600 R1.6 and higher
• ColorWave 650 R2.3 and higher
• ColorWave 650 R3 and higher
When the Security Policy in a company prevents any outgoing network traffic over the Internet,
perform all the following actions in Express WebTools:
Introduction
A USB connection is available on the ColorWave 650/550 printer panel.
This USB connection is used to print from the USB storage device
Antivirus
NOTE
Canon shall not be liable for damages of any kind attributable to the use of an antivirus on its
controllers.
Roles description
4 different roles exist in the product. Each of them has the ability to configure or modify some
system settings.
The roles are:
• Key operator:
The Key operator can manage the jobs and the device settings.
• System administrator
The System administrator can manage the configuration settings, such as the network and
security settings.
• Power user
The Power User has both the rights of the Key operator and the System administrator.
• Service
This role is used exclusively by the Service technician.
Introduction
There are 2 groups of passwords:
• The passwords used in Express WebTools
• The passwords used in the printer user panel
Password policy
• 256 characters maximum
• all MS Windows characters are allowed
NOTE
Keep this password. The reset of this password may require the intervention of a Canon
Service technician.
Passwords modification
NOTE
- When a password is configured as 'No password', the information 'Auto' (meaning 'No
password') is stored in the backup file. It is not encrypted
- The passwords are stored in the backup file whatever the login used when making the 'Save
Set' operation (System administrator, Key operator, or Power user)
- The passwords are restored only when the System administrator or the Power user makes the
'Open Set' operation
- When a password has been stored with 'Auto' value, it is restored with the 'No password' value
Access control
Introduction
Access control limits access to the system by IP filtering.
Enable 'Access control' and set the list of IP addresses of the computers (hosts) that are allowed
to communicate with the printer. This action sets the IP filtering. The access restriction then
applies to print operations (in which a host workstation contacts the printer) as well as to scan
operations (in which the scanner contacts the external location).
You can define up to 5 hosts.
For each host you can decide whether the communication from this host to the system must be
encrypted by IPsec (see IPsec presentation on page 414).
You enable 'Access control' in Express WebTools. You can disable it in Express WebTools or via
the printer user panel.
NOTE
- In case DHCP and DNS servers are used:
• Add the DHCP server in the list of the Access control stations.
Otherwise the DHCP protocol is disabled: you can disable the DHCP settings in the
Configuration - Connectivity settings and configure the network settings manually.
• Add the DNS server in the list of the Access control stations.
Otherwise the DNS protocol is disabled: you can configure the path of the external locations
with the IP address instead of a hostname.
- 'Configuration' of the 'Access control' settings is only available to the 'System administrator'.
- To prevent unauthorised access to these settings via the printer user panel, ensure that the
'Password to change network settings' is set.
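The following pre-change check is an added example, not Canon's code: given a planned station list, it reports the cases the NOTE above (and the same NOTE in the ColorWave 600/650/550 section) warns about before the list is applied: the DHCP or DNS server missing from the list, more than 5 hosts, IPsec requested for a host that is not listed, and the administrator's own workstation missing, which would leave only the printer-panel emergency procedure to recover remote access. Field names and the sample addresses (192.0.2.0/24) are assumptions constructed for the example.

```python
"""Pre-change check for the printer's 'Access control' station list.

Added example, not Canon code: it flags, before the list is applied, the
lockout and breakage cases the guide's NOTE describes. Field names are
assumptions; hosts are given as IP addresses, as the list itself is."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

MAX_STATIONS = 5   # limit stated in the guide


@dataclass
class AccessControlPlan:
    stations: List[str]                      # hosts allowed to talk to the printer
    ipsec_stations: Set[str] = field(default_factory=set)  # subset flagged for IPsec
    dhcp_enabled: bool = False
    dhcp_server: Optional[str] = None
    dns_server: Optional[str] = None
    admin_workstation: Optional[str] = None  # where Express WebTools is opened
    external_locations: List[str] = field(default_factory=list)  # UNC or URL targets


def _target_host(location: str) -> str:
    """Host part of a UNC path (\\\\host\\share) or URL (ftp://host[:port]/path).
    Assumes IPv4 literals or hostnames, not bracketed IPv6 URLs."""
    if location.startswith("\\\\"):
        return location[2:].split("\\", 1)[0]
    if "://" in location:
        return location.split("://", 1)[1].split("/", 1)[0].rsplit(":", 1)[0]
    return location


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_plan(plan: AccessControlPlan) -> List[str]:
    """Return human-readable findings; an empty list means safe to apply."""
    findings: List[str] = []
    try:
        allowed = {ipaddress.ip_address(s) for s in plan.stations}
    except ValueError as exc:
        return [f"invalid station address: {exc}"]

    def listed(addr: Optional[str]) -> bool:
        try:
            return addr is not None and ipaddress.ip_address(addr) in allowed
        except ValueError:
            return False

    if len(plan.stations) > MAX_STATIONS:
        findings.append(f"{len(plan.stations)} stations exceed the limit of "
                        f"{MAX_STATIONS}")
    stray = set(plan.ipsec_stations) - set(plan.stations)
    if stray:
        findings.append("IPsec requested for hosts not in the station list: "
                        + ", ".join(sorted(stray)))
    # DHCP server absent from the list: the guide says DHCP is then disabled.
    if plan.dhcp_enabled and not listed(plan.dhcp_server):
        findings.append("DHCP server not in the list: DHCP will be disabled; "
                        "switch to manual network settings before applying")
    # DNS server absent: hostnames in external locations stop resolving.
    by_name = [loc for loc in plan.external_locations
               if not _is_ip_literal(_target_host(loc))]
    if by_name and not listed(plan.dns_server):
        findings.append("DNS server not in the list: these external locations "
                        "use hostnames and will stop resolving: "
                        + ", ".join(by_name))
    # Admin workstation absent: remote Express WebTools is lost on apply.
    if not listed(plan.admin_workstation):
        findings.append("administrator workstation not in the list: remote "
                        "Express WebTools access is lost on apply; recovery is "
                        "the printer-panel emergency procedure")
    return findings


if __name__ == "__main__":
    # Constructed sample plan using TEST-NET addresses.
    sample = AccessControlPlan(
        stations=["192.0.2.10", "192.0.2.20"], ipsec_stations={"192.0.2.20"},
        dhcp_enabled=True, dhcp_server="192.0.2.1", dns_server="192.0.2.2",
        admin_workstation="192.0.2.10",
        external_locations=[r"\\fileserver.example\scans", "ftp://192.0.2.50/jobs"])
    for line in check_plan(sample):
        print("-", line)
```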
Audit log
Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded
and/or cleared.
Data security
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature that overwrites any user print data and
any user print/copy/scan data when it is deleted from the system.
This feature prevents the recovery of any deleted user data (files' content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.
E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense
directive):
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35.
NOTE
The e-shredding feature has been designed to minimise its impact on overall system
performance.
However, the more passes selected, the greater the impact on general performance.
It is recommended to minimise the number of passes when document production is required.
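As an added example serving both e-shredding sections (ColorWave 600/650/550 and ColorWave 550/650 R3.x), the script below performs a multi-pass overwrite with the pass counts the guide gives (DOD 5220.22-M: 3, Gutmann: 35, Custom: 1 to 35) on a constructed sample file, and reports the total bytes written so the "more passes, more impact" trade-off can be measured. It is not the controller's own implementation, and the per-pass patterns (0x00, 0xFF, random, repeated) are an assumption, since the guide only states pass counts.

```python
"""Multi-pass overwrite in the style of the e-shredding modes (DOD 5220.22-M
3-pass, Gutmann 35-pass, Custom 1 to 35).

Added example, not the controller's implementation. The per-pass patterns
are an assumption; the guide gives pass counts only."""
import os
import secrets
import tempfile
from typing import Dict, Optional

PASS_COUNTS = {"DOD 5220.22-M": 3, "Gutmann": 35}   # pass counts from the guide


def passes_for(mode: str, custom: Optional[int] = None) -> int:
    """Map a mode name (plus a pass count for 'Custom') to a pass count."""
    if mode == "Custom":
        if custom is None or not 1 <= custom <= 35:
            raise ValueError("Custom mode takes 1 to 35 passes")
        return custom
    return PASS_COUNTS[mode]


def shred_file(path: str, passes: int, chunk: int = 64 * 1024) -> Dict[str, object]:
    """Overwrite every byte of `path` `passes` times, then delete it.

    Returns the size, the pass count, the total bytes written (linear in the
    pass count, which is the performance cost the guide warns about) and the
    final on-disk content before deletion.

    Caveat: this sanitises a file on a plain disk-backed filesystem; on SSDs,
    journaling or copy-on-write filesystems old blocks may survive elsewhere.
    The controller shreds storage it controls; a general host cannot promise
    the same from user space."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for i in range(passes):
            # Assumed pattern schedule: 0x00, 0xFF, random, repeated.
            fill = (b"\x00", b"\xff", None)[i % 3]
            f.seek(0)
            left = size
            while left:
                n = min(left, chunk)
                f.write(secrets.token_bytes(n) if fill is None else fill * n)
                written += n
                left -= n
            f.flush()
            os.fsync(f.fileno())      # each pass must reach the disk
        f.seek(0)
        final = f.read()
    os.remove(path)
    return {"size": size, "passes": passes, "bytes_written": written,
            "final_content": final}


def demo(mode: str = "DOD 5220.22-M", custom: Optional[int] = None) -> Dict[str, object]:
    """Write a constructed 'scan job', shred it, and report the outcome."""
    marker = b"CONSTRUCTED SCAN DATA "
    fd, path = tempfile.mkstemp(suffix=".tif")
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 3000)        # about 66 KB of sample job data
    report = shred_file(path, passes_for(mode, custom))
    report["residue_found"] = marker in report.pop("final_content")
    report["file_gone"] = not os.path.exists(path)
    return report


if __name__ == "__main__":
    for mode, custom in (("DOD 5220.22-M", None), ("Custom", 5), ("Gutmann", None)):
        r = demo(mode, custom)
        print(f"{mode:14s} passes={r['passes']:2d} bytes_written={r['bytes_written']}"
              f" residue={r['residue_found']} deleted={r['file_gone']}")
```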
IPsec
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network
communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data
on the network.
You can connect up to 5 IPsec stations to the print/scan system.
Illustration
NOTE
The following IPsec parameters cannot be changed:
• IKE Diffie-Hellman group: 2, then 1
• IKE SA lifetime: 28800 s
• IKE security method: 3DES, then MD5
• IKE hash: SHA1, then MD5
• ESP encryption: 3DES, then DES
• ESP hash: SHA1, then MD5, then None
• AH hash: SHA1, then MD5
• Encapsulation type: Transport
• Protocol SA lifetime: 3600 s
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'Connectivity' page
3. In the 'Access control' section, click on the general 'Edit'
NOTE
Write down this preshared key. It will be required during the IPsec configuration on the
workstation.
7. Click OK
Note: The settings are applied as soon as 'OK' is validated (and before the restart). You may lose
the remote connection to the system when your workstation is not part of the configured stations.
8. Restart the controller
Result
The IPsec settings are configured on the controller for a connection to a workstation.
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with administrator rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and
a workstation.
On the workstation, perform the following 7 actions:
1- Add the security snap-in on page 140
2- Create the security policy on page 142
3- Create the filter list on page 143
4- Define the filter actions and security negotiation on page 145
5- Define the security rule on page 147
6- Assign the security policy on page 150
7- Customize the IPsec settings on page 150
NOTE
The procedure below shows the configuration steps on Windows server 2008 for a ColorWave
300 system.
The procedure is similar on other Operating Systems (Windows 7) and for other ColorWave/
PlotWave printers.
Introduction
In the following case:
• Access control is enabled and activated on the printer/scanner controller of ColorWave 650/550
v2.3.1 and higher
and
• The communication between the controller and the host stations fails
You cannot open Express WebTools remotely to change the settings: the system is unreachable.
In that case, use the emergency procedure below to disable Access control via the printer user panel
on the printer/scanner system.
Procedure
1. On the printer user panel, click on 'System'
2. Select 'Setup'
5. Press 'Finish'
Result
Access control is disabled.
If IPsec was also activated on the controller, it is also disabled with this operation.
After the restart, you will be able to open Express WebTools remotely from a workstation (HTTP).
Encrypt print data and manage the system configuration using HTTPS
Introduction
On the ColorWave 550/650 R3.x systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Publisher Express
- save encrypted scan jobs from the printer controller (Scans Inbox)
- securely manage the configuration of the system through Express WebTools
Certificates are used to check the identity of the workstations and controller during the
communication.
The HTTPS protocol is always available.
All settings and options available through HTTP are also available through HTTPS.
Procedure
1. On a workstation, type the URL address of the printer in Internet Explorer: https://[printer
hostname or Printer IP address].
A warning window opens:
7. Choose either 'Current User' or 'Local Machine' (check with your IT department) and click on
'Next'.
8. Select 'Place all certificates in the following store' and click on 'Browse...'.
Before the import or when the import fails, the certificate status will look like:
13. In the Security section, uncheck the option 'Warn about certificate address mismatch':
14. Click on 'Apply' and next on 'OK' and close all instances of Internet Explorer.
15. Restart the browser and type the URL of the printer in Internet Explorer (https://[printer hostname
or Printer IP address]).
Result
The padlock is displayed on the address bar. The self-signed certificate guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network
Procedure
1. On a workstation, type the URL address of the printer in Mozilla Firefox: https://[printer hostname
or Printer IP address].
A warning window opens:
2. Select 'Advanced'.
Introduction
By default the first certificate delivered for the use of HTTPS is the self-signed certificate of the
printer.
To ensure fully trusted authentication, you can request and import a certificate delivered by a
Certification Authority (CA-signed certificate).
A1 - Back up the current certificate and private key (if any)
The current certificate can be:
• the self-signed certificate of the printer
• a CA-signed certificate (delivered by a Certification Authority) you previously installed
See Back up a certificate and a private key on page 165.
A2 - Generate the certificate request
Make this step when you want to request and install a CA-signed certificate.
During the creation of the request, a new private key is created.
See Generate a CA-signed certificate request on page 166.
A3 - Save the content of the certificate request
Send this content to the Certification Authority to request a (CA-signed) certificate.
The Certification Authority will check the request and reply.
- If the request is valid, go to step A4
- If the request is not valid, make a new request (A2) according to the remarks/corrections suggested
by the CA request feedback
A4 - Restart the controller
A5 - Back up the private key
Save a backup of the private key associated with the certificate you will receive.
See Back up a certificate and a private key on page 165.
B1 - Save and store the new CA-signed certificate
Save the CA-signed certificate you received from the Certification Authority.
B2 - Import the new CA-signed certificate into the controller
Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates).
See Import a CA-signed certificate (into the controller and workstations) on page 167.
B3 - Restart the controller
B4 - Import the Root certificate into the web browsers of the workstations
The Root certificate identifies the Certification Authority. By default, the web browsers contain a list
of well-known and trusted Root certificates.
In case the Root certificate of the Certification Authority is not in this list, install the CA Root
certificate in the 'Trusted Root certificates' list of the web browser, on each workstation.
See Check and import the Root certificate into the workstations browser on page 168.
B5 - Back up the certificate and private key
Back up and store the certificate and the private key.
Note: It is highly recommended to back up the CA-signed certificate and the private key since they are
not saved in any system backup.
See Back up a certificate and a private key on page 165.
Other procedures
Restore a certificate and a private key
When to do: You can restore the certificate and the private key at any moment, in case of need.
See Restore a certificate and a private key on page 169
Reset the current certificate
When to do: You can reset the certificate after a certificate request or at any moment when you want
to restore a self-signed certificate. This procedure creates a new self-signed certificate.
See Reset the current certificate on page 169
Introduction
You can disable any access to the USB device by preventing printing from the USB device.
Illustration
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Preferences' - 'System properties' page and select the 'Printer properties' section
3. Go to the 'USB direct print' setting
4. Click on the value to open the 'USB direct print' window
5. Log in as a 'Key Operator' or 'Power User'
6. Select 'Disabled' and 'Ok'
• The use of the Smart Inboxes ('Smart Inbox capability'): When the 'Smart Inbox capability' is set to
'Disabled', all the jobs currently present in the Smart Inboxes are deleted. All incoming print jobs are
directly and solely sent to the print job queue.
• The use of Publisher Express ('Publisher Express' or 'Enable Publisher Express'): When disabled, the
job submission capability (through Express WebTools) is completely deactivated.
• The remote actions on jobs to the Operator ('Restrict remote actions on jobs to the Key Operator'):
When enabled, all remote actions on jobs in the queue are restricted to the Key Operator or Power user
only.
• The display of Smart Inboxes in Express WebTools: When enabled, all users of Express WebTools can
see the Smart Inboxes. When disabled, only the Key operator or Power user can see them (login needed).
• Keep completed jobs in the Smart Inbox / Keep a copy of scanned jobs in the Smart Inbox / Keep a copy
of copy jobs in the Smart Inbox (Public) / Keep a copy of local print jobs in the Smart Inbox: When
enabled, a copy of jobs is kept in the Smart Inbox for later use, until the expiration time-out. Disable
these settings to delete all jobs from the Smart Inboxes after they are processed.
Overview
Security overview
434 Chapter 6 - Security on ColorWave 500, 700, 3500, 3600, 3700, 3800
Security overview for the ColorWave 3500/3600/3700/3800 and ColorWave 500/700 systems
System and Network security
Ports - Protocols
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller (protocol) / OUTBOUND ports from the controller (protocol)
• Wide-format Printer Driver for Microsoft Windows (WPD2), Driver Select
  Inbound: TCP 515: LPR; TCP 80: HTTP for back-channel* and Advanced accounting; UDP 515: proprietary protocol for Printer Discovery
  Outbound: UDP 515: proprietary protocol for Printer Discovery
• PostScript 3 driver, Driver Select: TCP 515: LPR
• Publisher Express: TCP 80: HTTP; TCP 443: HTTPS
• Publisher Select: TCP 80: HTTP; UDP 515: proprietary protocol for Printer Discovery; TCP 443: HTTPS (CW3600/3800)
• Publisher Mobile: TCP 515: LPR (1); TCP 4242: FTP passive mode (for data channel in FTP passive mode); ICMP: ping; UDP 515: proprietary protocol for Printer Discovery; TCP 21: FTP (2)
• Reprodesk Studio: TCP 515: LPR; TCP 80: back-channel (WAVE)
• Novell NDPS printing: TCP 515: LPR
• LPR printing: TCP 515: LPR
• FTP printing: TCP 21: FTP; TCP 4242 (for data channel in FTP passive mode)
• Print from SMB: TCP 139, 445; UDP 138, 445
• Print from FTP: FTP command (3): Local: TCP any, Remote: TCP 21; FTP Data (3): Local: TCP any, Remote: TCP any
• Print from Cloud: WebDAV: TCP 80: HTTP; TCP 443: HTTPS; TCP web proxy port (4); TCP WebDAV port
Notes:
* Back-channel is a proprietary protocol used to retrieve information from the printer (status,
media loaded...) and to display it in the application or driver.
(1) For Publisher Mobile v 2.2 and later for Android, and for Publisher Mobile v 2.3 and later for iOS.
(2) Only for Publisher Mobile v 2.0 to v2.2 for iOS.
(3) FTP passive mode only (FTP active mode not supported).
(4) When there is a proxy.
Scanning applications: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller (protocol) / OUTBOUND ports from the controller (protocol)
• Scan to File: SMB: TCP 139, 445; UDP 137, 138, 445
• Scan to File: FTP: FTP command (1): Local: TCP any, Remote: TCP 21; FTP Data (1): Local: TCP any, Remote: TCP any
• Scan to File: Cloud (WebDAV): TCP 80: HTTP; TCP 443: HTTPS; TCP web proxy port (2); TCP WebDAV port
Notes:
(1) FTP passive mode only (FTP active mode not supported).
(2) When there is a proxy.
(3) Available on ColorWave 500/700 R4.1 and higher and ColorWave 3500/3600/3700/3800.
Control management: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller (protocol) / OUTBOUND ports from the controller (protocol)
• PING IPv4: ICMPv4
• PING IPv6: ICMPv6
• nslookup: UDP local port: any; UDP remote port: 53
• SNMP based applications: UDP 161: SNMP
• Name resolution: outgoing connection; local port (on controller): UDP(/TCP) <dynamic value>; remote port (on DNS server): UDP(/TCP) 53
• Express WebTools: TCP 80: HTTP; TCP 443: HTTPS
• Account Center: TCP 80: HTTP
• Accounting information retrieval: TCP 80: HTTP; TCP 443: HTTPS (CW3600/3800)
• User authentication by user name and password: TCP 88 / UDP 88: Kerberos; TCP 389 / UDP 389: LDAP
• User authentication by smart card: TCP 80: OCSP; TCP 80: HTTP or TCP 443: HTTPS
• Meter Manager: UDP 161: SNMP
• back-channel: TCP 65200 for OCI back-channel
• Remote Service: TCP 443: HTTPS; TCP web proxy port (1)
• NetBios over TCP/IP: UDP 137, UDP 138; TCP 139, 445
• WSD: TCP 80: HTTP; UDP 3702 for WSD discovery; TCP 5357 for WSD eventing
• WAVE: TCP 80: HTTP; TCP 443: HTTPS (CW3600/3800)
• OBIS: TCP 80: HTTP for back-channel (Publisher Select); TCP 443: HTTPS for back-channel (CW3600/3800)
• IPsec: UDP 500; UDP 4500
• LDAP authentication over Kerberos: TCP 88 / UDP any: for Kerberos; TCP 389 (configurable) / UDP any: for LDAP
• LDAP authentication over SSL: customer configurable; TCP port 636 by default / UDP any
• Time synchronisation: Inbound: UDP 123: Network Time Protocol (CW3600/3800); Outbound: UDP 123: Network Time Protocol (CW3600/3800)
Notes:
(1) When there is a proxy.
Security Patches
Security Patches
Introduction
You can install the security patches released by Canon Production Printing on your print system.
Install a patch
Procedure
1. Open Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
The Authentication window opens.
Install Operating system patch for CW500/700
5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the
wizard
6. Click OK
Install Operating system patch for CW3500/3600/3700/3800
Introduction
Install Windows updates, also called security patches, when they are available for your product.
Functional description
1. In Express WebTools, the user selects the Operating system patch file that he previously
retrieved.
2. The system downloads this patch file and checks its integrity.
3. The printer starts the patch installation.
4. A reboot is necessary to complete the installation.
Install a patch
Procedure
1. Open Express WebTools .
2. Open the [Support] tab.
3. Select [Update].
4. Click on [Install] in the [Operating system patches] section.
After a warning popup window, the following window is displayed:
5. Browse to the downloaded patch file (*.msu) and click OK to install it.
There are 2 options available:
• Option 1 : Automatically install the operating system patch after the file has been uploaded
• Option 2 : Restart the system automatically to finish the installation of the operating system
Here are the useful scenarios:
Protocol protection
Protocol protection
Introduction
In these systems, you can completely disable some protocols in order to protect them against
attacks.
HTTPS (inbound), ICMP (ping), DNS protocols cannot be completely disabled.
Network protocols protection
Prevent any outgoing connection to the Internet
Security of the USB connection
Introduction
A USB connection is available on the touch panel.
This USB connection is used to:
• Install / upgrade the controller software
• Backup and restore the controller configuration
• Scan to the USB storage device
• Print from the USB storage device
• Connect a Smart card reader or a Contactless card reader
Port based authentication (IEEE 802.1X)
Illustration (A. and B.): 802.1x port-based authentication on the LAN
Port-based authentication (IEEE 802.1X) - explained
EAP
In general IEEE 802.1X uses the EAP (Extensible Authentication Protocol) protocol to negotiate
the way to authenticate the supplicant and the authentication server. In general, the supplicant
can have a certificate, a smart card, or credentials for identification.
EAP collaborates with additional authentication protocols, such as Transport Layer Security (TLS)
and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).
• EAP-TLS
EAP-TLS is used in certificate-based security environments. It provides the strongest
authentication and key determination method. EAP-TLS requires that the supplicant has an
identity certificate.
• EAP-MS-CHAP v2
EAP-MS-CHAP v2 is a mutual authentication method that supports password-based endpoint
authentication.
NOTE
Not all authentication servers, supplicants and LDAP directory servers support all authentication
methods.
PEAP
PEAP (Protected EAP) is a protocol to increase the security of EAP-MS-CHAP v2 and EAP-TLS.
PEAP builds an encrypted channel during the second part of the EAP handshake process. Inside
this secure channel a new EAP negotiation takes place to authenticate the supplicant.
Illustration: PEAP with EAP-MS-CHAP v2, PEAP with EAP-TLS, and EAP-TLS
The authentication methods the printer supports are: PEAP with EAP-TLS, PEAP with EAP-MS-
CHAP v2 and EAP-TLS.
Identity certificates
All authentication methods require that the trusted CA certificates of the authentication server are
present in the controller's list of trusted certificates, so that the supplicant can authenticate the
authentication server. The same identity certificate is used for HTTPS, IPsec and IEEE 802.1X.
EAP-TLS requires a valid Identity certificate of the supplicant that is mapped to a user account or
computer account in the LDAP directory server (Active Directory Domain Services (AD DS)).
• When the certificate refers to a computer account, the Subject Alternative Name
(SubjectAltName) field in the certificate must contain the Fully Qualified Domain Name (FQDN)
of the client, which is also called the DNS name.
• When the certificate refers to a user account, the Subject Alternative Name (SubjectAltName)
field in the certificate must contain the User Principal Name (UPN).
NOTE
EAP-MS-CHAP v2 does not need an Identity certificate of the supplicant.
• When the printer uses IEEE 802.1X, the CA certificates of the RADIUS server must be imported
into the list of trusted certificates.
• The printer Identity certificate that is valid for HTTPS can be used for IEEE 802.1X.
• One of the Subject Alternative Name fields of the printer Identity certificate must be equal to
the Fully Qualified Domain Name (FQDN).
NOTE
EAP-MS-CHAP v2 requires an MS-CHAP v2 username and an MS-CHAP v2 password
that are configured in Express WebTools.
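The certificate requirements above (a SAN equal to the printer FQDN, a template compatible with client authentication, and the RADIUS CA in the trusted certificate list), together with the matching Active Directory computer name and servicePrincipalName used when the Radius server is configured later in this chapter, checked in Go. This is an added example, not Canon code or the controller's implementation: the CA and the certificates are constructed in-process, and the FQDN cw3700.sns.ocegr.fr is the example used in this chapter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PrinterFQDN is the Subject Alternative Name used as the example in this chapter.
const PrinterFQDN = "cw3700.sns.ocegr.fr"

// IdentityCheck records whether a printer identity certificate meets the EAP-TLS
// requirements, plus the AD computer name and servicePrincipalName expected for it.
type IdentityCheck struct {
	SANMatchesFQDN bool   // a SAN DNS entry equals the printer FQDN
	ClientAuthEKU  bool   // issued from a template compatible with client authentication
	ChainTrusted   bool   // chains to a CA present in the trusted certificate list
	ComputerName   string // FQDN without the DNS suffix, e.g. "cw3700"
	SPN            string // host/<computername>.<domainsuffix>
}

// CheckIdentityCert inspects cert against the trusted roots and the expected FQDN.
func CheckIdentityCert(cert *x509.Certificate, roots *x509.CertPool, fqdn string) IdentityCheck {
	var r IdentityCheck
	for _, name := range cert.DNSNames {
		r.SANMatchesFQDN = r.SANMatchesFQDN || strings.EqualFold(name, fqdn)
	}
	for _, eku := range cert.ExtKeyUsage {
		r.ClientAuthEKU = r.ClientAuthEKU || eku == x509.ExtKeyUsageClientAuth
	}
	// Chain trust only (ExtKeyUsageAny); the client-auth EKU is reported separately.
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	r.ChainTrusted = err == nil
	if r.SANMatchesFQDN {
		r.ComputerName = strings.SplitN(fqdn, ".", 2)[0] // computer name without the DNS suffix
		r.SPN = "host/" + fqdn                           // servicePrincipalName=host/<computername>.<domainsuffix>
	}
	return r
}

// newCert signs tmpl with parent and signer and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTestCA builds a throwaway self-signed CA (constructed test data standing in for the internal CA).
func NewTestCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueIdentityCert issues a printer identity certificate from ca; clientAuth mirrors a client-authentication template.
func IssueIdentityCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, sans []string, clientAuth bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if clientAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return newCert(tmpl, ca, &key.PublicKey, caKey)
}

func main() {
	ca, caKey, err := NewTestCA("Example Internal CA")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool() // the controller's trusted certificate list
	roots.AddCert(ca)
	good, _ := IssueIdentityCert(ca, caKey, "cw3700", []string{PrinterFQDN}, true)
	bad, _ := IssueIdentityCert(ca, caKey, "cw3700", nil, false) // CN only: no SAN, no client-auth EKU
	fmt.Printf("good: %+v\n", CheckIdentityCert(good, roots, PrinterFQDN))
	fmt.Printf("bad:  %+v\n", CheckIdentityCert(bad, roots, PrinterFQDN))
}
```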
EAP-TLS
Illustration: EAP-TLS exchange on the LAN between the Supplicant (Printer), the Authenticator, the
Authentication server and the Domain controller directory service (7. Data)
1. The supplicant (for example the printer) sends an IEEE 802.1X request to the authenticator.
2. After negotiating the first part of the authentication method, the authenticator sends the
Identity of the Authentication server.
3. The supplicant authenticates the Identity certificate of the Authentication server.
4. The supplicant builds a PEAP encrypted channel to negotiate the second part of the
authentication. Thereafter, it sends its Identity certificate through the channel.
5. The Authentication server verifies the Identity certificate. The directory service of the domain
controller is used to query the user account or computer account reference of the certificate.
6. The Authentication server authenticates the Identity certificate of the supplicant.
7. The Authenticator enables the IEEE 802.1X configured port and the supplicant can access the
network.
PEAP with EAP-MS-CHAP v2
Illustration: PEAP with EAP-MS-CHAP v2 exchange on the LAN between the Supplicant (Printer), the
Authenticator and the Authentication server (2. Certificate, MS-CHAPv2 login, 6. Data)
1. The supplicant (for example the printer) sends an IEEE 802.1X request to the authenticator.
2. After negotiating the first part of the authentication method, the authenticator sends the
Identity of the Authentication server.
3. The supplicant authenticates the Identity certificate of the Authentication server.
4. The supplicant builds a PEAP encrypted channel to negotiate the second part of the
authentication. Thereafter, it sends its MS-CHAP v2 login information through the channel.
5. The Authentication server validates the MS-CHAP v2 login information.
6. The Authenticator enables the IEEE 802.1X configured port and the supplicant can access the
network.
IEEE802.1X - Configuration steps
Prerequisites
• A printer
• A switch supporting port-based authentication for IEEE802.1X
• A RADIUS server
Introduction
Two main port-based authentication methods are supported:
• With username from domain (requires a username/password)
• With printer name from domain (requires a client certificate)
The configuration of IEEE802.1X includes several procedures, some of them depending on the
authentication method.
Configuration procedures
1. IEEE802.1X environment preparation
   1. Configure a Certification Authority
      see Configure a Certification Authority (example on Windows Server 2016) on page 194
   2. Prepare the RADIUS server
      see Prepare the RADIUS server (example on Windows Server 2016) on page 196
   3. Prepare the switch
      see Prepare the switch on page 200
2. Configure the printer controller
   see Configure the printer controller on page 202
3. Configure the Radius server
   • for username from domain
     see Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2' on page 209
   • for printer name from domain
     see Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with EAP-TLS)' on page 219
Troubleshoot
For more information about troubleshooting the configuration of IEEE802.1X see Troubleshoot on
page 236.
Configure a Certification Authority (example on Windows Server 2016)
Introduction
As Certificates (Server and/or Client Certificates) are required for the IEEE802.1X configuration, it
is customary to configure your own Certification Authority rather than using a commercial
Certification Authority.
To configure such an environment on a Windows server 2016:
• Active Directory Certificate Services must be installed, and
• Certificate Authority (Default) must be installed
• It is recommended to install Certification Authority Web Enrollment, which will provide an
easy way for Certification with a web interface.
Once configured, you can see the local Certification Authority like in the example below:
Check that you have a certificate template for Client Authentication or create one:
NOTE
For complete Certification Authority configuration, please check relevant documentation. For
example 'How to configure Certification Authority on Windows Server 2016'.
Prepare the RADIUS server (example on Windows Server 2016)
Procedure
1. Install Network Policy and Access Services as a role on Windows Server 2016
2. Manage 'Network Policy Server' (NPS) and create a Radius client which is related to the switch
used:
• IP address of the switch
• It is recommended to add a 'Shared secret' which will also be set on the switch.
Example:
3. Check there is a Connection Request policy enabled with NAS port type = Ethernet.
Example:
Prepare the switch
Introduction
The switch must be configured, but the configuration depends on the switch chosen. We give
here an example of a Cisco SG-350:
Procedure
1. Configure IEEE802.1X on the switch.
2. Configure the port on the switch supporting IEEE802.1X where the printer will be plugged in (for
example port 'GE2' in the picture below).
Configure the printer controller
Introduction
The settings for IEEE802.1X on the printer controller are accessible through:
• Express WebTools (for settings configuration)
• Printer user panel (for IEEE802.1X status and disable in case of trouble)
Procedure
1. Open Express WebTools - Security - Trusted certificates.
2. Click on 'Create new' to import the Radius Server Root certificate on the controller.
This is the root certificate you defined when you created the Certification Authority (see Configure
a Certification Authority (example on Windows Server 2016) on page 194)
4. Click 'Ok'.
5. Edit the settings for IEEE802.1X on the printer controller in Express WebTools - Security -
Configuration - Network-based configuration (IEEE 802.1X)
2. Enter the DNS name of the printer in at least one of the Subject alternative name (SAN). In
this example : cw3700.sns.ocegr.fr
3. Click on 'OK' and wait for the following window to appear:
4. Copy the content (all the text including ' ----- BEGIN NEW CERTIFICATE REQUEST -----' and
'----- END NEW CERTIFICATE REQUEST -----')
5. Submit this certificate request to a Certification Authority (CA). See the following example
with an internal Certification Authority, realized with an Enrollment Web Server with
Windows Server 2016).
NOTE
A certificate template compatible with client authentication is required.
9. Click on 'Submit'.
The following window appears:
12. Select 'Root certificate' in Certificate type to import the Root certificate.
13. Select 'CA-signed certificate' in Certificate type to import the certificate previously
downloaded.
8. To see the IEEE802.1X status and to disable IEEE802.1X in case of network trouble, tap on the
printer user panel - System - Security.
Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2'
Introduction
This procedure describes how to configure the Radius server for 'Username from domain; PEAP
with EAP-MSCHAPv2' (example on Windows Server 2016).
For more information about this port-based authentication method see Port-based authentication
(IEEE 802.1X) - explained on page 188
Procedure
1. Open Windows Server Active Directory Users and Computers.
2. Create a Group for the printer:
3. Create a user for the printer belonging to the aforementioned group with the same <username>
and <password> defined on the controller.
5. At the Dial-in tab, give access permission to 'Control access through NPS Network Policy'.
6. Configure a Network Policy, see Configure the Radius server for 'Username from domain' -
Network Policy on page 211
Configure the Radius server for 'Username from domain' - Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for
'Username from domain; PEAP with EAP-MSCHAPv2' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
4. Click on 'Next'.
5. In 'Specify Access Permission', select 'Access granted'.
6. Click on 'Next'.
8. Click on 'OK'.
10. Define the certificate the server will use (the certificate you imported into the controller)
11. Click on 'Add' in the window 'Edit Protected EAP Properties' and select the EAP Type 'EAP-
MSCHAP v2 '.
15. Keep the default values in the 'Configure Constraints' window and click on 'Next'.
The 'Configure Settings' window opens.
16. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with EAP-TLS)'
Introduction
This procedure describes how to configure the Radius server for 'Printer name from domain;
EAP-TLS' and 'Printer name from domain; PEAP with EAP-TLS' (example on Windows Server
2016).
For more information about this port-based authentication method see Port-based authentication
(IEEE 802.1X) - explained on page 188
Procedure
1. Open Windows Server Active Directory Users and Computers.
2. Create a Group for the printer:
3. Create a computer for the printer with the computer name equal to the Subject Alternative name
(without the DNS suffix) you entered when creating the certificate request. See the step '... create
a (client) certificate on the controller' in Configure the printer controller on page 202:
In this example, the Subject Alternative name was : 'cw3700.sns.ocegr.fr', so the computer name
is 'cw3700'.
5. At the Dial-in tab, give 'Network Access Permission' to 'Control access through NPS Network
Policy'.
6. At the Attribute Editor tab, set the Attribute 'servicePrincipalName' with the syntax:
servicePrincipalName=host/<computername>.<domainsuffix>
Example: servicePrincipalName=host/cw3700.sns.ocegr.fr
Configure the Radius server for 'Printer name from domain; EAP-TLS' - Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for 'Printer
name from domain; EAP-TLS' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
2. Click on 'Add' in 'Specify Conditions' to add the group you defined before.
4. Click on 'Next'.
6. Click on 'Next'.
7. In 'Configure Authentication Methods', add 'Microsoft: Smart Card or other certificate'.
8. Click on 'OK'.
16. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Configure the Radius server for 'Printer name from domain; PEAP with EAP-TLS' - Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for 'Printer
name from domain; PEAP with EAP-TLS' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
4. Click on 'Next'.
5. In 'Specify Access Permission', select 'Access granted'.
6. Click on 'Next'.
8. Click on 'OK'.
10. Define the certificate the server will use (the certificate you imported into the controller)
11. Click on 'Add' in the window 'Edit Protected EAP Properties' and select the EAP Type 'Smart Card
or other certificate'.
12. Click on 'Edit' to define the certificate which will be used as Server certificate (the certificate you
imported into the controller).
18. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Troubleshoot
Introduction
As IEEE802.1X involves the printer, the switch, and the Radius Server, there are several tools for
troubleshooting.
3. On the switch
Generally:
• Some logging is present.
• Some switches have a test feature to check communication with the Radius server.
4. On the Radius Server
• Check the event viewer of Network Policy and Access Services.
Example of a network protocol capture with IEEE802.1X frames (PEAP with EAP-TLS):
Reminder: This tool tests the configuration only locally, it does not test the connection with the
switch or the radius server.
Problem: No communication with the Radius Server while the Printer sent its identity correctly to the Switch (seen with network protocol analyser)
Cause: Radius Server not correctly set
Solution: Check the Radius Server name in Express WebTools (caution: it must contain at least one '*' character)

Problem: Event viewer NPAS (Radius server) mentions: 'No credentials are available in the security package.'
Cause: Mismatch in the EAP type setting in Network Policy
Solution: Check Network Policy (on the Network policy server), section 'Authentication methods' (see relevant section corresponding to the Authentication method chosen)

Problem: Event viewer NPAS (Radius server) mentions: 'The specified user account does not exist.'
Cause: User not defined (username or printer name)
Solution:
• Check username or printer name on controller
• Check username or printer name in Active Directory

Problem: Event viewer NPAS (Radius server) mentions: 'An Access-Request message was received from RADIUS client <IP address of radius client -the switch- configured on the Radius Server> with a Message-Authenticator attribute that is not valid.'
Cause:
• Bad configuration of the Radius Client (on the Radius Server)
• Secret mismatch between the switch and the Radius client
Solution: Check the Radius client settings:
• on the switch
• on the Network policy server
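The last row above is the one that most often puzzles administrators, because the printer itself is not at fault: the Message-Authenticator is computed by the switch (the RADIUS client) over the Access-Request it forwards to NPS, keyed with the shared secret configured on both sides. The example below, added here and not part of the guide or of the product firmware, builds a minimal Access-Request in pure Python and verifies the attribute the way a RADIUS server does (RFC 3579 section 3.2), so you can see that a secret mismatch on either side, or any byte changed in transit, produces exactly this event. The user name 'cw3700' is the printer name used in the guide's own example; the secret is a constructed value.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants (RFC 2865, RFC 3579)
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def build_access_request(user_name: bytes, shared_secret: bytes, identifier: int = 1) -> bytes:
    """Build a minimal Access-Request carrying User-Name and Message-Authenticator.

    The Message-Authenticator is HMAC-MD5 over the entire packet, keyed with the
    shared secret, computed while the attribute's 16 value bytes are zero.
    """
    request_authenticator = os.urandom(16)                 # random per request (RFC 2865)
    attrs = bytes([ATTR_USER_NAME, 2 + len(user_name)]) + user_name
    ma_offset = HEADER_LEN + len(attrs) + 2                # where the 16 MAC bytes live
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(shared_secret, packet, hashlib.md5).digest()
    return packet[:ma_offset] + mac + packet[ma_offset + 16:]


def find_attribute(packet: bytes, attr_type: int):
    """Return (value_offset, value_length) of the first attribute of that type, or None."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return None                                    # malformed attribute list
        if atype == attr_type:
            return pos + 2, alen - 2
        pos += alen
    return None


def verify_message_authenticator(packet: bytes, shared_secret: bytes) -> bool:
    """The check the RADIUS server performs before logging
    'Message-Authenticator attribute that is not valid'."""
    found = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if found is None or found[1] != 16:
        return False
    off, _ = found
    received = packet[off:off + 16]
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    pkt = build_access_request(b"cw3700", b"constructed-secret")
    print("same secret :", verify_message_authenticator(pkt, b"constructed-secret"))
    print("other secret:", verify_message_authenticator(pkt, b"other-secret"))
```

Because the MAC covers the whole packet, the same failure appears when a device on the path rewrites any attribute, so compare the RADIUS client entry on NPS (IP address and secret) with the switch configuration before suspecting the printer's 802.1X settings.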
Antivirus
Compatibility and recommendations
The following antivirus software can be installed on your PlotWave/ColorWave systems:
• Symantec AntiVirus Endpoint Protection
• McAfee VirusScan Enterprise Edition / ePolicy Orchestrator for AntiVirus update
Contact your Canon representative to know which antivirus version to install on your PlotWave/
ColorWave systems and get the installation procedure.
NOTE
Canon shall not be liable for damages of any kind attributable to the use of an antivirus on its
controllers.
User access/LDAP authentication
Roles
Introduction
The "User access" feature gives access to the Local User Interface as well as Express WebTools
with different roles.
Each role gives permission to edit and change some parameters.
Roles description
4 different roles exist in the product. Each of them has the ability to configure or modify some
system settings.
The roles are:
• Key Operator:
The Key Operator can manage the jobs and the device settings.
• System Administrator
The System Administrator can manage the configuration settings, such as the network and
security settings.
• Power User
The Power User has both the rights of the Key operator and the System administrator.
• Service
This role is used exclusively by the Service technician.
Local users
These users are built-in users and cannot be changed. There are 4 local users:
• Key Operator (acting as Key Operator role)
• System Administrator (acting as System Administrator role)
• Power User (acting as Power User role)
• Service (acting as Service role)
NOTE
It is possible to disable one or more local users depending on the users and roles defined in
Domain users.
Domain users (LDAP authentication): for CW3500/3600/3700/3800 and CW500/700 R4.2 and higher versions
Introduction
This feature allows the IT manager to define which user, member of a domain, can log on to the
system with which role (Key Operator/ System Administrator/ Power User/ Service), valid for
Express WebTools as well as the Local User Interface.
This feature, called LDAP authentication, is based on secure LDAP protocol with 2 flavors:
• LDAP over Kerberos for Microsoft Windows environment
• LDAP over TLS mainly for non-Microsoft environment
Functional description
• On Server:
• The IT manager defines in each domain (several domains are possible):
• A domain group for System administrator role
• A domain group for Key Operator role
• A domain group for Power User role
• A domain group for Service
• For each group, the IT manager defines which user (member of a domain) will belong to
which group
• On the Printer:
• The IT manager defines the aforementioned domain(s) by means of Express Web Tools
• Any authorized user defined in a specific domain group can authenticate on Express Web
Tools and the Local User Interface with the dedicated role.
Configure the Domain users (LDAP authentication over Kerberos)
Introduction
Perform the following steps to configure LDAP authentication over Kerberos.
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Security' - 'Domains' page.
3. Click 'Create new' to create a domain.
6. In LDAP settings,
• enter the LDAP group name(s) defined in the LDAP server.
Note: you can leave some fields empty.
• define the protocol type according to LDAP policy.
• Kerberos (in this section)
7. When the security policy requires it, set the advanced settings:
• 'Suffix for the User Principal Name (UPN)': if there is a custom suffix, select 'Custom' and enter
it (if there are several suffixes in the same domain, create as many domains as existing
suffixes).
• 'Locate LDAP server': enter the LDAP server name (Fully Qualified Domain Name) or IP address
and port number (if not automatically retrieved by the DNS server).
NOTE : for Kerberos, the port number is usually 389
• 'LDAP attribute to display on the user panel': by default it is 'displayName', but another
attribute is possible.
• 'LDAP search filter': by default it is based on the user principal name
(userPrincipalName=(upn)), but it can be based on another attribute.
• 'LDAP search base': by default the complete LDAP database (defaultNamingContext attribute).
In case of several LDAP databases, it can be worthwhile for performance improvement to
indicate another LDAP search base (Custom LDAP search base).
8. When you click on "OK" a verification is performed, and an error is displayed in case of a domain
creation problem.
NOTE
It is always possible to save the configuration in case of failure and to edit it later on
(e.g. if changes must be performed on LDAP server).
Validate the configuration (Kerberos)
Introduction
After you configured the domains, validate them.
Procedure
1. Go to the 'Security' - 'Configuration'.
2. Click on 'Validate the configuration of the user access mode'.
3. Select the domain name, enter a valid username and the associated password.
4. Click 'OK'.
A report is generated:
5. Check there is no red cross icon in the report. If there is a red cross, solve the issue or check the
solutions in the troubleshooting section. See Troubleshooting LDAP authentication over Kerberos
on page 263
Configure the Domain users (LDAP authentication over SSL)
Introduction
Perform the following steps to configure LDAP authentication over SSL.
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Security' - 'Domains' page.
3. Click 'Create new' to create a domain.
6. In LDAP settings,
• enter the LDAP group name(s) defined in the LDAP server.
Note: you can leave some fields empty.
• define the protocol type according to LDAP policy.
• SSL (in this section)
7. When the security policy requires it, set the advanced settings:
• 'Suffix for the User Principal Name (UPN)': if there is a custom suffix, select 'Custom' and enter
it (if there are several suffixes in the same domain, create as many domains as existing
suffixes).
• 'Locate LDAP server': enter the LDAP server name (Fully Qualified Domain Name) or IP address
and port number (if not automatically retrieved by the DNS server).
NOTE : for SSL, the port number is usually 636
• 'LDAP attribute to display on the user panel': by default it is 'displayName', but another
attribute is possible.
• 'LDAP search filter': by default it is based on the user principal name
(userPrincipalName=(upn)), but it can be based on another attribute.
• 'LDAP search base': by default the complete LDAP database (defaultNamingContext attribute).
In case of several LDAP databases, it can be worthwhile for performance improvement to
indicate another LDAP search base (Custom LDAP search base).
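The 'LDAP search filter' and 'Suffix for the User Principal Name' settings in step 7 (identical for the Kerberos and the SSL procedures, so this single example covers both) decide which directory entry the printer looks up for the name typed on the panel. The Python below is an added illustration, not code from the guide or from the printer, of how such a filter is assembled safely: the UPN is built from the bare user name plus either the domain name or the custom suffix, and the value is escaped per RFC 4515 before it is placed in the filter, so characters such as '*', '(' and ')' in the typed name cannot widen the search or change its logic. Rejecting a user name that already contains '@' is my own design choice, not a documented printer behaviour.

```python
import re
from typing import Optional

# RFC 4515: characters that would otherwise be interpreted as filter syntax.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so typed input cannot inject filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_upn(user_name: str, domain: str, custom_suffix: Optional[str] = None) -> str:
    """UPN the printer looks up: <user>@<suffix>. The suffix is the domain name
    unless a custom UPN suffix is configured on that domain entry (the guide asks
    for one domain entry per suffix)."""
    if not user_name or "@" in user_name:
        # Assumption of this example: the suffix always comes from the domain entry.
        raise ValueError("enter the bare user name; the suffix comes from the domain entry")
    return f"{user_name}@{custom_suffix or domain}"


def build_search_filter(upn: str, attribute: str = "userPrincipalName") -> str:
    """The guide's default filter (userPrincipalName=<upn>), or the same shape on
    another attribute. The attribute name is validated as well, so neither side
    of the '=' can carry filter syntax."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"not a valid LDAP attribute name: {attribute!r}")
    return f"({attribute}={escape_filter_value(upn)})"


if __name__ == "__main__":
    print(build_search_filter(build_upn("user1", "domain.com")))
    print(build_search_filter(build_upn("user1", "domain.com", custom_suffix="corp.example")))
    print(build_search_filter("*)(objectClass=*"))   # hostile input stays one literal value
```

If you switch the filter to another attribute (for example to match on a login name that has no suffix), keep the custom search base narrow: the 'LDAP search base' setting above trades a full-directory search for a scoped one, which is faster and also limits what a mistyped filter can return.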
8. When you click on "OK" a verification is performed, and an error is displayed in case of a domain
creation problem.
NOTE
It is always possible to save the configuration in case of failure and to edit it later on
(e.g. if changes must be performed on LDAP server).
Configure the trusted certificates
When to do
After you configured the domains for LDAP over SSL, it is mandatory to configure the trusted
certificate chain since the LDAP server will send the complete certificate to the printer, and the
printer needs to check the validity of certificates by checking all the Root and/or intermediate
certificates embedded in this complete certificate.
Procedure
1. Open the 'Security' - 'Trusted certificates' page.
2. Click 'Create new' to create one certificate for each of the root and intermediate certificates used
in the LDAP server certificate.
It is recommended to leave the field 'Forced URL of OCSP responder' empty as LDAP server
certificates must always be valid. Please check this with the IT administrator.
3. Repeat the creation operation for every root and intermediate certificate.
Validate the configuration (SSL)
Introduction
After you configured the domains, validate them.
Procedure
1. Go to the 'Security' - 'Configuration'.
2. Click on 'Validate the configuration of the user access mode'.
3. Select the domain name, enter a valid username and the associated password.
4. Click 'OK'.
A report is generated:
5. Check there is no red cross icon in the report. If there is a red cross, solve the issue or check the
solutions in the troubleshooting section. See Troubleshooting LDAP authentication over SSL on
page 264
User access on the user panel
No domain configured
When a user wants to access the settings on the Local UI, the following window opens when
there is no domain configured:
When 'local users' is selected, you can select the local user according to the desired role.
When a domain is selected, the 'User name' field is empty. It is up to the user to enter his
username (the associated role has been set up by the IT administrator in the LDAP server).
NOTE
'Local users' may not appear, in case the local users are disabled.
User access with Express Webtools
No domain configured
When a user wants to access the settings with Express WebTools, the following window opens
when there is no domain configured:
When selecting the Domain 'Local Users', one or more of the 4 built-in users (Key operator,
System Administrator, Power User or Service) are available, and you can enter the password for
login.
NOTE
'Local users' may not appear, in case the local users are disabled.
Once logged in, a message mentioning the user has logged in is displayed on top right of the
screen:
When selecting a Domain that was previously configured, you have to enter the username which
has the appropriate role (as defined in the LDAP server).
Once logged in, a message mentioning the user has logged in is displayed on top right of the
screen:
Password policy
Disabling local user access
NOTE
A local user can be disabled ONLY if a valid domain user (with the same role) exists (in order to
avoid locking the settings access).
CAUTION :
Keep the domain users passwords in a safe place. Since if you disable ALL local users, and if you
cannot log in as a Domain User for any reason (password lost), you'll need to call Service to
install again the complete system.
Troubleshooting LDAP authentication over Kerberos
Introduction
Find below the list of possible causes of errors that can occur during the process of creating a
domain or when using the tool 'Validate the configuration of the user access mode'.
Troubleshooting LDAP authentication over SSL
Introduction
Find below the list of possible causes of errors that can occur during the process of creating a
domain or when using the tool 'Validate the configuration of the user access mode'.
Permissions for Service operations
NOTE
This feature is applicable when LDAP authentication has been setup and when the
system administrator has disabled the local System Administrator and the local
Power user account. In this case, if domain users are not accessible anymore for any
reason, it is not possible to log in locally on Express Webtools to change settings.
The only way is to re-enable the local users (System Administrator and Power user).
ONLY if the setting "Allow Service Technician to enable local users" is set to
"enabled", this operation can be performed by the Service technician on site. If the
setting "Allow Service Technician to enable local users" is set to "disable", a re-
installation of the printer software by the service technician is mandatory.
Passwords policy
Introduction
There are 2 groups of passwords:
• The passwords used in Express WebTools
• The passwords used on the printer user panel
Password policy
• 256 characters maximum
• all MS Windows characters are allowed
NOTE
Keep this password. The reset of this password may require the intervention of a Service
technician.
Passwords modification
Access control
Introduction
Access control allows you to limit access to the print system by filtering on IP address.
In Express WebTools, find the 'Access control' settings on the Security - Configuration page.
Pre-requisites
• The configuration of the 'Access control' settings is only available to the 'System
administrator' and 'Power user'.
To prevent unauthorised access to these settings via the printer panel, the System
administrator must log in to access the network settings.
• Important: ALWAYS define the hosts before enabling 'Access control'.
In case 'Access control' is enabled without any host configured, communication is blocked. Go
to the printer panel to disable 'Access control'.
In case DHCP and DNS servers are used:
• Add the DHCP server in the list of the Access control stations.
Otherwise the DHCP protocol is disabled: you can disable the DHCP settings in the
Configuration - Connectivity settings and configure the network settings manually.
• Add the DNS server in the list of the Access control stations.
Otherwise the DNS protocol is disabled: you can configure the path of the external locations
with the IP address instead of a hostname.
NOTE
When configuring the 'Access control station: IPv6 address', use the IPv6 static address (instead
of a dynamic stateless or stateful one).
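The two cautions above (define the hosts before enabling, and list the DHCP and DNS servers) both follow from the filter being a pure allow-list. The Python below is an added model of that behaviour, not code from the guide or from the printer, written to make the failure modes concrete: an enabled filter with an empty station list passes no source address at all, and a server left off the list is simply blocked, which is what 'the DHCP protocol is disabled' means in practice. The addresses are constructed documentation-range values; the IPv6 check is a heuristic of mine for the note about static addresses (it flags link-local and EUI-64-shaped addresses, which cannot be the static address the guide asks for).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AccessControl:
    """Model of the printer's IP filter: an allow-list of stations plus an on/off switch."""
    enabled: bool = False
    stations: List[str] = field(default_factory=list)

    def is_allowed(self, source_ip: str) -> bool:
        if not self.enabled:
            return True                                   # filter off: everything passes
        src = ipaddress.ip_address(source_ip)
        # Pure allow-list: enabled with no stations blocks every host,
        # including the administrator's own workstation.
        return any(src == ipaddress.ip_address(s) for s in self.stations)


def missing_servers(stations: List[str], servers: Dict[str, str]) -> List[str]:
    """Return the roles (e.g. 'DHCP', 'DNS') whose server is not in the station list.
    Enabling the filter while one is missing silently disables that protocol."""
    listed = {ipaddress.ip_address(s) for s in stations}
    return [role for role, ip in servers.items() if ipaddress.ip_address(ip) not in listed]


def non_static_ipv6(stations: List[str]) -> List[str]:
    """Heuristic: IPv6 stations that look dynamic (link-local, or a SLAAC EUI-64
    interface identifier with ff:fe in the middle) and so will not stay valid."""
    flagged = []
    for s in stations:
        addr = ipaddress.ip_address(s)
        if addr.version != 6:
            continue
        if addr.is_link_local or addr.packed[11:13] == b"\xff\xfe":
            flagged.append(s)
    return flagged


def enable(acl: AccessControl, servers: Dict[str, str]) -> AccessControl:
    """The order the guide insists on: define the stations first, then enable."""
    if not acl.stations:
        raise ValueError("no stations defined: enabling now would block all communication")
    missing = missing_servers(acl.stations, servers)
    if missing:
        raise ValueError(f"add these servers to the station list first: {missing}")
    acl.enabled = True
    return acl


if __name__ == "__main__":
    # Constructed example: an admin workstation and the DHCP server are listed, DNS is not.
    acl = AccessControl(stations=["192.0.2.10", "192.0.2.20"])
    print("missing:", missing_servers(acl.stations, {"DHCP": "192.0.2.10", "DNS": "192.0.2.53"}))
    enable(acl, {"DHCP": "192.0.2.10"})
    print("admin allowed:", acl.is_allowed("192.0.2.20"), "dns allowed:", acl.is_allowed("192.0.2.53"))
```

Run the pre-flight check against your real DHCP and DNS addresses before turning the setting on; if it is already on and the list is empty, the only way back is the printer panel, as the guide states.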
NOTE
Audit log
Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded
and/or cleared.
SNMPv3: for CW3600/3800, CW3500/3700 (R5.1 and higher versions) and CW500/700 (R4.3 and higher versions)
SNMPv3 implementation
The current implementation of SNMP v3 offers user authentication only, to ensure the identity of
the user; this corresponds to the SNMP security level "Auth, NoPriv" in the SNMP applications.
Encryption of the data transfer is not supported (the security level "Auth, Priv" is not supported).
For authentication, the authentication protocol is fixed to MD5 only.
SNMPv3 settings
You can access the SNMPv3 settings by means of the Settings Editor: section Configuration |
Connectivity | SNMP v3.
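To make the "Auth, NoPriv" statement above concrete: with SNMPv3 authentication the password never travels on the wire. It is turned into a key (RFC 3414 A.2.1), localized to the agent's engine ID so that the key for one printer is useless on another, and used to put a 12-byte HMAC-MD5-96 tag on each message; the OIDs and values themselves remain readable, which is what "Priv not supported" means. The code below is an added illustration in Python, not code from the guide or the printer, and checks itself against the test vector published in RFC 3414 appendix A.3.1 (password 'maplesyrup', a 12-byte engine ID ending in 0x02).

```python
import hashlib
import hmac


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: MD5 over the password repeated/truncated to 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (1_048_576 // len(password) + 1))[:1_048_576]
    return hashlib.md5(stream).digest()


def localize_key_md5(password: bytes, engine_id: bytes) -> bytes:
    """Kul = MD5(Ku || engineID || Ku): the key is bound to one SNMP engine."""
    ku = password_to_key_md5(password)
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_parameters(localized_key: bytes, whole_msg: bytes) -> bytes:
    """HMAC-MD5-96: the 12 msgAuthenticationParameters bytes, computed over the
    serialized message in which that field is all zeros (caller supplies that
    image). Only origin and integrity are protected; the PDU stays in the clear."""
    return hmac.new(localized_key, whole_msg, hashlib.md5).digest()[:12]


def verify_auth_parameters(localized_key: bytes, whole_msg: bytes, received: bytes) -> bool:
    """Constant-time comparison, as an agent or manager would do on receipt."""
    return hmac.compare_digest(auth_parameters(localized_key, whole_msg), received)


if __name__ == "__main__":
    engine_id = bytes(11) + b"\x02"                   # RFC 3414 A.3.1 engine ID
    kul = localize_key_md5(b"maplesyrup", engine_id)
    print("Kul =", kul.hex())                         # 526f5eed9fcce26f8964c2930787d82b
    msg = b"constructed-snmpv3-message-with-zeroed-auth-field"
    print("tag =", auth_parameters(kul, msg).hex())
```

Two practical consequences for a printer fleet: each device localizes the same password to a different key, so a key taken from one controller does not authenticate to another, and because MD5 is the only protocol offered here, the SNMPv3 user should carry a long passphrase and the management station should treat polled values as visible on the network segment.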
Secure Boot (CW3600/3800)
Whitelisting (McAfee Application Control) (CW3600/3800)
Pre-requisite
• A license for the option: 'Whitelisting (McAfee) License'
NOTE
The Whitelisting process needs 30-60 minutes to create the 'fingerprint' (on new
installed systems this process is faster than on systems in use for some time, as the
amount of data on the disks will have increased). The setting 'Current protection
status' stays at 'Protection not activated'.
5. After 60 minutes reboot the printer. After the reboot the setting 'Current protection status' will
change to 'Protection activated'.
NOTE
If the reboot is done before the Whitelisting process is finished, the process will
start again after the reboot. When the process then finishes, the setting 'Current
protection status' will change to 'Protection activated'.
Data security
User authentication
Introduction
In order to increase document confidentiality, the users can secure printing/copying/scanning
operations with the user authentication.
The 'User authentication' feature is an option.
When the 'User authentication' feature is enabled:
• The jobs are not printed until the owner of the job authenticates on the system user panel.
The print jobs are stored in the printer and only the owner of the jobs can access them.
• Copying and scanning operations are accessible only after the user authenticates on the
system user panel.
• You cannot retrieve scanned files that are stored locally on the controller.
User authentication methods
One of the two following methods can be used for user authentication:
• User name and password
The user name and password are required on the printer panel. This authentication method is
mainly targeted to Windows based environment (Microsoft Active Directory).
• Smart card (PKI card compatible with MS Active Directory Certificates Services)
A valid smart card must be inserted into the smart card reader (plugged into the USB outlet).
• Contactless card
A valid card without contact must be passed over a contactless card reader (plugged into the
USB outlet). The authentication method is mainly targeted to a Windows based environment
(Microsoft Active Directory).
NOTE
It is possible to mix some authentication methods:
Functional description
Impact of the user authentication on the system features and Express WebTools
The Scan and Copy features are accessible only after the user authenticates on the user panel.
Introduction
When the user authentication is activated, and in order to guarantee the data confidentiality:
• Some features of the system are disabled (see below).
• The related settings are no more accessible (see below).
• The time-out set for the 'Remove completed jobs from the Smart Inbox after' setting in
'Preferences' - 'System defaults' - 'Job management' applies and deletes:
- the jobs that are submitted without valid authentication information.
- the jobs that are not accessed during this period of time.
NO user, even users with privileges such as System Administrator, Key Operator, Power user or
Service, can see the content of the jobs or act on them.
Additional information
To secure the job data and job ownership on the network, during the job submission / the job
scanning to external locations, the use of a secured network (IPsec for instance) is recommended.
User authentication: the standard workflows
Introduction
Find below the standard workflow for printing and the standard workflow for scanning/copying
when the user authentication is activated and configured on the print system.
Step 1 - Logging on a workstation
The user logs in with his/her credentials.
Example: 'user1' on 'domain.com' and the associated password.
Step 2 - Job submission
The user submits jobs using a printer driver (e.g. WPD2/ Driver Select) or a job submitter (example: Publisher Select 3).
Step 3 - Authentication on the printer
The user logs in on the printer:
• either by typing his/her user name and password on the printer panel
• or by using his/her smart card
The credentials used on the printer must be the same as the ones used at the job submission time.
Example: 'user1' belonging to the domain 'domain.com'.
Step 4 - Job management
On the bottom right part of the panel (Smart Access), the user can see the jobs submitted with his/her user credentials.
The user can check the jobs and change the settings.
Step 5 - Job print
The user prints the jobs by clicking the green button.
Step 6 - Print queue
The user can open the print queue and follow the progress of the jobs.
NOTE
All the jobs in 'Ready to print' state are printed, even when
the users logs out in the meanwhile.
Recommendation: For complete security of the printed data,
we recommend that the user stays close to the printer until
all the jobs are completely printed.
The jobs in 'Processing' state are not printed if the user logs
out before they are in 'Ready to print' status.
Step 1 - Logging on the printer
The user logs in on the printer:
• either by typing his/her user name and password on the printer panel.
• or by using his/her smart card.
Example: 'user1' on 'domain.com'
Step 2 - Workflow selection
The user selects Copy or Scan in the menu.
NOTE
For scan operations, it is recommended to scan to an external location (not locally on the controller).
When the user logs in to an external location, the login name in the top menu is replaced by the login name to the external location. The 'User session time-out' set in the 'Security' - 'Configuration' tab applies for both the user authentication on the user panel and the authentication on the external locations.
The files scanned locally to the controller can be used only for reprint purpose. They cannot be retrieved or saved from the network.
Step 3 - Job copy or scan
The user loads the original and starts the copy or scan of the job to an external location.
The user authentication in the main job submission workflows
Introduction
There are several ways to submit print jobs to the printer.
Find below the recommendations for benefiting from the protection by the user authentication in
the recommended job submission workflows:
• Job submission with Publisher Select (from version 1.17)
• Job submission from an application with the WPD2 (from version 2.11) or Driver Select
• Job submission from an application with the PS3 driver (from version 1.24) or Driver Express
NOTE
In Publisher Select, the user account name cannot be
changed.
NOTE
If the user account name is not displayed, open the 'Options'
- 'Advanced options' window and check the option 'Require
user authentication' in 'Troubleshooting'.
Other submission workflows
NOTE
In the driver, the user name cannot be changed.
NOTE
The user name of the user logged on the system does not overwrite the 'Username' embedded
into the job ticket.
If there is no ticket or no 'Username' in the ticket, then the user name 'anonymous' is attached to
the job and stored in the system controller. Only a user with a user account name 'anonymous'
is then able to see and perform actions on these jobs.
NOTE
The job owner declared in Publisher Express does not overwrite the 'Username' embedded into
the job ticket.
Authentication by Smart card
Requirements
Introduction
To use the authentication by smart card, the smart card and the smart card reader must comply
with the following requirements:
Additional information
- Contact your Canon representative in case you want to use a smart card or a smart card reader
which is not recorded in the above lists.
- Plug the smart card reader into the USB port (contact your local Canon representative).
- The only network communication performed during authentication with a smart card is the one
with the revocation server. The information on the smart card and the information on the Express
WebTools settings are checked against the one which is stored in the revocation server.
Configure the Smart card authentication
Introduction
Perform the following steps to activate the user authentication and configure the smart card
authentication.
Procedure
1. Open the 'Security' - 'Trusted certificates' page.
2. Click 'Create new' to create one certificate for each of the root and intermediate certificates used
in the certificate chain for the authentication.
When the URL of the revocation server is embedded into the smart cards, leave the 'Forced URL
of OCSP responder' field empty.
Enter the URL of the revocation server only if this URL is not already embedded into the smart
cards.
4. Repeat the creation operation for every root and intermediate certificate.
5. Go to the 'Security' - 'Configuration' - 'User access configuration' section.
6. Set the user access settings:
When this setting is not activated, only the user name (without the suffix) is used for the job filtering.
Example: 'user1' only is used for filtering the jobs sent by all 'user1' users, whatever their domain. When logged in on the printer, 'user1' will have access to all jobs submitted by:
• 'user1@domain.com'
• 'user1'
• 'user1@anydomain.net'
Validate the smart card configuration
When to do
After you configured the user access mode via smart card, validate it.
Procedure
1. Insert a valid smart card in the smart card reader.
2. Below the 'User access mode' section, click 'Validate the configuration'.
3. Leave the 'User name' field empty and enter the PIN if it is required in the user access settings.
4. Click 'OK'.
A report is generated:
Authentication on the user panel
Introduction
Insert the smart card into the card reader.
• The authentication is automatic when the smart card contains a valid user name (and no
password is needed).
• A login window is displayed when the authentication with the smart card requires a PIN. Enter
the PIN in the password field.
• A login window is displayed when there is more than one user registered into the smart card.
Select the user name and enter the PIN in the password field.
After authentication, the name of the user is displayed in the top menu.
Troubleshooting of authentication by smart card
Introduction
When an error occurs during the configuration of the authentication by smart card, go to the
'Security' - 'Configuration' page and start the validation tool (See topic 'Validate the smart card
configuration').
Find below the list of possible causes of errors that can occur during the validation of the smart
card configuration.
Authentication by Contactless card (for CW3500/3600/3700/3800 and CW500/700 4.2 and higher versions)
Requirements
Introduction
To use the authentication by contactless card, the contactless card and the contactless card
reader must comply with the following requirements:
Additional information
- Contact your Canon representative in case you want to use a contactless card or a contactless
card reader which is not recorded in the above lists.
- Plug the contactless card reader into the USB port (contact your local Canon representative).
Configure the Contactless card authentication
Introduction
Perform the following steps to activate the user authentication and configure the contactless card authentication.
3. In the 'User access mode' section, select 'Contactless card' as the 'User authentication':
Create the domain(s) and set the user access configuration settings
Procedure
1. Open the 'Security' - 'Domains' page.
2. Click 'Create new' to create a domain:
• 'LDAP search base': by default the complete LDAP database (defaultNamingContext attribute). In case of several LDAP databases, it can be worthwhile for performance improvement to indicate another LDAP search base (Custom LDAP search base).
5. Repeat the creation operation for every domain needed.
6. Go to the 'Security' - 'Configuration' - 'User access configuration' section.
7. Set the user access settings:
• The 'User session time-out', in minutes. This is the duration of a user session before automatic log out on the system user panel.
Note: It is recommended to increase this duration for big jobs or heavy print files.
• Whether the PIN of the contactless card is requested at login time.
• Whether the fully qualified name of the job owner is used for job filtering ('Require the fully qualified name of the job owner' setting). The user then sees only the jobs that have been submitted with this FQDN.
• The type of the contactless card: Felica or Mifare or both.
Validate the contactless card configuration
When to do
After you configured the authentication by contactless card, validate it.
Procedure
1. Below the 'User access mode' section, click 'Validate the configuration of the user access mode'.
Authentication by contactless card on the user panel
Introduction
Approach the contactless card reader with the contactless card.
• The authentication is automatic when the contactless card contains valid credentials.
• A login window is displayed when the authentication with the contactless card requires a PIN.
Enter the PIN in the password field.
After authentication, the name of the user is displayed in the top menu.
Troubleshooting of authentication by contactless card
Introduction
When an error occurs during the configuration of the authentication by contactless card, go to the 'Security' - 'Configuration' page and start the validation tool (See Validate the contactless card configuration on page 295).
Find below the list of possible causes of errors that can occur during the validation of the contactless card configuration.
If a red cross is not reported with the 'Validate configuration' tool, but there is an error during
authentication with the card, please check:
• If the PIN code is correct but authentication fails, check that the LDAP attribute for the card ID is correctly set in the domain created (this may occur when the PIN code setting is set up after the domain has been created).
• If the account has been disabled in Active Directory
• If the account has been locked in Active Directory
• If the account has expired in Active Directory
• If the account password has expired
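The four Active Directory account states listed above are all visible in the account's LDAP attributes, which is how an administrator can confirm the cause before touching the printer configuration. The following is an added example, not the controller's validation tool: the entries are constructed, the helper names are assumptions, and the attribute semantics (the userAccountControl bits, and the FILETIME values in accountExpires, lockoutTime and pwdLastSet) are Active Directory's documented ones. Lockout is simplified: a non-zero lockoutTime is reported as locked without applying the domain's lockout duration.

```python
"""Diagnose why an Active Directory account is refused even with a correct
PIN or password: disabled, locked, expired, or password expired."""

from datetime import datetime, timedelta, timezone
from typing import Dict, List

UF_ACCOUNTDISABLE = 0x0002        # userAccountControl: account is disabled
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: password never expires
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """AD stores these timestamps as 100-nanosecond intervals since 1601-01-01 UTC."""
    return AD_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - AD_EPOCH) // timedelta(microseconds=1)) * 10


def account_problems(entry: Dict[str, int], now: datetime,
                     max_pwd_age: timedelta) -> List[str]:
    """Return the causes, in the order the guide lists them, that apply to this entry."""
    problems: List[str] = []
    uac = int(entry.get("userAccountControl", 0))
    if uac & UF_ACCOUNTDISABLE:
        problems.append("account disabled")
    if int(entry.get("lockoutTime", 0)) != 0:
        # Simplified: the domain's lockout duration is not applied here.
        problems.append("account locked")
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        problems.append("account expired")
    if not uac & UF_DONT_EXPIRE_PASSWD:
        # pwdLastSet == 0 means the user must change the password at next logon.
        last_set = int(entry.get("pwdLastSet", 0))
        if last_set == 0 or filetime_to_datetime(last_set) + max_pwd_age <= now:
            problems.append("password expired")
    return problems


# Constructed sample entries (attribute values as an LDAP lookup would return them).
NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = timedelta(days=90)          # assumed domain password policy
_fresh_pwd = datetime_to_filetime(datetime(2020, 6, 1, tzinfo=timezone.utc))
SAMPLE_ENTRIES = {
    "ok":       {"userAccountControl": 0x200, "lockoutTime": 0, "accountExpires": 0,
                 "pwdLastSet": _fresh_pwd},
    "disabled": {"userAccountControl": 0x202, "lockoutTime": 0, "accountExpires": 0,
                 "pwdLastSet": _fresh_pwd},
    "locked":   {"userAccountControl": 0x200,
                 "lockoutTime": datetime_to_filetime(datetime(2020, 6, 30, tzinfo=timezone.utc)),
                 "accountExpires": 0, "pwdLastSet": _fresh_pwd},
    "expired":  {"userAccountControl": 0x200, "lockoutTime": 0,
                 "accountExpires": datetime_to_filetime(datetime(2020, 1, 1, tzinfo=timezone.utc)),
                 "pwdLastSet": _fresh_pwd},
    "old_pwd":  {"userAccountControl": 0x200, "lockoutTime": 0, "accountExpires": 0,
                 "pwdLastSet": datetime_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))},
}


def diagnose_all() -> Dict[str, List[str]]:
    """Run the check over every constructed sample entry."""
    return {name: account_problems(e, NOW, MAX_PWD_AGE) for name, e in SAMPLE_ENTRIES.items()}
```

Against a real directory, the same function can be fed the attributes returned by the LDAP lookup account configured in the domain; the password age must come from the domain policy, which is why it is a parameter here.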
Authentication by user name and password
Configure the user authentication by user name and password
Introduction
Perform the following steps to activate and configure the user authentication by user name and password.
Create the domain(s) and set the user access configuration settings
Procedure
1. Open the 'Security' - 'Domains' page.
3. Enter a name for the domain. This name will appear on the user panel as the domain name, so it
is recommended to give it a clear name.
4. Enter a description.
5. Enter the exact fully qualified domain name (FQDN):
6. When the security policy requires it, set the advanced settings:
• 'Suffix for the User Principal Name (UPN)': if there is a custom suffix, select 'Custom' and enter
it (if there are several suffixes in the same domain, create as many domains as suffixes).
• 'Locate LDAP server': enter the LDAP server name (Fully Qualified Domain Name) or IP address
and port number (if not automatically retrieved by the DNS server).
• 'LDAP lookup account': enter the credentials if different from the account of the authenticated
user (which is the default).
• 'LDAP attribute to display on the user panel': by default it is 'displayName', but another
attribute is possible.
• 'LDAP search filter': by default it is based on the user principal name
(userPrincipalName=(upn)), but it can be based on another attribute.
• 'LDAP search base': by default the complete LDAP database (defaultNamingContext attribute).
In case of several LDAP databases, it can be worthwhile for performance improvement to
indicate another LDAP search base (Custom LDAP search base).
• 'LDAP attribute for Home folder': by default the Home directory (for products with the 'Scan to Home folder' feature).
7. Repeat the creation operation for every domain needed.
8. Go to the 'Security' - 'Configuration' - 'User access configuration' section.
9. Set the user access settings:
• The 'User session time-out' to configure, in minutes, the duration of a user session before
automatic log out on the printer panel.
Note that it is recommended to increase this duration for big jobs or heavy print files.
• Whether the fully qualified name of the job owner is used for job filtering ('Require the fully
qualified name of the job owner' setting).
When this setting is activated, the FQDN of the user is requested when the user logs in on the
printer panel. The user then sees only the jobs that have been submitted with this FQDN.
Example: 'user1@mydomain.com' is logged in on the printer. This user will see only the jobs
that have been submitted by 'user1@mydomain.com'. So the user must make sure that the
submission process embedded this information.
When this setting is not activated, only the user name (without the suffix) is used for the job
filtering.
Example: 'user1' only is used for filtering the job sent by all 'user1' users, if several. When
logged in on the printer, 'user1' will have access to all jobs submitted by:
• 'user1@mydomain.com'
• 'user1'
• 'user1@anydomain.net'
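The job filtering rules described above (exact match on the fully qualified name when the setting is on, match on the user name without suffix across all domains when it is off, and the 'anonymous' owner for jobs arriving without a ticket or without a 'Username') are small enough to model directly. The following is an added example, not the controller's own code: the Job record, the constructed sample tickets and the helper names are assumptions; only the rules come from the guide.

```python
"""Job visibility under the 'Require the fully qualified name of the job owner' setting."""

from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Job:
    job_id: str
    owner: str   # 'Username' taken from the job ticket, or 'anonymous'


def owner_from_ticket(ticket: Optional[dict]) -> str:
    """No ticket, or a ticket without 'Username', yields the 'anonymous' owner."""
    if not ticket or not ticket.get("Username"):
        return "anonymous"
    return ticket["Username"]


def short_name(name: str) -> str:
    """Drop the domain suffix: 'user1@domain.com' -> 'user1'."""
    return name.split("@", 1)[0]


def visible_jobs(jobs: Iterable[Job], logged_in_user: str, require_fqn: bool) -> List[Job]:
    """Jobs the logged-in user can see and act on under the chosen setting."""
    if require_fqn:
        # Setting on: only jobs whose ticket carries exactly this fully qualified name.
        return [j for j in jobs if j.owner == logged_in_user]
    # Setting off: 'user1' matches user1, user1@mydomain.com, user1@anydomain.net ...
    wanted = short_name(logged_in_user)
    return [j for j in jobs if short_name(j.owner) == wanted]


# Constructed sample tickets, as they might arrive via Publisher Express, FTP or LPR.
SAMPLE_TICKETS = {
    "j1": {"Username": "user1@mydomain.com"},
    "j2": {"Username": "user1"},
    "j3": {"Username": "user1@anydomain.net"},
    "j4": {"Username": "user2@mydomain.com"},
    "j5": None,                # no job ticket at all
    "j6": {"Username": ""},    # ticket without a 'Username'
}
SAMPLE_JOBS = [Job(jid, owner_from_ticket(t)) for jid, t in SAMPLE_TICKETS.items()]


def visible_ids(logged_in_user: str, require_fqn: bool) -> List[str]:
    """Job ids visible to the given user, over the constructed sample jobs."""
    return [j.job_id for j in visible_jobs(SAMPLE_JOBS, logged_in_user, require_fqn)]
```

Running `visible_ids("user1@mydomain.com", False)` returns the three 'user1' jobs regardless of domain, while the same user with the setting on gets only the job submitted as 'user1@mydomain.com'; this is the separation the setting buys when several domains share user names.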
Validate the configuration
When to do
After you configured the authentication by user name and password, validate it.
Procedure
1. Below the 'User access mode' section, click 'Validate the configuration'.
4. Click 'OK'.
A report is generated:
Authentication on the system user panel
Introduction
On the system user panel, tap the 'log in' icon to display the window.
• Select the domain.
• Type in the user name and the password.
After authentication, the name of the user is displayed in the top menu.
Troubleshooting
Introduction
When an error occurs during the process of authentication by user name and password, go to the
'Security' - 'Configuration' page and Validate the configuration on page 559.
Find below the list of possible causes of errors that can occur during the validation of the
configuration.
Log out
Log out
Introduction
A session can be interrupted manually by a manual log out, or automatically by the session time-out, in any condition (normal working condition or error status).
A warning message announces the session time-out 10 seconds before the session closes.
When the session time-out expires the user session is automatically closed, even when a smart card is inserted.
For security reasons, it is recommended to log out after the job completion, before leaving the system.
NOTE
The session is automatically closed when the time-out occurs, even if the smart card is still in the
card reader.
Pull the card out of the reader and insert it again to start a new session.
Special cases: a time-out, pause, or error occurs
Introduction
Find below some cases where the time-out can interact with the behaviour of the system.
NOTE
The time-out starts when no operation is made on the printer panel.
A job remains 24 hours maximum in the system. After this period of time, the jobs that are not processed are automatically deleted.
An error occurs
Troubleshooting
Troubleshooting
- In case of authentication by user name and password, check the domain and the user name used to log in on the printer user panel.
2. Check the exact user name of the owner of the job. Set or change it when needed.
Refer to the user authentication according to the job submission workflow, see The user
authentication in the main job submission workflows on page 282.
• For a job submitted with the PS3 driver, Driver Express or Publisher Select, the user name and the domain of the user logged in on the workstation are used to submit the job (including the domain when detected). If needed, log in on the workstation with the relevant user name on the relevant domain (example: 'user1' on domain 'domain.com').
• For a job submitted with WPD2/Driver Select, the 'user account name' displayed in WPD2, in the top right part of the window, is used. Change it if needed (example: user1@domain.com).
Note: If the user account name is not displayed, open the 'Options' - 'Advanced options' window and check the option 'Require user authentication' in 'Troubleshooting'.
• For a job submitted with Publisher Express, or via FTP, or via LPR, that contains a job ticket, open the job ticket to check the 'Username' field.
• For a job submitted with Publisher Express that does not contain a job ticket, check the content of the 'Job owner' field in the Publisher Express (Express WebTools) application. Set or change the 'Job owner' to the user Fully Qualified Name (example: user1@domain.com).
• For a job submitted via LPR or with ONYX that does not contain a job ticket, check the user name used for logging on the workstation, and uncheck the setting 'Require the fully qualified name of the job owner' (in Express WebTools - Security - 'Configuration' - 'User access configuration').
The authentication is successful, I can see the jobs I submitted to the system but not all of them are printed.
Possible cause:
The time for the processing of the jobs exceeds the user session time-out. Not all the jobs have reached the 'Ready to print' or 'Printing' status.
Action:
Increase the 'User session time-out' (in Express WebTools - Security - 'Configuration' - 'User access configuration').
Disable the user authentication
Introduction
In case you are locked out because the user access mode is enabled and you cannot access Express WebTools, you can disable it on the system panel.
Procedure
1. On the user panel, tap the upper right corner, to display the menu.
2. Select 'Security'.
6. Tap 'Finish'.
7. Restart the system.
Result
The user authentication is disabled.
Hard disk encryption (for CW500/700/3500/3700)
Pre-requisite
• The release of the ColorWave 3500/3700 or ColorWave 500/700 system R4.1 or higher.
• The hard disk encryption licence.
Contact your Canon representative.
• A TPM (Trusted Platform Module) board installed in the controller.
A Service technician installs the licence and the TPM board. Make sure the System Administrator grants the permission by setting 'Allow Service to access licenses information' (in Express WebTools, in 'Security' - 'Configuration', 'Permissions for Service').
2 encryption modes
There are 2 encryption modes:
NOTE
The encryption method for CW3500/3700 and CW500/700 4.2 and higher versions is fixed to AES256, while the encryption method for other CW500/700 versions is fixed to AES128.
When upgrading a CW500/700 R4.1 version with an encrypted disk to CW500/700 R4.2, it is mandatory to purge the encrypted disk of the CW500/700 R4.1 first, before installing version R4.2 and encrypting the disk, in order to benefit from the AES256 method on the new version (please contact your local Canon representative).
5. Power off the system (by using the black power button at the back of the printer, or by
pushing the button on the front of the printer for a few seconds).
NOTE
Important remark: when the system is purged, the system and the print/scan data are
decommissioned.
To use the system again, it must be completely reinstalled. The reinstallation will start
automatically when the system is powered on again. Contact your Service representative.
Hard disk encryption (CW3600/3800)
NOTE
Disk encryption has no impact on the performance. It should only be suspended in exceptional
cases.
After suspending it, you can re-enable encryption again. Re-enabling disk encryption should be
done by your local (Canon) representative, as the printer software needs to be reinstalled after
re-enabling encryption.
It is particularly recommended:
• In case of leasing, before the system is given back.
• At the system's end of life, before it is recycled.
To purge the system from the printer operating panel:
1. In the system settings, select 'Security'.
2. In the 'Current Security Configuration' window, tap 'Next'.
3. Now you get a window with possible operations.
Select 'Purge the System' and tap 'Next'.
4. A warning window is displayed.
Tap 'Start' to start the purging process.
5. When the purge process is ready, power off the system (by using the black power button at
the back of the printer, or by pushing the button on the front of the printer for a few seconds).
NOTE
Important remark: when the system is purged, all the data and the configuration are deleted.
To use the system again, it must be completely reinstalled.
E-Shredding
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature which overwrites any user print data and any user print/copy/scan data when it is deleted from the system.
This feature prevents the recovery of any deleted user data (file content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.
E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive).
• Gutmann: 35-pass overwriting algorithm with random data.
• Custom: set the number of passes, from 1 to 35.
NOTE
The e-shredding feature has been designed to minimise the impact on the overall system performance.
However, the more passes selected, the greater the impact on general performance.
It is recommended to minimise the number of passes when document production is required.
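To make the three behaviours above concrete, here is an added example of multi-pass overwriting before deletion, covering the pass counts the guide gives (3 for DOD 5220.22-M, 35 for Gutmann, 1 to 35 for Custom) and the "content and attributes" point: the file is overwritten, truncated, renamed and only then unlinked. It is an illustration of the technique, not the printer's implementation; the zeros/ones/random pattern order used for the DOD mode is an assumption (the guide states only the pass counts), and the file name, sample content and helper names are constructed. Overwriting in place gives no guarantee on flash storage or on journaling and copy-on-write file systems, where the old blocks can survive; the printer handles that inside its own storage layer.

```python
"""Multi-pass overwrite and delete, modelled on the e-shredding modes above."""

import os
import tempfile

MODES = {"dod": 3, "gutmann": 35}   # fixed pass counts; 'custom' takes 1..35


def pass_count(mode: str, custom_passes: int = 1) -> int:
    """Resolve the selected behaviour to a number of passes, enforcing the 1..35 range."""
    if mode in MODES:
        return MODES[mode]
    if mode == "custom":
        if not 1 <= custom_passes <= 35:
            raise ValueError("custom pass count must be between 1 and 35")
        return custom_passes
    raise ValueError(f"unknown e-shredding mode: {mode}")


def _pattern(mode: str, pass_no: int, size: int) -> bytes:
    # Assumed DOD 3-pass order: all zeros, all ones, then random data.
    # Every other pass (Gutmann, custom) writes random data, as the guide states for Gutmann.
    if mode == "dod" and pass_no == 0:
        return b"\x00" * size
    if mode == "dod" and pass_no == 1:
        return b"\xff" * size
    return os.urandom(size)


def shred_file(path: str, mode: str = "dod", custom_passes: int = 1,
               chunk: int = 1 << 16) -> int:
    """Overwrite the file content pass by pass, flushing each pass to the device,
    then truncate it (size attribute), rename it (name attribute) and unlink it.
    Returns the number of passes performed."""
    passes = pass_count(mode, custom_passes)
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(_pattern(mode, p, n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # the pass must reach the disk, not just the page cache
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    # Replace the original name with a random one before the directory entry goes away.
    anonymous_name = os.path.join(os.path.dirname(path), os.urandom(8).hex())
    os.replace(path, anonymous_name)
    os.unlink(anonymous_name)
    return passes


def demo(mode: str = "dod") -> dict:
    """Create a constructed sample print file, shred it and report the outcome."""
    fd, path = tempfile.mkstemp(suffix=".prn")
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONFIDENTIAL DRAWING - constructed sample print data\n" * 2000)
    passes = shred_file(path, mode)
    return {"passes": passes, "still_exists": os.path.exists(path)}
```

The performance note above follows directly from the loop: each extra pass rewrites the whole file and waits for an fsync, so a 35-pass setting costs roughly twelve times the I/O of the 3-pass one.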
Enable the e-shredding in Express WebTools
Procedure
1. In Express WebTools, open the 'Security' - 'Configuration' page and select the 'E-shredding' section.
2. Click 'Edit'.
3. Check the 'E-shredding' feature to enable it.
4. Select the algorithm.
Result
When the E-shredding feature is enabled:
• A new icon is added to the list of icons (bottom right) in the Express WebTools window:
• On the printer user panel, an indication is displayed in the System menu: 'E-shredding
enabled':
Each time data (file's content or attributes) is deleted from the system, the e-shredding process
occurs.
For a while, the E-shredding feedback returns 'busy'.
In the Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-shredding busy' status.
Once the e-shredding data process is complete, the status comes back to 'E-shredding ready' in
the Express WebTools (roll over the icon).
E-shredding process and system behaviour
NOTE
When you enable the e-shredding feature, the 'Save received job data for Service' feature (in
Preferences - System defaults - In case of errors) is automatically disabled, to avoid any storage
of job data that would not be automatically deleted.
The first e-shredding pass is performed immediately after the job is deleted. Subsequent passes
are performed in background.
IPsec
IPsec
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network
communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data
on the network.
You can connect up to 5 IPsec stations to the print/scan system.
Illustration
NOTE
The following IPsec parameters cannot be changed:
• IKE Diffie-Hellman group: 2 then 1
• IKE SA lifetime: 28800 s
• IKE security method: 3DES then MD5
• IKE hash: SHA1 then MD5
• ESP encryption: 3DES then DES
• ESP hash: SHA1 then MD5 then None
• AH hash: SHA1 then MD5
• Encapsulation type: Transport
• Protocol SA lifetime: 3600 s
Configure the IPsec settings in the controller
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools.
2. Open the 'Security' - 'Configuration' page.
3. In the 'Access control' section, click on the general 'Edit':
NOTE
Write down this preshared key. It will be required during the IPsec configuration on the
workstation.
7. Click 'OK'.
Note: The settings are applied as soon as 'OK' is validated (and before the restart). You may lose
the remote connection to the system when your workstation is not part of the configured stations.
Result
The IPsec settings are configured on the controller for a connection to a workstation.
Configure the IPsec settings on a workstation or a print server
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with administrator rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and
a workstation.
On the workstation, perform the following 7 actions:
1- Add the security snap-in on page 140
2- Create the security policy on page 142
3- Create the filter list on page 143
4- Define the filter actions and security negotiation on page 145
5- Define the security rule on page 147
6- Assign the security policy on page 150
7- Customize the IPsec settings on page 150
NOTE
The procedure below shows the configuration steps on Windows Server 2008 for a ColorWave 300 system.
The procedure is similar on other Operating Systems (Windows 7) and for other ColorWave/
PlotWave printers.
Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
Add the security snap-in
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
Create the security policy
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security
Policy'
Create the filter list
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter
lists and filter actions…'
Define the filter actions and security negotiation
Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
Define the security rule
'Data and address integrity without encryption (AH)' setting is not mandatory.
8. Click 'OK' and 'Next', then 'Finish'
Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the
wizard
(On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on
"Add")
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange
(preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the
controller on page 138), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule
Assign the security policy
Procedure
1. In the console, right click on the security policy just created and select 'Assign'
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec
station to the printer/scanner controller
Customize the IPsec settings
Procedure
1. In the Control panel select 'Windows Firewall' - 'Advanced settings' to open the 'Windows Firewall with Advanced Security' window
2. In the 'Actions' section on the right hand side, click on 'Windows Firewall with Advanced Security on Local Computer' to expand the menu
3. Select 'Properties'
4. In the 'IPsec Settings' tab, click on the 'Customize...' button of the 'IPsec defaults'
5. In the 'Data protection (Quick Mode)' section, select 'Advanced' and click on 'Customize...'
6. Check the 'Require encryption for all connection security rules that use these settings.' box
Remove your workstation from the IPsec/Access control configuration when it must not remain in
the list of connected stations.
For all other printers
When the test works properly it is recommended to disable the 'Failsafe mode' on the printer/
scanner controller. So, only the IPsec station is allowed to communicate with the printer/scanner
system.
Troubleshooting: Disable 'Access control' and IPsec
Introduction
In the following case:
• Access control and IPsec have been enabled without any station defined
and
• The communication between the controller and the host stations fails
Any remote connection to Express WebTools is impossible. The system is unreachable.
Then, use the emergency procedure to disable IPsec and Access control via the printer user
panel.
Procedure
1. On the user panel, tap the upper right corner, to display the menu
2. Select 'Security'
Result
Access control and IPsec functions are disabled.
After the restart, you will be able to remotely open Express WebTools from any workstation
(HTTP).
HTTPS
HTTPS
Encrypt print data and manage the system configuration using HTTPS
Introduction
In the ColorWave systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Publisher Express
- send encrypted print data to the printer controller via Publisher Select 3 (for CW3600/3800)
- save encrypted scan jobs from the printer controller (Scans Inbox)
- securely manage the configuration of the system through Express WebTools
Certificates are used to check the identity of the workstations and controller during the
communication.
The HTTPS protocol is always available.
All settings and options available through HTTP are also available through HTTPS.
Use the self-signed certificate with Internet Explorer
Procedure
1. On a workstation, type the URL address of the printer in Internet Explorer: https://[printer
hostname or Printer IP address].
A warning window opens:
7. Choose either 'Current User' or 'Local Machine' (check with your IT department) and click on
'Next'.
8. Select 'Place all certificates in the following store' and click on 'Browse...'.
Before the import or when the import fails, the certificate status will look like:
13. In the Security section, uncheck the option 'Warn about certificate address mismatch':
14. Click on 'Apply' and next on 'OK' and close all instances of Internet Explorer.
15. Restart the browser and type the URL of the printer in Internet Explorer (https://[printer hostname or Printer IP address]).
Result
The padlock is displayed on the address bar. The self-signed certificate guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network
Use the self-signed certificate with Mozilla Firefox
Procedure
1. On a workstation, type the URL address of the printer in Mozilla Firefox: https://[printer hostname
or Printer IP address].
A warning window opens:
2. Select 'Advanced'.
Request and import a CA-signed certificate
Introduction
By default the first certificate delivered for the use of HTTPS is the self-signed certificate of the
printer.
To ensure a fully trusted authentication, you can request and import a certificate delivered by a
Certification Authority (CA-signed certificate).
Step - Description
A1 - Back up the current certificate and private key (if any)
The current certificate can be:
• the self-signed certificate of the printer
• a CA-signed certificate (delivered by a Certification Authority) you previously installed
See Back up a certificate and private key on page 347.
A2 - Generate the certificate request
Make this step when you want to request and install a CA-signed certificate.
During the creation of the request, a new private key is created.
See Generate a CA-signed certificate on page 348.
A3 - Save the content of the certificate request
Send this content to the Certification Authority to request a (CA-signed) certificate.
The Certification Authority will check the request and reply.
- If the request is valid, go to step A4.
- If the request is not valid, make a new request (A2) according to the remarks/corrections suggested by the CA request feedback.
A4 - Restart the controller
A5 - Back up the private key
Save a backup of the private key associated with the certificate you will receive.
See Back up a certificate and private key on page 347.
B1 - Save and store the new CA-signed certificate
Save the CA-signed certificate you received from the Certification Authority.
B2 - Import the new CA-signed certificate into the controller
Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates).
See Import a CA signed certificate on page 349.
B3 - Restart the controller
B4 - Import the Root certificate into the web browsers of the workstations
The Root certificate identifies the Certification Authority. By default, the web browsers contain a list of well-known and trusted Root certificates.
In case the Root certificate of the Certification Authority is not in this list, install the CA Root certificate in the 'Trusted Root certificates' list of the web browser, on each workstation.
See Check and import the root certificate on page 350.
B5 - Back up the certificate and private key
Back up and store the certificate and the private key.
Note: It is highly recommended to back up the CA-signed certificate and the private key since they are not saved in any system backup.
See Back up a certificate and private key on page 347.
Other procedures
Procedure When to do
Restore a certificate and a private You can restore the certificate and the private key at any
key moment, in case of need.
See Restore a certificate on page 351
Reset the current certificate You can reset the certificate after a certificate request or
at any moment when you want to restore a self-signed
certificate.
This procedure creates a new self-signed certificate.
See Reset a certificate on page 351.
When to do
You must back up the certificate and private key:
• BEFORE the generation of a certificate request (step A1 of the HTTPS Description of the overall
procedure on page 346):
To save your current certificate and private key.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. Log on as the printer system administrator
3. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Backup certificate and private key]
4. To save the server certificate and private key, enter a password of at least 6 characters ([Password used to encrypt the private key])
5. Confirm the password
6. Click 'Save'
7. Download and store the backup file (.jks).
Generate a CA-signed certificate request
Purpose
Create a certificate request.
Use this function only when you want to request a new CA-signed certificate.
Pre-requisites
Back up the current Certificate and Private key already installed on the controller (see Back up a certificate and private key on page 347).
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Generate a certificate request'
3. Fill out the form with the requested information
NOTE
Attention: In the certificate request:
• The Common name MUST be the hostname or the Fully Qualified Domain Name (FQDN) of the printer (e.g. 'ColorWave700' or 'ColorWave700.mycompany.com'). This Common Name will be used in the URL (e.g. 'https://[CommonName]').
• The country name MUST follow the ISO 3166 standard and be composed of 2 characters (e.g. 'us' for United States)
4. Click 'Generate'.
Result
The web server generates a certificate request. The content of the request is displayed (plain text).
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvDCCASQAwfDELMAkGA1UEBMCRlIxDDAKBgNVBAgTA0lERjEQMA4GA1UEBxMHQ1JFVEVJ
TDEBEGA1UEChMKT2NlIFBMVCBTQTEMMAoGA1UECxMDU05TMSowKAYDVQQDEyF0ZHM3MDAtNzQw
LnNucy5vY2VjcmV0WlsLm9jZS5uZwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2NKQMd
HjiDZ1khzTJTORxHqjKl3AtE3PXqRsiHouTH5JTceYtaBjCnxCJ4pGKY5iKN8KJiJuZG8PHxY7o
W/+zpvxN2VtX7TcyTAvyCThUwL+cqo75tvODo5HMCUa2sLdl8GO9WMLpgZkxH5KzIiO+LcI4
yQbqhENynywS0C2ObXCq3yksF74+XIO0swhoA2yfDp4T+LuF3wxys8lUH3ZhhkOYg=
-----END NEW CERTIFICATE REQUEST-----
Save and send the request
When to do
NOTE
Step A3 of the HTTPS Description of the overall procedure on page 346.
Procedure
1. Copy and paste the content of the request in a .csr file (named 'certificate_request.csr' by default)
2. Send the content of this request to the Certification Authority.
Import a CA-signed certificate
Import the [Root certificate]
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname]).
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Import CA-signed certificate'.
3. Select [Root certificate].
4. Browse to the Root certificate file and click [Import].
NOTE
The Root certificate may already exist in the web server certificates list.
Import the [Intermediate certificate]
Procedure
1. Select [Intermediate certificate]
2. Browse to the Intermediate certificate file and click [Import]
3. When the message [Certificate successfully imported.] pops up, go back to the main page to import the [CA-signed certificate]
Import the [CA-signed certificate]
Procedure
1. Select [CA-signed certificate]
2. Browse to the certificate file
3. Select 'Yes' to validate the certificate against Java root certificates and click 'Import'
4. When the message [Certificate successfully imported.] pops up, restart the controller.
Result
The certificate is now installed on the server.
Check and import (if needed) the CA Root certificate also into the workstations' web browser. That will secure the complete data workflow between the workstations and the server.
Check and import the [Root certificate] into the workstations' browser
When to do
NOTE
Step B4 of the HTTPS Description of the overall procedure on page 346.
Procedure
1. On each workstation, open the web browser
2. In the Tools - Internet Options - Content window, open 'Certificates'
3. Check if the CA [Root certificate] is already displayed in the 'Trusted Root Certification Authorities' list
4. If it is not in the list, import the CA Root certificate.
Restore a certificate and a private key
When to do
You can restore the certificate and the private key at any moment, in case of need.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Restore certificate and private key]
3. Browse to the backup file
4. Enter the password of the backup file
5. Click 'Restore'
6. A dialog box opens: [This action will overwrite the current certificate. Continue?]
Click 'OK'
7. When the key and the certificate are successfully restored, restart the controller.
Reset the current certificate
Purpose
This procedure creates a new self-signed certificate.
When to do
You can reset the certificate after a certificate request or at any moment when you want to restore a self-signed certificate.
NOTE
Prefer the restoration of the original self-signed certificate (this requires a prior backup of the original self-signed certificate; see Back up a certificate and private key on page 347):
Each 'Reset certificate' action generates a new self-signed certificate (with a new private and public key). So each time you reset the certificate, you must import the new certificate into the web browser.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Reset certificate]
3. Click the 'Reset' button
4. When the reset is successful ([Certificate successfully reset]), restart the controller
Result
A new self-signed certificate has been generated on the controller.
Configure your web browser to use it (see Use the self-signed certificate with Internet Explorer on page 68).
TLSv1.2 / Strong cipher
Cipher algorithms
• When the setting 'Less strong cipher suites allowed' is set to 'No', the following weak ciphers are NOT used:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
• The strong available ciphers are:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
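What separates the two lists above is the key exchange: every suite on the weak list uses static RSA key exchange (no forward secrecy, so a controller private key that leaks later decrypts recorded print sessions), and one of them additionally uses 3DES. The following is an added example, not code from the Canon guide or from the printer software: it classifies IANA suite names by that rule, translates them to the OpenSSL names that Python's ssl module accepts (the mapping and the audit logic are this example's own), and builds a workstation-side client context that offers only the guide's strong list, so a client refuses the weak suites even where a controller still has 'Less strong cipher suites allowed' set to 'Yes'.

```python
"""Classify TLS 1.2 cipher suites the way the 'Less strong cipher suites
allowed' setting does, and build a client-side ssl.SSLContext that offers
only the strong list.

Added example: not code from the Canon guide or the printer software. The two
suite lists are copied from the guide; the IANA-to-OpenSSL name mapping and
the audit logic are this example's own.
"""
import ssl

# Suites the guide says are NOT used when 'Less strong cipher suites allowed' = 'No'
WEAK_SUITES = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Suites the guide lists as the strong ciphers available
STRONG_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
]


def split_suite(name):
    """Split an IANA name into (key exchange, cipher spec), e.g.
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ('ECDHE_RSA', 'AES_128_GCM_SHA256')."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not an IANA TLS 1.2 suite name: " + name)
    return tuple(name[len("TLS_"):].split("_WITH_", 1))


def weakness(name):
    """Why a suite belongs on the weak list, or None if it is strong.
    The guide's weak list is exactly the suites with static RSA key exchange
    (no forward secrecy) plus the 3DES suite (64-bit block cipher)."""
    kx, cipher = split_suite(name)
    reasons = []
    if kx == "RSA":
        reasons.append("RSA key exchange, no forward secrecy")
    if cipher.startswith("3DES"):
        reasons.append("3DES, 64-bit block cipher")
    return "; ".join(reasons) or None


def audit(suites):
    """Map each weak suite in 'suites' to its reason; strong suites are omitted."""
    return {s: weakness(s) for s in suites if weakness(s)}


def to_openssl_name(name):
    """Translate an IANA name to the OpenSSL name that SSLContext.set_ciphers()
    accepts: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -> ECDHE-RSA-AES256-SHA,
    TLS_RSA_WITH_AES_128_GCM_SHA256 -> AES128-GCM-SHA256 (RSA kx has no prefix),
    TLS_RSA_WITH_3DES_EDE_CBC_SHA -> DES-CBC3-SHA (irregular, special-cased)."""
    kx, cipher = split_suite(name)
    if cipher == "3DES_EDE_CBC_SHA":
        cipher_part = "DES-CBC3-SHA"
    else:
        alg, bits, mode, mac = cipher.split("_")      # e.g. AES, 256, GCM, SHA384
        cipher_part = alg + bits + ("-GCM" if mode == "GCM" else "") + "-" + mac
    prefix = "" if kx == "RSA" else kx.replace("_", "-") + "-"
    return prefix + cipher_part


def build_strong_context():
    """Client context restricted to TLS 1.2 or later and the guide's strong suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(to_openssl_name(s) for s in STRONG_SUITES))
    return ctx


def enabled_pre_tls13_suites(ctx):
    """OpenSSL names of the suites 'ctx' will offer below TLS 1.3 (the TLS 1.3
    suites are fixed by the library and are not governed by set_ciphers)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    for suite, reason in audit(WEAK_SUITES).items():
        print(f"{suite}: {reason}")
    print("offered:", enabled_pre_tls13_suites(build_strong_context()))
```

A context built this way can be passed to http.client or urllib when checking a controller; a handshake failure then means the controller offers none of the strong suites, which is the condition to fix on the controller side rather than by loosening the client.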
HTTPS recommendations for Certificate creation
Scan to Home folder / Print from Home folder
Pre-requisites
To allow a user to scan files to their Home folder, the following configurations are required:
• In the Microsoft Active Directory:
- A Home folder (a UNC path location) exists for each user
- Users have Read and Write rights to their private Home folder
• In the printer configuration:
- User authentication is enabled
- User authentication is configured with 'User name and password' (no Smart card or Contactless card)
The 'Home folder' location is then automatically created as an 'External location'. You can open the 'External locations' tab in 'Configuration' to see this new 'Home folder' location.
- The domain is created and configured
In the domain 'Advanced settings', keep the default 'homeDirectory' value in 'LDAP attribute for Home folder'.
- Check that the printer 'Current date and time' and 'Time zone' values are correct (in Express WebTools, Configuration - System defaults)
Refer to Configure the user authentication by user name and password on page 557 for the detailed procedure.
It is recommended that the System Administrator validates this new configuration by clicking 'Validate this configuration' in 'Security' - 'Configuration' (see Validate the configuration on page 559).
Result
Both methods send the scanned files to the users' private Home folder (root directory).
Troubleshooting
When an error occurs during the process of authentication by user name and password, follow the procedures below to test and troubleshoot:
• Use the validation tool to validate the configuration. See Validate the configuration on page 300
• Apply the corrective actions when needed. See Troubleshooting on page 302
In case the home folder is not accessible
• Use the validation tool and check in the report that the path to the Home folder is correct.
Prevent 'Print from USB' and/or 'Scan to USB'
Introduction
You can disable any access to the USB device by preventing printing from / scanning to the USB
device.
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open Express WebTools
2. Open the 'Configuration' - 'External locations' page
3. Log in as a System administrator or Power user
4. Edit the 'USB' type
Smart Inbox management and job management
Setting: The use of the Smart Inboxes ('Smart Inbox capability')
Effect: When the 'Smart Inbox capability' is set to 'Disabled', all the jobs currently present in the Smart Inboxes are deleted. All incoming print jobs are directly and solely sent to the print job queue.
Setting: The use of Publisher Express ('Publisher Express' or 'Enable Publisher Express')
Effect: When disabled, the job submission capability (through Express WebTools) is completely deactivated.
Setting: The remote actions on jobs to the Operator ('Restrict remote actions on jobs to the Key Operator')
Effect: When enabled, all remote actions on jobs in the queue are restricted to the Key Operator or Power user only.
Setting: The display of Smart Inboxes in Express WebTools
Effect: When enabled, all users of Express WebTools can see the Smart Inboxes. When disabled, only the Key operator or Power user can see them (login required).
Settings: Keep completed jobs in the Smart Inbox; Keep a copy of scanned jobs in the Smart Inbox; Keep a copy of copy jobs in the Smart Inbox (Public); Keep a copy of local print jobs in the Smart Inbox
Effect: When enabled, a copy of jobs is kept in the Smart Inbox for later use, until the expiration time-out. Disable these settings to delete all jobs from the Smart Inboxes after they are processed.
Data protection for template export (for CW3500/3600/3700/3800 and CW500/700 R4.2 and higher versions)
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Configuration' - 'Connectivity' page.
3. Go to the 'Passwords' section and define the 'Password encryption key'.
NOTE
To import a template it is mandatory to use the SAME 'Password encryption key' on the printer
where the template will be imported as the 'Password encryption key' that was used to export
the template, otherwise the import of the template will fail.
Chapter 7
Security on ColorWave 810 (lower
than R1.4), ColorWave 900 and
ColorWave 910 (lower than R1.4)
Overview
Security overview
620 Chapter 7 - Security on ColorWave 810 (lower than R1.4), ColorWave 900 and ColorWave 910 (lower than R1.4)
System and Network security
Ports - Protocols
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller (protocol) / OUTBOUND ports from the controller (protocol)
PostScript 3 driver, Driver Express: TCP 515: LPR
Publisher Express: TCP 80: HTTP; TCP 443: HTTPS
Publisher Select: TCP 80: HTTP; UDP 515: proprietary protocol for Printer Discovery
ONYX: UDP 161: SNMP; TCP 515: LPR; TCP 80: HTTP
Reprodesk Studio: TCP 515: LPR; TCP 80: back-channel (WAVE)
Novell NDPS printing: TCP 515: LPR
LPR printing: TCP 515: LPR
FTP printing: TCP 21: FTP; TCP 4242 (for data channel in FTP passive mode)
Notes:
Back-channel is a proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
Control management: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: INBOUND ports on the controller (protocol) / OUTBOUND ports from the controller (protocol)
PING IPv4: ICMPv4
nslookup: UDP local port: any; UDP remote port: 53
SNMP based applications: UDP 161: SNMP
Name resolution: outgoing connection, local port (on controller): UDP(/TCP) <dynamic value>; remote port (on DNS server): UDP(/TCP) 53
Express WebTools: TCP 80: HTTP; TCP 443: HTTPS
Account Center: TCP 80: HTTP
Accounting information retrieval: TCP 80: HTTP
Meter Manager: UDP 161: SNMP
On Remote Service: TCP 443: HTTPS; TCP web proxy port (1)
NetBios over TCP/IP: UDP 137; UDP 138; TCP 139, 445
WAVE: TCP 80: HTTP
OBIS: TCP 80: HTTP for back-channel (Publisher Select)
Security Patches
Introduction
You can install the security patches released by Canon Production Printing on your print system.
Install a patch
Procedure
1. Open Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
The authentication window opens.
Install Operating system patch
5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the
wizard
6. Click OK
Protocol protection
Introduction
In these systems, you can completely disable some protocols in order to protect them against
attacks.
HTTPS (inbound), ICMP (ping), DNS, LPR protocols cannot be disabled.
Network protocols protection
Prevent any outgoing connection to the Internet
Security of the USB connection
Introduction
A USB connection is available on the touch panel.
This USB connection is used to:
• Install / upgrade the controller software
• Backup and restore the controller configuration
• Collect log files into a USB device ('Get logfiles to USB stick' button in the 'Launcher'
application)
Roles and Passwords
Roles description
Four different roles exist in the product. Each of them has the ability to configure or modify some system settings.
The roles are:
• Key operator:
The Key operator can manage the jobs and the device settings.
• System administrator
The System administrator can manage the configuration settings, such as the network and
security settings.
• Power user
The Power User has both the rights of the Key operator and the System administrator.
• Service
This role is used exclusively by the Service technician.
Passwords policy in the ColorWave 810 (lower than R1.4) and ColorWave 910 (lower than R1.4) systems
Password policy
• 256 characters maximum
• all MS Windows characters are allowed
Passwords modification
Audit log
Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded
and/or cleared.
Data security
HTTPS
Encrypt print data and manage the system configuration using HTTPS
Introduction
In the PlotWave/ColorWave systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Publisher Express
- securely manage the configuration of the system through Express WebTools
Certificates are used to check the identity of the workstations and controller during the
communication.
The HTTPS protocol is always available.
All settings and options available through HTTP are also available through HTTPS.
Use the self-signed certificate with Internet Explorer
Procedure
1. On a workstation, type the URL address of the printer in Internet Explorer: https://[printer
hostname or Printer IP address].
A warning window opens:
7. Choose either 'Current User' or 'Local Machine' (check with your IT department) and click on
'Next'.
8. Select 'Place all certificates in the following store' and click on 'Browse...'.
Before the import or when the import fails, the certificate status will look like:
13. In the Security section, uncheck the option 'Warn about certificate address mismatch'.
14. Click on 'Apply' and next on 'OK' and close all instances of Internet Explorer.
15. Restart the browser and type the URL of the printer in Internet Explorer (https://[printer hostname or Printer IP address]).
Result
The padlock is displayed on the address bar. The self-signed certificate guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network
Use the self-signed certificate with Mozilla Firefox
Procedure
1. On a workstation, type the URL address of the printer in Mozilla Firefox: https://[printer hostname or Printer IP address].
A warning window opens:
2. Select 'Advanced'.
Request and import a CA-signed certificate
Introduction
By default the first certificate delivered for the use of HTTPS is the self-signed certificate of the printer.
To ensure a fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).
Description of the overall procedure
Step A1 - Back up the current certificate and private key (if any)
The current certificate can be:
• the self-signed certificate of the printer
• a CA-signed certificate (delivered by a Certification Authority) you previously installed
See Back up a certificate and private key on page 347.
Step A2 - Generate the certificate request
Make this step when you want to request and install a CA-signed certificate.
During the creation of the request, a new private key is created.
See Generate a CA-signed certificate on page 348.
Step A3 - Save the content of the certificate request
Send this content to the Certification Authority to request a (CA-signed) certificate.
The Certification Authority will check the request and reply:
- If the request is valid, go to step A4
- If the request is not valid, make a new request (A2) according to the remarks/corrections suggested by the CA request feedback
Step A4 - Restart the controller
Step A5 - Back up the private key
Save a backup of the private key associated with the certificate you will receive.
See Back up a certificate and private key on page 347.
Step B1 - Save and store the new CA-signed certificate
Save the CA-signed certificate you received from the Certification Authority.
Step B2 - Import the new CA-signed certificate into the controller
Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates).
See Import a CA signed certificate on page 349.
Step B3 - Restart the controller
Step B4 - Import the Root certificate into the web browsers of the workstations
The Root certificate identifies the Certification Authority.
By default, the web browsers contain a list of well-known and trusted Root certificates.
In case the Root certificate of the Certification Authority is not in this list, install the CA Root certificate in the 'Trusted Root certificates' list of the web browser, on each workstation.
See Check and import the root certificate on page 350.
Step B5 - Back up the certificate and private key
Back up and store the certificate and the private key.
Note: It is highly recommended to back up the CA-signed certificate and the private key since they are not saved in any system backup.
See Back up a certificate and private key on page 347.
Other procedures
Restore a certificate and a private key
When to do: You can restore the certificate and the private key at any moment, in case of need.
See Restore a certificate on page 351.
Reset the current certificate
When to do: You can reset the certificate after a certificate request or at any moment when you want to restore a self-signed certificate. This procedure creates a new self-signed certificate.
See Reset a certificate on page 351.
Back up a certificate and a private key
When to do
You must back up the certificate and private key:
• BEFORE the generation of a certificate request (step A1 of the HTTPS Description of the overall procedure on page 346): to save your current certificate and private key.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. Log on as the printer system administrator
3. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Backup certificate and private key]
4. To save the server certificate and private key, enter a password of at least 6 characters ([Password used to encrypt the private key])
5. Confirm the password
6. Click 'Save'
7. Download and store the backup file (.jks).
Generate a CA-signed certificate request
Purpose
Create a certificate request.
Use this function only when you want to request a new CA-signed certificate.
Pre-requisites
Back up the current Certificate and Private key already installed on the controller (see Back up a certificate and private key on page 347).
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Generate a certificate request'
3. Fill out the form with the requested information
NOTE
Attention: In the certificate request:
• The Common name MUST be the hostname or the Fully Qualified Domain Name (FQDN) of the printer (e.g. 'ColorWave700' or 'ColorWave700.mycompany.com'). This Common Name will be used in the URL (e.g. 'https://[CommonName]').
• The country name MUST follow the ISO 3166 standard and be composed of 2 characters (e.g. 'us' for United States)
4. Click 'Generate'.
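The NOTE above (the same rules apply to the certificate request in chapter 6) fixes two values that a CA will otherwise reject or that will later make browsers warn: the Common Name must be the printer's hostname or FQDN (the name users type in the URL), and the country must be a 2-letter ISO 3166 code. The following is an added example, not code from the Canon guide or from Express WebTools: it checks those two form values before the request is generated, checks that a given URL actually matches the Common Name, and checks the framing of the .csr file that step A3 has you save (PEM markers present, body is base64). The field names 'common_name' and 'country' and all sample values are constructed for the example; the check does not parse the DER inside the request, which is the Certification Authority's job.

```python
"""Checks for the 'Generate a certificate request' form and for the .csr file
saved in step A3: Common Name = hostname or FQDN of the printer, country =
2-letter ISO 3166 code, URL host = Common Name, .csr file = well-formed PEM.

Added example: not code from the Canon guide or from Express WebTools. The
field names ('common_name', 'country') and all sample values are constructed.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# RFC 1123 host label: 1-63 letters, digits or hyphens, no leading/trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname_or_fqdn(value):
    """True for 'ColorWave700' or 'ColorWave700.mycompany.com'; False for an
    empty string, a dotted-decimal IP address, a URL, or a malformed label."""
    if not value or len(value) > 253 or value.endswith("."):
        return False
    labels = value.split(".")
    if all(label.isdigit() for label in labels):   # 192.168.1.10 is not a name
        return False
    return all(_LABEL.match(label) for label in labels)


def validate_request_form(fields):
    """Return the list of problems with the form values (empty list = OK).
    'fields' is a dict with the constructed keys 'common_name' and 'country'."""
    problems = []
    if not is_hostname_or_fqdn(fields.get("common_name", "")):
        problems.append("Common Name must be the hostname or FQDN of the printer")
    # ISO 3166-1 alpha-2 codes are two letters; only the format is checked here,
    # not membership in the ISO list
    if not re.fullmatch(r"[A-Za-z]{2}", fields.get("country", "")):
        problems.append("Country must be a 2-letter ISO 3166 code")
    return problems


def url_matches_common_name(url, common_name):
    """True when the host part of the URL equals the Common Name (case-
    insensitive). A mismatch is what makes browsers raise the certificate
    address mismatch warning mentioned in the self-signed certificate steps."""
    host = urlsplit(url).hostname or ""
    return host.lower() == common_name.lower()


def check_csr_file(text):
    """Return the list of framing problems with a saved .csr file: BEGIN and
    END markers present ('NEW CERTIFICATE REQUEST' as shown in the guide, or
    plain 'CERTIFICATE REQUEST') and a body that is valid base64."""
    problems = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not re.fullmatch(r"-----BEGIN (NEW )?CERTIFICATE REQUEST-----", lines[0]):
        problems.append("missing BEGIN marker")
    if len(lines) < 2 or not re.fullmatch(r"-----END (NEW )?CERTIFICATE REQUEST-----", lines[-1]):
        problems.append("missing END marker")
    body = "".join(lines[1:-1])
    if not body:
        problems.append("empty body")
    else:
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append("body is not valid base64")
    return problems


# Constructed sample .csr content; the body is a placeholder, not a real request
SAMPLE_CSR = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    + base64.b64encode(b"constructed placeholder, not a real DER request").decode()
    + "\n-----END NEW CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    form = {"common_name": "ColorWave700.mycompany.com", "country": "us"}
    print("form problems:", validate_request_form(form))
    print("URL matches CN:", url_matches_common_name("https://colorwave700.mycompany.com/", form["common_name"]))
    print("csr problems:", check_csr_file(SAMPLE_CSR))
```

Run the form check against the values you intend to type, and the .csr check against the saved file before sending it to the CA; both return an empty list when there is nothing to fix.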
Result
The web server generates a certificate request. The content of the request is displayed (plain text).
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvDCCASQAwfDELMAkGA1UEBMCRlIxDDAKBgNVBAgTA0lERjEQMA4GA1UEBxMHQ1JFVEVJ
TDEBEGA1UEChMKT2NlIFBMVCBTQTEMMAoGA1UECxMDU05TMSowKAYDVQQDEyF0ZHM3MDAtNzQw
LnNucy5vY2VjcmV0WlsLm9jZS5uZwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2NKQMd
HjiDZ1khzTJTORxHqjKl3AtE3PXqRsiHouTH5JTceYtaBjCnxCJ4pGKY5iKN8KJiJuZG8PHxY7o
W/+zpvxN2VtX7TcyTAvyCThUwL+cqo75tvODo5HMCUa2sLdl8GO9WMLpgZkxH5KzIiO+LcI4
yQbqhENynywS0C2ObXCq3yksF74+XIO0swhoA2yfDp4T+LuF3wxys8lUH3ZhhkOYg=
-----END NEW CERTIFICATE REQUEST-----
Save and send the request
When to do
NOTE
Step A3 of the HTTPS Description of the overall procedure on page 346.
Procedure
1. Copy and paste the content of the request in a .csr file (named 'certificate_request.csr' by default)
2. Send the content of this request to the Certification Authority.
Import a CA-signed certificate
Import the [Root certificate]
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname]).
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Import CA-signed certificate'.
3. Select [Root certificate].
4. Browse to the Root certificate file and click [Import].
NOTE
The Root certificate may already exist in the web server certificates list.
Import the [Intermediate certificate]
Procedure
1. Select [Intermediate certificate]
2. Browse to the Intermediate certificate file and click [Import]
3. When the message [Certificate successfully imported.] pops up, go back to the main page to import the [CA-signed certificate]
Import the [CA-signed certificate]
Procedure
1. Select [CA-signed certificate]
2. Browse to the certificate file
3. Select 'Yes' to validate the certificate against Java root certificates and click 'Import'
4. When the message [Certificate successfully imported.] pops up, restart the controller.
Result
The certificate is now installed on the server.
Check and import (if needed) the CA Root certificate also into the workstations' web browser. That will secure the complete data workflow between the workstations and the server.
Check and import the [Root certificate] into the workstations' browser
When to do
NOTE
Step B4 of the HTTPS Description of the overall procedure on page 346.
Procedure
1. On each workstation, open the web browser
2. In the Tools - Internet Options - Content window, open 'Certificates'
3. Check if the CA [Root certificate] is already displayed in the 'Trusted Root Certification Authorities' list
4. If it is not in the list, import the CA Root certificate.
Restore a certificate and a private key
When to do
You can restore the certificate and the private key at any moment, in case of need.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Restore certificate and private key]
3. Browse to the backup file
4. Enter the password of the backup file
5. Click 'Restore'
6. A dialog box opens: [This action will overwrite the current certificate. Continue?]
Click 'OK'
7. When the key and the certificate are successfully restored, restart the controller.
Purpose
This procedure creates a new self-signed certificate.
When to do
You can reset the certificate after a certificate request or at any moment when you want to restore
a self-signed certificate.
NOTE
Prefer the restoration of the original self-signed certificate (that requests a preliminary back up of
the original self-signed certificate. See Back up a certificate and private key on page 347):
Each 'Reset certificate' action generates a new self-signed certificate (with a new private and
public key). So each time you reset the certificate, you must import the new certificate into the
web browser.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname]).
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Reset certificate].
3. Click the 'Reset' button.
4. When the reset is successful ([Certificate successfully reset]), restart the controller.
Result
A new self-signed certificate has been generated on the controller.
Configure your web browser to use it (see Use the self-signed certificate with Internet Explorer on page 68).
Chapter 8
Security on ColorWave 9000 (R2.x and R 3.x) and ColorWave 810/910 (R1.4 and higher versions)
Overview
Security overview
648 Chapter 8 - Security on ColorWave 9000 (R2.x and R 3.x) and ColorWave 810/910 (R1.4 and higher versions)
System and Network security
Ports - Protocols
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality; INBOUND ports on the controller: protocol; OUTBOUND ports from the controller: protocol
• Wide-format Printer Driver for Microsoft Windows (WPD2), Driver Select
  INBOUND: TCP 515: LPR; TCP 80: HTTP for back-channel (1) and Advanced accounting
  OUTBOUND: UDP 515: proprietary protocol for Printer Discovery
Notes:
(1) Back-channel is a proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
Control management: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality: ports and protocols (INBOUND on the controller or OUTBOUND from the controller)
• PING IPv4: ICMPv4
• PING IPv6: ICMPv6
• nslookup: UDP local port: any; UDP remote port: 53
• SNMP based applications: UDP 161: SNMP
• Name resolution: outgoing connection; local port (on controller): UDP(/TCP) <dynamic value>; remote port (on DNS server): UDP(/TCP) 53
• Express WebTools: TCP 80: HTTP; TCP 443: HTTPS
• Account Center: TCP 80: HTTP
• Accounting information retrieval: TCP 80: HTTP
• Back-channel: TCP 65200 for OCI back-channel
• Meter Manager: UDP 161: SNMP
• On Remote Service: TCP 443: HTTPS; TCP web proxy port (1)
• LDAP authentication over Kerberos: TCP 88 / UDP any: for Kerberos; TCP 389 (configurable) / UDP any: for LDAP
• LDAP authentication over SSL: customer configurable; TCP port 636 by default / UDP any
• NetBIOS over TCP/IP: UDP 137, UDP 138; TCP 139, 445
• WSD: TCP 80: HTTP; UDP 3702 for WSD discovery; TCP 5357 for WSD eventing
• WAVE: TCP 80: HTTP
• OBIS (Publisher Select): TCP 80: HTTP for back-channel
• IPsec: UDP 500; UDP 4500
Notes:
(1) When there is a proxy.
Security Patches
Introduction
You can install the security patches released by Canon Production Printing on your print system.
Install a patch
Procedure
1. Open Express WebTools
2. Open the 'Support' tab
3. Select 'Update'
The authentication window opens.
Install Operating system patch for CW810/910
5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the
wizard
6. Click OK
Install Operating system patch for CW9000
Introduction
Install Windows updates, also called security patches, when they are available for your product.
Functional description
1. In Express WebTools, the user selects the Operating system patch file previously retrieved.
2. The system downloads this patch file and checks its integrity.
3. The printer starts the patch installation.
4. A reboot is necessary to complete the installation.
Install a patch
Procedure
1. Open Express WebTools.
2. Open the [Support] tab.
3. Select [Update].
4. Click on [Install] in the [Operating system patches] section.
After a warning popup window, the following window is displayed:
5. Browse to the downloaded patch file (*.msu) and click OK to install it.
Two options are available:
• Option 1 : Automatically install the operating system patch after the file has been uploaded
• Option 2 : Restart the system automatically to finish the installation of the operating system
Here are the useful scenarios:
Protocol protection
Introduction
In these systems you can completely disable some protocols, which removes them as a means of attack against the system.
HTTPS (inbound), ICMP (ping), DNS and LPR cannot be disabled.
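As an added example (not Canon's software), the following Python compares a controller's observed listening ports with the inbound ports documented in the 'Applications, protocols and ports' table and with the protocols that cannot be disabled, so that a port scan taken after hardening can be read against the guide. The scan output is constructed, and TCP 65200 is assumed to be inbound because the extracted table does not show its column.

```python
"""Audit the listening ports of a controller against the inbound ports this
chapter documents.  Added example, not Canon's software: the allowlist is
transcribed from the 'Applications, protocols and ports' table, TCP 65200 is
assumed to be inbound (the extracted table does not show its column), and the
scan output below is constructed, not captured from a printer."""

import re
from typing import Dict, Set, Tuple

Port = Tuple[str, int]          # (protocol, port number)

# Documented INBOUND ports on the controller and the applications using them.
EXPECTED_INBOUND: Dict[Port, str] = {
    ("tcp", 80): "HTTP: Express WebTools, driver back-channel, Account Center, WSD, WAVE, OBIS",
    ("tcp", 443): "HTTPS: Express WebTools",
    ("tcp", 515): "LPR: Wide-format Printer Driver / Driver Select",
    ("udp", 161): "SNMP: SNMP based applications, Meter Manager",
    ("tcp", 65200): "OCI back-channel (assumed inbound)",
}

# 'Protocol protection' says HTTPS (inbound), ICMP, DNS and LPR cannot be
# disabled; HTTPS and LPR are the two that a port scan of the controller can see.
CANNOT_BE_DISABLED: Set[Port] = {("tcp", 443), ("tcp", 515)}

# Constructed scan result, one "port/proto state" entry per line.
SAMPLE_SCAN = """\
80/tcp open
443/tcp open
515/tcp open
161/udp open
23/tcp open
8080/tcp open
65200/tcp closed
"""

_ENTRY = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(open|closed|filtered)$")


def parse_scan(text: str) -> Set[Port]:
    """Return the (proto, port) pairs reported open; malformed lines are skipped."""
    open_ports: Set[Port] = set()
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m and m.group(3) == "open":
            open_ports.add((m.group(2), int(m.group(1))))
    return open_ports


def audit(observed_open: Set[Port]) -> Dict[str, Set[Port]]:
    """Classify the observed ports against the documented inbound list.

    unexpected        - open, but not in the documented table: needs an explanation
    disabled          - documented, but not open: most likely switched off under
                        'Protocol protection', to be confirmed in Express WebTools
    missing_mandatory - documented as not disableable, yet not open: points at a
                        scan or network problem, not at a controller setting
    """
    expected = set(EXPECTED_INBOUND)
    return {
        "unexpected": observed_open - expected,
        "disabled": (expected - observed_open) - CANNOT_BE_DISABLED,
        "missing_mandatory": CANNOT_BE_DISABLED - observed_open,
    }


def describe(result: Dict[str, Set[Port]]) -> str:
    """Human-readable summary of an audit() result, one line per finding."""
    lines = []
    for category, ports in result.items():
        for proto, port in sorted(ports):
            what = EXPECTED_INBOUND.get((proto, port), "not in the documented table")
            lines.append(f"{category}: {port}/{proto} - {what}")
    return "\n".join(lines) or "all observed ports match the documented inbound list"


if __name__ == "__main__":
    print(describe(audit(parse_scan(SAMPLE_SCAN))))
```

Extend EXPECTED_INBOUND with the rows of the table that apply to your installation (for instance the WSD or IPsec ports when those features are enabled); the 'disabled' category then tells you which documented services were switched off, and anything under 'unexpected' deserves a look before the printer goes into production.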
Network protocols protection
Prevent any outgoing connection to the Internet
Security of the USB connection
Introduction
A USB connection is available on the touch panel.
This USB connection is used to:
• Install / upgrade the controller software
• Backup and restore the controller configuration
Port based authentication (IEEE 802.1X)
Port-based authentication (IEEE 802.1X) - explained
EAP
In general, IEEE 802.1X uses the EAP (Extensible Authentication Protocol) protocol to negotiate how the supplicant and the authentication server are authenticated. The supplicant can use a certificate, a smart card, or credentials for identification.
EAP collaborates with additional authentication protocols, such as Transport Layer Security (TLS)
and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).
• EAP-TLS
EAP-TLS is used in certificate-based security environments. It provides the strongest
authentication and key determination method. EAP-TLS requires that the supplicant has an
identity certificate.
• EAP-MS-CHAP v2
EAP-MS-CHAP v2 is a mutual authentication method that supports password-based endpoint
authentication.
NOTE
Not all authentication servers, supplicants and LDAP directory servers support all authentication
methods.
PEAP
PEAP (Protected EAP) is a protocol to increase the security of EAP-MS-CHAP v2 and EAP-TLS.
PEAP builds an encrypted channel during the second part of the EAP handshake process. Inside
this secure channel a new EAP negotiation takes place to authenticate the supplicant.
The authentication methods the printer supports are: PEAP with EAP-TLS, PEAP with EAP-MS-CHAP v2 and EAP-TLS.
Identity certificates
All authentication methods require that the trusted CA certificates of the authentication server are available on the supplicant, in the controller's list of trusted certificates, so that the supplicant can authenticate the authentication server. The same identity certificate is used for HTTPS, IPsec and IEEE 802.1X.
EAP-TLS requires a valid Identity certificate of the supplicant that is mapped to a user account or
computer account in the LDAP directory server (Active Directory Domain Services (AD DS)).
• When the certificate refers to a computer account, the Subject Alternative Name
(SubjectAltName) field in the certificate must contain the Fully Qualified Domain Name (FQDN)
of the client, which is also called the DNS name.
• When the certificate refers to a user account, the Subject Alternative Name (SubjectAltName)
field in the certificate must contain the User Principal Name (UPN).
NOTE
EAP-MS-CHAP v2 does not need an Identity certificate of the supplicant.
• When the printer uses IEEE 802.1X, the CA certificates of the RADIUS server must be imported into the list of trusted certificates.
• The printer Identity certificate that is valid for HTTPS can be used for IEEE 802.1X.
• One of the Subject Alternative Name fields of the printer Identity certificate must be equal to
the Fully Qualified Domain Name (FQDN).
NOTE
EAP-MS-CHAP v2 requires an MS-CHAP v2 username and an MS-CHAP v2 password, which are configured in Express WebTools.
EAP-TLS
[Figure: EAP-TLS exchange between the Supplicant (Printer), the Authenticator, the Authentication server and the Domain controller (directory service) over the LAN]
1. The supplicant (for example the printer) sends IEEE 802.1X request to authenticator.
2. After negotiating the authentication method, the authenticator sends the Identity of the
Authentication server.
[Figure: PEAP with EAP-TLS exchange between the Supplicant (Printer), the Authenticator, the Authentication server and the Domain controller (directory service) over the LAN]
1. The supplicant (for example the printer) sends IEEE 802.1X request to authenticator.
2. After negotiating the first part of the authentication method, the authenticator sends the
Identity of the Authentication server.
3. The supplicant authenticates the Identity certificate of the Authentication server.
4. The supplicant builds a PEAP encrypted channel to negotiate the second part of the
authentication. Thereafter, it sends its Identity certificate through the channel.
5. The Authentication server verifies the Identity certificate. The directory service of the domain
controller is used to query the user account or computer account reference of the certificate.
6. The Authentication server authenticates the Identity certificate of the supplicant.
7. The Authenticator enables the IEEE 802.1X configured port and the supplicant can access the
network.
[Figure: PEAP with EAP-MS-CHAP v2 exchange between the Supplicant (Printer), the Authenticator and the Authentication server over the LAN: 2. Certificate (Identity certificate of the Authentication server), MS-CHAPv2 login, 6. Data]
1. The supplicant (for example the printer) sends IEEE 802.1X request to authenticator.
2. After negotiating the first part of the authentication method, the authenticator sends the
Identity of the Authentication server.
3. The supplicant authenticates the Identity certificate of the Authentication server.
4. The supplicant builds a PEAP encrypted channel to negotiate the second part of the
authentication. Thereafter, it sends its MS-CHAP v2 login information through the channel.
5. The Authentication server validates the MS-CHAP v2 login information.
6. The Authenticator enables the IEEE 802.1X configured port and the supplicant can access the
network.
IEEE802.1X - Configuration steps
Prerequisites
• A printer
• A switch supporting port-based authentication for IEEE802.1X
• A RADIUS server
Introduction
Two main port-based authentication methods are supported:
• With username from domain (requires a username/password)
• With printer name from domain (requires a client certificate)
The configuration of IEEE802.1X includes several procedures, some of them depending on the
authentication method.
Configuration procedures
1. IEEE802.1X environment preparation
1. Configure a Certification Authority
see Configure a Certification Authority (example on Windows Server 2016) on page 666
2. Prepare the RADIUS server
see Prepare the RADIUS server (example on Windows Server 2016) on page 668
3. Prepare the switch
see Prepare the switch on page 672
2. Configure the printer controller
see Configure the printer controller on page 674
3. Configure the Radius server
• for username from domain
see Configure the Radius server for 'Username from domain' - Network Policy on
page 683
• for printer name from domain
see Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with
EAP-TLS)' on page 691
Troubleshoot
For more information about troubleshooting the configuration of IEEE802.1X see Troubleshoot on
page 708.
Configure a Certification Authority (example on Windows Server 2016)
Introduction
As certificates (server and/or client certificates) are required for the IEEE802.1X configuration, it is customary to configure your own Certification Authority rather than use a commercial Certification Authority.
To configure such an environment on Windows Server 2016:
• Active Directory Certificate Services must be installed, and
• Certificate Authority (Default) must be installed
• It is recommended to install Certification Authority Web Enrollment, which provides an easy way to request certificates through a web interface.
Once configured, you can see the local Certification Authority as in the example below:
Check that you have a certificate template for Client Authentication or create one:
NOTE
For complete Certification Authority configuration, please check relevant documentation. For
example 'How to configure Certification Authority on Windows Server 2016'.
Prepare the RADIUS server (example on Windows Server 2016)
Procedure
1. Install Network Policy and Access Services as a role on Windows Server 2016
2. Manage 'Network Policy Server' (NPS) and create a Radius client which is related to the switch used:
• IP address of the switch
• It is recommended to add a 'Shared secret' which will also be set on the switch.
Example:
3. Check there is a Connection Request policy enabled with NAS port type = Ethernet.
Example:
Prepare the switch
Introduction
The switch must be configured, but the configuration depends on the switch chosen. An example for a Cisco SG-350 is given here:
Procedure
1. Configure IEEE802.1X on the switch.
2. Configure the port on the switch supporting IEEE802.1X where the printer will be plugged in (for
example port 'GE2' in the picture below).
Configure the printer controller
Introduction
The settings for IEEE802.1X on the printer controller are accessible through:
• Express WebTools (for settings configuration)
• Printer user panel (for IEEE802.1X status and disable in case of trouble)
Procedure
1. Open Express WebTools - Security - Trusted certificates.
2. Click on 'Create new' to import the Radius Server Root certificate on the controller.
This is the root certificate you defined when you created the Certification Authority (see Configure
a Certification Authority (example on Windows Server 2016) on page 666)
4. Click 'Ok'.
5. Edit the settings for IEEE802.1X on the printer controller in Express WebTools - Security -
Configuration - Network-based configuration (IEEE 802.1X)
2. Enter the DNS name of the printer in at least one of the Subject Alternative Name (SAN) fields. In this example: cw3700.sns.ocegr.fr
3. Click on 'OK' and wait for the following window to appear:
4. Copy the content (all the text, including '----- BEGIN NEW CERTIFICATE REQUEST -----' and '----- END NEW CERTIFICATE REQUEST -----').
5. Submit this certificate request to a Certification Authority (CA). See the following example with an internal Certification Authority, realised with an Enrollment Web Server on Windows Server 2016.
NOTE
A certificate template compatible with client authentication is required.
9. Click on 'Submit'.
The following window appears:
12. Select 'Root certificate' in Certificate type to import the Root certificate.
13. Select 'CA-signed certificate' in Certificate type to import the certificate previously
downloaded.
8. To see the IEEE802.1X status and to disable IEEE802.1X in case of network trouble, tap on the
printer user panel - System - Security.
Configure the Radius server for 'Username from domain; PEAP with EAP-MSCHAPv2'
Introduction
This procedure describes how to configure the Radius server for 'Username from domain; PEAP
with EAP-MSCHAPv2' (example on Windows Server 2016).
For more information about this port-based authentication method see Port-based authentication (IEEE 802.1X) - explained on page 660.
Procedure
1. Open Windows Server Active Directory Users and Computers.
2. Create a Group for the printer:
3. Create a user for the printer belonging to the aforementioned group with the same <username>
and <password> defined on the controller.
5. At the Dial-in tab, give access permission to 'Control access through NPS Network Policy'.
6. Configure a Network Policy, see Configure the Radius server for 'Username from domain' -
Network Policy on page 683
Configure the Radius server for 'Username from domain' - Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for
'Username from domain; PEAP with EAP-MSCHAPv2' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
4. Click on 'Next'.
5. In 'Specify Access Permission', select 'Access granted'.
6. Click on 'Next'.
8. Click on 'OK'.
10. Define the certificate the server will use (the certificate you imported into the controller)
11. Click on 'Add' in the window 'Edit Protected EAP Properties' and select the EAP Type 'EAP-MSCHAP v2'.
15. Keep the default values in the 'Configure Constraints' window and click on 'Next'.
The 'Configure Settings' window opens.
16. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Configure the Radius server for 'Printer name from domain (EAP-TLS or PEAP with EAP-TLS)'
Introduction
This procedure describes how to configure the Radius server for 'Printer name from domain;
EAP-TLS' and 'Printer name from domain; PEAP with EAP-TLS' (example on Windows Server
2016).
For more information about this port-based authentication method see Port-based authentication (IEEE 802.1X) - explained on page 660.
Procedure
1. Open Windows Server Active Directory Users and Computers.
2. Create a Group for the printer:
3. Create a computer for the printer with the computer name equal to the Subject Alternative Name (without the DNS suffix) you entered when creating the certificate request. See the step '... create a (client) certificate on the controller' in Configure the printer controller on page 674.
In this example, the Subject Alternative Name was 'cw3700.sns.ocegr.fr', so the computer name is 'cw3700'.
5. At the Dial-in tab, give 'Network Access Permission' to 'Control access through NPS Network
Policy'.
6. At the Attribute Editor tab, set the Attribute 'servicePrincipalName' with the syntax:
servicePrincipalName=host/<computername>.<domainsuffix>
Example: servicePrincipalName=host/cw3700.sns.ocegr.fr
Configure the Radius server for 'Printer name from domain; EAP-TLS' - Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for 'Printer
name from domain; EAP-TLS' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
2. Click on 'Add' in 'Specify Conditions' to add the group you defined before.
4. Click on 'Next'.
6. Click on 'Next'.
7. In 'Configure Authentication Methods', add 'Microsoft: Smart Card or other certificate'.
8. Click on 'OK'.
16. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Configure the Radius server for 'Printer name from domain; PEAP with EAP-TLS' - Network Policy
Introduction
This procedure describes how to configure the Network Policy on the Radius server for 'Printer
name from domain; PEAP with EAP-TLS' (example on Windows Server 2016).
Procedure
1. Create a Network Policy.
4. Click on 'Next'.
5. In 'Specify Access Permission', select 'Access granted'.
6. Click on 'Next'.
8. Click on 'OK'.
10. Define the certificate the server will use (the certificate you imported into the controller)
11. Click on 'Add' in the window 'Edit Protected EAP Properties' and select the EAP Type 'Smart Card
or other certificate'.
12. Click on 'Edit' to define the certificate which will be used as Server certificate (the certificate you
imported into the controller).
18. Keep the default values in the 'Configure Settings' window and click on 'Next'.
A window with the 'Network Policy' is displayed.
Result
The configuration is ready now. You can connect the printer to an IEEE802.1X network port on the
switch.
Troubleshoot
Introduction
As IEEE802.1X involves the printer, the switch, and the Radius Server, there are several tools for
troubleshooting.
3. On the switch
Generally:
• Some logging is present.
• Some switches have a test feature to check communication with the Radius server.
4. On the Radius Server
• Check the event viewer of Network Policy and Access Services.
Example of a network protocol capture with IEEE802.1X frames (PEAP with EAP-TLS):
Reminder: this tool tests the configuration only locally; it does not test the connection with the switch or the Radius server.
• Symptom: No communication with the Radius Server while the Printer sent its identity correctly to the Switch (seen with a network protocol analyser)
  Cause: Radius Server not correctly set
  Solution: Check the Radius Server name in Express WebTools (caution: it must contain at least one '*' character)
• Symptom: Event viewer NPAS (Radius server) mentions: 'No credentials are available in the security package.'
  Cause: Mismatch in the EAP type setting in Network Policy
  Solution: Check Network Policy (on the Network policy server), section 'Authentication methods' (see the relevant section corresponding to the Authentication method chosen)
• Symptom: Event viewer NPAS (Radius server) mentions: 'The specified user account does not exist.'
  Cause: User not defined (username or printer name)
  Solution: Check username or printer name on the controller; check username or printer name in Active Directory
• Symptom: Event viewer NPAS (Radius server) mentions: 'An Access-Request message was received from RADIUS client <IP address of radius client - the switch - configured on the Radius Server> with a Message-Authenticator attribute that is not valid.'
  Cause: Bad configuration of the Radius Client (on the Radius Server); secret mismatch between the switch and the Radius client
  Solution: Check the Radius client settings on the switch and on the Network policy server
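The identity-certificate requirements, the Radius server procedures and the troubleshooting table above all describe the same set of values that must agree across the controller, Active Directory and NPS. As an added example (not Canon's or Microsoft's code), the following Python puts those rules into a pre-flight check and reports each mismatch together with the NPAS event-viewer message the table associates with it. The configuration records are constructed; the printer name cw3700.sns.ocegr.fr is the guide's own example, while the CA name, the shared secret and the NPS type name 'Microsoft: Protected EAP (PEAP)' are assumptions.

```python
"""Pre-flight consistency check for an IEEE 802.1X deployment as described in
this chapter: controller settings, Active Directory objects, the NPS network
policy and the switch's RADIUS client.  Added example, not Canon's or Microsoft's
code.  All configuration records are constructed; the NPS type name
'Microsoft: Protected EAP (PEAP)' is assumed (the guide shows only the
'Edit Protected EAP Properties' dialog)."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Printer authentication method -> (NPS EAP type, inner EAP type inside PEAP)
NPS_EAP_FOR_METHOD: Dict[str, Tuple[str, Optional[str]]] = {
    "PEAP with EAP-MSCHAPv2": ("Microsoft: Protected EAP (PEAP)", "EAP-MSCHAP v2"),
    "PEAP with EAP-TLS": ("Microsoft: Protected EAP (PEAP)", "Smart Card or other certificate"),
    "EAP-TLS": ("Microsoft: Smart Card or other certificate", None),
}


@dataclass
class ControllerConfig:
    method: str                      # key of NPS_EAP_FOR_METHOD
    fqdn: str                        # DNS name of the printer
    identity_cert_san: List[str]     # SubjectAltName dNSName entries of the printer certificate
    trusted_certs: List[str]         # CAs imported under Security - Trusted certificates
    username: Optional[str] = None   # MS-CHAP v2 credentials (PEAP with EAP-MSCHAPv2 only)
    password: Optional[str] = None


@dataclass
class DirectoryConfig:
    computers: Dict[str, List[str]]  # computer name -> servicePrincipalName values
    users: List[str]                 # user accounts
    radius_server_ca: str            # CA that issued the RADIUS server certificate


@dataclass
class NpsConfig:
    eap_type: str                    # 'Configure Authentication Methods' entry
    inner_eap_type: Optional[str]    # EAP type added in 'Edit Protected EAP Properties'
    radius_client_secret: str        # shared secret of the RADIUS client (the switch)


@dataclass
class SwitchConfig:
    radius_secret: str               # shared secret configured on the switch


def check(ctrl: ControllerConfig, ad: DirectoryConfig, nps: NpsConfig,
          switch: SwitchConfig) -> List[str]:
    """Return a list of findings; an empty list means the four pieces agree.
    Where the troubleshooting table names the NPAS event-viewer message a
    mismatch produces, the finding quotes it."""
    if ctrl.method not in NPS_EAP_FOR_METHOD:
        return [f"unknown authentication method {ctrl.method!r}"]
    findings: List[str] = []

    # Every method: the controller must trust the CA of the RADIUS server,
    # otherwise step 3 of the exchange (authenticating the server) fails.
    if ad.radius_server_ca not in ctrl.trusted_certs:
        findings.append(f"RADIUS server CA {ad.radius_server_ca!r} is not in the "
                        "controller's trusted certificates")

    # The NPS network policy must offer the EAP type the printer uses; a mismatch
    # is reported as 'No credentials are available in the security package.'
    want = NPS_EAP_FOR_METHOD[ctrl.method]
    if (nps.eap_type, nps.inner_eap_type) != want:
        findings.append(f"NPS EAP type {nps.eap_type!r}/{nps.inner_eap_type!r} does not match "
                        f"{ctrl.method}; expected {want[0]!r}/{want[1]!r}")

    if ctrl.method == "PEAP with EAP-MSCHAPv2":
        # Password method: no client certificate, but the user must exist in AD.
        if not (ctrl.username and ctrl.password):
            findings.append("MS-CHAP v2 username/password not configured on the controller")
        elif ctrl.username not in ad.users:
            findings.append(f"user {ctrl.username!r} not found in Active Directory "
                            "('The specified user account does not exist.')")
    else:
        # Certificate methods: the SAN carries the FQDN, the AD computer name is
        # the host label and the SPN is host/<computername>.<domainsuffix>.
        san_lower = [n.lower() for n in ctrl.identity_cert_san]
        if ctrl.fqdn.lower() not in san_lower:
            findings.append(f"identity certificate SAN {ctrl.identity_cert_san} lacks the FQDN {ctrl.fqdn!r}")
        host = ctrl.fqdn.split(".", 1)[0]
        spns = ad.computers.get(host)
        if spns is None:
            findings.append(f"computer account {host!r} not found in Active Directory "
                            "('The specified user account does not exist.')")
        elif f"host/{ctrl.fqdn}" not in spns:
            findings.append(f"computer {host!r} lacks servicePrincipalName host/{ctrl.fqdn}")

    # The switch and the NPS RADIUS client must share the same secret; otherwise
    # NPS logs an Access-Request with a Message-Authenticator that is not valid.
    if nps.radius_client_secret != switch.radius_secret:
        findings.append("RADIUS shared secret differs between the switch and the NPS "
                        "RADIUS client ('Message-Authenticator attribute that is not valid')")
    return findings


# Constructed configuration following the 'Printer name from domain; PEAP with
# EAP-TLS' example (printer cw3700.sns.ocegr.fr as in the guide).
GOOD_CONTROLLER = ControllerConfig(
    method="PEAP with EAP-TLS",
    fqdn="cw3700.sns.ocegr.fr",
    identity_cert_san=["cw3700.sns.ocegr.fr"],
    trusted_certs=["Example Lab Root CA"],           # constructed CA name
)
GOOD_AD = DirectoryConfig(
    computers={"cw3700": ["host/cw3700.sns.ocegr.fr"]},
    users=[],
    radius_server_ca="Example Lab Root CA",
)
GOOD_NPS = NpsConfig("Microsoft: Protected EAP (PEAP)", "Smart Card or other certificate",
                     radius_client_secret="constructed-shared-secret")
GOOD_SWITCH = SwitchConfig(radius_secret="constructed-shared-secret")

if __name__ == "__main__":
    for finding in check(GOOD_CONTROLLER, GOOD_AD, GOOD_NPS, GOOD_SWITCH) or ["configuration consistent"]:
        print(finding)
```

Fill the four records from Express WebTools, Active Directory Users and Computers, the NPS network policy and the switch before plugging the printer into the 802.1X port; each finding maps to one row of the troubleshooting table, so the check can be run again whenever one of those rows appears in the event viewer.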
User access/LDAP authentication
Roles
Introduction
The 'User access' feature gives access to the Local User Interface as well as Express WebTools with different roles. Each role gives permission to edit and change some parameters.
Roles description
Four different roles exist in the product. Each of them has the ability to configure or modify some system settings.
The roles are:
• Key Operator:
The Key Operator can manage the jobs and the device settings.
• System Administrator
The System Administrator can manage the configuration settings, such as the network and
security settings.
• Power User
The Power User has both the rights of the Key operator and the System administrator.
• Service
This role is used exclusively by the Service technician.
Local users
These users are built in and cannot be changed. There are 4 local users:
• Key Operator (acting as Key Operator role)
• System Administrator (acting as System Administrator role)
• Power User (acting as Power User role)
• Service (acting as Service role)
NOTE
It is possible to disable one or more local users depending on the users and roles defined in
Domain users.
Domain users (LDAP authentication)
Introduction
This feature allows the IT manager to define which user (member of a domain) can log on to the
system with which role (Key Operator/ System Administrator/ Power User/ Service). It is valid for
Express WebTools as well as the Local User Interface.
This feature, called LDAP authentication, is based on the secure LDAP protocol and comes in 2 flavours:
• LDAP over Kerberos for Microsoft Windows environment
• LDAP over TLS mainly for non-Microsoft environment
Functional description
• On Server:
• The IT manager defines in each domain (several domains are possible):
• A domain group for System administrator role
• A domain group for Key Operator role
• A domain group for Power User role
• A domain group for Service role
• For each group, the IT manager defines which user (member of a domain) will belong to
which group
• On the Printer:
• The IT manager defines the aforementioned domain(s) by means of Express WebTools
• Any authorized user defined in a specific domain group can authenticate on Express WebTools
and the Local User Interface with the dedicated role.
Configure the Domain users (LDAP authentication over Kerberos)
Introduction
Perform the following steps to configure LDAP authentication over Kerberos.
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Security' - 'Domains' page.
3. Click 'Create new' to create a domain.
6. In LDAP settings,
• enter the LDAP group name(s) defined in the LDAP server.
Note: you can leave some fields empty.
• define the protocol type according to LDAP policy.
• Kerberos (in this section)
7. When the security policy requires it, set the advanced settings:
• 'Suffix for the User Principal Name (UPN)': if there is a custom suffix, select 'Custom' and enter
it (if there are several suffixes in the same domain, create as many domains as existing
suffixes).
• 'Locate LDAP server': enter the LDAP server name (Fully Qualified Domain Name) or IP address
and port number (if not automatically retrieved by the DNS server).
NOTE: for Kerberos, the port number is usually 389.
• 'LDAP attribute to display on the user panel': by default it is 'displayName', but another
attribute is possible.
• 'LDAP search filter': by default it is based on the user principal name
(userPrincipalName=(upn)), but it can be based on another attribute.
• 'LDAP search base': by default the complete LDAP database (defaultNamingContext attribute).
In case of several LDAP databases, it can be worthwhile for performance improvement to
indicate another LDAP search base (Custom LDAP search base).
8. When you click 'OK', a verification is performed and an error is displayed if the domain cannot
be created.
NOTE
It is always possible to save the configuration in case of failure and to edit it later on
(e.g. if changes must be performed on LDAP server).
Validate the configuration (Kerberos)
Introduction
After you have configured the domains, validate the configuration.
Procedure
1. Go to the 'Security' - 'Configuration' page.
2. Click on 'Validate the configuration of the user access mode'.
3. Select the domain name, enter a valid username and the associated password.
4. Click 'OK'.
A report is generated:
5. Check there is no red cross icon in the report. If there is a red cross, solve the issue or check the
solutions in the troubleshooting section. See Troubleshooting LDAP authentication over Kerberos
on page 263
Configure the Domain users (LDAP authentication over SSL)
Introduction
Perform the following steps to configure LDAP authentication over SSL.
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Security' - 'Domains' page.
3. Click 'Create new' to create a domain.
6. In LDAP settings,
• enter the LDAP group name(s) defined in the LDAP server.
Note: you can leave some fields empty.
• define the protocol type according to LDAP policy.
• SSL (in this section)
7. When the security policy requires it, set the advanced settings:
• 'Suffix for the User Principal Name (UPN)': if there is a custom suffix, select 'Custom' and enter
it (if there are several suffixes in the same domain, create as many domains as existing
suffixes).
• 'Locate LDAP server': enter the LDAP server name (Fully Qualified Domain Name) or IP address
and port number (if not automatically retrieved by the DNS server).
NOTE: for SSL, the port number is usually 636.
• 'LDAP attribute to display on the user panel': by default it is 'displayName', but another
attribute is possible.
• 'LDAP search filter': by default it is based on the user principal name
(userPrincipalName=(upn)), but it can be based on another attribute.
• 'LDAP search base': by default the complete LDAP database (defaultNamingContext attribute).
In case of several LDAP databases, it can be worthwhile for performance improvement to
indicate another LDAP search base (Custom LDAP search base).
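The 'LDAP search filter' and 'LDAP search base' settings above (identical in the Kerberos and the SSL procedures) decide which directory entry the printer looks up for a user name typed on the panel or in Express WebTools. The Python block below is an added example, not code from this guide or from the printer, of how such a filter is composed so that whatever is typed in the user name field is matched literally and cannot alter the filter's structure (RFC 4515 section 3 escaping). How the printer itself joins the user name and the UPN suffix is not stated in the guide; build_upn() is an assumption, and the domain, suffix and search bases are constructed values.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# Attribute description syntax (RFC 4512): a letter followed by letters, digits or hyphens
_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be matched, never reinterpreted as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_upn(user_name: str, upn_suffix: str) -> str:
    """Compose the User Principal Name for the typed user name.

    Assumption (not stated in the guide): a name typed without '@' is completed with
    the domain's UPN suffix; a name that already contains '@' is taken as a full UPN.
    """
    if not user_name:
        raise ValueError("empty user name")
    return user_name if "@" in user_name else f"{user_name}@{upn_suffix}"


def build_search_filter(upn: str, attribute: str = "userPrincipalName") -> str:
    """Default filter '(userPrincipalName=<upn>)'; another attribute may be configured."""
    if not _ATTRIBUTE_RE.fullmatch(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    return f"({attribute}={escape_filter_value(upn)})"


def search_base(default_naming_context: str, custom_base: str = "") -> str:
    """Default: the whole directory (defaultNamingContext); a custom base narrows the search."""
    return custom_base or default_naming_context


def demo() -> tuple:
    # Constructed sample domain (not a real deployment)
    suffix = "mycompany.example"
    plain = build_search_filter(build_upn("alice", suffix))
    # A user name containing filter metacharacters stays a literal value once escaped
    hostile = build_search_filter(build_upn("*)(objectClass=*", suffix))
    by_mail = build_search_filter(build_upn("alice", suffix), "mail")
    base = search_base("DC=mycompany,DC=example", "OU=Printing,DC=mycompany,DC=example")
    return plain, hostile, by_mail, base


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second value returned by demo() shows the point of escaping: without it, a user name such as `*)(objectClass=*` would become part of the filter syntax instead of a value to compare against. A custom search base (an OU that holds the printer operators) also shortens the search on large directories, which is the performance reason the guide gives for setting one.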
8. When you click 'OK', a verification is performed and an error is displayed if the domain cannot
be created.
NOTE
It is always possible to save the configuration in case of failure and to edit it later on
(e.g. if changes must be performed on LDAP server).
Configure the trusted certificates
When to do
After you have configured the domains for LDAP over SSL, you must configure the trusted
certificate chain: the LDAP server sends its complete certificate chain to the printer, and the
printer checks the validity of the certificates by checking all the Root and/or intermediate
certificates contained in that chain.
Procedure
1. Open the 'Security' - 'Trusted certificates' page.
2. Click 'Create new' to create one certificate for each of the root and intermediate certificates used
in the LDAP server certificate.
It is recommended to leave the field 'Forced URL of OCSP responder' empty as LDAP server
certificates must always be valid. Please check this with the IT administrator.
3. Repeat the creation operation for every root and intermediate certificate.
Validate the configuration (SSL)
Introduction
After you have configured the domains, validate the configuration.
Procedure
1. Go to the 'Security' - 'Configuration' page.
2. Click on 'Validate the configuration of the user access mode'.
3. Select the domain name, enter a valid username and the associated password.
4. Click 'OK'.
A report is generated:
5. Check there is no red cross icon in the report. If there is a red cross, solve the issue or check the
solutions in the troubleshooting section. See Troubleshooting LDAP authentication over SSL on
page 264
User access on the user panel
No domain configured
When a user wants to access the settings on the Local UI, the following window opens when
there is no domain configured:
When 'local users' is selected, you can select the local user according to the desired role.
When a domain is selected, the 'User name' field is empty. It is up to the user to enter his
username (the associated role has been set up by the IT administrator in the LDAP server).
NOTE
'Local users' may not appear, in case the local users are disabled.
User access with Express WebTools
No domain configured
When a user wants to access the settings with Express WebTools, the following window opens
when there is no domain configured:
When selecting the Domain 'Local Users', one or more of the 4 built-in users (Key operator,
System Administrator, Power User or Service) are available, and you can enter the password for
login.
NOTE
'Local users' may not appear, in case the local users are disabled.
Once logged in, a message mentioning the user has logged in is displayed on top right of the
screen:
When selecting a Domain that was previously configured, you have to enter the username which
has the appropriate role (as defined in the LDAP server).
Once logged in, a message mentioning the user has logged in is displayed on top right of the
screen:
Password policy
Disabling local user access
NOTE
A local user can be disabled ONLY if a valid domain user (with the same role) exists (in order to
avoid locking the settings access).
CAUTION:
Keep the domain users' passwords in a safe place. If you disable ALL local users and you cannot
log in as a Domain User for any reason (password lost), you will need to call Service to reinstall
the complete system.
Troubleshooting LDAP authentication over Kerberos
Introduction
Find below the list of possible causes of errors that can occur during the process of creating a
domain or when using the tool 'Validate the configuration of the user access mode'.
Troubleshooting LDAP authentication over SSL
Introduction
Find below the list of possible causes of errors that can occur during the process of creating a
domain or when using the tool 'Validate the configuration of the user access mode'.
Audit log
Introduction
All changes related to security settings are logged in the Audit log. They can be downloaded
and/or cleared.
SNMPv3: for CW9000 (2.1 and higher versions) and CW810/910 (1.5 and higher versions)
Introduction
SNMPv3 is a secure version of the SNMP protocol that provides user authentication and data
encryption.
SNMPv3 implementation
The current implementation of SNMPv3 offers user authentication only, to ensure the identity of
the user; this corresponds to the SNMP security level "Auth, NoPriv" in SNMP applications.
Encryption of the data transfer is not supported (the security level "Auth, Priv" is not supported).
For authentication, the authentication protocol is fixed to MD5 only.
SNMPv3 settings
You can access the SNMPv3 settings via the Settings Editor: section Preferences - Connectivity
- SNMP v3.
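What "Auth, NoPriv" with MD5 means on the wire is defined by the User-based Security Model (RFC 3414): the user's password is turned into a key, that key is localized with the agent's engine ID, and every message carries a 12-byte HMAC-MD5-96 tag; nothing is encrypted. The Python block below is an added example (not from this guide or from the printer's firmware) that implements those three steps with the standard library and checks them against the RFC's own test vector. The message bytes are a constructed stand-in for a BER-encoded SNMPv3 message, not a real encoding.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: Ku = MD5 of the password repeated to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.md5(stream).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 section 2.6: Kul = MD5(Ku || snmpEngineID || Ku).

    The agent's (here the printer's) engine ID goes in, so the same password yields
    a different key on every device and a key taken from one device is not reusable.
    """
    return hashlib.md5(ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes) -> bytes:
    """RFC 3414 section 6.3.1 (HMAC-MD5-96): 12-byte tag over the whole message,
    computed while msgAuthenticationParameters holds 12 zero bytes."""
    return hmac.new(kul, whole_msg, hashlib.md5).digest()[:12]


def is_authentic(kul: bytes, msg_with_zeroed_params: bytes, received_tag: bytes) -> bool:
    """Receiver side of authNoPriv: recompute the tag and compare in constant time."""
    return hmac.compare_digest(auth_parameters(kul, msg_with_zeroed_params), received_tag)


def demo() -> tuple:
    # RFC 3414 appendix A.3.1 test vector: password 'maplesyrup', engine ID 00..00 02
    ku = password_to_key_md5(b"maplesyrup")
    kul = localize_key(ku, bytes([0] * 11 + [2]))
    # Constructed stand-in for the encoded message (not real BER, just bytes); with
    # authNoPriv the scopedPDU travels in clear, only its origin and integrity are checked
    msg = (b"<msgGlobalData><msgSecurityParameters authParams=" + bytes(12)
           + b"><scopedPDU get sysName.0>")
    tag = auth_parameters(kul, msg)
    tampered = msg.replace(b"sysName.0", b"sysContact.0")
    return (ku.hex(), kul.hex(), is_authentic(kul, msg, tag), is_authentic(kul, tampered, tag))


if __name__ == "__main__":
    print(demo())
    # -> ('9faf3283884e92834ebc9847d8edd963', '526f5eed9fcce26f8964c2930787d82b', True, False)
```

The two hex strings returned by demo() are the intermediate and the localized key from RFC 3414 appendix A.3.1. Because the printer offers authNoPriv only, the scopedPDU (the OIDs and values being read or written) crosses the network unencrypted: HMAC-MD5-96 lets the receiver reject a forged or altered message but hides nothing, so the SNMPv3 user's password should be treated as a device credential and not reused elsewhere.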
Data security
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature that overwrites any user print data when it is
deleted from the system.
It prevents the recovery of deleted user data (file content and attributes).
A deleted job is a job that can no longer be retrieved from any user interface.
E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense
directive)
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35.
NOTE
The e-shredding feature has been designed to minimise the impact on global system
performance.
However, the more passes selected, the greater the impact on general performance.
It is recommended to minimise the number of passes when document production is required.
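To make the three behaviours concrete, here is an added Python example (not code from this guide or from the printer) of a multi-pass overwrite of a job file followed by removal of its name. The DOD 5220.22-M entry uses the commonly described 3-pass form (a byte, its complement, random); the Gutmann entry follows the guide's wording (35 random passes) rather than the original Gutmann pattern set; both are simplifications and labelled as such. The sample job content is constructed.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def passes_for(algorithm: str, custom_passes: int = 1) -> list:
    """Map the guide's three behaviours to a list of overwrite patterns (None = random)."""
    if algorithm == "DOD 5220.22-M":
        return [b"\x00", b"\xff", None]      # simplified 3-pass form: byte, complement, random
    if algorithm == "Gutmann":
        return [None] * 35                    # as the guide describes it: 35 passes of random data
    if algorithm == "Custom":
        if not 1 <= custom_passes <= 35:
            raise ValueError("custom pass count must be between 1 and 35")
        return [None] * custom_passes
    raise ValueError(f"unknown algorithm: {algorithm!r}")


def overwrite_file(path: str, patterns: list) -> int:
    """Overwrite the file's content in place once per pattern; returns bytes written in total."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push every pass to the device so the cache cannot merge them
    return written


def shred_file(path: str, algorithm: str = "DOD 5220.22-M", custom_passes: int = 1) -> int:
    """Overwrite the content, then hide the original name before unlinking (the 'attributes' part).
    Returns the number of passes performed."""
    patterns = passes_for(algorithm, custom_passes)
    overwrite_file(path, patterns)
    anonymous = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return len(patterns)


def demo() -> tuple:
    """Constructed sample job file: one zero pass inspected, then a full DoD-style shred."""
    with tempfile.TemporaryDirectory() as tmp:
        job = os.path.join(tmp, "print-job-0001.pdf")
        with open(job, "wb") as fh:
            fh.write(b"CONFIDENTIAL plan drawing " * 4000)   # about 100 KiB, constructed content
        overwrite_file(job, [b"\x00"])
        with open(job, "rb") as fh:
            after_one_pass = fh.read()
        zeroed = after_one_pass == bytes(len(after_one_pass))
        passes = shred_file(job, "DOD 5220.22-M")
        gone = not os.path.exists(job)
    return zeroed, passes, gone, len(passes_for("Custom", 7))


if __name__ == "__main__":
    print(demo())  # -> (True, 3, True, 7)
```

The fsync after each pass is what makes the pass count meaningful: without it the operating system may keep all passes in its write cache and commit only the last one. The guide's performance note follows directly from this, since every pass is a full synchronous rewrite of the file. On flash storage with wear levelling an in-place overwrite does not guarantee that the physical blocks holding the old data are reused, which is why the feature is presented as a property of the controller's own disk handling rather than something to assume for arbitrary media.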
Enable the e-shredding in Express WebTools
Procedure
1. In Express WebTools, open the 'Security' - 'Configuration' page and select the 'E-shredding'
section.
2. Click 'Edit.'
3. Check the 'E-shredding' box to enable the feature.
4. Select the algorithm.
Result
When the E-shredding feature is enabled:
• A new icon is added to the list of icons (bottom right) in the Express WebTools window:
• On the printer user panel, an indication is displayed in the System menu: 'E-shredding
enabled':
Each time data (file's content or attributes) is deleted from the system, the e-shredding process
occurs.
Once the e-shredding data process is complete, the status comes back to 'E-shredding ready' in
Express WebTools (roll over the icon).
E-shredding process and system behaviour
NOTE
When you enable the e-shredding feature, the 'Save received job data for Service' feature (in
Preferences - System defaults - In case of errors) is automatically disabled, to avoid any storage
of job data that would not be automatically deleted.
The first e-shredding pass is performed immediately after the job is deleted. Subsequent passes
are performed in background.
IPsec
IPsec presentation
Introduction
IPsec is a protocol that provides authentication, data confidentiality and integrity in the network
communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print data on the
network.
You can connect up to 5 IPsec stations to the print system.
Illustration
NOTE
The following IPsec parameters cannot be changed:
• IKE Diffie-Hellman group: 2 then 1
• IKE SA lifetime: 28800 s
• IKE security method: 3DES then MD5
• IKE hash: SHA1 then MD5
• ESP encryption: 3DES then DES
• ESP hash: SHA1 then MD5 then None
• AH hash: SHA1 then MD5
• Encapsulation type: Transport
• Protocol SA lifetime: 3600 s
Configure the IPsec settings in the controller
Procedure
1. Open a web browser and enter the system URL: https://<hostname>, to open Express WebTools.
2. Open the 'Security' - 'Configuration' page.
3. In the 'Access control' section, click on the general 'Edit':
6. Enter the IPsec preshared key or keep it empty to use the default preshared key. The 'IPsec default
preshared key' setting is available at the bottom of the 'Access control' section.
• 256 characters maximum
• Any MS character
NOTE
Write down this preshared key. It will be required during the IPsec configuration on the
workstation.
7. Click 'OK'.
Note: The settings are applied as soon as 'OK' is validated (and before the restart). You may lose
the remote connection to the system when your workstation is not part of the configured stations.
8. Restart the controller
Result
The IPsec settings are configured on the controller for a connection to a workstation.
Configure the IPsec settings on a workstation or a print server
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with Administrator rights.
Procedure
Complete the IPsec configuration for a secure connection between the printer system and a
workstation.
On the workstation, perform the following 7 actions:
1. Add the security snap-in
2. Create the security policy
3. Create the filter list
4. Define the filter actions and security negotiation
5. Define the security rule
6. Assign the security policy
7. Customize the IPsec settings
NOTE
The procedure below shows the configuration steps on Windows Server 2008 for a ColorWave
300 system.
The procedure is similar on other Operating Systems and for other PlotWave/ColorWave
printers.
Procedure
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
Add the security snap-in
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
Create the security policy
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security
Policy'
Create the filter list
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter
lists and filter actions…'
Define the filter actions and security negotiation
Procedure
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.
2. Click 'Next'
Define the security rule
'Data and address integrity without encryption (AH)' setting is not mandatory.
8. Click 'OK' and 'Next', then 'Finish'
Procedure
1. In the console, right click on the IP security policy just created and select 'Properties' to open the
wizard
(On Windows 7, a new window opens: check that "Use Add Wizard" is checked, then click on
"Add")
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange
(preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the
controller on page 138), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the Security rule
Assign the security policy
Procedure
1. In the console, right click on the security policy just created and select 'Assign'
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec
station to the printer/scanner controller
Procedure
1. In the Control panel select 'Windows Firewall' - 'Advanced settings' to open the 'Windows
Firewall with Advanced Security' window
2. In the 'Actions' section on the right hand side, click on 'Windows Firewall with Advanced Security
on Local Computer' to expand the menu
3. Select 'Properties'
Customize the IPsec settings
4. In the 'IPsec Settings' tab, click on the 'Customize...' button of the 'IPsec defaults'
5. In the 'Data protection (Quick Mode)' select 'Advanced' and click on 'Customize...'
6. Check the 'Require encryption for all connection security rules that use these settings.' box
Remove your workstation from the IPsec/Access control configuration when it must not remain in
the list of connected stations.
For all other printers
When the test works properly, it is recommended to disable the 'Failsafe mode' on the printer/
scanner controller, so that only the IPsec stations are allowed to communicate with the printer/
scanner system.
Troubleshooting: Disable 'Access control' and IPsec
Introduction
In the following case:
• Access control and IPsec have been enabled without any station defined,
and
• the communication between the controller and the host stations fails,
any remote connection to Express WebTools is impossible and the system is unreachable.
Then, use the emergency procedure to disable IPsec and Access control via the printer user
panel.
Procedure
1. On the user panel, tap 'System settings' in the 'System' menu.
2. Select 'Security'.
Result
Access control and IPsec functions are disabled.
After the restart, you will be able to remotely open Express WebTools from any workstation
(HTTP).
HTTPS
Encrypt print data and manage the system configuration using HTTPS
Introduction
In the PlotWave/ColorWave systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Publisher Express
- securely manage the configuration of the system through Express WebTools
Certificates are used to check the identity of the workstations and controller during the
communication.
The HTTPS protocol is always available.
All settings and options available through HTTP are also available through HTTPS.
Use the self-signed certificate with Internet Explorer
Procedure
1. On a workstation, type the URL address of the printer in Internet Explorer: https://[printer
hostname or Printer IP address].
A warning window opens:
7. Choose either 'Current User' or 'Local Machine' (check with your IT department) and click on
'Next'.
8. Select 'Place all certificates in the following store' and click on 'Browse...'.
Before the import or when the import fails, the certificate status will look like:
13. In the Security section, uncheck the option 'Warn about certificate address mismatch':
14. Click on 'Apply' and then on 'OK', and close all instances of Internet Explorer.
15. Restart the browser and type the URL of the printer in Internet Explorer (https://[printer hostname
or Printer IP address]).
Result
The padlock is displayed on the address bar. The self-signed certificate guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network
Use the self-signed certificate with Mozilla Firefox
Procedure
1. On a workstation, type the URL address of the printer in Mozilla Firefox: https://[printer hostname
or Printer IP address].
A warning window opens:
2. Select 'Advanced'.
Request and import a CA-signed certificate
Introduction
By default the first certificate delivered for the use of HTTPS is the self-signed certificate of the
printer.
To ensure a fully trusted authentication, you can request and import a certificate delivered by a
Certification Authority (CA-signed certificate).
Step Description
A1- Back up the current certificate and private key (if any)
  The current certificate can be:
  • the self-signed certificate of the printer
  • a CA-signed certificate (delivered by a Certification Authority) you previously installed
  See Back up a certificate and private key on page 347.
A2- Generate the certificate request
  Make this step when you want to request and install a CA-signed certificate.
  During the creation of the request, a new private key is created.
  See Generate a CA-signed certificate on page 348.
A3- Save the content of the certificate request
  Send this content to the Certification Authority to request a (CA-signed) certificate.
  The Certification Authority will check the request and reply.
  - If the request is valid, go to step A4
  - If the request is not valid, make a new request (A2) according to the remarks/corrections
  suggested by the CA request feedback
A4- Restart the controller
A5- Back up the private key
  Save a backup of the private key associated with the certificate you will receive.
  See Back up a certificate and private key on page 347.
Step Description
B1- Save and store the new CA-signed certificate
  Save the CA-signed certificate you received from the Certification Authority.
B2- Import the new CA-signed certificate into the controller
  Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates).
  See Import a CA signed certificate on page 349.
B3- Restart the controller
B4- Import the Root certificate into the web browsers of the workstations
  The Root certificate identifies the Certification Authority. By default, the web browsers
  contain a list of well-known and trusted Root certificates.
  In case the Root certificate of the Certification Authority is not in this list, install the CA
  Root certificate in the 'Trusted Root certificates' list of the web browser, on each
  workstation.
  See Check and import the root certificate on page 350.
B5- Back up the certificate and private key
  Back up and store the certificate and the private key.
  Note: It is highly recommended to back up the CA-signed certificate and the private key
  since they are not saved in any system backup.
  See Back up a certificate and private key on page 347.
Other procedures
Procedure When to do
Restore a certificate and a private key
  You can restore the certificate and the private key at any moment, in case of need.
  See Restore a certificate on page 351.
Reset the current certificate
  You can reset the certificate after a certificate request or at any moment when you want to
  restore a self-signed certificate.
  This procedure creates a new self-signed certificate.
  See Reset a certificate on page 351.
Back up a certificate and a private key
When to do
You must back up the certificate and private key:
• BEFORE the generation of a certificate request (step A1 of the HTTPS Description of the overall
procedure on page 346):
To save your current certificate and private key.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. Log on as the printer system administrator
3. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Backup
certificate and private key]
4. To save the server certificate and private key, enter a password made of 6 characters at least
([Password used to encrypt the private key])
5. Confirm the password
6. Click 'Save'
7. Download and store the backup file (.jks).
Generate a CA-signed certificate request
Purpose
Create a certificate request.
Use this function only when you want to request a new CA-certificate.
Pre-requisites
Back up the current Certificate and Private key already installed on the controller (see Back up a
certificate and private key on page 347).
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Generate a
certificate request'
3. Fill out the form with the requested information
NOTE
Attention: In the certificate request:
• The Common name MUST be the hostname or the Fully Qualified Domain Name
(FQDN) of the printer (e.g. 'ColorWave700' or 'ColorWave700.mycompany.com').
This Common Name will be used in the URL (e.g. 'https://[CommonName]').
• The country name MUST follow the ISO 3166 standard and be composed of 2
characters (e.g. 'us' for United States)
4. Click 'Generate'.
Result
The web server generates a certificate request. The content of the request is displayed (plain
text).
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvDCCASQAwfDELMAkGA1UEBMCRlIxDDAKBgNVBAgTA0lERjEQMA4GA1UEBxMHQ1JFVEVJ
TDEBEGA1UEChMKT2NlIFBMVCBTQTEMMAoGA1UECxMDU05TMSowKAYDVQQDEyF0ZHM3MDAtNzQw
LnNucy5vY2VjcmV0WlsLm9jZS5uZwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2NKQMd
HjiDZ1khzTJTORxHqjKl3AtE3PXqRsiHouTH5JTceYtaBjCnxCJ4pGKY5iKN8KJiJuZG8PHxY7o
W/+zpvxN2VtX7TcyTAvyCThUwL+cqo75tvODo5HMCUa2sLdl8GO9WMLpgZkxH5KzIiO+LcI4
yQbqhENynywS0C2ObXCq3yksF74+XIO0swhoA2yfDp4T+LuF3wxys8lUH3ZhhkOYg=-
-----END NEW CERTIFICATE REQUEST-----
Save and send the request
When to do
NOTE
Step A3 of the HTTPS Description of the overall procedure on page 346.
Procedure
1. Copy and paste the content of the request in a .csr file (named 'certificate_request.csr' by default)
2. Send the content of this request to the Certification Authority.
Procedure
1. In a web browser, open Express WebTools (https://[IP address or hostname]).
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select 'Import CA-
signed certificate'.
3. Select [Root certificate].
4. Browse to the Root certificate file and click [Import].
NOTE
The Root certificate may already exist in the web server certificates list.
Import the [Intermediate certificate]
Procedure
1. Select [Intermediate certificate]
2. Browse to the Intermediate certificate file and click [Import]
3. When the message [Certificate successfully imported.] pops up, go back to the main page to
import the [CA-signed certificate]
Procedure
1. Select [CA-signed certificate]
2. Browse to the certificate file
3. Select 'Yes' to validate the certificate against Java root certificates and click 'Import'
4. When the message [Certificate successfully imported.] pops up, restart the controller.
Result
The certificate is now installed on the server.
Check, and import if needed, the CA Root certificate into the workstations' web browser as well.
That secures the complete data workflow between the workstations and the server.
Check and import the [Root certificate] into the workstations browser
When to do
NOTE
Step B4 of the HTTPS Description of the overall procedure on page 346.
Procedure
1. On each workstation, open the web browser
2. In the Tools - Internet Options - Content window, open 'Certificates'
3. Check if the CA [Root certificate] is already displayed in the 'Trusted Root Certification
Authorities' list
4. If it is not in the list, import the CA Root certificate.
Restore a certificate and a private key
When to do
You can restore the certificate and the private key at any moment, in case of need.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Restore
certificate and private key]
3. Browse to the backup file
4. Enter the password of the backup file
5. Click 'Restore'
6. A dialog box opens: [This action will overwrite the current certificate. Continue?]
Click 'OK'
7. When the key and the certificate are successfully restored, restart the controller.
Purpose
This procedure creates a new self-signed certificate.
When to do
You can reset the certificate after a certificate request or at any moment when you want to restore
a self-signed certificate.
NOTE
Prefer restoring the original self-signed certificate (this requires a preliminary backup of
the original self-signed certificate; see Back up a certificate and private key on page 347):
each 'Reset certificate' action generates a new self-signed certificate (with a new private and
public key), so each time you reset the certificate, you must import the new certificate into the
web browser.
Procedure
1. In a web browser, open Express WebTools (http(s)://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page or the 'Security' - 'Printer certificates' page, select [Reset
certificate]
3. Click the 'Reset' button
4. When the reset is successful ([Certificate successfully reset]), restart the controller
Result
A new self-signed certificate has been generated on the controller.
Configure your web browser to use it (see Use the self-signed certificate with Internet Explorer on
page 68)
TLSv1.2 / Strong cipher
Cipher algorithms
• When the setting 'Less strong cipher suites allowed' is set to 'No', the following weak ciphers
are NOT used:
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA
• The strong available ciphers are:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
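An added example, not part of the Canon guide, for checking a controller against the cipher policy above: it reproduces the guide's two suite lists, classifies any suite name by the property that separates them (an assumption: the weak list is exactly the static-RSA key-exchange suites, the strong list exactly the DHE/ECDHE suites), and probes whether a controller still completes a TLS 1.2 handshake when offered only static-RSA suites. The host name passed to the probe is a placeholder, not a value from the guide.

```python
"""Added example, not from the Canon guide: audit a controller's TLS cipher
policy against the 'Less strong cipher suites allowed' = 'No' rule."""
import socket
import ssl

# Suite lists reproduced from the guide.
WEAK_SUITES = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
STRONG_SUITES = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
}

def is_strong(suite: str) -> bool:
    """Assumption: the lists differ by key exchange. Weak suites use static RSA
    (no forward secrecy); strong suites use ephemeral (EC)DHE."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))

def policy_matches_guide() -> bool:
    """The rule must reproduce the guide's two lists exactly."""
    return (all(not is_strong(s) for s in WEAK_SUITES)
            and all(is_strong(s) for s in STRONG_SUITES))

def accepts_static_rsa(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Offer only static-RSA suites over TLS 1.2; a completed handshake means
    weak suites are still enabled. Verification is off: this probes cipher
    negotiation, not server identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("kRSA")  # OpenSSL keyword: static RSA key exchange only
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher() is not None
    except (ssl.SSLError, OSError):
        return False
```

After setting 'Less strong cipher suites allowed' to 'No' and restarting the controller, `accepts_static_rsa("<printer hostname>")` should return False; True means the weak suites are still negotiable.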
HTTPS recommendations for Certificate creation
Data protection for template export
Procedure
1. In a web browser, enter the URL or IP address of the printer to open Express WebTools.
2. Open the 'Preferences' - 'Connectivity' page.
3. Go to the 'Passwords' section and define the 'Password encryption key'.
NOTE
To import a template, the 'Password encryption key' on the printer where the template is
imported MUST be the SAME as the 'Password encryption key' that was used to export the
template; otherwise the import of the template fails.
Index
I
IPsec
Controller configuration...49, 98, 138, 321, 381, 416, 580, 744
Express WebTools settings.... 48, 97, 137, 320, 381, 415, 579, 743
R
Remote Patch....................................................32, 83
Roles.......... 41, 90, 127, 243, 374, 409, 504, 629, 714
S
Scan to Home............................................... 355, 614
Scan to USB
Neutralize....................................................65, 66
Security................................................................... 37
Security levels
Available applications.... 27, 78, 117, 176, 364, 399, 437, 621, 649
Available protocols...27, 78, 117, 176, 364, 399, 437, 621, 649
Ports............................................................ 27, 78
Presentation................................................35, 86
Security policy........................................................ 12
Service operations........................................265, 524
Smart Inbox............ 76, 113, 171, 358, 397, 431, 617
Smart Inbox management .. 76, 113, 171, 358, 397, 431, 617
Support
Downloads........................................................14
Manuals............................................................ 14
Printer drivers...................................................14
U
USB direct print
Disabled.................... 65, 170, 357, 396, 430, 616
User authentication...................................... 275, 534
Contactless card..................................... 293, 552
Smart card.............................................. 286, 545
Troubleshooting.....................................307, 566
User name/ password............................298, 557
Workflow.................................................282, 541
W
Whitelisting................................................... 273, 532
Wizard: Security......................................................35
Canon Inc.
canon.com