YSoft SafeQ 6 Build 50 Documentation

YSOFT SAFEQ 6
DOCUMENTATION
THE SETUP, SERVICE, AND FUNCTIONS
OF THE YSOFT SAFEQ 6
Y SOFT SAFEQ 6 DOCUMENTATION WWW.YSOFT.COM

CONTENT
1 YSoft SafeQ Build 50 24

2 About YSoft SafeQ 6 25
2.1 What is YSoft SafeQ 6? 25
2.1.1 A Workflow Solutions Platform 25
2.1.2 Suites and Modules 25
2.2 Architecture Overview 26
2.2.1 Component overview 26
2.2.2 Network Communication 27
2.2.2.1 Security configuration 27
2.2.2.2 Firewall Configuration Best Practices 27
2.2.2.3 Bandwidth and Latency 28
2.2.2.4 Network communication overview 28
2.3 Early Access Program 45
2.3.1 What is Early Access Program? 45
2.3.2 How can I join the Early Access Program? 46
2.3.3 What if? 46
2.4 Feature Overview 46
2.4.1 Accounting 46
2.4.1.1 Overview 46
2.4.1.2 Online Accounting 47
2.4.1.3 Offline Accounting 49
2.4.1.4 Device Dependent Accounting 50
2.4.1.5 Price Lists 56
2.4.2 Billing Codes - project tracking 59
2.4.3 Card and PIN Management 59
2.4.3.1 Overview 59
2.4.3.2 Required Access Rights for Managing PIN and Card Activation Codes and Cards 59
2.4.3.3 PIN (Personal Identification Number) 59
2.4.3.4 Card Numbers 61
2.4.3.5 Card Activation Code 61
2.4.4 Embedded Terminals 63
2.4.4.1 About Embedded Terminals 63
2.4.4.2 YSoft SafeQ 6 Embedded Terminal Overview 63
2.4.4.3 Fax access restrictions support 65
2.4.4.4 Showing Personal and Virtual Balance 65
2.4.5 Enhanced Password Protection 67
2.4.5.1 Encryption of passwords in database and configuration files 67
2.4.5.2 Protecting the key 69
2.4.5.3 Key management 70
2.4.5.4 Using enhanced password protection with Management cluster 70
2.4.5.5 Technical details of protection 71
2.4.5.6 Terminology table 71
2.4.5.7 Enhanced Password Protection - Troubleshooting 72
2.4.5.8 Password Protection Tool Manual 74
2.4.5.9 Setup and Configuration of the Enhanced Password Protection 79
2.4.6 External Terminals 86
2.4.6.1 Hardware terminals 86
2.4.6.2 Comments and limitations 87
2.4.6.3 External Terminal Authentication Matrix 87
2.4.6.4 Terminal monitoring via SNMP 88
2.4.6.5 Terminal Professional specification 92
2.4.6.6 Terminal UltraLight specification 93
2.4.7 Identity Management 93
2.4.7.1 Overview 93
2.4.7.2 Adding Identities (users) to YSoft SafeQ 6 94
2.4.7.3 Add Users with Web Administration 94
2.4.7.4 Import Users with LDAP User Replicator 94
2.4.7.5 Import Users via the CSV File User Replicator 95
2.4.8 Managed Workflows 95
2.4.8.1 Overview 95
2.4.8.2 Core Workflows 96
2.4.8.3 Advanced Workflows 97
2.4.8.4 Technical Notes 98
2.4.9 Mobile Print 98
2.4.9.1 Mobile Print overview 98
2.4.10 Print Roaming 99
2.4.10.1 Overview 99
2.4.10.2 Description 99
2.4.10.3 Dependencies / Non-functional Requirements 100
2.4.10.4 Caveats and Limitations 101
2.4.10.5 Client Based Print Roaming 102
2.4.10.6 Universal Print Driver 106
2.4.10.7 VPSX - Print Management Connector Integration 108
2.4.11 Reporting 110
2.4.11.1 Web Reports Overview 110
2.4.11.2 Management Reports Overview 110
2.4.11.3 Counter Reports Overview 110
2.4.11.4 Green (Purged Pages) Reports Overview 111
2.4.11.5 Terminal Access Reports Overview 111
2.4.12 Rule-Based Engine 112
2.4.12.1 Rule-Based Engine Overview 112
2.4.12.2 How Rules Work 113
2.4.12.3 How Triggers Work 113
2.4.12.4 Conditions for Actions or Notifications 114
2.4.12.5 Actions - Force Duplex Printing and More 114
2.4.12.6 Notifications 115
2.4.13 YSoft be3D eDee 115
2.4.13.1 Overview 115
2.4.14 YSoft Payment System 115
2.4.14.1 Overview 115
2.4.14.2 Paying for Print/Copy/Scan Services 116
2.4.14.3 Quotas 116
2.4.15 YSoft SafeQ Mobile Integration Gateway 117
2.4.15.1 Overview 117
2.4.15.2 Licensing 117
2.4.15.3 Technical Overview 117
2.4.15.4 References 118
2.4.16 YSoft SafeQ Mobile Terminal 119
2.4.16.1 YSoft SafeQ Mobile Terminal Overview 119
2.4.17 YSoft SafeQ Client v3 119
2.4.17.1 Feature comparison and overview 121
2.4.17.2 Basic Architecture 125
2.4.17.3 Deployment instructions 128
2.4.17.4 Configuration 145
2.4.17.5 Troubleshooting 159
2.4.17.6 Features 163
2.4.17.7 Limitations 176
2.4.18 YSoft SafeQ Universal Print Connector 177
2.4.18.1 Architecture 177
2.4.18.2 UP Connector Deployment 179
2.4.18.3 Configuration and logs 184
2.4.18.4 Troubleshooting UP Connector service 185
2.4.18.5 Import users from Azure Active Directory - Azure AD 186
2.4.18.6 UP Connector Known Issues and Limitations 188
2.4.19 YSoft SafeQ USB Card Readers 188
2.4.19.1 YSoft SafeQ USB Card Reader v2 189
2.5 Licensing 190
2.5.1 License Model Overview 190
2.5.2 Types of YSoft SafeQ 6 License 190
2.5.3 Suite Overview 191
2.5.3.1 YSoft SafeQ Enterprise Suite 191
2.5.3.2 YSoft SafeQ Print Management Suite 191
2.5.3.3 YSoft SafeQ Workflow Suite 192
2.5.3.4 YSoft SafeQ Print Management Suite LD 192
2.5.4 Module Overview 193
2.5.4.1 Authentication 193
2.5.4.2 Rule-based Engine 193
2.5.4.3 Print Roaming 193
2.5.4.4 Mobile Print 193
2.5.4.5 Core Workflows 193
2.5.4.6 Advanced Workflows 194
2.5.4.7 Credit and Billing 194
2.5.4.8 Reporting 194
2.5.5 License Consumption 198
2.5.6 Subscription Licensing 198
2.5.6.1 How to set up subscription licensing: 199
2.5.7 General License Data 199
2.5.8 License expiration 199
2.5.9 Multitenancy Licensing 199
2.6 Product Lifecycle 200
2.6.1 YSoft SafeQ 201
2.6.2 New Accessories 201
2.6.3 Legacy Accessories 202
2.7 Security Overview 204
2.7.1 Communication Paths 205
2.7.2 Data security options 206
2.7.3 TLS Based Data encryption 207
2.7.4 Authentication 208
2.7.4.1 Password storage 209
2.7.5 Authorization model 209
2.7.6 Impact to system response speed 209
2.7.7 Internal System Audit log 209
2.7.8 Data Storage Methods and Access to the System 210
2.7.9 Used technologies 210
2.7.10 Additional notes 210
2.7.11 LDAP Integration Security 211
2.7.11.1 Introduction to LDAP Directory Services 211
2.7.11.2 YSoft SafeQ LDAP Replication 211
2.7.11.3 YSoft SafeQ 6 LDAP Replication Concerns 212
2.7.11.4 Recommended Configuration 213
2.7.11.5 Securing LDAP via SSL/TLS 214
2.7.12 Personal User Information in YSoft SafeQ 6 214
2.7.12.1 Personal User Information in YSoft SafeQ 6 214
2.8 Supported Languages 218
2.8.1 YSoft SafeQ 6 Localization 218
3 Release Notes 219
3.1 YSoft SafeQ 6 - Release Notes Build 50 219
3.1.1 New Features 219
3.1.1.1 YSoft SAFEQ Client v3: Emergency print 219
3.1.1.2 YSoft SafeQ Client v3: Authentication option - STORED_USERNAME 219
3.1.1.3 YSoft SafeQ Client v3: Print job notifications on embedded terminal when CBPR job is not
available 220
3.1.2 Fixes and Improvements 220
3.1.2.1 Client Application and Terminals 220
3.1.2.2 Installation and Administration 221
3.1.2.3 Product extensions (formerly known as customizations) 221
3.2 Release Notes - Archive 222
3.2.1 YSoft SafeQ 6 Fall 2020 Release - Release Notes Build 49 222
3.2.1.1 New Features 222
3.2.1.2 Fixes and Improvements 224
3.2.2 YSoft SafeQ 6 - Release Notes Build 48 225
3.2.2.1 Infrastructure and other changes 225
3.2.3.1 Limited Device List Extended 227
3.2.4 YSoft SafeQ 6 Summer 2020 Release - Release Notes Build 46 230
3.2.7 YSoft SafeQ 6 Spring 2020 Release - Release Notes Build 43 234
3.2.8.1 Automated Scan Workflows 238
3.2.8.2 IPP Testing Tool 239
3.2.8.3 Far Roaming 240
3.2.8.4 Cluster Licensing 240
3.2.10 YSoft SafeQ 6 Winter 2020 Release - Release Notes Build 40 245
3.2.10.1 New Product and New Features 245
3.2.12.1 Infrastructure changes 251
3.2.13 YSoft SafeQ 6 Fall 2019 Release - Release Notes Build 37 254
3.2.14.2 Known Limitations 259
3.2.15.1 Infrastructure changes 263
3.2.16 YSoft SafeQ 6 Summer 2019 Release - Release Notes Build 34 269
3.2.16.1 New Product, New Features 269
3.2.19 YSoft SafeQ 6 - Release Notes MU31 292
3.2.19.1 New Features and Benefits 292
3.2.20 YSoft SafeQ 6 - Release Notes MU30 299
3.2.21 YSoft SafeQ 6 MU29 - Release Notes 307
3.2.29.2 Highlighted Improvements 370
3.2.30.2 Fixes and General Improvements in MU20 379
3.2.33.2 Early Access Program 397
3.2.33.3 Additional Releases 397
3.2.33.4 Fixes and Improvements in MU17 398
3.2.34.2 Additional Releases 406
3.2.39.3 Outlook 444
3.2.40.3 Outlook 449
3.2.43 YSoft SafeQ 6 MU7 - Release notes 464
3.2.44.1 Release Notes 470
3.2.49.1 Release notes 499
3.2.50 YSoft SafeQ 6 GA - Release notes 503
3.2.50.1 Release notes 503
3.2.50.2 Known limitations 504
3.3 YSoft SafeQ 6 - Known Limitations 507
3.3.1 Installation and deployment 507
3.3.2 Accounting and reporting 508
3.3.3 Management interface 508
3.3.4 Embedded, External and Mobile Terminals 508
3.3.5 Printing and print processing 510
3.3.6 Scan Workflows 511
3.3.7 Printing through Mobile Print Server 511
3.3.8 YSoft SafeQube 2 511
4 User Guides 512
4.1 Quick Guide for Users 512
4.1.1 Embedded and External Terminals 512
4.1.2 Mobile Terminal 513
4.1.3 YSoft SafeQ Management Interface for Users 513
4.1.3.1 YSoft SafeQ Management Interface for Users 513
4.1.3.2 Job List 514
4.1.3.3 Manage Selected Print Jobs 514
4.1.3.4 Job List - Filtering Specific Jobs 515
4.1.3.5 Job List - Filtering Specific Jobs (Advanced) 516
4.1.3.6 Display Individual Job details, Preview, Requeue, or Delete 516
4.1.3.7 Change Your Access Credentials 516
4.1.3.8 Choose Your Default Billing (Project, Matter) Code 518
4.1.3.9 Other Widgets 518
4.1.3.10 Logging Out from YSoft SafeQ Management Interface for Users 519
4.2 Software - User Guides 519
4.2.1 Using Mopria Print Service on Android Device 519
4.2.1.1 Prerequisites 520
4.2.1.2 Enabling Mopria Print Service on Android 521
4.2.2 Using the Cash Desk Web Interface 523
4.2.2.2 Types of Cash Desks 523
4.2.2.3 Logging In/Logging Out 523
4.2.2.4 Operating Cash Desks 525
4.2.2.5 Operating Customer Accounts 530
4.2.3 Using the YSoft SafeQ Desktop Interface 537
4.2.3.1 Printing with the YSoft SafeQ Desktop Interface 537
4.2.3.2 The Desktop Interface Tray Icon and Its Options 542
4.2.3.3 Direct Queues Deployment 544
4.2.3.4 Offline Print 544
4.2.3.5 Sending 3D Jobs via FlexiSpooler 546
4.2.3.6 Possible Printing Issues 547
4.2.4 Using the YSoft SafeQ End User Interface 547
4.2.4.2 Logging In 547
4.2.4.3 User Profile 548
4.2.4.4 Dashboard 549
4.2.4.5 Upload Job 551
4.2.4.6 Payment 553
4.2.4.7 Account Connection 559
4.2.4.8 Related Documentation 560
4.2.5 Using YSoft SafeQ Mobile Integration Gateway to Print from iOS or OS X 560
4.2.5.1 Send a Print Job to a Secure Queue on Devices with a Mac OS X Operating System 560
4.3 Terminals - User Guides 564
4.3.1 Using YSoft Payment Machine terminal 564
4.3.1.1 Recharging account using YSoft Payment Machine 564
4.3.2 Using YSoft SafeQ Embedded Terminals 567
4.3.2.1 Using YSoft SafeQ Embedded Terminal for Brother 567
4.3.2.2 Using YSoft SafeQ Embedded Terminal for Epson 580
4.3.2.3 Using YSoft SafeQ Embedded Terminal for Fuji Xerox - 1st Gen. 608
4.3.2.4 Using YSoft SafeQ Embedded Terminal for Fuji Xerox - 2nd Gen. 636
4.3.2.5 Using YSoft SafeQ Embedded Terminal for Fuji Xerox XCP - 1st Gen. 670
4.3.2.6 Using YSoft SafeQ Embedded Terminal for HP 697
4.3.2.7 Using YSoft SafeQ Embedded Terminal for Konica Minolta - 1st Gen. 725
4.3.2.8 Using YSoft SafeQ Embedded Terminal for Konica Minolta - 2nd Gen. 755
4.3.2.9 Using YSoft SafeQ Embedded Terminal for Konica Minolta Native 791
4.3.2.10 Using YSoft SafeQ Embedded Terminal for Lexmark 824
4.3.2.11 Using YSoft SafeQ Embedded Terminal for OKI 843
4.3.2.12 Using YSoft SafeQ Embedded Terminal for OKI sXP2 861
4.3.2.13 Using YSoft SafeQ Embedded Terminal for Ricoh 879
4.3.2.14 Using YSoft SafeQ Embedded Terminal for Samsung 905
4.3.2.15 Using YSoft SafeQ Embedded Terminal for Sharp 924
4.3.2.16 Using YSoft SafeQ Embedded Terminal for Toshiba 953
4.3.2.17 Using YSoft SafeQ Embedded Terminal for Xerox - 1st Gen. 972
4.3.2.18 Using YSoft SafeQ Embedded Terminal for Xerox - 2nd Gen. 1003
4.3.2.19 Using YSoft SafeQ Embedded Terminal for Sharp - 2nd Gen. 1033
4.3.2.20 Using YSoft SafeQ Embedded Terminal for Ricoh SOP - 2nd Gen. 1071
4.3.2.21 Using YSoft SafeQ Embedded Terminal for Sharp-eSF 1099
4.3.3 Using YSoft SafeQ Mobile Terminal 1120
4.3.3.1 Using YSoft SafeQ Mobile Terminal for Android 1120
4.3.3.2 Using YSoft SafeQ Mobile Terminal for iOS 1132
4.3.3.3 Using YSoft SafeQ Mobile Terminal for Windows 1144
4.3.4 Using YSoft Terminal Pro 4 1153
4.3.4.1 Accessing and Logging In and Logging Out at a Terminal Pro 4 1153
4.3.4.2 Activating a New ID Card at a Terminal Pro 4 1157
4.3.4.3 Copying at a Terminal Pro 4 1161
4.3.4.4 Printing at a Terminal Pro 4 1162
4.3.4.5 Scanning at a Terminal Pro 4 1167
4.3.4.6 Using Billing Codes at a Terminal Pro 4 1171
4.3.5 Using YSoft SafeQ Terminal UltraLight 1177
4.3.5.1 Overview 1177
4.3.5.2 Using the Keypad 1179
4.3.5.3 YSoft SafeQ Terminal UltraLight Beep and LED Code Sequences 1180
4.3.5.4 FCC statements 1180
4.3.5.5 Logging In and Logging Out at YSoft SafeQ Terminal UltraLight 1180
4.3.5.6 Printing All Your Print Jobs at YSoft SafeQ Terminal UltraLight 1182
4.3.5.7 Copying at YSoft SafeQ Terminal UltraLight 1183
4.3.5.8 Scanning at YSoft SafeQ Terminal UltraLight 1184
4.3.6 Using YSoft SafeQ Terminal Professional 1186
4.3.6.1 Overview 1186
4.3.6.3 Changing the language of terminal at Terminal Professional 1187
4.3.6.4 Copying and scanning at Terminal Professional 1188
4.3.6.5 Deleting a print job at Terminal Professional 1190
4.3.6.6 Incompatible jobs at Terminal Professional 1192
4.3.6.7 Logging In and Logging Out at YSoft SafeQ Terminal Professional 1193
4.3.6.8 Print and Copy and Scan with Credit Balance at Terminal Professional 1196
4.3.6.9 Printing all your print jobs in the queue at Terminal Professional 1199
4.3.6.10 Registering a new card at Terminal Professional 1201
4.3.6.11 Selecting a billing code at Terminal Professional 1203
4.3.6.12 Selecting jobs to print at Terminal Professional 1207
5 Administrative Guides 1210
5.1 Quick Administration Guide 1210
5.1.1 What You Get When You Download YSoft SafeQ 1210
5.1.2 Installing YSoft SafeQ - Prerequisites 1210
5.1.3 Installing YSoft SafeQ 1211
5.1.4 Installation Procedure 1211
5.1.4.1 Choose Language 1211
5.1.4.2 Welcome Page 1211
5.1.4.3 Server Environment 1212
5.1.4.4 Optional Features 1212
5.1.4.5 Pre-installation Check 1212
5.1.4.6 Installation Folder Path 1213
5.1.4.7 Database Configuration 1213
5.1.4.8 Embedded Database Configuration 1213
5.1.4.9 Installation Progress Page 1213
5.1.4.10 Installation Finished 1213
5.1.4.11 Logging Into YSoft SafeQ 1214
5.1.5 Activating YSoft SafeQ 1214
5.1.6 You Are Now Ready 1215
5.1.7 Adding Users 1215
5.1.8 Adding a Printer 1217
5.1.8.1 Adding a Printer to YSoft SafeQ 1217
5.1.9 Configuring Roles and Access Definitions 1218
5.1.9.1 Configuring Roles 1218
5.1.10 Basic Troubleshooting 1218
5.2 YSoft SafeQ Mobile Print SDK 1219
5.2.1 YSoft SafeQ Mobile Print SDK - Android 1219
5.2.1.1 Delivering Print job via MiG 1219
5.2.1.2 Service discovery 1221
5.2.2 YSoft SafeQ Mobile Print SDK - iOS 1222
5.2.2.1 Delivering Print job via MiG 1222
5.2.2.2 Client certificate support 1225
5.3 External Scripts and Tools 1227
5.3.1 CLI Device Replicator 1227
5.3.1.1 At a Glance 1227
5.3.1.2 CLI Device Replicator 1227
5.3.1.3 File Structure 1228
5.3.2 CLI User Replicator 1230
5.3.2.1 At a Glance 1231
5.3.2.2 CLI User Replicator 1231
5.3.2.3 File Structure 1232
5.3.3 DB Validator Tool 1236
5.3.3.1 Where to Find the DB Validator 1236
5.3.3.2 How to Configure the Tool 1236
5.3.3.3 How to Run the DB Validator 1236
5.3.4 GDPR Tools 1237
5.3.4.1 Executive Summary 1237
5.3.4.3 Right to be Forgotten 1238
5.3.4.4 Right to Access 1239
5.3.4.5 Right to Restriction of Processing 1240
5.3.4.6 Right to Access - rta.exe 1240
5.3.4.7 Right to be Forgotten - rtbf.exe 1242
5.3.4.8 Right to Restriction of Processing - rtr.exe 1243
5.3.5 Replicator Email Configuration 1245
5.3.6 The YSoft SafeQ 5 to YSoft SafeQ 6 Upgrade Tool 1246
5.3.6.1 Overview 1246
5.3.6.2 The "Upgrade" Command 1248
5.3.6.3 The "Rules Import" Command 1250
5.3.6.4 The Upgrade Tool File Structure and Logs 1250
5.3.7 YSoft SafeQ 6 Embedded Terminal Migration Tool 1251
5.3.7.1 Requirements 1251
5.3.7.2 Screens 1251
5.3.7.3 Required User Rights 1252
5.3.7.4 Login Screen 1253
5.3.7.5 Type of Migration 1254
5.3.7.6 Model of Migration 1254
5.3.7.7 Migration Screen 1258
5.3.7.8 The Reports Screen 1261
5.3.7.9 Migration Configuration 1261
5.3.8 YSoft Shell 1262
5.3.8.2 How to Run 1262
5.3.8.3 YSoft Shell Plugins (commands) 1263
5.3.8.4 Security 1263
5.4 How to Guides 1263
5.4.1 Configuration of a Reverse Proxy for Mobile Terminal with YSoft SafeQ 6 in a DMZ 1263
5.4.1.2 A Step-by-step Guide 1264
5.4.2 Configuring Database Pool of Management and LDAP Replicator 1271
5.4.2.1 Tomcat JDBC Connection Pool Configuration 1271
5.4.3 Configuring MS SQL Server Database Snapshot Isolation 1273
5.4.3.1 How to check snapshot isolation current state 1274
5.4.3.2 How to set up the database 1274
5.4.4 How and When to Restart a Standalone SPOC and SPOC Group 1275
5.4.4.1 SPOC Maintenance Scenarios: 1275
5.4.4.2 SPOC Restart Procedures: 1277
5.4.5 How to Change the IP Address of YSoft SafeQ Management Server 1279
5.4.5.1 Verification of the IP Address 1279
5.4.5.2 Reconfiguration of Management Server 1280
5.4.5.3 Reconfiguration of the Site Servers – Connection to the New IP Address of the Management
Server 1292
5.4.5.4 Other Required Configuration 1293
5.4.6 How to change the IP address of YSoft SafeQ Management Service 1294
5.4.6.2 Reconfiguration of Management Service 1295
5.4.6.3 Reconfigure Site Servers to connect to the new IP of the Management Service 1303
5.4.7 How to Change the IP Address of YSoft SafeQ Site Server 1305
5.4.7.2 Stopping YSoft SafeQ Services 1306
5.4.7.3 Update Steps 1306
5.4.7.4 Other Required Configurations 1309
5.4.8 How to Change the Password of a Database User 1310
5.4.8.1 How to Encrypt Password 1311
5.4.8.2 YSoft SafeQ 6 Management Service 1311
5.4.8.3 YSoft SafeQ 6 Payment System 1317
5.4.9 How to Delete the YSoft SafeQ Spooler Controller Cache 1317
5.4.9.1 What Is the YSoft SafeQ Spooler Controller Cache? 1317
5.4.9.2 About YSoft SafeQ Spooler Controller Cache Deletion 1318
5.4.9.3 How to delete the YSoft SafeQ Spooler Controller Cache 1318
5.4.10 How to Manage Finishing Options and System Tags 1320
5.4.10.1 A List of Basic and Advanced Finishing Options 1320
5.4.10.2 Configuring Finishing Options 1320
5.4.10.3 System Tags 1321
5.4.10.4 Configuring the Displaying of Incompatible Jobs 1322
5.4.10.5 Displaying the Tags in Job Information on the Web Interface 1322
5.4.11 How to Single Sign-On for the YSoft SafeQ 1323
5.4.11.1 Central Authentication Service 1324
5.4.11.2 Security Assertion Markup Language SAML 1328
5.4.11.3 Windows Integrated Authentication 1340
5.4.12 Upgrading from YSoft SafeQ 5 to YSoft SafeQ 6 1346
5.4.12.1 Summary 1346
5.4.12.2 General Prerequisites 1346
5.4.12.3 Upgrading a YSoft SafeQ 5 Single Server Installation (Without ORS Servers) 1347
5.4.12.4 Upgrading a YSoft SafeQ 5 Cluster Server Installation with a Non-trivial Environment Setup
1347
5.4.12.5 Manual Upgrading of YSoft SafeQ 5 – Migration of the Database 1347
5.4.12.6 Activating YSoft SafeQ 6 with a License After Upgrading 1348
5.4.12.7 A Detailed Description of the Upgrade Steps 1348
5.4.12.8 The Manual Upgrading of YSoft Safe 5 - Migrating the Database 1353
5.4.12.9 Upgrade of YSoft SafeQ 5 single server installation without ORS servers 1355
5.4.12.10 Upgrading a YSoft SafeQ 5 Cluster Server Installation with a Non-trivial Environment Setup
1357
5.4.13 Using Card Number Conversion 1360
5.4.13.1 The Conversion Function 1360
5.4.13.2 A Description of Rules 1360
5.4.13.3 An Example of Usage 1368
5.4.14 YSoft SafeQ Mobile Integration Gateway - print across multiple subnets 1368
5.4.14.1 Document description 1368
5.4.14.2 Configuration 1369
5.4.15 How to connect to Data Mart 1375
5.4.15.1 Enable Enterprise Reporting 1375
5.4.15.2 Connect Business Intelligence tool to Data Mart 1376
5.4.15.3 Microsoft SQL Server Analysis Services 1376
5.4.15.4 Power BI 1386
5.4.16 YSoft SafeQ Performance and Availability Monitoring Guidelines 1408
5.4.16.1 Executive Summary 1408
5.4.16.2 Best Practices 1408
5.4.17 How to Configure a Print Device in SAP to Inject a Username into a PJL Header 1423
5.4.17.1 How SAP Prints 1423
5.4.17.2 Frequently asked questions 1429
5.4.18 Green reporting - Purged Pages 1430
5.4.18.1 Green reporting calculations 1430
5.4.18.2 Configuring Green (Purged Pages) Reports 1430
5.4.18.3 Predefined Green (Purged Pages) Reports 1431
5.4.18.4 Report Samples 1432
5.4.18.5 My Savings Widget 1433
5.4.19 How to Restart a YSoft SafeQ Environment 1433
5.4.19.1 Management Server Restart Guidelines 1434
5.4.19.2 Site Server Restart Guidelines 1435
5.4.19.3 How to Safely Restart a Spooler Controller Group with Cache Deletion 1435
5.4.20 Tips for collecting of YSoft SafeQ 6 log files 1436
5.4.20.1 Script body 1436
5.4.21 How to upgrade PostgreSQL from version 9.4 to version 11 1441
5.4.21.2 A Step-by-step Guide 1442
5.4.22 How to Remove a Spooler Controller 1446
5.4.22.1 Overview 1446
5.4.22.2 Process description 1446
5.5 Installation and Deployment 1448
5.5.1 Software 1448
5.5.1.1 Installing YSoft SafeQ 6 Server 1448
5.5.1.2 YSoft SafeQ as a printer at Windows and Mac and Linux 1623
5.5.1.3 YSoft SafeQ 6 Pre-installation Checklists 1648
5.5.1.4 YSoft SafeQ 6 Workstation Installation 1650
5.5.1.5 Installing Security Certificates 1660
5.5.1.6 First server installation with an external Database 1666
5.5.1.7 Configuring the PostgreSQL Time Zone for Correct Print Job and Report Data 1670
5.5.1.8 First server installation with standalone data warehouse database 1670
5.5.1.9 Configuring MS SQL for Server link 1676
5.5.1.10 Configuring PostgreSQL for remote database connection 1679
5.5.1.11 Configuring PostgreSQL SSL/TLS connection 1679
5.5.1.12 Configuring MS SQL for SSL/TLS 1681
5.5.1.13 YSoft SafeQ Workstation Queues Overview 1682
5.5.1.14 PostgreSQL cluster 1695
5.5.2 Hardware 1727
5.5.2.1 Guide for Hardware Administrators 1727
5.5.2.2 Card Reader Installation Guide 1768
5.5.2.3 YSoft USB reader v2 installation and configuration 1806
5.5.2.4 YSoft SafeQube 2 1808
5.5.2.5 YSoft SafeQ Terminal Pro 4 installation guide 1822
5.5.2.6 YSoft SafeQ Terminal Professional Installation Guide 1846
5.5.2.7 YSoft SafeQ Terminal UltraLight Installation Guide 1869
5.5.2.8 Configuring MFDs for Scanning with YSoft SafeQ hardware terminals 1884
5.5.2.9 Remote configuration tool for hardware terminals 1908
5.5.2.10 How to connect Smart Cable to MFD 1929
5.5.3 Backup and Recovery Scenarios 2000
5.5.3.1 Backup 2000
5.5.3.2 Recovery Scenarios 2014
5.5.3.3 System Sanity Checks 2089
5.5.4 Embedded Terminals installation and configuration 2092
5.5.4.1 Configuring supported languages in Embedded Terminal 2093
5.5.4.2 Device Configuration for YSoft SafeQ Embedded Terminal 2096
5.5.4.3 Embedded Terminal installation 2452
5.5.5 Configuring Terminal Failover 2459
5.5.5.1 Application-level failover 2459
5.5.5.2 Network-level failover 2461
5.5.5.3 Configuring a Third-party Load Balancer for Terminal Failover 2462
5.5.5.4 Configuring etcd for failover support in Terminal Server 2466
5.5.5.5 Configuring Windows Network Load Balancing for Terminal Failover 2466
5.5.5.6 Configuring YSoft SafeQ for Network-level Terminal Failover 2473
5.5.5.7 Enabling application failover on YSoft SafeQ Embedded Terminal for Konica Minolta 2475
5.5.5.8 Enabling application failover on YSoft SafeQ Embedded Terminal for Ricoh 2477
5.6 Update Guide 2478
5.6.1 Updating Terminals 2479
5.6.1.1 Updating YSoft be3D eDee 2479
5.6.1.2 Updating YSoft SafeQ Embedded Terminal 2481
5.6.1.3 Updating YSoft SafeQ Terminal Pro 4 2482
5.6.2 Updating Client Components 2485
5.6.2.1 Performing a GUI Wizard Update 2486
5.6.2.2 Performing a Silent (Unattended) Update 2486
5.6.2.3 After Updating 2487
5.6.3 Updating from MU/Build to Build 2487
5.6.3.1 Before the Update 2487
5.6.3.2 Updating Procedure 2489
5.6.3.3 Rollback 2494
5.6.4 Updating YSoft SafeQube 2 2495
5.6.4.1 Before Reinstallation 2495
5.6.4.2 Updating via YSoft SafeQ Management Interface 2495
5.6.5 Updating Mobile Integration Gateway 2497
5.6.5.1 Step-by-step Guide 2497
5.7 Requirements 2497
5.7.1 Hardware Requirements 2497
5.7.1.1 How to Measure Storage Throughput and IOPS 2499
5.7.1.2 Workflow Processing System with OCR hardware requirements 2502
5.7.2 Software Requirements 2503
5.7.2.1 Requirements and Limitations of Embedded Terminals 2503
5.7.2.2 YSoft SafeQ Mobile Integration Gateway Requirements 2527
5.7.2.3 YSoft SafeQ Mobile Terminal requirements and known limitations 2528
5.7.2.4 YSoft SafeQ server requirements 2529
5.7.2.5 YSoft SafeQ Terminal UltraLight and Terminal Professional v3.5 requirements and limitation
2537
5.7.2.6 YSoft SafeQ Workstation Requirements 2538
5.7.3 Requirements for third party load balancer 2541
5.8 Troubleshooting Guides 2542
5.8.1 An Overview of YSoft SafeQ 6 Services 2542
5.8.1.1 About 2542
5.8.1.2 Default Installation Paths and Registry 2543
5.8.2 Credit Handling on Terminals 2544
5.8.2.1 Credit Handling 2544
5.8.2.2 Credit Handling on Fuji Xerox 2544
5.8.2.3 Credit Handling on Fuji Xerox XCP 2547
5.8.2.4 Credit Handling on Ricoh 2554
5.8.2.5 Credit handling on Samsung 2555
5.8.2.6 Credit Handling on Sharp 2555
5.8.2.7 Credit Handling on Sharp-eSF 2558
5.8.2.8 Credit Handling on Xerox 2559
5.8.2.9 Credit Handling on Konica Minolta 2559
5.8.2.10 Credit Handling on Lexmark 2562
5.8.2.11 Credit Handling on HP 2563
5.8.2.12 Credit Handling on Epson 2577
5.8.3 Log File Overview 2588
5.8.3.1 Audit log 2588
5.8.3.2 Terminal Server Logs 2591
5.8.3.3 YSoft Infrastructure Service Logs 2604
5.8.3.4 YSoft Payment System Logs 2606
5.8.3.5 YSoft SafeQ End User Interface Logs 2610
5.8.3.6 YSoft SafeQ FlexiSpooler Logs 2611
5.8.3.7 YSoft SafeQ Management Service Logs 2616
5.8.3.8 YSoft SafeQ Mobile Integration Gateway Logs 2622
5.8.3.9 YSoft SafeQ Mobile Print Server Logs 2623
5.8.3.10 YSoft SafeQ Mobile Terminal Logs 2625
5.8.3.11 YSoft SafeQ Spooler Controller Logs 2627
5.8.3.12 YSoft SafeQ Workflow Processing System Logs 2631
5.8.4 SSL/TLS Secure Channel - SCHANNEL - Troubleshooting 2633
5.8.4.1 Terminal/MFD Cannot Be installed, the Error "Could not create SSL/TLS secure channel"
Appears in the terminalserver.log Log File 2633
5.8.4.2 Communication with YSoft Payment System Fails with the Error "Could not create SSL/TLS
secure channel" in the terminalserver.log Log File 2637
5.8.4.3 The Device Supporting Only Higher Versions of the SSL/TLS Protocol Cannot Connect to
YSoft SafeQ Server 2637
5.8.4.4 The Device Is Installed Correctly, but Cannot Connect to YSoft SafeQ Server 2639
5.8.5 Troubleshooting Billing Codes 2639
5.8.5.1 Common Problems with Billing Codes 2639
5.8.6 Troubleshooting Embedded Terminals 2640
5.8.6.1 Configuring OKI/Toshiba to Support the At Sign in a Username 2640
5.8.6.2 Printing from USB on YSoft SafeQ Embedded Terminal for Konica Minolta 2641
5.8.6.3 Troubleshooting WebDAV delivery of scanned data from Xerox devices 2643
5.8.6.4 Troubleshooting YSoft SafeQ Embedded Terminal for Ricoh SOP 2643
5.8.7 Troubleshooting YSoft SafeQ Mobile Terminal 2651
5.8.7.1 How to Find Out the Version of the Installed Application 2652
5.8.7.2 YSoft SafeQ Server Is Not Reachable 2652
5.8.7.3 Google Play Update Failed 2653
5.8.7.4 NFC Tag Does Not Launch the Android Application 2654
5.8.7.5 The User Is Unable to Log In When YSoft Payment System Is Not Configured Correctly or
Not Installed 2654
5.8.7.6 Refreshing the Job List Does Not Work (Pull-to-Refresh) 2655
5.8.8 YSoft SafeQ FlexiSpooler troubleshooting 2655
5.8.8.1 Broken encoding in job name 2655
5.8.8.2 FlexiSpooler on Windows 7/Windows 2008 2658
5.8.8.3 Konica Minolta device freezes when the spooling client goes to sleep or hibernates 2658
5.8.8.4 Printing BW Jobs with User Access restriction for Color on Sharp 2658
5.8.8.5 Problems with Finishing Options on Epson 2659
5.8.8.6 Problems with job delivery via LPR 2659
5.8.8.7 Problems with job delivery via RAW 2660
5.8.8.8 Troubleshooting YSoft SafeQ FlexiSpooler high resource usage 2661
5.8.8.9 Xerox WorkCentre 6655 does not print when bidirectional communication is set on the device
2663
5.8.9 YSoft SafeQ Mobile Integration Gateway troubleshooting 2664
5.8.9.1 Slow printing using IPPS from Linux 2664
5.8.10 YSoft SafeQ services are not started after reboot 2665
5.8.10.1 Situation 2665
5.8.10.2 Solution 2665
5.9 YSoft SafeQ 6 Administration and Configuration 2666
5.9.1 Management Interface 2666
5.9.1.1 Management Interface - Overview 2666
5.9.1.2 Management Interface - Cloud 2670
5.9.1.3 Management Interface - Dashboard 2674
5.9.1.4 Management Interface - Reports 2685
5.9.1.5 Management Interface - Devices 2723
5.9.1.6 Management Interface - Billing 2747
5.9.1.7 Management Interface - Users 2768
5.9.1.8 Management Interface - Rules 2786
5.9.1.9 Management Interface - System 2805
5.9.1.10 Management Interface - Scan Workflows 2822
5.9.1.11 Management Interface - License Activation 2937
5.9.2 YSoft SafeQ Payment System administration 2951
5.9.2.1 Configuring Payment System 2951
5.9.2.2 YSoft SafeQ Payment System Administration web interface 2973
5.9.2.3 Working with Payment System 3008
5.9.2.4 YSoft Payment Machine 3014
5.9.3 Configuring YSoft SafeQ end user interface 3065
5.9.3.1 Installation 3065
5.9.3.2 Enable YSoft SafeQ end user interface features 3066
5.9.3.3 Advanced configuration 3068
5.9.3.4 Related documentation 3069
5.9.4 Mobile Integration Gateway administration 3069
5.9.4.1 Logging into the system 3070
5.9.4.2 Automatic logout 3070
5.9.4.3 Turning Mobile Iintegration Gateway on and off 3070
5.9.4.4 Updating announced name, location and supported paper sizes 3071
5.9.4.5 Certificates 3071
5.9.5 Configuring Mobile Print Server 3074
5.9.5.1 Overview 3074
5.9.5.2 Configuring Mobile Print Sever via web interface 3074
5.9.5.3 Local configuration - mps.config and controllerIPs.config 3079
5.9.5.4 Mobile Print Server - Configure access to GMail IMAP using OAuth 3090
5.9.5.5 Mobile Print Server - User mail notification composition 3096
5.9.5.6 Mobile Print Server - Configure access to Microsoft Exchange Online IMAP using OAuth 3100
5.9.6 Configuring YSoft SafeQ with Azure AD 3106
5.9.7 Configuring FlexiSpooler 3106
5.9.7.1 Configuration and usage of JobStore 3106
5.9.7.2 Configuring Authentication 3109
5.9.7.3 Configuring Offline Print 3112
5.9.7.4 Configuring Spool cleaning 3113
5.9.7.5 Configuring Spooler Controller Discovery 3115
5.9.7.6 Configuring YSoft SafeQ FlexiSpooler Modes 3117
5.9.7.7 YSoft SafeQ Client failover mechanism 3121
5.9.7.8 FlexiSpooler Server HTTP authentication configuration - Azure AD 3123
5.9.7.9 How to set receiving print jobs from YSoft SafeQ Client Enterprise 2.x via port 9100 3127
5.9.7.10 Job compression 3148
5.9.7.11 Job recovery feature 3148
5.9.7.12 Parsing username from print job 3149
5.9.7.13 Print language support and limitations 3151
5.9.7.14 Using FlexiSpooler with multiple users on one computer 3152
5.9.7.15 FlexiSpooler local configuration through spooler.config file 3153
5.9.7.16 FlexiSpooler locations configuration with locations.config file 3164
5.9.7.17 Advanced direct print configuration 3165
5.9.7.18 YSoft SafeQ FlexiSpooler Security considerations 3166
5.9.7.19 YSoft SafeQ Server FlexiSpooler failover mechanism 3167
5.9.8 NFC Administration app 3168
5.9.8.1 About NFC Administration app 3168
5.9.8.2 Programming NFC using the NFC Administration app 3168
5.9.8.3 Programming NFC tag using NFC Administration app 3168
5.9.9 System communication hardening 3178
5.9.9.2 Generating certification authority 3179
5.9.9.3 Installing your Root CA to truststores of YSoft SafeQ machines 3180
5.9.9.4 Generating key/certificate in Java Keystore format 3182
5.9.9.5 Generating key/certificate in the Personal Information Exchange format 3184
5.9.9.6 Communication paths 3187
5.9.9.7 Configuring SSL/TLS for Management web interface 3189
5.9.9.8 Configuring secured connection to the LDAP server 3192
5.9.9.9 Setting the secure connection between cluster nodes 3197
5.9.9.10 Setting secured communication between YSoft SafeQ Management and Spooler Controller
3199
5.9.9.11 Setting secured communication with Spooler Controller 3203
5.9.9.12 Setting server spooler authentication for job transfer 3211
5.9.9.13 Configuring secured connection between terminals and Terminal Server 3214
5.9.9.14 Setting custom certificate on YSoft SafeQ Mobile Integration Gateway web interface 3217
5.9.9.15 Configuring SSL/TLS for YSoft SafeQ Payment System 3221
5.9.9.16 Configuring SSL/TLS for End User Interface 3225
5.9.9.17 Getting certificate for setting up SharePoint 2013 add-in environment 3228
5.9.9.18 Configuring cryptographic protocols for outbound communication 3229
5.9.9.19 Conversions between different keystores and certificate types 3230
5.9.9.20 Configuring security for Infrastructure Management Server 3232
5.9.9.21 How to Secure Distributed Layer Communication 3232
5.9.9.22 Configuring SSL/TLS for communication from server to MFD 3234
5.9.10 Eddystone configuration 3235
5.9.10.1 General 3235
5.9.10.2 Setting up Eddystone for YSoft SafeQ Mobile Terminal 3235
5.9.11 YSoft hardware administrator guide 3239
5.9.11.1 How to login 3240
5.9.11.2 How to change manager password 3241
5.9.11.3 Connection to YSoft Infrastructure Service (IMS) 3242
5.9.11.4 Operating system update 3244
5.9.11.5 Applications 3245
5.9.12 Configuring Workflow Integrity Check Logger 3252
5.9.12.1 To log errors from validation into a separate log file 3252
5.9.13 Configuring logging using Nlog.config 3253
5.9.13.1 How to change logging level to Trace 3253
5.9.13.2 Other configuration options: 3253
5.9.14 Configuring YSoft Universal Print Driver 3254
5.9.14.1 YSoft Printer Driver PCL 3254
5.9.14.2 Vendor specific driver 3254
5.9.14.3 Creating a Direct or Secure Print Queue Using a Vendor Driver 3254
5.9.14.4 YSoft Universal Print Driver 3255
5.9.15 YSoft SafeQ Mobile Print Application Configuration 3257
5.9.15.1 Minimal requirements 3258
5.9.15.2 Installation of infrastructure 3258
5.9.15.3 Using Mobile Print applications 3260
5.9.15.4 Security considerations 3261
5.9.15.5 Support 3261
6 YSoft be3D eDee documentation 3263
6.1 DeeControl 2 - Quick Guide 3263
6.1.1 Main screen 3263
6.1.2 Typical workflow 3263
6.2 DeeControl 2 - User Guide 3267
6.2.1 Introduction 3267
6.2.2 What Is YSoft be3D DeeControl 2 3267
6.2.3 Requirements 3267
6.2.3.1 Software 3267
6.2.3.2 Hardware 3267
6.2.4 Installation of YSoft be3D DeeControl 2 3267
6.2.4.1 Windows Installation 3267
6.2.4.2 Windows Silent Installation 3271
6.2.4.3 Windows Uninstallation 3272
6.2.4.4 Mac Installation 3274
6.2.5 How to Set Up a connection to YSoft SafeQ Server 3275
6.2.6 Select language 3277
6.2.7 Print Job Preparation 3278
6.2.7.1 Lay model on selected face 3278
6.2.8 Using 3D Viewport 3279
6.2.8.1 View Mode 3279
6.2.8.2 Controlling the View 3279
6.2.9 DeeControl 2 project 3280
6.2.10 Print Settings 3281
6.2.10.1 Basic Settings 3281
6.2.10.2 Advanced settings 3282
6.2.10.3 Saving a Print Profile 3285
6.2.11 Preparing a Model for Print 3286
6.2.12 Viewing GCode and Sending the Print Job to the YSoft SafeQ Server 3286
6.2.12.1 Viewing a Specific Part of GCode 3288
6.2.12.2 Sending to the YSoft SafeQ Server 3288
6.2.12.3 Exporting the Print Job 3289
6.3 Using YSoft be3D eDee 3290
6.3.1 Introduction 3290
6.3.2 Sending a print job to YSoft SafeQ 3290
6.3.2.2 DeeControl 2 3290
6.3.3 User authentication on YSoft be3D eDee printer 3291
6.3.3.1 Log out 3292
6.3.3.2 Unknown user 3292
6.3.4 Job list and job management on YSoft be3D eDee printer 3293
6.3.5 Printing a model on YSoft be3D eDee printer 3296
6.3.6 Printing 3301
6.3.7 Printing finished 3302
6.3.8 Send a request to administrator 3305
6.3.9 Stop print 3307
6.4 YSoft be3D eDee Installation Guide 3310
6.4.1 Purpose of this document 3310
6.4.2 Hardware overview 3311
6.4.2.1 YSoft be3D eDee printer 3311
6.4.3 SW overview 3312
6.4.4 Unboxing 3313
6.4.5 Network and power cord connection 3314
6.4.6 Terminal extraction 3316
6.4.7 Login to service menu 3317
6.4.8 Open all doors 3318
6.4.9 Remove fixing foams and accessory box 3319
6.4.10 Unpack accessory box 3323
6.4.11 Place the glass print bed into the printing chamber 3324
6.4.12 Attach the card reader - optional 3325
6.4.13 Load filament 3329
6.4.14 Motion test 3334
6.4.15 Offset test 3337
6.4.16 Closing the eDee printer 3340
6.4.17 Configure the network address 3341
6.4.18 Adding eDee device to YSoft SafeQ 6 3342
6.4.19 Accounting 3346
6.4.20 Locking the device - optional 3346
6.5 YSoft be3D eDee requirements and known limitations 3346
6.5.1 Requirements 3346
6.5.2 Known limitations 3346
7 YSoft SafeQ Demo 3347
7.1 About YSoft SafeQ Demo 3347
7.2 References: 3347
7.3 How to run YSoft SafeQ Demo 3347
7.3.1 YSoft SafeQ Demo on Windows 3347
7.3.2 Preconditions 3347
7.3.3 YSoft SafeQ Demo Installation 3347
7.3.4 YSoft SafeQ Demo User Interface (Recommended) 3348
7.3.4.1 Starting Demo management 3348
7.3.5 YSoft SafeQ Demo - Without User Interface 3350
7.3.5.1 Starting YSoft SafeQ Demo 3350
7.3.5.2 Cleaning database data 3351
7.4 Limitations of YSoft SafeQ Demo 3351
7.4.1 PostgreSQL database only 3351
7.4.2 Adding new items 3351
7.4.3 Removing generated items 3351
7.4.4 Currency 3351
7.4.5 Cleanup script 3352
7.4.6 Jobs on local printers 3352
7.4.7 Deleting jobs 3352
7.5 Troubleshooting YSoft SafeQ Demo 3352
1 YSOFT SAFEQ BUILD 50
Download the YSoft SafeQ Build 50 installation packages and YSoft SafeQ Build 50 Release
Notes for additional information about all the new features and improvements.
Y SOFT SAFEQ ENTERPRISE WORKFLOW PLATFORM 24

2 ABOUT YSOFT SAFEQ 6
2.1 WHAT IS YSOFT SAFEQ 6?
2.1.1 A WORKFLOW SOLUTIONS PLATFORM
As a platform, YSoft SafeQ 6 includes three main pillars:
Print Management,
Document Capture/Automated Workflows,
3D Printers/3D Print Management.
The three main pillars enable customers to:
Centralize print management across 2D and 3D printers:
Embedded in the world's most popular MFD brands,
Embedded in 3D printers from Y Soft Corporation, a.s.
Reduce costs on print, scan, and copy services.
Increase document and 3D object security.
Improve productivity through automated scan workflows and pull-printing.
Contribute to organization sustainability initiatives.
2.1.2 SUITES AND MODULES
YSoft SafeQ 6 follows a simple approach to modularity. Customers can choose from a set of
modules or combination of modules (suites) in order to drive operational efficiencies, streamline
workflows, and strengthen device and content security while improving worker productivity.
Modularity enables customers to use truly what their business will benefit from.
Patent protected. YSoft SafeQ is protected, among others, by US patents 9,030,688. Additional
patents pending.

2.2 ARCHITECTURE OVERVIEW
2.2.1 COMPONENT OVERVIEW
Comments
In the top part of the diagram four user types interacting with SafeQ System are depicted with
arrows that show typical use cases
End User that prints, authenticates, selects jobs at the terminal and uses the system in
various ways through web interfaces

Administrator and Local Administrator that set configuration, do operations to all users' jobs
and manage devices and terminals
Managers that use web and other reports
Every component is depicted with its responsibilities and communication with other components
including the protocol being used like
SafeQ specific protocols - YMQ, Communicator and MessagingV1
Generic protocols like http(s), IPP, RAW TCP/IP and system specific protocols
The bottom line contains 3rd party systems the whole SafeQ system communicates with
including MFDs, mail servers, 3rd party Document Systems, File Systems, LDAP servers and
others.
2.2.2 NETWORK COMMUNICATION
This page provides information about ports and protocols that must be enabled on firewalls and
other related security aspects to ensure safe usage of YSoft SafeQ 6.
2.2.2.1 Security configuration
Secured network communication must always be considered when using YSoft SafeQ 6. Most
important links are encrypted by default right after the installation using pre-installed certificates.
Pre-installed certificates naturally do not ensure highest level of security and they should be
replaced by customer ones.
Some links are by default unencrypted. In order to make all the securable path encrypted and
subsystems authenticated, continue with the configuration on the following page: Communication
paths
2.2.2.2 Firewall Configuration Best Practices
In accordance to the "least privilege" security principle, it is strongly advised to configure a firewall
to (1) only allow communication from trusted components and/or networks and (2) only open ports
required by actual YSoft SafeQ deployment and configuration. When communication with
untrusted networks is needed (e.g. public Internet), additional security measures should be
considered.
JMX Ports Threat
JMX is used mainly for system monitoring and proactive care. While these functions are helpful,
having ports opened publicly without any authentication mechanism is a high-security risk and
customers should only open them with proper configuration or/and understanding the risks. Since
MU38 JMX ports in SafeQ are by default accessible only from localhost.

2.2.2.3 Bandwidth and Latency
Bandwidth and latency must be considered for each implementation:
Latency is important to be kept under 100ms for metadata synchronization in Site Server
cluster locations (Spooler Controller Group) and for user experience on all browser based
terminal (i.e. between where the MFD is and its respective Terminal Server).
Bandwidth required is vastly dependent on print job data size and path: from workstation to
FlexiSpooler (which can reside on the very same workstation or on a remote Site Server) and
from FlexiSpooler to the device. Print job metadata traveling among components average
around 40–60 kB per print job.
2.2.2.4 Network communication overview
Following table provides a complete list of the ports and protocols that must be enabled on
firewalls in order to ensure YSoft SafeQ 6 system functionality.
This documents describes the communication that has to be allowed on the network level, it
does not describe communication that takes place via loopback interface (localhost)
Management
Client Server Unsecured Secured Applicati Networ Transferred data

side side server side server on k
port side port protocols protoco
ls
User Manage 80 443 HTTP TCP User credentials, settings,

ment /HTTPS GUID
Manageme Manage 2379 n/a HTTP TCP Database password

nt ment
(ETCD)
Manageme Manage 2380 n/a HTTP TCP Database password

nt (ETCD) ment
(ETCD)
Manageme Manage 6020 6020 Proprieta TCP Synchronization info, system

nt ment ry properties values
Spooler Manage 6010 6010 Proprieta TCP Configuration

Controller ment ry
Payment Manage 4096 n/a Proprieta TCP Firmware update

machine ment ry
(SPM)

Client Server Unsecured Secured Applicati Networ Transferred data
side side server side server on k
ls
Payment Manage 64099 n/a Proprieta UDP Server discovery

machine ment ry
(SPM)
User Manage 80 443 HTTP TCP Credentials, availability status,

ment /HTTPS LDAP settings, Device
information
ProactiveC Manage 19898 n/a JMX, TCP System state

are ment JMX RMI
– Manage 4099 n/a ServerSync

ment
Spooler Controller
Client side Server Unsecured Secured Applicat Netwo Transferred data

side server server ion rk
side port side port protocol protoc
s ols
Spooler Spooler 5555 5555 Propriet TCP Configuration

Controller Controller ary
Management Spooler 5020 n/a HTTP TCP Job preview

Controller
Mobile Spooler 5555 5555 Propriet TCP User credentials, configuration

Integration Controller ary
Gateway
End User Spooler 5555 5555 Propriet TCP Configuration

Interface Controller ary
Mobile Print Spooler 5555 5555 Propriet TCP Configuration, user credentials
Server Controller ary
FlexiSpooler Spooler 5555 5555 Propriet TCP User credentials, configuration

server/client Controller ary
spooling
Flexispooler Spooler 5566 n/a HTTP TCP Print job accounting

Controller information

Client side Server Unsecured Secured Applicat Netwo Transferred data
side server server ion rk
s ols
Terminal Spooler 5556 n/a Propriet TCP Configuration, notification

Server Controller ary about terminal management
and user sessions
Terminal Spooler 5020 n/a HTTP TCP Job preview

Server Controller
Workflow Spooler 5555 5555 Propriet TCP Configuration

Processing Controller ary
System
Payment Spooler 5556 n/a Propriet TCP Configuration, license, user

System Controller ary credentials, card assignment
ProactiveCare Spooler 9000 n/a JMX TCP System state

Controller RMI

Controller

Controller
group

Controller RMI
group
Job Service Spooler 5555 n/a YMQ TCP Configuration, job preview
Controller image
Identity Spooler 5555 5555 Propriet TCP User credentials

Server Controller ary
Terminal Server
Client side Server Unsecur Secured Applicatio Net Transferred data

side ed server side n work
server port protocols prot
side ocol
port s
Embedded terminal Termi 5011 5012 SOAP TCP User credentials

for Xerox nal /HTTPS
Server

side ocol
port s
Embedded terminal Termi 5021 5022 HTTP TCP Application data, job preview
for Xerox nal /HTTPS
Server
Embedded terminal Termi 389 636 LDAP TCP User roles and permission
for Xerox Versalink nal /LDAPS groups
Server
Embedded terminal Termi 389 389 LDAP TCP User roles and permission
for Xerox Altalink nal /LDAP groups
Server over
STARTTLS
Embedded terminal Termi 5011 5012 SOAP TCP User credentials

for Fuji Xerox nal /HTTPS
Server
for Fuji Xerox nal /HTTPS
Server
Embedded terminal Termi 5013 5029 HTTP TCP User credentials

for Fuji Xerox XCP nal /HTTPS
Server
for Fuji Xerox XCP nal /HTTPS
Server
Embedded terminal Termi 5021 5014, 5015, SOAP TCP All device communication
for Konica Minolta, nal 5016, 5017, /HTTPS data, e.g. user credentials
Develop, Olivetti Server 5018, 5019,
5022
Embedded terminal Termi 5011 5012 SOAP TCP Web services

for Sharp nal /HTTPS
Server
Embedded terminal Termi 5021 5022 HTTP TCP User credentials, job
for Sharp nal /HTTPS authorization, accounting
Server information, events
Embedded terminal Termi 5021 n/a HTTP TCP User credentials

for Sharp-eSF nal
Server

side ocol
port s
for Toshiba (non nal /HTTPS
MDS) Server
Embedded terminal Termi 389 636 LDAP TCP User credentials

for Toshiba (non nal /LDAPS
MDS) Server
Embedded terminal Termi 5011 5012 HTTP TCP Web services

for Toshiba MDS nal /HTTPS
Server
Embedded terminal Termi 5021 5022 HTTP TCP User credentials, all
for Toshiba MDS nal /HTTPS application data
Server
Embedded terminal Termi 5013 n/a HTTP TCP User credentials, all
for Samsung nal application data
Server
Embedded terminal Termi 5021 n/a HTTP TCP User credentials

for Lexmark nal
Server
Embedded terminal Termi 5011 5012 HTTP TCP Web services

for Ricoh nal /HTTPS
Server

for Ricoh nal /HTTPS
Server
Embedded terminal Termi 5021 5022 HTTP TCP User credentials, job
for Epson nal /HTTPS preview
Server
Embedded terminal Termi 5023 5024 HTTP TCP Notifications, accounting

for Epson nal /HTTPS
Server
Embedded terminal Termi 5026 5027 HTTP TCP Authentication,Accounting,

for Brother nal /HTTPS Jobs,Scan workflows
Server

side ocol
port s

for HP nal /HTTPS
Server
Embedded terminal Termi 5025 5025 HTTPS TCP Web services

for HP nal
Server
for OKI nal /HTTPS
Server

for OKI nal /LDAPS
Server
for OKI sXP2 nal /HTTPS
Server

for OKI sXP2 nal /LDAPS
Server /LDAP
over
STARTTLS
Terminal Termi 5021 5022 HTTP TCP User credentials, job

Professional (TP4) nal /HTTPS preview, all application data
Server
Mobile terminal Termi 5021 5022 HTTP TCP User credentials, job
(Android) nal REST API metadata
Server (JSON)
/HTTPS
(iPhone) nal REST API metadata
Server (JSON)
/HTTPS
(Windows Phone) nal REST API metadata
Server (JSON)
/HTTPS

side ocol
port s
Mobile terminal Termi 5021 5022 HTTPS TCP Logs (time of crash, OS,
nal stacktrace)
Server
Spooler Controller Termi 5557 n/a Proprietary TCP Configuration, notification

nal about terminal management
Server and user sessions
Network card Termi 5011 n/a HTTP TCP User credentials (card
reader nal number)
Server
Terminal Termi 5011 n/a HTTP TCP User credentials (card

Professional (TPv3. nal number)
5) in Network card Server
reader mode
MFD Termi 20, 21, n/a FTP TCP Scanned document

nal 1024-
Server 65535
MFD Termi User User defined WebDAV TCP Scanned document

nal defined /WebDAVS
Server
EDEE Termi 5021 5022 HTTP TCP User credentials

nal /HTTPS
Server
Terminal Termi 4096 4096 Proprietary TCP User credentials (card

Professional nal number, pin,
(TPv3.5) Server username+password),
firmware update, session
data
Terminal Termi 37 n/a Proprietary UDP Time synchronization

Professional nal
(TPv3.5) Server
Terminal Termi 5021 5022 HTTP TCP Job preview

Professional nal
(TPv3.5) Server
(SQTA
)

side ocol
port s
Terminal Ultralight Termi 4096 4096 Proprietary TCP User credentials (card
nal number, pin), firmware
Server update, session data
Terminal Ultralight Termi 37 n/a Proprietary UDP Time synchronization

nal
Server
Flexi Spooler
Client side Server side Unsecured Secured Applicati Networ Transferred

server side server on k data
ls
Mobile FlexiSpooler 5559 5559 HTTP TCP Job data

Integration server spooling /HTTPS
Gateway /non spooling
Mobile Print FlexiSpooler 5559 5559 HTTP TCP Job data

Server server spooling /HTTPS
/non spooling
User/LPD FlexiSpooler client 515 n/a LPR TCP Job data

Windows spooling/non
Spooler spooling
Desktop FlexiSpooler client 5558 5558 Proprieta TCP Job data,

Interface spooling/non ry user
spooling credentials
FlexiSpooler FlexiSpooler 5559 5559 HTTP TCP Job data

server/client non server spooling /HTTPS
spooling /non spooling
Other app (e.g. FlexiSpooler 515 n/a LPR TCP Job data
SAP) LPR server spooling
printing /non spooling
SafeQ Client FlexiSpooler 9100 n/a TCP/IP TCP Username

server spooling raw/jet and domain,
/non spooling direct job data

Workflow Processing System
Client Server side Unsecured Secured Application Network Transferre

side server side server side protocols protocols d data
port port
Terminal Workflow 5600 5600 HTTP/HTTPS TCP Scanned

Server Processing data
System
Terminal Workflow n/a n/a SMB/WebDAV TCP Scanned

Server Processing /WebDAVS document
System
Payment
Client Server Unsecure Secured Application Netw Transferred data

side side d server server protocols ork
side port side proto
port cols
End Payment 8080 8443 HTTP/HTTPS TCP User information, voucher

User System code, configuration
Interface
User Payment 8080 8443 HTTPS TCP User credentials

System
Web
Interface
Terminal Payment 8080 8443 HTTP REST API TCP Credit and Quotas data
Server System /HTTPS
Payment Payment 4196 4197 Proprietary over User credentials (card

machine System /4198 /4199 SSL/TLS number, pin,
(SPM) username+password), credit
transaction data
Payment Payment HTTP/HTTPS TCP Transaction information

System Gateway
Payment External User User Protocol

System Payment defined defined depends on
System external
payment
system
User Payment Proprietary TCP Configuration change, remote

(termtool machine control commands, firmware
user (SPM) update
utility)

Client Server Unsecure Secured Application Netw Transferred data
side side d server server protocols ork
side port side proto
port cols
User Payment 64099 n/a Proprietary UDP Configuration change, remote

(termtool machine control commands, terminal
user (SPM) discovery
utility)
User Payment 161 n/a SNMPv2c UDP Connection, authentication

machine and operation states
(SPM)
MFD
Client side Server Unsecure Secured Applica Netwo Transferred data

side d server server tion rk
side port side port protoco protoc
ls ols
Terminal MFD 50001 50003 HTTP TCP Terminal installation process

Server (Konica /HTTPS
Minolta)
Terminal MFD User User SNMP Device control (e.g. job deletion)
Server (Konica defined defined
Minolta)
Terminal MFD 80/8080 443 HTTP TCP Terminal installation process

Server (Ricoh) /51443 /HTTPS
Terminal MFD 64098 n/a TCP/IP TCP Configuration

Server (Ricoh)
Terminal MFD Device- Device- HTTP TCP Terminal installation process

Server (HP) dependent depende /HTTPS
57627 nt
7627
/443
Terminal MFD 49629 49630 HTTP TCP Installation of Embedded Terminal for
Server (Toshib /HTTPS Toshiba
a)
Terminal MFD User User HTTP TCP Terminal installation process

Server (Sharp) defined defined /HTTPS

ls ols
Terminal MFD 21, 1024- n/a FTP - Terminal installation process. Port
Server (Sharp- 65535 passive range 1024-65535 is all possible
eSF) ports that the MFD can use to
accept data and depends on the FTP
server settings of the MFD.
Terminal MFD 80 n/a HTTP TCP Terminal installation process

Server (Samsu
ng)
Terminal MFD 21, 1024- n/a FTP - Terminal installation process. Port
Server (Lexma 65535 passive range 1024-65535 is all possible
rk) ports that the MFD can use to
accept data and depends on the FTP
server settings of the MFD.

Server (Epson) /HTTPS

Server (Xerox) /HTTPS
Terminal MFD 161 n/a SNMP Configuration

Server (Xerox)

Server (Fuji defined defined /HTTPS
Xerox)

Server (Fuji defined defined /HTTPS
Xerox
XCP)
Spooler MFD 80 443 IPP TCP Device status information

Controller (Konica /IPPSSL
Minolta)
Terminal MFD User User SNMP Device status information

Professional defined defined
(TP4)
USB card MFD n/a n/a Propriet User credentials (card number),
reader /PC ary Configuration change, remote control
commands, firmware update

ls ols
FlexiSpooler MFD 515/9100 443/631 LPR TCP Job data

server /80 /RAW
/client /IPP
spooling /IPPS
Spooler MFD User User JetDire TCP Job data

defined defined ct, IPP,
IPPS
Database server
Client side Server Unsecured Secured Applicati Networ Transferred data

side server side server side on k
port port protocol protoco
s ls
Manageme Database 1433 1433 TCP TCP User info, job info,
nt server (MS /TCP statistics,
SQL) over configuration, etc.
TLS
Database Database 1433 1433 TCP TCP User info, job info,
server (MS server (MS /TCP statistics,
SQL) SQL) over configuration, etc.
TLS
Manageme Database 5432 5432 TCP TCP User info, job info,
nt server (External) / (External) / /TCP statistics,
(PGSQL) 5433 5433 over configuration, etc.
(Embedded) (Embedded) TLS
Database Database 5432 5432 TCP TCP User info, job info,
server server /TCP statistics,
(PGSQL) (PGSQL) over configuration, etc.
TLS
LDAP
Client side Server side Unsecured Secured Application Network Transferred

server side server side protocols protocols data
port port

Client side Server side Unsecured Secured Application Network Transferred
server side server side protocols protocols data
port port
Management LDAP 9696 n/a JMX TCP User data

Replicator
service
Management LDAP 9002 n/a JMX RMI TCP User data

Replicator
service
LDAP LDAP User defined User defined LDAP TCP User data,
Replicator Server /LDAPS LDAP
service credentials
Management LDAP User defined User defined LDAP TCP User

Server /LDAPS credentials
Microsoft
Client side Server side Unsecured Secured Applicatio Network Transferred

server side server side n protocol data
port port protocols s
Workflow Microsoft n/a 80 HTTP TCP Credentials,

Processing Exchange /HTTPS scanned
System data
Workflow Microsoft n/a n/a HTTPS TCP Credentials,

Processing OneDrive for scanned
System Business (365) data
Workflow Microsoft n/a n/a HTTP TCP Credentials,

Processing SharePoint 2010 /HTTPS scanned
System data

System data

System data
Workflow Microsoft n/a n/a HTTPS TCP Credentials,

Processing SharePoint Online scanned
System (365) data
eDee

Client Server Unsecured server Secured server Application Network Transferre
side side side port side port protocols protocols d data
FlexiSp EDEE 9100 n/a TCP/IP (RAW) TCP Job data

ooler
IMS
Client Ser Unsecured Secured Applicat Networ Transferred data

side ver server side server ion k
s ols
Manag IMS 7347 7348 HTTP TCP Configuration

ement /HTTPS
Spoole IMS 7347 7348 HTTP TCP Configuration

r Prox /HTTPS
Contro y
ller
Termin IMS 7347 7348 HTTP TCP HW device registration, TP4 and EDEE
al Prox (REST) installation process
Server y /HTTPS
UA IMS 7347 7348 HTTP TCP Status report (hardware configuration,

/HTTPS serial number, FW/SW version,
configuration, network state), logs
UA IMS 7347 7348 HTTP TCP Status report (hardware configuration,

Prox /HTTPS serial number, FW/SW version,
y configuration, network state), logs
Terminal Ultralight
Client Server Unsecured Secured Application Networ Transferred data

side side server side server protocols k
port side port protoc
ols
Terminal Termin 4095 n/a Proprietary TCP Configuration change,

Server al firmware update
Ultralig
ht
User Termin 4095 n/a Proprietary TCP Configuration change, remote

(termtool al control commands, firmware
user Ultralig update
utility) ht

Client Server Unsecured Secured Application Networ Transferred data
side side server side server protocols k
port side port protoc
ols
User Termin 64099 n/a Proprietary UDP Configuration change, remote

(termtool al control commands, terminal
user Ultralig discovery
utility) ht
User Termin SNMPv2c TCP Connection, authentication

al over TCP/IP and operation states
Ultralig or UDP/IP
ht
Terminal Pro 3.5
Client Server Unsecure Secured Application Netwo Transferred data

side side d server server protocols rk
side port side port protoc
ols
Terminal Terminal 4095 n/a Proprietary TCP Configuration change,

Server Profession firmware update, compressed
al (TPv3.5) job delivery, session data
User Terminal Proprietary TCP Configuration change, remote

(termtool Profession control commands, firmware
user al (TPv3.5) update
utility)
User Terminal 64099 n/a Proprietary UDP Configuration change, remote

(termtool Profession control commands, terminal
user al (TPv3.5) discovery
utility)
User Terminal SNMPv2c TCP Connection, authentication

Profession over TCP/IP and operation states
al (TPv3.5) or UDP/IP
Others
Client side Server side Unsecured Secured Applicatio Netwo Transferred data
server server n rk
side port side port protocols protoc
ols

server server n rk
ols
Management Identity n/a n/a HTTP TCP Identity provider information,

Provider /HTTPS key for signature verification
(SAML)
Spooler Infinispan 80 n/a HTTP TCP Job metadata

Controller
Infinispan Infinispan 7800 7800 JGroups TCP Job metadata

/UDP
Infinispan Infinispan 7801, n/a JGroups TCP –

7802 /UDP
Management Mail Server 25/587 25/465 SMTP TCP Reporting and notifications
/587 /SMTPS
Spooler Mail Server 25/587 25/465 SMTP TCP Reporting and notifications
Controller /587 /SMTPS
Mobile External 5353 n/a mDNS UDP Printer information

Integration System (UDP)
Gateway
Mobile Mobile 8050 8050 IPP TCP User credentials

device Integration /IPPSSL
Gateway
User End User 9090 9443 HTTP TCP User credentials

Interface /HTTPS
Mobile Print Mail Server 25/587 25/465 SMTP TCP Email notifications
Server /587 /SMTPS
Mobile Print Mail Server 110 995 POP3 TCP Emails with job data
Server /POP3S
Mobile Print Mail Server 143 993 IMAP TCP Emails with job data
Server /IMAPS
Mobile Print Shared 137/138 137/138 SMB TCP Job data

Server folder (UDP) (UDP) /UDP
(used by 137/139 137/139
EUI) (TCP) (TCP)
FlexiSpooler Shared 137/138 137/138 SMB Job data

server/client folder UDP UDP
spooling 137/139 137/139
TCP TCP

server server n rk
ols
Management DropBox n/a 443 HTTPS TCP User credentials / token

(Business
/Enterprise)
Workflow DropBox n/a 443 HTTPS TCP Scanned document

Processing (Business
System /Enterprise)
Workflow File System n/a n/a SMB Scanned data

Processing
System
Workflow Mail Server n/a n/a SMTP TCP Scanned data

Processing /SMTPS
System
Workflow HP Records 1137 1137 TCP/IP TCP Scanned document, job

Processing Manager /HTTPS metadata
System (HP Trim)
Payment Mail Server n/a n/a SMTP Reporting

System
Payment User User User SNMPv2c UDP Connection and

machine defined defined authentication states
(SPM) change
User UA n/a 22 SSH TCP FW/SW update, status

report, credentials,
Management server address
EDEE Mail Server 25/587 25/465 SMTP TCP

/587 /SMTPS
Terminal User User User SNMPv2c UDP Connection and

Professional defined defined trap over authentication states
(TPv3.5) UDP/IP change
Terminal User User User SNMPv2c UDP Connection and

Ultralight defined defined trap over authentication states
UDP/IP change
Management Dispatcher User User HTTP TCP Credentials, availability

Phoenix defined defined /HTTPS status, LDAP settings,
Device information

server server n rk
ols
– End User 9009 n/a AJP –

Interface
Job Service Job 5000 5000 HTTP TCP

Service /HTTPS
Job Service JS 6000 n/a HTTP TCP Job metadata

Infinispan
JS JS 7900 7900 JGroups TCP Job metadata

Infinispan Infinispan /UDP
MySafeQ Identity 5000 5000 HTTP TCP User credentials

Server /HTTPS
MySafeQ Spooler 3050 n/a HTTP TCP Access token
System Spooler 515/631 632 LPR, IPP, TCP Job data

spooler IPPS
(Windows)
System Spooler 5515/5631 5632 LPR, IPP, TCP Job data

spooler IPPS
(MAC)
Spooler File System n/a n/a Configuration, job data
Spooler Job 5000 5000 HTTP TCP Job metadata, commands

Service /HTTPS (print, delete, preview), job
preview image
Job Service Identity 5000 5000 HTTP TCP Access token, scope
Server
2.3 EARLY ACCESS PROGRAM
2.3.1 WHAT IS EARLY ACCESS PROGRAM?
Early Access Program allows Y Soft to expose fresh exciting new features to select partners in
advance before official release. This allows us to collect feedback from around the world, fix any
imminent issues or enhance new features before general availability. Although fully functional,
features may not be fully localized. Unless confirmed otherwise, these features are not covered

by SLA. Also, for some of the features in early Access Program, Y Soft reserves the right to
request official statement of work to be created before considering use of a feature in
customer's project. This is in order to avoid any possible misunderstanding among any of the
involved stakeholders.
For the list of features available in the Early Access Program, please contact the responsible Y
Soft Regional Sales Manager.
2.3.2 HOW CAN I JOIN THE EARLY ACCESS PROGRAM?
Early Access Program is available only for selected partners. Should you wish to join our
community, please contact your responsible account manager. After your request gets approved,
we will update your license and new features become available immediately after product
reactivation.
2.3.3 WHAT IF?
I find an issue or a bug?
Report it back to us through our Customer Services team! Unless confirmed otherwise, EAP
features are not covered by SLA agreement.
I have some comments or ideas?
We are thrilled to hear from your experience with new features. Please do send us the feedback
through your account manager or directly to licenses@ysoft.com.
I would like to use some of the feature with customer/prospect?
Y Soft reserves the right to request official statement of work to be created before considering
use of a feature in customer's project. This is in order to avoid any possible misunderstanding
among any of the involved stakeholders. Please contact your account manager if you have a
prospect or existing customer.
2.4 FEATURE OVERVIEW
2.4.1 ACCOUNTING
2.4.1.1 Overview
Accounting collects information about all print jobs in the environment using multiple options. Print
jobs can travel from a workstation to a printer directly (via the serial or parallel ports of a
computer) where YSoft SafeQ 6 can track the accounting information. For network printers and
print servers, where a print job travels through YSoft SafeQ 6, additional capabilities are available
beyond common print tracking. All gathered job information, including accounting, is then used for
usage and cost reports.

YSoft SafeQ 6 uses print tracking to collect:
information for each job, device, and user
detailed information for each job: the number of pages per paper size (in two sizes: large and
normal), the number of color/middle color (if supported by the device)/monochrome pages,
duplex usage, job title, and originating computer
coverage information for each job: the coverage percent of the page (non-white area/total
page area), estimated usage of CMYK toner cartridges
Not all information may be available with every print job or deployment scenario. YSoft SafeQ 6 is
typically able to address about 95-98% of tracked pages to individual users or departments. This
is most commonly caused by various maintenance print jobs, system status print jobs, direct IP
printing, server reboots, and the limitations of the page meter tracking (vendor-specific
limitations).
2.4.1.2 Online Accounting
Overview
Monitors every print routed from a workstation to a networked printer via YSoft SafeQ 6 in
real time, after printing is complete.
The YSoft SafeQ 6 license must include the online accounting option. If the license does not
include online accounting, it is not possible to select the online accounting method for a
device, and all devices configured for online accounting will be switched to no accounting as
soon as the expiration of the license is detected.
Available for any LPR capable system.
Available for any printer listed on the Partner Portal in the Hardware Compatibility List (HCL).
Online accounting disables the MFD's multitasking capabilities (with this accounting method,
only one user at a time can operate the MFD).
With online accounting, there is a few seconds delay between each printed document
because of the accounting mechanism.
The average network response speed from a printer to the server on an SNMP query must be
less than 200 ms.
Known Issues
When printing duplex jobs with blank pages, (for example, one BW page + one blank page + one
BW page), blank pages may not be considered and the job could be accounted as BW duplex
despite the fact that there are really two simplex BW pages. This depends on the current MFD
counter's behavior, and how it handles blank pages, so it varies by MFD model and vendor.
When a user has multiple documents waiting to be printed, and the user selects "Print all"
before login at a terminal, all jobs are printed, but they are still displayed in the waiting folder.

A counter difference is not detected during login at a terminal, so "anonymous prints" are not
created.
Device monitoring for periodical checking of a device's counters is not supported yet.
Batch accounting of secure prints is not supported yet.
Online accounting of direct prints is not supported yet.
Online accounting of faxes is not supported.
Offline accounting of copies using a Smart Cable is not supported.
Online print accounting with coverage accounting correction is not supported yet.
Online accounting with an embedded terminal is not supported.
Online accounting with a mobile terminal is not supported yet. Online accounting is available
only for YSoft SafeQ Terminal Pro 4.
A3 (large) print jobs are not accounted correctly on some Xerox machines (e.g., Xerox
ColorQube 9303).
YSoft SafeQ Terminal Pro 4 becomes blocked for five minutes when a user tries to print a job
from an unavailable status (offline or not running).
Displaying active device sessions from a Spooler Controller group does not give a correct
result and has a destructive side effect. It is strongly recommended not to use this function
in the YSoft SafeQ Management web interface.
Tracks the number of pages that have really been printed by a network printer. Using this
method, the tracking accuracy is typically 95-98 percent. Even with this method, YSoft SafeQ
6 is unable to identify the origin of various printed pages, such as service pages, printer
status pages, pages originating from a printer web or USB drive, pages printed directly to the
printer IP address, incoming fax pages, and pages copied without authentication. In order to
achieve greater accuracy, it is important to follow the change management procedures when
adding, moving, or changing individual tracked devices and limit outputs without an identifiable
source. Tracked information varies per printer, but can include the total number of
impressions, the total number of BW/color impressions (three tiers, where supported), the total
number of small (A5/A4/letter) and large (A3/11 × 17/tabloid) pages, duplex usage.
Only reports print jobs routed via a YSoft SafeQ server. Documents routed directly to the
printer may be reported as "anonymous prints".

2.4.1.3 Offline Accounting
Offline Accounting Overview
Monitors every print routed from a workstation to a networked printer via a YSoft SafeQ
server in real-time, before printing.
The YSoft SafeQ 6 license must include the offline accounting option. If the license does not
include offline accounting, it is not possible to select the offline accounting method for a
device and all devices configured for offline accounting will be switched to no accounting as
soon as the expiration of the license is detected.
Uses PCL [Y Soft] and/or PostScript [GhostScript] data analyzers.
Tracks the number of A4/letter BW/color pages, A3/legal/tabloid BW/color pages, and duplex
usage for all pages sent to print for any PCL5+, PostScript, and HPGL2 print jobs.
Optionally tracks per-page print area coverage and estimated usage of CMYK toner cartridges
(based on job analysis).
Monitors printed pages, especially their quality and color use. May slightly differ from the
current output and information accounted by the printer because printers can use different
processing algorithms. The print job is always accounted completely, even if only part of it has
been printed (for example, if the user aborts the printing on the MFD panel).
Offline accounting currently does not work in conjunction with the Payment System.
Offline accounting only reports print jobs routed via a YSoft SafeQ server.
This method will not provide a fully accurate report about all printed pages due to
technology limitations and it only measures pages that have been released from a
particular workstation. It also does not take into account the status of the device, its real
output, or other un-monitored prints. Example: A color page printed on a BW printer is
printed as BW but accounted for as a color page.
Performance impact:
The environment:
4 CPU, 16 GB RAM, 1 server deployment
30 jobs per minute, in average 4.3 pages per job

PCL [Y Soft] parser
The result compared to printing with no accounting:
CPU usage in environment increased from 13% to 26%
RAM was not affected significantly
2.4.1.4 Device Dependent Accounting
Device Dependent Accounting Overview
At scheduled intervals, device dependent accounting monitors every print routed from a
workstation to a networked printer via a YSoft SafeQ server.
The YSoft SafeQ 6 license must include the device dependent accounting option. If the license
does not include device dependent accounting, it is not possible to select the device
dependent accounting method for a device, and all devices configured for device dependent
accounting will be switched to no accounting as soon as the expiration of the license is
detected. (Some embedded terminals will be automatically reinstalled.) All accounting
information received from MFDs is ignored.
Works only with PCL jobs with PJL headers and PostScript 2/3 jobs.
Details about fax accounting support are in Fax accounting.
A list of compatible devices is in the Hardware Compatibility List (HCL).
Device dependent accounting is not supported on YSoft SafeQ external (hardware) terminals.
Tracks the number of pages that have really been printed by the network printer. Using this
method, the tracking accuracy is typically 95-98 percent. Even with this method, YSoft SafeQ
6 is unable to identify the origin of various printed pages, such as service pages, printer
status pages, pages originated from a printer web or USB drive, pages printed directly to the
printer IP address, incoming fax pages, and pages copied without authentication. To achieve
greater accuracy, it is important to follow the change management procedures when adding,
moving, or changing individual tracked devices and limit outputs without an identifiable source.
Tracked information varies per printer, but can include the total number of impressions, the
total number of BW/color impressions (three tiers, where supported), the total number of small
(A5/A4/letter/legal) and large (A3/11 × 17/tabloid/ledger) pages, and duplex usage.

Fax accounting
Fax accounting overview
Outgoing fax jobs are accounted for in YSoft SafeQ if the device has terminal embedded with
the accounting module installed and it is connected to a Spooler Controller.
Outgoing faxes are accounted toward the user who has performed the fax job.
Incoming fax jobs are accounted toward the user specified in the system settings in the
faxAccountingUsername property.
If the fax username is not specified in system settings, then all incoming fax jobs to a
device with embedded terminal with accounting module installed are accounted toward an
unknown user.
Fax accounting is supported only with embedded (device dependent) accounting.
Supported vendors
Xerox
Fuji Xerox
Konica Minolta
Ricoh
Fax accounting on Fuji Xerox

Limitations
Only Telefax (G3 fax) and Internet fax (incoming and outgoing) are supported.
Outgoing failed fax does not have to be accounted
It is not possible to capture information about IP fax
It is not possible to capture information about incoming Internet faxes
Accounting for multiple recipients when faxing via Internet fax is not supported
Captured information
Outgoing fax
Outgoing Telefax (G3 fax) successful
Status (successful)
Number of pages
Color distribution
Paper format
Fax type
Destination
Outgoing Internet fax successful
Status (successful)
Number of pages
Color distribution
Paper format
Fax type
Destination
Incoming fax
Incoming Telefax (G3 fax)/Internet fax printed
Number of pages
Color distribution
Paper format
Fax type
Incoming Internet fax (not printed)

Fax type
Number of pages
Fax accounting on Konica Minolta
Limitations
An outbound FAX that is sent without user authentication is not reported.
The first public user operation (print, copy, scan or fax) is not accounted for after the
terminal on MFD was installed or reinstalled.
Outgoing fax
Outgoing Telefax (G3 fax) successful - status (successful), number of pages, color distribution,
paper format, fax type, destination.
Outgoing Telefax (G3 fax) failed - status (failed), fax type, destination.
Outgoing Internet fax successful - status (successful), number of pages, color distribution, paper
format, fax type, destination.
Outgoing Internet fax failed - status (failed), number of pages.
Outgoing IP fax successful - status (successful), number of pages, color distribution, paper format,
fax type, destination.
Outgoing IP fax failed - status (failed), number of pages.
Incoming fax
Incoming Telefax (G3 fax) / IP fax / Internet fax printed - number of pages, color distribution, paper
format.
Incoming Telefax (G3 fax) not printed - number of pages.

Incoming fax printed from the box
Fax printing of authenticated user
When an authenticated user prints a file from a user box, it is considered as a print job type.
Thus, it is also accounted for as a common print job. The job name corresponds to the name used
within the user box and the status is set to Deleted.
Fax printing of public user
When a public user prints a file from the user box, it is considered as a fax printed job type. Thus,
it is accounted for by the price list for an incoming fax (color and size is taken into account). User
is set to -unknown-. Job name is set to 'Fax printed' and status is set to Printed incoming fax.
Counters reset behaviors

When counters were reset manually, in case the previous counter value was higher than the
current counter value, the accounting begins from zero.
The first fax is not accounted for when the Spooler Controller cache is deleted.
Fax accounting on Ricoh
Limitations
It is not possible to get page details for outgoing fax. These default values are used: A4,
BW, Simplex, Plain.
For automatically printed reports (if enabled) are used fax printed account messages in
YSoft SafeQ.
Fax printed account messages is used when incoming fax is received and stored to disk
without printing.
Fax recipient is not known for both outgoing and incoming faxes.
Only telefax type of fax can be recognised. IP fax and internet fax is accounted as
unknown type.
When sender of outgoing fax logs out before fax sending is finished then the sender is
unknown. If another user logs in and outgong fax account, event is triggered during the
user session then fax job is wrongly accounted the user. It is issue notably for telefax
since sending takes quite a long time.
When more pages is scaned and sent via internet fax then page count is 1.
When more incoming pages is received via telefax then there is single accounted message
per page.
Automaticaly printed reports
Ricoh MFD can be configured to automaticaly print fax status reports. Printing of paper fax
reports can be switched on/off in web interface: Fax / Parameter Settings / Automatic Printing
Report.
Accounting events
Fax accounting events might be switched on/off on Ricoh MFD. Ensure that fax accounting is
enabled. Go to: System / Administrator tools / Enhance External Charge Unit Management. Fax
settings is in Others option.

Fax accounting on Xerox
Limitations
Only Telefax and Internet fax (incoming and outgoing) are supported.
It is not possible to capture information about outgoing Internet faxes for some devices (e.
g. VersaLink, AltaLink).
Some devices provide multiple accounting messages for 1 fax. For this devices, reports can
show multiple records (e.g. VersaLink, AltaLink).
Accounting for multiple recipients when faxing is not supported
Outgoing fax
Outgoing Telefax successful
Status (successful)
Number of pages
Color distribution
Paper format
Fax type
Destination
Outgoing Internet fax successful
Status (successful)
Fax type
Destination
Incoming fax
Incoming Telefax/Internet fax - printed
Number of pages
Color distribution
Paper format
Fax type
Incoming Telefax/Internet fax - not printed

Fax type
Number of pages
2.4.1.5 Price Lists
Price Lists Overview
YSoft SafeQ 6 allows prices to be defined for various operations. The prices are defined in
separate price lists which can be later assigned to individual users, cost centers or devices. To
ensure the proper accounting of print operations, devices must have assigned, at minimum, the
default price list. A price list can be shared by multiple users, cost centers, or devices. Therefore,
in a homogenous environment, where all devices run at the same cost, only one price list must be
configured and can be applied to all devices, users, or cost centers quickly.
Price lists assigned to individual users have the highest priority. If no price list is defined for a
user, the cost center price list is used. If no price list is defined for a cost center, the device price
list is used (note, the device must always have a price list if accounting is to be enabled).
Setting the Prices for the MFD
For the proper accounting of all type jobs on a device, prices for that device must be set in
Devices > Printers > Edit device > Price list. Here you can define the prices for all available
printer functions.
If the entered value has more digits than set in the decimal_precision configuration property, it
is automatically rounded.
For example, if the number of decimal places is set to 1, and an administrator enters 1.18, the
number is automatically saved as 1.2
Price Calculations
Prices are calculated based on these formulas:
Operation Price
Scanning Scan cost × number of scanned pages
Copying and (Cost per click × number of printed pages) + (paper cost × number of used papers)
printing + (page cost × number of printed pages)
Incoming fax (Cost per click × number of printed pages) + (paper cost × number of used papers)
+ (fax page cost × number of printed pages)
Outgoing fax Outgoing fax cost

Price Calculation Examples
Operation Price
Print of 1 × A4 page in BW simplex (Cost per click × 1 page) + (paper cost × 1 paper) + (BW page cost ×
mode 1 page)
Print of 2 × A4 page in color (Cost per click × 2 pages) + (paper cost × 1 paper) + (color page
duplex mode cost × 2 pages)
Copy of 1 × A4 page in BW simplex (Cost per click × 1 page) + (paper cost × 1 paper) + (BW page cost ×
mode 1 page)
Copy of 1 × A4 page in color (Cost per click × 2 pages) + (paper cost × 1 paper) + (color page
duplex mode cost × 2 pages)
Scan of 2 × A4 page in BW Scan cost × 2 pages

simplex mode
Advanced Detail Accounting
Overview
There are two additional features in YSoft SafeQ 6 that can be used to account for jobs in more
detail:
Detail Scan Accounting - allows the administrator to specify prices for scan jobs based on
their size (normal / large) and color (B&W / color).
Detail Media Accounting - allows the administrator to specify prices for standard plain paper
and non standard media used for copying or printing.
Both of these features can only be used with some embedded terminals depending on their
accounting/reporting capabilities (more details in the Limitations section below).
Settings
1. To enable these features, navigate to System settings (log into the web as an admin, then
navigate to System -> System settings).
2. Switch to Advanced or Expert view.
3. To enable Detail Scan Accounting - search for " scanJobsDetailAccounting" (without

quotes) and choose the option called Enabled.
4. To enable Detail Media Accounting - search for " detailMediaTypeAccounting " (without
quotes) and choose the option called Enabled.
5. After you change one or both of the options, Save changes.

Price list
Once either of the features is enabled, the Price List configuration will display new items.
There are four items for Detail Scan Accounting: B&W scan (normal), B&W scan (large), Color
scan (normal) and Color scan (large). If the device used for scanning supports detailed accounting,
the values entered in the particular fields will be used.
There are two new items for Detail Media Accounting: Non standard media type (normal), Non
standard media type (large). If the device used for printing/copying supports detailed accounting,
the values entered in the particular fields will be used to account for paper costs. Standard Paper
cost is used otherwise.
Limitations
Not all vendors provide support for detail scan job accounting (e.g. B&W vs.color, normal vs.
large paper size). Please consult with a Y Soft representative for the use of this feature in
your environment.
Not all vendors provide support for media type based job accounting (whether plain paper or
another media type has been used). Please consult with a Y Soft representative for the use of
this feature in your environment.
By design, external Y Soft terminals and the Ricoh embedded terminal do not support this
level of advanced accounting.
Price estimation and final accounting are able to distinguish only 2 color types for detail scan
job accounting - B&W and Color. All other possible color types (one color, two color and
similar) are accounted for as Color. This also applies for devices that are able to report only
the size but not the color type of a scan job - on such a device, all scan jobs are accounted
for as Color when detail scan job accounting is enabled (ie. Konica Minolta MFDs without
payment support enabled).
Only Normal (ie. A4) and Large (ie. A3) paper size are distinguished when detail scan job
accounting is used.
All information about scan job accounting is stored as "common" scan job - it is not possible to
distinguish paper size or color types in YSoft SafeQ reports (Web reports, Manager reports,
CRS, etc.).
It is not possible to distinguish media types used in YSoft SafeQ reports (Web reports,
Manager reports, CRS, etc.) even if media type based job accounting is enabled.

2.4.2 BILLING CODES - PROJECT TRACKING
The billing code tracking feature allows users to select and assign a target project for every print
initiated from their workstation in order to track per-project costs. Billing codes (project codes) are
provided in a hierarchical structure that can represent different business models (for example, a
list of customers and their individual projects).
Billing codes are configured in the management interface and can be selected either in the client
application or in the terminal application.
2.4.3 CARD AND PIN MANAGEMENT
2.4.3.1 Overview
Every user in YSoft SafeQ 6 can have any number (usually one) of assigned card numbers.
Typically, these correspond to the ID badges of employees with RFID and/or similar contactless
identification chips. There are many different standards of identification chips, most of which are,
however, incompatible among themselves. YSoft SafeQ 6 can work with virtually any of them
provided that the terminals are equipped with the right card readers. Note that authentication is
based purely on the knowledge of an identification number which can be read from the chip easily
or guessed. Chips with long random identifiers are preferred and users should always check the
origin and integrity of the reader to achieve a higher level of security.
Instead of or in addition to cards, users may also use numeric PIN codes for authentication at
YSoft SafeQ terminals. This PIN code is treated as a virtual card number: it is stored in the same
place and managed in the same way. However, a cryptographic hash of the PIN code is stored
instead of the current PIN (this behavior can be changed in YSoft SafeQ administration).
2.4.3.2 Required Access Rights for Managing PIN and Card Activation Codes and Cards
The administrator needs to have access rights for View list of users and Add, edit, and delete
users (Users > Roles > Access rights > Users > View list of users, Add, edit, and delete users).
For assigning a card from the YSoft SafeQ web interface, the administrator also needs rights for
List of accesses to terminals (Users > Roles > Access rights > Reports > List of accesses to
terminals).
2.4.3.3 PIN (Personal Identification Number)
Users may use numeric PIN codes for authentication at YSoft SafeQ terminals.
The PIN code is treated as a virtual card number: it is stored in the same place and managed in
the same way.
Additional information can be found in Managing Users.

Common Steps
1. Access User edit mode through Users > Users > User (edit or new).
2. Scroll down to the PIN codes section.
3. Click Add new PIN.
Adding a PIN for a User
1. Enter the PIN.
2. Click SAVE NEW PIN CODE.
Generating a PIN Code Automatically
This feature enables add or generate PIN with time expiration to users. When a PIN expires, the
user cannot log in with this PIN and has to generate a new PIN. New PINs can also be generated
by an administrator. The administrator can set a PIN expiration date or generate a PIN with a
default expiration date.
When a user or administrator generates a new PIN, a notification email with the PIN and its
expiration date is sent to the user. Another notification email is sent before a user's PIN is due
to expire.
When a user already has a PIN defined and a new PIN is generated, all previous PINs are
deleted.
1. Set PIN code expiration.
2. Click SAVE NEW PIN CODE. An email with the new PIN code is sent to the user's mailbox.
Configuration
There are several properties related to PIN code generation.
The feature can be enabled by: PIN-generator = true
This property enables setting the length of the variable part of the PIN (without digits in the login
name) in digits.
PIN-size = 6
PIN expiration time in days. (Time in days, when a notification email is sent to the user before
their PIN expires.)
PIN-default-expiration = 60

PIN-expiration-notification = 7 (This property enables the overriding of old PINs with new PINs. PIN-
override = true)
The following two properties handle the archiving of old PINs. When enabled, the old PINs are
written in a history table. When a PIN is stored in a history table, it cannot be used as an active
PIN. After the PIN archiving period expires, PINs are deleted and can be reused.
PIN-history-enabled = false
PIN-archiving-period = 365
The following properties set the notifications for users.
PIN-enable-email-notifications = true (specifies whether email notifications are sent to the user
after a new PIN is generated.)
PIN-enable-display-for-user = true (specifies whether a newly generated PIN is displayed to the

user in a browser popup window.)
PIN-enable-display-for-admin = false
2.4.3.4 Card Numbers
Card numbers are masked with four asterisk symbols (****). In addition, last digit of the card
number is preserved, in order to help the managing user/administrator quickly identify card
numbers of an user.
This setting can be changed via maskCardNumber property:
true (default) - Enable card masking
false - Disable card masking, reveal the full non-masked card numbers
2.4.3.5 Card Activation Code
The YSoft SafeQ 6 card activation code is a module used for allocating unregistered cards to
users.
Card Activation Code Generation
1. AUTOMATICALLY: The card activation code is generated after receiving the first print job
from a user. YSoft SafeQ 6 subsequently generates the card activation code for the user.
2. MANUALLY: The card activation code is generated by the administrator by clicking the
Generate Card Activation Code button.
You can find more information on Configuring ID Card Self Assignment.

Card Assignment Methods
Card Assignment on Terminals
Activating a New ID Card at a Konica Minolta Device - 2nd Gen.
Activating a New ID Card at a Ricoh Device
Activating a New ID Card at a Sharp Device
Activating a New ID Card at a Sharp-eSF Device
Activating a New ID Card at an OKI Device
Activating a New ID Card at a Fuji Xerox Device
Activating a New ID Card at a Xerox Device - 1st Gen.
Activating a New ID Card at a Samsung Device
Activating a New ID card at a Toshiba Device
Activate new ID card at an HP printer
Activating a New ID Card at a Lexmark Device
Activating a New ID Card at a Fuji Xerox XCP Device
Activating a New ID Card at a Konica Minolta Device Native
Activating a New ID Card at a Terminal Pro 4
Card Assignment from the YSoft SafeQ Web Interface:
When there is an unknown card, PIN, or password, the administrator can create a new user or
assign a PIN or card number to an existing user.
Additional information can be found in Managing Users.
1. Access User edit mode through Users > Users > User (edit or new).
2. Scroll down to the Cards section.
3. Click Add new card.
4. Insert card number.
5. Click Save new card.

2.4.4 EMBEDDED TERMINALS
2.4.4.1 About Embedded Terminals
The YSoft SafeQ Embedded Terminal is a software-based terminal that is integrated into the
multifunction device (MFD) and utilizes the MFD’s printer control panel for user input.
The terminal supports all the functions provided by the YSoft SafeQ print management system.
Users can authenticate at the terminal, then manage their YSoft SafeQ prints, copies, and scans
directly at the MFD.
There are two main types of embedded terminals:
Native terminals that utilize the MFD printer control panel users are already familiar with.
Browser-based terminals that are based on a web platform. These terminals have a
contemporary, user-friendly, intuitive interface
Information about compatible devices is available on the Partner Portal in the Hardware
Compatibility List (HCL).
2.4.4.2 YSoft SafeQ 6 Embedded Terminal Overview
Vendor Platform Documentation
Develop Konica Minolta OpenAPI Using YSoft SafeQ Embedded Terminal for
Olivetti Konica Minolta - 2nd Gen.
Konica A user guide for a native Embedded Terminal
Minolta Configuration guide
Requirements and known limitations
Fuji Xerox Fuji Xerox ApeOS Connection IV, V User guide

Configuration guide
Fuji Xerox Fuji Xerox ApeOS Connection IV, V User guide

with XCP Fuji Xerox eXtensible Customizing Configuration guide
Platform Requirements and known limitations
Lexmark Lexmark LeSF Platform, framework User guide

3, 4, and 6 Configuration guide
OKI OKI Open Platform User guide

Configuration guide
OKI sXP2 sXP2 Platform User guide

Vendor Platform Documentation
Configuration guide
Ricoh Ricoh ESA Platform, SDK/J version User guide

4+ Configuration guide
Ricoh SOP Ricoh SmartSDK 2+ User guide

Configuration guide
Samsung XOA-E Platform (Android) User guide

Configuration guide
Sharp Sharp OSA Platform 3.5+ (ACM User guide

and EAM Module) Configuration guide
Sharp-eSF Lexmark eSF Platform User guide

Configuration guide
Requirements and knows limitations
Toshiba Toshiba Embedded Platform User guide

Configuration guide
Xerox Xerox EIP Platform, Xerox XSA/CA User guide

Configuration guide
Epson Epson Open Platform User guide

Configuration guide
HP HP OXPd, Futuresmart 4 User guide

Configuration guide
Brother Brother Solution Interface (BSI) User guide

Configuration guide

2.4.4.3 Fax access restrictions support
FujiXerox It is not possible to restrict Fax operation (similarly as the copy restrictions).
FujiXerox The Fax application is visible in the menu but user is not allowed to enter it and an insuffici
XCP ent access rights message is displayed if the user does not have Fax access rights
granted.
KonicaMinolt The Fax icon in the menu is not displayed if the user does not have Fax access rights
a granted.
Lexmark The Fax icon in the menu is not displayed if the user does not have Fax access rights
granted.
Ricoh The Fax application is visible in the menu but user is not allowed to enter it and an insuffici
ent access rights message is displayed if the user does not have Fax access rights
granted.
Samsung The Fax application is visible in the menu but user is not allowed to enter it and an insuffici
ent access rights message is displayed if the user does not have Fax access rights
granted.
Sharp User can enter the Fax application but is not allowed to perform any Fax operation and an i
nsufficient access rights message is displayed if the user does not have Fax access
rights granted.
Sharp-eSF The Fax icon in the menu is not displayed if the user does not have Fax access rights
granted.
Toshiba/OKI User can enter the Fax application but is not allowed to perform any Fax operation, if the
user does not have Fax access rights granted.
Xerox All Fax applications (Fax, Server Fax, and Email Fax) icons in the menu are not displayed if
the user does not have Fax access rights granted. Authentication mode must be To
device. It is necessary to enable enableXeroxAccessDefinition property in System
settings. Access definition needs to be supported on the device.
Supported devices Y Soft is aware of: WC 58xx, WC 59xx, WC 78xx, WC 79xx, WC
8700, WC 6655, CQ 930x, AltaLink, VersaLink
Unsupported devices Y Soft is aware of: Phaser 3635
The result of detection whether installed device supports access definition or not is
shown in Embedded Terminals installation overview window:
2.4.4.4 Showing Personal and Virtual Balance
Description
This feature allows users to see various representations of their balance, including their personal
and virtual balance separately.

This feature is available only on embedded terminals.
Configuration
To configure "Showing personal and virtual balance" feature, go to the YSoft SafeQ web interface
and authenticate with an account that has administrative rights. In Views menu, switch to
Advanced options, then go to System > System settings. Under the YSoft Payment System tab,
search for property preferredBalanceType. There are three possible values:
Available balance - The balance shown on the terminal represents the user’s total balance. The
displayed balance represents a formula (personal + virtual - minimum) balance.
Separated balances - The terminal shows the user’s personal and virtual balances separately.
An example would be "EUR 20.52 + 13.04 ", where the virtual balance is in the green font
(except for the native type of YSoft SafeQ Embedded Terminal for Konica Minolta, where the
representation would be "EUR 20.52 (+ 13.04 bonus)").
Available balance without minimum balance - The balance shown on the terminal represents
how much credit is available on the user’s account without including their minimum balance.
The user may have a negative value if their minimum balance is negative. The displayed
balance represents a formula (personal + virtual) balance.
Examples
In these examples, the user John Doe has a personal balance of 100EUR, a virtual balance of
30EUR and a minimum balance set to 50EUR.
Available balance

Separated balances
Available balance without minimum balance
2.4.5 ENHANCED PASSWORD PROTECTION
Enhanced password protection is a feature for strong encryption of non-user secrets (e.g.
passwords to database (DB) or LDAP) in configuration files and database. Those secrets can be
recognized by the ENCSTR: prefix if encrypted.
2.4.5.1 Encryption of passwords in database and configuration files
Y Soft SafeQ stores highly sensitive data (e.g. passwords) in database or configuration files. Even
though access to server storage is typically highly restricted, an additional encoding layer of
protection might be desired to mitigate certain attacks.
The passwords in YSoft SafeQ can be split to 3 categories based on the way they are encoded.

YSoft SafeQ user passwords
Passwords of internal YSoft SafeQ users are not encrypted but stored in a form of a
cryptographic hash designed specifically for password storage (bcrypt by default). It is a one-way
function which makes calculation of the original passwords extremely time-consuming (for non-
trivial passwords). Note that users' domain (LDAP) password are never stored.
Non-user passwords with enhanced password protection support
For most critical passwords, robust "enhanced encryption" (format ENCSTR:...) can be enabled to
prevent reading or changing the password without having access to an encryption key unique for
each server. One of the benefits is that read access to configuration files or DB content can be
given also to less trusted individuals as the most sensitive data is protected by strong
encryption. It also mitigates shoulder surfing (or camera recording) and decreases impact in case
of a data breach (if the key file is protected well, see the section below).
Because manual steps are needed to setup the encryption, the encryption is switched off by
default and the passwords are stored in plain text. See Setup and Configuration of the Enhanced
Password Protection for required steps for configuring the encryption mechanism. Some other
details about the feature can be found below in this document. Currently, these passwords are
supported (support of other passwords is planned):
Passwords to connect to Management DB stored in file safeq.properties and DBValidator.

properties
Passwords to connect to IMS DB stored in file application.properties
Tenant DB passwords stored in Management DB
Passwords to LDAP stored in Management DB
Password to SMTP stored in Management DB
Password to FTP/WebDAV scan server in Management DB
Non-user passwords supporting only legacy encryption (obfuscation)
Non-user passwords which don't support enhanced password protection, use the legacy way of
encryption (format code,...). It obfuscates the passwords so that they are not stored in plain text
but because a hard-coded key is used for encoding, an advanced attacker might decode plain
values. For this reason, it is recommended to handle the obfuscated secrets as if they only were
in plain text (e.g. never send a configuration file with obfuscated passwords over an unsecured
channel).
For backward compatibility, decoding of obfuscated passwords is also supported for passwords
using enhanced password protection.

2.4.5.2 Protecting the key
Because the security of enhanced password protection relies on secrecy of the encryption
key, it is crucial to protect the key file from potential attackers. See the options below (can
also be combined). In contrast, there is no way of decrypting the passwords without having
access to the key, so secure backup of the key should be considered.
Configuring file permissions
Only highly trusted individuals should have the read access to the key file (on the path
configured). In addition, write access to configuration files, binaries and logs needs to be limited to
prevent active attacks. Tampered files might be used to leak encrypted passwords after they are
decrypted by the system otherwise. Integrity of log files (and their configuration) needs to be
ensured for audit purposes.
Storing the key file to encrypted location
The key file can be stored to a location that is transparently encrypted on the system or
hardware level. For example, EFS can be utilized to add additional encryption layer on filesystem
level.
Using Data Protection API
Data Protection API (DPAPI) is a cryptographic tool available as a built-in component on supported
Windows OS versions. DPAPI provides operating system level data protection. DPAPI encrypts and
decrypts custom data in a way that there is a cryptographic link between protected data and
given server. YSoft SafeQ supports DPAPI for additional protection of the secret key. YSoft SafeQ
allows administrator to easily apply DPAPI protection and lock the secret key with a server on
which the key is to be used. Flags used for DPAPI protect operation are
CRYPTPROTECT_LOCAL_MACHINE, CRYPTPROTECT_UI_FORBIDDEN and CRYPTPROTECT_AUDIT.
DPAPI protection is not enabled by default, it can be applied and removed via password protection
tool using the commands protectkeys and unprotectkeys.
For more information about DPAPI please visit this page: https://support.microsoft.com/en-us/help
/309408/how-to-troubleshoot-the-data-protection-api-dpapi
Key file protected by DPAPI can only be used on the machine that was used to protect the
key. It is also not possible to recover the key (remove DPAPI protection) on a different
machine.

2.4.5.3 Key management
Initial key generation
Before using enhanced password protection, a secret key needs to be generated (there is no
default key). Preferred way to do that is running the password protection tool with the command
initkeys after the path to key is set. File is created automatically if it doesn't exist. Alternatively,
32 random bytes encoded in Base64 can be put as a text into the file on the path.
Changing the encryption key
There might be a need to change the encryption key if there is suspicion of leakage or just as a
preventive measure. The command changekey, generates a new key and appends it to the key
file. Any number of keys is supported (for many keys there might be performance issues though).
When more keys are present, only the last one is used for encryption but all keys are used to
attempt decryption of a previously encrypted secret. To make sure all secrets are encrypted with
the newest key, they need to be re-encrypted (decrypted and encrypted again) manually. When
this is done, old keys can be removed by command deleteoldkeys.
Key backup
As there is no way of decrypting previously encrypted passwords without the correct key,
backup should be considered (if passwords themselves are not backed up in decrypted form).
However, for security reasons, the key file should not be backed up together with encrypted
passwords, since the passwords could be easily decrypted in case of a leakage (so there would
be no extra security). Keys should be backed up with DPAPI protection (see above) removed as
the original machine might not be available for restore. Note that you can create a key file
containing a few keys so that the passwords can be easily decrypted no matter the key originally
used to encrypt them (this could make restore procedure easier).
2.4.5.4 Using enhanced password protection with Management cluster
Since nodes of a Management cluster share the same database with encrypted passwords, all
nodes must have access to the same encryption key. This means the key file cannot be simply
initialized on the nodes separately, there are basically two solutions:
Use a shared location for key file storage, generate the key there and configure this path on
every node
Generate the key on the first node, copy it and distribute it manually on all other nodes
When using DPAPI protection (described above), the key file must be distributed with DPAPI
protection removed (as it is bound to a specific machine). After the distribution, DPAPI
protection can be applied again. DPAPI cannot be utilized if key file location is shared.

2.4.5.5 Technical details of protection
Secrets are encrypted using the AES algorithm in CBC mode of operation and random IV.
Encryption is non-deterministic by design so that the same secrets will result in different
ciphertexts each time they are encrypted. Length of a secret is partially masked by PKCS5
padding. Ciphertext is then authenticated using the HMAC-SHA256 algorithm and truncated
authentication tag concatenated to the output which is encoded to Base64 and prefixed with
ENCSTR: afterwards. HMAC uses an independent key - every key in the key file actually contains
both encryption and authentication key internally.
Role of secret names
Authentication tag is calculated not only from the ciphertext but also from the identifier of each
secret (as additional authentication data), which is typically name of the property holding the
secret. Same value also needs to be passed when decrypting the secret because cryptographic
integrity is verified before decryption. As encrypted secrets are transparently decrypted by YSoft
SafeQ utilizing the same key, this feature improves security by only allowing to decrypt secrets
intended for a given purpose.
For example, if an internal attacker had access to the management interface and the SMTP server
configured in YSoft SafeQ, it would not be possible to steal the LDAP password by setting its
encrypted form as a SMTP password.
2.4.5.6 Terminology table
Following table explains technical terms. In the text, there is sometimes used different term for
the same thing.
Term Explanation
secret Piece of data which is to be protected by encryption.

Typically a password in plain text.
key / encryption key / secret key Uniquely generated key which is used for encryption (and
decryption) of secrets (typically passwords). The key is a
piece of secret data which is used to protect other secrets
(passwords).
encryption The process which protects secrets by changing the original

plain text into other (encrypted) form from which the original
plain text cannot be easily deduced without knowing the
encryption key. It can be understood as an application of the
enhanced protection.
decryption The process which remove protection from secrets and

provides original plain text. An administrator does not need to
work with this form. YSoft SafeQ automatically decrypts
secrets when needed.

Term Explanation
encrypted password / encrypted secret Data, typically a password, on which encryption was applied.
/ protected password In case the encryption was applied, we talk about encrypted
or protected password.
key file A file in which the encryption key is stored.
secret name An identifier of the secret. It is typically name of the property

holding the secret.
password protection tool It is a command line tool developed by Y Soft. The tool is
used for example for the key generation and encryption of
secrets.
enhanced password protection The name of a feature YSoft SafeQ uses for enhanced
protection of passwords.
hashing One-way no-key cryptographic transformation of a variable-

length input to a fixed-length output. In contrast to
encryption, original input cannot be directly calculated, it can
only be guessed.
obfuscation Encryption not relying on a provided secret key (e.g. the key
is part of the application instead). This means the result is
not easily readable but could be decoded by anyone having
access to the application (either by running it or extracting
the decode procedure).
2.4.5.7 Enhanced Password Protection - Troubleshooting
This pages describes how to verify that the feature is enabled and addresses possible
configuration issues and solutions.
Verify that enhanced password protection feature is enabled
If enhanced password protection is setup correctly, you should find a following line in
management-service.log (with a correct path to the key file):
INFO SecretVaultFactory - Initializing a new factory, encryption is enabled, path to key is set
to C:/SafeQ6/data-protection/management-key.txt.
Component (Management, LDAP, or DB-validator) Does Not Start
For each component you can find logs file in: <safeq_folder>\Management\logs
Component Log file
Management management-service.log
LDAP

Component Log file
replicator.log
DB-validator db-validator.log
IMS \ims\infrastructure-service.log
Check the log and analyze all error messages. There might be following problems:
Wrong path to key for data protection
You can see in the log file:
Caused by: com.ysoft.security.dataprotection.DataProtectionRuntimeException: File 'C:

\SafeQ6\data-protection\wrong-key.txt' does not exist.
How to fix it:
Set the correct path to key in configuration file for given component. For example in safeq.
properties:
dataProtection.pathToKey = C:/SafeQ6/data-protection/management-key.txt
Do it analogically for other configuration files.
Passwords are encrypted, but pathToKey is not set
Caused by: com.ysoft.security.dataprotection.CannotDecryptSecretRuntimeException: Secret

'database.cluster.management.password' cannot be decrypted: Secret is encrypted but encryption
/decryption is disabled.
You can see e.g. in configuration file safeq.properties:
database.global.management.password = ENCSTR:
atI1EphGThRwJBIgdhGqAwCCO2SNvhTiwZt3qIGOljqw9r6iacMbGJT6fBtE7bnv
dataProtection.pathToKey =
How to fix it:
Set the correct path to key in safeq.properties.

Passwords are encrypted, but wrong password, secret name or key is set
Caused by: com.ysoft.security.dataprotection.CannotDecryptSecretRuntimeException: Secret

'databaseWarehouse.global.management.password' cannot be decrypted: Failing fast - loading
secret that is not authentic.
How to fix it:
Set the correct password:
atI1EphGThRwJBIgdhGqAwCCO2SNvhTiwZt3qIGOljqw9r6iacMbGJT6fBtE7bnv
Make sure the password was encrypted using the correct name.
Set the correct path to key in safeq.properties:
Make sure the encrypted password was rewritten (copied) correctly.
2.4.5.8 Password Protection Tool Manual
Password protection tool is used to create a secret key. After the secret key is generated the
tool can be used for encryption and decryption of passwords (and possibly other data). Password
protection tool is used via batch file data-protection.bat and it is used via Command Line Interface
(later on just CLI).
Within this section the term tool will be used as a placeholder for password protection tool.
Tool location
The tool is typically located at following directory:
<safeq_folder>\Management\utilities\data-protection-cli\
During update of YSoft SafeQ the tool will be rewritten by the latest version in the directory
shown above. The old version of the tool will be backed up. New backup directory indicated a date
of the update will be crated for the backup.
Example of backup directory:
<safeq_folder>\Management\backup\20190903085747.078\utilities\data-
protection-cli\

Password Protection Tool Setup
Tool Setup
The password protection tool requires JAVA 11 to be installed on the system. If YSoft SafeQ 6
have been already installed then an administrator does not need to do anything. If it is not the
case then the administrator has to configure environment variable %JAVA_HOME% or %PATH%
and setup the path to the java executable.
Key storage setup
By default the key file is stored in "%APP_HOME%/conf/keys.txt". The location can be changed by
editing the batch file data-protection.bat.
set KEY_PATH=%APP_HOME%/conf/keys.txt
Note that KEY_PATH variable can be overruled by the tool argument -pathtokey.
Logging
By default tool logs are stored in "bin/logs/data-protection.log". When the file size reaches 20MB
(default value), the original file is renamed to "data-protection.log.yyyy-MM-dd-HH" and a new
(empty) data-protection.log is created.
Password Protection Tool Commands
Parameter -name, which is required by some commands, is a name of secret which should be
protected. In context of YSoft SafeQ 6, it is a name of property in a configuration file or a
name for storing the password in the database. For example, in a configuration file you can
see the following line:
my.password = hChKrDtN8956
In this case, my.password is the name of the secret (argument -name) and hChKrDtN8956 is
the secret in a plain text form.
To use most of the commands an administrator must ensure that the physical file with the
secret key must exist on the hard drive. The secret key can be generated by the command
initkeys. Then the path to the file can be set either in data-protection.bat file (see the tool
setup section above) or via argument -pathtokey. Without the secret key the encryption or
decryption will not be possible.

HELP
The tool writes a user help message into CLI.
Example:
data-protection.bat help
ENCRYPT
The tool encrypts a password. The user has to provide the secret name. The tool asks the
administrator for inserting a password which is to be encrypted. Press the key <ENTER> to
confirm the password insertion.
The tool is able to encrypt plain text passwords as well as legacy obfuscated passwords.
Arguments Description Mandatory
-name <str> Secret name. Yes
-pathtokey <str> Path to a file with the secret key. No
Example including the output:
data-protection.bat encrypt -name my.password

Secret to encrypt: <PASSWORD>
ENCSTR:FgEw9YrHY+6tQ86uBi0XxLp6YjtvorbcENPng+M63FPuYsetgxfQQQ5+Pur14bk/
VERIFY
The tool verifies that an encrypted password can be decrypted. The output is true if it is possible
or false otherwise. An administrator has to provide the secret name. The tool asks the
administrator for inserting a password which is to be verified. Press the key <ENTER> to confirm
the password insertion.
Note that by using this command an administrator can verify that the password can be
decrypted without exposing the real password in plain text in the console.

data-protection.bat verify -name my.password
Secret to verify: <ENCRYPTED PASSWORD>
true
DECRYPT
The tool decrypts an encrypted password. An administrator has to provide also the secret name.
The tool asks the administrator for inserting a password which is to be decrypted. Press the key
<ENTER> to confirm the password insertion.
Note that after password decryption the plain text appears in the console.
data-protection.bat decrypt -name my.password

Secret to decrypt: <ENCRYPTED PASSWORD>
password123
INITKEYS
The tool generates new secret key if one does not exist yet.
The tool checks whether the file with secret key exists and if not then it creates one. The tool
does not overwrite already created secret key.
Example:
data-protection.bat initkeys
Key created in an existing file at c:\data-protection-cli-1.5\bin\../conf
/keys.txt
CHANGEKEY
The tool generates and adds new secret key that will be used for further password encryption.

Previously generated keys can be still used for decryption if not removed by the command
deleteoldkeys.
Example:
data-protection.bat changekey
New key generated and added to c:\data-protection-cli-1.5\bin\../conf/keys
.txt
DELETEOLDKEYS
The tool deletes old keys from file with keys.
After executing this command, passwords encrypted by the old keys cannot be decrypted by
the tool any more. Ensure that all passwords are encrypted by the last generated key.
Example:
data-protection.bat deleteoldkeys
PROTECTKEYS
The tool encrypts stored secret keys with DPAPI.
-out <str> Path to an output file (key file will be rewritten if not specified). No
Example:
data-protection.bat protectkeys
DPAPI protected key file stored to c:\data-protection-cli-1.5\bin\../conf
/keys.txt
UNPROTECTKEYS
The tool removes DPAPI protection from stored keys.

-out <str> Path to an output file (key file will be rewritten if not specified). No
Example:
data-protection.bat unprotectkeys
Plain key file (without DPAPI protection stored to c:\data-protection-cli-
1.5\bin\../conf/keys.txt
2.4.5.9 Setup and Configuration of the Enhanced Password Protection
Enabling of the enhanced password protection requires manual configuration. An administrator

needs to use the password protection tool distributed with SafeQ. The tool is able to generate a
secret key, encrypt passwords and perform other operations. Read Password Protection Tool
Manual for more information.
Before using this guide, it is recommended to read Enhanced Password Protection for general
understanding of the feature.
Enabling of Enhanced Password Protection
Enabling of the enhanced password protection consists of these steps.
1. Stop all YSoft SafeQ services.
2. Generate a secret key. There are two possible alternatives:
a. Manually generate a secret key.
b. Setup automatic generation of a secret key.
3. Enable enhanced password protection in configuration files.
4. Manually encrypt selected passwords:
a. Manually encrypt passwords in configuration files.
b. Manually change database passwords in the database.
5. Start all YSoft SafeQ services and check that all services started successfully.
You can check sections below for more details about every step.
The enhanced password protection is enabled when the secret key is generated and YSoft SafeQ
is able to reach the configured file with the secret key. YSoft SafeQ is able to recognize whether
passwords in configuration files are obfuscated or encrypted and is able to process both
versions.

Encrypted password has a prefix ENCSTR: which is used by YSoft SafeQ to recognize an
encrypted password. Using plain passwords starting with this prefix must be avoided.
Stop all YSoft SafeQ Services
Stop all YSoft SafeQ services in the whole environment (Management Servers, Site Servers)
except the following (leave the services listed below running):
1. YSoft Bundled Etcd
2. YSoft Bundled PostgreSQL (available if an embedded PostgreSQL DB is used)
a. You can use the following PowerShell script to perform the task:
Get-Service*YSoft* | Where-Object{$_.Name -ne'YSoftPGSQL'-and$_.Name -ne'YYSoftPGSQ

L'-and$_.Name -ne'YSoftEtcd'} | Stop-Service
Manually generate a secret key
First of all, the key file needs to be initialized. All secret keys are stored in a file with a custom
name. Use the command line tool data-protection.bat distributed in the following location:
<safeq_folder>\Management\utilities\data-protection-cli\
1. Find an appropriate location for the file where the secret key will be stored.
2. Provide the tool with the path for the file with the secret key. There are two options.
a. Edit the KEY_PATH parameter in data-protection.bat batch file and set the path.
set KEY_PATH=C:/mycustompath/keys.txt
b. Use argument -pathtokey with the path to the file with the secret key for all
commands when using the tool.
3. Use the data-protection.bat tool with command initkeys to create the secret key. If the file
for the key does not exist it will be created.
data-protection.bat initkeys
4. Check the output of the tool.
Key created in an existing file at C:/mycustompath/keys.txt
5. Now, you can use the secret key for passwords encryption.

If Management cluster is used, an administrator must use a shared location or distribute the
key to all servers, see Enhanced Password Protection for more details.
Setup automatic generation of a secret key
The generation of a secret key can be automated. To do so, add configuration property
dataProtection.enableAutomaticKeySetup into all configuration files to that you also add
property dataProtection.pathToKey. Set the property to value true. The list of configuration files
is in the section below.
dataProtection.pathToKey = c:/mycustompath/keys.txt
dataProtection.enableAutomaticKeySetup = true
Enable enhanced password protection in configuration files
Once you have generated the secret key the next step is to setup components of YSoft SafeQ to
use the enhanced password protection. An administrator can configure behavior of the enhanced
data protection features per component via corresponding configuration file. It is recommended to
protect passwords in all components.
See the table below to see which components can be protected. Enhanced password protection
must be enabled for each component separately via given configuration file.
Component Configuration file
Management <safeq_folder>\Management\conf\safeq.properties
Service
IMS <safeq_folder>\Management\ims\application.properties
Database <safeq_folder>\Management\validator\conf\DBValidator.
properties
The enhanced password protection is enabled by adding configuration property dataProtection.

pathToKey with the path to the key file to each of the configuration files mention above.
Typically, all components are supposed to have the same key file configured. If the property is not
contained in the configuration file or is set to empty, the enhanced password protection is
disabled. See the example below which enables the enhanced password protection:
dataProtection.pathToKey = c:/mycustompath/keys.txt
Make sure that the path contains only forward slashes.
Correct: c:/mycustompath/keys.txt
Wrong: c:\mycustompath\keys.txt

The feature can be further tweaked per given component by following properties:
Property Valu Def Description

es ault
dataProtection. true fals When set to true then the secret key is generated automatically if it is
enableAutomati /fals e not already generated. Previous key initialization is not needed in this
cKeySetup e case.
dataProtection. -1/0 -1 Time (in seconds) for which keys will be cached in memory without need
keyCachingSec /N to read them from the file with secret keys. Value -1 dictates to keep keys
onds forever in the cache (until restart of the service). Value 0 dictates not to
cache keys. Positive integer value N dictates keeping keys in the cache
and delete them if not used for N seconds.
Enabling enhanced password protection in Management component
Follow the procedure below to enabling enhanced password protection in management

component. You can do it analogically for other components.
1. Ensure that Management Service and LDAP replicator Windows services are stopped.
2. Edit configuration file safeq.properties.
3. Add property dataProtection.pathToKey and set value to the file with the secret key.
4. Optional: If you want to automatically generate the secret key then add property
dataProtection.enableAutomaticKeySetup and set it to value true.
5. Optional: You can also configure cache behavior by adding property dataProtection.
keyCachingSeconds.
Enabling the feature does not mean that passwords in configuration files will be protected. An
administrator has to encrypt passwords in configuration files manually first. Passwords stored
in DB will be automatically encrypted when saved through Management web interface.
Manually encrypt Passwords in Configuration Files
An administrator has to manually encrypt passwords and insert them into configuration file. YSoft
SafeQ is able to recognize encrypted passwords and decrypt them when needed.
The list of all passwords which can be encrypted per given component via configuration file is
below:
Component Configuration file List of passwords which can be

encrypted in the file
Managemen <safeq_folder>\Management\conf\safeq. database.global.management.

t Service properties password

Component Configuration file List of passwords which can be
encrypted in the file
database.cluster.management.
password
database.cluster.guest.password
databaseWarehouse.global.
management.password
databaseWarehouse.cluster.
management.password
databaseWarehouse.cluster.guest.
password
IMS <safeq_folder>\Management\ims\applicat spring.datasource.password

ion.properties
Database <safeq_folder>\Management\validator\co connectionInfoSQ.userPassword

nf\DBValidator.properties connectionInfoSQ.
userManagementPassword
connectionInfoDW.userPassword
connectionInfoDW.
userManagementPassword
Please follow the procedure below to encrypt a passwords:
1. Ensure that relevant YSoft SafeQ services are stopped.
a. You can use following command.

2. Extract all passwords from configuration file which is to be encrypted.
3. Use the tool and encrypt a password.
a.
i. Run command line (cmd) as administrator.
ii. Use the tool and encrypt the password.
data-protection.bat encrypt -name database.global.management.password
iii. The tool prompt you to insert password for encryption. Insert it and press the
key <ENTER>.
4. Copy the encrypted password (output of the tool including the ENCSTR: prefix) and insert it
into the configuration file.
a.
a. Be careful and insert the encrypted password to the same property in configuration
file you have used in argument -name. Example of protecting the property database.
global.management.password in configuration file safeq.properties.
FgeW9YrHY+6tQ86uBi0AxLp6YjtvorbtENPng+M63FPuYsetgxfQQQ5+Pur14bk/
5. Repeat steps 3 and 4 till all passwords collected in step 2 are encrypted.
The Text encryption (obfuscation) widget in Management web interface cannot be used for
enhanced password protection, it obfuscates the text using the legacy way of encryption.
Manually change Database Passwords in the Database
An administrator has to manually retrieve passwords from the database, encrypt them and then
insert them back into the database. YSoft SafeQ is able to recognize encrypted passwords and
decrypt them when needed.
1. Ensure that relevant YSoft SafeQ services are stopped.
a. You can use following command.

2. Get password and tenant_guid for tenants from the database and write them down.
a. SELECT tenants.db_pass, tenants.tenant_guid FROM cluster_mngmt.tenants;
SELECT tenant_warehouses.db_pass, tenant_warehouses.tenant_guid FROM cluster_mngmt.

tenant_warehouses;
3. Use the tool and manually encrypt all passwords.
a. Run command line (cmd) as administrator.
b. Run data-protection.bat with parameters:
c. For each tenants.db_pass and tenants.tenant_guid from cluster_mngmnt.tenants

table run.
i. data-protection.bat encrypt -name tenants.db_pass
ii.
ii. The tool prompt you to insert password for encryption. Insert it and press the
key <ENTER>.
iii. Write down the result of the encryption for tenants.db_pass (e.g. ENCSTR:
H M H o 9 s
/7STh0GWy1K6fmQHRgy4rspkCRBMOLwnE0rP2eZZMtxaEyoJ6uuXruD0Mx) and
its tenant_guid (e.g. f900b632-aad8-4d99-ad98-33496f83812d).
iv. Repeat for the next tenant.
d. For each tenant_warehouses.db_pass and tenant_warehouses.tenant_guid from

cluster_mngmt.tenant_warehouses table run.
i. data-protection.bat encrypt -name tenant_warehouses.db_pass
ii. The tool prompt you to insert password for encryption. Insert it and press the
key <ENTER>.
iii. Write down the result of the encryption for tenant_warehouses.db_pass (e.g.
E N C S T R : H M H o 9 s
/7STh0GWy1K6fmQHRgy4rspkCRBMOLwnE0rP2eZZMtxaEyoJ6uuXruD0Mx) and
its tenant_guid (e.g. f900b632-aad8-4d99-ad98-33496f83812d).
iv. Repeat for the next tenant
4. Update passwords in the database by encrypted versions.
a. UPDATE cluster_mngmt.tenants set db_pass = <encryptedPassForTenants> where

tenant_guid = <tenantGuidFrom2ndStep>
UPDATE cluster_mngmt.tenant_warehouses set db_pass =

<encryptedPassForTenantWarehouses> where tenant_guid = <tenantGuidFrom2ndStep>
5. Verify that components are able to work with encrypted passwords.
a. See Enhanced password protection - troubleshooting. for more information how to

verify whether YSoft SafeQ is able to work with encrypted passwords.
List of all secret names
In the table below there is a list of secret names for all protected passwords. Even for passwords
encrypted automatically, manual encryption/decryption might be useful in some scenarios (e.g.
restoring DB backup with encrypted passwords).
Location List of secret names for protected passwords
Configuration files database.global.management.password

database.cluster.management.password

Location List of secret names for protected passwords
database.cluster.guest.password
databaseWarehouse.global.management.password
databaseWarehouse.cluster.management.password
databaseWarehouse.cluster.guest.password
spring.datasource.password
connectionInfoSQ.userPassword
connectionInfoSQ.userManagementPassword
connectionInfoDW.userPassword
connectionInfoDW.userManagementPassword
Management mailpass
Interface ldap-replicator-*-pass
ldap-replicator-<DOMAIN>-pass (<DOMAIN> stands for domain name when using
multiple LDAP domains)
scanServerUserPassword
Database tenants.db_pass
tenant_warehouses.db_pass
2.4.6 EXTERNAL TERMINALS
2.4.6.1 Hardware terminals
Terminal Comments Dimensions
Terminal interaction is accomplished via 15 × 3.7 × 7.5 cm

numeric capacitive keyboard, print/copy 500 g
buttons, status LEDs and/or sound signals.
Terminal includes an integrated card reader for
authentication by various types of cards (see E
xternal Terminal Authentication Matrix).
Terminal includes 2-port 10/100 Mbit switch.
Configuration of a terminal is done remotely
from a configuration utility on any workstation
via secured TCP/IP or UDP connection
Network/power cables are connected from the
UltraLight top of the terminal.
See Using YSoft SafeQ Terminal UltraLight for
user interface details and YSoft SafeQ
Terminal UltraLight Installation Guide for
installation guides.
See Terminal UltraLight specification for more
details.
16.5 × 10 × 5 cm
900 g

Terminal Comments Dimensions
Terminal interaction is accomplished via a

graphical touchscreen display (480 x 272
pixels, color).
Terminal includes an integrated card reader for
authentication with various types of cards (see
External Terminal Authentication Matrix).
Terminal contains 4-port 10/100 Mbit switch
Professional with fully configurable sockets.
Configuration of a terminal is done via the
graphical touchscreen display or remotely via a
secured TCP/IP connection from the YSoft
SafeQ management interface.
Network/power cables are hidden under the
cover.
See Using YSoft SafeQ Terminal Professional
for user interface details and YSoft SafeQ
Terminal Professional Installation Guide for
installation guides.
Professional Terminal Supports Terminal
monitoring via SNMP tools.
2.4.6.2 Comments and limitations
Terminal cannot work without connection to the YSoft SafeQ Management server.
Terminal is capable of restricting access to the device via a third-party interface (FDI/FIH/KC
/VI).
Terminal must be connected to TCP/IP network with its own IP address (DHCP ready).
If the terminal fails, copying and scanning are no longer available.
Mounting kit and interface cable are required to connect the terminal to the MFD/printer
(terminal mounted to wall/table/MFD uses 1 or 2 screws or double-sided Velcro tape).
Power socket is required within 2m/6ft distance.
Operating conditions: office environment, 5°C - 35°C, max 20% - 80% air humidity without
condensation.
2.4.6.3 External Terminal Authentication Matrix
Authentication Function Terminal Terminal

UltraLight Professional
PIN code (see Security Overview for more details)
Login/password credentials (see Security Overview for more details)

Authentication Function Terminal Terminal
UltraLight Professional
Proximity cards with support for use card number conversion (Please
contact Y Soft customer support for details about supported
technologies)
Contact cards
Smart cards - single factor (card number is read and compared
with card assigned to a user)
Contact cards (Please contact Y Soft customer support for details

about supported technologies)
Smart cards - two factor (using certificate stored on a card)
Magnetic swipe-thru cards
Barcodes via laser beam not supported on most of the Embedded
Terminals
iButton (Dallas)
Card self-assignment via Card Activation Code
Card self-assignment via user credentials
2.4.6.4 Terminal monitoring via SNMP
SNMP is supported only on Terminal Professional, and support in terminal allows only read only
polling. Supported is only SNMP v2c (with community name set).
The terminal sends SNMP traps (UDP packet) to the management server when the following
conditions are met (according to configuration):
connection to the YSoft SafeQ server is lost
connection to the YSoft SafeQ server is established
connection to the YSoft SafeQ server could not be established
user logs in using PIN
user logs in using ID card
user logs in using Login
User was not authenticated
OID prefix: .1.3.6.1.4.1.20519
Relevant MIB Description
.500.2.1.1.1.1 Connection to YSoft SafeQ server established

Relevant MIB Description
.500.2.1.1.1.2 Connection to YSoft SafeQ server could not be established
.500.2.1.1.1.3 Connection to YSoft SafeQ server closed
.500.2.1.2.1.1 User not authenticated (data: .100.2.1.2.1.3)
.500.2.1.2.1.2 User authenticated (data: .100.2.1.2.1.3)
The terminal also supports SNMP polling and respond to SNMP requests sent from a management
server. The following information is available in the terminal's MIB:
Status of the connection to the YSoft SafeQ server
Type of last user authentication (pin, card, login)
Last server connection IP
Last server connection port
Last server connection time stamp of connection create
Last server connection time stamp of connection close
Last user authentication time stamp
Last user authentication result
OID prefix: .1.3.6.1.4.1.20519
Relevant Type Description

MIB
.100.2.1.1.1.1 integer3 Connected to YSoft SafeQ server (1/2)=(disconnected/connected)

2
.100.2.1.1.1.2 string Last connected YSoft SafeQ server IP
.100.2.1.1.1.3 integer3 Last connected YSoft SafeQ server port

2
.100.2.1.1.1.4 counter Timestamp of last established connection to YSoft SafeQ server

32
.100.2.1.1.1.5 counter Timestamp of last closed connection to YSoft SafeQ server

32
.100.2.1.1.1.6 counter Timestamp of last connection to YSoft SafeQ server which fails (could not
32 connect)
.100.2.1.2.1.1 integer3 Last authentication state (1/2)=(unsucessfull/sucessfull)

2

Relevant Type Description
MIB
. counter Last authentication timestamp

100.2.1.2.1.2 32
. integer3 Last authentication type (1,2,3,4,5,6,7,8)=(pin,card,card&pin,login,digital signature,

100.2.1.2.1.3 2 activation code,forced by server,fingerprint)
Terminal also contains following items which are not relevant to user interaction with the
terminal:
Rest of terminal MIB (text IODs)
SNMPv2-MIB::sysDescr.0 = STRING: Terminal_professional

SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.20519.2.1.4
SNMPv2-MIB::sysUpTime.0 = Timeticks
SNMPv2-MIB::sysContact.0 = STRING: - defined in service menu - contact
SNMPv2-MIB::sysName.0 = STRING: - defined in service menu - hostname
SNMPv2-MIB::sysLocation.0 = STRING: - defined in service menu - location
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 62916
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 56008
UCD-SNMP-MIB::memShared.0 = INTEGER: 0
UCD-SNMP-MIB::memBuffer.0 = INTEGER: 0
UCD-SNMP-MIB::memCached.0 = INTEGER: 3548
UCD-SNMP-MIB::laIndex.1 = INTEGER: 1
UCD-SNMP-MIB::laNames.1 = STRING: Load-1
UCD-SNMP-MIB::laLoad.1 = STRING: 0.00
UCD-SNMP-MIB::laConfig.1 = STRING: 1
UCD-SNMP-MIB::laLoadInt.1 = INTEGER: 0
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 68639
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 113753
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 44088979
UCD-SNMP-MIB::ssRawInterrupts.0 = Counter32: 46094044
UCD-SNMP-MIB::ssRawContexts.0 = Counter32: 2800981
Rest of terminal MIB (numeric IODs)
.1.3.6.1.2.1.1.1.0 = STRING: Terminal_professional

.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.20519.2.1.4
.1.3.6.1.2.1.1.3.0 = Timeticks
.1.3.6.1.2.1.1.4.0 = STRING: - defined in service menu - contact
.1.3.6.1.2.1.1.5.0 = STRING: - defined in service menu - hostname
.1.3.6.1.2.1.1.6.0 = STRING: - defined in service menu - location
.1.3.6.1.2.1.25.1.1.0 = Timeticks
.1.3.6.1.4.1.2021.4.5.0 = INTEGER: 62916
.1.3.6.1.4.1.2021.4.6.0 = INTEGER: 56008
.1.3.6.1.4.1.2021.4.13.0 = INTEGER: 0
.1.3.6.1.4.1.2021.4.14.0 = INTEGER: 0

.1.3.6.1.4.1.2021.4.15.0 = INTEGER: 3548
.1.3.6.1.4.1.2021.10.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.10.1.1.2 = INTEGER: 2
.1.3.6.1.4.1.2021.10.1.1.3 = INTEGER: 3
.1.3.6.1.4.1.2021.10.1.2.1 = STRING: Load-1
.1.3.6.1.4.1.2021.10.1.2.2 = STRING: Load-5
.1.3.6.1.4.1.2021.10.1.2.3 = STRING: Load-15
.1.3.6.1.4.1.2021.10.1.3.1 = STRING: 0.00
.1.3.6.1.4.1.2021.10.1.3.2 = STRING: 0.03
.1.3.6.1.4.1.2021.10.1.3.3 = STRING: 0.00
.1.3.6.1.4.1.2021.10.1.4.1 = STRING: 1
.1.3.6.1.4.1.2021.10.1.4.2 = STRING: 5
.1.3.6.1.4.1.2021.10.1.4.3 = STRING: 15
.1.3.6.1.4.1.2021.10.1.5.1 = INTEGER: 0
.1.3.6.1.4.1.2021.10.1.5.2 = INTEGER: 3
.1.3.6.1.4.1.2021.10.1.5.3 = INTEGER: 0
.1.3.6.1.4.1.2021.11.50.0 = Counter32: 68634
.1.3.6.1.4.1.2021.11.51.0 = Counter32: 0
.1.3.6.1.4.1.2021.11.52.0 = Counter32: 113747
.1.3.6.1.4.1.2021.11.53.0 = Counter32: 44088492
.1.3.6.1.4.1.2021.11.59.0 = Counter32: 46093471
.1.3.6.1.4.1.2021.11.60.0 = Counter32: 2800901

2.4.6.5 Terminal Professional specification
Terminal Professional specification
Item Specification
Terminal el. power supply input 12 VDC
Maximum current input 1.0 Amp
Working temperature +10 °C to +40 °C (50 °F to 104 °F)
Storage temperature 0 °C to +50 °C (32 °F to 122 °F)
Maximum air humidity 80% without condensation
Resistance to magnetic field no added resistance
Weight cca900g (varies according to the card reader used)
Size (H x H x D) 165 x 99 x 52mm
Architecture Renesas SH-3

200MHz CPU, 64MB SDRAM, 16MB Flash dedicated for
firmware + 128MB dedicated for data
Screen 480 x 272px, 16-bit color

Maximum pressure: 250g
Internal readers For a complete list, contact your Y Soft sales representative
External interface 8-pin miniDIN (for service only)
External reader interface (for terminal Dsub 9, RS 232 / Wiegand interface, 5V 300mA
with external reader only)
Power/frequency 200 MIPs
Data bus 32-bit
Instruction set RISC
RAM 64MB
Flash memory 16MB
Item Specification
Blocking cables to MFP Yes
Internal operating system Linux
Customization option Yes, as required

For Terminal Professional HID iClass applies: This is a class A product. In a domestic
environment this product may cause radio interference in which case the user may be
required to take adequate measures.
2.4.6.6 Terminal UltraLight specification
Terminal Ultralight specification
Parameter Value
Control Capacitive keyboard
Identification Using a card reader or PIN or any combination
Network 2-port 10/100 Mbit switch (auto MDI/MDIX)
Processor Freescale Coldfire v2
Memory 64 kB RAM, 512 kB Flash
Electric power supply input 12 V DC
Maximum current input 1.0 A
Working temperature +5°C to +35°C
Storage temperature 0°C to +50°C
Working air humidity 20% to 85% without condensation
Storage air humidity 8% to 85% without condensation
2.4.7 IDENTITY MANAGEMENT
2.4.7.1 Overview
YSoft SafeQ 6 has its own identity database in order to provide authentication, authorization and
accounting features. The data can be populated from different sources - manually via web
interface, automatically replicated from LDAP or imported using a CSV file format from a third-
party system. Each user must have a unique record in YSoft SafeQ 6; data are stored in the main
database (Management server).
Each user record includes the following information:
Attribute Status Note
Unique username Mandatory At least one username or alias must be defined in order to
(s) identify the print job owner. Case sensitive.
Alias Optional

Attribute Status Note
At least one username or alias must be defined in order to

identify the print job owner. Case sensitive.
First and last Mandatory

name
Password Optional NOTE: The password is NOT synchronized from LDAP

sources to the YSoft SafeQ 6 database.
Unique user ID Mandatory Mandatory only for LDAP replication.
Card number(s), Optional

PIN code(s)
Email address Optional
Home directory Optional Mandatory for use with Scan to home folder feature.
Department Mandatory
number
Default billing code Optional
User role(s) Optional LDAP (scheduled replication) as a record attribute.

Active Directory (scheduled replication) as an LDAP group.
2.4.7.2 Adding Identities (users) to YSoft SafeQ 6
YSoft SafeQ 6 offers multiple ways of adding identities (users). Information is stored in the main
YSoft SafeQ 6 database (table "users"). Tools that can be used for adding identity (user)
information are: YSoft SafeQ management interface, LDAP User Replicator, CSV File User
Replicator, CSV import and (customization required) third-party systems.
2.4.7.3 Add Users with Web Administration
One of the most common methods for adding users is via the YSoft SafeQ 6 management
interface administration. Since all users are created manually, this process can be lengthy
depending on the amount of users.
The administrator can add, edit or remove users from the internal database (see Managing Users
).
2.4.7.4 Import Users with LDAP User Replicator
The LDAP User Replicator downloads users and their attributes from an LDAP server. When using
the LDAP User Replicator, all user attributes are automatically replicated into the YSoft SafeQ 6
database. The only exception is the password attribute, which is not replicated.
This import process is mostly used in companies with a high number of users and Active
Directory identity management.

More information about the LDAP User Replicator, including configuration tips, can be found at
LDAP Integration.
This process requires connection to an LDAP server.
Multiple LDAP domains and domain forests are supported.
The administrator can schedule either complete or differential data synchronization.
YSoft SafeQ 6 can verify user credentials using LDAPS or Kerberos v5 (Windows, MIT)
authentication.
The connected data source must contain all information as described in the Available
attributes in User Database.
The GUID attribute and the User ID attribute for individual user records must be unchangeable
and unique across all connected domains.
2.4.7.5 Import Users via the CSV File User Replicator
The CSV File User Replicator imports users, roles, and cost centers from a specially formatted
CSV file to the YSoft SafeQ 6 database. This enables use of any source of data with YSoft SafeQ
6. The only requirement is that the source must allow data export to CSV file or through custom
developed scripts.
This import can be performed periodically; the operating system scheduler can be set to
periodically run the CSV File User Replicator.
2.4.8 MANAGED WORKFLOWS
2.4.8.1 Overview
Managed Workflows comprise of all the document scanning and workflow automation features in
YSoft SafeQ 6. Managed Workflows help increase employee productivity by speeding up or
eliminating paper-based tasks, and by automating document workflows to pre-defined
destinations.
Managed Workflows features are enabled by two license modules:
Core Workflows and
Advanced Workflows.
Features enabled by each license module are listed below.

2.4.8.2 Core Workflows
With Core Workflows, documents are scanned using a supported YSoft SafeQ terminal and
delivered to one of several types of destinations. Basic processing and formatting can be applied
to the scanned documents. Scan workflow destinations range from the most common ones, such
as a local file system, file server and e-mail, to third-party document management systems.
Document Capture
Scanning from supported YSoft SafeQ terminals is simplified in order to reduce errors in user
input already at the time of capturing a document. The following document capture features are
available:
Role-based access control to scan workflows.
User input metadata—An administrator can configure a YSoft SafeQ terminal to prompt the
user to provide information related to the document, for example, the project or client name,
invoice number, etc. The following types of user input methods can be used:
Free-text user input metadata—An administrator can configure YSoft SafeQ terminal to
allow free-form text to be entered by the user.
Pre-populated “list” metadata—An administrator may present a drop-down menu list of

choices for the user to select from on YSoft SafeQ terminal. Lists may be populated "live"
from CSV or XML files or can be static and defined manually in the management interface.
Folder browsing—allows the user to select a folder in the destination system using the
YSoft SafeQ terminal.
Predefined scan settings—scan resolution, sides (simple/duplex), color
Document Processing
The following processing options are available in Core Workflows:
1D barcode recognition
Common image output formats and read-only PDF output
Filename definition, capture, and user input variables can be used
Destinations
A scanned document may be delivered to one of the following destinations either under a pre-
defined "service account" or on behalf of the user logged into the YSoft SafeQ terminal:
Local or network filesystem
Email (over an SMTP protocol)
Email (over a Microsoft Exchange server)

DropBox Business/Enterprise
Microsoft SharePoint 2010
Microsoft SharePoint Online
Microsoft OneDrive for Business
Script (a custom script is executed to deliver a document to a custom destination or apply

additional processing)
2.4.8.3 Advanced Workflows
Advanced Workflows extend the feature set of Core Workflows with more sophisticated
document processing and formatting capabilities. The Core Workflows license module is a
prerequisite for the Advanced Workflows license module.
Document Capture
All document capture features are currently part of the Core Workflows module.
Document Processing
Advanced Workflows extend the document processing options of Core Workflows with the
following features:
Optical Character Recognition (OCR)
Available output formats:
Searchable PDF
Searchable PDF/A (an ISO standard suitable for long-term archiving requirements)
Editable DOCX, XLSX, XLS, PPTX, RTF, TXT
Image pre-processing and cleaning
Document formatting:
Append/prepend to a PDF
Blank page removal
Scan job separation
Separation by 1D barcode occurrence
Separation by page count
Separation by a standard separation sheet
Page orientation auto-correction

Splitting of dual pages (used e.g., for scanning books)
Document Post-Processing
Highlighted text extraction/redaction
PDF MRC Compression, encryption and protection by password
Destinations
All supported destinations are currently part of the Core Workflows module.
2.4.8.4 Technical Notes
1. YSoft SafeQ 6 processes individual scan jobs in parallel. It does not guarantee that scan
jobs will be processed and delivered in the same order as they were started from a YSoft
SafeQ terminal.
2. YSoft SafeQ 6 is able to deliver a 100-page document to its destination in 15 seconds in the
case of PDF output (without OCR) to local storage on the server running Workflow
Processing Server.
2.4.9 MOBILE PRINT
2.4.9.1 Mobile Print overview
YSoft SafeQ Mobile Print Server that allows users to print documents from mobile devices such
as smart phones and tablets. The solution is based on commonly known experience - sending an e-
mail with attachment or uploading document via dedicated web page. Such document gets
retrieved from Mobile Print Server by YSoft SafeQ, processed and stored in the print queue. Users
can release their jobs at any printer in YSoft SafeQ environment.
All major document formats are supported. These supported formats can be divided into several
groups according to their types:
MS Office document family doc, docx, docm, dot, dotx, dotm, rtf, xls, xlsx, xlsm, xlsb, xltx, xltm, csv, ppt,
pptx, pps, ppsx, pot, potx
Open Office document odp, ods, odt, ott

family
HTML and Mime HTML html, htm, mhtml, xhtml

documents
Images jpg, jpeg, png, bmp, gif, tiff, ico, wmf, emf, svg
Others txt, pdf, xml, fo, xps, epub

2.4.10 PRINT ROAMING
2.4.10.1 Overview
Print Roaming is an extension of pull-printing (print job after authentication at the MFD). With pull-
printing, after a user sends a job to a printer, the user "pulls" the job to the printer — the user
goes to a printer, authenticates and prints the job. This feature has several important
advantages:
Flexibility: Users can send a print job and print the job at any MFD
Costs and environment: Reduces paper waste resulting from uncollected prints
Security: Users have to authenticate at the printer before documents are printed
With both Print Roaming and pull-printing, users can release their print jobs at any printer
connected to YSoft SafeQ.
Print Roaming is a key need for companies with multiple locations - users who move between the
locations frequently need the ability to manage their print, copy and scan jobs without any
additional changes in their habits. In practical terms - wherever the user is and needs to print,
copy or scan, they can do so using a combination of the Print Roaming and Pull-Printing features
of YSoft SafeQ.
Print Roaming in YSoft SafeQ is built upon SpoolerController and FlexiSpooler technologies. Print
Roaming is established among two or more Spooler Controller components acting as peers, or
among multiple Spooler Controllers and multiple FlexiSpoolers.
2.4.10.2 Description
Print Roaming is designed to meet the following requirements:
1. The user can pick up submitted print jobs at any device connected to YSoft SafeQ without
any significant impact on wait times.
2. The system administrator has an option to decrease system overhead by increasing wait
times before jobs are available in more distant locations.
Two Print Roaming modes are available: near roaming and far roaming. Because peers need to
share certain types of information (in a group), a Spooler Controller can belong to only one
roaming group (members of which have access to all jobs in the group much faster) configured by
the system administrator. YSoft SafeQ provides multiple near-roaming and far-roaming groups in
order to support a variety of environments.
Print Roaming within a single server (LAN)
In organizations with one server, no additional configuration is needed. YSoft SafeQ provides Print
Roaming with all connected devices.

YSoft SafeQ does not modify print job data, so PDL-level compatibility between printers must be
ensured by other means.
Print Roaming with multiple servers within a LAN (near-roaming mode)
In organizations with multiple YSoft SafeQ servers, each hosted in its own location, Spooler
Controller groups can be set up among the site servers. This requires additional CPU power and
network resources in order to allow fast synchronization of print jobs among the group peers
without noticeable delays to end users. This roaming mode uses synchronization protocols which
efficiently distribute job metadata among all members of the Spooler Controller group. Print job
data are kept in the storage of FlexiSpooler that received it and are delivered to the device where
the user authenticates (using the Spooler Controller managing that particular device and the
Spooler Controller managing the FlexiSpooler holding the print job data). This requires availability
of Spooler Controller servers so that the information can be shared and delivered.
This is typically required when there are hundreds/thousands of users in a relatively small area on
a high-speed, low-latency network (such as a LAN or sometimes even buildings co-located in one
city).
Read Configuring Print Roaming for additional configuration details.
Print Roaming with multiple servers within a WAN (far-roaming mode)
When a company operates with several subsidiaries, even across multiple continents, users need
print/copy/scan services to be available at all times. Users may need to (re)print a job sent to
YSoft SafeQ after travelling a longer distance. For this reason, system administrators may
consider decreasing the network and CPU load, where users may notice delays (seconds to
minutes, depending on the network and system configuration) before their jobs are available at
devices connected to the destination.
This far roaming mode sends job metadata over the management server and support for UDP
multicasting is not required for standard operation. However, the infrastructure will still provide
high-performance networking to minimize the delay to job availability. This mode of operation is
more robust, but is useful in situations where only a fraction of the users requires roaming for
their operations (such as travelling sales staff, etc.).
This roaming mode can be disabled by enableFarRoaming configuration option (restart of all
Spooler Controllers is required). In that case print jobs would be roamed only within each Spooler
Controller group and they would not be roamed among the groups nor standalone Spooler
Controllers. By default this roaming mode is enabled.
2.4.10.3 Dependencies / Non-functional Requirements
Each printer must be equipped with a terminal (embedded, mobile terminal or a hardware
terminal).

At least one YSoft SafeQ Management server must have a connection with a Spooler
Controller and FlexiSpooler server(s) in every location required for near roaming or far roaming
printing.
Global identity management (common for all YSoft SafeQ servers in the network) must be
established.
No extensions in a desktop application or any other client workstation tool is necessary. On

the other hand, Print Roaming may introduce additional pop-up messages to be handled by the
YSoft SafeQ Desktop Interface.
The origin and the destination Spooler Controller servers in a near roaming or a far roaming
scenario must be visible to each other on the network. The network must also provide the
necessary bandwidth and low latency to eliminate any impact of the network on the
availability of print jobs. Without network visibility and sufficient performance, near roaming or
far roaming does not produce correct results and cannot be used!
To use far roaming, all Spooler Controller servers must have installed FlexiSpoolers in server
mode.
Note: For a Spooler Controller group with more than 10 Spooler Controller servers, UDP
Multicast must be enabled among servers!
2.4.10.4 Caveats and Limitations
Printer compatibility is defined based on the System Tags in the Management interface. The
tag represents the capability of the printer, such as PDL-compatibility (PCL, PostScript, etc.) or
feature such as Color, Duplex, Paper Size (Large/Small).
For near roaming mode, it is recommended to to use a fiber optics network.
If a FlexiSpooler with print jobs fails, all print jobs stored on the failed FlexiSpooler are
unavailable for release at terminals and users must re-submit the jobs from their workstations.
Shared network storage for print jobs can solve this problem. In this case, all print jobs are
stored locally on a FlexiSpooler and remotely on a network shared storage.
With far roaming mode:
When using Print Roaming (enabled by the license), all Spooler Controller servers are
automatically configured for far roaming. Far roaming also works in near roaming (Spooler
Controller group) and among Spooler Controller groups and standalone site servers. It is
not possible to limit Print Roaming to only selected Spooler Controller servers or groups of
them.

The following components of the YSoft SafeQ system must be online, configured (both
mentioned Spooler Controller servers are not in the same near-roaming group) and working
properly: Management server, the FlexiSpooler the prints will be sent to, the Spooler
Controller the FlexiSpooler is connected to, the Spooler Controller the printer/MFD is
connected to, and the printer/MFD where the print job will be printed.
Users may notice delays (seconds to minutes, depending on the system configuration) in
job availability at the terminals connected to the remote (other than origin of print)
destination Spooler Controller, because Spooler Controller downloads information
(metadata) about the user's print jobs every 5 minutes (by default).
Users may notice delays (depending on the size of the print job and a network speed) in
printing (i.e. time from pressing print button on terminal to time when the first paper
comes out from the printer/MFD), because the print job data is downloaded from remote
locations on demand. Print job data is not regularly synchronized. Only print job metadata
are synchronized.
2.4.10.5 Client Based Print Roaming
Client Based Print Roaming moves the most critical and intensive task - the handling of print data
- from the server to a user's workstation. This is done by a local print spooler placed on
workstation as part of the YSoft SafeQ client components. The server works only with small
metadata (few kB per job) and instructs local spoolers how to work with print jobs.
The result is a need for servers that are fewer in number (typically 2-4 times fewer) and more
lightweight server which has lower hardware, software and maintenance costs. Client Based
Print Roaming may also positively affect the company network by reducing traffic since jobs are
handled on the user’s workstation.
Should a user send a print job and his workstation become unavailable (or he closes his laptop), a
locally spooled print can be optionally replicated to a backup location. The advantage is the user
doesn’t have to depend on the availability of the original, locally spooled job and instead can print
one its replicas. Print job replicas are invisible to the end users. When a user deletes a print job
that has replicas, all replicas are also deleted.
Spooler availability notification for users
Spooler availability notifications
When user tries to print jobs on the terminal and some of them can't be printed due to spooler
not being available, only generic error is shown or no error is displayed at all. If we enable spooler
availability notifications in Management server system configuration, we will get more detailed
status about jobs that are being printed. We can determine current status of the jobs by their
icons.
Jobs in progress - blue spinning wheel

Completed Jobs - green check mark
Failed Jobs - red cross mark
Detailed error message of Failed Jobs can be displayed using white question mark button.
Client computer unavailable
When a user prints job on the terminal using Client Based Print Roaming, the situation may occur
where he is unable to print them because his workstation is either disconnected from network or
simply turned off. Spooler is therefore unavailable and jobs spooled on the workstation cannot be
transferred to the printer. Embedded terminal informs the user about spooler unavailability and
prompts user to try and turn on or reconnect his workstation.
Server unavailable
When a user prints job spooled on the server, the situation may occur where he is unable to print
them because server spooler is not accessible. Jobs spooled on the server cannot be transferred
to the printer. Embedded terminal informs the user about spooler unavailability and prompts user
to contact the administrator if the problem persists.

Computer unavailable
Client spooler or server spooler unavailable. Embedded terminal informs the user about spooler
unavailability, prompts user to turn on his computer or contact the administrator if the problem
persists.
Enabling notifications about spooler availability
This feature can be turned on by following steps:
1. Go to Management server → System → Configuration
2. Make sure you have selected advanced level view
3. Search for showSpoolerAvailabilityNotifications
4. Set the value to Enabled
5. Restart all required services
Using "Print All" functionality from the login screen of the terminal
If the user has some jobs in the waiting folder and spooler availability notifications are enabled,
after they activate the “Print All” functionality, jobs are immediately sent to the printer. The user
can monitor the status of the jobs on the print status screen located in the print application.

We recommend to set the print application as a landing page for the user, so that after the login
with the “Print All” function activated, the print status screen is displayed and users can monitor
they jobs without navigating to the print application.
If billing code selection screen is enabled, the print status screen will be displayed after the
selection a billing code.
Print panel from "Print All" in Quick Actions
Once the functionality is enabled, the user will also see the print status panel after executing
"Print All" from the "Quick Actions" menu. If the installation is set to use the payment's subsystem,
and the user does not have credit to print all the documents in the waiting state, the print jobs
will not be launched and the print status panel will not be shown. The "Quick actions" options is
supported only by selected vendors: consult whether your vendor supports "Quick Actions".
Unavailable job information for users
Workstation is offline or disconnected
ETCD configuration
This feature needs properly configured and fully functional etcd and it needs to be enabled in
YSoft SafeQ Management. See Configuring etcd for failover support in Terminal Server for
details.
With Client Based Print Roaming, when a user is printing job on the terminal, it may happen that
he is unable to print because his workstation is not correctly connected to the network or is just
turned off. Jobs spooled on the workstation cannot be transferred to the printer and Embedded
terminal informs the user with the specific message.
Since it is not 100% reliable and connection could be restored during this process or just
information about connection is not downloaded to the terminal, the user can try to print it
anyway by tapping on Try to print button.

The message informs that spooled jobs are not accessible and user needs to ensure, that
workstation is booted and operational or if it is correctly connected to the network.
This feature is currently available on terminal mode YSoft SafeQ Terminal Application - 1st Gen.
and 2nd Gen. on all vendors.
Enabling monitoring of jobs availability
This feature can be turned on by following steps:
1. Go to Management server → System → Configuration
2. Make sure you have selected expert level view
3. Search for showJobAvailability
4. Set the value to Enabled
5. Restart all required services
2.4.10.6 Universal Print Driver
Universal Print Driver Overview
Print drivers are pieces of software that 'translate' data to be printed into page description
language that a specific printer(s) understand(s). The primary purpose is to enable any application
(e.g. document editor) to print without the need to understand the capabilities and language of
each printer. Once the document is converted into the appropriate description language, it can be
spooled and then sent to a particular printer.
Each printer or MFD manufacturer equips their devices with either a highly device-specific or
product family-specific or generic (universal) print driver for all their devices. These can be used
along with YSoft SafeQ 6 and require separate deployment (installation and configuration at each
workstation) and maintenance.

The multi-vendor solution, YSoft SafeQ 6, offers the YSoft Universal Print Driver which ensures
administrators do not have to install vendor-specific print drivers for standard print needs. This
also means that users do not have to worry about which printer to use to retrieve their print job—
literally any vendor that is indicated as compatible with YSoft Universal Print Driver can be used
to retrieve print jobs.
Deployment
Unlike print drivers provided by manufacturers, the YSoft Universal Print Driver can be deployed
on workstations in a more autonomous fashion, together with the YSoft SafeQ Client interface or
in the case of client-based Print Roaming deployment. This way, the user only sees relevant print
drivers—YSoft SafeQ 6 automatically installs and configures the correct local print queues. When
on the go, the user simply opens their laptop at a new location and see the available local print
queues.
Supported Platforms
YSoft Universal Print Driver fully supports
Windows 8.1 or newer
Windows Server 2012 or newer
For Windows versions older than Windows 8, a generic print driver with a different user
interface is used.
User Interaction
To simplify operation for users, the Universal Print Driver provides a simplified user experience at
the workstation—together with a rich and fully enhanced embedded terminal, the user can
configure additional print job settings, such as finishing options, when standing and working with
a particular printer or MFD.

Key remarks
YSoft SafeQ 6 still supports manufacturers' print drivers.
YSoft SafeQ 6 newly offers an option to deploy the YSoft Universal Print Driver at select OS
platforms.
2.4.10.7 VPSX - Print Management Connector Integration
This features are currently available only under Early Access Program .
Introduction
This technical note describes the integration of the YSoft SafeQ Workflow Solutions Platform with
the print spool system in VPSX EnterpriseTM by Levi, Ray & Shoup Inc. (www.lrs.com). VPSX is an
example of an Enterprise Output Management system. VPSX is used primarily for high-volume,
reliable delivery of jobs to printers. The system’s main purpose is to verify whether a particular
job has been printed and, in the case of a document delivery failure, print it again or redirect it to
other printers.
Note: VPSX exists in multiple versions and configurations. Therefore, the VPSX integration should
be installed and supported by Y Soft and LRS. Y Soft also strongly recommends compatibility
verification in a test environment prior to production deployment. If you have any questions,
please contact the Y Soft Service Desk.
How It Works
VPSX integration provides administrators with the option to use the Print Roaming and secure
print features in YSoft SafeQ 6 while keeping the data reception, storage, and delivery up to the
VPSX system.
Once VPSX integration is configured, it is possible to display the jobs from VPSX on the YSoft
SafeQ Embedded Terminal. It is required that user accounts in YSoft SafeQ 6 and VPSX have the
same login names (used to pair the information about jobs). Jobs from YSoft SafeQ 6 and VPSX
can be displayed together. Jobs from VPSX can be printed or deleted. Device dependent
accounting of jobs printed from VPSX is supported.
Licensing
VPSX integration requires a separate license in addition to the YSoft SafeQ 6 license. To obtain
the VSPX integration license, please contact your Y Soft Regional Sales Manager. Note that the
license includes the necessary customization required (see the section on Installation).

Installation
Configure the YSoft SafeQ System Settings (the YSoft SafeQ Management Interface)
Enable VPSX integration in the YSoft SafeQ system settings
externalSpoolerVpsxEnabled = true
Set the URL of the VPSX server in configuration option externalSpoolerVpsxUrl. The value
should be obtained from the VPSX administrator. (Note: the URL should also contain the port—
it is the URL of VPSX API, not VPSX web interface.)
Example: externalSpoolerVpsxUrl = http://10.0.0.10:6117/lrs/nlrswc2.exe/CUSTOMER123
You can change the default value of the timeouts used for communicating with the external
VPSX server. The first timeout is used when connecting to VPSX, the other timeout is used
while waiting for a response from the VPSX server. These are default values, both are set in
seconds.
externalSpoolerVpsxConnectionTimeout = 20
externalSpoolerVpsxResponseTimeout = 60
You must set the URL prefix that is common for all the personal queues in your VPSX system
in the configuration option: externalSpoolerVpsxQueueUrlPrefix
Example: if the URL of personal queues looks like this:
http://10.0.0.10:6117/MY_PERSONALQ or
http://10.0.0.10:6117/ANOTHER_PERSONALQ
then you should set externalSpoolerVpsxQueueUrlPrefix = http://10.0.0.10:6117/
Setting Up Printers in YSoft SafeQ 6
Create new devices in YSoft SafeQ 6 in the standard way, except in the definition of their
location in YSoft SafeQ 6.
The location parameter defined for each device in YSoft SafeQ 6 has to be the same as
the name of the device defined in VPSX.
Setting Up VPSX (Ask Your VPSX Administrator to Set This Up in VPSX)
Each job printed via VPSX to an MFD/printer with YSoft SafeQ Embedded Terminal can be
accounted, which requires specific headers to be added to each print job. These headers have
to be defined in the VPSX configuration. Since the information about headers is a proprietary
for YSoft SafeQ 6, the information needs to be requested at the time of integration via your Y
Soft Regional Sales Manager (in order to provide access from the product development
organization).

Known Limitations
The functionality stated above is not supported with hardware terminals.
Online accounting, print job preview on a terminal, and the modification of finishing options for
jobs stored in VPSX AREs not supported.
2.4.11 REPORTING
2.4.11.1 Web Reports Overview
This is main reporting engine for all statistical data processed in YSoft SafeQ environment. Variety
of default reports can be generated in several file formats or on the web interface. This feature is
designed in order to allow custom view creation.
Configuration and use
Reports are accessible from management interface under Web reports tab. Access of a single
user is limited to his/her account by default. An administrator is able to see and modify data view
from all users. For more details about possible configuration, see Web Reports.
Licensing
This feature is generally available in all YSoft SafeQ license suites or as a Reporting module.
2.4.11.2 Management Reports Overview
This is an executive summary of YSoft SafeQ environment via reports for the entire company,
departments, devices and users. Reports could be scheduled for email delivery and used for
company stakeholders for example for print budged scaling.
Reports are available under Reports sub-tab where generated report could be exported. The
system can be configured for manual or scheduled export into one of the supported file formats
for more convenience. More information about the configuration and export options, please read
Management Reports.
Licensing
2.4.11.3 Counter Reports Overview
Counter reporting extends YSoft SafeQ solution with the ability to collect device page meters.
Administrators can set the system to collect device counters (sometimes known as "page
meters") after user interaction with the registered device and use the information to provide
invoicing data to the supplier while verifying reporting accuracy.

In order to use this feature, a device must be configured to use an appropriate accounting driver.
Otherwise, the data will not be available. Reports in management interface display the information
about counter readouts on a separate page, where the data can be filtered by date and device
group.
The system can be configured for manual or scheduled export into one of the supported file
formats for more convenience. More information about the web administration and export options,
please read Counter reports.
Licensing
2.4.11.4 Green (Purged Pages) Reports Overview
Green reporting tracks pages which have not been released, i.e. physically printed out.
Sometimes, it is referred to as "purged print jobs". The green report can be displayed in
management interface, tab Reports or as a system widget on Dashboard.
The green report shows the number of print job pages that were received by YSoft SafeQ but
never printed, represent volume of costs saved by Rule-based Engine and printing impact to the
environment. The reported data are shown as a number of trees used for consumed paper,
volume of CO2 produced by creating consumed paper (information is only approximate, based on
publicly available algorithms).
YSoft SafeQ also tracks and reports related costs for pages that have been forced to be printed
in monochrome or duplex.
Dependencies
Print roaming or Rule-based Engine must be configured.
Purge Pages functions reports depends also on print job parser settings:
if parser is enabled - you can specify the price of a particular page type
if parser is disabled - you can specify the average count of pages for every non-printed job.
These jobs will be counted as A4 B/W jobs according to the settings for Green report jobs
with the parser enabled
Licensing
2.4.11.5 Terminal Access Reports Overview
Reports display who authenticated on devices, which authentication method was used and
session duration. This report is designed as a tool for administrators.

The report is available under Reports tab and allows alternative operation of user creation, PIN
and card assignment. It can be used as a troubleshooting tool for basic diagnostic with
authentication. It does not require any configuration only access rights to report sub-menu.
Licensing
2.4.12 RULE-BASED ENGINE
2.4.12.1 Rule-Based Engine Overview
The Rule-Based Engine maximizes the efficiency of MFDs and other networked printers and helps
reduce costs while reducing the workload of administrators and IT staff.
The efficiency of your organization’s print environment depends on three factors:
Printers
People
Processes
Printers
The efficiency of each printer depends on its being used to optimally provide particular functions
within the context of the entire print environment. For example, rule-based printing not only
provides the ability to automatically convert specific print jobs to B/W or duplex, which saves
direct printing costs, but also enables large color jobs to be automatically redirected to more
efficient MFDs – for even greater efficiency and added value.
People
From the user‘s perspective, print jobs can be automatically redirected to, for example, a smaller
printer closer to the user's desk. Rules also make it possible for users to receive notifications
about their print jobs and for scripts to be automatically run that make print-related activities
easier and less time-consuming.
Processes
Rules enable administrators to automatically control access to printer functions and to align print
environment operations with an organization’s processes and financial strategy. For example,
large jobs can be automatically prevented from being printed or can be redirected to the most
cost-efficient printer.

2.4.12.2 How Rules Work
The YSoft SafeQ Rule-Based Engine module enables system administrators to easily create rules
that automatically cause an action to be performed or a notification to be sent. Each rule
comprises three main components: Trigger, Condition, and Action. A rule may also include a fourth
component: Notification.
Trigger
A trigger defines an action that may cause a rule to be executed and the time when YSoft SafeQ
6 evaluates conditions to determine if the rule should be executed.
Condition
Once the rule is triggered, conditions are evaluated to determine whether the action should be
performed or not. When multiple conditions are defined for a specific rule, all of them must be met
for the action to be performed. When conditions are combined as OR and not as AND, more rules
can be set and these are evaluated according to their order.
Action
The action is the part of a rule that defines what YSoft SafeQ 6 does after the rule is triggered
and the condition is met, typically, but not only, with a print job.
Notifications
The notification component is the last and optional part of a rule’s setup. Every rule can cause a
notification to be sent to the print job’s owner and/or others. A variety of notification types are
available.
2.4.12.3 How Triggers Work
The trigger is the first part of a rule that the administrator defines and it determines what may
cause the rule to be executed. Each of the rule’s conditions, actions, notifications, or their
combinations can require different triggers, enabling the creation of fine-grained rules to meet an
organization’s specific, complex needs. The YSoft SafeQ Rule-Based Engine module helps
administrators by guiding them through rule setup and disallowing unsupported combinations of
parameters.
First, the administrator chooses the point in the print process that triggers the rule. The rule can
be triggered when the YSoft SafeQ server receives a print job from a user’s device, such as a
workstation, or from a print server. The administrator then defines the way YSoft SafeQ 6 will
process the job, for example to redirect the job to a different queue, such as a direct queue on a
different, more cost-efficient printer. The administrator can now also specify that the rule causes
a notification to be sent to the Desktop Interface, so a pop-up window appears on the user’s
workstation notifying about the action applied to their print job. A trigger can also cause a
notification to be sent after a user's logout or when a job status changes.

Next, the administrator sets what will occur before the job is released to the printer. For example,
the trigger can cause the job to be rejected or for changes to be applied to the job, such as
forcing it to be printed in B/W instead of color. The trigger can also, for example, cause users to
be denied authentication at a printer.
2.4.12.4 Conditions for Actions or Notifications
YSoft SafeQ 6 provides a comprehensive list of conditions that can cause specific actions to
occur or notifications to be sent, enabling the administrator to configure rules that meet an
organization’s procedural needs.
User management conditions
Rules can be set for specific users, groups, departments, or roles. For example, a rule can be
triggered if the print job was sent by a specified user or cost center.
Printers
YSoft SafeQ 6 can trigger a rule if a job is sent to a specific printer or type of printer.
Furthermore, rules can be set for specific servers in the YSoft SafeQ 6 environment.
Print job specifics
Typically, the administrator sets a rule for specific job titles in which regular expressions are used
to make the title match types of jobs as exactly as possible. This condition can apply to jobs
printed from a specific application or to specific file formats by definition of the suffix (such as
TIFF image files). Rules can also be applied to jobs based on the queue name or queue type.
Furthermore, tags, size of the job, status, number of pages, size of pages or total number of
pages printed within a specified timeframe can be used as conditions of the job which cause the
rule to be applied.
Time of printing
YSoft SafeQ can trigger actions based on time or day. For example, a rule that restricts printing
on weekends or after normal working hours.
2.4.12.5 Actions - Force Duplex Printing and More
The action that makes the biggest impact on print cost savings is forced double-sided printing.
Based on a rule’s conditions, an organization can specify which documents must be printed
double-sided by default. Another action that results in cost savings is automatically converting
color prints to gray scale. With these two simple actions, an organization can enforce rules that
create significant cost savings. Rules can be set that, for example, apply to the entire
organization, a subgroup, or only for specific time periods.

The Rule-Based Engine can also indirectly reduce costs by increasing efficiency and productivity.
For example, rules can automatically add a watermark to confidential documents or print a
predefined set of copies for specific types of jobs, saving employees’ time. Rules can also cause
a print job to be automatically deleted if a prohibited action is detected – for example, if a print job
is for a file in a specified format.
2.4.12.6 Notifications
Notifications proactively inform the user about the status of their print jobs and how the
application of a rule may have affected their jobs. Users can receive notifications in a standard
email message or, if FlexiSpooler with Desktop Interface is used for printing, in a pop-up window
on their PC.
A rule’s notifications settings can also specify that an external script be executed. External
scripts can be used to inform users and also notify the print system so administrators can track
the number and type of notifications users are receiving. This enables administrators to review
and make any changes required to the process or to communications to users.
2.4.13 YSOFT BE3D EDEE
2.4.13.1 Overview
YSoft be3D eDee is the first 3D printer with print management features and a comprehensive
accounting system to manage and recover 3D printing costs.
Unique integration of YSoft SafeQ 6 and be3D printer enables:
Secure access with authentication using card, PIN, username and password or combinations.
Secure 3D printer with electromagnetic locks for security of material and operator.
Track and charge cost of 3D printing to the user or cost center.
YSoft be3D eDee initially focuses on education customers, yet it can serve well also industry
customers who need to prototype securely and manage their 3D printer fleet.
2.4.14 YSOFT PAYMENT SYSTEM
2.4.14.1 Overview
The YSoft Payment System is a standalone system that integrates with YSoft SafeQ 6. The
YSoft Payment System contains information about money accounts, acting as a payment
gateway to charge users for print services.
The YSoft Payment System can help reduce costs and increase revenue in two ways:
It enables users to pay for print/copy/scan services using the YSoft Payment System.

It automatically blocks excessive usage using quotas.
2.4.14.2 Paying for Print/Copy/Scan Services
Support for pay-for-print services gives control for managing and recovering costs. The YSoft
Payment System enables users to purchase personal credit and use it to pay for services. The
YSoft Payment System supports two types of credit:
Personal credit—represents real money, which can be deposited into the system via the
YSoft Payment System Cash Desk interface, payment gateways such as PayPal, YSoft
Payment Machines or vouchers. A personal balance can also be withdrawn from the system
through the Cash Desk application.
Virtual credit—free credit bound to a Merchant (an API user with a merchant role), which can
be granted on a regular or ad-hoc basis. It cannot be withdrawn from the system.
2.4.14.3 Quotas
Quotas limits a user's consumption of print and copy services. Every user has a limit, and the
YSoft Payment System prevents the user from higher-than-allowed consumption. The quota is
defined for a specific period (e.g. monthly) and is automatically refreshed. The primary benefit of
quotas is to save costs by preventing the misuse of print and copy services by employees.
Consumption is limited in an understandable form—in the number of pages. Specific
organizations, such as Universities, benefit from combining quotas and payment. Typically,
employees are limited by page quotas, and students or visitors have to purchase their own credit.
How Quotas Work
The administrator defines the quotas that apply for different groups of users. It is possible to
define:
The maximum number of pages in a defined period (e.g. max 100 pages).
The period for the quota (e.g. monthly). The quota is automatically refreshed after this period.
Specifics (e.g. applies for color pages only or applies for print services only).
The administrator assigns specific quotas to cost centers. For example:
The Japan HQ employees cost center is limited by the quota Color Copy and by the quota
Print BW.
The Germany TOP management cost center is limited by a different quota, Color Print.
All users in an affected cost center are bound by the quota. If a user's action (print or copy) on an
Embedded Terminal exceeds the quota, the action is rejected, and the user is informed about the
reason.
It is possible to combine limiting users by quotas and by credit. For example:

The Professors cost center is limited by a quota.
The Students cost center is limited by credit and has to recharge when printing.
It is possible to have certain users limited by quotas and others by the YSoft Payment System.
The differentiation is done on a cost-center level.
2.4.15 YSOFT SAFEQ MOBILE INTEGRATION GATEWAY
2.4.15.1 Overview
The Mobile Integration Gateway offers:
Support for printing from iOS devices, such as MacBooks, iPhones and iPads, without
installing drivers is available through support of Apple AirPrint. For BYOD or company-provided
devices, the print queues are automatically broadcasted to all said devices. Users can simply
submit print jobs into their secure Print Roaming queue using their laptop/phone/tablet. An IT
organization benefits from fewer help desk requests to enable printing because users can
print from their mobile devices as they normally do.
Support for printing from Android devices without installing drivers is supported through
Mopria Print Service. Mopria Print Service is pre-installed as the default print service in Android
devices (version 8 Oreo and higher), or can be downloaded from Play Store.
A print job gateway for any authenticated IPPS source. The IPPS protocol is a great way to
securely deliver print jobs into YSoft SafeQ from any IPPS compatible device. Vendor specific
PS or PCL drivers are supported.
2.4.15.2 Licensing
This feature is part of the YSoft SafeQ Mobile Print module.
2.4.15.3 Technical Overview
AirPrint enables iOS (version 4.2 and newer) and Mac users to print seamlessly.
Mopria Print Service enables Android devices (version 4.4 and newer) to print seamlessly.
The Mobile Integration Gateway uses Apple’s Bonjour protocol as a network layer. Bonjour is a
zero-configuration protocol that enables the registering and discovering of services on a
network without any user configuration. The printing service itself, presented by a printer, is
registered via this protocol and any iOS, Mac client or Android device, with Mopria Print service
installed, can discover and use it. The YSoft SafeQ Mobile Integration Gateway uses the IPPS
protocol.
All print jobs received via driver-less print queues (AirPrint, MOPRIA) are converted into a PDF
file and stored into the spooler.

All print jobs received via IPPS already processed by a print driver (PS or PCL) are stored into
the spooler "as is".
The client should verify the MIG server certificate (strongly recommended) and if trusted,
establish the connection. The server currently requires 'HTTP Basic Authentication'
authentication mechanism as defined in RFC section 5.4.2..
YSoft SafeQ 6 Integration
Integration of AirPrint with YSoft SafeQ 6 is achieved via two services:
YSoft SafeQ Mobile Integration Gateway
Bonjour
The YSoft SafeQ Mobile Integration Gateway uses Bonjour to broadcast information about the
print server available to iOS, Mac and Android devices.
YSoft SafeQ Mobile Integration Gateway must have an IP address from the subnet for the iOS,
Mac or Android devices. Otherwise, users will not see the announced service.
Mobile Integration Gateway requires the Mobile Print module to be licensed. The service won't
start without a license.
Further reading: YSoft SafeQ Mobile Integration Gateway - print across multiple subnets
The responsibility of YSoft SafeQ Mobile Integration Gateway is to receive requests from an iOS
device, Mac, Android, or any IPPS compatible source, and deliver the print jobs to YSoft SafeQ 6.
Limitations
Billing codes cannot be selected when submitting a job to YSoft SafeQ 6 via AirPrint.
For driver-less print queues (AirPrint, MOPRIA): MFD must support PDF 1.5 or newer.
Some MFD vendors might not support PDF. In such cases, it is recommended to choose a
vendor-specific driver on the Mac device.
Supported page sizes are A4 and Letter.
For iOS 9 and older, once a user submits a job and enters their credentials, the credentials are
saved and used for all subsequent print jobs.
For Mac OS X 10.10 and older, a sequence number is prepended to print jobs.
Mopria Print Service is available for Android devices with version 4.4 Kitkat and higher.
2.4.15.4 References
YSoft SafeQ Mobile Integration Gateway Requirements

Mobile Integration Gateway deployment
Using YSoft SafeQ Mobile Integration Gateway to Print from iOS or OS X
Using Mopria Print Service on Android Device
YSoft SafeQ Mobile Integration Gateway - print across multiple subnets
2.4.16 YSOFT SAFEQ MOBILE TERMINAL
2.4.16.1 YSoft SafeQ Mobile Terminal Overview
The YSoft SafeQ Mobile Terminal is a complementary solution for a mobile workforce or for
devices that do not support embedded terminals. It is also a cost-effective solution to enable
YSoft SafeQ 6 features on smaller printers or MFDs.
The primary use case for YSoft SafeQ Mobile Terminal is network printers that do not support
YSoft SafeQ Embedded Terminal and external terminals are too expensive for them. In YSoft
SafeQ 5, these devices were used either as direct printers or with Terminal Ultralight if Print
Roaming was required. YSoft SafeQ Mobile Terminal enables Print Roaming at these kinds of
printers similarly to the way Terminal Ultralight does. However, the user interface of YSoft SafeQ
Mobile Terminal leaves Terminal Ultralight far behind in terms of features and usability.
Another use case is to use YSoft SafeQ Mobile Terminal with the MFDs that already have YSoft
SafeQ Embedded Terminal installed. Customers with such MFDs can use YSoft SafeQ Mobile
Terminal to leverage users’ mobile devices to provide an alternative means of Print Roaming and
to deliver the same user experience at all devices in a multi-vendor fleet.
Features-wise, YSoft SafeQ Mobile Terminal provides a convenient way to release and manage
print jobs. It supports user authentication, a prerequisite for Print Roaming, and print job
management. MFD-related features are not supported. YSoft SafeQ Mobile Terminal has no direct
link with a device so it cannot control copies and scans. Also, note that YSoft SafeQ Mobile
Terminal is designed and licensed as a terminal. Currently, it is not designed to submit mobile print
jobs. Printing from mobile devices can be enabled using the Mobile Print module of YSoft SafeQ 6.
YSoft SafeQ Mobile Terminal is available for iOS, Android and Windows 10 Mobile operating
systems.
2.4.17 YSOFT SAFEQ CLIENT V3
YSoft SafeQ Client v3 is under the Early Access Program (YSQL6-049-0000; YSoft SafeQ
Client v3; F_NEW_SQ6_CLIENT), see details about the program in Early Access Program.
YSoft SafeQ Client v3 is a new client with redesigned architecture. Main enhancements targeted
Client Based Print Roaming (CBPR), security, performance and united overall user experience
interaction. YSoft SafeQ Client v3 can be currently used with YSoft SafeQ MU28 and higher.

2.4.17.1 Feature comparison and overview
Feature YSoft SafeQ YSoft SafeQ Legacy YSoft

Client v3 client SafeQ Client for
components YSoft SafeQ 4/5
Client workstation platforms
macOS 10.13+
(limited feature set)
Windows
32-bit
64-bit
Linux
(limited feature set)
Installation and Update
Untended installation
Backwards compatibility (Server and

Client)
GUI installer
Client auto-update from server
Client modes
Client Based Print Roaming (CBPR)
Non-CBPR mode (server spooling)
Performance Features
Emergency Print
(Offline print)
Network-level failover
Application-level failover
Network-level load-balancing
(special hardware
needed)
Application-level load-balancing
Health-check of new services

Authorization of users and services
(controlling rights to requests)
Print Roaming
Near Roaming
(supported server
feature)
Far Roaming
(supported server
feature)
Accounting
Device dependent accounting
(supported server (supported server (supported server

feature) feature) feature)
Online accounting over SNMP

feature; only feature; only feature)
secure print) secure print)
Online accounting over IPP

(supported server
(supported server (supported server feature; only direct
feature; only feature; only print)
direct print) direct print)
Offline accounting
(supported server
feature)
Job modifications
Basic Finishing Options
(supported server
feature)
Advanced Finishing Options
(not tested) (supported server

feature)
Rule-Based Engine

User interaction
Billing codes on terminal

feature) feature) feature)
Billing codes on client UI
Job properties
(information from job parser)
Price estimations
Print workflows
Direct print
(see notes for
details)
Secure print
Shared print
(accounted to (accounted to
owner) releaser)
Delegated print
Delete after print/ Spool cleaning
(supported server
feature)
Authentication
Domain authentication
Username and password
Cache credentials
Username
Card
PIN
Stored username
Novell user login
Azure AD
User Roaming

DHCP option 9
Static configuration
Automatic (from list in configuration file)

(locations.config) (CSV with subnets)
Other
Multi-user workstations (universities,

libraries)
Direct queues user deployment
Notes
Legacy YSoft SafeQ Client from YSoft SafeQ 5 is supported with YSoft SafeQ 6 in Enterprise
mode only. See more details in YSoft SafeQ 5 Client Support article.
Packaging service for deployment of the new client is available on request to your Y Soft
Regional Sales Manager or Solution Consultant. Supported platforms are macOS (DMG
package) and Windows (MSI package).
Direct queue(s) can be deployed during installation using MSI/DMG package.
Performance metrics for the new client:
Connections: 10 000 clients per server
Load: 50 jobs per minute per server
Please discuss your load requirements with YSoft technical consultant, this is estimated
generic YSoft SafeQ safe load
Supported print language analysis: PCL 5, PCL 6, PS, XPS, PDF
Print protocols:
Spooler - MFD - Raw, LPR, IPP, IPPS
IPPS is turned off by default
IPP Versions supported: 2.0, 1.1, 1.0
Windows Spooler - Spooler Client - Raw, LPR, IPP, IPPS
IPPS is turned off by default
IPP Versions supported: 2.0, 1.1, 1.0
Support for SAP username handling is available for LPR only.

2.4.17.2 Basic Architecture
YSoft SafeQ Spooler is a new job spooling component different from YSoft SafeQ FlexiSpooler it
is designed to be cross-platform and include the YSoft SafeQ UI - a new UI experience for the
user.
Spooler consists of:
YSoft.SafeQ.Spooler service: service/daemon that has similar functionalities to YSoft SafeQ

FlexiSpooler service,
YSoft.SafeQ.SafeQ UI process: a new cross-platform UI experience for the user substituting

existing YSoft SafeQ Desktop Interface.
In order for YSoft SafeQ Spooler to function with existing YSoft SafeQ 6 deployments it needs a
server counter-part (a connector to rest of YSoft SafeQ 6 components if you will), we call this
component YSoft SafeQ Job Service. In the future YSoft SafeQ Job Service will be used for
many more functionalities and has part in a broader architecture revisioning.
YSoft SafeQ Job Service
Job Service has following responsibilities:
Handles connection with spoolers
Manages job metadata between Spooler Controller and Spooler
Communicates with Spooler Controller using YMQ
Hosts IdentityServer to allow Spooler authentication
Provides distributed layer which contains Job id x Spooler id mapping and Spooler id x Job
Service id mapping

Diagrams
YSoft SafeQ Spooler and YSoft SafeQ Job Service with respect to rest of YSoft SafeQ 6

YSoft SafeQ Spooler in detail
Near roaming group

Port usages
See diagrams above.
2.4.17.3 Deployment instructions
The client application needs a server counter-part (a connector to rest of YSoft SafeQ 6
components if you will), we call this component YSoft SafeQ Job Service. In the future YSoft
SafeQ Job Service will be used for many more functionalities and has part in a broader
architecture revisioning. Read more info in Basic Architecture article.
YSoft SafeQ Client and YSoft SafeQ Job Service pre-installation checklist
YSoft SafeQ Client YSoft SafeQ Job Service
Application type workstation server
Windows Windows 7+ Windows 2008 R2+

YSoft SafeQ Client YSoft SafeQ Job Service
macOS macOS 10.12+

no deployment
Free space on disk 260 MB 350 MB
Administrator rights
Secured environment
You need:
1. Signing key pair (one common for all YSoft SafeQ Job Services).
2. Trusted certificate. Every YSoft SafeQ Job Service has to have it's own certificate issued
for its IP address. These have to be trusted on every client workstation.
Deployment of YSoft SafeQ Client
Folder structure
Following is how the folder structure looks like for the deployed YSoft SafeQ Clients.
YSoft SafeQ Client folder structure
[Client Installation Path]

JobStore
versions
latest // Symlink to the latest version, system services use this to always target latest
version
9.9.9
configuration
logs
...
Installation instructions for macOS workstations:
YSoft SafeQ Client package contains installation script - install.rb. Two components will be
installed: YSoft SafeQ Spooler service (com.ysoft.safeq.spooler) and YSoft SafeQ Client (com.ysoft.
safeq.client). Installation deploys three print queues. You can change their drivers and use any of
them. The script has following arguments
Argument Description Required Default value Example
--install-path Path where the YSoft SafeQ no /Library

Spooler will be installed. /Application
Support/YSoft.
Spooler

--siteserver- Comma separated list of IP yes NONE 10.0.10.50,10.0.10.51

hosts addresses or hostnames of
server where YSoft SafeQ
Job Service is installed.
Spooler will connect to the
first one and if it is not
available it will randomly
select from the rest.
--jobservice- Comma separated list of no 5000 (for all site 5000,5000

ports ports where YSoft SafeQ Job servers)
Service listens. They have to
be in the same order as site
server hosts.
--ipp-port Port where the YSoft SafeQ no 5631 5631

Spooler will listen for print
jobs sent through IPP.
--ipps-port Port where the YSoft SafeQ no NONE 9000

jobs sent through IPPS.
--ipps- Path to certificate that will no NONE

certificate- be used to enable receiving
path print jobs through IPPS.
--ipps- Password for certificate that no NONE

certificate- will be used to enable
password receiving print jobs through
IPPS.
--lpr-port Port where the YSoft SafeQ no 5515 5515

jobs sent through LPR.
--skip-print- Switch which will disable the no Installation of

queues installation of default print default print
queues. queues is enabled.
--force Switch which force the no Files will not be

installation, it will overwrite overwritten.
any existing files.
--disable- Switch which disables YSoft no Certificate

certificate- SafeQ Client's validation of validation is
validation HTTPS certificates. Using enabled.
this switch will severely
decrease the security

because client will

communicate with server
which does not have valid
certificate.
--spooler- The mode in which the no ClientSpooling ClientSpooling

mode spooler will be running. The
possibilities are "Server" for
server mode, "ClientSpooling"
for client with spooling and
"ClientNonSpooling" for client
without spooling.
--https- Store location of the in "Server" NONE LocalMachine

certificate- certificate used for HTTPS in mode
store- "Server" mode. The
location possibilities are
"LocalMachine" and
"CurrentUser".
--https- Store name of the certificate in "Server" NONE My

certificate- used for HTTPS in "Server" mode
store-name mode. The possibilities are
"My" and "Root".
--https- Thumbprint of the certificate in "Server" NONE 2E69C921F3F417C1

certificate- used for HTTPS in "Server" mode 76A299F1CC9A163
thumbprint mode. FC925C019
-- Authentication method that no NONE STORED_USERNAM

authenticatio the Spooler uses to E
n-type authenticate users.
Possible values:
DOMAIN_USERNAME,
USERNAME_AND_PASSWORD,
STORED_USERNAME
DOMAIN_USERNAME - The
username of the user logged
into the workstation is used.
USERNAME_AND_PASSWORD
- The user will be prompted
for a username and
password.
STORED_USERNAME - A
username will be retrieved
from the configuration file.
--username NONE John

Store name of the user for in

STORED_USERNAME "STORED_US
authentication method. ERNAME"
authenticatio
n method
Example of script usage
Script has to be ran using sudo as YSoft SafeQ Spooler does not run under user account but
it runs under system account.
sudo ./install.rb --siteserver-hosts=10.0.10.50,10.0.10.51
By default, YSoft SafeQ Client is installed with automatic restart. It will restart after 60s after
crash. If you want to change the value you can update the values in /Library/LaunchDaemons
/com.ysoft.safeq.spooler.plist for YSoft SafeQ Spooler or in /Library/LaunchAgents/com.ysoft.
safeq.client.plist for YSoft SafeQ Client (desktop application). Either set KeepAlive parameter
to false in order to disable this feature completely or change the ThrottleInterval which
configures intervals between restarts. For additional details run
man launchd.plist
in Terminal on macOS.
Uninstallation instructions for macOS workstations:
YSoft SafeQ Client contains uninstallation script - uninstall.rb. The script is located in the
installation folder of the YSoft SafeQ Client.
Uninstallation instructions
cd /Library/Application\ Support/YSoft.Spooler
sudo ./uninstall.rb --force
Installation instructions for Windows workstations:
YSoft SafeQ Client package contains installation script - install.ps1. Two components will be
installed: YSoft SafeQ Spooler service and YSoft SafeQ Client. Installation deploys three print
queues. You can change their drivers and use any of them. The script has following arguments

-InstallPath Path where the YSoft SafeQ no /Library

Spooler will be installed. /Application
Support/YSoft.
Spooler
- Comma separated list of IP yes NONE 10.0.10.50,10.0.10.51

SiteServerHo addresses or hostnames of
sts server where YSoft SafeQ
Job Service is installed.
Spooler will connect to the
first one and if it is not
available it will randomly
select from the rest.
- Comma separated list of no 5000 (for all site 5000,5000

JobServicePo ports where YSoft SafeQ Job servers)
rts Service listens. They have to
be in the same order as site
server hosts.
-IppPort Port where the YSoft SafeQ no 5631 5631

jobs sent through IPP.
-IppsPort Port where the YSoft SafeQ no NONE 9000

jobs sent through IPPS.
- Path to certificate that will no NONE

IppsCertificat be used to enable receiving
ePath print jobs through IPPS.
- Password for certificate that no NONE

IppsCertificat will be used to enable
ePassword receiving print jobs through
IPPS.
-LprPort Port where the YSoft SafeQ no 5515 5515

jobs sent through LPR.
- Switch which disables YSoft no Certificate

DisableCertifi SafeQ Client's validation of validation is
cateValidation HTTPS certificates. Using enabled.
this switch will severely
decrease the security

because client will

communicate with server
which does not have valid
certificate.
-SpoolerMode The mode in which the no ClientSpooling ClientSpooling

spooler will be running. The
possibilities are "Server" for
server mode, "ClientSpooling"
for client with spooling and
"ClientNonSpooling" for client
without spooling.
- Store location of the in "Server" NONE LocalMachine

HttpsCertifica certificate used for HTTPS in mode
teStoreLocati "Server" mode. The
on possibilities are
"LocalMachine" and
"CurrentUser".
- Store name of the certificate in "Server" NONE My

HttpsCertifica used for HTTPS in "Server" mode
teStoreName mode. The possibilities are
"My" and "Root".
- Thumbprint of the certificate in "Server" NONE 2E69C921F3F417C1

HttpsCertifica used for HTTPS in "Server" mode 76A299F1CC9A163
teThumbprint mode. FC925C019
- Authentication method that no NONE STORED_USERNAM

Authenticatio the Spooler uses to E
nType authenticate users.
Possible values:
DOMAIN_USERNAME,
STORED_USERNAME
for a username and
password.
STORED_USERNAME - A
-Username NONE John

Store name of the user for in

STORED_USERNAME "STORED_US
authentication method. ERNAME"
authenticatio
n method
Following is an example which will install YSoft SafeQ Client with 2 site servers.
powershell -executionpolicy unrestricted .\install.ps1 -SiteServerHosts "10.0.10.50,10.0.10.

51"
Uninstallation Instructions for Win workstations:
YSoft SafeQ Client contains uninstallation script - uninstall.ps1. The script is located in the
installation folder of the YSoft SafeQ Client.
Uninstallation instructions
cd C:\SafeQ6\Spooler\
powershell -executionpolicy unrestricted .\uninstall.ps1 -Force
Deploying YSoft SafeQ Client v3 in the Client Non-Spooling mode
YSoft SafeQ Client v3 in the Client Non-Spooling is a mode in which the client analysis the
received print job and forwards it with the print job metadata to the YSoft SafeQ Client v3 in the
Server mode. The client does not store and print job data locally.
Requirements
Site server IP address
Installation
Following is an example of a command which will install YSoft SafeQ Client v3 in the Client
Non-Spooling mode
.\install.ps1 -SiteServerHosts "10.0.42.42" -SpoolerMode "ClientNonSpooling"
or for macOS

sudo ./install.rb --siteserver-hosts=10.0.42.42 --spooler-mode ClientNonSpooling
Advantages of the Client Non-Spooling mode
Job analysis is offloaded to workstations. Resources of the server will not be used to analyze
print jobs. Only job preview is being generated on the server.
Workstation does not have to be available when a user wants to release a print job, because
print jobs are stored on the server.
User authentication via username/password or Windows SSO while having print jobs stored
on the server.
Deploying YSoft SafeQ Client v3 in the Server Mode
YSoft SafeQ Client v3 in the Server Mode is a mode which receives print jobs and print job
metadata from non-spooling clients and stores them locally on the server.
Requirements
TLS Certificate - you can use the same one as YSoft SafeQ Job Service uses
The certificate will be used for the HTTPS communication between YSoft SafeQ Client v3
in the Client Non-Spooling mode and YSoft SafeQ Client v3 in the Server mode
This certificate must be trusted by the workstation
YSoft SafeQ FlexiSpooler service must be disabled or YSoft SafeQ Client v3 must use
different ports for print job reception.
Installation
Following is a command which will install YSoft SafeQ Client v3 in the Server Mode
.\install.ps1 -SiteServerHosts "localhost" -SpoolerMode "Server" -

HttpsCertificateStoreLocation "LocalMachine" -HttpsCertificateStoreName "My" -
HttpsCertificateThumbprint "2E69C921F3F417C176A299F1CC9A163FC925C019"
Receiving print jobs over IPP
YSoft SafeQ Client v3 in the Server Mode will by default also listen on 631 port for print jobs
sent over IPP.
YSoft SafeQ Client v3 will by default use IPPS with the TLS certificate configured during
installation.

You can use following options to configure the IPP receiving in the `local.json` file
IPP Configuration
{
...
"JobReceivingOptions": {
"IppReceivingEnabled": true, // Enables/disables IPP receiving
"UseIpps": true, // Enables/disables IPPS
"IppPort": 631 // Sets the port over which the client will receive IPP
requests
}
...
}
Receiving print jobs over LPR
YSoft SafeQ Client v3 in the Server Mode will by default also listen on 515 port for print jobs sent
over LPR.
The port 515 is the default port for LPR, and also YSoft FlexiSpooler will be listening to the same
port in case it is installed on the same machine. One can either change the port for spooler or
disable FlexiSpooler in order to use the 515 port, or disable LPR receiving for spooler.
You can use following options to configure the LPR receiving in the `local.json` file
LPR Configuration
{
...
"JobReceivingOptions": {
"LprReceivingEnabled": true, // Enables/disables LPR receiving
"SQLPRPrt": 515 // Sets the port over which the server will receive LPR requests
}
...
}
Security Remark for print job reception over LPR
These are the consideration that Admins should keep in mind when activating the LPR
interface
There is no authentication available to a user, so everyone is effectively anonymous
An attacker could make it look like a job is coming from a different user
An attacker could trick a user into print a modified document instead of his own
An attacker could access the user's data by impersonating the server

Deployment of YSoft SafeQ Job Service
YSoft SafeQ Job Service is a server component for YSoft SafeQ Client v3 which is under the
Early Access Program (YSQL6-049-0000; YSoft SafeQ Client v3; F_NEW_SQ6_CLIENT), see
details about the program in Early Access Program.
Deploying as Windows service
YSoft SafeQ Job Service can be installed using PowerShell script included in the package - install.
ps1. Script will install 2 Windows services:
YSoft SafeQ Job Service (YSoftSQ-JOB-SERVICE)
YSoft SafeQ Job Service Distributed Layer (YSoftSQ-JSDL)
Prerequisites
1. IP addresses of all site servers where YSoft SafeQ Job Services will be installed in cluster
2. IP address of YSoft SafeQ Spooler Controller to which YSoft SafeQ Job Service should
connect
3. SSL/TLS certificate which is trusted in the infrastructure
Used for HTTPS
Without the certificate YSoft SafeQ Job Service will use self-signed certificate
4. Certificate for signing access tokens
Must be the same for all YSoft SafeQ Job Services in the cluster
See Generating certificate for signing access tokens to generate such certificate
How to
1. Run install script install.ps1
This is an example of how the script can be called.
.\install.ps1 -SpocAddress SPOC_IP -NrgAddresses "SITE_SERVER_1,SITE_SERVER_2,

SITE_SERVER_3" -SigningCertificatePath "PATH_TO_SIGNING_CERTIFICATE" -
SigningCertificatePassword SIGNING_CERTIFICATE_PASSWORD -HttpsCertificatePath "PATH_TO
_SSL_TLS_CERTIFICATE" -HttpsCertificatePassword SSL_TLS_CERTIFICATE_PASSWORD

Install script arguments
-InstallPath Path where YSoft SafeQ Job no C:/SafeQ6 C:

Service will be installed /JobService \SafeQ6\JobServic
e
- Address of YSoft SafeQ yes NONE localhost (or

SpocAddress Spooler Controller to which 10.0.10.50)
will YSoft SafeQ Job Service
connect.
- Comma separated list of yes NONE 10.0.10.50,10.0.10.51

NrgAddresses addresses of all YSoft SafeQ ,10.0.10.52
Job Services in the near
roaming group. If the YSoft
SafeQ Job Service is
installed with standalone site
server then you have to
enter the IP address of the
server where the YSoft
SafeQ Job Service is
installed. This argument cann
ot be empty.
- Path to the certificate (with yes NONE YSoft SafeQ

SigningCertifi public and private key) which Signing Certificate.
catePath will be used for signing pfx
access tokens. Use different
from HTTPS certificate.
- Password that was used yes NONE 123456

SigningCertifi during signing certificate
catePasswor generation.
d
- Certificate that will be used no Installer will create YSoft SafeQ Job
HttpsCertifica to enable HTTPS. This will self signed Service.pfx
tePath enable communication certificate.
encryption between YSoft
SafeQ Client and YSoft
SafeQ Job Service (and
between multiple YSoft
SafeQ Job Services). This
certificate will be validated
by clients. If the validation in
client fails, client will not
communicate with the
server. If the path is not

provided, installer will create

self-signed certificate using
which you might need to
disable the certificate
validation on YSoft SafeQ
Clients and other YSoft
SafeQ Job Services. It is
highly recommended to use
certificate which are trusted
by your infrastructure.
- Password that was used no

HttpsCertifica during certificate generation.
tePassword
- Port of Infinispan's REST no

InfinispanPort interface.
DisableCertifi Switch which disables YSoft no Certificate This argument is a

cateValidation SafeQ Job Service's validation is switch, you should
validation of HTTPS enabled by not pass any
certificates. Using this default. values to it.
switch will severely decrease
the security.
- Authentication method that no NONE STORED_USERNAM

Authenticatio the Job Service uses to E
nType authenticate users.
Possible values:
DOMAIN_USERNAME,
STORED_USERNAME
for a username and
password.
STORED_USERNAME - A
- no Disabled by This argument is a

AllowStoredU default. switch, you should
sernameFrom not pass any
Client values to it.

Switch which enables client

username authentication
when the
STORED_USERNAME
authentication method is
used.
This is an example of how the script can be called.
.\install.ps1 -SpocAddress localhost -NrgAddresses "10.0.10.50,10.0.10.51,10.0.10.52" -

SigningCertificatePath "YSoft SafeQ Signing Certificate.pfx" -SigningCertificatePassword
123456
Uninstallation
Following commands can be called to uninstall YSoft SafeQ Job Service from the server.
sc stop "YSoftSQ-JOB-SERVICE"
sc delete "YSoftSQ-JOB-SERVICE"
sc stop "YSoftSQ-JSDL"
sc delete "YSoftSQ-JSDL"
iisreset /stop
RMDIR "C:\SafeQ6\JobService" /Q /S
iisreset /start
Deploying with Windows Authentication - Single sign-on

How to
1. Follow Deploying as Windows service.
2. Create domain account which will run the YSoft SafeQ Job Service. It has to be in the
domain using which your users sign in.
3. Service Principal Names (SPNs) must be added to the user account running the service (not
the machine account!).
Execute in an administrative command shell (where myservername.mydomain.com is

the hostname of the server where YSoft SafeQ Job Service runs and username is
username of the user created in the step 2):
setspn -S HTTP/myservername.mydomain.com username

4. Go to services, right click YSoft SafeQ Job Service and select properties.
5. Go to Log On tab, select This account and click on Browse .
6.
6. Select the user that you created in the step 2 (enter the name into Enter the object name
to select and click on Check Names verify whether entered correctly).
7. In the Windows Services dialog, you should see your new user in the Log On As column.
8. Restart the YSoft SafeQ Job Service windows service.
Generating certificate for signing access tokens
Signing certificate is used to sign access tokens used by clients during communication with
server. Server validates whether access tokens are signed with correct certificate. This features
ensures that only access tokens created by YSoft SafeQ are accepted.
The same signing certificate must be used during installation of every job service in the
near roaming group.
Signing certificate is NOT the certificate which is used for HTTPS.
Signing certificate can be generated using a PowerShell script included in the YSoft SafeQ Job
Service package - generateCertificate.ps1. The script has following arguments.
How to
1. Run script - generateCertificate.ps1

1.
Do not use this example for production. The password in the example is not secure.
.\generateCertificate.ps1 -Subject "YSoft SafeQ" -FriendlyName "YSoft SafeQ Signing

Certificate" -Password "123456"
Certificate will be stored into a file named after FriendlyName (e.g. "YSoft SafeQ Signing
Certificate.pfx").
Script arguments
Argument name Description Required
-Subject Name of the person or entity to whom the certificate is being yes
issued. This field can also include the certificate recipient's
organization, organization unit, locality, state or province, and
country/region.
-FriendlyName Name under which you will see the certificate in the yes
Microsoft Management Console. It is not a unique identifier.
-Password Password that is used for private key encryption. yes
Migrating from IIS to self-host
If you previously deployed YSoft SafeQ Job Service into IIS to enable Windows Authentication,
you have to follow the following migration guide to go back to the self-hosted mode, which now
also supports Windows Authentication.
1. Stop & Remove YSoft SafeQ Job Service from the IIS

2. Create Windows service which will run YSoft SafeQ Job Service (do this only if you
previously removed a Windows service named YSoft SafeQ Job Service). You can create it
by running following command in the PowerShell. If your installation path differs, change it
in the command.
sc.exe create YSoftSQ-JOB-SERVICE binpath="C:\SafeQ6\JobService\YSoft.JobService.Host.exe

--run-as-service" displayname="YSoft SafeQ Job Service" start=auto
3. Start the service
2.4.17.4 Configuration
Configuring YSoft SafeQ Client v3
About
All configuration related files are located in the configuration folder located in YSoft SafeQ
Spooler's root folder.
There are three configuration types:
1.

1. YSoft SafeQ Spooler Configuration
local.json
cached.json
static.json
2. Logging Configuration
logging.json
YSoft SafeQ Spooler Configuration

General
When a YSoft SafeQ Spooler starts, it tries to download configuration from YSoft SafeQ,
which is then saved into cached.json.
When the Site Server is not available, YSoft SafeQ Spooler retries configuration retrieval
indefinitely.
It loads configuration as follows:
1. Download configuration from YSoft SafeQ Managment Service and save it to cached.
json.
2. Load or create static.json
3. Load cached.json.
4. Load local.json.
5. Override values from cached.json with values from local.json ( it does not rewrite
the file, only in memory).
local.json is used for overriding configuration downloaded from YSoft SafeQ which is stored in
cached.json.
It uses same configuration keys as available in the Management Server.
static.json if the configuration file does not exist, it is generated by YSoft SafeQ Spooler, it
currently contains the YSoft SafeQ Spooler GUID for identification. This file should not be
modified or deleted, doing so might lead to loss of jobs.
When configuration is changed on management, the spooler does not require restart.
Exceptions are:
Guid - would lead to loss of jobs (this should never be changed).
IPP printer settings.
Site server configuration.
Job Store path.

Configuration files are created under the Administrator account. Administrator privileges are
required to edit configuration files. To ensure end users cannot modify these files you need to
set adequate access permissions.
Required configuration
Required is only Site Server configuration which should be filled during installation.
{
"SiteServerOptions" : {
"Scheme" : "http" ,
"Host" : "10.0.12.118" ,
"JobServicePort" : 5000,
"JNodePort" : 8111
}
}
Cached configuration
Cached configuration is categorized into
JobDeliveryOptions,
JobReceivingOptions,
UncategorizedOptions - This category contains all of the configuration properties from

YSoft SafeQ Managment Service, which we currently do not use.
Available configuration values
Group Key Type Default Description

value
SpoolerO Guid string Spooler identifier.

ptions
UserInterfacePort int 3000 Port where are hosted static files for the
electron web application
BufferSize int 65536 Size of the buffer
CacheCredentials bool true Flag if user credentials will be cached in the

client's machine so she will be asked less
frequently to sign in when submitting a print
job
EnableQueueMan bool false Enables Queue Management from YSoft SafeQ

agementInClient Client v3 context menu.
DriverConfigurati string Path to folder containing configuration files. On

onFolderPath Windows usually dat file

value
..\..
\DriverConf
igurations
DriverName string Name of the print driver used when the direct
queue is deployed. (Available only on Windows)
DriverConfigurati string Name of the configuration .dat file used when

onFileName the direct queue is deployed. (Available only on
Windows)
OfflinePrintEnable bool false Users using YSoft SafeQ client v3 or YSoft

d SafeQ FlexiSpooler will be able to send a print
job directly to the recently used device when
communication with the server is unavailable.
This configuration is set from YSoft SafeQ
Managment Service through Job Service.
SiteServe Scheme string Scheme used for communication with site

rOptions server. Either HTTP or HTTPS.
Host string IP Address or hostname of site server.
JobServicePort int 5000 Port of Job Service.
JNodePort int 8111 Port of JNode.
DisableCertificate bool false Sets whether spooler should ignore server

Validation certificate errors
KeepAliveInterval TimeSpan 00:00:15 Represents the interval to send keep alive

pings. Should be at most half of the
JobService's ClientTimeoutInterval to avoid
connectivity issues.
JobDelive IppPrinterConnect TimeSpan 00:00:15 Network connection timeout in which IPP

ryOptions ionTimeout server must respond or the print fails.
RawPrinterConne TimeSpan 00:00:30 Network connection timeout in which tcp

ctionTimeout counterpart must respond or the print fails.
RawPrinterConne TimeSpan 00:00:00 When not zero, tcp connection is not closed
ctionLingerTimeo until all queued messages for the socket have
ut been successfully sent or the linger timeout
has been reached.
LprPrinterConnec TimeSpan 00:00:30 Network connection timeout in which LPR

tionTimeout server must respond or the print fails.
TimeSpan 0

value
LprPrinterConnec When not zero, tcp connection is not closed

tionLingerTimeout until all queued messages for the socket have
been successfully sent or the linger timeout
has been reached.
LprBufferSize int 65536 Buffer size used for sending data (usually to
MFD) via LPR.
InternalLdapRepla bool If set to true, the character "@" (at) is replaced

ceAtChar with the given value.
Note that special characters must be escaped
with backslash - ie. use "\#" to replace "@"
with "#" (hash).
This option could be used with Toshiba and Oki
embedded terminals.
RemovePjlDminfo string Enabling this property causes the removal of

ForHp Dminfo PJL header from HP print jobs as the
header could cause problems during printing.
AsposeLicensePa string Password for Aspose license.

ssword
PrintedJobPath string Path where modified job will be stored upon

delivery.
SaveTickets bool false If set then Spooler will store Print request at Pr
intedJobPath.
JobRecei UseIpp bool true If enabled, Spooler will use IPP for receiving
vingOptio print jobs
ns
UseIpps bool false If enabled, Spooler will use IPPS for receiving
print jobs
IppPort int 631 (5631) The port used in the Spooler for receiving print
jobs through IPP.
If a port with a number lower than 1024 is
used, the port applied in OS X will have a
number higher by 5000.
IppsPort int 632 The port used in the Spooler for receiving print
(5632) jobs through IPPS.
CertificatePath string

value
certificate. Defines the path to certificate needed to use

pfx for IPPS
CertificatePassw string password Defines the password needed for certificate

ord
SQLPRPrt int 515 (5515) The port used in the Spooler for receiving print
jobs through LPR.
IsServer bool false If enabled, Spooler will run in server mode
ParseUserFromTit string Defines a list of usernames so that if a print

le job comes from one of them.
The username will be extracted from the job
title and used as the job owner instead.
Job titles contain a username at the position
specified in the property
parseUserFromTitleIndex.
The format of the property: a list of usernames
separated by a comma. Example: Administrator,
SAP
ParseUserFromTit string [.:_/\\] A regular expression that defines the delimiter

leDelimiter of the components of print job titles for
parsing a username.
The default value contains the following
characters: .:_/\ The delimiter is any of these:
dot, colon, underscore, slash, or backslash.
ParseUserFromTit int 1 Defines where the username is located (a

leIndex numerical index of the first character of the
username) in print job titles.
Set 0 for titles like USER.something, and 1 for
something.USER.title, ...
ParseUserFromTit bool false If enabled, original job title is preserved.

lePreserverTitle Otherwise username is removed from the print
job title.
LprEncoding string Default Defines the encoding used by the LPR protocol
for the LPD print server.
Protocol headers also include usernames and
job titles that may contain some non-ASCII
characters which might be displayed
incorrectly.

value
Therefore, specify the encoding that

corresponds to the local national alphabet.
For example, Windows-1251 for Cyrillic, Windows-
1250 for Czech, etc.
If not set, the value set in the computer's
Regional Settings is used.
WaitForDataTime TimeSpan 00:00:30 Defines how long will spooler wait for next
out data chunk before time out-ing.
RemoveInvalidCh bool true If enabled, invalid characters (according to XML

aractersFromJob 1.0 specification) are removed from the title of
Title each print job
when the YSoft SafeQ server receives it.
Common print jobs do not contain such
characters in their titles and will not be
modified.
HeaderAnalysisBu long 256000 Size of the buffer used for header analysis.
fferSize
DefaultJobLangu JobLangu Other Other is useful for most cases, but if customer
age age produced PCL5 without PJL (unwrapped),
(string) setting this to PCL will allow full processing of
these jobs
JobStore Path string JobStore Path to job store.

Options
Authentic AuthenticationTy string Specifies the authentication type to use on

ationOptio pe client.
ns Possible values: DOMAIN_USERNAME,
STORED_USERNAME
DOMAIN_USERNAME - The Job Service will try
to use Windows Integrated Authentication
(SSO) to authenticate the user. If SSO is
successful the user will not get the login
window. If SSO fails user will be prompted for
the credentials.
STORED_USERNAME - The Job Service will try
to use stored username from client to
authenticate the user. If authentication is
successful the user will not get the login
window. If authentication fails user will be
prompted for the credentials.

value
USERNAME_AND_PASSWORD - The user will

have to enter the credentials to authenticate.
Username string Username used for STORED_USERNAME

authentication method.
Printer Configuration
This contains IPP printer configuration.
Logging Configuration
This contains configuration of YSoft SafeQ Spooler's logging.
It is based on Serilog's configuration (see https://github.com/serilog/serilog/wiki/Configuration-

Basics).
Some of the default options
path - (default 'logs/spooler.log') location of log
rollingInterval - (default 'Day') specifies minimal time when log will be rotated (this adds the
date format to the log file name). Available options are Infinite, Year, Month, Day, Hour,
Minute
fileSizeLimitBytes (default 50000000) - maximal size of log file
rollOnFileSizeLimit (default true) - specifies if log will be rotated after maximum size is
reached, if false, NOTHING is logged when the maximal limit is reached.
retainedFileCountLimit (default 20) - maximal number of log files. If exceeded, oldest file
gets deleted
Configuring YSoft SafeQ Job Service
About
All configuration related files are located in the configuration folder located in YSoft SafeQ
Job Services's root folder.
YSoft SafeQ Job Service Configuration
Group Key Su Type Defau Description

b lt
ke value
y
Guid string Identifier of the YSoft SafeQ Job Service.

b lt
ke value
y
JobSer
viceOp
tions
Disable bool false Enables/disable certificate validation for connections

Certific initiated by YSoft SafeQ Job Service.
ateVali
dation
JobPre TimeSpan 00:01: Time that the job preview will be stored for retrieval.
viewSt 00
oreTim
eout
DirectQ TimeSpan 00:01: Time that direct queues retrieve from YSoft SafeQ Spooler
ueuesT 00 Controller will be cached
imeout
HttpSe Host string * Indicates where will YSoft SafeQ Job Service listen.
rverOpt "localhost" to listen only on localhost, "*" to listen on all
ions interfaces.
Port int 5000 Port on which the YSoft SafeQ Job Service will listen.
Schem string https Indicates whether YSoft SafeQ Job Service will use HTTPS
e or HTTP
Certific Certificate
ateOpti Configurati
ons onOptions
Th string TLS certificate with this thumbprint will be loaded from the
u store specified in StoreName.
m
bp
rin
t
St string Certificate store name where the YSoft SafeQ Job Service
or will look for the TLS certificate.
e
N
a
m
e

b lt
ke value
y
St string Certificate store location where the YSoft SafeQ Job

or Service will look for the TLS certificate.
eL
oc
ati
on
Fil string Path to the TLS certificate (YSoft SafeQ Job Service
eP prioritises certificate in the store over certificate on file
at path)
h
Pa string Password for the certificate on the path.

ss
w
or
d
Identity Signing Certificate Same structure as the configuration for TLS certificate.
Server Certific Configurati This certificate will be used as a key pair for signing
Option ateOpti onOptions access tokens.
s ons
Access TimeSpan 1.00: Lifetime of the access token

TokenLi 00:
fetime 00
(=1
day)
Authen TimeSpan 00:01: Life time of authentication cookie. If after a successful

tication 00 authentication client makes a subsequent request for
Cookie authentication they will receive a fresh token without
Lifetim having to input their credentials, given it is within the
e lifetime of the cookie.
JNode Host string localh IP Address of the YSoft SafeQ Spooler Controller.
Option ost
s
Port int 8111 Port of the YSoft SafeQ Spooler Controller.
Spooler KeepAli TimeSpan 00: Represents how long it takes to take YSoft SafeQ Client
Connec veInter 00: v3 as disconnected.
tionOpt val 05
ions

b lt
ke value
y
ClientTi TimeSpan 00: Represents the time during which the client(s) (spooler)
meoutI 00: have to send a message before the server closes
nterval 30 connection. The value should always be at least double of
the client's (spooler) KeepAliveInterval. Default value is 30
seconds, with default of KeepAliveInterval set to 15
seconds.
Spooler Packag TimeSpan 00:10: Interval in which update package folder is monitored for
Update eMonit 00 new update packages.
Option oringInt
s erval
Packag Certificate Same structure as the configuration for TLS certificate.

eSignin Configurati Certificate which has been used to sign the update
gCertifi onOptions package.
cate
Authen Authen bool true Enables/disables validation where YSoft SafeQ Job Service
tication ticated check if the user who is authenticated matched the user
Option UserMu who actually sent the print job (the user which the
s stMatc underlying operating system provided in LPR or IPP).
hJobTi
cketOw
ner
Authen string Specifies the authentication type to use on client.

tication Possible values: DOMAIN_USERNAME,
Type USERNAME_AND_PASSWORD, STORED_USERNAME
DOMAIN_USERNAME - The Job Service will try to use
Windows Integrated Authentication (SSO) to authenticate
the user. If SSO is successful the user will not get the
login window. If SSO fails user will be prompted for the
credentials.
USERNAME_AND_PASSWORD - The user will have to enter
the credentials to authenticate.
STORED_USERNAME - The Job Service will try to use
stored username from client to authenticate the user. If
authentication is successful the user will not get the login
window. If authentication fails user will be prompted for
the credentials.
UserNa string Specifies the user name format used in the rest of the
meFor system.
mat

b lt
ke value
y
Possible values: DOMAIN_USERNAME,

DS_NT4_ACCOUNT_NAME, DS_USER_PRINCIPAL_NAME
AllowSt bool false Enable client username authentication when the

oredUs STORED_USERNAME authentication method is used.
ername
FromCli Security Remark for allowing using of
ent STORED_USERNAME authentication type
These are the consideration that Admins should
keep in mind when setting
'AllowStoredUsernameFromClient' property to
true
Every request with existing user name
submitted to stored username endpoint will
return access token.
An attacker could make it look like a job is
coming from a different user
Credential Caching
By enabling the cacheCredentials configuration option on the management interface, end users
will be asked less frequently to sign in when submitting a print job.
Process description
When administrator configures the system to cache user credentials, the access token generated
by Job Service will be stored on the users workstation in a secure system credential store. On
macOS this is the system keychain and on Windows it is the Credentials Manager.
While the token is not expired it will be reused for all print job submissions. Once it expires user
will be prompted to sing in again.
Job Service Configuration Options
These settings can be changed in YSoft SafeQ Job Service configuration file configuration
/local.json

value
IdentitySer AccessTokenLi 1.00:00: Lifetime of the access token

verOptions fetime 00 (1 day)

value
Time
Spa
n
Authentication Time 00:00:01 Life time of authentication cookie. This specifies for
CookieLifetime Spa how long should the authentication cookie live.
n If after a successful authentication client makes a
subsequent request for authentication they will
receive a fresh token without having to input their
credentials, given it is within the lifetime of the
cookie.
Job Analysis - offline accounting
By configuring the jobAnalysisResolution configuration option on the management interface, job

analysis will be enabled/disabled on the YSoft SafeQ Client v3. When this option is enabled the
client will start analyzing all received print jobs and extracting job information when possible.
This information will be used for accounting when the MFD is configured with offline accounting
method.
The resolution setting itself is not respected by the client. It just enables and disables the
configuration based on the configuration option.
When parsing fails or the print job language is not recognized job will be stored with default
properties which are:
0 Pages
1 Copy
Duplex
Contains color
Spool Cleaning
Spool cleaning ensures that print jobs meeting certain conditions are removed periodically from
spoolers to prevent accumulation of undesired data.

Process description
YSoft SafeQ Spooler Controller based on a CRON rule defined in YSoft SafeQ Management
Service starts the spool cleaning. During the spool cleaning it determines which jobs are viable for
deletion and sends delete request to YSoft SafeQ Job Services for these jobs.
These deletion requests are cached in YSoft SafeQ Job Service's distributed layer.
YSoft SafeQ Spooler periodically sends a status report to YSoft SafeQ Job Service with a list of
jobs it currently has on disk. YSoft SafeQ Job Service compares the job list with the cache of
delete requests and sends command to spooler to delete jobs that should be removed. While
doing so YSoft SafeQ Job Service updates the entries in cache with a TTL (time to live) after
which the cached request will be deleted.
Spooler
Configuration options

value
StatusReporti Reporting Time 3 Defines how often the YSoft SafeQ Spooler will report its
ngOptions Interval Span hours status to the server.
MaxJitter Time 15 Maximum random jitter added to reporting interval. This

Span minutes jitter also represents time, when the first report will be
sent.
Job Service
Configuration options

value
YmqProxy DeleteJobCandidate Time 7 days Time a job delete request is kept in distributed
Options ExpirationTime Span layer before being deleted.
Limitations
It is possible in an edge case scenario that a job will not be deleted from spooler.
YSoft SafeQ Spooler sends status to YSoft SafeQ Job Service
YSoft SafeQ Job Service tries to send command to YSoft SafeQ Spooler to delete jobs and
marks jobs with TTL of DeleteJobCandidateExpirationTime
YSoft SafeQ Spooler disconnects and does not receive the delete command
YSoft SafeQ Spooler doesn't connect within the DeleteJobCandidateExpirationTime

interval

YSoft SafeQ Spooler connects after the cached delete request expired and is deleted
2.4.17.5 Troubleshooting
Logs
C:/SafeQ6/logs/*.log
YSoft SafeQ Client v3
macOS
YSoft SafeQ Spooler: /Library/Application Support/YSoft.Spooler/logs/*.log
YSoft SafeQ Spooler: /Library/Application Support/YSoft.Spooler/versions/latest/logs/*.log
YSoft SafeQ Client (UI): /Users/[USER_ACCOUNT]/Library/Logs/YSoft SafeQ Client
Windows
YSoft SafeQ Spooler: C:/SafeQ6/YSoft.Spooler/logs
YSoft SafeQ Spooler: C:/SafeQ6/YSoft.Spooler/versions/latest/logs/*.log
YSoft SafeQ Client (UI): %APPDATA%/YSoft SafeQ Client/*.log
Monitoring of YSoft SafeQ Job Service
Logging
YSoft SafeQ Job Service log file can be found at $JobServiceInstallationPath$/logs

/jobservice.log, where the log file is rolled every day or when it reaches 50 MB in size.
Health check API
YSoft SafeQ Job Service has a REST API to check the health status of the service. It currently
returns
version of the YSoft SafeQ Job Service
number of connected YSoft SafeQ Spoolers
availability of distributed layer
The information is available by calling HTTP GET method on /health endpoint

Calling the API

You can use tools such as Postman or Insomnia. Following is a sample of the request and
response in Insomnia
If you want to call the API from Terminal on macOS you can use following command
curl on macOS
curl -H "Accept:application/json" https://{JobServiceIPAddress}:{JobServicePort}/health
If you want to cal the API from Windows Powershell you use following command
Invoke-WebRequest on Windows
Invoke-WebRequest https://{JobServiceIPAddress}:{JobServicePort}/health @{"accept"="application

/json"}
Monitoring dashboard
YSoft SafeQ Job Service can be configured to send metrics to InfluxDB. Those metrics can then
be displayed in Grafana dashboard (dashboard with id #2125).
No deployment support
Y Soft does not provide support for deployment of InfluxDB and Grafana and we do not
provide support for any issues related to InfluxDB or Grafana. You can find detailed guides at
their websites.
You have to do following steps to start monitoring YSoft SafeQ Job Service using Grafana
1. Install InfluxDB
2. Install Grafana
3. Add InfluxDB as data source to Grafana
4. Add new dashboard (with id 2125 - "App Metrics - Web Monitoring - InfluxDB")
5. Configure YSoft SafeQ Job Service to start sending metrics to InfluxDB. You have to add
following sections to the YSoft SafeQ Job Service's configuration file

5.
Metics configuration
{
...
"MetricsOptions": {
"Enabled": true,
"ReportingEnabled": true
},
"MetricsReportingInfluxDbOptions": {
"InfluxDb": {
"BaseUri": "...", // Address of your InfluxDB e.g. http://1.1.1.1:8086
"Database": "..." // Name of the database where the data will be stored
},
"FlushInterval": "0:0:5" // This sets the interval at which the data will be sent
}
...
}
If everything went well, you should start seeing some data in your dashboard.
Troubleshooting YSoft SafeQ Client
Frequently encountered issues
Following is the list of frequently encountered issues with YSoft SafeQ Job Service and solutions
which can help you solving them.
1. There is no YSoft SafeQ Client tray icon visible
The installation on Windows requires you to log out and log in again or start the desktop
application manually by opening C:/SafeQ6/Spooler/YSoft SafeQ Client/YSoft SafeQ Client.exe.
2. YSoft SafeQ Client cannot connect to server, resulting in message "The remote certificate is invalid
according to the validation procedure."
If you installed YSoft SafeQ Job Service with a certificate that is not trusted by the operating
system where the client is installed, it will not connect to the server. You can either use trusted
certificate in YSoft SafeQ Job Service or you can disable the validation certificate in YSoft SafeQ
Client (see Configuration).
3. YSoft SafeQ Client user interface keep reopening after a print job is sent
Check whether the time difference between the workstation time and server time is not greater
than 60 seconds. If it is greater then only possible way to fix this issue is by synchronizing the
time of server and workstation. This restriction is because of the security aspects of the
underlying authentication mechanism.
4. YSoft SafeQ Client does not use Single Sign On to authenticate user
Single sign on requires YSoft SafeQ Job Service to be hosted in IIS. See Deployment of YSoft
SafeQ Job Service for details.

If the YSoft SafeQ Job Service is hosted in IIS and single sign on still does not work on macOS
devices then make sure that you use hostname as the server address when installing clients on
macOS. macOS does not enable single sign on with IP addresses.
Troubleshooting YSoft SafeQ Job Service
Frequently encountered issues
Following is the list of frequently encountered issues with YSoft SafeQ Job Service and solutions
which can help you solving them.
1. Near roaming between YSoft SafeQ Job Services fails on Not Authorized
If you found that YSoft SafeQ Job Service could not forward the print request to another YSoft
SafeQ Job Service in near roaming group because the remote YSoft SafeQ Job Service returned
Not Authorized, make sure that you installed both services with the same signing certificate. If
you use separate signing certificate for each service then they will not be able to communicate
with each other.
2. YSoft SafeQ Job Service does not send print commands to connected YSoft SafeQ Spoolers
If a user can send print jobs using YSoft SafeQ Client but those jobs cannot be released from any
printer, then make sure that you have the YSoft SafeQ Job Service correctly configured for your
specific YSoft SafeQ version. YSoft SafeQ Job Service which is connected to YSoft SafeQ
version MU27 or earlier, has to be configured differently.
3. Install script does not get executed
It is possible that Windows might block the install scripts (PowerShell). To unblock them, right click
the script, select Properties and there click/select Unblock. Also make sure, that the use under
which you run the script is allowed to run PowerShell scripts (execution policy in Windows).
4. Near roaming between YSoft SafeQ Job Services fails on "The remote certificate is invalid according to
the validation procedure."
If you did not install your YSoft SafeQ Job Services with certificates, which are trusted by the
operating system where your services run, you have to disable the certificate validation in the
configuration file of the YSoft SafeQ Job Service. You can do it by adding setting
DisableCertificateValidation to true in JobServiceOptions group:
"JobServiceOptions": {
"DisableCertificateValidation": true
}
5. Clients are unable to connect with error ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY
You are probably hosting on a server that does not support HTTP/2 protocol or is incorrectly
configured. You can either fix the issue on your server if possible or force YSoft SafeQ Job
Service to use the HTTP/1 protocol.
To force HTTP/1 protocol add the following to the configuration file:

"Kestrel": {
"EndpointDefaults": {
"Protocols": "Http1"
}
}
2.4.17.6 Features
Auto updating YSoft SafeQ Client
YSoft SafeQ Client can be auto updated by publishing the update package to YSoft SafeQ Job
Service. YSoft SafeQ Job Service will tell YSoft SafeQ Client to update itself if it does not have
the latest available version. Once the YSoft SafeQ Client downloads the installation package from
the server, it will validate its signature and if the update package is valid, it will execute the
executable which is specified in the manifest file. YSoft SafeQ Spooler does not automatically
stop and it does not wait for the updater process to end. It is the responsibility of the updater
process to stop all YSoft SafeQ Client related services, migrate configurations and start services
once the update has completed.
Update is triggered individually for every YSoft SafeQ Spooler. YSoft SafeQ Job Service does not
push the update to all of the YSoft SafeQ Spoolers at once. YSoft SafeQ Spooler reports its
version periodically and when the reported version is not the latest one then YSoft SafeQ Job
Service will tell that YSoft SafeQ Spooler to update itself.
Update package for new version of the client is provided in the product installation packages
alongside the standard installation packages for client and Job Service. The update package
contains new version of both Windows and macOS versions of the client, generated manifest
with package signatures and the signing certificate used for signing the packages.
Updater process privileges
Updater process is executed under the same system account that YSoft SafeQ Spooler runs.
If YSoft SafeQ Spooler runs with elevated privileges so will the updater process. If you write
your own script which will update clients, we will not take any responsibility for any damage
your scripts might cause.
Update architecture support
The auto update is currently supported only on macOS and Windows x64 operating systems.
Configuration

Update mechanism can be configured in SpoolerUpdateOptions group in YSoft SafeQ Job
Service's configuration. Following options are available:
PackageMonitoringInterval - Interval at which the spooler-update folder will be scanned for new
update package.
Format: DD:HH:MM
PackageSigningCertificate - Certificate that was used to sign the update packages. This is
sent to Spooler with the update command, Spooler uses this to verify the update package
(see below).
Example of configuration
{
...
"SpoolerUpdateOptions": {
"PackageMonitoringInterval": "00:10:00",
"PackageSigningCertificate": {
"FilePath":"C:\\SafeQ6\\JobService\spooler-update\cert-2019.cer",
"Password":""
}
}
...
}
YSoft SafeQ Client
Update mechanism can be configured in SpoolerUpdateOptions group in YSoft SafeQ Spooler's

configuration. Following configuration options are available
RequireValidSignature - Client will validate the signature of the package against the certificate
from the server
RequireTrustedCertificate - Client will execute the update package only if the underlying
operating system trusts the certificate
RequireMatchingCertificateFields - Client will execute the update package only if the

certificate's subject contains required fields (see RequiredCommonNames and
RequiredCountries)
RequiredCommonNames - Client will check whether the certificate contains all of these
common names
RequiredCountries - Client will check whether the certificate contains all of these countries
Example of configuration with default values
{
...
"SpoolerUpdateOptions": {

"RequireValidSignature": true,
"RequireTrustedCertificate": true,
"RequireMatchingCertificateFields": true,
"RequiredCommonNames": [ "Y Soft Corporation, a.s." ],
"RequiredCountries": [ "CZ" ]
}
...
}
Security warning
Changing any of the above mentioned configuration values can introduce security issues.
Update package requirements
The package must be a zip file
When creating a custom update package:
Make sure that once you extract it then the extracted folder will contain the YSoft.Spooler[.
exe] executable in it and not another directory. The executable file has to be in root folder
in the package. Name of this file should contain chars "a-zA-Z0-9.".
You should be aware that YSoft SafeQ Spooler might be updating across multiple versions
(Spooler version 1 and the latest version is for example 4). That means (if it applies to you
particular update package) that for example the latest package must contain configuration
migrations for all intermediate versions.
The package must be singed and the signature must be included in the package manifest file.
For more information see section Manifest file structure below.
How to publish update package
Update packages are published to a folder called spooler-updates which is in the installation
path of YSoft SafeQ Job Service. Once the update package is in that folder then it becomes
available for clients.
Folder which contains update packages for YSoft SafeQ Client must have following structure
Spooler updates folder structure
Spooler updates folder structure
JobService
spooler-update
YSoft.Spooler-osx.zip
YSoft.Spooler-win.zip
manifest.json

[VERSION] is the version of the update package (e.g. 9.9.9 - X.Y.Z). Names for the platform specific
compressed packages can be different however they have to be specified in the manifest file.
Manifest file structure
Manifest file structure
{
"version": "[VERSION]",
"packages": [
{
"platform": "macOS", // Target platform
"executable": "update.sh", // File which will be executed
by YSoft SafeQ Spooler
"packageFileName": "YSoft.Spooler-osx.zip", // Update package file name
"packageSignature": "SH+TFBNaInOIO2wGtHECy9pqsQiSb=" // Base64 encoded package
signature
},
{
"platform": "Windows",
"executable": "update.ps1",
"packageFileName": "YSoft.Spooler-win.zip",
"packageSignature": "SbVQfsr3N+vXQRQraR0ov2JDjI7A="
}
]
}
Example of custom update procedure
Following is an example of a procedure which an update script for YSoft SafeQ Client must
implement
1. Migrate configuration files (optional - there might not have been changes between versions)
2. Stop all YSoft SafeQ Client related services (or processes)
a. YSoft SafeQ Spooler
b. YSoft SafeQ Client (user facing application)
3. Change versions/latest symlink to target to your new version
4. Start all YSoft SafeQ Client related services (or processes)
You can see how the folder structure of deployed YSoft SafeQ Client looks like at Deployment of
YSoft SafeQ Client.
Direct Queues in YSoft SafeQ Client v3
YSoft SafeQ Client v3 allows users to manually deploy direct queues on their workstations. This
self-service can simplify queue deployment for administrator up to a point of sharing a queue
name.

Warning for environments with shared workstations
Deployed direct queue will be visible to all users that sign in to the workstation where the first
user deployed the direct queue. Direct queue is being deployed with everyone group in
permissions.
How to deploy - administrator guide
The print driver, native configuration (.dat file) and the path to file that will be used for the
deployed queue should be configured locally in Spooler's configuration file (should be filled during
installation):
spooler.config
{
"SpoolerOptions":{
"Mode":"ClientSpooling",
"DriverName":"YSoft Printer Driver PCL",
"DriverConfigurationFolderPath":"C:/SafeQ6/Spooler/DriverConfigurations",
"DriverConfigurationFileName":"config-a4-x86.dat"
}
}
The print driver in the configuration needs to be installed on the workstation. The print queue
without the driver (both configured and installed) will not be deployed.
In order to configure deployed print queues using native configuration (.dat file), the configuration .
dat file must be located in a folder specified in the Spooler configuration.
How to enable - administrator guide
This feature can be enabled or disabled using enableQueueManagementInClient configuration

property in the Management interface. Also, the product needs to be licensed with the
F_NEW_SQ6_CLIENT license feature.
How to manage print queues on a workstation - user guide
Users are able to deploy direct queues through the user interface.
Accessing the print queues management
To access the Direct queues management UI:
1. Locate the YSoft SafeQ Client v3 icon in the system tray.
2. Right-click the tray icon.
3. Click on the Manage my printers option.

4. A new window with My printers page (showing already deployed print queues) is displayed.
A user authentication may be required before the My printers page is shown.
Deploying new print queues
To deploy new print queues:
1. Access the My printers page (see previous section Accessing the print queues
management on how to do that).
2. Click on Add new printers button.
3.
3. A list of available printers is shown. The page displays all printers to which the user has
access within the SPOC Group he is currently in. It is possible to add more print queues at
once by selecting them from the list. Select printers you want to deploy. You can use the
print queue search to narrow down the number of printers displayed.
4. Once all the desired printers are selected, click on Add new printers button to deploy
selected printers.
Print queues are deployed for all users on given workstation.
5. Once all selected printers are deployed, user is navigated back to My printers page with a
message informing the user about the result of the printers deployment.
Removing deployed print queues

Users can remove any of the deployed print queues.
To remove a deployed print queue:
1. Access the My printers page (see previous section Accessing the print queues
management on how to do that).
2. Hover with your mouse over the print queue you want to remove.
3. T h e Remove printer button appears. Click on it.
4. Selected print queue is removed from the list and the a message informing about the
printer removal is shown.
Emergency Print
Feature description
Emergency print is a feature of the YSoft SafeQ Client v3 that provides limited printing
functionality while a Site Server is not accessible. The client detects if a server is inaccessible
when no response has been received for a specified time and indicate such status with icon.
During emergency print, a user can print directly on printers without passing the job to a server.
Jobs are printed immediately on the selected printer.
Emergency print feature allows printing if the server is not available
Users are able to print if the branch office don't have access to main servers - printing
service is not interrupted
User can willingly decide to print or wait for a resolution from IT department
Emergency print is available for all print queues (Secure, Direct and Shared queues)

Configuration
1. Log in to the YSoft SafeQ Management Service interface with sufficient rights to change
system setting (for example "admin").
2. Go to System > Spooler > Expert tab.
3. Set Enable offline print (offlinePrintEnabled) to Enabled. The default is Disabled. Press
Save Changes to apply these settings.
4. You can also change number of cached printers by editing maximumOfflinePrinters

property.
Limitations & Warnings
Not supported in combination with payment system.
Accounting is not supported but a counter difference accounting message is created with
vendor specific accounting other accounting methods are completely without support.
A user must print at least one job before they are able to print through Emergency print –
to store the last used printer.
Once the job is printed through the YSoft SafeQ Client v3, any users using this Client
application can then do Emergency print.
During printing in Emergency print mode with billing codes enabled (billing-codes-enabled:
true), print job has assigned default billing code (0 - Default Project). This is not
default billing code assigned to the user.
Devices require "print without authentication" configuration option to be enabled (e.g.

Konica Minolta - Configure Print without authentication option).
If there is IP filtering on devices it must be adjusted for communication with workstations

using the Client application.
Emergency print feature is only possible to use with Client application in the client mode (
IsServer: false). Both client modes are supported ( SpoolerMode set to
ClientNonSpooling or ClientSpooling).
Multiple users sharing one Spooler Controller might result in access to other users' print
jobs.
When emergency print is enabled, username and user jobs are not authenticated which
might result in username/accounting data being tampered with.
When emergency print is enabled, user right are not checked and rule based engine rules
are not applied.
Emergency print flow
1.

1. User is notified when connection to Site Server is not available. Client application tray icon
i s c h a n g e d .
2. User sent job to print. There is a notification that he is in Emergency print mode and user
has possibility to print job.
a. User already made print job on some printer. User is able to select a printer and print
t h e j o b .
b.
b. User has no previously used printer. User is not able to print the job and can either
discard all jobs, or wait for the connection. Note that direct print jobs will be
discarded for security reasons.
3. When user clicks on Print now button the job is directly sent to the printer.
a.
3.
a. User is notified when the print job is successfully sent to printer.
b. When printer is not available you can go back and choose another printer, or turn on
the printer and try again. User can also discard all jobs.

Rule-Based Engine Notifications
An administrator can set up a rule in the management interface to display a notification message
with given content to the user. The YSoft SafeQ Client v3 displays a notification message on the
reception of a job by the YSoft SafeQ server.
Some variables or placeholders (job title, job size, etc.) can be defined in the notification message,
as shown in the following image.
The notification messages are grouped within one window until the window is closed by the user,
as shown in the following image.

An Example of a Rule:
When "Job belongs to user with role Management", " Change job owner to John Doe " and " Send
YSoft SafeQ Desktop Interface notification with content of Text to job owner".
2.4.17.7 Limitations
Print Roaming with multiple servers within WAN (Far-roaming mode)
Printing jobs over far roaming is currently not available using new client in combination with Job
Service.
Offline accounting - parsing of duplex and copy count information works only for PCL and PCL
6 jobs
Due to limitation in current version of mako-parser library, only PCL and PCL 6 (PCL XL) jobs have
correctly parsed information regarding duplex and number of copies. Other formats return the
default value of duplex, 1 copy.
Rule based engine
Compatibility table of print languages and rules:

Rule P P P X X PDF
C C S P C
L L S P
6 5
Convert to simplex N/A
Convert to duplex N/A
Convert to grayscale N/A
Print more than once N/A
Watermark N
/A
PJL headers N
/A
2.4.18 YSOFT SAFEQ UNIVERSAL PRINT CONNECTOR
YSoft SafeQ Universal Print Connector is under the Early Access Program, see details about
the program in Early Access Program.
Universal Print technology developed by Microsoft enables customers to manage print servers
and drivers through their Microsoft 365 subscription. A Universal Print connector has been
developed to integrate YSoft SafeQ 6 with the Universal Print feature.
The connector consists of the server component since Microsoft has built in client-side support in
Windows 10 since version 1903 (but recommend 2004+). The installer scripts create an additional
SafeQ service named, “YSoft Universal Print Connector”.
The YSoft Universal Print Connector is compatible with YSoft SafeQ 6 Build 49 and future Builds.
Partners should refer to Microsoft documentation details about accessing the Universal Print
public preview (https://docs.microsoft.com/en-us/universal-print/fundamentals/universal-print-
preview-access) which is required to use the Connector.
2.4.18.1 Architecture
About
The UP Connector is a Windows service which handles communication with the Universal Print
service on behalf of the YSoft SafeQ Spooler.
Universal print information and configuration can be found in Microsoft official documentation.

Prerequisites
YSoft SafeQ installation with a server print job spooler supporting IPP communication:
YSoft SafeQ Client v3
Mobile Integration Gateway (MIG)
A server with YSoft SafeQ (Windows Server OS)
.NET Core 3.1 runtime on the server
Azure Active Directory
Universal Print license
An account with Printer Administrator role in Azure Active Directory
Enabled communication:
HTTPS (443) - communication with the Omni portal API to handle configuration and printer
assignment
IPPS - basic protocol to transfer print jobs between the Universal Print service and the
YSoft SafeQ Spooler
Basic architecture
Single YSoft SafeQ server environment would have the UP Connector service added as outlined
on the diagram below.
Advanced architecture
When there are multiple Site Servers in the YSoft SafeQ environment, the UP Connector service
is added to each Site Server, as outlined on the diagram below. To users, each UP Connector will
be represented by its own print queue name registered with Universal Print portal.

2.4.18.2 UP Connector Deployment
Enroll in Microsoft Universal Print
To be able to use Microsoft Universal Print with YSoft SafeQ, the customer must be enrolled in
Microsoft Universal Print.
Refer to Microsoft Universal Print documentation: https://docs.microsoft.com/en-us/universal-print

/fundamentals/universal-print-getting-started
Register with Y Soft
In this first iteration and to increase security of the solution, Y Soft requires all accounts which
will be used to register the connector whitelisted.
The account used to register connector needs to remain enabled, as it is currently used for
securing and authenticating communication between the connector and OMNI Portal.
If the account used to register connector becomes disabled, one has to re-authorize each
connector using Device code found in service logs (see Troubleshooting section for more
information) using another working account with the right role.
Consider using virtual account instead of a physical user's account for connector
registration.
Contact safequp@ysoft.com to ensure the admin account used in step "Install the UP Connector"
is enabled. Without this step the print queue will not be created. Please provide the following in
your email to safequp@ysoft.com:
Company Name:

SAFEQ MA #:
Microsoft 365 Subscription Level (e.g. E5/A5, E3/A3, etc.):
Contact Name:
Contact Email:
Contact Phone:
Azure AD account UPN (with "Printer Administrator" role):
Download Installation Package
1. Please, download the latest installation package from the Partner Portal.
2. Unzip the package in a location of your choosing.
YSoft SafeQ 6 Environment Prerequisites
The UP Connector delivers the print job using secure IPP protocol, there are those options how to
accept this print job in YSoft SafeQ:
1. Mobile Integration Gateway
2. YSoft SafeQ Client v3 in the Server Mode
Feature Mobile Integration Gateway YSoft SafeQ Client

v3 in the Server
Mode
Accepts IPPS print jobs
Allows queue name changes (print not in the current state (one can configure
job metadata property, not visible to queue it sends jobs to, but it is just this
users) single queue)
Allows to specify UP print queue not in the current state (only very limited
properties on client machines options like default paper size and possibly
3 more)
Allows Far Roaming. See Print

Roaming for more information.
Rule Based Engine integration
OPTION 1: UP Connector with Mobile Integration Gateway
All YSoft SafeQ servers which will be running the connector need to have:
Installed .NET Core Runtime 3.1 - https://dotnet.microsoft.com/download/dotnet-core/3.1
Deploy MIG on the server following Mobile Integration Gateway deployment

Please make set the configuration option allow-public-user to true (default is false) in
<SAFEQ_MIG_DIR>\bin\MigService.exe.config
<add key="allow-public-user" value="T"/>
The MIG certificate needs to be trusted by OS running the UP connector. Either configure
MIG to use own trusted certificate or ensure trust of the default self-signed.
The default deployment script of the UP Connector expects the IPP spooler to be on port
631:
OPTION 2: UP Connector with YSoft SafeQ Client v3 in the Server Mode
Installed .NET Core Runtime 3.1 - https://dotnet.microsoft.com/download/dotnet-core/3.1
Deployed JobService on the server - Deployment of YSoft SafeQ Job Service
You need to apply for Early Access Feature
Deployed Client v3 on the server - Deploying YSoft SafeQ Client v3 in the Server Mode
You need to apply for Early Access Feature
Also stop and disable the server FlexiSpooler service
Install the UP Connector
Deploy with Default Settings
Please, avoid running the Powershell from the Total Commander when running installation
scripts, as there is a bug with the symlinks and your system32 folder might be wrongly
redirected to the SysWOW64 folder!

The account used to register connector needs to remain enabled, as it is currently used for
securing and authenticating communication between the connector and OMNI Portal.
If the account used to register connector becomes disabled, one has to re-authorize each
connector using Device code found in service logs (see Troubleshooting section for more
information) using another working account with the right role.
Consider using virtual account instead of a physical user's account for connector
registration.
1. Make sure you have installed the appropriate .NET Core Runtime version (see the
prerequisites above).
2. Copy the installation package of the UP Connector onto the server.
3. Install the UP Connector by running the following command in the console window
(this will install the UP Connector with the default settings, see the advanced installation
below):
.\install-win-service.cmd
4. Use the device code and URL displayed in the console window to register the connector in
case this step is required and confirm it
(the code and the URL can be found in the installation logs as well).
Advanced Installation with Custom Settings
Follow the steps from the standard installation above but exchange the step #3 with the
following instructions:
Alternatively, the UP Connector can be installed using the following command in the
Powershell console window allowing to customize some settings
(if the script is run without any additional parameters it will again result in the default settings
being used):
.\install-win-service.ps1
The following parameters can be customized:
InstallPath (the default is "C:\SafeQ6\UPConnector")
UPConnectorZipFile (the default is "YSoft.UPConnector.zip")
JobServiceIppsHostname (the default is "localhost")
PrinterDeviceName (the default is "SafeQ 6")

for example:
.\install-win-service.ps1 -InstallPath 'C:\custom\location\UPConnector' -

PrinterDeviceName 'Custom SafeQ 6 Printer Name'
Deploy User Print Queues
1. Once installed, there will be a new print queue into your Universal Print management
console on Azure Portal. Administrators can now share it with people from their
organization. Refer to Microsoft Universal Print documentation: https://docs.microsoft.com
/en-us/universal-print/fundamentals/universal-print-printer-permissions
2. When the printer queue is shared, users can add it following this guide https://docs.
microsoft.com/en-us/universal-print/fundamentals/universal-print-getting-started#step-4-add-
a-universal-print-printer-to-a-windows-device
3. All print jobs can now be released on any print device enabled with YSoft SafeQ 6.
Uninstallation of UP Connector
1. Go to the installation folder of the UP Connector. Usually, it is: C:\SafeQ6\UPConnector
2. Uninstall the UP Connector by running the following command in the console window:
.\uninstall-win-service.cmd
3. Confirm that you really wish to proceed with the uninstallation process.
Force clean the Universal Print connector profile
To fully clean data from MS Universal Print that are used by YSoft SafeQ Universal Print
Connector service, uninstall the service by uninstallation script and remove the folder C:
\Windows\System32\config\systemprofile\.universal-print with all the
content.
Silent Uninstallation of UP Connector
Alternatively, you can uninstall the UP Connector silently by running the following command in
the Powershell console window:
.\uninstall-win-service.ps1 -Force

If you omit the -Force argument, the user will be prompted for the confirmation before
uninstalling (and the unistallation will no longer be silent).
2.4.18.3 Configuration and logs
UP Connector configuration
The main configuration file is created automatically by installation script. There is not need to
update it manually. Following description is important only for validation in case of troubles.
Configuration file for UP Connector is local.json file stored in the UP Connector directory - e.g. C:
\SafeQ6\UPConnector\configuration\
It can look like this:
local.json example
{
"DebugOptions": {
"FakeOutputDevices": false
},
"ConnectorHubOptions": {
"ConnectorHubUri": "https://upconnectorhuburi.azurewebsites.net",
"TenantId": "<TenantGUID>",
"ClientId": "<ClientGUID>"
}
}
You can set FakeOuputDevices to true if you want to debug the IPP messages and printing by
connector itself. The jobs will be stored in C:
\Windows\System32\config\systemprofile\.universal-print\ folder.
The ConnectorHubOptions key contains an object, where you can find links into all important
Azure resources. You can switch here into which environment the connector is connected.
Token cache
There is a token cache file where the authentication to the Azure services is cached. It is stored
in C:\Windows\System32\config\systemprofile\.universal-print\tokenCache.
enc and if you delete it the connector will ask you to perform some action to authenticate again
(in it's logs).
The desired state and printer management
Desired state file can be found here: C:\Windows\System32\config\systemprofile\.

universal-print\desiredState.json
In this file, you can find ProxiedPrinters JSON key, which value is an array of printer object. Each
printer has following attributes:

Proxied printer object example
{
"PrinterId": "",
"DeviceName": "SafeQ 6",
"IsEnabled": true,
"PrinterUri": "https://localhost:631/",
"RegistrationId": "<RegistrationIdGUID>"
}
Right after the installation of the UP Connector, this printer is generated and registered into
Universal Print.
If you want to add a new printer just add a new object into the ProxiedPrinters array. Just pick a
different name for it, because Universal Print can have problems with the same names for
multiple printers. The registration identification can be blank, it will be generated on the server
site.
Changing the existing proxied printer
We do not recommend to change any existing printer, just create a new one with different
name.
Logs
The logs of the UP Connector installation are e.g. in C:

\SafeQ6\UPConnector\logs\install.log
The logs of the UP Connector are e.g. in C:\SafeQ6\UPConnector\logs\upconnector.log

. At the beginning of the log file there is the connector's configuration, so you can check if the
connector is configured properly and you can see the IPP messages here.
2.4.18.4 Troubleshooting UP Connector service
Installation problems
In case of problems during installation, it's recommended to check the install log. Default location
is c:\SafeQ6\UPConnector\logs\install.log
Service does not work properly
In case of problems with service, it's recommended to check the UP Connector log. Default
location is c:\SafeQ6\UPConnector\logs\upconnector.log

Fresh install of the Universal Print Connector
To fully clean data from MS Universal Print that are used by YSoft SafeQ Universal Print
Connector service, uninstall the service by uninstallation script and remove the folder C:
\Windows\System32\config\systemprofile\.universal-print with all the content.
Then you can install it again.
2.4.18.5 Import users from Azure Active Directory - Azure AD
When I need to do that?
When integrating with Azure AD it is necessary to ensure that all print jobs delivered to YSoft
SafeQ are received under the correct user login. Customers using Azure AD are using two
different approaches:
1. Azure AD DS with secure LDAP available.
2. Pure Azure AD with Azure AD joined workstation.
Tip: if unsure which one is you case, think about your logon screen: if you are using your full email
address, you are most likely on option 2.
Scenario 1: Azure AD DS with secure LDAP
Those customers are using managed domain and should follow standard LDAP integration
documentation (LDAP Integration).
Reference: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-
configure-ldaps
Scenario 2: Azure AD
Customers who abandoned traditional managed domain and are running pure Azure AD would be
logging into their workstations using their Office 365 credentials (email address). Those are "Azure
AD joined" workstations where user logins are treated differently than in standard managed
domain environments.
In this case there is Secure LDAP Proxy extension available via the Extension Store.
The Secure LDAP Proxy extension has a number of limitations, stated in the extension
documentation. Please, Read through them carefully to find out if it is applicable for your
deployment.

Troubleshooting tips
In case customer doesn't have LDAP replication he can manually assign print job to an existing
/new user in YSoft SafeQ 6 Management portal.
Customer should follow these steps:
1. Open Management server login window and login
2. On Dashboard page click on Reports
3. On the Reports page find the unassigned job. Select this job and click on the Assign icon

4. On popup dialog select Create a new user or Choose user from list
5. Find and select user which you want to use to assign print job
6. Confirm job assigning to the selected user
7. On the Reports page you should see assigned print job to selected user.
8. Selected user can print the job on printer
2.4.18.6 UP Connector Known Issues and Limitations
Microsoft Universal Print
The following list is directly related to Microsoft's product "Universal Print" (thus outside of Y
Soft's control):
Maximum job size supported by Microsoft Universal Print is 100 MB
Maximum job retention time in the UP cloud queue is 2 days (i.e. connector has 2 days to
download queued jobs)
2.4.19 YSOFT SAFEQ USB CARD READERS
YSoft SafeQ USB Card Reader v2

2.4.19.1 YSoft SafeQ USB Card Reader v2
USB card reader v2 overview
The YSoft SafeQ USB Card Reader v2 can be connected simply to a multi-functional device (MFD)
and serves for user authentication using a card. The card must be assigned to a user in the
YSoft SafeQ system. After successful authentication the user can use the device and perform his
/her print, copy or scan jobs (depending on the device). The YSoft SafeQ USB Card Reader v2 can
also be connected to workstations and used with YSoft Payment System cash desk application
or with the YSoft SafeQ client for authentication.
The YSoft SafeQ USB Card Reader v2 has the following characteristics:
Connection and power supply of the card reader via the USB host interface.
Compatibility with some other MFD applications.
USB card reader v2 specification
Parameter Value
Identification Using a card reader
Voltage 5V DC
Maximum current input 0.5A
Resistance to magnetic fields no added resistance
Cable length 2m
USB card reader v2 certificates/validity approval
The information about certifications depend on exact product part number, therefore, for detailed
information please contact the Y Soft representative.

2.5 LICENSING
2.5.1 LICENSE MODEL OVERVIEW
The YSoft SafeQ 6 license model is based solely on the number of multifunction devices (MFDs) or
other printers in the customer’s print network. The model benefits customers and organizations
of all sizes:
Large enterprises–amount of locations or end users does not affect the license
Small to medium size organizations–feature and license flexibility
Overall, the license model saves time and money when preparing an offer and serves as a guide
to selecting the best mix of features and functions suitable for customer needs. To support the
long-term relationship and growth of customers, the YSoft SafeQ 6 license model allows the
extending or enhancing of a customer's license with new modules, plus increasing the number of
MFDs/printers covered by the license.
2.5.2 TYPES OF YSOFT SAFEQ 6 LICENSE
All licenses are defined by the number of devices, selection of Suite or modules, and license
type.
The number of devices is split into two categories:
MFDs/Printers that support YSoft SafeQ embedded or mobile terminals
These devices require License with Embedded Terminal
MFDs/Printers that either support other YSoft hardware or no terminals
These devices require License without Embedded Terminal
Two types of licenses are available for customer purchases:
A Perpetual License allows the customer to make an upfront purchase of a product license.
A Subscription License enables customers to pay on a monthly or quarterly basis.
YSoft SafeQ 6 can match specific customer needs by offering a selection of modules or
predefined Suites.

2.5.3 SUITE OVERVIEW
2.5.3.1 YSoft SafeQ Enterprise Suite
YSoft SafeQ Enterprise Suite combines centralized enterprise print management with advanced
document capture and workflow processes in a single solution–maximizing productivity, reducing
costs, and increasing document security.
Modules included:
Authentication
Print Roaming
Rule-based Engine
Mobile Print
Core Workflows
Advanced Workflows
Credit and Billing
Reporting
2.5.3.2 YSoft SafeQ Print Management Suite
YSoft SafeQ Print Management Suite provides organizations with a centralized enterprise print
management solution designed to reduce the costs of print services, increase document security,
and improve workflow productivity through a set of core document scanning features.
Modules included:
Authentication
Print Roaming
Rule-based Engine
Mobile Print
Core Workflows
Credit and Billing
Reporting

2.5.3.3 YSoft SafeQ Workflow Suite
YSoft SafeQ Workflow Suite takes the complexity out of scanning and document workflows.
Combining YSoft SafeQ’s core and advanced document capture features, organizations can work
smarter and maximize productivity while using digital workflow processes, which result in
consistent, accurate data capture. The Suite includes the YSoft SafeQ 6 essential print
management modules for secure access to perform document capture processes and to improve
the security of documents in the workflows.
Modules included:
Authentication
Rule-based Engine
Core Workflows
Advanced Workflows
Reporting
2D Barcodes*
*The 2D Barcodes module's availability to be announced via Y Soft Partner Portal
2.5.3.4 YSoft SafeQ Print Management Suite LD
Organizations that wish to deploy print management on small, often inexpensive, printers need a
solution whose cost doesn’t outweigh the benefits. YSoft SafeQ Print Management Suite LD
provides all the benefits of a centralized print management solution, with core document capture
features, for select multifunctional devices.
Modules included:
Authentication
Print Roaming
Rule-based Engine
Mobile Print
Core Workflows
Credit and Billing
Reporting
Print Management Suite LD can be used in conjunction with Print Management Suite or Enterprise
Suite.

2.5.4 MODULE OVERVIEW
2.5.4.1 Authentication
This is an essential module for customers that need users to identify and authenticate
themselves before using MFDs/printers. The module provides secure access to the native
functions of the MFD (copying and scanning). MFDs are automatically locked until a user
authenticates with an ID card or other means of authentication (i.e. a username/password
combination or PIN code). This module also enables users to print jobs sent to the MFD via YSoft
SafeQ 6 direct queue. (Print Roaming module is required to print via a secure or shared queue.)
2.5.4.2 Rule-based Engine
Rule-based Engine is primarily used to optimize the print environment and reduce costs further by
using print rules. This module enables the administrator to set up rules for monochrome and
duplex printing for the entire company, individual users, or departments.
2.5.4.3 Print Roaming
The Print Roaming module enables users to print documents at any MFD in the print network (or
at single function printers through the use of YSoft SafeQ Mobile Terminal). The user is also able
to manage their print jobs directly at the MFD/printer using an embedded terminal, Terminal Pro or
Mobile Terminal, depending on the device's capabilities. For example, the user can reprint or delete
a job or mark the job as a Favorite for quick reprinting anytime.
2.5.4.4 Mobile Print
The Mobile Print module dramatically streamlines the user workflow by allowing them to send
print jobs via email and a web interface from their mobile devices (such as tablets or
smartphones). Mobile Print also features native printing from iOS/OS X devices. The YSoft SafeQ
server verifies the job and places it in a print queue, allowing the print to be released at any
compatible MFD/printer in the network.
This module is an added value for customers that want to increase efficiency and support user
mobility and productivity within a print environment.
The Mobile Print module is suitable for use with all other modules. An Authentication module is
required.
2.5.4.5 Core Workflows
With the push of a single button, users can scan directly to their email or default folder. The
module includes secure scanning to Microsoft Sharepoint, Microsoft SharePoint Online, Microsoft
OneDrive and Dropbox Business and Dropbox Enterprise, with folder browsing and file storage

under the user’s identity. Scanning to email (using SMTP protocol or Microsoft Exchange Web
Services), a home folder, or a predetermined location via scripts is possible in addition to the new
core set up, allowing integration into existing business processes. Authentication module is
required.
2.5.4.6 Advanced Workflows
In addition to Core Workflows, the Advanced Workflows module offers a world-class OCR engine,
image cleanup, append or prepend pages, blank page removal, PDF security, MRC compression,
document separation, highlighter text extraction and redaction, and searchable PDF, DOC, XLS
files. Authentication and Core Workflow modules are required.
2.5.4.7 Credit and Billing
The Credit and Billing module enables the automatic withdrawal of money from a user’s account
for each page the user prints on an MFD/printer. Administrators are able to define multiple price
lists for individual MFDs/printers, users, or groups. Instead of money, quotas can be set up for
tracking the amount of printing per user or groups of users.
This module also enables multi-level project accounting codes, which we recommend combining
together with the Authentication and Reporting modules.
In addition to pay for print, copies and scans can be also charged for, which requires the
Authentication module.
To receive all the benefits of the Credit and Billing module, we recommend combining it with the
following modules:
Authentication–The MFD is locked for copies and scans until the user authenticates, enabling
the user to be charged for copies and scans.
Reporting–Working on a project, users can enter billing codes, so that prints, copies and scans
can be allocated toward the project or client for billing.
Print Roaming–Users can print documents at any MFD/printer, with the terminals showing the
status of the credit account and changes.
2.5.4.8 Reporting
The Reporting module enables customers to display clear and comprehensive information about
the print environment. Reports can be displayed in the YSoft SafeQ management report, which
shows details of how individuals, teams, or departments print.
The Reporting module can be purchased as a standalone option for particular MFDs/printers in the
network. For example, a customer may decide to purchase YSoft SafeQ 6 Enterprise Suite, which
covers 10 MFDs, and in order to cover three legacy network printers, they can purchase three
Reporting modules to track costs and operations related to these three printers, too.

Module name Can be used Included functions Other information
standalone?
Authentication Direct queue The Authentication

Authentication application module is required for the
on YSoft SafeQ following modules:
Embedded Terminal Core Workflows
/Terminal Professional Advanced Workflows
Various authentication Print Roaming
methods (PIN, card, The Authentication
username and password, module is recommended
combination) for the Credit and Billing,
Card self-registration Reporting, and Mobile
Print modules
Print Roaming Secure queue The Reporting or Credit

, requires Direct queue and Billing module is
the Authentication Print application on YSoft required for accounting of
module SafeQ Embedded Terminal the print jobs
/Terminal Professional
Management and The Authentication
administration of the module must be
print queue
installed on the
Shared queues
embedded terminal in
Print Roaming (including
order to make this
near and far roaming)
module functional.
Reporting Direct queue A license for the

Online, offline, and Reporting module can be
embedded accounting offered as standalone in
Predefined automatic addition to the rest of the
reports in various licensed modules
formats Recommended module:
Management reports Authentication
Customizable reports
Local printer monitoring The Authentication
Default definable price list module is REQUIRED fo
User tags
r embedded
accounting on
embedded terminals.
Only one price list is
available
Credit and billing Direct queue Recommended with

module module: Authentication

standalone?
YSoft Payment System The Authentication

(including the Payment module is REQUIRED fo
System administration r embedded
interface and the Cash
accounting on
Desk interface)
embedded terminals.
SafeQ Payment Machine
Support is not
support (credit charging
via SPM)
available for Toshiba
Support for credit and OKI embedded
operations on terminals terminals
(payments for prints
/scans/copies)
Online, offline and
embedded accounting
Multiple definable price
lists
Multilevel billing codes
Rule-based Direct queue Recommended with the

Engine RBE conditions, actions Authentication and Print
and notifications Roaming modules
It will be not possible

to use certain rules
and conditions
without these
additional modules:
Conditions Job has
been sent to
named queue
<contains /
matches>
<queue_name>,
Job has been sent
to queue type
<direct / secured /
shared>, and
"Outcome of
authentication on
terminal" requires
the Authentication
module

standalone?
Actions Re-queue
the job to <queue>
require the Print
Roaming module
Triggers Before job
is released to the
printer, On user's
login at terminal
and On user's
logout at terminal
require the Print
Roaming module
The Standalone Rule

Based Print module
provides the same
benefits when
obtained with a
license for a device
with/without an
embedded terminal.
Core Workflows The Scan application on The Reporting or Credit

, requires the embedded terminal and Billing module is
the Authentication A file system connector required for accounting of
module An email (SMTP) the scan jobs
connector
An email (Microsoft
Exchange) connector
A Dropbox Business /
Enterprise connector
Microsoft SharePoint
2010, 2013 and 2016
connectors
Microsoft SharePoint
Online (Office 365)
connector
Microsoft OneDrive for
Business (Office 365)
connector
Scan to script workflows

standalone?
1D barcode processing
Advanced OCR processing The Reporting or Credit

Workflows , requires Highlighted text and Billing module is
the Authentication extraction required for accounting of
and Core Highlighted text redaction the scan jobs
Workflows Scan Separation
modules
Mobile Print Mobile Print via email Recommended with the

Mobile Print via the Mobile Authentication and Print
Print web interface Roaming modules
Conversion of multiple
formats (PDF, DOC, XLS, The Standalone Mobile
PPT, JPEG, PNG) Print module provides
AirPrint
the same benefits
when obtained with a
license for a device
with/without an
embedded terminal.
2.5.5 LICENSE CONSUMPTION
A license is consumed when a new printer is added:
when an Embedded Terminal is installed, after saving the device, the license for a Device
with embedded terminal is applied.
when the Reporting device is created, after saving the device, the license for the standalone
Reporting module is applied.
when the Hardware terminal option or no option is selected, after saving the device, the
license for Device without embedded terminal is applied.
2.5.6 SUBSCRIPTION LICENSING
In addition to classic perpetual licenses, YSoft SafeQ 6 can also be licensed as a subscription. A
subscription model represents a new business model where the customer is billed with a
recurrent payment based on real usage.
Recurrent payments – The customer pays a recurrent payment on a monthly/quarterly basis

instead of buying a license upfront of usage.

Pay as you use – The customer pays only for devices that are used during that period.
In order for it to be possible to create an invoice for the devices used, it is necessary to export a
report from the customer's environment about how many devices are used in a specified period.
2.5.6.1 How to set up subscription licensing:
1. Activate YSoft SafeQ 6 with a license containing the feature "Subscription model support"
2. Set the configuration option "enableSendingOfSubscriptionModelReport" to Enabled
3. Define the recipient address in the configuration option "subscriptionModelEmailAddress"
4. (optional) Set the configuration option "subscriptionReportBillingDay" to the selected day of

the month when the Subscription model report should be generated
5. (optional) Configure the usage report in the configuration option

"subscriptionReportDeviceData"
6. Set up the email settings with proper SMTP server configuration
2.5.7 GENERAL LICENSE DATA
YSoft SafeQ 6 uses an encrypted XML license file (license.xml) stored in %SAFEQ_HOME%
\SPOC\conf\license\license.xml. Every license has (an) expiration date(s) and is limited to a specific
YSoft SafeQ 6 version.
Information contained in license includes:
Date of expiration
Support ID
Required online product authentication
Extension of existing license
License owner
2.5.8 LICENSE EXPIRATION
When a license accounting feature for some device group (e.g. devices with embedded terminal)
expires, Accounting method feature is disabled on all devices of given device group.
2.5.9 MULTITENANCY LICENSING
To activate Multitenancy in a clean or existing installation, you need to request a license

dedicated for Multitenancy only.
For activation, follow the steps on Activating YSoft SafeQ 6 in multitenant mode

Please note that the list of available features contains only the most important ones. For
further information, please see the licensing guide on Partner Portal or contact your Y Soft
representative.
Available features may vary depending on the type of terminal.
Authentication, Reporting, Credit and Billing, Rule Based Print, and Mobile Print modules can
be licensed standalone. Print Roaming, Core Workflows, and Advanced Workflows modules
must be licensed together with the Authentication module.
For each per device license (with embedded terminal or without embedded terminal), either
the whole Suite with all modules can be licensed, or just individual modules or their
combination. However, the licensed modules have to match.
It is not allowed, e.g., to license 10 devices with embedded terminal with Authentication
and Print Roaming modules and 10 devices with embedded terminal with Authentication
and Core Workflows/Advanced Workflows Modules
The only exception is the Reporting module which can be licensed standalone in addition to
the other licensed modules (for example, for the monitoring of prints on older devices).
Up-to-date information about available licenses, packages, and combinations is always

available from your Y Soft representative.
2.6 PRODUCT LIFECYCLE
This page serves as an official notice about sales, support and EOL (end of life) of Y Soft
products.
Unsupported – Product is no longer supported. Y Soft recommends upgrading to a newer

version of YSoft SafeQ.
Maintained – Product is supported in terms of incident management and fixing critical

defects only. No custom modifications, new features, support of newer platforms or new
devices are provided.
Supported – Officially supported and maintained product. Includes regular update releases,
new device support, new platforms and new features.

2.6.1 YSOFT SAFEQ
Version Status End of life
YSoft SafeQ 6 6.0 Supported Not specified
YSoft SafeQ 5 5.0 Supported Not specified
YSoft SafeQ 4 4.0 (customers with valid Maintained Until the end of the
Silver/Gold/Platinum SLA) agreement
4.0 (customers with valid SW Unsupported 30-Jun-2018

Support)
4.0 (customers without valid Unsupported 30-Jun-2017

SW Support and any SLA)
YSoft SafeQ 3.7 3.7.4 (available to select Unsupported 31-Dec-2012

customers)
YSoft SafeQ 3.6 3.6.2 Unsupported 17-Mar-2016
YSoft SafeQ 3.5 3.5.2 Unsupported 31-Jul-2014

Instant Edition
YSoft SafeQ 3.3 3.3.5 (available to select Unsupported 31-Dec-2011

customers)
YSoft SafeQ 3.2 3.2.44f (selected projects Unsupported 31-Dec-2010

only)
YSoft SafeQ 3.1 3.1.5-p17 Unsupported 31-Jul-2012
YSoft SafeQ 3 3.0 Unsupported 31-Jul-2008
YSoft SafeQ 2 2.1 Unsupported 31-Dec-2007
2.6.2 NEW ACCESSORIES
Component Status End of life YSoft YSoft YSoft YSoft

SafeQ 3. SafeQ 4. SafeQ SafeQ
x x 5 6
YSoft SafeQ Supported Not scheduled

Terminal Pro 4
YSoft be3D eDee Supported Not scheduled
YSoft SafeQube 2 Supported Not scheduled

Component Status End of life YSoft YSoft YSoft YSoft
SafeQ 3. SafeQ 4. SafeQ SafeQ
x x 5 6
YSoft USB Reader Supported Not scheduled

3
2.6.3 LEGACY ACCESSORIES
Compon Latest Status End of YSoft YSoft YSoft YSoft Notes

ent version life SafeQ 3. SafeQ 4. SafeQ SafeQ
x x 5 6
YSoft n/a Maintained n/a End of

Network sales
Card started.
Reader
YSoft n/a Maintained n/a End of

USB sales
Card started.
Reader
v2
Fingerpri n/a Unsupported 31-Jul-

nt 2008
Manager
for
SafeQ
YSoft 1.0 Unsupported 31-Jul-

SafeQ 2008
Terminal
Lite v1

SafeQ 2008
Terminal
Lite v2

SafeQ 2008
FAX
Server
2.0 Unsupported 3.x

x x 5 6
YSoft 31-Jul-
SafeQ 2012
Terminal
Professi
onal v2
YSoft n/a Unsupported 31-Jul- 3.1+

SafeQ 2012
Rechargi
ng
Station
v1
YSoft 3.1 Unsupported 31-Jul- 3.1.5-

SafeQ 2012 p17
Central
Reportin
g
System
Professi
onal
YSoft n/a Unsupported 31-Jul- 3.5+

SafeQ 2012
Rechargi
ng
Point -
Serial
port
YSoft n/a Unsupported 31-Jul- 3.6.2

SafeQ 2014
Branch
Microser
ver
YSoft n/a Unsupported 31-Dec- 3.6+

SafeQ 2015
Rechargi (FW 3.14
ng +)
Station
v2
YSoft n/a Maintained Not 3.5+

SafeQ earlier
Rechargi than

x x 5 6
ng 31-Dec-
Point - 2016
USB
YSoft 3.0 Maintained Not 3.x Support

SafeQ earlier in YSoft
Terminal than (FW (FW SafeQ
Professi 31-Dec- 3.11.1+) 3.11.1+) 6 to be
onal v3 2016 announc
(Monoch ed.
rome
Display)
YSoft 1.0 Supported Not 3.x Support

SafeQ earlier ed in
Terminal than YSoft
Ultraligh 31-Dec- SafeQ
t 2016 6 from
MU7.
YSoft 3.5 Supported Not 3.x Support

SafeQ earlier ed in
Terminal than (FW (FW (FW YSoft
Professi 31-Dec- 3.11.1+) 3.11.1+) 3.11.1+) SafeQ
onal v3 2016 6 from
(Color MU13
Display) for
copying
and
printing
YSoft n/a Supported Not 3.5+

SafeQ earlier
Paymen than (FW 3.14 (FW 3.14
t 31-Dec- +) +)
Machine 2016
2.7 SECURITY OVERVIEW
This whitepaper describes the different configuration options for data security within YSoft
SafeQ 6, required configuration and related demands on customer infrastructure.

2.7.1 COMMUNICATION PATHS
YSoft SafeQ 6, on very abstract level, is comprised of several network communication paths
described in this article. A general overview of the communication is as follows:
There are eight major paths available in YSoft SafeQ 6:
1. Communication from client workstation to YSoft SafeQ server – for printing.
a. Sending job from computer
b. Sending job from mobile client
2. Communication from terminal/reader to YSoft SafeQ server – for MFD level authentication
3. Communication from server to network printer / MFD, covering the following:
a. printing
b. AAA services - authentication, authorization and accounting.
4. Integration with identity management database or identity / authentication provider or

Certification authority.
5. Connection from YSoft SafeQ server to SMTP mail server or shared network folder for data
delivery.
6. Integration with 3rd party applications or systems.
7. Inter-server communication in Distributed SafeQ Server system.
8. Administrator access to YSoft SafeQ web interface.

2.7.2 DATA SECURITY OPTIONS
There are several data transfers realized over the described communication paths. Those data
can be secured by following means. Authentication and encryption details will be described
further.
Transferred Data Unencrypted Encrypted
(1a) Print from client computer HTTP TLS (HTTPS) [default]
(1b) Print from mobile client n/a TLS (IPP over SSL)
[default]
(2) Authentication data from terminal to server proprietary or HTTP TLS (proprietary or
SOAP) [default]
(2) Copy / scan session data from terminal to proprietary or HTTP TLS (proprietary or
server SOAP) [default]
(3a) Print from server to network printer RAW, IPP [default] TLS (IPP over SSL)
(3b) Scan data delivery from MFD to server [default] TLS (WebDAV/S)
(4) SafeQ integration with identity database LDAP or JDBC [default] TLS (LDAPS)
provider
(5) Scan data delivery from server to IMAP, POP3, SMB Protocol dependent
destinations (mail server, shared network [default]
folder)
(5) Scan data delivery from server to HTTP [default] TLS (HTTPS)
destinations (SharePoint, Dropbox)
(5) SafeQ integration with mail server SMTP [default] TLS (SMTPS)
(6) SafeQ integration with 3rd party provider Provider dependent Protocol dependent
(7) SafeQ Inter server communication Proprietary [default] TLS (proprietary)
(8) Administrator access to YSoft SafeQ HTTP TLS (HTTPS)

management interface
Internal communication between YSoft SafeQ server subsystems is mainly unencrypted by

default with optional encryption and authentication. The critical paths are encrypted by
default, using the same certificate for all YSoft SafeQ 6 deployments.
For detailed scheme and information about security of internal communication paths, please
refer to Communication paths.

2.7.3 TLS BASED DATA ENCRYPTION
Authentication
YSoft SafeQ 6 supports unauthenticated TLS communication for data paths 1, 2, 3, 4, 5, 7, 8
3rd Party communication model is based on individual applications and/or protocols.
Server Authentication is enabled by default for data paths:
4 (YSoft SafeQ server verifies LDAP certificate & domain name)
7 (SPOC server verifies Management server certificate)
8 (Administrator web browser verifies YSoft SafeQ server certificate & server hostname).
Server Authentication is supported for data paths:
1 (Client computer verifies YSoft SafeQ server certificate & server hostname. YSoft SafeQ
Client and printer drivers must be installed at the workstation, printer sharing from central
server is not possible)
2 (YSoft SafeQ terminal verifies YSoft SafeQ certificate & server IP address)
3a (YSoft SafeQ server verifies printer certificate & printer hostname)
3b (MFD verifies server certificate - this depends on MFD capabilities and requires trusted
CA)
5 (YSoft SafeQ server verifies mail server certificate)
Client authentication is supported for:
7 (SPOC server verifies Management server certificate and vice versa)
Key management (trusted CA):
Administrator uploads trusted issuer (CA) certificate to YSoft SafeQ 6.
YSoft SafeQ server certificate(s) - for Terminals, Workstation Clients and administrator
workstation(s).
Administrator creates certificates for all servers using Trusted CA.
Server certificates (private keys) are stored in password protected key store on the YSoft
SafeQ server disk with password hard-coded to the application or in System Key Storage
(Windows Certificate Store).
Client can verify the server identity using certificate trust and server host name / IP
address.
MFD Certificates
MFDs are verified using trusted certificate and hostname.
LDAP Certificate
LDAP server is verified using trusted certificate and hostname.

Key management (without trusted CA):
YSoft SafeQ server certificate(s) - for Terminals, Workstation Clients and administrator
workstation(s).
Administrator creates self-signed certificates for all servers.
Server certificates (and private keys) are stored in password protected key store on the
YSoft SafeQ server disk with password hard-coded to the application or in System Key
Storage (Windows Certificate Store).
Client can verify the server identity using certificate trust and server host name / IP
address, in case the created certificate is stored in
MFD Certificates
YSoft SafeQ retrieves X509 certificate on first connection to the MFD.
LDAP Certificate
YSoft SafeQ retrieves X509 certificate on first connection to the identity database
provider.
For detailed guide for setting keys and certificates through all YSoft SafeQ subsystems see
System communication hardening
2.7.4 AUTHENTICATION
YSoft SafeQ 6 supports user authentication to the terminal in various modes (Domain username,
Username & password, PIN, card and combinations of these). Terminal always communicates
authentication data (PIN codes, Card Numbers or User Credentials) via secured TCP/IP
communication to YSoft SafeQ server.
Authentication data are verified by following means:
For SPOC - data are ALWAYS verified with Local Data Cache and (only if not found locally) with
Management server. Data are replicated to SPOC data caches in scheduled intervals or on
demand (by Administrator or 1st User Access).
For Management - PIN codes and Card Numbers are verified by sub-string match in YSoft
SafeQ SQL database. PIN codes are typically stored in form of one-way hash.
User Credentials (Login/Password) on Management server are verified either by sub-string

match in SafeQ SQL database (if manually assigned to the user) or with LDAP - using LDAP/S
authentication mechanism. Locally stored passwords (one-way hashes) are replicated to SPOC
data cache. If the password is found in SPOC data cache, Management server (and further
LDAP server is not used)

2.7.4.1 Password storage
User passwords stored in YSoft SafeQ 6 are encoded using a cryptographically secure hash
function. A random salt is generated for each password.
Currently the only supported hash function for secure password storage is BCrypt, with
configurable strength.
In order to simplify the migration from YSoft SafeQ 5, it is possible, if explicitly enabled, to
authenticate against a non-salted MD5 hashed password. In this case, after successful
authentication, passwords are rehashed using the standard password encoder and the MD5 hash
is removed.
2.7.5 AUTHORIZATION MODEL
YSoft SafeQ 6 is managed via a centralized web interface.
It uses Role-based access control (RBAC) with Capability model for certain system operations.
The administrator can create multiple roles and delegate selected administrative and managerial
permissions and operations to these roles. It is also possible to define personal user accounts
with full administrative privileges, and disable the default, anonymous administrative account.
YSoft SafeQ 6 supports replication of roles from external sources (e.g., Active Directory/LDAPS or
CSV file) with additional administration within YSoft SafeQ 6.
With Active Directory and eDirectory, the YSoft SafeQ system takes advantage of advanced
Active Directory specific replication information to optimize the replication process.
2.7.6 IMPACT TO SYSTEM RESPONSE SPEED
Enabled encryption of communication paths may produce a delay in data delivery. For most of the
communication paths the delay doesn't have any measurable impact to end user experience,
most affected data paths are 1, 2 and 3a.
Data delivery throughput for TLS based encryption (SSL over IPP) depends on the speed of the
target printer.
2.7.7 INTERNAL SYSTEM AUDIT LOG
SafeQ logs all CRUD operations to log file(s) on the file system using standard Log4j logging
library. Manual administrative operations are tracked by the system in dedicated audit logs, which
are accessible to delegated users in the web interface.
Passwords and authentication data are not logged. Access to the log files is not controlled and
must be managed on operating system level.

2.7.8 DATA STORAGE METHODS AND ACCESS TO THE SYSTEM
All data within the operation of the system is stored in the following ways:
Internal SQL database. In case of embedded PGSQL/MSSQL Express, the database is

accessible only via the local host interface. In case of an external DB, the security model is
the responsibility of the database administrator. The database is accessible only with the
name and password stored in the configuration file.
Internal Configuration Files. Are stored in the YSoft SafeQ 6 operation directory in a text
format. The data is secured on the same level of access as relevant directories and OS.
External Data sources. Configuration dependent.
All passwords and user codes are stored in the configuration files and database in an encoded
form (one-way hash). Access data to external systems (including access to the SQL DB YSoft
SafeQ 6 itself) is stored encoded by an AES-256 encryption (using hardcoded key).
Print job data is stored temporarily on the file system in the plain unencrypted form as
received from the source workstation. Using system configuration, this data can be
automatically deleted (not wiped) after print or administrator defined expiration time.
2.7.9 USED TECHNOLOGIES
The whole solution is proprietary. Java 11 is used for System Core, MS .NET 4.5 Framework for
MFD integration and Apache Tomcat, MS SQL or PostgreSQL Database Engines are among
standard 3rd party components used in the solution.
2.7.10 ADDITIONAL NOTES
Some print drivers support print job data encryption for particular printer. This feature can only be
used for direct print to the specified device.
All session timeouts in the system (administrative console or terminal access) are administrator
definable using centralized web interface.
There are not practical limitations regarding character sets and length for usernames and
passwords. Certain MFDs may impose additional limitations on their own.

2.7.11 LDAP INTEGRATION SECURITY
2.7.11.1 Introduction to LDAP Directory Services
The acronym LDAP stands for Lightweight Directory Access Protocol, a protocol invented to
access directory services and intended as a simplification of DAP (Directory Access Protocol)
family of protocols which are defined in the X.500 family of standards. Today, LDAP is widely
used mainly thank to the strong support of the protocol in OpenLDAP (Open Source Directory
Service), Novell eDirectory (formerly Novell Directory Services) and Microsoft Active Directory.
For more information about LDAP, please refer to the following documents:
http://tools.ietf.org/rfc/rfc4510.txt
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
How to view and set LDAP policy in Active Directory http://support.microsoft.com/kb/315071
From the YSoft SafeQ 6 perspective, LDAP support is essential because it is now one of the
major ways how to access corporate user account information. YSoft SafeQ 6 uses such
information for seamless authentication of users.
YSoft SafeQ 6 may retrieve the following information from a directory service (depends on
configuration):
User account information (name, e-mail address, login name and any aliases, assigned cost
center). Password is not retrieved.
Card number and PIN.
Group membership (translated to YSoft SafeQ roles).
Groups (translated to YSoft SafeQ roles for Role-based Access Control)
2.7.11.2 YSoft SafeQ LDAP Replication
LDAP Replication is a technology for integrating YSoft SafeQ 6 with LDAP-based directory
services. Instead of querying data of individual users, it periodically replicates data from selected
directory trees directly to YSoft SafeQ 6.
Traditional approaches to replication usually provide a challenge in designing and configuring the
system integration with directory service or multiple directory services, however YSoft SafeQ
LDAP Replication technology is designed to be deployable in small and big environments.

Replication is a process where data are copied from one data source to another. We only need to
discuss the one-way replication where one source acts as master, where modifications happen
and the other acts as subordinate, which stores data in read only manner. In our case, the master
is the directory service and the subordinate in YSoft SafeQ 6. During the replication, new data are
copied from directory service to YSoft SafeQ 6, existing data are updated and deleted data are
marked as deleted.
The YSoft SafeQ LDAP Replication technology comes with the following features:
Integration with multiple directory services. YSoft SafeQ can also handle situations where
single user account exists in multiple directory trees or services or when user is a member of
a group, which exists in different tree or service.
Security awareness. YSoft SafeQ 6 never replicates user passwords, even if it is technically
possible or permitted by the directory service.
Performance. YSoft SafeQ LDAP Replication operates in two modes: differential and full
replication . Differential replication replicates only changes occurred since the last (differential)
replication. Full replication replicates the entire directory tree(s) according to configuration.
By default, YSoft SafeQ 6 replicates the following attributes (applies to Microsoft Active Directory
configuration):
User: GUID, sAMAccountName, cn, sn, mail, memberOf; optional attributes: homeDirectory,
department, custom attribute with card ID such as otherPager
Group: GUID, sAMAccountName, description
User membership in a group is determined using the memberOf attribute. All replicated groups
are translated into YSoft SafeQ roles.
2.7.11.3 YSoft SafeQ 6 LDAP Replication Concerns
Using data replication may raise concerns about the integrity of the data stored in the system.
Here we list typical problems into which the IT Administrator may run and their solutions. Also we
list typical concerns and explain why YSoft SafeQ LDAP Replication is a solid and viable solution.
The explanation is provided as pairs of concerns and explanations.
Area Concern Explanation
Data YSoft SafeQ 6 stores a redundant copy of YSoft SafeQ 6 stores a read only copy of
Redundancy my data which may get invalid by local the replicated data and correctly
changes. propagates all changes to the system.
This way, data are only provided in a way
which generates less overhead - data are
replicated more efficiently in batches.
Data
Redundancy

It is not feasible to make local YSoft SafeQ 6 maintains local and
modifications as they will be overriden replicated data separately. For example if
when replication occurs. a user account has two ID cards, one
replicated and one added manually, the
system will never automatically delete the
manually added card.
Replication YSoft SafeQ 6 leaks out potentially All data stored in the system would be
of Sensitive sensitive data by using replication. available to YSoft SafeQ 6 even by using
Data online connection anyway. all the
replicated data would be available to YSoft
SafeQ 6 anyway and stored in-memory,
visible in reports, log files, web interface
and other parts of the system which
tracks and displays information.
Leaking Replication leaks out user passwords or at YSoft SafeQ 6 never replicates user
Passwords least stores them in less secure way. passwords, even if it is technically
possible. Password-based authentication
is handled using online connection to the
directory service.
Invalidation It is impossible to quickly invalidate user Differential replication (which also

of User credentials. propagates user credentials) has a very
Credentials low overhead (depending on the amount
of changes in your directory service) and
can be run every few minutes without
raising the load imposed on the directory
service agents. This way, the credential
change is propagated very quickly.
How does Differential Replication work?
Differential Replication mode requires a means of tracking changes in the directory service to
operate correctly. When connected to Active Directory, USN (Universal Sequence Numbers) are
used to track changes. When connected to Novell eDirectory, modification timestamps are used
to track changes.
Differential Replication has currently one limitation: it is not possible to replicate deletion of
objects. This is based on the limitation of the most common directory services (Microsoft Active
Directory and Novell eDirectory) which provide no reliable way to track object deletion. Full
Replication however replicates even object deletion correctly.
2.7.11.4 Recommended Configuration
Regardless of the number of directory services you are going to use, you should follow some
basic guidelines when configuring LDAP replication.

Schedule Differential Replication to run several times a day (even as often as every couple of
minutes) and Full Replication to run once a day, out of office hours. If you have 24/7 environment,
schedule the full replication to run off peak hours.
If you have a complex rule structure, do not forget to correctly configure maximum page size in
YSoft SafeQ 6. Otherwise, only portion of the data will be replicated to YSoft SafeQ 6.
2.7.11.5 Securing LDAP via SSL/TLS
When configuring the LDAP server address, specifying LDAPS as a protocol will lead to encrypted
connection using SSL/TLS. Supported SSL/TLS versions are SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2.
By default, TLS 1.0 is the only enabled protocol version because of the compatibility reasons. It is
highly recommended to enable communication via TLS 1.2, since several weaknesses were found
in the lower versions.
Also the list of ciphers used for LDAPS communication can be customized, the default value is
the default list enabled in Java 11.
The authentication is assured via SSL/TLS certificates. There are two options for certificate
verification - comparison of the thumbprints and the standard validation using digital signature.
For more information about the configuration please refer to Configuring secured connection to
the LDAP server.
2.7.12 PERSONAL USER INFORMATION IN YSOFT SAFEQ 6
2.7.12.1 Personal User Information in YSoft SafeQ 6
Abstract
This document deals with how personal information about users is processed in YSoft SafeQ 6
with respect to different data sources, the lifecycle of data processing and potential legal
implications, such as Act No. 101/2000 Coll., on the protection of personal data in the Czech
Republic.
Definition of Personal User Information
For the purpose of this document, the data which might be containing personal user information
are referred to as entities. We make an intentional distinction between Corporate Entities where
all information contained therein is coming from, related to and possibly owned by the legal body
operating the YSoft SafeQ system and Mixed Entities which may contain personal user
information.
In this document, we also refer to data structure and make important distinction between
unstructured data, where the YSoft SafeQ system does not work with the data in a structured
way (i.e. identifying elements of information in the data and relationships between such elements)
and structured data where the data structure is taken into account.

Examples of Structured and Unstructured Data
1. Structured Data
a. Data exchanged between YSoft SafeQ 6 and Identity Management Systems (e.g.,
Active Directory, OpenLDAP)
b. Device information describing connected Printers and/or Multifunction Devices

managed by YSoft SafeQ
c. Cost Centers or Billing Codes managed by YSoft SafeQ system depicting corporate or
management cost structure of the organization using the YSoft SafeQ system
2. Unstructured Data
a. Print Jobs received and managed by the YSoft SafeQ system.
b. Scanned Documents received and managed by the YSoft SafeQ system.
Personal User Information in Unstructured Data
YSoft SafeQ system processes the following kinds of unstructured data which may contain
Personal User Information:
1. Print Jobs
2. Scanned Documents (also referred to as Scans)
Personal User Information in Print Jobs
YSoft SafeQ system extracts information from Print Jobs constituting a Print Job Entity. This
entity is stored in YSoft SafeQ system for archiving and reporting purposes.
The relevant extracted information is:
1. (Optional) Job Title which may be specified as part of the print job data stream by means
of appropriate PCL commands. Such job title contain and refer to the contents of the print
job or the original document which was printed by a user resulting in the print job. Job Title
may also be linking the document to a particular person(s).
2. (Optional) Job Owner which is specified either as part of the print job data stream or as
part of the communication protocol used for receiving the print job by the system. The Job
Owner links the print job to a particular user account, which may or may not correspond to
a real person(s).
This information is tracked for the purpose of reporting printed volumes on a per-user basis.
Who has access to such information?
This information is accessible to particular users, who can view only Print Jobs which have this
particular user identified as Job owner.

The YSoft SafeQ system usually defines one or more administrator user accounts (by default, the
user account is called “admin”). Such user accounts have permissions to view the Job Title and
Job Owner information of all print jobs.
Personal User Information in Scanned Documents
YSoft SafeQ system associates Job Owner information with each Scanned Document by various
technical means, which depend on the type of connected multifunction device, system
configuration, etc.
Who has access to such information?
This information is accessible to particular users, who can view only Scanned Documents which
have this particular user identified as Job owner.
The YSoft SafeQ system usually defines one or more administrator user accounts (by default, the
user account is called “admin”). Such user accounts have permissions to view the Job Owner
information of all Scanned Documents.
Personal User Information in Structured Data
User Account Information and Credentials
The YSoft SafeQ system stores information about user accounts and related credentials. The
following information is stored with the User Mixed Entity:
Login Name
First (Given) Name
Surname
Password
Card IDs and PIN Numbers
E-Mail
Home Directory (*)
Cost Center associated with the User Account (*)
Default Billing Code for the User (*)
Elements marked with (*) are system-related settings and are not relevant for storing Personal
Information. All other elements may, but not necessarily must potentially contain personal
information, however it is crucial to define, how these elements are maintained.
User Accounts are created and managed in one of the following ways:
1.
1. The User Account(s) are created and managed using the YSoft SafeQ management
interface. By default, users can access information related to their User Accounts only if
and only if they can authenticate with the system using their password. Administrator user
accounts can manage any User account in the system.
2. The User Account(s) are “imported” or “replicated” to YSoft SafeQ system using technical
means from another systems. Corporations usually employ systems for managing user
identities and credentials, usually referred to as Identity Management systems. YSoft
SafeQ 6, if properly configured, can retrieve user information from such systems.
Whether User Entity in YSoft SafeQ 6 contains Personal Information depend on the policy
governing what data are entered to the system (above mentioned 1) or policy governing
corporate identity management (above mentioned 2).
YSoft SafeQ 6 is using User entities for authentication and reporting, where the traceability
of particular print jobs/scanned documents to particular User Account(s) can be disabled by
configuration (defined above).
For more information refer to Management Interface - Users in YSoft SafeQ 6 documentation.
Personal Information in other system entities
Besides the User mixed entity, the YSoft SafeQ system operates with the following entities:
1. Device (sometimes referred to as MFD)
2. Cost Center
3. Role
4. Billing Code
All these entities are Corporate Entities. They are created by the corporation using the
YSoft SafeQ system to manage the printing environment.
These entities usually model corporation organization structure, structure of departments

and cost allocation policies. Cost Centers, Roles and Billing Codes are associated with
particular User entities, but on M:N basis, i.e. many User entities may be associated with a
particular Cost Center/Role or Billing Code, but many Cost Centers/Roles or Billing Codes are
also associated with a particular User account.
For more information refer to Management Interface - Devices.

2.8 SUPPORTED LANGUAGES
2.8.1 YSOFT SAFEQ 6 LOCALIZATION
Currently supported languages can be found in our Partner Portal in the section Products > YSoft
SafeQ > Localization > Localization status.

3 RELEASE NOTES
3.1 YSOFT SAFEQ 6 - RELEASE NOTES BUILD 50
3.1.1 NEW FEATURES
3.1.1.1 YSoft SAFEQ Client v3: Emergency print
Emergency print (formerly Offline print) is a client application feature that provides limited printing
functionality while a Site Server is not accessible. The client detects a server is inaccessible
when no response has been received for a specified time and indicates such status with icon.
During emergency print, a user can print directly to printers without the job passing to a server.
Jobs are printed immediately on the selected printer. You can read more in the "Emergency Print"
article. (SQC-2177)
3.1.1.2 YSoft SafeQ Client v3: Authentication option - STORED_USERNAME
A username is retrieved from the configuration file stored locally on a workstation with the client
application. The method must be enabled on the Site Server in which the client application is
connected otherwise all authentication attempts will fail.

If authentication is successful, the user will not see a login window. If authentication fails, the
user will be prompted for login credentials with the standard Username/password dialogue. (SQC-
2147)
3.1.1.3 YSoft SafeQ Client v3: Print job notifications on embedded terminal when CBPR job is
not available
When using Client Based Print Roaming, if a user powers off the workstation while the print job is
still spooling, the print job cannot be released at the printer. Now, a user screen explains why the
job is not released and provides instruction. (SQC-2633)
YSoft SafeQ Client v3 is under the Early Access Program (YSQL6-049-0000; YSoft SAFEQ
Client v3; F_NEW_SQ6_CLIENT), see details about the program in Early Access Program. The
client application use needs to be validated by a Y Soft Solution Consultant.
3.1.2 FIXES AND IMPROVEMENTS
3.1.2.1 Client Application and Terminals
Toshiba login screen no longer freezes during JavaScript loading. (SBT-1886)
Pressing <Enter> on a software keyboard sends login for Username/password authentication

method on Konica Minolta models with Chrome-based browsers. (SBT-1127)
The Mobile Terminal application for Android was updated. The release fixes problems with QR code
reading and secure communication with TLS cypher suites. (SBT-1552)

3.1.2.2 Installation and Administration
Only the system administrator can use the management interface dashboard widget for user
import. (SBT-1727)
System configuration properties, workflowStorageRoot and localWorkflowStorageRoot, now refer

to the Site Server locations, which are created with the installation. (SBT-1854)
Imported definitions of scan workflows no longer fail with the null value of the PdfEncryptionLevel
parameter. (SBT-859)
JavaScript libraries on web interfaces were updated on the latest versions. (SBT-1690)
Tomcat for management interface updated to the latest version. CVE-2020-11996 is mitigated.
(SBT-1525)
The installer now merges the old and new application settings for Workflow Processing System in
WpsService.exe.config file. (SBT-401)
Spool job cleaner on Site Server is now more efficient under high load conditions. (SBT-1377)
QR code preview for Mobile Terminal can be displayed after changing the size on the management
interface. (SBT-1011)
YSoft SafeQ Client Components (FlexiSpooler client) with authentication option

STORED_USERNAME can show notifications from Rule-Based Engine. (SBT-1011)
YSoft SafeQ Demo for business presentation has new documentation, see "YSoft SafeQ Demo"
chapter. (SBT-1834)
3.1.2.3 Product extensions (formerly known as customizations)
Customers who use YSoft SafeQ extensions should contact their Y Soft partner sales
representative or Customer Support Services for compatibility verification with the new Build.
We recommend testing all extensions before applying a Build update into a production
environment.
You can find additional information on Partner Portal: https://portal.ysoft.com/products/ysoft-

safeq/extensions-store
No items.

3.2 RELEASE NOTES - ARCHIVE
3.2.1 YSOFT SAFEQ 6 FALL 2020 RELEASE - RELEASE NOTES BUILD 49
3.2.1.1 New Features
Embedded Terminal 2nd Gen. for Ricoh SOP
Embedded Terminal for Ricoh with Smart Operation Panel (SOP) is now based on Embedded
Terminal 2nd Gen. platform and supports all types of authentication, native copy, print, automated
scan workflows, billing codes and device dependent accounting.
This feature is now released from the Early Access Program (EAP). We appreciate all the print
administrators who helped with testing, enabling us to fine tune and improve the speed of
installation. (SQC-222, SQC-2930)

Default language detection from Active Directory for Embedded Terminal for Konica Minolta
The User Preferred Language feature allows an administrator to set up a preferred language for
individual users. The preferred language can be set up in the LDAP account of the individual user.
When the user logs into YSoft SafeQ Terminal Application - 2nd Gen., the application is
automatically set to his/her preferred language, see the "User Preferred Language at a Konica
Minolta Device - 2nd Gen. " article for more detail about configuration and usage.
This feature was released from the Early Access Program (EAP) with minor fixes. (SQC-2300, SQC-
2931)
Embedded Terminal for Epson supports YSoft SafeQ Payment System
Embedded Terminal for Epson has been fully finalized. Credit and quotas are now supported for
print, scan and copy operations. Customers can use vendor dependent accounting with all the
benefits the payment system offers. Money transactions, virtual credit or limited access based on
personal and/or group spending are supported.
Administrators can read more about terminal behavior in the article, "Credit Handling on Epson".
(SQC-2299)

SAML 2.0 authentication is supported on End User Interface
Based on customer requests, the implementation of Single Sign On (SSO) authentication in the
end user interface via Security Assertion Markup Language 2.0 (SAML 2.0), has been added.
Users can now have a seamless authentication experience (identical to the management service
which is used mainly by administrators). Administrators can read more about configuration in the
article, "Security Assertion Markup Language SAML". (SQC-2152)
SAML 2.0 support is under the Early Access Program (YSQL6-046-0000; Security Assertion
Markup Language single sign-on (SAML); F_SSO_SAML_V2), see details about the program on
the Early Access Program page.
3.2.1.2 Fixes and Improvements
Terminals, User Interfaces
No stapling/punching/folding/binding respective options from Finishing options on terminals were

removed. In all of these four cases, the "original" option replaces them. The "original" value means
"keep as is, without any change". (SBT-1458)
Embedded Terminal for Ricoh displays "Print all" slider for authentication screen on two factor
authentication method such as card and PIN. (SBT-1622)
Embedded Terminal for Ricoh displays native scanner application to terminal users. (SBT-1616)
Ricoh MP 3004 and MP 402 can now account for print jobs. (SBT-1574)
The installation/un-installation procedure is fully functional for Ricoh models such us IM C300 and
IM C4500. (SBT-1519)
A virtual keyboard is no longer overlapping on the Embedded Terminal for Ricoh. (SBT-1621)
The device panel shows the native scanning application (scan to email) on the Embedded
Terminal for Lexmark if there are no scan workflows from an administrator. (SBT-1644)
The billing code selection on the Embedded Terminal for Ricoh is now without an intrusive error
message. (SBT-1764)
Localized texts are optimized for the Embedded Terminal for Epson. (SBT-1178)
Installation and Administration
The upgrade procedure from YSoft SafeQ 5 to YSoft SafeQ 6 with an external database passes
validation. (SBT-1652)
A shared hot folder for jobs uploaded via the web to the Mobile Print Server is automatically
created during installation if it didn't exist before. (SBT-793)

The default certificate, SHA-1, is replaced with SHA-256 in the FlexiSpooler component so it
matches other system components. (SBT-1649)
Privilege escalation vulnerability in the Management interface dashboard is mitigated. (SBT-1632)
The dashboard widget, "Active objects in the system", shows the correct number of Spooler
Controllers instead of a misleading group number. (SBT-1700)
LDAP replication is improved so that special characters "/" and "\" can occur in usernames. (SBT-
1741)
A system configuration export is renamed to "system-configuration_YYYY-MM-DD_HH-MM.xml".

(SBT-132)
Web reporting is improved so it now groups only by a column defined by an administrator. (SBT-
1745)
Management reports use localized names for months of the year. (SBT-375)
The Spooler Controller startup email is localized. (SBT-311)
Product extensions (formerly known as customizations)
Customers who use YSoft SafeQ extensions should contact their Y Soft RSM or Customer
Support Services for compatibility verification with the new Build. We recommend testing all
extensions before applying a Build update into a production environment.

No items.
3.2.2 YSOFT SAFEQ 6 - RELEASE NOTES BUILD 48
3.2.2.1 Infrastructure and other changes
Using Microsoft OAuth2 based authentication for accessing emails in Mobile Print Server
YSoft SafeQ now supports OAuth2 based authentication for accessing emails in the Mobile Print
Server. (Microsoft announced that support for Basic Authentication using username and
password will end later this year; the Mobile Print Server used Basic Authentication). From now
on, administrators can choose to use the Mobile Print Server in OAuth mode. (SQC-1222)

Using Google OAuth2 based authentication for accessing emails in Mobile Print Server
YSoft SafeQ now supports OAuth2 based authentication for accessing emails in the Mobile Print
Server. (Google announced the end of ability of less secure apps to access G Suite account data;
the Mobile Print Server used this approach). From now on, administrators can choose to use the
Mobile Print Server in OAuth mode. (SQC-2863)
Sharp - Support of new A4 devices from the Luna series
YSoft SafeQ Embedded Terminal can now be installed on Sharp A4 devices from the Luna series,
a Lexmark OEM brand. Authentication, copy, print, scan workflows and device dependent
accounting are supported. (SQC-2301)
Client Application, Terminal s and User Interfaces
The native scan panel is enabled on Brother devices with embedded terminal. (SBT-1595)
The screen for card self-assignment requiring login and password now fits on Lexmark devices
with small screens. (SBT-1008)
The Epson SDK was updated to version 1.10. (SQC-2510)
If HTTPS is enforced with 2nd Gen. Embedded Terminal, then images are downloaded over this
protocol. (SBT-1544)
The desktop interface configuration file for the client application is now persisted to the user
folder which should be accessible to the user at all times. (SBT-1327)
Information about 3D reference prints were added to the eDee terminal. (EDEE-2188)
Card numbers visible to a system administrator are now masked. The administrator can reveal
them with the system property, maskCardNumber. (SBT-1004)
The description for the property, forceSecureDeviceDescription, in the management interface and
documentation has been updated to reflect requirements for the OpenAPI version. (SBT-1543)
The description for the parameter, PIN-archivation-period, was improved in the management
interface so it now refers to related properties. (SBT-136)
A server installation with an external MS SQL database is now able to properly connect to a
database with NTLMv2. (SBT-1010)
Terminal server is able to start even if some port binding is not possible during the startup
procedure. (SBT-1038)

Whenever an installer tries to create a database for IMS and fails, the installation process is now
cancelled, giving user feedback with logs for obtaining more details. (SBT-1522)
Documentation has been extended with a description of the MS SQL server which hosts more
product installations (e.g. production and test) which both use a MSSQL instance. (SBT-1080)
The user input field type for scanning workflows are now translated to the selected language.
(SBT-1612)
The LPR client in the Job Routing Proxy (SWC-79) will not fail anymore if special characters are
used in the print job title. Fixed was released in the Job Routing Proxy 3.6.3. (GSS-3085)
Customers who use YSoft SafeQ extensions should contact their Y Soft partner sales
representative or Customer Support Services for compatibility verification with the new Build.
We recommend testing all extensions before applying a Build update into a production
environment.

3.2.3.1 Limited Device List Extended
The list of devices supported under Print Management Suite LD has been extended. All the
supported devices can be found on the Hardware Compatibility List (HCL).
Newly added devices under this license model are: (SQC-2289)
Konica Minolta bizhub C3350i
Konica Minolta bizhub C3320i
Konica Minolta bizhub 4052
Xerox VersaLink C505
Xerox VersaLink B600
A correct port number is displayed for an external PostgreSQL database in installer error
messages. (SBT-1257)

An uninstall procedure removes all components of the print management solution. (SBT-818)
The fail over complementary script for PostgreSQL triggers the fail over only when the main
server goes down. (SBT-1263)
Device detail on management interface has better word wrap for a large number of characters
used in the "Location or description" field. (SBT-288)
PIN code number logging aligned with sensitive data logging standard. (SBT-1331)
Certificate validation can be optionally disabled for scanning workflow connections with an email
server. Certificate revocation check is disabled by default and can be optionally enabled. (SBT-
1312)
Management interface validation and error messages were added on the scanning workflows edit
page. (SBT-1321)
Information stating "it is not possible to use an already existing entitlement" is displayed to an
administrator on the Payment System Administration web interface when the entitlement was
already stored. (SBT-1314)
The end user interface now correctly translates the delete button in all supported languages.
(SBT-1325)
A SMTP password is no longer logged in an obfuscated form in the Mobile Print Server log file. The
security of the password was increased by replacing the obfuscated password with a set of
asterisks symbols. (SBT-1378)
New firmware (version 2.5.2) for YSoft USB Card Reader 3 contains the following:
Fix for a critical bug on the MFX card reader where ISO15693 cards were read in the wrong
byte order
Fix in the processing of some HID Elite configuration cards on MFX card readers
Fix in the processing of some Hitag 2 key fobs on MFX card readers
It is now possible to format blank Mifare DESFire EV1/EV2 8K cards as YSoft Configuration
Cards on the MFX card reader
Some minor LF and HF technology fixes on the MFX card reader
Card removal notification (a.k.a Continous mode) is no longer configured as the default
behavior on USB SmartCard readers
Protocols 1220 and 1222 on MF&Legic card readers were renumbered to 1320 and 1322 to
reflect a difference in the protocol name compared to other readers. Original protocols will
remain present as hidden protocols so there is no need to reconfigure card readers in the field
The "update_to_2.5.2.bat" script does not update the service firmware if the correct version is
already installed to reduce risk of bricking the card reader
"usbrdrtool.exe" now has a -d command line option to reset to defaults, which is suitable for
batch script processing

Terminals
In rare cases when Epson devices were in a secure mode, it was not possible to install an
embedded terminal. This was resolved and installation ends with success. (SBT-1442)
Konica Minolta Native terminal now has instruction aligned hardware button names. (SBT-1141)
A new option, "Blank page removal", in the " Konica Minolta Advanced scan settings " section for
scan workflows was added. This configuration has three options: "Not specified", "Enabled" and
"Disabled". It can be adjusted by an end user on the 2nd Gen. Embedded Terminal for Konica
Minolta. (SBT-1305)
3D Print Management Solution
The terminal application on an eDee device provides information about failed communication with
a mail server. (EDEE-2175)
The service menu network configuration dialogue is validated against a broken DHCP response or
network connection outage. (EDEE-2068)
Long error messages no longer cause unnecessary input elements wrapping in Czech, Slovak and
Dutch languages. (EDEE-2052)
Print head fan operation is restored after a filament replacement procedure is performed during a
print. (EDEE-2140)
The calibration screen newly informs about the calibration process. (EDEE-2141)
Documentation
Documentation of various advanced backup and recovery scenarios were extended, see "Backup
of Databases" and "Recovering databases" articles with new structure and content. (SQC-2339,
SQC-2338, SQC-2337)
Documentation article "Credit handling on Sharp" was extended with better descriptions of
existing limitations. (SBT-1375)

No changes.

3.2.4 YSOFT SAFEQ 6 SUMMER 2020 RELEASE - RELEASE NOTES BUILD 46
Embedded Terminal 2nd Gen. for Ricoh SOP
Embedded Terminal for Ricoh devices with Smart Operation Panel (SOP) is now based on Y Soft's
Embedded Terminal 2nd Gen. platform and supports all types of authentication, native copy, print,
automated scan workflows, billing codes and device dependent accounting.
The Embedded Terminal is being certified by Ricoh Company, Ltd. for public use and will be
released after obtaining the certification. Meanwhile customers in the Early Access Program (EAP)
will receive a beta certified application valid for 2 months. It will be necessary to replace the beta
with the final version. Please note, the beta certified app can only be used for testing purposes,
not for production environment deployments.
Ricoh SOP Embedded Terminal is under the Early Access Program (YSQL6-083-0000; Ricoh
SOP Embedded Terminal; F_RICOH_SOP_EMBEDDED_TERMINAL), see details about the program
on the Early Access Program page.

The number of copies is correctly detected for print jobs containing a "QTY" string in the job title.
(SBT-1307)
Re-installation of Embedded Terminal for Xerox Altalink devices with a newer firmware version
(103.001.000.06000), proceeds without failure. (SBT-1303)
The CA certificate validation for Embedded Terminals for Ricoh has been improved. (SBT-1258)
The user experience when a scanning workflow fails to execute due to an incorrect date format
has been improved. Now, information about the expected format is presented in the dialogue.
(SBT-1348)A new Automated Scan Workflows variable, %separationBarcode%, has been
introduced. This variable contains the value extracted from a barcode which triggered a
separation of scan jobs (by using the Scan Job Separation processing step). (SQC-2335)
Reporting
The resiliency of the database maintenance procedure on PostgreSQL databases has been
improved. The next run will have a better chance for completion of the table which was not
finished in the previous run. (SBT-1267)
A performance improvement in the reporting engine for PostgreSQL database with a database
split deployment scenario has been made. (SQC-828)
Optimizations for the counter reporting database structure have been made so that web
reporting responds better on installations with a high number of monitored devices. (SBT-1356)
The installation directory is explicitly created during a silent installation so it is possible to install
the product into a different location than the default location. In this case, log files are created in
the directory where a configuration file for the silent installation is located. (SBT-72)
The DNS name for Site Services can now be up to 255 characters long; before the maximum
length was only 64 characters. (SBT-1260)
The Mobile Print Server service is now set to a delayed start so that a smooth start is ensured in
environments with minimal hardware specifications. (SBT-1184)
Reverting a system property now populates a correct value. This includes advanced cases where
the value was generated for each installation. (SBT-499)
An administrator informational message that appears when a role is removed from a user is now
enhanced. (SBT-1347)
The Management interface tabs "Devices" and "Counter reports" are better protected against a
link injection attack. (SBT-1254, SBT-1255)

The XML parser used for importing an XML file with configuration or license has been configured
to prevent XML External Entity attacks. (SBT-741)
Logging of card numbers and PINs on Site Services is not enabled by default. (SBT-181)
Database validator log files are now unified into one sub-folder. (SBT-493)
Documentation
A new article System configuration case study of large deployment is available. This article
describes the recommended optimization and architecture design for customers with thousands
of devices.
Several links leading to internal documentation were fixed in the HTML version of product
documentation. (SBT-322)
Product extensions (formerly known as customizations

No items.
When upgrading from YSoft SafeQ 5, the old payment system service now stops and changes to
a manual start so that the database restore can run without issues. (SBT-1105)
During an upgrade from YSoft SafeQ 5, configuration options for a distributed layer are changed
to new YSoft SafeQ 6 defaults. If a customer edited distributedLayerStartCommand,
distributedLayerStopCommand parameters, then values are kept intact. (SBT-374)
Upgrade from YSoft SafeQ 5 no longer duplicates "Default" device group. (SBT-116)
Password protection for an external payment provider has been improved. (SBT-282)
Security of the management interface was improved against Stored Cross-site Scripting (XSS) on
the dashboard, the Support Information Page and other areas. (SBT-189)

Terminals
All terminals will no longer allow free of charge operations if a payment system is used and the
payment system did not fully start. (SBT-1107)
Embedded Terminal for Xerox does not redirect to an authentication screen during logout from
the print/scan application. (SBT-1213)
Payment Machines now refuse money recharging for users with "Unlimited access", "No access"
and "Page quota" account types. (SBT-1012)
Reporting
Web Reports showing purged printing under "Unprinted jobs (cost savings)" device instead of
"unknown device" so the administrator can clearly understand that it was not released. (SBT-
1084)
Predefined Web Reports contained purged (not released) counters even though, in some reports
types, it was not aligned with the report's purpose. (SBT-1026)

SWC-2 Credentials generator (PIN generator for guest mobile printing) will ignore LDAP users
during the password creation process. (GSS-2852)
An administrator is no longer able to create device groups with the same name in the
management interface. The device group name must now be unique within one device group
parent. Users now see the parent hierarchy when selecting the device parent group. (SBT-335)
Auto-generated database password is better protected against a brute-force attack. Randomly

generated passwords use better randomization. (SBT-60)
The /CFG:noUpdateLocations parameter for silent installation of client application has been added
into the installer. (SBT-1142)
The messaging port, (default 5556), is closed by default for new installations. (SBT-170)

List items no longer overlap on the management interface when opening a device bulk action
dialogue such as Print QR Codes, Reinstall or Uninstall. (SBT-1137)
A default list of management interface ciphers was updated for all new installations. It is
suggested to compare the new system default with the existing configuration. Read more in the
article, "Configuring SSL/TLS for Management web interface". (SBT-1041)
Improvement of the LDAP replication has been made so that deactivated objects in the database
(users, groups, organization units) are kept in memory and their processing has been optimized.
(SBT-1031)
The FlexiSpooler service can start when job replication is enabled but replicationSharedFolder
configuration is empty. If replicationSharedFolder configuration is empty, the FlexiSpooler creates
a record in the log file and will start without enabled job replication. (SBT-1123)
A validation message is shown when an administrator saves a new scan workflow when the
name length exceeds the character limit. (SBT-1125)
Fixed the IPP request which contained one attribute group twice. (SBT-1143)ABBYY SDK installer
no longer has a security vulnerability with the associated service "ABBYY SDK 11 Runtime License
Service - Licensing Service". The installer now restricts 'write access' for user group Everyone so
an attacker cannot replace this service with a malicious payload. (SBT-1027)

No items.
3.2.7 YSOFT SAFEQ 6 SPRING 2020 RELEASE - RELEASE NOTES BUILD 43
Embedded Terminal 2nd Gen. for Sharp
YSoft SafeQ Embedded Terminal 2nd Gen. is newly implemented on Sharp devices. This version
supports authentication, copy, print, automated scan workflows, billing codes and device
dependent accounting. The terminal was previously in Early Access Program (EAP) for selected
customers who provided valuable feedback on functionality. (SQC-1359)

On top of that, under Early Access Program you can extend 2nd Gen. Sharp Embedded
Terminal with the Quick Actions screen (YSQL6-040-0000; Quick Actions; F_QUICK_ACTIONS).
YSoft be3D eDee 3D Print Management Solution
Administrators can now better share their responsibilities with supporting staff. "3D print
operator" role can be assigned in YSoft SafeQ management interface to any existing user. 3D
print operator logs in eDee with any standard way (PIN, ID badge or credentials) and above
standard user rights is allowed to: (EDEE-1964)
Switch "Out of order" mode
Exchange filament
Pause, Stop or Resume currently running print job
Take out finished model
3D printer Dashboard (eDee remote monitoring interface) is improved as follows:

Administrators can remotely (service PIN is required for any action): (EDEE-1769)
Stop the print
Switch "Out Of Order" mode
Users can see a snapshot of the model in the device's remote monitoring service (EDEE-2012)
Administrator can receive finisher print email notification for every user if required.
SafeQ Client v3: Server spooling mode
This new client application is able to work in the traditional mode of job spooling on the server. All
jobs are stored on a server and the user can safely shut down his workstation. The client
application use requires an Early Access License and its use needs to be validated by Y Soft
Solution Consultant. (SQC-198)

Terms and Conditions are now displayed in the end user interface (EUI) for a user’s confirmation
when the confirmation is required in the Payment System’s configuration. (SBT-805)
It could happen that an incorrect credit amount was shown in the Embedded Terminal for Fuji
Xerox XCP when a user opened the embedded terminal print application after copying. It has been
fixed in Embedded Terminal 2nd Gen. (SBT-242)
Users can now log into Embedded Terminal for Fuji Xerox XCP with a username and password
when the principal name (domain\user) is used as the username. (SBT-844)
Administrators can now change the authentication screen’s title in the Embedded Terminal for
Xerox through the “welcome-to-safeq-text“ system property. (SBT-947)
To prevent an application error on Xerox devices, the dynamic spinner animation was replaced
with a static hour-glass icon when scanning a large number of pages on Embedded Terminal 2nd
Gen. (SBT-981)
All temporary files are now deleted from the C:\Windows\Temp folder when the scan processing
has finished even when the scan separation is enabled. (SBT-1025)
Job thumbnail is correctly displayed in the service menu for YSoft be3D eDee. (EDEE-2069)
Reporting
Mobile Integration Gateway (MIG) does not recognize a job if it is sent as grayscale from Mopria.
(SBT-1087)
Device group changes made in the management interface are now propagated in the Data Mart
Mode (DMM) reports as well. (SBT-1040)
"Job Title" dimension was added into the OLAP cube for Data Mart Mode (DMM) reports. (SQC-
1358)
Data Mart Mode (DMM) reports were showing different printouts then web reports for direct
queues. (SBT-748)
A new version, Apache Tomcat 9.0.33, has been included in installation package to prevent the
CVE-2020-1938 (Ghostcat) vulnerability. Additionally, the AJP port 9009 are not open in new
installations. When updated from Build 42 or lower, administrators may consider disabling the AJP
as an additional security level. (SBT-310)
YSoft SafeQ can once again be installed on a compatible Microsoft Windows Server with Turkish
default regional settings. (SBT-858)
Client components installer can now create a printer even when the operating system is in a non-
English localization. (SBT-991)

Validation of the “paymentSystemApiPassword“ system property has been improved. The empty
string no longer can be stored. (SBT-994)
SPOC Group performance was improved for user delete operations. (SBT-603)
Unexpected internal error 500 is no longer displayed
when the System menu is selected in the management interface and the language is
switched to Russian (SBT-1028)
when switching to System menu after a management service restart (SBT-39)
when a user with insufficient permissions tries to assign a role to a user. Instead, the “You are
not permitted to view this page or use this function” warning is displayed. (SBT-900)
Documentation
An additional setting has been added in the Sharp device configuration guide to prevent a double
login button on the Embedded Terminal for Sharp. The User Control -> Default Settings -> User
Authentication should be disabled. (SBT-1016)
Several links leading to an internal documentation were fixed in the online version of product
documentation. (SBT-974)

No items.
3.2.8.1 Automated Scan Workflows
External processing step
Automated Scan Workflows have been improved. Administrators can now define an external
processing step in which an external command is executed before delivering documents to a
destination. It may modify the scanned files, the metadata file or it can eventually abort the
workflow. For example, it can be used to archive scanned files. (SQC-765)

OCR input file type
A new Automated Scan Workflows / OCR processing setting is available. Administrators can use
the new system property “ocrInputFileType“ to change the default input file type for OCR
processing. The default JPEG format can be changed to TIFF, Multipage TIFF or PDF. Changing the
file type setting can help optimize the scan process and better adapt to a device’s limitations.
(SQC-1338)
Secured scan delivery from Fuji Xerox
Security of Automated Scan Workflows on the Embedded Terminal for Fuji Xerox has been
improved. Using the ‘scanServerType‘ and 'soapWithAttachmentsSsl' system properties,
administrators can now enable the secured SOAP with Attachments (SwA) protocol for the
transfer of scanned documents from the device to YSoft SafeQ.
Limitation: When SwA is used, the maximum number of files that can be received from the
device is 200 depending on the device's limitations. This means that:
For single page formats (JPEG, TIFF), the maximum number of pages in one scan session is
200.
For formats available with OCR enabled in the scan workflow, (Searchable PDF, Microsoft Word
/ Excel / PowerPoint, Text, Rich Text), the maximum number of pages in one scan session is
200. However, to remove the limitation, administrators can use the new system property,
“ocrInputFileType“, to change the default input file type (JPEG) to Multipage TIFF or PDF.
(SQC-597, SQC-1338)
3.2.8.2 IPP Testing Tool
Partners can now check printers for compatibility with Online Accounting over IPP. The new “IPP
Testing Tool” command line utility and guide can be downloaded here. (SQC-1251)

3.2.8.3 Far Roaming
Administrators can now disable Far Roaming if not needed in a clustered print environment.
Note: With Far Roaming enabled, a user can submit a print job in one location and release it for
print on a device in another location even if that device is in a different Spooler Controller Group.
For more details, see the Print Roaming chapter of the YSoft SafeQ Administrative Guide. (SQC-
1383)
3.2.8.4 Cluster Licensing
Reliability of YSoft SafeQ in a clustered environment has been improved. Licensing is now
provided independent of any Management Server node; therefore the first node is no longer
required to be running when restarting other nodes. The changes have been made in both YSoft
SafeQ and the License Portal (activation portal). When updating YSoft SafeQ Build 41 and lower in
a Management Server clustered environment, administrators should do "re-licensing with the HW
unlock" as described in the Transferring a License to a New System chapter in the YSoft SafeQ 6
Administrative Guide. You can read more on the License Troubleshooting page. (SQC-1227)
Printing
IPP and IPP over SSL back-end has been adapted to HP devices. No print job is lost now when the
input queue of the device is overloaded. Additionally, in the new system property
“securePrintDeliveryTimeoutSeconds“, administrators can adjust the timeout for sending the job
from YSoft SafeQ to the printer. (SBT-923)
No error message is displayed now on the Embedded Terminal for Konica Minolta when the
“konicaMinolta CardShortcut system property” is enabled and no billing code is assigned to the
user. (SBT-1000)
Terms and Conditions are now displayed in the End User Interface (EUI) for a user’s confirmation
when the confirmation is required in the Payment System’s configuration. (SBT-805)
Error 500 is no longer displayed and job settings are now accessible on the Embedded Terminal
for Epson when a print job preview is not available. (SBT-890)
Automated Scan Workflows

An automated scan workflow with an “Email (SMTP)” connector type no longer fails when the list
of email addresses includes blank spaces. (SBT-675)
A user without “System \ System settings – expert options” rights in the Management interface
can now access the basic and advanced levels of System -> LDAP integration page. (SBT-665)
Administrators can no longer mistakenly enable payment features at devices with HW terminals
(Terminal Pro 4, Terminal Ultralight and Terminal Professional v3.5) in the Management interface.
HW terminals don’t support the YSoft Payment System. (SBT-790)
The installer now checks a communication ports‘ availability when installing YSoft SafeQ on
Microsoft Windows Server 2019. (SBT-816)
YSoft SafeQ can once again be installed on a compatible Microsoft Windows Server with Turkish
default regional settings. (SBT-858)
Updating Site Services that include the YSoft Payment System now correctly upgrades a
PostgreSQL embedded database to the new version, PostgreSQL 11. (SBT-866)
The Mobile Integration Gateway (MIG) can once again be installed on Microsoft Windows Server
2012 / 2012 R2. (SBT-869)
When an administrator deletes a price value in a price list in the Management interface, null is
now correctly stored in the database. (SBT-885)
Error 500 is no longer displayed in the Management interface when a user with insufficient
permissions tries to assign a role to a user. Instead, the “You are not permitted to view this page
or use this function” warning is displayed. (SBT-900)
Cost centers are now replicated to YSoft SafeQ even when more LDAP servers are connected.
(SBT-905)
The server installer no longer fails when updating the YSoft Payment System with a MS SQL
database having a named instance and a domain authentication. (SBT-934)
The YSoft Payment System can now be installed with an external PostgreSQL database with
SCRAM-SHA-256 authentication. (SBT-964)
Devices can once again be defined in the Management interface when the Management server is
running on a Microsoft Windows Server with Turkish default regional settings. (SBT-976)
The server installer no longer fails when installing a Site Server that includes the YSoft Payment
System with the embedded PostgreSQL database. (SBT-982)
Administrators can once again use the individual YSoft SafeQ SPOC Installer in silent mode. (SBT-
987)
German titles and descriptions in the Management interface -> System -> Configuration page have
been fixed. (SBT-993)

The installer no longer changes self-signed certificates containing the server IP address that have
been generated for the Embedded Terminal for HP and Brother since Build 39. After Terminal
Server updates the devices with secure communication enabled, it shouldn’t be reinstalled. (SBT-
995)
A periodic recharge is now applied on all existing user accounts in the YSoft Payment System
regardless if the account exists or doesn’t exist in an external payment system. (SBT-904)
Entitlements now create an initial user credit even when the default API user “safeq” has been
renamed. (SBT-924)
When there are network issues (no connection to a server), a user can stop the 3D printing
process or remove a finished model as user credentials are cached now. (EDEE-1891, EDEE-1893)

No items.
Online Accounting over IPP
A new accounting feature called “Online Accounting over IPP” is now available under the YSoft
SafeQ Early Access Program. Online Accounting over IPP is an option for print jobs on print
devices (Single Function Printers) without a YSoft SafeQ terminal or with YSoft External
Terminals. YSoft Payment System is not yet supported. For more details, see the "Introducing
Online Accounting over IPP" article in YSoft Partner Portal. (SQC-86)
Embedded Terminal for Brother
YSoft SafeQ Embedded Terminal for Brother has been improved. User inputs can now be entered
when scanning on the Terminal. Authentication, copy, print, scan workflows and device dependent
accounting (for copy and scan) are supported. All supported devices can be found on the
Hardware Compatibility List (HCL) in Partner Portal. (SQC-1052)

Administrators can configure eDee to get an informational email when the 3D print has finished.
(EDEE-1792)
Administrators can now select the default language for DeeControl during manual and silent
installation. (DEEC-348)
Printing
It could happen that print jobs were not accounted for and deleted after printing in a Site
Services clustered environment (Near Roaming Group) when offline accounting and YSoft
Terminal Pro 4 are in use. It has been fixed. (SBT-872)
Print jobs are no longer accounted for twice on Embedded Terminal for Brother when offline
accounting is in use. (SBT-515)

User permissions in a YSoft SafeQ clustered environment has been improved to prevent a
situation where users can’t print when a fail over situation appears. (SBT-882)
Prints from the "User box" are now accounted for when Embedded Terminal 2nd Gen. for Konica
Minolta is in use. (SBT-922)
Print jobs are now correctly printed on HP devices when IPP over SSL back-end is in use. (SBT-
927)
Terminal s, User Interfaces
The communication of HP devices with YSoft SafeQ Site Services has been optimized resulting in
faster login into the Embedded Terminal for HP when the time from a previous login is not longer
than 24 hours. (SBT-864)
Job previews are now visible on terminals even when they are large in data size. (SBT-865)
Users can now log into Embedded Terminal for OKI sXP2 with username and password
authentication. (SBT-687)
Reporting
Storing job accounting data in the YSoft SafeQ database has been optimized. Processing no
longer gets stuck when data coming from the parser is not standard. (SBT-832)
Administrators can once again add a new zone to an Automated Scan Workflow in the
Management Interface when the special Early Access Program license for the zonal OCR is in use.
(SBT-889)The device’s native despeckle functionality has been disabled for Automated Scan
Workflows on Konica Minolta devices with OpenApi 4.13. The change has resulted in a noticeably
faster scanning process. (SBT-930)
The background removal levels 3 and 4 are no longer supported by Automated Scan Workflows in
Embedded Terminal for Konica Minolta. These levels are not generally supported by all Konica
Minolta devices. (SBT-857)
Scanned documents are now in the correct order when scanning on the Konica Minolta, Xerox,
Fuji Xerox and Ricoh devices. (SBT-874)
The YSoft SafeQ databases' backup scenario described in the “2. Embedded PostgreSQL backup“
chapter in the YSoft SafeQ 6 Administrative Guide has been fixed and the “Cannot locate
Python36.dll” error no longer appears. (SBT-835)Administrators can now define direct queues with
similar names that only differ in uppercase/lowercase letters. Example: “Print1” and “print1” can
now be defined as two different queues in the Management Interface. (SBT-873)
The YSoft SafeQ Mobile Integration Gateway can now be installed on Microsoft Windows Server
2012 / 2012 R2. (SBT-869)

The Spooler Controller no longer stops working when hundreds of devices are licensed as Print
Management Suite LD. (SBT-897)
Direct queues are now correctly renewed in the Site Services' cache when a device definition in
the Management Interface is replaced by a new one and the new device definition includes the
same direct queue name as the previous device definition. (SBT-892)
Error 500 is no longer displayed in the Devices -> Spooler Controller groups menu in the French
Management Interface. (SBT-861)
YSoft Payment System
Error 500 no longer appears in the “payment-system.log” file. It was caused by parallel database
transactions which have been suppressed. (SBT-825)
You can find additional information on Y Soft Partner Portal: https://portal.ysoft.com/products

/ysoft-safeq/extensions-store
No items.
3.2.10 YSOFT SAFEQ 6 WINTER 2020 RELEASE - RELEASE NOTES BUILD 40
3.2.10.1 New Product and New Features
HP Embedded Terminal supports YSoft Payment System (YPS)
Credit and quotas are now supported for print, scan and copy operations on the Embedded
Terminal for HP. Customers can use vendor dependent accounting with all the benefits the YPS
offers. Money transactions, virtual credit or limited access based on personal and/or group
spending is supported on HP devices.
The feature covers YSoft SafeQ applications (SafeQ Print, SafeQ Scan) and HP native applications
(Copy, Print from USB, etc. ). (SQC-892)

YSoft be3D eDee Application Redesign
The application has a new look and feel but is also faster, more stable and less resource
demanding. ( EDEE-1707 )
The main changes for users are a s horter response time (e.g. in displaying print jobs) and on-
screen keyboard improvements including:
Added the possibility to use touch to position the cursor within a text field
Added an "UNDO" button (top right) to revert the field to the previous state
A "BACK" button (top left) updates the field now

Administrators have better diagnostics in the terminal server connection setup and i mproved
workflow for saving notifications and network setup.
Added protection against an accidental save of changes in configuration dialogues ("DISCARD

CHANGES" and "SAVE" buttons)
Login button on the Embedded Terminal for Epson is fully displayed. (SBT-840)
The Epson native scan application is able to propagate the email address of an authenticated
YSoft SafeQ user. (SBT-830)

When a user highlights a billing code, it stays highlighted when navigating through pages. The
selected/default billing code is also highlighted when browsing billing codes on the embedded
terminal. (SBT-230)
The message displayed to a user of Embedded Terminal for Xerox with no access rights was
changed to be more transparent: "You are forbidden to perform any operation". (SBT-237)
Repeated installation of Embedded Terminal for Xerox AltaLink now passes the step for
Convenience Authentication without warning. (SBT-870)
Scanning to a folder is possible even when special accented characters (e.g. "ä", "ü", "ö" or "ß") are
in the fileshare path. (SBT-826)
Certificate validation for email scan file delivery was modified so that a self-signed certificate is
not ignored anymore. In the case of an error during the certificate validation phase, there is
logged detailed information. (SBT-834)
A scan operation should not timeout when using Merge Originals with a large document. (SBT-819)
The issue of the scan server not processing a PDF file before the network transfer of the file was
corrected. (SBT-746)
Customized Web Report validation was extended on report name uniqueness. (SBT-855)
The database validator standalone execution is working again. (SBT-879)
PostgreSQL 11 is correctly displayed in all languages during the installation process. (SBT-850)
Card numbers, PIN codes and obfuscated passwords are not logged in log files by default on
management and spooler controller components. Access rights elevation is displayed in log files
vividly. For troubleshooting purposes, it is still possible to enable logging of sensitive data. (SBT-
115, SBT-131, SBT-712, SBT-588)

No items.

The “DIGEST-MD5 SASL” protocol has been implemented in the YSoft SafeQ Management
Interface as an option for the LDAP user accounts integration. The DIGEST-MD5 SASL mechanism
performs an authentication to the Active Directory Server in a manner that does not expose the
clear-text password. This new authentication option is in compliance with the Microsoft security
advisory (ADV190023) that will result in a Microsoft security patch for Active Directory domain
controllers planned for January 2020. See the article 2020 LDAP channel binding and LDAP
signing requirement for Windows. (SQC-932)
Printing
Resiliency of the YSoft SafeQ Client has been improved. When Site Services is not accessible
from the workstation when the client is starting, it continues checking the address. For example,
when the user starts VPN later and Site Services become accessible, YSoft SafeQ client
switches to online mode automatically. (SBT-774, SBT-775)
Print jobs from YSoft SafeQ Enterprise Client 2.x no longer fails when compression is enabled.
(SBT-820)
When the “Multi half-fold” option is selected in Advanced print settings of a print job on an
embedded terminal, the pages are now folded one after another. (SBT-40)
Embedded Terminal 2nd Gen. for Konica Minolta / Develop / Olivetti now supports devices with the
“LK-114 Serverless pull printing” solution installed. (SBT-537, SBT-626)
The Logout button once again correctly ends the user session in the Embedded Terminal for OKI
sXP2. (SBT-764)
When a favorite job was canceled, for example by an administrator in the Management Interface,
it was still listed in the user's favorite jobs on the YSoft SafeQ terminal, but it couldn't be printed.
It has been fixed and the canceled favorite job can now be printed by the user. (SBT-694)
The "Settings" menu on HP devices is no longer accessible to users authenticated with

Embedded Terminal for HP. (SBT-785)
User PIN length is no longer restricted to 9 digits max when PINs are replicated from an external
directory. (SBT-797)
Installation of Embedded Terminal for HP and Brother has been automated. Administrators are no
longer need to make additional manual changes. During the Site Services installation, a self-signed
certificate containing the server IP address is generated. The corresponding certificate authority
is then uploaded to the device during Embedded Terminal installation. When updating from YSoft

SafeQ 6 Build 38 or lower without having configured the custom certificates, administrators
should follow the "Configuring secured connection between terminals and Terminal Server"
chapter in the YSoft SafeQ 6 Administrative Guide. (SQC-778)
Reporting
Web reports are now accessible in the Management Interface even when a Cost Center name is
more than 64 characters. (SBT-794)
The Workflow processing system is now able to handle rare cases when two scanned files are
generated with the same filename but with different casing on two MFDs. This could had led to
exceptions when storing the file for "keep both files" behavior. It has been fixed. (SBT-728)
Administrators can now export an automated workflow even when the Dropbox Business
/Enterprise connector is used. (SBT-777)
When a cost center is deleted in the Management Interface, users who belonged to this cost
center are now assigned to the default cost center. (SBT-603)The product version number is
once again included in the <SafeQ6_folder>\SPOC\logs\spoc_version.log file. (SBT-637)
Administrators should no longer experience a file name length error when unpacking the YSoft
SafeQ 6 installation complete pack. (SBT-772)
The new "How to Remove a Spooler Controller" chapter has been created in the YSoft SafeQ
Administrative Guide. It helps administrators when a Site Services server should be removed and
devices assigned to another Site Services in the production environment. (SBT-611)
A security certificate distributed with previous Build 38 for Embedded Terminal communication
hasn't been working with some older Samsung devices. A new functional certificate is now
distributed with the Build 39. (SBT-781)
The "Test connection“ button in the "Configure the connection to your external database server“
window of the YSoft SafeQ installer now checks the connectivity to the server including the
username and password even when the domain authentication is used. (SBT-782)
YSoft SafeQ Terminal Server no longer crashes when an unexpected error appears in the KM
OpenAPI 4.2 scan request. (SBT-803)
The User account in the YSoft Payment System can now be created even when the fields for the
user's name and surname in the Management Interface are empty. The username field is used as
a displayed name then. (SBT-747)

You can find additional information on Partner Portal: https://portal.ysoft.com/products/ysoft-safeq

/extensions-store
3.2.12.1 Infrastructure changes
Enhanced password encryption for FTP and WebDAV
The security of YSoft SafeQ communications with external systems has been improved. In our
previous Build, (Build 37), enhanced password encryption was introduced for SQL database
passwords, LDAP passwords and SMTP passwords.
In Build 38, the security of passwords for FTP and WebDAV file transfer has been improved. The
password for FTP and WebDAV file transfer, which is stored in the database, can be additionally
protected with an enhanced password protection mechanism.
The Setup and Configuration of the Enhanced Password Protection chapter in the YSoft SafeQ 6
Administrative Guide assists administrators with enabling the enhanced encryption. The
Enhanced Password Protection chapter describes password protection methods used by YSoft
SafeQ 6.
Printing
Print jobs which were cancelled by the user logging out are now correctly re-queued for printing
again.
Embedded Terminal for Ricoh no longer displays incompatible jobs when the property
"showIncompatibleJob" is disabled.
Print jobs printed from USB by a public user are now being accounted for again on Konica Minolta
bizhub 4050.
The secure transfer of user credentials from FujiXerox devices has been improved. User
credentials are always sent to the server in encrypted form now.

It is now possible to install the Embedded Terminal for Samsung again. The error was caused by
an expired certificate used to sign a package deployed to Samsung devices. It is now fixed, a new
certificate has been used.
In customer environments where quotas were used, users were not able to log in to Embedded
Terminal for FujiXerox. The issue was occurring during a reservation made during login. This has
been fixed and users can once again log into Embedded Terminal for FujiXerox with quotas.
After a specific set of steps on an embedded terminal, it could happen that the scan button
redirected the user to a screen containing a list of workflows instead of initiating scanning. This
has been fixed.
Reporting
Administrators can once again see Job size in Advanced Job Information in the Management
Interface.
Administrators can now correctly export Management reports to PDF.
Print jobs with more than 9 Chinese characters in the job name printed on Embedded Terminal for
Sharp are being accounted for without any issues again.
Some Konica Minolta A4 devices have been producing scanned files in a landscape orientation
even though the user scanned in a portrait orientation. It has been fixed and all Konica Minolta A4
devices now consistently produce scanned files in portrait orientation as expected.
The behavior of a user input list with non-existing default values is now consistent on both
Embedded Terminals for Konica Minolta (Native and Web-Based terminal). The specified default
value is not displayed on the embedded terminal when it is not available in the source .csv or .xml
file.
It is once again possible to upload software packages in the Management Interface in Devices →
Hardware.
In rare cases when a customer had many (more than 200) LD devices communicating with one
Spooler Controller, some of the LD devices were removed. This has been fixed and LD devices are
no longer removed.
Updating of YSoft SafeQ 6 to a higher version of YSoft SafeQ 6 could end with an error message
when the customer upgraded to YSoft SafeQ 6 from YSoft SafeQ 5 before and the YSoft SafeQ 5
database was no longer present. This has been fixed and a YSoft SafeQ 6 update will finish
without an error message.
Deleting billing codes on YSoft SafeQ 6 installations with Microsoft SQL database no longer
returns an error message and works as expected by administrators.

Documentation for YSoft SafeQ FlexiSpooler has been improved. The page with YSoft SafeQ
FlexiSpooler Security considerations will help administrators better understand and consider
security aspects of FlexiSpooler configuration.
The Cashdesk operator can now identify a new user via card when the configuration of the
property, "onDemandPaymentAccountCreation", is enabled.
Single sign-on to the End User Interface with the Windows Integrated Authentication method is
now working.
CLI device replicator now correctly recognizes Terminal Professional 3.5 and/or Terminal Ultralight,
so these types of terminals can now be replicated without issues into YSoft SafeQ 6.
In rare cases after updating of YSoft SafeQ 6 to higher build, it could happen that administrators
are not able to select any online accounting driver. This is now fixed.
A new tooltip with helpful information for administrators about Kiosk mode was added in the
Management Interface based on customer feedback. Kiosk mode can be enabled when an
Administrator is adding a new Konica Minolta device in the Management Interface.
Security of the Management Interface has been improved. Importing scan workflows through XML
is no longer vulnerable to XML External Entity (XXE) attacks.
The security of installing YSoft SafeQ 6 with an external PostgreSQL database has been
improved. The checkbox, "Server requires SSL", which is part of installation setup screen, is now
fully functional and full certificate validation is being used.
The security of YSoft SafeQ 6 has been improved. It is now possible to configure YSoft SafeQ 6
JMX ports to be open only for localhost. Before this change, the port was open on all interfaces
and administrators needed to use a firewall.
The terminology concerning printer components (print pad, print bed, print pad holder) has been
unified across YSoft be3D eDee application and all documents (user guide, admin guide, service
guide, modification kit, etc.)
In rare cases, the eDee printer allowed other users to start a new print job while the previous job
was still in printing mode. This has been fixed and it will not happen anymore.
Note: Customers who use YSoft SafeQ extensions should contact their Y Soft RSM or Customer
extensions before applying a Build update into a production environment. You can find additional
information on Partner Portal: https://portal.ysoft.com/products/ysoft-safeq/extensions-store.

3.2.13 YSOFT SAFEQ 6 FALL 2019 RELEASE - RELEASE NOTES BUILD 37
Enhanced password encryption
Security of YSoft SafeQ communications with external systems has been improved. Now, in the
YSoft SafeQ Management server, a key file is created. This key file stores a secret key used for
an encryption of sensitive data such as passwords or secrets stored in YSoft SafeQ
configuration files and the YSoft SafeQ database. The file can also be protected with access
rights, Encrypting File System (EFS), DPAPI, or a combination of these methods.
The Setup and Configuration of the Enhanced Password Protection chapter in the YSoft SafeQ 6
Administrative Guide has been created to assist administrators with enabling the enhanced
password encryption. The Enhanced Password Protection chapter describes password protection
methods used by YSoft SafeQ. For now, it can be applied on a connectivity with:
YSoft SafeQ database (SQL database password encryption)
External user database (LDAP password encryption)
Mail servers (SMTP password encryption).
Support for PostgreSQL 11
As part of our commitment to update technologies used by YSoft SafeQ, the YSoft SafeQ
installation package now includes a new PostgreSQL version, PostgreSQL 11. The new version
replaces PostgreSQL 9.4 because the developer announced that support for it will expire.
Customers using YSoft SafeQ 6 on servers with a built-in PostgreSQL 9.4 database will be
updated automatically when installing Build 37 and higher. Customers with YSoft SafeQ 6 on
servers using an external PostgreSQL 9.4 database will be prompted for a manual upgrade of the
external database when installing Build 37 and higher.For further information see the Partner
Portal News article, YSoft SafeQ 6 - PostgreSQL Upgrade.
PostgreSQL database failover
Flexibility of YSoft SafeQ 6 has been improved. Administrators can now set up an additional
PostgreSQL connection string for a PostgreSQL YSoft SafeQ 6 database failover. When the
master database becomes unavailable, YSoft SafeQ automatically reconnects to the slave node.
YSoft be3D eDee
The YSoft be3D eDee terminal now supports Dutch, Norwegian and Danish languages.
Administrators can now remotely check the status of the eDee printer.

With Build 35, we improved the Billing code search in the YSoft SafeQ Client application. This fix
was re-opened and two additional improvements applied.
Embedded Terminal for Ricoh has been adapted for special conditions to prevent a random freeze
of the terminal on older devices.
The printer is now locked when Embedded Terminal for Sharp has just been installed.
Embedded Terminal for Fuji Xerox XCP now opens the YSoft SafeQ application correctly after an
authentication when the system property “initial-screen” has the value “sq”.
Card authentication on the Embedded Terminal for Fuji Xerox ApeosPort 4 has been fixed.
A correct administrator error message is now displayed and the Next button is disabled when the
YSoft SafeQ installer does not find a network controller on the server.
When data generation for green reports is disabled (the “enable-purge_reports” property is
disabled), the My Savings widget is now hidden and not available in the Management Interface.
YSoft SafeQ Management servers no longer stop working when a statistics recalculation is being
done in parallel within a clustered environment.
OLAP cube processing issues occurred due to null values in dimension members when Data Mart
Mode for reporting was enabled. Now the null values are overwritten with default values by a
regular Data Mart calculation and the OLAP cube processing is functional.
Administrators can now use device batch editing in the Management Interface when changing an
Embedded Terminal type from none to a brand. The installation of the Embedded Terminals will
start correctly.

The “Configuring and Deploying the Office 365 application for SharePoint Online and OneDrive
Business" guide is now updated to reflect changes made by Microsoft in the Azure configuration
portal.
When the YSoft SafeQ 6 installer is upgrading from version 5 and there are some Cost Center
duplicates in the database, the upgrade is no longer cancelled.
SMTP password credentials are no longer included in a text log file even when plain text without
any encryption is used.
The YSoft SafeQ Client's FlexiSpooler service in non-spooling mode now starts automatically after
its installation.
Printing
Users can now print in duplex on Sharp devices from the Google Cloud print connector.
The price calculation of a job with a nonstandard media type is now accurate when
“detailMediaTypeAccounting” has been disabled. Prices from hidden price list’s fields are no longer
used.
The portrait/landscape orientation of scanned documents has been fixed for Ricoh IM 430
devices.
Automated Scan Workflows are once again functional with Embedded Terminal for Ricoh on Ricoh
IM 430F/350F devices.
Note: Customers who use YSoft SafeQ extensions should contact their Y Soft RSM or Customer
extensions before applying a Build update into a production environment. You can find additional
information on Partner Portal: https://portal.ysoft.com/products/ysoft-safeq/extensions-store.
Printing
YSoft SafeQ once again deletes the printed or retired print jobs from spool folders.
Printing in a SPOC Group environment (Near Roaming) is now functional when a secure mode of
YSoft Message Queueing (YMQ) is enabled.
Mobile Print Server can now resolve the "Unicode (UTF-8)" encoding name.

In rare cases, copies on Embedded Terminal 2nd Gen. for Konica Minolta could be accounted
toward another user. This could occur in a clustered environment when the Embedded Terminal
repeatedly changed the connectivity between two Site Services due to a fail over. It has been
fixed.
Embedded Terminal for Konica Minolta now respects a user's language preference change on a
device before authenticating.
Embedded Terminal for Ricoh can once again be installed on RICOH IM C3000 devices.
Embedded Terminal can now be installed even when the "supported-lang-priority" system property
(language preference) includes a space between the languages.
YSoft Terminal Pro 4 no longer gets stuck when a user ends the terminal session before the
device delivers all scan documents to YSoft SafeQ.
It could happen that YSoft Terminal Pro 4 isn’t able to re-connect back to its primary Terminal
Server. This could occur after temporary connectivity is made with another node in a clustered
environment when an external load balancer is involved. To prevent re-connectivity issues, a new
system property, "terminalProfessionalGlobalTimeoutInMinutes", has been created with a default
value of 180 minutes for the Terminal Server configuration file. When no activity is detected
within 180 minutes, the scanning process is automatically cancelled. This change creates a new
limitation: Scanning to one scanned file (for example one PDF file) with YSoft Terminal Pro 4 can
not take more than 180 minutes otherwise the scanned file is not processed. To increase this
time, the property value must be adjusted.
Embedded Terminal for Aurora can now be installed on Aurora AD308e devices.
Card authentication is no longer delayed on Embedded Terminal for HP when a previous user
canceled a card self-assignment procedure.
Reporting
The Data Mart fields "Queue Type Dimension - Queue Type" and "Queue Type Dimension - Queue
Name" were mistakenly empty at secure prints when the queue has a name other than “secure”.
It has been fixed and the Queue Type is now “secure” and the Queue Name includes the name of
the queue.
Scanned files are now stored in a fallback directory when the OCR process fails.
The entire error message is now logged when the Spooler Controller can not connect to any
Management Server in a clustered environment.
Administrators can now edit the Spooler Controller group, “Spooler Controllers that are not part of
any print cluster”, in the Management Interface and no error message is displayed.

An appropriate warning is now displayed when an administrator tries to delete the default Spooler
Controller group in the Management Interface. Error 500 is no longer displayed.
The Spooler Controller restart time has been shortened in an environment that has many Flexi
Spoolers connected. Administrators can adjust this through a new system property,
“YmqRunOnceWorkerThreadPoolSize”, which has a default value of 200 threads.
Security of YSoft SafeQ has been improved. A stricter input sanitizing rule has been added to
problematic input fields of the Management Interface to mitigate a XSS vulnerability.
A new property, "StoredDeliveriesMaxBatchSize', with a default value of 10 has been added to the
Terminal Server configuration file. Also, the default value of the "PendingRequestsPeriod" property
has been changed from 10 to 60. This change improves the recovery process in a heavy loaded
environment when the communication of Terminal Server to other services was temporarily
interrupted.
Documentation for a recovery process of the YSoft SafeQ SQL database has been improved. The
Recovering Databases chapter in the YSoft SafeQ 6 Administrative Guide now includes a
situation with a SQL domain authentication.
Administrators can now adjust the timeout of the Terminal Server communication with the
Workflow Processing System. A new property, "wpsTsSystemApiConnectionTimeout”, with a
default value of 10 seconds has been created in the Terminal Server configuration file.
Administrators can now configure the memory size for SafeQube 2 operating system logs to have
logs that show longer periods of activity.
The “USER_NOTE” is now correctly substituted when used in a rule’s watermark definition in the
Management Interface.
To increase internal security of YSoft SafeQ, credentials for a print job replication, (JobReplication,
ReplicationSharedFolderCredentials, ReplicationSharedFolder), has been removed from the
Administrators should follow the “2.2.2. Additional steps” chapter of the “Updating from MU/Build
to Build“ section in the YSoft SafeQ 6 Administrative Guide when updating a Build 34 and lower
cluster environment with a secured LDAP integration.
The roof layers are now correctly displayed in DeeControl's preview window when using supports.
The model removal stand, which can be printed from the eDee administrator menu (Printer Control
→ Reference models → Model removal stand), has been improved. The printed model removal
stand now weighs less and the bottom adheres to the print pad better while printing.
An eDee administrator can now repeatedly pause and resume 3D printing from the eDee service
menu.
Administrators can now configure the memory size for eDee's operating system logs so that logs
can show longer periods of activity.

Product extensions
No items.
3.2.14.2 Known Limitations
Installation and deployment
Backup of YSoft SafeQ 6 (configuration, database and more) can be done using the
documented procedure. Please follow the product documentation for backup and restore.
FlexiSpooler in server mode and Spooler Controller components must be installed on the same
server.
After updating FlexiSpooler in client mode, the Offline Print capability needs to build a new list
of last used printers.
PostgreSQL database server uses GMT time zone by default. If YSoft SafeQ management
server is in different time zone, PostgreSQL time zone has to be set accordingly. Description:
Administrative Guide / Installation and deployment / Software / Configure PostgreSQL time
zone for correct print job and report data
Automated upgrade from YSoft SafeQ 5 does not support migration of YSoft SafeQ Payment
System and YSoft SafeQ Mobile Print Server.
When the Mobile Print Server is a part of the YSoft SafeQ 5 system, automated upgrade of
other components is still available. However, the MPS service in YSoft SafeQ will need to
be configured manually.
When the YSoft SafeQ Payment System is a part of the YSoft SafeQ 5 system, a special
manual upgrade must be provided. Contact your Y Soft Regional Sales Manager for
additional information.
An automated upgrade is possible only when using the latest YSoft SafeQ 5 Maintenance
Update. More details on the upgrade process can be found in the Administrative Guide in the
article Upgrade from YSoft SafeQ 5.
Accounting and reporting
Online accounting:
Online accounting of direct prints is not supported.
Online accounting of fax is not supported.
Online print accounting with coverage accounting correction is not supported.
Online accounting with the YSoft SafeQ Mobile Terminal is not supported.
The batch accounting of secure prints is not supported.
Offline accounting:

Combination of offline accounting and Payment System is not supported.
Offline accounting of copies using smart cable is not supported.
Local print monitoring (Local Monitor) is not supported. The price list section "Local" remains on
the web interface for the backward compatibility.
Estimated price of a print job does not change after modification of finishing options.
Management interface
Page with printers does not support searching by the direct queue when the name is put into
the Basic filter or into the keyword field in the Advanced filter. This functionality was removed
due to performance reasons. Searching by direct queue will be reintroduced via a dedicated
field in the Advanced filter.
Embedded, External and Mobile Terminals
Legacy Terminal Professional v3.5 is supported with the following limitations.
Scan Workflows are not available.
When using online accounting, price and number of pages displayed on the terminal might
be different from the actually accounted numbers. Accounted information is correct,
terminal displays only estimation from the parser.
Finishing options are not supported on the YSoft SafeQ Embedded Terminal for Samsung and
Brother.
Scan Workflows are available on devices from the following manufacturers. Please refer to the
product documentation for more details.
Brother
FujiXerox
Konica Minolta / Develop
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Basic finishing options (Simplex/Duplex, BW/Color and Number of copies) are available on
devices from the following manufacturers. See product documentation for details.

Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Advanced finishing options (Stapling, Punching, Folding) are available on devices from the
following manufacturers. See product documentation for details.
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
Any jobs submitted via Mobile Print or Mobile Integration Gateway do not support advanced
finishing options.
Not all of the finishing options are supported on every device, for detailed information please
see the documentation.
YSoft SafeQ 5 Early Access feature "Extended accounting of colors" is currently not
supported in Y Soft SafeQ 6.
YSoft SafeQ Mobile Terminal does not support pay-for-print capability
YSoft SafeQ Mobile Terminal is not currently supported for use with other hardware terminals
(Terminal Ultralight, Terminal Professional v3.5 and Terminal Pro 4).
Advanced finishing options are supported only when the YSoft Mobile Terminal is used on
devices with Embedded Terminals.
Advanced finishing options are not supported on Terminal Pro 4.
When deploying a software update package on Terminal Pro 4, a change of IP address in

Terminal Pro 4 is required prior to starting the software update package deployment. The IP
address of Management server is required. The change can be made via SSH client and
connection to Terminal Pro 4.
Terminal Pro 4 does not support Payment System.
Terminal Pro 4 does not support Stop on zero.

Scan workflows don't support user inputs and scan settings on Terminal Pro 4.
Scanning to one scanned file (for example one PDF file) with Terminal Pro 4 can not take more
than 180 minutes otherwise the scanned file is not processed.
Scan workflows with hardware terminals (Terminal Ultralight, Terminal Pro 4) requires a
Windows-based shared scan destination folder to transfer scanned files. Linux or other
operating systems based shared folders are not supported.
A user is not notified about the unavailable print job while using local spooler (CBPR) when
Print All function on the authentication page is enabled and used.
Scan workflows don't support user inputs on Brother.
Printing and print processing
YSoft SafeQ desktop Interface with FlexiSpooler for MacOS is not supported.
Desktop interface notifications from Rule-Based Engine work only when the FlexiSpooler is in
client mode.
Estimated price for the job is not displayed in the YSoft SafeQ desktop Interface.
Offline print is not supported in the following Embedded Terminals:
Lexmark
Sharp
Samsung
Scan Workflows
The output format, Compact PDF, is not working properly in combination with any processing
step. The scanned file is split into multiple pages.
Printing through Mobile Print Server
Character encoding of the incoming email must match the encoding configured on the server
containing FlexiSpooler used by Mobile Print Server in order to avoid a job name with corrupted
characters.
After adjusting the page range, preview of PDF jobs sent via AP Connector is not generated
from that page.
YSoft SafeQube 2
Only Konica Minolta, FujiXerox, Lexmark, Ricoh, Sharp and Xerox Embedded Terminals are
supported with SafeQube 2.
Scanning on FujiXerox via SafeQube 2 is not supported.

Near, Far Roaming and Offline Print are not supported with SafeQube 2.
Only TLS 1.0 and SSL 3 are supported on SafeQube 2. MFDs with TLS 1.1 or TLS 1.2 only won't
work via a secured channel, but some of them can be configured to use HTTP.
An administrator can not change SSL certificate on SafeQube 2.
Double-byte characters are not supported.
All ports must be configured above 1024.
Card self-registration by entering Card Activation Code is not supported.
Billing codes are not supported.
Quotas are not supported.
3.2.15.1 Infrastructure changes
YSoft SafeQ 6 can now be installed on Microsoft Windows Server 2019. The full list of supported
operating systems is in the “YSoft SafeQ server requirements” section in the YSoft SafeQ 6
Administrative Guide.
Reconfiguration of YSoft SafeQ is now easier. In most cases, administrators no longer need to
restart Terminal Server when changing Terminal Server settings through a system property.
However, when a restart is still needed, a reminder is written in the system property’s
description.
Embedded Terminal for Lexmark has been fixed and printing is now functional when the
installation guide is followed.
Billing code search is now faster in the YSoft SafeQ Client application.
Newly installed third party applications on HP devices are no longer locked for an authenticated
user.
Embedded Terminal for Xerox can now be installed on Xerox Workcentre 6515.
A user billing code is now reset to a default value when a user authenticates at Embedded
Terminal for HP and the SafeQ billing code application is not enabled.
Device native scanning is now functional with Embedded Terminal for Samsung even when
quotas from the YSoft Payment System are used.

Embedded Terminal 2nd Gen. for Xerox no longer creates settlements in the YSoft Payment
System (YPS) when an operation should be free of charge. In other words, the user can make a
copy, print or scan when he is a member of a group with an unlimited access defined in YPS.
In some circumstances, Terminal Server restarted itself when a YSoft Terminal Ultralight’s
connectivity failed. It has been fixed.
The “Configuring Ricoh” chapter (part of the “Embedded Terminals installation and configuration”
section) in the YSoft SafeQ 6 Administrative Guide now has additional paragraphs about the heap
and stack size settings, time settings and configuring USB card reader on 12.x Java devices.
Printing
The fail-over reliability of printing in a SPOC group, when print job replication is enabled, has been
improved.
Large format off-line accounting is now more precise.
Print reports based on off-line accounting are now functional for devices with a “YSoft SafeQ
license without Embedded Terminal” even when no other vendor specific device license with
Embedded Terminal is applied. However, the Reporting module must be part of the licensing.
The “Network Communication” chapter in the YSoft SafeQ 6 Administrative Guide has been
revised to better assist administrators with the pre-installation process.
YSoft SafeQ 6 no longer opens network ports 20223 and 20224.
A new chapter, “How to move a Microsoft SQL database to a new server with a different
hostname and IP address”, has been added to the YSoft SafeQ 6 Administrative Guide.
Automatic PIN expiration is now functional even when LDAP On-demand synchronization is used.
Moreover, LDAP On-demand synchronization no longer clears a user's Cost Center.
Multiple card activation codes were fixed with Maintenance Update 26 however, in some
circumstances, an unwanted multiplicity appeared in a Site Services clustered environment. An
additional fix has been applied.
The YSoft SafeQ installation no longer stops when the network communication port 636 is used
by another application. Instead a warning message appears.
LDAP replication is now covered by another functional node when the primary Management
Server is stopped in a clustered Management Server environment.
Local manual adjustments of the Billing Codes system properties in a Spooler Controller
configuration file (“…\SPOC\conf\modules\spoc.conf”) have once again higher priority than settings
pulled from Management Interface.
A correct time stamp is now written in the Spooler Controller log file, “spoc.log”, to JobInfo and
JobLog items.

Expired money reservations in the YSoft Payment System (YPS) were not automatically deleted
when the expiration period in YPS was shorter than the settings of an external payment system.
It has been fixed. However, it is recommended to set the reservation’s expiration period at least
one day longer than in the external payment system to prevent non-standard situations.
YSoft be3D eDee Print Management Solution
An automatic gradual density of a 3D model’s infill has been disabled. It results in a homogeneous
infill inside the printed model. For example, when a user adjusts the infill density 100% in
DeeControl, cavities no longer appear in the model body section.
Product extensions
No items.
server.

Online accounting:
Offline accounting:
Brother.
Brother
FujiXerox

OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
finishing options.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.

from that page.
YSoft SafeQube 2
Card self-registration is not supported.
3.2.16 YSOFT SAFEQ 6 SUMMER 2019 RELEASE - RELEASE NOTES BUILD 34
3.2.16.1 New Product, New Features
Embedded Terminal for Brother
YSoft SafeQ 6 Embedded Terminal for Brother is now generally available. Authentication, copy,
print, instant scan workflows and device dependent accounting (for copy and scan) are
supported. It is developed on special Brother BSI technology that determines its design and range
of compatible devices. All supported devices can be found on the Hardware Compatibility List
(HCL) in Partner Portal. All limitations are described in the “Requirements and known limitations of
YSoft SafeQ Embedded Terminal for Brother” section in the YSoft SafeQ 6 Administrative Guide.

YSoft SafeQ embedded in a Brother device. User selects a job for printing.
Counter reporting
Counter reporting has been improved and can be enabled for all compatible devices. An
administrator can now assign the accounting driver in Management Interface to any device
compatible with online accounting for reading and storing a devices’ counters on a regular basis.
Counter reports are accessible from the Management Interface and are also available through the
SQL API when Data Mart mode is enabled.
Full disk prevention
The reliability of YSoft SafeQ has been improved through a new feature that is now generally
available: Site Services (FlexiSpooler in the server mode) periodically checks the disk space and
stops receiving print jobs when the free space limit has been reached. A new section, “Full disk
prevention”, has been added to the “Configuring Spool Cleaning” chapter in the YSoft SafeQ 6

User experience with Terminal Ultralight
The user experience on Terminal Ultralight has been improved. At a print only device, (a device
that doesn’t support copy and scan functions), users no longer have to tap on the terminal’s print
button; now printing starts immediately once the user has authenticated. The device is
recognized automatically through an accounting driver that must be assigned to the device in the
Management Interface regardless of the method used for the accounting.
YSoft be3D eDee print management solution
New print pad / Print Bed Modification Kit
To improve the user experience with YSoft be3D eDee printers, we have developed a new,
bendable print pad which has a plastic surface. The new print pad makes it easy to "pop" a model
off the printing surface:
No glue is required
Spatula is no longer needed to remove most models
No mess is produced when removing the model
The new print pad is available as part of an optional “YSoft be3D eDee Print Bed Modification Kit”.
The modification kit is easily installed in eDee and allows using both the original glass printing pad
and the new plastic printing pad. The modification kit is compatible with any generation of eDee
printer and includes the new print bed stand (a platform that holds the print pad) and both print
pads (glass and bendable plastic).
Screen workflow update
The Terminal screen workflow for administrators and users has been modified for use of either
the glass or plastic print pad:

Admin adjusts which pad is used by selecting one of three options. User selects a workflow for
the type of print pad..

Glass print pad workflow. Plastic surface print pad workflow.
User card self-registration
The YSoft be3D eDee terminal has been improved. Users can now self register their
authentication card on the eDee terminal when the self assignment using login and password is
enabled.
Improved stability
The eDee printer terminal application's stability and responsiveness has been improved. As a
trade off we had to reduce the print progress snapshots resolution to its original value.
YSoft Terminal Pro 4 now allows the deletion of incompatible print jobs when they are shown on
the terminal. It doesn't matter whether finishing options are enabled or disabled.

Embedded Terminal for Sharp has been fixed. Administrators can now install the terminal even
when no application is defined yet in the "Sharp osa" menu of the Sharp device's system
settings.
Users can no longer log into the Embedded Terminal for Konica Minolta when the device is
remotely locked by an administrator, for example, when an administrator is logged into the device’
s web interface. This prevents wrong behavior of the embedded terminal.
A new SDK version, Lexmark ESS.62.045, is now used for Embedded Terminal for Lexmark. The
new version keeps the embedded terminal compatible with the latest firmware used in Lexmark
devices.
It could happen that a user received an empty scanned file when scanning on Embedded Terminal
for Lexmark. It has been fixed; the embedded terminal has been adapted to a specific behavior of
some Lexmark devices, mainly the Lexmark MX 711, that sends metadata earlier than the scanned
file.
A correct error message is now displayed on Embedded Terminal for Xerox when the user doesn’t
have sufficient credit and tries to perform a job.
Web reports have been fixed when an administrator edited a device location in the Management
Interface during the reported time period. The records are no longer duplicated.
YSoft SafeQ now properly switches utilization of network ports when an administrator adjusts
the system property “managementServicePort” from the Management Interface or the “
serverPORT” property in the SpoolerController configuration file “spoc.conf”.
The user’s first name is now in the "User dimension – Name" column of the data mart SQL API
instead of a user ID which was mistakenly included in previous versions.
Small performance improvements related to periodic service database operations (for example old
jobs deletion, data mart computation, statistics recalculation) have been applied for both MS SQL
and PostGre SQL YSoft SafeQ databases. The performance of the automatic deletion old print
jobs from the MS SQL database has been significantly improved.
A new version, DeeControl 2.7.3, is now available as a free download for Microsoft Windows and
MacOS platforms on Partner Portal and the Y Soft website. Updates include:
The YSoft SafeQ server address is now properly configured for all users working on a
workstation.
All users can open and use DeeControl when two or more of them are logged in on a
workstation simultaneously.
Entering and leaving the service menu login screen no longer allows a user to be logged into a
YSoft be3D eDee printer when another user’s 3D model is finished and waiting in the printer.

A new version of the product extension SWC-2, Credentials Generator (PIN generator for guest
mobile printing), is now available. Improvements in v138 are:
0.138: Fixed a bug in min_seconds_between_runs with Microsoft SQL Server. Slightly improved
login in some situations. Batch Credential Generator now ignores min_seconds_between_runs,
0.137: Fixed a bug in saving generated passwords in BCrypt format (for YSoft SafeQ 6).
0.136: Added support for saving passwords in BCrypt format, which eliminates the need for
the allowMD5PasswordEncoder option. Also fixed issue with VCRUNTIME140.dll.
0.135: Added support for the full set of options for the Batch Credential Generator, which now
supports everything the regular Credential Generator does (including passwords, card
assignment codes, PIN validity operations etc.). See new options with the "batch_" prefix. Also,
added allowed_cost_centers.
0.134: Added min_seconds_between_runs to solve multiple credentials per email with multiple
attachments.
0.133: Added password_chars to let the administrator configure what characters will be used
in generated passwords.
You can find additional information on Partner Portal: https://portal.ysoft.com/products/ysoft-safeq

/extensions-store
server.

Online accounting:
Offline accounting:

Finishing options are not supported on the YSoft SafeQ Embedded Terminal for Samsung.
Brother
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox

FujiXerox
finishing options.

client mode.
Lexmark
Sharp

Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2
The Embedded Terminal for Fuji Xerox no longer hangs showing the “please wait” message when
a user has cancelled a scan job.

YSoft SafeQ no longer stops processing web reports when a violation of a primary key constraint
occurs in the YSoft SafeQ database.
Printing
In rare cases, the third-party component, “Aspose.Word” called from YSoft SafeQ Mobile Print
server, doesn’t convert a Microsoft Word document to a print file and the conversion process
must be stopped. A process in the stoppage has been fixed when the conversion was interrupted
according to the “conversionTimeout” system property.
The LPR encoding implementation on the job title when the lprEncoding system property has
been changed is fixed. Print jobs created by Xerox print drivers with the Russian encoding can
now be printed on Xerox Altalink devices.
Print jobs are now longer deleted from the Microsoft Windows spooler when YSoft SafeQ stops
receiving print jobs due to the free disk space reaches a limit.
Device dependent accounting on Brother devices now correctly accounts for print jobs when
more copies are selected.
Administrators no longer need to make additional manual settings (e.g. deleting IMS server in the
device’s settings) when moving Terminal Pro 4 or a YSoft be3D eDee printer from one YSoft
SafeQ installation to another one. The standard re-installation process initialized from the
Management Interface manages all necessary changes.
A better error message is written in the log file when a print job submitted to YSoft SafeQ fails.
An administrator’s productivity and convenience has been increased with improved device
filtering and grouping in the Management Interface:
The installation status in the advanced filter has 5 new options. The full list now contains:
“Any value”, “Never installed”, “Devices waiting for installation”, “Change in progress”, “Terminal
installed”, “Terminal uninstalled”, “Failure”.
The “GROUP BY” selection has a new item “Spooler controller” instead of the previous “Spooler
controller group”. This option covers both: grouping by Spooler controller and Spooler controller
group.
When a YSoft SafeQ accounting driver is not correctly loaded to a device for any reason, an error
message is now written in the log file.
The YSoft SafeQ installation package now includes the "Process_DataMart_OLAP.xmla“ file for
connecting the Data Mart from Microsoft SQL Server Analysis Services (SSAS). See the “Microsoft
SQL Server Analysis Services chapter” of the YSoft SafeQ 6 Administrative Guide.
A YSoft SafeQ installation no longer fails when TCP port 389 is blocked by another application.
Only a warning message is displayed and written in the log file.

A daily YSoft SafeQ database maintenance default timing has been changed to decrease a server
load and to prevent a collision between processes. The indexing and shrinking now starts at 1:40
a.m. so that it runs after the full statistics recalculation that remains starting at 1:00 a.m. Both
values can be adjusted in the system properties: “databaseMaintenanceSyncJobCronRule” and
“fullStatisticsRecalculationSyncJobCronRule”.
Security of a YSoft SafeQ LDAP integration with external directories has been increased. Higher
security can be now adjusted in three system properties:
"cryptographicProtocolsForOutboundCommunication", ”
allowCustomCipherSuitesForOutboundCommunication" and
"customCipherSuitesForOutboundCommunication”. In YSoft SafeQ MU31 and lower versions, these
properties were known as “cryptographicProtocolForLdapReplication”,
“allowCustomCipherSuitesForLdapReplication” and “customCipherSuitesForLdapReplication”. After
an update to Build 33 or higher, the administrator should consider adjusting a new secure
communication.
The data mart SQL API has been improved to meet the "Papers normalized" and "Pages
normalized" values known in previous versions of YSoft SafeQ. The data mart database schema
has been extended with a new field "sheets_normalized_count ". The fields
"pages_normalized_count" and "sheets_normalized_count" are now calculated when the data mart
is enabled.
A new version, DeeControl 2.7.2, is now available as a free download for Microsoft Windows and
MacOS platforms on Partner Portal and the Y Soft website. Updates include:
Advanced print settings are no longer reset to default values when a user makes any change
in the File -> Preferences menu.
Action buttons are now visible even when DeeControl window sizes are minimized.
Users can now see all the parameters of a model’s preview when the "Detailed view" option is
selected in the preview window. A scrollbar has been added.
No items.
server.

Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp

Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
Any jobs submitted via Mobile Print or AP Connector do not support advanced finishing
options.
YSoft SafeQ 5 Early Access features such as "Extended accounting of colors" and "Public user
accounting" are currently not supported in Y Soft SafeQ 6.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

The user can now authenticate with an alias even when YSoft SafeQ is implemented in a multi-
domain environment.
Several minor memory leaks have been fixed in the Terminal Server to improve long term stability.
The user is now automatically logged out from the Management Interface according to the
“session-timeout” system property even if it is longer than 3 minutes.
The default value of the system property, "KMCardLoginDelay", has been changed to 1. This
system property is only applied on Embedded Terminal 2nd Gen. for Konica Minolta and the new
default value is suitable for most Konica Minolta devices.
Printing
A restart of the YSoft SafeQ Flexi Spooler from the task bar icon (tray icon) is now functional
even when YSoft SafeQ client components are installed in the Program Files (x86) folder.
Print job submissions when IPPS communication is used have been improved. It is now better
adapted to different printer behaviors regarding the RST and FIN flags.
When parsing an Epson print job without any PJL header, YSoft SafeQ no longer mistakenly adds
two PJL headers into the print file.
Device dependent accounting for Xerox AltaLink devices has been adapted to different situations.
A PostScript print job is now accounted for even when the device’s accounting log file only
includes one record assigned to the print job.
Temporary files are now automatically cleaned from an internal temporary folder after processing
scanned documents from Toshiba devices.
Security of LDAP integration has been increased. The configuration item, "Mode of LDAP server
certificate check", which is accessible from the Management Interface > System > LDAP
integration > Settings window, now has 4 new options. During the update, if LDAPS is configured,

the old option "hash" is automatically changed to "No certificate check (insecure)". The second old
option, "secure", is converted to "Java truststore (without hostname check)". Administrators
should read the "Configuring secured connection to the LDAP server" chapter in the YSoft SafeQ
6 Administrative Guide. Higher security can be set up after the update.
The data migration wizard, as part of the installation package, has been fixed:
Devices migrated from YSoft SafeQ 5 are no longer mistakenly labelled as 3D printers.
Users with custom permissions migrated from YSoft SafeQ 5 can now log into YSoft SafeQ 6
interfaces.
An upgrade from YSoft SafeQ 5 no longer fails due to incompatible scan workflows.
To make email notifications setup easier in the Management Interface, the email server
configuration properties, “mailSmtpSsl” and “mailSmtpTls”, are now replaced with one property:
“mailSmtpEncryption”. There are three options for "mailSmtpEncryption": NONE, SSL/TLS and
STARTTLS.
Administrators can now solve special situations when applying a mix of YSoft SafeQ Reporting
module licenses and licenses with Embedded Terminal. A new topic “Cannot install a device with
an embedded terminal due to insufficient licenses” has been added to the Troubleshooting
section of the “Management Interface – License activation” chapter in the YSoft SafeQ 6
The description of some system properties has been fixed. It now includes a request on the
Workflow Processing System (WPS) restart when changed. The properties are: “mailfrom”,
“mailserver”, “mailSmtpPort”, “mailuser”, “mailpass”, “scanDateFormat” and “scanTimeFormat”.
After a restart of Site Services in a clustered environment, it could happen that Embedded
Terminal device licenses were mistakenly assigned to devices that do not have Embedded
Terminal installed. It has been fixed and all licensed Embedded Terminals are now functional after
the restart as before it.
In a Site Services clustered environment, two TCP random ports were used for a fail detection.
These ports now have fixed values, TCP 7801 and TCP 7802, to prevent conflicting with a firewall
setup. The Network Communication chapter in the YSoft SafeQ 6 Administrative Guide has been
changed accordingly.
A device can now be edited in the Management Interface even when no user tag is defined.
Users can now be imported from an external directory into the YSoft SafeQ Management
Interface in “domain\username” format and user authentication is fully functional.
The YSoft SafeQ Embedded Terminal’s failover functionality needs to be correctly set up in a
clustered environment. When the “enableNetworkLoadBalancer” system property was enabled
and the “enableEtcd” system property was mistakenly disabled, users couldn’t authenticate on
the Embedded Terminal. In this situation the failover behavior is now suppressed and users can
authenticate.

The “Test the selected tracking mechanism” button is now accessible when editing a device in
the Management Interface and the accounting driver has been changed.
The export of Web reports and Counter reports to a CSV file format has been fixed. When the
separation character is found in a data item, the data item is now exported with quotation marks.
Both the separation character and the quotation mark can be adjusted in the system properties:
“exp_separator” and “exp_escape_char”.
The internal “Hex2Dec” function that manages a user's card ID conversion from hexadecimal to
the decimal format has been extended. It now supports longer IDs.
Every pull down menu in the Print settings section now respects a change when the user
requests a language preference in DeeControl.
Extensions Store item SWC-22, Google Cloud Print Connector, has been fixed. In rare cases, a
print job could be assigned to another user. It is recommended that customers using the Google
Cloud Print Connector extension should upgrade. The new version v1-4-19142-447 is now available
on Partner Portal and is backward compatible with any version of YSoft SafeQ 6.
server.

Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
options.


client mode.
Lexmark
Sharp
Samsung

Scan Workflows
characters.
from that page.
YSoft SafeQube 2
3.2.19 YSOFT SAFEQ 6 - RELEASE NOTES MU31
3.2.19.1 New Features and Benefits
DeeControl 2 - layering software
A new version, DeeControl 2.7, is now available as a free download for Microsoft Windows and
MacOS platforms on Partner Portal and the Y Soft website.

DeeControl 2.7 provides new capabilities such as:
When the user starts the application, the computer's compatibility is checked. If the graphic
card doesn’t sufficiently support 3D operations, an error message is displayed and the
program is stopped.
Better 3D model supports that are easier to remove.
An infill pattern - (gyroid) - saves printing time, lowers filament consumption and improves
printing profiles.
YSoft be3D eDee 3D printer firmware update
Printed models counter has been added. The printed models counter counts every started model
even if printing was stopped. The counter value is visible in "Service menu → Information." The
counter cannot be reset.
The firmware also includes an updated version of the eDee terminal’s operating system, v4.12.8,
which aligns with other Y Soft products.
Print Order
Based on customer requests, we have revised the print jobs order when printing from a secure
queue. Now the primary print job order is determined by the time the user chooses to print from
his workstation. The right order of printing is kept when one Site Server is in use. In a SPOC
Group environment (near roaming), the print order cannot be determined this way due to
technology limitations.
Embedded Terminal for OKI no longer gets stuck when the device was deleted and installed again
from the Management Interface.
It is now possible to scan A3 format on Embedded Terminal for OKI sXP2.

YSoft Terminal Pro 4 now allows the deletion of incompatible print jobs when they are shown on
the terminal when the system property, “showIncompatibleJobs”, is enabled.
Automatic user logout from Embedded Terminal 1st Gen. for Konica Minolta is now generally
disabled. This prevents the terminal from getting stuck. The native device-based automatic user
logout is still active.
A scanned document’s file size is now smaller when the Compact PDF format is used for
Embedded Terminal 2nd Gen. for Konica Minolta. Documents scanned as Compact PDF are now
the same size for both browser type and native embedded terminals for Konica Minolta.
Printing
A duplex print job can now be printed on a simplex printer when the user applies the “Try to fix
print job” option on any YSoft SafeQ Terminal.
Accounting of Japanese Industrial Standards (JIS) paper formats has been fixed. JIS B6, JIS B5
and JIS B4 are accounted as A4. JIS B3 is accounted as A3 (large) format.
Print rules with quotas were not properly synchronized to Site Servers. It has been fixed.
The YSoft SafeQ Client in CBPR mode is now functional when Arabic regional settings are enabled
on the workstation and the user account uses the Hijri calendar.
Several minor memory leaks have been fixed in the FlexiSpooler to improve long term stability.
The YSoft SafeQ Client no longer mistakenly creates a number of connections with Site Servers
when the workstation switches to a different network connection (e.g. wired and Wi-Fi).
The YSoft SafeQ Client is now immediately functional when it is re-connected to another server in
an environment with clustered Site Services.
A cost center no longer must be defined in the “USERUPDATE” line of a CLI User Replicator’s
import file.
The CLI Device Replicator can now import devices with an identical IP address when the devices
reside in different SPOC Groups.
Administrators can now configure user email notifications about successful or unsuccessful
processing of mobile prints. New system properties “mpsMailUserSuccess” and
“mpsMailUserFailure” have been created.
Administrators can now setup IP restrictions for print jobs submission via the LPR protocol to
Flexi Spooler running in server mode. A new system property “ListeningForJobsOnAddress” has
been created.
YSoft SafeQ updates no longer crash on an installation with a SQL database when the
database's name includes the “\N” string. E.g. “INSTANCE01\NAMEDB”.
A description of the system property “enablePaymentSystem” has been improved. It now includes
the list of YSoft SafeQ subsystems that must be restarted in order to apply all changes.

YSoft SafeQube 2 no longer mistakenly tries to connect to localhost when configuration
properties “serverGUID2” and “serverIP2” are empty.
The CLI User Replicator now correctly processes data when more data files are in the input
folder. Users imported from a previous data file are not mistakenly deleted before importing the
next data file.
Updating YSoft SafeQ 6 MU26, MU27, MU28 and MU29 to a higher version in installations with
Microsoft SQL database could fail. It has been fixed starting with updates to YSoft SafeQ 6 MU31.
No items.
server.
Online accounting:

Offline accounting:
FujiXerox
OKI
Ricoh
Sharp
Toshiba

Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
options.

client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.

YSoft SafeQube 2
3.2.20 YSOFT SAFEQ 6 - RELEASE NOTES MU30
JAVA 11
The YSoft SafeQ installation package now includes a new Java version, the third party
component, Red Hat OpenJDK11 (Java 11). The new version replaces Java 8 because the
developer for Java 8 has announced that support for it will expire. Java 11 brings security and
support for third party components. Now TLSv1.3 is supported by Java 11, new cryptographic
algorithms have been added (and old ones removed), and future security Java updates will be
available.
Warning: The Java 11 implementation has an impact on the list of supported operating systems.
YSoft SafeQ 6 MU30 and higher will no longer support any edition of Microsoft Windows Server
2008 and Microsoft Windows Server 2008 R2.
YSoft be3D eDee printer
Model Removal Stand

To increase safety when removing a 3D model from the printing pad, we’ve created a special tool:
model removal stand.

The stand is available by printing it. Ready to print models are included in eDee's firmware when
updating to MU30. (Administrator menu: Printer Control → Reference models → Model removal
stand). The model consists of two parts that can be assembled by mounting the two pieces
together with the bolts, nuts and hexagon screwdriver which are included with new eDee
printers. Existing customers can purchase standard nuts and bolts (14 x M4 bolts with hex head
and 4 x M4 nuts).
Print progress snapshots improvements

A recent, previous maintenance update included additional snapshots during the printing process
(at 5% stage and 50% stage). Since this now means 3 snapshots in 10 second frequencies for
each stage, as shown in the pictures below, the print head might be in the way of the camera
hiding the model.
With this upgrade, we modified our algorithms for clearer and nicer snapshots of your model.

The Print All button options for Embedded Terminal for Xerox in the Management Interface have
been adapted to Xerox devices. It now includes: “Use global settings”, “Disabled – print all waiting
jobs after login”, “Disabled – print nothing after login” and “Enabled – let user choose after login”.
Contact information visible in the “YSoft SafeQ version” widget under the “About the YSoft SafeQ
application” link can now be modified. A new system property “productSupportInformation” has
been created.
Prints from USB flash disk on devices with Embedded Terminal for Xerox are now accounted for
even when the username only consists of numeric characters.
YSoft SafeQ terminals no longer allow the release of any incompatible print jobs even when they
can be shown on the terminal due the system property “showIncompatibleJobs” enabled.
When network connectivity with a Xerox device was interrupted during authentication on
Embedded Terminal for Xerox, it could happen that no subsequent authentications passed even
when the network connectivity was fixed. It has been fixed.
Security of YSoft Payment System web interfaces has been increased. Prevention against Cross-
site Request Forgery (CSRF) attacks has been added.
German text in a help screen in native Embedded Terminal for Konica Minolta is no longer
corrupted when the authentication type “PIN or card or username/password” is used.
Automatic or manual logout from Embedded Terminal for Xerox can now fully cancel scanning
even when the merging originals feature has been used. No scanned document is sent.
A new progress bar now informs the YSoft Payment System's administrator about a length of the
process when the "Refresh" button is pressed in the entitlement's detail window.
YSoft Terminal Pro 4: Processing of scanned documents has been fixed preventing YSoft Terminal
Pro 4 from getting stuck after scanning.
Administrators can now manually set the domain name server (DNS) through the internal web
application in YSoft Terminal Pro 4 when DHCP is disabled.

Printing
The parser no longer analyzes jobs with CPCA language generated by Canon printer drivers on-the-
fly. It starts analysis when the job is completely received to prevent parsing errors and deleting
the job.
After implementing Aspose library for downloading emails in SafeQ 6 MU27 and later, email
messages were not deleted from the email server when an IMAP connection was used.
Furthermore, they were reprocessed as new jobs. A newer version or the Aspose library is now
used and the problem is fixed.
A new system property, “defaultQueueNameForJobsWithoutAny” with the value "secure", has

been created to assign a queue name to print jobs that are submitted to the spooler without any
queue name. It fixes printing in a far roaming group; every print job now has a print queue
assigned.
User accounts synchronization from Management Server to Site Services has been improved. The
new method is 70 times faster then the previous one.
Licensing of large amounts of devices now works correctly and Site Services can start even
when there are more than 2,100 devices in a device group.
Removal of card numbers can now be enabled for a differential LDAP replication. A new system
property "ldap-replicator-remove-cards-in-diff-replication" has been created.
More Mobile Print Servers can now connect to one Spooler Controller. This feature is especially
useful in an environment with clustered Site Services.
Mobile Print Server can once again download emails when theTLSv1.0 protocol is disabled in the
operating system’s registry.
LD (Limited Devices) control check has been improved. The device definition is no longer
automatically deleted from Management interface when the device is switched off.
Administrators can now change the name and password for secured communications in the
YSoft Payment System and payment plugins like DIBS. See the "Advanced configuration of YSoft
Payment System" chapter in the YSoft Soft SafeQ 6 Administrative Guide.
No items.

server.
Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark

OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
options.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

3.2.21 YSOFT SAFEQ 6 MU29 - RELEASE NOTES
YSoft Payment Machine
YSoft Payment Machine now supports Lebanese and Georgian currencies.
Embedded Terminal for Lexmark
Automated Scan Workflows are now available on Embedded Terminal for Lexmark. There are two
unsupported limitations: file folder browsing and list type of user input. The Embedded Terminal
for Lexmark is compatible with eSF 3.0/4.0/5.0/6.0 platform devices and supports authentication,
print, scan, billing codes, YSoft Payment System and device dependent accounting.
DeeControl 2.5
A new version, DeeControl 2.5, is now available as a free download for Microsoft Windows and
Mac OS X platforms on Partner Portal and the Y Soft website.
Main enhancements:
YSoft SafeQ username can be configured - dedicated for BYOD used for sending 3D jobs to
SQ server
Dutch localization - user interface, user guide, quick guide

Additional print status snapshots from YSoft be3D eDee printer
If the print job is 5 hours or longer, the user can receive additional snapshots of the print job's
progress (5% and 50% of print completion). The job owner is now better informed about the 3D
print job's progress and can react if needed.
The order of default languages for YSoft SafeQ Embedded and External Terminals has changed.
The system property “supported-lang-priority” now has a new default value: “En, De, Es, Fr, Ja, Cs”.
It results in a lower priority of double byte languages leading to higher performance of YSoft
Terminal Professional 4.
The user can once again open End User Interface when a quota with a zero limit is assigned to
him.
LDAP settings are no longer modified in the device when installing Embedded Terminal for Xerox
and the “enableXeroxAccessDefinition” property is set to “Application registry”.
Installation of Embedded Terminal for Fuji Xerox now automatically disables the device internal
logging of the user's ID card number.
It could happen that the USB card reader as part of YSoft Terminal Professional 4 stopped
working when connected to Konica Minolta devices. It has been fixed.

Printing
The FlexiSpooler now skips invalid XML characters in the print job’s XCPT header and doesn't stop
printing for this reason.
User detail data is now correctly shown to the user in the YSoft Payment System web interface.
A better error message is now displayed in the YSoft Payment System web interface when the
administrator creates an entitlement and the user wasn’t found.
Cash Desk users can now open a user’s account even when the user was already deleted in the
web interface but the money in the user's account hasn’t been deleted yet. The System creates
the user’s account again automatically.
YSoft Payment System’s service is once again called “YSoft Payment System” in the operating
system’s services window.
Terminal Server newly utilizes a certificate’s validation procedure during the establishment of the
HTTPS communication when secured WebDAV scan data storage type is used. A valid certificate
must be installed in the server where Terminal Server is installed otherwise Terminal Server won’t
start.
Embedded Terminal for Fuji Xerox can be once again installed and uninstalled on Fuji Xerox Apeos
devices from Management Interface.
A Web report and an exported Microsoft Excel report now match when a custom report is
created.
Administrators can no longer include blank spaces in the beginning or at the end of a YSoft SafeQ
External Terminal’s serial number in Management Interface which causes a malfunction of the
Terminal.
The YSoft SafeQ database validator no longer writes database credentials in the log file.
Upgraded YSoft SafeQ servers from version 5 to version 6 with YSoft SafeQ Terminal
Professional v3.5 no longer falls into off-line mode after starting.
A better error message is written in the log file when Management Server can’t connect to the
YSoft SafeQ database due to incorrect credentials.
The wrong password is no longer logged in case a user mistypes when logging into Management
Interface.
Microsoft Excel files generated for scheduled reports exported from Management Interface now
have a better name and includes the name of the filter.
A description of the system property “finishingOptionsPriority” has been fixed. It now includes the
right name of the Finishing options property: “enableFinishingOptions”.

YSoft SafeQ installation package now includes a new version third party component Infinispan
9.4.6 that fixes possible crashes of Site Servers in a clustered environment.
System properties in the "SMTP settings" part of the "spoc.conf" (Spooler Controller configuration
file) can now include the "[EMPTY]" value. It tells Site Services that really empty values should be
used for the property instead of a non-empty value received from the central settings in
No items.
server.
server is in different time zone, PostgreSQL time zone has to be set accordingly.
Description: Administrative Guide / Installation and deployment / Software / Configure
PostgreSQL time zone for correct print job and report data
Online accounting:

Offline accounting:
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox

EPSON
HP
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
options.

client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.

YSoft SafeQube 2
DeeControl 2.4
The new version, DeeControl 2.4, is now available as a free download for Microsoft Windows and
Mac OS X platforms on Partner Portal and the Y Soft website. Main enhancements: Support of
Spanish, Norwegian and Danish languages.

YSoft be3D eDee printer now supports failover in a Site Services cluster environment. When the
printer loses connectivity to Site Services it can automatically connect to another node of the
SPOC Group.
Filament management
Filament management for YSoft be3D eDee printers has been improved. An administrator can now
enter the filament spool's size during the exchange/replacement process. This enables some
advanced features leading to better administrator and user productivity and convenience.
The user can be notified if the device doesn’t have a sufficient amount of filament for the
print job.
An automatic email notification can remind the administrator when the filament is running out.
The critical level is adjustable.
Data mart mode
The next step in improving YSoft SafeQ's reporting capabilities has been done. The data mart SQL
API and documentation are available for partners and customers. Administrators can now easily
create reports using an external reporting system (e.g. Power BI) connected to the data mart
using the data mart SQL API.

A Microsoft PowerBI template, as a sample of connectivity to the data mart database schema, is
now accessible on Partner Portal. https://portal.ysoft.com/library/manuals/microsoft-powerbi-
template
Security Assertion Markup Language (SAML) v. 2 support, Early Access Program (EAP)
User’s and administrator’s productivity and convenience can be increased with single sign on
functionality to the Management Interface in an environment with authentication services based
on SAML2. This new feature has been released as part of the EAP.
The “duplex to simplex” print finishing option modified by the user on Embedded Terminal is now
applied correctly when the print job was modified by the YSoft SafeQ Rule-Based Engine module
from simplex to duplex.
Device dependent accounting now correctly reads accounting data from Xerox devices even
when users have special characters in their username, like â, ç, ĕ.
A user can now log into Embedded Terminal for Konica Minolta when using the YSoft Payment
System even if no operations were performed during a previous terminal session.
Card authentication is no longer offered in the Page Scope Web Connection login window (user
web access to Konica Minolta devices) when Embedded Terminal for Konica Minolta is installed in
the print device.

A message about the expiration of a credit or quota reservation in YSoft Payment System, in
some circumstances, was not replicated into Terminal Server and a user couldn’t log into
Embedded Terminal. This has been fixed.
Printing
YSoft SafeQ 6 data security has been increased related to print jobs sent from FlexiSpooler to
the printer. When the new system property “ignoreIppsMfdCertificateErrors” is disabled, YSoft
SafeQ utilizes a default validation procedure during the establishment of the IPPS communication
with the device. This improvement is valid for server-based printing and Client Based Print
Roaming.
The parser now correctly recognizes and accounts for jobs with CPCA print language generated
by the Canon Generic Plus PCL6 Printer Driver.
Mobile Print Server email notifications now contain the correct URL address to the mobile web
interface.
Direct print is once again functional on devices where Embedded Terminal for Ricoh is installed
with no accounting or off-line accounting options.
In some circumstances, it wasn’t possible to edit entitlements in the YSoft Payment System
management interface. It has been fixed.
Administrators can now use the new property “paymentSystem.configurationDirectory” to rename

a file folder with YSoft Payment System configuration files. The default value is “ps-conf”.
YSoft SafeQ installation files now include a newer version of the third party component: Apache
Tomcat version 9.0.12. This is accomplished with added support for TLSv1.3 and TLSv1.2 for
HTTPS communication with Management Interface.
Apache JServ Protocol's (AJP) communication port 8009 is no longer open by default in the
Management server due to security reasons.
Email notifications sent to the administrator now include additional data (Site server GUID and IP
address) for easier troubleshooting when mobile printing is allowed to unknown users and the
user can’t be created due to an already deleted user account with the same username.
LDAP replicator no longer mistakenly uses ERROR level in the log file when an alias of the
username was updated.
SNMPv3 communication is once again accessible in the Management Interface with YSoft SafeQ
Terminal Professional v3.5 and YSoft SafeQ Terminal Ultralight.
LDAP replication now uses a correct security protocol in accordance with the
“cryptographicProtocolForLdapReplication" property.

YSoft SafeQ database operations have been improved to prevent a long response time when
batch device requests are made through the Management Interface.
When a user tries to log into the Management Interface using incorrect credentials, the log
message is no longer assigned to the “ERROR” level.
The password of SNMPv3 credentials is no longer logged as plain text in the Terminal Server log
file.
The default value of the system property "securityProtocolTypesForOutboundCommunication" has

been changed from an empty value to "Ssl3, Tls, Tls11, Tls12" to avoid SSL/TLS configuration
issues for Terminal Server communications.
Administrators can now use the new property “useWebserverRootToStoreConfigurationFiles” to

change the folder where the Terminal Server - web server configuration files are stored. It can
prevent Terminal Server dysfunction when the operating system’s “Temp” folder is cleaned up.
The active area of the “Favorite” button on the eDee terminal touch screen has been enlarged.
Preview on the eDee terminal now shows the entire object that is to print.
Product extensions (customizations)
No items.
server.

Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
options.


client mode.
Lexmark
Sharp
Samsung

Scan Workflows
characters.
from that page.
YSoft SafeQube 2

User’s last access date and time is now correctly stored in the Spooler Controller in off-line mode
so the user’s credentials are no longer mistakenly deleted from the memory when the user has
been regularly authenticating on a terminal.
The copy count finishing option in Embedded Terminal for Epson has been adapted to the latest
version of the Epson MFD and PostScript print language.
It is now possible to log into the user interface web page as another user when the single sign on
functionality is implemented.
The line between print jobs is now visible on the Printed and Favorite tabs of Embedded Terminals
2nd Gen.
The print progress window is once again shown on Embedded Terminal 2nd Gen. for Xerox
VersaLink.
Copy and scan icons are no longer visible on YSoft Terminal Pro 4 when the print device doesn't
have these capabilities. System properties enableCopyOnHardwareTerminals and
enableScanOnHardwareTerminals are validated.
User card numbers are no longer logged by default. A special level of logging must be used.
The user can no longer release a print from the job details window in Embedded Terminal 2nd
Gen. when the user doesn’t have sufficient quota.
The eFilling feature is once again accessible when YSoft SafeQ Embedded Terminal is installed on
Toshiba/OKI devices with SDK version 3.1.
The user can once again activate his card via Card Activation key on Embedded Terminal for HP.
The icon showing “no billing code search results” is now fully visible on a smaller touch screen
with Embedded Terminal for HP.
The print progress window is now opened by default on Embedded Terminal for Xerox for AltaLink
devices. The "Allow Open Access to Job Information" device’s variable is enabled automatically
during the installation.
Printing
Management Interface no longer keeps a print job in the "printing" state when the print job failed.
Management Interface no longer keeps a print job in the “pending” state when the job’s transfer
to the device via LPR backend failed.

YSoft SafeQ Enterprise Client 2.x can now be used with the authentication setup
CurrentUserNameFormat=SAFEQ_SID_FORMAT and JobOwnerMethod=1. Site Services no longer
refuses this type of username.
In rare cases, it could happen that parts of segmented print jobs spooled to the devices get
swapped. It mostly resulted in printing errors or print job failures. Additionally, this issue created
server memory leaks which could lead to an automatic restart of the FlexiSpooler service after
some time. Starting MU27 it has been fixed.
Mobile Print Server is now able to convert PowerPoint presentations created in 16:9 view into A4
format and print them correctly.
When Spooler Controller is in off-line mode, it no longer crashes with an “Out of Memory” message
when many print jobs create a bigger load.
Behavior of Near Roaming Group has been improved. The internal address book of the connected
spoolers is now updated periodically which prevents loss of a FlexiSpooler’s connectivity.
Print jobs are now accounted to the right billing code when off-line accounting is used for printing
from YSoft SafeQ Client.
The “Edit” user access rights is no longer needed for scanning to Microsoft SharePoint. The
“Write” access rights is now sufficient.
Editing Entitlements in YSoft Payment System management interface is now faster and no longer
gets stuck with the “Please wait” message.
The YSoft SafeQ 5 with YSoft Payment System upgrade to version 6 has been fixed. An error
message about Tomcat uninstallation should no longer appear
Support for Microsoft SQL Server 2017 Standard or Enterprise Edition has been added. The
Administrative Guide’s chapter, YSoft SafeQ Server Requirements, has been updated.
Web and scheduled reports exported from Management Interface now have a fixed number of
columns even when some columns include empty or null values.
The user can now re-queue jobs in the Management Interface even when the
“printJobAccessSafeMode” system property is enabled.
The process of deleting devices through the Management Interface has been improved. When an
administrator tries to delete a device with an Embedded Terminal, the uninstallation of the
Embedded Terminal starts automatically. If the deletion is not successful (e.g. the device is not

accessible on the network), deletion is not done. In this case, an administrator can confirm
deletion and take responsibility for further setting of the device because it could stay
inaccessible for the users. Otherwise an administrator can make the device accessible and try to
delete it again.
Far Roaming of prints no longer generates a big load on the database. The SQL queries have been
optimized.
The SNMPv3 protocol can now be used for online accounting when YSoft Terminal Pro 4 is
connected to the device.
A better message: “Could not log in to the device because it is in use” is shown to the
administrator in Management interface when Embedded Terminal can’t be installed to Konica
Minolta / Develop / Olivetti devices because a user is working with it.
It could happen that YSoft SafeQ Terminal Server services didn’t start automatically when
Embedded Terminal for Brother was used. The services’ dependencies have been changed and
the service now starts well.
server.

Online accounting:
Offline accounting:
FujiXerox

OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
options.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows

characters.
from that page.
YSoft SafeQube 2
DeeControl 2.2 - new version of 3D printing slicer software
The new version, DeeControl 2.2, is now available as a free download for Microsoft Windows and
Mac OS X platforms on Partner Portal and the Y Soft website. Main enhancements:
Support of Czech language.
Ability to save a project composed of multiple parts as one .dcp file.

Terminal s
A new firmware version for Terminal Professional 3.5 (3.15.16) has been created. Improvements
are:

User credentials are no longer written in the log file.
The logo visible on the touch screen can be customized via the remote configuration tool for
hardware terminals (Termtool).
Incompatible print jobs can now be deleted on YSoft SafeQ Terminal Pro 4.
Embedded Terminal for Xerox has been improved. Color restrictions on copying can now be
defined by adjusting YSoft SafeQ user roles.
User access to Xerox VersaLink native copy and fax functions can now be restricted based on a
user role.
Embedded Terminal for Toshiba / OKI now supports double byte characters so the Thai language
is now supported correctly.
The Embedded Terminal installation guide for Toshiba / OKI devices, based on e-BRIDGE NEXT or
later architecture, has been extended. An IP-specific certificate is necessary for secure
communication.
The “forceInternalLdapServerIp” system property is now accessible from the Management

Interface expert-level configuration window. It is possible to set up Windows Network Load
Balancing (WNLB) for Toshiba and OKI devices.
Connectivity of Embedded Terminals to Terminal Server in a clustered environment with load

balancing has been improved. The first start of Embedded Terminal is now quicker. This applies to
Embedded Terminal for Xerox, Fuji Xerox, Toshiba, OKI, Sharp and Ricoh devices.
The Embedded Terminal for Lexmark is no longer stuck when the user tries to switch to the print
application or scans again when a previous scan job has finished.
The billing code application title in native Embedded Terminal for Konica Minolta is now dependent
on the “billingCodePrecedence” property. When the selected billing code is also applicable for print,
the title is "Select a billing code". If not applicable for print, the title is “Choose a billing code for
copy and scan.”
Administrators no longer have to manually download a special installation package for the
Embedded Terminal for Ricoh. It is now part of the native YSoft SafeQ installation.
Administrators can now use the new property “billingCodesMessage" to set up appropriate text
for the empty "My billing codes" screen of Embedded Terminal.
Behavior of Embedded Terminal for HP has been changed for accessing the native device’s
functions. When a user is logged into the Embedded Terminal:
Access to SafeQ applications and native copy, scan and fax applications reflect YSoft SafeQ
roles.
Certain native features are restricted: Support tools, delete protected jobs without entering a
password or PIN, ability to view other specific users’ jobs and folders, restore factory settings,
ability to promote any user’s job, retrieve diagnostic data and reports.

All other native features are enabled.
All Job Based Accounting (JBA) records are now downloaded from Xerox VersaLink devices even
when there are more than 50 jobs in the log.
The description of the Terminal Ultralight firmware update has been removed from the
Administrative Guide because this feature isn’t implemented in YSoft SafeQ 6.
Users can now search billing codes on Embedded Terminal for Konica Minolta with the Chromium
browser.
Text in error windows is now better aligned on the Embedded Terminal for Epson.
PIN auto confirmation has been removed from the Embedded Terminal 2nd Gen. for Konica Minolta
login screen. A PIN is validated when the user taps on the login button.
Printing
The print language of jobs that are submitted through the Wireless print (AP Server) is now
correctly detected. Postscript jobs are now correctly printed.
Direct queues of printers without any terminal no longer disappear after restart of the Site
Services or deleting the cache. Printing through direct queues is again functional.
The "ParserPJLUser" functionality now correctly uses encoding set via "lprEncoding" system
property. It solves issues with SAP printing when users have special characters in their
username, like ä,ö,ü.
Internal system tracking the print job status has been improved. Print jobs already printed will no
longer appear as in a "printing" state.
Parser now correctly recognizes print jobs with A2 and higher formats.
A print job with a title containing the text string “Copy - (" is no longer accounted for as copies on
Xerox devices.
Print jobs with non-standard paper size (other than A4 or A3), can now be printed on Xerox
devices when using the YSoft Payment System.
Print jobs uploaded on End User Interface are no longer locked and can be automatically cleaned
from an internal temporary folder after printing.
Scan Workflows
Text validation of user input default values in Automated Scan Workflows has been removed
allowing administrators to now be able to enter scan variables or multiple email addresses.
PDF documents scanned on Konica Minolta devices with OpenApi 4.13a are no longer digitally
signed. Adobe Reader doesn’t show a warning message about a non-valid or insecure digital
signature.
When a user searches for email on Embedded Terminal for Konica Minolta with Chromium browser,
the search window no longer overwrites the keyboard.

YSoft SafeQ Automated Scan Workflows: Resolving of scan variables for HP Records Manager’s
parameters (RecordType, ContainerRecordNumber and ExternalId) has been fixed.
The YSoft Payment System could stop working with an “Out of Memory” error message in
environments with YSoft Payment Machines. It has been fixed.
YSoft Payment System installation files now include a newer version of the third party
component: Apache Tomcat version 9.0.12.
Description of the “cryptographicProtocolForLdapReplication” property in Management Interface

has been fixed. The TLSv2 protocol is supported as well.
An mouse-over message is now readable when an error appears in the database integrity widget
on Management Interface.
The user no longer receives multiple emails with a card activation code in an environment with
two and more Site Services.
“Printed/failed jobs” widget in Management Interface now correctly shows jobs and their status.
A print job preview is now fully available in an environment with clustered Site Services.
The “Local printer” accounting method has been removed from the device definition in the
Management interface. This feature hasn’t been implemented yet.
User can now use an alias to log in to Terminals, the End User Interface and the Management
Interface.
Generation of statistics for reporting has negative impact on the performance of standard YSoft
SafeQ tasks. Generation of statistics has been fragmented in more smaller tasks that no longer
lock the database for a long time and the Management tier can now better respond to Site
Services requests.
Mouse-over help of the 'Overwrite user if already exists in database' and 'Check username
uniqueness' in expert settings of LDAP replication on Management Interface has been improved.
A timestamp assigned to a print job is now taken from the server instead of the device’s date
and time. Jobs and statistics are no longer prematurely deleted when the device’s time is
incorrect.
Validation of the “PIN-default-expiration” property in Management Interface no longer allows

negative numbers.
Administrators can now directly upgrade YSoft SafeQ MU17 to MU26. It was not possible in
version MU25.
The Mobile Print Server service crashed under some circumstances while stopping. It has been
fixed.

It some circumstances, a user received multiple email messages containing a PUK for a new card
self assignment in a clustered Site Services environment. It has been fixed
LD (Limited Devices) control check has been modified. The LD license is no longer removed from a
device when a sporadic SNMP device’s non-response appears and the device still reacts on a
network “ping” instruction. Six checks in a row with 20 minutes frequency must be negative to
automatically remove the device from the LD license in Management Server.
Product Extensions (Customizations)
No items.
server.
Online accounting:

Offline accounting:
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox

EPSON
HP
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
options.

client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.

YSoft SafeQube 2
Fail Over Node Selection
In a Site Services cluster environment, administrators can now manually select a subset of nodes
which are to be used for fail over functionality inside the Site Services cluster. This is now
applicable for YSoft Terminal Pro 4, Terminal Professional v3.5 and Terminal Ultralight. For
Embedded Terminals, it is currently available for Ricoh.
The new optional configuration key for selecting a subset of nodes is called failoverAddresses
and the configuration key has been added in the Terminal Server configuration file.
A limitation of nodes used for fail over enables clusters to be created across multiple locations
but limits fail overs, for example, to the local server and a datacenter server.
Terminal s
Embedded Terminal for Epson now immediately respects a change when the user requests a
language preference from the device’s user interface.

Embedded Terminal for Lexmark has been adapted for small displays. Text no longer overflows
the screen for the German language.
Embedded Terminal for Fuji Xerox XCP has been improved. When the system property
“fujiXeroxEnableDefaultQuotaTogglingStrategy” is disabled, the user is now better informed that
all available credit is calculated only for one particular operation (copy, print or scan).
Reinstallation of Embedded Terminal for Konica Minolta no longer deletes manually configured user
rights of the public user.
A new key “maxNumberOfSosCommunicationTries” with a default value of 3 has been added to

the Terminal Server configuration file. It improves the recovery process in a heavy loaded
environment.
Communication of Site Services with Embedded Terminal for Sharp now respects the
securityProtocolTypesForOutboundCommunication property when it is set to Tls12.
It could happen that card authentication stopped working when YSoft SafeQ 6 MU22 was
implemented in a Site Services cluster environment. In MU25 it has been fixed.
The display area of Embedded Terminal for Konica Minolta is no longer shrunk on devices with a
10” display and a Chromium browser.
A duplicate “Home” button has been removed from YSoft SafeQ applications on Embedded
Terminal for HP. The original home button is always present on a native part of the display.
Administrators can now suppress the copy or scan application on Terminal Professional v3.5 to
improve the user experience when the device doesn't support the function. Two new system
properties (enableCopyOnHardwareTerminals and enableScanOnHardwareTerminals ) have been
created.
Accounting of print jobs with advanced finishing options has been fixed. For example, stapling is
now accounted well.
The help dialog ("?" button) from the authentication window in Embedded Terminal 2nd Gen. has
been improved.
The 'Start' button on Konica Minolta devices now turns blue after authentication on Embedded
Terminal 2nd Gen. to remind users that it can be used for releasing selected print jobs.
Administrators can now prevent overriding manual changes in the MFD’s authentication screen
when the Embedded Terminal for Xerox is being installed. A new property,
keepCustomXeroxLoginScreen, with the value "true" can be added in the
<spoc_folder>\terminalserver\TerminalServer.exe.config configuration file.
An error message no longer appears when a user tries to switch between applications on
Embedded Terminal for Fuji Xerox XCP while the YSoft Payment System is used.

Printing
When the printer is not ready, YSoft SafeQ now repeatedly tries to send the direct print jobs via
LPR, IPP or IPPS backend. The number of attempts and the length of the delay between them are
configurable.
Job preview is now available even if Site Services has been switched on after a temporary
unavailability in the Site Services cluster environment.
Scan Workflows
The “Enter” key on Embedded Terminal for Xerox no longer deletes text already entered by the
user in an input field.
Scan to email is functional again in Managed Workflows when secured communication to the
SMTP server is used.
Under some circumstances, the YSoft Payment System could stop working with an “Out of
Memory” error message in environments with YSoft Payment Machines. It has been fixed.
Communication between Site Services, Management Server and the database has been optimized
to improve performance mostly during the start of Site Services.
The configuration file for YSoft SafeQube 2 no longer needs manual changes after a standard
installation.
Customizations
No items.
server.

Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta

Ricoh
Sharp
Xerox
FujiXerox
options.

client mode.

Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

New: A new feature, Zonal OCR, is currently available under the YSoft SafeQ Early Access
Program. In addition to extracting document contract through text highlighting and barcode
recognition, document content can also be extracted automatically via Zonal OCR. This first
version of Zonal OCR allows text extraction from predefined zones on the document to be stored
as workflow variables. The variables can be then used as document metadata or to automatically
name or route the document. Zonal OCR is ideal for documents with a standardized static
structure.

New: A new SMTP client, MailKit, has been added to Automated Scan Workflows services
replacing the .NET Framework SMTP client. The new client removes a previous limitation of secure
communications - both system properties “mailSmtpSsl” and “mailSmtpTls” are now fully
respected by Automated Scan Workflows. Additionally, the new client prevents a situation where
document delivery of documents became stuck requiring a restart of WPS.
Improved: The flexibility of Automated Scan Workflows has been improved. Administrators can
now use scan variables when changing OCR profiles in the Automated Scan Workflow’s definition.
This is an expert-level setting and needs advanced knowledge about the OCR engine. If needed,
contact Customer Support Services via the Y Soft Service Desk: https://portal.ysoft.com
/customer-support-service/service-desk.

Embedded Terminal 2nd Gen. for Fuji Xerox
YSoft SafeQ Embedded Terminal - 2nd Gen. is newly implemented on Fuji Xerox and Fuji Xerox XCP
devices. This version supports authentication, copy, print, automated scan workflows, billing
codes and device dependent accounting.
Terminal s
Billing codes are no longer visible in Embedded Terminals when this functionality is disabled.
No error message is displayed now when a user selects the home button during the printing of a
job on Xerox devices with Embedded Terminal.
Installation of Embedded Terminal for Epson no longer fails with an awkward error message: “The
last sequential number could either not be obtained.”
Documentation on Embedded Terminals for OKI and Toshiba now includes correct information
about a security certificate’s format.
Embedded Terminal for Lexmark has been fixed. Text no longer overflows the screen.
The ETCD file no longer grows to a large size on Site Services that are not part of any Site
Services cluster.
The Print All button on the Embedded Terminal 2nd Gen. authentication screen no longer has an
active area across the screen.
Charging of copies on devices with Embedded Terminal for Fuji Xerox XCP has been fixed.
When a session is active on the Embedded Terminal for Sharp, a swipe of any user’s card now
ends the session. This solves a situation when a previous user forgot to logout.
Terminal Server no longer accidentally stops communication on port 4096 after specific packets
when a load balancer is used.
Communication port 4096 used for communication with legacy terminals (Terminal Professional
v3.5 and Terminal Ultralight) is no longer open by default.
Terminal Server now resolves DNS hostnames for legacy Terminal Professional v3.5.
Printing
The "Convert job to grayscale" finishing option modified by Rule-Based Engine is now applied
correctly on Toshiba printers.
A print job is now correctly printed even if it includes doubled LF characters. It solves issues with
SAP printing. Note: T his improvement was already announced in MU23, however it mistakenly
wasn't included in the MU23 release. Therefore, it has now been included in MU24.

The FlexiSpooler no longer crashes when a connectivity to the port 515 (LPR printing) is closed
prematurely.
Detection of the PCL jobs has been improved. More types of PCL print drivers can now be used
for printing.
A new locally configurable setting for FlexiSpooler has been created to allow LPR printing to a
USB printer connected to a workstation. This setting is disabled by default.
The “Convert job to grayscale”, “Convert job to duplex” and “Print job # times“ finishing options
modified by Rule-Based Engine are now applied correctly on KM devices with YSoft Terminal Pro 4
and off-line accounting.
The Spooler Controller service no longer starts without having a complete list of terminals.
Performance of the SPOC Group has been optimized. Only print jobs are now shared inside the
Site Services cluster.
Scan Workflows
A scanned document from the Embedded Terminal 1st Gen. is now processed even when the
Merging Originals feature is enabled in the automated scan workflow’s definition. Because the
Merging Originals feature is not supported on the Embedded Terminal 1st Gen., the document is
delivered as the Merging Original was disabled.
The data security of Automated Scan Workflows has been increased to prevent malicious access
to a customer’s file system through the Automated Scan Workflow services.
A user can now scan from the Embedded Terminal for Xerox when the username includes the
domain, i.e. domain\username.
The default web report no longer shows other data than data related to the user who is
authorized only for his data reporting.
Embedded Terminal can now be installed even when the “Admin username” field is blank in the
device definition in the Management Interface. A default username is used.
After a new card self assignment the PUK is now deleted from the user account when the
system property “remove-puk-after-use” is enabled.
After a maintenance update of YSoft SafeQ, the service account's credentials that are used for
cluster management in the DBValidator.properties file now matches with the credentials in the
safeq.properties configuration file.
The Network Communication chapter of YSoft SafeQ 6 Administrative Guide has been corrected:
The network port 8000 hasn’t been used in YSoft SafeQ 6.
Management of Terminal Pro 4 hasn’t been using the 7347 port.
SSH port 22 is optional for administrative communication with Terminal Pro 4.

Fixed incorrect behavior in eDee's administrator interface. Entering the “Notifications” page
caused an error.
Fixed incorrect printing of a few top layers of a tall model. Layers were not printed correctly under
certain circumstances.
Customizations
No items.
server.
Online accounting:

Offline accounting:
FujiXerox
OKI
Ricoh
Sharp
Toshiba

Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
FujiXerox
options.

client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.

YSoft SafeQube 2
New options for integrating with external systems have been added. The three new workflow
variables are: unique scan job ID, workflow ID and workflow name. With unique values assigned to
every scan job, it is possible, for example, to track the scan workflow’s entire life cycle. The full
list of workflow variables is part of the documentation and is accessible here.

It is now possible to make changes to prepaid accounts of users already deleted in the
Management Interface. Administrators can disable, enable or remove any existing account.
Example: When a student postpones studies for a short time, the student's prepaid account can
be manually disabled and enabled again when studies resume. When a new user with an identical
username must be created in the Management Interface, the old prepaid account can be removed
from the YSoft Payment System.
Fixes and Improvements
Terminal s, user interfaces
Finishing options and job preview are shown correctly in the job preview window of Embedded
Terminal for Fuji Xerox.
Embedded Terminal for Konica Minolta / Develop / Olivetti now supports devices with the “LK-114
Serverless pull printing” solution installed.
Communication with legacy External Terminals (Terminal Professional v3.5 and Terminal Ultralite)
is now secured by default. Additionally, any attempt of non secured communication is refused
when secured communication is used.

An improved informative message appears when the installation of the YSoft SafeQ billing codes
application failed during the installation of Embedded Terminal for Xerox.
An “Insufficient permissions” message is now shown when a user tries to log in to the legacy
External Terminal (Terminal Professional v3.5) and has no entitlement assigned.
YSoft SafeQ Embedded Terminal 2nd Gen. for Xerox can be installed in "Third Party
Authentication" mode.
The YSoft SafeQ billing codes application can be assigned as the initial application at an
Embedded Terminal for Xerox in the 3rd party authentication mode in accordance with the “initial-
screen” system property.
A new version of YSoft SafeQ 6 Embedded Terminal for Ricoh (1.0.4) was certified and is now
available on Partner Portal. The main enhancement: fail over functionality's fix for clustered
environments. The new version has been tested with YSoft SafeQ 6 MU22 and higher.
Printing
Additional information has been added to FlexiSpooler’s log files: which SPOC the FlexiSpooler is
communicating with. This improvement helps administrator with troubleshooting in the clustered
environment.
Print job is now correctly printed even it includes doubled LF characters. It solves issues with
SAP printing.
FlexiSpooler has been improved. It is now able to handle number of concurrent http requests
without causing high CPU usage and malfunctions of the system.
Mobile Print Server no longer stops document’s processing when the document is temporarily
locked by an external process, e.g. an antivirus.
Scan Workflows
Automated Scan Workflows no longer fail on YSoft Terminal Pro 4 and Embedded Terminal for OKI
when no billing code is assigned to the user.
The data migration wizard, as part of the installation package, has been fixed so that Automated
Scan Workflows now work fine after migrating from YSoft SafeQ 5 when user input fields have
included empty strings.
User inputs can now be entered when scanning on Embedded Terminal for Konica Minolta with
the Chromium browser.
Administrators can once again add user inputs when creating an Automated Scan Workflow.
An informative message that no card reader is connected to the MFD when installing Embedded
Terminal for HP has been improved.

A new system property *allowCombiningUserEntitySources* has been created. When enabled, CLI
User Replicator is allowed to update attributes (role, cost center) of users created manually or via
LDAP replication in Management Interface.
A new system property “reportExportRowCountThreshold” has been created. Administrators can

define the maximum number of rows that can be present in the web report. If the number of
actual records in the report is greater than this value, the report is not exported.preventing a
potential crash of the YSoft SafeQ Management Server.
The expiration date of an SLA was fixed to show always precise date in the Management
Interface. When the support agreement is going to expire, partner can contact his Y Soft Regional
Sales Manager to arrange a Software Support/SLA extension for this particular customer to
ensure continuous future support.
The scheduler responsible for the creation and delivery of an automatic report no longer ends in a
never-ending loop when a target email address doesn’t exist.
The YSoft SafeQ installer now handles the linked values of the safeq.properties configuration file
well.
The name of the database once again reflects the value that an administrator wrote during
installation. Only an _IMS suffix is automatically added.
The YSoft SafeQ billing codes application is no longer installed in Embedded and External
Terminals when the Credit and Billing module is not licensed.
A new system property *showJobAvailability* has been created. When enabled, a message about
job availability is displayed on the terminal’s print window. When disabled, the system’s load is
lower.
Internal communication between the Management Server and the Spooler Controller has been
improved. New properties can be applied in the spoc.conf configuration file (written with default
v a l u e s ) :
communicatorSyncWaitRetry = 600
communicatorSyncWaitSleep = 100
This allows for adjustments in a special environment.
Customizations
Customization Catalog item SWC-2, Credentials generator (PIN generator for guest mobile
printing), has been improved. Administrators can now define a special list of keyboard characters
which are not allowed in generated passwords to prevent frustrating users. For example, a user
might confuse zero (0) for O or the capital letter “I” and the lower case letter “l”. (SAT-4854)

server.
Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark

OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp
Xerox
options.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

OCR Profiles
When an Automated Scan Workflow result isn’t as expected, the processing can be adjusted for
better results. For example, the percentage threshold for the “Remove blank pages” option can be
changed or the “Despeckle” option can be modified. Administrators can make changes in the
default OCR (Optical Character Recognition) profile that is applied to all workflows or in each
individual workflow’s OCR profile. This is an expert-level setting and needs advanced knowledge
about the OCR engine. If needed, contact Y Soft technical support.
YSoft SafeQ Client
Deployment of YSoft SafeQ with the YSoft SafeQ Client is now easier.
Restarting the user workstation is no longer needed after installing the Client.
Backward compatibility for the YSoft SafeQ Client in SafeQ 6: It is always our recommendation
to update the YSoft SafeQ Client whenever updating to the latest YSoft SafeQ 6 MU. The
Client update often contains important performance improvements that can impact the overall
SafeQ system. For example, MU20 contained important performance fixes when DHCP auto
discovery is enabled in deployments that use the Client. The Client also needed to be updated
to enact these fixes.
However, we understand that sometimes it is more manageable to deter updating the Client.

For this reason, the YSoft SafeQ Client no longer needs to be the same version as the YSoft
SafeQ 6 server applications, in most cases. This means a deployment can be updated with
server components and will be backward compatible with older versions of the Client.
However, this backward compatibility applies beginning with MU22 and will be backward
compatible with the SafeQ Client from MU14 and higher. This backward compatibility will be
the default mode of future MUs unless announced otherwise. In those cases, it will be
explicitly said that both the Client and the Server components need to be updated together.
Rule-Based Engine
Administrators can now suppress the “Append” functionality in the “Add or replace text in PJL
header (PJL jobs)” action of the Rule-Based Engine so a specific PJL header can be applied for
every device’s model. This allows Print Roaming to be implemented better across different models
of print devices.
Terminal s, user interfaces
User card authentication through the YSoft SafeQ Client has been improved. When the
authentication window appears on the workstation, the keyboard’s focus is automatically set
in the authentication window and the card number is properly transferred to the application. If
the keyboard’s focus is for any reason out of the Client's window, a message reminds the
user to click on the authentication window manually.
If the initial screen of Embedded Terminal for Toshiba has MDS mode set to "Copy" in the
Management Interface, the UI on the device behaves accordingly.
Installation of Embedded Terminal for HP has been improved. If a security certificate already
exists in the HP device from a previous Embedded Terminal’s installation, it is automatically
deleted and the new one is uploaded.
The "Cancel" button has been removed from the print progress dialog on the Embedded
Terminal 2nd Gen. for Xerox devices with EIP 3.0+. This functionality is not supported by these
devices.
Embedded Terminal 2nd Gen. for Konica Minolta in kiosk mode keeps MyPanel option disabled
by default. It is now a unified behavior across native, 1st Gen. and 2nd Gen. embedded
terminals.

Embedded Terminal 2nd Gen. for Konica Minolta has been adapted to the latest Konica Minolta
device’s firmware with the Chromium-based browser. Automatic PIN submission on the closing
screen of the PIN authentication was removed and card authentication has been fixed.
Embedded Terminal 1st Gen. for Konica Minolta now supports devices that use the latest
firmware with the Chromium-based browser.
Users can now access the device with Embedded Terminal 2nd Gen. when YSoft Payment
System is used, "Print All" function is on and the user doesn’t have sufficient credit for
printing. A warning message can be closed and the user can provide operations which are not
charged.
Card authentication on the Embedded Terminal 2nd Gen. for Konica Minolta has been improved
and should open any session on the first attempt.
Users can still authenticate at the device in situations when only a single node of Site Server
cluster is online and all the other nodes are offline, even authentication to this Site Server
cluster had never been done before.
The language selection window of the Embedded Terminal 2nd Gen. has been graphically fixed.
Printing
Print jobs waiting in a direct queue with IPP/IPPS backend due to a non-readiness of the
printer are no longer permanently stopped. After fixing the device and getting the ready
status, the jobs are automatically sent to the device for printing.
Online accounting is now functional when the Terminal Server is running on a different server
than the Spooler Controller.
Online accounting on Konica Minolta BH 195/215 devices has been fixed.
Updating a print job status across YSoft SafeQ has been improved and is now more accurate.
Scan Workflows
The user input selection window (drop down list) on the Embedded Terminal 1st Gen. has been
fixed and no longer uses only a half of the touch screen.
A dialog window has been added if the paper size is not recognized when scanning on a Xerox
device with Embedded Terminal 2nd Gen.
YSoft Payment System (YPS)
Automatic creation of a user money account when “onDemandPaymentAccountCreation“ is

enabled has been fixed.
When a user is using the recharge function, the operation has been improved on the server
side. It is no longer possible to break the desired minimum deposit amount by a HTML
modification.

The Installation Guide has been improved to inform the administrator about automatic suffixes
(_IMS, _YPS) applied on the names of the SQL databases when the Management Server or
YPS server are initially installed.
When an administrator creates a shared or direct queue in the Management Interface with a
name that already exists as a queue name, a better error message is now displayed.
A print job can now be reprinted when the direct queue was deleted and created again.
In the Management Interface the "Test" window of the LDAP integration now shows the
mapped cost centers correctly.
Additional troubleshooting information has been added to the Installation Guide. It conveys the
need to remove the "sysadmin" role from the "NT AUTHORITY\Authenticated Users" group
when a domain service account is used for YSoft SafeQ connectivity to an external MS SQL
database. The Installation Guide can be accessed here .
The default value of the system property "mpsCheckTimeout" has been changed from 1 000
ms to 10 000 ms. Its value is how often the designated email inbox is checked for new mobile
print jobs.
The YSoft Payment System checkbox is no longer available on Embedded Terminals for Epson
in the Management Interface because this functionality is not supported for Epson devices
yet.
The FlexiSpooler log now informs more clearly what is happening when the “location.config” file
is not accessible.
The upgrade of the Infinispan libraries has been fixed and the near roaming group is functional
after a new maintenance update implementation.
When a device has been deleted from the Management Interface, on occasion the embedded
terminal wasn’t uninstalled from the device even though the uninstall command was sent. It is
fixed now.
Increased terminal application stability.
Incorrect menu heading text (Czech language only) on the service menu after user input have
been fixed.
The default backlit screen level is now set to 80% to prolong the display's lifespan.
Customizations
No items.

server.
Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
HP
FujiXerox
Konica Minolta
Lexmark

OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
Konica Minolta
Ricoh
Sharp
Xerox
options.
YSoft SafeQ Mobile Terminal does not support pay-for-print capability.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

A special set of applications, called GDPR Tools, have been created for supporting General Data
Protection Regulation (GDPR). GDPR Tools can help an administrator fulfill a user’s GDPR rights
concerning their personal identifiable data within the YSoft SafeQ 6 environment. There are three
executable applications for the YSoft SafeQ 6 Management Server.
RtbF.exe: allows an administrator to execute the "Data Subject's Right to be Forgotten".

The program works by anonymizing all references to structured and unstructured data within
the YSoft SafeQ 6 databases related to the user.
RtA.exe: allows an administrator to execute the "Data Subject's Right to Access of Data".
The program creates a summary document containing all of the user’s data collected in YSoft
SafeQ 6. See the graphic below.
RtR.exe: allows an administrator to execute the "Data Subject's Right to Restriction of
Processing", or to re-identify at a later date, those users whose requests have expired.
The program creates a pseudonym in YSoft SafeQ 6 for the user and redacts all other
references including file names. Sensitive data is stored in a special database with a
restricted access. Once a request has expired, it is possible to reverse the process.
The GDPR Tools installation package and documentation is now available on Partner Portal.

GDPR Tools sample report obtained when running RtA.exe.
3.2.29.2 Highlighted Improvements
User input of email addresses in Automated Scan Workflows (Embedded Terminal 2nd Gen.) has
been improved. The user can:
assign multiple email addresses separated by a semicolon
perform a quick search for an email address, which searches within the YSoft SafeQ internal
user database.

Terminals, user interfaces
The number of copies, changed by a user on the Embedded Terminal for Epson, is now
correctly propagated when a PostScript print job is released
Print jobs that contain the character "$" in their title can now be printed.
The YSoft SafeQ Client application has been improved in terms of the user authentication in
special network environments. For example, authentication with a user's principal name no
longer causes a FlexiSpooler failure.
The “Add or replace text in PJL header (PJL jobs)” action of the Rule-Based Engine has been
fixed. It no longer mistakenly leaves the original text in the print file.
A Mobile Terminal user now has a visual indication when the mobile network connectivity has
been lost while scanning a QR code.
Once a print job has started it is now immediately removed from the Waiting folder on any
YSoft SafeQ Terminal. This prevents double printing of the job from different devices.

Communication between Spooler Controllers inside a SPOC Group has been optimized. The
number of communication threads is now better maintained. Additionally the Spooler Controller
no longer creates error messages with stack trace.
The Embedded Terminal for Sharp has been improved. Authentication is now immediately
functional when the device is waking up from sleep mode. Additionally, a user can logout by
touching the native logout button. Both improvements are applicable when YSoft SafeQube 2
is used as a Site server.
Terminal Server can now be secured when the device supports certificate usage and other
necessary parts of secure communication. This improvement is applicable for Embedded
Terminal's installation and scan's initialization.
An incorrect printing time could be shown for print jobs on YSoft Terminal Pro 4. A new
version of the terminal's operating system (4.10.5) fixes this issue.
Embedded Terminal for Toshiba/OKI has been improved. A user's authentication is now
immediately functional when the device has woken up from sleep mode.
The Accounting of print jobs is now more accurate for a very specific situation when the
Epson device is unplugged while printing.
The Embedded Terminal for Sharp/Sagem no longer is stuck when an unknown card is used
for user authentication.
The job price is now correctly shown on the Embedded Terminal for Xerox – Altalink model.
Scan Workflows
Log messages, related to bad credentials assigned to the “File system” connector type, are
now more clear.
Native Embedded Terminal for Konica Minolta once again enables PDF/A and PDF Web
Optimization scan settings.
FTP communication of devices with the Terminal server has been improved and no longer
results in server memory leaks.
Scan workflows now correctly propagate and evaluate meta-data in Microsoft SharePoint.
Scan workflows, as part of the native Embedded Terminal for Konica Minolta, have been
adapted to the new version of the device’s firmware. Scan attributes, such as Page Setting,
JPEG filetype, Scan Size and Original type, are once again available to users.
Administrators can once again setup the online accounting in combination with Terminal Pro 4
on a device in the Management interface.
The navigation bars in the Management interface screens are now properly visible on small
screens.

The Management interface has been adapted for mobile devices with lower resolutions.
Users can now control whether web reports include Scan counters when no license for Core
Workflows is applied.
Validation of an email address field in the web report’s scheduling has been improved. It
accepts the format which is in line with the RFC 5322 standard. For example, "user.name@abc.
local" can be used.
The data migration wizard, as part of the installation package, has been fixed so that report
scheduling in an upgraded installation from YSoft SafeQ 5 on an MS SQL database engine
works fine.
The validation of the Terminal Pro 4's network address on a device in the Management
interface has been improved.
On the rule definition page in the Management interface, an action description has been
changed from "Add watermark (PS/PCL jobs)" to "Add watermark (PCL jobs)" because
watermarks for PostScript print jobs is not supported.
Service accounts for LDAP integration are now properly saved when more LDAP servers are
connected to the Management server.
Optional widgets 'My savings' & 'My reports' in the Management interface’s dashboard are
functional from all nodes in the clustered environment.
The 'internal server error 500' message no longer appears when devices are quickly stored in
a row in the Management interface.
Custom Web reports are now functional even if thousands of cost centers are used and the
field "User cost center name" is assigned to the report.
Mandatory attributes are newly validated on the LDAP integration page in the Management
interface.
A note in the Management interface: Users > Access rights > Reports > "View all jobs" is now
more precise. The text “for search” has been added.
Missing checkbox “Use domain authentication” is back again on the Microsoft SQL database
configuration window in the YSoft SafeQ 6 installation application.
Customizations
SWC-48 “Google Directory Export” has been improved and the documentation has changed
accordingly. An additional “custom” type of “externalID” can be exported and imported.
Reliability of the users’ listing on a web interface of the SWC-49 “Web interface for delegated
print queue management” has been improved.
SWC-4 “Payment Gateway Plugin for WPM Education” has been adapted to the newest version
of the third party component - WPM gateway.

server.
Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp

Toshiba
Xerox
EPSON
Konica Minolta
Ricoh
Sharp
Xerox
options.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

New: User’s and administrator’s productivity and convenience can be increased with single sign
on functionality to the management interface when the Central Authentication Service (CAS) is
used for authentication at workstations. Additionally, no personal passwords must be handled by
YSoft SafeQ in order to access the management interface.
Improved: User experience with YSoft SafeQ 6 has been improved. Billing codes are now
displayed faster, even if thousands of billing codes are used. Improvement is visible on the YSoft
SafeQ embedded, mobile and external terminals as well as in the management interface and the
desktop interface.
Improved: DeeControl 2.1 - new version of 3D print layering software.
The new version, DeeControl 2.1, is now available on Partner Portal and the Y Soft website as a
free download. Main enhancements:
Multiple models support.
Enhanced model placement.
Redesigned rotations control panel.
Improved installation – application can be accessible for one user or all users of the
workstation.
Print properties: reset to default button added.

3.2.30.2 Fixes and General Improvements in MU20
Terminals, user interfaces
Only one Paypal icon is now visible in the client interface when clustering is implemented.
On browser based Embedded Terminals, the job details option (i button or wheel button) is no
longer highlighted after the user accessed this menu and nothing has been changed.
Native applications are no longer blocked on the device after reinstallation of the Embedded
Terminal for Epson.
Embedded Terminal no longer mistakenly shows the card self registration window when the card
is already registered. This was occurring when payment functions had been switched on and Pin
or card authentication used.
The print progress window is now shown on the Embedded Terminal 2nd Gen. for Xerox
VersaLink.
New authentication option "(Card and PIN) or Username/Password" has been added in Embedded
Terminal for Xerox.
The YSoft SafeQ favicon is shown again on the end user interface web page.
Scan Workflows
Native Embedded Terminal for Konica Minolta has been adapted to new firmware of Konica Minolta
devices. The Scan separation feature is again accessible.

The error message on the Embedded Terminal for Konica Minolta is now more explanable when an
unsupported combination of scan parameters is used.
Administrators are no longer allowed to uncheck the 3D system tag in the 3D device definition in
the management interface.
On the billing code selection window of the desktop interface, the “Recently used” tab is no longer
visible to users when the property “enableRecentBillingCodes” is disabled.
Using the “Uninstall terminal” action on a device in the management interface no longer shows an
error state when the device hasn’t been installed yet.
LDAP replication in the management interface now allows data replication from domains with
longer names. The limit has been increased from 20 to 50 characters.
Load of the Management Server has been optimized. Frequency of the management reports ’
recalculation has been changed from hourly to daily. Additionally, recalculation of management
reports is no longer provided on a manual request from the Web reports page, but only on a
manual request from the Management reports page.
Users can now log into the management interface from a Google Chrome web browser via
Windows Integrated Authentication (single sign on).
The user’s authentication in the management interface is now properly logged in the management-
service-audit.log file.
Administrators can now install the YSoft SafeQ Client application using Remote Desktop
Connection (RDP) and redirected printers from the administrator’s workstation are not mistakenly
considered as already installed printers.
Site server discovery process of the non spooling YSoft SafeQ client’s application using DHCP
option 9 has been improved. Internal communication timeouts were changed so that the
discovery process doesn’t end up in a loop.
Documentation now exactly specifies which versions of Microsoft Office or similar products can
be used for automatic conversion in the mobile print server.
On the eDee terminal, an appropriate error message appears and an email message is sent to the
administrator when a printer power board error occurs (e.g. the extruder over-heated).

server.
Online accounting:
Offline accounting:
Local print monitoring is not supported.

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
EPSON
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba

Xerox
EPSON
Konica Minolta
Ricoh
Sharp
Xerox
options.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

New: Embedded Terminal for Epson is now generally available. The Epson version supports
authentication, copy, print, scan workflows, billing codes and device dependent accounting on all
Epson devices that support Open Platform version 1.0+.
Improved: YSoft SafeQ 6 Embedded Terminal 2nd Gen. now supports right to left languages and
double byte fonts.
Printing
When a user changes the finishing options of a print job on YSoft Terminal Pro 4, an improved
message informs the user about the compatibility of the MFD and the finishing options.
The "secure" queue name in the print job ticket is now propagated well when the legacy YSoft
SafeQ 5 client is used with YSoft SafeQ 6.
When parsing a print job’s username from the PJL header and no username is found, the
username is taken from the LPR protocol and no new user with an empty username is created.
Any certificate’s validation errors in FlexiSpooler are now logged for quicker support.
Terminals
Under some circumstances, USB card readers connected to YSoft Terminal Pro 4 could stop
working. It has been fixed.
Embedded Terminals for Konica Minolta, Develop and Olivetti devices now support new USB card
readers (e.g. AU201S). When the property “usb-card-reader-conversion” is enabled and the
conversion returns an invalid output, the original value is used for the user authentication
Wrong text {product.name} no longer appears on the Embedded Terminal for Konica Minolta,
Develop and Olivetti devices when a language other than English is used
Administrators can once again successfully log into the The YSoft SafeQ 6 Embedded Terminal
Migration Tool.
Embedded Terminal for Epson has been improved:
Translation of some submenus to other non-English languages on Embedded Terminal for

Epson has been fixed.
Speed of the print job listing has been increased.
Menu button is accessible even when only one print job is listed.

Scan Workflows
The export and import of scan workflows in the management interface has been fixed. An
undefined item has been corrected in the exported XML files.
Billing codes are now propagated into %billingCode% scan variables when scanning with
Embedded Terminal for Ricoh.
YSoft SafeQ 6 server installers (the bundled ones) have been improved. They can be used for
YSoft SafeQ installation with clustered Microsoft SQL databases and the “Always On Availability
Groups” database feature is supported. See the documentation for detailed setup instructions.
Deletion of a device with an assigned hardware terminal in management interface no longer

causes any issues when the same hardware terminal is assigned to a new device.
The CLI user replication tool now interprets the RMAP keyword well and doesn’t delete a previous
manual role mapping.
The CLI user replication tool no longer crashes with a blank source file.
The YSoft Payment System’s failover behavior has been improved in a cluster environment where
SQL cluster components are running in different subnets. The new Microsoft JDBC Driver v. 6.2.2.
for SQL database has been implemented.
Security
The management interface login page no longer makes the IP addresses of the network adapters
visible in the html source when there are more adapters on the server.
The nozzle temperature warning is now only displayed when the nozzle’s temperature is high.
server.

Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox

options.

client mode.
Lexmark
Sharp
Samsung

Scan Workflows
characters.
from that page.
YSoft SafeQube 2
New: YSoft SafeQ now supports an extended list of Lexmark multifunctional devices. Embedded
Terminal for copying and printing can be installed on Lexmark CX series devices with Framework 6
firmware.

Printing
On Embedded Terminal for Fuji Xerox XCP and Sharp, the advanced finishing options now respect
the not collated / collated settings.
The copy count and duplex finishing options are now applied well on Fuji Xerox XCP printers.
The copy count, duplex and color finishing options modified by Rule-Based Engine are now applied
well on HP printers.
If the YSoft SafeQ Client is configured to not automatically search any Site Server, unwanted
DHCP traffic is no longer generated.
Terminals, End User Interface
On occasion the touch screen of Embedded Terminal would freeze due to slow communication
with Terminal Server. Administrators can now use the property remoteSpocGetPreviewTimeout to
create a proper timeout to prevent the Embedded Terminal’s behavior.
Users can now select and deselect a print job on Embedded Terminal for Fuji Xerox XCP devices.
The Embedded Terminal 2nd Gen. interface has been improved. A user can change a job's
finishing options even when the preview image hasn’t been downloaded.
On the browser type Embedded Terminal, the appearance of the user message explaining
whether the print job is currently available for print, has been fixed. The sentence “You can try to
print…” no longer appears twice.
The quality of Embedded Terminal's 2nd Gen. interface icons for Xerox Versalink C405 model has
been improved.
Scan Workflows
Scanning “from glass” with Embedded Terminal's 1st and 2nd Gen. interface for Konica Minolta has
been improved. Auto detection of the page format has been switched off by default so the
scanner no longer makes an additional pre-scan.
Administrators can now use the new property "mailEncoding" to set up appropriate encoding of
email notifications for scan workflow connectors.
Administration and Reporting
When the Management interface is left unattended and the automatic logout time expires, the
page is no longer accessible and the administrator is correctly prompted to re-login.
If 2D and 3D jobs are selected for requeue in Management interface, the administrator is informed
that only 2D jobs can be re-queued. 3D jobs will be ignored as this feature is not supported.

The CLI replication tool now supports the IP address for YSoft Terminal Pro 4 so that devices
with this type of external terminal can be imported. This tool is used for batch import of devices
and user accounts.
“Server system info” service is no longer mistakenly shown as stopped in the Support information
/ System information window in the Management interface.
System property PIN-default-expiration is now considered even when users generated the PIN in
the end user interface.
Incoming faxes on Konica Minolta and Develop devices can be reported and accounted for (when
the model supports fax accounting). The faxAccountingUsername property is considered.
Security
Installation files now include a newer version of the third party component: Apache Tomcat
version 8.0.50 (tcnative version 1.2.16). It brings recommended OpenSSL version 1.0.2m, where
CVE-2016-2017 is fixed.
A certificate’s upload to the device by an automatic Embedded Terminal installation procedure

when secure connection is requested has been fixed.
A clear message is shown when the installation of Embedded Terminal for Konica Minolta fails
because SSL/TLS is switched off in the device.
French localization of the YSoft be3D eDee terminal has been improved.
server.

Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
options.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows

characters.
from that page.
YSoft SafeQube 2
New: Customers using previous versions of YSoft SafeQ with LPR (Line Printer Remote) protocol
can upgrade to YSoft SafeQ 6 without a major change in their network infrastructure. The LPR
protocol has been implemented as an option for print job delivery from YSoft SafeQ 6 to printers.

New: Customers using YSoft SafeQ can now better scale their print environment by using entry-
level MFDs. The list of devices supported under YSoft SafeQ Print Management Suite LD has been
extended. All the supported devices can be found on Partner Portal in the Hardware Compatibility
List (HCL) .
New: YSoft SafeQ's reporting and accounting has been improved. Outgoing faxes can be reported
and charged based on a price list. This enhancement has been implemented for Konica Minolta,
Xerox, Fuji Xerox and Ricoh multifunctional devices.
3.2.33.2 Early Access Program
Improved: Print file replication, used for high availability of a print job waiting in the secure queue,
has been improved. Administrators can now individually switch on/off print files’ replication for
every Site server cluster and create dedicated replication storage inside every Site server cluster.
This extends the applicability of this feature (from centralized installations) to distributed
installations with multiple Site Server clusters.
Print file replication allows a print job to be available even when the Site server (where the print
files have been originally spooled), is not accessible or is down.
3.2.33.3 Additional Releases

Deployment of YSoft USB Card Readers has been improved. YSoft SafeQ administrators can now
easily configure selected models of YSoft USB Card Reader 3 by simply attaching a special
configuration card at the reader. This feature is accessible in the Card Reader Configuration Tool
version 1.2.0 and higher, which will be available during March 2018 on Partner Portal as a free
download.
3.2.33.4 Fixes and Improvements in MU17
Printing
The HPGL print job’s recognition by FlexiSpooler is now more reliable.
FlexiSpooler now provides a correct username format when the “User principal name” format
is used in the YSoft SafeQ installation (see the “usernameFormat” property in management
interface).
When the user hasn't used any billing codes in the YSoft SafeQ client popup window while
printing, the "Browse all" tab, which lists all billing codes assigned to the user, is displayed as a
default instead of the "Recently used" tab.
Extracting the print job owner from the print job title (see the parseUserFromTitle property)
has been fixed and works fine on different types of print workflows.
Untrusted certificates are no longer used for the YSoft Printer Driver installation. Mandatory
prerequisites are described in the “Installing Security Certificates” section of the SafeQ
The Mobile print server’s failover behavior has been improved in terms of its cooperation with
the Site servers cluster (SPOC Group).
Text in the Mobile print server service log file has been improved when secured SMTP
connection fails. Additionally, a description of the SMTP communication security has been
added to the Administrative Guide, section “Configuring Mobile Print Server”.

Processing reliability of large amounts of print jobs coming from the Mobile print server has
been improved. No print job can be lost.
Log messages related to the print job's preview are now more informative.
Terminals, End User Interface
YSoft SafeQ 6 data security has been increased related to communications between YSoft
SafeQ Terminal server and Embedded Terminals. This is accomplished with default use of the
SHA256 certificate instead of the previously used SHA1 certificate.
A better message now appears when a user is trying, but is not allowed, to log into an
Embedded terminal due to lack of funds.
Embedded Terminal (browser type, 2nd Gen.) no longer freezes when only one language for
the user interface is available.
The billing codes window in browser type Embedded Terminals now better informs the user
that this choice will be applied only on copy, scan or fax.
Embedded Terminal 2nd Gen. for Xerox now works in accordance to the "initial-screen" system
property.
Prioritization between rules and finishing options on Embedded Terminal applied on a print job
has been fixed when the “finishingOptionsPriority” property is set to “Finishing options have
priority”. The user must now manually change the finishing option in the Embedded Terminal to
force its priority above a rule. E.g. switching between b/w and color printing.
It is now possible to restrict access to copy application in Embedded Terminal for Xerox
AltaLink and VersaLink models.
Administrators can now successfully stop the Terminal Server service from within the MS
Windows operating system.
On Embedded Terminal for Fuji Xerox and Sharp, the advanced finishing options window is no
longer mistakenly shown.
On the browser type Embedded Terminal, appearance of the message explaining to users
whether the print job is currently available for print, is now switched off by default.
Administrators can switch it on by adding the showJobAvailability key in the “TerminalServer.
exe.config” configuration file.
The error message about network accounting is no longer mistakenly stored in the log file
when Embedded Terminal for Xerox is being installed in the Xerox Versalink device.
Printing with Terminal Ultralight or Terminal Professional v. 3.5 has been fixed when a smart
cable with support for off-line accounting is used.
The end user interface now correctly works with the following languages: Hebrew, Bahanasa,
Slovenščina and Serbian in Cyrillic and Latin scripts.

Scan Workflows
The appearance of the “Separate scan” button has been fixed in the native Embedded
Terminal for Konica Minolta.
Billing code is now propagated into %billingCode% scan variables when scanning with
Embedded Terminal for Konica Minolta is provided.
Configuration settings for the CLI replication tool are kept after an update to a new version is
made (starting MU17). This tool is used for batch import of devices and user accounts.
Spooler Controller Group service is installed properly when YSoft SafeQ is installed in a
different drive other than C: .
Administrators can once again export data to MS Excel format from the web based database
editor http://<SafeQ>/db.
Administrators now have more time to fix YSoft SafeQ license issues. The delay for automatic
device deletion has been extended from 10 to 30 days from the license's expiration date.
When the user is replicated via LDAP from an external directory, administrators can edit the
user’s other properties in the management interface even if a mandatory field is empty (Name,
Surname).
Filtering of LDAP user replication from AD have been improved. The new filter: (&
(objectClass=user)(objectCategory=person)) has been applied so that the computer’s records
are no longer read.
Licensing for the Rule-Based Engine module has been fixed.
Administrators, when logging into the Management interface, can now use a specific page, e.g.
http://<SafeQ>/devices .
Editing of passwords in the Management interface has been improved. When a stored item
includes a password and is open for editing, e.g. a device, an administrator can no longer
partially change the password. The password must be left as it is or the entire password
must be entered again.
Translation of the label “Name” into the Polish language in Management interface has been
fixed.
When a user is created via the auto-registering process, administrators can now edit the
record without any limitation.
Editing of rules in Management interface has been fixed. All text is visible when different
languages are used.

Authentication on the YSoft be3D eDee terminal is no longer disrupted when the user
changes the interface’s language while entering a PIN.
An appropriate message is now shown to an unauthorized user who is trying to unlock the
eDee printer when a model has finished printing.
A finished 3D model locked in the eDee printer is still reserved for the owner even if the
service menu login screen was accessed.
server.
Online accounting:

Offline accounting:
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox

FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
options.
YSoft SafeQ 5 Early Access features "Fax accounting", "Extended accounting of colors" and
"Public user accounting" are currently not supported.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

Improved: Rules-Based Engine has been improved. In Management interface for rules definition,
administrators can use three new condition types enhanced by advanced text operators. For
example:
Job owner’s username <starts with> "adm"
Job owner’s cost center number <is greater than> 100
Job is printed on device whose name <starts with> "MFD COLOR"
The advanced text operators (the full list is visible in the picture below) are especially useful
when structured name conventions of usernames, cost centers and devices are applied.
Improved: Admins can now configure loglevel and persistance of logs of the eDee printer. This
results in a longer physical lifetime of the eMMc internal flash memory in the embedded terminal.

3.2.34.2 Additional Releases
The following two areas are not included in the MU16 release install package. Availability is
indicated for each section.
New: DeeControl 2 - new version of 3D print layering software.
DeeControl software adds the layering information to a design file when preparing files for the
YSoft be3D eDee printing process. It allows the user to scale, rotate or move the model and
creates a preview of the 3D model. For advanced users more detailed settings are also possible.
DeeControl 2 is not part of the standard MU release and will be available during February 2018 on
Partner Portal and the Y Soft website as a free download.
New: YSoft SafeQ 6 Embedded Terminal Migration Tool.

Large enterprises with a high number of Site servers and hundreds of MFDs with Embedded
Terminals can now easily upgrade to YSoft SafeQ 6. YSoft SafeQ 6 now includes an external
migration tool where administrators can provide devices' reorganization and Embedded Terminals
can be automatically reinstalled in bulk. The YSoft SafeQ 6 Embedded Terminal Migration Tool is
not part of the standard MU release and will be available during February 2018 on Partner Portal
as a free download.
Printing
FlexiSpooler now respects central settings via jobAnalysisResolution and previewResolution

properties. When the “No rendering” value is setup for both properties, no rendering is
provided.
Embedded Terminals now display a correct IP address/hostname in the warning when Client
Based Print Roaming (CBPR) is unable to print a job because the user's laptop is closed
A new configuration key "pdfAConversionTimeout" has been added to the Mobile Print Server
configuration file to avoid mobile print jobs to become stuck in processing.
Print All functionality at YSoft SafeQ terminals respects the printSharedJobs property. When
the property is enabled, print jobs from shared queues are printed and vice versa. The right
number of jobs is shown on the Print All screen.

Print jobs are printed in the correct order when Print All is in use or when jobs have been
released from secure queue in the Waiting job tab. Listing at Embedded Terminal and printing
keeps the order given by position in the secure queue.
Terminals
A suitable warning appears when a user tries to start printing from the finishing option screen
of YSoft SafeQ terminal and doesn’t have sufficient credit.
When authentication mode of Embedded Terminal for Xerox is set to “To each application“ in
the device settings on management interface, only YSoft SafeQ applications are locked after
terminal installation. Copy, Fax, Email and other native applications remain unlocked unless
manual settings in the MFD administration are done.
On Embedded Terminals for Lexmark, handling of ALL PAGES quotas has been fixed.
Under some circumstances, the Terminal server service didn’t start automatically after the
host computer reboot. It has been fixed. In addition, the Embedded Terminal no longer
mistakenly downloads any print jobs just after installation.
Terminal server logs are preserved in accordance to system settings.
The Terminal server now uses security certificates for communication with Authentication
application of Embedded Terminals for Konica Minolta properly.
On Embedded Terminals for Xerox with EIP 4.0 (i.e. AltaLink) only a Xerox native keypad is
used.
Print All switcher functionality in the Embedded Terminal 2nd Gen. for Konica Minolta has been
fixed. Waiting jobs are printed when the “authenticate by card" mode is used and the switcher
is on. This follows similar fixes made in MU15.
Fuji Xerox native scanning application is now available when Embedded Terminal is installed
and "scanPanelEnabled" property is available.
The CBPR message of browser type Embedded Terminals explains to users more clearly about
what to do when a print job is unable to print because the user's laptop is closed.
Scan workflows
Implementation of a new version of the ABBYY OCR third party component in the scan
workflows involves a better paper format recognition and more reliable highlighted text
extraction.
YSoft SafeQ 6 internal OCR engine is now compatible with Amazon Web Services and
Microsoft Azure. A new license for the ABBYY OCR third party component has been used.

“Departments” view of management reports generated in management interface has been

improved.
Editing of a new rule in the Management interface has been improved. When a trigger is
changed while editing, dependencies to acceptable Actions are changed accordingly.
The manual migration of Embedded Terminal when upgrading from YSoft SafeQ 5 to 6 has
been improved and is consistent with the new migration tool.
The correct number of registered Spooler controllers is shown in the Management interface
immediately after an auto-registration process of a new Spooler controller.
Authentication keyboard on eDee Terminal has been improved. Users can now hit the Next key
when username is entered and the Login key when password is entered.
Users are no longer allowed to start a motion test while the bed is still returning to its home
position.
Administrators can now set up SMTP credentials in the YSoft be3D eDee printer without
authentication if the SMTP server doesn’t require it.
Service menu of YSoft be3D eDee printer now correctly shows the status of YSoft SafeQ
server connectivity.
Job listing on the eDee Embedded Terminal has been improved to be more reliable.
server.

Online accounting:
Offline accounting:

FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
options.


Scan workflows are not supported on Terminal Professional v3.5
client mode.
Lexmark
Sharp
Samsung
Scan Workflows

characters.
from that page.
YSoft SafeQube 2
Double-byte characters in job names are not supported.
LikeBe the first to like this
New: Updated security protocol support. The NTLMv2 protocol is now supported in the YSoft
SafeQ 6 installer allowing for domain user authentication to a MS SQL database.
New: A size limit for uploading mobile print files through the end user interface has been
implemented for maintaining high availability. The user will see an alert if the file size is exceeded.
See image below. The 1GB default threshold can be changed by a YSoft SafeQ administrator.

Printing
Print All switcher functionality in the Embedded Terminal 2nd Gen. for Konica Minolta has been
fixed. Waiting jobs are printed when a user authenticates with the card and the switcher is
on.
Terminals
The Print button in the Embedded Terminal 1st Gen. for Xerox is no longer greyed out when
the Copy icon is disabled in the multifunction machine.
Change of the preferred language from English to another one and reinstallation of the
Embedded Terminal 2nd Gen. for Konica Minolta now correctly changes the Embedded Terminal’
s language.
Scan workflows
Scan workflows can now be repeatedly edited without any error when the highlighted text
extraction “Chinese Simplified and English” language has been selected.
Administration & deployment
Old logs of YSoft SafeQ are now deleted regularly.
It is possible to edit removed devices in the management interface. If the device IDs are
known, it is possible to rewrite the editing URL address to recover them.
A manually renamed cost center is no longer overwritten by an LDAP replication.
Reliability of showing print jobs in the management interface has been improved. The list is no
longer prone to fail based on database deadlocks.
The Rule-Based Engine (RBE) Wizard now generates an RBE rule containing "Job status
change trigger" in the correct format.
It is now possible to store also HTTPS links in the "My links" widget on the management
interface dashboard.
The PIN code description has been improved in the "Access Credentials" management
interface dashboard widget.
Inactive direct queues are no longer shown in the queue filter of the Job list in the
management interface.
Jobs are no longer duplicated in statistics for clustered management.

Site server installation no longer fails if "YSoft SafeQ" printer already exists.
YSoft Payment System is now able to handle a large number of email notifications.
Under some circumstances, the Terminal server didn’t start services for legacy terminals after
the upgrade from YSoft SafeQ 5. It has been fixed.
Service installation scripts are now deleted after SPOC installation.
The description of the system parameter, "scanPanelEnabled", now specifies the related
vendors for this setting.
SNMP community names are now used correctly when administrators define new ones in the
Site servers’ communication inside a SPOC group has been improved and optimized.
Performance tests show a significant improvement.
server.

Online accounting:
Offline accounting:
FujiXerox
OKI
Ricoh
Sharp

Toshiba
Xerox
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
options.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

Double-byte characters in job names are not supported.
LikeBe the first to like this
New: The security of YSoft SafeQ Mobile Terminal (app) has been improved. A new user
authentication method is used.

Beginning December 8, 2017, a new
version of the YSoft SafeQ mobile app
will be accessible for YSoft SafeQ
users. The new version features
improved security and is compatible
with YSoft SafeQ 6 MU14 and higher.
The new, secure authentication feature
will no longer prompt for a username
and password. Instead, the user is
prompted for their email address and
YSoft SafeQ 6 sends back an
authorization link via email. Tapping on
this link from within email on the
mobile phone completes their
authentication.
The previous version of the mobile app
will no longer be available in the app
stores, however it will still be
compatible across all current and
future YSoft SafeQ 6 updates.
Note: The new app will be available on
iOS, Android and Windows app stores.
The app stores vary in the speed at
which new apps are added. December
8, 2017 is an estimate of availability.
New: YSoft SafeQ Mobile Print users now have an even easier way to print from their Android
devices. Any Android user who wishes to print from their favorite app can select YSoft SafeQ as
a printer under the standard print menu. This is made possible by the YSoft SafeQ print server's
certification with the Mopria Print Service. Newer Android devices (those with the Oreo version of
Android) have the Mopria Print Service already installed. Older Android devices can download the
Mopria Print Service from the Google Play store.
Improved: We are able to provide additional information for external payment systems when they
require more identification details about a payment for processing.
Improved: Embedded Terminals now display a message when Client Based Print Roaming (CBPR)
is unable to print a job because the user's laptop is closed. (When the laptop is closed, the local
CBPR spooler is unavailable.) This improvement is valid on Embedded Terminals for Konica Minolta
(1st Gen.), Xerox (1st Gen.), Fuji Xerox, Sharp, OKI and Toshiba.

Printing
The print job names’ rendering from a LPR (Line Printer Daemon) protocol header for YSoft
SafeQ reporting has been changed to meet the same rules as YSoft SafeQ 5. The "T" header
has higher priority than the "N" header.
Registration of print jobs is not duplicated in the SPOC when communication of FlexiSpooler
and SPOC is slow due to high network traffic.
Reading a device's status via IPP protocol has been improved and is now more accurate.
A new property “folderSortAllOrder” has been created for the print jobs’s order listing in a
browser-based Embedded Terminal. It offers the possibility of detailed separated order setting
for: printing via Print All feature after login, printing via Print All button inside the Embedded
Terminal and job listing in the Embedded Terminal.
Web reports for a device's page counters are now generated properly.
The delay before printing when the Print All feature is used has been significantly shortened.
Incompatible print jobs are still visible on browser-based Embedded Terminals and no longer
disappear when using the Print All feature.
Incompatible jobs can now be printed when the user makes the appropriate changes directly
from Embedded Terminal. For example, when the user is not authorized for color printing, the
user can change to BW and print the job.
For Toshiba and OKI devices, blank pages are now accounted for along with other printed
pages.
Some print jobs were not listed in the jobs' history when the Print All features was selected. It
has been fixed.
Cleaning of print jobs in FlexiSpoolers has been improved. A new property

"spoolerCleanerSchedule" allows setting the frequency of the cleaning.
Terminals
On the YSoft SafeQ Mobile Terminal, use of the camera focus on many Android devices has
been improved.
Logout of a YSoft SafeQ Mobile Terminal session on Android devices with the NFC printer
recognition now goes smoothly.
Users of older Konica Minolta devices with Embedded Terminal 2nd Gen. couldn’t use the HW
button for printing. It has been fixed.
Users of Xerox D95 devices with Embedded Terminal can now use their virtual credit.

Some Embedded Terminals could show a warning window without any text message when
print application was setup as a default and billing codes requested. It has been fixed and a
correct message is displayed.
Scan workflows
The automated scan workflow connector for Microsoft OneDrive for Business / Education has
been adapted to a new OneDrive API behavior. Concurrent append to a PDF is again functional.
The Workflow Processing System (WPS) now provides a better cleaning of temporary folders
saving data storage space
Export files from web reports now includes all columns after upgrading from YSoft SafeQ 5.
When a FlexiSpooler service installation fails, the correct name of the log file is now mentioned
in the YSoft SafeQ installation screen.
Print devices that only use the YSoft SafeQ Reporting module license are no longer counted
twice when counting licenses in the management interface system > license information
window.
The YSoft SafeQ 6 license updating process in the management interface has been improved.
It is faster and is able to quickly handle large installations with thousands of devices
When a device terminal type in the management interface is changed from an Embedded
Terminal to None, uninstalling the terminal from the device passes correctly
Administrators can edit users' home directory even if a LDAP replication is used. When the
original home directory value in the LDAP is empty, a manual setting in the YSoft SafeQ
management interface is kept in case replications periodically run. The property: “ldap-
replicator-*-keep-internal-homefolders” must be set up accordingly
While starting the YSoft SafeQ 6 management server, an additional check of GUID and host IP
address uniqueness is provided. This check saves the reliability of the system when a
management server was changed or a new one installed.
In the management interface, it is now possible to move devices from one SPOC group to
another one.
Deleting a temporary folder, for instance C:\Windows\Temp\webserver, does not cause an

outage of the YSoft SafeQ system anymore.
The Terminal Server service does not crash anymore when older HW terminals (Terminal
Ultralight and Terminal Professional v. 3.5) are being installed.
While editing a device in the management interface, the "Scan workflows" shortcut is visible
only when YSoft SafeQ Terminal UltraLight is selected.

Stability of the Terminal Server service has been improved using a newer version of WebDAV
server.
The FlexiSpooler installation log has been improved. The ERROR (instead of INFO) label is
assigned to messages when an issue arises with “YSoft SafeQ” printer installation.
Upgrading the YSoft SafeQ client doesn’t fail when a space is part of the client’s home folder.
It is now possible to update YSoft SafeQ servers with a standard installer even if the YSoft
Infrastructure Service does not currently exist at the server.
Upgrading YSoft SafeQ 5 ORS servers to version 6 could fail on the Terminal Server service
renaming. It has been fixed.
Updating YSoft SafeQ 6 Site Servers now keeps information about all management servers
when clustering of management servers is implemented. No manual corrections are needed.
The device installation status in the management interface now shows more accurately the
real status of the device.
Uninstallation of Embedded Terminal 2nd Gen. from Konica Minolta devices now passes
correctly.
Under some circumstances the SPOC service didn’t start due to a bad internal interpretation
of Spooler Controller and Spooler Controller Groups identification. This issue has been fixed.
YSoft SafeQ 6 server installer now automatically creates a work directory

"…\SPOC\server\mobile" so no manual changes after installation are required and mobile
printing works properly.
The printer no longer waits for the nozzle to cool down when admin prints a diagnostic print
An error message appears when the user's refund request was not sent
The French language version corrected on eDee Terminal.
The IOTA OS now has been updated to version 4.8, the latest version.
The service menu enter/leave respects the authentication rights from which it was invoked
therefore fixing the problem where an unauthorized user could access a print of another user
Backup of YSoft SafeQ 6 (configuration, database and more) can be done using documented
procedure. Please follow the product documentation for backup and restore.
server.

Automated upgrade is possible only when using the latest YSoft SafeQ 5 Maintenance
Online accounting:
Offline accounting:

Legacy Terminal Professional v3.5 is supported with following limitations.
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox

options.

client mode.
Lexmark
Sharp
Samsung

Scan Workflows
Character encoding of incoming email must match the encoding configured on the server
characters.
from that page.
YSoft SafeQube 2
work via secured channel, but some of them can be configured to use HTTP.
Administrator can not change SSL certificate on SafeQube 2.
Card self registration is not supported.
Double byte characters in job names are not supported.

New: Terminal Professional v3.5 is compatible with YSoft SafeQ 6 for copying and printing
Customers using previous versions of YSoft SafeQ with Terminal Professional v3.5 can upgrade
to YSoft SafeQ 6 and still use their existing external terminal for copying and printing. However,
YSoft SafeQ 6 scan workflows are not supported.
Improved: Devices page redesigned for faster content loading
The device page in the management interface could take a long time to load information,
especially for installations with over 200 devices. This has been improved.
New: YSoft SafeQ 6 Embedded Terminal 2 nd Gen. for Konica Minolta and Xerox
A new UI theme for our embedded terminals adds the latest design principles and improves the
end user experience. We call this new UI theme, YSoft SafeQ Embedded Terminal - 2nd Generation
(2nd Gen.). It is currently implemented for Konica Minolta and Xerox MFDs.
While the new UI can be used now, it remains accessible under Early Access License and named
YSoft SafeQ 6 theme. When the new UI theme is released from Early Access License in MU14, it
becomes a standard part of YSoft SafeQ 6 and will be named YSoft SafeQ Terminal Application -
2nd Gen.
A final main component - Billing code application - was created and built in the new SafeQ 6
theme browser-based embedded terminal.

Security
Color print jobs are moved to “Rejected” status when a user without color printing permissions
tries to print it. These jobs were mistakenly marked as “Pending”.
Terminals
German and Catalan translations of the Xerox Embedded Terminal was changed so new
shorter descriptions don’t overflow the menu fields.
Print jobs are no longer visible in the Waiting folder when they are printed via “Print all“
functionality when logging in.
While installing YSoft SafeQ 6 management server, a clipboard copy of the automatically
generated password to the PostgreSQL database for later administrative utilization was
sometimes incorrect. It was fixed and administrators can rely on the password ’s clipboard
copy.
When updating YSoft SafeQ 6, the Ricoh Embedded Terminal files are no longer deleted
(\terminalserver\Apps\Ricoh).
During installation of YSoft SafeQ 6 server on a MS Windows Server where IIS is already
running, the default IIS site is no longer deleted by the YSoft SafeQ installer and a free port
(different from default 80) is offered as an option.
Flexispooler installation stability has been improved.
When adding new devices, the warning "Some devices are not licensed correctly" may appear.
More information on the devices this relates to has been added.
Activation and Deactivation time is now set properly when editing a device in the
Installation of Embedded Terminal on Xerox Versalink has been improved when YSoft Payment
System is used. No additional reinstallation is necessary now.
When exporting the per cost center report to XML, if special characters are used, they were
not encoded properly. They are now encoded to XML standards.
CLI user replicator (import tool) now supports Unicode languages (e.g Chinese).
The software requirements section of the YSoft SafeQ 6 Administrative Guide has been
updated to include "Highlighter feature (part of Advanced Workflows) is not supported on
Windows Server Core edition".

Under some circumstances, the “YSoft SafeQ Workflow Processing System” service couldn’t
be stopped in the Services window of the operating system. It has been fixed.
Cost Reporting of a scan job was different in two separate reports. This has been corrected.
Scan workflows
An error message (202) mistakenly appeared when scanning on Xerox Embedded Terminal
from the glass asking the user for the paper format. It has been fixed.
Accounting of scans on the Sharp Embedded Terminal has been fixed. Simplex and duplex
scanning is now properly recognized.
Scan workflows were not displayed to users who have special characters in their usernames.
This has been fixed.
When a validation error in the scan workflow form occurred, the definition of scan workflow
access roles was not displayed correctly. This has been fixed.
Users could experience an error on the Konica Minolta Embedded Terminal when a Microsoft
Exchange contact list was used as an editable parameter of a scan workflow. Errors no longer
appear and users can search in the Global Address List.
Entering and exiting the Service menu on the eDee touchscreen has been redesigned.
The Print summary screen now includes correct information on consumed filament, time of
printing and other data when a 3D print has finished and the Feedback option is on.
When a 3D job submission to the YSoft be3D eDee printer fails and the YSoft Payment
System is used, the credit reservation is canceled.
The brightness of the eDee touchscreen no longer descends to zero by itself.
Email notifications to the administrator when the filament runs out are now properly sent out.
When cancelling a print job during the preparation stage, the credit reservation is released if
YSoft Payment System is used.
Charging and quotas
Embedded Terminal for Sharp devices has been improved when the YSoft Payment System is
used. Users can print multiple jobs in one batch and the system works with credit and quota
reservations in the YSoft Payment System correctly.
An appropriate message appears on Embedded Terminals when the user account is disabled
or no credit is assigned yet.

When a quota was assigned to “All” users in the YSoft Payment System, the limit wasn’t
functional. It has been fixed and users can’t continue to copy/scan now when a limit is
reached.
server.
Automatic upgrade is possible only when using the latest YSoft SafeQ 5 Maintenance Update.
More details on the upgrade process can be found in the Administrative Guide in the article
Upgrade from YSoft SafeQ 5.
Online accounting:
Offline accounting:

Legacy Terminal Professional v3.5 is supported with following limitations.
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh

Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
options.


client mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
YSoft SafeQube 2

New: YSoft SafeQ 6 automatic upgrade and data migration wizard.
YSoft SafeQ 5 customers who are interested in upgrading to YSoft SafeQ 6 can use the SafeQ 6
installation package to automatically upgrade and for data migration. The graphic below shows
the installation wizard with the migration steps highlighted. Although the automatic upgrade can
be used to upgrade many YSoft SafeQ 5 installations, it is important to be familiar with the
limitations of the automatic upgrade. You can find technical information in the Known
Limitations section of the Release Notes and in the YSoft SafeQ 6 Administrative Guide. A special
webinar Upgrading to YSoft SafeQ 6 from version 5 has been prepared and invitations to the
webinar have been already sent - https://portal.ysoft.com/education/webinars/upgrading-to-ysoft-
safeq-6-from-version-5 .
Improved
Dropbox connectors
Customers using Dropbox connectors in scan workflows should upgrade to MU12. Dropbox has
released a new SDK (Dropbox API v4.2.6 .NET) that fixes a bug in their software. MU12 updates
our connector for Dropbox with this new SDK. Dropbox SDK improvements are described in:
https://github.com/dropbox/dropbox-sdk-dotnet/releases .
Increased data security
The security of data inside YSoft SafeQ 6 has been increased related to internal communication
between YSoft SafeQ components. This is accomplished with added support for TLSv1.1 and
TLSv1.2 protocols. These protocols can be used for communication between YSoft SafeQ and
other components:
FlexiSpoolers
FlexiSpooler and devices communicating via IPPS
Mobile Print Server and FlexiSpooler
Mobile Print Server and Microsoft Exchange Server

Security
Password of the SMTP account used for e-mail settings in the management interface can now
include special characters such as ~!@#$%^&*()_+{}|:"<>?`-=[]\;',.
The Terminal Server now stores security certificates in the Personal store instead of the
Trusted Root Certification Authorities store which was inappropriately used in the past.
The text encryption widget in the management interface has been improved. The set of
characters which can be encrypted has been extended to include %, &, + .
Terminals
YSoft SafeQ Embedded Terminal for Fuji Xerox multifunction devices: Print jobs’ accounting
based on vendor specific accounting now works correctly when direct queues have been
assigned to the device.
Installation of YSoft SafeQ Embedded Terminal for Xerox WorkCentre 4265 (EIP2.5) has been
fixed.
The logout process for Terminal Ultralight when online accounting is used has been improved.
Logout is no longer allowed until all copy and scan jobs in the multifunction device are
finished.
Reliability of the finishing options for the Xerox Embedded terminal has been improved.
It is now possible to generate a user’s PIN automatically when the property “PIN-history-
enabled” is enabled in the YSoft SafeQ 6 management interface.
Report scheduling, which is accessible from the management interface, has been fixed.
The FlexiSpooler reliability when receiving a print job while simultaneously losing connectivity
to the Spooler Controller has been improved.
Mobile Print Server couldn’t detect the Ghostscript version 9.20. It is now fixed and MPS can
now use Ghostscript versions 9.19, 9.20 or 9.21 for print job's parsing (off-line accounting,
preview, ...).
User access rights to printers based on a user role assigned to a Spooler Controller group
now works correctly. See management interface, menu Rules, Access definitions tab.
When editing a printer in the management interface, it is no longer possible to assign the
same network address to two different terminals. The network address of YSoft SafeQ
Terminal Pro 4 must be unique around one SPOC group.

System info widget in management interface now shows the right version of the operating
system even when Windows Server 2016 is used.
Scan workflows
Cooperation and stability of YSoft SafeQ Terminal Pro 4 scanning functions with the MFD's
native scanning have been improved.
In the scan connector section of the YSoft SafeQ management interface, the password for a
custom service account used in the Fail Over section can be written in plain text and works
correctly.
On Xerox devices with YSoft SafeQ Terminal Pro 4, scan workflows are based on the native
scanning features.
When a multi page document was scanned using the SMB protocol, the scan workflow wasn't
reliable. It is now fixed.
Accuracy of YSoft be3D eDee accounting has been improved: changing the filament while
YSoft be3D eDee printer is printing doesn’t reset the time counters of the job.
The user can now repeatedly open the eDee printer door after the job is finished.
When the eDee touchscreen terminal is in sleeping mode, buttons can no longer be mistakenly
activated when the terminal is awakened.
Software updates no longer resets the total printing time and nozzle time of the YSoft be3D
eDee printer.
Automatic email notifications sent by the YSoft be3D eDee printer have been fixed.
Several improvements to the YSoft be3D eDee user interface were made for a smoother user
experience:
User is now notified that no filament is present in the printer when releasing the print job
For administrators, the IP address field now defaults to a numeric keyboard input
When requesting a refund for an unsuccessful print job, the user is now guided through
the process on the screen
Charging and quotas
A user's transaction records in the payment menu now include the time of a transaction.

server.
Specific Device group structure is required in management interface when there are many
devices on Printers page. Please follow the product documentation, section Management
interface - Devices, for more information.
Automatic upgrade is possible only when using the latest YSoft SafeQ 5 Maintenance Update.
More details on the upgrade process can be found in the Administrative Guide in the article
Upgrade from YSoft SafeQ 5.
Online accounting:
Offline accounting:

Legacy Terminal Professional v3.5 is not supported.
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox

options.
(Terminal Ultralight, Terminal Pro 4).
When deploying an software update package on Terminal Pro 4, a change of IP address in

client mode.
Lexmark
Sharp
Samsung
Scan Workflows

characters.
from that page.
YSoft SafeQube 2
IMPROVED
Administrators can now explicitly deny access to scan workflows for specific user roles. This
allows simpler access control to scan workflows.

NEW
Scanning on Terminal Ultralight is now supported in YSoft SafeQ 6. YSoft SafeQ 5 customers
with legacy Terminal Ultralight who use scan features are able to upgrade to YSoft SafeQ 6
without the need to purchase new hardware terminals.
Scan workflows can now deliver documents to the HP Records Manager 8.x record management
system. The HP Records Manager 8.x scan connector can be ordered in the Y Soft Price list.
Y Soft continues to make card reader deployment easier and smoother for partners. Part of MU11
is our new Graphic user interface for card reader configuration: YSoft Card Reader tool. The card
reader tool is a desktop application that offers many features such as protocol configuration,
uploading custom configuration, update firmware or test the card reader.
Security
The security of user data inside the YSoft SafeQ 6 system has been increased. We have
enhanced security of communication between the MFD’s Embedded Terminal and YSoft SafeQ
Terminal Server in order to make "snooping“ of user print jobs more difficult.
Co-existence of Terminal Ultralight scanning functions with the MFD's native scanning can result
in ambiguous user assignment of the final scan files. A potential risk has been minimized by
performing a detailed check of the scan folder when a user is logging in on the Terminal Ultralight.
When using YSoft SafeQ Terminal Pro 4 for scans on an MFD, a potential risk about ambiguous
user assignment has been minimized by performing a detailed check of the temporary SMB scan
folder.
Mobile print & mobile terminal
More YSoft SafeQ AP Connectors can be connected to one Spooler Controller without any errors
now.
A YSoft SafeQ AP Connector installed in the Windows environment with Japanese localization
starts and works properly now.
It was possible to generate QR codes used in YSoft SafeQ Mobile Terminal (mobile app) for
Terminal Ultralight and YSoft SafeQ Terminal Pro 4 even though these two hardware terminals are
not supported by the mobile app. This has been fixed so that QR codes for these two hardware
terminals can no longer be generated.

Terminals
Previous security improvements of the YSoft SafeQ Terminal Pro 4 were having a bad influence
on the correct fail-over behavior. This has been resolved with MU11.
While scanning on Fuji-Xerox devices the scan variable %billingCode% returns the "Billing code“
now (previously it returned the "Billing code Id“).
Behavior of Embedded Terminals on Konica Minolta devices has been improved when the YSoft
Payment System is used and outage of the MFD occurs due to missing consumables exceeding a
time limit. Now, the system doesn't create duplicated reservations in the YPS.
For Konica Minolta, Develop and Olivetti Embedded Terminals, the quotas in place no longer have
delays in the printing of jobs that have a large page count caused by reservations.
On Lexmark Embedded Terminals, the system of messages was improved by pictograms replacing
long texts.
On Xerox VersaLink devices with embedded terminal, accounting has been fixed so it now
considers the price of paper in addition to other components.
On Xerox devices with embedded terminal, restricted access to applications work properly now.
Administrators no longer need to make manual corrections in the MFD setup.
Emergency off-line printing is available again for Konica Minolta multifunctional devices with
Embedded Terminal and Print without authentication is enabled on the devices.
Uninstallation of the Embedded Terminal on Konica Minolta devices from the Management
interface now gives administrators a warning and refuses to uninstall when a user is currently
logged in at an MFD.
Web reporting in the YSoft SafeQ management interface is now accessible from any node of the
clustered implementation.
Editing of scan connectors in the Management interface has been improved. Inputs are validated
better and errors are not returned.
Restriction of the scan files defined in the Management interface for the scan workflows didn’t
take into account the file size unit and calculated the limit in Bytes in any case. It was fixed and
restrictions accept a selected unit as well.
When a system property "assign-new-card-single" is enabled, the card self-registration now

deletes the user's previous card and only stores the new card in the YSoft SafeQ database.
When the database server used by Management Server is recovered after an outage, the Spooler
Controllers now automatically change their status from off-line-to on-line mode without requiring a
restart of services.
When updating the Spooler Controller, it now properly merges manual settings present in the
"spoc conf" with the new configuration file.

Scan workflows
Scan workflows that utilize the Dropbox connector now correctly map a user's identity using their
email address when impersonation is enabled.
Other
A3 BW jobs were mistakenly considered as color ones resulting in users without color access
unable to print. It was fixed and users without rights for color printing can print the A3 BW jobs
now.
In a clustered environment with more Spooler Controllers, a job could be automatically deleted
from the secure queue even if its print had failed under some circumstances. This is now fixed.
3.2.39.3 Outlook
Ability to migrate data from the latest YSoft SafeQ 5 Maintenance Update to YSoft SafeQ 6 from
within the installation package.
Under very specific circumstances, Print Roaming (secure or pull print) would cause print jobs not
to be printed out. This limitation will be removed in an upcoming Maintenance Update of YSoft
SafeQ 6.
Automated data and configuration upgrade from YSoft SafeQ 5isnot supported. For any ad-
hoc requests, please contact your Y Soft representative.
server.
After updating FlexiSpooler in client mode, Offline Print capability needs to build new list of last
used printers.
PostgreSQL database server uses GMT time zone by default. If YSoft SafeQ Management
Specific Device group structure is required in Management interface when there are many
devices on Printers page. Please follow the product documentation, section Management
interface - Devices, for more information.

Online accounting:
Online accounting with Mobile terminal is not supported.
Offline accounting:
Estimated price of a print job does not change after modification of Finishing options.
Scan Workflows are available on the following vendors. Please refer to the product
documentation for more details.
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
Basic finishing options (Simplex/Duplex, BW/Color and Number of copies) are available on the
following vendors. See product documentation for details.
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh

Sharp
Toshiba
Xerox
Advanced finishing options (Stapling, Punching, Folding) are available on the following vendors.
See product documentation for details.
Konica Minolta
Ricoh
Sharp
Xerox
options.
Not all of the Finishing options are supported on every device, for detailed information please
YSoft Mobile Terminal does not support pay-for-print capability.
Mobile Terminal is currently not supported to use with Hardware terminals (Terminal Ultralight,
Terminal Professional 4).
Advanced finishing options are supported only when the YSoft Mobile Terminal is used on the
When deploying an software update package on Terminal Pro 4, change of IP address in

Terminal Pro 4 settings is required prior to start the software update package deployment.
The IP address of Management server is required. The change can be made via SSH client and
YSoft SafeQ Desktop Interface with FlexiSpooler for MacOS is not supported.
Desktop Interface notifications from Rule Based Engine work only with FlexiSpooler in client
mode.
Estimated price for the job is not displayed in the YSoft SafeQ Desktop Interface.
Offline print is not supported the following Embedded Terminals:
Lexmark

Sharp
Samsung
Scan Workflows
Output format Compact PDF is not working properly in combination with any processing step.
Scanned file is split in multiple pages.
containing FlexiSpooler used by Mobile Print Server in order to avoid job name with corrupted
characters.
from that page.
SafeQube 2
YSoft be3D eDee
Due to a fix of wrongly calculated "Nozzle printing time", "Total printing time" and "Device
uptime", your counters might be reset.
When updating eDee, it has to be in idle state (not printing, not waiting for user to pick up a
model and not in service menu), otherwise the device might get unstable until next reboot.

IMPROVED
With the YSoft SafeQ 6 MU10, there is an additional option for implementing authentication of
print jobs in a multi-domain environment. YSoft SafeQ 6 functionalities have been extended in
such a way that authentication in multiple domains can be applied when users print from
workstations through print queues (Windows v3 print drivers) shared by a Windows server. No
YSoft SafeQ client is needed on the workstations, just the YSoft SafeQ Enterprise Client 2.x must
be installed on the Windows print server. This implementation covers a Citrix-based environment
as well. A limited set of SafeQ Enterprise Client 2x functionality is supported: domain user
authentication, job compression, failover and load balancing.
YSoft SafeQ administrators can now customize scan workflows to allow or disallow users to
choose a scan file format type. This capability was available in YSoft SafeQ 5 and is now enabled
in YSoft SafeQ 6 as well.
NEW
User’s and administrator’s productivity and convenience have been increased. Separate login for
Windows and YSoft SafeQ Web applications (YSoft SafeQ management interface, YSoft Payment
Systems, YSoft end user UI) is no longer necessary.
Security of user information when working with printing devices equipped with YSoft SafeQ
Terminal Pro 4 has been increased. Upon user logout or session timeout, the Terminal checks the
ongoing processes in the device and allows user logout only after all jobs have been processed.
Terminals
The currency symbol in Embedded Terminals no longer displays when YSoft Payment System is
not installed and the currency isn’t required to be displayed.
Embedded Terminals for Lexmark not initialized properly after a device reboot would not charge
users for jobs. The Lexmark Embedded Terminal has been fixed to always properly initialize after a
device reboot.

For some Embedded Terminals, the last used Billing Code was pre-selected instead of the default
Billing Code. This has been fixed so that the default Billing Code is always pre-selected. If no
default Billing Code exists, no pre-selection is made.
In Xerox Embedded Terminal, credit information wasn’t updated when made a copy without a
browser refresh. Now the job is accounted for within the user session.
Mobile Print
Chinese characters now print properly when the Mobile Print Server is used for printing.
FlexiSpooler newly validates the jobStorePath system setting and we can change the print job
location as we need.
The "Add scan workflow" page now works correctly in Internet Explorer 10 with no JavaScript
error.
Scan workflows
After an upgrade from a previous MU when the terminal type was changed and the device was
reinstalled, scanning stopped working (MFD was unable to deliver documents) unless Terminal
Server was restarted. This is now fixed.
On Konica Minolta devices, a workflow with PDF file format and barcode separation enabled, it
changed A6 page proportions to A4 and stretched the image.
3.2.40.3 Outlook
New: Terminal Ultralight will support YSoft SafeQ 6 scan workflows. YSoft SafeQ 5 customers
with legacy Terminal with scan features will be able to upgrade to YSoft SafeQ 6.
New: Terminal Professional v3.5 will be compatible with YSoft SafeQ 6. YSoft SafeQ 5 customers
with legacy Terminal will be able to upgrade to YSoft SafeQ 6.
Improved: Administrators will be able to setup access rights to scan workflows for selected user
roles. This will allow simple control of access to scan workflows.
Automated data and configuration upgrade from YSoft SafeQ 5 is not supported. For any ad-

server.
used printers.
Online accounting:
Offline accounting:
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
FujiXerox

Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
options.
Terminal Professional 4).


mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
SafeQube 2
eDee
POC-1/2 devices will not work properly with MU10 (doors won't open) without HW intervention
GA HW revision will work only with SQMU10

New Features and Benefits
Improved: Larger deployments of YSoft SafeQ 6 can offload scan job processing to a central
dedicated location. Offloading scan job processing can eliminate the impact of scanning on branch
servers.
Offloading scan job processing to a central location eliminates impact of resource-intensive scan
processing operations, such as OCR, on branch servers. This may allow for the use of less
powerful branch servers or reducing the number of branch servers. It is now also possible to
create a central farm of servers hosting the Workflow Processing Service. This is suitable when a
powerful datacenter for scan processing is available in the company.
New: A new documentation section covers backup and recover scenarios.
New: A new documentation section covers failover and load balancing options for embedded
terminals.
Note that all product documentation is available in the Partner Portal in PDF format.
Info: Since MU7 we have been robotically measuring the time characteristics of YSoft SafeQ
embedded and external terminals. Quick response of the authentication process is important for
the ease-of-use for users. In the graph below you can see the measured lengths of the
authentication process within the latest versions of YSoft SafeQ 6.
Measurements are made using a robotic system that interacts with MFDs and YSoft SafeQ
embedded and external terminals much like a person would. The device screen is observed by a
camera and video processing technology. The measurement starts by the robot tapping the login
button and ends by detecting the screen after authentication. This measurement is repeated in
hundreds of cycles for each device to guarantee the statistical significance of the results.
Terminals

There were some problems when reinstalling Embedded Terminal on a Fuji Xerox – APEOS
MFD. A new property containing a longer delay for the MFD’s reboot was created which
has fixed it. Refer to the “fujiXeroxFinishRebootDelay” property in the YSoft SafeQ
When a YSoft SafeQ authenticated user printing with the YSoft SafeQ client application
wasn’t the same as a Microsoft Windows logged-in user, billing codes assigned to the
Windows user had been erroneously loaded and offered to the YSoft SafeQ authenticated
user.
Administrators can configure the YSoft SafeQ terminals' behavior such that even non
compatible print jobs are visible. For example, a color job is visible at a BW MFD YSoft
SafeQ terminal. However, there was an error when a user tried to force BW printing of
these special jobs. With MU9, BW printing in this situation is possible.
"Card and PIN" authentication methods did not work on Terminal Ultralight together with
Online Accounting.
When a card reader was set to continuous mode with YSoft SafeQ Terminal Pro 4, a user
could still log in to the Terminal when swiping a card.
On Samsung devices, when a user had a default billing code assigned, the screen
remained stuck on billing code selection upon login.
In some situations, a number of open connections to the PostgreSQL database exceeded a

limit and caused YSoft SafeQ to work improperly. For more information about the newly
implemented configuration search for "Tomcat JDBC connection pool configuration" in the
How To Guide.
If you set the YSoft SafeQ 6 management interface to French or Dutch, a JavaScript error
was displayed.
It was not possible to change the job owner with YSoft SafeQ 6 installed on a MSSQL
database.
Updates from YSoft SafeQ 6 MU6 to a higher version would sometimes fail with YSoft
SafeQ 6 installed on a PostgreSQL database.
If YSoft SafeQ 6 was installed on an external MSSQL database, the IMS service did not
start after installation.
YSoft SafeQ installers can now detect the actual configuration of the YSoft SafeQ server
which is being updated. For example, if you have originally installed a server with the YSoft
SafeQ 6 Server installer and you are trying to update it with the SafeQ 6 Standalone
Management installer, you get a warning (you should upgrade other services too).
Device editing in the YSoft SafeQ management interface with Internet Explorer 10 wasn’t
fully functional.
Scan workflows

Billing code scan metadata was invalid when scanning on Xerox devices.
Switching from "Scan" screen to "Copy" screen on YSoft SafeQ Terminal Pro 4 caused user
logout.
Mobile Print
Documents printed on some printers using YSoft SafeQ Mobile print can contain incorrect
diacritic symbols. A new conversion option was added and administrators can solve this by
turning on a new parameter in the conversion.config (<add key="ensurePdfA" value="true"
/>).
End user web interface
Memory leaks in the YSoft SafeQ 6 End User Interface were removed.
The end user web interface shows number of copies at every job now.
Finishing Options
The copy count finishing option did not work when duplex was set on the Konica Minolta
printer driver and copy count finishing option was set on the device by a user.
The copy count finishing option did not work when copy count finishing option was set on
the Sharp printer driver.
Payment Systems
Administrators faced an error in the YSoft Payment System administration when trying to
open detail of the payment gateway with pending deposits.
Other
We improved the reliability of the job transfer between the YSoft SafeQ client and server
(Flexi spoolers) when the data connection has low quality. Flexi spooler logic ensures that
the job is transferred even if the connection is interrupted.
Xerox models have new print drivers. Some problems appeared when applying rules
(multiple copy) in environments with CBPR.
server.

used printers.
Online accounting:
Offline accounting:
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
FujiXerox
Konica Minolta
Lexmark
OKI

Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
options.

mode.
Lexmark
Sharp

Samsung
Scan Workflows
Concurrent upload of big files is not working reliably for some cloud connectors (SharePoint
Online, Onedrive for Business, Dropbox).
characters.
from that page.
SafeQube 2
Improved: Terminal Pro 4 now supports application failover configuration. It increases the
reliability of the entire solution in YSoft SafeQ 6 multi-server deployments.

Reliability of the entire YSoft SafeQ 6 solution with Terminal Pro 4 can be improved in a multi-
server topology, which is commonly used by large enterprises. Terminal Pro 4 is able to connect
automatically to another YSoft SafeQ 6 Site Server for further communication at the application
level without needing any extra network appliance (i.e. software or hardware load balancer). A
YSoft SafeQ administrator just selects a preferred scenario of the fail-over behavior centrally in
the SafeQ 6 Management Server.
Improved: The value of YSoft SafeQ 6 Site Servers has increased:
The recovery process of standalone Site Server is supported with minimal impact on user’s
data (cache can be rebuilt from the Management Server after restart).
Two-node Site Server clusters are fully functional including terminal failover support.
Recovery from the failure of one member of a Site Server cluster is easier. It is enough to fix
and start the server.
Improved: YSoft Wireless Print has been adjusted to meet the latest Apple AirPrint protocol
(version 1.7).
YSoft Wireless Print (part of the YSoft SafeQ Mobile Print module) is now adjusted to work with
the latest version of the most recently released Apple AirPrint 1.7 protocol.
New: User balances of real and virtual (bonus) credit balances are now displayed on the
embedded terminal screen. Embedded terminal users had no way to distinguish whether they are
using real or virtual (bonus) credit to print or scan using YSoft SafeQ 6. With YSoft SafeQ 6 MU8,
real and virtual credit balance can be displayed separately on the embedded terminal user
interface, so users are aware whether they are using real money or virtual credit.
Improved: Do your visitors need to print? YSoft SafeQ 6 can be customized to automatically
email a PIN to a guest allowing use of the MFD for printing. See the Customization Catalog on the
Y Soft Partner Portal and contact Y Soft Regional Sales Manager for additional information.

New: A new, important section of documentation has been created. The new section focuses on
updating from older MU to the latest MU of YSoft SafeQ 6 and its components such as YSoft
be3D eDee, YSoft SafeQube, embedded terminals, and Terminal Pro 4. All necessary information is
available now in public documentation which can be downloaded from Partner Portal in PDF.
Improved: The size of YSoft SafeQ 6 installation packages was reduced to simplify distribution of
YSoft SafeQ 6 installers. Installation packages are offered with the option of including the
Advanced Workflows module or without the Advanced Workflows module:
YSoft-SafeQ-6-MUxx-Server-installer.zip for installation without Advanced workflow module

(size 1.4 GB)
YSoft-SafeQ-6-MUxx-Server-installer-with-Advanced-workflows.zip with Advanced workflows

module (size 2.0 GB)
YSoft-SafeQ-6-MUxx-Client-installer.exe
YSoft-SafeQ-6-MUxx-Complete-pack-[date_of_public_release].
Administrators have rarely encountered a situation where installation of SafeQ 6 failed with
the error code: “Installation of Visual C++ Redistributable finished with: 23”. We examined the
situation in detail and if that happens, consult please WPS installer documentation in the
YSoft SafeQ 6 Administrative Guide.
Administrators can easily discover bad behavior of another solution which prints to YSoft
SafeQ. When a job is sent to SafeQ without a username in the LPR header, SafeQ 6 accepts it
and shows it in the Job list without a user assigned.
Secure communication of SafeQ Mobile Terminal on the Android platform was improved to the
newest version of TLS.
It could happen, that an Embedded Terminal failed to install when it had been uninstalled
before at the same device. This behavior is fixed with the MU8.
Spooler Controller no longer stops responding when 120-150 FlexiSpooler clients try to
connect to it.
YSoft SafeQ Mobile Terminal for Android no longer crashes when a user deletes a job and then
clicks on job "info" button on the last job.
When administrators change the field “Number” at a Cost center in the management interface,
the new value is propagated to all Site Servers immediately after click on the “Update data on
Spooler Controllers” menu. It did not happen in previous versions.
LDAP integration was improved for better accommodation of multi-tenant environment. Some
settings have been promoted from common to tenant-specific and administrator can easily
troubleshoot the synchronization with MU8.

When editing a device in the management interface, points in passwords’ fields tell the
administrator, that a password has been saved already.
server.
used printers.
Online accounting:
Offline accounting:
FujiXerox

OKI
Ricoh
Sharp
Toshiba
Xerox
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
options.

mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
SafeQube 2
Terminal server will not start on SafeQube 2 when the WebDav Document Store is not
configured. Make sure to manually create 'Ftp' and 'WebDav' folder in WebDAV root.

New: Need to use Terminal Ultralight and YSoft SafeQ 6 together? Not a problem. Terminal
Ultralight, used typically for printing and copying is now compatible with the YSoft SafeQ 6.
Existing YSoft SafeQ 5 customers can upgrade to YSoft SafeQ 6 and still use the Ultralight
Terminal for copying and printing. However, scanning features for Ultralight Terminal are not
completed and not supported yet.
New: Quick Scan Workflows are newly available for Terminal Pro 4
For those familiar with Terminal Professional v3.5 (the legacy predecessor of Terminal Pro 4), this
isn't anything new. Thanks to the smart architecture of scan workflows, you can run Quick Scan
Workflows on Terminal Pro 4 with devices that support native scanning into a network folder
(SMB or FTP). Quick Scan Workflows are perfectly suited when no user input is required.
New: OKI sXP2 terminal has been moved out of Early Access Program and is part of a
standard license
Formerly under an Early Access Program license, the newer sXP2 terminal for OKI MFDs is now
available for general use.
Improved: Terminal Pro 4 operability is even faster now
Terminal Pro 4 is a flagship of the new YSoft SafeQ 6 platform and is being carefully improved
based on operational experience. MU7 brings visible acceleration of the operability in case that it
works in conjunction with the on-line accounting.
Improved: Travellers with FlexiSpooler in client mode can print better and faster at any
location
When users are travelling, if their workstation has the YSoft SafeQ client app installed, the
workstations client app can recognize the nearest SafeQ server and use it for printing. This brings
a much higher efficiency to the print process: jobs do not have to travel long distances which

typically are costlier and take longer to process. With this MU7 update, the workstation app can
read new IP addresses of the site server in a better way using the less known DHCP option 9
(which must be configured in the network infrastructure).
Improved: Length of the Cost Centre identification field for LDAP replication is doubled
Based on our customer experience, we decided to enhance the length of Cost Centre ID number
for LDAP replication purposes. The old limit (9 digits) was doubled to 18 digits.
Improved: Security of YSoft SafeQ installation files has increased, the SHA256 certificates
are used now.
To improve the security of YSoft SafeQ and to be in line with security standards, we have started
to use the SHA256 certificate for the YSoft SafeQ installation files instead of the previously used
SHA1 certificate.
Improved: More convenient printing for Mac users
AP Connector enables much easier printing for users running OS X or iOS devices. AP Connector,
when configured from the MU7 release, now works even better - after users log in for the first
time, they can store their credentials and do not need to enter them again unless they log out.
Fixes in MU7
Administrators are already using the autocomplete features when working with the YSoft
SafeQ management interface. Time is precious and the items can be filtered quickly as you
type. This was not the case for older Internet Explorer 10, and that has been fixed.
Administrators who need to install applications to a different drive than C: can now use D:, E:
or any other drive. Wherever you would like to keep SafeQ, you won't experience an issue with
LDAP replicator logging.
Users can configure finishing with vendor print driver as they are used to. The print jobs were
sometimes mistakenly stripping out the finishing configuration (i.e. stapling), which is no longer
the case.
Print jobs originating from less traditional systems or with less common configuration may
have not passed correctly through internal parser. YSoft SafeQ fully respects this and enables
their printing.
Users could use Terminal Pro 4 and the MFD even if their quota was zero. Fix has been put in
place to make the quotas work properly.
Product security has been improved. When installing YSoft SafeQ on an MFD, you may need
to specify a password. These passwords are now stored in the database using a much better
encrypted form.
Terminal Pro 4, Unexpected outages were occurring a short time after midnight. This has
been fixed and no longer occurs.
Users can now clearly recognize their favorite jobs on Terminal Pro 4 even when the
configuration shows all jobs in one folder (when Favorite tab is not displayed).

Administrators updating to YSoft SafeQ 6 will no longer face an issue caused by misbehaving
installation of an ABBYY component.
As part of our effort to simplify YSoft SafeQ 6 upgrades, the process for migrating ORS to
Site Server has been improved to create correct groups of Spooler Controllers.
PDF compression did not work properly when running scan workflows with Xerox and
FujiXerox MFDs.
Combining two automatic workflow processing features: Document separation and Remove
blank pages no longer confuses the product (no errors) and yields no blank pages and
documents are split as expected.
Accessing Billing Codes on Xerox MFDs from scan workflows led the user to the last page of
billing codes which was not expected and users are no longer confused.
Fixed alignment of embedded terminal authentication screen pieces for Samsung and Sharp
MFDs.
Updating to newer maintenance update and restarting Spooler Controller services no longer
causes print jobs to appear "deleted".
A Performance fix has been made to avoid bad behavior of Spooler Controller when working
with Job Previews.
SafeQ with embedded PostgreSQL database has many benefits. Apart from the simple
installation, you also do not have to remember complex passwords. Embedded PG SQL
supports a limited set of characters for database passwords and we make sure that you
cannot enter a password that will not work during the installation (remember, you can choose
from a combination of "a..z", "A..Z", "0-9" and a few special characters "!?{}()^,./[]|~+*". If you like
your password with other special characters, we recommend using an external database,
which brings even additional security for your data.
Together with the previous point, we also fixed an issue when installing external PosgreSQL
database server, so you can enjoy its benefits even more.
Web Reports have not been correctly reporting the Device location and Device equipment
number. Now you can just generate a list of locations and device equipment numbers (when
you do not need the device name).

server.
YSoft Universal Print Driver supports
Windows 8.1 or newer
Windows Server 2012 or newer
Windows 2008 R2, Windows 7 and Windows Vista, generic (HP) driver can be used instead
used printers.
Online accounting:
FujiXerox
OKI
Ricoh
Sharp
Toshiba
Xerox
It is not possible to enable showing user's personal and virtual credit separately.

FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
options.

Terminal Pro 4 does not support Payment System and Offline Accounting.

mode.
Lexmark
Sharp
Samsung
Scan Workflows
characters.
from that page.
SafeQube 2
Terminal server will not start on SafeQube 2 when the WebDav Document Store is not
configured. Make sure to manually create 'Ftp' and 'WebDav' folder in WebDAV root.

3.2.44.1 Release Notes
Improvements and fixes
Terminals:
Fixed issue that caused wrong username to be displayed on the embedded terminals.
YSoft SafeQ Embedded Terminal for FujiXerox: Long texts on the authentication screen (i.e. in
Japanese) are now automatically wrapped in order to be displayed correctly.
YSoft SafeQ Embedded Terminal for Konica Minolta: In the native interface, it is possible to
hide the users account balance. A new configuration property "kmShowBalance" has been
introduced for this.
YSoft SafeQ Embedded Terminal for Sharp: Print all function works correctly with card
authentication.
Print:
Regression: Domain user authentication for MSSQL
Improved:
YSoft SafeQ FlexiSpooler has lower resource consumption when user has no activity.
Secured communication between CML
Rule Based Print fixes:
3D jobs may be used in environment with Rule Besed Engine. Rule Based Engine rules for
2D jobs do not interfere with 3D jobs.
The rule "Reject print job" is working correctly.
Workflows
Scanning workflows variables can now be used as default value of workflows user inputs
Fixed issues with scanning workflows email notifications
Improved workflow access management in Management interface
Limitations listed as "currently not supported" are planned for the upcoming releases.

General
YSoft SafeQ Backup Tool is currently not available.
Terminal Ultralight and Terminal Professional v3 are currently not supported.
Automatic upgrade from previous YSoft SafeQ 5 is currently not supported.
FlexiSpooler in the server mode has to be installed on the same server as Spooler Controller.
After cache recovery, all jobs accepted by the recovered Spooler Controller are currently
marked as deleted.
On Windows 2008 R2, Windows 7 and Windows Vista the HP driver is installed instead of
YSoft Print Driver.
Information about last used printer for offline print is lost after FSP is updated. New version
creates new file with different format, that is used after first print job send.
Online accounting limitations:
Online accounting with Mobile terminal is not supported yet. Online accounting is available
Local print monitoring is currently not supported.
The estimated price for the job is not changed once Finishing options are modified.
Embedded Terminals
Usernames containing a space are not supported when using scan workflows.
The Scanning Workflows are available on the following vendors:
FujiXerox
Konica Minolta
Ricoh

Sharp
Xerox
OKI
Toshiba
Workflow user parameters are currently not validated.
following vendors:
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Advanced finishing options (Stapling, Punching, Folding) are available on the following vendors
(see documentation for details):
Konica Minolta
Ricoh
Sharp
Xerox
Proper functionality of Advanced Finishing Options is guaranteed only with YSoft Universal
Print Driver.
Advanced finishing options are not supported for jobs sent via Mobile Print Server or AP
Connector.
YSoft Mobile Terminal
Payment System is not supported in combination with YSoft Mobile terminal.

YSoft SafeQ Desktop Interface with FlexiSpooler for MacOS is currently not available.
Desktop Interface notifications from Rule Based Engine work only with FlexiSpoolers in Client
Spooling mode .
Lexmark
Sharp
Samsung
On Windows 2008 R2, Windows 7 and Windows Vista - only HP driver instead of YSoft Print
Driver.
Scan Workflows
Compact PDF does not produce compressed PDF files on Sharp / Sagem / FujiXerox ETs.
Combination of Scan separation and Remove blank pages processing steps fails in some
cases.
List of scan workflows may appear empty on the "Scan" screen of YSoft SafeQ terminals
under very rare circumstances.
In case this issue occurs:
Stop all SPOCs
Clean cache of all SPOCs
Start all SPOCs
Character encoding of incoming mails must match to the encoding set on the server
containing FlexiSpooler used by MPS. Otherwise job name has corrupted characters.
PDF preview is not generated from page specified with page range for jobs sent via AirPrint.

SafeQube 2
Only Lexmark, Konica Minolta, Xerox, Sharp, FujiXerox and Ricoh Embedded Terminals are
supported on SafeQube 2.
Terminal server won't start on SafeQube 2 with empty WebDav Document Store. It is required
to manually create 'Ftp' and 'WebDav' folder in WebDAV root.
Near and Far roaming are not supported on SafeQube 2
Offline Print mode is not supported on SafeQube 2
Only TLS 1.0 and SSL 3 are supported on SafeQube 2. MFPs with TLS 1.1 or TLS 1.2 only won't
work via secured channel, but some of them can be configured to use HTTP
Administrator can not change SSL certificate on SafeQube 2
All ports must be configured above 1024
Terminal Pro 4
When deploying an software update package on Teminal Pro 4, change of IP address in

Terminals
YSoft SafeQ Embedded Terminal for Windows Mobile has been released:
Mobile Terminal supports functions provided by the YSoft SafeQ print management
system.
Users can identify the printer by scanning the QR code, authenticate and then manage
their YSoft SafeQ prints directly in their device.
YSoft SafeQ Embedded Terminal for Windows Mobile is available in Microsoft Store.
YSoft SafeQ Terminal Pro 4:

Terminal speed has been improved, this is especially noticeable during authentication.
Basic finishing options are correctly applied.
Logout messages are correctly localized.
Card reader protocol is correctly displayed.
Fixed issue that caused the second and every other job to stays in Waiting folder in case
the user logged in with Print All enabled
YSoft SafeQ Embedded Terminal for Samsung: Several issues related to quota handling has
been fixed.
Print
Print jobs can be automatically deleted on SPOC and FSP in defined time period.
New config property "maxSpoolerJobTimeCheckInterval" created (180 minutes is the

default value) and used instead of the "check-spooler-size-interval" property used in YSoft
SafeQ 5.
MaxSpoolerJobTime, maxSpoolerJobTimePrinted config properties are also working, both

are by default set to 7 days.
Finishing options are working correctly also for print roaming.
The preview rendering of the PDF jobs containing Cyrillic text has been fixed.
When printing from UPD, job was not printed correctly on FX XCP printer when XCPT tag was
checked.
Automatic creation of users based on template (" templateUserLogin" configuration property)

is correctly working both for secure and direct print.
YSoft SafeQ FlexiSpooler
Fixed issue that prevented large print job (800 MB) not to be accepted by the FSP.
All log files are saved only in default install location e.g "c:\SafeQ6\FSP\logs\".
YSoft SafeQ Fixed issue that caused transfer window has been sometime shown to user,
even if the user was not printing.
Management Interface
It is possible to select direct queue in Rule Based Engine wizard in the Job conditions and
Actions.
It is possible to search for user when assigning new card via Management Interface.
Billing codes from Cost Center are correctly listed both in default BC selection and on the
Embedded Terminals.
There was missing possibility for PIN conversion in LDAP Replicator.

Properties "Attribute containing PIN code", "PIN code conversion" were added. Please note
that the compatibility between property "conversionPIN" (currently in cloud system
settings) and the defined PIN conversion has to be maintained.
Workflows
Scanning workflows support added to YSoft SafeQ Embedded Terminals for OKI and OKI sXP2.
Scanning workflows support added to YSoft SafeQ Embedded Terminal for Toshiba.
Scanning workflows delivery success rate increased by addition of automatic invalid

characters replacement in filenames and directories.
Support for semicolon delimited CSV files added for list type of user input sourced from CSV.
General
FlexiSpooler in the server mode has to be installed on the same server as Spooler Controller.
marked as deleted.
YSoft Print Driver.

Online accounting with Embedded terminal is not supported.
Embedded Terminals
FujiXerox
Konica Minolta
Ricoh
Sharp
Xerox
OKI
Toshiba
following vendors:
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh

Sharp
Xerox
Print Driver.
Connector.
Spooling mode .
Lexmark
Sharp
Samsung
Driver.
Scan Workflows
Workflow that sets PDF/A compliance sometimes does not produce PDF/A compliant
document.

cases.
List of scan workflows may appear empty on the "Scan" screen of YSoft SafeQ terminals
under very rare circumstances.
In case this issue occurs:
Stop all SPOCs
Clean cache of all SPOCs
Start all SPOCs
SafeQube 2
Terminal Pro 4

Online accounting
Online accounting support has been added. Online accounting monitors every print routed
from a workstation to a networked printer via YSoft SafeQ in real-time, after printing is
complete. Online accounting currently works only for secure print, copies and scans. List of
printers compatible with online accounting is available on the Partner Portal in the Hardware
Compatibility List (HCL).
Terminals
Terminal Pro 4:
Card number is now correctly displayed when testing card reader is tested in the service
menu.
Performance of of HTML rendering has been increased.
YSoft SafeQ Embedded Terminal for Konica Minolta:
Only supported color settings are now displayed in the scan settings.
Billing code handling has been improved. YSoft SafeQ now utilizes Track ID for precise
accounting of billing codes for copy and scan jobs.
YSoft SafeQ Embedded Terminal for Ricoh: Direct print in Near Roaming Group has been
improved. When job was stored on SPOC 1 and terminal installed on SPOC 2, terminal asked
SPOC 2 to get the jobs, instead of the SPOC 1. Now the terminal checks which S{PC sent the
original request to print a direct job.
YSoft SafeQ Embedded Terminal for Xerox:
Credit information is now periodically refreshed, so the user has always accurate
information about their balance. This feature is supported on Xerox devices with EIP 2.0
and higher.

It is now possible to install Payment System also on the older Xerox devices (with EIP 1.x).
With Payment System enabled, only the users with positive credit balance and quotas are
able to authenticate on the terminal. The solution is usable only with charging on Xerox
with EIP 1.x with enabled Debt feature in YSoft Payment System.
Management Interface
Counter reports were added to the Management Interface. Counter reports are used by
admins to verify that YSoft SafeQ accounting works correctly in comparison to device
counters.
First and last readout report - This is the default type of a report. It lists counters value at
the start of displayed report period, it's ending values and difference.
Daily readout report - The report shows one record per each day for each monitored
device. Report is sorted by device name and then by readout date. You can easily observe
how counters values changed for each device day by day.
Device history - The device history contains all the records of device counter readouts
stored in main database. The data displayed by two previously described reports comes
from statistics warehouse database.
It is also possible to schedule e-mail reports.
There is a new log file created in SafeQ logs folder - management-service-audit.log. This log file
audits the operations on Mangement interface. The audit log captures the following
information:
Change of configuration
License activation
Security (i.e. user authentication)
Tenant management (i.e. cloud admin)
All Dashboard save actions from all widgets (change widgets, save company configuration,
change default billing code ...)
Reports (saving reports, emails, recalculate statistics)
Jobs (assign, delete ...)
All CUD actions in all new slices:
Device
Price list
User (+ replication)
Scan workflows/connectors
Cost centers

Roles
Billing codes
Access rights
Audit messages are in format according to Syslog specification (RFC5424).
The configuration options "showJobTitle" and "show-job-user" that allows to hide job summary
/name/title from the administrator are now also applied in the Web reports and Management
reports.
Administrator can search for roles on Assign workflows access to roles page and in case
there is big amount of roles, they are not displayed on one page. Pagination has been added.
The UI has been changed in a way to emphasize that Administrator hasn't assigned any roles
yet (this was a frequent case based on user feedback).
Fixed defect that prevented to assign an unknown card to existing user in the Terminal
Access page.
Downloaded Management Report is now correctly formatted.
Administrator can use white spaces in label column or value column when defining list type
user input with CSV file data source in managed workflow definition.
Workflows
OneDrive for Business (Office 365) connector has been added to Core Workflows.
Administrator can create OneDrive for Business connector and create a workflow using this
connector as a destination.
Microsoft SharePoint Online (Office 365) connector has been added to Core Workflows.
Administrator can create SharePoint Online connector and create a workflow using this
connector as a destination
Microsoft SharePoint 2016 connector has been added to Core Workflows. Administrator can
create SharePoint 2016 connector and create a workflow using this connector as a
destination. MFD user is able to use this workflow.
User access management has been improved. Administrator can search for roles on Assign
workflows access to roles page. Also, pagination has been added so in case there is big
amount of roles, they are not displayed on one page.
Microsoft Exchange connector is now correctly working with Exchange 2010.
Flexi Spooler
Basic finishing options are now supported also for PostScript jobs. This includes:
Duplex/Simplex
Color/BW

Number of copies
Offline mode is now working after Flexi Spooler service is restarted (no connection to SpoC
was established, spooler was not fully started). Jobs are queued and released after the
connection to SPOC is reestablished.
Before switching to another Spooler Controler in Near Roaming, the connection is switched to
another Spooler Controler from the same Near Roaming meanwhile jobs are being processed
and jobs are not lost.
General
FleixSpooler in the server mode has to be installed on the same server as Spooler Controller.
marked as deleted.
YSoft Print Driver.
Online accounting with Embedded terminal is not supported.

Embedded Terminals
FujiXerox
Konica Minolta
Ricoh
Sharp
Xerox
following vendors:
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox

Print Driver.
Connector.
Print jobs cannot be released on Ricoh device with accounting enabled. To disable it, navigate
to printer's System Settings -> Administrator tools -> Enhanced External Charge Unit
Management and turn off Color and Black and White under "Printer" section.
Spooling mode .
Lexmark
Sharp
Samsung
Driver.
Scan Workflows
document.

Online, Onedrive for Business, Dropbox)
cases
AP connector update is not possible due to brand new installer. Update is possible only by
uninstalling old version of AP connector and installing new 6.0.2.
SafeQube 2
IMS proxy is not running on SafeQube2. This means that TP4 and eDee cannot be updated
when connected to SafeQube 2.
Terminal Pro 4
IMS proxy is not running on SafeQube 2, therefore Terminal Pro 4 and eDee cannot be updated
when connected to SafeQube 2


YSoft SafeQ Mobile Terminal
YSoft SafeQ Mobile Terminal for Windows 10 is now available for testing. The supported
functionality includes:
Printer identification via QR code or NFC tag.
User authentication via username and password.
Support for secured print and job management.
Billing code selection.
Option to modify basic finishing options.
Management Server
It is possible to hide job summary/name/title from administrator web interface.
Feature preview: The first version of the new Enterprise Reporting is now available.
Management service works now supports DB fail through witness server (MSSQL).
Management interface improvements:
Card Activation Code properties are now tenant specific
Cost Centers are sorted alphabetically
Configuration options are filtered by license elements which are available in case that all
tenant specific properties are moved from cloud to tenant.
Scan Workflows
The administrator can now manually define list type user input items directly in management
interface in case he doesn't want to use external XML or CSV files.
Improved Assign workflow access to roles window:
Added the ability to search when adding user role to workflow
Added pagination
Folder browsing in SharePoint 2010/2013 is now working.
The administrator can now define a File system type connector with network folder and
subfolders on connector level.

Scan resolution "High" on Sagem MFD now scans a document in the expected resolution (400
DPI).
Feature preview: OneDrive for Business connector. It's possible to create a OneDrive for
Business connector and deliver scanned files to OneDrive for Business destination. Additional
features and changes will be part of next SafeQ release.
Feature preview: SharePoint Online connector. It's possible to create a SharePoint Online
connector and deliver scanned files to SharePoint Online destination. Additional features and
changes will be part of next SafeQ release.
Terminals
YSoft SafeQ Embedded Terminal for Konica Minolta:
Reworked job details on KM native ET
Job details and job preview are now correctly displayed on KM A4 devices (Venus
/Cronos)
When modifying finishing options, confirmation is no longer done by the Cancel button
Terminal supports native application fail over.
YSoft SafeQ Embedded Terminal for Ricoh: Scan can now be correctly performed from glass
on Ricoh MP 501.
Terminal Pro 4:
Fixed issue that sometime caused user to be logged out immediately after log in.
After reinstallation to embedded terminal, the Terminal Pro 4 is correctly uninstalled.
Other
The Direct Queues are now created when FlexiSpooler on client mode is installed on all
supported system, including Windows 7.
The security level of communication between Management server and SPOC increased by
checking service certificate for IP address and its time validity.
Billing codes description is now correctly displayed in the End User Interface.
MS SQL Server 2014 and 2016 are now supported.
Limitations listed as currently not supported are already planned for of the next upcoming
releases, but the MU version has not been confirmed yet.

General
marked as deleted.
YSoft Print Driver.
YSoft SafeQ 6 server installer does not contain installer for OCR engine. If you wish to use
OCR feature in workflows then all site servers WPS sub-systems need to be reinstalled with
"YSoft SafeQ Workflow Processing System/ysq-wps-ocr-install.exe".
When upgrading to MU2 from YSoft SafeQ 6 GA, YSoft SafeQ services should be stopped
manually in advance due to defect in SQ6 GA.
Update of Flexispoolers, including Desktop Interface from MU1 to MU2 has to be done manually
only.
Online accounting is not supported.
Counter Reports are currently not supported.
Embedded Terminals
FujiXerox
Konica Minolta
Ricoh

Sharp
Xerox
following vendors:
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
Print Driver.
Connector.
see the Hardware Compatibility List.

YSoft SafeQ 6 does not accept documents from PostScript drivers on YSoft SafeQ Embedded
Terminal for Ricoh.
Spooling mode .
RBE and Finishing Options are currently not supported for PostScript based drivers.
Lexmark
Sharp
Samsung
Driver.
Scan Workflows
YSoft SafeQ 6 server installer does not contain installer for OCR engine. If you wish to use
OCR feature in workflows all site servers WPS sub-systems need to be reinstalled with "YSoft
SafeQ Workflow Processing System/ysq-wps-ocr-install.exe"
Scan to file system with custom credentials and impersonation does not work.
Microsoft exchange connector is not working with Exchange 2010
Search on Email user input does not work on KM ET Native.
Scan settings on KM ET Web allow selection of unsupported color settings.
document.

AP connector update is not possible due to brand new installer. Update is possible only by
uninstalling old version of AP connector and installing new 6.0.2.
SafeQube 2
Only Konica Minolta, Xerox, Sharp, FujiXerox and Ricoh Embedded Terminals are supported on
SafeQube 2.
Both Near and Far roaming are not supported on SafeQube 2
IMS proxy is not running on SafeQube2. This means that TP4 and eDee cannot be updated
when connected to SafeQube 2.
Terminal Pro 4
When using Terminal Pro 4 the device panel is not unlocked for copying and scanning, only
printing is available.
IMS proxy is not running on SafeQube 2, therefore Terminal Pro 4 and eDee cannot be updated
when connected to SafeQube 2


Improvements and Fixes
Hardware
Terminal Pro 4 now supports 40 languages, including Hebrew, Arabic, and Japanese.
eDee print chamber becomes locked until the owner of the print job logs in, even after a
power outage.
eDee can now send a picture of a printed model to the cash desk operator when a user
demands a refund.
Management Web Interface
It is now possible to update Terminal Pro 4, eDee, and SafeQube 2 from the management web
interface.
Job search and filtering are improved.
Price lists now support numbers with more than two decimal places.
Date format is now the same on all pages in management web.
The username of an unidentified job owner is now highlighted correctly.
The Add printer template button is now disabled when there is no device and SpoC group.
SafeQ Desktop Interface and FlexiSpooler
Single spooler can now support multiple Desktop Interface instances.
Desktop interface now supports Rule-Based Engine notifications for multiple users on a single
machine (e.g., CITRIX).
FlexiSpooler now handles all jobs properly, even when username caching is turned off.
When a PDF job is received with forceBw from AirPrint or Mobile Print Server, it is now
displayed as BW in YSoft SafeQ 6.
Mobile Print jobs with Finishing Option mpsFinishingDuplex=enable are now correctly printed as
duplex.
Desktop interface now correctly deletes the print job when billing code selection is canceled.
Is this preceeded

Scan Workflows
Customers with a CBPR + SafeQube 2 environment can process and deliver scanned
documents via the Workflow Processing Service located on a central server.
Advanced Workflows customers can now separate batch scans into individual documents
using separation sheets or barcode detection.
Advanced Workflows customers can now set standard PDF metadata fields (Title, Author,
Subject, Keywords) in scan workflows.
Advanced Workflows customers can now use MRC compression in scan workflows.
Advanced Workflows customers can now enable password protection and encryption in scan
workflows with Searchable PDF document output.
It is possible to select from all ABBYY supported languages in the OCR processing step of a
scan workflow in the management interface.
It is possible to specify a language for highlighter processing steps in the management

interface.
It is possible to duplicate scan workflows in the management interface.
Scanned documents can now be delivered to an alternate location and notifications sent out
if scanned files run over restrictions (limits).
Scanned documents can now be delivered to a fallback location and notifications sent out in
case of delivery failure.
Enable YSoft SafeQ 6 administrators to configure advanced scan workflow connector

properties through the YSoft SafeQ Web Admin UI.
There are more help tooltips in the connector and scan workflow screens of the management
interface.
Other
Mobile Print Server can connect to the Exchange server via EWS.
Registered users are now properly recognized when the email body is processed in Mobile
Print Server and when an anonymous print is enabled.
Billing codes for printing are now available on Mobile and Embedded Terminal.
Fixed problems with secure communication between YSoft SafeQ services.
Minor graphical and content glitches were fixed on various interfaces.

Known Limitations
Limitations listed as currently not supported are already planned for upcoming releases, but
the MU version has not been confirmed yet.
General
Installation and Deployment
Automatic upgrading from YSoft SafeQ 5 is currently not supported.
marked as deleted.
On Windows 2008 R2, Windows 7, and Windows Vista, the HP driver is installed instead of
YSoft Print Driver.
Information about the last used printer for offline print is lost after FSP is updated. The new
version creates a new file with a different format, which is used after the first print job is
sent.
YSoft SafeQ 6 server installer does not contain an installer for the OCR engine. If you wish to
use the OCR feature in workflows, then all site servers' WPS sub-systems need to be
reinstalled with "YSoft SafeQ Workflow Processing System/ysq-wps-ocr-install.exe".
When upgrading to MU2 from YSoft SafeQ 6 GA, YSoft SafeQ services should be stopped
manually in advance due to a defect in YSoft SafeQ 6 GA.
Update of FlexiSpoolers, including Desktop Interface from MU1 to MU2, has to be done
manually only.
Accounting and Reporting
Enterprise reporting via the YSoft CRS server is not supported.
Billing code selection for print jobs directly on the Embedded Terminal is currently not
supported.

Embedded Terminals
The Scanning Workflows are available with the following vendors:
FujiXerox
Konica Minolta
Ricoh
Sharp
Xerox
It is not possible to enable showing a user's personal and virtual credit separately.
Basic finishing options (Simplex/Duplex, BW/Color and Number of copies) are available with the
following vendors:
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Advanced finishing options (Stapling, Punching, Folding) are available with the following
vendors (see documentation for details):
Konica Minolta
Ricoh
Sharp
Xerox
Print Driver.
Connector.

Not all of the Finishing options are supported on every device. For detailed information, please
YSoft SafeQ 5 Early Access features "Fax accounting", "Extended accounting of colors", and
YSoft Payment System is not supported in combination with YSoft Mobile terminal.
Finishing options are supported only when the YSoft Mobile terminal is used on the devices
with Embedded Terminals.
Print jobs cannot be released on a Ricoh device with accounting enabled. To disable it,
navigate to the printer's System Settings -> Administrator tools -> Enhanced External Charge
Unit Management and turn off Color and Black and White under "Printer" section.
Printing and Print Processing
Terminal for Ricoh.
Spooling mode .
The estimated price for a job is not displayed in the YSoft SafeQ Desktop Interface.
Offline print is not supported on the following Embedded Terminals:
Lexmark
Sharp
Samsung
On Windows 2008 R2, Windows 7 and Windows Vista—only HP driver instead of YSoft Print
Driver.
Scan Workflows
Scan to a file system with custom credentials and impersonation does not work.
A workflow that sets PDF/A compliance sometimes does not produce a PDF/A compliant
document.
Compact PDF does not produce compressed PDF files on Xerox Embedded Terminals.

Character encoding of incoming emails must match the encoding set on the server containing
the FlexiSpooler used by the MPS. Otherwise, the job name has corrupted characters.
The text defined in mpsNotifyFinishOptionForced is sometimes not displayed in an email

notification.
PDF preview is not generated from the page specified with the page range for jobs sent via
AirPrint.
An AP connector update is not possible due to a brand new installer. An update is possible
only after uninstalling the old version of the AP connector and installing the new one, 6.0.2.
SafeQube 2 and Terminal Pro 4
Only Konica Minolta, Xerox, Sharp, FujiXerox and Ricoh Embedded Terminals are supported on
SafeQube 2.
When deploying a software update package on Teminal Pro 4, a change of IP address in

Terminal Pro 4 settings is required prior to starting the software update package deployment.
The IP address of Management Server is required. The change can be made via the SSH client
and connection to Terminal Pro 4.
Terminal Server will not start on SafeQube 2 with empty WebDAV Document Store. It is
required to manually create an 'Ftp' and 'WebDAV' folder in the WebDAV root.
An IMS proxy is not running on SafeQube 2, therefore, Terminal Pro 4 and eDee cannot be
updated when connected to SafeQube 2
Both Near and Far roaming are not supported on SafeQube 2
Only TLS 1.0 and SSL 3 are supported on SafeQube 2. MFPs with TLS 1.1 or TLS 1.2 only will
not work via a secured channel, but some of them can be configured to use HTTP
An administrator cannot change the SSL certificate on SafeQube 2
When using Terminal Pro 4, the device panel is not unlocked for copying and scanning, only
printing is available.

3.2.49.1 Release notes
Scanning Workflows configuration
All languages were made available for selection when defining scanning workflow in the OCR
processing step.
Administrators can add and remove SharePoint columns for scanning workflows that deliver
to SharePoint 2010 & SharePoint 2013 destinations.
Append/Prepend PDF option is now supported for workflow with destination to a SharePoint
connector.
SafeQ Administrators can select "XML file" as data source of a list type user input field, SafeQ
Administrators can supply a local / UNC path to the list source XML file.
More information can be found in the documentation in the article Edit Workflow
YSoft SafeQ Mobile Terminal
It is now possible to use Eddystone beacons for printer identification both on iOS and Android.
If the printer uses beacon technology, the app will detect it and offer the printer in “Nearby
printers”. When choosing the printer this way, QR code authorization is not necessary. More
information on the Eddystone configuration can be found in the documentation in the article
Eddystone configuration.
Design improvements on the QR code scanning screen.
Printing in offline mode
Offline print mode is now supported also on Fuji Xerox and Konica Minolta devices. Offline print
allows to print the document on the last known device in case the connection to server is
down when Client Based Print Roaming is used.
It is possible to reprint the job printed in offline mode once the connection to server is
restored.
New interface for offline print was introduced,
It is now possible to define the number of last used printers available to the user.
User is informed the documents will be printed directly and that the printed documents
shouldn't be left unattended.

When offline print was not successful (printer is not available), offline printer selection
window is displayed with error message about unsuccessful print.
More information can be found in the documentation in the article YSoft SafeQ Desktop
Interface - More about Printing in Offline Mode - to delete duplicate
YSoft SafeQ desktop interface
RBE notifications displayed in YSoft SafeQ desktop interface can be formatted. It is possible
to use bold, italic, underscore, new line and hyperlink formatting. More information can be
found in the documentation in the article Using YSoft SafeQ Desktop Interface Notifications.
Other
Support for job preview in far roaming has been added.
PostScript and PDF files are now correctly analyzed by parser, its possible to see the preview
of print jobs submitted on PDF format, e.g from Mobile Print Server. More information can be
found in the documentation in the article Print language support and limitations.
It is now possible to set secure communication between Terminal Server and Worklow
Processing System. This includes:
Encryption
Validation of WPS certificate in TS
Validation of TS certificate in WPS
More information in can be found in the documentation in the article System communication
hardening.
Number of copies selected in the print driver is now correctly propagated when the job is
released.
Job with paper size "A4Tab" is now correctly delivered to the printer.
Fixed UI for finishing options modifications on printers with smaller displays.
Known limitations
General

marked as deleted.
YSoft Print Driver.
supported.
Management Server
Guest user registration is not supported.
Local administrators are currently not supported.
Embedded Terminals
Usernames containing a space are not supported when using scan worklows.
FujiXerox
Konica Minolta
Ricoh
Sharp
Xerox

following vendors:
FujiXerox
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
Print Driver.
Connector.
YSoft SafeQ Embedded Terminal for Lexmark: Device dependent accounting is not working.
Finishing options are supported only when the YSoft Mobile Terminal is used on the devices

Terminal for Ricoh.
Lexmark
Sharp
Samsung
End user interface
Change of user cost center in YSoft Management will be not synchronized when this user log
into EUI. This may cause use of incorrect entitlement. As a workaround, the user has to log to
the Embedded Terminal which will will trigger correct synchronization.
When sending job to print through Mobile Print Server via email, the code page of the incoming
emails must match the encoding set on server containing FlexiSpooler used by Mobile Print
Server, otherwise job name has corrupted characters. The same applies for the jobs sent via
the AP Connector.
3.2.50 YSOFT SAFEQ 6 GA - RELEASE NOTES
3.2.50.1 Release notes
As a platform, YSoft SafeQ 6 includes 3 main pillars:
Print Management
Document Capture
3D Print Management
The 3 main pillars enable customers to:
Secure documents from unauthorized access (using one of the convenient authentication
methods).
Set up print, copy and scan access rights.

Save costs thanks to support of scripted actions and rules for print jobs by executing the rule
at any stage of job lifecycle.
Allow users to print to anywhere from anywhere.
Keep control over the print environment (costs, queues, devices, users) with consolidated and
detailed reporting.
Seamless and secure mobile and web printing from any device.
Core or advanced workflows that optimize employee productivity
Allocate costs to specific clients or projects to charge back
Enable pay-for-print so your organization can leverage print environment as a service offering
to your clients
Track 3D print jobs and allow pay-for-print with secure print at be3D printers
Embedded and External Terminals allow users to securely print, copy and scan (run workflows)
To see details about pricing, licensing and other sales related activities, please refer to
https://portal.ysoft.com/ .
3.2.50.2 Known limitations
The list indicates planned for the Maintenance Update 1.
General
It is currently not possible to define the database name during installation.
Domain authentication for MS SQL is currently not supported.
marked as deleted.

Online accounting is not supported. Currently planned for MU1.
supported.
Management Server
Job preview for jobs in far roaming is currently not supported. Currently planned for MU1.
Guest user registration is not supported. Currently planned for MU1.
Local administrators are currently not supported.
It is not possible to set the company logo for Management Reports.
Embedded Terminals
Usernames containing a space are not supported when using scan worklows.
FujiXerox
Konica Minolta
Ricoh
Sharp
Xerox
following vendors:
FujiXerox
Konica Minolta
Lexmark

OKI
Ricoh
Sharp
Toshiba
Xerox
Konica Minolta
Ricoh
Sharp
Xerox
Print Driver.
Connector.
YSoft SafeQ Embedded Terminal for Ricoh is not part of the installation package. It will be
released to the Partner Portal separately.
Finishing options are supported only when the YSoft Mobile Terminal is used on the devices
Offline print is supported only for FSP in spooling client mode and on Windows. Offline print
allows to print the document on the last known MFD in case the connection to SPOC is down.
Offline print is is supported only on OKI, Konica Minolta (with enabled Public User), Ricoh and
Xerox Embedded Terminals. Additional vendors will be added in MU1.
Terminal for Ricoh.

Shared queues are currently not supported.
End user interface
Change of user cost center in YSoft Management will be not synchronized when this user log
into EUI. This may cause use of incorrect entitlement. As a workaround, the user has to log to
the Embedded Terminal which will will trigger correct synchronization.
When sending job to print through MPS via email code page of incoming emails must match
the encoding set on server containing FlexiSpooler used by Mobile Print Server, otherwise job
name has corrupted characters. The same applies for jobs sent via the AP Connector.
3.3 YSOFT SAFEQ 6 - KNOWN LIMITATIONS
3.3.1 INSTALLATION AND DEPLOYMENT
server.
PostgreSQL database server uses GMT time zone by default. If a management server is in
different time zone, PostgreSQL time zone has to be set accordingly. Description:
zone for correct print job and report data.
other components is still available. However, the Mobile Print Server service in YSoft SafeQ
will need to be configured manually.

3.3.2 ACCOUNTING AND REPORTING
Online accounting:
Online accounting with the Mobile Terminal is not supported.
Offline accounting:
Combination of offline accounting and payment system is not supported.
3.3.3 MANAGEMENT INTERFACE
3.3.4 EMBEDDED, EXTERNAL AND MOBILE TERMINALS
Legacy Terminal Professional v3.x is supported with the following limitations.
Brother.

Brother
FujiXerox
Lexmark
OKI
Ricoh
Sharp
Sharp-eSF
Toshiba
Xerox
EPSON
HP
Konica Minolta
Lexmark
OKI
Ricoh
Sharp
Sharp-eSF
Toshiba
Xerox
EPSON
HP
Konica Minolta
Ricoh
Sharp (except Sharp-eSF)
Xerox
FujiXerox

Any jobs submitted via Mobile Print Server or Mobile Integration Gateway do not support
advanced finishing options.
Mobile Terminal does not support pay-for-print capability.
Mobile Terminal is not currently supported for use with other hardware terminals (Terminal
Ultralight, Terminal Professional v3.x and Terminal Pro 4).

Hardware terminals (Terminal Ultralight, Terminal Professional v3.x and Terminal Pro 4) do not
currently support Payment System.
Scanning to one scanned file (for example one PDF file) with Terminal Pro 4 can not take more
than 180 minutes otherwise the scanned file is not processed.
3.3.5 PRINTING AND PRINT PROCESSING
YSoft SafeQ desktop interface with FlexiSpooler for macOS is not supported.
client mode.
Estimated price for the job is not displayed in the YSoft SafeQ desktop interface.
Lexmark
Sharp
Sharp-eSF
Samsung

3.3.6 SCAN WORKFLOWS
3.3.7 PRINTING THROUGH MOBILE PRINT SERVER
characters.
After adjusting the page range, preview of PDF jobs sent via Mobile Integration Gateway (MIG)
is not generated from that page.
3.3.8 YSOFT SAFEQUBE 2
Only Konica Minolta, FujiXerox, Lexmark, Ricoh, Sharp, Sharp-eSF and Xerox Embedded
Terminals are supported with YSoft SafeQube 2.
Near, Far Roaming and Offline Print are not supported with YSoft SafeQube 2.
Only TLS 1.0 and SSL 3 are supported on YSoft SafeQube 2. MFDs with TLS 1.1 or TLS 1.2 only
won't work via a secured channel, but some of them can be configured to use HTTP.
An administrator can not change SSL certificate on YSoft SafeQube 2.
Card self-registration by entering Card Activation Code (CAC) is not supported.

4 USER GUIDES
4.1 QUICK GUIDE FOR USERS
The purpose of this document is to present to end users the system capabilities and tools at
their disposal and to enable them to manage their printing environment easily.
This will help users to understand the system and provide tools for them to perform tasks such
as printing, reprinting jobs, deleting jobs, managing their credentials, and more.
4.1.1 EMBEDDED AND EXTERNAL TERMINALS
Multifunction devices (printers, copiers) can be equipped with a terminal to allow secure access to
device functions as well as providing the ability to manage print jobs. The following terminals can
be installed:
An embedded terminal, running on the device's display
An external terminal, running on attached devices
Both embedded and external terminals offer various authentication methods, typically they go
hand in hand with a card reader, but they can also provide other ways to authenticate (such as
username and password, PIN code, and more).
Tap the terminal screen to explore the available authentication options. If you do not see the
authentication screen or the terminal attached to the device, it is possible the device is not
equipped with features that enable secure access and print job management. Such devices can
be used either as an ordinary network printer or together with Mobile Terminal.

4.1.2 MOBILE TERMINAL
Mobile Terminal is an application that has to be installed on your smartphone or tablet by you or
your IT staff. When enabled, Mobile Terminal can provide access to your print queue on selected
devices from your mobile devices. By launching the YSoft SafeQ application and scanning a QR
code (as illustrated in the picture), you can manage your print jobs or print them on selected
printer.
4.1.3 YSOFT SAFEQ MANAGEMENT INTERFACE FOR USERS
4.1.3.1 YSoft SafeQ Management Interface for Users
To display your print jobs
1. Click the YSoft SafeQ 6 shortcut on your desktop or enter the URL provided by your
system administrator. You can access this address from your desktop, smartphone, or
tablet browser (if they are connected to the office network).
2. When asked, provide your credentials. On the same screen, you can change the login page
and session language by using the flag in the top-right-hand corner.
3. Alternatively, when the Single Sign-On integration is enabled, you can enter the secured
part of the web interface by clicking on Login using system credentials button. Your Active
Directory credentials under which you are logged into the operating system will be used
instead and you will be logged into the interface without needing to enter your credentials
manually.

4.1.3.2 Job List
To display your print, copy, and scan jobs quickly, select the Reports tab from the left menu.
4.1.3.3 Manage Selected Print Jobs
In the Reports tab, select the print jobs you want to manage and press the Actions button:

On the selected jobs, you can perform any of the following actions:
Cancel the selected print job
Send the selected job to requeue the jobs
You can then select the queue to send the job to:
By default, if you press Requeue, the job will be sent to the queue the job was previously sent to
Marking the selected jobs as favorites allows you to store jobs on the server for
reprinting.
They are deleted or removed from the favorite list on the terminal or on the end user
interface by using the unmark selected jobs as favorites.
4.1.3.4 Job List - Filtering Specific Jobs
To display the most common views, choose one from the menu Views, displayed on the right-
hand side of the filter above the job list
If you are looking for a particular print job, you can adjust the filter to:

Date and Hour range
Specific device group
Specific print queue
4.1.3.5 Job List - Filtering Specific Jobs (Advanced)
You can also filter print jobs based on their specific status. Click on the Advanced link in the right
corner of the filter screen, which will display additional options such as filtering:
2D and 3D print jobs
All print jobs that are waiting to be printed
Jobs based on their specific status
4.1.3.6 Display Individual Job details, Preview, Requeue, or Delete
Each print job in the table shows available options to manage them individually.
Click the icon to show a job preview.
Click the icon to display detailed job information.
Click the icon to requeue the print job.
4.1.3.7 Change Your Access Credentials
To access a device, you might be required to use a username and password, PIN code or a card.
You can change your username and password as well as PIN code to access printers and a YSoft
SafeQ end user interface. This is useful if you have forgotten your PIN code or access credentials
to access printers via the terminals. A card can be changed by an administrator or by the user via
a card activation code.
1. Navigate to the main Dashboard from the left menu. Find the widget named Access
credentials and expand the Generate PIN option by selecting it.
2. Click Generate PIN.

2.
3. Confirm new PIN code generation by clicking YES.
4. The new PIN code is automatically generated and displayed.
5. You will also get an email with the PIN code and its expiration date.
Card activation code, if enabled by your administrator, allows you to assign yourself an ID card.
You can use this code to register your new card at the terminal on the printer. Place your card on
the terminal and, when the terminal prompts you, type the card activation code. From now on,
you will only need to use your card. You will not need to re-enter this code.
1. To issue a card activation code, navigate to the main Dashboard from the left menu. Find
the widget named Access credentials and expand the Generate card activation code by
selecting it.
2. Click Generate card activation code.
3. Confirm new card activation code generation by clicking YES.
4. The new card activation code is automatically generated and displayed.
5. You will also get an email with the card activation code and its expiration date.

4.1.3.8 Choose Your Default Billing (Project, Matter) Code
YSoft SafeQ 6 supports the ability to choose which project or billing code an activity, such as
copying, scanning or printing, is assigned to. If you always work in the context of one project or
billing code (or, for example, department), you can choose one billing code as default for every
activity.
This step requires that billing codes are enabled and configured for use by the system
administrator.
1. Navigate to the main Dashboard from the left menu. Find the widget named Default billing
code and click the Choose another billing code button.
2. From the options revealed, choose one of the billing codes. You can browse through all
billing codes that are available.
3. Once finished, you will see the billing code has changed to your newly selected billing code.
4.1.3.9 Other Widgets
What have you saved for the environment and your company:
Your last jobs, and their status:

Your monthly and yearly report:
4.1.3.10 Logging Out from YSoft SafeQ Management Interface for Users
When you finish working with the YSoft SafeQ end user interface, you can simply click the Logout
button as illustrated in the screenshot below.
4.2 SOFTWARE - USER GUIDES
The following software manuals target ordinary users. They can serve as guidance or a step-by-
step set of instructions on how to use the different software parts of YSoft SafeQ 6.
4.2.1 USING MOPRIA PRINT SERVICE ON ANDROID DEVICE
Limitation: Mopria Print Service will not discover Mobile Integration Gateway if packets
aggregation is used.
RFC 6762 specification is not supported by Mopria Print Service: "When possible, a Responder
SHOULD, for the sake of network efficiency, aggregate as many responses as possible into a
single Multicast DNS response packet."

4.2.1.1 Prerequisites
Android device with Android 4.4 or later
Some Android devices have Mopria Print Service preinstalled (for example Huawei or
Samsung devices)
Installation Mopria Print Service from Play Store
1. Open the Play Store application.
2. Search for Mopria Print Service.
3. Download and install the application.

4.2.1.2 Enabling Mopria Print Service on Android
1. Open Settings.
2. Look for the Printing section.
3. Enable Mopria Print Service.

Example: Printing from Adobe Acrobat using Mopria Print Service
1. Open a PDF document in Adobe Acrobat.
2. Tap the three vertical dots in the top right corner.
3.

3. Select Print.
4. Tap the printer button to send the document to YSoft SafeQ 6.
4.2.2 USING THE CASH DESK WEB INTERFACE
4.2.2.1 Overview
The Cash Desk web interface is for cash desk operators, such as front desk agents that
manipulate cash, and provides basic operations with customer accounts (cash deposits or
withdrawal, transaction refunds, voucher redemption, increasing or decreasing virtual balance,
etc.) and cash desk (opening and closing cash desks, money deposits or withdrawal, financial
closures, etc).
The Cash Desk application is installed as part of the YSoft Payment System.
To change the language, click the flag icon in the right corner of the top menu and select one of
the available languages.
4.2.2.2 Types of Cash Desks
The Cash Desk can be configured in administration to be General or Merchant.
An operator operating a General Cash Desk can see a customers' personal account and all virtual
accounts. The operator can perform deposit and withdrawal operations on personal accounts and
increase or decrease the balance on virtual accounts.
An operator operating a Merchant Cash Desk can only see the total account balance as a sum of
a personal account balance and a virtual account balance. The operator can only do refunds or
redeem vouchers.
4.2.2.3 Logging In/Logging Out
Before logging into the Cash Desk web interface, the following prerequisites must be met:
The YSoft Payment System is connected to a YSoft SafeQ server.
A user with the role cash desk operators is available in YSoft SafeQ 6.
The YSoft Payment System and YSoft SafeQ 6 are running.
Logging In
1. Open an Internet browser and go to the URL https://<server-ip-address>:8443/payment-

system/cash-desk or click the shortcut created on the desktop of the computer where the
YSoft Payment System is installed.
2. Enter the credentials of the user with a cash desk operator role.
3. Click Log In.

3.
Inactive users will automatically be logged out. For more information, see Working with
Payment System
Logging In with Remember Me
'Remember me' allows a user to stay logged in without needing to fill in a login form. After logging
in with a check in the 'Remember me' checkbox, a user does not need to log in again for the next
30 days (by default). This functionality can be cancelled by logging out. The 'Remember me'
feature has to be configured. For more information, see Advanced Configuration of YSoft SafeQ
Payment System.

system/cash-desk or click the shortcut created on the desktop of the computer where the
3. Check the 'Remember me' checkbox.
4. Click Log in.

All unsaved information will be lost for inactive users.
Logging In as a Current Windows User
'Log in as current Windows user' allows a user to log in using Windows user credentials. For more
information about the configuration of Single Sign-on, see Configuring Single Sign-on for YSoft
Payment System

system/cash-desk or click the shortcut created on the desktop of the computer where
3. Click Log in as current Windows user (see picture above).
Logging Out
Logging out from the Cash Desk web interface is performed by clicking the Log out button in the
top right corner. Or a user can be logged out automatically when they have been inactive for a
specified period.
4.2.2.4 Operating Cash Desks
This section describes all possible operations with assigned cash desks in the Cash Desk web
interface.

List of Cash Desks
After logging in, a cash desk operator can see a list of assigned cash desks that are not disabled.
Cash desks can be assigned to operators in the YSoft Payment System Administration web
interface.
In the list, you can see basic information for each cash desk:
Name—the name defined for the cash desk
Current balance—the balance of the cash desk should reflect the amount of physical money
in the cash desk
Status
Opened—the operator that opened the cash desk and has not closed it yet
Closed—nobody is operating the cash desk, it can be opened and used
Current operator—the name of the operator that is operating the cash desk and has not
closed it yet
All cash desks can be forcibly closed using the YSoft Payment System Administration web
interface
Opening and Closing a Cash Desk, Cash Desk Details
To use any of the available cash desks, click Open cash desk. If the cash desk has already been
opened, click on the Return to cash desk button.
In the top right corner, the cash desk's balance is displayed. To check the last activity in the cash
desk, see the Activity log at the bottom of the screen—the last five activities are displayed
ordered by date and time.
When finished with the currently opened cash desk, click Leave cash desk. The cash desk will be
properly closed, and the operator is redirected to the list of cash desks.

A list of all activities can be displayed by clicking View all.
Activities on a cash desk are sorted by ID. Optionally, filter them by date and type, sort by
columns, or list through pages. The number of lines displayed on the page can be changed.
Return back by clicking Back to <cash desk name> cash desk.
Money Deposits and Withdrawals into/from a Cash Desk
To deposit money to a cash desk, follow these steps:
1. Click the Deposit into cash desk button, the "Deposit money into cash desk" window
appears.
2. Fill in the amount (mandatory) and the purpose (optional).
3. Click Deposit and the transaction is saved.

After a successful deposit, the cash desk balance increases and the transaction appears in the
Activity log.
To withdraw money from a cash desk, follow these steps:
1. Click the Withdraw from cash desk button, the "Withdraw money from cash desk" window
appears.
2. Fill in the amount (mandatory) and the purpose (optional), alternatively, use the Select
everything button.
3. Click Withdraw, and the transaction is saved.
After a successful withdrawal, the cash desk balance decreases and the transaction appears in
the Activity log.
When using the YSoft Payment System with YSoft SafeQ 6, it might not be possible to
withdraw all money visible on a customer's account. This is caused by a very small value
missing on the customer's account.
This behavior is caused by a limitation of YSoft SafeQ 6 from incorrect rounding of credit.

Cash Desk Closures
Cash desk closure is used for financial closure (e.g. at the end of the day). It can be performed by
following these steps:
1. Click the Perform cash desk closure button on the opened cash desk screen.
2. In the following screen, click the Perform closure button to proceed with closure.
When cash desk closure is performed, a closure report appears with the list of operations on the
cash desk since last closure. Here receipts can be viewed or reprinted for operations performed
on customer accounts. Also, the entire report can be printed by clicking the Print closure button.
A list of all closures performed by the currently logged-in operator for all assigned cash desks can
be viewed by clicking Closures in the top page menu.
Optionally, filter closures by date and time, by cash desk, or operator, and sort or list pages with
closures. To see the details of a certain closure, click View on the right side of the selected line.

4.2.2.5 Operating Customer Accounts
This section describes all possible operations with money accounts in the Cash Desk web
interface. Before operating customer accounts, first open a cash desk.
Opening a Money Account
Open a customer account by:
Entering username—enter a user’s name into the field and click the Open button. Entering
the first character, the cash desk will display a list of users that match that written string.
Identify user with card—identify a user by their card (if a card has been assigned to them)
by following these steps:
1. a. Click Identify user with card, the "Enter card number" window appears.
b. Swipe the user's card using the card reader attached to the computer, or
c. Enter the user's card number and click Open.
When the user has been successfully identified, the customer account screen is displayed.
After opening a customer's account, the account details are displayed and the operator can
perform the various actions that are described below. The list of action buttons depends on the
cash desk type—General or Merchant.
Clicking Close customer account, you will be redirected to cash desks.

Money Deposits and Withdrawal into/from a Customer Account
To deposit money into a customer account, follow these steps:
1. Click the Deposit button, the "Deposit money" window appears.
2. Fill in the amount to be added to a customer's personal balance.
3. Click Deposit and the transaction is saved.
4. When the deposit has been processed, a deposit receipt is displayed with the receipt
number, cash desk name, customer name, deposit amount, and date. Print the receipt by
clicking the Print receipt button or close without printing by clicking the Close button.
After a successful deposit, the account balance and cash desk balance increase and the
transaction appears in the Activity log.

To withdraw money from a customer account, follow these steps:
1. Click Withdraw , the "Withdrawal money" window appears.
2. Fill in the amount to be withdrawn from the customer's account. Alternatively, use the
Select everything button.
3. Click Withdraw and the transaction is saved.
4. When a withdrawal has been processed, the deposit receipt is displayed with the receipt
number, cash desk name, customer name, deposit amount, and date. Print the receipt by
clicking the Print receipt button or close without printing by clicking the Close button.
After a successful withdrawal, the account balance and cash desk balance decrease and the
transaction appears in the Activity log.

The possible amount of a withdrawal can be limited by the cash desk balance or the smallest
amount used for withdrawal, configured in Payment administration.
Increasing and Decreasing a Virtual Balance
To increase the balance of a customer's virtual account, follow these steps:
1. Click Increase virtual balance, the "Increase virtual balance" window appears.
2. Select the merchant of the virtual account.
3. Enter the amount.
4. Click Increase virtual balance, the virtual balance increases.
After a successful increase, the virtual balance of the appropriate merchant increases, the cash
desk balance does not change and the increase is not displayed in the Activity log.
To decrease the balance of a customer's virtual account, follow these steps:

1. Click Decrease virtual balance, the "Decrease virtual balance" window appears.
2. Select the merchant of the virtual account.
3. Enter the amount.
4. Click Decrease virtual balance, virtual balance decreases.
After a successful decrease, the virtual balance of the appropriate merchant decreases, the cash
desk balance does not change and the decrease is not displayed in the Activity log.
Refunding a Transaction
A cash desk operator can refund all charged transactions on a customer account if refunding is
allowed in the YSoft Payment System Administration web interface.
To refund a transaction, follow these steps:
1. Click Refund to display the operations for refunding. The operator can filter the list of
displayed operations.
2. Select the operation for refunding by clicking the Refund button. The refund operation
details are displayed.
3. Enter the amount for refunding. Optionally, use the Select everything button, enter the
reason, and click the Refund button. If an operation has already been partially refunded, the
rest can be refunded or a part of it up to the remaining amount can be refunded.
4. When the refund has been processed, a Refund receipt is displayed with the receipt
number, cash desk name, customer name, claimed for, reason, refunded amount, and date.
Print the receipt by clicking the Print receipt button or close without printing by clicking
the Close button.
After a successful refund, the account balance increases, the cash desk balance does not
change, and the transaction is not displayed in the Activity log.

Redeeming a Voucher
To redeem a Voucher, follow these steps:
1. Click the Redeem voucher button, the "Redeem voucher" window appears.
2. Enter the voucher code and click the Redeem button.
After a successful redemption, the personal balance increases, the voucher code is deactivated
and the transaction is not in the cash desk Activity log.

Transaction History
A cash desk operator can also see a transaction history for the opened customer account if this
feature is enabled for the particular cash desk.
Click the Customer history button and a list of all transactions performed for this account
appears.
Optionally, filter, sort, or list pages with transactions.

4.2.3 USING THE YSOFT SAFEQ DESKTOP INTERFACE
4.2.3.1 Printing with the YSoft SafeQ Desktop Interface
Setting Print Options via the YSoft Universal Print Driver
The YSoft Universal Print Driver allows users to print to a wide range of devices via one driver
and is automatically installed with the YSoft SafeQ FlexiSpooler.
The YSoft SafeQ 6 printer is available in the print window. Set print options by choosing
Preferences. Currently supported features are color/grayscale print, duplex/simplex print, and
the selection of page size (currently A4, A3, Letter, and Tabloid).

Duplex:
Currently, two options are supported: simplex print, which is the default option, and duplex,
which is applied as duplex with long-edge binding. For a better understanding, see the picture:

The YSoft Universal Print Driver is available only for Windows 8 and higher. For previously
supported versions, a generic print driver is used.
Authentication
There are several possibilities of authentication. Based on which authentication mode is set in the
configuration, an authentication window can be shown when a user is printing.
If the entered credentials are not valid, a notification is shown, and the user is asked for their
credentials again. If the credentials cannot be verified, an error is shown.
Billing Code Selection
This step is only available if billing codes are set up and enabled in the management interface.
After successful authentication, the user is asked to select the billing code for that print.

There are two tabs available:
1. Recently used: Shows recently used billing codes.
When the user has not yet used any billing codes for previous print jobs, the list
"Browse all" with all assigned billing codes is displayed as a default instead of the list
"Recently used".
2. Browse all: Shows a tree view of available billing codes with the option to search for billing
codes.
Search: Enter a part of billing code or its description to search available codes for the
desired one.
If the user has only one billing code assigned, that one is selected automatically and the window
is skipped.
Processing
After confirmation of the selected billing code (by clicking Next), the print job is sent to YSoft
SafeQ 6 under the entered credentials with the selected billing code. During this process, this
window with a list of files sent for print may appear:

Confirmation
After the print job is received and processed, a confirmation notification window appears for a
moment.
Rule-Based Engine Notifications
An administrator can set up a rule in the Management interface to display a notification message
with given content to the user. The Desktop Interface displays a notification message on the
reception of a job by the YSoft SafeQ server. The message closes itself after a given period or
can be closed by the user. (The duration of how long notification windows are displayed can be
configured in notificationWindowTimeoutSeconds in the Management interface by
administrators. The default value is five seconds).

Some variables or placeholders (in bold) can be defined in the notification message, as shown in
the following image.
An Example of a Rule:
When "Job belongs to user with role Management" and "Job title contains text Confidential", "
Send YSoft SafeQ Desktop Interface notification with content of Text to job owner".
4.2.3.2 The Desktop Interface Tray Icon and Its Options
On computers with an installed YSoft SafeQ Desktop Interface, a user can find the YSoft SafeQ
Desktop Interface tray icon (usually in the right-hand bottom corner):
Right clicking the icon provides the status of the YSoft SafeQ FlexiSpooler and the following
options:
Open End User Interface
This menu option opens the End User Interface of the currently connected Spooler Controller in
the web browser. This is where the user can view their print queue and account balance,
recharge their account, upload a document, etc. (depending on the enabled options).
The option may not be available in the menu at all if the administrator has disabled it.

Switching the Current Location
The following text provides instructions on how to switch your location manually to be able to
print from any location defined in YSoft SafeQ.
Switching locations can be done manually or automatically, as configured by an administrator.
Users can check their current location via the tray icon.
Users still can switch it manually.
In the case of automatic location switching:
1. Find the FlexiSpooler Desktop Interface Tray icon.
2. Right click the icon and go to Locations.
3. A list of all possible Locations is displayed.
4. By clicking non-selected location, FlexiSpooler will try to reconnect to a Spooler Controller at

the selected location.
5. After successful connection, the new location is selected.
Tray Notifications
Important messages appear as tray notification bubbles. If a user has trouble printing a job, check
the notifications first.
The user is notified about several events during the print process. Usual situations that invoke a
notification popup are:
When print job sending was not successfully completed.
Authentication was not successful or was aborted.
Billing code selection was aborted.

An error occurred during the sending of the job.
When Rule-Based Engine is applied to the print job, a tray notification might appear.
When direct printers are deployed and configured.
4.2.3.3 Direct Queues Deployment
This feature is only available if Direct queues deployment is enabled in the Management
interface
A periodic check on direct printers configured in the Management interface is performed, and the
missing ones are created. During checking, a tray notification is shown.
4.2.3.4 Offline Print
Note
Offline Print is only available if enabled in Management interface.
Offline Print is a feature of the YSoft SafeQ Desktop Interface that provides limited printing
functionality while the Spooler Controller is not accessible. The desktop interface detects if the
Spooler Controller is inaccessible when no response has been received for a specified time.
During offline print, a user can print directly on the last used printers that are persisted. Jobs are
printed immediately on the selected printer. When the desktop interface reconnects, the job
tickets for all jobs printed offline are sent to the Spooler Controller with the status Printed.
Print Workflow of Offline Print
1. The connection to the Spooler Controller goes down, Offline Print is enabled, and the user
had previously been printing. Offline Print starts and the user prints a job.
2. The offline printer selection is displayed. The printers listed are the last ones used.

If a printer is selected, the job is sent directly to the printer. If the printer is not available,
the user is asked to select another printer or cancel the print.
3. If the job was successfully sent to a printer, once the connection to the Spooler Controller
is restored, job tickets for all jobs printed offline are sent to the Spooler Controller.
Accounting
Accounting information from embedded terminals will be sent to YSoft SafeQ 6 once the
connection to the Spooler Controller is restored.
The accounting method is Device dependent accounting or Offline accounting.

Vendor Accounting description
Xerox The job is accounted via Terminal Server, which periodically checks the logs for basic
accounting information.
The default configurable period is 20 minutes.
Ricoh The job is accounted via Terminal Server, which receives basic accounting information from the
log.
OKI The job is accounted via Terminal Server.
It only works with a Browser-based embedded terminal.
Limitations of Offline Print
A user must print at least one job before going offline to enable the feature—to store the
last used printer.
The Desktop Interface has to load the configuration from the Spooler Controller at least
once.
During printing in Offline Print with billing codes enabled (billing-codes-enabled: true), print
job has assigned a default billing code from YSoft SafeQ (0 - Default Project). This is not
the default billing code assigned to the user.
The Offline Print feature does not work with Sharp, Sharp-eSF, Lexmark, and Samsung
printers.
The Offline Print feature only works for a FlexiSpooler in client spooling mode.
The Offline Print feature works with Konica Minolta only when "Print without authentication
" is set on the MFD.
4.2.3.5 Sending 3D Jobs via FlexiSpooler
FlexiSpooler can receive 3D jobs sent via the be3D DeeControl application (for details, see Using
YSoft be3D eDee)
3D job files have a .GCO extension. After they are sent, they are spooled the same way as 2D
jobs on JobStore.

4.2.3.6 Possible Printing Issues
Several issues can occur during the print process. This section briefly introduces the problems
and their usual solutions.
1. Print job cancellation
If the print job is cancelled by the user, it is necessary to send the job again (to be able to
print the document on a device).
2. Unsupported format
If the print job is in an unsupported format. This usually happens when the print job is
created by an incompatible print driver.
3. Other errors
These can be caused by various reasons. See logs for more details.
4.2.4 USING THE YSOFT SAFEQ END USER INTERFACE
4.2.4.1 Overview
This chapter describes how to use the YSoft SafeQ end user interface.
The YSoft SafeQ end user interface is a web interface for end users, allowing them to manage
their YSoft SafeQ 6 accounts. The YSoft SafeQ end user interface has been developed for the
YSoft SafeQ 6 suite and replaces the end-user targeted interfaces from YSoft SafeQ 5. Users do
not have to use several separate interfaces with a different look and feel anymore. The YSoft
SafeQ end user interface is simple to use, responsive (adapts to different screen sizes (widths),
looks good on both desktop PCs and mobile devices), and receives necessary data and
configuration from other YSoft SafeQ systems.
4.2.4.2 Logging In
Only users with an existing account in YSoft SafeQ 6 can log into the YSoft SafeQ end user
interface using their username and password.
Enter a username and password on the YSoft SafeQ end user interface login screen. If
credentials are verified, and if the process is successful, the user is logged into the application.
1. Go to the URL of the YSoft SafeQ end user interface. The default URL is https://<server-ip-
address>:9443/end-user/ui
2. Enter the credentials for the YSoft SafeQ 6 user account
3. Click Login.

Single Sign-On
If Single Sign-On is enabled in YSoft SafeQ 6, users will be logged into the YSoft SafeQ end
user interface automatically. Only Windows Integrated Authentication is supported. Read
more about how to use Single Sign-On here.
4.2.4.3 User Profile
The user profile is displayed in the upper right-hand corner of the YSoft SafeQ end user interface
after a successful login.
The user profile contains information about the user's name and surname, username, personal
balance, virtual balance, a flag symbolizing the selected language, a link to recharge credit, and
logout.
Element Description
Name, surname, and The full name and username of a logged user
username
Personal balance and virtual Personal balance and virtual balance are displayed only if the YSoft
balance Payment System is enabled and if the logged-in user has payment
entitlement.
Personal balance is displayed in gray. When a user recharges the credit
on their account via the YSoft SafeQ end user interface, the personal
balance increases.

Element Description
Virtual balance is displayed in green as a "Bonus". A virtual balance

represents a customer's bonus or free credit. It can be provided by a
periodic recharge, a manual increase, or by setting an initial account
balance.
Flag symbolizing the selected The language of the YSoft SafeQ end user interface can be changed by
language clicking the flag in the upper right-hand corner and choosing the
selected language.
Recharge credit The Recharge credit link leads to the Recharge credit page.
Note: this button is only visible when a logged-in user has Pay
ment entitlement.
Logout The Logout button logs the user out of the YSoft SafeQ end user
interface. The user is redirected to the login screen.
4.2.4.4 Dashboard
The dashboard displays widgets, such as My recent jobs, My deposit, Budget, and Quotas.
Widget Description
My recent
jobs
The My recent jobs widget displays a list of jobs ready to print (Waiting) and printed
jobs (Printed). Jobs can be uploaded, for example, via the menu item Upload job in the
YSoft SafeQ end user interface.
A user can display more information about a job by clicking the symbol.
This widget is editable. By clicking the Edit button, the user can delete previously
uploaded jobs.
My deposit
This widget is only visible to users with Payment entitlement and without a
shared subject account.

Widget Description
My deposit widget displays a list of transactions, such as deposit, withdrawal, voucher

redemption, or transaction settlement.
By clicking the Show more button, a user can view a history of transactions.
By clicking Recharge, a user can recharge credit.
Quotas
This widget is only visible to users with Quota entitlement.
The Quotas widget displays information about a user's remaining quota and its reset
date.
The reset date is displayed by hovering the mouse over the remaining quota bar.
If the reset dates for all quotas are the same, it is also shown below the title.
The widget also displays a list of the last quota transactions.

Widget Description
Budget
This widget is only visible to users with Payment entitlement and a shared
subject account.
The Budget widget displays a list of recent transactions and the date of the next
periodic recharge (if any).
4.2.4.5 Upload Job
The menu item Upload job is visible only when YSoft SafeQ Mobile Print is installed and
enabled by an administrator.
The menu item Upload job is developed for the quick and convenient uploading of a user's print
jobs.
1. Click the Select files button or drag and drop to add a print job.
2. Files from a user's computer can be selected in two ways:
Click Select files, select the required print jobs and click Open.
Drag and drop the files to be printed.
3. Print jobs are ready to be uploaded. Print job can be left as they are or managed by
selecting the relevant checkbox:

3.
Black and white (a job will be printed in black and white).
Duplex (allows printing on both sides of a sheet of paper).
4. To delete a job, hover the mouse over the print job and click the revealed symbol.
5. Click the Upload button.
6. Jobs are successfully uploaded and ready for printing.
7. All jobs ready for printing are visible in the My recent jobs widget on the Dashboard.

When uploading a print job via the menu item Upload job in the YSoft SafeQ end user
interface, the user has to wait a few seconds for the print job to be processed—this
usually does not take longer than 10 seconds. The print job then appears in the Waiting
section of this widget.
4.2.4.6 Payment
The Payment menu item is visible only when the YSoft Payment System is installed and
enabled by an administrator. The user's account also needs to have Payment entitlement
settings.
Account Details
The Account details tab contains data related to a user's payment account. The records are
displayed in a tab and can be filtered by operation type, date from, date to, amount from, and
amount to.
Transaction Filter
The transaction filter filters transaction records. Filtered fields can be combined—when more
fields are chosen, the results will be more restricted.
Element Description
Operation type Restricts results to the selected operation type (for example, Cash desk
deposit, Cash desk withdrawal, Voucher redemption, Deposit via
Payment gateway, Balance decrease, etc.)
Date from Restricts results to records after the selected date (the timestamp
used is the start of the selected date—00:00)
Date to Restricts results to records before the selected date (the timestamp
used is the end of the selected date—23:59)
Amount from Restricts the results to records with the amount >= given value
Amount to Restricts the results to records with the amount <= given value
Search button Submits the search query

Element Description
Clear all button Clears the form, but does not submit the search query
List of Transactions
This list shows the history of transactions on a user's account. Transactions are ordered by date,
the newest records are displayed at the top of the tab. Every transaction contains date, payment
type, and amount—some transactions also have a description.
Recharge Credit
The Recharge credit tab contains the Voucher and Electronic payment tabs (if configured and
allowed by your administrator).
Voucher
In this tab, a voucher can be redeemed. Enter the voucher code in the displayed field and click the
Redeem your code button.
If the voucher code is valid, the balance increases. The transaction can be viewed in the tab
Account details.
If the voucher is invalid (expired, already redeemed, etc.), the balance does not increase, and a
validation message is displayed.
Electronic Payment
The Electronic payment tab is only visible when at least one Payment gateway for the YSoft
Payment System is configured, and the YSoft Payment System is installed and enabled by an
administrator.

Via the Electronic payment tab, a user's account can recharged via the selected payment
gateway.
Element Description
Accept and pay/ The button redirects to the selected payment gateway. The button is enabled
Pay only if an amount is filled in, it meets all validations, and a payment gateway has
been selected.
ACCEPT AND PAY is displayed when terms and conditions need to be accepted.
PAY is displayed when terms and conditions do not need to be accepted.
Amount Enter an amount to recharge via the selected payment gateway into the Amoun
t field.
This field is required and needs to be more than 1.
If a minimum deposited amount is defined by an administrator for a selected
payment gateway, the deposited amount has to be equal to or higher than
the minimum deposited amount.
List of payment A list of all enabled payment gateways. At least one of them has to be selected
gateways to proceed.
Terms and conditions If terms and conditions need to be accepted, a link to the terms and conditions
is displayed next to the ACCEPT AND PAY button.
Depositing Money via DIBS
1. Go to the menu item Payment and click Recharge credit. The Electronic payment tab is
displayed and you can see at least one payment gateway.
Depending on the country, the user may be required to confirm the terms and conditions
. To display and get familiar with the terms and conditions, click the conditions link next
to the ACCEPT AND PAY button.

2. Enter the required Amount, choose the DIBS payment gateway, and click the Accept and
pay button. If there are no terms and conditions to accept, click the Accept button.
3. The user will be redirected to the DIBS portal page.
4. Fill in all the mandatory fields about the card and click the Validate payment button. The
user should be redirected to the DIBS's payment result page.
5. Click the Next button.
6.

6. The user is redirected to the YSoft SafeQ end user interface. A validation message about
the recharge is displayed, and the balance on the user's account increases by the given
amount.
Deposit Money via PayPal
1. Go to the menu item Payment and click Recharge credit. The Electronic payment tab is
displayed, and at least one payment gateway is shown.
Depending on the country, the user may be required to confirm terms and conditions. To
display and get familiar with terms and conditions, click the conditions link next to the
Accept and pay button.
2. Enter the required Amount, choose the PayPal payment gateway, and click the ACCEPT
AND PAY button. If there are no terms and conditions to accept, click the Accept button.
3. The user should be redirected to the PayPal portal page.
4. Enter the Email and Password of the PayPal account and click Log In.

4.
5. Check the information on the screen and click the Continue button.
6. The user will be redirected to the YSoft SafeQ end user interface. A validation message
about the recharge is displayed and the balance on the user's account increases by the
given amount.

4.2.4.7 Account Connection
The Account connection menu is only visible when the YSoft Payment System with an
external payment system provider requires user authorization in order to access external
account data (for example, PayEx).
The menu Account connection allows access to a user's external payment system provider's
account. This is necessary for using YSoft Payment System features.
The activation process has two parts. Enter an activation email and then an activation code.
1. Enter the activation email used by the external payment system provider. An activation
code will be sent to this email.
2. Enter the activation code and click Activate.
If the activation code has not been received, use the Resend code link.

3. After authorization, the result screen of the PayEx activation will be shown. Optionally, the
Disconnect account can be used.
4.2.4.8 Related Documentation
Configuring YSoft SafeQ end user interface (Installation and configuration of the YSoft SafeQ end
user interface for administrators)
YSoft SafeQ Payment System administration
4.2.5 USING YSOFT SAFEQ MOBILE INTEGRATION GATEWAY TO PRINT FROM

IOS OR OS X
A step-by-step description on how to print natively from OS X and iOS devices. All jobs will be
sent to the user's secure queue in YSoft SafeQ, available to be printed at any connected printer.
4.2.5.1 Send a Print Job to a Secure Queue on Devices with a Mac OS X Operating System
1. Print a document from any application. You can either use a pre-configured printer (set by
your administrator) or select from nearby printers (the name depends on the configuration,
for example, "YSoft SafeQ 6").
2. Enter your credentials. The print job will be sent to a secure queue in YSoft SafeQ 6.

2.
Send a Print Job to a Secure Queue on Sevices with an iOS Operating System
1. Open the document you want to print, and click the "Print" icon.
2. Select the printer with the name set in YSoft SafeQ 6.

3. Confirm the print job by clicking the "Print" button. The print job is sent to a secure queue
in YSoft SafeQ 6.
4. You can also see additional printer options, which allow you to configure:
a. Single-sided/Double-sided printing
b. Color/Black & White print
c. Number of copies
d. Page ranges
e. Media size–A4 or Letter

5. If you are printing for the first time, enter the required credentials.
iDevices cache credentials. Subsequent print jobs will not require the re-entering of
credentials.
Configure a Printer on Mac OS X
Instead of discovering available printers ad-hoc on your Mac, you can configure a printer following
the steps below.
1. Open System Preferences.

2. Open Printers & Scanners.
3. Click '+', click the printer with the name set in YSoft SafeQ Mobile Integration Gateway, and
click the 'Add' button.
4.3 TERMINALS - USER GUIDES
The following manuals provide guidance or can serve as step-by-step instructions for users
working with embedded, external, or mobile terminals.
4.3.1 USING YSOFT PAYMENT MACHINE TERMINAL
4.3.1.1 Recharging account using YSoft Payment Machine
1. YSoft Payment Machine is used for recharging your money account registered in YSoft
Payment System.

2. Login by swiping card, touching Login or PIN. We are using PIN in this example. Enter PIN
and touch OK.
3. Now you can select if you want to print receipt or not.
This option depends on administrator settings. It doesn't have to be displayed.
4. Screen with user name, last last balance and recharged amount is displayed.

5. To recharge your account put money into coin or banknote acceptor. To exit recharging
session touch End button. You can see recharged amount value on display.
YSoft Payment machine is accepting coins and banknotes based on administrator

settings. Some coins/notes may be rejected.
6. As the last step, receipt will be printed, if you touched Yes in step 3. Please take the
printed receipt.

4.3.2 USING YSOFT SAFEQ EMBEDDED TERMINALS
4.3.2.1 Using YSoft SafeQ Embedded Terminal for Brother
Accessing and Logging in at a Brother Device
Loggin in on device with installed YSoft SafeQ Embedded Terminal for Brother
You can be asked if you want to print all your compatible jobs after authentication. Whether it
occures depends on configuration.
Logging in Using the Card Method
1. Place your card on the card reader attached to the device
2. You are logged in.
Logging in Using the PIN Method
1. Enter your Pin and tap OK.
2.

Logging in Using the Username and Password Method
1. Write your Username and tap OK.
2. On the other screen write Password and authenticate with OK.
Logging in Using the Username and Password or Card Method
1. Select authentication method

2. Use authentication method Card or Username and Password according to your choice
Log in Using PIN or Card Method
1. Select authentication method
2. Use authentication method Card or PIN according to your choice
Logging in Using the Username and Password and Card Method
1. First you need to use your card and swipe it on the card reader.
2. After that you also need to authenticate with username and password.
Logging in Using the PIN and Card Method
1. First you need to use your card and swipe it on the card reader.

1.
2. After that you also need to authenticate with PIN.
Language selection
Changing language from authentication screen is not possible for the user.
Log out
1. To log out from the device, tap the black area in the top left corner (with users name) and
confirm Log out action. Optionally, you can swipe your card on card reader to log out if this
option is supported.
Not all devices has logout frame on the same place. But user always use black frame
with their name wherever it is placed.

2. You are logged out.
If you do not log out, the device automatically logs you out after the period of time set
for the MFP by your system administrator (typically three minutes).
Activating a New ID Card at a Brother Device
Card assignment
Card can be assigned to a user either with Card activation code (CAC) or Username and
password.
1. Card activation code
a. Swipe with unknown card when device is on default screen
b. Select Card activation code as activation method. (This step will be skipped if only
one activation method is available)

c. Enter your CAC
d. You are logged in and Card is assigned to your account
2. Username and password
a. Swipe with unknown card when device is on default screen
b. Select Username and Password as activation method. (This step will be skipped if
only one activation method is available)

b.
c. Enter your Username and tap OK.
d. Enter your password and tap OK.
e. You are logged in and Card is assigned to your account
Copying at a Brother Device
If your system allows you to make copies, follow these instructions.

If you have questions about whether or not you can make copies, contact your system
administrator.
Copying at a Brother Device
1. Log into the embedded terminal.
2. On the Main Menu screen, tap Copy.
Your Main Menu screen may not look exactly like the one shown here.
3. Select the number of copies by tapping on + and - buttons and select the copy settings via
Options button. Then tap Start on the device panel to start copying.
Printing at a Brother Device
Printing and Managing Jobs
2.
2. If you are not redirected automatically, tap the YSoft SafeQ application in the device's Main
Menu.
Your Main Menu screen may not look exactly like the one shown here. Use arrows on
the sides to navigate in menu.
3. The print application is displayed.
Note that you need to first choose the folders from Waiting, Printed, or Favorite.
Empty Job List
When there are no jobs in the folder, you will see zero displayed next to all folders.
Printing jobs
Select print job that you want to print.

Printing and Button Descriptions
Print button will initiate printing of the selected document
Delete button will delete selected document
Mark as favorite will make it accessible from the favorite folder
Show details will display detailed information about the print job
Job Detail Screen
Show details will display screen with the job detail without the possibility to modify it.

Navigation in print application
If user is currently in Print application, Back arrow (this button is usually on Hardware panel)
needs to be used to navigate back.
To leave Print application there is Home button that needs to be tapped.
Scanning at a Brother Device
Workflow scanning
1. Log in to the embedded terminal.
2. Tap the Solutions icon in the device's main menu.
3. Tap the SafeQ Scan application in the Solution menu.
Scan workflows without user input
1. Select a scan workflow you want to execute.

2. In workflow detail screen, you can initialize the scan job or enter into the scan workflow
settings.
3. Tapping Scan settings opens a screen where you can select properties of the scan job.
Confirm your settings by tapping OK button.
4. When you are ready, tap the Scan button to initialize the scan job.
Scan workflows with user input
1.

1. Select a scan workflow you want to execute.
2. In workflow detail screen, you can initialize the scan job or enter into the scan or workflow
settings.
3. Tapping Scan settings opens a screen where you can select properties of the scan job.
Confirm your settings by tapping OK button.
4. Tapping Worklfow settings opens a screen where you can insert values for user inputs (email,
text, date ...) of the scan job.
(* means that user input is required)
By default all scanned documents are scanned as A4 format and as portrait orientation.

Device's merging originals feature is always enabled and will allow you to join more documents
into a single workflow.
4.3.2.2 Using YSoft SafeQ Embedded Terminal for Epson
Accessing and Logging in at an Epson Device
This document describes YSoft SafeQ Terminal Application - 2nd Gen. for authentication. It is an
alternative to YSoft SafeQ Terminal Application - 1st Gen.
Logging In with a PIN
1. Enter your PIN.
2. Tap Login.
Logging in with a username/password
1. Enter your username.
2. Enter your password.
3. Tap Login.

Logging in with a card
1. Put your card on the reader attached to the printer.
Logging in with a card or a PIN (username/password)
2. Or enter your PIN (username/password) and tap Login.

Logging in with a card and a PIN (username/password)
1. Put your card on the reader attached to the printer and continue to the next step.
2. Enter your PIN (username/password).
3. Tap Login.

Logging out
There are three options for logging out:
1. To log out, press the Logout button (highlighted in the image) on the printer panel.
1. Or to log out from the application, tap the icon Log out (highlighted in the image) on the
printer display.
1. Or put your card on the reader attached to the printer (if the terminal uses authentication
by card).
Display Help
1. Tap the icon and the help dialog is displayed.
2. Tap OK and the Help dialog is hidden.

Select Language
1. Tap the icon and the Select a language dialog is displayed.
2. Select the language and tap Select. The Select a language dialog is hidden.
Activating a New ID Card at an Epson Device
This document describes YSoft SafeQ Terminal Application - 2nd Gen. for activating a new ID card.
It is an alternative to YSoft SafeQ Terminal Application - 1st Gen.
Registering a New Card by Entering Your Card Activation Code
If a card activation code has been assigned to you (it was received by email or is displayed on the
YSoft SafeQ web interface dashboard), you can use this simple method to register your card.
1. Place your card on the card reader attached to the device.
2. If prompted, select Activation code method.

This screen may be skipped based on YSoft SafeQ configuration.
3. Enter the card activation code, and confirm it with the Activate button.
4. If the assignment process is successful, you will be logged into the device and the new card
will be assigned to your user account.
Registering a New Card by Entering Your Username And Password
2. If promted, select Username and password method.

3. Enter the username and password, and confirm it with the Activate button.
Printing at an Epson Device
This document describes YSoft SafeQ Terminal Application - 2nd Gen. for the print application. It is
an alternative to YSoft SafeQ Terminal Application - 1st Gen.

2.
Note that when no job is selected, you can tap the arrow to select from Waiting, Printed or
Favorite folder. Folder name is not available when a job is selected.
List of folders depends on printer installation. In case that device is installed only with
Waiting folder, no arrow for selection is displayed.
3. If you have selected at least one job, then print button is enabled in the footer.
Empty Job List
When there are no jobs in the folder, you will see the message "The folder is empty." instead of a
job list.
Action Bar
The buttons in the action bar allow you to manipulate the selected jobs. In the middle, you can
see text indicating the number of selected jobs.

Header Buttons
The menu lists accessible application and dashboard.
The back button navigates you back to the print application from the job detail screen.
The exit button logs you out.

User Info
User info is on the right side next to the exit button.
There are two text lines on the left side next to the exit button. The upper line is the username,
and the lower line is the billing code.
If a billing code is not used, only the username is displayed. Alternatively, there is only the
username and credit.
If the payment feature is enabled, there might be three text lines. The first line is the username,
the second line is the billing code, and the third line is for user credit.
Printing and Managing Button Descriptions
The action bar button Select all selects all the jobs in a given folder.
The action bar button Delete deletes all selected jobs.
The footer bar Print button prints all selected jobs. Note that the number on the
button indicates the number of selected jobs.
The Favorite button makes a job as favorite. If a favorite folder is configured, it will be
present in this folder.
The Settings button navigates you to job detail screen.
The Modified settings button indicates finishing options was changed. Button navigates
you to job detail screen.

When there are more jobs in a given folder, a browsing arrows button is displayed on the right
side to move one page up or down.
Job Detail Screen
When the finishing options feature is not enabled, you will see the job detail without the
possibility to modify it. You can use the pagination buttons to see all job details.
When a job preview is not available, it is not present on the job detail or finishing option
screen. A user will see only the job details without a preview.
You can use the Print button to print a job directly from the job detail screen.
Job Detail Screen with Enabled Finishing Options
When the finishing options feature is enabled, the can select from basic and advance finishing
options and can modify the job.
You can switch between basic and advanced finishing option

settings by the arrow and selecting from list.
You can use the following actions when in the finishing options screen.
You can save changes possibly made with the finishing options and continue
browsing jobs in the print application by pressing the Save and close button.
Using Save and close button always save finishing option settings even when there is no
change from the original document. Then modified settings button is shown.

You can print a document with possibly made changes immediately from the
finishing option screen by pressing the Print button.
You can modify the finishing options settings as described below.

Basic settings description
You can change the color mode by selecting

the B&W (Black and White) or Color.
You can increase or decrease the amount of

copies by tapping the '-' or '+' button. The current value is visible on the left in the edit box.
You can choose to print a document in either

simplex or duplex mode by seelcting the One-sided or Two-sided button.
You can switch to advanced finishing option settings by selecting the Advanced settings.
The Buttons in the Finishing Options
You can change stapling in the modal dialog

when tapping the button on the right. The current value is visible in the edit box on the left.
The current value is the selected one. You can change it and use the pagination buttons to get all
options.
You can change punching in the modal dialog

by tapping the button on the right. The current value is visible in the edit box on the left.
For all following advanced finishing options, the modal dialog is similar to the Stapling dialog.
You can change folding in the modal dialog by

tapping the button on the right. The current value is visible in the edit box on the left.
You can change binding in the modal dialog

by tapping the button on the right. The current value is visible in the edit box on the left.
Incompatible Job
When the show incompatible jobs feature is enabled, you can see incompatible jobs in the job list.

This icon indicates incompatible jobs. Additionally, the background color is pink.
You can see incompatibility details by tapping the Show details text.
Note, you cannot mark a job as favorite or see the job detail when a job is incompatible.
An incompatible job cannot be selected and printed.
The reasons for incompatibility and suggested fixes are displayed in the incompatibility dialog.
You can delete an incompatible job by tapping the Delete button.
If the finishing options feature is enabled, you can try to fix the issue using the
Apply fixes button.

The Apply fixes button is available only if the finishing options feature is enabled. If not, only
the Delete button is available. You can navigate to the job list via the back button in the
header.
Note that a fix might not always work. The job's finishing options are switched to default
values, which can help in most cases.
After the Apply fixes button has been tapped, the user is informed about the result through the
modal dialog.
Scanning at an Epson Device
User part
Instant scan workflows
Scan workflows can be defined in a very simple way for the user to tap and start the scan
workflow immediately. These are instant scan workflows.
1. Log into the embedded terminal. If not redirected automatically, tap Scan application in the
device main menu.

2. If print jobs list is displayed tap menu button
and then select Scan application in the menu.
3.

3. On the Main Menu screen, tap Scan on the left side.
You may be asked to select a Billing Code first.
Available scan workflows vary based on your permissions and YSoft SafeQ configuration.
To learn more, please contact your system administrator. Instant scan workflows enable
you to start a specific workflow without any additional input. These are marked with
Instant workflow label under the name. To start scanning, tap one of the instant scan
workflows. Scanning starts immediately with the selected workflow.
Display more pages of the scan workflows list.
Tap to change the predefined Scan settings.
Tap to display scan workflow description.
User input may be required with some scan workflows. This guide will show you how to work
with them.
1. Workflows not marked with an instant scan label require additional input from users. Tap
one of the listed scan workflows and you will proceed to the Workflow settings screen.

Tap to display scan workflow description.
2. The Workflow settings screen is displayed. If a workflow is not marked with an Instant
scan label, it is a regular workflow with user input. Selecting such a workflow on the Scan
workflows screen always opens the Workflow settings screen .
3. Tap an input field or its icon to set the value of a workflow user input. Optional user inputs
are marked with a label (optinal).
Tap to open the List selection screen.
Tap to select a target folder.

After placing a paper document on the glass or in the feeder, start
scanning using the Scan button. If any required user input is not filled-in, input is marked
with label Missing information highlighted with red color. If user inputs are invalid, a
Validation screen is displayed and scanning will not start. When scanning starts, the Scan
in progress screen is displayed.
Tap to leave the screen and display the Scan workflows screen.
Go to the next/previous page to view and edit user input fields not displayed
on the current page.
On the top of the screen tap to switch to scan setting or workflow settings screen
.
a. On the List selection screen select one of the options by tapping it.
Go to the next/previous page to view other options from the list.
Tap to list item and then Select to confirm selection and return
back to the Workflow settings screen.
Tap to Cancel the screen without a selection change. The screen

is displayed with the original choice set in the list input field.
b. On the Folder browsing screen you can browse a folder's structure. The folders are
listed in alphabetical order. The label of the tab at the top of the screen initially
contains the same label as the related workflow user input field. After accessing a
folder, the label contains the current folder path. Tap a folder item to browse its
content.

Tap to return to the root folder.
Tap to return to the parent folder.
Tap to go to the next/previous page to see other folders.
Tap to display the folder content.
Tap to the folder name and then Select to confirm selected

folder as the target folder.
Tap to the Cancel to leave the Folder browsing screen without a

selection change.
Additional scan settings

Additional scan screens are displayed after tapping their tabs on the detail workflow screen or
tapping the instant scan More button.
1. The Scan settings screen is displayed after pressing the More button in the instant scan
workflow or pressing the Scan settings tab regular Workflow settings.
The Scan settings screen is displayed only if any of the options are modifiable (set by
an administrator).
2. The Scan settings screen contains at least one of following options:
Set desired scan quality.
Select from the available colors options.
Select simplex or duplex scanning.
Select the desired file format.

scanning using the Scan button. If any required user input is not filled-in, the Validation
screen is displayed and scanning will not start. When scanning starts, the Scan in
progress screen is displayed.
Tap to leave the screen and display the main scan workflows screen.
Use selection button to display available options.

Tap to list item and then Select to confirm selection and return back to
the Scan settings screen.
Tap to Cancel the screen without a selection change. The screen is

displayed with the original choice set in the scan settings field.
Scan description
1. The Scan description screen describes the workflow and how to work with it.
Using Billing Codes at an Epson Device
This document describes YSoft SafeQ Terminal Application - 2nd Gen. for the billing codes
application.

Whether the selected billing code applies or not to your print jobs as well depends on the
configuration performed by your administrator.
Open the Billing codes application
2. On the Main Menu screen, tap SafeQ Billing codes.
3. My billing codes screen is displayed.
My billing codes screen
This is the first screen you will see after opening the Billing codes application.
When you have default billing code assigned, then you will see that default billing code selected.
Otherwise, you will see an information message instead of a billing codes list.
If you have selected a different billing code by browsing or searching, you will see that billing code
in the billing codes list.
You can browse or search for billing code by tapping Browse.

You can assign selected billing code to yourself by tapping Select. Tapping it also close the
application.
Browsing/Searching screen
Browsing
Browsing screen displays a billing codes tree structure which you can go through to find, select
and assign a billing code to yourself.
1. After opening the Browsing screen you will see the root of the billing codes tree structure.
2. If you want to find the billing code, you can use the navigation buttons. You can go deeper
in the tree structure by pressing on the right side of a billing code. It is available only
for billing codes with at least one child billing code. You can go up to the previous level in
the tree structure by pressing .
You can display the root billing codes by pressing
3. When you select a billing code, the Select button is enabled and by pressing it you can
assign the selected billing code to yourself.

Searching
If you cannot find the desired billing code using browsing, you can use the search box on the
browse screen to find the billing code by searching.
Text from the search box is searched in the billing code name and description.
1. Tap inside the Search line.
2. The search box will fill the window width.
3. Write down a text you are searching for.
4. Press symbol of magnifying glass if you want to search. Or press the cross if you want to
cancel searching and return to browsing.
5. After the successful search you can see a billing codes list.

6. When you select a billing code, Select button is enabled and by pressing it you can assign
the selected billing code to yourself.
You can use Cancel for return to the My billing codes screen.
Searching screen displays a billing codes list of all matching billing codes. The billing codes with at
least one child billing code have the folder button on the right side of a billing code. The folder
button you can use to go deeper in the billing codes tree structure.
Default Billing code
Based on your configuration, the default billing code is selected automatically immediately after
login (in this case: Development - Development). Until you change it, all copies, scans and prints
will be accounted to your default billing code.
Your default billing code can be changed in the YSoft SafeQ management interface.

Using Credit Balance to Print and Copy and Scan at an Epson Device
Displaying the Current Credit Balance
2. In the Print and Scan application, the currently available balance is written at the top of the
screen under your username.
If the user has the entitlement set to "Prepaid account", the information about their credit balance
is shown at the upper-right corner of the SafeQ Print Application screen.
Legend for images above:
user has some credit available

user has no credit available
The available balance consists of your personal balance and virtual balance minus the minimum
balance set for your money account. If you are in a debt, zero is displayed.
Displaying the Current Page Quota Balance
2. In the Print application, the currently available balance is written at the top of the screen
under your username.
If the user has the entitlement set to "Page quota", the information about their quota balance is
shown at the upper-right corner of the SafeQ Print Application screen.
quota for black&white prints only (2 available)

quota for color prints only (1 available)

quota for all print types (1 available)
quota set but no available pages
only not-related quota are assigned (e.g. user has print quotas and is in Copy application)
Printing with a Credit Balance using SafeQ Print application
If the credit balance is not sufficient for the selected print job, the job will not be released for a
print. Otherwise the print job will be released.
Cost of print job is estimated before the print.
insufficient credit message

print jobs have been released message
Printing with a Quota Balance using SafeQ Print application
If the quota balance is not sufficient for the selected print job, the job will not be released for a
Count of pages is estimated before the print.

insufficient quota message

Printing using Epson native print application, e.g. Print from memory device
If the credit/quota balance is not sufficient for the selected print job, the job will not be released
for a print. Otherwise the print job will be released.


Making copies using Copy application
If the credit/quota balance is not sufficient for the even making one copy, the job will not be
released for a copy. Otherwise the copy job will be released.
If the users balance is depleted during copying, the copy process will be cancelled

Scanning using SafeQ Scan and Native Scan application
If the credit balance is not sufficient for the even making one scan, the job will not be released for
scanning. Otherwise the scan job will be released.

If the users balance is depleted during scanning, the scanning process may be cancelled. Please
see the Credit Handling on Epson page for more details.
insufficient credit message - for Native Scan application

insufficient credit message - for SafeQ Scan application (check before scan starts)
4.3.2.3 Using YSoft SafeQ Embedded Terminal for Fuji Xerox - 1st Gen.
Accessing and Logging in at a Fuji Xerox Device
Log in using a Username and Password or Card method
ApeosPort-VI and older ApeosPort-VII
1. Place your card on the card reader attached to the device OR press the 1. Press the Log In button, press press th
Log In/Out physical button and continue with the next step. use and continue with the next step.

When the unknown card assignment feature is enabled, the assignment screen is also
displayed for swiping with a known card, so the assignment screen has to be skipped. This
can be done just by leaving the input field empty and pressing Enter.
1. Type in your Username and tap Next. 1. Type in your Username, Password and t
2. Type your Password and tap Enter.

Log in using a Pin or Card method
Place your card on the card reader attached to the device OR press the Log In/Out physical
button and continue with the next step.
EPA connector interface is not supported on ApeosPort-VII, so EPA Card Reader cannot be
used on ApeosPort-VII. If card authentication is required, USB card reader and XCP terminal
should be used.

1. Type your Pin and tap Next. 1. Type in your PIN into Enter User ID field
K.
2. Leave the Password field empty and tap Next.
Log out
To log out from the device, swipe with a card on the card reader or press the physical Log In/Out
button or tap the green software button in the top right corner of the screen.

If you do not log out, the device automatically logs you out after a period of time set for the MFD
by your system administrator (typically three minutes).
If you are inside the YSoft SafeQ application and inactive for a period of time defined within YSoft
SafeQ 6 by your system administrator, you will automatically leave the YSoft SafeQ application to
the device main menu first. After another period of time (based on the MFD settings), you will also
be automatically logged out from the device main menu.
Activating a New ID Card at a Fuji Xerox Device
Register a New Card by Entering Your Card Activation Code
If a card activation code has been assigned to you (either by email or it is displayed on the YSoft
SafeQ web interface dashboard), you can use this simple method to register your card.
2.

2. Insert the card activation code and confirm it with the Enter button.
3. When the assignment process is successful, you will be logged into the device, and the
new card will be assigned to your user account.
Copying at a Fuji Xerox Device
administrator.

2.
You may need to press the Home button to get to the Main Menu screen.
3. Select the number of copies by entering the number on the keypad and select the copy
settings by tapping the available options. Then press Start (typically a green button) on the
device panel to start copying.
Printing at a Fuji Xerox Device
1. Log into the embedded terminal. 1. Log into the embedded terminal.
2. On the Main Menu screen, tap Print. 2. On the Main Menu screen, tap YSo

You may be redirected directly to the YSoft SafeQ application. In that case, skip this step.
1. The print job menu is displayed.
Select the jobs you want to print and tap the Print button.
2. Sometimes, a print job is not compatible with a particular device. This can be due to a
variety of reasons but means that the print job cannot be printed at the device.
Incompatible jobs are marked with a red cross and cannot be selected for printing.

2.
Sometimes, changing Finishing options makes the print job compatible. Finishing options
are accessible from job information (see below). If the device still does not print and
shows the job as being incompatible, either try a different device or contact the system
administrator.
3. Once the job is printed, it appears in the Printed folder. This job can be reprinted in the
future.
This behavior may not be available. It depends on the configuration of your YSoft SafeQ
6.
4. You can also perform the following actions in the print menu:
Tap the Print all button to print all your waiting jobs.

Display the other pages of your job list.
Navigate to the Waiting/Printed/Favorite folders.
Select jobs and mark them favorite (only in Waiting/Printed/Favorite and All in one
layouts).
Select the jobs and delete them.
Display more information and a print job preview of the selected job.
Indicates finishing options was changed. Display more information and a print job
preview of the selected job.
Job Details and Finishing Options
The info button provides access to print job details, its preview, and available finishing options.
Not all print jobs and devices are compatible and allow changing the finishing options at the
terminal. Consult with your administrator or provider to see which devices are compatible.
1. Tap the Info button next to the job to view the job's details.
2. The job's details and a preview of the first page of the print job shows. Tap the OK button
to exit or Print settings to access print job finishing options (if available).

3. Edit the settings of the print job. Use the up and down arrows at the bottom of the screen
to show other available settings. Tap OK to confirm or Cancel to discard changes.
Not all options may be available. Always make sure to choose compatible combinations (i.
e. don't choose left-side stapling with right-side binding). See the device's manual for
supported combinations.
4. Review the new print job settings and tap OK to return to the job list. Select the print job
and print it.

The selected finishing options are applicable for printing the job right away. If you log
out and access the print job, its original settings will return.
Pressing OK button in finishing options always save finishing option settings even when
there is no change from the original document. Then modified job detail button is shown.
Some of the print settings may be overridden by rules set by your administrator.
Scanning at a Fuji Xerox Device
Quick Scan Workflows
Scan workflows can be defined in a simple way for the user to tap and start the scan workflow
immediately. These are the quick scan workflows
1. Log into the embedded terminal. If you are not redirected automatically, tap the YSoft SafeQ
application in the device's main menu.

Available scan workflows vary based on your permissions and YSoft SafeQ's configuration.
To learn more, please contact your system administrator. Quick scan workflows enable you
to start a specific workflow without any additional input. These are marked with a quick
scan label under the name. To start scanning, tap one of the quick scan workflows.
Scanning starts immediately with the selected workflow.
Tap to change the predefined scan options.
3.

3. When scanning in Duplex mode (a two-sided scan) from the feeder, a native prompt window
will appear on some of older models of the Fuji Xerox device (with Apeos JF
SCLIPTLanguage Version 3.1.1 or earlier). Tap on the Last Original button on the native Fuji
Xerox screen to finish the scanning.
Scan Workflows with User Input
User input may be required with some scan workflows. This guide will show you how to use
them.
1. Workflows not marked as quick scan require additional information from users. Tap one of
the listed scan workflows, and you will proceed to the Workflow detail screen.
2. The Workflow detail screen is displayed. If a workflow is not marked with a quick scan
label, it is a regular workflow with user inputs. Selecting such a workflow on the Scan
workflows screen always opens the Workflow detail screen.

Tap an input field or its icon to set the value of a workflow user input. A required user
input is marked with a red asterisk ( * ).
Tap this icon to open the List selection screen.
For selecting a target folder, tap the folder browsing icon.
After placing a paper document on the glass or feeder, start scanning using
the Scan button. If any required user inputs are not filled, the Scan button is disabled. If
user inputs are invalid, a Validation screen is displayed and scanning does not start. When
scanning starts, the Scan in progress screen is displayed.
Tap to change the predefined scan options for a workflow.
Tap to display a workflow description.
a.
a. On the List selection screen , select one of the options by tapping it.
Tap to leave the screen without changes. A workflow detail screen will be
displayed with the original choice set in the list input field.
b. On the Folder browsing screen, you can browse a folder's structure. The folders are
contains the same label as related to the workflow user input field. After accessing a
contents.

Tap to select the current folder as the target folder.
Tap to leave the folder browsing screen without making a selection.
Additional Scan Options
tapping the quick scan More button.
1. The Scan options screen is displayed after pressing the More button on the quick scan
workflow or pressing the Scan options tab regular workflow detail.
The Scan options screen is displayed only if any of the options are set to modifiable.
2. The Scan options screen contains at least one of the following options.

Set the desired scan quality.
Select among the available colors options for the scan result.
Use the selection buttons to scroll among the available options.
After placing a paper document on the glass or feeder, start a scan using the
Scan button. If any required user inputs are not filled, the Scan button is disabled. A scan
will not start if user inputs are invalid. While scanning, the scan's progress is displayed.
Scan Description
1. The Scan description screen describes the workflow and how to use it.

After placing a paper document on the glass or feeder, start the scan using
the Scan button. If any required user inputs are not filled, the Scan button is disabled. If
user inputs are invalid, a validation screen is displayed and the scan does not start. While
scanning, the scan's progress is displayed.
Using a Credit Balance to Print and Copy and Scan at a Fuji Xerox Device
1. Log into the embedded terminal and navigate to the YSoft SafeQ Print or Scan application.
2. In the Print and Scan application, the current credit balance is written at the bottom of the
screen next to your username.
The available balance consists of your personal balance and a virtual balance minus the
minimum balance set for your money account. If you are in debt, zero is displayed.

At every login, YSoft SafeQ 6 makes the reservation of an amount based on the rules
described in the administrator's manual.
Printing with a Credit Balance
1. Select the jobs you want to print and start printing.
Only the print jobs you have enough credit balance for will be printed.
2. The credit balance decreases.
The credit balance is refreshed a few seconds after performing a print job. You need to
refresh the screen (e.g., by switching to another folder) to see the updated balance.
a.
a. Users are allowed to continue printing even after their credit balance is insufficient
when the job parser is disabled or only a job analyzer is used. This is a limitation of
the device.
When the current balance is not sufficient for the print job, a debt is registered
for the user (if debt registration is enabled in YSoft Payment System).
b. When you try to print jobs you don't have enough credit balance for, the job is not
printed and stays in the waiting folder. You are informed about insufficient credit. In
this case, you have to deposit money to continue printing.
A negative account balance can be enabled. Contact your YSoft SafeQ

administrator for more details.
This message is displayed only when a job parser with image rendering is enabled
in YSoft SafeQ's configuration.
Copying with a Credit Balance
1. a. Enter the copy menu and start copying. After performing the copy job, your credit
balance decreases.

2. When you try to copy a job you don't have enough credit balance for, the copy job is
refused.
If you have an available credit balance for only a few copies, these copies will be
performed and charged, and the rest will be refused.
A negative account balance can be enabled. Contact your YSoft SafeQ administrator for
more details.
This functionality is not supported by some types of devices.

Scanning with a Credit Balance
1. Select the scan workflow you want to use and start scanning. After performing the scan
job, your credit balance decreases.
The credit balance is refreshed a few seconds after performing a scan job. You need to
refresh the screen (e.g., by switching to the Print application) to see the updated
balance.
2. When you try to scan a job you don't have enough credit balance for, the scan job is
refused.
more details.
Using Billing Codes at a Fuji Xerox Device
With YSoft SafeQ Embedded Terminal, you can select billing (project) codes in the application
menu for copying and scanning (and possibly also printing).
Whether or not the selected billing code applies to your print jobs also depends on the
configuration done by your administrator.
Select a Billing Code from the List
1. In the YSoft SafeQ application, select Billing codes from the menu.

1.
2. The screen with billing codes is displayed.
Here you can:
Tap + button to see a list of children billing codes (lower level).
Tap the Back button to see a list of parent billing codes (higher level).
Tap the Arrow buttons to list the pages of billing codes in the current level.
Tap the text field to enter a search phrase.
Tap the Magnifier button to start searching.
3. When you find your billing code in the list, tap the billing code's name to select it.

3.
Tap the tick button to confirm the selection.
4. You are now redirected to the screen you were previously on. The newly selected billing
code can be seen at the bottom of the screen.
Default Billing Code
1. Based on the configuration, the default billing code is sometimes selected automatically
immediately after login (in this case: 0: Default Project). Until you change it, all copies and
scans (and prints) will be accounted to your default billing code.

Your default billing code can be changed in the YSoft SafeQ web administration
interface.
Searching for Billing Codes
2. A screen with billing codes is displayed. If you want to search the billing codes, tap text
field to enter the search phrase.

3. Type the name or number or text of the billing code you want to search for and tap Enter.
ApeosPOrt-VI and older ApeosPort-VI
4. A result matching your search phase is displayed.

Tap the Arrow buttons to list the pages.
Tap the text field if you want to change your search phrase.
Tap the Cancel button to stop searching and return to the Billing codes list.
5. Select one of the billing codes and confirm by tapping the tick button.
Continue with Scanning or Copying
1. Once a billing code is selected, you can continue to Scan menu to start scanning.
2. Continue to the Copy menu to start copying. Go back to the device menu using the home
screen, and enter the Copy application as shown below.

4.3.2.4 Using YSoft SafeQ Embedded Terminal for Fuji Xerox - 2nd Gen.
Accessing and Logging in at a Fuji Xerox Device - 2nd Gen.
Browser login screens are only available on devices with installed YSoft SafeQ Embedded
Terminal for Fuji Xerox XCP.
Loggin in on device with installed YSoft SafeQ Embedded Terminal for Fuji Xerox XCP
1. Place your card onto the card reader attached to the device OR tap the text fields to enter
your Username and Password and tap Login.

You can also check the Print all check box to print all compatible waiting jobs after login.
Log in Using Pin or Card Method
1. Place your card on the card reader attached to the device OR type in your PIN using the
external keyboard and tap Login.
Language selection
To change language for login and the user session you can use the language selection
button at top right corner.
Other login methods
For other authentication methods, just follow the instructions written on the screen.
With the authentication method PIN and Card, Username and password and Card, be sure to
enter your credentials first and swipe your card afterward.
Log out
1. To log out from the device, swipe a card on the card reader, or
press the physical Log In/Out button, or tap the green area and choose Logout. tap the left top area with logge

If you are inside the YSoft SafeQ application and inactive for the period of time defined
by your system administrator, you will automatically exit from the YSoft SafeQ
application to the device's main menu. After another period of time (based on the MFP's
settings), you will also be automatically logged out from the device's main menu.
If you are inside the YSoft SafeQ application you can also use the exit button at the
top right corner.
If you are inside the YSoft SafeQ application you can get into native menu by using
the home button at the top left corner.
2. You are logged out.
Logging in on device with installed YSoft SafeQ Embedded Terminal for Fuji Xerox
Log in using a Username and Password or Card method
1. Place your card on the card reader attached to the device OR press the 1. Press the Log In button, press press th
Log In/Out physical button and continue with the next step. use and continue with the next step.

1. Type in your Username and tap Next. 1. Type in your Username, Password and t
2. Type your Password and tap Enter.

Log in using a Pin or Card method
Place your card on the card reader attached to the device OR press the Log In/Out physical
button and continue with the next step.
EPA connector interface is not supported on ApeosPort-VII, so EPA Card Reader cannot be
used on ApeosPort-VII. If card authentication is required, USB card reader and XCP terminal
should be used.

1. Type your Pin and tap Next. 1. Type in your PIN into Enter User ID field
K.
2. Leave the Password field empty and tap Next.
Log out
To log out from the device, swipe with a card on the card reader or press the physical Log In/Out
button or tap the green software button in the top right corner of the screen.

If you do not log out, the device automatically logs you out after a period of time set for the
MFD by your system administrator (typically three minutes).
If you are inside the YSoft SafeQ application and inactive for a period of time defined within
YSoft SafeQ 6 by your system administrator, you will automatically leave the YSoft SafeQ
application to the device main menu first. After another period of time (based on the MFD
settings), you will also be automatically logged out from the device main menu.
Activating a New ID Card at a Fuji Xerox Device - 2nd Gen.
Browser login screens are only available on devices with installed YSoft SafeQ Embedded
Terminal for Fuji Xerox XCP.
Activating new ID card on device with installed YSoft SafeQ Embedded Terminal for Fuji Xerox
XCP

2. If promted, select Username and Password method.

3. Enter the Username and Password, and confirm it with the Activate button.
Activating new ID card on device with installed YSoft SafeQ Embedded Terminal for Fuji Xerox
(ApeosPort-VI and older)
Following steps are related to ApeosPort-VI and older with AuthenticationAgent and EPA reader.
If a card activation code has been assigned to you (either by email or it is displayed on the YSoft
1.

2. Insert the card activation code and confirm it with the Enter button.

Copying at a Fuji Xerox Device - 2nd Gen.
administrator.
2. Optional: If you get into YSoft SafeQ application tap the home button to get into
native menu.
ApeosPort-VI and older ApeosPort-VII and newer
a. Select the number of copies by entering the number on the keypad and select the
copy settings by tapping available options. Then press Start (typically a green
button) on the device panel to start copying.

ApeosPort-VI and older ApeosPort-VII and newe
Printing at a Fuji Xerox Device - 2nd Gen.
2. If you are not redirected automatically, tap the Print application in the device's Main Menu.

Note that when no job is selected, you can browse the folders Waiting, Printed, or Favorite via
buttons under the header.

When an embedded terminal is configured to allow the switching between folders and a
job is selected, switching between folders is not possible as the place is covered by the
button action bar.
4. If you have selected at least one job, then buttons for the selected job's manipulation are
displayed in an action bar under the header, and the print button is enabled in the footer.
Empty Job List
job list.
Action Bar
Header Buttons
The home button navigates you to the dashboard.
The exit button logs you out

User Info

There are two text lines on the left side of the exit button. The upper line is the username, and
the lower line is the billing code.
Job Detail Screen

When the finishing options feature is enabled, the user will see basic and advance finishing
You can use the following actions on the finishing options screen.


You can change the color mode by tapping the BW

(Black and White) or Color button. The black button indicates the current value.

copies by tapping the '-' or '+' button. The current value is visible on the left side of the edit box.

simplex or duplex mode by tapping the One-sided or Two-sided button. The black button indicates
the current value.
Incompatible Job

Apply fixes button.
header.
modal dialog.

Scanning at a Fuji Xerox Device - 2nd Gen.
Workflow scanning
1. Tap Scan and log in to the embedded terminal.
2. Optional: If you logged in not by tapping Scan, tap the Scan application in the device's main
menu after you are logged in.

ApeosPort-VI and older ApeosPort-VII and newer
3. Select a scan workflow you want to execute. Some of the workflows are marked as Quick
and are executed directly from the workflows screen by tapping on the workflow. The other
workflows need additional parameters to be entered and tapping on the workflow redirects
you to a workflow detail screen.
4. In workflow detail screen, you can enter additional workflow parameters.

5. Tapping Scan settings tab opens a screen where you can select properties of the scan job.
The workflow configuration might not allow to configure scan or workflow settings. In
that case, the tab is not shown.
6. Some of the parameters allow you to browse folders or lists of available options. Tapping
such parameter opens a new dialog for value selection.

Device's merging originals feature is always enabled and will allow you to join more
documents into a single workflow.
8. When scanning is finished, you get information about the result. If there were no problems,
you get information about scan success.

If scan did not finish successfully, you get information about scan stopped.
Using billing codes at a Fuji Xerox Device - 2nd Gen.
Whether or not will the selected billing code apply also to your print jobs depends on the
1. In the Main menu select Billing codes application.


Whether you have assigned your default billing code
or not

.
You can browse or search for another billing code by tapping Browse.
application.
Browsing
2.
in the tree structure by pressing on the right side of a billing code. It is available
only for billing codes with at least one child billing code. You can go up to the previous level
in the tree structure by pressing .
You can display the root billing codes by pressing .
Searching


login (in this case: 0: Default Project). Until you change it, all copies, scans and prints will be
accounted to your default billing code.

Continue with print, scan or copy
When you have selected the billing code you can continue with printing, scanning or copying.
Using Credit Balance to Print and Copy and Scan at a Fuji Xerox Device - 2nd Gen.
The available balance consists of your personal balance and virtual balance minus the
minimum balance set for your money account. If you are in a debt, zero is displayed.
On every login, YSoft SafeQ makes a reservation of an amount based on the rules

when the job parser is disabled or a job analyzer is used. This is a limitation of the
device.
b.
b. If the print job parser is enabled to render jobs, when you try to print jobs that you
don't have enough credit balance for, the job is not printed and stays in the waiting
folder. You are informed about insufficient credit. In this case, you have to deposit
money to continue with printing.
The negative account balance can be enabled. Contact your YSoft SafeQ
1. Enter the copy menu and start copying. After performing the copy job, your credit balance
decreases.
2.
2. When you try to copy a job that you don't have enough credit balance for, the copy job is
refused.
If you have available credit balance for only few copies, these copies will be performed
and charged and the rest will be refused.
more details.
1. Select the scan workflow that you want to use and start scanning. After performing the
scan job, your credit balance decreases.

The credit balance is refreshed a few seconds after performing a scan job.
refused.
Reservation strategy on Fuji Xerox XCP
This strategy only works on Fuji Xerox with XCP.
If system property ' fujiXeroxEnableDefaultQuotaTogglingStrategy ' is set to Enabled, user will

need to chose which action they want to perform after login. This will allow the credit to be
allocated for desired action. If the property would be Disabled, users credit would be distributed
between all possible actions and no choosing screen would be displayed.

4.3.2.5 Using YSoft SafeQ Embedded Terminal for Fuji Xerox XCP - 1st Gen.
Accessing and Logging in at a Fuji Xerox XCP Device
1. Place your card onto the card reader attached to the device OR tap the text fields to enter
Log in Using Pin or Card Method

Other login methods
For other authentication methods, just follow the instructions written on the screen.
With the authentication method PIN and Card, Username and password and Card, be sure to
enter your credentials first and swipe your card afterward.
Log out
1. To log out from the device, swipe a card on the card reader, press the physical button Log
In/Out button, or tap the green area and choose Logout, as shown on the screenshot
below.
If you are inside the YSoft SafeQ application and inactive for the period of time defined
by your system administrator, you will automatically exit from the YSoft SafeQ
application to the device's main menu. After another period of time (based on the MFP's
settings), you will also be automatically logged out from the device's main menu.

Activating a New ID Card at a Fuji Xerox XCP Device
If a Card Activation Code has been assigned to you (it is received by email or it displayed on the
YSoft SafeQ Web Interface Dashboard), you can use this simple method to register your card.
2. If prompted, select the Card activation code method.
This screen may be skipped based on YSoft SafeQ's configuration.
3. Enter the Card Activation Code and confirm it with the Activate button.
4. If the assignment process is successful, you will be logged into the device and the new
card will be assigned to your user account.
Registering a New Card by Entering Your Username and Password

2. If prompted, select the Username and password method.
This screen may be skipped based on YSoft SafeQ's configuration.
3. Enter the Username and Password and confirm it with the Activate button.
Copying at a Fuji Xerox XCP Device
administrator.
Copying at a Fuji Xerox XCP Device

2. Optional: If you are prompted, select Copy at the Quota selection screen.
You will not be able to perform any other operation until you log out and log in again.
a. On the Main Menu screen, tap Copy.
settings by tapping available options. Then press Start (typically a green button) on the

Printing at a Fuji Xerox XCP Device
2. Optional: If you are prompted, select Print on the Quota selection screen.
You will not be able to perform any other operations until you log out and log in again.
If you are not redirected automatically, tap the YSoft SafeQ application in the device's Main Menu.

1. Now the Print job menu is displayed.

Sometimes, changing the Finishing options makes a print job compatible. Finishing
options are accessible from the job information (see below). If the device still does not
print and shows a job as incompatible, either try a different device or contact the
system administrator.
future.
This behavior may not be available. It depends on the configuration of your YSoft SafeQ.
Tap the Print all button to print all waiting jobs.

Display other pages of your job list.
Navigate to Waiting/Printed/Favorite folders.
layouts).
Select jobs and delete them.
Not all print jobs and devices are compatible and allow changing finishing options at the
2. Job details and a preview of the first page of the print job displays. Tap the OK button to
exit or Print settings to access the print job's finishing options (if available).

to show other available settings.
Not all options may be available. Always make sure to choose compatible combinations (i.
e. don't choose left-side stapling with right-side binding). See the device manual for
Tap OK to confirm or Cancel to discard the changes.
and print it.

out and access the print job, its original settings will return.
Scanning at a Fuji Xerox XCP Device
immediately. These are the quick scan workflows.
1. Log into the embedded terminal. If you are prompted, select Scan at the Quota selection screen.

Optional: If not redirected automatically, tap the YSoft SafeQ application in the device's main
menu.
You will not be able to perform any other operations until you log out and log in again.
Available scan workflows vary based on your permissions and YSoft SafeQ's configuration. To
learn more, please contact your system administrator. Quick scan workflows enable you to start a
specific workflow without any additional input. These are marked with a quick scan label under
the name.

To start scanning, tap one of the quick scan workflows. Scanning starts immediately with the
selected workflow.
1. When scanning in Duplex mode (a two-sided scan) from the feeder, the native prompt
window will appear on some of older models of the Fuji Xerox device (with Apeos JF
SCLIPTLanguage Version 3.1.1 or earlier). Tap the Last Original button on the native Fuji
Xerox screen to finish scanning.
with them.
1. Workflows that are not marked quick scan require additional information from users. Tap
one of the listed scan workflows, and you will proceed to the Workflow detail screen.

label, it is a regular workflow with user inputs. Selecting such a workflow on the Scan
Tap an input field or its icon to set the value of a workflow user input. A required user
input is marked with a red asterisk ( * ).
Tap this icon to open the List selection screen.
To select the target folder, tap the folder browsing icon.
the Scan button. If any required user input is not filled in, the Scan button is disabled. If
user inputs are invalid, a Validation screen is displayed, and scanning does not start. When
scanning starts, a Scan in progress screen is displayed.
Go to the next/previous page to view and edit user input fields not
displayed on the current page.
Tap to change the predefined scan options for the workflow.
Tap to display a workflow description.
a. On the List selection screen, select one of the options by tapping it.

a.
Tap to leave the screen without changes. A workflow detail screen will be
displayed with the original choice set in the list input field.
b. On the Folder browsing screen, you can browse the folder structure. The folders are
contents.

Tap this icon to return to the root folder.
To return to the parent folder, tap the Up button.
Go to the next/previous page to view the other subfolders of the

current folder.
Tap this button to select the current folder as the target folder.
Tap to leave the Folder browsing screen without changes.
1. The Scan options screen is displayed after pressing the More button on the quick scan
The Scan options screen is displayed only if any of the options are set as modifiable.
2. The Scan options screen contains at least one of following options.

Choose for among the available color options for the scan result.
Use the selection buttons to scroll among available options.
After placing a paper document on the glass or feeder, start the scan using
the Scan button. If any required user input is not filled in, Scan button is disabled. Scanning
is not started if user inputs are invalid. While scanning, the scan's progress is displayed.

Scan Description
user inputs are invalid, a validation screen is displayed, and the scan does not start. While
scanning, the scan's progress is displayed.
Using a Credit Balance to Print and Copy and Scan at a Fuji Xerox XCP Device
2. In the Print and Scan application, the currently available balance is written at the bottom of
the screen next to your username.

On every login, YSoft SafeQ makes a reservation of an amount based on the rules

when the job parser is disabled or only a job analyzer is used. This is a limitation of
the device.
b. If the print job parser is enabled to render jobs, when you try to print jobs that you
don't have enough credit balance for, the job is not printed and stays in the waiting
folder. You are informed about insufficient credit. In this case, you have to deposit
money to continue with printing.

The negative account balance can be enabled. Contact your YSoft SafeQ
in YSoft SafeQ's configuration.
decreases.
2. When you try to copy a job that you don't have enough credit balance for, the copy job is
refused.

If you have available credit balance for only a few copies, these copies will be performed
more details.
1. Select the scan workflow that you want to use and start scanning. After performing the
scan job, your credit balance decreases.
The credit balance is refreshed a few seconds after performing a print job.
refused.
Using Billing Codes at a Fuji Xerox XCP Device
Whether or not the selected billing code also applies to your print jobs depends on the

Select the Billing Code from a List
2. A screen with billing codes is displayed.
Here you can:
Tap the + button to see a list of children billing codes (lower level).

3. If you find your billing code in the list, just tap the billing code name to select it.

interface.
Searching the Billing Codes
2. A screen with billing codes is displayed. If you want to search the billing codes, tap the text

3. Type the name, number, or text of the billing code you want to search for and tap Enter.
4. A result which matches your searching phase shows.

Now you can:
1. Once a billing code is selected, you can continue to the Scan menu to start scanning.
a. Continue to the Copy menu to start copying. In this case, navigate using the home
button to enter the Copy menu.

ApeosPOrt-VI and older ApeosPort-VII
4.3.2.6 Using YSoft SafeQ Embedded Terminal for HP
Access and log in at an HP Device
Log in using Username and Password or Card method
1. Tap Sign in.

2. Place your card on the card reader attached to the device OR tap the text field to enter
You can also enable Print all switch to print all compatible waiting jobs after log in.

Log in using Pin or Card method
1. Tap Sign in.
You can also enable Print all switch to print all compatible waiting jobs after log in.
3.

Other login methods
For other authentication methods just follow the instructions written on the screen.
With authentication method PIN and Card or Username and Password and Card, be sure to
first enter your credentials and swipe your card afterwards.
Log out
1. To log out from the device using your card on the card reader, or press the Sign Out button
on home screen. Or tap the log out button in YSoft SafeQ application.
If you do not log out, the device automatically logs you out after a period of time set for
the MFD by your system administrator (typically 3 minutes).
If you are inside the YSoft SafeQ application and inactive for period of time defined by
your system administrator, you will automatically be exited from the SafeQ application
to the device main menu. After another period of time ( based on the MFD's settings)
you will also be automatically logged out from the device main menu.

Activate new ID card at an HP Device

2. If promted, select Username and Password method.
3. Enter the Username and Password, and confirm it with the Activate button.

Copying at an HP Device
administrator.
Copying at an HP device
3. Select number of copies by pressing number on keypad and select copy settings by
tapping available options. Then press Copy (typically a green button) on the device panel to
start copying.

Also user can copy tapping on in the right bottom corner of Main menu.
If user don't have permissions to copy, then he is not able to open Copy application. In this
case user see this application icon:

Printing at an HP Device
2. If not redirected automatically, tap the SafeQ Print in the device main menu.
Name of SafeQ Print application can be different if it is changed by administrator.
When user don't have print permissions assigned then he see locked SafeQ Print
application:

Note that when no job is selected, you can browse the folders Waiting, Printed, or Favorite
via buttons under the header. These buttons are not available when a job is selected.
button action bar.
Empty Job List

job list.
Action Bar
Header Buttons
The exit button logs you out

User Info
There are two text lines on the left side of the exit button. The upper line is the username, and
the lower line is the billing code.

Job Detail Screen

You can use the following actions on the finishing options screen.



copies by tapping the '-' or '+' button. The current value is visible on the left side of the edit box.

the current value.
Incompatible Job


Apply fixes button.
header.
modal dialog.

Scanning at an HP Device
Workflow scanning
2. On the Main Menu screen, tap SafeQ Scan


7.
Device's merging originals feature is always enabled and will allow you to join more
documents into a single workflow.
Using billing codes at an HP Device

1. In the Main menu select SafeQBilling codes application.
When user don't have any billing code assigned then application SafeQ Billing codes is locked:

or not

.
application.
Browsing
2.
Searching


6.

Continue with scan or copy
Once billing code is selected you can continue to
1. Scan application
a. Press home button or or hardware home button on MFD.
b. Continue with Scanning at an HP Device
2. Copy menu to start copying
a. Press home button or or hardware home button on MFD.
b. Tap on Copy application
Using Credit Balance to Print and Copy and Scan at an HP Device
If the user has the entitlement set to "Prepaid account", the information about her/his credit
balance is shown at the upper-right corner of the SafeQ Print Application screen.
user has some credit available

user has no credit available
The available balance consists of your personal balance and virtual balance minus the minimum
balance set for your money account. If you are in a debt, zero is displayed.

Displaying the Current Page Quota Balance
2. In the Print application, the currently available balance is written at the top of the screen
under your username.
If the user has the entitlement set to "Page quota", the information about her/his quota balance is
shown at the upper-right corner of the SafeQ Print Application screen.
quota for black&white prints only (2 available)

quota for color prints only (1 available)
quota for all print types (1 available)
quota set but no available pages
only not-related quota are assigned (e.g. user has print quotas and is in Copy application)
If the credit balance is not sufficient for the selected print job, the job will not be released for a
Cost of print job is estimated before the print.


Printing with a Quota Balance
If the quota balance is not sufficient for the selected print job, the job will not be released for a


Copying and printing using native HP print application
For Copy application and native HP print application (print from USB, print from storage, ...) the
credit of user is incrementally assigned to printer.
When printer asks for more credit/quota, following dialog is displayed:
In case the user does not have sufficient credit to start the copy or native print operation,
following dialog is displayed:

Similar dialogs may be displayed in case of other print failures, e.g. user is not authenticated, user
does not have additional credit to continue the print, etc.
Scanning using native HP print application
If there is scan price configured in the system, the printer will display the Contacting Quota
Server dialog, but the scan operations are not yet limited by any mean. User is charged, but he
can reach the negative balance.
4.3.2.7 Using YSoft SafeQ Embedded Terminal for Konica Minolta - 1st Gen.
There are two different modes in which the the terminal can operate:
Using browser-based YSoft SafeQ Embedded Terminal for Konica Minolta
Using YSoft SafeQ Embedded Terminal for Konica Minolta Native
Both manuals also work with selected Develop, Olivetti and Aurora devices.
Accessing and Logging in at a Konica Minolta Device - 1st Gen.
Logging In with a PIN or a Card
1. Place your card on the card reader attached to the device and go to the next chapter OR
tap PIN and continue to the next step.
You can log in even in a case that someone else is logged in. The other user will be
logged out after your authentication.

2. Type your PIN and tap OK.
You can also use the numeric keyboard on the device.
3. Tap Login.

You can choose to print all waiting jobs right after logging in.
Logging In with a Login Name/Password or a Card
tap the Login keyboard button and continue to the next step.
2. Type your login name and tap OK.
3. Tap the Password keyboard button.

4. Type your password and tap OK.
5. Tap Login.
You can choose to print all waiting jobs right after logging in.

Logging Out
1. To log out, press the Access button (highlighted in the image) on the device panel.
If you do not log out, the device automatically logs you out after a period set by your
system administrator (typically three minutes)
Activating a New ID Card at a Konica Minolta Device - 1st Gen.
The first time you use a card, use one of the methods described below to register it.
The available methods depend on the system configuration, and some may not be available.
Registering a New Card by the Entering Your Username and Password Method
1. Use the new card on the card reader attached to the device.
2. When the card assignment screen displays, tap the Login keyboard button to assign the
card by entering your username and password.

3. Type in your username and tap OK.
5. Type in your password and tap OK.

5.
6. Tap OK. You will be logged in, and the new card will be assigned to your user account.
Registering a New Card by the Entering Your Card Activation Code Method
1. Use the new card on the card reader attached to the device.
2. When the card assignment screen displays, tap the Card Activation keyboard button to
assign the card by entering the card activation code.

3. Type in your card activation code and tap OK.
4. Now tap OK. You will be logged in, and the new card will be assigned to your user account.

Copying at a Konica Minolta Device - 1st Gen.
administrator.
Copying at a Konica Minolta Device
2. On the main menu screen, tap Copy.
Your main menu screen may not look exactly like the one shown here.
You may need to press the Home button to get to the Main Menu screen.
3. Select the number of copies by entering the number on the keypad, and select the copy
settings by tapping the available options. Then press the Start button on the device panel
to start copying.

Printing at a Konica Minolta Device - 1st Gen.
2. On the main menu screen, tap SafeQ Print.
3. The print job menu displays.

Sometimes, changing the Finishing options makes the print job compatible. Finishing
options are accessible from the job's information (see below). If the device still does not
print and shows the job as being incompatible, either try a different device or contact a
future.

layouts).
Not all print jobs and devices are compatible and allow the changing of finishing options at the

2. Job details and a preview of the first page of print job display. Tap the OK button to exit or
Print settings to access print job finishing options (if available).

Not all options may be available. Always make sure to choose compatible combinations
(e.g., don't choose left-side stapling with right-side binding). See the device manual for
Tap OK to confirm or Cancel to discard the changes.
and print it.
out and access the print job, its original settings return.
Scanning at a Konica Minolta Device - 1st Gen.
2. Enter the SafeQ Scan application.

2.
3. Available scan workflows vary based on your permissions and YSoft SafeQ's configuration.

them.
1. Workflows not marked with a quick scan label require additional input from users. Tap one
of the listed scan workflows and you will proceed to the Workflow detail screen.
2. The Workflow detail screen displays. If a workflow is not marked with a quick scan label, it
is a regular workflow with user input. Selecting such a workflow on the Scan workflows
screen always opens the Workflow detail screen.
Tap an input field or its icon to set the value of a workflow user input. Required user
inputs are marked with a red asterisk ( * ).
Tap to select the target folder.

scanning using the Scan button. If any required user input is not completed, the Scan
button is disabled. If user inputs are invalid, a Validation screen is displayed and scanning
does not start. When scanning starts, the Scan in progress screen displays.
Go to the next/previous page to view and edit user input fields not
displayed on the current page.
Tap to display the workflow's description.
Tap to leave the screen without a selection change. The Workflow detail
screen displays with the original choice set in the list input field.
b.
folder, the label contains the current folder path.
Tap a folder item to browse its contents.
Go to the next/previous page to view the other subfolders of the

current folder.
Tap to select the current folder as the target folder. (The currently
selected folder is the one noted on the label of the tab.)

Tap to leave the Folder browsing screen without a selection change.
1. The Scan options screen is displayed after pressing the More button in the quick scan
The Scan options screen is displayed only if any of the options are modifiable (set by
an administrator).
2. The Scan options screen contains at least one of following options:
Select from the available color options.
Use the selection buttons to scroll between available options.

does not start. When scanning starts, the Scan in progress screen displays.
Scan Description

does not start. When scanning starts, the Scan in progress screen is displayed.
Using a Credit Balance to Print and Copy and Scan at a Konica Minolta Device - 1st Gen.
1. Log into the embedded terminal and navigate to the YSoft SafeQ print or scan application
or the native copy application.
2. The current credit balance is written at the bottom of the screen, next to the Username in
the Print and Scan application. In the native copy application, it is displayed in the upper left-
hand part of the screen.


Only pages you have enough credit balance for will be printed. It might happen that only
half of your print job are printed if you don't have enough credit.
2. The credit balance will decrease.
The credit balance automatically refreshes after performing a print job.
a. When you try to print jobs and don't have enough credit balance, only some pages
will be printed (those you have a credit balance for). Depending on the system
configuration, you will see one of the following screens:

If a print job costs exactly the same as your current available credit balance, then
the print job is finished, and the following screen appears.
In this case, you have two options:
a) Deposit credit balance and continue by pressing the Start button.
b) Finish your session and log out by pressing the access button .
b. When you do not have enough credit and attempt to use the Print All function from
the authentication screen, you will see the following warning message. Tap OK or
Cancel to confirm.

1. Enter the copy menu and start copying.
The current credit balance automatically refreshes.
2. When you try to copy a job which you don't have enough credit balance for, the copy job is
refused. When you only have enough credit balance for a few copies, then only those
copies are performed, and the rest of the copy job is refused. In this case, you have two
options:
a) Deposit credit balance and continue copying with the Continue button.
b) Finish copying by pressing the Job Finished button.

more details.
The current credit balance does not automatically refresh.
2. When you try to do a scan you don't have enough credit balance for, the scan job is
refused. In this case, you have two options:
a) Deposit credit balance and continue copying with the Continue button.
b) Finish copying by pressing the Job Finished button.

more details.
The Insufficient Funds Notification
At the end of printing, copying, or scanning, the terminal can notify you about insufficient funds.
1. If the print, copy, or scan job costs the exact amount as your available credit balance, the
job is successfully finished, and the following screen appears. You can continue by pressing
the Start button or the access button . Consider recharging your account.
Using Billing Codes at a Konica Minolta Device - 1st Gen.
Selecting a Billing Code from a List
With YSoft SafeQ Embedded Terminal, you can choose billing (project) codes in the application
right after login.
1.
1. After authentication, when prompted, tap the List icon .
2. A screen with billing codes is displayed:
a. To select a billing code, tap the billing code of your choice and tap OK. At the next
screen, tap OK once more.
b. Nested billing codes can be displayed by selecting a billing code with at the
front. Tap OK and when returned to the original screen, tap the List icon again .
This way you can see all the children billing codes of the previously selected billing
code.

You can move between pages with billing codes by tapping the arrow buttons.
Using a Default Billing Code
1. When the billing code screen appears and you want to use the default billing code, which is
displayed at the top of the screen, just tap OK and continue to the device application main
menu.

You can also use the Access button to continue to the device application menu.
interface.
1. If you want to search for a billing code, tap the keyboard button on the left of the Search
button.
2. Type the name, number, or text of the desired billing code and tap OK.

3. If your enter a specific billing code, you do not need to perform a search and you can
immediately tap OK to use the particular billing code. Otherwise, tap Search.
4. A result matching your search phrase is displayed. Select one of the billing codes from the
search result, tap OK and continue to next step OR tap Cancel, if you want to change your
search phrase and repeat steps 1 to 4.

The path of the parent billing code is shown in brackets.
5. Now your billing code is selected. Tap OK to continue to the device application main menu.
4.3.2.8 Using YSoft SafeQ Embedded Terminal for Konica Minolta - 2nd Gen.
YSoft SafeQ Terminal Application - 2nd Gen. for Konica Minolta
OpenAPI version 3.6 or higher and an iOption license are required.

Installation
Install the embedded terminal as usual.
In the section Terminal, there is a combo box for choosing the Terminal mode.
Select YSoft SafeQ Terminal Application - 2nd Gen.
Existing limitations
The following limitations can be observed when using YSoft SafeQ Terminal Application - 2nd Gen.:
General:
YSoft SafeQ Terminal Application - 2nd Gen. is not yet supported by SafeQube 2.
Authentication:
If the firmware of Konica Minolta does not support selected language, the language is English
on panel. YSoft SafeQ applications are localized in selected language.
Authentication modes to device/to each application are not supported.
Print application:
The job price is not refreshed when Finishing Options are changed.
Authentication application configuration
Configure help on authentication screen
The administrator can specify help message that will be displayed on the authentication screen
(configuration option authenticationScreenHelpContent).
This text can be enabled/disabled by configuration option enableAuthenticationScreenHelp.
Print all configuration
During terminal installation administrator can configure availability of print all button on
authentication screen.

Languages selection on authentication screen
The user can select a language on authentication screen. The selected language will be applied
on the panel and YSoft SafeQ applications. List of languages is specified by configuration option
supported-lang-priority.
If list of prioritized language codes (configuration option supported-lang-priority) contains more
than one language code, the icon will be displayed on authentication screen.
Accessing and Logging in at a Konica Minolta Device - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Konica Minolta - 2nd Gen. for
authentication. It is an alternative to YSoft SafeQ Embedded Terminal for Konica Minolta - 1st Gen.
1. Enter your PIN.
2. Tap Login.
3. Tap Login.

In case that another user is logged in, you will log him/her out by placing your card to the card
reader. If you want to log in yourself, place your card once again to the card reader.

3. Tap Login.

Logging out
1. To log out, press the Access button (highlighted in the image) on the printer panel.
2. Or to log out from the application, tap the icon Log out (highlighted in the image) on the printer
display.
3. Or put your card on the reader attached to the printer (if the terminal uses authentication by
card).
Display Help

Select Language
Activating a New ID Card at a Konica Minolta Device - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Konica Minolta - 2nd Gen. for
activating a new ID card. It is an alternative to YSoft SafeQ Embedded Terminal for Konica Minolta
- 1st Gen.


Printing at a Konica Minolta Device - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Konica Minolta - 2nd Gen. for the
print application. It is an alternative to YSoft SafeQ Embedded Terminal for Konica Minolta - 1st
Gen.
2. On the Main Menu screen, tap SafeQ Print.

2.
You may be redirected automatically to the SafeQ Print application. In that case, skip
this step.
Note that when no job is selected, you can browse the folders Waiting, Printed, and
Favorite via buttons under the header. These buttons are not available when a job is
selected.
button action bar.

Empty Job List
job list.
Action Bar
Header Buttons
The exit button does not work on a Konica Minolta. After tapping the button, the user is
instructed by the modal dialog to use the hardware button.
User Info

Job Detail Screen

You can switch between

basic and advanced finishing option settings by pressing the Basic settings or Advanced
settings button under the header.




the current value.
You can switch to advanced finishing option settings by tapping the Advanced settings button
below the header.
Advance Settings Description
On the left side of the edit box, you

can see how many pages, out of all the pages, will be printed. On the right side, you can see the
total number of pages.
You can change the page range in the modal dialog by tapping the button on the right side. The
first item From indicates the first page from which the pages will be printed. The second item To
indicates the last page that will be printed. You can change it by tapping the '-' and '+' buttons.

The Buttons in the Finishing Options Modal Dialogs
You can cancel any changes and keep the last values by clicking the Cancel
button in the modal dialog.
You can confirm the changed values by clicking the OK button in the modal dialog.
You can confirm the changed value by clicking the Select button in the modal
dialog for other advanced finishing options settings described below.
You can change stapling in the

modal dialog when tapping the button on the right. The current value is visible in the edit box on
the left.
options.
You can change punching in the

modal dialog by tapping the button on the right. The current value is visible in the edit box on the
left.
You can change folding in the

left.

You can change binding in the
left.
Incompatible Job

Apply fixes button.
header.
modal dialog.

Public User Access at a Konica Minolta Device - 2nd Gen.
General overview
Public user can be used to allows print, scan, copy and fax to non-authenticated users.
Enabling Public User Access
1. Create a regular user, who will be used as a Public User. The user will be used to:
account all print/copy/scan/fax jobs
control access rights
2. Set the publicUserOperationsUsername property in system settings to the username of the

created user.
3. Allow public user access in the device configuration page.

3.
Signing in as a public user
1. Tap on the Public user access button in the authentication screen
2.
2. You will be prompted to confirm if you want to log in as a public user. Tapping the Cancel
button will redirect you back to the authentication screen. Tapping the Login button will
sign you in as a public user.
Public user accounting
All print, scan, copy and fax jobs will be accounted under the user specified in the system
settings under publicUserOperationsUsername property.
All jobs performed by public user are displayed in Job list and included in Web reports.
Public user access definitions
Access definitions can be edited the same way as for any other regular YSoft SafeQ user. See
Configuring Access Definitions for more details.
Troubleshooting
If you get an error when you try to login as a public user into the Embedded Terminal, then
make sure that the user configured in publicUserOperationsUsername is correctly set and that
Site Server services were restarted after the publicUserOperationsUsername configuration
was changed.
If you do not see the Public user access button in the authentication screen:
make sure that the device has the Allow public user enabled and that the user in the
publicUserOperationsUsername configuration is correctly set

reset the cache of the MFD in the MFD administration web
Limitations
IP Fax is accounted as one scan job (from outgoing device) and one incoming fax (from
receiving device), because device's counters does not distinguish between regular scanning
and scanning for IP Fax.
Fax accounting is licensed by separate license and is not included in license for this feature by
default.
Not all Konica Minolta devices send counters for duplex, so in this case the duplex job is
accounted as simplex one.
Public print jobs are not spooled by the server and cannot be requeued.
Scanning at a Konica Minolta Device - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Konica Minolta - 2nd Gen. for scan
application. It is an alternative to YSoft SafeQ Embedded Terminal for Konica Minolta - Native.
Workflow scanning
Log in to the embedded terminal.
On the Main Menu screen, tap Scan
You may be redirected directly to the Scan application. In that case, skip this step.

Select a scan workflow you want to execute. Some of the workflows are marked as Quick and
are executed directly from the workflows screen by tapping on the workflow. The other
workflows need additional parameters to be entered and tapping on the workflow redirects you to
a workflow detail screen.
In workflow detail screen, you can enter additional workflow parameters.
Tapping Scan settings tab opens a screen where you can select properties of the scan job.

The workflow configuration might not allow to configure scan or workflow settings. In that
case, the tab is not shown.
Some of the parameters allow you to browse folders or lists of available options. Tapping such
parameter opens a new dialog for value selection.
Email parameters allow you to search for an email address. See this page for details:
When you are ready, tap the Scan button to initialize the scan job.

When scanning is finished, you get information about the result. If there were no problems, you
get information about scan success.
Email search parameter
It is possible to search for an email of the YSoft SafeQ user in the database using email search
parameter.

1. Tap the "plus" button to open the search screen (see the picture below).
2. Type in part of an email address into the search field and press the magnifying glass icon to
initialize the search.
3. You will either get the list of found email addresses where you can choose a single item from
the list (see the picture below), or you can get an warning message when no matching email
could be found.

4. The selected item from the list will be added to the parameter field. If there is already another
email presented it will be appended with the semicolon character (see the picture below).
5. It is also possible to manually edit the email field however bear in mind that this edit action
must comply with email validation rules.
Using Billing Codes at a Konica Minolta Device - 2nd Gen.
application. It is an alternative to YSoft SafeQ Terminal Application - 1st Gen.
Billing code application will appear as the last part of user authentication process if the user has
some available billing codes assigned. If the user has only one billing code assigned. This billing
code will be automatically selected without the billing code selection process.
Once billing code is selected it cannot be changed during user session.

You can browse or search for another billing code by pressing Browse.
You can assign selected billing code to yourself by pressing Select. Pressing it also close the
application.
Browsing
1.

2. If you want to find the billing code, you can use the navigation buttons.
You can go deeper in the tree structure by pressing on the right side of a billing
code. It is available only for billing codes with at least one child billing code.
You can go up to the previous level in the tree structure by pressing .

Searching
4. Press symbol of magnifying glass if you want to search.

Or press the cross if you want to cancel searching and return to browsing.

6. When you select a billing code, Select is enabled and by pressing it you can assign the
selected billing code to yourself.

User Preferred Language at a Konica Minolta Device - 2nd Gen.
General overview
Available also for Ollivetti, Develop and Aurora with YSoft SafeQ Terminal Application - 2nd Gen.
User Preferred Language feature allows administrator to set up preferred language used by YSoft
SafeQ Terminal Application for individual users.
The preferred language could be set up in LDAP account for individual users. When the user logs
into YSoft SafeQ Terminal Application - 2nd Gen. the application is automatically set to his/her
preffered language.
Enabling User Preferred Language feature
1. Set up LDAP Integration Wizard to replicate information about user's preferred language
into system database.
To set up LDAP/Active Directory integration, go to System > LDAP Integration in the
Management Service interface, and navigate to an Advanced settings tab.
Fill in the name of the LDAP attribute that contains user's preferred language to the field
named Attribute containing preferred language .
2. Set up the values in the users LDAP accounts - fill in language codes into the LDAP
attribute used for users' preferred language - see Configuring supported languages in
Embedded Terminal for currently supported languages and their codes.
3. Run Full LDAP Replication, and either wait until the changes are synchronized to all Site
Servers automatically or force their synchronization manually via Management Service web
interface.

Check the language code are replicated from LDAP and that they are valid
1. Open Management Service web interface, navigate to Users, open detailed information of
selected user.
2. See value of Preferred language - there should be the language code read from LDAP
followed by the name of the language in parenthesis.
3. If the value read from LDAP is not supported by YSoft SafeQ Terminal Application, there is
(Unknown) displayed as the language name.
Disable the feature
1. Set up LDAP Integration Wizard to replicate information about user's preferred language
into system database.
To set up LDAP/Active Directory integration, go to System > LDAP Integration in the
Management Service web interface, and navigate to an Advanced settings tab.
Set the field named Attribute containing preferred language to be empty.
Billing codes application
Billing codes application - Xerox

Application can be showed after user authentication depends on the configuration performed
by your administrator (using property initial-screen).

or not
application.
Browsing


Searching

4.3.2.9 Using YSoft SafeQ Embedded Terminal for Konica Minolta Native
This manual is also applicable to Develop, Olivetti and Aurora devices.

Accessing and Logging in at a Konica Minolta Device Native
tap PIN and continue to the next step.
You can log in even in a case that someone else is logged in. The other user will be
logged out after your authentication.
2. Enter your PIN and tap OK.
3. Tap Login.

3.
You can choose to print all waiting jobs right after login.
Logging In with a Login Name/Password or a Card
tap the Login keyboard button and continue to the next step.
2. Enter your login name and tap OK.

4. Enter your password and tap OK.
5. Tap Login.

5.
You can choose to print all waiting jobs right after login.
Log Out
1. To log out, press the Access button (highlighted in the image) on the device panel.
If you do not log out, the device automatically logs you out after a period of time set by
your system administrator (typically three minutes).
Activating a New ID Card at a Konica Minolta Device Native

The available methods depend on the system configuration and may not be available.
The Register a New Card by Entering Your Username and Password Method
1. Swipe the new card on the card reader attached to the device.
2. When the card assignment screen displays, tap the Login keyboard button to assign the
card by entering the username and password.
3. Enter your username and tap OK.

6. Tap OK. You will be logged in and the new card will be assigned to your user account.

The Register a New Card by Entering Your Card Activation Code Method
If a Card Activation Code has been assigned to you (it was received by email or is displayed on
YSoft SafeQ Web Interface Dashboard), you can use this simple method to register your card.
1. Swipe the new card on the card reader attached to the device.
2. When the card assignment screen is displayed, tap the Card Activation keyboard button
to assign the card by entering the Card Activation Code.
3. Enter your Card Activation Code and tap OK.
4. Now tap OK. You will be logged in and the new card will be assigned to your user account.

Copying at a Konica Minolta Device Native
If you have any questions about whether or not you can make copies, contact your system
administrator.
Copying at a Konica Minolta Device (Native)

You may need to press the Home button to get to the main menu screen.
settings by tapping the available options. Then press the Start button on the device panel
to start copying.
Displaying a Session Summary at a Konica Minolta Device Native
A history of the user's current session can be displayed at the terminal. The history contains a
list of print, copy, and scan jobs that were performed during one user's session (from the user's
login to the user's logout).

Displaying a Session Summary
1. Tap the Jobs History button in the YSoft SafeQ Print or the YSoft SafeQ Scan application.
You can enter the Job history screen anytime while working with the device.
2. A history with all the types of jobs performed in this session is displayed.

There should also be the prices for jobs (if credit is used).
Printing at a Konica Minolta Device Native
1. L o g into the embedded terminal.

From the main menu, select SafeQ Print.
Your screen may look different to the one shown here, it depends on the administrator
settings.
You may be redirected directly into the YSoft SafeQ application. In that case, skip this
step.

2. The job folders are displayed. Tap one of the folder buttons.
Your screen may include different options to those shown here, it depends on your
administrator settings.
3. Tap the job(s) you want to print.
a. To mark/unmark all jobs, tap Select All.
b. To display more jobs, tap the Arrow keys on the right side.
When ready, press the Start button located on the device's panel.
Incompatible jobs are marked with a red cross symbol and cannot be selected for printing.

Sometimes, changing the Finishing options makes the print job compatible. Finishing
print and shows job as being incompatible, either try a different device or contact a
5. A history displays with all the types of jobs performed in this session. Tap Close.
6. Once the job has printed, it appears in the Printed folder. This job can be reprinted in the
future.
Deletes the selected print job(s) from the list.
Selects all print job(s) from the list.

Access job details and advanced functions.
Returns to the previous screen.
The button provides access to print job details, its preview, and available finishing
options.
1. Tap the button next to the job to change the job print settings or view the
detailed job information.
2.
2. If the finishing options are not enabled the detailed job information screen (with or without
the job preview) is displayed. Tap Close to return to the previous screen.
3. If the finishing options are enabled the print settings screen is displayed. The Print settings
enable the users to configure various print job settings.

(e.g. don't choose left-side stapling with right-side binding). See the device manual for
You can also tap Job information to show the detailed job information.
Tap OK to confirm or Cancel to discard changes.
Scanning at a Konica Minolta Device Native
2. On the main menu screen, tap SafeQ Scan.

3. Available scan workflows vary based on your permissions and YSoft SafeQ configuration.
to start a specific workflow without any additional input. These are not marked with an icon
next to the workflow name: . Tap one of the quick scan workflow buttons. Scanning
starts immediately with the selected workflow after you press the Start button (on the
device's panel).
Tap to show a description of the selected workflow.
Tap to display and configure additional scan settings.
them.
1. Tap one of the scan workflows that require user input and you will be taken to the
Workflow detail screen.

This icon indicates the scan workflow requires user input and is not a quick scan
workflow.
2. The Workflow detail screen is displayed requesting additional user input. Now you can
change the user inputs of the scan workflow.
Tap this icon to show a list of available values, which are a) a list user input field or b) to
browse a folder's structure.
Tap this icon to show the SW keyboard so you can change the user input value.
Tap this icon to confirm the user input and proceed to scan on the Scan workflows
screen.
Tap this icon to discard the input and return to the Scan workflows screen.

User inputs with an asterisk * (in a red circle) are mandatory and must be completed.
Otherwise, the scan workflow will not start and the user is prompted to enter the
missing details.
a. List selection screen. To select one of the options, tap the option row.
The OK button becomes available after a value is selected.
Tap this icon to confirm input and return to the Workflow detail screen.
Tap this icon to discard input and return to the Workflow detail screen.
b. Folder browsing screen. Folders are listed in alphabetical order.
Tap this icon to show a list of subfolders of the root folder.

Tap a folder to select it and confirm the selection. If you want to browse the folder to
see its subfolders, open the Folder browsing screen again after confirmation. If you
want to return to the parent folder, select ".." folder, confirm the selection, and open
the Folder browsing screen again.
The OK button becomes available after a value is selected.
Tap this icon do discard input and return to the Workflow detail screen.

c. Text or numeric user input screen.
Tap the keyboard shown or the HW keyboard to enter the value of the selected user
input.

Tap this icon to discard input and return to the Workflow detail screen.
Additional Scan Settings
1. The Scan settings screen is displayed after tapping the Scan Settings button.
The Scan Settings button is available only when a scan workflow is selected.
2. The Scan settings screen contains the available scan settings. You can change the scan
settings by tapping each option.
Some options might not be available as they can be disabled in the scan workflow by
the system administrator.

Some older devices may not respect the administrator's choices and can choose
simplex over the system default of duplex.
Tap this icon to confirm the settings and return to the Scan workflows screen.
Using a Credit Balance to Print and Copy and Scan at Konica Minolta Device Native
1. Log into the embedded terminal and navigate to the YSoft SafeQ print or scan application
or to the native copy application.
2. The current credit balance is written in the upper left-hand side of the copy, print, and scan
menu.

Only print jobs you have enough credit balance for will be printed.
The credit balance does not automatically refresh after performing a print job. Exit the
job list and enter it again to refresh the credit balance.
a.
a. When you try to print jobs you don't have enough credit balance for, printing is
refused. When you have a credit balance for only a few pages of a print job, only
those pages are printed and the rest of the print job is not printed. Depending on the
system's configuration, you will see one of the following screens:

b. When you do not have enough credit and attempt to use the Print All function from
the authentication screen, you will see the following warning message. Tap OK or
Cancel to confirm.

The current credit balance automatically refreshes.
2. When you try to copy a job you don't have enough credit balance for, the copy job is
refused. When you have enough credit balance for only a few copies, then only those
copies are performed and the rest of the copy job is refused. In both cases, you have two
options:
a. Deposit a credit balance and continue copying by pressing the Continue button.
b. Finish copying by pressing the Job Finished button.

more details.
The current credit balance does not automatically refresh.
refused. In this case, you have two options:
a. Deposit a credit balance and continue scanning by pressing the Start button.
b. Finish scanning by pressing the Job Finished button.

more details.
Using Billing Codes at a Konica Minolta Device Native
right after login.
1. After authentication, when prompted, tap the List icon .
2. A screen with billing codes is displayed:
a. To select a billing code, tap on the billing code of your choice and tap OK. At the next
screen, tap OK once more.
b.

b. Nested billing codes can be displayed by selecting a billing code with at the
front. Tap OK and when returned to the original screen, tap the List icon again .
This way you can see all the children billing codes of the previously selected billing
code.
You can move between pages with billing codes by tapping the arrow buttons.
Using a Default Billing Code
1. When the billing code screen appears and you want to use the default billing code displayed
at the top of the screen, just tap OK and continue to the device application main menu.

interface.
1. If you want to search for a billing code, tap the keyboard button on the left of the Search
button.
2. Enter the name, number, or text of the desired billing code and tap OK.

3. If you enter a specific billing code, you do not need to perform a search, and you can
immediately tap OK to use the particular billing code. Otherwise, tap Search.
4. A result that matches your search phrase is displayed. Select one of the billing codes
from the search result, tap OK and continue to the next step OR tap Cancel if you want to
change your search phrase, and repeat steps 1 to 4.

The path of the parent billing code is shown in brackets.
5. Now your billing code has been selected. Tap OK to continue to the device application main
menu.

4.3.2.10 Using YSoft SafeQ Embedded Terminal for Lexmark
Accessing and Logging in at a Lexmark Device
Logging In with a PIN or Card
1. Place your card on the card reader attached to the device OR tap the PIN field and
continue to next step.
2. Enter your PIN and tap Login.
Logging In with a Username/Password or a Card
1. Place your card on the card reader attached to the device OR tap the Username field and
continue to the next step.

1.
3. Tap the Password field.

4.
5. Tap Login.
Logging Out
1. You can use any of the following methods to log out:
Press the sleep button.
Press the home button twice.
Tap the logout button.

Activating a New ID Card at a Lexmark Device
Register a New ID Card by Entering Your Card Activation Code
If you have a Card Activation Code, you can use this simple method to register your card.
1. Swipe your card on the card reader attached to the device.
2. Tap the Card Activation Code button.
3. Tap the Activation Code text field.
4. Enter your Card Activation Code and tap the Activate button.

card is assigned to your user account.
Register a New card by Entering Your Username and Password
2. Tap the Username and password button.
3. Tap the Username button.

4. Enter your Username and confirm it with the OK button.
5. Tap the Password button.
6. Enter your Password and confirm it with the OK button.

6.
7. Tap the Activate button.
If you use an invalid card during authentication with login and password and card sequence
then card is automatically assigned to user.
Copying at a Lexmark Device
administrator.

Copying at a Lexmark Device
3. Select the number of copies by entering the number on the keypad, then select copy
settings by tapping from the available options. Then tap Copy It to start copying.
Printing at a Lexmark Device
2. On the main menu screen, tap the YSoft SafeQ 6 icon.
step.

Sometimes, changing Finishing options makes a print job compatible. Finishing options
shows job as being incompatible, either try a different device or contact a system
administrator.
5. Once the jobs are printed, they appear in the Printed folder. These jobs can be reprinted in
the future.

Select jobs you want to print and touch the Print button.
Touch the Print all button to print all your waiting jobs.
layouts).
Display more information about and a print job preview of a selected job.
Return to the main menu screen.
The info button provides access to a print job's details and its preview.
2. Select a job you are interested in and tap the info button at the bottom of the screen.

2.
3. Job details and a preview of the first page of the print job are displayed. Tap the OK button
to exit or the gear button to access print job finishing options (if available).
and print it.

Scan at a Lexmark Device
If your system allows you to scan, follow the instructions in this chapter.
If you have questions about whether or not you can scan, contact your system administrator.
Scan Workflows list
1. Log in to the Embedded Terminal: Accessing and Logging in at a Lexmark Device
2. On the Main Menu screen, Tap Scan .
3. The Scan workflows screen displays.
Availability of scan workflows may vary according to the YSoft SafeQ configuration at
your location. To learn about your available scanning options, contact your system
administrator. Currently only quick workflows are supported.
Tap one of scan workflows and now you can:
Tap Scan button to perform scan with default workflow parameters and scan
settings. Your scanning starts immediately.
Tap Scan settings button, if you want to change parameters like resolution, color,
etc.
Display another pages of your scan workflows.

Using a Credit Balance to Print and Copy and Scan at a Lexmark Device
1. Log into the embedded terminal and open the YSoft SafeQ application.
2. The current credit balance is displayed at the bottom of the screen next to your username.

Only print jobs that you have enough credit balance for will be printed.
3. When you try to print jobs that you don't have enough credit balance for, the job is not
printed and stays in the waiting folder. You are informed about insufficient credit. In this
case, you have to deposit money to continue printing.

more details.
This message is only displayed when a job parser with image rendering is enabled in
YSoft SafeQ's configuration.
decreases.
The current credit balance is not shown in the copy menu.

If you only have available credit balance for a few copies, these copies will be performed
1. Select the scan workflow you want to use and start scanning.
Only scan jobs you have enough credit balance for will be performed.
When you only have available credit balance for a few pages, these pages will be
scanned and charged and the rest will be refused.
Using Billing Codes at a Lexmark Device
1. In the YSoft SafeQ application, select Billing code from the menu.

Here you can:
Tap a Folder button to see a list of children billing codes (lower level).
Tap the Arrow buttons to list pages of billing codes in the current level.
3. Select your desired billing code by tapping it and confirm your choice by tapping the tick
button. Now you can see the newly selected billing code at the bottom of the screen.

1. The default billing code is selected immediately after login (in this case: Invoices 2015). Tap
the tick button to confirm the default billing code, or you can select a different billing code.
Until you change the default billing code, all copies and scans (and prints) will be accounted
to your default billing code.
interface.
Searching Billing Codes

2. The screen with billing codes is displayed. If you want to search billing codes, tap the
search button.
3. Type the name, number, or text of the billing code you want to search for and tap Search.
4. A result that matches your search phase is displayed. Choose one of the billing codes
from the results.

4.
Tap the Cancel button to stop searching and return to the billing codes list.
2. Or you can press the home button to enter the main menu screen and then continue to
the Copy menu to start copying.
4.3.2.11 Using YSoft SafeQ Embedded Terminal for OKI
Accessing and Logging in at an OKI Device
To use YSoft SafeQ functions at the device, you must first log in. The method you use depends
on how the system is set up at your location.
Logging In with a Username and Password
1. Tap User name.
2. Type your user name and tap OK.
3. Tap password.
4. Type your password and tap OK.
5.
5. T a p O K .
1. Type your PIN using the keyboard and tap OK.
Logging Out
1. To log out, tap the Access button on the device panel.

2. Confirm the logout action with the YES button.
system administrator (typically three minutes).
Accessing and Logging in Using New Authentication at an OKI Device
Log in with a PIN or a card
The device must be set up with an embedded or external card reader.
1. Place your card on the card reader attached to the device OR tap PIN field and continue
to next step.

2. Type your personal PIN code and tap OK button.
3. Tap Login.
You can also check Print all check box to print all compatible waiting jobs after log in. For
more information see: Printing at an OKI Device.

Log in with a username/password or a card
1. Place your card on the card reader attached to the device OR tap Username field and
2. Type your username and tap OK.
3. Tap Password field.

5. Tap Login.

Logging out
1. To log out, press the Access button on the device panel.
2. Confirm the logout action with YES button.
If you do not log out, the device automatically logs you out after a period of time set by your
system administrator (typically 3 minutes).
Activating a New ID Card at an OKI Device
Registering a New Card by Entering your Card Activation Code
If a card activation code has been assigned to you (it was received by email or it is displayed on
the YSoft SafeQ web interface dashboard), you can use this simple method to register your card.

3. Enter the card activation code and confirm it with the Activate button.
Registering a New Card by Entering your Username and Password

3. Insert the Username and Password and confirm it with the Activate button.
Copying at an OKI Device
administrator.
Copying at an OKI Device
1. Log in at the device.
2. Press the COPY button (on the device's panel) .

2.
3. Select the options you need.
4. On the device panel, press Start.
5.

5. If you want to navigate back to the YSoft SafeQ application, press the MENU button.
6. Tap the SafeQ button.
Printing at an OKI Device
2. Now, the Print job menu displays.

3. Sometimes, a print job is not compatible with the particular device. This can be due to a
Sometimes, changing finishing options makes the print job compatible. Finishing options
are accessible from the job information (see below). If the device still does not print and
shows the job as being incompatible, either try a different device or contact your
future.

Navigate to the Waiting / Printed / Favorite folders.
layouts).
Not all print jobs and devices are compatible and allow the changing of finishing options at a
1.

1. Tap the Info button next to the job to view job details.
2. The job details and a preview of the first page of print job display. Tap OK button to exit or
Print settings to access print job finishing options (if available).

(e.g., do not choose left-side stapling with right-side binding). See the device manual for
and print it.
The selected finishing options are applicable for printing a job right away. If you log out
and access the print job, its original settings return.
Using Billing Codes at an OKI Device
Select the Billing Code from a List
menu for copying and scanning in one session without logging out and logging in.

2. The screen with billing codes displays.
Here you can:
Tap the '+' button to see a list of children billing codes (lower level).
Tap Arrow buttons to list the pages of the billing codes in the current level.
Tap the text field to enter the search phrase.
3. If you find your billing code in the list, just tap the billing code name to select it.

4. Continue to the Scan or Copy application. The selected billing code will be applied
automatically.
scans will be accounted to your default billing code.
interface.

1.
2. The screen with billing codes displays. If you want to search for billing codes, tap the text
3. Type the name or number or text of a billing code you want to search for and tap OK.
4. A result matching your search phase displays.

4.
Here you can:
Tap Arrow buttons to list pages.
Tap text field if you want to change your search phrase.
Tap this button to stop searching and return to the Billing codes list.
6. Continue to the Scan or Copy application. The selected billing code will be applied
automatically.
4.3.2.12 Using YSoft SafeQ Embedded Terminal for OKI sXP2
Copying at an OKI sXP2 Device

administrator.
Copying at an OKI sXP2 Device
2. Press the COPY button (on the device's panel)
4. On the device panel, press Start.

5. If you want to navigate back to the YSoft SafeQ application, press the MENU button and
tap the YSoft SafeQ application icon.
Deleting a Print Job at an OKI sXP2 Device
1. Log into YSoft SafeQ Embedded Terminal for OKI sXP2: Logging In and Logging Out at an
OKI sXP2 Device and navigate to the job list: Selecting Jobs to Print at an OKI sXP2 Device.
2. Touch the job(s) you want to delete and touch the Delete icon. .

If you delete a job, you will not be able to reprint it in the future.
3. Touch the Yes button to confirm this action.
Displaying Detailed Print Job Information at the OKI sXP2 Device
OKI sXP2 Device and navigate to the job list: Selecting Jobs to Print at an OKI sXP2 Device.
2. Touch the Info button next to the job to view the job's details.

3. Job details and a preview of the first page of print job display. Touch the OK button to exit.
Logging In and Logging Out at an OKI sXP2 Device
To use YSoft SafeQ functions at the device, you must first log in. The method you use depends
on how the system is set up at your location.
Logging In with a Username and Password
1. Select User name.
2. Enter your user name and tap OK.
3. Select password.
5. Tap OK.

1. Enter your PIN using the keyboard.
2. Tap OK.
Logging Out
1. To log out, tap the Logout button on the screen.
2.

Scanning at OKI sXP2 Device
Quick scan workflows
workflow immediately. These are quick scan workflows.
1. On the Main Menu screen, tap Scan on left side. Available scan workflows vary based on
your permissions and YSoft SafeQ configuration. To learn more, please contact your system
administrator. Quick scan workflows enable you to start a specific workflow without any
additional input. These are marked with quick scan label under the name. To start scanning,
tap one of the quick scan workflows. Scanning starts immediately with the selected
workflow.
with them.
1. Workflows which are not marked with a quick scan label require additional input from users.
Tap one of the listed scan workflows and you will proceed to the Workflow detail screen.

1.
label, it is a regular workflow with user input. Selecting such a workflow on the Scan
3. Tap an input field or its icon to set the value of a workflow user input. Required user inputs
are marked with a red asterisk ( * ).
After placing a paper document on the glass or in the feeder, start scanning
using the Scan button. If any required user input is not filled-in, the Scan button is disabled.
If user inputs are invalid, a Validation screen is displayed and scanning will not start. When

Tap to change predefined scan options for the workflow.
screen is displayed with the original choice set in the list input field.
content.

Tap to return back to parent folder.
Tap to select current folder as target folder.
Tap to leave the folder browsing screen without any selection.
Additional scan options
an administrator).
2.
2. Scan options screen contains at least one of following options:
Use selection buttons to scroll between available options.
Use selection buttons to scroll among available options.
Scan description

Tap cancel button to leave the screen and display the main scan workflows screen.
After placing a paper document on the glass or in the feeder, start scanning using the Scan
button. If any required user input is not filled-in, the Scan button is disabled. If user inputs are
invalid, a Validation screen is displayed and scanning will not start. When scanning starts, the
Scan in progress screen is displayed.
Selecting a Billing Code at an OKI sXP2 Device
Your system may be set up for you to select a billing code for the copies and scans you make.
Use either of the methods described below to select your billing code.
1. In the YSoft SafeQ print application, select Billing codes from the menu.

2. A screen with billing codes displays.
Here you can: Touch the '+' button to see a list of children billing codes (lower level).
Touch the Back button to see a list of parent billing codes (higher level).
Touch the Arrow buttons to list the pages of billing codes in the current
level.
Touch the text field to enter a search phrase. Touch the Cancel
button to stop searching and return to the Billing codes list.
3. If you have found your billing code in the list, press the billing code name to select it.
The selected billing code is highlighted.

4. Now you can see the newly selected billing code at the bottom of the screen.
1. The default billing code is preselected immediately after login (in this case: 0: Default
Project).
Until you change it, all copies and scans will be accounted to your default billing code.

interface.
If you want to search billing codes, touch the text field to enter the search phrase.

3. Enter the name or number or text of the billing code you want to search for and touch OK.
4. The search phrase appears in the text field. Start searching by tapping the Magnifier
button.
Touch the Magnifier button to start searching.
5.

5. A result that matches your search phase displays .
Now you can:
Select one of the billing codes from the results.
Touch the Arrow buttons to list pages.
Touch the text field if you want to change your search phrase.
Touch the Cancel button to stop searching and return to the Billing codes list.
6. The selected billing code is highlighted.
Selecting Jobs to Print at an OKI sXP2 Device
OKI sXP2 Device.
2. Now the Print job menu displays.

2.
future.

Navigate to the Waiting/Printed/Favorite
folders.
Select jobs and mark them favorite.
Display more information and a print job preview about a selected job.
4.3.2.13 Using YSoft SafeQ Embedded Terminal for Ricoh
Accessing and Logging in at a Ricoh Device
1. Place your card on the card reader attached to the device OR tap the following icon and
continue with the next step.
If you want the device to print all your waiting jobs after you log in, check the Print all box.
The Print all option is present only if it was enabled by your administrator.
2. Tap PIN text field or directly type your PIN using the device's numeric keypad (2 to 20
numbers).

2.
If you enter a PIN using the device's numeric keypad, you can confirm the code with the '
#' key.
3. If you use the keyboard on the panel, tap OK to confirm.
1. Place your card on the card reader attached to the device OR tap the following icon.
If you want the device to print all your waiting jobs after you log in, check the Print all box.

The Print all option is present only if it was enabled by your administrator.
2. Tap Username text field and type your username and tap OK to confirm.
3. Tap Password and type your password and tap OK to confirm.

3.
Logging Out
1. Tap the Exit button OR place any card on the card reader.
The device automatically logs out users after a defined time set by a system
administrator (usually three minutes).

Activating a New ID Card at a Ricoh Device
The method you use may depend on the way your system administrator has configured YSoft
SafeQ.
Registering a New Card by Entering your Card Activation Code
If a card activation code has been assigned to you (it was sent by email or is displayed on the
1. Use your card on the card reader attached to the device.
2. Tap the CARD ACTIVATION CODE button.
4. Enter your card activation code and confirm it with the OK button.

5. If the assignment process is successful, you are logged into the device, and the new card
is assigned to your user account.
Registering a New card by Entering Your Username and Password
2. Tap the USERNAME & PASSWORD button.
3. Tap the Login button.
4. Enter your username and confirm it with the OK button.

4.
6. Enter your password and confirm it with the OK button.
7. If the assignment process is successful, you are logged into the device and the new card is
assigned to your user account.
Copying at a Ricoh Device

administrator.
Copying at a Ricoh Device
2. Tap or press the Home button, which is either located on the touch panel or is a physical
button located on the buttons panel.
On the Main Menu screen, locate and start the Copier application.
You may also use a physical copy button to open the copy application immediately.
To get back to the YSoft SafeQ application, tap or press the Home button again and
start the YSoft SafeQ application.
3. Configure the copy options and start copying by pressing Start button on the device's
panel (usually a green button).
How to harden the communication with Ricoh terminal
In order to harden the communication between TS and Ricoh's terminal, a terminal version major
of 1.0.9 is needed

Enable the secure configuration on Terminal Server
In order to enable the secure configuration on Terminal Server, follow the steps specified in
Configuring secured connection between terminals and Terminal Server v6.0.40
In case that you want to use the already supplied generated CA so that you can use the default
certificate for Terminal Server, you can export the server certificate with the following
openssl pkcs12 -in .\SafeQTerminalServer.pfx -cacerts -nokeys -out ca.cer
The default keystore has no password.
Add the truststore to the app certificate store
1. Extract the truststore file from the 320400101.zip zipfile of the Ricoh application (by default,
it is stored in {TERMINAL_SERVER_FOLDER}\Apps\Ricoh)
2. Add the new CA into that truststore file, using the keytool from Java version 1.7. It is
required to use the keytool from Java 1.7 version, as the format of the truststore could
change with a newer version.
a. EXAMPLE: keytool -import -alias ca -file ca.cer -keystore truststore -storetype jks -
storepass changeit
3. Extract the SafeQEmbeddedTerminalXlet.dalp file from the zipfile
4. Change the value of enableServerCertificateValidation to true in the <application-desc>...<

/application-desc> section of the SafeQEmbeddedTerminalXlet.dalp file, resulting like the
following:
<argument>enableServerCertificateValidation=true</argument>
5. Add the SafeQEmbeddedTerminalXlet.dalp file back to the zipfile
6. Add the trustore file back to the zipfile
7. Install the Ricoh app in to the MFD.
Additional security information
The implementation of the SRET application will use the default TLS version configured in the
JVM.
Troubleshooting
Logging has been enhanced, so in case there is some issue while configuring the communication,
it should be visible by accessing the device logs using the SRET configuration Servlet: "http://
{device_ip}:8080/sqet/Login"

Printing at a Ricoh Device
Incompatible jobs are marked with an [I] symbol and cannot be selected for printing.
shows a job as being incompatible, either try a different device or contact your system
administrator.
4.

future.
layouts).
Display more information about the selected job.
The info button provides access to print job details and its preview.
1. Select a job and tap the Info icon

exit or Print settings to access print job finishing options (if available).

Not all options may be available. Make sure always to select compatible combinations (e.
g., do not choose left side stapling with right side binding). See the device manual for
and print it.
The selected finishing options are applicable for printing the job immediately. If you log
Scanning at a Ricoh Device
workflow immediately. These are the quick scan workflows:
You may be asked to select a billing code after successful authentication.
2.
2. On the Main Menu screen, tap Scan on the left side. Available scan workflows vary based
on your permissions and your YSoft SafeQ configuration. To learn more, please contact
your system administrator. Quick scan workflows enable you to start a specific workflow
without any additional input. These are marked with a quick scan label under the name. To
start scanning, tap one of the quick scan workflows. Scanning starts immediately with the
selected workflow.
them.
1. Workflows that are not marked with a quick scan label require additional input from users.
Tap one of the listed scan workflows, and you will proceed to the Workflow detail screen.

2. The Workflow detail screen displays. If a workflow is not marked with a quick scan label, it
is a regular workflow with user input. Selecting such a workflow on the Scan workflows
screen always opens the Workflow detail screen.
Tap an input field or its icon to set the value of a workflow user input. Required user
After placing a paper document on the glass or in the feeder, start scanning using
user inputs are invalid, a Validation dialog displays and scanning will not start. When
scanning starts, the Scan in progress dialog displays.

Tap to confirm your selection. The Workflow detail screen displays with the
selected choice set in the list input field.
screen displays with the original choice set in the list input field.
listed in alphabetical order. The folder is initially set to the root, and the label at the
top of the screen contains Select a destination text. After accessing a folder, the
label contains the current folder path.

Tap a folder item to browse its content.
Tap to select the current folder as the target folder (the currently selected
folder is the one noted on the label of the tab).
Additional Scan Settings
1. The Scan settings screen displays after pressing the More button in the quick scan
workflow or pressing the Scan settings tab regular workflow detail.
The Scan settings screen displays only if any of the options are modifiable (set by an
administrator).
2. The Scan settings screen contains at least one of following options:

Scan description

Using a Credit Balance to Print and Copy and Scan at a Ricoh Device
2. The current credit balance is written at the bottom close to your username.

Only print jobs for which you have enough credit balance will be printed.
a. If the job parser is disabled or set only to analyze jobs, users are allowed to continue
printing even after their credit balance is insufficient.
When the current balance is not sufficient for a print job, a debt is registered to
the user (if debt registration is enabled in YSoft Payment System).
b. When you try to print jobs for which you do not have enough credit balance, the job
is not printed and stays in the waiting folder. You are informed about insufficient
credit. In this case, you have to deposit money to continue printing.

in the YSoft SafeQ configuration.
Some minimal credit is necessary to be able to enter the copy menu. The minimal
amount is configured by your administrator.
The copier usually allows the copying of a few more pages than your credit allows. For
these pages, a debt is registered (if debt registration is enabled in YSoft Payment
System

Only scan jobs for which you have enough credit balance will be performed.
2. When you try to scan job for which you do not have enough credit balance, the whole scan
job is refused.
When you have available credit balance only for a few pages, you can scan them one by
one until your credit balance is used up.
Using Billing Codes at a Ricoh Device
Selecting a Billing Code after Login
1. The billing code screen appears directly after login.

Select a billing code.
Confirm the billing code selection.
Navigate to the billing code children (Only billing codes with a + symbol have
children).
Search for a billing code.
Navigate between billing code pages.
Return from a deeper level.
2. Once the billing code is confirmed, it displays at the bottom of the screen.
Selecting a Billing Code from the YSoft SafeQ Application
1. In the YSoft SafeQ application, select Billing Codes from the menu.

1.
2. The screen with billing codes displays. The default billing code is highlighted.
1. The default billing code is selected immediately after login (in this case: 0: Default Project).
Until you change it, all copies and scans (and prints) will be accounted to your default billing
code.

interface.
Searching for a Billing Code
2. The screen with billing codes displays. If you want to search billing codes, tap the
magnifier icon
3. Type the name or number or text of the billing code you want to search for and tap OK.

4. The results display.
Select a billing code
Confirm the billing code selection
Navigate to the billing code children (Only billing codes with a + symbol have
children)
Search again for a billing code
Navigate between billing code pages
Return from a deeper level
1. Once a billing code is selected, you can continue to the Scan menu to start scanning with
the selected billing code.

2. Navigate to the Copy menu and perform a copy job for the selected billing code.
4.3.2.14 Using YSoft SafeQ Embedded Terminal for Samsung
The YSoft SafeQ application can usually be found either on the home screen or in an XOA
application menu.
Accessing and Logging in at a Samsung Device
1. Place your card on the card reader attached to the device and go to step 3 or tap the PIN
field to continue to the next step.

2. Enter your personal PIN code and tap OK.
The keyboard may not look exactly like the one shown here.
3. You can also check the Print all checkbox to print all compatible waiting jobs after logging
in. Tap Login.

The Print all checkbox is present only if this option was enabled by your administrator.
1. Place your card on the card reader attached to the device and go to step 3 or tap the
Username field and continue to the next step.

5. You can also check the Print all checkbox to print all compatible waiting jobs after logging
in. Tap Login.

The Print all checkbox is present only if this option was enabled by your administrator.
Log out
1. To log out, tap the hardware or software Logout button (depending on your device).
Activating a New ID Card at a Samsung Device
The method you use may depend on the way your system administrator has configured YSoft
SafeQ.
If a card activation code has been assigned to you (it was sent by email or is displayed on the
2. Tap the Card activation code button.

This screen may be skipped based on your YSoft SafeQ configuration.
4. Enter your card activation code and confirm it with the OK button.
5.

3. Tap the Username input field.

5. Tap Password input field.

6.
Copying at a Samsung Device
administrator.
Copying at a Samsung Device
3.
3. Select the number of copies by entering a number on the keypad, and select the copy
settings by tapping the available options. Then press Start on the device panel to start
copying.
Your Copy screen may not look exactly like the one shown here.
Printing at a Samsung Device
2. On the Main Menu screen, tap YSoft SafeQ 6.
3. Print job menu is displayed.
Select the jobs you want to print, and tap the Print button.
4.
It is possible that another device supports your kind of print jobs (depending on the
administrator settings for each device). It is recommended to try another device in your
company and repeat the steps above.
future.
Tap the Print all button to print all the jobs in the folder.

layouts).
Display more information and a print job preview about the selected job.
Job Details
The info button provides access to print job details and a preview.
1. Tap the Info button next to the job to view jobs details.
2. Job details and a preview of the first page of the print job display. Tap the OK button to
exit.

Using a Credit Balance to Print and Copy and Scan at a Samsung Device
2. The current credit balance displays at the bottom of the screen next to your username.
minimum balance set for your money account. If you are in debt, zero displays.

Only print jobs for which you have enough credit balance will be printed.
2. The credit balance decreases once the print job is printed and the screen is refreshed.
3. When you try to print jobs that you do not have enough credit balance for, printing is
refused. In this case, you have to deposit money to continue printing.
more details.
Copying and Scanning with a Credit Balance
1. Enter the copy or scan menu and start copying or scanning.
Only jobs for which you have enough credit balance will be finished.
2.
2. When you try to perform a job for which you do not have enough credit balance, only part
of the job is performed that the user has credit for. A message informing the user about
the limited account is usually accompanied by a beep.
The information about a limited account may not look exactly like the one shown here.
Using Billing Codes at a Samsung Device
Select a Billing Code from the List
2.

Tap Back button to see a list of parent billing codes (higher level).
Tap the Arrow buttons to list the pages of the billing codes in the current
level.
3. If you have found your billing code in the list, just press the billing code name to select it.
The selected billing code will be highlighted.
4. Now you can see the newly selected billing code at the bottom of the screen.

4.
1. The default billing code is selected immediately after you log in (in this case: 121: invoices
2013). Until you change it, all copies will be accounted to your default billing code.
Your default billing code can be changed in YSoft SafeQ web administration interface.

2. The screen with billing codes displays. If you want to search billing codes, tap the text field
to enter the search phrase.

4. Results that match your search phase display.
Select one of the billing codes from the results.
Tap the Arrow buttons to list pages.
5. The selected billing code is highlighted.
1. Once a billing code is selected, you can tap on the return button to enter the main
menu screen. After that, continue to the main menu to start copying or scanning.

4.3.2.15 Using YSoft SafeQ Embedded Terminal for Sharp
Accessing and Logging In and Logging Out at a Sharp Device
1. Place your card on the card reader attached to the device and go to step 3, OR tap the
PIN field and continue to the next step.
2. Enter your personal PIN code and close the keyboard or tap anywhere on the screen.
3. Tap Login.

You can also check the Print all check box to print all compatible waiting jobs after
logging in.
1. Place your card on the card reader attached to the device and go to step 3, OR tap the

5. Tap Login.

logging in.
Logging Out
1. To log out, press the hardware or tap the software Logout button (depending on your
device)
system administrator (typically, three minutes).
Activating a New ID Card at a Sharp Device
Activating a New Card by Entering Your Card Activation Code
1.

2. Tap the Card activation code button.
4. Enter your card activation code and close the keyboard or tap anywhere on the screen.

5.
6. If the assignment process is successful, you will be logged into the device.


8. If the assignment process is successful, you will be logged into the device.
Copying at a Sharp Device
If you have any questions about whether you can make copies or not, contact your system
administrator.

3. Select the number of copies by entering the number on the keypad, and select copy
settings by tapping the available options. Then press Start on the device panel or the Start
button on the screen to start copying
Printing at a Sharp Device
2. On the Main Menu screen, tap Sharp OSA.


Sometimes, changing Finishing options makes the print job compatible. Finishing options
shows job as being incompatible, either try a different device or contact your system
administrator.
future.
Tap the Print all button to print all of your waiting jobs.
layouts).

The info button provides access to a print job's details, its preview, and available finishing options.
Not all print jobs and devices are compatible and allow changing the finishing options at the
1. Tap Info button next to the job to view jobs details.
2. Job details and a preview of the first page of print job displays. Tap the OK button to exit
or Print settings to access print job finishing options (if available).

(e.g., do not choose left side stapling with right side binding). See the device manual for
and print it.

Scanning at a Sharp Device
workflow immediately. These are the quick scan workflows.
1. Log into the embedded terminal. If not redirected automatically, tap Sharp OSA button in
the device main menu.
Your Main Menu screen may not look exactly like the one shown here. On older devices
you have to tap SafeQ button.
2. Tap YSoft SafeQ Scan icon to open the scanning application.
3.
3. Available scan workflows vary based on your permissions and YSoft SafeQ configuration.
with them.
2.

3. Tap an input field or its icon to set the value of a workflow user input. Required user
using the Scan button. If any required user input is not filled-in, the Scan button is disabled
. If user inputs are invalid, a Validation screen is displayed and scanning will not start.
When scanning starts, the Scan in progress screen is displayed.

contents.

Tap to return to the parent folder
Go to the next/previous page to view other subfolders of the current

folder.
an administrator).

Scan description

Using a Credit Balance to Print and Copy and Scan at a Sharp Device

3. When you try to print jobs you do not have enough credit balance for, the following two
situations could occur.
a. The job is not printed and stays in the waiting folder. You are informed about
insufficient credit. In this case, you have to deposit money to continue printing.

This message displays only when job parser with image rendering is enabled in
your YSoft SafeQ configuration.

b. Only those pages you have credit balance for are printed. Then the printing stops and
the job is suspended.
This message displays only when job parser with image rendering is disabled in
It is not possible to print, copy, or scan on the device unless the suspended job is
deleted.


In this case, you have two options:
Continue to step 4 a to deposit credit balance and continue printing, OR
Continue to the step 4 b to stop printing and delete the suspended job.
a. If you want to deposit credit balance and continue printing:
i. Make the deposit.
ii. Tap the Limit button.
iii. Tap the suspended job. A prompt message appears.
iv. Tap the Yes button.
b. If you want to stop printing and delete the suspended job:
i. Tap the Limit button.
ii. Tap the scroll menu
iii.

iii. Tap Stop/Delete job
The job will be accounted and the printed pages canceled.
Only copy jobs you have enough credit balance for will be copied.
The current credit balance is not shown in the Copy menu.
2. When you try to copy a job you do not have enough credit balance for, the copy job is
refused. In this case, you have options:
a. Deposit credit balance and continue copying with the Yes button.
b. Finish copying by tapping the No button.

If you have an available credit balance for only a few copies, these copies will be
performed and charged, and the rest refused.
more details.
job, your credit balance will decrease.
The current credit balance is not automatically refreshed.
2. When you try to scan a job you do not have enough credit balance for, the whole scan job
is refused. In this case, you have two options:
a. Deposit credit balance and continue copying with Back > Scan.

2.
b. Finish scanning by pressing the Back button.
more details.
Using Billing Codes at a Sharp Device
Selecting the Billing Code from a List

Here you can:
3. When you find your billing code in the list, just tap the billing code name to select it.

4.
5. Continue to the Scan or Copy function, the selected billing code will be automatically
applied.
interface.
Searching for Billing Code

2. The screen with billing codes displays. If you want to search the billing codes, tap the text

4.
Here you can:
6. Continue to the Scan or Copy function, the selected billing code will be automatically
applied.
4.3.2.16 Using YSoft SafeQ Embedded Terminal for Toshiba
Access and log in using new authentication at a Toshiba Device
Log in with a PIN or a card
1.

1. Place your card on the card reader attached to the device OR tap PIN field and continue
to the next step.
2. Type your personal PIN code and tap OK button.
3. Tap Login.

Log in with a username/password or a card
1. Place your card on the card reader attached to the device OR tap Username field and
2. Type your username and tap OK.
3. Tap Password field.

5. Tap Login.

Logging out
2. Confirm the logout action with YES button.
If you do not log out, the device automatically logs you out after a period of time set by your
system administrator (typically 3 minutes).
Accessing and Logging In at a Toshiba Device
Logging In with a User Name and Password Method
1. Tap User name.
2. Enter your user name and tap OK.
3. Tap Password.
4.

5. Tap OK.
Logging In with a PIN Method
1. Enter your PIN using the keyboard.
2. Tap OK.
Logging Out

Activating a New ID card at a Toshiba Device


3. Enter the Username and Password and confirm it with the Activate button.
Copying at a Toshiba Device
administrator.
Copying at a Toshiba device
2. Press the COPY button on the device panel.

2.
4. Press START on the device panel.
5. If you want to navigate back to the YSoft SafeQ application, press the MENU button.

6. And tap SafeQ button to navigate back to the YSoft SafeQ application.
Printing at a Toshiba Device
2. Now the Print job menu displays.

shows the job as being incompatible, either try a different device or contact your
future.

layouts).

1.

and print it.
Using Billing Codes at a Toshiba Device

Now you can:
Tap the Arrow buttons to list the pages of billing codes in current level.
3. If you have found your billing code in the list, just tap the billing code name to select it. Tap
the tick button to confirm the selection.

5. Continue to the desired application. The selected billing code will be applied automatically.
Application of the selected billing code to print jobs depends on the current settings of
the YSoft SafeQ.
1. Based on your configuration, the default billing code is sometimes selected automatically

interface.
2. A screen with billing codes displays. If you want to search the billing codes, tap the text

4. A result that matches your search phrase displays.
Now you can:

6. Continue to the desired application. The selected billing code will be applied automatically.
Application of the selected billing code to print jobs depends on the current settings of
the YSoft SafeQ.
4.3.2.17 Using YSoft SafeQ Embedded Terminal for Xerox - 1st Gen.
Accessing and Logging In at a Xerox Device - 1st Gen.
Logging In with a Card or PIN
1. Place your card on the card reader attached to the device and go to step 3 OR tap the
Alternate Login button and continue with the next step.

Your authentication screen may look slightly different.
2. Enter your personal PIN code and tap Enter.
3. You can select to print all of your waiting jobs immediately after login. Tap Yes to do so,
otherwise, tap No.

This screen is present only if this option was enabled by your administrator and there
are print jobs in your queue.
Logging In with a Card or a Username/Password

2.
4. You can select to print all your waiting jobs immediately after login. Tap Yes to do so,
otherwise tap No.

This screen is present only if this option was enabled by your administrator and there are
print jobs in your queue.
Logging In with a Card and PIN or a Username/Password
1. Place your card on the card reader attached to the device and go to the next step OR tap
the Alternate Login button and continue with step 3.
2. Enter your personal PIN code and tap OK. Then go to step 5.

2.

otherwise tap No.
Logging In with Authentication mode To Each Application
1. Choose the application you want to open.

1.
2. See Login screens showed in Logging In with a PIN or Card or Logging In with a Username
/Password or Card.
Logging Out
1. Tap the Access button.
You can use this access button anytime. After tapping this button, you will be
immediately logged out.
OR
1. Navigate to the main menu using the home button.
2. Tap your username in the top right corner and select Log Out.

2.
OR
1. After three minutes (note that this could be configured differently in your environment), you
will automatically be logged out.
Activating a New ID Card at a Xerox Device - 1st Gen.
The method you use may depend on the way your system administrator has configured your
YSoft SafeQ.
2. Enter your username and confirm it with the Enter button.

2.
3. Enter your password and confirm it with the Enter button.
If a card activation code has been assigned to you (it was sent by email or is displayed on YSoft
2. Enter the card activation code and confirm it with the Enter button.

Registering a New Card by Entering Your Card Activation Code OR Username and Password
2. Enter the card activation code and confirm it with the Enter button. The new card is
assigned to your user account OR tap the Enter button without entering the card
activation code to skip to username and password assignment. Continue to the next step.

Copying at a Xerox Device - 1st Gen.
administrator.
Copying at a Xerox Device

2.
You may need to press the Home button to access the Main Menu screen.
Printing at a Xerox Device - 1st Gen.
2. On the Main Menu screen, tap YSoft SafeQ 6.
You may be redirected directly to the YSoft SafeQ application. In that case, skip this
step.
3. Print job menu displays.

Sometimes, changing the finishing options makes the print job compatible. Finishing
print and shows a job as being incompatible, either try a different device or contact your
future.

6.
Tap the Print all button to print all jobs in the folder.
Display other pages of your jobs list.
layouts).
The info button provides access to the print job details, its preview, and the available finishing
options.
Not all print jobs and devices are compatible and allow the changing of the finishing options at
the terminal. Consult with your administrator or provider to see which devices are compatible.
2. Job details and a preview of the first page of the print job display. Tap the OK button to

and print it.

The selected finishing options are only applied to the current print of the job. If you log
out and log in again, the original settings of the job will be restored.
Scanning at a Xerox Device - 1st Gen.
workflow immediately. These are quick scan workflows.
1. Log into the embedded terminal. If not redirected automatically, tap YSoft SafeQ application
in the device main menu.

Available scan workflows vary based on your permissions and YSoft SafeQ configuration.
to start a specific workflow without any additional input. These are marked with quick scan
label under the name. To start scanning, tap one of the quick scan workflows. Scanning
starts immediately with the selected workflow.

with them.
3. Tap an input field or its icon to set the value of a workflow user input. Required user inputs
are marked with a red asterisk ( * ).

Tap to change predefined scan options for the workflow.
content.

Tap to go to the next/previous page to see other folders
1.
an administrator).
Scan description

1.
Using a Credit Balance to Print and Copy and Scan at a Xerox Device - 1st Gen.

a. When you try to print jobs you do not have enough credit balance for, the printing is
refused. In this case, you have to deposit money to continue printing.

b. When you try to print jobs you do not have enough credit balance for, the job is not
printed and stays in the waiting folder. You are informed about insufficient credit. In
this case, you have to deposit money to continue printing.

This message displays only when job parser with image rendering is enabled in
Only copy jobs you have enough credit balance for are copied.
2. When you try to copy job you do not have enough credit balance for, the whole copy job is
refused.

2.
When you have an available credit balance for only a few pages, you can copy them one
by one until your credit balance is consumed.
Only scan jobs you have enough credit balance for are performed.
2. When you try to scan a job you do not have enough credit balance for, the whole scan job
is refused.
When you have an available credit balance for only a few pages, you can scan them one
by one until your credit balance is consumed.
Using Billing Codes at a Xerox Device - 1st Gen.

Here you can:
Tap the '+' button to see a list of the children of a billing code (lower level).
3. If you find your billing code in the list, tap the billing code name to select it.

1. Based on your configuration, the default billing code is sometimes selected automatically

interface.
2. The screen with billing codes displays. If you want to search the billing codes, tap the text
field to enter a search phrase.

3. Enter the name or number or text of the billing code you want to search for and tap Save.
4. A result that matches your search phase displays.
Now you can:

1. Once the billing code is selected, you can continue to the Scan menu to start scanning.
2. Continue to the Copy menu to start copying
Go back to the device menu using the home button and then enter the Copy application.

4.3.2.18 Using YSoft SafeQ Embedded Terminal for Xerox - 2nd Gen.
YSoft SafeQ Terminal Application - 2nd Gen. for Xerox
Support for EIP 1.5 or higher is required.
Installation
General:
Print application:
Accessing and Logging In at a Xerox Device - 2nd Gen.
Logging In with a Card or PIN

2. Enter your personal PIN code and tap Enter.
3. You can select to print all of your waiting jobs immediately after login. Tap Yes to do so,
otherwise, tap No.

Logging In with a Card or a Username/Password

2.
otherwise tap No.

This screen is present only if this option was enabled by your administrator and there are
print jobs in your queue.
Logging In with a Card and PIN or a Username/Password
1. Place your card on the card reader attached to the device and go to the next step OR tap
the Alternate Login button and continue with step 3.
2. Enter your personal PIN code and tap OK. Then go to step 5.

2.

otherwise tap No.
Logging In with Authentication mode To Each Application
1. Choose the application you want to open.

1.
2. See Login screens showed in Logging In with a PIN or Card or Logging In with a Username
/Password or Card.
Logging Out
1. Tap the Access button.
You can use this access button anytime. After tapping this button, you will be
immediately logged out.
OR
1. Navigate to the main menu using the home button.
2. Tap your username in the top right corner and select Log Out.

2.
OR
1. After three minutes (note that this could be configured differently in your environment), you
will automatically be logged out.
Activating a New ID Card at a Xerox Device - 2nd Gen.
The method you use may depend on the way your system administrator has configured your
YSoft SafeQ.

2.
If a card activation code has been assigned to you (it was sent by email or is displayed on YSoft
2. Enter the card activation code and confirm it with the Enter button.

Registering a New Card by Entering Your Card Activation Code OR Username and Password
2. Enter the card activation code and confirm it with the Enter button. The new card is
assigned to your user account OR tap the Enter button without entering the card
activation code to skip to username and password assignment. Continue to the next step.

Copying at a Xerox Device - 2nd Gen.
administrator.
Copying at a Xerox Device

2.
You may need to press the Home button to access the Main Menu screen.
Printing at a Xerox Device - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Xerox - 2nd Gen. for the print
application. It is an alternative to YSoft SafeQ Embedded Terminal for Xerox - 1st Gen.
this step.

selected.
button action bar.
Empty Job List

job list.
Action Bar
Header Buttons

User Info

Job Detail Screen

You can switch between

basic and advanced finishing option settings by pressing the Basic settings or Advanced
settings button under the header.




the current value.
below the header.



the left.
options.

left.

left.

left.
Incompatible Job

Apply fixes button.

header.
modal dialog.
Print Progress Information
Only available on XEROX printers with EIP 3.0+
While your jobs are printing, you get on-screen information about the print's progress.

Scanning at a Xerox Device - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Xerox - 2nd Gen. for scan
application. It is an alternative to YSoft SafeQ Embedded Terminal for Xerox - 1st Gen.
Workflow scanning
2. On the Main Menu screen, tap Scan

6.
Email parameters allow you to search for an email address. See this page for details: Email
search parameter
Steps 8 and 9 are available only on XEROX devices with EIP 3.0+
8. You'll get a progress screen with possibility to cancel scanning by tapping on Cancel
scanning button. This screen will automatically dissapear when scan workflow is finished.

After tapping on Cancel scanning button you'll get modal dialog to confirm scan
cancellation. Please tap on Cancel scanning button to confirm. Scanning will be aborted
without any other information shown.

Using Billing Codes at a Xerox Device - 2nd Gen.
Application can be showed after user authentication depends on the configuration performed
by your administrator (using property initial-screen).

or not

.
application.
Browsing

Searching


4.3.2.19 Using YSoft SafeQ Embedded Terminal for Sharp - 2nd Gen.
Installation
General:

Authentication:
If the firmware of Sharp does not support selected language, the language is English on panel.
YSoft SafeQ applications are localized in selected language.
Authentication modes to device/to each application are not supported.
Print application:
Authentication application configuration
Configure help on authentication screen
The administrator can specify help message that will be displayed on the authentication screen
(configuration option authenticationScreenHelpContent).
This text can be enabled/disabled by configuration option enableAuthenticationScreenHelp.
Languages selection on authentication screen
The user can select a language on authentication screen. The selected language will be applied
on the panel and YSoft SafeQ applications. List of languages is specified by configuration option
supported-lang-priority.
If list of prioritized language codes (configuration option supported-lang-priority) contains more
than one language code, the icon will be displayed on authentication screen.
Accessing and Logging in at a Sharp Device - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Sharp - 2nd Gen. for authentication.
1. Enter your PIN.
2. Tap Login.

3. Tap Login.


3. Tap Login.

Logging out
1. To log out, press the Logout button in the top black area.
2. Or to log out from the application, tap the icon Log out (highlighted in the image) on the printer
display.

3. Or put your card on the reader attached to the printer (if the terminal uses authentication by
card).
Display Help

Select Language
Activating a New ID Card at a Sharp Device - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Sharp - 2nd Gen. for activating a
new ID card.


2. If prompted, select Username and password method.
4. If the assignment process is successful, you will be logged into the device, and the new card

Copying at a Sharp Device - 2nd Gen
administrator.
2. Optional: If you get into YSoft SafeQ application tap the home button to get into
native menu.
3. On the Main Menu screen, tap Easy Copy.

settings by tapping available options. Then press Start (typically a green button) on the
Printing at a Sharp Device - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Sharp - 2nd Gen. for the print
application.
2. On the Main Menu screen, tap on the Sharp OSA and then on the SafeQ Print.

2.
this step.
selected.
button action bar.

4.
Empty Job List
job list.
Action Bar
Header Buttons

User Info
The user info is on the right side next to the exit button.

The Favorite button makes a job as a favorite. If a favorite folder is configured, it will be
The Settings button navigates you to the job detail screen.
The Modified settings button indicates finishing options were changed. Button navigates
you to the job detail screen.
Job Detail Screen
possibility to modify it. You can use the pagination buttons to see all the job details.


Using Save and close button always saves finishing option settings even when there is no
change from the original document. Then the modified settings button is shown.
You
can switch between basic and advanced finishing option settings by pressing the Basic settings
or Advanced settings button under the header.
You can modify the finishing options settings, as described below.


You can increase or decrease the number of


the current value.
below the header.




the left.
the options.

left.

left.

left.
Incompatible Job
Note, you cannot mark a job as a favorite or see the job detail when a job is incompatible.

Apply fixes button.
header.
modal dialog.

Public User Access at a Sharp Device - 2nd Gen.
General overview
Public user can be used to allows print, scan, copy and fax to non-authenticated users.
NOTE
Available only with YSoft SafeQ Terminal Application - 2nd Gen.

Enabling Public User Access
1. Create a regular user, who will be used as a Public User. The user will be used to:
account all print/copy/scan/fax jobs
control access rights
2. Set the publicUserOperationsUsername property in system settings to the username of the

created user.
3. Allow public user access in the device configuration page.
Signing in as a public user
1. Tap on the Public user access button in the authentication screen

2. You will be prompted to confirm if you want to log in as a public user. Tapping the Cancel
button will redirect you back to the authentication screen. Tapping the Login button will
sign you in as a public user.
Public user accounting
All print, scan, copy and fax jobs will be accounted under the user specified in the system
settings under publicUserOperationsUsername property.
All jobs performed by public user are displayed in Job list and included in Web reports.

Public user access definitions
Access definitions can be edited the same way as for any other regular YSoft SafeQ user. See
Configuring Access Definitions for more details.
Troubleshooting
If you get an error when you try to login as a public user into the Embedded Terminal, then
make sure that the user configured in publicUserOperationsUsername is correctly set and that
Site Server services were restarted after the publicUserOperationsUsername configuration
was changed.
If you do not see the Public user access button in the authentication screen:
make sure that the device has the Allow public user enabled and that the user in the
publicUserOperationsUsername configuration is correctly set
reset the cache of the MFD in the MFD administration web
Limitations
Public print jobs are not spooled by the server and cannot be requeued.
Scanning at a Sharp Device - 2nd Gen
This document describes YSoft SafeQ Embedded Terminal for Sharp - 2nd Gen. for scan
application.
Workflow scanning
2. On the Main Menu screen, tap on the Sharp OSA and then on the SafeQ Scan
3.

5.

search parameter

Email search parameter at a Sharp Device - 2nd Gen.
It is possible to search for an email of the YSoft SafeQ user in the database using the email
search parameter.

the list (see the picture below), or you can get a warning message when no matching email could
be found.

email presented, it will be appended with the semicolon character (see the picture below).
5. It is also possible to manually edit the email field, however, bear in mind that this edit action
Using billing codes at a Sharp Device - 2nd Gen.

1. In the Main menu select Sharp OSA and then SafeQ Billing codes application.


or not
application.
Browsing


Searching
1.


6.

Continue with print, scan or copy
When you have selected the billing code you can continue with printing, scanning or copying.
4.3.2.20 Using YSoft SafeQ Embedded Terminal for Ricoh SOP - 2nd Gen.
Accessing and Logging In at a Ricoh SOP - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for a Ricoh SOP - 2nd Gen. for
authentication.
Logging in with a PIN
1. Enter your PIN.
2.
2. T a p L o g i n .
3. Tap Login.

Logging in with a card or a PIN
1. Put your card on the reader attached to the printer or enter your PIN and tap Login.
Logging in with a card or a username/password
1. Put your card on the reader attached to the printer or enter your username/password and
tap Login.

Logging in with a card and a PIN
2. Enter your PIN.
3. Tap Login.
4.

Logging in with a card and a username/password
4. Tap Login.
5.
Logging in with print all
1. You can select to print all compatible waiting jobs immediately after logging in by "Print all"
switch.

The "Print all" switch is present only if this option was enabled by your administrator.
Logging out
There are two options for logging out:
1. To log out, press the Logout button (highlighted) on the upper/right corner of the screen.
2. Or put your card on the reader attached to the printer (if the terminal uses authentication
by card).
Select Language
1. Tap the icon
and the Select a language dialog is displayed.
2. Select the language and tap OK.

2.
Activating a New ID Card at a Ricoh SOP - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Ricoh SOP - 2nd Gen. for activating
a new ID card.
3. Enter the card activation code, and confirm it with the Register button.

3. Enter the username and password, and confirm it with the Register button.

Copying at a Ricoh SOP - 2nd Gen.
administrator.
Copying at a Ricoh SOP Device
2. Tap the Home button, which is located on the touch panel.
On the Main Menu screen or in the application list, locate and start the Copier application.
To get back to the YSoft SafeQ applications, tap the Home button again.
3. Configure the copy options and start copying by pressing Start button.

Printing at a Ricoh SOP - 2nd Gen.
This document describes YSoft SafeQ Embedded Terminal for Ricoh SOP - 2nd Gen. for the print
application.
You may be redirected automatically to the SafeQ Print application. In that case, skip this
step.

selected.
button action bar.
Empty Job List

job list.
Action Bar
Header Buttons
User Info
User info is on the right side.
There are two text lines. The upper line is the username, and the lower line is the billing code.
The Favorite button makes a job as favorite. If a favorite folder is configured, it will be present in this folder.

The Modified settings button indicates finishing options was changed. Button navigates you to job detail
screen.
Job Detail Screen
possibility to modify it.

You can save changes possibly made with the finishing options and continue browsing jobs in the print
application by pressing the Save and close button.
You can switch between basic and advanced finishing option settings by pressing the Basic settings or
Advanced settings button under the header.

You can change the color mode by tapping the BW (Black and White) or Color button. The black button
indicates the current value.
You can increase or decrease the amount of copies by tapping the '-' or '+' button. The current value is
visible on the left in the edit box.
You can choose to print a document in either simplex or duplex mode by tapping the One-sided or Two-
sided button. The black button indicates the current value.

below the header.
You can cancel any changes and keep the last values by clicking the Cancel button in the modal dialog.
You can confirm the changed value by clicking the Select button in the modal dialog for other advanced
finishing options settings described below.
You can change stapling in the modal dialog when tapping the button on the right. The current value is
visible in the edit box on the left.
options.
You can change punching in the modal dialog by tapping the button on the right. The current value is visible
in the edit box on the left.

You can change folding in the modal dialog by tapping the button on the right. The current value is visible in
the edit box on the left.
You can change binding in the modal dialog by tapping the button on the right. The current value is visible in
the edit box on the left.
Incompatible Job

If the finishing options feature is enabled, you can try to fix the issue using the Try to fix button.
The Try to fix button is available only if the finishing options feature is enabled. If not, only the
Delete button is available. You can navigate to the job list via the back button in the header.
After the Try to fix button has been tapped, the user is informed about the result through the
modal dialog.

Scanning at a Ricoh SOP - 2nd Gen
This document describes YSoft SafeQ Embedded Terminal for a Ricoh SOP - 2nd Gen. for scan
application.
Workflow scanning
2. On the Main Menu screen, tap Scan
3. Select a scan workflow you want to execute. Some of the workflows are marked as Instant
workflow and are executed directly from the workflows screen by tapping on the workflow.
The other workflows need additional parameters to be entered and tapping on the workflow
redirects you to a workflow detail screen.

4. In workflow detail screen, you can enter additional workflow parameters. All parameters are
mandatory, except parameters marked as (optional).
6.

Example of Department list:
Example of Destination folder:
search parameter at a Ricoh SOP - 2nd Gen.
8.

8. You'll get a progress screen with possibility to cancel scanning by tapping on Cancel
scanning button. This screen will automatically disappear when scan workflow is finished.
After tapping on Cancel scanning button you'll get information about scanning of your
documents has been stopped.

If scan did not finish successfully, you'll get information about scanning of your documents
has been stopped.
Action Bar
Header Buttons
The back button navigates you back to the scan application from the workflow detail screen.
User Info
User info is on the right side.
There are two text lines. The upper line is the username, and the lower line is the billing code.
Scanning
The footer bar Scan button start scanning in selected workflow.

When there are more attributes in a given screen, a browsing arrows button is displayed on the
right side to move one page up or down.
Email search parameter at a Ricoh SOP - 2nd Gen.
It is possible to search for an email of the YSoft SafeQ user in the database using email search
parameter.
the list (see the picture below).

Or you can get an message "No search results" when no matching email could be found (see the
picture below).
email presented it will be appended with the semicolon character (see the picture below).
5. It is also possible to manually edit the email field however bear in mind that this edit action

Using Billing Codes at a Ricoh SOP - 2nd Gen.
Accessing the Billing Code screen
1. The billing code screen appears directly after login.
(Billing code screen without default Billing code)
2. In the YSoft SafeQ application, select SafeQ Billing codes from the menu.
1. The default billing code is selected immediately after login (if set in the YSoft SafeQ web
administration interface). Until you change it, all copies, scans and prints will be accounted

Your default billing code can be changed in the YSoft SafeQ web administration interface.
Selecting a Billing code
1. Navigate to your Billing code screen.
2. Select Browse at the bottom part of the screen.
3. Billing code browser will appear

4. Use navigation buttons to select desired Billing code:
a.
Navigate between billing code pages
b.
Navigate to the billing code children (Only billing codes with a + symbol have children)
c.
Search for a billing code
d.
Return from a deeper level
e.
Return to the Billing code screen
5. Select desired Billing Code
6. Click Select at the bottom to confirm your choice

1. Navigate to your Billing code screen.
2. Use search field at the top right position to search for billing code
3. Type the name or number or text of the billing code you want to search for and tap the
magnifier icon.
4. The results display.

5. Select desired billing code (see Selecting a Billing code).
Continue with Scanning, Copying or Printing
1. Once a billing code is selected, you can continue to the Scan, Copy or Print menu to start
scanning with the selected billing code.
2. Selected Billing code is dislayed under the user name in the top right corner
4.3.2.21 Using YSoft SafeQ Embedded Terminal for Sharp-eSF
Accessing and Logging in at a Sharp-eSF Device
1. Place your card on the card reader attached to the device OR tap the PIN field and

2. Enter your PIN and tap Login.
1. Place your card on the card reader attached to the device OR tap the Username field and


4.
5. Tap Login.
Logging Out
1. You can use any of the following methods to log out:
Press the sleep button.
Press the home button twice.
Tap the logout button.

Activating a New ID Card at a Sharp-eSF Device
Register a New ID Card by Entering Your Card Activation Code
If you have a Card Activation Code, you can use this simple method to register your card.
2. Tap the Card Activation Code button.
4. Enter your Card Activation Code and tap the Activate button.

Register a New card by Entering Your Username and Password


6.
If you use an invalid card during authentication with login and password and card sequence
then card is automatically assigned to user.
Copying at a Sharp-eSF Device
administrator.

Copying at a Sharp-eSF Device
2. On the main menu screen, tap Easy Copy.
3. Select the number of copies by entering the number on the keypad, then select copy
settings by tapping from the available options (you can also swipe right for additional
options). Then tap B/W Start or Color Start to start copying (either black and white or
colored). You can also click Detail button at the top right and configure more in the new
screen, then click the green Copy button to start copying.
Printing at a Sharp-eSF Device
2.

2. On the main menu screen, tap the YSoft SafeQ 6 icon.
step.
Sometimes, changing Finishing options makes a print job compatible. Finishing options
shows job as being incompatible, either try a different device or contact a system
administrator.
5.

5. Once the jobs are printed, they appear in the Printed folder. These jobs can be reprinted in
the future.
layouts).
Display more information about and a print job preview of a selected job.
The info button provides access to a print job's details and its preview.
2. Select a job you are interested in and tap the info button at the bottom of the screen.

2.
3. Job details and a preview of the first page of the print job are displayed. Tap the OK button
to exit or the gear button to access print job finishing options (if available).
and print it.

Scan at a Sharp-eSF Device
If your system allows you to scan, follow the instructions in this chapter.
If you have questions about whether or not you can scan, contact your system administrator.
Scan Workflows list
1. Log in to the Embedded Terminal: Accessing and Logging in at a Sharp-eSF Device.
2. On the Main Menu screen, Tap Scan.
3. The Scan workflows screen displays.
Availability of scan workflows may vary according to the YSoft SafeQ configuration at
your location. To learn about your available scanning options, contact your system
administrator. Currently only quick workflows are supported.
Tap one of scan workflows and now you can:
Tap Scan button to perform scan with default workflow parameters and scan
settings. Your scanning starts immediately.
Tap Scan settings button, if you want to change parameters like resolution, color,
etc.
Display another pages of your scan workflows.

Using a Credit Balance to Print and Copy and Scan at a Sharp-eSF Device
2. The current credit balance is displayed at the bottom of the screen next to your username.

Only print jobs that you have enough credit balance for will be printed.
3. When you try to print jobs that you don't have enough credit balance for, the job is not
printed and stays in the waiting folder. You are informed about insufficient credit. In this
case, you have to deposit money to continue printing.

more details.
This message is only displayed when a job parser with image rendering is enabled in
YSoft SafeQ's configuration.

d e c r e a s e s .
The current credit balance is not shown in the copy menu.
If you only have available credit balance for a few copies, these copies will be performed

Only scan jobs you have enough credit balance for will be performed.
When you only have available credit balance for a few pages, these pages will be
scanned and charged and the rest will be refused.
Using Billing Codes at a Sharp-eSF Device

Here you can:
Tap a Folder button to see a list of children billing codes (lower level).
3. Select your desired billing code by tapping it and confirm your choice by tapping the tick
button. Now you can see the newly selected billing code at the bottom of the screen.

1. The default billing code is selected immediately after login (in this case: Invoices 2015). Tap
the tick button to confirm the default billing code, or you can select a different billing code.
Until you change the default billing code, all copies and scans (and prints) will be accounted
interface.

2. The screen with billing codes is displayed. If you want to search billing codes, tap the
search button.
3. Type the name, number, or text of the billing code you want to search for and tap Search.
4. A result that matches your search phase is displayed. Choose one of the billing codes
from the results.

4.
2. Or you can press the home button to enter the main menu screen and then continue to
the Copy menu to start copying.
4.3.3 USING YSOFT SAFEQ MOBILE TERMINAL
4.3.3.1 Using YSoft SafeQ Mobile Terminal for Android
QR Code Scanning Screen
First Launch
On Android 6 and newer
On the first launch, the application will ask you for permission to access your camera and
location.
Not allowing access will make the YSoft SafeQ Mobile Terminal unusable with QR codes or
Eddystones. A camera is required for scanning QR codes. Location permission is required to
find a printer using an Eddystone.

General
Place the camera over the QR code located at/on your printer.
Success: You are redirected to the Authentication screen.
Failure: You are redirected to QR code scanning screen.

Nearby Printers
When the Mobile Terminal detects a nearby printer (through Bluetooth and Eddystone), a toolbar
is visible at the bottom of the screen.
Bluetooth has to be turned on to detect Eddystone.
You can open the list of nearby printers by tapping the Nearby printers button.
List of Nearby Printers
You can select a printer by tapping on the found printer in the list. You will be redirected to the
Authentication screen.

Authentication Screen
General
1. Enter your email registered in YSoft SafeQ.
If you do not know your email registered in YSoft SafeQ contact your administrator.
2. Send activation link sends an activation link to the provided email.
Success: You are redirected to the Checking Email screen.
Failure: You are notified by red underlines - see section Wrong Email.
You can reset your credentials in the Settings screen. For more information see section
Settings Screen.

Wrong Email
This screen appears when you enter the wrong email.
Checking email Screen
1. Open mail app opens your email application on your mobile device.
2. After opening an email app and tapping on Activate button in the email, YSoft SafeQ Mobile
Terminal will try to activate.

2.
You will see the dialog about successful or unsuccessful activation.
Successful activation dialog
This dialog is shown after successful activation. You will be logged in and redirected to the Job
List screen after scanning again.

Job List Screen
General
1. Release print jobs by selecting them and clicking the Print button.
You will see a notification that the job has been sent to the printer.
2. Tapping the button redirects you to the Print job detail screen.
3. You can mark a print job as a favorite by tapping the button.
Popover Menu Visible
A popover menu becomes visible after tapping the "three dots" icon.
You can delete selected print jobs.
You can sort print jobs by name and date.
You can select/deselect all print jobs.
You can enter the Settings screen.

Print Job Released
A print notification displays when a print job is sent to the printer.
Long Touch for Deleting
Using a long touch, you can delete the current print job.

Print Job Detail Screen
General
In the Print job detail screen, you can:
Print current job.
Open a print job preview.
See detailed information about a print job.
Edit finishing options (color, copies, side, stapling, punching, binding, folding).
Select the billing code.
If you cannot edit finishing options, the printer does not support them.

Billing Codes Page
General
Billing codes in YSoft SafeQ Mobile Terminal can be set individually for each print job
Billing codes set in YSoft SafeQ Mobile Terminal will override the billing code set in the client
On the Billing codes page, you can:

See a list of billing codes.
Navigate to the lower level of billing codes.
See the path where the user is navigated.
Scroll in the path and select an item from path directly.
Confirm the selection.

After Billing codes search, you can:
See a found billing code if the billing code exists.
See the path of the found billing code.
Open the lower level of the billing code structure if available.
Settings Screen
General
You can change the printer by tapping the Change printer button.
You can reset your stored credentials by tapping the Reset stored credentials button.
Resetting stored credentials will require new activation with next use.

NFC Printer Identification
You must enable NFC technology on your mobile device.
When the printer is configured with an NFC tag, place the mobile device over the tag.
YSoft SafeQ Mobile Terminal identifies the printer and shows the Authentication screen.
If you have stored credentials, the Job List screen displays instead.
4.3.3.2 Using YSoft SafeQ Mobile Terminal for iOS
QR Code scanning screen
First launch
On the first launch, the application will ask for permission to send you notifications. It is up to you
whether you want to receive notifications. Not allowing notifications will not alter the main
features of the YSoft SafeQ Mobile Terminal.

General
Success: You will be redirected to the Authentication screen.
Failure: You will be redirected to the QR code scanning screen.
Nearby printers
When the YSoft SafeQ Mobile Terminal detect a nearby printer (through Bluetooth and Eddystone)
a toolbar will be visible at the bottom of the screen.

Bluetooth has to be turned on to detect Eddystones.
You can open the list of nearby printers by tapping the Nearby printers button.
List of nearby printers
You can select a printer by tapping on the chosen printer. You will be redirected to the
Authentication screen.

Authentication screen
General
If you don't know your email registered in YSoft SafeQ contact your administrator.
2. Send activation link sends an activation link to the provided email.
Success: You will be redirected to the Checking email screen.
Failure: You will be notified by red underlines.
You can reset your credentials in the Settings screen.
Wrong Email

1. Open mail app opens your email application on your mobile device.

List Screen after scanning again.
Job List screen
General
You will see a notification that the job has been sent to the printer.
4. Tapping redirects you to the Settings screen.

Popover menu visible
A popover menu becomes visible after tapping the " • • • " icon.
You can sort print jobs by name and date.
You can select/deselect all print jobs.

Print job released
Swipe to delete
YSoft SafeQ Mobile Terminal supports the swipe-to-delete feature.
3D Touch to preview
YSoft SafeQ Mobile Terminal supports 3D Touch.
With a light press, you will see a peek preview of the print job.

With a harder press, you will pop open the preview.
Print job detail screen
General
In the Print job detail screen you can:
Print current job.
Change the billing code

Settings screen
General
You can reset your stored credentials by tapping the Reset the stored credentials.

Billing codes screen
General
Billing Codes in YSoft SafeQ Mobile Terminal can be set individually for each print job
Billing Codes set in YSoft SafeQ Mobile Terminal will override the Billing Code set in the client
In the Billing codes page, you can:
See the list of billing codes.
See the path where is user navigated.
Scroll in the path and select item from path directly.

Searching for billing code
See found billing code if billing code exists.
See the path of found billing code.
Open lower level of billing code structure if available.

4.3.3.3 Using YSoft SafeQ Mobile Terminal for Windows
QR Code Scanning Screen
General
Success: You are redirected to the Authentication screen.
Failure: You are redirected to QR code scanning screen.

Authentication Screen
General
If you don't know your email registered in YSoft SafeQ contact your administrator.
2. Send activation link button sends an activation link to the provided email.
Success: You are redirected to the Checking email screen.
Failure: A message notifies you.
You can reset your credentials in the Settings screen.

Wrong Email
1. Open mail app button opens your email application on your mobile device.

List Screen after scanning again.

Job List Screen
General
4. You can enter the Settings screen.
Popover Menu Visible
A popover menu becomes visible after tapping the "• • •" icon.
Sort jobs by name or date (the not used option is always available)
Select/deselect all available jobs

Print Job Detail Screen
General
In the Print job detail screen, you can:
Print current job.

Billing Codes Page
General
Billing codes in YSoft SafeQ Mobile Terminal can be set individually for each print job
Billing codes set in YSoft SafeQ Mobile Terminal will override the billing code set in the client
On the Billing codes page, you can:

See a list of billing codes.
See the path where the user has navigated.
Scroll to the path and select an item from the path directly.

See a found billing code if the billing code exists.
See the path of the found billing code.
Open the lower level of the billing code structure if available.
Settings Screen
General
You can reset your stored credentials by tapping the Reset stored credentials button.

NFC Printer Identification
You must enable NFC technology on your mobile device.
When the printer is configured with an NFC tag, place the mobile device over the tag.
YSoft SafeQ Mobile Terminal identifies the printer and shows the Authentication screen.
If you have stored valid credentials, the Job List screen displays instead.
4.3.4 USING YSOFT TERMINAL PRO 4
4.3.4.1 Accessing and Logging In and Logging Out at a Terminal Pro 4
Terminal Pro 4 must be set up with an external card reader.
1. Place your card on the card reader attached to the Terminal Pro 4 and go to step 2 OR
enter your PIN code on the numeric keyboard and continue to the next step.

2. Once you have entered your PIN code, tap OK to log in.
logging in.
Terminal Pro 4 must be set up with an external card reader.
1. Place your card on the card reader attached to Terminal Pro 4 and go to step 3 OR tap the

2. Enter your username and tap Enter.
4. Enter your password and tap Enter.

4.
5. Tap Login.
You can also select the Print all toggle to print all compatible waiting jobs after logging
in.
Logging Out
1. To log out, tap the software Logout button (depends on your printer).

If you do not log out, the printer automatically logs you out after a period set by your
4.3.4.2 Activating a New ID Card at a Terminal Pro 4
If a card activation code has been assigned to you (it was received by email, or it displays on the
1. Swipe your card on the card reader attached to the Terminal Pro 4.
2. Tap the Enter your card activation code button.
3. Enter your card activation code.

3.
4. Tap the OK button to activate your card.
5. When the assignment process is successful, you will be logged into the printer.
1. Use your card on the card reader attached to Terminal Pro 4.
2. Tap the Enter your username and password button.

4. Enter your Username and confirm it with the Enter button.
5.

6. Enter your Password and confirm it with the Enter button.
7. Tap the Login button.
8. When the assignment process is successful, you will be logged into the printer.

4.3.4.3 Copying at a Terminal Pro 4
administrator.
Copying at a Terminal Pro 4
1. Log into Terminal Pro 4.
2. On the Main Menu screen, tap Copy on the left side.
The copy application may not be visible in your Main Menu depending on your current
user rights.
3. The printer is unlocked before the copy application displays.

4. Leave the application after finishing copying. You must confirm that no copy job is running.
The dialog may NOT appear depending on the correct printer SNMP settings.
4.3.4.4 Printing at a Terminal Pro 4
Printing and managing jobs
1. Log in to the Terminal Pro 4.
2. On the Main Menu screen, tap Print.
You may be redirected directly into the Print application. In that case, skip this step.
3. Print job menu is displayed.

3.
Select jobs you want to print and tap the Print button at the bottom of the screen.
Black and white jobs are labeled with symbol and color jobs are labeled with .
Deselect all selected jobs.
Delete selected jobs.
Select all jobs.
Mark job as a favorite.
Display more information and a print job preview about the selected job.
4. Sometimes, print job is not compatible with the particular device. This can be due to variety
of reasons, but means that the print job cannot be printed at the device.
Incompatible job is marked with a warning triangle and it cannot be selected for printing.

Sometimes, the print job can be made compatible. User can try to fix the job from the
job information (see below). If the job cannot be fixed, try either a different device or
contact system administrator.
5. Once the job is printed, it appears in the Printed folder. This job can be reprinted in future.
This behavior may not be available. It depends on configuration of your YSoft SafeQ.
6. You can also navigate to Waiting / Printed / Favorite folders:
This behavior may not be available. It depends on configuration of your YSoft SafeQ.
Job details and printing settings
The info button provides access to the print job details, its preview and the available print
settings. The info button turns blue once the print settings were changed.
Not all print jobs and devices are compatible and allow changing print options at the terminal.
Consult with your administrator or provider to see which devices are compatible.
1. Tap Info button next to the job to view jobs details.

2. If the job is incompatible then you will see list of possible problems and solutions which can
be automatically proceeded in order to make the job compatible with the printer. If you try
to fix the job then you will be informed about the result at the end of the process.
3. If the job is compatible with the device then job details and preview of the first page of the
print job are displayed. Tap OK button to exit or Print settings to access print job finishing
options (if available).

4. Edit settings of the print job.
5. Review the new print job settings and tap OK to return to job list. Select the print job and
print it.

The selected finishing options are applied only to the current print of the job. If you log
out and log in again, original settings of the job will be restored.
4.3.4.5 Scanning at a Terminal Pro 4
If your system allows you to scan, follow these instructions.
If you have any questions about whether or not you can scan, contact your system
administrator.
Scanning at a Terminal Pro 4
1. Log into Terminal Pro 4.
2. On the Main Menu, tap Scan on the left-hand side.
The scan application may not be visible in your Main Menu depending on your current
user rights.
3. The list of scan workflows displays.

4. Tap on the desired workflow.
5. Terminal Pro 4 asks the user to use the devices' terminal.
Please proceed with scanning on the devices' terminal.
6. After you have scanned all pages, please tap Finish scanning on Terminal Pro 4.

7. Once you've tapped Finish scanning button Terminal Pro 4 will check the status of the
scan. Three different results are possible.
8. If the scanned files are still not being sent to the server a Waiting to retrieve files
notification will be shown.
9. The user has the possibility to cancel the scan by tapping the Cancel button.

10. If receiving of the files is still in progress, Retrieving files notification will be shown.
11. The user can select to be logged out automatically once the scanning is done, by tapping
the Log out when done button.
12. Waiting screen will remain so no one can interrupt the scan process until it's finished.
13.

13. Once your workflow is successfully processed, you are notified by Terminal Pro 4.
4.3.4.6 Using Billing Codes at a Terminal Pro 4
With YSoft Terminal Pro 4, you can select billing (project) codes in the copying and scanning
application.
Selecting a Billing Code from the List
1. In the YSoft SafeQ application, select the Scan or Copy application from the Main menu.
2. A screen with billing codes either displays automatically if you access the Scan or Copy
application for the first time, or you have to tap the Change button.

3. On the billing codes selection screen, you can:
Tap the folder icon to see a list of the children of a billing code (lower level).
Tap Search to start searching.
4. After tapping the folder icon, the search field is replaced by breadcrumbs navigation:

Tap the Home button to see the root billing codes (the highest level).
Tap any of the breadcrumbs in front of the home button to navigate higher in the hierarchy.
5. If you find your billing code in the list, tap the billing code's name to select it. Tap the OK
button to confirm the selection.

1. Based on your configuration, the default billing code is sometimes selected automatically (in
this case: 0 - Default Project). Until you change it, all copies and scans (and prints) will be
interface.
1. Navigate to Billing codes either from the Scan or Copy application.

2. A screen with billing codes displays. If you want to search for billing codes, tap the text
field to enter a search phrase.
3. Type the name or number or text of the billing code you want to search for and tap Search.

4.
Now you can:
Tap the Back button to stop searching and return to the billing codes list.
5. Select one of the billing codes and confirm by tapping the OK button.
Continue to Scanning or Copying
1. Once a billing code is selected, you can continue to the Scan application to start
scanning at the printer's panel.

2. Continue to the Copy application to start copying at the printer's panel.
4.3.5 USING YSOFT SAFEQ TERMINAL ULTRALIGHT
4.3.5.1 Overview
YSoft SafeQ Terminal UltraLight provides a compact, fast, and easy-to-use interface for users to
access multifunction devices (MFDs) and network printers to perform print, copy, and scan
operations. The terminal supports Print Roaming and authorized copying.
The terminal has a touch keypad for user interaction. Users can authenticate with an ID card and
/or by entering a PIN.
YSoft SafeQ Terminal UltraLight Print & Copy can provide authentication for printing and
copying.
YSoft SafeQ Terminal UltraLight Print Only can provide authentication only for printing.

You use the terminal to log in before using the printer.
When logging in with a PIN, touch the keys to enter your PIN, then touch OK.
YSoft SafeQ Terminal UltraLight is equipped with a 2-port Ethernet switch — the MFD or printer
connects to the Ethernet network via the terminal. The terminal communicates with the YSoft
SafeQ server over the Ethernet network. MFDs and other printers communicate with the YSoft
SafeQ server via the terminal.
The terminal also includes an Emergency button for performing service procedures.

The terminal also features:
A microcomputer
Flash ROM
An (optional) card reader – Various optional card readers are available to meet the compatibility
requirements of your existing identification cards. (PINs can be used instead of the card
reader.)
4.3.5.2 Using the Keypad
YSoft SafeQ Terminal UltraLight's capacitive touch keypad does not require finger pressure — a
light touch is enough. (The terminal may have been configured to emit a short beep to signal
when it registers a touch.) (See YSoft SafeQ Terminal UltraLight beep and LED code sequences.)
NOTE: Do not touch the keypad when the terminal is starting up. The keypad is calibrated
every time the terminal starts up — essential for proper operation — and touching the keypad
during startup interferes with this process.
To use the keypad:
Use fingerpads — not fingertips. Fingerpads cover a larger area, enabling better detection by
the terminal.
Use a light touch.
Use only fingers — not instruments such as nails, pens, or screwdrivers.
Do not wear gloves (other than latex gloves such as those used in the medical or food
industries).
The keypad may become more sensitive or less sensitive after a long period of use or when
electrostatic or electromagnetic properties in the surrounding area change. If this occurs, reboot
the terminal or turn the power off/on to recalibrate the keypad automatically.

4.3.5.3 YSoft SafeQ Terminal UltraLight Beep and LED Code Sequences
See YSoft SafeQ Terminal UltraLight beep and LED code sequences.
4.3.5.4 FCC statements
§ 15.21 Information to user
The user's manual or instruction manual for an intentional or unintentional radiator shall caution
the user that changes or modifications not expressly approved by the party responsible for
compliance could void the user's authority to operate the equipment. In cases where the manual
is provided only in a form other than paper, such as on a computer disk or over the Internet, the
information required by this section may be included in the manual in that alternative form,
provided the user can reasonably be expected to have the capability to access information in
that form.
§ 15.105 Information to the user
This equipment has been tested and found to comply with the limits for a Class A digital device,
pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial environment. This
equipment generates, uses, and can radiate radio frequency energy and, if not installed and used
in accordance with the instruction manual, may cause harmful interference to radio
communications. The operation of this equipment in a residential area is likely to cause harmful
interference in which case the user will be required to correct the interference at his own
expense.
4.3.5.5 Logging In and Logging Out at YSoft SafeQ Terminal UltraLight
Logging In
To use the YSoft SafeQ functions at the printer, you must first log in. The method you use
depends on how the system is set up at your location.
Your system may be configured so that you can choose to log in with:
Using Card
To log in, place your ID card on the terminal as shown here. If your ID card is not recognized and
Card Activation Codes are enabled in the YSoft SafeQ management interface, you will get an
Enter Card Activation Code sequence. If you know your card activation code, enter it and press
OK, otherwise, contact your YSoft SafeQ administrator.

Using PIN
Press the keys to enter your PIN (2 to 8 numbers); then press OK.
Using Card and PIN
To log in, place your ID card as shown in the Using Card section, then use the keys to enter your
PIN (2 to 8 numbers) and press OK. If your ID card is not recognized and Card Activation Codes
are enabled in the YSoft SafeQ management interface, you will get an Enter Card Activation Code
sequence.
If you know your card activation code, enter it and press OK, otherwise, contact your YSoft SafeQ
administrator.
If authentication is successful:
You can now use the printer.
If authentication is unsuccessful:
This LED sequence indicates that the terminal did not recognize your ID card:
Place the card on the terminal again. If authentication is still not successful, contact your YSoft
SafeQ administrator.
Logging Out
To log out, touch the X button or OK button on the terminal or swipe any card (if available).

If you do not log out, the printer automatically logs you out after a period set by your system
administrator (typically three minutes).
4.3.5.6 Printing All Your Print Jobs at YSoft SafeQ Terminal UltraLight
Print All Jobs
After you log in, press the Print icon to print all your jobs waiting in the queue. If your terminal is
YSoft SafeQ Terminal UltraLight Print Only, your waiting jobs are printed automatically after you
log in.

Print with Credit Balance
When you use Credit (YSoft Payment System), your print jobs are printed only if you have
sufficient credit balance. Once your jobs are printed, the credit balance automatically decreases.
When you do not have sufficient balance for your jobs, printing is not possible, and YSoft SafeQ
Terminal UltraLight informs you with a . - - beep code.
When you have sufficient balance only for a few waiting jobs, these jobs are printed, and the
remaining jobs are refused. In this case, YSoft SafeQ Terminal UltraLight informs you with a . - -
beep code.
4.3.5.7 Copying at YSoft SafeQ Terminal UltraLight
Copy
If your terminal is the YSoft SafeQ Terminal UltraLight Print&Copy model, you can make copies.
Tap the Copy icon, then select a copy application on the copier's panel to make copies.
If you have no waiting jobs in the queue when you log in, then the terminal automatically goes
into copy mode. Pressing the Copy icon will log you out.

Copy with a Credit Balance
When you are using Credit (YSoft Payment System), your copy jobs only are performed if you
have sufficient credit balance. Once your copy jobs are finished, the credit balance automatically
decreases.
If you do not have sufficient balance for your copy jobs, copying is not possible, and YSoft SafeQ
Terminal UltraLight informs you with a . - - beep code.
If you have sufficient balance for only a few copy jobs, these jobs are performed, and the
remaining copy jobs are refused. In this case, YSoft SafeQ Terminal UltraLight informs you with a .
- - beep code.
4.3.5.8 Scanning at YSoft SafeQ Terminal UltraLight
Scan
Precondition
Your terminal needs to be YSoft SafeQ Terminal UltraLight Print&Copy model to be able to use
the YSoft SafeQ scanning feature.
How to
1. Log in on YSoft SafeQ Terminal UltraLight.
2. Press the copy icon on YSoft SafeQ Terminal UltraLight.
3. Navigate to the scan module on the MFD display.
4. Select the desired destination from the address book of the MFD.

4.
If you are not sure which address book entry to use, please contact your administrator
for detailed instructions.
5. Scan your document
6. Once you log out of YSoft SafeQ Terminal Ultralight, your documents will be delivered as
expected
If you have no waiting print jobs in the queue when you log in, then the terminal automatically
goes to copy/scan mode. Pressing the copy icon will log you out.
Scan with a Credit balance
When you are using Credit (YSoft Payment System), your scan jobs are only performed if you
have sufficient credit balance. Once your scan jobs are finished, the credit balance automatically
decreases.
If you do not have sufficient balance for your scan jobs, scanning is not possible, and the YSoft
SafeQ Terminal UltraLight informs you with a . - - beep code.
If you have sufficient balance for only a few scan jobs, these jobs are performed, and the
remaining scan jobs are refused. In this case, YSoft SafeQ Terminal UltraLight informs you with a .
- - beep code.

4.3.6 USING YSOFT SAFEQ TERMINAL PROFESSIONAL
4.3.6.1 Overview
This chapter provides instructions for using YSoft SafeQ Terminal Professional, firmware version
3.8.0 and higher.
Depending on how your YSoft SafeQ administrator has set up the terminal, you can use the
terminal to:
Access printers and MFDs to print, copy, and scan.
View and select jobs (jobs to print, favorite jobs, and printed jobs).
Print favorite jobs by selecting them at the terminal.
Delete jobs from queues.
View information about print/copying status and detailed price accounting.
that form.

expense.
4.3.6.3 Changing the language of terminal at Terminal Professional
How to
1. Touch the globe icon
2. Touch the language you want.
The available languages depend on how your terminal is configured.

OR
1. Touch the language button to switch to the alternate language.
4.3.6.4 Copying and scanning at Terminal Professional
How to
1. Log in on YSoft SafeQ Terminal Professional.
2. In the Main menu, tap Copying/Scanning.

3. If billing code entry screen opens, select or search for a billing code; then you are moved to
copy screen.
4. On the MFD's control panel, select the options you want; then make the copies or scan
your document. When you finish, tap End. The terminal automatically logs you out.
The terminal displays information about the copies or scans you made.

5. The terminal may or may not display more information about your session, depending on
the way the terminal has been configured.
4.3.6.5 Deleting a print job at Terminal Professional
How to
1. Swipe your card on the card reader and/or enter other login information.
2. Touch Job list button in main menu.

2.
3. You may see submenu depends on administrator's settings. Touch the button for the type
of job you want to delete.
4. Touch the job you want to delete.

5. Touch button Delete.
If you delete a job, you will not be able to reprint it in future.
4.3.6.6 Incompatible jobs at Terminal Professional
How to
1. Print a few jobs
2. Login terminal professional
3. When you select Print option (print all), only compatible jobs will be printed.
Terminal Professional informs you, that there are also incompatible jobs, which were not
printed.
OR
4. Navigate to joblist.
You will see incompatible jobs marked with cross.
You can print only compatible jobs.
Example: As displayed on picture above the printer supports only normal (A5/A4/letter) page
print, so large (A3/legal/tabloid) pages print jobs are incompatible and it is not possible to
print them.
5. It is possible that another printer supports such kind of your print jobs.
So it is recommended to try another printer in your company (in this case of example
above: Try to login and print on the normal (A5/A4/letter) / large (A3/legal/tabloid) printer).

4.3.6.7 Logging In and Logging Out at YSoft SafeQ Terminal Professional
To use the YSoft SafeQ functions at the printer, you must first log in. The method you use
depends on how the system is set up at your location.
How to logging in with a PIN or a card
Your system may be configured so that you can choose to log in either with a PIN or a card.
The first time you use your card, register it as described in Registering a new card at Terminal
Professional.
1. To log in, swipe your card on the card reader embedded in the terminal.
OR
1. Touch PIN.
2. Type your PIN.
3. Touch OK.

4. If you want the printer to print all your unprinted jobs, touch Print.
How to logging in with a username/password or a card
Your system may be configured so that you can choose to log in by entering your username and
password or by swiping your card on the card reader embedded in the terminal.
The first time you use your card, register it as described in Registering a new card at Terminal
Professional.
1. To log in, swipe your card on the card reader embedded in the terminal.
OR
1. Touch Login.

2. Type your username. The keypad works like phone keypads. To enter a lowercase or
uppercase letter, touch a key more than once.
3. Touch OK.
4. Type your password.
5. Touch OK.
6. If you want the printer to print all your unprinted jobs, touch Print.

6.
How to logging out
To log out, on the Main menu, touch End, or swipe any card (if available).
If you do not log out, the terminal automatically logs you out after a period of time set by your
system administrator (typically 1 minute).
4.3.6.8 Print and Copy and Scan with Credit Balance at Terminal Professional
Display the current credit balance
1. Log in.
2. The current credit balance is written in the main menu or job menu next to your user name.

2.
Print with credit balance
1. Print all your waiting jobs by pressing Print button or navigate to Job list to select jobs
you want to print.
2. Once the job is printed, there is displayed consumed price and the credit balance is
decreased.
Hint
You could authenticate again to check your current credit balance.

3. When you try to print jobs, for which you don't have enough credit balance, the printing is
refused.
Only the jobs that you have credit balance for are printed. The ones you do not have
sufficient credit balance for are refused.
The negative account balance can be enabled. Contact your YSoft SafeQ administrator
for more details.
Copy / scan with credit balance
1. Enter the copy / scan menu and start copying / scanning.
After performing the copy / scan job, your credit balance will be decreased.

2. When you try to copy / scan job, for which you don't have enough credit balance, the copy
/ scan job is refused.
Only the pages that you have credit balance for are copied / scanned. The ones you do
not have sufficient credit balance for are refused. There are some limitations depending
on MFP blocking technology / cable.
The negative account balance can be enabled. Contact your YSoft SafeQ administrator
for more details.
4.3.6.9 Printing all your print jobs in the queue at Terminal Professional
Depending on how your administrator has set up the terminal, the print all jobs functionality
could be disabled. Pressing print button enters joblist, where you can individually select jobs to
print.
How to
1. Swipe your card on the card reader and/or enter other login information.
2. On the Main menu, touch Print button.
The Print button displays the number of print jobs you have waiting to be printed. In the
example shown here, three (3) jobs are waiting.

3. The MFD begins to print all your jobs. Then the print message is shown.
4. When all your jobs have been printed, the terminal displays information and then
automatically logs you out.
Price and pages information may or may not appear, depending on how the terminal has
been configured.

4.3.6.10 Registering a new card at Terminal Professional
If YSoft SafeQ does not recognize your ID card, the terminal displays a message asking you to
enter your username and password or Card Activation Code.
How to
1. Place your ID card on the terminal.
2. To assign the card via your username and password, touch LOGIN.
OR
To assign the card via Card Activation Code, touch Act. Code.
The terminal should ask you only for a Card Activation Code or only for a username and
password. This depends on YSoft SafeQ system configuration.
OR
OR
3. When you have selected assigning by username and password, enter your username and
password.

OR
When you have selected assigning by Card Activation Code, enter your Card Activation
Code.
4. Your Card Activation Code appears in an e-mail you receive from YSoft SafeQ.

5. A confirmation message is displayed.
From now on, the terminal will recognize your ID card; you will not have to enter the Card
Activation Code again.
4.3.6.11 Selecting a billing code at Terminal Professional
Your system may be set up to for you to select a project for the copies and scans you make. If
this is the case, after you log in and touch Copying/Scanning, the Project selection screen
appears.
How to
1. Select Copying/Scanning

1.
2. Project selection screen appears.
If you have a default billing code, it is highlighted (Project B is default billing code in this
case).
OR
Project search screen appears.
You can search billing codes by Code number or Code name/description or use exit button
to show Project selection screen.

3. Press to select a billing code.
O R
Touch the folder icon to display a list of sub-codes.

List of sub-codes displayed immediately.
4. Press the Exit button to display:
the list of parent billing codes, if sub-codes is displayed
to use default billing code, if defined
to exit without selecting a billing code, if default code is not defined

5. To display more billing codes, touch the slider.
To search through all the billing codes, touch Filter; then type part of the billing code and
touch OK.
4.3.6.12 Selecting jobs to print at Terminal Professional
How to
1. Place your card on the card reader and/or enter login information.
2. On the Main menu, touch Job list.
3. Depending on the way terminal has been set up, a sub-menu may appear.

3.
Touch the button for the type of job you want to print.
4. Touch the job you want to print.
To print the selected job(s): touch the Print button and the printer prints the job(s).
5. Touch the icon hand; then select one of the following options:
To display more jobs, touch the up or down arrows.
To select / deselect all the jobs, touch Select all / Unselect all.
To mark a selected job as favorite, touch Mark favourite.
To view more information about the selected job, touch Show info.
To display a print job preview, touch Show preview.

Depending on how your administrator has set up the terminal, the Select all item in
context menu could be disabled.
6. Touch Print.

5 ADMINISTRATIVE GUIDES
5.1 QUICK ADMINISTRATION GUIDE
This document enables you to install YSoft SafeQ quickly and easily and helps you configure the
basic settings.
If you require further details, check the full official documentation. The official documentation
has clearly defined installation sections and configuration options are discussed in a greater
level of detail.
5.1.1 WHAT YOU GET WHEN YOU DOWNLOAD YSOFT SAFEQ
When you download the YSoft SafeQ package, you get everything you need to install the system.
The package also includes important tools and standalone applications that can help you
configure and troubleshoot YSoft SafeQ, as well as documentation that provides both basic and
detailed information about various aspects of the system.
5.1.2 INSTALLING YSOFT SAFEQ - PREREQUISITES
Once you have the YSoft SafeQ installation package, you can begin the installation. However, to
make sure your installation is successful, before you begin, consider the following important
preliminary requirements:
A physical or virtual server must be available, dedicated for the YSoft SafeQ system, that
meets the requirements to support YSoft SafeQ functions.
All Windows security and optional updates must be installed.
MFDs and other printers that will be used with YSoft SafeQ must be configured and
connected to the network, and the associated required print drivers and hardware
components (for example, terminals or network readers) must be available.
If you plan to integrate YSoft SafeQ with a User Domain such as Active Directory, Novell, or
OpenLDAP, make sure you have all required information, especially domain controller access
/connection information and an FDQN user directory.
Make sure you have a valid, new activation key.
The activation key is hardware-bound and once used, cannot be reused by a different
computer.

When you are sure your system meets all the prerequisites, you can begin YSoft SafeQ
installation. With the interactive installer, all you need to do is to run the installation file and follow
the steps in the installation wizard.
5.1.3 INSTALLING YSOFT SAFEQ
YSoft SafeQ 6 generally comes bundled in a self-installing package that sets up a YSoft SafeQ
server in your environment. The installer provides several installation scenarios that differ from
each other depending on what type of server you are installing, and how it fits your solution
design or server landscape. Many installer settings are pre-configured to default values that are
enough for a typical YSoft SafeQ installation.
First Server - includes everything you need to use all YSoft SafeQ core features
Site Server - the server dedicated to the printing and scanning features on a site connected
to management server
Management Server cluster node - multiple management servers can together form a cluster
Each scenario has some optional features that can be chosen to enlarge your YSoft SafeQ
feature set but are not vital for YSoft SafeQ core features like printing and scanning to work.
YSoft SafeQ Payment System
YSoft SafeQ Mobile Print Server
Enable the spooling of jobs on this server
YSoft SafeQ comes with a bundled PostgreSQL database that is pre-configured for optimal
performance and security. External PostgreSQL and MSSQL database backends can also be used.
5.1.4 INSTALLATION PROCEDURE
The installer provides a straightforward wizard-like user interface that guides you through the
installation process. During the sequence of installation pages, you will be asked about the
various setup aspects of your YSoft SafeQ solution.
5.1.4.1 Choose Language
The installer is localized to a wide range of languages. Select the language you wish the installer
to communicate with you in.
5.1.4.2 Welcome Page
Click NEXT to continue
License Agreement

Click I Agree to continue.
5.1.4.3 Server Environment
The option First server will guide you through the installation process of Management Server.
This is the foundation on which every YSoft SafeQ 6 solution is based. For small or mid-size
installations, you probably will not need any additional servers. This guide will show you, step
by step, how to install this scenario.
The option Other servers offers the deployment of additional servers that can connect to
Management Server and provide features that large or enterprise environments can benefit
from.
5.1.4.4 Optional Features
Install payment system features - If ticked, YSoft SafeQ Payment System will be installed.
Install mobile print server features - If ticked, Mobile Print Server will be installed.
Install spooling features - If ticked, YSoft SafeQ will start spooling jobs on this server.
Additional setup needed
Both YSoft SafeQ Mobile Print Server and YSoft SafeQ Payment System will need to finish
their integration by visiting the YSoft SafeQ management interface and creating a setup
suitable for your solution.
Install spooling features
Due to a temporary limitation in YSoft SafeQ 6, only the spooling of jobs on the server is
supported. Due to this fact, the value of the spooling features checkbox is regarded as always
being ticked.
5.1.4.5 Pre-installation Check
The pre-installation check performs a series of tests to verify if the server environment is suitable
for the installation. The installer will display a warning or error depending on your environment's
status.
Administrator access for the installer process
Windows OS version (server edition)
The availability of a .NET framework 4.8 or higher
Essential network ports are checked if they are available
Every test made can have three outcomes and is displayed in the corresponding column.

OK - column showing all passed tests
Warnings - column displays events that are important but not essential for installation success.
Typically, problems were detected, but the installer was able to resolve them.
Errors - something that is essential for YSoft SafeQ to work is missing, and the installer was not
able to compensate for it.
The user can continue the installation even if an error occurs, but the installation will probably fail
later on, or YSoft SafeQ will not work properly.
5.1.4.6 Installation Folder Path
Provide the location where you want your YSoft SafeQ installed.
There has to be at least 10 GB of free space on your disk drive.
The folder path must not contain spaces and characters from this set: ~`!@#$%^&*()[]{}?§!=
5.1.4.7 Database Configuration
Choose the database backend you want to use with your YSoft SafeQ installation. The
recommended option is to use an embedded PostgreSQL that is pre-configured for optimal use
with YSoft SafeQ,
5.1.4.8 Embedded Database Configuration
Provide a password that will be used to access the embedded PostgreSQL database. You can
provide your own or generate a password using the corresponding button.
Other Properties
Management Servers use unique GUIDs. Provide your own GUID or use the auto-generated value.
If your server has multiple network interfaces, you can select the network interface from the drop-
down menu that will be used by YSoft SafeQ.
Summary
An installation summary where the user can double check all the installation properties. After
clicking Install, the installation process begins.
5.1.4.9 Installation Progress Page
The installation logs its progress in the form of status messages and the movement of the
progress bar.
5.1.4.10 Installation Finished
The installer informs you about the successful completion of the installation process. Click Finish
to exit safely.

5.1.4.11 Logging Into YSoft SafeQ
To use YSoft SafeQ, log into the YSoft SafeQ interface interface. The default login credentials are:
user: admin
password: admin
If the YSoft SafeQ Management interface is configured to use a different port than the standard
port 80, enter the complete URL (e.g., http://safeq_server_IP:8080/).
Use default credentials to begin working with YSoft SafeQ 6. Choose the desired language for the
YSoft SafeQ Management interface by clicking the national flag.
The domain field is only available in the multitenant environment.
It is possible to hide the field and have its value filled in automatically by pointing the browser
to the specially formed URL in the following format http://safeq_server_IP/login/DOMAIN (or
http://safeq_server_IP:8080/login/DOMAIN if the YSoft SafeQ Management interface is
configured to use a different port than the standard port 80). This can be helpful, for example,
for setting up bookmarks in a user's browser or shortcuts on user's desktop.
5.1.5 ACTIVATING YSOFT SAFEQ
After installation is complete, YSoft SafeQ must be activated. YSoft SafeQ supports two types of
activation: online and offline. The system requires an activation key, which is part of the license
agreement you received after the product was purchased.
To activate YSoft SafeQ using the online activation method, log into the YSoft SafeQ
management interface as administrator and on the Dashboard, enter the activation key. YSoft
SafeQ automatically contacts the Partner Portal and downloads the license.

If the YSoft SafeQ server is not connected to the Internet, please perform offline activation.
5.1.6 YOU ARE NOW READY
After you log in, the YSoft SafeQ Dashboard page opens. A list of widgets is available that you
can use to get information about various YSoft SafeQ functions.
The most important first step is to use the Welcome to YSoft SafeQ widget. This widget shows
you the steps you need to perform before the YSoft SafeQ system is ready to use.
5.1.7 ADDING USERS
If you use Active Directory and want to integrate YSoft SafeQ with your AD domain, follow
these steps. Otherwise, add users manually.
The following steps will guide you through the default Active Directory integration setup.
1. Open the LDAP integration wizard through the Welcome to YSoft SafeQ widget on the main
screen. You can access different levels of detail (Basic, Advanced, and Expert). Particular
sections are covered under the tabs:
Status
Settings
Test
Logs
The settings for LDAP replication can also be found on the interface interface: System >
LDAP Integration

2. Open the Connection section in Settings. On the Connection tab, you can configure the
integration setting with LDAP. Available settings are:
LDAP server type (AD, NDS, OpenLDAP)
Load users on demand - This type of replication mode is sometimes referred to as semi-
online. When enabled, users are created only during job reception or when logging into
the terminal.
Full and differential replication updates only users already registered within YSoft
SafeQ.
Replication of roles and cost centers is unaffected.
When the <removeCardsInDiffLdapReplication> configuration option is enabled, users'

cards removed from LDAP are not removed from the YSoft SafeQ database when
synchronization is run.
URL of LDAP server
Searched LDAP subtree
Service account

There is the possibility to use either an anonymous account or an authorized
account to log into the LDAP server to search for users. The selected account must
have at least read access to view the users and their attributes.
Please ask your domain administrator for this information.
3. Open the Scheduling section. The Scheduling tab gives you the possibility to schedule the
run of replication. All settings are revealed after you check the Enable regular
synchronizations checkbox. The options are:
Start full replication - Here you can select the days and times for full replication by
clicking checkboxes.
Start differential replication - Here you can specify the hours or time interval from the
last replication to start differential replication. This type of replication will start every
day.
You have to restart YSoft SafeQ Management Server to apply these changes.
4. Run the synchronization using the Sync now button.
5. Check the result. The Status tab only contains information about the last synchronization
with the LDAP server (date, duration, and result) and the count of added/updated/deleted
users, cost centers, and roles. If an error occurs, the error is displayed here.
5.1.8 ADDING A PRINTER
Many YSoft SafeQ features require a terminal that controls the associated printer/MFD. For
information about installing and configuring terminals, see the section Embedded Terminals
installation and configuration in the documentation.
5.1.8.1 Adding a Printer to YSoft SafeQ
After installing YSoft SafeQ, add a printer to the YSoft SafeQ system as follows:
1. In the YSoft SafeQ management interface, select Devices from the menu.
2. Select Add device.
3. Proceed through all the device setup options, and configure the settings according to your
needs. (Skip Terminal type unless you want to connect a terminal to the system—a
terminal is not required for direct printing.)
4. In the Direct printing section, enter a unique name for the direct printing queue. We
recommend a name like direct-<name of the machine>, for example, direct-printer1.
5. Click Save changes to save the printer.

5.1.9 CONFIGURING ROLES AND ACCESS DEFINITIONS
5.1.9.1 Configuring Roles
The last thing you need to do is to set up access rights and/or restrictions. These rights and
restrictions are determined by the Roles you define in the YSoft SafeQ system. YSoft SafeQ
includes some predefined roles. If you want to create your own role:
1. In the management interface, select Users > Roles > Add new item.
2. Each user can be assigned one or more roles. To assign a role to a user, edit the user and
assign a role to him or her in the Roles section.
Create an access definition for the new role.
1. After you create a role, to assign it to users, select Rules > Access definition.
Click Add new item, then select the desired User role and the Spooler Controller group. It
is possible to define these restrictions for All devices in the group or just for one selected
device.
2. To allow or restrict the use of the printers in this group, click the icons below the print,
copy, color, fax, and 3D options. A check means that the users the role is assigned to are
permitted to perform the operation. A cross means they are not permitted to perform the
operation.
By default, users are permitted to perform all operations. To force black-and-white

printing for all users the role is assigned to, change the icon to a cross.
3. After the settings are complete, click Add.
5.1.10 BASIC TROUBLESHOOTING
YSoft SafeQ installation cannot proceed - Check to make sure the server meets all the
prerequisites for YSoft SafeQ installation. If you use the graphical YSoft SafeQ installer, after
the pre-installation check is performed, the Warnings and Problems sections provide
information about conditions that have not been met.
YSoft SafeQ installation fail - If the installation proceeds but fails, look in the
<SAFEQ_HOME>\SafeQ6-installation.log to see if you can find the possible cause of the
failure. This log file may redirect you to other log files, depending on the root cause of the
failure.

Activation issues - If you encounter any issues during the activation process (online/offline),
first make sure you are using the correct activation code. Both online and offline activation
processes tell you exactly where the fault is, so troubleshooting should be easy.
A print job sent to the printer was not printed - If you sent a job to YSoft SafeQ, but it did
not print, there can be several causes:
1. In the YSoft SafeQ interface interface, go to Reports > Job list and check to see if the job
is listed there.
If the job is not listed in the Job list, the printer's settings on the Windows workstation
may not be correct. Verify that the printer and its port are configured exactly as described
in this guide and that the queue to which you sent the print job has been created in YSoft
SafeQ.
If the job is in the Job list, check the job's details to see why the job did not print.
2. Other causes of this problem could be incorrect printer settings in YSoft SafeQ (IP address,
queue name, etc.) or incorrect access settings for the printer. You can usually find these
causes in the details about the job in the Job list.
3. If you cannot find the cause of the issue, contact Y Soft Customer Support Services, who
will be glad to help you.
5.2 YSOFT SAFEQ MOBILE PRINT SDK
Document contains reference for implementators of mobile applications for:
Android – YSoft SafeQ Mobile Print SDK - Android
iOS – YSoft SafeQ Mobile Print SDK - iOS
5.2.1 YSOFT SAFEQ MOBILE PRINT SDK - ANDROID
The document describes API for integrating with YSoft SafeQ. The document contains reference
to source code.
The document describes requests for delivering job to Mobile Integration Gateway (MiG).
5.2.1.1 Delivering Print job via MiG
MiG = Mobile Integration Gateway which operates typically on port 8050. This services has full
implementation of IPPS according to Apple's IPP documentation and it also comply with Mopria
standard. It was the first server solution certified by Mopria for IPP delivery. IPP is described in
RFC https://tools.ietf.org/html/rfc2911 - RFC is quite big, we will need just a subset.

To check whether MiG is running just enter following url to browser: https://safeq-server:8050/
Result should be web page with the string:
MIG hello
In web browser
Note: If you do not have valid certificate installed, we recommend to use Firefox for testing
purpose, because it allows you to continue even with not valid certificate on HTTPS.
The job upload to MiG is just one POST request delivered to url: https://safeq-server:8050/ipp/print
.
The request should be composed from following parts
HTTP Header:
Content-Type: application/ipp
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Authorization: Basic BASE64_encoded_password
HTTP Body:
IPP encoded payload
Y Soft recommends to use OkHTTP: https://square.github.io/okhttp/ for upload . Here you may
choose different stack, based on your application.
Following code will construct the header:
val request: Request = Request.Builder()

.url(uploadUrl)
.header("Content-Type", "application/ipp")
.header("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2")
.header("Authorization", this.token)
.post(requestBody).build()
The request body could by generated using IppRequest class described by Petr Barton's his
thesis written in 2016.
You can find the thesis here: https://is.muni.cz/th/wyl4x/?lang=en
PDF: https://is.muni.cz/th/wyl4x/thesis.pdf
Attachment here: https://is.muni.cz/th/wyl4x/attachement.zip
The class is here: android-printservice/app/src/main/java/com/ysoft/safeqprintservice/IppRequest.
java

To serialize the ipp to request body you can use following code:
var ippRequest = IppRequest(myFile.name, myFile.readBytes())
val requestBody = ippRequest.bytes.toRequestBody()
5.2.1.2 Service discovery
One approach to solve service discovery is to register specific DNS A record and point it to print
service. The application can search for subdomain by prepending the text to company domain
provided by DHCP or VPN client.
Following code is able to read domain from DHCP info. Keep in mind that result could be none, one
or multiple domains. In case of multiple domains there could be several different delimiters -
semicolon, comma or space.
// based on: https://stackoverflow.com/questions/46065159/get-android-dhcpinfo-connected-via-

ethernet
val connectivityManager: ConnectivityManager =
applicationContext.getSystemService(Service.CONNECTIVITY_SERVICE) as ConnectivityManager
val link = connectivityManager.getLinkProperties(connectivityManager.activeNetwork)

val domains = link?.domains
if (domains != null) {
domains.replace(",", " ").replace(";", " ")
val myDomainsInArray = domains.split(" ")
for (dhcpDomain in myDomainsInArray) {
...
}
}
The next step is to send request to verify that endpoint exist.
E.g. Company has domain ysoft.local, this was discovered using code above. MiG server has DNS
A record with subdomain safeq6. The application should check url on domain safeq6.ysoft.local.
Verify MiG availability
Send HTTP GET to: /
Expected response: 200 OK with content MIG hello
Verify EUI availability
Send HTTP GET to: /end-user/ui/
Expected response: 200 OK with HTML page containing _csrf token.
Response codes
200 OK - job was accepted by MiG

401 Unauthorized - authorization header is missing or credentials are incorrect
404 Not found - request URL is incorrect and it's not pointing to working MiG /ipp/print
5.2.2 YSOFT SAFEQ MOBILE PRINT SDK - IOS
The document describes API for integrating with YSoft SafeQ. The document contains reference
to source code.
The document describes requests for delivering job to Mobile Integration Gateway (MiG).
5.2.2.1 Delivering Print job via MiG
MiG = Mobile Integration Gateway which operates typically on port 8050. This services has full
implementation of IPPS according to Apple's IPP documentation and it also comply with Mopria
standard. It was the first server solution certified by Mopria for IPP delivery. IPP is described in
RFC https://tools.ietf.org/html/rfc2911 - RFC is quite big, we will need just a subset.
To check whether MiG is running just enter following url to browser: https://safeq-server:8050/
Result should be web page with the string:
MIG hello
In web browser
Note: If you do not have valid certificate installed, we recommend to use Firefox for testing
purpose, because it allows you to continue even with not valid certificate on HTTPS.
The job upload to MiG is just one POST request delivered to url: https://safeq-server:8050/ipp/print
.
The request should be composed from following parts
HTTP Header:
Content-Type: application/ipp
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Authorization: Basic BASE64_encoded_password
HTTP Body:
IPP encoded payload

Following sample code is based on URLRequest (see Apple documentation for more details:
https://developer.apple.com/documentation/foundation/urlrequest). Here you may choose different
stack, based on your application.
Following Swift code will construct the header:
var urlRequest = URLRequest(url: uploadURL)

urlRequest.httpMethod = "POST"
urlRequest.setValue("application/ipp", forHTTPHeaderField: "Content-Type")

urlRequest.setValue("text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2",
forHTTPHeaderField: "Accept")
urlRequest.setValue("Basic \(self.token)", forHTTPHeaderField: "Authorization")
The request body is mix of binary and text protocol known as IPP. We recommend you to read
Petr Barton's his thesis written in 2016.
You can find the thesis here: https://is.muni.cz/th/wyl4x/?lang=en
PDF: https://is.muni.cz/th/wyl4x/thesis.pdf
Attachment here: https://is.muni.cz/th/wyl4x/attachement.zip
The sample implementation in Java class is here: android-printservice/app/src/main/java/com/ysoft
/safeqprintservice/IppRequest.java
Code could serve as inspiration here is code written in Swift. Code is not optimized, it could be
simplified. The point is to demonstrate structure of packet.
To serialize the IPP to request body you can use following code:
var data = Data()
// IPP Version
data.append(contentsOf: [0x01, 0x01])
// Operation ID
data.append(contentsOf: [0x00, 0x02])
// Request ID
data.append(contentsOf: [0x00, 0x00, 0x00, 0x01])
// Operational attributes - signature

data.append(0x01)
// Operational attributes
// Charset tag
data.append(contentsOf: [0x47, 0x00, UInt8("attributes-charset".count)])
data.append("attributes-charset".data(using: .utf8)!)
data.append(contentsOf: [0x00, UInt8("us-ascii".count)])
data.append("us-ascii".data(using: .utf8)!)
// Natural language tag

data.append(contentsOf: [0x48, 0x00, UInt8("attributes-natural-language".count)])
data.append("attributes-natural-language".data(using: .utf8)!)

data.append(contentsOf: [0x00, UInt8("en-us".count)])
data.append("en-us".data(using: .utf8)!)
// Name without language tag

data.append(contentsOf: [0x42, 0x00, UInt8("job-name".count)])
data.append("job-name".data(using: .utf8)!)
data.append(contentsOf: [0x00, UInt8(filename.count)])
data.append(filename.data(using: .utf8)!)
// Boolean tag
data.append(contentsOf: [0x22, 0x00, UInt8("ipp-attribute-fidelity".count)])
data.append("ipp-attribute-fidelity".data(using: .utf8)!)
data.append(contentsOf: [0x00, 0x01, 0x01])
// Job attributes - signature

data.append(0x02)
// Job attributes
// Integer tag
data.append(contentsOf: [0x21, 0x00, UInt8("copies".count)])
data.append("copies".data(using: .utf8)!)
data.append(contentsOf: [0x00, 0x04, 0x00, 0x00, 0x00, 0x01])
// Keyword tag
data.append(contentsOf: [0x44, 0x00, UInt8("sides".count)])
data.append("sides".data(using: .utf8)!)
data.append(contentsOf: [0x00, UInt8("one-sided".count)])
data.append("one-sided".data(using: .utf8)!)
// End attributes - signature

data.append(0x03)
To invoke the delivery it's sufficient to call:
do {
fileUrl.startAccessingSecurityScopedResource()
data.append(try Data(contentsOf: fileUrl))
fileUrl.stopAccessingSecurityScopedResource()
let configuration = URLSessionConfiguration.default

let session = URLSession(configuration: configuration, delegate: self,
delegateQueue:OperationQueue.main)
session.uploadTask(with: urlRequest, from: data, completionHandler: self.

uploadCompletionHandler).resume()
} catch {
print(error)
return false
}

Response codes
200 OK - job was accepted by MiG
401 Unauthorized - authorization header is missing or credentials are incorrect
404 Not found - request URL is incorrect and it's not pointing to working MiG /ipp/print
5.2.2.2 Client certificate support
Set up Nginx proxy before MiG. Replace mig-server-address by your server.
listen [::]:443 ssl;

listen 443 ssl;
ssl_certificate /etc/.../fullchain.pem;
ssl_certificate_key /etc/.../privkey.pem;
ssl_dhparam /etc/.../ssl-dhparams.pem;
location ^~ /ipp/print {
proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;
proxy_pass http://mig-server-address:8050;
}
ssl_client_certificate /etc/nginx/ssl/ca.cer;
ssl_verify_client on;
The application must implement urlSession handler to recognize

NSURLAuthenticationMethodClientCertificate.
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,

completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
let authenticationMethod = challenge.protectionSpace.authenticationMethod
switch authenticationMethod {
case NSURLAuthenticationMethodClientCertificate:
print("handle client certificates")
handleClientCertificate(didReceive: challenge, completionHandler: completionHandler)
....
To send the client certificate to server (after initial response). It's necessary to load certificate in
P12 format.
Client certificate might be protected by password, in order to open the certificate it's necessary
to specify the password.
The next step is to create identityTrust which loads certificate and password.
To complete the client certificate loading, it's necessary to invoke completionHandler.
func handleClientCertificate(didReceive challenge: URLAuthenticationChallenge,

completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {

let documentsUrl = FileManager.default.urls(for: .documentDirectory, in: .
userDomainMask).first!
let localCertPath = documentsUrl.appendingPathComponent( "client.p12")

print(localCertPath)
let localCertData = try? Data(contentsOf: localCertPath)

if localCertData != nil
{
let clientCertificatePassword = UserDefaults.standard.string(forKey: "CLIENT_CERTIFI
CATE_PASSWORD_KEY") ?? ""
let identityAndTrust:IdentityAndTrust = extractIdentity(certData: localCertData! as

NSData, certPassword: clientCertificatePassword)
let urlCredential:URLCredential = URLCredential(
identity: identityAndTrust.identityRef,
certificates: identityAndTrust.certArray as [AnyObject],
persistence: URLCredential.Persistence.forSession);
completionHandler(URLSession.AuthChallengeDisposition.useCredential, urlCredential);
return
}
challenge.sender?.cancel(challenge)
completionHandler(URLSession.AuthChallengeDisposition.rejectProtectionSpace, nil)
Additional code to work with TrustIdentity
public struct IdentityAndTrust {

public var identityRef:SecIdentity
public var trust:SecTrust
public var certArray:NSArray
}
public func extractIdentity(certData:NSData, certPassword:String) -> IdentityAndTrust {
var identityAndTrust:IdentityAndTrust!
var securityError:OSStatus = errSecSuccess
var items: CFArray?

let certOptions: Dictionary = [ kSecImportExportPassphrase as String : certPassword ];
// import certificate to read its entries
securityError = SecPKCS12Import(certData, certOptions as CFDictionary, &items);
if securityError == errSecSuccess {
let certItems:CFArray = (items as CFArray?)!;

let certItemsArray:Array = certItems as Array
let dict:AnyObject? = certItemsArray.first;
if let certEntry:Dictionary = dict as? Dictionary<String, AnyObject> {
// grab the identity

let identityPointer:AnyObject? = certEntry["identity"];
let secIdentityRef:SecIdentity = (identityPointer as! SecIdentity?)!;

// grab the trust
let trustPointer:AnyObject? = certEntry["trust"];
let trustRef:SecTrust = trustPointer as! SecTrust;
// grab the certificate chain

var certRef: SecCertificate?
SecIdentityCopyCertificate(secIdentityRef, &certRef);
let certArray:NSMutableArray = NSMutableArray();
certArray.add(certRef as SecCertificate?);
identityAndTrust = IdentityAndTrust(identityRef: secIdentityRef, trust: trustRef,

certArray: certArray);
}
}
return identityAndTrust;
}
5.3 EXTERNAL SCRIPTS AND TOOLS
5.3.1 CLI DEVICE REPLICATOR
This external utility is used for device replication from files into the internal YSoft SafeQ
Management Service database.
5.3.1.1 At a Glance
See YSoft shell information page for information on how to run shell.
5.3.1.2 CLI Device Replicator
The command for replicator is "device replicate".
The device replicator has these parameters:
--username Name of the user connected to the rest service (administrator user name)
--password User password
--tenant Tenant domain identification (if not set, the default value is 'tenant_1')
--host URL of YSoft SafeQ Management service (if not set, the default value is
https://localhost The port number may be omitted as well, default is 80)
An example of command line arguments

With the parameters above, the .bat file for fast run can be created:
call "c:\SafeQ6\Management\utilities\Import tool\import_tool.bat" device replicate --

username admin --password admin --tenant tenant_1 --host https://localhost
The following steps are needed to enable CSV file replication:
1. Configure the replication source directory by editing the deviceReplicationDir configuration

property through System Settings. Usually, it is an absolute path on the local computer.
An example of a root folder for replication files
2. Configure the incrementalDeviceReplication property—if disabled (default), the replicator will

delete all devices created by the previous replication. If enabled, the replicator will only
update existing devices.
3. Configure sending emails when replication fails—see Replicator e-mail configuration page.
4. Create CSV files according to the structure described in the next chapter. Use UTF-8 for
CSV file encoding.
5. Start the replicator by running the command line (for its parameters, see above).
6. For regular synchronization with the CSV file, schedule the import via system scheduled
tasks.
7. Information about replication results will be saved into the log file (ysoft-shell.log) stored
next to the import_tool.bat file.
Supported file formats: CSV (separated with ';'), Microsoft Excel (XLS and XLSX).
5.3.1.3 File Structure
Before replication, the respective files must be stored in the directory according to the
configuration (see above).

These files must be stored in the format shown below. The files are processed in alphabetical
order based on their names. (For replication, only some of them may be used.)
Optional values may be left blank. In this case, they will be obtained from the device template
All names are "case-sensitive", i.e., small and capital letters are distinguished. Example: group
"default" is not the same as "Default".
Format of a row - single item entry
<device name>;<spooler controller group name>;<template unique ID>;<network address>;<device group

name>;[direct queues];[reporting cost center number];[location or description];[Equipment ID];
[Service Agreement ID];[Contact person];[ZIP code];[terminal network address];[terminal serial
number]
Column specification
Device name – the name of a device. This parameter does not have to be unique in the device
group. If device name is not specified, the device will not be replicated.
Spooler controller group name – name of a spooler controller group to which the device will
be assigned. If no group exists or specified group does not exist then device will not be
replicated.
Template unique ID – ID of device template from which the values not specified in the CSV
file will be taken. All missing parameters (in the case of a new device) are taken over from it.
If the template does not exist or is not specified, the device will not be replicated.
Device network address – the network address must be unique. If the device network
address is not specified or is not unique, the device will not be replicated.
Device group name – the name of a device group to which the device will be assigned. If no
group exists or the specified group does not exist, the device will not be replicated.
Direct queues – if the value is filled out, then direct queues will be assigned to the device. If
updating the device, then all previously assigned direct queues will be removed and newly
specified queues added. The individual names must be separated by commas (if multiple
queues are to be assigned). The direct queue must be unique within all of YSoft SafeQ. If a
device with the same direct queue exists, the new device will not be replicated.
Reporting cost center number– the cost center to which the device will be assigned if the
value is specified. In the case of a new device, if the value is incorrect (the cost center has
already been deleted or renamed) or the value is not specified, the value is taken from the
template. If no such cost center number exists (the cost center in the template is also
incorrect), the device will not be replicated.
Location or description description – a description of the device. If no value is specified, then

the value from the template is taken (in the case of a new device).
Equipment ID – the equipment number of the device. If no value is specified, then the value
stays empty.

Service Agreement ID – the maintenance contract number. If no value is specified, then the
value stays empty.
Person to contact – the n ame, email, or phone number of the contact person. If no value is
specified, then the value from the template is taken (in the case of a new device).
ZIP code – the zip code of the city where the device is. If no value is specified in the CSV file,
then the value from the template is taken (in the case of a new device).
Terminal network address - the network address of the terminal. If the terminal network
address is not specified, device network address is used. It's possible to alter value only for
Terminal Professional version 4 terminal type.
Terminal serial number - the serial number of Terminal professional 3.5 or Terminal ultralight.
There are two types of item in the row format prescription:
items in "< >" are required
items in "[ ]" are optional
Sample row:
Printer24;Spooler1;zQhcyz3dxa;10.0.10.12;MFDs;;0;Corridor B, near kitchen;;125498541000454;;;

10.0.10.12;SQPR12345678900
If replicated devices use an embedded terminal, admin will have to install the embedded
terminal manually after replication. The embedded settings are preconfigured, and admin just
has to click the reinstall button in the device settings or the special page where all terminals
can be reinstalled.
5.3.2 CLI USER REPLICATOR
The User Replicator is intended for the downloading of users, cost centers, and/or user roles
from pre-defined supported files and for storing its information in the YSoft SafeQ
Management Service internal database. YSoft SafeQ provides a REST web service as a
middleware, so authentication is required.
By default, the User Replicator will not edit user entities (user, user role, cost center) created
from different source (e.g. LDAP replication). To allow such editing, please see section Allow to
combine user entity sources.

5.3.2.1 At a Glance
See the YSoft shell information page for information on how to run shell.
5.3.2.2 CLI User Replicator
The command for the User Replicator is "user replicate"
User Replicator do not edit another user entity (user, user role, cost centre) by default.
User Replicator has the following parameters:
--username Name of user connected to the rest service (administrator username)
--password User password
--tenant Tenant domain identification (if not set, the default value is 'tenant_1')
--host URL of YSoft SafeQ Management service (If not set, the default value is
https://localhost . The port number may be omitted as well, default is 80.)
Example of command line arguments
user replicate --username username --password password --tenant

tenant_1 --host https://localhost
With the parameters above, the .bat file for a fast run can be created:
@echo off
set IMPORTDIR=%SAFEQ_HOME%\utilities\Import tool\
cd %IMPORTDIR%
call "%IMPORTDIR%import_tool.bat" user replicate --username csv --password csvimport --
tenant tenant_1 --host https://localhost
The following steps are needed to enable CSV file replication:
1. Configure the replication source directory by editing the userReplicationDir configuration

property through System Settings. Usually, it is an absolute path on a local computer.
Example of root folder for replication files

2. Create CSV files according to the structure described in the next chapter. Use UTF-8 for
CSV file encoding.
3. Configure the sending of emails when replication fails—see Replicator e-mail configuration
page.
4. Start replicator by running command line (for its parameters, see above).
5. For regular synchronization with the CSV file, schedule the import via system scheduled
tasks.
6. Information about replication results will be saved into the log file (ysoft-shell.log) stored
next to the import_tool.bat file.
Supported file formats: CSV (separated by ';'), Microsoft Excel (XLS and XLSX).
Allow to combine user entity sources
Set configuration property allowCombiningUserEntitySources t o allow to combine user entity

(user, user role, cost center) sources during replication. This configuration option applies only to
creating and updating of user entities.
5.3.2.3 File Structure
Before replication, the respective files must be stored in the directory according to the
configuration (see above).

If you store a subdirectory in the aforementioned directory, the files from all the subdirectories
are parsed recursively.
These files must be stored in the format shown below. The files are processed in alphabetical
order based on their names. (For replication, only some of them may be used.)
Only one type of input information per file is allowed, e.g., you cannot import users and
update card numbers in the same file.
Files must be imported in logical order, e.g., users must be created before a card is assigned to
them.
The User Replicator is not able to create/modify the money accounts in YSoft Payment
System.
Supported input types
User information
Card numbers
Cost centers
Roles
Mapping roles to users
Update of users
Deletion of users
Set user's password
Replication of complete user list
Replicates the complete list of all users created from an external source.
<user ID>;<login,alias,...>;<first name>;<last name>;[email];<centre number>;[home directory]
The replication has the following features:
If the userID equals zero, then the user is updated based on the login (first record). Otherwise,
the user with ID matching the userID is updated.
If the replicator finds an existing user, the replicator compares existing records. In the case of
changes, it updates relevant data (and adds and/or removes data).
If the replicator does not find a user, a new one is created. The user ID for the new user is
added by database sequence, not by the userID specified in the data.
Records not present in the list (and created by the replicator before) will be marked deleted.

PIN or card number update
Adds additional information to an existing list of users (internal and/or replicated from another
source).
PINCARD;<login>;<PIN/card number>
or deprecated variant (where user login cannot contain only numbers):
<login>;<PIN/card number>
New PINs or card numbers will be added to corresponding records.
PINs or card numbers not specified in the list will be deleted.
Empty fields in place of a PIN/card number imply the removal of all associated records.
When importing a PIN already encrypted via MD5, add the tag md5@@ before the whole PIN
e.g., jondoe;md5@@PINe10adc3949ba59abbe56e057f20f883e
Records (for a given login) not present in the list (and created by a replicator before) will be
marked deleted.
Cost center list replication
The list of all cost centers to be replicated into the internal database.
DEPT;<centre number>;<centre name>
Centers not included in the list (and created by the replicator before) will be removed (marked
deleted).
Other cost centers will be added and/or updated.
Role list replication
The list of all roles to be replicated into the internal database.
ROLE;<role name>;<role description>
Roles not included in the list (and created by the replicator before) will be removed (marked
deleted).
Other roles will be added and/or updated.
Assignment of user to role
The list of roles the user has been assigned to.

RMAP;<login>;<role name>
Only roles in the list will be kept for a user (plus the role Everyone); the others (created by
replicator before) will be removed.
Set password for user
This replication type can be used to initialize a password for replicated (or any other) users.
A password is set only if the user does not have one. This should prevent the situation when the
next replication overwrites the current user's password that the user chose instead of the
default one (for example, via the Dashboard widget, if the password change action is enabled via
their user's rights).
PASSWORD;<login>;<password>
Password cannot be empty and must be entered as plain text
Update of users
While the replication of users require a list of all users (not-listed users are deleted), the update of
users updates only particular users.
USERUPDATE;[userID];[login,alias,...];[name];[surname];[email];[centre number];[home directory]
If the userID is not empty, the user is searched by ID. Otherwise, the user is searched by login.
Parameters can be empty. Only filled-in values are updated for the user.
Users can be updated only if they were created by the replicator before.
Deletion of users
While the replication of users deletes all not-listed users, deletion of users deletes only particular
users.
USERDELETE;[userID];[login,alias,...]
If the userID is not empty, the user is deleted based on ID. Otherwise, the user is deleted
based on login.
Users can be deleted only if they were created by the replicator before.
There are two types of item in the row format prescription:
An item in "< >" is required

An item in "[ ]" are optional
Sample row:
0;johndoe;John;Doe;john.doe@example.com;0;
5.3.3 DB VALIDATOR TOOL
This tool is used and configured during the installation process.
DB Validator is a tool for deploying the YSoft SafeQ Management database or upgrading it to a
higher version. The process of validation consists of the following steps:
checking the current version of the YSoft SafeQ Management database from the tables
smartq_validator in all YSoft SafeQ Management schemas (cluster_mngmt, tenant_1,
dwhtenant_1, ...)
checking the required version from *.dbinfo files located in the YSoft SafeQ Management
root\conf\modules (for example, c:\SafeQ6\Management\conf\modules\*)
if needed (when the required version is higher than the current version in the database), the
database is upgraded to the required version
5.3.3.1 Where to Find the DB Validator
DB Validator root is located in the YSoft SafeQ Management installation in the validator folder. (For
example, c:\SafeQ6\Management\validator\)
5.3.3.2 How to Configure the Tool
The tool is configured during the installation process, so it does not need any other settings. The
configuration file (DBValidator.properties) can be found in DB Validator root under the conf folder.
(For example, c:\SafeQ6\Management\validator\conf\DBValidator.properties)
5.3.3.3 How to Run the DB Validator
The tool can be run using validatorRunner.exe located in the DB Validator root under the \bin
folder. (For example, c:\SafeQ6\Management\validator\bin\validatorRunner.exe)

5.3.4 GDPR TOOLS
5.3.4.1 Executive Summary
The General Data Protection Regulation has been thoroughly written about and explained in white
papers and periodicals that give it the attention it deserves. The intent of this article is to provide
the reader with an understanding on how the included GDPR executables can help an
administrator execute upon a Data Subject's rights. In particular, Y Soft has developed three
executables, each with a specific purpose:
rtbf.exe: Allows an administrator to execute a Data Subject's Right to be Forgotten within

YSoft SafeQ
rta.exe: Allows an administrator to execute a Data Subject's Right to Access of Data within
YSoft SafeQ
rtr.exe: Allows an administrator to execute a Data Subject's Right to Restriction of Processing

withing YSoft SafeQ, or to later re-identify a user whose request has expired.
For the purpose of this document, the following distinctions will be made:
Structured Data includes data contained within YSoft SafeQ that has intentional, strictly
defined purposes. This includes, for example, network usernames, names, surnames, email
addresses, and home directories. Structured Data is intended to store only personal data, not
sensitive data, unless the source of the data (e.g., Active Directory) was poorly defined or
managed.

Unstructured Data includes data contained within YSoft SafeQ that is not well defined or
structured. This includes, for example, print jobs submitted by the Data Subject, along with
metadata such as job titles, job origin, or file names. There is no simple way to filter this
information to ensure it does not contain sensitive personal data, and thus the user is at their
discretion to ensure that they understand this when submitting print jobs to YSoft SafeQ.
The scripts provided here are compatible with YSoft SafeQ 6 MU17 or later build. For customers
who have upgraded from much older versions of YSoft SafeQ 6, verify that the following lines are
present and have appropriate values in the Management folder's safeq.properties file, located in
the conf directory. Older releases only had the line database.global.management.username. The
below code block is only a sample, and will not work in production environments.
# Database
...
database.global.management.domain =
database.global.management.username.without.domain =
database.global.management.username = ${database.global.management.username.without.domain}
...
Visual C++ Redistributable Package for Visual Studio 2015: https://www.microsoft.com/en-us

/download/details.aspx?id=48145
5.3.4.3 Right to be Forgotten
The executable rtbf.exe is a simple command-line application that can be used in interactive or
non-interactive mode to remove references to a Data Subject or fields that may contain a Data
Subject's personal or sensitive data. This includes references to all Structured Data containing
user data, but also unstructured data in the form of print job metadata.
The application works by fully anonymizing details that could be attributed back to an individual.
To ensure that the data is still useful for reporting purposes, the username is still unique,
however an administrator is unable to attribute this information back to a specific Data Subject.
Execution
When running in interactive mode, you will be prompted to provide a user's login to remove. You
will then be prompted with the extent of data that will be removed, with a request to proceed.
Once this is done, the application will then prepare a series of queries, but will not commit the
transaction until the very end. If the transaction fails for any reason, there is no need to worry
about only partially deleted records.

The application can be run in non-interactive mode by supplying the parameters -u <username> --
no-prompt where <username> is the login of the user.
Out of Scope
Information within the main databases of YSoft SafeQ are affected when this application is run. It
does not modify system logs, archives of reports that an administrator or manager may have
created, or print data files residing on YSoft SafeQ servers.
The following versions are not supported with this solution:
YSoft SafeQ 4, any SR
YSoft SafeQ 5, any MU
Support has not been tested for versions of YSoft SafeQ 6 prior to MU17. The solution only
supports the first tenant in multi-tenant installations.
5.3.4.4 Right to Access
rta.exe provides a human-readable document containing all of a Data Subject's information

collected. For completeness, this report includes details on all available print jobs, user details,
statistics from the data warehouse web reporting, as well as information from the DataMart, if
enabled. The report can be quite large, especially if the user is a heavy printers. Note that print
job titles are included, as users may print personal documents with sensitive titles.
The output is a simple HTML document with minimal CSS styling for better readability. Also note
that an explanation of the data is included at the head of the document.

5.3.4.5 Right to Restriction of Processing
The executable rtr.exe is also a simple command-line application that can be used in interactive or
non-interactive mode. This application requires configuration in advance by setting up a separate,
restricted database that the system can use to store data about a user to preserve the
information and to keep it from being processed further. It then creates a pseudonym in YSoft
SafeQ's systems for the user and redacts all other references to a Data Subject, including file
names. Once a request has expired, or there is a need to re-identify the user, the -R flag will allow
the administrator to reverse the process.
5.3.4.6 Right to Access - rta.exe
Name
rta - YSoft SafeQ 6 GDPR Right to Access CLI
Synopsis
rta [-u login] [-o outputDir] [-V] [-l logFileName] [--log-file-trace logFileName] [--log-file-debug
logFileName] [--log-file-info logFileName] [--log-file-warning logFileName] [--log-file-error logFileName] [--
log-file-critical logFileName] [--version]

Description
YSoft SafeQ 6 - GDPR Right to Access CLI. Allows an administrator to execute a Data Subject's
right to access. The program works by retrieving all references to structured and unstructured
data within the YSoft SafeQ 6 databases related to the user, and exporting them to a single
Hypertext Markup Language (HTML) file. The application must be run on one of the YSoft SafeQ 6
Management servers, as it references the configuration files to connect to the database.
The following information is stored in the HTML file:
User: The contents of the row that specifies the user
Aliases: All known aliases of the user
Terminal Accesses: List of times the user was identified accessing a Terminal
Job Details: Detailed record of print job metadata collected related to the user, including file
names and job titles
Job Accounting: List of print, copy, scan and faxing accounting data associated with the user
Data Warehouse: List of information related to the user stored in the Data Warehouse and
DataMart
The template for the HTML file is located in the same directory as the application. Minor
modifications, such as changing the CSS Stylesheet formatting or the verbiage explaining the
data, can be performed by anyone familiar with HTML, however it is not recommended to modify
any section containing reserved name placeholders (words in all capital letters, with an
ampersand at the beginning and end). Records in log files on YSoft SafeQ servers will not be
provided.
Options
-u, --user <login> User to remove from the system
-o, --outputDir <directory> Output directory for the report to be delivered to
-r, --random-retries <Number> The number of times to generate a random number until failure.
Default 1000
-V, -VV, -VVV Increase logging level to (-V) INFO, (-VV) DEBUG, or (-VVV) TRACE
-l, --log <logFileName> Specify the log file where output will be sent
--log-file-trace <logFileName> Specify the log file where trace level logging will be sent
--log-file-debug <logFileName> Specify the log file where debug level logging will be sent
--log-file-info <logFileName> Specify the log file where info level logging will be sent
--log-file-warning <logFileName> Specify the log file where warning level logging will be sent
--log-file-error <logFileName> Specify the log file where error level logging will be sent

--log-file-critical <logFileName> Specify the log file where critical level logging will be sent
--version Print version and exit
5.3.4.7 Right to be Forgotten - rtbf.exe
Name
rtbf - YSoft SafeQ 6 GDPR Right to be Forgotten CLI
Synopsis
rtbf [-u login] [-n] [-r] [-V] [-l logFileName] [--log-file-trace logFileName] [--log-file-debug logFileName] [--
log-file-info logFileName] [--log-file-warning logFileName] [--log-file-error logFileName] [--log-file-critical
logFileName] [--version]
Description
YSoft SafeQ 6 - GDPR Right to be Forgotten CLI. Allows an administrator to execute a Data
Subject's right to be forgotten. The program works by anonymizing all references to structured
and unstructured data within the YSoft SafeQ 6 databases related to the user. The application
must be run on one of the YSoft SafeQ 6 Management servers, as it references the configuration
files to connect to the database.
Tables impacted include:
Print Jobs: Job titles, file names, and origins will be changed to <DELETED>. Favorited jobs will
be un-favorited.
Cards: Cards and PINs associated with the Data Subject will be removed.
Aliases: Any aliases will be removed.
PIN History: If PIN history is enabled, all records of a Data Subject's PIN history will be
removed.
Roles: If the Data Subject has any roles specifically associated with them, they will be
disassociated from them
Terminal Accesses: Any records of accessing terminals will be removed.
Email Stats: Any scheduled statistics and counter reports to be sent to the data subject will
be removed.
Data Warehouse: References to the Data Subject in the Data Warehouse and the DataMart
will be anonymized
User: Name, surname, home directory, email, password (if relevant), extended ID, and notes will
be cleared out. The login will be anonymized, and the source

The Data Subject's user login is anonymized, but still unique. All anonymized users will have a
login of "DELETED_" followed by a large random number. Due to the uniqueness of each customer
environment and identity management systems, it may still be possible to identify a Data Subject
using knowledge aggregated from systems outside of YSoft SafeQ. As an example, a user may be
the only member of a Cost Center, or may have been known to be the only person to print at a
specific time.
Records in log files on YSoft SafeQ servers will not be anonymized. However, the logs will be
rotated out and the user will eventually have their data removed. Any previously exported reports
will also not be anonymized.
Options
-n, --no-prompt Do not prompt for confirmation
Default 1000.
-V, -VV, -VVV Increase logging level to (-V) INFO, (-VV) DEBUG, or (-VVV) TRACE.
Running in unattended mode
rtbf -n -u <login>
If a batch of requests need to be processed, the above statement will not require any prompt to
complete the action, and will supply the name. Specifying a log file will allow an Administrator to
check on the success or failure of each individual request by using the -l <logFIleName> attribute.
5.3.4.8 Right to Restriction of Processing - rtr.exe
Name
rtr - YSoft SafeQ 6 GDPR Right to Restriction CLI

Synopsis
rta [-u login] [-n] [-R] [-r numRetries] [-V] [-l logFileName] [--log-file-trace logFileName] [--log-file-debug
logFileName] [--log-file-info logFileName] [--log-file-warning logFileName] [--log-file-error logFileName] [--
log-file-critical logFileName] [--version]
Description
YSoft SafeQ 6 - GDPR Right to Restriction of Processing CLI. An Administrator can restrict further
processing of a Data Subject in YSoft SafeQ by replacing the user's login and personal data with
a pseudonym. Note that doing so will prevent the user from continuing to use the solution, and
should only be used if the user is not expected to interact with YSoft SafeQ while their data is
restricted.
A separate database must be created and properly configured so that the application can store
mapping tables between the Pseudonym and the actual Data Subject. The restricted database
can be either PGSQL or MSSQL, A companion configuration file, rtr-db.conf, must be modified by
the database administrator with the proper connection information. The password can be
encoded using the widget on the Management server's dashboard. The first time the application
is run with a successful connection to the restricted database, the user will be asked to create
the schema. Consult with your company's legal team on ensuring the database is isolated and
properly protected from processing by unauthorized third parties.
Tables impacted include:
Print Jobs: Job titles, file names, and origins will be changed to RESTRICTED. Favorited jobs
will be un-favorited.
Cards: Cards and PINs associated with the Data Subject will be removed.
Aliases: Any aliases will be removed.
Terminal Accesses: Any records of accessing terminals will be removed.
Data Warehouse: References to the Data Subject in the Data Warehouse and the DataMart
will be changed to RESTRICTED
User: Name, surname, home directory, email, password (if relevant), extended ID, and notes will
set to RESTRICTED or cleared out. The login will be changed to a pseudonym.
Mobile Terminal Tokens and Codes will be completely removed. Users will need to be issued
new tokens or codes.
The Data Subject's user login is pseudonymized, and still unique. All pseudonymized users will
have a login of "restricted_" followed by a large random number. Due to the uniqueness of each
customer environment and identity management systems, it may still be possible to identify a
Data Subject using knowledge aggregated from systems outside of YSoft SafeQ. As an example,
a user may be the only member of a Cost Center, or may have been known to be the only person
to print at a specific time.

Records in log files on YSoft SafeQ servers will not be pseudonymized. However, the logs will be
rotated out and the user will eventually have their data removed. Any previously exported reports
will also not be pseudonymized.
Options
-n, --no-prompt Do not prompt for confirmation
-o, --outputDir <directory> Output directory for the report to be delivered to
-R Lift the restirction of processing on the user
Default 1000.
-V, -VV, -VVV Increase logging level to (-V) INFO, (-VV) DEBUG, or (-VVV) TRACE.
5.3.5 REPLICATOR EMAIL CONFIGURATION
The replicator tasks support sending an email when replication has not finished successfully. The
email sending feature must be configured:
1. Configure the sendEmailWhenReplicationFails property—enables the sending of an email

to the administrator when replication fails.
2. Configure the replicationResultAddresses property—a comma-separated list of email

addresses where the replication error report is sent. The sendEmailWhenReplicationFails
configuration property must be enabled.
The replicator sends a separate email for each processed file.

5.3.6 THE YSOFT SAFEQ 5 TO YSOFT SAFEQ 6 UPGRADE TOOL
The YSoft SafeQ 5 to YSoft SafeQ 6 upgrade tool is intended for completely upgrading YSoft
SafeQ 5 to YSoft SafeQ 6. This tool runs automatically Installing YSoft SafeQ 6 Server from
the Server installer, but if the upgrade process fails, it can also be run manually.
Under the hood, it runs the database procedures and imports a special Rule-based Engine file
to migrate data from the older version to the newer one.
Please note that in case the embedded PostgreSQL database is used in a time zone other
than GMT, the following workaround to the known limitation must be applied.
Configuring the PostgreSQL Time Zone for Correct Print Job and Report Data
5.3.6.1 Overview
The upgrade tool drives the whole process of an upgrade from YSoft SafeQ 5 to YSoft SafeQ 6. It
runs a set of upgrade steps, checks their results, and decides if the next step runs or the
upgrade process aborts. The main purpose of the upgrade process is to migrate the database.
The migration is divided into particular steps that have to be run in a set order. If any step fails,
the migration process aborts, data from the particular step rolls back, and the manual intervention
of an administrator is required. The administrator can check logs (and the upgrade report) and
decide if the upgrade process can be continued by ignoring the step's result or whether the
whole step can be skipped. Ignoring the step result means that the step is processed, data is
probably partially migrated, and the execution of the next steps can be attempted. When the step
cannot be finished due to technical reasons, the step can be completely ignored, but the
administrator must explicitly exclude the step after careful consideration.
Prerequisites
Java (minimal version Java 11) must be installed on the server with the YSoft SafeQ 5 to
YSoft SafeQ 6 upgrade tool (alternatively, configure the JAVA_HOME system property and
path to the upgrade tool in <SAFEQ6_HOME>/Management/upgrade/sq5-upgrade-tool.bat if it
is not configured automatically by the installer).
Installed YSoft SafeQ 6 (fulfilled by the installer).
Restored/visible original databases from YSoft SafeQ 5 as the data source, typically SQDB5
and SQDB5_SQDW. A new database for YSoft SafeQ 6 must be prepared as the data target.
These prerequisites should be fulfilled by the installer.

The upgrade tool must be configured before the first run —so all properties in
<SAFEQ6_HOME>/Management/upgrade/conf/sq5-upgrade-tool.properties must be filled (the
installer will set the configuration automatically, but they can be changed).
Database engines of both old and new installation must aligned (PostgreSQL→ PostgreSQL,
MS SQL→MS SQL). Migration between database engines is not supported.
Configuration properties (with example values):
YSoft SafeQ 6 section - the installed upgraded version
sq6.configuration.file= c:/SafeQ6/Management/conf/safeq.properties - Path to

Management Service configuration file.
sq6.database.tenantDomain = tenant_1 - Tenant domain name where data from the older
version of YSoft SafeQ will be migrated.
sq6.localSpoolerController.guid = <GUID> - Generated unique ID of the Spooler Controller

if it is presented on the same server as Management Service. This value can be empty if
at least one ORS server exists in the upgraded YSoft SafeQ 5.
sq6.localSpoolerController.network.address = <network addres> - Network address of

the Spooler Controller if is presented on the same server as Management Service. This
value can be empty if at least one ORS exists in the upgraded YSoft SafeQ 5. If the sq6.
localSpoolerController.guid property is filled, it must also be filled.
YSoft SafeQ 5 section - the installed version to upgrade
sq5.rbeRules.file = c:/SafeQ5/conf/rools.drl - Path to RBE rules file.
sq5.database.host = 127.0.0.1 - Database host.
sq5.database.name = SQDB5 - Name of the database.
sq5.database.dwh.name = SQDB5_SQDWH - Name of the warehouse database.
sq5.database.port = 1433 - Port of the connection to the database.
sq5.database.username = username - Database user name.
sq5.database.password = *** - Database password.
Each time the upgrade tool is reconfigured, it must be restarted.
The properties sq5.database.username, sq5.database.password, sq5.database.host, sq5.

database.port are ignored in the case of the MSSQL database because YSoft SafeQ 5
databases must be on the same database machine and credentials for YSoft SafeQ 6 are
used instead. The properties must, however, still be set even if they have no effect (this is a
known limitation of the upgrade tool).

How to Run
The Management Service and other services connected with YSoft SafeQ must be stopped
before the upgrade runs.
Run the upgrade tool shell with <SAFEQ6_HOME>/Management/upgrade/sq5-upgrade-tool.bat

and then run the required shell command (for supported commands, see next, run help for list of
possible commands, or see documentation at Spring shell documentation page)
Run the upgrade tool shell with the required command immediately— run <SAFEQ6_HOME>
/Management/upgrade/sq5-upgrade-tool.bat <command>
The upgrade can take time depending on the size of the database (especially based on, e.g.,
the number of devices, jobs in reports, etc.).
After Running
See the console output and also the log files and upgrade report.
These are the possible results of running the upgrade tool (in the console or log output):
SUCCESS - the upgrade process ended successfully with nothing to solve.

WARNING - the upgrade process ended successfully but has changed the system
configuration (by design). It is strongly recommended to review the changes and adjust them
to match business requirements.
FAILED - there were some critical problems during the upgrade process that must be solved
with support.
Because of upgrade does not solve licensing of migrated devices and entities in general, there
can be the notification that re-licensing of the product is necessary for Management Service
notifications (after administrator signs in). Reactivation must be done within 10 days after
upgrade otherwise the devices can be removed from the system. Also, devices will not work
until reactivation because of technical limitations. See how to activate new license after
upgrade.
Check in general that migrated data are as expected.
If YSoft SafeQ 6 manages printing devices, all device terminals must be reinstalled (use
Devices > Printers > select all devices > Actions > Reinstall terminal). After re-installation check
that devices working properly.
5.3.6.2 The "Upgrade" Command
The command for running the whole upgrade is: upgrade

The upgrade command has optional parameters:
--ignore-steps-result - A comma-separated list of step names that result will be ignored during
the upgrade (i.e., when the step fails, the upgrade can continue to the next step).
--ignore-steps - A comma-separated list of step names that will be ignored during the upgrade.
Use this option as the last possibility to continue with the upgrade only when the
consequences the of the ignored step are well known.
upgrade --ignore-step-result TENANT.DEVICES,DWH.STATS --ignore-steps TENANT.COMMON
Steps names have to be in the format <upgrade scheme>.<upgrade step>
Allowed upgrade schemes:
CLUSTER - scheme for cluster management steps loaded automatically for the "tenant_1"
database scheme
TENANT - scheme for upgrading the tenant database
DWH - scheme for upgrading the tenant's warehouse database
Allowed upgrade steps:
INITIALIZE: This step creates database entities for migration and cleans logging tables.
COMMON: This step prepares common data for migration (id conversion tables).
POOL: This step migrates data about a file pool to be deleted.
CONFIGURATIONS: This step migrates the system/tenant configuration.
USERS: This step migrates users data.
DEVICES: This step migrates devices data, including terminals.
DEVICE_TEMPLATES: This step migrates device templates data, including terminal
templates.
QUEUES: This step migrates queues data.
PRICELISTS: This step migrates price lists data.
PROJECTS: This step migrates billing codes data.
JOBS: This step migrates jobs data.

STATS: This step migrates the metadata of reports (web reports, management reports,
scheduled reports to email and file, ...).
REPORTS: This step migrates reporting data.
RBE_RULES: This step migrates the RBE data file into the database.
SCAN_WORKFLOWS: This step migrates scanning workflows.
See a detailed step description for more information about particular steps.
5.3.6.3 The "Rules Import" Command
The RBE rules import is a part of the upgrade process, but the import can be run separately with
the command: rule import
The rule import command has an optional parameter:
-- file The path to the YSoft SafeQ 5 RBE rules file to import. If this option is not set, the
default file from the upgrade tool's configuration is used.
rule import --file C:/path/rbe.drl
5.3.6.4 The Upgrade Tool File Structure and Logs
The <SAFEQ6_HOME>/Management/upgrade structure:
/bin - The folder with necessary binaries for internal purposes
/conf/
sq5-upgrade-tool.properties - Configuration of the upgrade
log4j2.xml - Configuration of the logging (the upgrade tool must be restarted when the
configuration changes)
/lib - Necessary libraries for internal purposes
/logs - The folder with the log files
upgrade-tool.log<timestamp> - The log with technical notes from run
upgrade-tool-history.log - A history of commands

sq5-upgrade-tool-rbe-rules.log<timestamp> - The extracted results of the RBE rules
import
Upgrade-report-<timestamp>.xlsx - A report of the upgrade (a steps overview with details

for each step)
sq5-upgrade-tool.bat - The main runner of the upgrade tool
5.3.7 YSOFT SAFEQ 6 EMBEDDED TERMINAL MIGRATION TOOL
YSoft SafeQ 6 Embedded Terminal Migration Tool can be downloaded from Partners Portal.
YSoft SafeQ 6 Embedded Terminal Migration Tool allows administrators to assign or reassign an
MFD to YSoft SafeQ site servers easily when upgrading to YSoft SafeQ 6. It also allows the
assigning of terminals from multiple site servers into one site server or dividing terminals from
one site server to multiple site servers. Additionally, YSoft SafeQ Embedded Terminals can be
reinstalled in bulk when the YSoft SafeQ servers' upgrade to version 6 is finished.
The migration process also provides the full re-installation of migrated printers.
Assigning and reassigning an MFD is an advanced feature. We recommend using it under GSS
supervision.
5.3.7.1 Requirements
Windows OS
YSoft SafeQ 6 MU16 and newer builds.
A user with correct user rights.
5.3.7.2 Screens
Login Screen
Type of Migration
Model of Migration
Adding Terminal Servers Manually
Import Terminal Server from a CSV File
Migration Screen
Migration Progress Screen

Schedule Migration Screen
Change Terminal Server Screen
The Reports Screen
Migration Configuration
5.3.7.3 Required User Rights
YSoft SafeQ 6 Embedded Terminal Migration Tool can be used only by a user with specified user
rights.
To allow a user to migrate a terminal using YSoft SafeQ Embedded Terminal Migration Tool, the
following steps need to be performed:
Create a new user role named management-api-operator.
In the access rights section, enable the access right Remote access via the Management
Server REST API for the role.
Create a new user who can operate SQMT (please note that this user must be different to an
administrator user).
Assign the following roles to the user:
safeq admins
SQTS API operators
management-api-operator
It is possible that after the update, YSoft SafeQ6 may be missing the "SQTS API operators"
role. In that case, use the following command in the database:
INSERT INTO tenant_1.users (login, pass, name, surname, sign, email, flag, ip, card_num, ou_id,
ou_number, ext_id, login_ascii, name_ascii, surname_ascii, replicated, homedir, ext_name,
safeq_oid, tenant_id, source, user_note) VALUES ('sqts api operators', '', '', 'YSoft SafeQ
Terminal Server API operators', '', '', 163840, '', '', 0, 0, NULL, 'sqts api operators', '', 'YSoft SafeQ
Terminal Server API operators', 0, NULL, NULL, 10, NULL, 'INTERNAL_DATABASE', NULL);

5.3.7.4 Login Screen
Address to YSoft SafeQ 6
The IP address or Hostname of YSoft SafeQ 6 Management.
Username and Password
The credentials of the YSoft SafeQ user with all the required user rights specified in Required
user rights.
Accepting a Certificate
All communication is processed by HTTPS protocol. If the certificate used in management cannot
be trusted, then the Certificate error screen is shown.
The user can continue by accepting a not-trusted certificate.

5.3.7.5 Type of Migration
This screen allows you to choose the type of migration you want to process. Pressing the Start
button will start downloading the current structure from YSoft SafeQ Management. This can take
a few minutes.
Upgrade
The Upgrade option will create a structure where the source and target Terminal Server are the
same. Terminals are already assigned to Terminal Servers, and a user can make changes if
necessary.
New servers
This option creates an empty target structure. It is necessary to assign terminals to Terminal
Server to start the migration process.
Import topology
This option allows importing a CSV file where source devices and target devices should be filled
in. Right after choosing this option, the tool allow user to download CSV file with actual topology,
this CSV file user can use as template for import.
5.3.7.6 Model of Migration
This screen allows the assigning of terminals to new target Terminal Servers. A user can add new
target Terminal Servers and also assign terminals to target Terminal Servers using drag and drop.
When the terminals migrate all assigned items, then the user can move to the next screen using
the Migration button.
An added target Terminal Server has to be assigned to the current Spooler Controller group.

Assigning a Target Terminal Server
Assigning is performed using a drag and drop operation. Drag the Terminal Server from the left
and place it on the Terminal Server on the right. When a terminal is dropped on the target
Terminal Server, then the source Terminal Server is shown inside the target Terminal Server.
Multiple source Terminal Servers can be moved to one target Terminal Server.
Screen Messages
Add YSoft SafeQ 6 Terminal Servers
This message is visible when no target Terminal Server exists. This screen is the default for the
New Servers option.
Drag and drop to assign all terminals
This message shows a user they can assign terminals to a Terminal Server using drag and drop.

Congratulation! You assigned all terminals
This message informs the user they assigned all terminals to the target Terminal Servers.
Buttons
Add Terminal Servers manually
This button opens Adding Terminal Servers Manually. On this screen, the user can add the target
Terminal Servers.
Import CSV
This button allows import target Terminal Server from CSV file.
Adding Terminal Servers Manually
This screen allows the adding of new target Terminal Servers into a current SPOC group.
After adding/generating Terminal Servers, the state of the Terminal Server is checked.

Add Hostname or IP address
A new target Terminal Server is created.
Generate from Hostname or IP address
Allows the generating of a sequence of Hostnames or IP addresses.
Accepting Certificates
When Terminal Server does not have a trusted certificate, then you must accept the certificate
by clicking the Accept all (accept certificates of all added/generated Terminal Servers) or Accept
button for each Terminal Server separately.
Import Terminal Server from a CSV File
CSV Format
Columns should be separated by commas.
One file per SPOC Group contains only the IP address list
Example:
Terminal Server IP
<10.0.0.1>
One file for all SPOC Groups with two columns
Example:

Spoc Group Name Terminal Server IP
<10.0.0.1>
<Group Name 1>
5.3.7.7 Migration Screen
On this screen, a user can start a migration. A migration can be started by pressing the Migrate
All button, the Migrate button in terminal actions, or by scheduled migration.
Terminals are divided into multiple tabs depending on their state. These states can be filtered by
SPOC group.
The migration's progress is shown on the Migration Progress Screen.
In the top right-hand corner is the button for the The Reports Screen.
Terminal Actions
Terminal actions appears in the context menu after pressing the button.

Migrate now
This button starts the migration of the current terminal.
Schedule migration
This button opens the Schedule Migration Screen.
Change terminal server
This button opens the Change Terminal Server Screen.
Migration Progress Screen
This modal dialog shows the migration's progress.
Running migrations are processed by YSoft SafeQ 6 Embedded Terminal Migration Tool. Do not
shut down your computer until the end of the progress. When an application is closed during
migration, then all migrations in the state In progress will be moved to the state Failed.
This report shows all finished migrations.

Try again each
When enabled, then unsuccessful migrations will run again periodically at the selected interval.
Change Terminal Server Screen
This screen allows the assignment of the terminal server and starting migration using the
Migration screen.
Schedule Migration Screen
This screen allows the scheduling of the migration at a specified time in a specified time zone.

Try again each
When enabled, then unsuccessful migrations will run again periodically at the selected interval.
5.3.7.8 The Reports Screen
A user can open this screen by clicking the Report button in the top right-hand corner.
On this screen, the user sees an overall report of the migration progress.
A report can be downloaded as a CSV format file using the Download report button in the top
right-hand corner. Data in the report can be refreshed by clicking the Refresh button.
5.3.7.9 Migration Configuration
How to configure
Configuration is made using JSON configuration file. Name of the file has to be app-config.json.
This file does not exist and therefore it has to be created first. Place it to c:\Users\<user
name>\AppData\Roaming\SafeQMigrationTool\.

Configuration properties
List of all available configuration properties.
Configuration file can contain only properties you want to set. Others stay in default.
Property Default Description

value
DeviceApiDom tenant_1 Device API domain (YSoft SafeQ 6 Management domain).

ain
DeviceApiPort 443 Device API port (YSoft SafeQ 6 Management port).
DeviceListPag 100 How many devices should be downloaded using Device API per one
eSize request.
RequestTimeo 120 Device API requests timeout.

ut
LocalPort 5000 Internal API port. If all local port properties are defined then this
property has priority.
LocalPortMin 5000 Used for looking for a free port when exact internal API port cannot be
specified. Minimal port number to look for.
LocalPortMax 6000 Used for looking for a free port when exact internal API port cannot be
specified. Maximal port number to look for.
Example file
Name Version Published
app-config.json 1 2019-01-17 08:32
5.3.8 YSOFT SHELL
Java (minimal version Java 11) has to be installed on the server with YSoft Shell (alternatively,
configure the JAVA_HOME system property in import_tool.bat).
5.3.8.2 How to Run
Run YSoft Shell with "import_tool.bat" and then run the required command (run help for a list of
possible commands or see the documentation on the Spring shell documentation page).
Run YSoft Shell with the required command immediately—run "import_tool.bat <command> --
required parameters".

5.3.8.3 YSoft Shell Plugins (commands)
See the Spring shell documentation page for general use and possible default parameters.
5.3.8.4 Security
When YSoft Shell needs to connect to the server, it is necessary to pass the host name to the
server (it depends on the command).
There are two possibilities for providing the URL to CLI—it can connect through HTTP and a more
secure HTTPS protocol (e.g., http://localhost vs. https://localhost). If it connects through HTTPS,
then a certificate for the server must be in trusted certificates. The Trust Store and Key Store
for certificates are fully configured in the conf\cli.properties file where, as default, there is a path
to the YSoft SafeQ Management Server Trust Store where the YSoft SafeQ Management Server
default certificate is saved. If the server has another certificate, it must be added to the Trust
Store (see conf\ssl-truststore) or the path to the Trust Store in conf\cli.properties must be
changed.
Structure of conf\cli.properties
cml_home - path to home directory
truststore.path - path to trust store
truststore.password - password to trust store
keystore.path - path to key store
keystore.password - password to key store
5.4 HOW TO GUIDES
5.4.1 CONFIGURATION OF A REVERSE PROXY FOR MOBILE TERMINAL WITH

YSOFT SAFEQ 6 IN A DMZ
To expose YSoft SafeQ 6 (or a specific part), an administrator must set up a reverse proxy that
relays requests to the server in a DMZ running the service.
This manual covers both the unencrypted version of communication via HTTP and the
encrypted version via HTTPS.
There are two possible channels where you can turn on encryption: from Mobile Terminal to
Proxy, from Proxy to Terminal Server.
After successful configuration, the Reverse Proxy will respond to both unencrypted
communication on port 5021 and encrypted communication on port 5022.

An IIS server accessible from outside the private network
5.4.1.2 A Step-by-step Guide
Step 1 - Installing Required IIS Modules
If your instance of IIS does not have the modules URL Rewrite and Application Request Routing
installed, you must install them first. Otherwise, you can skip to Step 2.
To install the URL Rewrite module, go to the Microsoft Downloads Page and download the
installer appropriate for your version of Windows. Install the module by following the install wizard
instructions.
To install the Application Request Routing module, go to the Microsoft Downloads Page and
download the installer appropriate for your version of Windows. Install the module by following the
install wizard instructions.
Step 2 - Configuring Server Certificates for HTTPS
1. Using the openssl utility, pre-installed certificate (safeq-tomcat.crt), and private key (safeq-
tomcat.key) located in <SafeQ Management>\tomcat\conf\ directory, generate the
certificate.
openssl pkcs12 -export -in safeq-tomcat.crt -inkey safeq-tomcat.key -out SERVERNAME.pfx
SERVERNAME should be the YSoft SafeQ server host name
When running the command, you will be asked to enter the private key password. You can
find it in the tomcat configuration file <SafeQ Management>\tomcat\conf\server.xml, the
attribute is called SSLPassword.
2. After you have generated the certificate, you must import it into IIS. In the IIS Manager,
follow the steps described in the images below.

3. In the popup window, select the generated certificate file and enter the SSL password
once again.
4. You must use this same certificate on the Terminal Server. To do that, follow the guide at
Configuring secured connection between terminals and Terminal Server.
Step 3 - Setting Up a Reverse Proxy Site in IIS
Once you have the modules installed and the certificate is set up, you can start configuring the
site used for the reverse proxy in the IIS Manager.
1. Create a new site (ReverseProxy) with binding on port 5021.
2. Add HTTPS binding by clicking the Bindings action in the right pane in the site configuration.

3. In the popup dialog, click Add to add the HTTPS binding, then fill in the form and select the
correct imported certificate in the SSL certificate drop-down menu.
4. Then on the proxy server machine, open the web browser and access the proxy using its
IP address
a.
a. If your proxy server IP is 10.0.11.103, then open https://10.0.11.103:5022 in the web
browser and install the certificate of the proxy server.

Step 4 - Adding the Rewrite Rule
When setting up the rewrite rule, you must make sure there are not any rules in the parents
of the site that might override it.

1. Double click the URL Rewrite Module icon, from the Actions Panel (on the right), select Add
Rule(s).
2. In the popup dialog, select Reverse Proxy and click OK. If you see another popup, click OK
again.
3.
3. In the next dialog, fill in the field Enter the server name or the IP address... to match the IP
address of the endpoint in your network, enter {SERVER_PORT} as the port and uncheck
SSL Offloading.
Step 5 - Pointing Mobile Terminal to the Correct Address
Once the reverse proxy is set up in IIS, you must point the Mobile Terminal application to the right
address.
1. Generate a QR code for a printer.
2. Scan the QR code with a scanning application of your choice to get the content of the QR
code.
a. You will receive text that looks similar to this: {"terminalServerEndpoint":"https://10.

0.10.150:5022/et/v1/201"}
b. You must change only the host part of the URL so that it corresponds to your
exposed server on which you have set up the reverse proxy.
i. Example: if the IP address of the server with the reverse proxy is 10.0.11.103,
then you would modify the text so it looks like this: {"terminalServerEndpoint":"
https://10.0.11.103:5022/et/v1/201 "}
c. Generate a new QR code from the modified text (for example, with this online tool:
https://www.ysofters.com/qr/ ).
3. You can scan this new QR code using Mobile Terminal. If you have set up everything
correctly, you should have the ability to log in and see your jobs.

5.4.2 CONFIGURING DATABASE POOL OF MANAGEMENT AND LDAP REPLICATOR
This article will help you with the configuration of the database connection pool.
5.4.2.1 Tomcat JDBC Connection Pool Configuration
The configuration is stored in <SafeQ Management>\conf\safeq.properties.
Management connection pool uses application for basic database operations:
Default properties of Management connection pool
# The maximum number of active connections that can be allocated from this pool at the same
time, or negative for no limit.
database.connections.max = 50
# The initial number of connections to create when the pool is started.
database.connections.min = 5
# The minimum number of established connections that should be kept in the pool at all times.
# The connection pool can shrink below this number if validation queries fail. The default
value is derived from initialSize.
database.idle.min = 5
# The number of seconds to set for the query timeout. A value less than or equal to zero will
disable this feature.
database.connections.queryTimeout = 120
# Number of milliseconds before running a validation check to ensure that the JDBC connection
is still valid.
# A connection that has been validated within this interval is not revalidated. Running
validation checks too frequently can slow performance.
database.connections.cleanerPeriod = 10000
# Set to true if you want the connection pool to rollback any pending transaction when a
connection is returned.
database.rollback.on.return = true
# Indicates whether objects are validated before borrowed from the pool.
# If the object fails to validate, it is dropped from the pool, and an attempt is made to
borrow another.
database.test.on.borrow = false
# Indicates if objects are validated before they are returned to the pool.
database.test.on.return = true
# Indicates whether objects are validated by the idle object evictor (if any). If an object
fails to validate, it is dropped from the pool.
database.test.while.idle = true
# Set to true to remove abandoned connections if they exceed the removeAbandonedTimeout.
# Setting this to true can recover database connections from poorly written applications that
fail to close a connection.
# A connection is considered abandoned and eligible for removal if it has been idle longer than
the removeAbandonedTimeout.
database.remove.abandoned = true
# Timeout in seconds before an abandoned connection can be removed. The value should be set to
the longest running query your applications might have.
database.remove.abandoned.timeout = 120
# The SQL query used to validate connections from this pool before returning them to the caller.
# If specified, the query must be an SQL SELECT statement that returns at least one row.
database.validation.query = SELECT 1
# The maximum milliseconds a pool with no available connections will wait for a connection to
be returned before throwing an exception, or -1 to wait indefinitely.
database.max.wait = 30000

# The number of milliseconds to sleep between runs of the idle object evictor thread.
# The thread checks for idle, abandoned connections and validates idle connections. The value
should not be set below 1 second (1000).
database.time.between.eviction.runs.millis = 5000
# The minimum amount of time an object may sit idle in the pool before it is eligible for
eviction by the idle object evictor, if any.
database.min.evictable.idle.time.millis = 60000
# Time in milliseconds to keep this connection. This attribute works both when returning
connection and when borrowing connection.
# When a connection is borrowed from the pool, the pool will check to see if the now - time-
when-connected > maxAge has been reached,
# and if so, it reconnects before borrow it. When a connection is returned to the pool, the
pool will check to see if the now - time-when-connected > maxAge
# has been reached, and if so, it closes the connection rather than returning it to the pool.
The default value is 0,
# which implies that connections will be left open and no age check will be done upon borrowing
from the pool and returning the connection to the pool.
database.max.age.millis = 60000
Management warehouse connection pool uses application for reporting database operations:
Default properties of Management warehouse connection pool
# The maximum number of active connections that can be allocated from this pool at the same
time, or negative for no limit.
databaseWarehouse.connections.max = 10
# The initial number of connections to create when the pool is started.
databaseWarehouse.connections.min = 1
# The minimum number of established connections that should be kept in the pool at all times.
# The connection pool can shrink below this number if validation queries fail. The default
value is derived from initialSize.
databaseWarehouse.idle.min = 1
# The number of seconds to set for the query timeout. A value less than or equal to zero will
disable this feature.
databaseWarehouse.connections.queryTimeout = 1800
# Number of milliseconds before running a validation check to ensure that the JDBC connection
is still valid.
# A connection that has been validated within this interval is not revalidated. Running
validation checks too frequently can slow performance.
databaseWarehouse.connections.cleanerPeriod = 10000
# Set to true if you want the connection pool to rollback any pending transaction when a
connection is returned.
databaseWarehouse.rollback.on.return = true
# Indicates whether objects are validated before borrowed from the pool.
# If the object fails to validate, it is dropped from the pool, and an attempt is made to
borrow another.
databaseWarehouse.test.on.borrow = false
# Indicates if objects are validated before they are returned to the pool.
databaseWarehouse.test.on.return = true
# Indicates whether objects are validated by the idle object evictor (if any). If an object
fails to validate, it is dropped from the pool.
databaseWarehouse.test.while.idle = true
# Set to true to remove abandoned connections if they exceed the removeAbandonedTimeout.
# Setting this to true can recover database connections from poorly written applications that
fail to close a connection.
# A connection is considered abandoned and eligible for removal if it has been idle longer than
the removeAbandonedTimeout.
databaseWarehouse.remove.abandoned = true

# Timeout in seconds before an abandoned connection can be removed. The value should be set to
the longest running query your applications might have.
databaseWarehouse.remove.abandoned.timeout = 1800
# The SQL query used to validate connections from this pool before returning them to the caller.
# If specified, the query must be an SQL SELECT statement that returns at least one row.
databaseWarehouse.validation.query = SELECT 1
# The maximum milliseconds a pool with no available connections will wait for a connection to
be returned before throwing an exception, or -1 to wait indefinitely.
databaseWarehouse.max.wait = 30000
# The number of milliseconds to sleep between runs of the idle object evictor thread.
# The thread checks for idle, abandoned connections and validates idle connections. The value
should not be set below 1 second (1000).
databaseWarehouse.time.between.eviction.runs.millis = 5000
# The minimum amount of time an object may sit idle in the pool before it is eligible for
eviction by the idle object evictor, if any.
databaseWarehouse.min.evictable.idle.time.millis = 60000
# Time in milliseconds to keep this connection. This attribute works both when returning
connection and when borrowing connection.
# When a connection is borrowed from the pool, the pool will check to see if the now - time-
when-connected > maxAge has been reached,
# and if so, it reconnects before borrow it. When a connection is returned to the pool, the
pool will check to see if the now - time-when-connected > maxAge
# has been reached, and if so, it closes the connection rather than returning it to the pool.
The default value is 0,
# which implies that connections will be left open and no age check will be done upon borrowing
from the pool and returning the connection to the pool.
databaseWarehouse.max.age.millis = 60000
If you change the configuration, you must restart the proper service: YSoft SafeQ Management
Service service or YSoft SafeQ LDAP Replicator service.
The configuration of the PostgeSQL database is stored in <SafeQ Management>\PGSQL-data\
postgresql.conf.
PostgreSQL connection properties
max_connections = 120
If you change the configuration, you must restart the YSoft Bundled PostgreSQL 9.4 service.
5.4.3 CONFIGURING MS SQL SERVER DATABASE SNAPSHOT ISOLATION
Snapshot isolation enhances concurrency for OLTP applications.

It is enabled automatically for new installations where database is created by YSoft SafeQ
installer since YSoft SafeQ MU23.
If you are updating from older YSoft SafeQ 6 version (less than MU23) or if the YSoft SafeQ
databases were created manually, then snapshot isolation needs to be enabled manually.
If Payment System is in use, then snapshot isolation needs to be enabled for its database
manually (if you did not do so before).

5.4.3.1 How to check snapshot isolation current state
1. Connect to the SQL Server and run the following query:
SELECT name, collation_name, state_desc, snapshot_isolation_state_desc,

is_read_committed_snapshot_on, recovery_model_desc, containment_desc, is_trustworthy_on
FROM sys.databases WHERE name like '%SQDB6%'
2. If you see that snapshot_isolation_state_desc is OFF for YSoft SafeQ databases, then
please continue with the next section.
5.4.3.2 How to set up the database
1. Stop YSoft SafeQ Management Service, YSoft Infrastructure Service and YSoft SafeQ LDAP
Replicator services on all Management nodes.
a. If Payment System is in use, stop also YSoft SafeQ Payment System service.
2. If your database name does not equal SQDB6, please change the name according to your
configuration. Connect to SQL Server and run the following commands:
SQL Server commands
ALTER DATABASE [SQDB6] SET ALLOW_SNAPSHOT_ISOLATION ON

ALTER DATABASE [SQDB6] SET READ_COMMITTED_SNAPSHOT ON
ALTER DATABASE [SQDB6_IMS] SET ALLOW_SNAPSHOT_ISOLATION ON

ALTER DATABASE [SQDB6_IMS] SET READ_COMMITTED_SNAPSHOT ON
3. If you use separate database for data warehouse, reconfigure it as well:
ALTER DATABASE [SQDB6_DWH] SET ALLOW_SNAPSHOT_ISOLATION ON

ALTER DATABASE [SQDB6_DWH] SET READ_COMMITTED_SNAPSHOT ON
4. Same applies for Payment System database, if Payment System is in use:
ALTER DATABASE [SQDB6_YPS] SET ALLOW_SNAPSHOT_ISOLATION ON

ALTER DATABASE [SQDB6_YPS] SET READ_COMMITTED_SNAPSHOT ON
5. Start YSoft SafeQ Management Service, YSoft Infrastructure Service and YSoft SafeQ
LDAP Replicator services again.
a. If Payment System is in use, start also YSoft SafeQ Payment System service.
See Microsoft documentation of Snapshot Isolation in SQL Server for more information.

5.4.4 HOW AND WHEN TO RESTART A STANDALONE SPOC AND SPOC GROUP
This "how to" describes how and when it is necessary to restart SPOC or a SPOC group. It is
strongly recommended to perform the restart with no load on the SPOC server (no new jobs, no
printing/copying/scanning, ...) and running YSoft SafeQ Management Server.
A SPOC group with only one SPOC server is not a supported configuration. A SPOC group has
to have at least two SPOC servers.
To control services, run 'Services' on the Windows server (Start > Run > Services.msc > Enter).
What a SPOC cache is and how to delete it is described in How to Delete the YSoft SafeQ
Spooler Controller Cache.
5.4.4.1 SPOC Maintenance Scenarios:
When Creating a SPOC Group from Standalone SPOCs
When a new SPOC group was created on YSoft SafeQ Management Server, follow the steps
below.
If the SPOC servers are newly installed, then:
Follow the steps described in the section How to safely restart a SPOC group without cache
deletion below ( In this case, it is not necessary to wait as described in step 8).
If SPOC servers are already in production and contain waiting and printed jobs, then:
Follow the steps described in the section How to safely restart a SPOC group with cache deletion
.
When Adding a Standalone SPOC to an Existing SPOC Group
When a standalone SPOC was added to an existing SPOC group on YSoft SafeQ Management
Server, follow the steps below.
When adding a standalone SPOC to an existing SPOC group that already has two members:
Follow the steps described in the section How to safely restart a SPOC group with cache deletion
below, including the newly added SPOC.
When adding a standalone SPOC to an existing SPOC group that already has three or more
members:
1. a. Stop the YSoft SafeQ Spooler Controller service and YSoft SafeQ Spooler Controller
Group Service service on the newly added SPOC.

1.
b. Stop the YSoft SafeQ Terminal Server service on the newly added SPOC.
c. Stop all other YSoft services except those on the newly added SPOC.:
i. YSoft SafeQ Management Service service (if present)
ii. YSoft Bundled PostgreSQL 9.4 service (if present)
iii. YSoft Bundled Etcd service (if present)
d. Delete the cache folder <SAFEQ_DIR>\SPOC\SpoolCache on the newly added SPOC.
e. Follow the steps described in the section How to safely restart a SPOC group without
cache deletion below only for SPOCs in the original SPOC group.
f. Start the YSoft SafeQ Spooler Controller service on the newly added SPOC and verify
that the YSoft SafeQ Spooler Controller Group Service service starts automatically
within 1-2 minutes.
g. Start the YSoft SafeQ Terminal Server service on the newly added SPOC.
h. Start all the other YSoft services stopped in step c. on the newly added SPOC.
When Removing One SPOC from a SPOC Group
When one SPOC is removed from a SPOC group on YSoft SafeQ Management Server, follow these
steps:
1. a. Follow the steps described in the section How to safely restart a SPOC group with
cache deletion below only for the SPOCs that stayed in the SPOC group.
b. Stop the YSoft SafeQ Spooler Controller service and YSoft SafeQ Spooler Controller
Group Service service on the removed SPOC.
c. Stop the YSoft SafeQ Terminal Server service on the removed SPOC.
d. Stop all other YSoft services except those on the removed SPOC:
i. YSoft SafeQ Management Service service (if present)
ii. YSoft Bundled PostgreSQL 9.4 service (if present)
iii. YSoft Bundled Etcd service (if present)
e. Start the YSoft SafeQ Spooler Controller service on the removed SPOC.
f. Start the YSoft SafeQ Terminal Server service on the removed SPOC.
g. Start all the other YSoft services stopped in step d. on the removed SPOC.
When Moving a SPOC from a SPOC Group to Another SPOC Group
When it is necessary to move a SPOC from a SPOC group to another SPOC group, do it in two
steps.
1. First, remove the SPOC from the SPOC group and make it a standalone SPOC.
2.

2. Then add the standalone SPOC to the new SPOC group.
Optionally, it can be done in one step, but then it is necessary to follow the How to
safely restart a SPOC group with cache deletion section below for both SPOC groups.
When Changing the IP Address of Site Server
When the IP address of Site Server (SPOC) is changed as described in the section How to Change
the IP Address of YSoft SafeQ Site Server, then follow the steps described in the section How to
safely restart SPOC group with cache deletion on all remaining members of Spooler Controller
Group to properly reconnect the node with the changed IP address.
When Restarting the Server with the Installed SPOC
When a server restart is required due to, e.g., Windows updates, Windows failure, or a hardware
configuration change, then restart the operating system. Windows shuts down all services,
reboots, and then restarts them.
The SPOC server that is not part of the SPOC group:
You may restart multiple SPOC servers in parallel
SPOC servers in a SPOC group (any size of SPOC group):
Only one member (server) of a SPOC group can be restarted at a time. Once the server
restarts and the SPOC is visible online on Management Server (YSoft SafeQ Management
Server administration > Devices > Spooler Controller Groups), wait circa 5-10 minutes. If
you wish, you may then proceed with the restart of the next SPOC server in the group.
If you restarted multiple members of a SPOC group in parallel, follow the section How to
safely restart a SPOC group with cache deletion on all members of a SPOC group.
5.4.4.2 SPOC Restart Procedures:
The following section describes the process for restarting a standalone SPOC and a SPOC group.
To choose the right one, please check the use cases above. If you delete the cache during a
restart, the cache recovery algorithm executes and the SPOC downloads all its jobs from YSoft
SafeQ Management Server and saves them to its cache and distributed layer if the SPOC is in
the SPOC group. If you do not delete the cache during the restart, the cache rescue algorithm
executes. The difference between the cache recovery and cache rescue algorithm is that in the
cache rescue algorithm, the jobs are not downloaded from YSoft SafeQ Management Server and
stored in the cache and distributed layer again, but only the jobs' "statuses" are updated
according to the newest time stamp (the time stamp on the SPOC vs. the time stamp on YSoft
SafeQ Management Server).

How to Safely Restart a SPOC Group with Cache Deletion
1. Stop the YSoft SafeQ Spooler Controller service and YSoft SafeQ Spooler Controller Group
Service service.
2. Stop the YSoft SafeQ Terminal Server service.
3. Stop all other YSoft services except those:
a. YSoft SafeQ Management Service service (if present)
b. YSoft Bundled PostgreSQL 9.4 service (if present)
c. YSoft Bundled Etcd service (if present)
4. Repeat previous steps 1-3 on all Site Servers in the Spooler Controller group.
5. Delete the cache folder <SAFEQ_DIR>\SPOC\SpoolCache on all Site Servers in the group.
6. Start the YSoft SafeQ Spooler Controller service and verify that the YSoft SafeQ Spooler
Controller Group Service service starts automatically within 1-2 minutes.
7. Start the YSoft SafeQ Terminal Server service.
8. Wait until the YSoft SafeQ Spooler Controller service starts and is online. Check that
<SAFEQ_DIR>\SPOC\logs\spoc_lifecycle.log last status is "ONLINE".
9. Start all the other YSoft services stopped in step 3.
10. Repeat the previous steps 6-9 on all Site Servers in the Spooler Controller group.
Depending on the count of not-deleted jobs, wait 3-10 minutes between the start of each
Site Server services.
Previously printed jobs may not be visible in the terminal job list for 15 to 30 minutes
until spooler job recovery has completed.
How to Safely Restart a SPOC Group without Cache Deletion
Service service.

8. Wait until distributed layer has converged (wait circa 5 minutes since spoc.log contains
"RescueCache| Rescue process for SPOC's cache finished.").
9. Repeat the previous steps 1-8 on all SPOCs in the SPOC group.
5.4.5 HOW TO CHANGE THE IP ADDRESS OF YSOFT SAFEQ MANAGEMENT

SERVER
This document describes how to change the IP address of one YSoft SafeQ Management Server
that is a standalone server or a member of a cluster. These guidelines are typically used in the
environment where YSoft SafeQ Management Server runs on the same server as other
components (such as YSoft SafeQ Spooler Controller, YSoft Payment System, ...).
5.4.5.1 Verification of the IP Address
This section describes the way to find the IP address of the current server.
1. Log into the server where the IP address is changed.
2. Open command prompt (e.g., Start => Run => cmd).
3. Enter the ipconfig command in the command prompt and press Enter.
4. Check IPv4 Address from the command output.

5.4.5.2 Reconfiguration of Management Server
An Environment with a Single Management Server
Enable license reactivation if you plan to move YSoft SafeQ Management Server to a different
server with a new IP address.
This scenario assumes that you have a Backup of Databases and a Backing Up Configuration
and Binary Files available.
1. If you have only one standalone YSoft SafeQ Management Server, uninstall it.
2. Prepare a server (or virtual machine) with the new IP address.
3. If you are using an external database (on another server), check its state.
a. If the external database is damaged, perform a Recovering Databases but skip the
Finalization part for now.
4. Check the backup of the configuration files and note the following:
a. Which optional features were installed:
i. Mobile Print Server – the MPS folder is available in the backup files.
ii. YSoft Payment System – the YPS folder is available in the backup files.
b. A Management Server GUID. It is noted in the safeq.properties file as the value of

the parameter communicator.cml.guid. For example:
backup\Management\conf\safeq.properties
# COMMUNICATOR
communicator.cml.guid = MGMT1
c. A SPOC GUID. It is noted in the guid.conf file as the value of the LocalGUID option.
For example:
backup\SPOC\conf\modules\guid.conf
localGUID = ectp5o8ep0op3hzi
5. Reinstall Management Server using the same build version of the installation package as
you were using before.
a. Enable optional features if they were used before (see step 4.a.)
b.
b. Provide the wizard with the same Management Server GUID that was used before
(see step 4.b.)
c. If you have YSoft SafeQ 6 MU11 or newer build:
Provide the wizard also with the same SPOC GUID that was used before (see step 4.
c.)
d. Finish the installation.
See First server installation for a detailed procedure.
6. Stop almost all YSoft services after installation has finished.
a. Leave only these two YSoft services running:
i. YSoft Bundled Etcd
ii. YSoft Bundled PostgresSQL 9.4 (available if embedded PostgresSQL DB is

used)
b. You can use the following PowerShell script to perform the task
Get-Service *YSoft* | Where-Object {$_.Name -notmatch 'YSoftPGSQL' -and $_.Name -ne

'YSoftEtcd'} | Stop-Service
7. If you are using an embedded PostgreSQL database, perform a Recovering Databases but
skip the Finalization part for now (as new empty databases were created during
installation).
8. Update the IP addresses in the database.
a. Connect to the SQDB6 database, the cluster_mngmt schema, and check the
contents of the cluster_server table:
i. If there is only one record with the server_guid of the reinstalled node, then
update the ip_address value to match the new node.
ii. If there are two records with the same server_guid but different ip_address,
then delete the record that contains the IP address of the old server.
b. Connect to the SQDB6 database, tenant_1 schema (or the schema to which your
server with the replaced IP address belonged, tenant_1 is default), and check the
contents of spooler_controllers table:
i. Find the record where spooler_controller_guid equals the GUID of your

replaced SPOC (see step 4.c), then update the network_address value to
match the new IP.
9.
9. If you have YSoft SafeQ 6 MU10 or older build :Edit
<SAFEQ_DIRECTORY>\SPOC\conf\modules\guid.conf (e.g. c:\SafeQ6\SPOC\conf\modules\guid.
conf) and rewrite the localGUID to the value that was used before (see step 4.c.).
10. Delete the SPOC cache by deleting the whole folder

<SAFEQ_DIRECTORY>\SPOC\SpoolCache
11. Start YSoft services with an Automatic startup type again.
Do not start the YSoft SafeQ Spooler Controller Group Service service. It will be started
by the YSoft SafeQ Spooler Controller service when the proper configuration is ready.
Get-Service *YSoft* | Where-Object {$_.Name -ne 'YSoftSQ-SPOCGS'} | Start-Service
12. Re-activate your YSoft SafeQ 6 license using your preferred method (online/offline). See
Management Interface - License Activation for detailed instructions.
13. If YSoft Payment System is installed on this server, update paymentSystemApiUrl.
In YSoft SafeQ Print Management web, system update paymentSystemApiUrl to reflect

the new IP address.
14. Restore customized configuration:
a. If you had services running under a specific domain account, set it up again.
b. If you used customized scripts on the server (e.g., for batch files launched by Rule-
Based Engine or customized batch files used by Workflow Processing System),
restore those scripts from the backup.
c. If you used a customized configuration (such as your own certificates for the web
services), locate the relevant documentation and set the configuration again.
15. Check that Spooler Controller is correctly connected on the management web.
An Environment with Two Management Servers in the Cluster
This procedure is valid only for installations where an external database located on another
server is being used.
If the affected node is the one on which the YSoft SafeQ 6 license was activated, enable
license reactivation before transferring the license to a new server.
Both original Management Server cluster nodes must remain operational during the changes
so etcd quorum is not lost! See https://coreos.com/etcd/docs/latest/faq.html for more
information.

1. Make sure both existing servers (including the one that should be replaced by the other one
with a new IP address) are functional.
2. If you have two node clusters, add a third node that is using the new IP address.
3. Uninstall the node that is being replaced.
4. Edit <SAFEQ_DIRECTORY>\SPOC\conf\modules\spoc.conf on both remaining Management

Servers
a. Make sure the details about and correct IPs for both remaining nodes are stored in
the properties: serverGUID1, serverPORT1, serverIP1, serverGUID2, serverPORT2,
serverIP2
b. Should details about any node (except the one which is going to be removed) be
missing, add them.
5. Remove IP address of the uninstalled node from the database
a. Connect to the SQDB6 database, cluster_mngmt schema and check the contents of
the cluster_server table.
b. Delete the record that contains ip_address and server_guid of the server that was
uninstalled.
6. Restart the YSoft SafeQ Management Service service on both Management Servers in the
cluster.
7. If the reinstalled node was the one on which the YSoft SafeQ 6 license was activated, re-
activate YSoft SafeQ 6 license using your preferred method (online/offline). See
8. If the reinstalled node also contained a SPOC:
a. move the MFDs managed by the uninstalled SPOC to the SPOC with a new IP
address (YSoft SafeQ management interface -> Devices).
b. delete the uninstalled SPOC from YSoft SafeQ (YSoft SafeQ management interface ->
Devices -> Spoler Controller groups).
c. if the old SPOC was member of a SPOC group, move the newly installed server to a
SPOC group (YSoft SafeQ management interface -> Devices -> Spooler Controller
groups).
other necessary steps to fully initialize a SPOC group are described later in this
guide.
An Environment with Three or More Management Servers in the Cluster
This procedure is valid only for installations where an external database located on another

Check etcd cluster health
1. Connect to a node that is still functional or where the configuration will not change.
2. Start PowerShell and move to the "<SAFEQ_DIRECTORY>\Management\etcd\" folder.
3. Run this command:
.\etcdctl.exe --endpoint http://127.0.0.1:2379 cluster-health
4. The output will contain a list of etcd cluster members, and the last line will report etcd
cluster health – it can be:
a. cluster is healthy
b. cluster is unhealthy
We expect that the cluster is healthy. Also, at least (n+1)/2 members, where n is the number
of Management Server cluster nodes that must remain operational during the changes so
etcd quorum is not lost! See https://coreos.com/etcd/docs/latest/faq.html for more information.
If a cluster is unhealthy, then etcd cluster health must be restored first. Please follow
Reconfiguration or recovery of etcd cluster in Management Service and then continue with
the next step.
Stop YSoft SafeQ services
1. Stop all YSoft SafeQ services on the affected server.
a. You can use the following PowerShell script to perform the task
Get-Service *YSoft* | Stop-Service
Update the IP address in the database
Replace the old IP address with the new one in the SQDB6 database, the cluster_mngmt
schema, the cluster_server table, the ip_address column. Be sure to replace the IP address only
for the line where the old one is present:

Update management
Edit <SAFEQ_DIRECTORY>\Management\conf\safeq.properties – set the new IP address in the

entry "safeq.network.address".
Edit <SAFEQ_DIRECTORY>\Management\tomcat\conf \server.xml – replace all occurrences of

the old IP address with the new IP address (use the search and replace function in your text
editor)
Update etcd configuration
Etcd needs to be updated in the registry of the Management Server where the IP address has
changed:
1.
1. Go to HKLM\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0
\YsoftEtcd\Paramaters\Start
2. Edit the Params entry and replace the old IP address with the new one (five lines):
3. Remove the cache directory in <SAFEQ_DIRECTORY>\Management\etcd\[SERVERNAME].etcd
Reconfigure the etcd cluster
If etcd quorum is not lost, you can remove the affected node from the etcd cluster
configuration and add a reconfigured node.
An example three-node environment:
The first node is installed on a server with the hostname MGMT1 and IP 10.0.5.147
The second node is installed on a server with the hostname MGMT2 and IP 10.0.5.155

The third node is installed on a server with the hostname MGMT3 and IP 10.0.5.156 (The
IP address of this node will be changed to 10.0.5.134 in this example.)
An example result of a previous etcd cluster health check
1. The state before the IP address change:
member 944c8b2d3903fd86 is healthy: got healthy result from http://10.0.5.147:2379

member 9e4d2088eb250e7c is healthy: got healthy result from http://10.0.5.156:2379
member a522606ea77f5003 is healthy: got healthy result from http://10.0.5.155:2379
cluster is healthy
Perform the IP address change
1. Change the IP address on the server – the IP address of the third node was changed
following How to change the IP address of YSoft SafeQ Management Service as an
example.
2. Check the etcd cluster health again.
a. Run this command from a node where the configuration was not changed:
b. The state after the IP address change:

failed to check the health of member 9e4d2088eb250e7c on http://10.0.5.156:2379:
Get http://10.0.5.156:2379/health: dial
tcp 10.0.5.156:2379: connectex: A connection attempt failed because the connected
party did not properly respond after
a period of time, or established connection failed because connected host has
failed to respond.
cluster is healthy
Remove the node where the IP address was changed from the etcd cluster configuration
1. Run this command from a node where the configuration was not changed:
.\etcdctl.exe --endpoint http://127.0.0.1:2379 member remove 9e4d2088eb250e7c
Replace the ID 9e4d2088eb250e7c with actual ID of the node which shall be removed.
2. The result should look like this:

2.
Removed member 9e4d2088eb250e7c from cluster
Add the node where the IP address was changed again
1. Add the affected node again with the changed IP address.
.\etcdctl.exe --endpoint http://127.0.0.1:2379 member add MGMT3 http://10.0.5.134:

2380
Replace MGMT3 with the actual hostname of the third node and 10.0.5.134 with
the actual IP of the third node.
b. The result should look like this:
Added member named MGMT3 with ID 9ba4c4e9fe82737c to cluster
ETCD_NAME="MGMT3"
ETCD_INITIAL_CLUSTER="MGMT1=http://10.0.5.147:2380,MGMT3=http://10.0.5.134:2380,
MGMT2=http://10.0.5.155:2380"
ETCD_INITIAL_CLUSTER_STATE="existing"
2. Connect to the node where the IP address was changed, start PowerShell, and move to
the "<SAFEQ_DIRECTORY>\Management\etcd\" folder.
a. Run this command:
.\prunmgr.exe //ES//YSoftEtcd
b. In the General tab, use the Start button to start the YSoft Bundled Etcd service.
You need to start YSoft Bundled Etcd service this way to create a proper etcd
configuration. This is needed only once after the changes.
c. YSoft Bundled Etcd starts.
3. Check the etcd cluster's health again.
b. The output should look like this:

b.

member 9ba4c4e9fe82737c is healthy: got healthy result from http://10.0.5.134:2379
cluster is healthy
4. You can now close YSoft Bundled Etcd Properties on the affected node. The YSoft
Bundled Etcd service will remain running. The etcd cluster is now reconfigured.
Start some YSoft SafeQ services again
1. Start the following YSoft SafeQ services again:
a. The YSoft SafeQ Management Service service
b. The YSoft SafeQ LDAP Replicator service
i. You can use the following PowerShell script to perform the task
Start-Service YSoftSQ-Management; Start-Service YSoftSQ-LDAP
Update the configuration of the remaining services

Configure Spooler Controller to use the new IP address.
Change the IP address of the Site Server in the operating system.
Replace the IP address in the spoc.conf file.
Edit <SAFEQ_DIRECTORY>\SPOC\conf\modules\spoc.conf and set the new IP address in the

property:
smartQ-server-ip= %NEW_IP_ADDRESS%
If YSoft SafeQ Management Server's IP address was changed too, then also configure the
parameter serverIP1=%NEW_MS_IP% at the end of the file. If there are more YSoft SafeQ
Management Servers, then change all serverIP properties on all servers accordingly.
If you have YSoft SafeQ 6 MU14 or older, replace the IP addresses in the server.xml file.
Edit <SAFEQ_DIRECTORY>\SPOC\tomcat\conf\server.xml and replace all entries of the old IP

address with the new IP address (search and replace).
This file is not present in SafeQ 6 MU15 and newer.
Replace the IP address in the TerminalServer.exe.config file
Edit <SAFEQ_DIRECTORY>\SPOC\terminalserver\TerminalServer.exe.config and set the new IP

address in the properties:

<add key="networkAddress" value="%NEW_IP_ADDRESS%" />
<add key="imsProxyAddress" value="%NEW_IP_ADDRESS%:7348" />
imsProxyAddress also contains the port number. If the port was changed too, replace the
default 7348 port accordingly.
Open the web interface of YSoft SafeQ Management Server (use the first node in the case of the
Management Server cluster) and go to Devices => Spooler Controller groups
Locate the SPOC where the IP address was changed, and click Edit.
Replace the Network address with the new one.
Delete the SPOC's cache by deleting the folder <SAFEQ_DIRECTORY>\SPOC\SpoolCache

If YSoft Payment System is installed on this server, update paymentSystemApiUrl
In the YSoft SafeQ Print Management interface, system update paymentSystemApiUrl to

reflect the new IP address.
Update FlexiSpooler

No update required.
Update Workflow Processing System
No update required.
Update Mobile Print
In <SAFEQ_DIRECTORY>\MPS\Service\conf, update the file controlerIPs.config. Update the

single entry to reflect the new IP address.
Update Mobile Integration Gateway
In <SAFEQ_DIRECTORY>\MIG\bin\ update the file ConnectorService.exe.config. Update the

Apply changes
It is recommended to reboot the server with the changed configuration (make sure the new IP
address is active).
If a reboot is not possible, you will need to follow these steps:
1. Stop all YSoft SafeQ services if they are not stopped already.
2. Start YSoft SafeQ services with the Automatic startup type again.
Verify the SPOC has the correct functionality according to the article YSoft SafeQ SPOC
Health Check
YSoft SafeQ Spooler Controller Health Check

5.4.5.3 Reconfiguration of the Site Servers – Connection to the New IP Address of the
Management Server
1. Edit <SAFEQ_DIRECTORY>\SPOC\conf\modules\spoc.conf
a. Replace the IP addressof the affected Management Server in the corresponding

serverIP parameter at the end of the file.
b. If you had a two-nodes Management Server cluster before you started with the
procedure, also replace ServerGUID for the replaced server with the new IP address.
The correct ServerGUID can be obtained from the web interface of the node with the
new IP address.
2. Also reconfigure the YSoft Infrastructure Service Proxy service settings.
YSoft Infrastructure Service Proxy service is available only on Site Servers. If you are
changing settings on a Management Server, skip this section and continue with step 3.
If you have YSoft SafeQ 6 MU14 or newer build:
a. stop the YSoft Infrastructure Service Proxy service.
b. move to the <SAFEQ_DIRECTORY>\SPOC\ims\ directory and edit the application.

properties file.
c. replace the old IP address of Management Server with the new IP address of the
server and save changes.
d. start the YSoft Infrastructure Service Proxy service again.
If you have YSoft SafeQ 6 MU13 or older build:
a. Stop the YSoft Infrastructure Service Proxy service.
b. Move to the <SAFEQ_DIRECTORY>\SPOC\ims\ directory and start the following

command from the Command line.
prunmgr.exe //ES//YSoftImsProxy
c. The YSoft Infrastructure Service Proxy Properties dialog opens.
d. Move to the Java tab and check the value of the -DinfrastructureServiceAddress
parameter inside Java Options:
if the old IP address of Management Server is there, replace it with the new IP
address of the server and confirm the changes.
e. Start the YSoft Infrastructure Service Proxy service again.
3. Reinitialize the connection from the Site Servers to the Management Servers.
a.

3.
a. If you did not recover the database from the backup in the previous steps, then a
restart of the Spooler Controller service is sufficient for re-initialization:
i. Standalone Site Servers:
restart the Spooler Controller service
ii. Site Servers that are part of a SPOC group:
perform a restart of the Spooler Controller service only on one server at a

time – once the service has restarted and the SPOC comes online on the
Management Server (YSoft SafeQ Management Server administration >
Devices > Spooler Controller Groups), wait approximately 5-10 minutes, and
then you can proceed with restarting the Spooler Controller service on the
next server in the same SPOC group.
b. If you did recover the database from the backup in previous steps, a cache deletion
and a restart of all services is necessary:
i. Standalone Site Servers:
see How to Delete the YSoft SafeQ Spooler Controller Cache
ii. Site Servers that are part of a SPOC group
see How and When to Restart a Standalone SPOC and SPOC Group, section
"How to safely restart SPOC group with cache deletion"
5.4.5.4 Other Required Configuration
1. If a SPOC on the server with the new IP address is part of a Spooler controller group, then
the SPOC cache must be deleted and the whole SPOC group must be restarted.
a. The other members of the SPOC group must learn about the new IP address. They
learn it only during their startup.
b. Follow the section "How to safely restart SPOC group with cache deletion" from the
chapter How and When to Restart a Standalone SPOC and SPOC Group
2. If a SPOC on the server with the new IP address is part of a Spooler Controller group and
the parameter enableEtcd is enabled, then the etcd cluster in Terminal Server must also be
reconfigured.
a. Follow Reconfiguring or Recovering an etcd Cluster in Terminal Server.
3. Reinstall all Embedded and hardware Terminals that connect to the server with the new IP
address.
4. Reconfigure all print drivers (or YSoft SafeQ FlexiSpoolers) to connect to the new IP
address.
a. All print drivers and YSoft SafeQ FlexiSpoolers that were connected to the SPOC
server with the old IP address must be re-connected to the new IP address

If a Terminal Server, Mobile Print, and FlexiSpooler are not running correctly, check the logs. You
might see that they are either still listening on the old IP (Terminal Server) or trying to connect to
the old IP address (FlexiSpooler and Mobile Print). To fix this, do the following only on the affected
server:
1. Stop all SPOC services, FlexiSpooler, TerminalServer service and Mobile Print services.
2. Delete the SPOC's cache by deleting the folder <SAFEQ_DIRECTORY>\SPOC\SpoolCache
3. Edit <SAFEQ_DIRECTORY>\FSP\Service/locations.config. Replace the old IP address with the

new IP address.
after the first startup, it should update to 127.0.0.1
4. Edit <SAFEQ_DIRECTORY>\MPS\Service\conf\controllerIPs.config. Replace the old IP address

with the new IP address.
5. Start the SPOC services and then the remaining services. Everything should work normally
now.
5.4.6 HOW TO CHANGE THE IP ADDRESS OF YSOFT SAFEQ MANAGEMENT

SERVICE
This document describes how to change the IP address of YSoft SafeQ Management Service. You
would typically use these steps in environment where YSoft SafeQ Management has its own
server that is not used for other purpose (such as Spooler Controller, Payment system...).

5.4.6.2 Reconfiguration of Management Service
Environment with a single server hosting Management Service
Enable license reactivation if you plan to move YSoft SafeQ to a different server with a new IP
address.
This scenario assumes that you have Backup of Databases and Backup of configuration (and
binary) files available.
1. If you have only one standalone Management Service, uninstall it
2. Prepare a server (or virtual machine) with the new IP address
a. If the external database is damaged, perform Recovering Databases but skip the
4. Check backup of configuration files from the old server and note the following:
a. Management Server GUID. It is noted in the safeq.properties file as the value of

property communicator.cml.guid. For example:
# COMMUNICATOR
5. Install management server using the same build version of the installation package as you
were using before.
a. Tick the I want to customize my YSoft SafeQ Management Server option.
b.

5.
b. Choose Install a new YSoft SafeQ Management Server... option.
c. Use the same database type as was used before.
d. Provide wizard with the same Management server GUID which was used before (see
step 4.a.)
e. Finish the installation.
See Install the YSoft SafeQ Management Server for detailed procedure.
6. Stop almost all YSoft services after installation is finished:
ii. YSoft Bundled PostgresSQL 11 (available if embedded PostgresSQL DB is

used).
b. Stop all other YSoft services.
Get-Service *YSoft* | Where-Object {$_.Name -notmatch 'YSoftPGSQL' -and $_.

Name -ne 'YSoftEtcd' } | Stop-Service
7. If you are using embedded PostgreSQL database, perform Recovering Databases but skip
the Finalization part for now (as new empty databases were created during installation).
8. Update IP addresses in the database
a. Connect to SQDB6 database, schema cluster_mngmt and check content of

cluster_server table:
i. If there is only one record with the server_guid of the reinstalled node, then
update the ip_address value to match the new node
ii. If there are two records with the same server_guid but different ip_address,
then delete the record which contains IP address of the old server
9. Start YSoft SafeQ services again
10. Re-activate YSoft SafeQ license using your preferred method (online/offline). See
a.

11.
a. If you used customized configuration (such as your own certificates for the web
services), seek the relevant documentation and set the configuration again
Environment with two Management Services in a cluster
If the affected node is the one on which was SafeQ license activated, enable license
reactivation before transferring the license to a new server.
This procedure is valid only for installations where external database located on another
Both original Management Service cluster nodes must remain operational during the changes
so etcd quorum is not lost! See https://coreos.com/etcd/docs/latest/faq.html for more
information.
1. If you have two node cluster, add a third node which is using the new IP address
2. and then uninstall the node which was replaced
3. Remove IP address of the uninstalled node from the database
a. Connect to SQDB6 database, schema cluster_mngmt and check content of

cluster_server table
b. Delete the record which contains ip_address and server_guid of the server which
was uninstalled
4. Restart YSoft SafeQ Management Service service on both Management Services in cluster
5. If the reinstalled node was the one on which was SafeQ license activated, re-activate YSoft
SafeQ license using your preferred method (online/offline). See Management Interface -
License Activation for detailed instructions.
Environment with three or more Management Services in the cluster
This procedure is valid only for installations where external database located on another

3.
We expect that cluster is healthy. Also at least (n+1)/2 members where n is number of
Management Service cluster nodes must remain operational during the changes so etcd
quorum is not lost! See https://coreos.com/etcd/docs/latest/faq.html for more information.
If cluster is unhealthy then etcd cluster health must be restored first. Please follow
Reconfiguration or recovery of etcd cluster in Management Service and then continue with
next step.
Stop YSoft SafeQ services
1. Stop all YSoft services on the affected server
Update IP address in database
Replace the old IP address by the new one in the database SQDB6, schema cluster_mngmt, table
cluster_server, column ip_address:

Update Management
1. Edit <SafeQ>\Management\conf\safeq.properties - set new IP address in entry "safeq.

network.address"
2. Edit <SafeQ>\Management\tomcat\conf \server.xml - replace all occurrences of the old IP by
the new IP (use search and replace function in your text editor)
Update etcd configuration
Etcd needs to be updated in the registry of the Management Server where IP address has
changed:
1. Go toHKLM\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0

\YsoftEtcd\Paramaters\Start
2. Edit the Params entry and replace the old ip address by the new one (5 lines):

3. Remove the cache directory in SAFEQ directory\Management\etcd\[SERVERNAME].etcd
Reconfigure etcd cluster

cluster is healthy
1.
example.

failed to respond.
cluster is healthy

2380

ETCD_NAME="MGMT3"
MGMT2=http://10.0.5.155:2380"

cluster is healthy

Apply changes
It is recommended to reboot the server with the changed configuration (make sure the new IP is
active). If a reboot is not possible you will need to follow these steps:
1. Stop all YSoft SafeQ services
2. Start all YSoft SafeQ services again
5.4.6.3 Reconfigure Site Servers to connect to the new IP of the Management Service
1. Edit <SafeQ>\SPOC\conf\modules\spoc.conf and replace the IP of the affected Management

Service in the corresponding serverIP parameter at the end of file.
2. If you had a two-nodes Management Server cluster before you started with the procedure,
make sure to replace also ServerGUID parameter in <SafeQ>\SPOC\conf\modules\spoc.conf
for the replaced server with a new IP address. The correct ServerGUID can be obtained
from the web interface of node with a new IP address
3. Reconfigure also YSoft Infrastructure Service Proxy service settings
a. If you have SafeQ 6 MU14 or later build:
i. stop YSoft Infrastructure Service Proxy service
ii. move to <SafeQ>\SPOC\ims\ directory and edit the application.properties file
iii. replace the old IP address of Management Service with the new IP of the
server and save changes
iv. start YSoft Infrastructure Service Proxy service again
b. If you have SafeQ 6 MU13 or older build:
i. stop YSoft Infrastructure Service Proxy service
ii. move to <SafeQ>\SPOC\ims\ directory and start the following command from
Command line
prunmgr.exe //ES//YSoftImsProxy
iii.

iii. YSoft Infrastructure Service Proxy Properties dialog shall open
iv. move to Java tab and check the value of -DinfrastructureServiceAddress

parameter inside Java Options:
v. if the old IP address of Management Service is there, replace it with the new IP
of the server and confirm changes
vi. start YSoft Infrastructure Service Proxy service again
If database recovery was not performed in previous steps then restart Spooler Controller
service
Skip this section and move to next one if database recovery was performed
1. For standalone Site Servers restart Spooler Controller service after previous changes on all
servers.
2. If Site Server is part of a Spooler Controller group, always perform restart of Spooler
Controller service on only one server at a time.
a. Once the service is restarted and Spooler Controller is visible online on Management
server (SafeQ Management server administration > Devices > Spooler Controller
Groups), wait cca 5-10 minutes before proceeding to restart Spooler Controller
service on next server in the Spooler Controller group.
If database recovery was performed in previous steps then delete cache and restart all
services
Skip this section if database recovery was not performed
Cache on Spooler Controllers needs to be deleted after Database restore to avoid possible
inconsistencies.
Delete Spooler Controller cache directory on all servers
Delete YSoft SafeQ Spooler Controller cache by deleting whole folder

<SAFEQSPOC_DIR>\SpoolCache (e.g. c:\SafeQ6\SPOC\SpoolCache)
Start Management service again
Open the Services window (e.g. Start > Run > services.msc) and start the following services:
1. Start YSoft SafeQ Management Service

Verify the Spooler Controller cache recovery settings
Go to tab System > Configuration on YSoft SafeQ Management web interface and set
orsCacheRecovery property to enabled.
In case of YSoft SafeQ Spooler Controller cache data corruption, cache can be manually
deleted and all job-related metadata will be recovered from YSoft SafeQ Management Server.
If you omit this step, all jobs stored on the YSoft SafeQ Spooler Controller might be lost after
the end of procedure.
Start the remaining services on all servers
Do not start YSoft SafeQ Spooler Controller Group Service manually. If YSoft SafeQ Spooler
Controller is part of Spooler Controller group then this service will start automatically when its
configuration is ready.
1. Start remaining YSoft services with Automatic startup type in no particular order
You can use the following PowerShell script to perform the task:
Verify the correct Spooler Controller functionality
Once the YSoft SafeQ Spooler Controller cache is deleted and YSoft SafeQ Spooler Controller
services are running, verify the correct YSoft SafeQ Spooler Controller functionality according to
the article YSoft SafeQ Spooler Controller Health Check.
5.4.7 HOW TO CHANGE THE IP ADDRESS OF YSOFT SAFEQ SITE SERVER
This document describes how to change the IP address of one YSoft SafeQ Site Server.

5.4.7.2 Stopping YSoft SafeQ Services
1. Stop almost all YSoft services on the affected server:
a. Leave only the YSoft Bundled PostgreSQL 9.4 service running (available if embedded
PostgreSQL DB is used).
b. Stop all other YSoft services
Get-Service *YSoft* | Where-Object {$_.Name -notmatch 'YSoftPGSQL'} | Stop-

Service
5.4.7.3 Update Steps
Change the IP address
Configure Spooler Controller to use the new IP address.

Change the IP address of the Site Server in the operating system.
Replace the IP address in the spoc.conf file.
Edit <SAFEQ_DIRECTORY>\SPOC\conf\modules\spoc.conf and set the new IP address in the

property:
smartQ-server-ip= %NEW_IP_ADDRESS%
If YSoft SafeQ Management Server's IP address was changed too, then also configure the
parameter serverIP1=%NEW_MS_IP% at the end of the file. If there are more YSoft SafeQ
Management Servers, then change all serverIP properties on all servers accordingly.
If you have YSoft SafeQ 6 MU14 or older, replace the IP addresses in the server.xml file.

Edit <SAFEQ_DIRECTORY>\SPOC\tomcat\conf\server.xml and replace all entries of the old IP
address with the new IP address (search and replace).
This file is not present in SafeQ 6 MU15 and newer.
Replace the IP address in the TerminalServer.exe.config file
Edit <SAFEQ_DIRECTORY>\SPOC\terminalserver\TerminalServer.exe.config and set the new IP

address in the properties:
<add key="networkAddress" value="%NEW_IP_ADDRESS%" />
<add key="imsProxyAddress" value="%NEW_IP_ADDRESS%:7348" />
imsProxyAddress also contains the port number. If the port was changed too, replace the
default 7348 port accordingly.
Open the web interface of YSoft SafeQ Management Server (use the first node in the case of the
Management Server cluster) and go to Devices => Spooler Controller groups
Locate the SPOC where the IP address was changed, and click Edit.
Replace the Network address with the new one.

Delete the SPOC's cache by deleting the folder <SAFEQ_DIRECTORY>\SPOC\SpoolCache
If YSoft Payment System is installed on this server, update paymentSystemApiUrl
In the YSoft SafeQ Print Management interface, system update paymentSystemApiUrl to

reflect the new IP address.
Update FlexiSpooler
No update required.
Update Workflow Processing System
No update required.
Update Mobile Print
In <SAFEQ_DIRECTORY>\MPS\Service\conf, update the file controlerIPs.config. Update the

Update Mobile Integration Gateway
In <SAFEQ_DIRECTORY>\MIG\bin\ update the file ConnectorService.exe.config. Update the

Apply changes
It is recommended to reboot the server with the changed configuration (make sure the new IP
address is active).
If a reboot is not possible, you will need to follow these steps:
1. Stop all YSoft SafeQ services if they are not stopped already.
a.

1.
2. Start YSoft SafeQ services with the Automatic startup type again.
Verify the SPOC has the correct functionality according to the article YSoft SafeQ SPOC
Health Check
5.4.7.4 Other Required Configurations
1. Reconfigure all print drivers (or YSoft SafeQ FlexiSpoolers) to connect to the new IP
address.
a. All print drivers and YSoft SafeQ FlexiSpoolers that were connected to the SPOC
server with the old IP address must be connected to the new IP address.
2. Reinstall all embedded and hardware terminals.
a. Reinstall all embedded and hardware terminals that will connect to the server with
the new IP address.
3. If a SPOC is part of a Spooler Controller group, then the SPOC cache must be deleted, and
the whole SPOC group restarted.
a. The other members of the SPOC group must learn about the new IP address. They
will learn it only during their startup.
b. Follow How and When to Restart a Standalone SPOC and SPOC Group (the chapter,
When changing the IP address of Site Server).
4. If failover for embedded terminals is being used and the parameter enableEtcd is enabled,
then the etcd cluster in Terminal Server must also be reconfigured.
a. Follow Reconfiguring or Recovering an etcd Cluster in Terminal Server to remove the

old IP address from the etcd cluster and register the new IP address there.

It might occur that Terminal Server, Mobile Print, and FlexiSpooler are not running correctly. When
you check the logs, you will see that they are either still listening on the old IP address (Terminal
Server) or trying to connect to the old IP address (FlexiSpooler and Mobile Print). To fix this, do the
following only on the affected server:
1. Stop all SPOC services, FlexiSpooler, the TerminalServer service and the Mobile Print
service.
2. Delete the SPOC's cache by deleting the folder <SAFEQ_DIRECTORY>\SPOC\SpoolCache
3. In <SAFEQ_DIRECTORY>\FSP\Service, update the file locations.config. Update the old IP

address to the new IP address.
a. After the first start, it should update to 127.0.0.1
4. In <SAFEQ_DIRECTORY>\MPS\Service\conf, update the file controllerIPs.confg. Update the

old IP address to the new IP address.
5. Start the SPOC services and then the remaining services. Everything should be working
normally now.
5.4.8 HOW TO CHANGE THE PASSWORD OF A DATABASE USER
Before using this guide, it is recommended to read Enhanced Password Protection which offers
enhanced protection of passwords.
It is a good security practice to regularly change database access credentials. Whenever the
database user password is changed, it is necessary to update connection properties on several
places. The article below provides guidelines for:
PostgreSQL server
MS SQL Server with SQL authentication
MS SQL Server with domain authentication and service account
Internal accounts
There are several SQL logins in the database, which were created automatically during
installation by YSoft SafeQ installer. Those are SQL logins, not domain accounts. In the text
below, those accounts are highlighted in a box like this one.

5.4.8.1 How to Encrypt Password
Passwords in Configuration Files and in etcd
Passwords in the configuration files can be in plain text or encrypted by the utility provided by
YSoft SafeQ 6 as a widget on Dashboard:
1. Sign into Management Service interface as an administrator (into a tenant scheme if it is

in a multi-tenant environment).
2. Stay on Dashboard.
3. Find the Text Encryption widget or enable it (click the Add widget button).
4. Enter the text to encrypt.
5. Click the Encode button at the bottom of the widget.
6. Copy the text to the clipboard or transcribe it and replace the original password in the
property file.
Passwords in Database
Passwords in the database are in plaintext.
5.4.8.2 YSoft SafeQ 6 Management Service
Refer to page YSoft SafeQ server requirements for details about all user accounts used by
YSoft SafeQ.
YSoft SafeQ 6 Management Service - SQL Authentication
Use this procedure to change password for:
PostgreSQL server

For MS SQL Server with domain authentication skip this section. Continue with YSoft
SafeQ 6 Management Service - Domain Authentication instead.
STEP 1 - CONFIGURATION FILES
When using SQL authentication (not domain authentication), update the following configuration
files:
<SAFEQ_DIRECTORY>\Management\ims\application.properties:
spring.datasource.password – password of a user account for IMS database, typically a
database with suffix _IMS. This is the account provided by the customer.
<SAFEQ_DIRECTORY>\Management\conf\safeq.properties:
database.global.management.password – password for a common connection to the
database. This is the account provided by the customer.
databaseWarehouse.global.management.password – password for a common connection

to the database. This is the account provided by the customer.
Internal accounts
Those accounts were created automatically during installation by YSoft SafeQ installer.
Those are SQL logins, not domain accounts.
database.cluster.management.password – password of a cluster management user,

typically called cluster_mngmt).
database.cluster.guest.password – password of a cluster guest user, typically

called cluster_guest).
databaseWarehouse.cluster.management.password – password of data warehouse

guest user, typically called cluster_guest).
databaseWarehouse.cluster.guest.password – password of data warehouse guest

user, typically called cluster_guest).
<SAFEQ_DIRECTORY>\Management\validator\conf\DBValidator.properties:
connectionInfoSQ.userPassword – password for a common connection to the database.
This is the account provided by the customer.
connectionInfoDW.userPassword – password for a common connection to the database.

STEP 2 - DATABASE

The procedure slightly differs on MU 8 or older, refer to Recovery of databases
documentation, Reconfiguring the SQDB6 Database section.
Execute the following query to reset stored procedures' connection strings:
For PostgreSQL:
PostgreSQL
SELECT cluster_mngmt.spu_recover_tenant_db_passwords();
For MS SQL Server:
MS SQL Server
EXEC cluster_mngmt.spu_recover_tenant_db_passwords;
Execute database validator:
1. Execute the following query
a. For PostgreSQL:
PostgreSQL
SELECT cluster_mngmt.spu_clean_validator_tables();
b. For MS SQL Server:
MS SQL Server
EXEC cluster_mngmt.spu_clean_validator_tables();
2. Navigate to <SAFEQ_DIRECTORY>\Management\validator\conf\DBValidator.properties and

verify the database passwords.
3. Navigate to <SAFEQ_DIRECTORY>\Management\validator\bin\validatorRunner.exe
a. Run it.
More information: DB Validator Tool
NEXT STEP: see section YSoft SafeQ 6 Management Service - etcd.

YSoft SafeQ 6 Management Service - Domain Authentication
MS SQL Server with domain authentication. The installation followed this procedure: Installing
YSoft SafeQ Management Server on external MSSQL using domain users
STEP 1 - CONFIGURATION FILES
When using DOMAIN authentication (not sql login authentication), update the following
configuration file:
<SAFEQ_DIRECTORY>\Management\validator\conf\DBValidator.properties:
connectionInfoSQ.userPassword – password for a common connection to the database.
connectionInfoDW.userPassword – password for a common connection to the database.

STEP 2 - DATABASE
Internal accounts
Internal accounts are users without passwords when using domain authentication. There is
no need to update any passwords.
Reference: https://docs.microsoft.com/en-us/sql/relational-databases/databases/contained-
databases
Execute database validator:
Perform the steps below only if data warehouse is deployed on a different SQL Server, SKIP
THEM OTHERWISE.
1. Execute the following query
a. For PostgreSQL:
PostgreSQL
b. For MS SQL Server:
MS SQL Server
EXEC cluster_mngmt.spu_clean_validator_tables();

2. Navigate to <SAFEQ_DIRECTORY>\Management\validator\conf\DBValidator.properties and
verify the database passwords.
3. Navigate to <SAFEQ_DIRECTORY>\Management\validator\bin\validatorRunner.exe
a. Run it.
More information: DB Validator Tool
STEP 3 - WINDOWS SERVICES
Update service account password on affected Windows services (run services.msc):
YSoft Infrastructure Service
YSoft SafeQ LDAP Replicator
YSoft SafeQ Management Service
NEXT STEP: see section YSoft SafeQ 6 Management Service - etcd.
YSoft SafeQ 6 Management Service - etcd
1. Open PowerShell window and navigate to directory: <SAFEQ_DIRECTORY>\Management\etcd
2. Run this command to dump etcd content
rm etcddump.ps1 -ea silentlycontinue; .\etcdctl.exe ls / | %{" .\etcdctl.exe --endpoint

http://127.0.0.1:2379 update $($_ -replace `"/`", `"`") `"$(.\etcdctl.exe get $_)`"" | out
-file etcddump.ps1 -append }
3. Open newly created file etcddump.ps1 for editing
4. Adjust password value on those lines:
a. This is the account provided by the customer:
.\etcdctl.exe --endpoint http://127.0.0.1:2379 update encryptedUserPassword "code,

104,119,-55,-123,-120,-2,-11,-38,44,-42,70,123,-64,-125,30,69"
If you have SafeQ DataWarehouse database deployed on a different server (MSMD

deployment), adjust also this line:
.\etcdctl.exe --endpoint http://127.0.0.1:2379 update DWencryptedUserPassword

"code,104,119,-55,-123,-120,-2,-11,-38,44,-42,70,123,-64,-125,30,69"
b. Internal accounts:

b.
Internal acounts
Those accounts were created automatically during installation by YSoft SafeQ

installer. Those are SQL logins, not domain accounts.
.\etcdctl.exe --endpoint http://127.0.0.1:2379 update encryptedClusterPassword

"code,-57,-15,18,97,115,-62,79,17,-93,-27,25,13,61,124,37,34"
.\etcdctl.exe --endpoint http://127.0.0.1:2379 update
encryptedClusterGuestPassword "code,-68,22,-35,-10,33,-82,24,42,-64,81,
-56,112,54,83,121,76"
.\etcdctl.exe --endpoint http://127.0.0.1:2379 update encryptedTenantPassword
"code,-105,-107,-24,-63,-8,29,43,-21,14,64,68,91,-106,60,-59,94"
If you have SafeQ DataWarehouse database deployed on a different server

(MSMD deployment), the following lines are also present:

DWencryptedClusterPassword "code,-57,-15,18,97,115,-62,79,17,-93,
-27,25,13,61,124,37,34"
DWencryptedClusterGuestPassword "code,-68,22,-35,-10,33,-82,24,42,-64,81,
-56,112,54,83,121,76"
5. Run this command to restore etcd content:
powershell.exe -executionpolicy bypass .\etcddump.ps1
6. Review the content using this PowerShell command:
.\etcdctl.exe ls / | %{write-host "$($_): $(.\etcdctl.exe get $_)" }
More information about etcd: Reconfiguration or recovery of etcd cluster in Management

Service
YSoft SafeQ 6 Management Service - Apply the Change
The following services need to be restarted to apply the changes:
YSoft Infrastructure Service

5.4.8.3 YSoft SafeQ 6 Payment System
YSoft SafeQ 6 Payment System - SQL Authentication
PostgreSQL server
For MS SQL Server with domain authentication skip this section.
The passwords must be changed in configuration files when the user password of a connection
to the database is changed:
for MU26 or newer <SAFEQ_DIRECTORY>\YPS\ps-conf\environment-configuration.

properties
for MU25 or older <SAFEQ_DIRECTORY>\YPS\ysoft\environment-configuration.properties
database.password – the password of a user for a common connection to the database (typically,
a default user with the username "postgres" or "sa")
YSoft SafeQ 6 Payment System - Domain Authentication
No extra step required.
YSoft SafeQ 6 Payment System - Apply the Change
The following services need to be restarted to apply the changes:
YSoft Payment System Service
5.4.9 HOW TO DELETE THE YSOFT SAFEQ SPOOLER CONTROLLER CACHE
5.4.9.1 What Is the YSoft SafeQ Spooler Controller Cache?
The YSoft SafeQ Spooler Controller cache is the persistent storage on the YSoft SafeQ Spooler
Controller server. YSoft SafeQ Spooler Controller saves all necessary data to the cache so that it
can run in offline mode (without connection to YSoft SafeQ Management Server) and optimize the
data flow between YSoft SafeQ Spooler Controller and YSoft SafeQ Management Server. The
cache contains, for example, the print job metadata, billing codes, users, devices, and so on. Most
of the entities stored in the cache are downloaded from YSoft SafeQ Management Server during
the YSoft SafeQ Spooler Controller's startup. The others (e.g., users) are downloaded when
needed.

5.4.9.2 About YSoft SafeQ Spooler Controller Cache Deletion
Deleting the YSoft SafeQ Spooler Controller cache is, in specific cases, the only way to restore
proper YSoft SafeQ Spooler Controller functionality.
When the cache is deleted, the particular YSoft SafeQ Spooler Controller will lose all information
about users, cards, jobs, billing codes, and printers etc.
All necessary information about printers, users rights, and billing codes are synchronized again
to the YSoft SafeQ Spooler Controller (from YSoft SafeQ Management Server) during the first
synchronization (after the restart of YSoft SafeQ Spooler Controller services).
Information about print jobs is synchronized as part of the cache recovery mechanism, where
YSoft SafeQ Spooler Controller downloads all its jobs from YSoft SafeQ Management Server
and saves them to the cache.
The user's data will be synchronized to YSoft SafeQ Spooler Controller (from YSoft SafeQ
Management Server) during the first authentication of the user or when the user sends a
print job to YSoft SafeQ that will be accepted by a particular YSoft SafeQ Spooler Controller.
WARNING
The YSoft SafeQ Spooler Controller cache is almost equal to the YSoft SafeQ Management
Server database. The request for the deletion of the YSoft SafeQ Spooler Controller cache will
be performed only when requested by Y Soft or when it is explicitly defined in the manual.
5.4.9.3 How to delete the YSoft SafeQ Spooler Controller Cache
Verify the YSoft SafeQ Spooler Controller cache recovery settings
Stop YSoft SafeQ Spooler Controller services
Open the Services window (e.g.Start > Run > services.msc) and stop the following services:
1. YSoft SafeQ Spooler Controller service
2. YSoft SafeQ Spooler Controller Group Service service
3.

3. YSoft SafeQ Terminal Server service
4. and, optionally, stop:
a. YSoft Infrastructure Service Proxy service
b. YSoft SafeQ End User Interface service
c. YSoft SafeQ FlexiSpooler service
d. YSoft SafeQ Mobile print service
Delete the YSoft SafeQ Spooler Controller Cache Directory
Delete the YSoft SafeQ Spooler Controller cache by deleting the entire folder
<SAFEQ_DIR>\SPOC\SpoolCache (e.g., c:\SafeQ6\SPOC\SpoolCache)
Start YSoft SafeQ Spooler Controller services
Open the Services window (e.g., Start > Run > services.msc) and start the following services:
Do not start YSoft SafeQ Spooler Controller Group Service service. It will be started by YSoft
SafeQ Spooler Controller service when proper configuration is ready.
1. YSoft SafeQ Spooler Controller service
2. YSoft SafeQ Terminal Server service
3. and start other YSoft SafeQ services if they are not running:
a. YSoft Infrastructure Service Proxy service
b. YSoft SafeQ End User Interface service
c. YSoft SafeQ FlexiSpooler service
d. YSoft SafeQ Mobile print service
The YSoft SafeQ Spooler Controller cache recovery mechanism on a standalone SPOC with
the recommended hardware is processing on average 3000 jobs per minute. That means with
60 000 jobs the recovery will take about 20 minutes. SPOC is not fully functional until the
recovery is finished. To see how many jobs is going to be recovered use the following SQL
query:
-- query to be launched on SQDB6 database

-- use proper tenant prefix at smartq_jobs table
-- use proper server_guid, SPOC guid can be found on YSoft SafeQ Management interface ->
tab Spooler Controller groups
SELECT count(1) FROM tenant_1.smartq_jobs where server_guid = 'j1dvczklt5l5hm69' and
cur_status in (1,2,4,8,16,32,64,128,256,512)

Verify the correct YSoft SafeQ Spooler Controller functionality
5.4.10 HOW TO MANAGE FINISHING OPTIONS AND SYSTEM TAGS
5.4.10.1 A List of Basic and Advanced Finishing Options
Basic Finishing Options:
Simplex/Duplex
BW/Color
Copy Count
Advanced Finishing Options:
Stapling
Punching
Folding
The possibility to apply a particular finishing option depends on the driver and machine capability
combinations.
5.4.10.2 Configuring Finishing Options
Enabling/disabling the possibility to change the finishing options on terminals
1. Go to System > Terminal UI and set the configuration property enableFinishingOptions to

enabled or disabled (by default it is enabled ). This property enables the finishing options
feature support on terminals.
Setting the priority between rules and finishing options set on terminals
1. Go to System > Terminal UI, select Expert view and set the configuration property
finishingOptionsPriority
This property sets the priority of finishing options versus the rules. For example, a global rule
states that the user's print jobs must be converted to black and white, but the user can choose
color in the finishing options panel on the terminal just prior to printing. The property specifies
which print job modification feature takes precedence.
The default value is Finishing options have priority .

5.4.10.3 System Tags
System tags refers to the print languages and features of a printer and should be set according
to its capabilities.
System tags can be enabled or disabled here, but no new tags can be added or removed. By
default, all system tags for 2D printers are enabled. In order to disable/enable the system tags,
the associated checkbox or tag name should be checked.
If the device has a terminal, it must be reinstalled when system tags are edited. The re-installation
is triggered automatically after the button Save Changes is pressed.
System tags are used to specify the compatibility between printers and print jobs. If a job has a
tag that is not enabled on the device, the job will be not able to print because it will be not
displayed on the terminal.
On the other hand, if a finishing option tag (e.g., stapling) is disabled, then this finishing option is
marked disabled on the terminal on the Job Information/Print Settings, and if the user accesses
Print Settings, the terminal will not display the options associated with stapling, e.g, left stapling,
right stapling, etc; only No Stapling will display.
System Tags Configuration
System tags can be configured at Devices > Edit [SELECTED_DEVICE] > Advanced > Tags >
System Tags.
If you are using a Xerox device that uses XCPT tickets, make sure the checkbox XCPT-
Xerox (in the Device detail page) is checked when installing the printer. Otherwise, some
finishing options might not work.
Admin cannot specify a list of available sub-options. It is only possible to enable or disable
the selection menu.
In this case, all jobs with a Color tag will be marked as being incompatible jobs, and it will not
be possible to print them.

System Tag Attributes
The gray color indicates that this tag cannot be used (enabled/disabled) for any 2D print
jobs.
The white color (no check mark) indicates that this tag cannot be included in the job in
order for the job to be printed.
The presence of the check mark indicates that this option is allowed in the print job in
order for the print job to be printed.
5.4.10.4 Configuring the Displaying of Incompatible Jobs
In order to be able to see all the incompatible jobs on the terminal, use the system property
showIncompatibleJobs.
Go to System > Configuration > Terminal UI (Expert mode view) and set the
showIncompatibleJobs property to enabled. By default, it is disabled.
5.4.10.5 Displaying the Tags in Job Information on the Web Interface
This information can be checked at the Reports > Display detailed job information > Tags page.

This job will be marked as an incompatible job because it contains a Color tag, which was not
allowed in the device configuration.
5.4.11 HOW TO SINGLE SIGN-ON FOR THE YSOFT SAFEQ
The single sign-on for YSoft SafeQ can be enabled by changing the global system settings
properties:
webAuthenticationMethod for Managenment Interface
webAuthenticationMethodEUI for End User Interface
The following values are currently available:

Username and password – the default value that allows users to log into the YSoft SafeQ
Management interface by entering their username and password into the standard login page.
Windows Integrated Authentication – an automatic single sign-on login via Active Directory
credentials under which the user is currently logged into the operating system they browse
YSoft SafeQ Management interface from.
Central Authentication Service - (CAS) allows users to authenticate only once and gain access
to multiple applications
Security Assertion Markup Language SAML - open standard that allows identity providers to
pass authorization credentials to service providers.
5.4.11.1 Central Authentication Service
About
Central Authentication Service (in short CAS) is an open source, Java-based authentication server
that includes a mechanism for single sign-on (SSO) across web applications, including those
running on different application servers. When a user requests a page from a CAS-enabled web
application, the application redirects the user to the CAS server login page. Thereafter, logged-in
users can navigate between all participating applications without needing to log in again. Each
application communicates with the CAS server in the background to verify that the user is valid
before providing access to its resources.
With the CAS protocol, the client application ( YSoft SafeQ Management interface ) never receives
or transmits the user’s password. However, unlike LDAP, CAS does not provide any user context,
such as roles or organizations. CAS service provider supplies only the identification of the user in
form of username property. This is used to map roles and privileges in YSoft SafeQ Management
interface.
For more information about CAS, visit:
https://en.wikipedia.org/wiki/Central_Authentication_Service
https://apereo.github.io/cas/5.1.x/protocol/CAS-Protocol.html
Enabling the Integration
Client's workstation configuration
CAS integration does not require any specific configuration of the client's workstations or
browsers.
YSoft SafeQ configuration
1. Log into the YSoft SafeQ Management interface using an admin account.
2.

2. Navigate to System > Configuration and change the following properties.
a. Under Basic filter, change property's webAuthenticationMethod value to CAS Single

sign-on to enable the single sign-on method using CAS.
b. Under Advanced filter, change property's localCasServiceUrl value of the

Management interface CAS service endpoint.
c. Under Advanced filter, change property's casServerUrl value to CAS service provider
base URL.
d. Under Advanced filter, change property's casServerLoginUrl value to URL of CAS

server login page, where user authenticates.
e. (Optional) Under Basic filter, it possible to enable property ldap-replicator-online-mode

which determines whether YSoft SafeQ tries to find user in directory service (e.g.
Active Directory) instantly if the user is not present in the database. This parameter
applies only to users which are not in the database, but they were successfully
authenticated against CAS.
3. Restart YSoft SafeQ Management Service to apply the settings.
URLs
URLs are crucial configuration properties of the CAS feature. Both YSoft SafeQ Management
interface and CAS service provider has to 'see' each other - therefore the full URL paths has to
be used (scheme:[// host[:port]][/path]).
localCasServiceUrl - has to point to YSoft SafeQ Management interface service endpoint /login
/cas. The full path should look like this: https://safeq_server_hostname/login/cas
casServerUrl - value of CAS service provider base URL - has to point to the base URL path of the
CAS authentication, i.e. Management interface is using this base path to append various path
suffixes, like /validate, / serviceValidate, p3/serviceValidate depending on CAS protocol and
configuration specifics.
Importing CAS server certificate
Once the CAS service provider authenticates the user, it forwards the user back to the
application where the authentication requests has been initiated. But the application needs to
verify the authentication in CAS. For that, the certificate used by the CAS service provider has to
be trusted by the YSoft SafeQ - therefore it has to be imported into YSoft SafeQ truststore. To
do so, do the following:
1. Import the CAS service provider certificate into YSoft SafeQ truststore using Java keytool.
On the machine where the Management interface is running, open the command line and
run the following keytool command:
keytool -import -alias <certificate-alias> -keystore <truststore-location> -file <cas-

certificate-location>

<certificate-alias> - a key under which will be the certificate stored in the truststore, e.g.
cas-certificate
<truststore-location> - the location of the keystore, e.g. SAFEQ_DIR\Management\conf\ssl-

truststore
<cas-certificate-location> - the location of the CAS service provider certificate to be

imported
2. Enter a password for keystore protection.
3. Write yes to confirm you want to trust this certificate. If import was successful, the
following message should appear:
Certificate was added to keystore

In case your key/certificate is in a different format than specified, convert it following the
guide in Conversions between different keystores and certificate types.
In case you do not have key/certificate at all, follow the guide in the Generating key/certificate
in Personal Information Exchange format chapter (steps 1 - 7) in System communication
hardening .
Logging Into the YSoft SafeQ Management Interface
When this feature is enabled following the instructions above and an administrator is not logged
in to YSoft SafeQ Management interface and any page except the login page in entered (e.g., the
root page, Dashboard, etc.), the redirection to the CAS service provider login page is done (to the
URL defined by the property casServerLoginUrl). On this service, the administrator logs in, and if
the logging in succeeds, the user is forwarded back to the YSoft SafeQ Management interface (to
the URL defined by the property localCasServiceUrl, i.e.: https://safeq_server_hostname/login/cas
).
When exactly YSoft SafeQ login page (https://safeq_server_hostname/login) is entered, the user
is provided with the possibility to either log in using Single sign-on or may log in via standard
username/password login option.
When user is logged out of the system, the login page will be shown.
Logout
CAS service provider and YSoft SafeQ Management interface is having separate user sessions.
This means the logging out from the one application, does not logout user from the other.

Caveats & Limitations
Implemented CAS 3 .0 protocol specification (https://apereo.github.io/cas/5.1.x/protocol/CAS-

Protocol-Specification.html#head2.5.7) without proxy support.
CAS Single sign-on feature and its setting are available only in single tenant mode due to the
technical limitations of the integration.
CAS Single logout feature is not supported - logout from CAS service does not end an open
session in YSoft SafeQ Management Interface and vice versa.
While using Management cluster deployment, only one localCasServiceUrl can be used, thus
authenticating only one node in a cluster.
No protection against login via CSRF is implemented.
Troubleshooting
In case the CAS SSO fails, user is redirected to login page with an common error message and
has a possibility to log in via standard username/password login option.
Depending on the log message in the management-service.log one of the following problems may
be experienced.

No subject alternative names present
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject

alternative names present
In most cases this is a hostname/SSL certificate CN mismatch. This commonly happens when a
self-signed certificate issued to localhost is placed on a machine that is accessed by IP address.
It should be noted that generating a certificate with an IP address for a common name, e.g.
CN=print-management.com ,OU=Middleware will not work in most cases where the client making
the connection is Java. For example the Java CAS client will throw SSL errors on connecting to a
CAS server secured with a certificate containing an IP address in the CN.This is because IP
Address in the CN is deprecated by both the IETF (most tools, like wget and curl) and CA/B
Forums (CA's and Browsers). According to both the IETF and CA/B Forums, Server names and IP
Addresses always go in the Subject Alternate Name (SAN).
Unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path

building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
The problem here is that the CAS client does not trust the certificate presented by the CAS
server; most often this occurs because of using a self-signed certificate on the CAS server. To
resolve this error, import the CAS server certificate (as described in section Importing CAS server
certificate above) into the system truststore of the CAS client. If the certificate is issued by your
own PKI, it is better to import the root certificate of your PKI into the CAS client truststore.
CAS server is unresponsive or unavailable
In case of network/configuration issues on side of CAS service provider, a Management interface

can still be accessed using the https://safeq_server_hostname/login URL.
5.4.11.2 Security Assertion Markup Language SAML
This features are currently available only under Early Access Program .
About
The Security Assertion Markup Language ( SAML ) is a standard protocol for web browser Single
Sign-On (SSO) using secure tokens. The SAML eliminates all local application passwords and
instead uses standard cryptography and digital signatures to pass a secure sign-in token from an
identity provider to a SaaS application.

When SAML integration is enabled user authentication requests to the Management interface will
be redirected to a remote Identity Provider server URL. After user authentication to the remote
Identity Provider the user is redirected back to the Management interface for the authentication
session to be verified.
Supported SAML Features
Management Service supports Asynchronous Binding (Front Channel) with this binding types:
Single Login: HTTP redirect ( <AuthnRequest>) and H TTP POST (<Response>)
Single Logout: HTTP POST (both SP and IdP initiated)
Enabling the integration
Before starting
To use SAML a few things will need to be prepared in advance. Once SAML implementation is
enabled the only way to authenticate in Management interface will be through the Identity
Provider SSO credentials.
1. Ensure that the server where Management service is installed can access the Identity
Provider metadata URL. The metadata from the Identity Provider is downloaded by the
Management service using the Identity Provider metadata URL.
Proxy connections are not supported.
The Identity Provider metadata URL must contain XML metadata.
Example of Identity Provider metadata
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="{EntityID of the

Identity Provider}">
<IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:
oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data><ds:X509Certificate>{encoded certificate information}</ds:
X509Certificate></ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:X509Data><ds:X509Certificate>{encoded certificate information}</ds:
X509Certificate></ds:X509Data>
</ds:KeyInfo>
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
<xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:
KeySize>
</EncryptionMethod>
</KeyDescriptor>

<ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:
SAML:2.0:bindings:SOAP" Location="{public URL from IdP}"/>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:{HTTP-Redirect
/HTTP-POST/SOAP}" Location="{public URL from IdP}" ResponseLocation="{public URL from
IdP}"/>
{...}
<ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:{HTTP-Redirect
/HTTP-POST/SOAP}" Location="{public URL from IdP}" ResponseLocation="{public URL from
IdP}"/>
{...}
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat
>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:{HTTP-Redirect
/HTTP-POST/SOAP}" Location="{public URL from IdP}"/>
{...}
</IDPSSODescriptor>
</EntityDescriptor>
2. If the URL of the Identity Provider metadata is secured (HTTPS), you need to store the
certificate of the URL into management server Truststore (by default, it is located in
Management/conf/ssl-truststore).
How to import the certificate
a. Import the Identity Provider certificate into management server truststore using
Java keytool. On the machine where the Management interface is running, open
the command line and run the following keytool command:
keytool -import -alias <certificate-alias> -keystore

<truststore-location> -file <certificate-location>
<certificate-alias> - a key under which will be the certificate stored in the

truststore, e.g. saml-certificate
<truststore-location> - the location of the keystore, e.g. Management\conf\ssl-

truststore
<certificate-location> - the location of the Identity Provider certificate to be

imported
b. Enter a password for keystore protection.
c. Write yes to confirm you want to trust this certificate. If import was successful,
the following message should appear: Certificate was added to keystore
d. Restart YSoft SafeQ Management Service to apply the settings.

In case your key/certificate is in a different format than specified, convert it following
the guide in Conversions between different keystores and certificate types.
3. Ensure that there is at least one user in Management (preferably with admin rights) with a "
username" that matches an user in the Identity Provider by the property you have chosen
as "samlAttributeAsId" (check the list of properties below).
How the authentication works
In order to generate the authentication in YSoft SafeQ Management based on the

authentication coming from the Identity Provider, we are using already existing users in
Management database so we can use their access rights.
Having SAML enabled as your Web Authentication Method, when you try to access
Management interface, you will be redirected to the Identity Provider login page. After
login, the Identity Provider will redirect you back to YSoft SafeQ Management. This
redirection is done in a form of an XML response, together with some information about
the user (also called attributes) which can be configured in the Identity Provider. The
property "samlAttributeAsId" is used to specify the name of the attribute that matches
the "username" in YSoft SafeQ Management database.
Configuration in YSoft SafeQ Management
2. Navigate to System > Configuration and change the filter to Advanced or Expert.
3. Change the following system property settings:
a. Set the value of the property webAuthenticationMethod to SAML v2 single sign-on

in order to enable the single sign-on method using SAML.
b. Set the value of the property samlServerAddress with the URL of the Management
server where users are to be redirected after Identity Provider authentication. The
URL should contain "https" when service works in HTTPS mode (redirect from HTTP
to HTTPS may be unsupported in some SAML configuration).
4. Using the configuration from the Identity Provider change the following system property
settings:
a. Set the value of the property samlAttributeAsId with the attribute from the Identity
Provider which will be used to match the username in Management interface. The
value should be blank if the SAML assertion contains correct user attribute in
authentication subject. If the samlAttributeAsId is set then logout requests may not
work as the IdP may expect NameId value in the logout request, not other attribute
value.
b.
b. Set the value of the property samlIdentityProviderMetadataUrl with the metadata
URL from the Identity Provider.
c. Set the value of the property samlIdentityProviderLifetime with the session lifetime
value in seconds from the Identity Provider. This property defines the timeout when
Management considers the session as non-trusted. If the session lifetime does not
match the Identity Provider configuration then authentication may fail.
d. Set the value of the property samlServiceProviderId with the unique identifier of
Service Provider (YSoft SafeQ 6) from the Identity Provider.
e. Set the value of the property samlSingleLogout to Enabled if you want the user to
be logged out from other Service Providers when you log out of YSoft SafeQ
Management interface. The default value of property is Disabled which means user
will NOT be logged out of all Service Providers which use the Identity Provider, only
local YSoft SafeQ Management interface session will be destroyed.
Configure Identity Provider
Add Management server Service Provider metadata into Identity Provider server configuration
After Management configuration add the local metadata generated by Management into the
remote Identity Provider server configuration. The remote Identity Provider configuration requires
the Management metadata to configure authentication and register the Management callback
endpoint URL. Management service will generate the metadata automatically the first time
accessing the Management dashboard and it will be stored in SAFEQ_DIR/conf/sp-metadata.xml.
Optional: Provide Management server callback endpoint URL to Identity Provider
For manual configuration the Identity Provider may require the Management server callback
endpoint URL. The Management service endpoint URL is {samlServerAddress}/ security/saml/v2
/callback where the value of samlServerAddress is configured in "Configuration in YSoft SafeQ
Management" section.
Caveats & Limitations
No proxy support.
No HTTP Artifact binding support
No Synchronous Bindings (Back-Channel) support
SP SAML requests and responses are not signed
ADFS IdP is not fully supported - ADFS 3.0 does not accept NameQualifier when using urn:
oasis:names:tc:SAML:2.0:nameid-format:entity. It's not possible to disable the NameQualifier
from SAML Request.

SAMLv2 Single sign-on feature and its setting are available only in single tenant mode due to
the technical limitations of the integration.
To redirect the user after authentication the system property samlServerAddress can only be
set to one Management server URL. When using Management cluster deployment without a
load balancer the other servers are not accessible for user authentication.
No protection against login via CSRF is implemented.
Usage with Management Cluster
With load balancer
Recommended configuration is that the Management cluster will act as a single service provider e.
g. single login URL and single callback URL with authentication result. The system property
samlServerAddress must be set to the load balancer URL in front of the Management Service
cluster.
Without load balancer
Only one Management server can be configured for user authentication.
Recommended configuration is that each Management server in the cluster acts as a standalone
service provider, i.e. each server has own login and callback URL. Due to limitation of system
configuration only one Management server URL can be registered in system property
samlServerAddress to redirect after user authentication.
To enable additional logging for SAML troubleshooting
To enable additional SAML logging add this to log configuration file <SAFEQ6_HOME>/Management
/conf/log4j2.xml. Restart YSoft SafeQ Management Service to apply the settings.
<Logger name="org.pac4j" level="debug" additivity="false">

<AppenderRef ref="management_log_app"/>
</Logger>
To disable SAML authentication
Disabling SAML authentication requires that the application settings be changed in the YSoft
SafeQ database. Restart YSoft SafeQ Management Service to apply the settings.
Execute SQL command in PostgreSQL:
UPDATE cluster_mngmt.configuration_properties SET value = 'USERNAME_AND_PASSWORD' WHERE key = 'w

ebAuthenticationMethod'

Execute SQL command in Microsoft SQL Server:
UPDATE cluster_mngmt.configuration_properties SET value = 'USERNAME_AND_PASSWORD' WHERE [key] =

'webAuthenticationMethod'
Enabling the integration in End User Interface
Configuration in YSoft SafeQ Management
2. Navigate to System > Configuration and change the filter to Advanced or Expert.
3. Change the following system property settings:
a. Set the value of the property webAuthenticationMethodEUI to SAML v2 single sign-

on in order to enable the single sign-on method using SAML.
b. Set the value of the property samlIdentityProviderMetadataUrl with the metadata

URL from the Identity Provider.
Property samlIdentityProviderMetadataUrl is shared for Management Interface

and End User Interface.
4. Using the configuration from the Identity Provider change the following system property
settings:
a. Set the value of the property samlAttributeAsId with the attribute from the Identity
Provider which will be used to match the username in Management interface. The
value should be blank if the SAML assertion contains correct user attribute in
authentication subject. If the samlAttributeAsId is set then logout requests may not
work as the IdP may expect NameId value in the logout request, not other attribute
value.
b. Set the value of the property samlIdentityProviderLifetime with the session lifetime
value in seconds from the Identity Provider. This property defines the timeout when
Management considers the session as non-trusted. If the session lifetime does not
match the Identity Provider configuration then authentication may fail.
Properties samlAttributeAsId, samlIdentityProviderLifetime are shared for

Management Interface and End User Interface.
c.
c. Set the value of the property samlSingleLogoutEUI to Enabled if you want the user
to be logged out from other Service Providers when you log out of YSoft End User
Interface. The default value of property is Disabled which means user will NOT be
logged out of all Service Providers which use the Identity Provider, only local YSoft
SafeQ End User Interface session will be destroyed.
Configuration in YSoft SafeQ End User Interface
1. If the URL of the Identity Provider metadata is secured (HTTPS), you need to store the
certificate of the URL into end user server Truststore (by default, it is located in
<install_dir>/SafeQ6/SPOC/java/lib/security/cacerts).
How to import the certificate
a. Import the Identity Provider certificate into End User Interface truststore using
Java keytool. On the machine where the End User Interface is running, open the
command line and run the following keytool command:
keytool -import -alias <certificate-alias> -keystore

<truststore-location> -file <certificate-location>
<certificate-alias> - a key under which will be the certificate stored in the

truststore, e.g. saml-certificate
<truststore-location> - the location of the keystore, e.g. <SAFEQ6_HOME>

/SafeQ6/SPOC/java/lib/security/cacerts
<certificate-location> - the location of the Identity Provider certificate to be

imported
b. Enter a password for keystore protection.
c. Write yes to confirm you want to trust this certificate. If import was successful,
the following message should appear: Certificate was added to keystore
d. Restart YSoft SafeQ End User Interface to apply the settings.
In case your key/certificate is in a different format than specified, convert it following

the guide in Conversions between different keystores and certificate types.
2. Open file <install_dir>/SPOC/EUI/ui-conf/environment-configuration.properties and add or

modify these properties
saml.entityId="{EntityID of the Identity Provider}"

saml.baseUrl=https://<end-user-ip>:<end-user-port>/end-user

EntityID must be unique for each End User Interface instance.
3. Example of environment-configuration.properties
safeq.authentication.address=tcp://127.0.0.1:5555
saml.entityId=SafeQEndUserInterface
saml.baseUrl=https://10.0.124.248:9443/end-user
4. Restart YSoft SafeQ End User Interface Windows Service
5. Download End User Interface SAML spring_saml_metadata.xml from following address:
https://<end-user-ip>:<end-user-port>/end-user/saml/metadata
Example of spring_saml_metadata.xml
<?xml version="1.0" encoding="UTF-8"?>

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="SafeQEndUserInter
face3" entityID="SafeQEndUserInterface3">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupp
ortEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:X509Data>
<ds:
X509Certificate>MIIG5jCCBM6gAwIBAgIBCDANBgkqhkiG9w0BAQ0FADCBizELMAkGA1UEBhMCY3oxDTALBgNVB
AcT
BEJybm8xGzAZBgNVBAoTElkgU29mdCBDb3Jwb3JhdGlvbjEMMAoGA1UECxMDUm5EMRUwEwYDVQQD
EwxZU29mdCBSbkQgQ0ExHTAbBgkqhkiG9w0BCQEWDmluZm9AeXNvZnQuY29tMQwwCgYDVQQEEwNE
WkEwIBcNMTQwMjA0MTMzMDIxWhgPMjA5OTEyMTcxNDE1MTdaMIGmMQswCQYDVQQGEwJjejENMAsG
A1UEBxMEQnJubzEbMBkGA1UEChMSWSBTb2Z0IENvcnBvcmF0aW9uMQwwCgYDVQQLEwNSbkQxMDAu
BgNVBAMTJ1lTb2Z0IHBheW1lbnQgc3lzdGVtIHNlcnZlciBjZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3
DQEJARYOaW5mb0B5c29mdC5jb20xDDAKBgNVBAQTA2R6YTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
ADCCAgoCggIBAKeedoSGKfRZbGbn4ItQPSRXRVF3p9m96TKiJAc2zLZmx/K0kVfdtNuDr9nEPTrW
HQrBYTGdQHrXLjKbt8zZ5QVeQRRLw9okmQFo5vJOWADeN8keJUuLluad0s+9LKEh35U/r3fHOCia
fJZzDR9bPGNhRnWYC8+FL06SNMcJPOpSlbc0Oxccq7m5qewxL1GaeRbA8lGioiQhgZqEIfE4ZLIB
oNoOTI+LApBEuMSPpqF4k22qjV/D5MMmigcA9XMJCwLGxZE4zMBGvxRWDvPxvZ9ZBaAH0/bMWfCG
rA83L1Gn9WIfdQIuboKKg8en0P44mXzO0Q3qy8hCbEeIKrxnMPohYnSdQL3h5DpnUHqJTGA3UqmV
g95iiFIBnBHC0F57lab5iQ5H59ZB4KD9dfbYrrphGSOs9MbcQHwdDgVkQLPKxv71t79brc5xMyms
KX+7YL3+sC+BTvVlvmG4CHrEK7+HiOK7yKoKu+H3m2tXP+TbVaQ7Xq4F2KQ4p9G/xA+bs/uXJyRR
2Z9ouKDOv05Dgm8Owt2/yHSG+dLNRd6Xz+L4DnZtiOe9jIq+7phn3eICuUyyrMa6+gDE6YJyDaaP
rzc/36RB8t2V+I9MwDccWaAcWyqSpjqKRwyY40Rv7Buvl5hDgobYf35AhDkv4Vu64vWcJbaVwbiZ
uEmPJq9tEXCbAgMBAAGjggE0MIIBMDAPBgNVHRMBAf8EBTADAgEAMB0GA1UdDgQWBBQHB9H1AkI6
hHA7isu+ZpBYztJzITCBvQYDVR0jBIG1MIGygBRsX+zIeY4vA4v56DnduOWJYQ1cOaGBlqSBkzCB
kDELMAkGA1UEBhMCY3oxDTALBgNVBAcTBEJybm8xGzAZBgNVBAoTElkgU29mdCBDb3Jwb3JhdGlv
bjEMMAoGA1UECxMDUm5EMRowGAYDVQQDExFZU29mdCBSbkQgcm9vdCBDQTEdMBsGCSqGSIb3DQEJ
ARYOaW5mb0B5c29mdC5jb20xDDAKBgNVBAQTA0RaQYIBAjALBgNVHQ8EBAMCBeAwEQYJYIZIAYb4
QgEBBAQDAgZAMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQENBQAD
ggIBACVh5BXX4d706MHWLfo9fpe7NlJYhSwU5r6kI0uXvn7gyGvq86x27qINQwAXHeGJBLGqmEpb
GuiPND+IT461/gkaaSUOyaZ1/AfVk7Eek3E7Vl7gzHsleNM3vdmEIogB7+CO30Ud0P6VlibKXuye
94E47arAKT2f+lbxlZX5+vj4Tqptm9lMI9JhphP63pouJMGXkb/DcWwWWT5T6eftJ21LHqCKhsb2
N6Kb1hGT5OaiX/suRy01o5FF7wt6VPPc7fTwtdo/BiaDECqH9uyXe7oZ7LJ2NbhMio3szOrCRwra
7P8GZLKcbfIFNqe99/CTbeW9EQ3kJdhycNIsu2p1Z1fa/6Fj3/p+SQTk452/6TCYHV9l9xgNRrsW
ZPamDqv4jT1rZx8PgCeQJ0h6KSrM2J2nhf1EWhfGrHR7pO32+WwHsOIO7rrL4TS7e9eizPfMuDQs

4xx8g4Ju58LoWoeyMlCHR6mk3MSaYHDoQaHYpw0cRpO1kqrG6ezXnwYj0TRdLcHpAz4pvoORhaw8
KbJKQwt/eeM+bC0PRaT27Q60V4OyJAgtWzV/hxuc3l4ay1qKM9eRwjkc8CvKQKFcZV9WrVkkX2dL
6gkTDJbk7XDT16jY65GzNTk8WF+pMZsL/++HRZhjshPGVLmEQjlnXrVf7AAmWeQRkMEFB77I6m0v
I21b</ds:X509Certificate>
<ds:
X509Certificate>MIIG0zCCBLugAwIBAgIBAjANBgkqhkiG9w0BAQ0FADCBkDELMAkGA1UEBhMCY3oxDTALBgNVB
AcT
BEJybm8xGzAZBgNVBAoTElkgU29mdCBDb3Jwb3JhdGlvbjEMMAoGA1UECxMDUm5EMRowGAYDVQQD
ExFZU29mdCBSbkQgcm9vdCBDQTEdMBsGCSqGSIb3DQEJARYOaW5mb0B5c29mdC5jb20xDDAKBgNV
BAQTA0RaQTAgFw0xMzEyMTkxNDE2NDVaGA8yMDk5MTIxNzE0MTUxN1owgYsxCzAJBgNVBAYTAmN6
MQ0wCwYDVQQHEwRCcm5vMRswGQYDVQQKExJZIFNvZnQgQ29ycG9yYXRpb24xDDAKBgNVBAsTA1Ju
RDEVMBMGA1UEAxMMWVNvZnQgUm5EIENBMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlzb2Z0LmNvbTEM
MAoGA1UEBBMDRFpBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq8BtILfntIjYRcUV
Iy1MwkVB92OtT22Jp/MDeX/tF7YycM+3MZ6AGNRHZ+6+6psNKlicbmmpGoCNNfoBjNjDIAwElH4Z
zvytb5FxYh8/j5MqwW2C2TMbdRAMJOgS9P9Ek79yVNvqjJY4u5m8Wi4gmB05VkvT0d99Uxij3TO5
BVOWUbZtBhMftTH5jXy64zRDsOQ1ay5OXvSanx91OnK91dqAqnF8WUfyEMPwX/Db72ptgmYKuWVm
Chdg1c8ZD0/rXLMXmwv79jxEHkZc872PqdOK9rpxoT6VWxj0q0AduP9HR8FqqvyVo9SPD6kRPvfC
6DC4Jf09e84II/kY4FlS1kuM+QWtV4F7+PYdO/6gwenmCzIxZzpLFkvfRdfIwqJLyiuGhCb9BOro
d63LKsVkjiQ8GGihjB/mArw4CFY8AGY6r7mwhCFxecbsUZW9Aa26Vpgd5k52mahbHvTPLkHlQhD1
kG+NQffQ9OCLam4uG9p0EHLmKNDyWhOJfL8C5gjG4h2JCftJbZWDkX47ALkAdeIFafd1t10f93fA
3eq/pSA7ENwUMB3jARbMs8741XFQVdo3fVqFQBFUzndVPUnLB+CGyxDcpsSjqY5njzjmzQc+a9qR
0Gl93BeElJ6AltYEjFL/iBlSRnPT94IbJjUifPcf6bzFbPGQWN9Ow7ZOjekCAwEAAaOCATcwggEz
MBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGxf7Mh5ji8Di/noOd245YlhDVw5MIG9BgNV
HSMEgbUwgbKAFCdB3zHbLUTpzj7wSJmz7PJP+XokoYGWpIGTMIGQMQswCQYDVQQGEwJjejENMAsG
A1UEBxMEQnJubzEbMBkGA1UEChMSWSBTb2Z0IENvcnBvcmF0aW9uMQwwCgYDVQQLEwNSbkQxGjAY
BgNVBAMTEVlTb2Z0IFJuRCByb290IENBMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlzb2Z0LmNvbTEM
MAoGA1UEBBMDRFpBggEBMAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4
QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQ0FAAOCAgEAiFBTlOzYMYWvJG3rW0q+
tTBAQGMGySbeV7PxANcpMWZZrT/5WrKQMPObhxj9yHiGJp2xovmKXoUJSImsoh4DZGdkpKrzdPZN
wkIAxd+0z75RU9N6/0qu4gZ8wenWlVXBKLn/3Wp19L3EsebXvlx0ZoMm0MdC9CAtalxMO1dbQPDT
1CjQ2NxjYjhRx52DpQJYjbFqjEkCEG509i1xNPkG/D+cZycRxzorKi7ZHUGPSwem5LxYLk3AKDuG
XMNYoTiX+v29RVolQhZoibBIssDQiUvnUnvS++gLvBF5wlmA9nLvCGzFbfwEfrUCQXflP5DCoZDL
7We9Wcy+NapPFrJJ6zcdVg3UkzYD+88i59jB05VwdbeorDyxoZkbmebCpaa4bQ5ImjRZgwqA+es4
twWKlsujXpQfyCxJd4DbD251UBJYaI5kRlQq8CYGhIiAgSVWHyTMdBV4ixIfsLRZ4zc3FXmeQBdy
73+OfcBbQvp3MIXIeyEXQ9DHB+SpJGiy0JxV1SHcwFitQT239wShEq9qXAb7D5f/s2MWN1+csvhR
dJPii0g7fMgWvyrF1sQGfWy9ZMdE/wEL3LTPyc7vL3XlCSXlu1N9jmipGTSKvV4Xxf9xuGeXNZwR
6zY5EwcrOsOaZnkF+DhY7TcJNO7mvov6ujFKbAECGYKw3e37PYUoOZo=</ds:X509Certificate>
<ds:
X509Certificate>MIIGNzCCBB+gAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBkDELMAkGA1UEBhMCY3oxDTALBgNVB
AcT
BAQTA0RaQTAgFw0xMzEyMTkxNDE1MTdaGA8yMDk5MTIxNzE0MTUxN1owgZAxCzAJBgNVBAYTAmN6
RDEaMBgGA1UEAxMRWVNvZnQgUm5EIHJvb3QgQ0ExHTAbBgkqhkiG9w0BCQEWDmluZm9AeXNvZnQu
Y29tMQwwCgYDVQQEEwNEWkEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC6n3LNV4vI
5Kdobz2dlwXPIwk6Vhk45p6lGHfbSuN0rxaMIaBiseL8jdIYBv6xOQT6O58/hbCa+/Et9o+cxG3m
1HQ/DwgLK6OWWL3CPepkmRU/GgZQCZQ1619r0d534G1rRQIXWRhC3o5H4oVsk3vKz3oQrFPuzAbi
LiKAIi9k9qvgzOKSt5YQV5pNCOygFV/A7YjMNXcnpekDxM1GObTh9/CNaErC8xP5ZthDhucnGDHX
oqStamWmUICAO8d1jgoaDraxDwHZcDtmT4kXKjtOvpfIyVL/1+FSxE7qauKwtJ/e2IyX7ourgf2K
hDGJawmF3gLZCj1MuRd5Zg+GBK61MTzyWnT+0J+HKEixFO8mqrgCdV7BmC2oJEyyJHeRpIcOUPJY
DRorXrDmwzQB4hkLDiACnWQTI1Sc2Tkr7d0ZkuKipgf5YkGCZeG/c2geQ++04SxIu9Grb0SOh+LB
DhvrQp70rgy1F+NzVjcqVW/vqyP32/M/AJO6+wuSZVMRNEzEdVEinPvm6WMgZhw0KH5O1KEFJ1r7
72m/7mUMiOaukRps9NenmUvNq8YbO8ZfDFi0KrHPR+mLifczxIAie+xIJu0HJKTm0OoSz+rgxRQY
aS3RsLIOJePtgcEIQlc5T9kUfvnVpFuBRxEAaQWhgApge4ALv7O2aF2l0focnkfM1QIDAQABo4GX
MIGUMBIGA1UdEwEB/wQIMAYBAf8CAQIwHQYDVR0OBBYEFCdB3zHbLUTpzj7wSJmz7PJP+XokMB8G
A1UdIwQYMBaAFCdB3zHbLUTpzj7wSJmz7PJP+XokMAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEE
BAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQ0FAAOCAgEA
fmmSihhS+mQkeUuVLodPRy4T9iZ+WTeVHqcHx4JlYWceqzSLXfaskyCsPIk9ZoShgmNhHnB8VEwG

sjYdHpP9/MWG4uYgTQr04zvF/oYNkVfRRxWLQjj8jLAKnqOiaTPhr7XgOadNLWlggMZXqKvQhAah
v3guei/A/oAfSEx/i7ZffEv/bb7SKSuaukXNSxgBwpzMdaAew1nDTrSiH/wYwTMF0hgD49JBboOo
gvlz4qELcX8GGXQcnr9/cbABetkLH5r0gZHyAGb/PLRzs2Ur3g4UrntKlXY5tfr415D9m6CQJk42
GKUlWjYQ77X6yFwc2RDWrmF6QvfWHDAXQ0eJUy+iqsMl0WgrBAIJPUBh8W2p/KYg0BpLwKSXR6xC
0qEgkoV8vpTZZc+11UvFKT/4pXdJGnWmg5sbEhDT5FrT4GYNN3bBwkTLzK5ZzyvFLWJn0mdXrosW
9WOR9gK22yU+BtijzHtmH3myVtamjnmmDZp6UNvGEJ2x4mxHGP/5w7D6ftxRVDkDyEZd5v0NvMCn
41FRx9E1zI58bix8iT5TmD8J98EdkyptynNwsJz5eizn8/L7wiOZX8kgmlI3jU7BOikoMHDMC6oj
pULuVtd2x5gvLjq7mug5E6ILmh0JzOHhjgfIDm2vW71rLi+OPZlsGA0JViyzEIQyARxnEXvDtY4=</ds:
X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:X509Data>
<ds:
X509Certificate>MIIG5jCCBM6gAwIBAgIBCDANBgkqhkiG9w0BAQ0FADCBizELMAkGA1UEBhMCY3oxDTALBgNVB
AcT
BEJybm8xGzAZBgNVBAoTElkgU29mdCBDb3Jwb3JhdGlvbjEMMAoGA1UECxMDUm5EMRUwEwYDVQQD
EwxZU29mdCBSbkQgQ0ExHTAbBgkqhkiG9w0BCQEWDmluZm9AeXNvZnQuY29tMQwwCgYDVQQEEwNE
WkEwIBcNMTQwMjA0MTMzMDIxWhgPMjA5OTEyMTcxNDE1MTdaMIGmMQswCQYDVQQGEwJjejENMAsG
A1UEBxMEQnJubzEbMBkGA1UEChMSWSBTb2Z0IENvcnBvcmF0aW9uMQwwCgYDVQQLEwNSbkQxMDAu
BgNVBAMTJ1lTb2Z0IHBheW1lbnQgc3lzdGVtIHNlcnZlciBjZXJ0aWZpY2F0ZTEdMBsGCSqGSIb3
DQEJARYOaW5mb0B5c29mdC5jb20xDDAKBgNVBAQTA2R6YTCCAiIwDQYJKoZIhvcNAQEBBQADggIP
ADCCAgoCggIBAKeedoSGKfRZbGbn4ItQPSRXRVF3p9m96TKiJAc2zLZmx/K0kVfdtNuDr9nEPTrW
HQrBYTGdQHrXLjKbt8zZ5QVeQRRLw9okmQFo5vJOWADeN8keJUuLluad0s+9LKEh35U/r3fHOCia
fJZzDR9bPGNhRnWYC8+FL06SNMcJPOpSlbc0Oxccq7m5qewxL1GaeRbA8lGioiQhgZqEIfE4ZLIB
oNoOTI+LApBEuMSPpqF4k22qjV/D5MMmigcA9XMJCwLGxZE4zMBGvxRWDvPxvZ9ZBaAH0/bMWfCG
rA83L1Gn9WIfdQIuboKKg8en0P44mXzO0Q3qy8hCbEeIKrxnMPohYnSdQL3h5DpnUHqJTGA3UqmV
g95iiFIBnBHC0F57lab5iQ5H59ZB4KD9dfbYrrphGSOs9MbcQHwdDgVkQLPKxv71t79brc5xMyms
KX+7YL3+sC+BTvVlvmG4CHrEK7+HiOK7yKoKu+H3m2tXP+TbVaQ7Xq4F2KQ4p9G/xA+bs/uXJyRR
2Z9ouKDOv05Dgm8Owt2/yHSG+dLNRd6Xz+L4DnZtiOe9jIq+7phn3eICuUyyrMa6+gDE6YJyDaaP
rzc/36RB8t2V+I9MwDccWaAcWyqSpjqKRwyY40Rv7Buvl5hDgobYf35AhDkv4Vu64vWcJbaVwbiZ
uEmPJq9tEXCbAgMBAAGjggE0MIIBMDAPBgNVHRMBAf8EBTADAgEAMB0GA1UdDgQWBBQHB9H1AkI6
hHA7isu+ZpBYztJzITCBvQYDVR0jBIG1MIGygBRsX+zIeY4vA4v56DnduOWJYQ1cOaGBlqSBkzCB
kDELMAkGA1UEBhMCY3oxDTALBgNVBAcTBEJybm8xGzAZBgNVBAoTElkgU29mdCBDb3Jwb3JhdGlv
bjEMMAoGA1UECxMDUm5EMRowGAYDVQQDExFZU29mdCBSbkQgcm9vdCBDQTEdMBsGCSqGSIb3DQEJ
ARYOaW5mb0B5c29mdC5jb20xDDAKBgNVBAQTA0RaQYIBAjALBgNVHQ8EBAMCBeAwEQYJYIZIAYb4
QgEBBAQDAgZAMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQENBQAD
ggIBACVh5BXX4d706MHWLfo9fpe7NlJYhSwU5r6kI0uXvn7gyGvq86x27qINQwAXHeGJBLGqmEpb
GuiPND+IT461/gkaaSUOyaZ1/AfVk7Eek3E7Vl7gzHsleNM3vdmEIogB7+CO30Ud0P6VlibKXuye
94E47arAKT2f+lbxlZX5+vj4Tqptm9lMI9JhphP63pouJMGXkb/DcWwWWT5T6eftJ21LHqCKhsb2
N6Kb1hGT5OaiX/suRy01o5FF7wt6VPPc7fTwtdo/BiaDECqH9uyXe7oZ7LJ2NbhMio3szOrCRwra
7P8GZLKcbfIFNqe99/CTbeW9EQ3kJdhycNIsu2p1Z1fa/6Fj3/p+SQTk452/6TCYHV9l9xgNRrsW
ZPamDqv4jT1rZx8PgCeQJ0h6KSrM2J2nhf1EWhfGrHR7pO32+WwHsOIO7rrL4TS7e9eizPfMuDQs
4xx8g4Ju58LoWoeyMlCHR6mk3MSaYHDoQaHYpw0cRpO1kqrG6ezXnwYj0TRdLcHpAz4pvoORhaw8
KbJKQwt/eeM+bC0PRaT27Q60V4OyJAgtWzV/hxuc3l4ay1qKM9eRwjkc8CvKQKFcZV9WrVkkX2dL
6gkTDJbk7XDT16jY65GzNTk8WF+pMZsL/++HRZhjshPGVLmEQjlnXrVf7AAmWeQRkMEFB77I6m0v
I21b</ds:X509Certificate>
<ds:
X509Certificate>MIIG0zCCBLugAwIBAgIBAjANBgkqhkiG9w0BAQ0FADCBkDELMAkGA1UEBhMCY3oxDTALBgNVB
AcT
BAQTA0RaQTAgFw0xMzEyMTkxNDE2NDVaGA8yMDk5MTIxNzE0MTUxN1owgYsxCzAJBgNVBAYTAmN6
RDEVMBMGA1UEAxMMWVNvZnQgUm5EIENBMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlzb2Z0LmNvbTEM
MAoGA1UEBBMDRFpBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq8BtILfntIjYRcUV
Iy1MwkVB92OtT22Jp/MDeX/tF7YycM+3MZ6AGNRHZ+6+6psNKlicbmmpGoCNNfoBjNjDIAwElH4Z

zvytb5FxYh8/j5MqwW2C2TMbdRAMJOgS9P9Ek79yVNvqjJY4u5m8Wi4gmB05VkvT0d99Uxij3TO5
BVOWUbZtBhMftTH5jXy64zRDsOQ1ay5OXvSanx91OnK91dqAqnF8WUfyEMPwX/Db72ptgmYKuWVm
Chdg1c8ZD0/rXLMXmwv79jxEHkZc872PqdOK9rpxoT6VWxj0q0AduP9HR8FqqvyVo9SPD6kRPvfC
6DC4Jf09e84II/kY4FlS1kuM+QWtV4F7+PYdO/6gwenmCzIxZzpLFkvfRdfIwqJLyiuGhCb9BOro
d63LKsVkjiQ8GGihjB/mArw4CFY8AGY6r7mwhCFxecbsUZW9Aa26Vpgd5k52mahbHvTPLkHlQhD1
kG+NQffQ9OCLam4uG9p0EHLmKNDyWhOJfL8C5gjG4h2JCftJbZWDkX47ALkAdeIFafd1t10f93fA
3eq/pSA7ENwUMB3jARbMs8741XFQVdo3fVqFQBFUzndVPUnLB+CGyxDcpsSjqY5njzjmzQc+a9qR
0Gl93BeElJ6AltYEjFL/iBlSRnPT94IbJjUifPcf6bzFbPGQWN9Ow7ZOjekCAwEAAaOCATcwggEz
MBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFGxf7Mh5ji8Di/noOd245YlhDVw5MIG9BgNV
HSMEgbUwgbKAFCdB3zHbLUTpzj7wSJmz7PJP+XokoYGWpIGTMIGQMQswCQYDVQQGEwJjejENMAsG
A1UEBxMEQnJubzEbMBkGA1UEChMSWSBTb2Z0IENvcnBvcmF0aW9uMQwwCgYDVQQLEwNSbkQxGjAY
BgNVBAMTEVlTb2Z0IFJuRCByb290IENBMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlzb2Z0LmNvbTEM
MAoGA1UEBBMDRFpBggEBMAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4
QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQ0FAAOCAgEAiFBTlOzYMYWvJG3rW0q+
tTBAQGMGySbeV7PxANcpMWZZrT/5WrKQMPObhxj9yHiGJp2xovmKXoUJSImsoh4DZGdkpKrzdPZN
wkIAxd+0z75RU9N6/0qu4gZ8wenWlVXBKLn/3Wp19L3EsebXvlx0ZoMm0MdC9CAtalxMO1dbQPDT
1CjQ2NxjYjhRx52DpQJYjbFqjEkCEG509i1xNPkG/D+cZycRxzorKi7ZHUGPSwem5LxYLk3AKDuG
XMNYoTiX+v29RVolQhZoibBIssDQiUvnUnvS++gLvBF5wlmA9nLvCGzFbfwEfrUCQXflP5DCoZDL
7We9Wcy+NapPFrJJ6zcdVg3UkzYD+88i59jB05VwdbeorDyxoZkbmebCpaa4bQ5ImjRZgwqA+es4
twWKlsujXpQfyCxJd4DbD251UBJYaI5kRlQq8CYGhIiAgSVWHyTMdBV4ixIfsLRZ4zc3FXmeQBdy
73+OfcBbQvp3MIXIeyEXQ9DHB+SpJGiy0JxV1SHcwFitQT239wShEq9qXAb7D5f/s2MWN1+csvhR
dJPii0g7fMgWvyrF1sQGfWy9ZMdE/wEL3LTPyc7vL3XlCSXlu1N9jmipGTSKvV4Xxf9xuGeXNZwR
6zY5EwcrOsOaZnkF+DhY7TcJNO7mvov6ujFKbAECGYKw3e37PYUoOZo=</ds:X509Certificate>
<ds:
X509Certificate>MIIGNzCCBB+gAwIBAgIBATANBgkqhkiG9w0BAQ0FADCBkDELMAkGA1UEBhMCY3oxDTALBgNVB
AcT
BAQTA0RaQTAgFw0xMzEyMTkxNDE1MTdaGA8yMDk5MTIxNzE0MTUxN1owgZAxCzAJBgNVBAYTAmN6
RDEaMBgGA1UEAxMRWVNvZnQgUm5EIHJvb3QgQ0ExHTAbBgkqhkiG9w0BCQEWDmluZm9AeXNvZnQu
Y29tMQwwCgYDVQQEEwNEWkEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC6n3LNV4vI
5Kdobz2dlwXPIwk6Vhk45p6lGHfbSuN0rxaMIaBiseL8jdIYBv6xOQT6O58/hbCa+/Et9o+cxG3m
1HQ/DwgLK6OWWL3CPepkmRU/GgZQCZQ1619r0d534G1rRQIXWRhC3o5H4oVsk3vKz3oQrFPuzAbi
LiKAIi9k9qvgzOKSt5YQV5pNCOygFV/A7YjMNXcnpekDxM1GObTh9/CNaErC8xP5ZthDhucnGDHX
oqStamWmUICAO8d1jgoaDraxDwHZcDtmT4kXKjtOvpfIyVL/1+FSxE7qauKwtJ/e2IyX7ourgf2K
hDGJawmF3gLZCj1MuRd5Zg+GBK61MTzyWnT+0J+HKEixFO8mqrgCdV7BmC2oJEyyJHeRpIcOUPJY
DRorXrDmwzQB4hkLDiACnWQTI1Sc2Tkr7d0ZkuKipgf5YkGCZeG/c2geQ++04SxIu9Grb0SOh+LB
DhvrQp70rgy1F+NzVjcqVW/vqyP32/M/AJO6+wuSZVMRNEzEdVEinPvm6WMgZhw0KH5O1KEFJ1r7
72m/7mUMiOaukRps9NenmUvNq8YbO8ZfDFi0KrHPR+mLifczxIAie+xIJu0HJKTm0OoSz+rgxRQY
aS3RsLIOJePtgcEIQlc5T9kUfvnVpFuBRxEAaQWhgApge4ALv7O2aF2l0focnkfM1QIDAQABo4GX
MIGUMBIGA1UdEwEB/wQIMAYBAf8CAQIwHQYDVR0OBBYEFCdB3zHbLUTpzj7wSJmz7PJP+XokMB8G
A1UdIwQYMBaAFCdB3zHbLUTpzj7wSJmz7PJP+XokMAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEE
BAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQ0FAAOCAgEA
fmmSihhS+mQkeUuVLodPRy4T9iZ+WTeVHqcHx4JlYWceqzSLXfaskyCsPIk9ZoShgmNhHnB8VEwG
sjYdHpP9/MWG4uYgTQr04zvF/oYNkVfRRxWLQjj8jLAKnqOiaTPhr7XgOadNLWlggMZXqKvQhAah
v3guei/A/oAfSEx/i7ZffEv/bb7SKSuaukXNSxgBwpzMdaAew1nDTrSiH/wYwTMF0hgD49JBboOo
gvlz4qELcX8GGXQcnr9/cbABetkLH5r0gZHyAGb/PLRzs2Ur3g4UrntKlXY5tfr415D9m6CQJk42
GKUlWjYQ77X6yFwc2RDWrmF6QvfWHDAXQ0eJUy+iqsMl0WgrBAIJPUBh8W2p/KYg0BpLwKSXR6xC
0qEgkoV8vpTZZc+11UvFKT/4pXdJGnWmg5sbEhDT5FrT4GYNN3bBwkTLzK5ZzyvFLWJn0mdXrosW
9WOR9gK22yU+BtijzHtmH3myVtamjnmmDZp6UNvGEJ2x4mxHGP/5w7D6ftxRVDkDyEZd5v0NvMCn
41FRx9E1zI58bix8iT5TmD8J98EdkyptynNwsJz5eizn8/L7wiOZX8kgmlI3jU7BOikoMHDMC6oj
pULuVtd2x5gvLjq7mug5E6ILmh0JzOHhjgfIDm2vW71rLi+OPZlsGA0JViyzEIQyARxnEXvDtY4=</ds:
X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Loc
ation="https://10.0.124.248:9443/end-user/ui/saml/SingleLogout" />

<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://10.0.124.248:9443/end-user/ui/saml/SingleLogout" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:
NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-
POST" Location="https://10.0.124.248:9443/end-user/ui/saml/SSO" index="0" isDefault="true"
/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
6. Import spring_saml_metadata.xml as a new Entity with set EntityId into Identity Provider.
5.4.11.3 Windows Integrated Authentication
Enabling the Integration in YSoft SafeQ 6
1. Log into the YSoft SafeQ management interface as a user with rights to modify the
system configuration (for example, as the default user admin).
2. Navigate to System > Configuration and search for the webAuthenticationMethod

property.
3. Change the property value to Windows Integrated Authentication to enable the single sign-
on method.
4. Additionally, the cutUsernameDomainDuringWindowsIntegratedAuthentication property

can be disabled if necessary (see the info box below).
5. Restart YSoft SafeQ Management Service to apply the settings. In case YSoft SafeQ
Management Service is part of the cluster, all nodes must be restarted.
In the case when YSoft SafeQ users have been replicated from multiple LDAP domains and
the domain information is part of the replicated usernames (in domain\username format), the
configuration option cutUsernameDomainDuringWindowsIntegratedAuthentication must be
disabled otherwise parsed names from a single sign-on authentication token would not match
the usernames in the YSoft SafeQ database.

Setting Up LDAP Integration
All the users the system will authenticate must be replicated into the YSoft SafeQ database. You
can find more information about LDAP integration and how to set it up on this dedicated page.
Additionally, semi-online mode can be enabled in the LDAP integration settings to replicate users
on demand in the case when the authenticated user is not found in the database.
Setting Up the Internet Browser
Internet Explorer
Ensure that Integrated Windows Authentication is enabled.
1. Choose the Tools, Internet Options menu.
2. Click the Advanced tab.
3. Scroll down to Security.
4. Check Enable Integrated Windows Authentication.
5. Restart the browser.
The target website must be in the Intranet Zone.
1.

1. Navigate to the website.
2. Choose the Tools, Internet Options menu.
3. Click the Local Intranet icon.
4. Click the Sites button.
5. Check Automatically detect intranet network.
If the steps above does not work, click Advanced. Add the https://safeq_server_hostname to the
list of intranet sites.
Chrome
The instructions are the same as for Internet Explorer as Chrome uses its intranet settings.
Firefox
1. Type about:config in the address bar and hit enter.
2. Type network.negotiate-auth.trusted-uris in the Filter box.
3. Put your server name as the value. If you have more than one server, you can enter them
all as a comma-separated list.
4. Close the tab.
In case of problems, it is possible to use a third-party add-on providing Windows Integrated

Authentication (search the Firefox add-on repository for the currently most used one).
Logging Into the YSoft SafeQ Management Interface
When this feature is enabled following the instructions above, and you enter any page that is
not the login page (e.g., the root page, Dashboard, etc.), you will be logged in automatically
without the need to enter your credentials.
When you enter the YSoft SafeQ 6 login page (https://safeq_server_hostname/login) for the first
time after the Management Service restart, you can either log in automatically by clicking the
Continue as current user button (in which current user refers to the credentials under which you
are logged into your operating system) or you can choose to log in by entering your credentials
manually. The latter is important when no Active Directory user has super administrator rights
assigned in YSoft SafeQ 6, or in the case when the single sign-on integration was not configured
correctly and it needs some additional setup changes.
When you enter the login page next time after the first successful login, the Continue as
current user button will be changed to Continue as <FIRST_NAME LAST_NAME> because the
browser now knows your name (it was stored in the cookie owned by the Management Service
interface page).
When you log out of the system, you will end up on the login page.

Caveats
Tenants
The Windows Integrated Authentication feature and its setting are available only in single
tenant mode due to the technical limitations of the integration.
Windows domains
The YSoft SafeQ server must be installed on the Windows operating system that is part
of the same domain the users are authenticating against from their browsers.
Problems with saving requests in Microsoft Explorer or Microsoft Edge browser
Symptoms: When user signs in through SSO or try to sign in through login form after SSO
login attempt - user cannot save form, the 403 page occurs; Access Forbidden 403 page
randomly showed to user.

Solution: Windows Registry must be changed to disable Explorer's re-authentication
feature, follow resolution at https://www.itprotoday.com/compute-engines/jsi-tip-8574-you-
cannot-post-any-data-non-ntlm-authenticated-web-site-after-you.
Workaround: User have to bypass SSO without "touching" SSO - open clean browser, go
directly to http://<sever_url>/login/<tenant_domain> and login through form. In this case
Explorer shouldn't try to re-authenticate.
Behind scene: The problem occurs because Microsoft's browsers decide to try re-
authenticate a user with SSO and send 0-length request with "Authorization: Negotiate ... "
header even if the user is already signed in and it should send regular request with data to
save. It is the same issue and has the same resolution as described here: https://www.
itprotoday.com/compute-engines/jsi-tip-8574-you-cannot-post-any-data-non-ntlm-
authenticated-web-site-after-you (and here https://support.microsoft.com/en-us/help
/2749007/an-unexpected-401-1-status-is-returned-when-using-pre-authentication-h).
YSoft SafeQ End User Interface
If the single sign-on is enabled in YSoft SafeQ 6, users will be logged into the YSoft SafeQ End
User Interface automatically.
Single sign-on authentication was also implemented for YSoft Payment System. Read more about
how to configure sign-on authentication here.
Troubleshooting
In case there are still troubles making the feature work on Internet Explorer try the following
additional steps:
1. Enable session cookies for the browser.
2. T r y to verify the following registry keys in \

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\] (
https://www.itprotoday.com/compute-engines/jsi-tip-8574-you-cannot-post-any-data-non-ntlm-
authenticated-web-site-after-you):
a. "EnableNegotiate"=dword:00000000
b. "DisableNTLMPreAuth"=dword:00000001

5.4.12 UPGRADING FROM YSOFT SAFEQ 5 TO YSOFT SAFEQ 6
5.4.12.1 Summary
The purpose of the upgrade process is to migrate data (configuration, records, and reporting
records) from YSoft SafeQ 5 to newly installed YSoft SafeQ 6 during the installation process or
manually.
Migrated areas
Configuration
Users
Devices
Device templates
Queues
Spooler Controllers configuration
Price lists
Billing codes
Rule-based Engine rules
Scan workflows
Reporting records
Statistics
Areas out of the scope
Physical job data
Spooler Controller servers (have to be installed separately for each server)
Migration of YSoft SafeQ Terminal Professional v 3.5
See A Detailed Description of the Upgrade Steps and The YSoft SafeQ 5 to YSoft SafeQ 6
Upgrade Tool for more information about migrated data and exceptions.
5.4.12.2 General Prerequisites
The existing installation of YSoft SafeQ 5 is updated to the latest available version (the last
available build).
Ensure the new YSoft SafeQ 6 license is available and the new product can be properly
licensed.

There is a backup of the current YSoft SafeQ 5 installation, mainly these parts:
Database
Configuration, see article CML configuration backup page from YSoft SafeQ 5
documentation.
Expected downtime is dependent on the size and type of the database, mainly the number of
jobs, users, devices, and terminal access records. For example, an upgrade with 1,000,000
jobs, 20,000 users, 200 devices, and 30,000 terminal access records may take approximately
three hours on the MS SQL server. On the PostgresSQL server, the same upgrade can take
about four hours.
In the case of a SQL Server dedicated database used with YSoft SafeQ 5, the database must
exist on the same database machine as the future YSoft SafeQ 6 database.
Migration is possible only between identical database engines (PostgreSQL→ PostgreSQL, MS

SQL→MS SQL).
Please resolve all mentioned prerequisites above to be sure the upgrade process is as smooth
as possible.
According to the environment, there are slightly different possibilities for how to upgrade:
5.4.12.3 Upgrading a YSoft SafeQ 5 Single Server Installation (Without ORS Servers)
For automatic upgrading with the Server Installer, follow the Upgrade of YSoft SafeQ 5 single
server installation without ORS servers article.
5.4.12.4 Upgrading a YSoft SafeQ 5 Cluster Server Installation with a Non-trivial Environment
Setup
The architecture of YSoft SafeQ 5 and YSoft SafeQ 6 is completely different and may require a
change of the architecture of the current solution, so please consider whether it is necessary to
contact customer support, e.g., if there are more application servers in the cluster or a database
cluster with failover.
For semi-automatic upgrading with a server installer, follow the Upgrading a YSoft SafeQ 5 Cluster
Server Installation with a Non-trivial Environment Setup article.
5.4.12.5 Manual Upgrading of YSoft SafeQ 5 – Migration of the Database
The main purpose of the manual upgrade process is to migrate data from the previous version of
YSoft SafeQ 5 to the newer blank YSoft SafeQ 6 version if the automatic upgrade run from the
installer fails or it is necessary to upgrade to the new server. It is divided into particular steps
that are run in order, and each next step depends on the previous one, see The YSoft SafeQ 5 to
YSoft SafeQ 6 Upgrade Tool for more information about the steps.

See the The Manual Upgrading of YSoft Safe 5 - Migrating the Database article to run a manual
upgrade.
5.4.12.6 Activating YSoft SafeQ 6 with a License After Upgrading
After the installation of the new version of YSoft SafeQ 6 Management Service, the product must
be activated to enable all features.
The administrator must contact the Regional Sales Manager to get a license activation code for
their installation of YSoft SafeQ 6.
When the administrator has the activation code, the administrator must perform the activation
procedure:
1. Log into YSoft SafeQ Management Service.
2. Click the Activate new license button in the panel shown at the top of every page or go to
the System > License information tab and click the Activate new license button.
3. Check Activate new license and click Next.
4. Enter the Activation code, check the The entered activation code enables multitenant
mode checkbox if the license is for multi-tenant mode otherwise leave unchecked, and click
Next.
5. Choose the proper Activation mode and click Next.
6. Check if the message System has been successfully activated is displayed.
7. Log out and log in again to apply the license changes.
Activation must be done within 30 days after upgrading, otherwise, the devices could be
removed from the system. Also, devices will not work until reactivation because of technical
limitations.
5.4.12.7 A Detailed Description of the Upgrade Steps
Overview
The entire upgrade process consists mainly of data migration, which is divided into particular
steps to ensure the flexibility and failover of the upgrade. This document describes the current
steps in detail, see the general description of Upgrading from YSoft SafeQ 5 to YSoft SafeQ 6 and
The YSoft SafeQ 5 to YSoft SafeQ 6 Upgrade Tool to see how upgrading and data migration in
steps work in general.
Particular upgrade steps are divided into schemes according to the migration areas:
CLUSTER – the scheme for cluster management steps which is loaded automatically for
tenant_1 a database scheme

TENANT – the scheme for upgrading a tenant database
DWH – the scheme for upgrading a tenant's warehouse database
Step Overview
CLUSTER.INITIALIZE
Creates database entities for migration and cleans logging tables.
CLUSTER.COMMON
Prepares common data for migration (especially identifiers).
CLUSTER.CONFIGURATIONS
Migrates the appropriate configuration of YSoft SafeQ 5 into the cluster management scheme
(the common configuration for all tenants).
This step is run only for the default first tenant, i.e., it is not run for additional tenant
schemes.
CLUSTER.POOL
Migrates data about the file pool to be deleted.
TENANT.INITIALIZE
TENANT.COMMON
Prepares common data for migration (especially identificators).
TENANT.CONFIGURATIONS
Migrates the appropriate configuration of YSoft SafeQ 5 into the tenants scheme (the
configuration for each tenant).
TENANT.USERS
Migrates users' data about users, user roles, rights, etc.
TENANT.DEVICES
Migrates device data, including terminals, Spooler Controllers, and device groups.
Migration of ORS servers

All valid and active ORS servers are migrated as Spooler Controllers while the upgrade mechanism
expects there must be at least one Spooler Controller in the destination YSoft SafeQ 6. It means
YSoft SafeQ 6 must be installed with a local Spooler Controller or there must exist at least one
ORS server in YSoft SafeQ 5. If the condition is not fulfilled, the migration ends with a FAILED
status.
Device assignment to Spooler Controller is migrated according to the following rules:
The device from a non-ORS device group is assigned
to local Spooler Controller if it exists, or
to the first migrated Spooler Controller (i.e., the first ORS group or local Spooler Controller
installed with YSoft SafeQ 6).
The device from the ORS device group is assigned to Spooler Controller created from that
ORS group.
During the migration, the Spooler Controllers migrated from ORS groups are only created in the
database, it is necessary to install them manually at the same IP address with the same GUID.
Migration of device accounting
Because there is a slightly different accounting setting in YSoft SafeQ 6, it is possible that
migrated devices will have different accounting than the original devices. See accounting
translation details. If the accounting was changed for a device during the migration, there is an
appropriate message in the upgrade report, and the Upgrade tool returns WARNING status or a
warning message is displayed in the case of the Server installer.
Migration of hardware terminals
The hardware terminal type "Hardware terminal professional version 3.5" is not supported in
YSoft SafeQ 6, so in the case of this terminal migration, the appropriate device is migrated as
"device without terminal", and a WARNING status or a warning message is displayed in the case
of the Server installer.
TENANT.DEVICE_TEMPLATES
Migrates device templates data.
TENANT.QUEUES
Migrates device direct and user shared queues data.
TENANT.PRICELISTS
Migrates price list data.

TENANT.PROJECTS
Migrates the billing code data.
TENANT.JOBS
Migrates jobs metadata mainly because of reports and statistics.
All jobs with any possible statuses are migrated as DELETED with no previews because it is
not possible to migrate spooled job data due to the radically different architecture of YSoft
SafeQ 6. Users have to send their jobs again after a successful upgrade to be able to print
any previously spooled jobs again (even the favorite ones). Also, there a situation can occur
when jobs are accounted in YSoft SafeQ 5 but are not part of statistics yet.
TENANT.STATS
Migrates the metadata of statistics reports (Web reports, Management reports, scheduled reports
to email, file, etc.).
TENANT.RBE_RULES
Migrates the RBE data file from YSoft SafeQ 5 file format into the YSoft SafeQ 6 database.
TENANT.SCAN_WORKFLOWS
Migrates scanning workflows and related data (scan parameters, scan accesses).
Scan to email
For the workflows type Scan to email in YSoft SafeQ 5, you need to define two parameters –
from and to – which are used for specifying the sender and recipient email addresses. If either
one of them happens to be empty after migration into YSoft SafeQ 6, you will have defined user
inputs %senderEmail% and %recipientEmail% respectively.
Scan to script
For the workflows type Scan to script in YSoft SafeQ 5, you need to define the parameter
targetDir. After the migration is done in YSoft SafeQ 6, the value of this parameter will populate
the field Target folder in the workflow definition for this workflow.
The administrator must verify that this field contains the only absolute path.
The relevant message will be written in the Upgrade report file generated during the migration
process.

DWH.INITIALIZE
DWH.COMMON
Prepares common data used by the migration process (mainly, ID conversion tables).
DWH.REPORTS
Migrates the data of reports.
DWH.STATS
Migrates the metadata of statistics reports (Web reports, Management reports, etc.).
Migrating Device Accounting
The table below shows the translation between the YSoft SafeQ 5 and YSoft SafeQ 6 device
accounting type during migration. A highlighted row means that the migration run ends with a
WARNING and the administrator should revise the migration report and device data.
YSoft SafeQ 5 Device YSoft SafeQ 5 Device Accounting YSoft SafeQ 6 Accounting
Type Type
Device without terminal Offline Offline
Online No accounting
Vendor dependent No accounting
No accounting No accounting
Local printer No accounting
Device with checked Reporting Offline Offline

Terminal
Device with checked Embedded Offline Offline

Terminal
Vendor dependent Device dependent
Offline Offline

YSoft SafeQ 5 Device YSoft SafeQ 5 Device Accounting YSoft SafeQ 6 Accounting
Type Type
Device with checked Hardware Online Online

Terminal
5.4.12.8 The Manual Upgrading of YSoft Safe 5 - Migrating the Database
Summary
The main purpose of the manual upgrade process is to migrate data from the previous version of
YSoft SafeQ 5 to a newer blank YSoft SafeQ 6 version if the automatic upgrade run from the
installer fails or it is necessary to upgrade to the new server. It is divided into the particular steps
that are run in order, and each next step depends on the previous one. For details see chapter
The YSoft SafeQ 5 to YSoft SafeQ 6 Upgrade Tool.
See the general summary of upgrading for more information.
If there are ORS servers or the YSoft SafeQ 5 installation runs in a cluster, see Upgrading a YSoft
SafeQ 5 Cluster Server Installation with a Non-trivial Environment Setup on how to upgrade them
and how to upgrade more servers in a cluster in general.
Prerequisites
For details, see chapter General prerequisites.
In the case of a SQL Server database dedicated to YSoft SafeQ 5, a database must exist on the
same database machine as the future YSoft SafeQ 6 database machine. It is possible to install
YSoft SafeQ 6 onto a dedicated database and restore the database from YSoft SafeQ 5
installation there.
In the case of SQL Server, the YSoft SafeQ 5 database has a different collation than
SQL_Latin1_General_CP1250_CI_AS, which is the default. Please create the YSoft SafeQ 6
database manually with the same database collation as YSoft SafeQ 5.
Preparation of the Environment
1. Check that all prerequisites all fulfilled.
2.

2. In case of an embedded database, create a backup of the YSoft SafeQ 5 database (this
backup will be imported to the same database where YSoft SafeQ 6 will be installed).
3. Install YSoft SafeQ 6 with the server installer on the same server where YSoft SafeQ 5
CML is installed. (It is also possible to install YSoft SafeQ 6 to a new environment but the
Upgrade Tool must be obtained from the existing YSoft SafeQ 6 installation or support
team directly).
a. The installer will install the new YSoft SafeQ 6 Management Service and Spooler
Controller into the new directory. The local Spooler Controller must be installed (it is
part of the server installer) if the original YSoft SafeQ 5 installation does not have an
ORS group set up.
b. The installer will start the newly registered services and the YSoft SafeQ 6 will be
up and running.
i. Activate YSoft SafeQ 6 Management Service with a valid and recent license.
ii. Stop all YSoft SafeQ 6 services (except Bundled PostgreSQL if there is no
dedicated database).
iii. In the case of an embedded database, restore the YSoft SafeQ 5 database
backup onto the same database machine where YSoft SafeQ 6 is installed
iv. Configure the Upgrade Tool manually according to The YSoft SafeQ 5 to YSoft
SafeQ 6 Upgrade Tool.
Checks Before Upgrading
1. Verify access to both YSoft SafeQ 5 and YSoft SafeQ 6 databases.
In the case of an MSSQL dedicated database, verify both databases exist on the same
database machine, and both databases have the same collation.
2. Check YSoft SafeQ 5 services are stopped.
3. Check YSoft SafeQ 6 services are stopped (except YSoft Bundled PostgreSQL if there is
no dedicated database).
4. Check the YSoft SafeQ 5 RBE rules file (typically located at "c:\SafeQ 5\conf\rools.drl") is
available. If not, copy the file from the existing YSoft SafeQ 5 installation to an available
location.
5. Check the Upgrade Tool is properly configured (i.e., all paths included exist, database
connections work, etc.) - see The YSoft SafeQ 5 to YSoft SafeQ 6 Upgrade Tool for how to
configure the tool.
Running the Upgrade
1. Run the Upgrade Tool manually according to The YSoft SafeQ 5 to YSoft SafeQ 6 Upgrade
Tool.
2.

2. See the Upgrade Tool logs and report to see if all steps were successful.
a. If the Upgrade Tool succeeds, all YSoft SafeQ 6 services can be run again, or the
server should be restarted.
b. If there is a warning as the Upgrade Tool result, it is strongly recommended to review

the changes to adjust them to match your business requirements.
c. If there is an error or an exception as the Upgrade Tool result, the errors must be
investigated according to the previously mentioned Upgrade Tool documentation.
3. Ensure that all common-success-steps are done.
4. After the upgrade, the previous version of the YSoft SafeQ 5 is still in the system. It is
possible to uninstall it manually (later) running the appropriate YSoft SafeQ 5 installer.
Common Steps after a Successful Upgrade
upgrade.
See A Detailed Description of the Upgrade Steps for more information about particular
upgrade steps.
5.4.12.9 Upgrade of YSoft SafeQ 5 single server installation without ORS servers
Summary
This document describes how to upgrade single-server environment of YSoft SafeQ 5 without
cluster and ORS servers through Server Installer (for manual upgrade see this article).
See general summary of upgrade to see more information.
If there are ORS servers or the YSoft SafeQ 5 installation running in the cluster, see Upgrading a
YSoft SafeQ 5 Cluster Server Installation with a Non-trivial Environment Setup.
Prerequisites
See General prerequisites.

Upgrade of the first server in cluster
1. Check that all prerequisites are fulfilled.
2. Install the YSoft SafeQ 6 last build with server installer on the same server where older
YSoft SafeQ 5 CML is installed.
a. The installer will stop and set for manual start these old services.
b. YSoft SafeQ Terminal Server service is renamed to YSoft SafeQ Terminal Server 5.
c. The installer will install new YSoft SafeQ 6 Management Service and Spooler
Controller into the new directory. Local Spooler Controller must be installed (it is part
of server installer) if the original YSoft SafeQ 5 installation does not have any ORS
group set up.
d. The installer runs automatically the Upgrade Tool
i. If there is an error in the upgrade, the installer displays the error message with
detailed information about the error.
ii. If there is a warning in the upgrade, the installer displays the warning message
with information that it is strongly recommended to review the changes to
adjust them to match business requirements.
e. The installer will start newly registered services and YSoft SafeQ 6 is up and
running.
3. See upgrade tool logs and report if all steps were a success.
a. If the Upgrade Tool succeeds, ensure that all Common after successful upgrade steps
are done.
b. Otherwise, the errors must be investigated according to The YSoft SafeQ 5 to YSoft
SafeQ 6 Upgrade Tool documentation.
4. After the upgrade there is still previous version of the YSoft SafeQ 5 in the system. It's
possible to uninstall it manually (later) running appropriate YSoft SafeQ 5 installer.

Common steps after successful upgrade
upgrade.
upgrade steps.
5.4.12.10 Upgrading a YSoft SafeQ 5 Cluster Server Installation with a Non-trivial Environment
Setup
Summary
The architecture of YSoft SafeQ 5 and YSoft SafeQ 6 is completely different and may require
changing the architecture of the current solution, so please consider whether is not necessary to
customer support, e.g., if there are more application servers in a cluster or a database cluster
with fail over.
This document describes how to upgrade a non-trivial environment with YSoft SafeQ 5 with more
servers in a cluster, ORS servers, etc., through YSoft SafeQ server installer (for manual upgrading,
see this article).
See general summary of the upgrade to get more information.
Prerequisites
See General prerequisites.
If the SQL Server Express edition is used on a cluster node and a highly-available MSSQL server
will be used, then the database from one cluster node must be restored on the highly-available
server.

Upgrading the First Server in a Cluster
1. Check that all prerequisites are fulfilled.
2. Install the YSoft SafeQ 6 last build with the server installer on the same server where
older the YSoft SafeQ 5 CML is installed.
a. The installer detects the old installed version and asks if it should be upgraded.
b. The installer will stop and set these old services for manual starting.
c. YSoft SafeQ 5 Terminal Server service is renamed to YSoft SafeQ Terminal Server 5.
d. The installer will install the new YSoft SafeQ 6 Management Service and Spooler
Controller into the new directory. Local Spooler Controller must be installed (it is part
of the server installer) if the original YSoft SafeQ 5 installation does not have any
ORS group set up.
e. The installer runs the Upgrade Tool automatically.
i. If there is an error in the upgrade, the installer displays an error message with
detailed information about the error.
ii. If there is a warning in the upgrade, the installer displays a warning message
with information that it is strongly recommended to review the changes to
adjust them to match business requirements.
f. The installer starts the newly registered services, and YSoft SafeQ 6 is up and
running.
3. See Upgrade Tool logs and report if all steps were successful.
a. If the Upgrade Tool succeeds, ensure that all Common after successful upgrade
steps are performed.
b. Otherwise, the errors must be investigated according to The YSoft SafeQ 5 to YSoft
SafeQ 6 Upgrade Tool documentation.
4. After the upgrade, the previous version of the YSoft SafeQ 5 is still in the system. It is
possible to uninstall it manually (later) by running the YSoft SafeQ 5 uninstaller.
Upgrading the Second or Next Server in the Cluster
1. Install Site Server with the YSoft SafeQ 6 server installer
a. The installer detects the old node of the YSoft SafeQ 5 installation and offers the
installation of the new cluster node of YSoft SafeQ 6.
b. If the new node is not installed, there is no need to perform any manual steps, or it is
possible to install the new cluster node later (if the node is not crucial).
2.

2. After the upgrade, the previous version of YSoft SafeQ 5 is still in the system. It is
possible to uninstall it manually (later) by running the appropriate YSoft SafeQ 5
uninstaller.
3. Ensure that all Common after successful upgrade steps are performed (mainly, the re-
installation of device terminals).
Upgrading the ORS Servers
1. Install Site Server with the YSoft SafeQ 6 server installer.
a. The installer detects the old installed version of the ORS server and offers to
upgrade the Site Server.
b. If the upgrade is selected, the Site Server with the same GUID is installed, and there
is no need to perform any manual upgrade steps.
c. If the ORS server is not upgraded, it is necessary to resolve the devices connected
with this Site Server:
i. Log into Management Service > Devices > Filter devices according to the
Spooler Controller group with the same GUID as the not-upgraded ORS > Check
all these devices > Click Actions > Edit.
ii. Change the Spooler Controller group (to a migrated one), and save the form.
iii. It is possible to remove the unused Spooler Controller group in the Spooler
Controller groups submenu.
2. Ensure that all Common after successful upgrade steps are performed (mainly the
reinstallation of device terminals).
Common Steps after a Successful Upgrade
upgrade.
upgrade steps.

5.4.13 USING CARD NUMBER CONVERSION
Card number conversion can be used for the translating of card reader output (the data the
reader gets after a user swipes a card) to a card number stored in the user database (LDAP, AD,
YSoft SafeQ, etc.) if these two numbers are different.
Use the Card manager editor only if you are unable to log in with a card and the Terminal access
page or log files list different card numbers than your card has.
The more card number pairs you enter, the more exact results you get. You should enter at least
three different pairs to get a valid result.
5.4.13.1 The Conversion Function
YSoft SafeQ 6 supports conversions of card numbers as read by the card reader at Terminal
or by the LDAP replicator. If the conversion function is defined, card numbers are
automatically transformed prior to matching with (or storing to) YSoft SafeQ Identity
Database.
A typical conversion configuration looks as follows and is represented by the conversion

attribute in the YSoft SafeQ configuration:
ASCII2Hex;Hex2Dec;Substring(-8)
Each rule is represented by its name (see the description of rules) and separated by a
semicolon. Some rules have one or two parameters which are in parentheses and separated
by a comma.
Substring(2);Hex2Dec;LeftPadding(0,3) + Substring(2,6);Hex2Dec
Some conversions may contain two (or more) independent conversion rules that are
connected by the operator '+'.
The conversion is executed from the left, rule by rule. Each conversion rule takes the last
converted number and executes. Where the operator '+' appears, it takes the output from a
preceding rule, executes the rules in parallel, and returns the results of both rules. The result
in the case of operator '+' may look as follows: Conversion rule: LeftPadding(0,3) +
Substring(2,6) INPUT: 1a2b3c4d OUTPUT: (1a2b3c4d) + (2b3c) = 1a2b3c4d2b3c
5.4.13.2 A Description of Rules
The following rules are sorted alphabetically.

Please note that rule names are CASE SENSITIVE.
ASCII2Hex This rule converts a string in ASCII format (typically from a KM reader) into hex form. The
other input is not changed. ASCII format is "^([34][0-9])+([fF]{2})*$"
Syntax:
ASCII2Hex – convert only a string with a length of 32 signs
ASCII2Hex(length) – convert a string until a specific length
Example:
ASCII2Hex(16)
33303730314446383030FFFFFFFFFFFF => 30701DF800
30701DF800 => 30701DF800
Bin2Dec Converts a number from binary format into decimal format.

Syntax:
Bin2Dec
Example:
Bin2Dec
101011 => 43
Const Returns a specified string. Could be used with the operator '+'. Similar functionality
provides LeftAppend and RightAppend.
Syntax:
Const(12345)
Example:
LeftPadding(0,6) + Const(@domain.com)
12345 => 012345@domain.com
123 => 000123@domain.com
Dec2Bin Converts a number from decimal format into binary format.

Syntax:
Dec2Bin
Example:
Dec2Bin
43 => 101011
Dec2Hex Converts a number in decimal format into hexadecimal format

Syntax:
Dec2Hex
Example:
Dex2Hex
12345 => 3039
123 => 7B
DecimalAdd Adds a value in decimal format to a current value in decimal format

Syntax:
DecimalAdd(value)
Example:
DecimalAdd(1)
12345 => 12346

123 => 124
DecimalAnd Makes binary AND. Mask is in decimal format.

Syntax:
DecimalAnd(mask)
Example:
DecimalAnd(15)
7 => 7
467825 => 1
DecValue2Hex Inversion function to Hex2DecValue. Converts each pair of decimal number to a

hexadecimal digit. (08 -> 8, 11 -> B). The input must have an even length.
Example:
09101112 => 9ABC
ODD => ODD
Hex2ASCII This is the inverse function to ASCII2Hex. Converts a hexadecimal string into an ASCII
representation. The input string could have a maximum length of 16 signs. Otherwise,
the original input is returned.
Syntax:
Hex2ASCII
Example:
Hex2ASCII
12AB => 31324142
JEDNA => JEDNA
DESDecrypt Decodes a value encrypted by DES in Base64 format.

Example:
AzRapSymPps= => 1234
DESEncrypt Encodes a value into DES and Base64 format.

Example:
123 => AzRapSymPps=
Hex2ASCII Converts a hex number to its ASCII representation. It is the inversion function to
ASCII2Hex;
Example:
30701DF800 => 33303730314446383030
Hex2Dec Converts a number from hexadecimal format into decimal format.

Syntax:
Hex2Dec
Example:
Hex2Dec
12AB => 4779
Hex2DecValue Converts each hexadecimal digit into a decimal representation (8 – 08, A – 10, B – 11,
etc.).
Syntax:

Hex2DecValue
Example:
Hex2DecValue
12AB => 01021011
Hex2Oct Converts a number from hexadecimal format into octal format.

Syntax:
Hex2Oct
Example:
Hex2Oct
12AB => 11253
HexAnd Makes binary AND. Mask is in hexadecimal format. DecimalAnd contains similar
functionality.
Syntax:
HexAnd(mask)
Example:
HexAnd(FF)
7 => 7
7237B => 7B
IsEmbed Allow next processing only if a card number is from an embedded reader.
Syntax:
IsEmbed
Example:
IsEmbed;RightStrip(F)
12345FFFFFFFFF (from embedded terminal) => 12345
123F (from profi terminal) => 123F
IsEven Allow next processing only if a card number length is even.

Syntax:
IsEven
Example:
IsEven;LeftAppend(0)
12AB => 012AB
12A => 12A
IsLength Allows next processing only if the card number length is equal to a specified value.
Syntax:
IsLength(value)
Example:
IsLength(10);SwapPair
1234567890 => 2143658709
IsLengthGreat Allow next processing only if the card number length is greater than a specified value.
er Syntax:
IsLengthGreater(value)
Example:
IsLengthGreater(5);Substring(5)

12AB => 12AB
12345678 => 12345
IsLengthNot Allow next processing only if the card number length is different to a value.
Syntax:
IsLengthNot(value)
Example:
IsLengthNot(9);LeftAppend(0)
12456789 => 123456789
12345 => 012345
IsNotStartWit Allow next processing only if the card number does not start with a specified string.
h Syntax:
IsNotStartWith(string)
Example:
IsNotStartWith(~);LeftPadding(0,8)
~1234 => ~1234
1234 => 00001234
IsStartWith Allow next processing only if the card number starts with a specified string.
Syntax:
IsStartWith(PIN)
Example:
IsStartWith(PIN);Substring(3,0)
PIN1234 => 1234
12345 => 12345
LeftAppend Appends a specified string from the left side. RightAppend has similar functionality.
Syntax:
LeftAppend(prefix)
Example:
LeftAppend(YSOFT-)
12AB => YSOFT-12AB
LeftCut Cuts a specified prefix from left. If the prefix does not match, then do nothing.
Syntax:
LeftCut(prefix)
Example:
LeftCut(~1)
~12AB => 2AB
12A => 12A
LeftHexShift Unary bit operation LEFT SHIFT for a specified count of bits. Input and output are in
hexadecimal format. This operation is equivalent to multiplying by 2count
Syntax:
LeftHexShift(count)
Example:
LeftHexShift(1)
12AB => 2556

254 => 4A8
LeftPadding Pads with a specified sign from left to a specified length.

Syntax:
LeftPadding(sign,length)
Example:
LeftPadding(0,10)
1234ABCD => 001234ABCD
LeftShift Unary bit operation LEFT SHIFT for a specified count of bits. Input and output are in
decimal format. LeftHexShift has similar behavior. This operation is equivalent to
multiplying by 2count
Syntax:
LeftShift(count)
Example:
LeftShift(1)
128 => 256
LeftStrip Strips a specified sign from left.

Syntax:
LeftStrip(sign)
Example:
LeftStrip(0)
000012AB => 12AB
00000254 => 254
LowerCase Convert san alphabetical sign to its lowercase representation.

Syntax:
LowerCase
Example:
LowerCase
CARD123 => card123
LRC Computes a Longitudinal Redundancy Check http://en.wikipedia.org/wiki

/Longitudinal_redundancy_check and adds it to the end.
Example:
01044F24CC => 01044F24CCA2
MD5 Computes an MD5 hash of input.

Example:
1234 => 81dc9bdb52d04dc20036dbd8313ed055
Replace Replaces all occurrences of one sequence with another one.

Syntax:
Replace(source) – only removes a specified source (replace with an empty string)
Replace(source,dest) – replaces a specified source with dest
Example:
Replace(~,0)
~1234~ => 012340
12~34 => 12034

Reverse2 Byte reverse – it is useful only for a hexadecimal input because 2 signs represent one
byte. Therefore, this operation makes a reverse string by pair. Even the length is
necessary.
Syntax:
Reverse2
Example:
Reverse2
12345678 => 78563412
Reverse Reverse of string.

Syntax:
Reverse
Example:
Reverse
12345678 => 87654321
RightAppend This function is similar to LeftAppend. Append a specified string from the right side.
Syntax:
RightAppend(suffix)
Example:
RightAppend(-YSOFT)
12AB => 12AB-YSOFT
RightHexShift Unary bit operation RIGHT SHIFT for a specified count of bits. Input and output are in
hexadecimal format. This operation is equivalent to dividing by 2count
Syntax:
RightHexShift(count)
Example:
RightHexShift(1)
12AB => 955
254 => 12A
RightPadding Pads with a specified sign from right to a specified length.

Syntax:
RightPadding(sign,length)
Example:
RightPadding(F,10)
1234ABCD => 1234ABCDFF
RightShift Unary bit operation RIGHT SHIFT for a specified count of bits. Input and output are in
decimal format. RightHexShift has similar behavior. This operation is equivalent to
dividing by 2count
Syntax:
RightShift(count)
Example:
RightShift(1)
256 => 128
RightStrip

Strips a specified sign from the right.
Syntax:
RightStrip(sign)
Example:
RightStrip(F)
30344142FFFFFFFFFFFFFFFFF => 30344142
SignReverse This conversion takes every string in hexadecimal format and makes its binary reverse.
For example, (5 is represented in binary as 0101, reverse transfer it into 1010 that is A)
Syntax:
SignReverse
Example:
SignReverse
0123456789ABCDEF => 084C2A6E195D3B7F
Substring Selects a substring of the input. If any argument is negative, then it is used from the
right side (from the end).
Syntax:
Substring( n)
Substring(start,end)
Example:
Substring(5)
1234567890 => 12345
Substring(-5)
1234567890 => 67890
Substring(3,0)
1234567890 => 4567890
123ABCDE => ABCDE
Substring(2,-2)
1234567890 => 345678
123ABCDE => 3ABC
Substring(-7,-2)
1234567890 => 45678
123ABCDE => 23ABC
Swap1278563 Swap 4th byte with 2nd. It is only useful for hexadecimal format.
4 Syntax:
Swap12785634
Example:
Swap12785634
12345678 => 12785634
SwapPair Swaps even and odd signs.

Syntax:
SwapPair
Example:
SwapPair
123456 => 214365

UpperCase Converts an alphabetical sign into its uppercase representation.
Syntax:
UpperCase
Example:
UpperCase
card123 => CARD123
5.4.13.3 An Example of Usage
Importing PIN codes from a directory service – to be able to import PIN codes from a directory
service such as Active Directory, it is possible to use a conversion while importing a plain text
number (e.g., 1234). However, YSoft SafeQ 6, by default, expects to verify the PIN in a hash
format. Therefore, the solution would be to configure "PIN code conversion" and use the following
conversion: MD5;LeftAppend(PIN)
5.4.14 YSOFT SAFEQ MOBILE INTEGRATION GATEWAY - PRINT ACROSS

MULTIPLE SUBNETS
5.4.14.1 Document description
This document describes the configuration of DNS Service discovery (DNS-SD) on Microsoft DNS
servers to advertise the YSoft SafeQ Mobile Integration Gateway service across multiple subnets.
This configuration enables clients connected to different subnet from the one where the Mobile
Integration Gateway is installed to discover the printing service.
Without configuring DNS-SD the printing service provided by the Mobile Integration Gateway is
advertised by the mDNS (multicast traffic) which is not allowed to be transferred through the
routers. (Please note that this is not entirely true, because some routers implement special proxy
for specific multicast services including AirPrint.)
DNS-SD configuration uses standard (unicast) DNS protocol messages to advertise the services
therefore there is no limitation connected to the multicast traffic (see the DNS-SD RFC here).
Please note that following configuration examples are performed on Windows Server 2012 R2
DNS server role and may differ on other Windows Server OS versions. Configuration for other
DNS servers (e.g. BIND) is not covered by this document.
Following guide is applicable only for iOS/OS X. Discovery across multiple subnets is not
possible on Android devices due to 3rd party limitations on Android side.

5.4.14.2 Configuration
General description of the solution
1. Authoritative DNS server in the domain is configured to answer for DNS-SD queries from
the clients.
2. In the DNS answer there is a specification of the YSoft SafeQ Mobile Integration Gateway
service which from client's point of view is the IPP(S) printer.
3. AirPrint clients such as iOS devices are able to query DNS server for the network services.
Based on the answer the client connect to the Mobile Integration Gateway and user is able
to send the print job to YSoft SafeQ system.
a. DNS search domain which is queried by the client for available services is contained
in the DHCP response packet "domain" field (can be configured in Option 15 DNS
Domain Name on the DHCP server).
The testing domain used in this document is called mydomain.test the FQDN of Mobile
Integration Gateway server is autofsp .mydomain.test and the advertised IPPS printer is called
ysqmig .
Making DNS Search domain DNS-SD ready
This setting will make the DNS search domain ready accept DNS service records and enable
clients to search the domain.
1. On the Windows server open Server Manager > Tools > DNS.
2. In the right pane expand the domain you want to use for advertising of the AirPrint service
(s) (in our case it is mydomain.test domain).
3. Right click the _udp folder and in the context menu select Other new records...
4. In the window select Service Location (SRV) record type and click Create record... Fill
following values in the New Resource Record window:
a. Protocol: _dns-sd
b. Service: Fill in any string. The service will anyway be deleted in the next step. We
just need to create a folder for the service definition.
5. Highlight the _dns-sd folder in the left pane, right click created service in the right pane and
select Delete from the context menu. Confirm the delete.
6. Right click the _dns-sd folder in the left pane and form the context menu select Other New
Records...
7.
7. In the window select Pointer (PTR ) record type and click Create record... Fill following values
in the New Resource Record window:
a. Host IP Address: b
b. Host name: mydomain.test . Adjust this based on the name of your domain.
8. Click OK to crate a PTR record.
9. Repeat the steps 6 to 8 with Host IP Addresses: db, dr, lb, r.
a. These records tell Wide Area Bonjour clients how to browse your zone for services
(‘b’ for browse, ‘lb’ for legacy browse, and ‘db’ for default browse) and register their
own services (‘r’ for register and ‘dr’ for default register).
10. On the screenshot below you see how the result should look like in the DNS Manager
console window:
a.
Add service(s) to be discovered
In this section, add DNS records that describe the service offered to the AirPrint clients. The
result in the DNS manager after the procedure described below is finished should look like this:

Create a service folder
3. Right click the _tcp folder and in the context menu select Other new records...
a. Protocol: _ipps
5. Highlight the _ipps folder in the left pane, right click created service in the right pane and
Create a service definition
In this section we will be defining the service which will be advertised by the DNS server. Each
service requires set of three records PTR,SRV and TXT. The section describes creation of one
service which will be advertising one instance of YSoft SafeQ Mobile Integration Gateway. You
can replicate the procedure multiple times if you need to advertise more instances of the Mobile
Integration Gateway (for multiple sites).
PTR record
1. Right click the _ipps folder in the left pane and form the context menu select Other New
Records...
a. Host IP Address: leave this field blank
b. Host name: ysqmig._ipps._tcp.mydomain.test. (Adjust this based on the name of your

domain and desired IPPS printer name.
SRV record
Records...
a. Service: ysqmig (Adjust this according to desired IPPS printer name).
b. Protocol: _ipps
c.

c. Port number: 8050. Port on which the YSoft SafeQ Mobile Integration Gateway is
listening.
d. Host offering this service: autofsp.mydomain.test . Adjust this setting based on the
FQDN of the host on which the Mobile Integration Gateway is running.
3. Click OK to crate a SRV record.
TXT record
Records...
2. In the window select Text (TXT ) record type and click Create record... Fill following values in
the New Resource Record window:
a. Record name: ysqmig (Adjust this according to desired IPPS printer name).
b. Text: (refer to the next chapter for explanation of how to create TXT record content)
adminurl=127.0.0.1
air=username,password
kind=document,photo
note=YSoft SafeQ
pdl=application/pdf,image/jpeg,image/urf,image/pwg-raster
product=(YSoft SafeQ 6)
rp=ipp/print
Color=T
Duplex=T
Fax=F
Scan=F
Bind=F
Collate=F
Punch=0
Staple=F
PaperMax=legal-A4
TLS=1.2
ty=YSoft SafeQ 6
qtotal=1
txtvers=1
URF=V1.4,W8,SRGB24,RS600,IS1-2-3-4-5-6-7,PQ1-2-3-4-5,OB1-2-3-4-5-6-7-8-9,CP1,DM1
UUID=db0def0a-40e1-11e5-a151-feff819cdc9f
print_wfds=T
How to create TXT record
The TXT record contains information about advertised printer which the clients can understand.
You can see that apart from other fields the TXT record contains definition of supported finishing
options of the printer (Bind, Punch, Staple, ...). Explanation of meaning of the fields is out of scope
of this document. Important thing to understand about TXT record advertised by the DNS-SD is
that the client will offer options for the user based on information in the TXT record. Since we are
advertising YSoft SafeQ Mobile Integration Gateway the available options must cope with
capabilities with the IPPS printer which Mobile Integration Gateway represents in this scenario.

Configuration of the Mobile Integration Gateway already contains field which are in the TXT
record. The <SAFEQ_HOME>\MIG\bin\services\MdnsService.xml file contains xml format
representation of the same field which needs to be configured in the TXT record. To create TXT
record for your printer use the text defined in the previous chapter change and replace the URF
and UUID values by values in the MdnsService.xml.
Add printers to be discovered by the iOS/MAC OS X devices
In the previous chapter we have defined the service which will be advertised by the DNS-SD. The
service already describes the IPPS printer, however to make it all work we need to add few more
records.
3. Right click the _ipps folder and in the context menu select Other new records...
a. Protocol: _sub
5. Highlight the _sub folder in the left pane, right click created service in the right pane and
6. Right click the _sub folder in the left pane and form the context menu select Other New
Records...
7. In the window select Service Location ( SRV) record type and click Create record... Fill
a. Protocol: _universal
8. Highlight the _universal folder in the left pane, right click created service in the right pane
and select Delete from the context menu. Confirm the delete.
9. Right click the _universal folder in the left pane and form the context menu select Other
New Records...
a. Host IP Address:leave the field blank.
b. Host name: ysqmig._ipps._tcp.mydomain.test. Adjust this based on the name of your

domain and printer.

12. On the screenshot below you see how the result should look like in the DNS Manager
console window:
a.
Configuring search domain for the iOS/MAC OS X devices
The above configuration allows DNS server to correctly answer DNS-SD queries for the AirPrint
ready services. Now we need to tell the clients which domain they should search for such
services. This can either be done manually or via DHCP protocol. We will not cover the manual
options as they can differ based on the OS (iOS/MAC OS X) or version of the systems.
Configuring DHCP server to distribute search domain to the clients
This chapter will describe configuration of Windows DHCP server. The search domain is defined
by the DHCP option 15.
1. On the Windows server open Server Manager > Tools > DHCP.
2. In the right pane expand the scope for which you want to configure the search domain
distribution.
3. Right-click the Scope Options and in the context menu click on Configure Options...
4. In the list of options select 015 DNS Domain Name and write domain name into the String
value field.

a.
5. Confirm the configuration by clicking OK button.
That is it. The iOS/MAC OS X clients which are obtaining IP addresses from this DHCP will know
that they should query defined domain for the AirPrint services.
How to flush DNS on iOS device
To test the configuration it can be useful to flush cashed DNS entries from the device. To flush
DNS on the iOS device it is enough to intentionally enter wrong DNS server entry, confirm it by
going back to the network listing and configure correct DNS again.
5.4.15 HOW TO CONNECT TO DATA MART
The structure of the YSoft SafeQ Data Mart Mode feature makes importing data from Data Mart
mostly automatic.
5.4.15.1 Enable Enterprise Reporting
This is a few step recapitulation of more detail explanation from Data Mart Mode article.
Requirements
Reporting License - Data Mart Mode functionality requires the YSoft SafeQ Reporting module
license included in the environment.
How to enable
1. In YSoft SafeQ management interface, log as a user with admin access.
2. Navigate to System Settings tab.
3. Set configuration property enableCMLDataMart to Enabled .

Note: This setting is turned off by default with all YSoft SafeQ installations.

Other considerations, best practices
When Data Mart is enabled, it is recommended to disable the Web Reports functionality for
performance reasons. Set web-stats-enable to Disabled.
When Data Mart is enabled, it is recommended to disable the Management Reports

functionality for performance reasons. Set enableManagementReport to Disabled .
Use the following properties to fine-tune statistics data retention:
maxStatsMonthsBase - Maximum number of months, for which web reports and counter
reports data are stored. Default value is 36.
maximumCMLDataMartMonths - Maximum number of months, for with the data mart

measurements are kept. Default value is 36.
maxStatsDaysFull - Maximum number of days, for which unaggregated web reports are
kept. Default value is 31. It is NOT recommended to adjust the number without consulting Y
Soft.
remove-jobs-from-db - Maximum number of days, after which the print jobs metadata will
be removed (along with jobs log and jobs accounting metadata). Default value is 31. It is
NOT recommended to adjust the number without consulting Y Soft.
printJobAgeForStats - M inimum age of print jobs to include in web reports and data mart
statistics for Management Service cluster environment, in minutes. Allowed range is
between 20 and 120. It is NOT recommended to adjust the number without consulting Y
Soft.
enable-purge_reports - Either enables or disables Green Reports found on the

Administrator or End-User Dashboards. This value should be enabled in order to capture,
and report on, savings.
5.4.15.2 Connect Business Intelligence tool to Data Mart
Use Business Intelligence tool for connection with data mart and create your own customised
reports.
List of manuals for tested BI tools:
Power BI
Microsoft SQL Server Analysis Services
5.4.15.3 Microsoft SQL Server Analysis Services
Microsoft SQL Server Analysis Services (SSAS) can be used for work with OLAP cube which is
one of the possibilities how to create UI to the Data Mart.
Microsoft SQL Server must be installed and running with the following minimum components:
Database Engine

SQL Server Agent
Analysis Services
Integration Services
Workstation components (including SQL Server Management Studio)
For granting permissions to Analysis services see https://docs.microsoft.com/en-us/sql/analysis-

services/instances/configure-service-accounts-analysis-services.
Creation of the SSAS database
1. Make sure to enable all necessary Windows services on the server where Analysis services
run.
2. Run Microsoft SQL Server Management Studio and connect to the Analysis services.
3. Click New query in the menu on the top of the window .
4. Locate XMLA file inside installation package under path Complementary

Solutions\Data Mart Mode
5. Paste content of the XMLA file into the query window and click Execute button in the menu
o n t h e t o p .
6. In the messages at the bottom of the window you should see Execution complete
message.
7. If you right click the databases in the left pane and click Refresh in the context menu you
should see new SSAS database you created (e.g. SafeQOLAP).

Configuration of the data source
1. Expand the database of Analysis Services you created (e.g. SafeQOLAP) by double-click,
then expand Data sources by double-click
2. Right-click SQDB6 data source and select Properties in the context menu, then click the line
with Connection String.
3. Click the little "..." icon on the right side of the Connection string line to t o re-define data
source
In the Connection Manager window define the connection to YSoft SafeQ database
(such as server name, authentication type, database name) and test if it works, then
confirm by OK

4. If you used Windows Authentication in the previous step, click "..." next to Impersonation Info
and define Windows account that has administrative rights for Analysis Services and also
db_datareader or db_owner rights for SQDB6 database. If you used SQL Server
Authentication, skip this step.
Scheduling of the DataMart_OLAP SSAS database processing
1. In the Microsoft SQL Server Management Studio connect to the Database engine.
2.
2. Expand SQL Server Agent, right click Jobs folder and from the context menu select New job
. Fill in the Name field of the new job.
3. In the left pane select Steps and click New.. button.
a. Fill in Step name field.
b. In the Type filed select SQL Server Analysis Services Command.
c. In the server field fill localhost.
d. Paste content of the Process_DataMart_OLAP.xmla file into the Command field and
click OK to close the window.

4. Select Schedules in the left pane of the New job window and click New...
Configure the job scheduler to your liking.

5.
Note
Please note that every time this job will be performed the data from YSoft SafeQ
production database will be read and transferred over the network to the reporting
server.

6. Verify that Scheduled task finishes successfully (right-click the task → Start Job at Step...
→ wait for result). If an error is shown, add the account used to run "SQL Server Agent"
service to your OLAP database:
a. OLAP database → Roles → New Role
b. tab General → Fill in any "Role name" and tick "Process database"
c. tab Membership → add the account of "SQL Server Agent" service
d. click OK
How to configure external access to the OLAP cubes
For more information see How to Configure External Access to the OLAP Cubes.
How to Configure External Access to the OLAP Cubes
To make it possible for the users to read reporting data from the OLAP cube it is necessary to set
permissions for them. Setting user permissions for the OLAP cubes is responsibility of the
CUSTOMER. See the linked document for the best practices when setting permissions for the
cubes.
Microsoft Office Excel 365
1. Open Microsoft Office Excel 365 (referred to as Excel).
2.
2. In the Data tab, select From Database > From Analysis Services .
3. In the Data Connection Wizard, enter the database Server name and select Use Windows
A u t h e n t i c a t i o n
or enter a specific User Name and Password
4. Click Next button.
5. Choose an OLAP cube that you want to display and click Next.

5.
6. Click Finish button.
7.
7. Select a display type: pivot table, chart, or both; then click OK
8. After successful connection, you will see a window exactly as shown in picture below.
9.
9. Select dimensions or measures as described above.
Working with a YSoft SafeQ pivot table is the same as with any other pivot table.
5.4.15.4 Power BI
Integrate YSoft SafeQ with Power BI
Prerequisites
Downloaded and installed Power BI Desktop: https://www.microsoft.com/en-us/download

/details.aspx?id=45331
Enterprise Reporting is enabled and configured, see more Data Mart Mode Configuration for
more detail.
Option 1: Import Y Soft Template
To enjoy the full potential of Power BI, one will need to develop a Power BI template for the
organizations specific enterprise reporting requirements. However, to get a head-start on such an
effort, Y Soft has developed a set of Power BI templates. You can find full description of template
import in Power BI Desktop - Import Template article.

Option 2: Create Your Own Report
1. Import data from a SQL Server database.
PostgreSQL server database engine:
1. a. i. Install ODBC driver, see PostgreSQL ODBC driver for Power BI.
ii. Select More option as shown below.
iii. Select PostgreSQL database option.

iv. Specify the IP address of the database server and name of the database
associated with YSoft SafeQ:
At this point you may need to add Npgsql dependency for Power BI.
1. MS SQL server database engine:
1. a. i. Install ODBC driver, see MS SQL ODBC driver for Power BI.
ii. Select SQL Server" option as shown below.

1. a.
ii.
iii. Specify the IP address of the database server and name of the database
associated with YSoft SafeQ:
2. Filter data mart tables in Navigator and select all tables with prefix "dwhtenant_1.dm_v2".
Click on Load button.
3. Wait for the data to load, this step takes a few minutes, depending on the database size.

4. Result - The relationship diagram between the tables is available on vertical tab
Relationships.

Add a Sample Graph
Generate Chart - Select the Power BI report view from the left pane and select various data
to create and render different charts. For example, what is depicted is a simple selection of
the ACCID dimension rendered into a Bar Chart.

References:
Microsoft documentation for Power BI designers: https://docs.microsoft.com/en-us/power-bi

/power-bi-creator-landing
Microsoft documentation for Power BI admins: https://docs.microsoft.com/en-us/power-bi

/service-admin-administering-power-bi-in-your-organization
Accessing the Reports
Quick start guide: https://docs.microsoft.com/en-us/power-bi/consumer/end-user-experience
Accessing reports as consumers: https://docs.microsoft.com/en-us/power-bi/consumer/power-

bi-consumer-landing
Export to PDF: https://docs.microsoft.com/en-us/power-bi/desktop-export-to-pdf
MS SQL ODBC driver for Power BI
1. Download and install Microsoft® ODBC Driver 17 for SQL Server® - https://www.microsoft.
com/en-us/download/details.aspx?id=56567
2. Open ODBC Data Source administration for 64bit platform, switch to "System DSN" tab.

3. Add a new source, select the installed ODBC Driver 17 for SQL Server.
4. Enter database server:

5. Specify database authentication method:

6. S p e c i f y database access:
Default database name is SQDB6 or SQDB6_DWH. The namedependson selected database
deployment scenario.

7. N o c h a n g e :
You may need to adjust configuration for data encryption.

8. Finish and test connection:
9. Repeat steps 3 to 8 for 32 bit ODBC Data Source as well, use exactly the same name.

Reference:
https://github.com/mkleehammer/pyodbc/wiki/Connecting-to-SQL-Server-from-Windows
PostgreSQL ODBC driver for Power BI
1. Download PostgreSQL ODBC drivers for both 32 AND 64 bit form https://www.postgresql.
org/ftp/odbc/versions/msi/
2. Install psqlodbc_10_01_0000-x64.zip AND psqlodbc_10_01_0000-x86.zip
3. Open ODBC Data Source administration for 64bit platform, switch to "System DSN" tab
4.
4. Add a new source, select PostgreSQL Unicode (x64) .
5. E n t e r database server:
If you want to test connection you have to set all fields.

Database, server and username with password could be defined later in Power BI.
Default database name is SQDB6 or SQDB6_DWH. The namedependson selected database
6. Optional: Test connection.
7. Save
8.

8. Repeat steps 3 to 8 for 32 bit ODBC Data Source as well
a. use exactly the same name,
b. choose PostgreSQL Unicode driver.
9. Once completed, the "System DSN" tab looks as follows:
Alternative Configuration Method:
1. Download PostgreSQL ODBC drivers for both 32 AND 64 bit form https://www.postgresql.
org/ftp/odbc/versions/msi/
2. Install psqlodbc_10_01_0000-x64.zip AND psqlodbc_10_01_0000-x86.zip
3. Adjust variables $dbServer and $db to point to database server and refer database
name.
4. Run the PowerShell script:
$dbServer= "ysoft.safeq.db.server.local"
$db= "SQDB6"
Add-OdbcDsn-Name"YSoft SafeQ"-DriverName"PostgreSQL Unicode"-DsnType"System"-Platform"32-

bit"-SetPropertyValue@("Server=$dbServer", "Trusted_Connection=Yes", "Database=$db")
Add-OdbcDsn-Name"YSoft SafeQ"-DriverName"PostgreSQL Unicode(x64)"-DsnType"System"-Platform
"64-bit"-SetPropertyValue@("Server=$dbServer", "Trusted_Connection=Yes", "Database=$db")

Power BI Desktop - Import Template
1. Templates are part of full installation package You can locate them under path
<installation package>\Complementary Solutions .
The main template will render YSoft SafeQ data similarly to what is depicted below.
2. Import the template into Power BI Desktop.

3. This step requires to have ODBC connection created and working. See PostgreSQL
ODBC driver for Power BI and MS SQL ODBC driver for Power BI articles.
Enter connection information into the template
4. When prompted, enter database access account

5. Back on the main PowerBI Desktop screen, wait for the report to load data.
Where to go next: Publish Power BI Report with Power Bi Gateway

Publish Power BI Report with Power Bi Gateway
Publish/Share Power BI Report
Once the report is created (manually or using provided Y Soft template),administrators can share
the report and give users access to view it.
Both viewing and publishing the reports requires "Power BI Pro" account.
Reference:
https://docs.microsoft.com/en-us/power-bi/guided-learning/publishingandsharing?tutorial-step=2
https://docs.microsoft.com/en-us/power-bi/service-features-license-type
Power Bi Gateway
To keep the published report up to date, it needs to be refreshed periodically. There are two
options to achieve this:
1. Manually: refresh the data in Power BI Desktop and publish a new version.

2. Automatically: implement Power BI Gateway.
Implement Power BI Gateway
The Power BI Gateway requires exactly the same ODBC connection configuration as Power BI
Desktop is using. Follow respective guides to configure this on the server where deploying the
gateway:
PostgreSQL ODBC driver for Power BI
MS SQL ODBC driver for Power BI
To install the Power BI Gateway follow Microsoft documentation: https://docs.microsoft.com/en-

us/power-bi/service-gateway-install
Once installed, go to Power BI account and add a data source. Follow Microsoft
documentation: https://docs.microsoft.com/en-us/power-bi/service-gateway-manage
The ODBC data have to match in both Power BI data source and Power BI Desktop data
source:

Confirm correct configuration under your PowerBI account:
Navigate to Settings:

Navigate to "Datasets", expand "Gateway connection" section:
Select the Gateway and apply it to the report.
Confirm that status is green "Running on ..."
Again in menu "Datasets", expand "Scheduled refresh" section and enable it:

Reference:
https://docs.microsoft.com/en-us/power-bi/service-gateway-getting-started
5.4.16 YSOFT SAFEQ PERFORMANCE AND AVAILABILITY MONITORING

GUIDELINES
5.4.16.1 Executive Summary
The purpose of this document is to provide guidelines on monitoring the overall performance and
system health of YSoft SafeQ in the production environment.
This document is intended as a guide only; it is intended to supplement, not replace, the expertise
of the contracted infrastructure monitoring team.
5.4.16.2 Best Practices
From a high level perspective, monitoring the performance and health of the solution can be
answered in five questions:
Are the services running as needed?
What is the CPU utilization?
What is the memory utilization?
What is the hard disk utilization?

What is the network utilization?
Most common issues resulting in a degradation or outright denial of service will manifest by one
of these metrics falling outside of the normal boundaries. Such variances will indicate a need to
begin diagnosis for system performance issues.
Y Soft recommends looking at the general health of services using a multitude of tools. Aside
from monitoring the general health of the underlying infrastructure - which is beyond the scope of
this article - there are operating system and service-level metrics that can be leveraged. These
include standard tools, such as the use of Performance Monitor and Windows Service Monitoring,
but also the use of YSoft SafeQ-specific APIs and tools.
Windows Performance Counters
Microsoft Windows operating systems come with the standard monitoring tool perfmon.exe. This
solution is more robust than Task Manager or Resource Monitor, in that it provides a wider array
of metrics and logging support. The following metrics should be noted when analyzing YSoft
SafeQ servers for stability. Technicians familiar with perfmon can set up monitoring to alert when
deviations appear.
Values marked with a (*) indicate that each individual instance will be collected.
Values marked with a (_Total) indicate that the sum or average (where appropriate) of all
instances will be collected.
Value Collected Description (from Perfmon) Ideal Notes

Range
\Memory\Availabl Available MBytes is the amount of N/A

e Mbytes physical memory, in Megabytes,
immediately available for allocation
to a process or for system use. It
is equal to the sum of memory
assigned to the standby (cached),
free and zero page lists.
\Memory\Pages Pages/sec is the rate at which Near 0. This is an indicator of how often
/sec pages are read from or written to page files are written or read from
disk to resolve hard page faults. disk. High values indicate low
This counter is a primary indicator memory management.
of the kinds of faults that cause
system-wide delays. It is the sum
of Memory\\Pages Input/sec and
Memory\\Pages Output/sec. It is
counted in numbers of pages, so it
can be compared to other counts
of pages, such as Memory\\Page
Faults/sec, without conversion. It
includes pages retrieved to satisfy

Range
faults in the file system cache

(usually requested by applications)
non-cached mapped memory files.
\Memory\Pages Pages Input/sec is the rate at Near 0. Occasional spikes are expected.
Input/sec which pages are read from disk to
resolve hard page faults. Hard
page faults occur when a process
refers to a page in virtual memory
that is not in its working set or
elsewhere in physical memory, and
must be retrieved from disk. When
a page is faulted, the system tries
to read multiple contiguous pages
into memory to maximize the
benefit of the read operation.
Compare the value of
Memory\\Pages Input/sec to the
value of Memory\\Page Reads/sec
to determine the average number
of pages read into memory during
each read operation.
\Memory\Pool Pool Nonpaged Bytes is the size, in N/A

Nonpaged Bytes bytes, of the nonpaged pool, an
area of the system virtual memory
that is used for objects that
cannot be written to disk, but
must remain in physical memory as
long as they are allocated.
Memory\\Pool Nonpaged Bytes is
calculated differently than
Process\\Pool Nonpaged Bytes, so
it might not equal Process(_Total)
\\Pool Nonpaged Bytes. This
counter displays the last observed
value only; it is not an average.
\Memory\Pool Pool Paged Bytes is the size, in N/A

Paged Bytes bytes, of the paged pool, an area
of the system virtual memory that
is used for objects that can be
written to disk when they are not
being used. Memory\\Pool Paged
Bytes is calculated differently than

Range
Process\\Pool Paged Bytes, so it

might not equal Process(_Total)
\\Pool Paged Bytes. This counter
displays the last observed value
only; it is not an average.
\Memory\% % Committed Bytes In Use is the Less

Committed ratio of Memory\\Committed Bytes than
Bytes in Use to the Memory\\Commit Limit. 50%.
Committed memory is the physical
memory in use for which space
has been reserved in the paging
file should it need to be written to
disk. The commit limit is
determined by the size of the
paging file. If the paging file is
enlarged, the commit limit
increases, and the ratio is
reduced). This counter displays the
current percentage value only; it is
not an average.
\Network Packets Received Errors is the Near 0.

Interface(*) number of inbound packets that
\Packets contained errors preventing them
Received Errors from being deliverable to a higher-
layer protocol.
\Network Output Queue Length is the length Less Higher than an average of 2
Interface(*) of the output packet queue (in than 2. indicates a network bottleneck.
\Output Queue packets). If this is longer than two,
Length there are delays and the
bottleneck should be found and
eliminated, if possible. Since the
requests are queued by the
Network Driver Interface
Specification (NDIS) in this
implementation, this will always be
0.
\Network Bytes Total/sec is the rate at N/A

Interface(*) which bytes are sent and received
\Bytes Total/sec over each network adapter,
including framing characters.

Range
Network Interface\Bytes Total/sec

is a sum of Network
Interface\Bytes Received/sec and
Network Interface\Bytes Sent/sec.
\PhysicalDisk Avg. Disk sec/Read is the average Near 0. Useful metric for determining disk
(_Total)\Avg. time, in seconds, of a read of data latency. Higher values are bad.
Disk sec/Read from the disk.
\PhysicalDisk Avg. Disk sec/Transfer is the time, Near 0. Useful metric for determining disk
(_Total)\Avg. in seconds, of the average disk latency. Higher values are bad.
Disc sec transfer.
/Transfer
\PhysicalDisk Avg. Disk sec/Write is the average Near 0. Useful metric for determining disk
(_Total)\Avg. time, in seconds, of a write of data latency. Higher values are bad.
Disk sec/Write to the disk.
\PhysicalDisk(*) Current Disk Queue Length is the 2-3 per During spikes, check correlation to
\Current Disk number of requests outstanding spindle \Memory\Pages Input/sec
Queue Length on the disk at the time the during
performance data is collected. It idle.
also includes requests in service at
the time of the collection. This is a
instantaneous snapshot, not an
average over the time interval.
Multi-spindle disk devices can have
multiple requests that are active at
one time, but other concurrent
requests are awaiting service. This
counter might reflect a transitory
high or low queue length, but if
there is a sustained load on the
disk drive, it is likely that this will
be consistently high. Requests
experience delays proportional to
the length of this queue minus the
number of spindles on the disks.
For good performance, this
difference should average less
than two.
\PhysicalDisk Disk Bytes/sec is the rate bytes N/A Check Correlation between this
(_Total)\Disk are transferred to or from the disk and \PhysicalDisk\Current Disk
Bytes/sec during write or read operations. Queue Length and \Memory\Pages
Input/sec.

Range
\PhysicalDisk % Idle Time reports the percentage Varies Very low idle time indicates either
(_Total)\% Idle of time during the sample interval the system is being overutilized or
Time that the disk was idle. the disk isn't responsive enough.
Compare to physical disk metrics.
A very high idle time indicates the
server is being underutilized.
\Process(_Total) Working Set is the current size, in N/A Useful for comparison to the
\Working Set bytes, of the Working Set of this \Memory metrics.
process. The Working Set is the
set of memory pages touched
recently by the threads in the
process. If free memory in the
computer is above a threshold,
pages are left in the Working Set
of a process even if they are not in
use. When free memory falls below
a threshold, pages are trimmed
from Working Sets. If they are
needed they will then be soft-
faulted back into the Working Set
before leaving main memory.
\Processor % Processor Time is the Less With high values, compare to

(_Total)\% percentage of elapsed time that than processor queue length to
Processor Time the processor spends to execute a 50% determine total load on the
non-Idle thread. It is calculated by system.
measuring the percentage of time
that the processor spends
executing the idle thread and then
subtracting that value from 100%.
(Each processor has an idle thread
that consumes cycles when no
other threads are ready to run).
This counter is the primary
indicator of processor activity, and
displays the average percentage of
busy time observed during the
sample interval. It should be noted
that the accounting calculation of
whether the processor is idle is
performed at an internal sampling
interval of the system clock (10ms).
On todays fast processors, %
Processor Time can therefore

Range
underestimate the processor

utilization as the processor may be
spending a lot of time servicing
threads between the system clock
sampling interval. Workload based
timer applications are one example
of applications which are more
likely to be measured inaccurately
as timers are signaled just after
the sample is taken.
\Processor % Idle Time is the percentage of 50% or This, with \Processor(_Total)\%

(_Total)\% Idle time the processor is idle during more. Processor Time, helps us
Time the sample interval understand how much time is
spent context switching.
\System\Process Processor Queue Length is the Less

or Queue number of threads in the than 10
Length processor queue. Unlike the disk per
counters, this counter counters, processor
this counter shows ready threads .
only, not threads that are running.
There is a single queue for
processor time even on computers
with multiple processors.
Therefore, if a computer has
multiple processors, you need to
divide this value by the number of
processors servicing the workload.
A sustained processor queue of
less than 10 threads per processor
is normally acceptable, dependent
of the workload.
\TCPv4\Connecti Connection Failures is the number N/A This is an aggregator since the last
on Failures of times TCP connections have system restart. Examine the delta
made a direct transition to the between samples. A high change
CLOSED state from the SYN-SENT could be an indicator of network
state or the SYN-RCVD state, plus issues.
the number of times TCP
connections have made a direct
transition to the LISTEN state from
the SYN-RCVD state.
\TCPv4\Connecti Varies This tells us how many active

ons Established connections are present.

Range
Connections Established is the

number of TCP connections for
which the current state is either
ESTABLISHED or CLOSE-WAIT.
\TCPv4\Connecti Connections Reset is the number N/A This is an aggregator since the last
ons Reset of times TCP connections have system restart. Examine the delta
made a direct transition to the between samples. A high change
CLOSED state from either the could be an indicator of network
ESTABLISHED state or the CLOSE- issues.
WAIT state.
\TCPv6\Connecti Connection Failures is the number N/A Reserved for future use
on Failures of times TCP connections have
made a direct transition to the
CLOSED state from the SYN-SENT
state or the SYN-RCVD state, plus
the number of times TCP
connections have made a direct
transition to the LISTEN state from
the SYN-RCVD state.
\TCPv6\Connecti Connections Established is the N/A Reserved for future use

ons Established number of TCP connections for
which the current state is either
ESTABLISHED or CLOSE-WAIT.
\TCPv6\Connecti Connections Reset is the number N/A Reserved for future use
ons Reset of times TCP connections have
made a direct transition to the
CLOSED state from either the
ESTABLISHED state or the CLOSE-
WAIT state.
Additional Performance Monitoring Metrics: Microsoft SQL Server
Value Collected Description
Process Object : % Processor Time : sqlservr CPU Time consumed by the SQLSERVR process
(Microsoft SQL Server service process).
SQL Server Access Methods Object : Full Full Scan Access Method is bypassing all indexes and
Scans / Sec may indicate sub-optimal performance. Certain amount
of full-scan accesses cannot be prevented, but
extensive usage of Full Scan accesses should trigger
analysis and optimization.

Value Collected Description
SQL server Databases : Active transactions : Number of cuncurrently running transaction. Should not
All instances exceed long-term observed threshold. While this number
is closely related to user activity happening in the
system, having this metric grow continuously over a
long periods of time may indicate problems.
SQL server Databases : Transactions/sec : All Performance oriented metric indicating database engine
instances throughput.
SQL server: Transactions: Longest Transactions represent database operations, which are
Transaction Running time all time bound. Some transactions are long running, but
no transactions should run indefinitely.
SQL Server Buffer Manager Object : Cache Performance oriented metrics. If the cache hit ratio is
Hit Ratio (Buffer Cache hit ratio) steadily low, analysis of the performance profile should
be triggered to optimize cache utilization.
SQL Server General Statistics Object : User Number of concurrent user connections. While there can
Connections be up to hundreds of concurrent connections, this
number should not exceed certain threshold. Please
refer to SafeQ configuration to determine such
threshold.
Example: if the connection pool size in SafeQ is
configured to 100 concurrent connections, this
number should generally stay below this number. If it
does not, that indicates connection pool exhaustion
which should trigger an alert.
SQL Server Locks Object : Average Wait Time Average wait time on SQL Server locks - for mutual
: All instances exclusions on shared resources. Wait time should stay
below or around certain observed threshold. If this
number is steadily growing, that may indicate a problem.
SQL Server Locks Object : Number of Deadlocks indicate deadlocked transactions.

deadlocks /sec: All instances
Service Monitoring
YSoft SafeQ is comprised of several services, which vary by server role and functionality.
However, the general health of all of these services is important for stable and sustained
operation of the solution as a whole:
Service Name Description Server Notes

Roles
YSoft SafeQ Responsible for communication and Site

Terminal Server AAA (Authentication, Authorization, Server
Accounting)

Service Name Description Server Notes
Roles
YSoft SafeQ Responsible for synchronization of Site Startup type is manual by default,
Spooler Site Servers within a group Server service is running when cluster is
Controller Group formed. It is stopped when SPOC is
Service standalone.
YSoft SafeQ Business logic layer for Terminal Site

Spooler Server, FlexiSpooler, and Workflow Server
Controller Processing
YSoft SafeQ Processes print jobs submitted via Mobile Multiple instances of MPS service
Mobile Print email workflows Print can co-exist in one environment.
Server Server
YSoft SafeQ Hosting of Administrative web Manag

Management interface (Apache Tomcat), and ement
Service management of the solution Server
enterprise-wide
YSoft SafeQ Responsible for replication of user Manag

LDAP Replicator data from directory services ement
(Microsoft Active Directory) Server
YSoft SafeQ Responsible for print job reception, Site

FlexiSpooler storage, and release. Server
YSoft Bundled Responsible for centralized All

Etcd configuration of the solution
Monitoring Network Services
In general, monitoring using TCP half-handshake / half-open connections is strongly recommended

(similar monitoring technique is employed by load balancing solutions, like BIG-IP F5). Typical third
party tool which is capable of performing half-open connections is nmap.
P Service Description Implications Monitor Monitor

o on on Site
r Manage Server?
t ment?
4 Manageme Allows for the Dashboard Stopping this service has YES NO
4 nt Service impact on Dashboard availability
3 service
5 LPD Allows for job reception from If unavailable, jobs are not being NO YES
1 listener workstations received by Site Server
5
YES YES

P Service Description Implications Monitor Monitor
o on on Site
r Manage Server?
t ment?
4 Manageme Common port used for If Management service is

0 nt / Site hardware terminal unavailable, Dashboard is
9 Server communication; also can be unavailable as well (even if the
6 service used to determine the service is service is running)
up
5 Terminal Allows for Embedded Terminals If unavailable, users cannot NO YES

0 Server authentication authenticate at MFPs.
1 service
2
9 SafeQ Allows for job reception from If unavailable, users cannot print NO YES
1 Client SafeQ Client (only if failover
0 listener option 4 or 5 is in use)
0
Terminal Server API Integration
YSoft SafeQ's Terminal Server, which is present on all Site Servers, has a REST API that can be
leveraged to check availability of services. Infrastructure monitoring capable of leveraging this can
access server status through the following cURL command, replacing {example.tld} with the Site
Server's FQDN or IP address (default port is 5021):
For UNIX clients:
curl --include 'https://{example.tld}/ts/v1/hello'
For Windows clients using PowerShell (curl is an alias for Invoke-WebRequest)
curl -Uri https://{example.tld}/ts/v1/hello
If the server is operational, a HTTP Response of 200 OK will be returned, HTTP Response 500
(Internal Server Error) indicates application failure.

The HELLO resource is a diagnostics resource intentionally built into the Terminal Server
service. Many application monitoring tools provide install-able agents or connectors which are
able to invoke REST-ful Web Services and evaluate Status Code. While the resource can be
checked manually, it's main purpose is to be monitored automatically by application monitoring
solution.
Site Server Monitoring with JMX
The Site Services installation can also be monitored through Java Management EXtensions (JMX)
Management Beans (MBeans) exposed by the YSoft SafeQ Spooler Controller service. JMX (Java
Management Extensions) provide instrumentation of the Java Virtual Machine. Many application
monitoring tools leverage JMX connectors which enable automated collection and monitoring of
JMX metrics. JMX metrics can also be checked interactively using the bundled JConsole tool (see
screenshot) or 3rd party JMX command line utility (https://github.com/jiaqi/jmxterm).
By default, JMX information is exposed on localhost interface on tcp/9898. Configuration can be

changed to enforce TLS-based encryption and authentication by user / password.

Recommended JMX Mbeans and Metrics (Attributes) to include in Application Monitoring
MBean Attribute Description Expected value
distCache: clusterSize Number of The value should be equal

component=CacheManager,name=" members of Site on all members of the
cacheManager",type=CacheManager Server cluster. cluster.
java.lang:type=Threading threadCoun Number of threads

t
safeq/ymq/MessagingContext getOnlinePe Number of

ersCount connected peers
getOnlinePe List of connected Matching GUIDs for Spoolers,

ers peers Clients, and Mobile Print
servers
getDisconn Number of 0
ectedPeers disconnected peers
Count
getDisconn List of Should be empty

ectedPeers disconnected peers
safeq/eu.ysoft.safeq.ors.OrsNode getNodeSta The state of the ONLINE

te Site Server
Proactive Care
Y Soft offers a YSoft SafeQ analysis solution known as Proactive Care, which was developed in
response to monitoring requests by other customers.
The following files shall be monitored as often as every 15 minutes (shortTask configuration
property in proactive-care-agent.conf). The files mentioned below are typically located in
folder C:\SafeQ6\Proactive Care Agent\results, Those are CSV formatted files,
columns are numbered starting at 1:
sqhc-orsmonitor-[cluster name].result
1. Check column 1 for timestamp - alert if the file was not updated recently. Then the
monitoring is not running.
2. Check column 3 - alert if value is not 1. Then the server is offline.
3. Check column 16 - alert if value is other than number of members in the cluster.
sqhc-services-[server name]-SPOC.result
1.
2. Check columns 3-7 which record return value of the services. Alert if value is above
expected threshold.
XSA = ping result on https://" + hostName + ":5012/XeroxXSA/Service.asmx
XSA_IP = ping result on https://" + hostIP + ":5012/XeroxXSA/Service.asmx"
EIP = ping result on http://" + hostName + ":5011/
EIP_IP = ping result on http://" + hostIP + ":5011/
EUI = response from End User Interface
sqhc-services-[server name]-FSP.result
2. Check column 3 for LPR response - alert of not 0.
Infinispan HTTP/REST Endpoint
If advanced cluster health monitoring is required, including FlexiSpooler to Spooler Controller

connectivity, locally available Infinispan HTTP/REST endpoint can be used. This endpoint is critical
for system functionality and thus caution is advised.
FlexiSpooler Address Book registrations can be retrieved from endpoint:

http://localhost:81/distLayer/com.ysoft.safeq.spoc.addressbook.
AddressBook_distnamespace/
Please note that due to security/performance sensitivity, this endpoint is available on localhost /
loopback network interface only.
Database Maintenance on Management Servers
YSoft SafeQ 6 performs internal database maintenance tasks regularly every day (by default
configured for 1:00 / 1am).
Execution and successful finish of these maintenance tasks can be observed in the
management-service logs:
Started service: 'DATABASE_MAINTENANCE' with result 'SUCCESS' for tenant: 'ApplicationTenantIden

tification[tenantGuid=cluster_mngmt]'
on cluster node: 'skyfwzbh4t0i1k9l'
Upon successful finish, the following message is logged:

Ending invocation: 'Invocation[id=15266, invocationStatus=IN_PROGRESS, clusterNodeId='skyfwzbh4t
0i1k9l',
lastModification='2018-08-27T05:00:00.083Z', serviceIdentification=DATABASE_MAINTENANCE]'
for tenant: 'ApplicationTenantIdentification[tenantGuid=cluster_mngmt]'
Please note that the DATABASE_MAINTENANCE service task is triggered on all management
servers. If you are working with single database instance for all cluster nodes, the task will
successfully complete on only one of them.
Failure is indicated by the following message in the logs:
Started service: 'DATABASE_MAINTENANCE' with result 'FAILED' for tenant: 'ApplicationTenantIdent

ification[tenantGuid=cluster_mngmt]' on cluster node: '8612h4ol3voj5xpb'
Please note that these messages are logged with INFO severity, so you need to have INFO log
level enabled to see them.
Microsoft SQL Server: Logical Index Fragmentation
In case the regular maintenance fails to run, database indexes fragmentation will continue to
increase over time (depending on the real traffic in the system). The expected fragmentation level
is around 10%, should stay around this number and not increase over time. Expected runtime of
the DATABASE_MAINTENANCE task is up to 15 minutes, depending on your configuration and
fragmentation levels.
Fragmentation can be checked using the following query:
MS SQL Index Fragmentation
SELECT
OBJECT_NAME(ips.object_id) AS [TableName],
avg_fragmentation_in_percent,
si.name [IndexName],
schema_name(st.schema_id) AS [SchemaName], page_count
FROM sys.dm_db_index_physical_stats(DB_ID(),NULL,NULL,NULL,'SAMPLED') ips
JOIN sys.tables st WITH ( NOLOCK )
ON ips.object_id = st.object_id
JOIN sys.indexes si WITH ( NOLOCK )
ON ips.object_id = si.object_id AND ips.index_id = si.index_id
WHERE st.is_ms_shipped = 0 AND si.name IS NOT NULL
AND avg_fragmentation_in_percent
>= 10 and page_count > 1000
ORDER BY ips.avg_fragmentation_in_percent DESC;
The sample output from that query can look like this:

More detailed information (for troubleshooting) can be obtained using the following query (which
is more resource consuming and should only be used in case more detailed information is
needed):
SELECT
OBJECT_NAME(ips.object_id) AS [TableName],
avg_fragmentation_in_percent,
si.name [IndexName],
schema_name(st.schema_id) AS [SchemaName],
page_count,
index_level
FROM sys.dm_db_index_physical_stats(DB_ID(),NULL,NULL,NULL,'detailed') ips
JOIN sys.tables st WITH ( NOLOCK )
ON ips.object_id = st.object_id
JOIN sys.indexes si WITH ( NOLOCK )
ON ips.object_id = si.object_id AND ips.index_id = si.index_id
WHERE st.is_ms_shipped = 0 AND si.name IS NOT NULL
ORDER BY si.name, index_level DESC
5.4.17 HOW TO CONFIGURE A PRINT DEVICE IN SAP TO INJECT A USERNAME

INTO A PJL HEADER
5.4.17.1 How SAP Prints
SAP has two fundamentally different versions of print: front end and back end. SAPSPrint or front-
end print is executed on the computer of the end user. Background printing is executed on the
server. The following text is related to background printing.
SAP has a defined Device with Device Type. Each Device Type has a PRI file (something like a
print driver). This file describes how the content should be generated.
The default version of the PRI file does not contain a PJL header with a username. It is necessary
to update the driver and add a line there manually.
How to add a PJL header to the job
Step 1. (*voluntary) Choose an existing PRI file from SAP and back it up:
Invoke an SPAD transaction.

Click the Utilities menu, select the For device types menu, click Export.
Specify the device type, e.g., HPUTF8, and click the Execute (F8) icon.
Step 2a. Copy an existing device type to a new device type with the prefix Z or Y (= an indication
of customization),

and click Execute (F8).
Step 2b. Download the PRI file from the vendor site (e.g., https://support.hp.com/ee-en/document
/c05051702).
and import the PRI file as a Device Type that begins with Z or Y.
Step 3. Edit the custom Device Type.
Step 3.1. Go back to SPAD and select Full administration (F7).
Step 3.2. Display a list of device types.

Step 3.3. Choose the custom device type (with that prefix Z or Y) and display List of implemented
formats (F6).
Step 3.4. Choose the desired format type(s) or create a new one.
Step 3.5. Click Change and edit Printer initialization.

Step 3.6a. Add the following line if you want the username to contain the SAP name of the user
who created the output request.
@PJL USER=$(USER)\r\n
Step 3.6b. Add the following line if you want the username to contain the SAP name of the owner
(probably, the same as user).
@PJL USER=$(OWNER)\r\n

Step 3.6c. Add the following line if you want the username to contain the SAP name of the
receiver of the output.
@PJL USER=$(RECEIVER)\r\n
Step 3.7. Save the change.
Job name encoding
The default encoding in SAP is often Latin 2 or Windows-1252.
In the case of YSoft SafeQ 5, you need to set proper encoding in the YSoft SafeQ option
lprEncoding to decode users with logins that contains special characters like ä, ž, š.
In the case of YSoft SafeQ 6 up-to MU26, the option lprEncoding does not work and YSoft SafeQ
always assumes UTF-8. The solution is to switch to the UTF-8 driver in SAP, e.g., HPUTF8. Note:
do not forget to add the PJL header described in the previous section.

5.4.17.2 Frequently asked questions
Question Answer
Is this device created in SPAD seeable by all SAP Unless configured otherwise.
users?
How do you handle SAP user IDs that don't match Use aliases for accounts in YSoft SafeQ.
the users AD account?
We want to parse the user from the job title in The configuration option of YSoft SafeQ "Location
YSoft SafeQ6, but it is not working. In YSoft of username in jobtitle" - "parseUserFromTitleIndex"
SafeQ5 we had no issue at all. What could be the changed. In SQ5 the index begins with 1, in SQ6 it
cause? begins with 0. Change the option so it matches
desired position in job title.
What is the difference between device type in SAP A printer driver is an attribute of SAP device type.
and a driver or is this the same? This document is related to server-side printing.
Do you need to make the change in all formats Yes, if you want to support all formats.
within the device type?
Which method is it possible to use? Is it : User- The Z method is marked by SAP as deprecated.
Defined Formatting Routine (Host Spool Access The example will work with U or E method.
Method)?
How about the job names that are blank from You set job title at spool request creation (print
some SAP prints? Is it SAP related? parameter). It may also happen if you use
username as job title and you enable parsing
username from job title and deletion of parsed
username from job title in YSoft SafeQ Spooler
settings.
When the print Jobs come from SAP direct to This is vendor specific. Some vendors allows direct
Printer. How Can I identify who user is send this print, when Terminal is installed, the devices
printing? parses PJL header and asks YSoft SafeQ whether
it's possible to release the job. Then the YSoft
SafeQ is able to match the job even with direct
print.
Is SAP administrator account needed in order to No. It is sufficient to have an account which has
add a new print driver? permission to work with SPAD transaction. E.g.
DEVELOPER account has such permission.
Does the PJL header from SAP have to match Configuration option " Expression for username
then the syntax from the Windows driver? parsing from PJL job headers" should be
configured so it matches both cases. E.g.: @PJL
[SET]* USER[ ]*=[ ]*(.*)(@|\n|\r)

5.4.18 GREEN REPORTING - PURGED PAGES
Any device related column will have no data, the pages were not printed there for they cannot
be associated with specific devices.
5.4.18.1 Green reporting calculations
The formula used for calculation of environmental savings will never be 100% accurate because it
depends on zillions of different variables. The process of paper making is changing with
technology which in return make the whole production more and more environmentally friendly.
This trend pushes paper making companies to use old recycled paper for new production, keep
spare thermal energy for heating or electricity production which is later consumed for new paper
production.
Following premises are used for calculation:
One ream of paper is 500 sheets, and there are about 450 reams in a metric ton of paper.
One ton of paper is made from about 17 trees.
500 sheet of paper (one package/ream) requires for it’s production:
about 4% of a tree
43.8 liter of water (11.5 gallons) ….. about 20,000 liter/5000 gallons per ton of pulp
production
0.44 kg of emitted CO2 …. 200 kg of CO2 per ton in pulp production
6.8 kWh of electricity … 3 MWh per produced ton of paper
5.4.18.2 Configuring Green (Purged Pages) Reports
1. Log in to the management interface with sufficient rights to administer printers (for
example, "admin").
2. Go to System > Configuration and set view to expert and search for enable-purge_reports,
then verify that property is enabled.
If enabled, green reports are generated regularly in YSoft SafeQ.
3. Make sure print job parser - Job analysis resolution is set to Low or high ( System >
Configuration and search for jobAnalysisResolution).

If you want to parse PostScript (PS) jobs, you need to download and install GhostScript
parser, see more details in Print Job Parser Configuration article.
4. Set prices for Purge pages. Go to System > Configuration and search for purge_job_price,
then configure the price for the following settings:
a. Price for an unprinted A3 B/W page.
b. Price for an unprinted A3 color page.
c. Price for an unprinted A4 B/W page.
d. Price for an unprinted A4 color page.
5. Restart the Management Server and FlexiSpooler services.
5.4.18.3 Predefined Green (Purged Pages) Reports
The predefined Green report filters can be found as follow:
1. On the Management interface > Reports > Web reports > click Report list menu
2. Select Green report per cost center or Green report per user.

5.4.18.4 Report Samples
Green report per cost center:
Green report per user:

5.4.18.5 My Savings Widget
One of the widgets available to users after they login to the management interface is the My
savings widget, this widget described how many trees, energy, water and CO2 the user has
saved. Every non-accounted job with deleted status is counted as purged.
Data are listed for current month and also for current calendar year.
5.4.19 HOW TO RESTART A YSOFT SAFEQ ENVIRONMENT
It is recommended to test Windows Updates on a Development system before any updates

are applied to Production systems. Consult your organization's policy on Windows server
updates.

Server Type Action Temporary User Impact During Next Step
Performed Restart
Restart the YSoft SafeQ Management Servers will Restart YSoft SafeQ
External MS external be unavailable as the database is Management Servers
SQL Database Microsoft SQL inaccessible.
Server.
Server (if used)
Restart the Restarting all Management servers: Restart YSoft SafeQ

YSoft SafeQ Windows server. User authentication using Site Servers
Management See "Managemen username and password is not
t Server Restart available. New users may not
Server
Guidelines" authenticate at the Site
Server. Far roaming print jobs
may not be available.
Restarting one Management Server at
a time:
No user impact expected.
Restart the Devices installed to a specific Site Test authentication,

YSoft SafeQ Windows server. Server: print, and scan
Site Server See "Site Server All authentication and printing functionality at
Restart is unavailable until the Site devices.
Guidelines" Server has completed
restarting and is online.
Devices installed to a load balancer:
Jobs spooled to a restarting
Site Server may not be
available for printing.
5.4.19.1 Management Server Restart Guidelines
If one Management Server is installed:
Restart the Management Server.
If multiple Management Servers are installed:
Restart one Management Server at a time.
In environments with 1000+ devices wait 30 minutes before restarting the next
Management Server.
Wait until the Management Server dashboard is accessible before restarting the next
Management Server.

5.4.19.2 Site Server Restart Guidelines
If the Site Server is not part of a Spooler Controller group:
Multiple Site Servers can be restarted.
If the Site Servers are in a Spooler Controller group (any size):
Only one Site Server of a Spooler Controller group can be restarted at a time.
Proceed with the next Windows server restart after

If you restarted multiple Site Servers of a Spooler Controller group in parallel follow the
section "How to safely restart a Spooler Controller group with cache deletion" on all
members of the Spooler Controller group.
5.4.19.3 How to Safely Restart a Spooler Controller Group with Cache Deletion
Service service.
4. Repeat previous steps 1-3 on all Site Servers in the Spooler Controller group.
5. Delete the cache folder <SAFEQ_DIR>\SPOC\SpoolCache on all Site Servers in the group.
10. Repeat the previous steps 6-9 on all Site Servers in the Spooler Controller group.
Depending on the count of not-deleted jobs, wait 3-10 minutes between the start of each
Site Server services.
Previously printed jobs may not be visible in the terminal job list for 15 to 30 minutes
until spooler job recovery has completed.

5.4.20 TIPS FOR COLLECTING OF YSOFT SAFEQ 6 LOG FILES
Script can be used also for collecting logs from YSoft SafeQ 5.
As in various cases YSoft SafeQ log files are necessary, this article is providing the PowerShell
script that can effectively help you to collect them.
When editing the script it is good to use " PowerShell ISE " tool.
Kindly follow instructions from the .DESCRIPTION section of the script when using it.
5.4.20.1 Script body
<#
.SYNOPSIS
The script helps collecting log files, configuration files, Windows Event Logs of YSoft SafeQ
6.
.DESCRIPTION
The script identifies YSoft SafeQ installation and collects all possible log files and
configuration.
The script collects information from Windows Event Viewer.
The script collects information from Windows System Information
The script collects data for defined period of time (see $LogAge parameter). E.g. if the
issue happened 3 hours ago, you would collect data from the last 4-5 hours to ensure that all
data for analysis are available.
The script collects only data from the server where the command was triggered for the past X
hours (see $LogAge parameter). In case other servers may be involved (Management Server, CBPR
Client, Authentication against SPOC group, etc.) data from all affected servers has to be
provided.
- for instance an authentication issue on an MFD managed by a SPOC group hidden behind a
virtual IP address of load balancer occurs; log files from all servers in the SPOC group as
well as from the Management servers has to be provided.
- log files must cover the date and time of the occurrence
The script must be launched using PowerShell as an Administrator

Additional data such as "Support information" (YSoft SafeQ Management web interface >
Dashboard > Click "Support information" > Click "Download support information"), screenshots
and other relevant information must be collected manually and provided along with the log files.
.PARAMETER LogAge
Defines the period for how how many hours the log files will be collected from now to the
past (default configuration is past 24 hours).
.PARAMETER RootCollectionPath
Defines the folder where on the server would you like to store the data (by default a new
folder will be created on the desktop).
.PARAMETER GetLog
Determine if logs are collected ($true / $false).
.PARAMETER GetConf
Determine if the configuration files are collected ($true / $false).

.PARAMETER GetMisc
Determine if Windows Event Logs, System Information, list of Windows services, list of Memory
Dumps are collected ($true / $false).
.NOTES
Version: 1.19
Creation Date: 05/05/2020
.EXAMPLE
Define required values in $LogAge and $RootCollectionPath parameter.
Run Windows PowerShell as an administrator and launch the command as follows:
C:\Users\Administrator\Downloads> .\SQ_Collect_Logs.ps1
#>
#-----------------------------------------------------------[Parameters]
-----------------------------------------------------------
# Set the log age to gather in hours (Default: $LogAge = '24')

$LogAge = '24'
# Log collection folder (Default: $RootCollectionPath = "$($env:USERPROFILE)\Desktop")

# Example : $RootCollectionPath = "C:\Temp"
$RootCollectionPath = "$($env:USERPROFILE)\Desktop"
# Get logs ($true / $false)

$GetLog = $true
# Get configuration files ($true / $false)

$GetConf = $true
# Get Windows Event Logs, System Information, Memory Dumps ($true / $false)
$GetMisc = $true
#-----------------------------------------------------------[Execution]
------------------------------------------------------------
# Input value check

If (($GetConf -eq $false) -and ($GetLog -eq $false) -and ($GetMisc -eq $false)) {
Write-Warning 'Nothing to collect. Please review the configuration and re-run the script.'
'Press any key to exit the script.' | Out-Host
Read-Host
exit
}
#Admin rights check

If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::
GetCurrent()).IsInRole(([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'))) {
Write-Warning 'Administrative rights are missing. Please re-run the script as an
Administrator.'
'Press any key to exit the script.' | Out-Host
Read-Host
exit
}
# Create function for data copying

function copydata($FileToCopy) {
ForEach ($tmp in $FileToCopy) {
$DirectoryName = $tmp.DirectoryName -replace ("\w:\\","")
$Destination = "$DataDest\$DirectoryName"

If (!(Test-Path $Destination)) {
New-Item -Path $Destination -ItemType Directory | Out-Null
}
Copy-Item $tmp.FullName -Destination $Destination
}
}
# Create functions for data extraction / archivation compatible with PowerShell lower than v5
function Expand-ZIP($file, $destination) {
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::ExtractToDirectory($file, $destination)
}
function Compress-ZIP($directory, $destination) {
Add-Type -AssemblyName System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::CreateFromDirectory($directory, $destination, "optimal", $tru
e)
}
# Prepare the log collection folder

$IPaddress = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration | Where-Object {$_.
DefaultIPGateway -ne $null}).IPAddress | Select-Object -First 1
$FolderName = "$((Get-Date).ToString('yyyyMMddHHmm'))_$($env:COMPUTERNAME)_$($IPaddress)
_YSoftDiagData"
$DataDest = "$($RootCollectionPath)\$($FolderName)"
'Locating the installation directories'

# Define the services
$ServiceList = Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\Services | ? {(($_.Name.Split(
'\') | Select-Object -Last 1) -like 'YSoft*') -or (($_.Name.Split('\') | Select-Object -Last 1)
-like 'YSQ*')} | % {
Get-ItemProperty $_.PsPath | ? {
$_.PSChildName -ne "YSoftEtcd" `
-and $_.PSChildName -ne "YSoftSQ-LDAP" `
-and $_.PSChildName -ne "YSoftSafeQLDAPReplicator" `
-and $_.PSChildName -ne "YSoftSafeQCMLDBS" `
-and $_.PSChildName -ne "YSoftWeb"
}
}
# Find the root directory for each service

ForEach ($Service in $ServiceList) {
$tmp = $Service.ImagePath.Split()[0].Trim('`"')
$tmp = $tmp.Substring(0,$tmp.LastIndexOf('\')) -Replace ('\\?bin\\?','') -Replace ('\\?
tomcat\\?','') -Replace ('\\Service\\?','') -Replace ('PGSQL','PGSQL-data') -replace ('\\procrun
','')
$Service | Add-Member -MemberType NoteProperty -Name Path -Value $tmp
}
if ($GetConf -eq $true) {
'Copying the configuration files' | Out-Host
# Define the configuration files

$ConfList = New-Object PSObject -Property @{
'YSoftSQ-Management' = 'conf\*.properties','tomcat\conf\*.xml','validator\conf\DBVal
idator.properties'
'YSoftIms' = 'application.properties'
'YSoftPGSQL' = '*.conf'

'YSoftSQ-SPOC' = 'conf\modules\*.conf','conf\*.drl','conf\remoteConfImg.xml','
bin\wrapper.conf'
'YSoftSQ-SPOCGS' = 'config\distServer.conf','config\*.xml'
'YSoftSQ-EUI' = 'conf\*.xml','ui-conf\environment-configuration.properties'
'YSoftSQ-TS' = 'TerminalServer.exe.config'
'YSoftSQ-FSP' = 'service\*.config'
'YSoftSQ-WPS' = 'WpsService.exe.config'
'YSoftSQ-MPS' = 'Service\conf\*.config'
'YSoftSQ-MIG' = 'bin\MigService.exe.config','bin\services\MdnsService.xml'
'YSoftPS' = 'ps-conf\*.properties','ysoft\*.properties','conf\*.xml'
'YSoftSQ-JOB-SERVICE' = 'configuration\*.json'
'YSoftSQ-SPOOLER' = 'configuration\*.json'
'YSoftSQ-JSDL' = 'distServer\distServer.conf','distServer\config\*.conf','dist
Server\config\*.xml'
'YSoftSafeQCML' = 'conf\*.conf','conf\*.drl','tomcat\conf\*.xml'
'YSoftMobilePrintServer' = 'Service\conf\*.config'
'YSoftPaymentSystem' = 'ps-conf\*.properties','ysoft\*.properties','conf\*.xml'
'YSQpostgres' = '*.conf'
'YSoftSafeQORS' = 'conf\modules\*.conf','conf\*.drl','conf\remoteConfImg.xml'
}
# obtaining all the configuration files based on the predefined list

$ConfToCopy = @()
ForEach ($Service in $ServiceList) {
$ConfGrp = $ConfList.PSObject.Properties.Name -eq $Service.PSChildName
ForEach ($Conf in $ConfList.$ConfGrp) {
If ((Test-Path "$($Service.Path)\$($Conf)")) {
$ConfToCopy += Get-ChildItem -Path "$($Service.Path)\$($Conf)"
}
}
$ConfToCopy = $ConfToCopy | Sort FullName -Unique

copydata $ConfToCopy
}
if ($GetLog -eq $true) {
'Copying the log files' | Out-Host

# obtaining all the files modified in the defined period plus the two last files of each
filename pattern
$LogToCopy = @()
ForEach ($ServicePath in $ServiceList.Path) {
$LogList = @()
$LogPaths = @()
$LogList += Get-ChildItem -Path $ServicePath | ? {($_.Length -gt 0) -and ($_.extension -
eq ".log")}
$LogPaths += Get-ChildItem -Path $ServicePath -Directory -Recurse | ? {$_.Name -match "^
(pg_log|log|logs)$"} | Select-Object -ExpandProperty FullName
ForEach ($LogPath in $LogPaths) {
$LogList += Get-ChildItem -Path $LogPath -File
}
# additional location for YSoftSQ-SPOOLER install.log and client v3 log

if ($ServicePath -match 'versions\\latest'){
$LogList += Get-ChildItem -Path $($ServicePath -replace 'versions\\latest','logs') -
File -ErrorAction Ignore

$LogList += Get-ChildItem -Path $(($env:USERPROFILE -replace "[^\\]*(?:)?$") + '*\Ap
pData\Roaming\YSoft SafeQ Client\logs') -Recurse
}
$Patterns = @()
ForEach ($Log in $LogList) {
If ($Log.BaseName -match "\.") {
$Patterns += ($Log.BaseName -Split ('\.'))[0]
} Elseif ($Log.BaseName -match "postgresql") {
$Patterns += ($Log.BaseName -Split ('\-'))[0]
} Else {
$Patterns += $Log.BaseName
}
}
$Patterns = $Patterns | Select-Object -Unique
$LastLogs = @()
ForEach ($Pattern in $Patterns) {
$LastLogs += $LogList | ? {$_.BaseName -match "$Pattern"} | Sort-Object
LastWriteTime -Descending | Select-Object -First 2
}
$LogToCopy += $LogList | ? {$_.LastWriteTime -gt (Get-Date).AddHours(-$LogAge) -or $_ -

in $LastLogs}
}
$LogToCopy = $LogToCopy | Sort FullName -Unique

copydata $LogToCopy
'Extracting archived logs' | Out-Host

$ZipFiles = Get-ChildItem -Path $DataDest -Recurse | Where-Object {$_.Name -match '.zip'}
If ($ZipFiles) {
$progresstrack = 0
$command = [scriptblock]::Create('Expand-ZIP -File $($ZipFile.FullName) -Destination
$($ZipFile.Directory.FullName)')
ForEach ($ZipFile in $ZipFiles) {
Try {
Write-Progress -Activity "Extracting archived logs" -CurrentOperation "" -
PercentComplete ($progresstrack/$zipfiles.Count*100)
$progresstrack = $progresstrack + 1
& $command
Remove-Item -Path $ZipFile.FullName
} Catch {<#"File extraction failed, keeping an archive: $ZipFile"#>}
}
Write-Progress -Activity "Extracting archived logs" -Status "Ready" -Complete
}
}
if ($GetMisc -eq $true) {
If (!(Test-Path $DataDest)) {New-Item -Path $DataDest -ItemType Directory | Out-Null}
'Getting the Windows Event Logs' | Out-Host

Get-EventLog Application -After (Get-Date).AddHours(-$LogAge) | Format-Table -Property
TimeWritten, Source, EventID, EntryType, Message -wrap -auto | Out-File $DataDest\EventLog_Appli
cation.txt -Width 250
Get-EventLog System -After (Get-Date).AddHours(-$LogAge) | Format-Table -Property
TimeWritten, Source, EventID, EntryType, Message -wrap -auto | Out-File $DataDest\EventLog_Syste
m.txt -Width 250

'Getting the System Info' | Out-Host
systeminfo | Out-File $DataDest\SystemInfo.txt
'Getting details about services' | Out-Host

Get-WmiObject win32_service | Sort DisplayName | format-table -Property DisplayName, Name,
StartName, StartMode | Out-File $DataDest\Services.txt -Width 250
'Getting details about available memory dumps' | Out-Host

$dmp = Get-ChildItem -Path ([regex]::split($ServiceList.Path, '(\w:\\\w+\s?\w\\)')[1]) -
Include *.hprof,*.mdmp,*.dmp -Recurse
If (![string]::IsNullOrEmpty($dmp)) {
$dmp | Format-Table -Property FullName, Length, LastWriteTime -AutoSize | Out-File $Data
Dest\Dump_List.txt
} Else {
'No hprof/mdmp/dmp file found.' | Out-File $DataDest\Dump_List.txt
}
'Compressing the files' | Out-Host

if ($PSVersionTable.PSVersion.Major -ge 5) {
Compress-Archive -Path $DataDest -DestinationPath "$($DataDest).zip"
} else {
Compress-ZIP -Directory $DataDest -Destination "$($DataDest).zip"
}
Remove-Item -Path $DataDest -Recurse -Force
Write-Output ""
Write-Output "Work done, the output is in $DataDest"
Write-Output 'Feel free to close the script'
Read-Host
5.4.21 HOW TO UPGRADE POSTGRESQL FROM VERSION 9.4 TO VERSION 11
These guide is primary targeted for external PostgreSQL installation. Embedded PostgreSQL
upgrade is included in YSoft SafeQ server installer.
I assume default PostgreSQL binary folder is: "C:\SafeQ6\Management\PGSQL" and PostgreSQL

data folder is: "C:\SafeQ6\Management\PGSQL-data", same as default installation of YSoft SafeQ
Management Server with embedded PostgreSQL database. Please change these folders
according to your deployment options.
1. Download PostgreSQL 11 binaries from https://www.enterprisedb.com/download-postgresql-

binaries. Select PostgreSQL 11 version according to your operation system.
2. Backup PostgreSQL 9.4 data folder "C:\SafeQ6\Management\PGSQL-data".

5.4.21.2 A Step-by-step Guide
Follow next steps to upgrade PostgreSQL installation to version 11.
1. Stop PostgreSQL service and all dependent services.
2. Copy downloaded PostgreSQL 11 binaries into new folder, at example "C:

\SafeQ6\Management\PGSQL_11".
3. Create postgres_password.txt file in current directory and put postgresql user password
into the file.
4. Initialize new data folder (such as C:\SafeQ6\Management\PGSQL_11-data), run initdb:
c:\SafeQ6\Management\PGSQL_11\bin\initdb -D "c:/SafeQ6/Management
/PGSQL_11-data/" -E utf-8 --auth=md5 -U "postgres" --pwfile="postgres_passw
ord.txt"
5. Upgrade PostgreSQL data folder. Before executing pg_upgrade, make sure that
Administrator account has granted Full controll permission for both old PGSQL and PGSQL-
data directories and new PGSQL_11 and PGSQL_11-data directories.
C:\SafeQ6\Management\PGSQL_11\bin\pg_upgrade -U postgres -b "C:

\SafeQ6\Management\PGSQL/bin" -B "C:\SafeQ6\Management\PGSQL_11/bin" -d "C:
\SafeQ6\Management\PGSQL-data" -D "C:\SafeQ6\Management\PGSQL_11-data"
6. Change configuration in postgresql.conf which you required. List of changes to default

configuration by default installation of YSoft SafeQ Management Server:
listen_addresses = '*'
port = 5433
max_connections = 120
shared_buffers = 512MB
max_prepared_transactions = 20
work_mem = 128MB
maintenance_work_mem = 512MB
effective_cache_size = 1024MB
logging_collector = on
log_directory = 'pg_log'
autovacuum_naptime = 43min
datestyle = 'iso, dmy'
default_text_search_config = 'pg_catalog.simple'

7. Test if PostgreSQL will start correctly:
"C:\SafeQ6\Management\PGSQL_11\bin\pg_ctl.exe" start -D "C:

\SafeQ6\Management\PGSQL_11-data" -w
and stop the service after check:
"C:\SafeQ6\Management\PGSQL_11\bin\pg_ctl.exe" stop -D "C:

\SafeQ6\Management\PGSQL_11-data" -w
8. Remove old PostgreSQL 9.4 folders: "C:\SafeQ6\Management\PGSQL" and "C:

\SafeQ6\Management\PGSQL-data".
9. Rename "C:\SafeQ6\Management\PGSQL_11" to "C:\SafeQ6\Management\PGSQL" and "C:

\SafeQ6\Management\PGSQL_11-data" to "C:\SafeQ6\Management\PGSQL-data".
10. Delete postgres_password.txt file.
11. Start PostgreSQL service and all dependent services.
pg_upgrade fails with could not write to log file or could not connect to server errors
pg_upgrade can fail with could not write to log file error or that source database could not be
started, see screenshots below:

Administrator account should have Full control permission set for both old PGSQL and PGSQL-
data directories and new PGSQL_11 and PGSQL_11-data directories. On each directory: right
click and select Properties → switch to Security tab → click Advanced → on Permissions tab →
click Add
click on Select a principal link → fill in Administrator account (in our example it is
RND0171\Administrator, this might differ on production environment) → click OK.
Check Full control checkbox → click OK

pg_upgrade fails with fe_sendauth no password supplied error message
Set PGPASSWORD environment variable to postgres' user password (previously provided via
postgres_password.txt file.
cmd
set PGPASSWORD=<password>
powershell
$ENV:PGPASSWORD="<password>"
ALTERNATIVELY, temporarily change METHOD value from md5 (or whatever value you find there)
to trust in pg_hba.conf for both PGSQL-data and PGSQL_11-data directories.
pg_hba.conf
host all all 0.0.0.0/0 trust
For easy migration do this for all records in both pg_hba.conf files, but do not forget to change
it back after pg_upgrade successfully finishes.

If there will be some other problem during upgrade phase which you would not be able to solve
you could provide complete new installation of PostgreSQL by installer(https://www.enterprisedb.
com/downloads/postgres-postgresql-downloads). You will need to backup all necessary databases
from old PostgreSQL version and restore databases into new PostgreSQL 11 installation.
5.4.22 HOW TO REMOVE A SPOOLER CONTROLLER
5.4.22.1 Overview
In the case of environment change there might be a need to delete the Spooler Controller. When
there are devices linked with the Spooler Controller then it can be useful to move the devices to
another Spooler Controller. After the devices movement it is safe to delete the Spooler Controller
that is no longer linked with devices.
When there are devices linked with a Spoler Controller and the Spooler Controller is deleted then
the devices are impacted by that and cannot work properly. If you want to keep devices working
then follow the procedure below that instruct you on how to move devices to another Spooler
Controller.
5.4.22.2 Process description
Follow these steps to safely delete a Spooler Controller:
1. Find or create a new Spooler Controller for devices that are currently linked with the
Spooler Controller that is subject of deletion.
2. Find all devices linked with the Spooler Controller that is subject of deletion.
3. Move found devices to another Spooler Controller.
4. Delete the Spooler Controller.
5. If the Site Server was in a cluster then restart YSoft SafeQ Environment. The procedure is
described in the following link: How to Restart a YSoft SafeQ Environment.
You can find detailed description of steps below.
Find all devices linked with the Spooler Controller that is subject of deletion
In the Device > Printer section, you can view all devices registered in the YSoft SafeQ
environment.
Choose a Spooler Controller in the Group by menu at the top of the grouping panel to view all
devices to which the chosen Spooler Controller was assigned and thus there is the link between
them. Remember the list or repeat the step to see actual list.
If there is no device listed then it is safe to delete the Spooler Controller.

Move found devices to another Spooler Controller
Edit each device manually one by one and change the device setting. Assign an active Spooler
Controller group to the device. If the group contains multiple Spooler Controllers then select an
active Spooler Controller from the available options.

Delete the Spooler Controller
Ensure that the Spooler Controller is not linked to any device as described above. List of all
Spooler Controllers and groups can be accessed in Devices > Spooler Controller groups. To
delete a Spooler Controller press the additional options drop down Edit and choose Delete.
5.5 INSTALLATION AND DEPLOYMENT
5.5.1 SOFTWARE
5.5.1.1 Installing YSoft SafeQ 6 Server
YSoft SafeQ comes as several micro services that can be deployed in several ways to favor
different server landscapes or business requirements. Deployment and configuration of these
micro services are managed via the YSoft SafeQ 6 installer.Each service comes with its own
installer, and the YSoft SafeQ 6 installer encapsulates them into one seamless package and
handles their integration.The YSoft SafeQ 6 installer supports several installation scenarios:
Scenario When can it be used?
First server installation YSoft SafeQ Management Server deployment

The first Management Server can be the only server in a
single-server installation of YSoft SafeQ 6, and it has to
be the first installed server in a multi-server installation of
YSoft SafeQ 6.
If you are considering using the cluster of YSoft
SafeQ Management Servers in the future, use an
external high-available SQL server – the embedded
database is deployed on one YSoft SafeQ
Management Server only and, therefore, there is no
failure resiliency and recovery procedures may take a
long time to finish.

Scenario When can it be used?
First server installation with an external Install YSoft SafeQ 6 with an external MSSQL or
Database PostgreSQL database.
First server installation with standalone When high-availability, failure resiliency and data
data warehouse database throughput are in demand
Site Server installation Deploys dedicated Site Servers to various locations in

the environment.
Required for customers with multiple interconnected
locations where the remote locations are handled by
independent Site Server(s) and the entire system is
managed from one central location.
Management cluster installation Connect multiple Management Servers in order to form a

cluster
Make sure you use an external high-available SQL
server during the installation of First server – an
embedded database is deployed on one YSoft SafeQ
Management Server only and, therefore, there is no
failure resiliency and recovery procedures may take a
long time to finish.
YSoft SafeQ 6 update Updates any YSoft SafeQ 6 environment to a recent

build.
Update does not allow altering the existing installation or
configuration.
Advanced Scenario When can it be used?
Unattended installation Install or update YSoft SafeQ 6 automatically via a script or any central
and update management tool.
Upgrading from YSoft Upgrade SQ5 CML and YSoft SafeQ 5 ORS to YSoft SafeQ 6 First
SafeQ 5 server and YSoft SafeQ Site Server.
YSoft SafeQ in Public Cloud Describes how organizations are using YSoft SafeQ 6 in public cloud.
If port 80 is selected in the installer for the YSoft SafeQ management interface, then the IIS
site called "Default Web Site" is deleted from IIS after installation as the site overrides system
settings and uses port 80 instead of the YSoft SafeQ management interface. If IIS was
already installed before and you select this option, please make sure that there is not an
important site named "Default Web Site" configured in the external IIS otherwise it will be
deleted.

YSoft SafeQ 6 can be deployed in various environments. However, each case must be considered
and analyzed individually. Please consult any special uses of YSoft SafeQ 6 with Y Soft
representatives.
YSoft SafeQ Management Server cluster deployment
Multiple Management nodes can form a cluster. This document describes procedure how to add a
clustered Management Server to an existing environment with First Server.
Make sure to use an external high-available SQL server during installation of First Server -
embedded database is deployed on one Management Server only and thus there is no failure
resiliency and recovery procedures may take long time to finish.
Installation of additional Management Server
Mandatory subsystems: Management Service, Spooler Controller, Workflow Processing

System, FlexiSpooler.
Optional subsystems: Mobile print Server, YSoft Payment System.
Extract the installer archive to your disk. You will see several binary cabinets and one executable.
Run the executable.
Select a language
Installer uses selected language to communicate with the user with the exception of text
coming directly from the OS which is dependent on the OS language. Typically YES, NO and OK
buttons.
A number of languages depend on the localization scope for each installer.
Default language is English.

Welcome page
The user is notified that a wizard-like setup will guide him through the installation process.
License Agreement
License agreement shows standard YSoft EULA.
The user has to agree with EULA content in order to continue.

Server environment
Management server cluster is formed by connecting one or more Management servers to an

existing Management server.
Server environment
Select Additional Management server option and provide the network address of an existing
Management Server.
All Management server in a cluster share the same data and configuration.

Provide network address of any other Management server in order to form a connection.
Management servers share configuration like database backend.
Database related configuration is not required as it will be reused from Management servers
already installed.
It is highly recommended to install or update one Management node at a time. Installation or

update of multiple nodes at the same time could result in installation or update failure.
Optional features
Select which optional features shall be installed.
Spooling features - print jobs will be spooled directly on this server.
Installation folder

Provide a path to the installation folder
Each subsystem will be installed to its dedicated folder
Minimum required disk space is 2.5 GB.
Pre-installation check
Pre-installation check performs a series test in order to verify if the server environment is
suitable for installation. Currently, only basic tests are not being performed, but the list will
grow in the future.
Installer process has Administrator rights.
Server OS is intended for servers (no Windows 7,8,10 etc).

.Net framework availability - If not found installer will deploy .Net framework 4.5.2
automatically.
Other properties
The Management server is being identified by automatically generated GUID, however, you can
also provide GUID manually.
A drop-down list of all available IPv4 network interfaces.
The user can choose one network interface to which will SafeQ services bind.
MobilePrint mailbox

Setup connection to an incoming mailbox.
This configuration is required for MobilePrint feature to work properly.
Configuration is required only when MobilePrint features were selected.
Additional reconfiguration on all YSoft SafeQ Management servers
IMS Servers (responsible for update of hardware devices such as Terminal Pro 4) require a shared
storage for all its uploaded packages and related resources. It is used when uploading new
hardware packages via Management Server web interface.
1. Edit <install_dir>\Management\ims\application.properties and add the following parameter:
# path to repository directory. Example: repository.path = //clusteredstorage

/imsrepo
repository.path = <dir shared all for IMSes>
2. Change owner of the "YSoft Infrastructure Service" to the service account that has full
administrative rights on the local server and to the shared directory.
Reconfiguration of YSoft SafeQ Site Servers to connect to all YSoft SafeQ Management
Servers
All YSoft SafeQ Spooler Controllers must be always aware of all YSoft SafeQ Management
Servers, else the various failures in the environment will occur.

Thus it is necessary to inform all YSoft SafeQ Spooler Controllers that a new YSoft SafeQ
Management Server is available. Make sure to perform this task on all YSoft SafeQ Site Servers
and YSoft SafeQ Management Servers where YSoft SafeQ Spooler Controller is present.
1. Find out IP address and GUID of newly installed YSoft SafeQ Management Server.
Management Server GUID can be obtained from the web interface of a newly installed
node > Dashboard > System info widget.
2. Edit <SAFEQ6_HOME>\SPOC\conf\modules\spoc.conf and add information about newly

installed YSoft SafeQ Management Server to the bottom of the file into Connections to
CML server nodes: GUID, IP and PORT section. If you added second YSoft SafeQ
Management Server, each parameter will have suffix 2, third server will have suffix 3 and
fourth server will have suffix 4. Example of added configuration:
serverGUID2=GUID_of_second_Management_Server
serverPORT2=6010
serverIP2=10.0.20.30
3. Restart YSoft SafeQ Spooler Controller service to apply the changes
4. Edit <SAFEQ6_HOME>\SPOC\ims\application.properties and add address of every

management server to the parameter infrastructureServiceAddresses (coma separated
list)
5. Restart YSoft Infrastructure Service Proxy service to apply the changes
First server installation
Scenario that deploys Management server with additional features. Other servers like Site server
can connect to Management server in order to expand YSoft SafeQ 6 functionality.
Following services are installed as mandatory: Management, Spooler Controller, Workflow

Processing System, FlexiSpooler
Following services can be installed if required: YSoft Payment System, Mobile Print Server
Prerequisites
Please make sure there is no Windows Update in Pending Restart status before the
installation.
If the installation needs to turn on additional server roles, it might cause this pending restart
to execute without any prompt during installation.

Extracting the Archive
Extract the archive with the installer to your disk.
The installer consists of several binary cabinets and one executable. The executable file needs
to be in the same folder as all of its cabinets.
Run the executable file.
Choosing the Language
The installer uses the selected language to communicate with the user with the exception of
text coming directly from the OS, which is dependent on the OS language. Typically, this
means the "Yes", "No", and "OK" buttons.
The number of languages depends on the localization scope for each installer.
The default language is English.

The Welcome Page
The user is notified that a wizard-like setup will guide them through the installation process.

License Agreement
The license agreement shows the standard YSoft EULA.
The user has to agree with the EULA content in order to continue.

Server environment
Choose the right option by assessing what server are you about to install.
Option First server will guide you through installation process of YSoft SafeQ Management
server. This is a foundation on which every YSoft SafeQ 6 solution is based. For small or
midsize installations you probably won't need any additional servers.
Option Other servers offers deployment of additional server that can connect to YSoft SafeQ
Management server and provide features that large or enterprise environments can benefit
from.

Optional features
User can choose optional features
Install of Mobile Print Server will install the system on the server
Install of Payment System will install the system on the server and new database is
created (default name is SQDB6_YPS)
Disabled spooling feature configuration is for deployment scenarios with CBPR clients only.
CBPR will work in both enabled and disabled mode.

Destination folder
Destination folder page lets user pick up place where the product will be installed.
At least 8.9 GB of space needs to be available.
The folder's path must consist of ASCII characters only and must not contain the following
characters: ~ ` ! @ # $ % ^ & * [ ] { } ? § ! = < >

Preinstallation check
Preinstallation check performs series test in order to verify if the server environment is
suitable for installation. Currently only basic tests are being performed:
Does the installer have Administrator rights?
Is this a server OS? (no Windows 7,8,10 etc)
Is .NET framework is available in sufficient version?
Database configuration

Database configuration lets user choose which database will Management server use
Usage of a bundled PostgreSQL database (which is located on the first node) is not
recommended for a Management Server cluster.
The option "Use external database for data warehouse" will deploy data warehouse database
(used for statistics) as a separate database. For more information about this option, please,
refer to First server installation with standalone data warehouse database.
Database user password
Single server deployment scenario is able to use external database (Microsoft SQL or
PostgreSQL) or embedded and preconfigured PostgreSQL database
User provides password that will be used for accessing the database under postgres user
account
It is possible to use a generated password that will contain a random set of letters, numbers
and some of these !?{}()^,./[]|~+* special characters.
Please note that only !?{}()^,./[]|~+* special characters are supported for database
connection.

Please note that in the case when the embedded PostgreSQL database is used in other
time zone than GMT the following workaround to the known limitation must be applied
after the installation finishes.
External Databases
For the description how to configure the connection to your external database server see
First server installation with an external Database.
Other properties
Global Unique IDentifier (GUID) for Management is required for site server deployment. The
GUID is later available in configuration file of management server or on management interface
of Administrator after successful installation.
Drop-down list all available IPv4 network interfaces
User can choose one network interface to which YSoft SafeQ services will bind

Summary
Installation summary where user can validate installation properties
After clicking install, installation will begin.

Installation progress
The installation's progress is shown in the form of a progress bar.
The user can monitor installation activities.
An explanatory error message is shown if the installation fails.
In some cases, a dialogue window with a prompt for restart is displayed. Kindly restart the
server after installation of the product, if you restart the server immediately then installation
could fail.
Should you experience an error message 0x00000709 or 0x800f0247 during the installation
please refer to the article Installing Security Certificates.

Finish
The user is informed that the new version was successfully installed and it is possible to exit
the installer safely.
Where to go next
System communication hardening
Configuring supported languages in Embedded Terminal
Configuring YSoft Universal Print Driver
Site Server Deployment
This deployment scenario is designed for situations where, for some reason, Management Server
is not located in the same region as Site Server. This could be due to the corporate server
landscape, multitenancy architecture, etc.
Mandatory subsystems: Spooler Controller, Workflow Processing System
Optional subsystems: Mobile Print Server, FlexiSpooler, YSoft Payment System with an external or
embedded database
Prerequisites

Please make sure there is no Windows Update in Pending Restart status before the
installation.
If the installation needs to turn on additional server roles, it might cause this pending restart
to execute without any prompt during installation.
The installer consists of several binary cabinets and one executable. The executable file needs
to be in the same folder as all of its cabinets.
Choosing the Language
text coming directly from the OS, which is dependent on the OS language. Typically, this
means the "Yes", "No", and "OK" buttons.
The number of languages depends on the localization scope for each installer.

The Welcome Page

License Agreement
The license agreement shows the standard YSoft EULA.
The user has to agree with the EULA content in order to continue.

Server environment
Select the Other servers option when installing a Site Server or Management Server cluster.
Deployment scenario

Select Site server to deploy print or scan related features.
This is an analogy with ORS in YSoft SafeQ5.
Optional Features
Select which optional features to install.
Spooling features – print jobs will be spooled directly on this server.
In case of installation with YSoft Payment System, the suffix "_YPS" will be added to the
database name.

Installation folder
Provide the path to the installation folder
The folder's path must consist of ASCII characters only
Each subsystem will be installed in its dedicated folder
The minimum required disk space is 2.5 GB.

Preinstallation Check
The preinstallation check performs a series test to verify if the server environment is suitable
for the installation. Currently, only basic tests are not performed, but the list will grow in the
future.
The installer process has administrator rights.
Server OS is intended for servers (not Windows 7,8,10, etc.).
.Net framework availability – If not found, the installer will deploy .Net framework 4.5.2
automatically.

Connecting to Management Server
Enter the connection parameters to Management Server or the Management Server cluster.
Site Server can be connected to up to four Management Server cluster nodes.
Database configuration

Connect Site Server to the database.
This configuration is required for the Payment features to work properly.
This configuration is required only when Payment features are selected.
Database user password
This Site Server deployment scenario uses an embedded and preconfigured PostgreSQL
database when Payment features are selected for installation.
The user provides a password that will be used for accessing the database under the
Postgres user account.
It is possible to use a generated password that contains a random set of letters, numbers,
and some of these !?{}()^,./[]|~+* special characters.
Please note that only the !?{}()^,./[]|~+* special characters are supported for database
connection.
External Databases
For the description how to configure the connection to your external database server see
First server installation with an external Database.

Configure other options
The Site Server instance is identified by an automatically generated GUID, however, you can
also provide GUID manually.
There is a dropdown list of all available IPv4 network interfaces.
The user can choose the one network interface to which the YSoft SafeQ services will bind.

The MobilePrint Mailbox
Setup the connection to the incoming mailbox.
This configuration is required for the Mobile Print feature to work properly.
Configuration is required only when Mobile Print features are selected.

Installation Summary
There is an installation summary where the user can validate the installation properties.
After clicking install, the installation begins.

The installation's progress is shown in the form of a progress bar.
The user can monitor installation activities.
An explanatory error message is shown if the installation fails.
In some cases, a dialogue window with a prompt for restart is displayed. Kindly restart the
server after installation of the product, if you restart the server immediately then installation
could fail.
Should you experience an error message 0x00000709 or 0x800f0247 during the installation
please refer to the article Installing Security Certificates.

Finish
The user is informed that the new version was successfully installed and it is possible to exit
the installer safely.
YSoft SafeQ in Public Cloud
This document describes how organizations are using YSoft SafeQ 6 in public cloud (Microsoft
Azure, Amazon Web Services) . It is important to note that in any of the scenarios below, users
enjoy the full functionality of YSoft SafeQ 6 , including Automated Scan Workflows or Mobile
Print capabilities . Users print from one print queue and Print Roaming ® – the ability to pull-print
from any printer in the environmen t – is fully available . In each of the four options described
below , YSoft SafeQ is deployed in public cloud utilizing hardware and software that is isolated for
the customer.
One of the differentiating benefits of YSoft SafeQ 6 is the ability to scale throughout a single
organization or to multiple locations. The ability to easily scale is significantly increased i n public
cloud, where resources can be created as needed.

Upstream Connection Initiation Principle
The Upstream Connection Initiation principle has been used to eliminate the requirements for
open ports on workstations, laptops, and even site servers. This principle dictates that any YSoft
SafeQ components from lower tiers always open and initiate network communication on the
Network/Transport Layer (TCP and UDP/IP) to the higher tiers (green arrows) and not vice versa
(red arrow). For more information refer to YSoft SafeQ 6 Architecture Overview Whitepaper.
Especially when deploying Terminal Embedded into individual MFDs, it is required that the
server (Upper Tier) can communicate to the MFD (Lower Tier) and can initiate the connection.
As a result, it is required that, for full YSoft SafeQ functionality, the connectivity between
Public Cloud and local network exists.
Partner Managed YSoft SafeQ as a Service
When YSoft SafeQ 6 is deployed partially in public cloud and partially on-premise or entirely in the
public cloud, the opportunity exists for partners to offer management of YSoft SafeQ 6 as a
managed service. This affords a new business model for the service provider: a partner managed
YSoft SafeQ service.
Workstation Print Queues
For most implementations, there are two major touch points, where users interact with the
system:
1. Submitting a print job, and
2. authenticating at a terminal and releasing the print job.
The former is arguably a lot more complex to decide, as not one option is flaw-less. There will
always be a trade off to consider, being it availability for ease of deployment, security for speed
or serviceability for diversity. In each of the scenarios below, any option is available. More, any
combination of print queues can be deployed, they are not mutually exclusive.
Pay attention to security of a solution. See YSoft SafeQ FlexiSpooler Security considerations

Cloud First - Lean
YSoft SafeQ 6 in the public cloud is i deal for small to medium-sized businesses , typically with a
single site location, whe n cost is the major factor . Depending on the the requirements, the entire
system can be operated from a single server. Bandwidth preserved by taking advantage of Client
Based Print Roaming. The full scope of the YSoft SafeQ functionality is available in this scenario.
While there is no application level clustering, failover or load balancing in this particular sample
architecture, public cloud providers typically have many safe guards available to ensure VM's
availability, and guarantee it in their SLAs.
Cloud First - Redundant
Larger organizations are typically concerned with high availability, redundancy/failover and the
ability to scale print services as the company grows. In much the same way that YSoft SafeQ 6
can scale on-premise, it can also scale on public cloud infrastructure. This is accomplished by
Active-Active application-level clustering of the Management Server tiers and/or Site Services
tiers. On the schematics below, both Site Services and Management Servers are fully redundant.
In this option, users can print using Client Based Print Roaming, server-based Print Roaming or
both, for pull-printing to any printer in the YSoft SafeQ environment. Scan, print, copy and fax job
metadata is collected for reporting and accounting purposes.
Full scope of YSoft SafeQ functionality is available in this scenario.

Hybrid Cloud
Some organizations may wish to utilize the cloud only for print job metadata collection and
reporting/accounting purposes, keeping authentication and, most importantly, print job data
onsite. In this hybrid option, the YSoft SafeQ Site Services tier is on-premise to handle the
processing of the print job. Scan and print job meta data is collected for reporting and accounting
purposes. Schematics below shows the YSoft SafeQ 6 architecture in this way. This option can
also cluster Management servers and/or Site Services as needed, giving options for growth.
Needless to add, that full scope of YSoft SafeQ functionality is available in this scenario.
If a connection to the cloud is lost, the local Site Services can go into offline mode where
authentication and printing can still be available.

Combination
The largest organizations usually require different approaches in different locations:
some locations taking advantage of highly redundant cloud environment with CBPR,
others printing to local Site Server cluster,
and lastly the smallest branches, where local infrastructure is not feasible and bandwidth is
limited.
All those needs can be met by a single YSoft SafeQ environment, the architecture can be
modified and expanded as the organization grows. Again, full scope of YSoft SafeQ functionality is
available in this scenario.

Private Cloud over Company Network
This document covers deployments of YSoft SafeQ in organizations with "downstream"

connectivity, with VPN (or other network-bridging technology).
Quick Links:
For deployments over public internet and without VPN (or other network-bridging
technology) see YSoft SafeQ in Private Cloud over Public Internet (work in progress,
contact Y Soft support for more information).
For integrations with public cloud platforms (Azure SQL, Azure AD, AWS S3, Google Cloud
Print, ...), regardless of VPN connectivity, see YSoft SafeQ with Public Cloud Providers.
This document describes how organizations are using YSoft SafeQ 6 in private cloud. The solution
can be deployed in multiple ways:

Fully on their own infrastructure, i. e. company managed data center,
or fully utilizing infrastructure of a public cloud provider (Microsoft Azure, Amazon Web
Services, Google Cloud or others),
or a combination, i.e. hybrid cloud,
or an edge device for server-light deployments, e.g. SafeQube .
It is important to note that in any of the scenarios below, users enjoy the full functionality of
YSoft SafeQ 6 , including Automated Scan Workflows or Mobile Print capabilities . Users print
from one print queue and Print Roaming ® – the ability to pull-print from any printer in the
environmen t – is fully available . In each of the four options described below , YSoft SafeQ is
deployed in public cloud utilizing hardware and software that is isolated for the customer.
Upstream Connection Initiation Principle
The Upstream Connection Initiation Principle has been used to eliminate the requirements for
open ports on workstations, laptops, and even site servers. This principle dictates that any YSoft
SafeQ components from lower tiers always open and initiate network communication on the
Network/Transport Layer (TCP and UDP/IP) to the higher tiers (green arrows) and not vice versa
(red arrow). For more information refer to YSoft SafeQ 6 Architecture Overview Whitepaper.

Especially when deploying Terminal Embedded into individual MFDs, it is required that the
server (Upper Tier) can communicate to the MFD (Lower Tier) and can initiate the connection.
As a result, it is required that, for full YSoft SafeQ functionality, the connectivity between
Public Cloud and local network exists.
Combining the Concepts - Scalable Architecture
YSoft SafeQ architecture elements can be seamlessly combined within a single environment.
Customers can then easily use a solution similar to this one, including locations printing over
public Internet see YSoft SafeQ in Private Cloud over Public Internet (work in progress, contact Y
Soft support for more information) :
See YSoft SafeQ 6 Architecture Overview whitepaper for more details.

Partner Managed YSoft SafeQ as a Service
When YSoft SafeQ 6 is deployed partially in public cloud and partially on-premise or entirely in the
public cloud, the opportunity exists for partners to offer management of YSoft SafeQ 6 as a
managed service. This affords a new business model for the service provider: a partner managed
YSoft SafeQ service.
Workstation Print Queues
For most implementations, there are two major touch points, where users interact with the
system:
1. Submitting a print job, and
2. authenticating at a terminal and releasing the print job.
The former is arguably a lot more complex to decide, as not one option is flaw-less. There will
always be a trade off to consider, being it availability for ease of deployment, security for speed
or serviceability for diversity. In each of the scenarios below, any option is available. More, any
combination of print queues can be deployed, they are not mutually exclusive.
Pay attention to security of a solution. See YSoft SafeQ FlexiSpooler Security considerations.
Cloud First - Lean
YSoft SafeQ 6 in the public cloud is i deal for small to medium-sized businesses , typically with a
single site location, whe n cost is the major factor . Depending on the the requirements, the entire
system can be operated from a single server. Bandwidth preserved by taking advantage of Client
Based Print Roaming. The full scope of the YSoft SafeQ functionality is available in this scenario.
While there is no application level clustering, failover or load balancing in this particular sample
architecture, public cloud providers typically have many safe guards available to ensure VM's
availability, and guarantee it in their SLAs.

Cloud First - Redundant
Larger organizations are typically concerned with high availability, redundancy/failover and the
ability to scale print services as the company grows. In much the same way that YSoft SafeQ 6
can scale on-premise, it can also scale on public cloud infrastructure. This is accomplished by
Active-Active application-level clustering of the Management Server tiers and/or Site Services
tiers. On the schematics below, both Site Services and Management Servers are fully redundant.
In this option, users can print using Client Based Print Roaming, server-based Print Roaming or
both, for pull-printing to any printer in the YSoft SafeQ environment. Scan, print, copy and fax job
metadata is collected for reporting and accounting purposes.
Full scope of YSoft SafeQ functionality is available in this scenario.

Hybrid Cloud
Some organizations may wish to utilize the cloud only for print job metadata collection and
reporting/accounting purposes, keeping authentication and, most importantly, print job data
onsite. In this hybrid option, the YSoft SafeQ Site Services tier is on-premise to handle the
processing of the print job. Scan and print job meta data is collected for reporting and accounting
purposes. Schematics below shows the YSoft SafeQ 6 architecture in this way. This option can
also cluster Management servers and/or Site Services as needed, giving options for growth.
Needless to add, that full scope of YSoft SafeQ functionality is available in this scenario.
If a connection to the cloud is lost, the local Site Services can go into offline mode where
authentication and printing can still be available.

Combination
The largest organizations usually require different approaches in different locations:
some locations taking advantage of highly redundant cloud environment with CBPR,
others printing to local Site Server cluster,
and lastly the smallest branches, where local infrastructure is not feasible and bandwidth is
limited.
All those needs can be met by a single YSoft SafeQ environment, the architecture can be
modified and expanded as the organization grows. Again, full scope of YSoft SafeQ functionality is
available in this scenario.

YSoft SafeQ with Public Cloud Providers
This document covers integrations with public cloud platforms (Azure SQL, Azure AD, AWS
S3, Google Cloud Print, ...), regardless of VPN connectivity.
Quick Links:
For deployments of YSoft SafeQ in organizations with "downstream" connectivity, with VPN
(or other network-bridging technology) see Private Cloud over Company Network.
For deployments over public internet and without VPN (or other network-bridging
technology) see YSoft SafeQ in Private Cloud over Public Internet (work in progress,
contact Y Soft support for more information).

YSoft SafeQ in Public Cloud - Google Cloud Platform
Leveraging Google Cloud Platform
Google Cloud Platform provides infrastructure as a service, platform as a service, and server-less
computing environments.
Printing
Users on all kinds of workstation platforms, including Chromebook's Chrome OS, can leverage any
of the options below available to them.
OPTION 1: Google Cloud Print Connector
YSoft SafeQ can fully integrate with Google Cloud Print service over users' G Suite account and
Cloud Identity.
Step 1: Submit a Print Job
With Google Cloud Print Connector extension, a new Cloud Printer is registered in the Google
Cloud Print service. Administrators can then share this Cloud Printer with appropriate users or
groups. Users can use this Cloud Printer for Print Roaming or direct printing using Chrome.
Step 2: Receive the Print Job by YSoft SafeQ
Google Cloud Print Connector extension will "download" the print job and store it in YSoft SafeQ,
making it available for release for the respective user.

Reference:
Y Soft documentation about Print Roaming
Partner Portal Extension Store is SWC-22: https://portal.ysoft.com/products/ysoft-safeq

/extensions-store
About Google Cloud Print - https://www.google.com/cloudprint/learn/
OPTION 2: Mobile Integration Gateway (MIG) with Internet Printing Protocol (IPP)
Step 1: Submit a Print Job
For Chrome OS refer to Google documentation explaining options to use native printing, Chrome
OS utilizes CUPS:
https://support.google.com/chrome/a/topic/9045842?hl=en&ref_topic=4386913
https://support.google.com/chrome/a/answer/9042367?hl=en&ref_topic=904656
Step 2: Receive the Print Job by YSoft SafeQ
In regards to YSoft SafeQ side, it can accept print jobs sent via IPP using several mechanisms:
Enable "Internet Printing" functionality on the server and let clients (workstations) use the
shared print queue over its HTTP(S) URL address. Refer to https://support.microsoft.com/en-us
/help/246855/managing-network-printing-in-a-windows-environment
Mobile Integration Gateway (MIG) can among other features also accept IPP print jobs. Refer to

Scanning
Scanning into Google Drive
YSoft SafeQ can be configured to deliver the scanned document into users' Google Drive
repository.
Reference:
Y Soft documentation - see Edit Workflow, section Scan toScript

Partner Portal Extension Store is SWC-47:
https://portal.ysoft.com/products/ysoft-safeq/extensions-store
About Google Drive - https://www.google.com/intl/en/drive/
Identity Management
Cloud Identity - User Directory for G Suite
YSoft SafeQ can periodically import users from Directory for G Suite into its internal database, to
establish Identity Management. The following can be replicated:
Users and their mapping to the below:
Cost centers
Roles (Groups)
Role members (Group members)
Card numbers (exported only with presence of the command line argument, see the picture
below)
Reference:
Y Soft documentation about Identity Management
Y Soft documentation about CLI User Replicator
Partner Portal Extension Store is SWC-48: https://portal.ysoft.com/products/ysoft-safeq

/extensions-store
About Google Cloud Identity - https://support.google.com/cloudidentity/answer/7319251
About G Suite Directory - https://support.google.com/a/topic/20016?hl=en&ref_topic=9197

Monitoring
For more details about YSoft SafeQ application monitoring, refer to a dedicated document YSoft
SafeQ Performance and Availability Monitoring Guidelines.
Scaling
YSoft SafeQ currently does not support automatic vertical nor horizontal scaling.
Best Practices
Always secure the YSoft SafeQ installation following System communication hardening
documentation.
More servers does not translate into more availability. Consult with Y Soft, when in doubt.
Print queues shared from servers prove to be less maintenance intensive (= less expensive),
compared to any components deployed on client workstations.
YSoft SafeQ in Public Cloud - Microsoft Azure

Leveraging Azure Platform
YSoft SafeQ is fully deployable in Microsoft Azure, to take advantage of the increased scalability,
availability and reliability.
Azure SQL
Leveraging cloud database as a service is available with YSoft SafeQ.
Please note that Azure SQL support is currently available under Early Access Program.
Azure Active Directory Domain Services
Azure Active Directory Domain Services, domain controller as a service, can be utilized for identity
management. LDAP(s) protocol is used for user metadata synchronization and user
authentication.
Azure Load Balancer
YSoft SafeQ can leverage load balancing and failover on several places in the architecture. Azure
Standard Load Balancer can be utilized.
Azure Standard Load Balancer is only limited to monitor one port for health probe. This limits
its capabilities for fault detection.
Power BI
Power BI integration is fully supported and available. For documentation how to implement and
use provided template, refer to Power BI connection manual.
Monitoring
For more details about YSoft SafeQ application monitoring, refer to a dedicated document YSoft
SafeQ Performance and Availability Monitoring Guidelines.
Scaling

YSoft SafeQ currently does not support automatic vertical nor horizontal scaling as implemented
in Azure. For Azure scaling, refer to Microsoft Documentation https://docs.microsoft.com/en-us
/azure/monitoring-and-diagnostics/monitoring-overview-autoscale
Docker on Azure
YSoft SafeQ currently cannot be containerized in Docker.

Best Practices
documentation.
Print queues shared from servers prove to be less maintenance intensive (= less expensive),
compared to any components deployed on client workstations.
Azure Example: Single Server Deployment
The following is a sample schematics of YSoft SafeQ in a single server deployment with or
without CBPR.
Note that some MFD user interfaces are browser-based. In that case, they are served from the
Site Services tier. Because of this fact, the upmost importance is to keep low latency to provide a
good user experience.
How to Deploy

Examples below are created for PowerShell, but you can get the same result using Azure
portal, or CLI.
Before you begin
1. Install the Azure PowerShell.
a. Install Az module into PowerShell
Install-Module -Name Az -AllowClobber
b. For more information refer to Microsoft Azure documentation: https://docs.microsoft.

com/en-us/powershell/azure/install-az-ps?view=azps-1.5.0
2. Login to Azure Portal.
a. Example of using PowerShell (replace "SubscriptionId" value with yours):
Import-Module Az
Connect-AzAccount -SubscriptionId "yyyy-yyyy-yyyy-yyyy"

com/en-us/powershell/azure/authenticate-azureps?view=azps-1.5.0
3. Create a Resource Group (or use an existing one) and place all components in this group.
a. Example of using PowerShell (change the name and the location as needed):
$resourceGroupName = "YSoftSafeQ"
$location = "eastus"
New-AzResourceGroup -Name $resourceGroupName -Location $location
Choose Azure location which is geographically close to the printers. This will
reduce the latency and provide a good user experience.
https://azure.microsoft.com/en-us/global-infrastructure/locations/
b. For more information refer to Microsoft Azure documentation:https://docs.microsoft.

com/en-us/powershell/module/az.resources/new-azresourcegroup?view=azps-1.5.0
4. Create Network Security Group (or use an existing one).
a. Example of using PowerShell:

a.
New-AzNetworkSecurityGroup -Name "YSoftSafeQnsg" -ResourceGroupName $resourceGroupN

ame -Location $location

com/en-us/powershell/module/az.network/new-aznetworksecuritygroup?view=azps-
1.5.0
5. Create Virtual Network with subnet (or use an existing one).
a. Example of using PowerShell:
$nsgName = "YSoftSafeQnsg"
$nsgPS = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroupName -Name $ns

gName
$subnet = New-AzVirtualNetworkSubnetConfig -Name "YSoftSafeQsubnet" -AddressPrefix
"10.0.2.0/24" -NetworkSecurityGroup $nsgPS
New-AzVirtualNetwork -Name "YSoftSafeQVNET" -ResourceGroupName $resourceGroupName -
Location $location -AddressPrefix "10.0.0.0/16" -Subnet $subnet
b. For more information refer to Microsoft Azure documentation:
https://docs.microsoft.com/en-us/powershell/module/az.network/new-
azvirtualnetworksubnetconfig?view=azps-1.5.0
https://docs.microsoft.com/en-us/powershell/module/az.network/new-
azvirtualnetwork?view=azps-1.5.0
6. (Optional) Upload the YSoft SafeQ installation package to a storage account (or
download it directly to VM).
a. This method lets you upload the installation package to only one location and attach
it to VMs as a network drive.
b. Refer to Microsoft Azure documentation: https://docs.microsoft.com/en-us/azure

/storage/common/storage-moving-data?toc=%2fazure%2fstorage%2ffiles%2ftoc.json
Prepare the Environment for YSoft SafeQ
1. Add rules to the Network Security Group
This guide disregards any firewall or proxy configuration. Make sure to also open those
communication paths, if required.
a. Make sure the communication is open - specific settings depend on required

functionality and MFD technology.

a.
Always confirm the ports needed, refer to Network Communication.
Please note that communication within the VNet is unrestricted by default (rules
AllowVnetInBound and AllowVnetOutBound are always present).
Also outbound communication to internet is unrestricted by default (rule
AllowInternetOutBound is always present).
We recommend to restrict communication further by overriding these default
rules.
b. Example of using PowerShell:
$source = "VirtualNetwork"
$destination = "VirtualNetwork"
$prioritySeed = 1000
$priorityIterator = 1
# SERVER INBOUND
$direction = "Inbound"
$ports =
@(
[pscustomobject]@{name="MGMT-smtp";port=25;protocol="Tcp";direction=$direction;
source=$source;destination=$destination;access="Allow"},
[pscustomobject]@{name="SMB-1";port=110;protocol="Tcp";direction=$direction;
[pscustomobject]@{name="MGMT-interface";port=443;protocol="Tcp";direction=$dire
ction;source=$source;destination=$destination;access="Allow"},
[pscustomobject]@{name="EUI-interface";port=9443;protocol="Tcp";direction=$dire
[pscustomobject]@{name="job-SQ5CLIENT";port=9100;protocol="Tcp";direction=$dire
[pscustomobject]@{name="job-LPR";port=515;protocol="Tcp";direction=$direction;
[pscustomobject]@{name="TS-TPR";port=4096;protocol="Tcp";direction=$direction;
[pscustomobject]@{name="TS-TE-1";port=5021;protocol="Tcp";direction=$direction;

[pscustomobject]@{name="SNMP";port=161;protocol="Udp";direction=$direction;
source=$source;destination=$destination;access="Allow"}
)
# SERVER OUTBOUND
$direction = "Outbound"
$ports +=
@(
[pscustomobject]@{name="MGMT-smtp";port=25;protocol="Tcp";direction=$direction;
[pscustomobject]@{name="LDAP1";port=389;protocol="Tcp";direction=$direction;
source=$source;destination=$destination;access="Allow"}
[pscustomobject]@{name="job-IPP-1";port=80;protocol="Tcp";direction=$direction;
[pscustomobject]@{name="job-IPP-2";port=631;protocol="Tcp";direction=$direction
;source=$source;destination=$destination;access="Allow"},
[pscustomobject]@{name="job-IPP-3";port=443;protocol="Tcp";direction=$direction
;source=$source;destination=$destination;access="Allow"},
[pscustomobject]@{name="job-RAW";port=9100;protocol="Tcp";direction=$direction;
[pscustomobject]@{name="job-LPR";port=515;protocol="Tcp";direction=$direction;
[pscustomobject]@{name="SNMP";port=161;protocol="Udp";direction=$direction;
[pscustomobject]@{name="TUL-discovery";port=64099;protocol="Udp";direction=$dir
ection;source=$source;destination=$destination;access="Allow"},
[pscustomobject]@{name="TPR-TS";port=4095;protocol="Tcp";direction=$direction;
[pscustomobject]@{name="TS-WS-SSL-1";port=50001;protocol="Tcp";direction=$direc
tion;source=$source;destination=$destination;access="Allow"},
[pscustomobject]@{name="TS-WS-SSL-2";port=50003;protocol="Tcp";direction=$direc
tion;source=$source;destination=$destination;access="Allow"},
[pscustomobject]@{name="TS-TE-10";port=7627;protocol="Tcp";direction=$direction
;source=$source;destination=$destination;access="Allow"}
)
# DEPLOY
$priority = $prioritySeed

$nsgPS = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGrou
pName
foreach($port in $ports)
{
$priority += $priorityIterator
$name = $port.port.ToString() + '-' + $port.name + '-' + $port.direction
$nsgPS | Add-AzNetworkSecurityRuleConfig -Name $name `
-Access $port.access -Protocol $port.protocol -Direction $port.direction -
Priority $priority `
-SourceAddressPrefix $port.source -SourcePortRange * `
-DestinationAddressPrefix $port.destination -DestinationPortRange $port.port
}
$nsgPS | Set-AzNetworkSecurityGroup
c. For more information refer to Microsoft Azure documentation: https://docs.microsoft.

com/en-us/powershell/module/az.network/add-aznetworksecurityruleconfig?view=azps-
1.5.0
2. Create Virtual Machine.
a. It is important to correctly size the VM. Refer to YSoft SafeQ sizing Hardware
Requirements.
i. For small installations or testing: Standard_D2_v3
ii. For production installations: Standard_D4_v3
b. Example of using PowerShell:
$vmName = "YSoftSafeQVM"
$subnet = "YSoftSafeQsubnet"
$VNETName = "YSoftSafeQVNET"
$VMsize = "Standard_D2_v3"
$admin = "sqadmin"
$pass = "ReallyReallyStrongPassword123-_~"
# NETWORK
$nsgPS = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroupName -Name $ns
gName
$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupName -Name $VNETName
$subnetPS = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
$nicName = $vmName + "-nic"
$nic = New-AzNetworkInterface -Name $nicName -ResourceGroupName $resourceGroupName
-Location $location -SubnetId $subnetPS.Id -NetworkSecurityGroupId $nsgPS.Id
# VM
$password = ConvertTo-SecureString $pass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($admin, $password)
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize $VMsize | `
Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | `
Set-AzVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer -
Skus 2016-Datacenter -Version latest | `
Add-AzVMNetworkInterface -Id $nic.Id

# DEPLOY
New-AzVM -ResourceGroupName $resourceGroupName -Location $location -VM $vmConfig
c. For more information refer to Microsoft Azure documentation:
https://docs.microsoft.com/en-us/powershell/module/az.compute/new-azvm?
view=azps-1.5.0
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-general
https://docs.microsoft.com/en-us/azure/virtual-machines/scripts/virtual-machines-
windows-powershell-sample-create-vm
Install YSoft SafeQ
Use Server Installer package and deploy First server scenario, enable Mobile Print Server
feature and select Embedded PostgreSQL 11 database. See standard documentation: First server
installation for details.
Configure YSoft SafeQ
Follow Standard documentation. Quick links:
Configuring Mobile Print Server
Mobile Integration Gateway administration
documentation.
Deploy Terminals, Connect Printers
Follow the standard YSoft SafeQ documentation for:
Embedded Terminals
External Terminals
Deploy Print Queues
Refer to YSoft SafeQ Workstation Queues Overview for design decision.
Related YSoft SafeQ documentation YSoft SafeQ as a printer at Windows and Mac and Linux
Deploy Monitoring
Refer to respective section on page YSoft SafeQ in Public Cloud - Microsoft Azure.

Unattended Installation
YSoft SafeQ6 uses a mainly GUI driven approach of deployment, however, unattended
installation is also supported for every deployment scenario.
No GUI is shown, the installation is started via a command line interface or equivalent tool.
Installation progress can be monitored from the log files.
Installation parameters are provided in the form of a property file.
The network interface needs to be a valid IPv4 address.
The installer consists of several binary cabinets and a SafeQ6.exe executable file. The
executable file needs to be in the same folder as all its cabinets.
Command Line Interface
Installation
Run the installer binary from any command-line-like tool with the following parameters:
SafeQ6.exe /S /CFG:installationProperties=@absoltute_path_to_your_configuration_file@
Please, make sure that the path to the configuration file (

absoltute_path_to_your_configuration_file parameter) contains only backslashes as a
directory separator. The installation will not work when forward slashes are used.
Example:
"C:/temp/config.conf" - WRONG
"C:\temp\config.conf" - CORRECT
Uninstallation
Run the uninstall binary located in the YSoft SafeQ6 installation folder with the /S parameter:
uninstall.exe /S
This will start unattended uninstallation.

The uninstallation progress is visible in SafeQ6-install.log.
Logging
The YSoft SafeQ6 server installer log file SafeQ6-install.log is created in the installation folder.
Installation of each subsystem is logged into its specific folder.
E.g., C:\SafeQ6\CML\sqinstall.log or C:\SafeQ6\SPOC\sc-install.log
When installation fails in its early stages (a mandatory installation parameter is missing, etc.), the
installation log can be found in the system TEMP folder.
Unattended Updating
The update scenario does not support altering any aspects of an already deployed and running
environment. Customer data and configuration remain as unchanged as possible.
Run the unattended update by executing the installer binary file from any command-line-like tool:
SafeQ6.exe /S
First Server Scenario
First server scenario facilitates the deployment of Management Server. Additional features like
Payment System, MobilePrint, or spooling of jobs can be selected. This scenario offers a selection
of three backend choices. Embedded PGSQL database or external PGSQL and MSSQL.
Please note that if the embedded PostgreSQL database is used in a time zone other than
GMT, the following workaround to the known limitation must be applied.
First Server Scenario – Example
#Mandatory parameters
deploymentScenario = FIRST_SERVER
targetDir = C:\SafeQ6
enableMobilePrint = true
enablePayment = true
enableSpooling = true
#you can choose from three database types, one has to be selected
#1
databaseLocation = EMBEDDED
databasePassword = postgres
#2
#databaseLocation = EXTERNAL
#databaseVendor = PGSQL
#databaseUser = postgres
#databasePassword = postgres
#databaseHost = 10.0.11.172

#databasePort = 5432
#3
#databaseVendor = MSSQL
#databaseUser = sa
#databasePassword = 111111
#MobilePrint specific setup

emailServer = 10.0.0.1
emailUser= test
emailPassword= test
emailPort = 995
emailProtocol = POP3
emailSecured = true
#Optional parameters
#databaseName = SQ6DB
#domainName = DOMAIN
#alwaysOnMssql = true
#managementServerGUID= Management1
#spocGUID= SPOC1
#networkInterface = 10.0.10.120
#installUPD = true
First Server Scenario Split Database – Example
deploymentScenario = FIRST_SERVER
#1
#2
#3
#databaseUser = sa
#databasePassword = 111111
#you can choose from three database mode, the default is Single Server Single Database
#a - Single Server Single Database
#b - Single Server Multi Database

#DWdatabaseName = SQ6DB_DWH
#c - Multi Server Multi Database
#DWdatabaseUser = postgres
#DWdatabasePassword = postgres
#DWdatabaseHost = 10.0.13.98
#DWdatabasePort = 5432
#DWdatabaseName = SQ6DB_DWH

emailUser= test
emailPassword= test
emailPort = 995
emailSecured = true
#managementServerGUID= Management1
#spocGUID= SPOC1
#installUPD = true
Site Server Scenario – Example
deploymentScenario = SITE_SERVER
#specify connection parameters to Management server(s) - up to 4 servers can be specified
#1
serverGUID1 = Management1
serverPORT1 = 6010
serverIP1 = 10.0.10.120
#2
#serverGUID2 = Management2
#serverPORT2 = 6010
#serverIP2 = 10.0.10.121
#3
#serverPORT3 = 6010
#serverIP3 = 10.0.10.122
#4
#serverPORT4 = 6010
#serverIP4 = 10.0.10.123

emailUser= test
emailPassword= test
emailPort = 995

emailSecured = true
#Payment specific setup

#1
#2
#3
#databaseUser = sa
#databasePassword = sa
#siteServerGUID= Site1
#installUPD = true
Add a Management Server Node to an Existing Cluster – Example
deploymentScenario = CLUSTER_NODE
nodeAddress = 10.0.10.120
enableMobilePrint = false
enableSpooling = false

#emailServer = 10.0.0.1
#emailUser= test
#emailPassword= test
#emailPort = 995
#emailProtocol = POP3
#emailSecured = true
#managementServerGUID = Management2
#spocGUID= SPOC2
#installUPD = true

Updating Using the Server Installer
Please follow Updating from MU/Build to Build for a detailed guide to the update procedure.
This page only contains a subset of the required steps!
This page describes how to update the YSoft SafeQ installation using the server installer. This
procedure is valid for First Server, Additional Management Server, and Site Server deployments.
The minimum free space required for the update is 8.8 GB.
General Information
The installer detects the previous installation and informs the user that an update instead of
a clean installation will be performed.
The update does not allow the changing of any system configurations, it updates the
environment as-is.
The update procedure can be summarized as several steps:
1. The installer stops all running services.
2. The new version is deployed.
3. A configuration that may contain user data is restored.
4. Services are started again.
Order of Update
1. Update Management Server or one of the Management Server cluster nodes first.
The first update updates the database, therefore, it is no longer expected to work with
the previous version of YSoft SafeQ Management Services.
2. Update the remaining Management Server cluster nodes one by one (i.e., start the update
of the second node after the update of the first node has finished).
Do not start Management Services manually before all nodes have finished updating.
3. Update Site Servers after the update of Management Server(s) is finished.
Preparation
Download the installation package

Download the server installer archive from the YSoft Partner Portal.
1. Use ysq-server-install.zip or YSoft-SafeQ-6-MUXX-Server-installer.zip for deployments

without an OCR engine.
2. Use ysq-server-ocr-install.zip or YSoft-SafeQ-6-MUXX-Server-installer-with-Advanced-

workflows.zip for deployments with an OCR engine.
Extract the archive
1. Extract the archive with the installer to your disk.
2. The installer consists of several binary cabinets and the SafeQ6.exe executable file. The
executable file needs to be in the same folder with all its cabi
Updating Using the Installer Wizard

Choose the language
text coming directly from the OS, which is dependent on the OS language. Typically the YES,
NO, and OK buttons.
The number of languages depend on the localization scope for each installer.
Welcome page

License agreement
The License Agreement shows the standard Y Soft EULA.
The user has to Agree with EULA content in order to continue.
Destination folder

The YSoft SafeQ 6 installation in the following directory will be updated.
The folder's path must consist of ASCII characters only.
At least 3.5 GB of available space is required.
Preinstallation check
The preinstallation check performs a series test in order to verify if the server environment is
suitable for the installation. Currently, only basic tests are not performed, but the list will grow
in the future.

The installer process has Administrator rights.
The Server OS is intended for servers (not Windows 7,8,10, etc.).
.Net Framework is available in a suitable version.
Update summary
The user is shown a summary where both the old and new version numbers are displayed.
Only assembly files will be changed, the user data and configuration remain unchanged.

The update continues in a similar manner as a clean installation.
The update's progress is shown in the form of a progress bar.
The user can monitor update activities.
An explanatory error message is shown if the update fails.
Installation finished

The user is informed that a new version of YSoft SafeQ was successfully installed and it is
possible to safely exit the installer.
Updating Using the Silent Installer
An unattended update does not support altering any aspects of the already deployed and running
environment. Customer data and the configuration remain as unchanged as possible.
Run the unattended update by executing the installer binary file from any command-line-like tool:
SafeQ6.exe /S
Individual installers
YSoft SafeQ Management Server Installation
YSoft Payment System deployment
Workflow Processing System deployment

Installation steps
1. Execute the installer.
2.
2. C l i c k Next and proceed to welcome screen.
3. Click I Agree to accept the license agreement. Clicking on Cancel will decline the license
agreement and stop the installation.
4.
4. After you accept the license agreement, the installer runs a pre-installation check. This
procedure checks several conditions and determines if the server meets all requirements
for YSoft SafeQ Mobile Integration Gateway installation.
If any of these conditions are not met, they will be displayed in either the Show warnings
or Show problems area. Installation can continue with warnings. If there are problems,
installation cannot continue. If any warnings or problems are indicated, review the warnings
and resolve the problems before proceeding with the installation.
Installer checks these conditions:
Version of Microsoft Windows
Administrator rights of the user installing YSoft SafeQ Mobile Integration Gateway
Version of .NET framework
5.
5. Select your destination folder for YSoft SafeQ Mobile Integration Gateway.
6. Fill the configuration form:
Spooler Controller network address: Address of the server where a YSoft SafeQ
Spooler Controller is located.
Spooler network address: IP address of YSoft SafeQ FlexiSpooler (FSP) installed in

server mode.
Spooler job delivery port: TCP port of the FSP used for job delivery. Default port value
is 5559.
IPP protocol port: Port on which the printer will be announced (pick a port which is
available and not used by other services)
Printer name: Name of the printer that will be visible on the devices which will be using
the YSoft SafeQ Mobile Integration Gateway.
Click Test Connection to test the connection with the YSoft SafeQ Spooler Controller. If
the Spooler Controller is not running or the connection could not be established, you should
not proceed to the next step and fix the connection problem first.

If the connection with Spooler Controller was successful, you can click Install.
7. During the installation will also be installed Apple's Bonjour.
If you have already installed Bonjour Print Services in the past, this step will be skipped.
8. After the installation, there should be one running service:
YSoft SafeQ Mobile Integration Gateway (status: Started)
If the service is not started, check <MIG_DIR>\ logs directory for any indication of
errors.
If the service will not start properly, check that you have insert right IP addresses and that
you have license for Mobile Print.
Bonjour Configuration
All information regarding the options specified in the configuration file below can be found in the
official Bonjour Printing Specification at https://developer.apple.com/bonjour/printing-specification.
This configuration is located in <MIG_DIR>\bin\services\MdnsService.xml
<?xml version="1.0" encoding="utf-8" ?>

<Service xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001
/XMLSchema">
<Name>YSoft SafeQ 6</Name>

<ServiceType>_ipps._tcp,_universal</ServiceType>
<Domain>local.</Domain>
<Port>8050</Port>
<AdminUrl>https://10.0.11.55:8050/Administration</AdminUrl>
<Air>username,password</Air>
<Kind>document</Kind>
<Note>YSoft SafeQ</Note>
<Pdl>application/pdf,image/jpeg,image/urf</Pdl>
<Product>(YSoft SafeQ 6)</Product>
<Rp>ipp/print</Rp>
<Color>T</Color>
<Duplex>T</Duplex>
<Fax>F</Fax>
<Scan>F</Scan>
<Punch>0</Punch>
<Staple>F</Staple>
<Bind>F</Bind>
<Collate>F</Collate>
<PaperMax>legal-A4</PaperMax>
<Tls>1.2</Tls>
<Urf>V1.4,W8,SRGB24,RS600,IS1-2-3-4-5-6-7,PQ1-2-3-4-5,OB1-2-3-4-5-6-7-8-9,CP1,DM1</Urf>
<Uuid>db0def0a-40e1-11e5-a151-feff819cdc9f</Uuid>
<Qtotal>1</Qtotal>
<Ty>YSoft SafeQ 6</Ty>
<TxtVers>1</TxtVers>
<SupportedPaperSizes>
<PaperSize>A4</PaperSize>
<PaperSize>Letter</PaperSize>
</SupportedPaperSizes>
<print_wfds>T</print_wfds>
<mopria-certified>1.3</mopria-certified>
<mig-version>6.0.13</mig-version>
</Service>
MIG configuration
Logging
Logs can have several level of detail. To change log level go to <MIG_DIR>\bin\NLog.config
There is an entry where you can change the minimal log level in attribute minlevel:
<logger name="*" minlevel="Info" writeTo="logfile" />
To log everything, set minlevel to Debug
To log errors and HTTP trafic, set minlevel to Info
To log only warnings and errors, set minlevel to Warning
To log only errors, set minlevel to Error
<?xml version="1.0" encoding="utf-8" ?>

<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd"

autoReload="true"
throwExceptions="false"
internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">
<targets>
<target name="logfile" xsi:type="File" fileName="../../logs/connector.log" archiveAboveSize=
"20971520" archiveNumbering="Date" archiveEvery="Day" archiveFileName="../../logs/connector.{#}.
log" concurrentWrites="false"
layout="${longdate} ${level:uppercase=true:padding=-5:fixedLength=true} ${threadid:
padding=-2}| ${callsite:padding=-70:fixedLength=true} | ${message}${onexception:${newline}
EXCEPTION\: ${exception:format=ToString}}"/>
<target name="console" xsi:type="ColoredConsole" />
</targets>
<rules>
<logger name="*" minlevel="Info" writeTo="logfile" />
<logger name="*" minlevel="Info" writeTo="console" />
</rules>
</nlog>
IP addresses and ports
To configure IP addresses and ports, go to <MIG_DIR>\bin\MigService.exe.config
In order to change YSoft SafeQ IP address, set value for "user-auth-ip" and "job-sender-ip".
To change the port used by MIG, set value for "ipp-port".
After changing the configuration, you have to restart YSoft SafeQ Mobile Integration Gateway
service.
Public user
To configure public user access you need to set value for "allow-public-user" to "T". If mobile client
supplies username via IPP protocol the supplied username will be used. If mobile client does not
supply username the "public-user-name" and "public-user-password" will be used to send job to
YSoft SafeQ. This option is convenient for print from Chromebooks. However, support for
Chromebooks is limited.
<add key="user-auth-ip" value="10.0.11.62" />

<add key="user-auth-port" value="5556" />
<add key="job-sender-ip" value="10.0.11.62" />
<add key="job-sender-port" value="5559" />
<add key="sos-license-ip" value="10.0.11.62" />
<add key="sos-license-port" value="5556" />
<add key="job-delivery-protocol" value="HTTPS" />
<add key="ipp-port" value="8050" />
<add key="allow-public-user" value="F" />
<add key="public-user-name" value="AirPrintPublic" />
<add key="public-user-password" value="AirPrintPublic" />
<add key="job-prefix" value="" />
<add key="pdf-validation" value="T" />
<add key="certificate-hash" value="" />
Change port after installation
To change port after installation
1.

1. Change the port value in <MIG_DIR>\bin\services\MdnsService.xml
<Port>8050</Port>
2. Change the port value in <MIG_DIR>\bin\MigService.exe.config as describe in MIG

configuration section on this page.
3. Restart the MigService.exe service
The firewall exception must be set for the new port number before MigService.exe is
restarted.
SSL Certificate
MIG use secure connection by default and use its own certificate. If you want to change server
certificate, you can use the administration web Mobile Integration Gateway administration, or
follow these steps:
1. Remove default certificate binding.
Execute following commands in console:
netsh
http
delete sslcert ipport=<IP>:<port>
Where IP is 0.0.0.0 or 1.1.1.1 and port is the port to which is certificate bound. If you are not
sure, you can list all the ssl certificates with following commands:
netsh
http
show sslcert
2. Import certificate to Windows
If you do not have your certificate already in Windows, you can import it following steps
here: http://windows.microsoft.com/en-us/windows/import-export-certificates-private-
keys#1TC=windows-7
3. Add SSL binding to port
Execute following command in console:
netsh
http
add sslcert ipport=0.0.0.0:<port> appid={214124cd-d05b-4309-9af9-9caa44b2b74a}
certhash=YOURCERTHASH

You can find value of certhash following these steps:
a. Open mmc.exe
b. Add snap-in Certificates and then check Computer account
c. Find your certificate and double click on it
d. Certificate hash is located in Detail page under Thumprint label
e. Remove spaces in certificate hash and past in instead of YOURCERTHASH
Troubleshooting
Installer
Log file of installer is located at the <MIG_DIR>\InstallationLog.txt.
For better identification of the issue, click Ignore on any error window that pop ups during
installation, it will keep the installation log intact. Clicking Cancel will cancel installation and
uninstall any installed files (including the log file).
If the YSoft SafeQ does not have valid license for Mobile Print, the YSoft SafeQ Mobile
Integration Gateway will refuse any print job and display information that the YSoft SafeQ has
no license. More information is in the logs located at <MIG_DIR>\logs\*.
Update from AP Connector (MU15 and earlier)
Update from AP Connector (MU15 and earlier) is not supported. Please uninstall AP Connector
before Mobile Integration Gateway installation.
If you uninstalled AP Connector and you still see related error (see picture below), try to restart
you computer.

If you are really sure that AP Connector is uninstalled, you can continue wit the installation.
Log files location
Log files of MIG are located at <MIG_DIR>\logs.

Limitations
In some cases, Bonjour logging too much errors into Windows application logs. In most cases,
it does not affect functionality of MIG.
When updating from one version to another, the default page size setting is lost and must be
set again via Mobile Integration Gateway web interface.
YSoft Payment System deployment
This page describes how to use the interactive installer to perform deployment of YSoft Payment
System.
New installation or update of YSoft Payment System
1. Run the installation file ysf-ps-install.exe on the target server.
2. Select a language of installation process.

3. Click Next and proceed through welcome screen.
5.

5. After you accept the license agreement, the installer runs a preinstallation check. This
for YSoft Payment System installation.
or Show problems area. Installation can continue with warnings. If there are problems,
installation cannot continue. If any warnings or problems are indicated, review the warnings
and resolve the problems before proceeding in installation.
Installer checks these conditions:
Version of Microsoft Windows
Administrator rights of the user installing YSoft Payment System
Existence of YSoft SafeQ installation
Existence of previous YSoft Payment System installation
Required ports must be open and free
Available disk space
6. Select your destination folder for YSoft Payment System installation.
It is not possible to change the destination folder during update from previous
installation. In this case, click on Next will immediately start installation process from
step 10.

7. Select database server type you want to use for YSoft Payment System.
8. Provide database connection details for YSoft Payment System.
Database server hostname IP address or hostname of server where database engine is

or IP address running (you can use for example YSoft SafeQ embedded
database).
TCP port Specify TCP port for database connection.
Use port 5433 for connecting to embedded PostgreSQL

database installed with YSoft SafeQ.
Named instance Instance used for connection to MSSQL database.

Username Database user name.
Password Database user's password.
Database name YSoft Payment System database name (e.g. YPSDB). The installer
will attempt to create a new database using the specified
credentials if a database of the given name does not exist.
Server requires SSL Check if database server requires SSL.

(PostgreSQL only)
Domain (MSSQL only) Database user's domain. Used in Windows Authentication. If

Windows Authentication is used, the YSoft Payment System
service logs on as a domain user.
If you want to use Windows Authentication later on, you

need to change the YSoft Payment System service's
Log On As user to a correct domain user, since the
service is by default installed to log on as Local System
Account.
Test connection Test your database connection.
PostgresSQL configuration
Microsoft SQL server configuration

9. Enter the hostname or IP address of YSoft Spooler Controler used for user management
of your YSoft SafeQ tenant. Click Install to start installation.
In former version of YSoft SafeQ 5 suite, the YSoft Payment System used to be
connected directly to YSoft SafeQ. In YSoft SafeQ 6 suite, you should always connect
YSoft Payment System to YSoft Spooler Controler.
Default IP address of YSoft Spooler Controller
When the IP address of YSoft Spooler Controller does not point to 127.0.0.1, the following
hint is shown.

10. The installer begins to copy required files. In case you wish to see detailed installation
progress, press Show details button (or D key).
11. Once installation is complete, click Finish. Proceed with Configuring Payment System.

Payment gateway plugin deployment
This page describes how to use the interactive installer to perform payment gateway plugins
installation, which are additional components for YSoft SafeQ Payment System. We use
installation of PayPal plugin as an example. DIBS plugin installation is very similar, main difference
is in its configuration (step 6).
Payment System supports two main plugin installers and many more can be ordered as an
extension. For more detail about connection of payment gateways to payment system, see YSoft
SafeQ Payment System Administration web interface.
New installation or update of payment gateway plugins for PayPal and DIBS
1. Run the installation file on the target computer. This usually means YSoft SafeQ Payment
System server, but in general payment gateway plugins can be installed on any server.
Plugin installers are named as following:
ysf-ps-paypal.exe for PayPal payment plugin
ysf-ps-dibs.exe for DIBS payment plugin
2. Select a language that will be used for the installation process.
3. It is recommended to close all other running applications in order to avoid any issues during
the installation. Click Next to proceed through welcome screen.

3.
5. Installer now runs a pre-installation check, to ensure YSoft SafeQ Payment System is
installed on the local computer. If any previous version of payment gateways plugin has
been installed on the local computer, this plugin will be updated.

6. Fill in required settings for connection to payment gateway according payment gateway
provider.
PayPal API Endpoint Use PayPal's service URL (usually https://api.paypal.com/).

URL
PayPal API Client ID Hashed username of your PayPal signature.

(hash)
PayPal API Secret Hashed password of your PayPal signature.

(hash)
DIBS Username Username of DIBS merchant's account.
DIBS Password Password of DIBS merchant's account.
DIBS MD5 Key 1 Merchant key for payments
DIBS MD5 Key 2 Merchant key for payments
DIBS Merchant ID ID of merchant's account
Allowed Cards Card, that will be accepted by the DIBS gateway. See link http://tech.
dibspayment.com/toolbox/paytypes for possible values
Information about PayPal signature should be available on your PayPal business account
profile. For more detail about obtention of PayPal signature, see Creation of PayPal API
signature.
PayPal credentials (=hashed values) can be found in https://developer.paypal.com

/developer/applications > REST API apps > click desired app > "Client ID" / "Client Secret".

Below are examples of PayPal and DIBS configuration.

7. The installer begins to copy all the required files into destination folder defined by the
location of the payment system on the local machine. In case you wish to see detailed
installation progress, press Show details button (or D key).
8. Once installation is complete, click Finish when you are ready to close the installation
wizard. Installation is now complete and you can continue by connecting payment system
to installed payment gateway plugin by following chapter YSoft SafeQ Payment System
Administration web interface.

Connecting YSoft SafeQ Payment System to payment gateway plugin
1. Login into YSoft SafeQ Payment System Administration web interface.
2. In menu Payment gateways click Create connection to plug-in and fill according to
description of attributes in YSoft SafeQ Payment System Administration web interface,
section Payment Gateways. Use related URL for PayPal or DIBS.
3. Save the connection by clicking on Connect button.
Creation of PayPal API signature
This page describes how to get API access for your business PayPal account.
1. Sign up for PayPal Business Account on PayPal home page (the process depends on your
region legislation).
2. Log into your PayPal Business Account.
3. Enter My Account tab and its Profile sub-tab. In the Profile sub-tab navigate to My selling
tools and in API access section, click Update.

4. In section Option 2, generate the certificate set by clicking Request API credentials.
5. Check Request API signature radio button and then click on Agree and Submit.

6. After you receive an email with your API signature, you can use it during installation of
PayPal gateway plugin to YSoft Payment System. For more detail see Payment gateway
plugin deployment.
Workflow Processing System deployment

YSoft SafeQ Workflow Processing System installer
To install YSoft SafeQ Workflow Processing System (Workflow Processing System), use the
Workflow Processing System installer. By default the installer installs YSoft SafeQ ORS in the c:
\SafeQ6\WPS folder.
For the correct system settings, see YSoft SafeQ Site Server pre-installation check list.
It is expected that YSoft SafeQ Workflow Processing System is installed on the same server
as Spooler Controller it is referring to.
YSoft SafeQ Workflow Processing System + YSoft SafeQ OCR installer
Installer installs YSoft SafeQ Workflow Processing System together with ABBYY FineReader
Engine. It installs YSoft SafeQ Workflow Processing System to the c:\SafeQ6\WPS folder and
OCR engine to the c:\SafeQ6\OCR-Engine folder.
The maximum number of CPU cores utilized by the ABBYY FineReader Engine on a single host
is controlled by the ocrPoolSize and ocrProcessesPerJob system settings.
Silent installation
Silent installation can be run by <installer-name>.exe /S [/D=<target-folder>].
Example

com.ysoft.safeq.wps.wps-installer-1.0.0.0-rc1.exe /S /D=C:\Program Files\Wps
The /D option should be the last parameter and can't contain quotation marks. Target folder is
the folder where YSoft SafeQ Workflow Processing System will be installed.
In case of YSoft SafeQ Workflow Processing System + YSoft SafeQ OCR installation OCR
engine is installed to the ABBYY-FineReader-Engine folder in YSoft SafeQ Workflow Processing
System parent folder (same folder level as YSoft SafeQ Workflow Processing System).
In case of YSoft SafeQ Workflow Processing System + YSoft SafeQ OCR installation ABBYY
FineReader Engine installer exit code is logged in WPS-install.log.
Upgrading YSoft SafeQ Workflow Processing System
When running new installer on computer where YSoft SafeQ Workflow Processing System is
already installed, installer ignores silent installation /D parameter and installs new YSoft SafeQ
Workflow Processing System version to the same directory as for previous installation.
YSoft SafeQ Workflow Processing System overwrites configuration files (e.g. chapter Logging
configuration) except for the WpsService.exe.config file.
Installer does not overwrite the previous local configuration file (WpsService.exe.config), if
present. In this case, the old and new application settings will be merged. All configuration items
in the new configuration file will be preserved, old items will be added if not found, and the old
values will override the default values if they differ.
YSoft SafeQ Workflow Processing System uninstallation
Run uninstallation from OS uninstallation dialog or run uninstall.exe from YSoft SafeQ Workflow
Processing System installation folder.
Silent uninstallation can be run with /S parameter
Silent uninstallation
C:\SafeQ6\Wps\uninstall.exe /S
Configuring YSoft SafeQ Workflow Processing System
Workflow Processing System is mainly configured using YSoft SafeQ management interface but
there are several configuration items provided by Wps.Service.exe.config in appSettings section.
name - Normally there is only one instance of YSoft SafeQ Workflow Processing System
running across Spooler Controller group. If several YSoft SafeQ Workflow Processing System
services are necessary, you must configure unique name for each one using this
configuration.

servicePort - port number used by YSoft SafeQ Workflow Processing System rest service
endpoint. Default value is 5600.
spoolerControllerEndpoint - Typically YSoft SafeQ Workflow Processing System service is

installed on the same machine as the spooler controller service. If YSoft SafeQ Workflow
Processing System is running on a different machine, configure spooler controller endpoint
address to the address of this machine. It should be a URI in the form of tcp://<address>:
<port>. If YSoft SafeQ Workflow Processing System runs on a different server, you have to
configure workflow storage in the YSoft SafeQ management interface.
parameterProhibitedCharacters - Configuration contains characters that can't be used in

scanned document file names. Such characters are replaced with character configured in
parameterProhibitedCharacterReplacement configuration. Default value is /\<>:"|?*~#%{}&.
parameterProhibitedCharacterReplacement - Character used for replacement of prohibited

characters configured by parameterProhibitedCharacters configuration. Default value is -.
exchangeTrace - In case of using MS Exchange connector there can be sometimes difficult to

identify problems to configure MS Exchange connection. Set this configuration to true to
switch exchange trace log on. All exchange tracing information will be placed to wps.log file.
validateMailServerCertificate - Controls server certificate validation for Email connector, set it

to false to disable the server certificate validation. Default value is true (the validation is
enabled).
checkMailServerCertificateRevocation - Enables or disables checking of revoked certificates

during communication with email server. Set this to true to enable the checking. Default value
is false (checking is disabled).
Security warning
Disabling certificate validation could allow an active network attacker to steal SMTP
credentials and scanned data. For this reason, keeping validateMailServerCertificate option on
true is highly recommended for production environments. For increased security, certificate
revocation checks can be enabled by checkMailServerCertificateRevocation property. Note
that reliable connection between the YSoft SafeQ Workflow Processing System instance and
revocation servers (of certificate authority for the mail server configured) is required in this
case.
Configuring scan storage
If you want to run YSoft SafeQ Workflow Processing System on a different server that SPOC, you
have to configure the workflow data store which is accessible by both YSoft SafeQ Workflow
Processing System and Terminal Server (Spooler Controller). You can do that via setting following
properties either in YSoft SafeQ management interface or in service local configuration (local
configuration takes precedence before remote configuration if set):

workflowStorageType - type of network storage, can be local or remote for a network shared
folder. Default: local
worfklowStorageRoot - path to scan data root folder, according to workflowStorageType

either relative path to YSoft SafeQ Workflow Processing System service or UNC path. Default:
C:\SafeQ6\SPOC\terminalserver\scan
workflowRemoteStorageUsername - username used to access remote scan storage.
workflowRemoteStoragePassword - encrypted password used to access remote scan

storage.
See Configuring Document Store for details.

Dropbox Business configuration
When using Dropbox Business, it is necessary to have access to the internet from the server
running the YSoft SafeQ Workflow Processing System. A proxy can be used in case a server
doesn't have direct access to the Internet. See Editing a Connector, section Dropbox Business
/Enterprise.
Logging configuration
YSoft SafeQ Workflow Processing System uses NLog platform for logging functionality. By default
the configuration is provided by standalone configuration file NLog.config. That file should be also
configured in Wps.Service.exe.config in nlog section using include statement. Logging is
configured to daily create new wps.config file in logs subfolder of YSoft SafeQ Workflow
Processing System installation folder. When specific logging should be set look at NLog wiki for
specification and examples.
Troubleshooting YSoft SafeQ Workflow Processing System installation
Error During Installation: "Installation of Visual C++ Redistributable failed"
YSoft SafeQ Workflow Processing System requires the "Visual C++ Redistributable for Visual
Studio 2015" package to be installed in order for "Highlighter Extraction" and "Highlighter
Redaction" processing steps to function correctly.
In case you see the following error during installation of the YSoft SafeQ Workflow Processing
System service: "Installation of Visual C++ Redistributable failed. Please consult YSoft SafeQ
Workflow Processing System installer documentation in the YSoft SafeQ 6 Administrative Guide":
1. Ensure the KB3118401 Windows Update (https://support.microsoft.com/en-us/kb/3118401) is

installed on your operating system
2. Re-install YSoft SafeQ Workflow Processing System using the YSoft SafeQ Workflow
Processing System installer
Alternative fix if the above fails:
1. Download and install the latest version of Visual C++ 2015 Redistributable Update 3 (
https://www.microsoft.com/en-us/download/details.aspx?id=53840, known to work with
version 14.0.24215.1).

2. Restart the server.
3. Re-install YSoft SafeQ Workflow Processing System using the YSoft SafeQ Workflow
Processing System installer.
Centralized YSoft SafeQ Workflow Processing System deployment
Advanced Workflows especially with OCR can be very resource intensive. There are benefits in
consolidating scanning in a central server or server farm.
Remember, YSoft SafeQ is licensed based on number of devices, amount of (Scan or any)
Servers has no influence on YSoft SafeQ license cost.
High latency between device and Scan Server negatively impacts user experience on the
terminal. Each action (tap) has high response time.
Server Roles
Management Stores and distributes system configuration including devices and terminals.
Server Replicates users from external sources. Provides a management interface for
administrators.
Site Server Serves as a caching Management Server proxy for other YSoft SafeQ server roles.
Controls devices, terminals and YSoft SafeQ Client applications in a part of the
system. Provides an end user interface (e.g. allows users to print via web upload).
Implements a server-based spooler (as opposed to a client-based spooler
implemented by the YSoft SafeQ Client).
Scan Server Enables document capture on device equipped with a YSoft SafeQ terminal,
processes scanned documents (including OCR) and delivers processed documents
to configured destinations. It contains YSoft SafeQ Workflow Processing service
only.
Scenario: Scanning to the Cloud
This scenario can optimize resource usage in distributed environments, especially when utilizing
centralized (commercial) cloud infrastructure:
The customer does not need to duplicate powerful hardware at branch offices. The resource-
intensive Scan Servers are deployed to a datacenter which already has powerful hardware.
While the Management Server requires fixed allocation of resources to guarantee timely
responses to real-time requests and does not benefit much from extra resources, Scan
Servers can benefit from dynamic allocation of extra resources for faster image processing.
All scan jobs are transferred to the data center, likely over WAN.

No third-party network load balancer is required. Each branch office uses one Scan Server.
Multiple branch offices can share a common Scan Server. See the Scanning Farm scenario below
when more Scan Servers are required to process scans from a single branch office.
The Site Server in the data center is used for Scan Server configuration and management.
Scenario: Scanning Farm
When expecting to run scanning with OCR on thousands of pages, scanning farm can be created.
Scan Servers can benefit from dynamic allocation of resources, to ensure that all the
performance is available when needed. This scenario requires a third-party load balancer.
All scan jobs are transferred to the data center, likely over WAN.
The Site Server in the data center is used for Scan Server configuration and management.

Component Communication Overview
The interface between Site Server and Scan Server is HTTP/S and it is designed as state-less.
Therefore any Scan Server can serve any requests.
Each Scan Server (or Scan Server farm) requires a Document Store. For this WebDAV or shared
folder (SMB) protocols are used, See Configuring Document Store for details about how the
communication flows.
How to Configure
For all scenarios, it is important to configure:
1. Location where the documents are being scanned into. See Configuring Document Store.
2. Point the Scan Server to a Site Server (in all scenarios there is one Site Server in the Data
Center dedicated for Scan Servers). Edit configuration file <SafeQ6>\WPS\WpsService.
exe.config:

2.
<add key="spoolerControllerEndpoint" value="tcp://SITE SERVER FQDN OR IP:5555" />
3. Point Terminal Server to the Scan Server. Edit configuration in file

<SAFEQ6>\SPOC\terminalserver\terminalserver.exe.config
<add key="wpsBaseAddress" value="http://SCAN SERVER FQDN OR IP:5600/" />
4. In case there are multiple YSoft SafeQ Workflow Processing Services (Scan Servers)
connected to a single YSoft SafeQ Spooler Controller (Site Server), you have to manually
set YSoft SafeQ Workflow Processing Service instance name to a unique value in
<SafeQ6>\WPS\WpsService.exe.config:
<add key="name" value="UNIQUE INSTANCE NAME" />
Load Balancer Intergation
Configure the load balancer to send requests coming HTTPS communication on port 5600 to the
pool of Scan Servers. Persistence per one request is 30 minutes.
Change configuration in file <SAFEQ6>\SPOC\terminalserver\terminalserver.exe.

config
<add key="wpsBaseAddress" value="http://LOAD BALANCER FQDN OR IP:5600/" />
Optimize Performance
In Management Interface, find and adjust the following parameters:
ocrProcessesPerJob - The maximum number of simultaneous OCR threads that can be used
to process a single job. Higher numbers speed up processing of large scan jobs. The maximum
supported value is 8. See also ocrPoolSize which controls the number of jobs that involve OCR
that can be processed in parallel. Note that the number of OCR threads actually used to
process a single job is further limited by the number of pages and the total number of CPU
cores in the system. Also note that the final document synthesis is done in a single thread
because it cannot be parallelized.
Example: ocrPoolSize = 2 and ocrProcessesPerJob = 2. At most two jobs are processed

simultaneously. More jobs will wait in a queue. Each job utilizes at most two CPU cores. In
total, OCR processing may utilize as many as 4 CPU cores. If the host has only 4 cores, other
applications running on the same host may not have enough resources.

ocrPoolSize - The maximum number of scan jobs that involve OCR that will be processed in
parallel by a single Workflow Processing System server (scan server). More jobs will wait in a
queue. See also ocrProcessesPerJob which controls the number of OCR threads that can be
used to process a single job. Together, these two options limit the number of CPU cores that
can be used for OCR processing.
Example, ocrPoolSize = 2 and ocrProcessesPerJob = 3 means that the system will process a
maximum of two jobs in parallel and will utilize as many as 6 CPU cores in total.
In summary:
If the customer produces a large number of small jobs, you should increase ocrPoolSize and
keep ocrProcessesPerJob low.
If the customer produces large jobs, you should keep ocrPoolSize low and increase
ocrProcessesPerJob.
Limitations
No offline mode: if connection to the Scan Server is not available, the scan application on
terminals cannot be displayed.
All scan jobs are considered equal as well as all Scan Servers. As an administrator, I cannot
have one server for large jobs (keep ocrPoolSize low and increase ocrProcessesPerJob) and
others for small jobs (increase ocrPoolSize and keep ocrProcessesPerJob low).
High latency between device and Scan Server negatively impacts user experience on the
terminal. Each action in the scanning application interface (each click) has high response time.
Configuring Document Store
Document Store is used as a data storage for scanned documents. Documents are stored from
MFD via Terminal Server and later retrieved by YSoft SafeQ Workflow Processing System for
processing and delivery. When YSoft SafeQ Workflow Processing System is running on another
computer a distributed repository visible to both Terminal Server and YSoft SafeQ Workflow
Processing System must be used instead of default local storage.
Configuration can be set on different levels:
YSoft SafeQ Management - is applied to the whole tenant, all subsystems are affected but it
has the lowest priority.

YSoft SafeQ Spooler Controller - overrides YSoft SafeQ Management configuration for one
branch, only subsystems connected to this YSoft SafeQ Spooler Controller are affected.
(Note: backslash character in spoc.conf acts as an escape sequence, if you would like to add
it, you need to double it)
YSoft SafeQ Workflow Processing System / YSoft SafeQ Terminal Server - overrides YSoft
SafeQ Management and YSoft SafeQ Spooler Controller configuration, only single subsystem
is affected, it has the highest priority.
Please note, that YSoft SafeQ Workflow Processing System and YSoft SafeQ Terminal Server
can be connected to only one document store. Different parts of YSoft SafeQ can use
different Document Stores, but keep in mind that YSoft SafeQ Workflow Processing System
which is used for processing by YSoft SafeQ Terminal Server must be configured to the same
location.
Using local folder
The default setting, use this configuration when YSoft SafeQ Workflow Processing System and
YSoft SafeQ Terminal Server are on the same computer. Data are stored locally into a temporary
folder, the default location is C:\SafeQ6\SPOC\terminalserver\scan, it is set in YSoft SafeQ Spooler
Controller configuration during the installation process.
Using shared folder (SMB)
Used when YSoft SafeQ Workflow Processing System and YSoft SafeQ Terminal Server are on
different (Microsoft Windows) computers.
It is not supported by SafeQube 2, use WebDAV server instead.
Settings on Management web UI
In the System settings, workflowStorageType, workflowStorageRoot,

update the
workflowRemoteStorageUsername, and workflowRemoteStoragePassword accordingly:
1. The workflowStorageType property has to be set to remote.
2. The workflowStorageRoot should be configured to \\server\shared_folder.
3. Insert the username and password for an account with read and write permissions into the
workflowRemoteStorageUsername and workflowRemoteStoragePassword properties.
Troubleshooting
"[\servefolder$] Failed to initialize Document Store" in Terminal Server log when setting it in YSoft SafeQ
Spooler Controller
Backslash character in spoc.conf acts as an escape sequence, so in order to make it working, you
have to double all backslash characters, e.g. change '\\server\folder' to '\\\\server\\folder'.
Using WebDAV server

Used when YSoft SafeQ Workflow Processing System and YSoft SafeQ Terminal Server are on
different (Microsoft Windows) computers. WebDAV server is not embedded into YSoft SafeQ, we
are using Microsoft IIS instead.
Installation of server roles for IIS 10.0
To configure WebDAV on older version of IIS please follow https://www.iis.net/learn/install

/installing-publishing-technologies/installing-and-configuring-webdav-on-iis#005. Procedure can
be slightly different on older versions.
1. Open Server Manager application via bottom control panel or icon on desktop
2. In Server Manager, install server roles by opening Manage menu and selecting Add Roles
and Features
3. Go through the wizard to Server Roles menu. On Server roles check Web Server (IIS) and
confirm Add feature. After that, left menu is expanded by Web server role.
In Role Services check:
1. a. Common HTTP Features > WebDAV Publishing.
b. Security > Basic authentication.
c. Click Next and finish installation.

Enabling webDAV and adding authoring rule
1. In Server Manager open IIS Manager by opening Tools menu and selecting IIS Manager. In
the Connections pane, expand the Sites node in the tree, then create a new site.
Right click on Site icon and then select Add Website.
a. Enter a name for the site and select the physical path.
b. Enter port (for example 8099)

With HTTP binding type, data including password are not encrypted. It is
recommended to use HTTPS binding. In this case, valid certificate issued by
certification authority has to be used.
If you want to use unsecure channel, you must set property webdavSsl to Disabled
2. As shown in the image below, double-click the WebDAV Authoring Rules feature.

3. Enable webDAV in right panel and also Add Authoring Rule.
4. Grant access to the user used for authentication.

4.
WebDAV users
Please note, that in this example we are granting access to a local user called 'webdav'.
You can use an already existing account or create a new one, e.g. using Computer
Management tool.
5. Select site again and enter Authentication settings and make sure that Basic
authentication is enabled.

WebDAV server validation
1.
1. In Sites find your created WebDAV site and choose Basic Settings... from them the right
hand side menu.
2. Choose Connect as... and fill in the user which exists on the machine and in YSoft SafeQ.
3. Click Test Settings... and check the errors (if any)

Settings on Management web UI
1. In the System settings, update the workflowStorageType, workflowStorageRoot,

workflowRemoteStorageUsername, and workflowRemoteStoragePassword accordingly:
a. The workflowStorageType property has to be set to webdav, OPTIONAL: If you setup
the WebDAV server on the same machine where Management service is installed
then the property has to be set to local .
b. The workflowStorageRoot should be configured to http://webdav_ip:webdav_port/ (e.

g. http://10.0.13.55:8099/).
c. Insert the username and password for an account with WebDAV permissions into the
workflowRemoteStorageUsername and workflowRemoteStoragePassword properties.
d. You can test WebDAV server access (http://webdav_ip:webdav_port/ with username
set in workflowRemoteStorageUsername option, password set in
workflowRemoteStoragePassword). You can use WinSCP or another tool you prefer.
e. Property scanServerType has to be set to webdav.
Optional settings
All those properties can be set on three different places.
1. In Management system where it is relevant to all subsystems but also has the lowest
priority.
2. In spoc.conf – it is applied on all subsystems on the Spooler Controller. If it is set, it

overwrite settings of Management
3. In YSoft SafeQ Workflow Processing System in WpsService.exe.conf or TS

TerminalServer.exe.conf. Applied only for one subsystem and overwrite all other values

Please, be aware that WebDAV instance cannot be shared across multiple YSoft SafeQ
installations . WebDAV might be used by different devices with the same ID and this could
lead to mixing unrelated scan jobs between installations because the ID is used to create
the hot folder.
Troubleshooting
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure
channel."
Please make sure that following is true:
the certificate subject matches the workflowStorageRoot address, i.e. subject is SERVER.
DOMAIN and address is http://SERVER.DOMAIN:8080/
the certificate is valid
the CA is trusted on the server with Workflow Processing System and Terminal Server
Install the YSoft SafeQ Management Server
This page describes how to use the interactive installer to perform a basic YSoft SafeQ
Management Server installation.
All nodes of the YSoft SafeQ Management Server cluster have to be in the same timezone
Usage of a bundled PostgreSQL database (which is located on the first node) is not
recommended for a Management Server cluster.
Standard installation
1. Obtain and run installation file management-installer.exe. Once you have the file and the
server is ready for installation, you can begin YSoft SafeQ Management Server installation.
In order to install YSoft SafeQ Management Server, this file is required. It contains
everything necessary for installing a fully functional YSoft SafeQ Management Server.
2. Select a language that will be used for the installation process.

2.
3. Close all other applications to avoid issues with updating the relevant system files.
4. The next screen displays full license terms and conditions, which you should read and
consider before moving forward. Click I Agree and install the product or Cancel to abort the
installation.
5. After you accept the license agreement, the installer runs a pre-installation check. This
for YSoft SafeQ Management Server installation.
or Show problems area, depending on their severity. If there are warnings, installation can
continue. If there are problems, installation cannot continue. If any warnings or problems
are indicated, review the warnings and resolve the problems, then continue.
The conditions the installer checks are:
Correct version of Windows
User installing YSoft SafeQ Management Server has administrator rights
All required ports are open and free

Enough available system memory
Presence of a previous version of YSoft SafeQ Management Server
6. You now have the option to select your own installation location. You can install YSoft
SafeQ Management Server anywhere other than a UNC path or the root folder of the drive.
7. The installer now displays YSoft SafeQ Management Server installation settings.
To use the default installation settings:

7.
Accept the default YSoft SafeQ Management Server installation folder, database engine,
and IP address. Please see the warning about using the embedded PostgreSQL in non
GMT time zone at the top of the page as this database engine is used as the default.
To use values other than the default ones:
Check I want to customize my YSoft SafeQ installation; then go to section

Customized installation or adding/replacing node for more information.
8. If you chose the default installation, the installer displays the account name and password
for the database. The password is automatically copied to the clipboard. Save this
password to a safe place so that you can either use it when you need it or change it if
you want.
Click OK.
9.
9. The installer begins to copy all the files required by YSoft SafeQ Management Server and
the database system you chose to the selected destination folder on the server. In case
you wish to see the detailed installation progress, press Show details button (or D key).
10. The last page of the wizard informs you about the results of the installation process and
gives you the option to display the YSoft SafeQ Management Interface.
Click Finish when you are ready to close the installation wizard.

Customized installation or adding/replacing node
1. If you wish to use values other than the default settings, check I want to customize my
YSoft SafeQ Management Server installation.
2. You can select which node you want to install.
If you want to install a single YSoft SafeQ Management Server installationor the first
node of a YSoft SafeQ Management Server cluster and continue by click Next.
For multiple YSoft SafeQ 6 installations on one MSSQL server, using one MSSQL
instance for each YSoft SafeQ 6 installation is required, as this will prevent overwriting
of database users and will keep both installation separated.
If you want to add a node to existing cluster, select Add or replace a node in an existing
YSoft SafeQ Management Server cluster, enter Cluster master node IP address, click
Retrieve node list. If a successful connection is established proceed by clicking Next. The
database will be shared among cluster nodes so next page is described in step 5.
Note that it is necessary to restart other cluster nodes after the successful installation
in order to refresh their cluster server list.

3. Choose the database that will be used by YSoft SafeQ Management Server:
Database type:
the default Embedded PostgreSQL 11
Use an existing external database server which you can choose if you already
have MS SQL or PostgreSQL database (check supported versions) with enough
capacity to hold the YSoft SafeQ Management Server database.
Database deployment scenario:
the default single database for production and the warehouse
separate database for production and the warehouse (on a single DBMS)
standalone database for the warehouse (on a separate DBMS)

4. Database setup
a. In the case of the Embedded PostgreSQL Server, you must specify a password for
the database user.
Passwords must be entered twice to avoid a problem with a potential typo.
You can use Generate password button to generate password for database user. On
button click, the password is generated and copied to the clipboard.
Please see the warning about using the embedded PostgreSQL database engine in
the non GMT time zone at the top of the page.

b. In case of External database you must specify information about the connection to
t h e d a t a b a s e .
c. In the case of Single database for the production and data warehouse, you must
enter the name for the YSoft SafeQ Management Server database.

c.
If the database does not exist, a popup will appear asking whether you want to
create it. To proceed to click Yes, the installer will create the database and you
will be able to proceed.
Database name should not contain special characters or white spaces.
Database name will be used as a base for IMS database name using this format:
<YSoft SafeQ Management Server database name>_IMS
d. In the case of Separate databases for the production and data warehouse (on a
single database-management system).
i. You must enter the name for the YSoft SafeQ Management Server production
d a t a b a s e .

Database name will be used as a base for IMS database name using this
format: <YSoft SafeQ Management Server database name>_IMS
ii. You must enter the name for the YSoft SafeQ Management Server data
warehouse database.

e. In the case of Standalone database for the data warehouse (on a separate database-
management systems).
i. You must specify production database connection information.
In case of standalone data warehouse deployment scenario, Database

server hostname / IP address should not be entered as local loopback
address (i.e. localhost or 127.0.0.1). If a local loopback address is entered,
the installer will automatically change the value to the IP address of the
YSoft SafeQ Management Service chosen in the previous step.
ii. You must specify data warehouse database connection information.

iii. You must also enter the names of the YSoft SafeQ Management Server
production and data warehouse databases.
5. If you are installing additional node you have to enter master node IP address and retrieve
node list information.
6. The last page of the wizard presents you with the following settings:

6.
Local GUID for currently installing Management server (node).
TCP port that the YSoft SafeQ Management Interface will use.
HTTPS TCP port for YSoft SafeQ Management Interface.
Start YSoft SafeQ services after the installation is finished: To start services after
installation, check the checkbox. To not start services, leave the checkbox empty.
Silent installation
The installer (downloaded file management-installer.exe) supports the installation of YSoft SafeQ
Management Server from command line interface or through script. Use one of the following
examples with appropriately filled in parameter values. Configuration options are divided by a
space.
Configuration options that meet the condition in the Required column have to be provided.
Example installation commands as if installed on a server with IP address 10.0.11.7 (should be ran
from cmd from location of the file management-installer.exe):
YSoft SafeQ Management with embedded PGSQL database system
management-installer.exe /S /CFG:usedLocalIp=10.0.11.7 /CFG:dbClass=PGSQL /CFG:

dbPassword=somePassword /CFG:embeddedDB /CFG:dbName=SQDB6 /D=C:\SafeQ6\Management
YSoft SafeQ Management with external PGSQL database system

dbPassword=postgres /CFG:dbUsername=postgres /CFG:dbHost=10.0.11.172 /CFG:dbPort=5432 /CFG:
dbName=SQDB6 /D=C:\SafeQ6\Management
Assumes installed PGSQL database system on server 10.0.11.172:5432 with existing user
postgres with password postgres. Please see the warning about using the embedded
PostgreSQL in non GMT time zone at the top of the page.
YSoft SafeQ Management with external MSSQL database system
management-installer.exe /S /CFG:usedLocalIp=10.0.11.7 /CFG:dbClass=MSSQL /CFG:dbPassword=sa

/CFG:dbUsername=sa /CFG:dbHost=10.0.11.172 /CFG:dbPort=1433 /D=C:\SafeQ6\Management
Assumes installed MSSQL database system on server 10.0.11.172:1433 with existing user sa
with password sa
YSoft SafeQ Management with MSSQL instance on an external databse system
management-installer.exe /S /CFG:usedLocalIp=10.0.11.7 /CFG:dbClass=MSSQL /CFG:dbPassword=sa

/CFG:dbUsername=sa /CFG:dbHost=10.0.11.172 /CFG:dbInstance=INSTANCE1 /D=C:\SafeQ6\Management
Assumes installed MSSQL database system on server 10.0.11.172 with existing instance
INSTANCE1 with existing user sa with password sa
YSoft SafeQ Management with external MSSQL database system and domain authentication
management-installer.exe /S /CFG:usedLocalIp=10.0.11.7 /CFG:dbClass=MSSQL /CFG:

dbPassword=Administrator /CFG:dbUsername=admin /CFG:dbHost=10.0.11.172 /CFG:dbPort=1433 /CFG:
dbDomain=EXAMPLE /CFG:alwaysOnMssql /D=C:\SafeQ6\Management
Assumes installed MSSQL database system on server 10.0.11.172 with existing domain
EXAMPLE with existing domain user Administrator with password admin
YSoft SafeQ Management as a second or further node in a cluster
management-installer.exe /S /CFG:usedLocalIp=10.0.11.7 /CFG:clusterMasterIP=10.0.11.107 /D=C:

\SafeQ6\Management

Assumes already installed YSoft SafeQ Management Server on server 10.0.11.107 and there
running service YSoft Bundled Etcd - database parameters will be shared with that YSoft
SafeQ Management Server
Warehouse
YSoft SafeQ Management with single database for production and the warehouse

dbUsername=postgres /CFG:dbPassword=somePassword /CFG:dbHost=10.0.13.151 /CFG:dbPort=5432 /CFG:
dbName=SQDB6 /D=C:\SafeQ6\Management
Assumes installed PGSQL database system on server 10.0.13.151:5432 with existing user
postgres with password somePassword. Please see the warning about using the embedded
PostgreSQL in non GMT time zone at the top of the page.
YSoft SafeQ Management with separate database for production and the warehouse (on a single
DBMS)
management-installer.exe /S /CFG:usedLocalIp=10.0.5.174 /CFG:dbClass=MSSQL /CFG:dbUsername=sa

/CFG:dbPassword=somePassword /CFG:dbHost=10.0.13.81 /CFG:dbPort=1433 /CFG:dbName=SQDB6 /CFG:
DWdbName=SQDB6_DWH /D=C:\SafeQ6\Management
Assumes installed MSSQL database system with existing user sa with password
somePassword with production database (SQDB6) and warehouse database (SQDB6_DWH)
on the same server 10.0.13.81:1433
YSoft SafeQ Management with standalone database for the warehouse (on a separate DBMS)

dbUsername=postgres /CFG:dbPassword=somePassword /CFG:dbHost=10.0.13.151 /CFG:dbPort=5432 /CFG:
dbName=SQDB6 /CFG:DWdbUsername=postgres /CFG:DWdbPassword=someDwPassword /CFG:DWdbHost=10.0.13.9
8 /CFG:DWdbName=SQDB6_DWH /D=C:\SafeQ6\Management
Assumes installed PGSQL database system:
Production database on server 10.0.13.151:5432 with existing user postgres with password
somePassword.
Warehouse database on server 10.0.13.98:5432 with existing user postgres with pasword
someDwPassword.
Please see the warning about using the embedded PostgreSQL in non GMT time zone at the
top of the page.

Configuration Parameters
Name Value Description Example Required
/S has no value Silent flag - signifies always

that the installation
should run silently - if
not provided the
installer graphic user
interface will appear
/CFG: IPv4 address Local IP address of the If you are actually always
usedLoc actual server on which installing YSoft SafeQ
alIp= Do not use lo you are installing the Management Server on
calhost or 12 YSoft SafeQ a computer with IP
Management Server as address (in the network
7.0.0.1 it has
is represented in the you want to use)
to be local IP
network you want to 10.0.11.7 then fill in
address as it
use for communication 10.0.11.7
can be seen with other YSoft SafeQ
from other products do not use localho
servers in
st or 127.0.0.1
the
preferred /CFG:usedLocalIp=10.
network 0.11.7
/CFG: IPv4 address IP address of another If you previously only for

clusterM cluster node which is installed and let running installation of a
asterIP= already installed and YSoft SafeQ second or further
has running service Management Server on node in a cluster
YSoft Bundled Etcd a computer with IP
address (in the network
I want to use)
10.0.11.107 then I need
to fill in 10.0.11.107
/CFG:clusterMasterIP=10.
0.11.107
/CFG: PGSQL or MSSQL For external or /CFG:dbClass=PGSQL only for non-

dbClass embedded Postgres or cluster installation
= database system /CFG:dbClass=MSSQL or for the first
provide PGSQL, for node in cluster
external Microsoft SQL
Server provide MSSQL.
Please see the warning

about using the

embedded PostgreSQL
in non GMT time zone
at the top of the page.
/CFG: recommended at Password for an /CFG: only for non-

dbPass least 7 characters existing user in the dbPassword=s10o9m8e cluster installation
word= long, with external database 7P6a5s4s3w2o1r0d or for the first
combination of system or for non- node in cluster
letters, capital existing user in the to
letters and be installed embedded
numbers, can't PGSQL.
contain these
characters: ;$"<>:
@%&\'
/CFG: has no value Flag which signifies that /CFG:embeddedDB only for
embedd embedded database installation of
edDB should be installed, only embedded PGSQL
PGSQL is supported. for non-cluster
Please see the warning installation or for
about using the the first node in
embedded PostgreSQL cluster
in non GMT time zone
at the top of the page.
/CFG: not empty - /CFG: Database system /CFG: NO, if defaults are
dbUsern dbDomain= username with dbUsername=postgres valid for your
ame= without specifying database owner rights external database
value is invalid for the given database system
default for PGSQL (non-existing database
is postgres will be created by the
default for MSSQL installer with this user)
is sa
not overwritable
default for
embedded PGSQL
is postgres
not empty - /CFG: IP address of a server /CFG:dbHost=10.0.11.217 only with external

/CFG: dbHost= without with external database database of non-
dbHost=
specifying value is system cluster installation
invalid or installation of
the first node in
cluster
numeric value /CFG:dbPort=5432

/CFG: default for PGSQL External database only with external

dbPort= is 5432 system port database of non-
default for MSSQL cluster installation
is 1433 or installation of
the first node in
cluster
/CFG: not empty - /CFG: MSSQL database /CFG: only for non-
dbInstan dbInstance= system instance name dbInstance=INSTANCE1 cluster installation
ce= without specifying or installation of
value is invalid the first node in
cluster with
external MSSQL
database with
existing named
instance
/CFG: not empty - /CFG: Domain for domain user /CFG:dbDomain= only for non-
dbDomai dbDomain= authentication in cluster installation
n= without specifying MSSQL database EXAMPLE or installation of
value is invalid system the first node in
cluster with
external MSSQL
with domain user
authentication
/CFG: has no value Flag which tells the /CFG:alwaysOnMssql only for domain
alwaysO installer to turn on authentication
nMssql Always On Availability
Group support
/CFG: the name can't Name of database to be You may provide this NO
dbName contain a space or used by YSoft SafeQ configuration option and
= any character Management Server for thus override default
from these: ~`! production database, it which is SQDB6
@#$$%^&*\|/()[]{}? will be created if it /CFG:dbName=SQDB6
§!= doesn't exist. This name
will be used as a base
for IMS database name
in format: <YSoft SafeQ
Management Server
database name>_IMS
/D= location on an Location where YSoft NO

existing disc with SafeQ Management
enough space on Server should be
(recommended is installed

to have space You may provide this

from 2 GB for configuration option and
YSoft SafeQ thus override default
Management which is C:
Server alone and \SafeQ6\Management
way more for /D=C:
installation with \SafeQ6\Management
embedded PGSQL)
Must be provided
as the last
parameter
otherwise
parameters
provided behind it
could be ignored.
/CFG: numeric value of Http port on which You may provide this NO
httpPort not already used YSoft SafeQ configuration option and
= port Management Server thus override default
web should run which is 80
/CFG:httpPort=80
/CFG: numeric value of Https port on which You may provide this NO
httpsPor not already used YSoft SafeQ configuration option and
t= port Management Server thus override default
web should run which is 443
/CFG:httpsPort=443
/CFG: not empty - /CFG: GUID by which this You may provide this NO
localGUI localGUID= without YSoft SafeQ configuration option
D= specifying value is Management Server will otherwise it will be
invalid identify itself generated
automatically, you will
find the generated
value in YSoft SafeQ
Management Server
web
/CFG:
localGUID=shrdqjjvnlsaq
/CFG: has no value /CFG:noStartSvcs NO

noStart
Svcs

Flag which tells the

installer to NOT start
services after
successful installation,
if not provided the
services will be started
/CFG: has no value Flag which tells the You may provide this NO
disableR installer to not rollback flag though it is not
ollback after FAILED installation, recommended
this allows for finding a /CFG:disableRollback
cause of the failure
more easily
/CFG: /CFG: Database system /CFG: NO

DWdbUs DWdbDomain= username with DWdbUsername=postgre Required for
erName without specifying database owner rights s standalone
= value is invalid for the given warehouse
warehouse database database
(non-existing database installation.
will be created by the
installer with this user)
/CFG: recommended at Password for an /CFG: NO

DWdbPa least 7 characters existing user in the DWdbPassword=a10l9e8 Required for
ssword= long, with external warehouse n7P6a5s4k3u2r1l0o standalone
combination of database system or for warehouse
letters, capital non-existing user in the database
letters and to be installed installation.
numbers, can't embedded PGSQL.
contain these
characters: ;$"<>:
@%&\'
/CFG: numeric value External warehouse /CFG:DWdbPort=5432 NO

DWdbPo database system port
rt=
/CFG: /CFG: MSSQL database /CFG: NO

DWdbIns DWdbInstance= system instance name DWdbInstance=INSTANC
tance= without specifying for warehouse E2
value is invalid database
/CFG: /CFG:DWdbHost= IP address of a server /CFG:DWdbHost=10. NO

DWdbHo without specifying with external 0.13.169
st= value is invalid warehouse database
system

Required for
standalone
warehouse
database
installation.
/CFG: the name can't Name of database to be /CFG: NO

DWdbNa contain a space or used by YSoft SafeQ DWdbName=SQDB6_DW Required for
me= any character Management Server for H deployments with
from these: ~`! warehouse database , it separate
@#$$%^&*\|/()[]{}? will be created if it warehouse
§!= doesn't exist. database.
/CFG: /CFG: Domain for domain user /CFG: NO

DWdbDo DWdbDomain= authentication in DWdbDomain=EXAMPLE
main= without specifying MSSQL warehouse
value is invalid database system
/CFG: true/false PostgresSQL will be /CFG:enableSSL=true NO

enableS installed using the
SL= secured connection to
database.
Troubleshooting the installation process
If an error occurred during the installation process, please check the following log files that were
created during the process. All the installation log files are located in the YSoft SafeQ
Management Server installation folder.
pginstall.log - contains information about PostgreSQL installation (if you selected PostgreSQL
as the database to install).
cml-install.log - contains information about the entire YSoft SafeQ Management Server
installation process.
If the installer has failed before the installation began check cml-install.log located in
AppData\local\Temp\1\ folder of the currently logged user account.
Installing YSoft SafeQ Management Server on external MSSQL using domain users
This page describes the installation of YSoft SafeQ Management Server on Microsoft SQL Server
database with a usage of domain users for authentication to the database engine.
Prerequisites
MSSQL server requirements met (YSoft SafeQ server requirements)
Workstation, where YSoft SafeQ Management Server will be installed is registered in domain
Domain user that will be used to connect to the database must:

have local admin rights (and the Log on as a service Right)
be used for running the installer
be specified as db_owner during the specific database creation process
Microsoft SQL database engine is installed
YSoft SafeQ Management Server installer is available
Installation of YSoft SafeQ Management Server using domain users

Configure SQL Server and create domain user
1. Connect to the database server using a user account with sufficient privileges
You must be logged in into the Windows Server with a different user than the one
which will be used for communication between YSoft SafeQ installer and the databases.
But the user must be from the same domain.
Example:
if domain user doe from domain EXAMPLE will be used for communication between
YSoft SafeQ installer and databases, then you must connect to the Windows Server
as a different user from domain EXAMPLE
do not use System Administrator (user sa) as it is not part of any Windows domain
2. Open SQL Server Management Studio and connect to the Database Engine.
3. Right-click database server and select Properties.
4. Switch to the Advanced tab and enable Containment mode.

5. Confirm the changes by click on OK button.
6. Under database server, expand Security, right-click Logins and select New Login...
7. Add domain user, who will be used for communication between YSoft SafeQ installer and
database. Enter Login name in following format 'domain\username' and select Windows
authentication as the authentication method.

8. Confirm user creation by clicking OK button.
Create YSoft SafeQ database and configure access rights
2. Right-click Databases and select New database.... Choose the name (for example SQDB6)
for the database, switch to the Options tab and select partial Containment type.

3. Confirm database creation by clicking OK button.
4. Expand Databases, find the newly created database, under the database expand Security,
right-click Users and select New user...
5. Configure access right to the YSoft SafeQ database for the domain user. On the General
tab, change User type to "Windows user", fill the Username and Login name with the user
created in the previous section.

6. On the Membership tab, select db_owner.

7. Confirm user creation by clicking OK button.
Create YSoft SafeQ data warehouse database and configure access rights
This section applies only in case you plan to use external database for data warehouse.
Repeat the steps from the Create YSoft SafeQ database and configure access rights section
(previous section) and use the same user as for the main database but choose different name for
the warehouse database (for example SQDB6_DWH).
Create Infrastructure Management database and configure access rights
2. Right-click Databases and select New database.... Use the same name as for the
Management Server database, but add the _IMS suffix. name (for example SQDB6_IMS for
SQDB6). Confirm database creation by clicking OK button.

3. Expand (server lever) Security, expand Logins, right-click the domain user (created in the
previous section) and click Properties.
4. Select User Mapping, check Infrastructure Management database and add the db_owner
role. Confirm the changes by clicking OK button.

Install YSoft SafeQ Management Server
1. Log in to the server where Management Server shall be installed using the same domain
user which is used for communication between YSoft SafeQ installer and databases
(domain user doe is used in this example)
2. Run YSoft SafeQ Management Server installer under the domain user which is used for
communication between YSoft SafeQ installer and databases. Alternatively, you can run
Server installer under the domain user. On installation settings screen check I want to
customize my YSoft SafeQ Management Server installation and click Next.

3. Select Use and existing external MSSQL database server in the database type selection
step.
4.
4. Check Use Windows Authentication (instead of SQL) checkbox and fill in Domain textbox.
Fill in connection details for user. Use users and password registered in SQL Server.
Username and domain are case-sensitive. It must match the SQL Server login.
Always On Availability Group Server checkbox is also automatically checked because

database is deployed in contained mode.
5.
5. Enter the YSoft SafeQ database name. When using the domain authentication, the
database must exist and be properly configured according to this manual.
6. Continue to further steps and start installation of Management Server
When using external database for data warehouse on the same server
After YSoft SafeQ Management Server installation finishes, open SQL Server Management Studio
and connect to the Database Engine as System Administrator (user sa) and run the following
queries:
ALTER DATABASE [SQDB6_DWH] SET CONTAINMENT = PARTIAL WITH NO_WAIT;

ALTER DATABASE [SQDB6_DWH] SET TRUSTWORTHY ON;
Do not forget to change the database name in the queries above. The queries have the
default data warehouse database name in them (i.e. SQDB6_DWH), change it to the correct
YSoft SafeQ data warehouse database name you have chosen for your deployment.
Troubleshooting
Management server is not working, there are "Invalid object name" errors in the log files
Domain user used to connect to the database cannot have sysadmin rights and cannot be the
owner of the Management Server (SQDB6) database. Check effective rights of the domain user. It
may inherit sysadmin rights from assigned groups. Check the database properties and verify that
the Owner is not set to the used domain user.

You should check domain user effective rights by database query: "SELECT user_name()". If the
result will be domain name of the user and not "dbo", current effective rights are configured well.
Usually you need to remove "sysadmin" role from "NT AUTHORITY\Authenticated Users" group.
Management server is not working, there is a "Could not obtain information about Windows NT group/user"
error in the log file
Make sure that the there is a correct database owner for both main database (e.g. SQDB6) and
data warehouse database (in case an external database for data warehouse is used, e.g.
SQDB6_DWH). It must be a domain user from the same domain as the domain user used to
connect to the database from YSoft SafeQ, but the user itself must be different (see warning at
the beginning of the Configure SQL Server and create domain user section).
To check the owner of a database
2. Expand Databases, find the database you want to check, right-click the database and
select Properties
3. Switch to Files tab
4. Check the Owner filed

Reports in Management interface are not working and there is a "The server principal is not able to access
the database" error in the log file
Make sure you have run the queries mentioned in section "When using external database for
data warehouse on the same server" after the Management service installation finished.
An example error message looks like this:
The server principal "S-1-9-3-3170424900-1339531482-4223392158-

4021304381" is not able to access the database "SQDB6" under the current
security context.
Installation freezes during starting services
Domain user does not have the Log on as a service right. Open Local Security Policy editor,
double-click Local Policies, User Rights Assignment, select Log on as a service and add the
domain user.
ALTER USER or CREATE USER errors during installation or tenant creation
Check if the YSoft Safeq database (e.g. SQDB6) and the database server have enabled the
Contained mode. Check if the Always On Availability Group Server was enabled during
installation.
Installing YSoft SafeQ Management Server on MSSQL AlwaysOn Availability group
Preconditions
1. Correctly configured Windows Failover Cluster with installed MSSQL 2012, MSSQL 2016 or
MSSQL 2017 enterprise edition (on both nodes of cluster)
Tip: you can follow f.e. following guide: [1] https://blogs.technet.microsoft.com/canitpro/2013

/08/19/step-by-step-creating-a-sql-server-2012-alwayson-availability-group/

2. Enabled SQL Server 2012/2016/2017 AlwaysOn Availability Groups feature.
3. Enabled Contained Databases
Installation steps
Using Server installer package
Use this package if you want to deploy more roles on this server (Management Server, Spool
Server, Scan Server, Mobile Print Server)
1. Run Server installer package on any server
2. On the Server environment screen select the First server installation scenario
3. On the Database configuration screen select the External Microsoft SQL database server
option
4. Fill all required fields in the Microsoft SQL database screen:
a. As database connection string set the IP/hostname of the master node of your
MSSQL cluster (Windows Failover Cluster)
b. and check the Always On Availability Group Server checkbox
5. Proceed until installation is finished
Using Management Server subsystem installer
Use this installer if you want to deploy only Management Server role.

1. Run YSoft SafeQ Management Server installation on any server
2. Continue in installation process until YSoft SafeQ Management Server installation settings
screen and select the I want to customize my YSoft SafeQ installation checkbox
3. On the Installation mode screen select the Install a new YSoft SafeQ Management server
(or the first node of a new YSoft SafeQ Management Server cluster) option
4. Select the Use an existing external MSSQL database server option
5. Fill all required fields to the MSSQL database connection:
a. As database connection string set the IP/hostname of the master node of your
MSSQL cluster (Windows Failover Cluster)
b. and check the Always On Availability Group Server checkbox
6. Proceed until installation is finished
When using external database for data warehouse on the same server

After YSoft SafeQ Management Server installation finishes, open SQL Server Management Studio
and connect to the Database Engine as System Administrator (user sa) and run the following
queries:
ALTER DATABASE [SQDB6_DWH] SET CONTAINMENT = PARTIAL WITH NO_WAIT;

ALTER DATABASE [SQDB6_DWH] SET TRUSTWORTHY ON;
Do not forget to change the database name in the queries above. The queries have the
default data warehouse database name in them (i.e. SQDB6_DWH), change it to the correct
YSoft SafeQ data warehouse database name you have chosen for your deployment.
After installation
One of the possible solutions for correct environment setup is the following guide:
Create AlwaysOn High Availability group
1. Navigate to Microsoft SQL Server Management Studio, where the databases are created (
SQDB6 and SQDB6_IMS, optionally also SQDB6_YPS - if you are using YSoft Payment
System)
2. Set Recovery model of both SQDB6 and SQDB6_IMS databases to Full (SQDB6_YPS is
configured this way by default)
3. Perform Full Backup of all SQDB6* databases
4. Navigate to AlwaysOn High Availability > Availability Groups > New Availability Group
wizard...
5. In the Specify Availability Group Name page enter the name of the Availability group
6. Next select all SQDB6* databases
7. In the Specify Replicas page > Replicas tab, click the Add Replicas button and connect to
the second SQL Server that you joined as nodes in your Windows Server Failover Cluster
and configure following [1]:

7.
Automatic Failover: Checked
Synchronous Commit: Checked
Readable Secondary: No
8. In the Endpoints tab verify that the port number is 5022
9. In the Listener tab, select Create an availability group listener option and enter the
following [1]:
Listener DNS name: Name that you will use in your application connection string
Port: 1433
10. Add IP Address in Add IP Address dialog box
11. Select Full as Initial Data Synchronization.
12. Proceed until Always On Availability Group is created
Proceed with the following steps and set up YSoft SafeQ 6
1. Navigate back to the server where your YSoft SafeQ Management Server is installed
2. Navigate to <SAFEQ6_HOME>\Management\Conf\safeq.properties file, edit it and set the

following:
database.host = <Listener DNS name>
3. Navigate to <SAFEQ6_HOME>\Management\ims\application.properties file, edit it and

replace the IP address in the spring.datasource.url with the Listener DNS name:
a. Change
spring.datasource.url = jdbc:sqlserver://<IP address>:1433;databaseName=SQDB6_IMS;

applicationName=IMS
b. To
spring.datasource.url = jdbc:sqlserver://<Listener DNS name>:1433;

databaseName=SQDB6_IMS;applicationName=IMS
4. Save changes and restart YSoft SafeQ Management Service and YSoft Infrastructure
Service services
5. Repeat steps 1.-4. on all Management Servers in cluster
If you are using YSoft Payment System, reconfigure it as well
1. Navigate to the server where your YSoft Payment System is installed
2.
2. Navigate to <SAFEQ6_HOME>\YPS\ps-conf\environment-configuration.properties file, edit
it and replace the IP address in the database.url with the Listener DNS name:
a. Change
database.url=jdbc:sqlserver://<IP address>:1433;databaseName=SQDB6_YPS;
b. To
database.url=jdbc:sqlserver://<Listener DNS name>:1433;databaseName=SQDB6_YPS;
3. Save changes and restart YSoft Payment System service
4. Repeat steps 1.-3. on all servers where is YSoft Payment System installed
Installing YSoft SafeQ Management Server on server with specific database collation for MS-SQL database
If you are installing YSoft SafeQ on server with Turkish locale using external MS SQL server 2012,
you have to create database with specific collation settings first.
Following steps require already installed MS-SQL server.
1. Before YSoft SafeQ installation described in article Install the YSoft SafeQ Management
Server, following steps are required to create database with specific collation.
2. Open SQL Server Management Studio and create new database.
3. On General tab enter SQDB6 as a Database name.

4. Switch to Options tab and set specific Collation.
Example: For Turkish locale set SQL_Latin1_General_CP1250_CI_AS .
Then click OK and new database will be created.
5. Now you can install SafeQ according to Install the YSoft SafeQ Management Server. In step
4.b. enter connection for external MS-SQL server. In step 4.c. enter database names of
already created databases (SQDB6). Install wizard will connect to created databases and
confirm connection.

Updating YSoft SafeQ Management Server
Please follow Updating from MU/Build to Build for detailed update procedure. This page
contains only subset of required steps!
This page describes how to use the YSoft SafeQ Management Server Setup Wizard to perform a
basic YSoft SafeQ Management Server update.
Minimum free space required for update is 902 MB.
Update using installer wizard
1. Download the installation package management-installer.exe from the Partner Portal. Once
you have the package and the server is ready for installation, you can begin the YSoft
SafeQ Management Server installation.
In order to install YSoft SafeQ Management Server, this file is required. It contains
everything required to install a fully functional YSoft SafeQ Management Server.
2. Run the file management-installer.exe.
3. Select the language that will be used for the installation process.
4. Continue to next page from Welcome screen.
Close all other applications to avoid issues with updating the relevant system files.

5. If you agree to all the license terms and conditions, click I Agree to continue. If you do not
agree, click Cancel to quit the installation.
6. After you accept the license agreement, the installer runs a preinstallation check. This
for YSoft SafeQ Management Server installation.
7.
7. W i z a r d will verify available free space.
8. Continue with installation
a. If you do not want to change anything, continue using Install button
b. If you do not want to start YSoft SafeQ Management Server services after the
update is finished:
i. Check the I want to customize my YSoft SafeQ installation checkbox
ii. In the following dialog untick the Start YSoft Management Server services
after the installation is finished option
iii. Continue using Install button
9.
9. The last page of the wizard indicates that the update is complete. Click Finish.
Silent update
The installer (downloaded file management-installer.exe) supports update of YSoft SafeQ

Management from command line interface or through script. Update ca not be configured through
silent interface and will always use previous configuration.
YSoft SafeQ Management with embedded PGSQL database system
management-installer.exe /S
You can verify successful installation in management-server-install.log file located in the

installation directory. It will end with " Installation of YSoft SafeQ Management Server version
<some_version> finished"
Updating YSoft SafeQ Management Server cluster
Please follow Updating from MU/Build to Build for detailed update procedure. This page
contains only subset of required steps!
This page describes how to update YSoft SafeQ Management Server cluster.
Minimum free space required for update is 902 MB.
Order of update
Update YSoft SafeQ Management Server on each server through the installer or through the
silent interface of the installer.
1. Update one of the Management servers first

1.
First update updates the database thus it is no longer expected to work with previous
version of YSoft SafeQ Management Services
2. Update remaining YSoft Management Server cluster nodes one by one (i.e. start update of
the second node after update of the first node is already finished)
Do not start not yet updated YSoft Management services manually before the update
of all nodes is finished.
See Updating YSoft SafeQ Management Server for detailed instructions.
Updating YSoft SafeQ Management Server database architecture

Manual update from single database to multi database architecture at PostgreSQL database system
Update procedure for one tenant with examples for the first tenant. You could update all tenants
data analogically. Create system backup before the update.
1. Backup single database and dwhtenant schema only
Backup YSoft SafeQ Management Server database (default name is SQDB6) in pgAdmin
utility. Right click on databse and choose backup. You could run command line command
also, at example:
pg_dump.exe --host localhost --port 5433 --username postgres --no-password --format

custom --verbose --file sqdb6.backup SQDB6
Backup YSoft SafeQ Management Server database (SQDB6) dwhtenant schema in pgAdmin
utility. Right click on dwhtenant schema and choose backup. You could run command line
command also, at example:
pg_dump.exe --host localhost --port 5433 --username postgres --no-password --format

custom --verbose --file sqdb6_dwhtenant_1.backup --schema dwhtenant_1 SQDB6
For details, see chapter Backup of databases for detailed instructions.
2. Uninstall YSoft SafeQ Management Server
Uninstall YSoft SafeQ Management Server completely including database.
3. Clean install YSoft SafeQ Management Server
Install YSoft SafeQ Management Server in multi database configuration.
4.
4. Get configuration data
Get necessary configuration data from production database (SQDB6):
-- get tenant password and tenant schema name [@tenant_password@, @tenant_schema_name@]

select db_pass, schema_name from cluster_mngmt.tenants;
-- get dwhtenant password and dwhtenant schema name [@dwhtenant password@,
@dwhtenant_schema_name@]
select db_pass, schema_name from cluster_mngmt.tenant_warehouses;
-- get server guid and id [@server_guid@, @server_id]
select server_guid, id from cluster_mngmt.cluster_server;
Write it down, you will use these values later for Update configuration data in step 6.
5. Stop YSoft SafeQ services
For details, see chapter Updating from Build to Build, section Stop YSoft SafeQ services.
6. Drop new production database and restore the old one
Drop production database (SQDB6) in pgAdmin. Right click on production database and
choose drop database. You could run sql command also, at example:
DROP DATABASE "SQDB6";
In pgAdmin create new production database (SQDB6). You could run sql command also, at
example:
CREATE DATABASE "SQDB6" WITH ENCODING='UTF8';
In pgAdmin restore whole database (SQDB6) from step 1. Right click on production database
(SQDB6) and choose restore database. You could run command line command also, at
example:
pg_restore.exe --host localhost --port 5433 --username postgres --dbname SQDB6 --no-
password --verbose sqdb6.backup
7. Update configuration data
Update necessary configuration data in production database (SQDB6):
-- update server guid

update cluster_mngmt.cluster_server set server_guid = '@server_guid@' where id =
@server_id@;
-- update tenant password

update cluster_mngmt.tenants set db_pass = '@tenant_password@' where schema_name = '@tenan
t_schema_name@';
-- update dwhtenant password
update cluster_mngmt.tenant_warehouses set db_pass = '@dwhtenant password@' where
schema_name = '@dwhtenant_schema_name@';
Replace placeholders by values from step number 4.
8. Drop dwhtenant schema from production database
IMPORTANT Make sure you drop ONLY the schema.

Drop dwhtenant schema in production database (SQDB6) via pgAdmin. You could run sql command
also, at example
DROP SCHEMA dwhtenant_1 CASCADE;
9. Restore dwhtenant schema to warehouse database
Restore dwhtenant schema backup into warehouse databse (default name is

SQDB6_SQDW) in pgAdmin utility, choose "Restore option #1": Only data. You could run sql
command also, at example:
pg_restore.exe --host localhost --port 5433 --username postgres --dbname SQDB6_SQDW --no-
password --data-only --schema dwhtenant_1 --verbose sqdb6_dwhtenant_1.backup
Ignore all errors and warnings.
Multitenant environment
If you have multitenant environment backup all dwhtenant schemas in step 1, second part
and repeat steps 8-9 for remaining tenants.
Updating YSoft SafeQ Management Server database architecture - MS SQL MSMD

Manual update from single database to multi server multi database architecture at Microsoft SQL Server
Update procedure for one tenant with examples for the first tenant. Target database architecture
is multi server and multiple database, database deployment is with SQL Server authentication.
You could update all tenants data analogically. Create system backup before the update.
1. Backup single database.
a. Backup YSoft SafeQ Management Server database (default name is SQDB6) in SQL
Server Management Studio utility. Right click on database and choose Tasks > Back
Up. You could also run command line command, for example:
BACKUP DATABASE [SQDB6] TO DISK = N'SQDB6.bak' WITH NOFORMAT

See Backup of Databases for detailed instructions.
b. In case of non-default database collation following query can be used to get the
current collation:
SELECT collation_name FROM sys.databases WHERE name = 'SQDB6';
2. Uninstall YSoft SafeQ Management Server completely. Uninstall YSoft SafeQ Management
Server including database.
3. Clean install YSoft SafeQ Management Server. Install YSoft SafeQ Management Server in
multi server and multi database configuration.
a. In case of non-default database collation create the databases manually before new
installation - Installing YSoft SafeQ Management Server on server with specific
database collation for MS-SQL database
4. Get configuration data.
a. Get necessary configuration data from production database (SQDB6):
-- get tenant password and tenant schema name [@tenant_password@,

@tenant_schema_name@]
b. Write it down, you will use these values later for Update configuration data in step 7.
5. Stop YSoft SafeQ services. For detailed instructions see Updating from MU/Build to Build,
section Stop YSoft SafeQ services.
6. Drop new production database and restore the old one.
a. Drop production database (SQDB6) in SQL Server Management Studio. Right click on
production database and choose drop database. You could also run sql command, for
example:
DROP DATABASE [SQDB6];
b. In SQL Server Management Studio restore whole database (SQDB6) from step 1.
Right click on Databases (SQDB6) and choose Restore Database. You could also run
sql command, for example:

RESTORE DATABASE [SQDB6] FROM DISK = N'SQDB6.bak' WITH FILE = 1, NOUNLOAD,
STATS = 5
7. Update the configuration data.
a. Update necessary configuration data in production database (SQDB6):

@server_id@;
update cluster_mngmt.tenants set db_pass = '@tenant_password@' where schema_name =
'@tenant_schema_name@';
b. Update Server Link credentials in the data warehouse database (SQDB6_DWH):
i. Log in to Microsoft SQL Server Management Studio.
ii. Navigate to Server Objects > Linked Servers > SQDB6_LINKED_SERVER, right-
click on the Linked Server and choose Properties.
iii. In the Linked Server Properties window, select the Security page in the Select
a page navigation.
iv.
iv. On the Security page, update the Remote Password field for all the tenant
users (i.e. update all the login mappings with Local Login in format "
dwhtenantuser_i"). Use the tenant passwords from step number 4 (the values
of '@tenant_password@' placeholder).
8. Alter users and grant permissions.
-- Alter user with login

ALTER USER cluster_mngmt WITH LOGIN = cluster_mngmt;
ALTER USER cluster_guest WITH LOGIN = cluster_guest;
ALTER USER tenantuser_1 WITH LOGIN = tenantuser_1;
9. Drop and clean up schema.
a. Drop dwhtenant schema from production database (SQDB6).
b. Create procedure from the cleanUpSchema.sql file into production database (SQDB6).
The file is distributed inside installation package under path [Installation
package]\Complementary Solutions\Data Mart Mode.
c. Execute procedure at production database (SQDB6):
exec CleanUpSchema 'dwhtenant_1','w'
10. Go to Warehouse SQL Server engine.
11. Restore the old one database and copy data into warehouse database.
a.

11.
a. On the warehouse server in SQL Server Management Studio restore whole database (
SQDB6) from step 1. Right click on Databases (SQDB6) and choose Restore Database
. You could also run sql command, for example:
RESTORE DATABASE [SQDB6] FROM DISK = N'SQDB6.bak' WITH FILE = 1, NOUNLOAD, STATS
= 5
b. Run queries from the select at warehouse database (default name is SQDB6_DWH):
select 'insert into dwhtenant_1.'+TABLE_NAME+' (' + (select stuff(list,1,1,'') fro

m ( select ',[' + cast(c.COLUMN_NAME as varchar(64)) + ']' as [text()] FROM
INFORMATION_SCHEMA.COLUMNS c where c.TABLE_NAME = t.TABLE_NAME AND c.TABLE_SCHEMA
= t.TABLE_SCHEMA ORDER BY c.ORDINAL_POSITION for xml path('') ) as Sub(list)) + ')
select ' + (select stuff(list,1,1,'') from (select ',[' + cast(c.COLUMN_NAME as v
archar(64)) + ']' as [text()] FROM INFORMATION_SCHEMA.COLUMNS c where c.TABLE_NAME
= t.TABLE_NAME AND c.TABLE_SCHEMA = t.TABLE_SCHEMA ORDER BY c.ORDINAL_POSITION for
xml path('') ) as Sub(list)) + ' from SQDB6.dwhtenant_1.'+TABLE_NAME+' where id
not in (select id from dwhtenant_1.'+TABLE_NAME+')'
from INFORMATION_SCHEMA.TABLES t where TABLE_SCHEMA = 'dwhtenant_1' and TABLE_TYPE
= 'BASE TABLE' and TABLE_NAME not like 'smartq_jobs%'
order by case when TABLE_NAME like '%dimension' then 2 when TABLE_NAME like '%
measures' then 3 when TABLE_NAME like '%junction' then 4 else 1 end,TABLE_NAME
c. Example of the insert returned by the query above: "insert into dwhtenant_1.
color_type_accids select * from SQDB6.dwhtenant_1.color_type_accids where id not
in (select id from dwhtenant_1.color_type_accids)".
12. Update warehouse sequences.
a. On the warehouse server run queries from the select at warehouse database
(default name is SQDB6_DWH):
SELECT 'DECLARE @x_sql'+CAST(object_id as NVARCHAR(32))+' as NVARCHAR(1024) select

@x_sql'+CAST(object_id as NVARCHAR(32))+' = ''ALTER SEQUENCE ['+SCHEMA_NAME
(schema_id)+'].['+name+'] RESTART WITH '' + (select CAST(coalesce((max(id)+1),1)
AS NVARCHAR(32)) from ['+SCHEMA_NAME(schema_id)+'].['+SUBSTRING(name,1,(LEN(name)
-7))+'] WHERE id != 0) EXECUTE(@x_sql'+CAST(object_id as NVARCHAR(32))+')'
FROM sys.sequences
WHERE name like '%_id_seq' AND SCHEMA_NAME(schema_id) = 'dwhtenant_1'
b. Example of the insert returned by the query above: "DECLARE @x_sql14623095 as

NVARCHAR(1024) select @x_sql14623095 = 'ALTER SEQUENCE [dwhtenant_1].
[dm_v2_device_dimension_id_seq] RESTART WITH ' + (select CAST(coalesce((max(id)
+1),1) AS NVARCHAR(32)) from [dwhtenant_1].[dm_v2_device_dimension] WHERE id !=
0) EXECUTE(@x_sql14623095)".
13. Drop old database (SQDB6) from warehouse server.
a.
13.
a. Drop old database (SQDB6) in SQL Server Management Studio on warehouse server.
Right click on old database and choose drop database. You could also run sql
command, for example:
If you have multitenant environment repeat steps 8-12 for remaining tenants.
Spooling Management
If you have spooling Management server you need to update SPOC guid according to new
installation (<install_dir>\SPOC\conf\modules\guid.conf).
UPDATE tenant_1.spooler_controllers SET spooler_controller_guid = '@new_spoc_guid@' WHERE id =

1;
Updating YSoft SafeQ Management Server database architecture - MS SQL SSMD

Manual update from single database to multi database architecture at Microsoft SQL Server
Update procedure for one tenant with examples for the first tenant. Target database architecture
is single server and multiple database, database deployment is with SQL Server authentication.
You could update all tenants data analogically. Create system backup before the update.
1. Backup single database and dwhtenant schema only.
Backup YSoft SafeQ Management Server database (default name is SQDB6) in SQL Server
Management Studio utility. Right click on database and choose Tasks > Back Up. You could
run command line command also, at example:
BACKUP DATABASE [SQDB6] TO DISK = N'SQDB6.bak' WITH NOFORMAT
2. Uninstall YSoft SafeQ Management Server completely. Uninstall YSoft SafeQ Management
Server including database.
3. Clean install YSoft SafeQ Management Server. Install YSoft SafeQ Management Server in
multi database configuration.
4. Get configuration data.
Get necessary configuration data from production database (SQDB6):
-- get tenant password and tenant schema name [@tenant_password@, @tenant_schema_name@]


Write it down, you will use these values later for Update configuration data in step 7.
5. Stop YSoft SafeQ services. See Stop YSoft SafeQ services for detailed instructions.
6. Drop new production database and restore the old one.
Drop production database (SQDB6) in SQL Server Management Studio. Right click on
production database and choose drop database. You could run sql command also, at
example:
In SQL Server Management Studio restore whole database (SQDB6) from step 1. Right click
on Databases (SQDB6) and choose Restore Database. You could run sql command also, at
example:
RESTORE DATABASE [SQDB6] FROM DISK = N'SQDB6.bak' WITH FILE = 1, NOUNLOAD, STATS = 5
7. Update the configuration data.
Update necessary configuration data in production database (SQDB6):

@server_id@;
update cluster_mngmt.tenants set db_pass = '@tenant_password@' where schema_name = '@tenan
t_schema_name@';
8. Alter users and grant permissions.
-- Alter user with login

ALTER USER cluster_mngmt WITH LOGIN = cluster_mngmt;
ALTER USER cluster_guest WITH LOGIN = cluster_guest;
ALTER USER tenantuser_1 WITH LOGIN = tenantuser_1;
ALTER USER [dwhtenantuser_1] WITH LOGIN = [dwhtenantuser_1], DEFAULT_SCHEMA = [tenant_1];
-- Grant permissions
EXEC('exec sp_addrolemember db_datareader, dwhtenantuser_1');
EXEC('exec sp_addrolemember db_datawriter, dwhtenantuser_1');
EXEC('exec sp_addrolemember db_ddladmin, dwhtenantuser_1');
GRANT DELETE ON SCHEMA::[tenant_1] TO [dwhtenantuser_1];
GRANT EXECUTE ON SCHEMA::[tenant_1] TO [dwhtenantuser_1];

GRANT INSERT ON SCHEMA::[tenant_1] TO [dwhtenantuser_1];
GRANT REFERENCES ON SCHEMA::[tenant_1] TO [dwhtenantuser_1];
GRANT SELECT ON SCHEMA::[tenant_1] TO [dwhtenantuser_1];
GRANT UPDATE ON SCHEMA::[tenant_1] TO [dwhtenantuser_1];
GRANT VIEW DEFINITION ON SCHEMA::[tenant_1] TO [dwhtenantuser_1];
9. Copy data into warehouse database.
Run queries from the select at warehouse database (default name is SQDB6_DWH):
select 'insert into dwhtenant_1.'+TABLE_NAME+' select * from SQDB6.dwhtenant_1.'+TABLE_NAM

E+' where id not in (select id from dwhtenant_1.'+TABLE_NAME+')'
from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = 'dwhtenant_1' and TABLE_TYPE = 'BASE
TABLE' and TABLE_NAME not like 'smartq_jobs%'
order by case when TABLE_NAME like '%dimension' then 2 when TABLE_NAME like '%measures' th
en 3 when TABLE_NAME like '%junction' then 4 else 1 end,TABLE_NAME
Example of the insert returned by the query above: "insert into dwhtenant_1.
color_type_accids select * from SQDB6.dwhtenant_1.color_type_accids where id not in
(select id from dwhtenant_1.color_type_accids)".
10. Update warehouse sequencies.
Run queries from the select at warehouse database (default name is SQDB6_DWH):
SELECT 'DECLARE @x_sql'+CAST(object_id as NVARCHAR(32))+' as NVARCHAR(1024) select @x_sql'

+CAST(object_id as NVARCHAR(32))+' = ''ALTER SEQUENCE ['+SCHEMA_NAME(schema_id)+'].['+name
+'] RESTART WITH '' + (select CAST(coalesce((max(id)+1),1) AS NVARCHAR(32)) from ['+SCHEMA
_NAME(schema_id)+'].['+SUBSTRING(name,1,(LEN(name)-7))+'] WHERE id != 0) EXECUTE(@x_sql'+C
AST(object_id as NVARCHAR(32))+')'
FROM sys.sequences
WHERE name like '%_id_seq' AND SCHEMA_NAME(schema_id) = 'dwhtenant_1'
Example of the insert returned by the query above: "DECLARE @x_sql14623095 as

NVARCHAR(1024) select @x_sql14623095 = 'ALTER SEQUENCE [dwhtenant_1].
[dm_v2_device_dimension_id_seq] RESTART WITH ' + (select CAST(coalesce((max(id)+1),1)
AS NVARCHAR(32)) from [dwhtenant_1].[dm_v2_device_dimension] WHERE id != 0) EXECUTE
(@x_sql14623095)".
11. Drop dwhtenant schema from production database (SQDB6).
Create procedure from the cleanUpSchema.sql file into production database (SQDB6). The
file is distributed inside installation package under path [Installation package]
\Complementary Solutions\Enterprise Reporting.
Execute procedure at production database ( SQDB6 ):
exec CleanUpSchema 'dwhtenant_1','w'

If you have multitenant environment repeat steps 8-11 for remaining tenants.
Spooling Management
If you have spoolinh Management server you need to update SPOC guid according to new
installation.
Antivirus Exclusions for YSoft SafeQ
YSoft SafeQ is I/O-intensive system working with print jobs, documents, rendered images and log
files. Any false positive detection resulting in denial of file accesses will influence user experience
and may lead to service interruption. A specific set of exclusions is recommended for seamless
operations.
Server Exclusions
It is recommended to exclude the following folders and file types from real-time content
inspection (such as anti-virus on-access scans):
Folder Content Folders File Extensions
embedded PostgreSQL \SafeQ6\Management\PGSQL-data *.*

database executable and
data directory
(exclude if used)
PostgreSQL database (exclud c:\Program Files\PostgreSQL\9.4\data (example *.*

e if used) location)
MS-SQL database (exclude if \MSSQLServer *.*

used)
Please see Microsoft documentation for
detailed guide if you do not want to
exclude whole directory.
Spooler Controller cache \SafeQ6\SPOC\SpoolCache *.log

*.odb
*.odb$
\SafeQ6\SPOC\SpoolCache\replicator *.db
*.lg
Terminal Server cache \SafeQ6\SPOC\terminalserver\DS9DB * (No file

extension)
*.rhp
*.rol

\SafeQ6\SPOC\terminalserver\etcd\TS- *.snap
<IP>\member\snap (example location)
\SafeQ6\SPOC\terminalserver\etcd\TS- *.wal
<IP>\member\wal (example location)
Folders for log files \SafeQ6\FSP\logs *.[0-9][0-9]

\SafeQ6\Management\logs (only on Management *.log
Server) *.txt
\SafeQ6\MPS\logs (optional feature) *.zip
\SafeQ6\SPOC\logs
\SafeQ6\SPOC\terminalserver\logs
\SafeQ6\SPOC\EUI\logs
\SafeQ6\WPS\logs
\SafeQ6\YPS\logs (optional feature)
Other locations which may be considered for exclusion:
Windows spooler \Windows\system32\spool *.*
Folder for print job data \SafeQ6\FSP\Service\JobStore *.controller

storage *.job
*.jobinfo
*.png
Please note that .job files store the print job payload, which may contain Adobe PostScript,
Adobe PDF and other data formats which may carry viruses and exploits. They should not be
exempted from scanning unless the impact on performance is too significant and the threat is
deemed acceptable.
Workstation Exclusions
If the YSoft SafeQ FlexiSpooler is installed on workstation, it is recommended to exclude the

following folders and file types from real time content inspection (such as anti-virus on-access
scans):
Folders for log files \SafeQ6\FSP\logs *.[0-9][0-9]

*.log
*.txt
*.zip
Other locations which may be considered for exclusion:

Folder for print job data storage \SafeQ6\FSP\Service\JobStore *.controller

*.job
*.jobinfo
*.png
If JobStore is configured to other location (example: %ProgramData%\JOBSTORE), then the

other location shall be excluded.
Please note that .job files store the print job payload, which may contain Adobe PostScript,
Adobe PDF and other data formats which may carry viruses and exploits. They should not be
exempted from scanning unless the impact on performance is too significant and the threat is
deemed acceptable.
Upgrading from YSoft SafeQ 5
The installer automates the process of upgrading to YSoft SafeQ 6 by configuring and running
the upgrade tool. Detailed information can be found in upgrade tool documentation.
Details for each deployment scenario of YSoft SafeQ 5 are covered below.
Payment System and Mobile Print Server migration is not supported at the moment.
General facts about the update procedure
YSoft SafeQ 6 is installed side by side with YSoft SafeQ 5.
YSoft SafeQ 5 CML will be mapped to the First Server scenario.
YSoft SafeQ 5 ORS will be mapped to the Site Server scenario.
The installer detects the configuration of YSoft SafeQ 5 and preselects choices that need to
stay consistent in YSoft SafeQ 6.
YSoft SafeQ 5 will be stopped during the installation, and its services will be set to manual
start.

Data migration will be configured and executed automatically. The user will be notified about
the migration result. Data migration can fail or finish with warnings. The user can run data
migration again later on after installation finishes.
When installation or data migration fails, YSoft SafeQ 6 services can be turned off or
uninstalled, and YSoft SafeQ 5 can be turned back on again by starting YSoft SafeQ 5
services.
Data migration can be re-run manually by executing a batch script from <YSoft SafeQ
6_HOME>\upgrade\
YSoft SafeQ CML with an embedded PostgreSQL database
1. Run the YSoft SafeQ server installer.
2. The installer will preselect First Server with an embedded database deployment scenario.
3. Navigate through the rest of the YSoft SafeQ 6 installer screens the usual way, and click
Install.
4. The installer will automatically dump and restore YSoft SafeQ 5 databases. Also, YSoft
SafeQ 5 will be stopped at this point.
5. Check the result of the data migration. This can take up to several hours, depending on the
YSoft SafeQ 5 database size.
6. Wait for the installer to finish.
YSoft SafeQ CML with an embedded Microsoft SQL server
2.
2. The installer will preselect First Server with an external Microsoft SQL database deployment
scenario as an embedded Microsoft SQL scenario was discontinued in YSoft SafeQ 6.
3. Dump the SQDB5 and SQDB5_SQDW databases and restore them to an external Microsoft
SQL server. This server will become the main database server for YSoft SafeQ 6.
4. Configure the connection to this database server as well as the names of both YSoft
SafeQ 5 databases. The YSoft SafeQ 6 and YSoft SafeQ 5 databases need to be present
side by side on the same database server in order to perform the data migration.
Install.
YSoft SafeQ CML with an external PostgreSQL server
2. The installer will preselect First Server with an external PostgreSQL database deployment
scenario.
3. Dump the SQDB5 and SQDB5_SQDW databases and restore them to an external
PostgreSQL server. This server will become the main database server for YSoft SafeQ 6.
Please check the minimal required version of PostgreSQL for YSoft SafeQ 6.
Install.
YSoft SafeQ CML with an external Microsoft SQL server
2. The installer will preselect First Server with an external Microsoft SQL database deployment
scenario.
3. Dump the SQDB5 and SQDB5_SQDW databases and restore them to another external
Microsoft SQL server or upgrade your existing Microsoft SQL server. This server will
become the main database server for YSoft SafeQ 6. Please check the minimal required
version of Microsoft SQL for YSoft SafeQ 6.

Install
YSoft SafeQ ORS
2. The installer will preselect a Site Server deployment scenario and reuse YSoft SafeQ 5 ORS
GUID.
Install.
YSoft SafeQ CML cluster
1. Migrate the first YSoft SafeQ 5 CML node of the CML cluster by using one of the above-
mentioned scenarios.
2. Remove all other YSoft SafeQ 5 CML nodes.
3. Install the rest of the YSoft SafeQ 6 management server nodes by using the YSoft SafeQ 6
management server cluster installation procedure.
YSoft SafeQ and Payment System
The upgrade process of YSoft SafeQ 5 and Payment System with various deployment scenarios.
Please contact support services for more details.
The YSoft SafeQ 6 Upgrade Path Check-list

I want to upgrade to YSoft SafeQ 6 from YSoft SafeQ 5
Use the checkboxes below to verify the feasibility of the upgrade, as well as the most notable
prerequisites.
Known limitations
See known limitations paragraph in the Release Notes documents for unsupported features
and functionalities. If found, then UPGRAD ING IS NOT SUPPORTED
Unsupported configuration

Charging and Quotas are used – AUTOMATIC UPGRADING IS NOT SUPPORTED
YSoft Payment System is not automatically upgradeable at the moment. When the YSoft
Payment System is a part of the YSoft SafeQ 5 system, a special manual upgrade must be
provided. Contact your Y Soft Regional Sales Manager for additional information.
YSoft SafeQ Mobile Print Server installed – AUTOMATIC UPGRADING IS NOT SUPPORTED
YSoft SafeQ Mobile Print System is not automatically upgradeable at the moment. However, when
the Mobile Print Server is a part of the YSoft SafeQ 5 system, an automated upgrade of other
components is still available. If needed, a possible workaround is to install the YSoft SafeQ Mobile
Print Server and configure it during the installation manually.
A customization is installed and used by the customer – AUTOMATIC UPGRADING IS NOT

SUPPORTED
Contact your Y Soft Regional Sales Manager to verify the possibility of updating the
customization to be compatible with YSoft SafeQ 6.
YSoft SafeQ Terminal Professional v3.5 is used to support the scanning functionality –
UPGRADING IS NOT SUPPORTED
Terminal Professional v3.5 does not support scan workflows. However, print and copy
functionality is fully supported.
Prerequisites
An existing installation of YSoft SafeQ 5 updated to the latest available version (the last
available MU).
Ensuring the new YSoft SafeQ 6 license is available and the new product could be properly
licensed.
Please note, only customers with valid Software Support are entitled to make the upgrade.
There is a backup of the current YSoft SafeQ 5 installation, mainly these parts:
Database
Configuration, see article CML configuration backup page from YSoft SafeQ 5 documentation.
In the case of SQL Server with a dedicated database used with YSoft SafeQ 5, the database
must exist on the same database machine as the future YSoft SafeQ 6 database.
The appropriate procedure is prepared based on the architecture, see Upgrade from YSoft
SafeQ 5 to YSoft SafeQ 6 - MU8 and later (guidepost).
I want to upgrade to YSoft SafeQ 6 from YSoft SafeQ 4

A direct upgrade from YSoft SafeQ 4 to YSoft SafeQ 6 is not supported. Therefore, a migration
over YSoft SafeQ 5 has to be performed. See the most notable prerequisites and tasks related to
upgrading to YSoft SafeQ 5. Then follow the procedure for upgrading to YSoft SafeQ 6.
Unsupported configuration
A customization is installed and used by the customer - AUTOMATIC UPGRADING IS NOT

SUPPORTED
Contact your dedicated Regional Sales Manager to verify the possibility of updating the
customization to be compatible with YSoft SafeQ 6.
Prerequisites
A license upgrade from YSoft SafeQ 4 to YSoft SafeQ 5 is requested and properly fulfilled.
We recommend requesting the license upgrade at least three weeks before the actual
upgrade. Once the request is processed, the YSoft SafeQ 4 license will be converted into a
YSoft SafeQ 5 license. To request the license upgrade, kindly contact orders@ysoft.com and
include the Support ID of your current YSoft SafeQ 4 license in the request. Once your
request is validated, you will receive a new activation key, and you can proceed with the
upgrade.
Please note, only customers with valid Software Support are entitled to make the upgrade.
For updating to the latest service release of YSoft SafeQ 4, it is not required that the installation
is re-activated instead after the installation of the update has finished to proceed with the
upgrade to YSoft SafeQ 5.
Toshiba devices have to be deleted before upgrading and created again after upgrading is
complete.
If you want to keep print jobs, copy the content from the YSoft SafeQ 4 spool folder (e.g., c:
\SafeQ4\server\spool\) into YSoft SafeQ 5 (e.g., c:\SafeQ5\server\spool\).
If you want to keep custom firmware update files, copy the content from the YSoft SafeQ
update folder (e.g., c:\SafeQ4\server\update\) into YSoft SafeQ 5 (e.g., c:
\SafeQ5\server\update\).
Rules for Rule-based Engine are not automatically migrated, they have to be created again or
the rools.drl file should be copied from the YSoft SafeQ 4 directory (e.g., c:\SafeQ4\conf\) into
YSoft SafeQ 5 (e.g., c:\SafeQ5\conf\).
To be performed after upgrading
Check if the settings of the embedded terminals are correct. If necessary, correct these
settings before use.

All embedded devices have to be reinstalled.
Upgrade Terminal Professional firmware, if necessary.
Rules for Rule-based Engine are not automatically migrated. They have to be created again or
the rools.drl file should be copied from the YSoft SafeQ 4 directory (e.g., c:\SafeQ4\conf\) into
YSoft SafeQ 5 (e.g., c:\SafeQ5\conf\).
5.5.1.2 YSoft SafeQ as a printer at Windows and Mac and Linux
Most users continue printing from Windows, Mac or Linux devices. YSoft SafeQ can be configured
as the primary target for printing, including Windows Server shared printers.
Configuring YSoft SafeQ as a Printer at a macOS Workstation or Server
Configuring YSoft SafeQ as a Printer in macOS Using IPPS
IPPS is secure version of Internet Printing Protocol (IPP). This approach requires having YSoft
SafeQ Mobile Integration Gateway installed on the server.
Adding and Setting Up a New Printer in the Graphical User Interface
1. To add a new printer, go to System Preferences > Printers & Scanners, and click '+'.

2. macOS will display printers and servers discovered in the local subnet (using the Bonjour
protocol). Select YSoft SafeQ 6 (or the name that was configured in YSoft SafeQ Mobile
Integration Gateway), and click Add. Make sure that Use is set to Secure AirPrint.
Adding and Setting Up a New Printer in the Command Line
Adding and setting up a new printer from Terminal (command line) without using mDNS/Bonjour
discovery.

#!/bin/bash
PRINTER="YSoftSafeQ6"
sudo lpadmin -E -p "${PRINTER}" -v "ipps://safeq6.ysoft.local:8050/ipp/print" \

-m 'everywhere' \
-o 'printer-is-shared=false' \
-o 'auth-info-required=username,password'
sudo cupsenable "${PRINTER}" -E

sudo cupsaccept "${PRINTER}"
Replace "safeq6.ysoft.local" with the hostname or IP address of your YSoft SafeQ Mobile
Integration Gateway installation.
The other option is to use an mDNS name to locate YSoft SafeQ Mobile Integration Gateway in
the network. This approach requires having the computer and YSoft SafeQ Mobile Integration
Gateway in the same subnet:
#!/bin/bash
sudo lpadmin -E -p "${PRINTER}" -v "dnssd://YSoft%20SafeQ%206._ipps._tcp.local./" \

-m 'everywhere' \

Note: The dnssd line contains a URL encoded reference to Mobile Integration Gateway. The string
"YSoft%20SafeQ%206" means "YSoft SafeQ 6".
Configuring YSoft SafeQ as a Printer in macOS Using LPR
LPR is a network protocol for submitting print jobs to a remote printer or print server. YSoft SafeQ
6 can behave as a print server in this case. This page explains how to configure a printer on a
Mac to use LPR for printing jobs via YSoft SafeQ 6.
The method for adding and setting up a new printer in a macOS X system varies according to
the distribution and working environment.
1. To add a new printer, go to System Preferences > Printers & Scanners, and click '+'.

2. Click the Advanced icon and select LPD/LPR Host or Printer. Fill in the necessary data. The
URL is in the format lpd://hostname/queue. Hostname is the IP address or hostname of
your YSoft SafeQ server. Queue is the name of the queue to which print jobs will be sent.

3. Select the driver for the printer from the Use: menu, or select Other Software to display a
list of available printing software drivers from the database, or select Other to use a PPD
file. Choose the appropriate print driver that works with the printers in your environment.

4. Once everything is done, finish the wizard.
5. Now it is possible to send print jobs to the newly created printer, which is configured to
send the jobs to YSoft SafeQ 6.
Configuring YSoft SafeQ as a Printer at Linux Workstation or Server
Configuring YSoft SafeQ as a Printer at Linux Using IPPS
IPPS is a secure version of Internet Printing Protocol (IPP). This approach requires having YSoft
SafeQ Mobile Integration Gateway installed on the server.
Make install Nginx proxy according to document Slow printing using IPPS from Linux.
Adding and Setting Up a New Printer in the Command Line
This how to add and set up a new printer from Terminal (command line) without using mDNS
/Bonjour discovery.
#!/bin/bash
sudo lpadmin -E -p "${PRINTER}" -v "ipps://safeq6.ysoft.local:8050/ipp/print" \

-m 'everywhere' \

Replace "safeq6.ysoft.local" with the hostname or IP address of your YSoft SafeQ Mobile
Integration Gateway installation.

Note 1.: lpadmin might take about one minute to perform a proper configuration.
Note 2.: If you are using .local domains, make sure that your /etc/nsswitch.conf has a proper
configuration (order of items: dns mdns), and the machine is able to resolve the address.
Configuring YSoft SafeQ as a Printer at Linux Using LPR
can behave as a print server in this case. This page explains how to configure a printer in Linux to
use LPR for printing jobs via YSoft SafeQ.
The method for adding and setting up a new printer in a Linux system varies according to the
distribution and working environment. Various display managers are available, but the
instructions here guide you through the installation process in the popular Gnome
environment, and Ubuntu distribution. For other display managers (or the command line), the
procedure may be different, but the basics are always the same.
1. To add a new printer, go to System Settings > Printing - localhost and click Add.
2. In the device list, expand the Network Printer list and select LPD/LPR Host or Printer. Fill
in the necessary data. Host is the IP address or hostname of your YSoft SafeQ server.
Queue is the name of the queue to which print jobs will be sent.

3. Select the driver for the printer from the database, PPD file, or download it from the
Internet. Choose the appropriate print driver that works with printers in your environment.
4. Follow the wizard and fill in all the information according to your needs. Once everything is
done, finish the wizard.

5. Now it is possible to send print jobs to the newly created printer, which is configured to
send the jobs to YSoft SafeQ.
Adding and Setting Up a New Printer in the CUPS Interface

Adding and setting up a new printer in the graphical user interface
The method for adding and setting up a new printer in a Linux system varies according to the
distribution and working environment. Various display managers are available, but the
instructions here guide you through the installation process in the popular Gnome
environment, and Ubuntu distribution. For other display managers (or the command line), the
procedure may be different but the basics are always the same.
The procedure for adding and setting up a new printer in the CUPS interface is almost the same
as for the graphical user interface. All you need to do is to select a hostname and queue for your
printer as follows:
1. Open the CUPS interface (usually http://<CUPS IP address>:631). Select the Administration
tab, then click Add Printer. If necessary, enter the CUPS administrator credentials.

2. In the Other Network Printers section, select LPD/LPR Host or Printer, then* click
*Continue.
3. The Connection text box is filled according to the following example lpd://hostname/queue
Example: If the server has the IP address 10.0.2.232 and the queue name secure, the
connection string is lpd://10.0.2.232/secure

4. Proceed through the remaining steps and set up the printer according to your needs. Once
you complete all the steps of the Add Printer wizard, your printer can send prints to YSoft
SafeQ.
Using LPR and LPRNG Settings
This section is for experienced administrators and describes printcap settings.
This is an example of local printcap for printing to YSoft SafeQ:
With these settings, a print sent to the safeq_printer will be sent directly to the YSoft SafeQ
server.
Configuring YSoft SafeQ as a printer at Windows 8/Windows 10
can behave as a print server in this case. This page explains how to configure a printer in
Windows to use LPR for printing jobs via YSoft SafeQ.
1. Open the Devices and Printers and select Add a printer.
2. Select the printer you want to install from the list or press The printer that I want isn't
listed.
In the case you have directly selected printer to install from the list, the printer will be
automatically installed.

In the case you have selected The printer that I want isn't listed, continue with
following steps.
3. Choose Add a printer using TCP/IP address or hostname.
4. For Hostname or IP address, enter the address of the printer; then enter a name for the
port.

5. Skip Additional port information required by pressing Next button (optional step).
6. From the list of printer drivers, select the appropriate driver (or select a driver from the
disk). Choose the appropriate print driver that works with printers in your environment.
7. Enter a name for the new printer; then wait for the installation process to finish. Select
other options according to your needs (sharing, setting the printer as default, test page
printing); then finish the wizard.
8.
8. Right-click the new printer; then select the Printer properties option. Select the Ports tab.
The port you created should already be selected and highlighted. Click Configure Port.
9. Change the Printer Name or IP Address to the IP address of the YSoft SafeQ server.
In the Protocol section, select LPR.
On the LPR Settings page, enter the name of the queue that will be used for the printer
(for example my-print-queue).
If necessary, change other settings on the page (LPR Byte Counting, SNMP status).
In the case, you won't be able to edit Port settings, select the printer in Devices and
Printers tab > click Print server properties > Ports > Change Port Settings > select
the port you created in step 4 and click Configure Port

10. Click OK to save the changes.
Configuring YSoft SafeQ as a Printer in Windows 7
can behave as a print server in this case. This page explains how to configure a printer in
Windows 7 to use LPR for printing jobs via YSoft SafeQ.
1. Open Devices and Printers from Control Panel and select Add Printer.
2. Select Add a local printer.
3. On the Choose a printer port page, select Create a new port. For Type of port, select
Standard TCP/IP Port.

4. For Hostname or IP address, enter the address of the printer, then enter a name for the
port.
5. From the list of printer drivers, select the appropriate driver (or select a driver from the
disk). Choose the appropriate print driver that works with the printers in your environment.
6. Enter a name for the new printer, then wait for the installation process to finish. Select
other options according to your needs (sharing, setting the printer as default, test page
printing), then finish the wizard.
7. Right-click the new printer, then select New Printer properties option.Select the Ports tab.

7.
8. The port you created should already be selected and highlighted. Click Configure Port.
9. Change the Printer Name or IP Address to the IP address of the YSoft SafeQ server.
In the LPR Settings section, enter the name of the queue that will be used for the
printer (for example, secure).
If necessary, change other settings on the page (LPR Byte Counting, SNMP status).
10.

10. Click OK to save the changes.
Configuring YSoft SafeQ as a shared printer from Windows Server 2012
can behave as a print server in this case. This page explains how to configure a shared printer in
Windows Server 2012 to use LPR for printing jobs via YSoft SafeQ.
1. Open the Devices and Printers wizard and select Add a printer.
2. Select The printer that I want isn't listed.
3. Select Add a local network printer as an administrator. By selecting this you will reopen
the Devices and Printers wizard as an administrator.
4.

4. Select The printer that I want isn't listed.
5. Select Add a printer using a TCP/IP address or hostname.
6. For Device type, select TCP/IP Device. For Hostname or IP address, enter the address of
the YSoft SafeQ Management Server or YSoft SafeQ Site Server; then enter a name for
the port.

7. Select Custom and click on Settings.
8. The Hostname or IP address of the YSoft SafeQ Management Server or YSoft SafeQ Site
Server created should already be visible in Port Name and Printer Name or IP Address
On the LPR Settings page, enter the name of the queue that will be used for the printer
(for example secure when using print roaming).
If necessary, change other settings on the page to disable LPR Byte Counting and
SNMP status.

9. From the list of printer drivers, select the appropriate driver or select a driver from the disk.
Please make sure that the selected driver is supported by all MFPs in the print roaming
group.
10. Enter a name for the new printer for example SafeQ_Print_Roaming.

11. To share the printer select Share this printer so that others on your network can find it
and use it.
12.
12. To give access right to the group Everyone, follow the procedure below. Open Devices and
Printers, right-click selected device and select Printer properties .
On the Security tab, make sure the group Everyone has the permission to Print.
13. To add a x86 print driver go to the tab Sharing in order to add support for 32bit Windows
OS. Select Change Sharing Options.

Then select additional Drivers.
In the additional drivers window please select x86.

Then select the Location of the print driver.
14. Because the print driver has no direct access to any printer, it is necessary to uncheck
Bidirectional support to prevent a time-out caused by unsuccessful attempt for such
communication. On the Ports tab, make sure Enable bidirectional support is left unchecked.
When the print driver has any other kind of bidirectional support embedded, it has to be
disabled as well such as Auto Acquire Settings, Bi-Directional Communication, etc.
15. Because the driver is in default configuration, it is necessary select all available extensions
and options such as finishers, paper trays, staplers, booklets to meet the highest available
hardware configuration.
16.

16. Send a test page to validate that the printer was installed correctly. Go to the tab General
and select Print Test Page.
17. Enable Print Pooling and create another 4 LPR ports.
5.5.1.3 YSoft SafeQ 6 Pre-installation Checklists
A pre-installation checklist is available in Partner Portal (search for Pre-installation Checklist YSoft
SafeQ 6).
YSoft SafeQ 6 server pre-installation check list
YSoft SafeQ Management Server pre-installation check list
YSoft SafeQ Site Server pre-installation check list
YSoft SafeQ Management Server pre-installation check list

Following features has to be installed and available on the server for YSoft SafeQ Management Server
installation
To see list of supported platforms, please visit Software requirements page.
No Web server may be installed on the computer. (If installed, it must not listen on TCP port
80).
The latest version of web browser shall be installed (IE, Chrome or Firefox).
No other software shall be installed, except as agreed by Y Soft.
IP addresses for the local YSoft SafeQ Management Servers are prepared before the
installation of MFDs and terminals.

Dedicated shared folder accessible from all YSoft SafeQ Management Server nodes is set up
and reachable from all YSoft SafeQ Management Server nodes (necessary for installation from
network folder).
Management Servers (all nodes of the clusters) meets minimum requirements. See Hardware
requirements for details.
Latest security patches installed on operating system.
See Antivirus Exclusions for YSoft SafeQ page to make sure system performance is not
affected by Antivirus software.
There is no other software that can interfere with YSoft SafeQ installed on the servers,
especially database (unless it is intended for YSoft SafeQ 6), or other print solution, except as
specified in this document.
For automated/silent installation, the Y Soft Corporation, a.s. codesigning CA (ysoft-codesigning.

cer) certificate needs to be present in the system. See Installing Security Certificates for
more details.
Administrator rights are required in order to perform the installation.
"LPD service" not installed in case "Print Server" role is used.
External user source for replication (LDAP) requirements
Primary LDAP server IP address
Domain name(s)
DN of container(s) with users
LDAP contains user login information
LDAP contains user name and surname information
Department number is available in following attribute
Card numbers are available in following attribute
Unique user ID is available in following attribute
User email addresses are available in LDAP
Data replication from LDAP to YSoft SafeQ is preferred. Frequency of replication is

configurable (for example: full replication is executed once a day, and differential replication is
executed each hour).
Administrator will be available to provide LDAP server access credentials. User account with
'list all records' and 'read attributes' credentials must be available as integration account for
YSoft SafeQ.
Network communication overview
For proper functionality of the YSoft SafeQ environment following ports have to be opened on the
server side. Visit the Network Communication page for more details.

Following features has to be installed and available on the server for Site Server installation
To see list of supported platforms, please visit Software requirements page.
Microsoft .NET 4.8 or higher and Windows Installer 4.5 shall be installed.
No other software installed, except as agreed by Y Soft.
IP addresses for the local YSoft SafeQ Site Server are prepared before the installation of
MFDs and terminals.
Site Servers (all nodes of the clusters) meets minimum requirements. See Hardware
requirements for details.
Latest security patches shall be installed on operating systems.
See Antivirus Exclusions for YSoft SafeQ page to make sure system performance is not
affected by Antivirus software.
There is no other software that can interfere with YSoft SafeQ installed on the servers or
Other Print Solution, except as specified in this document.
For automated/silent installation, the Y Soft Corporation, a.s. codesigning CA (ysoft-codesigning.

cer) certificate needs to be present in the system. See Installing Security Certificates for
more details.
"LPD service" not installed in case "Print Server" role is used.
Following criteria shall be met in order to install Site Server in near roaming group (NRG):
Multicast IP address for discovery
1 Gbit stable LAN connection
Following criteria shall be met in order to install Site Server with Managed Workflows module:
Recommended Windows Updates should be installed, especially KB2919442, KB2919355 and

KB3118401 is necessary for highlight/redact feature.
Internet connection or network proxy is required for cloud connectors.
Network communication overview
For proper functionality of the YSoft SafeQ environment following ports have to be opened on the
server side. Visit the Network Communication page for more details.
5.5.1.4 YSoft SafeQ 6 Workstation Installation

Please make sure that Y Soft certificates are installed in a Windows environment. Especially
before using a silent installation. See Installing Security Certificates for details.
Installation
The YSoft SafeQ client installer installs the YSoft SafeQ client components: FlexiSpooler,
Universal Print Driver, and Desktop Interface. It is distributed as a single executable file which
runs the installation process.
1. Language selection – Select your language for the installation. The language selected is
valid only during the installation. After the installation, the client components applications
use the language of your environment.
2. Introduction – Click Next to continue.
3. License Agreement – Read and click I Agree to continue.
4. Depending on the result of the preinstallation check, you will see one of these:
a. Installation readiness – Click Next to continue with the installation process.
b.
b. Requirements not fulfilled – In case of temporary issues (e.g., port blocked), it is
possible to continue with the installation. In case of a blocking one (e.g., .NET
framework not installed), it is necessary to remove the obstacles before continuing
t h e i n s t a l l a t i o n .
5. Choose install location – Select the destination folder, and click Next to continue.
6. Controller and printer setup – Enter the data (all fields are required), and click Install to
install the YSoft SafeQ client.
Controller host: The IP or FQDN of the server where YSoft SafeQ Spooler Controller is
installed.
Enable spooling: When enabled, print jobs are stored locally on the machine, otherwise,
the jobs are forwarded to the server.

Default print layout: The default printer layout selection used by the YSoft SafeQ
universal driver. The available options are A4 and Letter. If the customer uses Letter
size paper rather than A4 paper, set Default print layout configuration variable to
'Letter'.
If any mandatory information is missing, an error screen is shown. Enter the missing
information and try again. When the Controller host is not entered in the expected format
or the host given is not reachable, a warning is shown. It is possible to continue with the
current (currently unreachable) host or to edit the value.
7. Installing – Please wait until the installation is complete. You can display the details by
clicking the Show details button.
8. Confirmation – Click Finish to finish the installation.
After installation
The secure print queue Ysoft SafeQ is created (for more information, see section About
drivers).
The installation log files are located in the YSoft SafeQ client components installation folder.
spooler-install.log – contains information about the YSoft SafeQ client components

FlexiSpooler connects to YSoft SafeQ Spooler Controller and downloads the configuration.

If the parameter deviceUpdate is enabled in the management interface, FlexiSpooler regularly
checks direct queue settings in the management interface according to the parameter
deviceUpdateIntervalMinutes a nd installs or updates direct queues. The names of the direct
queues consist of names set in the devices module of the management interface: Device
name(Direct_queue).
As it starts, FlexiSpooler service (whether after restart, during installation or update) attempts
to launch Desktop Interfaces for all the logged in users, see section Automatic launching of
Desktop Interfaces from FlexiSpooler service at start.
About the Drivers
YSoft Printer Driver PCL
Ysoft SafeQ secure print queue uses these drivers:
Windows 8, Windows 10, Windows Server 2012, and newer: YSoft Printer Driver PCL is
automatically installed during FlexiSpooler installation
Windows 7 and Windows Server 2008: YSoft Universal Print Driver is not supported, and
FlexiSpooler expects the HP Driver is already installed (HP Driver is a standard part of these
systems – HP Color LaserJet 2700 Series PCL6).
Creating a Direct or Secure Print Queue Using a Vendor Driver
If you want to create print queue with vendor driver and you want print jobs to be handled and
managed by YSoft SafeQ, you can but do not use ports that are automatically created by
FlexiSpooler (IP_local for secure queue, SafeQPort-direct_queue_name for direct queues), but
create your own TCP/IP port that is directed to IP where FlexiSpooler is installed (usually
127.0.0.1).
For secure printing, use protocol LPR with port 515 and queue name secure.
For direct printing, set correct Direct queue name up on a device in the management interface.
See picture below:

Uninstallation
1. Language selection – Select your language for the uninstallation.
2. Confirmation – The screen shows the application path from where it will be uninstalled.
Click Uninstall to continue.
3. Uninstalling – Please wait until the uninstallation is complete. You can display the details
by clicking the Show details button.
4. Finish – In the case of the need of a restart, the options Restart now and Restart later are
provided. Otherwise, click Finish to quit the installation application.
Silent uninstallation
c:\SafeQ6\FSP\uninstall.exe /S
Update
The update can be performed using the new version of the YSoft SafeQ client installer. You can
use either the GUI wizard or a silent (unattended) installation.
The minimum version to the upgrade is defined by each new version (e.g., in version 6.0.0.1,
upgrading from version 5.8.x.x is not supported, the minimum version is "6.0.0.1"). The
FlexiSpooler version must be the same version as Spooler Controller version.

Performing a GUI Wizard Update
When running the installer, it will detect the last installed version during the preinstallation check
. You can continue the update using the latest version installer. All configurations stay the same
and will not be changed by the update. The update will not affect print jobs that have already
been sent.
Performing a Silent (Unattended) Update
Please make sure that the current valid certificates are installed in the Windows environment
before performing a silent installation/update.
VeriSign Universal Root Certification Authority(vsign-universal-root.cer) and Thawte Primary

Root CA (thawte-root.cer) for Troubleshooting trust errors
Thawte SHA256 Code Signing CA (thawte-codesigningCA.cer)
Y Soft Corporation, a.s. codesigning CA (ysoft-codesigning.cer) for Automated (silent)

i n s t a l l a t i o n
See Installing Security Certificates for details.
To run a silent installation of the client installer, run this command. Run it in the folder where you
have downloaded ysq-client-install.exe
ysq-client-install.exe /S

After Updating
Installation log files are located in the YSoft SafeQ client components installation folder.

As it starts, FlexiSpooler service (whether after restart, during installation or update) attempts to
launch Desktop Interfaces for all the logged in users, see YSoft SafeQ 6 Workstation Installation,
section Automatic launching of Desktop Interfaces from FlexiSpooler service at start.
Silent Installation
The installer (downloaded file ysq-client-install.exe) supports the installation of a client installer
from the command line interface or through a script. For running a silent installation, run this
command with the filled in values of the parameters. Run it in the folder where you have
downloaded ysq-client-install.exe
Examples:
FSP Client in spooling mode - The default page size for a printer queue is A4.
ysq-client-install.exe /S /CFG:controllerHost=<controller IP or hostname> /CFG:

defaultPrintLayout=A4
FSP Client in spooling mode - The default page size for a printer queue is A4. DHCP Options 9
is disabled
ysq-client-install.exe /S /CFG:controllerHost=<controller IP or hostname> /CFG:

defaultPrintLayout=A4 /CFG:noServerDiscovery
FSP Client in nonspooling mode - The default page size for a printer queue is A4.
ysq-client-install.exe /S /CFG:controllerHost=<FSP server IP or hostname> /CFG:noSpooling /CFG:

defaultPrintLayout=A4
For a full list of possible silent installation parameters, see Silent Flexispooler installation
parameters.
Automatic launching of Desktop Interfaces from FlexiSpooler service at start
launch Desktop Interfaces for all the logged in users (once for each interactive session, i.e. logged
in user).

This feature can be configured via two options (configurable from Management Service and
locally overridable):
uiLaunchAttemptTimeoutSeconds
uiLaunchAttempts
The FlexiSpooler service detects logged in users by obtaining list of interactive sessions by
enumerating all running explorer.exe processes (there is at least one running for each
interactive session)
For each session (from which there is no Desktop Interface connected to FlexiSpooler) it
conducts number of attempts to start Desktop Interface (in parallel per user), specified by
uiLaunchAttempts:
If the Desktop Interface process is not running it launches it
Either way the FSP waits for a connection from Desktop Interface for the session
(identified by domain\username ) until timeout specified in
uiLaunchAttemptTimeoutSeconds is reached
These attempts to launch Desktop Interfaces are only conducted as the service is starting (result
of the whole endeavour is logged)
Impact on installation/update of FlexiSpooler
There is no need to restart the target workstation after FlexiSpooler is installed to start
desktop interface for all users of the workstation
Users that log in after FlexiSpooler service is started have their Desktop Interface started
based on the appropriate entry in Windows Registry
Desktop Interface can run only once per logged in user on one workstation
One user cannot have multiple instances of Desktop Interface running at the same time on
single workstation (the second instance will shutdown as soon as it detects the previously
started one).
This is achieved by using lock file located at <USER_PROFILE>\.

safeq6\YSoftSafeQDesktopInterface.lock, which only one instance per user can
acquire
This lock file is automatically deleted by OS after the original Desktop Interface process is
terminated, a special system flag is used when this file is created to achieve this

Troubleshooting the Installation Process
If an error occurs during the installation process, please check the following log files that were
created during the process. All the installation log files are located in the YSoft SafeQ client
components installation folder.

spooler.log – contains information about the entire service running.
desktopinterface.log – contains information about the entire "Desktop interface" running. (e.g.,
billing codes window, authentication window, etc.)
If the installer failed before the installation began, check sqci-install.log located in
AppData\local\Temp\ of the currently logged user.
Silent Flexispooler installation parameters
For running silent installation of YSoft SafeQ FlexiSpooler installer run this command with filled in
values of parameters. Run it in folder where you have downloaded <installer_name>.exe. The
installer may have different name, if so, the <installer_name>.exe should be replaced by the
appropriate name.
Configuration Parameters
<installer_name>.exe /S /CFG:controllerHost=<controller_hostname> /CFG:

defaultPrintLayout=<A4|Letter> /CFG:noSpooling /CFG:spoolerMode=<Server|Client> /CFG:
serverSpoolerHost=<server_spooler_hostname> /CFG:locationsCfgPath=<path_to_locations.config>
/CFG:noUpdateLocations /CFG:noServerDiscovery /CFG:noDefaultQueue /CFG:noQueue
/D=<destination_folder>
controllerHost - parameter is required or you must provide locationsCfgPath with already

filled in controllerHost
locationsCfgPath - using parameter locationsCfgPath you may provide path to already

filled in configuration file which will used then by the YSoft SafeQ FlexiSpooler
noUpdateLocations - it disables update of locations used by YSoft SafeQ FlexiSpooler
spoolerMode - it can have only values of "Server" or "Client". If not provided, "Client" is
default value. The mod "Server" can only be used for a standalone installer. The "Client"
mode can be used for both installers (Standalone, Client)
noSpooling - by default spooling is enabled, for disabling spooling provide flag noSpooling
defaultPrintLayout - it is used by installer only on OS where universal-pcl-driver is used. It

can have only values "A4" or "Letter".

noServerDiscovery - it disables Spooler Controller IP addresses discovery from DHCP
(DHCP Option 9). If it is not present, sever discovery over DHCP is enabled.
serverSpoolerHost is considered only for Server mode. For "Server" spoolerMode the
parameter serverSpoolerHost can be assigned, default is 0.0.0.0
noQueue - if the noQueue flag is provided, the installer will not install printer queue nor
YSoft Universal Print Driver (for systems Windows 8, Windows 10, Windows 2012). Without
print driver, direct queues cannot be installed and deviceUpdate that enables automatic
print queue deployment needs to be disabled in configuration.
noDefaultQueue - if the noDefaultQueue flag is provided, the installer will not set the
installed print queue as a default queue.
D=<destination_folder> - If you want to specify installation directory (

/D=<destination_folder>) it must be the last parameter of the call and there should be no
quotation marks, e.g. <installer_name> /S <parameters> /D=<destination_folder>
5.5.1.5 Installing Security Certificates
For the installation of the YSoft Universal PCL driver, which is part of YSoft SafeQ FlexiSpooler,
both in server and client mode, there are two certificates needed for an installation and the third
one for smooth installation without additional interaction.
These certificates are:
VeriSign Universal Root Certification Authority (vsign-universal-root.cer), seeTroubleshooting

trust errors
Thawte Primary Root CA (thawte-root.cer), see Troubleshooting trust errors
Y Soft Corporation, a.s. codesigning CA (ysoft-codesigning.cer) used for smooth installation or

unattended installation, see Automated (silent) installation
This driver will be installed only on the following Windows versions: Windows Server 2012,
Windows Server 2012 R2, Windows Server 2016, Windows 8, Windows 8.1, Windows 10.
Troubleshooting Trust Errors
In order to install the YSoft SafeQ FlexiSpooler component, the Windows environment has to have
the Thawte Primary Root CA certificate installed. This may already be present on the server as
Thawte is a third-party certification authority commonly trusted in most systems. However, if the
certificate is missing for some reason, installation of the component will result in the following pop-
up errors:
Error 0x800f0247:

Error 0x00000709:
As of now, installers do not fail the overall installation when these errors occur, but the
component will NOT work properly, therefore consider the installation as failed.
If you happen to encounter these errors, uninstall the product, install the certificates as
described further on, and install the product again.
Installing thawte-root.cer and vsign-universal-root.cer into Trusted Root Certification

Authorities
1. Find the Thawte Primary Root CA and VeriSign Universal Root Certification Authority
certificates, located, e.g., in the Certificates folder in the YSoft SafeQ installation package
(Complete pack).
2. Double-click the downloaded files thawte-root.cer and sign-universal-root.cer on the machine

where you want to install YSoft SafeQ FlexiSpooler. The following window should appear.

a n d
3. Click Install Certificate... The following window should appear

4. Select Local Machine and click Next
5. Select Place all certificates in the following store and click Browse...
6. Select Trusted Root Certification Authorities

7. Click OK and Next
8. Click Finish
9. Repeat these steps for second certificate.

Automated (Silent) Installation
If you plan an automated installation, it is required to have the Y Soft Corporation, a.s. codesigning
CA certificate present in the system. Otherwise, you will be prompted to confirm trusting Y Soft
Corporation, a.s. software. The confirmation looks like this:
In order to prevent this Windows Security popup, import the certificate into all the environments
where you want to install the product.
Installing ysoft-codesigning.cer on Trusted Publishers
The process is basically the same as with the previous certificate, except the location:
1. Find the Y Soft Corporation, a.s. codesigning CA certificate, located in the Certificates
folder in the YSoft SafeQ installation package (Complete pack).
2. Double-click the downloaded file ysoft-codesigning.cer on the machine where you want to
install YSoft SafeQ FlexiSpooler
3. Click Install Certificate...
4. Select Local Machine and click Next
5. Select Place all certificates in the following store and click Browse...
6. Select Trusted Publishers

7. Click OK and Next
8. Click Finish
Mass Deployment of Certificates
If the certificates are needed on all environments where you want to deploy the product, you may
prefer to install them automatically using PowerShell:
&certutil -addstore -enterprise -user root c:\thawte-root.cer

&certutil -addstore -enterprise -user root c:\vsign-universal-root.cer
&certutil -addstore -enterprise -user trustedpublisher c:\ysoft-codesigning.cer
For installation of certificates through GPO, read more here.
For other options, read more here.
5.5.1.6 First server installation with an external Database
This section describes scenario that deploys Management Server with additional features with
the use of an external database server.

When selected to use external database, you will be prompted to enter the connection settings
to the database. These connection settings differ based on the type of the database vendor
selected.
When you select the option "Use external database for data warehouse", you will need to enter
the name of the data warehouse database as well.
Standalone data warehouse database
If you plan to have the data warehouse database on completely different server, please refer
to First server installation with standalone data warehouse database section.

Microsoft SQL database server
Provide the parameters needed to connect to the external MSSQL database server.
Test your connection parameters, and refer to the installation log in case of connection errors.
SQL Authentication
SQL Authentication is the typical authentication composed of a username and password. The
installation guide asks you to provide credentials for the user that later on will be used for
accessing the database.
The installation guide uses the provided database account to automate most of the database
related installation tasks (the creation of databases, database schemes, tables, etc.)
Database account requirements:
A detailed description of required database credentials: YSoft SafeQ server requirements.
The provided credentials are saved to the YSoft SafeQ configuration and, therefore, the
credentials must remain unchanged (unless a corresponding change is made to the YSoft
SafeQ configuration).

Windows Authentication
Windows authentication uses credentials from your windows account and domain environment to
authenticate to MS SQL Server.
The installation guide does NOT automate database configuration tasks to avoid security risks.
Databases need to be created and configured manually beforehand.
For more detailed information, follow this step-by-step guide. Server installer must be run under
the domain user used to connect to database. The installer checks if SQDB6 and SQDB6_IMS
(and also SQDB6_YPS if YSoft Payment System is enabled) databases are present to avoid an
installation failure later on. SQDB6 serves as a prefix that can be customized.
PostgreSQL database server
The database must be accessible from the network
Please make sure that Database server hostname/IP address is permitted in the PostgreSQL's
pg_hba.conf.
Provide the parameters needed to connect to the external database server.
Test your connection parameters using Test connection button, and refer to the installation
log in case of connection errors

5.5.1.7 Configuring the PostgreSQL Time Zone for Correct Print Job and Report Data
This is a description of the workaround for a known issue with the incorrect print job and
report data for YSoft SafeQ 6 Management Server installed with an embedded PostgreSQL in
another time zone than GMT.
The PostgreSQL database server uses the GMT time zone by default. If you have YSoft SafeQ
Management Server in a different time zone, you must change the PostgreSQL time zone to the
same one.
Step-by-step Guide
1. Edit <install_dir>\Management\PGSQL-data\postgresql.conf.
2. Set the timezone property according to https://www.postgresql.org/docs/11/datetime-config-

files.html. The easiest approach is to use syntax GMT+<hours>, the example below sets the
CET timezone which equals to GMT+1:
PostgreSQL connection properties
timezone = 'GMT+1'
3. Restart the YSoft SafeQ Bundled PostgreSQL 11 service.
4. Run the following command: <install_dir>\Management\tomcat\bin\tomcat8w.exe //ES

//YSoftSQ-Management.
5. Go to the tab Java.
6. Add the following text at the end of the Java Options section: -Duser.timezone="
<TIMEZONE NAME>", for example, -Duser.timezone="Europe/Prague". You can find a list of
time zone values in column TZ of the table at https://en.wikipedia.org/wiki
/List_of_tz_database_time_zones
7. Apply the change and restart the Management Service.
8. Wait at least three minutes the for change to take effect. From this time, any jobs sent to
YSoft SafeQ 6 will have the correct time on the web interface.
5.5.1.8 First server installation with standalone data warehouse database
This section covers scenario that deploys Management Server with standalone data warehouse
database server.
When the data warehouse database is deployed on a separate server, all statistics related
operations does not affect the performance of production database (expect for generating the
statistics).

This section describes only the database configuration specific pages of the installer. For the
description of the pages preceding and following the database configuration, see the First
server installation section.
Use this deployment mode only when you know you will need this due to the extra
performance it brings. There is some advanced configuration necessary to be done for this
deployment mode to work.
Microsoft SQL database server
1. On the Database configuration page select "External Microsoft SQL database server"
option, check the "User external database for data warehouse" option and select "Different
server" from the options below the checkbox. Then click Next.
2. On the Microsoft SQL database page for the production database, fill in the connection
settings to the production database. Then click Next.

Production database must be accessible from the network
It is advised to enter the Database server hostname/IP address as a non-loopback (e.g.

localhost or 127.0.0.1) network address. The installer will convert such loopback network
address to the Network interface chosen on a latter page in the installer, but entering
the non-loopback address will immediately test if the connection to the database works
from such network interface correctly.
3. On the Microsoft SQL database page for the data warehouse database, fill in the
connection settings to the data warehouse database. Then click Next.

Database user permissions
Connection between production database and standalone data warehouse database is

implemented using T-SQL function sp_addlinkedserver. This function requires special
privileges when installing the database. Please make sure the database user for the
data warehouse database is having the sysadmin role assigned.
4. Following pages are the same as in the First server installation section.
After the installation, follow this guide to allow the connection between both databases
Configuring MS SQL for Server link.
PostgreSQL database server
1. On the Database configuration page, you can select either "Embedded PostgreSQL 11
database server" or "External PostgreSQL 11 database server" option, check the "User
external database for data warehouse" option and select "Different server" from the options
below the checkbox. Then click Next.

2. Depending on what type of database (embedded or external) you chose in the previous
step, on the you will either:
a. On the Embedded database configuration page, enter the password of the

"postgres" user of the embedded PostgreSQL database. Then click Next.

The database must be accessible from the network
The database will be created and available on the port 5433. Please, make sure
that the port is accessible from the network (i.e. from the server where the data
warehouse database will be located). The installation will fail otherwise.
b. On the PostgreSQL database page for the production database, fill in the
connection settings to the production database. Then click Next.
Production database must be accessible from the network
It is advised to enter the Database server hostname/IP address as a non-

loopback (e.g. localhost or 127.0.0.1) network address. The installer will convert
such loopback network address to the Network interface chosen on a latter page
in the installer, but entering the non-loopback address will immediately test if the
connection to the database works from such network interface correctly.
3. On the PostgreSQL database page for the data warehouse database, fill in the connection
settings to the data warehouse database. Then click Next.

4. Following pages are the same as in the First server installation section.
After the installation, follow this guide to allow the connection between both databases
Configuring PostgreSQL for remote database connection.
5.5.1.9 Configuring MS SQL for Server link
When installing standalone data warehouse MS SQL database (deployment scenario First server
installation with external data warehouse database) the Distributed Transaction Coordinator
(MSDTC) has to be properly configured between both communicating databases - production
database and data warehouse database.
MSDTC on virtual machines
When running databases on virtual machines, the MSDTC may still not work with the following
error message (when executing any transnational procedure that uses server link)
OLE DB provider “SQLNCLI” for linked server “XXX” returned message “No
transaction is active."
This is most likelly caused by the fact, that virtual machines are created through cloning, resulting
in MSDTC on all VM's having the same unique identity, thus preventing the proper communication.
To fix this issue, MSDTC needs to be uninstalled and installed again on both servers, following
these steps:
1. On the server hosting the production database. open the cmd console window
2.
2. T y p e and execute the below 3 commands
n e t s t o p m s d t c
m s d t c - u n i n s t a l l
msdtc -install
3. MSDTC configuration will be most likely lost, follow the steps above
4. Restart the server
5. Repeat the same for the server hosting data warehouse database
MSDTC configuration step-by-step
1. On the server with production database open Component Services (C:

\Windows\System32\msdtc.exe)
2. Navigate to Computers > My Computer > Distributed Transaction Coordinator > Local DTC
3. Go to Local DTC > Properties > tab Security and change the configuration as follows:
Check options Network DTC Access, Allow Remote Clients, Allow Remote
Administration, Allow Inbound, Allow Outbound, Enable XA Transactions
Select No Authentication Required option

4. Restart the MSDTC service explicitly in Services
5. Restart the MS SQL database server
6. Repeat steps 1. - 5. on the server with data warehouse database
When the setup of the Distributed Transaction Coordinator is changed, a popup windows
appears saying that the service will be restarted. Confirm this restart, but make sure to still
restart the MSDTC service at the end as said in step 4.
For more information about MSDTC configuration eg. firewall settings and configuration
options, please refer to Troubleshooting Problems with MSDTC.
MS SQL server configuration
To allow connections from another server, check that inbound connections are allowed on both
database servers.
Check option: Microsoft SQL Server Management Studio > database name > Properties >
Connections > Allow remote connection to this server

5.5.1.10 Configuring PostgreSQL for remote database connection
When installing standalone data warehouse for PostgreSQL database (deployment scenario First
server installation with standalone data warehouse database) the production database has to be
configured to allow inbound connection from data warehouse database server.
PostgreSQL configuration
In PostgreSQL installation folder add the following line to the data/pg_hba.conf file where
data_warehouse_ip without is the IP address of the data warehouse database.
pg_hba.conf
host all all <data_warehouse_ip>/32 md5
You can read more about file structure and configuration options in PostgreSQL
documentation article The pg_hba.conf File.
5.5.1.11 Configuring PostgreSQL SSL/TLS connection
To allow connection to the PostgreSQL database using secured SSL/TLS connection, both the
database server and client (or another PostgreSQL database server) have to be properly
configured.

Step-by-step guide
Configure PostgreSQL server for SSL/TLS connection
1. Create / download trusted root certificate.
2. Create server certificate and private keys for your PostgreSQL server.
server.crt (server certificate)
server.key (private key)
Please note that certificate's subject CN (Common Name) must be equal to PostgreSQL
server's domain name.
In case your key/certificate is in a different format than specified, you can convert it
following the guide in Conversions between different keystores and certificate types.
3. Copy your root certificate, server certificate and private key to PostgreSQL's /data folder,
named as root.crt, server.key and server.crt .
4. Verify if the file postgresql.conf in PostgreSQL's data folder supports SSL connection,
meaning the configuration property "ssl" has to be set accordingly: ssl = on
5. Configure the hosts that are required to use SSL/TLS connection in pg_hba.conf in
PostgreSQL's data folder, by using hostssl instead of host, e.g.
hostssl <database name> <db user name> <IP of the client>/32 md5
6. Restart the postgresql service
Configure the client
1. Create client certificate and private key and sign the certificate by the server's root
certificate.
root.crt ( trusted certificate authorities )
postgresql .crt (client certificate)
postgresql .key ( client private key )
Note that certificate's CN (Common Name) must be equal to the database user name
you’ve set in the pg_hba.conf server configuration.
2. These files must be in the following directories:

%appdata%\postgresql\ - This directory is used by the installer
C:\Windows\system32\config\systemprofile\AppData\Roaming\postgresql\ - This
directory is used by YSoft SafeQ
Using option clientcert=1 in pg_hba.conf will require the presence of the certificate on client
machine.
For more information how to create a certificate please see System communication hardening
article.
More information about the SSL configuration could be found in official PostgreSQL
documentation https://www.postgresql.org/docs/11/ssl-tcp.html and https://www.postgresql.org
/docs/11/libpq-ssl.html.
Useful article https://dzone.com/articles/establish-a-secure-ssl-connection-to-postgresql-db.
5.5.1.12 Configuring MS SQL for SSL/TLS
1. Provide a private key and certificate (.key and .crt files) on both machines.
2. Configure any non-server clients to trust the certificate's root signing authority. For more
information please see: https://support.microsoft.com/en-us/help/316898/how-to-enable-ssl-
encryption-for-an-instance-of-sql-server-by-using-mi
3. Configure the server(s) to force all incoming connections to use SSL/TLS so that any
clients that do not support this will fail to connect. In SQL Server Configuration Manager,
set the ForceEncryption parameter to "Yes" in the Protocols section.

This solution is not bullet-proof. The database links are generally a potential security risk, when
the user permissions are not configured properly and e.g. xp_cmdshell with admin rights is
accessible on some of the database nodes. For more information please refer to https://blog.
netspi.com/how-to-hack-database-links-in-sql-server/.
For more information how to create a certificate please see the chapter System
communication hardening
5.5.1.13 YSoft SafeQ Workstation Queues Overview
At a Glance

This overview only covers the most often used scenarios, it is not a complete or
comprehensive overview. There are other methods and approaches which can be used,
consult Y Soft when in doubt.
# Print Queue Description Pros Cons
1.1 Windows print queue is No client components When traveling to another

created on a Site Server required. location, it is required to
and shared to Centralized queue defaults attach to local print queue.
workstations. management (e.g. change Impact of not doing so is that
from simplex to duplex on all print jobs will have delay
workstations is done when appearing on the device
centrally). terminal and will travel over
Updates of YSoft SafeQ 6 WAN twice.
are only performed on the This configuration implies
server level, no changes are server spooling, additional
required on the workstations. HDD and CPU is required
compared to client-based
spooling option.
Site Server is a single point of
failure (SPoF), its unavailability
means that the shared print
queue becomes offline.
1. Windows print queue is … the same as option 1.1 Requires Load Balancer.
2 created on Site Server The SPoF shifted from Site Only Windows 8 or newer
and shared to Server to Load Balancer support this.
workstations. Only supports LPR, no data-in-
transit encryption from
workstation to Site Server.
No support on Mac or Linux.
2 Windows print queue is Updates and hotfixes of The same as 1.1 plus the
created locally on YSoft SafeQ 6 are only below:
workstations. performed on the server No central queue
level, no changes are required management, changes to
on the workstations. drivers or driver settings
OS agnostic. require workstation updates.
Requires driver, port and
queue deployment on the
workstations.
3 YSoft SafeQ Client Can be configured for failover Requires YSoft SafeQ 6 Client
(spooling) is installed on with Site Server application and driver to be installed on
each workstation. Spooling cluster. each workstation (e.g. using
mode means that print MSI package).
jobs are stored locally on

# Print Queue Description Pros Cons
the workstation and only Provides desktop interface Updates and hotfixes of YSoft
metadata sent to a Site (billing codes, notifications to SafeQ 6 are performed on
Server. end users, etc.). both the server level and
Provides "Offline Print" (when workstations. New MSI
Site Server is unavailable, package has to be created
offers to submit print jobs and pushed to all clients.
locally). Workstation unavailability (off
network, closed lid, sleep
mode, ...) means that print job
cannot be released from the
MFD.
Not all operating systems are
supported.
4 YSoft SafeQ Client (non- Can be configured for failover Requires YSoft SafeQ 6 Client
spooling) is installed on when Site Server cluster is and driver to be installed on
each workstation. Non- available. each workstation (e.g. using
spooling mode means that Provides desktop interface MSI package).
print jobs as well as (billing codes, notifications to Updates and hotfixes of YSoft
metadata are sent to a end users, etc.). SafeQ 6 are performed on
Site Server. both the server level and
workstations. New MSI
package has to be created
and pushed to all clients.
This configuration implies
server spooling, therefore
additional HDD and CPU might
be required.
Does not provide "Offline
Print" capability.
Not all operating systems are
supported.
Shared Print Queue
Print queue is shared form a Windows-based server and made available to all users.
Standard Sharing from Site Server
Windows print queue is created on a Site Server and shared to workstations. When using
Windows 8 and newer, it is possible to encrypt data-in-transit from workstation to server using
SMB 3.0. Once the data arrive to the Site Server, it can be load balanced between other nodes
within the cluster using external load balancer or YSoft SafeQ 5 Client in enterprise mode
(installed on the server queue). In the latter case, the data-in-transit can be encrypted.

References:
https://blogs.technet.microsoft.com/filecab/2012/05/03/smb-3-security-enhancements-in-
windows-server-2012/
https://blogs.technet.microsoft.com/josebda/2013/10/02/windows-server-2012-r2-which-version-
of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-are-you-using/
Branch Office Direct Printing with Load Balancer
Windows print queue is created on Site Server and shared to workstations.This option is
combining major benefits of availability (option 2) and serviceability (option 1.1). Important
limitation for this scenario is that it does not allow data-in-transit encryption, LPR is the only
supported protocol.
Branch Office Direct Printing (BODP) support was first included in those operating systems:
Windows Server 2012
Windows 8

References
Branch Office Direct Printing overview - https://docs.microsoft.com/en-us/previous-versions

/windows/it-pro/windows-server-2012-R2-and-2012/jj134156(v=ws.11)
How to enable - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-

server-2012-R2-and-2012/jj134191%28v%3dws.11%29
Locally Created Print Queue
Windows print queue is created locally on workstations. When it comes to avoiding client
software on workstations, while still requiring high availability of the print queue, deploying local
queue with load balancer is a good option to consider. In combination with IPP over HTTPS it also
provides encrypted data stream to server. Trade off is loss of central management as queues are
deployed along with drivers and configuration.
Y Soft does not provide tools to deploy the local print queues.

Client Based Print Roaming (CBPR)
YSoft SafeQ Client (spooling) is installed on each workstation. Spooling mode means that print
jobs are stored locally on the workstation and only metadata sent to a Site Server.
References
Client Based Print Roaming
Configuring Offline Print
Using the YSoft SafeQ Desktop Interface
YSoft SafeQ Client (non-spooling)
YSoft SafeQ Client (non-spooling) is installed on each workstation. Non-spooling mode means
that print jobs as well as metadata are sent to a Site Server. Using both YSoft SafeQ Client
version 5 or 6 is possible.

Print Queues and Their Configuration
YSoft SafeQ knows three types of queues: direct, secure and shared:
Direct queues are mainly suitable for small network printers where authentication is not
required because there is only a limited number of users who send submit print jobs to them.
Their configuration requires a non-trivial amount of effort by administrators who need to
configure them in YSoft SafeQ, create a shared printer for every device and deploy them to
the right people.
Configuration of secure queue is easy, as it does not require any configuration on YSoft
SafeQ side and only one shared printer and GPO for every spooling YSoft SafeQ server. The
biggest challenge here is how to deploy the queue for traveling users who change their
location and therefore need to send print job into a different server.
Standard shared queues (print delegation) are similar to direct queues because each of them
needs to have a unique name and a unique shared printer. In addition, when a change is
needed, it must be done by administrators. This is significantly improved by self-managed
shared queues where only one shared printer per YSoft SafeQ server is needed and users
can manage members of their personal shared queues by themselves in the web portal
provided by the SWC-49 product extension.
This article describes how these queues can be created in YSoft SafeQ and deployed to users
using Group Policy Objects (GPO) in Active Directory, which is the most widely used deployment
method.
Direct Queues
The main benefit of direct queues is that they are transparent to users, all print jobs are released
at the print device as soon as they are accepted and (optionally) analyzed by YSoft SafeQ. Users
will not notice any significant delay while metadata of their jobs is captured by YSoft SafeQ for
reporting purposes. Every direct queue has a specific name and is assigned to a particular print
device as shown below. Each of the following license modules activates direct queues:

Authentication, Print Roaming, Reporting, Credit and Billing and Rule-Based Engine.
When we want to deploy this printer with the direct queue to users, the easiest way is to create
a shared printer in Windows. When setting up the printer port, the printer name or IP address is
our YSoft SafeQ server and queue name matches the direct queue name assigned to the printer
in the previous step. Do not forget to mark the printer as shared.
The Group Policy Object for printer deployment to users needs to contain network path to the
shared printer created beforehand and it needs to be assigned to an Organizational Unit with
users. An example of a group policy object follows.

At this moment, the print queue will be connected to all user accounts in the Organizational Unit
and users will see the printer in their Windows accounts when they log in. All print jobs will go
through YSoft SafeQ with stopping there and will be immediately printed and accounted.
These steps need to be done for every printer with a direct queue, which might be time-
consuming especially in environments with a large fleet because all Group Policy Objects must be
carefully assigned to appropriate Organizational Units in Active Directory for users to see only
what they are supposed to see. It may be challenging especially for traveling users.
Secure Queue
Secure queue is the most widely used option because they hold jobs until their owner
authenticates at a print device. When users want to release their print job securely, then there is
no need to do any special configuration on YSoft SafeQ side, as all print jobs will end up in the
secure queue when there is no other queue type with the given name. The name set in LPR
headers is usually "secure" but only for clear understanding of the destination not because it
would change anything on print job processing. From license perspective, the only module, which
activates secure queue is Print Roaming.
Deployment to user workstations is similar to the previous example. It is recommended to create

a shared printer pointing to a spooling YSoft SafeQ server. The queue name set in LPR port
configuration can be for example "secure" bu, as it was explained before, the only rule is that
there shall not be any other direct or shared queue in YSoft SafeQ with the same name.

Configuration of the Group Policy Object is the same as in the previous example, only the printer
name is different.
Shared Queues (Print Delegation)
Finally, the last type are shared queues which provide similar user experience to the secure
queues (authenticate before release) and are configured similarly as direct queues (specific queue
name). The difference is that there are multiple users who are assigned to the shared queue, who
can release the waiting shared print jobs. A real-world example is the boss-secretary scenario
when the boss writes a letter and asks their secretary to print and send it. Let's explain how this
is achieved in YSoft SafeQ. Shared queues are activated only by the Print Roaming license
module in the same way as secure queue.
First, an administrator needs to create a shared queue and assign members.

Then create a new shared printer in Windows. The queue name specified in YSoft SafeQ is used
in LPR port configuration.
In the last step, an administrator needs to create a Group Policy Object, which will make sure that
the printer is connected to the right Windows account(s). In this case, it is enough to assign the
policy to the boss as he is the only person who should be able to send print jobs into the shared
queue. It means that the boss will see two printers in Windows – one for secure print and the
other for shared print.

Shared queues in YSoft SafeQ are managed by administrator and only administrators are allowed
to create them and set their members. Mind that those print jobs can be submitted by any user
regardless of their queue membership or access.
Self-Service Shared Queues (Print Delegation)
Standard shared queues, as documented above, can be a burden to manage as all work is done
by administrator. Some customers prefer to let users do the work themselves, for which we can
use Rule-Based Engine and the SWC-49 product extension (Web interface for delegated print
queue), see https://portal.ysoft.com/products/ysoft-safeq/extensions-store
. With that approach the administrators can improve the user experience:
1. Only create and deploy a single shared printer to be used by all eligible users who want to
delegate their print jobs, regardless of which shared queue group they belong to.
2. Use the SWC-49 product extension so that every user can self-manage who belongs into
their personal shared queue list.
3. Utilize Rule-Based Engine to redirect all print jobs from the specific shared printer into
user's personal shared queue.

From configuration point of view, it is necessary to create a new rule in Rule-Based Engine, which
redirects all print jobs from the shared printer into user's personal shared queue.
Next, create a shared printer.
And deploy it to all users who should be able to send print jobs to personal shared queues.
Finally, users log in to the queue self-management portal where they can look for colleagues who
they want to add to their personal shared queue or remove from it.

5.5.1.14 PostgreSQL cluster
This guide explains how to add standby PostgreSQL 11 database to existing YSoft SafeQ 6
installation running with embedded PostgreSQL 11 database.
Overview
PostgreSQL offers various ways how to achieve high availability, replication and archiving of
PostgreSQL databases. This guide is aimed to describe how to setup a database cluster with one
primary and one standby database (in hot-standby mode), that will use Streaming Replication

mechanism to replay all data from primary to standby database. It will also describes how to
configure automatic fail-over service with user notification and describe how to recover failed
databases in order to restore the replication feature.
More information about Streaming Replication, WAL files and others PostgreSQL concepts could
be seen in official documentation here https://www.postgresql.org/docs/11/admin.html
Supported database architectures
There is possibility to use replication for all database deployment types. Now we support Single
Server Single Database deployment only.
Single Server Single Database deployment (SSSD)
Basic deployment with all schemes placed in one database. We replicate all data. Supported
embedded and external PostgreSQL installation.
Single Server Multiple Database deployment (SSMD)
Enterprise deployment with separated warehouse database. We replicate all data. Inter database
connectivity is provided by db_link via localhost IP, because of replication needs. Supported
embedded and external PostgreSQL installation.

Multi Server Multiple Database deployment (MSMD) - not supported yet
Special deployment with separated warehouse server. We replicate only working database.
Warehouse database fail-over is provided by regular database backup. Supported external
PostgreSQL installation only.

Limitations
Database validation
Running database validation within PostgreSQL cluster requires that database referenced in
DBValidator.properties file is current master (read/write mode). Before running validation it
is recommended to check out which database is current master, then adjust DBValidator.
properties according these findings and then run database validation.

External data warehouse database replication is not supported
Streaming Replications, Automatic fail-over and Recovery scenarios are not designed to be used
on external data warehouse database. Hence in the deployment scenario First server installation
with standalone data warehouse database only production database could be setup using
Streaming Replications and automatic fail-over.
Network connectivity
Guaranteed network connectivity between database nodes is required.
YSoft SafeQ 6 server update
Unless installer contains PostgreSQL 11. Update between builds is not supported.
In case of Updating YSoft SafeQ 6, the database role has to be the same as it was in the time of
the installation - meaning the database, that was configured as master has to be master again,
and previously configured standby database has to be also standby database now. In case the
Fail-over and subsequent Recovery had been applied, the roles of the databases has been
switched in which case one of the following action has to be taken to restore the original
database deployment, either:
Promote current slave to primary master and recover current slave to primary master.
Change etcd configuration to follow current database cluster state (Reconfiguration or

recovery of etcd cluster in Management Service).
Configuration
Prerequisites
Windows administrator privilege to give Full control permission on database folders
Sufficient disk space on both primary and standby database servers. In addition to database
size, the WAL replication files may require several GB, depending on the configuration, see
bellow examples for wal_keep_segments configuration property
PostgreSQL 11 binaries
PostgreSQL binaries location
PostgreSQL 11 binaries are located in the full installation package <installation

package>\Complementary Solutions/PostgreSQL or could be downloaded from the internet on this
addresshttps://www.enterprisedb.com/download-postgresql-binaries

Both single node and clustered installations are supported. This guide refers to the original
database created during installation as a primary database and newly added database is referred
as a standby database.
This guide will use following placeholders with sample values:
PATH_TO_PRIMARY_DATABASE_ROOT_FOLDER <safeq_folder>\Management\PGSQL
PATH_TO_PRIMARY_DATABASE_DATA_FOLDER <safeq_folder>\Management\PGSQL-data
PRIMARY_DATABASE_IP_ADDRESS 10.0.124.110
PATH_TO_STANDBY_DATABASE_ROOT_FOLDER C:\PGSQL
PATH_TO_STANDBY_DATABASE_DATA_FOLDER C:\PGSQL-data
STANDBY_DATABASE_IP_ADDRESS 10.0.124.151
This guide refers to pg_hba.conf, recovery.conf and postgresql.conf files. All these
reside in PostgreSQL data directory (e.g. in case of embedded PostgreSQL installation the path is
<safeq_folder>\Management\PGSQL-data). All SQL command in this guide could be
executed either using psql CLI tool (located in PGSQL/bin folder) or using pgAdmin 4 web
interface.
PostgreSQL cluster setup
1. Stop YSoft SafeQ services. In clustered environment this needs to be done on each cluster
node.
2. Use binary database files from full installation package (path <installation
package\Complementary Solutions\PostgreSQL\) or download PostgreSQL 11
binaries.
3. Extract database binaries to target directory on server for standby database, for example: c:
/PGSQL.
4. Create data directory for standby database, for example: c:/PGSQL-data.
5. Make sure Administrator account has Full control permission granted on both directories.
On each directory: right click and select Properties → switch to Security tab → click
Advanced → on Permissions tab → click Add

Click on Select a principal link → fill in Administrator account (in our example it is
RND0171\Administrator, this might differ on production environment) → click OK.
Check Full control checkbox → click OK.

6. On primary database create user for replication,
CREATE USER replicator

WITH REPLICATION
ENCRYPTED PASSWORD 'replicator'
7. On primary database, configure following options in postgresql.conf file.
postgresql.conf
listen_addresses = '*'
max_wal_senders = 2
wal_level = replica
# Set the wal_keep_segments property according to your deployment size. These settings
are approximated for 6 hour outage.
#wal_keep_segments = 36 # For deployment with throughput 1 job per second (Extra space
600 MB for logfiles)
wal_keep_segments = 180 # For deployment with throughput 5 jobs per second (Extra space
3 GB for logfiles)
#wal_keep_segments = 360 # For deployment with throughput 10 jobs per second (Extra space
6 GB for logfiles)
8. On primary database, add following entries in pg_hba.conf
pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD

host all all <PRIMARY_DATABASE_IP_ADDRESS>/32 md5
host replication replicator <PRIMARY_DATABASE_IP_ADDRESS>/32 md5

host replication replicator <STANDBY_DATABASE_IP_ADDRESS>/32 md5
host all all <STANDBY_DATABASE_IP_ADDRESS>/32 md5
with example values in place entries in pg_hba.conf will like this:
pg_hba.conf

host all all 10.0.124.110/32 md5
host replication replicator 10.0.124.110/32 md5
host all all 10.0.124.151/32 md5
Please note, that allowing connection for replicator user on both primary and standby
databases is required by recovery scenarios.
9. On standby database, take base backups with following command:
pg_basebackup execution
pg_basebackup -h <PRIMARY_DATABASE_IP> -U replicator -p 5433 -D

<PATH_TO_STANDBY_DATABASE_DATA_FOLDER> -Xs -R -P -v
with example values in place, pg_basebackup will execute as
pg_basebackup with real values
pg_basebackup -h 10.0.124.110 -U replicator -p 5433 -D "c:/PGSQL-data/" -Xs -R -P -v
The default location of pg_basebackup CLI tool is in

<PATH_TO_STANDBY_DATABASE_ROOT_FOLDER>/bin. After the execution, a recovery.
conf file should be generated in PostgreSQL data directory with the following content
(assuming 10.0.124.110 was used as primary database IP address -
PRIMARY_DATABASE_IP_ADDRESS)
recovery.conf
standby_mode = 'on'
primary_conninfo = 'user=replicator password=replicator host=10.0.124.110 port=5433
sslmode=prefer sslcompression=0 krbsrvname=postgres target_session_attrs=any'
SSL support
sslmode=prefer in recovery.conf is default and backward compatible, but it is not

recommended for secure deployments. Use sslmode=verify-full for data
encryption and for protection against man-in-the-middle attacks. See official SSL guide
for more details.

hot_standby option should be enabled in postgresql.conf on standby database
postgresql.conf
hot_standby = on
pg_hba.conf on standby database should have following entries
pg_hba.conf for standby database

host all all <STANDBY_DATABASE_IP_ADDRESS>/32 md5
host replication replicator <STANDBY_DATABASE_IP_ADDRESS>/32 md5
host replication replicator <PRIMARY_DATABASE_IP_ADDRESS>/32 md5
host all all <PRIMARY_DATABASE_IP_ADDRESS>/32 md5
with example values in place, pg_hba.conf entries will look like:
pg_hba.conf on standby database

host all all 10.0.124.151/32 md5
host all all 10.0.124.110/32 md5
10. Update safeq.properties.
safeq.properties
database.host = <PRIMARY_DATABASE_IP_ADDRESS>
database.url = jdbc:postgresql://${database.host}:${database.port},
<STANDBY_DATABASE_IP_ADDRESS>:5433/${database.name}?charSet=UTF-8&targetServerType=master
Management cluster
In case of Management clustered environment, update safeq.properties each

Management cluster node.
with example values in place:
safeq.properties
database.host = 10.0.124.110
database.url = jdbc:postgresql://${database.host}:${database.port},10.0.124.151:5433
/${database.name}?charSet=UTF-8&targetServerType=master

For multidatabase deployments - deployments with separate database for warehouse -
make sure that connection URL for warehouse database is configured with both primary
database and standby database.
safeq.properties
databaseWarehouse.url = jdbc:postgresql://${database.host}:${database.port},
<STANDBY_DATABASE_IP_ADDRESS>:5433/${databaseWarehouse.name}?charSet=UTF-
8&targetServerType=master
with example values in place
safeq.properties
databaseWarehouse.url = jdbc:postgresql://${database.host}:${database.port},10.0.124.151:
5433/${databaseWarehouse.name}?charSet=UTF-8&targetServerType=master
11. Update application.properties for IMS service. In clustered environment this needs
to be done on each cluster node.
application.properties
spring.datasource.url = jdbc:postgresql://<PRIMARY_DATABASE_IP_ADDRESS>:5433,
<STANDBY_DATABASE_IP_ADDRESS>:5433/SQDB6_IMS?charSet=UTF-8&targetServerType=master
application.properties
spring.datasource.url = jdbc:postgresql://10.0.124.110:5433,10.0.124.151:5433/SQDB6_IMS?
charSet=UTF-8&targetServerType=master
12. If you have installed YSoft Payment System update environment-configuration.

properties.
environment-configuration.properties
database.url=jdbc:postgresql://<PRIMARY_DATABASE_IP_ADDRESS>:5433,
<STANDBY_DATABASE_IP_ADDRESS>:5433/SQDB6_YPS?targetServerType=master
environment-configuration.properties
database.url=jdbc:postgresql://10.0.124.110:5433,10.0.124.151:5433/SQDB6_YPS?
targetServerType=master
13.

13. Setup PostgreSQL database service Startup type to Manual on both primary database and
standby database.
14. Start database services on both primary database and standby database. On standby
database there is no PostgreSQL service registered in local services. Switch to directory
with extracted PostgreSQL 11 binaries (this guide uses: C:\PGSQL), navigate to its bin
subdirectory. Use following command to start PostgreSQL service from command line.
Starting PostgreSQL from command line
pg_ctl.exe start -D "<PATH_TO_STANDBY_DATABASE_DATA_FOLDER>" -w
Starting PostgreSQL from command line
pg_ctl.exe start -D "c:/PGSQL-data" -w

For ease of use, you can register a service from pg_ctl executable:
Service registration example
SC CREATE "YSoftPGSQL" start=demand binpath=""

<PATH_TO_STANDBY_DATABASE_ROOT_FOLDER>\bin\pg_ctl.exe" runservice -N "YSoftPGSQL" -D
"<PATH_TO_STANDBY_DATABASE_DATA_FOLDER>" -w
Service registration example
SC CREATE "YSoftPGSQL" start=demand binpath=""C:\PGSQL\bin\pg_ctl.exe" runservice -N

"YSoftPGSQL" -D "C:\PGSQL-data" -w"
On standby database, check PostgreSQL logs. In newest log following log entries should
indicate that database cluster is up and running.
LOG: entering standby mode

LOG: redo starts at 0/945AFF8
LOG: consistent recovery state reached at 0/945B0D8
LOG: database system is ready to accept read only connections
LOG: invalid record length at 0/945B0D8: wanted 24, got 0
LOG: started streaming WAL from primary at 0/9000000 on timeline 1
15. Start YSoft SafeQ services. There should be no errors in service logs. Data created by
services should be present in both databases.
PostgreSQL cluster monitoring
For monitoring database cluster, various 3rd party monitoring tools exists that are leverage
PostgreSQL logging, events and specific queries. However, this section will not cover any external
tool, but will rather give a slight overview upon PostgreSQL built in monitoring mechanisms,
Database logs
By default, database logs are located in data folder (e.g. PGSQL-data/pg_log) and is rolled over
based on both log file size and file age. Log configuration could be changed in postgres.conf file.
Log files should be checked whenever the recovery and/or fail-over is taking place, as well as
when the database had started, to verify the process is behaving as expected.
In the context of Streaming Replications used for synchronizing databases between primary and
standby databases, when starting the standby database , the following message should appear
in the database log:

LOG: redo starts at 0/10000028
LOG: consistent recovery state reached at 0/10000130

LOG: started streaming WAL from primary at 0/11000000 on timeline 3
It signifies, that all the changes from the primary database has been successfully applied, and the
database is started in hot-standby mode, accepting read only connections.
When the primary database fails and the automatic fail-over is setup, the following logs will be
recorder on the standby database:
LOG: replication terminated by primary server

DETAIL: End of WAL reached on timeline 3 at 0/1100B158.
FATAL: could not send end-of-streaming message to primary: no COPY in progress
LOG: invalid record length at 0/1100B158: wanted 24, got 0
FATAL: could not connect to the primary server: could not connect to server: Connection
refused (0x0000274D/10061)
Is the server running on host "10.0.124.177" and accepting
TCP/IP connections on port 5432?
...
... after some time when the automatic fail-over promotes this standby database server to be a n
ew primary database ...
...
LOG: received promote request
LOG: redo done at 0/1100B0E8
LOG: last completed transaction was at log time 2019-09-10 12:36:18.353551+02
LOG: selected new timeline ID: 4
LOG: archive recovery complete
LOG: database system is ready to accept connections
More about database logging could be seen in official PostreSQL documentation here https://www.
postgresql.org/docs/current/runtime-config-logging.html
Monitor database role
To check, which database is currently the primary database, execute the following query
select pg_is_in_recovery();
If the result is true, queried database is standby; if false, it is primary.
Optionally, pgmetrics tool could be used to list a handy overview of database current status also
with various details not only about replication.
pgmetrics.exe -h <IP_address> -U <user_name>

Queries for primary database
To get list of all standby servers as well as their current replication performance, run the
following query:
select
pid,
client_addr,
application_name,

usename,
state,
sync_state,
pg_wal_lsn_diff(pg_current_wal_lsn(), sent_lsn) sending_lag,
pg_wal_lsn_diff(sent_lsn, flush_lsn) receiving_lag,
pg_wal_lsn_diff(flush_lsn, replay_lsn) replaying_lag,
pg_wal_lsn_diff(pg_current_wal_lsn(), replay_lsn) total_lag
from pg_stat_replication;
sending_lag could indicate heavy load on primary
receiving_lag could indicate network issues or replica under heavy load
replaying_lag could indicate replica under heavy load
To find out which file is currently used for write ahead log, execute this query:
select pg_walfile_name(pg_current_wal_lsn());
Queries for standby database
To check delay on the standby, execute the following query:
SELECT
CASE
WHEN pg_last_wal_receive_lsn() = pg_last_wal_replay_lsn()
THEN 0
ELSE EXTRACT (EPOCH FROM now() - pg_last_xact_replay_timestamp())
END AS log_delay;
The result is the number of seconds between the transaction was aborted or committed on
primary and the time it was received on the standby. If the replication did not started or failed to
start, this query will return NULL.
Please note, that if the system time of these servers differs, the resulted number may be
misleading.
Automated monitoring
Automated monitoring is based on checking all the databases from any server on the network
(will refer to this server as Monitoring server) in the predefined intervals and automatically log
Windows Log Events in the following cases:
primary server is inactive
any standby server is inactive
more than one primary server is active

This is achieved by Windows Scheduler invoking Powershell script which is using the same
monitoring tools as described in this section above - executing SQL queries. Script could be
scheduled on any server in the network, if the following preconditions have to be met:
server has a network visibility to monitored databases, with allowed connection to the
database ports
PostrgreSQL CLI utilities has to be in PATH system environment variable (YSoft SafeQ 6 with
embedded PostreSQL has CLI tools at '<PATH_TO_STANDBY_DATABASE_ROOT_FOLDER>\bin'
folder. Default installation path of PostgreSQL CLI utilities is C:\Program Files\PostgreSQL\11\bin
).
Script location
Script are located in the full installation package <installation package>\Complementary

Solutions/PostgreSQL/pg-failover.zip
1. For executing the script, a new database user with limited privileges has to exists. Its
possible to reuse existed user, but its recommended to create a specific one for monitoring
purposes only. On the primary database, create new user "cluster_monitor" (user will be
replicated to the standby database automatically).
CREATE USER cluster_monitor ENCRYPTED PASSWORD '<CLUSTER_MONITOR_USER_PASSWORD>';
2. Add the IP address of the Monitoring server to the pg_hba.conf file on both primary and
standby database.
host postgres cluster_monitor <IP_ADDRESS_OF_THE_MONITOR_SERVER>/32 md5

2.
3. On the monitoring server add an entry to the pgpass.conf file for each database server.
Default location of pgpass.conf is in %APPDATA%\postgresql\pgpass.conf (where %
APPDATA% refers to the Application Data subdirectory in the user's profile) . This is
standard PostgreSQL security feature - for more details refer to the official documentation:
https://www.postgresql.org/docs/current/libpq-pgpass.html
<PRIMARY_DATABASE_IP_ADDRESS>:<DATABASE_PORT>:postgres:cluster_monitor:
<CLUSTER_MONITOR_USER_PASSWORD>
<STANDBY_DATABASE_IP_ADDRESS>:<DATABASE_PORT>:postgres:cluster_monitor:
<CLUSTER_MONITOR_USER_PASSWORD>
1. Copy the PowerShell script PgMonitor.ps1 to the Monitoring server
2. On the Monitoring server
a. create a new scheduled task in the Task Scheduler
b. In "General" tab, fill the name, description, check "Run whether user is logged on or
not" and "Run with highest privileges".

c.
c. In "Triggers" tab, create new trigger, that will run every 5 minutes and never expires.
d. In the "Actions" tab, create a new action that will start a script. Use Powershell as
program to start and add following arguments. At least 2 IP addresses are required.
-File "<path_to_script>\PgMonitor.ps1" <PRIMARY_DATABASE_IP_ADDRESS>,

STANDBY_DATABASE_IP_ADDRESS cluster_monitor

3. Save the scheduled task and trigger it manually to ensure it will run in predefined interval.
Wait till the task runs at least once and check Windows Event Application log for errors. In
the case of properly configured task, no event is listed there.
4. (Optional) if you are not sure if the script is invoked correctly, you can turn on logging by
add log parameter to turn logging on. Example: -log "C:\logs\PgMonitor.log"
-File "<path_to_script>\PgMonitor.ps1" <PRIMARY_DATABASE_IP_ADDRESS>,

STANDBY_DATABASE_IP_ADDRESS cluster_monitor "C:\logs\PgMonitor.log"
When automatic monitoring script detects the failure, it logs a Warning Windows event in Event
Log.

The following events are logged to the Windows Event Log.
Eve Title Description Leve Source

ntID l
1 Environment Some of the PostgreSQL CLI utilities were not found on Error PostgreSQ
check failed PATH or the invalid arguments have been provided. See LMonitorS
the error message which tells you what happen. cript
2 Any of the Number of active standby databases differs from the War PostgreSQ
standby number of all provided databases minus one primary ning LMonitorS
database is not database. cript
responding
3 Primary database The primary database is not responding. War PostgreSQ

is not responding ning LMonitorS
cript
4 More than one More than one active primary database exists. War PostgreSQ
primary database ning LMonitorS
has been cript
detected
Windows Event
Please note, that the PgMonitor.ps1 script creates only a Windows Event. Its up to each
administrator to setup a subsequent notification. Also there is no internal memory/history of the
previous runs. This means the scheduler will execute the PgMonitor.ps1 script every time
(according to configured interval), and in case the error, the Windows Event Log is created until
the detected issue is fixed or the scheduled task is disabled/removed.
It is recommend to add a custom action on the event ID 2, 3 and 4 (for example to send an email
to the administrators).

PostgreSQL Failover and Recovery
Fail-over overview
This solution is based on Streaming replication that allows a database server to send a stream of
data modifications to another server. PostgreSQL physical replication constructs a stream of
logical data modifications from the WAL (write ahead log) and allows the data changes from
individual tables to be replicated. In case of primary database fails, the standby database could be
promoted to primary, as depicted below. This fail-over functionality could be either manual or
automatic.
Manual fail-over
1. Check if the primary database is accepting connections by running command below.
a. 'pg_isready.exe' is utility in '<PATH_TO_PRIMARY_DATABASE_ROOT_FOLDER>\bin'

folder. The command can be run from any computer with network visibility to primary
database.
pg_isready execution
pg_isready.exe --host=<PRIMARY_DATABASE_IP> --port=<PRIMARY_DB_PORT> --

username=<ALLOWED_USERNAME> --timeout=<timeout_in_seconds>
pg_isready with real values
pg_isready.exe --host=10.0.124.110 --port=5433 --username=replicator --timeout=60
2. Promote 'stand-by' database.

2.
a. Connect to the computer with standby database.
b. Change directory to '<PATH_TO_STANDBY_DATABASE_ROOT_FOLDER>\bin' folder if

you don't have it on a PATH.
c. Run the command below to promote database to the primary (usual value of
'<PATH_TO_STANDBY_DATABASE_DATA_FOLDER>' eg 'C:\Program
Files\PostgreSQL\11\data').
pg_ctl.exe promote -D <path_to_postgres_data_folder>
3. Check if the newly promoted database is primary.
a. Check if the newly promoted database is primary by executing query below on a

newly promoted database. Result should be false.
select pg_is_in_recovery()
b. Check the management interface authentication works. You should be able to log in
and use the interface for administrative tasks.
Automated monitoring and Fail-over
Automated fail-over is based on checking primary database from the server with the stand-by
database in periodic intervals and automatically promote stand-by database if the primary
database is down. In this setup, we will use the Windows schedule task to invoke PowerShell
script that follow the same steps as described in Manual fail-over section.
Script location
Script are located in the full installation package <installation package>\Complementary

Solutions/PostgreSQL/pg-failover.zip
1. On the server with stand-by database, add PostrgreSQL CLI utilities to PATH system
environment variable.
a. YSoft SafeQ with embedded PostreSQL has CLI tools at

'<PATH_TO_STANDBY_DATABASE_ROOT_FOLDER>\bin' folder. Default installation
path of PostgreSQL CLI utilities is C:\Program Files\PostgreSQL\11\bin .
2. Copy the PowerShell script PgPromote.ps1 to server with stand-by database.
3. On the server with stand-by database:
a. Create a new scheduled task in the Task Scheduler.

b. In "General" tab, fill the name, description, check "Run whether user is logged on or
not" and "Run with highest privileges".
c. In "Triggers" tab, create new trigger, that will run every minute and never expires.

d. In the "Actions" tab, create a new action that will start a script. Use Powershell as
program to start and add following arguments.
-File "<path_to_script>\PgPromote.ps1" -masterAddress

<PRIMARY_DATABASE_IP_ADDRESS> -port <PORT_OF_PRIMARY_DATABASE> -username
<ALLOWED_USERNAME> -path "<PATH_TO_STANDBY_DATABASE_DATA_FOLDER>"
<ALLOWED_USERNAME> is replicator user allowed in pg_hba.conf.

4. Save the scheduled task and trigger it manually to ensure it will run every one minute. Wait
one minute so the scheduled task runs at least once and check Windows Event Application
log for errors.
5. (Optional) if you are not sure if the script is invoked correctly, you can turn on logging by
add log parameter to turn logging on. Example: -log "C:\logs\PgWatcher.log"
-File "<path_to_script>\PgPromote.ps1" -masterAddress <PRIMARY_DATABASE_IP_ADDRESS> -port

<port_of_primary_DB> -username <ALLOWED_USERNAME> -path "<PATH_TO_STANDBY_DATABASE_DATA_FO
LDER>" -log "<PATH_TO_LOG_FILE>"
In case of planned server outage, please consider disabling the fail-over script to
avoid the need to do the manual recovery afterwards.

Notifications
When automatic fail-over script detects that standby database is down, it logs a Warning
Windows event in Event Log.
Automatic fail-over script logs the following events to the Windows Event Log.
Eve Title Description Lev Source

ntI el
D
1 Environment check Some of the PostgreSQL CLI utilities were not found Err PostgreSQLP
failed on PATH or path of PostgreSQL folder doesn't or romoteScript
exists. See the error message which tells you what
happen.
2 Stand-by database The primary database went down, stand-by Wa PostgreSQLP

promoted to primary database was promoted. rnin romoteScript
g
Recommended
It is recommend to add custom action on the event ID 2, (for example to send an email to the
administrators) to avoid data loss or data inconsistency. Please refer to Caveats section below.
Recovery scenarios
Based on the role of the failed database, either one of the options is available:
in case of failed primary database, the remaining standby database has all the data since the
failure, so it could be promoted to primary database and failed previous primary has to be
recovered as future standby

in case of failed standby database, either reconnect the database and let the replication
replay all the changes or recover the database from scratch
The below sections describe both scenarios in greater detail.

Recover failed standby database server
In case the standby database server fails, primary database server is still serving the
application.
Primary database is still recording the transaction in WAL files, but only for a limited time
(depending on the configuration option wal_keep_segments, refer to the PostgreSQL cluster).
Until the number of WAL files does not reach the wal_keep_segments, the state of the standby
database could be still replayed from these backups - we refer to this as Temporary connection
outage. In the other case, when the WAL files max count is reached, the primary database starts
to reusing the WAL files starting from the older ones and the automatic replay is not an option
anymore. This is considered as Long term connection outage and different solution has to be
applied.
Temporary connection outage to the standby database
In case of temporal connection outage, the standby database will "catch up" with the primary
database as soon as the connection is established, replaying all the changes done in primary
database since the last synchronization. To verify that, the similar log messages should be found
in the standby log files:

LOG: redo starts at 0/B000E20
LOG: consistent recovery state reached at 0/B000F00

Please note, that time for which the standby database could be offline is limited. The maximum
time, for which all the changes done in primary database will be automatically replayed on
standby is determined by the wal_keep_segments configuration option (refer to PostgreSQL
cluster for more details). If the standby database is taken online after the primary database starts
reusing the following error message will appear in standby's database log file and the replication
fails. In such case, do the entire database restore as described below.
FATAL: could not receive data from WAL stream: ERROR: requested WAL segment
00000002000000000000000B has already been removed
Long term connection outage to the standby database
If the standby database is offline while the primary database's count of WAL files reached its
maximum and starts reusing the earlier WAL files, the recovery via streaming replication is no
longer available due to missing data. In such case, the standby server data has to be recreated
again in the same way as when configuring the standby database for the first time (refer to
PostgreSQL cluster).
1. Stop the database service YSoftPGSQL (if not stopped already due to failure).
2. Backup the content of the data folder. In case of embedded database installation, the folder
is located in C:\<safeq_folder>\Management\PGSQL-data .
3. Delete the content of the data folder.
4. Run the following command, replacing the placeholders <...> with correct values a confirm
with password.
<DB_IP_ADDRESS> - IP address of the primary database that will serve as source of

replication
<USER_NAME> - name of the database user that either has a superadmin role or user with
REPLICATION option (refer to PostgreSQL cluster for user creation)
<DB_PORT> - database port for accepting incoming connections
<DATA_FOLDER_LOCATION> - location of the database's /data folder. This value may be

omitted if it is set as the PGDATA environment variable.
pg_basebackup -h <DB_IP_ADDRESS> -U <USER_NAME> -p <DB_PORT> -D <DATA_FOLDER_LOCATION> -

Xs -R -P -v
5. After the command competition, verify the data folder is present and contains recovery.
done file - this signals the recovery completion.
6. Remove the recovery.done file as well as current_logfiles file and the entire
pg_log folder. These files have been copied from the recovery source database and will
only confuse readers.
7.

7. Start up the YSoftPGSQL service again. Verify that the most recent log file in the pg log file
contains similar log messages:
LOG: redo starts at 0/E000028

LOG: consistent recovery state reached at 0/E0000F8
FATAL: the database system is starting up
LOG: started streaming WAL from primary at 0/F000000 on timeline 2
8. Check if the automatic fail-over is setted automatically on the new Slave as described in
section above.
Recover failed primary database server
In case of the primary database server fails, the administrator is notified about standby database
promotion by event in Windows event log on (see Notifications in Automated Failover section).
Standby database is promoted to be new primary database, but the previous primary database
has to be manually recovered to become part of the cluster again - now in the role of standby. In
other words, database that was a standby had been promoted to primary, and database that
was primary has to be recovered to be a standby.

The recover operation will replay all the data from the current primary database, and enabling the
standby mode. To apply this, follow these steps:
1. Stop the database service YSoftPGSQL (if not stopped already due to the failure).
2. Backup the content of the data folder. In case of embedded database installation, the folder
is located in C:\<safeq_folder>\Management\PGSQL-data .
3. Delete the content of the data folder.
4. Run the following command, replacing the placeholders <...> with correct values a confirm
with password.
<DB_IP_ADDRESS> - IP address of the primary database that will serve as source of

replication
<USER_NAME> - name of the database user that either has a superadmin role or user with
REPLICATION option (refer to PostgreSQL cluster for user creation)
<DB_PORT> - database port for accepting incoming connections
<DATA_FOLDER_LOCATION> - location of the database's /data folder. This value may be

omitted if is set as the PGDATA environment variable.
pg_basebackup -h <DB_IP_ADDRESS> -U <USER_NAME> -p <DB_PORT> -D <DATA_FOLDER_LOCATION> -

Xs -R -P -v
5. After the command competition, verify the data folder is present and contains recovery.
done file - this signals the recovery completion.
6. Remove the recovery.done file as well as current_logffiles file and the entire
pg_log folder. These files have been copied from the recovery source database and will
only confuse readers.
7. Start up the YSoftPGSQL service again. Verify that the most recent log file in data folder
/pg_logs contains this log message.
Database will accept only read only connections - meaning this database is in hot-standby
mode - all data changes done in primary database are immediately replicated into this hot-
standby database, but only read only queries could be executed there.
Do not forget

Once the previously failed primary database is recovered as standby database, do not forget to
setup automatic fail-over as described in section above.
Fail-over and Recovery caveats
Please be aware about the following limitations of the solution.

Avoid having two primary databases
In case of promoting standby database to primary due to failed primary database (either
automatically or manually), it is vital not to start failed primary database. Having two primary
databases up and running will lead to data inconsistency, because primary databases does not
replicate data between themselves.
To mitigate this issue, always have PostgreSQL service Startup type set to Manual, as
described in configuration section
Recommendation
It is recommended to check the status of failed primary database whenever the fail-over
notification is received and do the recovery steps in order to minimize potential data loss or data
inconsistency. For notification setup, please refer to Automated fail-over Notifications section
above, for monitoring databases, refer to PostgreSQL cluster monitoring.
Delay between promoting standby server to primary
Even with the automatic fail-over script in place, there is some time (currently limited to 90
seconds) for which the primary database is down and standby database is serving read-only
requests. For this period, the following happens:
any request made to the running standby server with read only queries will be handled
any request made to the running standby database server with read/writes queries will be
rejected
any request made to Management server with read/writes queries will be rejected
any request made to Management server GUI will be served with the HTTP 500 response
status
5.5.2 HARDWARE
5.5.2.1 Guide for Hardware Administrators
This guide is for administrators who need to control one piece of YSoft hardware device. By YSoft
hardware device we mean:
YSoft be3D eDee,
YSoft SafeQ Terminal Pro 4 or
YSoft SafeQube 2.

The term device is used in the rest of this guide for any of the products
How to rescue flash the device
Rescue flashing is only needed for manufacturing or when the device is broken and the admin
wants to clear the device and remove all configuration. For normal OS update see section
Operation system update below.
This guide is for operating systems 4.x.x. For flashing older systems contact Y Soft.
Prerequisites
USB flash disc
micro USB (male) - USB (female) cable (OTG)
Flash preparation steps
1. Download OS files according to the version you want to flash:
For versions newer than 4.2.0 you need signed_fitimage.rescue, uaos-4.x.x.

tar.gz
For versions older than 4.2.0 you need files signed_fitimage-rescue,

signed_fitimage-rescue.sig, signed_os-ua-devel-4.1.25.tar.gz,
signed_os-ua-devel-4.1.25.tar.gz.sig
2. Format USB disc to FAT32.
3. Copy all files from step 1 to flash disc.
Now the flash disc is ready for flashing. If you want to customize the flash you can add additional
apps or configuration.
Adding apps to the flash
1. Download .tar.gz install file of the app.
2. Copy this file to the app/ directory on the flash disc.
Flashing
1. Insert the flash drive into the USB port (using OTG cable).
2. Turn on device.
3. The device will automatically erase old OS and install a new one. The process takes few
minutes.

4. When message "Unplug flashdisk" is displayed, unplug the flash drive. The device will reboot
itself.
5. After the new system boots, device will:
a. Apply DB patch and init the database to initial state.
b. Communicate certificate with the CA (if mTLS is enabled and there was pairing-key in
the customization file).
c. Install apps that were copied to the device from the flash drive.
After that the device is ready to to use. It will display IP address on the screen and admin could
login to the device using one of the methods listed below.
How to login
There are two ways how to control the device:
A management console accessible over SSH. The management console is a command line
utility, which allows administrators to configure the devices.
All available commands can be listed in the console by command 'help '. More more
specific help for particular command will be displayed after typing ' <command> --help '
.
The console has autocomplete function - press the [Tab ] key for the console to show
you available commands in the current context or automatically complete the current
command.
The command history can be browsed by up and down keys.
The management console session can be terminated by the ' exit ' command.
To clear the screen use ' clear '.
A management web interface which allows:
Browsing and exporting log files.
Update and reboot of OS.
Installation and uninstallation of applications.
Starting, stopping, restarting and configuring of applications.
Most common device configuration (network, timezones, NTP, Infrastructure servers (IMS)).
Credentials
Username: manager
Default password: oCfpB112g5bZpOcywAp7

The credentials are the same for both the management console and the management web. If you
change your password in one of them then the other will accept only the new password.
The password is valid for all devices. It is highly recommended to change the password. For
more information see section How to change manager password below.
For more information on how to log to the management console see Management console section
Login.
For more information on how to log to management web see Management web section Login.
How to change manager password
The new password has to have at least 6 characters.
For more information on how to change the password on the management console see
Management console section Change Password.
For more information on how to change the password on the management web see Management
web section Change Password.
How to reboot the device
Rebooting the device is possible only from management console. For more information see
Management console section How to reboot the device.
Connection to YSoft Infrastructure Service (IMS)
The YSoft Infrastructure Service is part of YSoft SafeQ Management Service and allows to
control groups of YSoft Hardware devices. Device is usually connected to the IMS during
installation or deployment steps. Once the device is connected to IMS, it can download OS
images, applications, or configuration from there.
For more information see Management console section Connection to YSoft Infrastructure
Service (IMS) .
For more information see Management web section Connection to YSoft Infrastructure Service
(IMS) .
The server connection timeout cannot be set from the web interface.
Operating system update
For more information see Management console section Operating system update.
For more information see Management web section Operating system update.
Applications
The YSoft hardware device is delivered with pre-installed applications according its type.

Configuring application
For more information see Management console section Configuring application.
For more information see Management web section Configuring application parameters.
Controlling applications
For more information see Management console section Controlling applications.
For more information see Management web section Configuring Application.
Application update
It is not possible to update the application in one step. The update procedure consists of
application package upload, uninstalling or stopping the old application, and then installing the new
application. The data and configuration are shared by different versions of the same application.
Installing application with IMS connection
For more information see Management console section Installing application – With IMS connection.
Installing application without IMS connection
For more information see Management console section Installing application – Without IMS
connection.
For more information see Management web section Installing application.
The application installation package is deleted after successful installation.
Uninstalling applications
For more information see Management console section Uninstalling application.
For more information see Management web section Uninstalling application.
How to see logs
For more information see Management console section How to check logs.
For more information see Management web section Logs.
Other configuration
Networking
For more information see Management console section Other configuration – Networking.
For more information see Management web section Other configuration – Networking.
Time

To simplify international shipping, the device doesn't have a battery to backup time
information while it is powered down. The time right after start may not be accurate and will
be synchronized with NTP server at the earliest possible time according to timezone and NTP
server settings.
For more information see Management console section Other configuration – Time.
For more information see Management web section Other configuration – Time.
Services control
For more information see Management console section Other configuration – Services control.
For more information see Management web section Controlling system services – only for OS
version 4.4 and higher.
SNMP configuration
Only for OS version 4.5. and higher.
For more information see Management console section Other configuration – SNMP configuration.
For more information see Management web section SNMP.

CPU information
For more information see Management console section Operating system status and info – CPU
and RAM information.
Display backlight
For more information see Management console section Other configuration – Display backlight.
Sound
For more information see Management console section Other configuration – Sound.
Management console
Guide how to use Management console for administration of YSoft hardware.
Login
1. Open SSH connection to your device (https://en.wikipedia.org/wiki/Secure_Shell, http://www.

putty.org/).
2. Login as manager (default login is manager and password oCfpB112g5bZpOcywAp7).
For all others command assume that administrator is already logged in.
Change Password
1. Run command "password set -user manager."

1.
draco-84$ password set -user manager

Enter password(6):
Enter password again:
Password changed
How to reboot the device
os reboot - reboot the device. If some applications prevents the reboot, it will wait until the
application allows it. Note: The application has to report its state, to be able to use this
functionality.
os reboot -force - reboot the device immediately, it does not reflect the state of
applications.
1. Check the settings - "server show address".
2. Set the connection to IMS - "server set -address protocol://<IMS address>:

port". It is possible to enter more addresses separated by "," (comma). This command
replaces all previously configured connections.
3. Addresses can be added or removed by "server add" or "server remove".
4. Test the connection - "server test".
draco-84$ server show address

uams.address: https://10.0.13.171:7348
draco-84$ server set -address https://10.0.11.12:7348
Operation was successful.
draco-84$ server add -address https://10.0.13.55:7348
uams.address: https://10.0.11.12:7348,https://10.0.13.55:7348
draco-84$ server test
https://10.0.13.55:7348: Not reachable
https://10.0.11.12:7348: Ok (212 ms) [used]
draco-84$ server remove -address https://10.0.13.55:7348
https://10.0.11.12:7348: Ok (192 ms) [used]
5. The timeout of the connection can be set by "server set timeout -timeout
<number>". The timeout is in seconds.
draco-84$ server set timeout -timeout 10

draco-84$ server show timeout
uams.timeout: 10

Operating system status and info
Overall OS status
Shows current system metrics, such as load, cpu usage, free space on system and application
partition etc..
Available from OS version 4.6
1. run "os show status"
draco-02ce$ os show status

Uptime: 3 hours 1 minute 49 seconds
CPU:
[0] Load: 4.04%
System load: 1.19
RAM: 159.36 / 492.37 MB used (32.37%)
Storage:
System: 918 MB / 3.49 GB used (25.69%)
Applications: 392 MB / 2.34 GB used (16.35%)
For autorefreshing of results use "os show status -autorefresh x" where x is interval in
seconds. To stop autorefresh press Ctrl-C.
CPU and RAM information
CPU information are available for monitoring and troubleshooting purposes.
os cpu model - get CPU Model.
os cpu cores - get number of cores.
os cpu temp - get core's temperature.
os cpu - get overall information in one output.
os show ram free - get available RAM.
os show ram total - get total amount of RAM.
os show ram - get overall information in one output.
HW information
os show serialnumber
os show hw - overall info about hardware, serial numbers, MAC address, ...

1. Check version available on IMS - "os show versions".
2. Download OS update package - "os update fetch -version <version>".
3. Login to the management console after the upload finishes.
4. List available versions - "os show versions".
5. Run command "os update -version <new version>".
draco-84$ os show versions

hw.osversions: versions:4.2.3
4.3.0
draco-84$ os update -version 4.3.0
Finished successfully
6. The device is rebooted automatically during the update.
7. Check the version after update.
draco-84$ os show version

hw.osversion: 4.3.0
OR
1. Download and install the update in one command by "os update -version <version>
".
2. The system is updated and rebooted into new version.
1. Set application configuration.
a. one parameter at a time - "applications set configuration -appname

<appname> -key <parameter> -value <value>".
b. more parameters in one command - "applications set multiple -appname

<appname> -keys <parameter1>=<value1> <parameter2>=<value2> ...
".
2. Check the configuration - "applications show configuration -appname

<appname>". Note that the configuration is shared by different versions of the application,
therefore the command does not contain the argument version.
3. Remove unwanted parameters - "applications remove configuration -appname

<appname> -key <parameter>".

You may list applications with commands:
applications show installed - display all applications installed on the system including
their states.
applications show running - list all applications currently running on the device.
applications show deployed - list all applications ready for installation on the device.
applications show available - list all applications available on IMS.
applications show capabilities - list all applications' assigned capabilities. available

from version 4.5.
You can find more information about what are the capabilities here. For now there are allowed
just three: CAP_NET_RAW, CAP_NET_ADMIN, CAP_NET_BROADCAST and they have to be
requested in applicaton manifest (app.desc).
You may start, stop, restart applications with commands:
applications start -appname <app_name> -version <version>.
applications stop -appname <app_name> -version <version>.
applications restart -appname <app_name> -version <version>.
Application stop and restart checks if the application is busy before stopping it. If the
application is not ready to be interrupted at the moment then it schedules the required action
for the earliest moment application gets into non-busy state.
You may set autostart for an application (application with set autostart on will automatically start
after boot):
applications autostart -appname <app_name> -version <version> -enable

<on/off> - set/unset the start of application after the device powers on.
Installing application
With IMS connection
1. List applications available on IMS - "applications show available".
2. Download the required application package - "applications fetch store -appname

<appname> -version <version>".

OR
1. List applications available on IMS - "applications show available".
2. Download and install the application in one step - "applications install store -
appname <appname> -version <version> -autostart <on/off>". If autostart is
set to [on] then the application is started after installation and starts automatically after
the device starts.
Without IMS connection
1. Install the application from an url - " applications install uri -appname <appname> -url <url> -
version <version> -autostart <on/off> ". If autostart is set to [on] then the
application is started after installation and starts automatically after the device starts.
Uninstalling application
To uninstall the application run " applications uninstall -appname <app_name> -

version <version>". All applications data are kept and can be used by different version of
the same application.
To remove the application completely from the system run "applications uninstall -
appname <app_name> -version <version> -cleanup on."
Other configuration
Networking
Management console enables to set up static or dynamic network configuration.
network show configuration - display the current network configuration.
network set dhcp - set dynamic network settings. The device will fetch its network
configuration from the DHCP server.
network set static -ip <IP address> -gateway <gateway IP address> -

static network settings.
network set -dns <dns server IP address> - change the DNS server address.
Ping
To test internet connection administrator can run traditional ping command. Output is same as
Linux ping command.
Run "os ping -address <address>"

draco-84$ os ping -address 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=3.43 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 1503ms
rtt min/avg/max/mdev = 2.637/2.863/3.435/0.331 ms
Administrator can specify number of packets by appending "-count X" option where X is the
number of packets to send (default is 4).
Time
server settings.
Administrator may use following commands in the management console for setting up a time
zone and NTP servers for device time synchronization:
time show - shows time in this format: YYYY-MM-DD hh:mm:ss (<time difference from UTC>
TIMEZONE).
timezone show - shows actual timezone set on the device as it is named in IANA time zones
library.
timezone show groups - shows available groups for setting time zone.
timezone show available -group <group> - shows available time zones in a group of
time zones.
timezone set -group <group> -place <place> - command for a change of time
zone. Both the group and the place have to be selected from the list of groups or places given
by their respective commands.
Setting up NTP servers is possible through the following commands.
time ntp show - shows the actual list of NTP servers separated by a comma.
time ntp set -servers <ntp_server_1>,<ntp_server_2>,... - sets the list of

NTP servers to the provided servers (replaces any previous settings). There must be at least
one server.
time ntp set default - resets the actual NTP server list to default. The default list
contains 5 well known servers located on the internet.

time ntp remove -servers <ntp_server_1>,<ntp_server_2>,... - removes the
provided NTP servers from the list. There must be at least one left in the actual settings.
time ntp add -servers <ntp_server_1>,<ntp_server_2>,... - adds provided

NTP servers at the end of the actual settings.
Services control
Some basic commands are enabled for control of services available in the operating system:
services list - lists all the services available for controlling in the current version of the
device's operating system.
services detail -name <service_name> - shows detailed information about the

specified service.
services start -servicename <service_name> - starts the specified service.
services stop -servicename <service_name> - stops the specified service.
services autostart -servicename <service_name> -enabled <on/off> - enable

/disable service to start after boot. Enabling or disabling does not affect the service
immediately, it is applied after next boot.
SNMP configuration
Available from OS version 4.5 and higher
You may configure SNMP security name, types of encryption and passphrases with:
network show snmp configuration - lists all available configuration. does not list passphrases,
actual values of passphrases are not retrieveable anywhere.
network set snmp configuration -securiytname <security_name> -

authtype <auth_type> -privtype <priv_type> - sets security name, authentication
encryption type and privacy encryption type.
network set snmp conifguration authpassphrase - prompt for insertion of

password like value appears and confirmed value is saved as the authentication passphrase.
network set snmp configuration privpassphrase - prompt for insertion of

password like value appears and confirmed value is saved as the privacy passphrase.
Display backlight
Management also enables to change the display brightness and get information about current
display setting.
display show brightness level - print the current level of display brightness.

display show brightness maximum - print the maximum level of display brightness.
display set brightness -level <value> - set the display brightness to a specified
level.
Sound
sound set volume -level <level 0-100> - sets the volume as a percentage of
highest value possible.
test sound - plays test_sound.wav file located in user's home folder.
How to check logs
For seeing logs in command line, there is a special account.

Login

putty.org/).
2. Login as user uam
3. Default password is Z4WXJQRD9elR0g1LDxKq
Get logs
Use command 'journalctl' to get the logs.
journalctl > logs-`date +"%Y-%m-%d_%H-%M-%S"`.log - saves the logfile to /home

/uam/logs-*.log, the log can then be downloaded using SCP.
journalctl -f - follows the logs as they are being written.
journalctl -u UNIT - show logs only for specified unit
For more options see https://www.freedesktop.org/software/systemd/man/journalctl.html
Management web
Guide how to use Management web for administration of YSoft hardware.
Screenshots
Screenshots in this guide are from OS version 4.8, on older versions there may be slightly
different colors and layout.
Basic operations
Login
1.
1. Go to https://<device IP address>:8083/web. On OS versions lower than 4.2 the address
has to contain the particular tab, e.g https:// <device IP address> :8083/web/logs/ for logs
tab.
2. Login as manager (default login is manager and password oCfpB112g5bZpOcywAp7)
3. Use web interface to interact with the device. When no activity is done for longer than 30
minutes you will be automatically logout.
For all others examples assume that administrator is already logged in.
Dashboard - System information
This is the default page you will be after successful login. It is accessible by Dashboard option in
the left menu.
It contains some useful system metrics such as uptime, system load, cpu, ram and disk usage.
For automatic refresh you should change refresh interval from 5 to 60 seconds.
Page layout:
Main menu on the left side - these options brings you to the pages (each page may consist
from several tabs) by clicking on them. Active page is highlighted (Dashboard on this
screenshot).

Tab switcher bellow title bar (not use on the Dashboard page) - on pages with several tabs
you may switch these tabs by clicking on them.
User drop down menu in the top right corner - display/hide by clicking on the arrow symbol.
Content in the middle with Refresh interval dropdown menu, where you may choose interval
for updating displayed info without reloading whole page (not used on all pages).
Logout
1. Click in the right top corner near your login name on arrow down symbol. A popup menu will
show up.

2. Click on the Log out option.
Change Password
1. Click in the right top corner near your login name on arrow down symbol. A popup menu will
show up.

2. Click on the Change password option.
3. Fill in fields (your current password with which you have signed in to Current password
field and new password twice to the other fields).
4.

4. Press Save changes button.
Applications
1. Login to the web interface and go to the Applications page.
2. Press Install application button .
3. Select an application package (in tar.gz format). The name of the application package is
parsed during installation, the part before first dash ("-") is used as a name of an application,
whatever is after it until the .tar.gz is used as a version of the application. The application
version is optional. If there is no dash in the installation package name, the application will
be installed without specified version. For example: application with package name demoapp-
1.2.tar.gz will be installed as application with name demoapp and version 1.2.
4. Select whether automatically start installed application after system boot by Auto start
switch. Application with active auto start will be started immediately after the installation.

5. Click Submit button to start application upload and install. You will be informed about
upload status by progress bar.
The application installation package is deleted from device after successful installation.
1. Login to the management web and go to Applications page.
2. Check applications which you want to uninstall on the left side of applications table (on
picture bellow the orange-1.2 app is chosen for uninstall).

3. Press Uninstall application button in top right corner and confirm uninstallation by clicking
on the Uninstall button.
4. You will be informed about app uninstallation.

When the uninstalled application is in busy state its uninstallation may be postponed until it
completes its job. You will be informed about that by status message.
Reloading of the Applications page may be needed to refresh applications list after
uninstallation.
Configuring Application
You may see installed and running (status RUNNING) applications after logging in to the web
interface and going to Applications page.
It is possible to control installed applications using icons on the right side (see picture above):
Stop (rectangle icon) running application.
Start (play button/arrow right) stopped application.
Restart (circle) running application (shadowed arrows in circle is disabled because application
is stopped so it can't be restarted).
Rest of the icons may be used to access more detailed info about each application:
Edit and details (wrench icon) - see sections Setting autostart and Configuring application
parameter below for more info.
Show logs (stack icon) - display logs filtered for this application, see section Logs below for
more info.

Setting application autostart
In the Applications page click wrench icon for a specific application. You will get to Application
details page where you may enable autostart (or disable it when it is enabled), start, stop and
restart the application.
Configuring application parameters
Only parameters defined in application description file can be changed over web interface.
1. Login to the web interface and go to the Applications page.

2. Click on wrench picture in row of application you want to configure to get into Application
details page.
3. At the bottom of the page see configuration table. Table describes configuration of the
application with keys on the left, values in the middle and descriptions on the right.

4. Configure displayed parameters.
5. Press the Save changes button.
For configuring applications first specify to which IMS server the device should connect (see
Connection to YSoft Infrastructure Service (IMS) bellow)
System
1. Login to the web interface and go to the System page. You may see current OS version
t h e r e .
2. Press Update operating system button.
3. Select operating system package from your file system (.tar.gz file) and click Submit button.

4. Operating system will be uploaded, updated and device will automatically reboot. You will be
informed about upload process by progress bar.
5. After the restart login to web interface again and check on Dashboard tab actual OS
version.
Controlling system services
This feature is available in OS version 4.4 and higher.
You may see supported and running (status RUNNING) services after logging in to the web
interface and going to System services page.

It is possible to control these services using icons on the right side (see picture above):
Stop (rectangle icon) running service.
Start (play button/arrow right) stopped service.
Restart (circle) running service (shadowed arrows in circle is disabled because service is
stopped so it can't be restarted).
Set autostart (switch in the middle), services with autostart will be started automatically
after system boot.
Rest of the icons may be used to access more detailed info about each service:
Service details (info icon) - see section System service details below for more info.
Show logs (stack icon) - display logs filtered for this service, see section Logs below for more
info.
System service details
When you login to the web, go to System services tab and then click 'info' icon for a specific
service you will get to a detail page of the given service where you may enable autostart (or
disable it when it is enabled), start, stop and restart the service.

You can see logs of given service by using 'Show logs' button. This action will redirect you to
prefilled Logs page.
Logs
Viewing and downloading logs
1. Login to the web interface and go to the Logs page.
2. Select whether you want to see logs for all units (default), OS unit, some application unit or
custom filter.

3. Insert dates and times to filter by (from date and time are required).
4. Choose output formatting (JSON or text).
5. For simple viewing press View, for download of logs in the specified format press Download
and for viewing with real time addition of new logs press Auto refresh.
6. After logs are displayed you may turn on/off wrapping long lines using Wrap lines switch
above displayed logs (default position of this switch is persisted in a cookie in your
browser).

The application dropdown contains only currently installed applications. Previously installed
applications can be filtered by Custom filter.
Changing log level
1. Login to the web interface and go to the Configuration page and further to Logs tab.

2. Select log level from the Log level dropdown menu (all messages with more verbose log
level than the selected level will not be saved into log, order of verbosity is ERROR,
WARNING, INFO, DEBUG).
Enabling logs persistency
By default logs are not persistent - they are not saved on the flash storage and they disappear
after device reboot.
Logs persistency could be enabled for predefined time, during this time logs are saved on the
flash storage.
1. Login to the web interface and go to the Configuration page and further to Logs tab.

2. Click on the Log persistency switch to display more settings.
3. Select period for which will be persistence of logs enabled by selecting from the
Persistence logging period drowdown menu.
4.

After saving changes or when persistence is already enabled you will see information about how
long is persistency running and remaining time until persistency will be automatically turned off:
Other configuration
Networking
1. Login to the web interface and go to the Configuration page and further to Network tab.

2. In field next to Test connection you may insert an IP address and press Test button to
test whether the device can ping the IP address successfully.
3. In the form bellow it you may configure networking (DHCP on/off, static IP address, ...).
4. Press Save changes button after setting all the values.
You may be disconnected from the device if you misconfigure your network connection. Be
aware of all the settings before saving.
Time
1. Login to the web interface and go to the Configuration page.
2. Press Time horizontal tab.

3. Configure timezone and NTP servers (you may use '+' and 'x' buttons to add or remove NTP
servers to maximum number of 7 servers).
1. Login to the web interface and go to the Configuration page and further to Infrastructure
Server (IMS) tab.

2. Enter IMS address in format protocol://<IMS address>:port. It is possible to enter more
addresses by pressing the '+' button on the right side of Infrastructure servers field and
inserting new addresses into new fields which will appear (these fields could be removed
by pressing the 'x' button on the right side).
3. Ensure that the Enabled checkbox is on (on the picture above it is on).
4. With filled in fields you may test connection to the filled in servers by pressing blue Test
button on the right side of each Infrastructure server field. It will test network connection
to that server not specifically connection to IMS.
5. You can specify period in which the device will be sending heartbeats to the IMS, default
Synchronization period is 4 seconds.
6. Press the Save changes button.
The server connection timeout can not be set from the web interface.
SD card setup
SD card is not supported on ursa device type.
1.
1. Insert SD card into your device's SD card slot. Correct insertion produces an audible click.
2. Login to the web interface and go to the Configuration page and further to SD card tab.
SD card status informs whether card is not inserted , present or mounted. All
applications using the card are listed here when the card is mounted.

3. Press the Format SD Card button.
Warning
Formatting SD Card will erase all of its contents!

4. Go to the Dashboard page. You can see the sdcard storage in right bottom section. The
size and usage of SD cards are only shown if there is running application that uses the
card.

SNMP
Available from OS version 4.5 and higher
1. Login to the web interface and go to the System services tab.

2. Proceed to detail of snmpd service (by clicking on info icon).
3. Configure SNMP parameters.
5.

5. Go to System services tab and start/stop snmpd service. Also you may want to enable
autostart for the snmpd service to be automatically started after boot.
5.5.2.2 Card Reader Installation Guide
USB Reader tool for Reader configuration
USB Card reader v2/v3 can be configured only with software utility called "usbrdrtool". The
software runs in a system console. It is not a gui application, it is an application running in text
mode.
The usbrdrtool configuration tool is designed for USB readers v2/v3 only!
The usbrdrtool prerequisites:
Windows 2000 and higher
Linux kernel 2.4 or higher with glibc 2.3.2 or higher
Root access on Linux or possibility of sudo
usbfs support for libusb-0.12 library on Linux
usbrdrtool.exe (WIN32) or usbrdtool (Linux) exacutable binaries
Note: The program requires "root" privileges under Linux, therefore it must be run as user root or
sudo must be used.
The purpose of the usbrdrtool is:
Show information about connected USB readers.
Set basic parameters of each reader such as USB reader class type, reader protocol, debug
mode etc.
Card testing for verifying correct reader functionality and reading distance.
Display of card type during testing (with readers where applicable)
Update of USB reader normal firmware.
Update of USB reader service firmware.
Download log from USB reader for debugging purposes.
Configuration of the USB reader by usbrdrtool
Start the usbrdrtool under your operation system. When the program is run without any
command line parameter the following screen is shown. The main menu should appear with the
selection you want to do.

Picture 6 – Main menu
Here can user select the following numbers depends on the intervention administrator wants to
do.
Card reader configuration screen
When administrator selects the number of the reader from the reader list, the reader
configuration screens will be shown with general information about reader and following steps for
next administration:

Picture 7 - Reader configuration screen
Action 1 sets the USB reader configuration to defaults. This includes USB mode, reader
protocol, debug mode and other parameters. This option does not format data that are stored
on USB reader internal file system.
Action 2 sets USB mode. This option is available only for specific OEM USB reader type.
Available usb modes are described in chapters 4.2.1 and 4.2.2.
Action 3 sets card reader protocol. For some card readers it is necessary to enable support
for another card types. Default card reader protocol is 0 which means that the reader default
protocol will be used. If invalid card reader protocol is selected then the default protocol will be
used.
Note: Please see Y Soft Card Readers Protocols.pdf for more details about card reader protocols.
This*. pdf file is always attached to the zip file with released FW of the USB reader.

Action 4 enables debugging in case something goes wrong with the reader (for example hang-
up or reboot or anything similar). Please note that debugging enabled causes wear-out of
the internal flash so enable it only in cases when it is necessary!
Action 5 enables or disables sound on the USB reader. Please note that there is no visual
identification of successful card reading so users in some cases cannot guess what may
be wrong if the card reader makes no sound
Action 99 returns user to the previous menu. If any changes are made, the card reader is
rebooted and the changes are applied.
Action 100 returns user to the previous menu. If any changes in settings are made they are
discarded and original settings remain.
USB keyboard
USB keyboard – Optional mode
In this mode the USB reader works as a standard USB keyboard and can be switched to mode 3
only.
NOTE:
Typing of the keys is emulated as numeric keypad for 0-9 and A-F keys on standard EN/US
keyboard layout. If the card number contains any other characters, they are ignored. Caps-lock
and Num-lock are enabled and disabled if necessary and returned back to previous state after the
card number is read.
The "Shift", "Ctrl", "Alt" keys must not be held during card placing or it will collide with caps-
lock and num-lock setting and incorrect card number will be read
If a national keyboard layout is used (such as French, Russian, Chinese or other) a wrong card
number will be entered. In such cases a switch to US/EN keyboard layout is necessary before
placing the card.
USB serial
USB serial – Optional mode
This mode emulates operation of COM port and can be switched to mode 1 only.
On Windows platform the installation of the USB reader in this mode requires usb2-reader.inf file.
This file is distributed along with the usbrdrtool application and should be selected in the "new
hardware" wizard after the USB reader plugging/reconfiguration.
On Linux platform the driver for the serial port is installed automatically.
Card testing in usbrdrtool application will work in this mod

Action 3 - Setting card reader protocol
When you are on the main page select appropriate number of the reader. If you want to change
card reader protocol for specified reader type (selected number), then you need to open the value
3 "Set card reader protocol"
Picture 8 - Selecting of card reader
To choose appropriate reading protocol, please see Y Soft Card Readers Protocols.pdf for more
details about card reader protocols. This*. pdf file is always attached to the zip file with released
FW of the USB reader.
Select the number and confirm by "enter" confirmation.
Picture 9 - Reader protocol confirmation
After selecting the appropriate number of protocol, you will be navigated to submenu page, when
you need to save currently changed settings. Select "99" to save settings for changed reading
protocol and confirm.

Picture 10 - Saving of changes after protocol change
Card reader testing screen
Card testing screen menu can be started by number 100 from the main menu. See Picture 6 –
Main menu.
When testing window will appear you can test the reader by placing a card above the reader.
Picture 11 - Test card window 1
Reader should display result from reading inside this window like example on the Picture 12 - Card
testing result.
Picture 12 - Card testing result
Multiple card readers can be tested at once. The screen automatically recognizes disconnected
and newly connected readers so it may be used for mass-production card reader testing.
If the connected reader supports card presence detection then the card number and type is
visible only when the card is placed at the card reader.
If the connected reader does not support card presence detection, a "tmout" is displayed.

The card number will be automatically erased after a couple of seconds of inactivity. This feature
is intended to make sure that the reader works properly and card numbers are read correctly
every time a card is placed.
Please note that displaying the correct card type depends on card reader used and card reader
protocol set.
Before using usbrdrtool as a tool for customer card testing please consult USB card reader
testing guidelines.
It is also possible to start the card testing screen directly by specifying -t command line option to
the usbrdrtool application.
Card reader Update firmware
Update of firmware for USB card reader can be done by issuing the following command in the
Windows command like (CMD) or on Linux OS:
Windows:
usbrdrtool.exe -u -i usb2-2.0.1.fw --k
Picture 13 - FW update example
Linux:
sudo ./usbrdrtool -u -i usb2-2.0.1.fw -k
'-k' option will cause the new firmware to be booted after successful update.
Note: This command can be run form CMD windows or Linux, this is not a command inside the
usbrdrtool.
Card reader Update Service firmware
Update of service firmware for USB card reader can be done by issuing the following command in
the Windows command like (CMD) or on Linux OS:
Windows:
usbrdrtool.exe -w -i usb2_service-1.0.1.fw -k

Picture 14 - Example of the service firmware update
Linux:
sudo ./usbrdrtool -w -i usb2_service-1.0.1.fw --k
'-k' option will cause the new firmware to be booted after successful update.
Note: This command can be run form CMD windows or Linux, this is not a command inside the
usbrdrtool.
Card reader settings for downloadeing the log files
For the configuration of USB card reader to downloading log files from the reader is possible to
run following command in the Windows command like (CMD) or on Linux OS:
Windows:
usbrdrtool.exe -j -o USBLOG.TXT
Picture 15 - Get log enabling
Linux:
sudo ./usbrdrtool -j -o USBLOG.TXT
Note: Please note that logging must be enabled before using this function
Card reader USBRDRTOOL starting with predefined commands
Administrator can start the USB card reader configuration with predefined usage. The pre-
configuration list is listed bellow as command lines parameters. For example write in cmd
windows command line:

Picture 16 -Command line starting with pre-configuration
In the Linux OS the usage is similar with command:
Usage: ./usbrdrtool -<parameter> <value> ...
Parameters:
-i input file (otherwise stdin)
-ooutput file (otherwise stdout)
-l list all configurable readers
-r select reader number to configure, if not specified then first reader will be used
-sselect serial number of reader to configure
-k reset the usb device after successful operation
-u update standard firmware (file on stdin or input file)
-w update service firmware (file on stdin or input file)
-j get log (data on stdout or output file)
-h this help screen
-v verbose operation
-t start card testing mode
Information BeeP codes
Here is the list of beep codes, which give the result on the behavior of USB reader v2/v3.
Legend:
- Long beep sound
. Short beep sound
Sound Behavior
- Card read error. Please try placing the card again or use the different card.
...- Hardware configuration damaged cannot continue in booting
.-.- Update of firmware failed.
--.- Software configuration cannot be saved. Probably faulty onboard eeprom.
..-- Software configuration damaged, loading defaults.
.--- Firmware damaged.
-... No reader connected and reader required for correct functionality.
-.-. Service firmware damaged, re restore required.
.--. Error in reader power-up sequence.

Note: This option is available only if sound is enabled.
USB Card Reader v3 Administrative Guide
Introduction
Purpose of this document
This document provides essential information on the installation and configuration of YSoft USB
Card Reader version 3.
Validity of this document
This document applies to YSoft USB Card Reader v3.

Goals and objectives
That YSoft USB Card Reader v3 can be connected simply to a multi-functional device and serve
for user authentication using a card. The card must be assigned to a user in the YSoft SafeQ
system. After successful authentication, the user can work the with device and perform their
print, copy, or scan jobs (depending on the device).
YSoft USB Card Reader v3 can also be connected to workstations and used with a credit charger
application or with the YSoft SafeQ client for authentication.
Terms and abbreviations
MFD - Multi-Functional Device
USB Card Reader v3 - YSoft USB Card Reader version 3
Prerequisite knowledge
The person installing USB Card Reader v3 must meet the following requirements:
knowledge of the YSoft SafeQ system (installation/administration/attendance)
Disclaimer
A user that makes changes or modifications not expressly approved by the party responsible for
compliance (Y Soft Corporation a.s.) could void the user’s authority to operate the equipment.
Hereby, Y Soft Corporation, a.s. declares that the radio equipment type YSoft USB Card
Reader v3 is in compliance with Directive 2014/53/EU. The full text of the EU declaration of
conformity is available at the following internet address https://www.ysoft.com/en/legal
/european-union-declaration-of-conformity.
This equipment has been tested and found to comply with the limits for a Class A digital
device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio frequency energy and, if

not installed and used in accordance with the instruction manual, may cause harmful
interference to radio communications. Operation of this equipment in a residential area is likely
to cause harmful interference, in which case the user will be required to correct the
interference at their own expense.
This device complies with Industry Canada’s licence-exempt RSSs. Operation is subject to the
following two conditions: (1) This device may not cause interference; and (2) This device must
accept any interference, including interference that may cause undesired operation of the
device.
Le présent appareil est conforme aux CNR d'Industrie Canada applicables aux appareils radio
exempts de licence. L'exploitation est autorisée aux deux conditions suivantes : (1) l'appareil ne
doit pas produire de brouillage, et (2) l'utilisateur de l'appareil doit accepter tout brouillage
radioélectrique subi, même si le brouillage est susceptible d'en compromettre le
fonctionnement.
สำ หรับลูกค้ำที่ซื้อผลิตภัณฑ์นี ขอบคุณท่ ท่านกรุณาเลือกซื้อผลิตภัณฑ์น้ ก่อนการใชผ ลิตภัณฑ์
โปรดอ่านขอ มูลและคา แนะนา ต่อไปน้ อย่างถ่ ถว นเพื่อการใชงานอย่างปลอดภัย ข อบังคับ เครื่อง
โทรคมนาคมและอุปกรณ์น้ ม ความสอดคลอ งตามขอ กา หนดของ กทช
埋込み型心臓ペースメーカーおよび埋込み型除細動器を装着されている場合は、本装置または
本装置のワイヤレスカードシステムのリーダライタ部（アンテナ部）から12cm以上離れて携
行および使用してください。電波により埋込み型心臓ペースメーカーおよび埋込み型除細動器
の動作に影響を与える場合があります。
The product conforms with Directive 2002/96/EC of the European Parliament and of the
Council of 27 January 27, 2003 on waste electrical and electronic equipment (WEEE) and
Directive 2003/108/EC of the European Parliament and of the Council of December 8, 2003
amending Directive 2002/96/EC on waste electrical and electronic equipment (WEEE).
Only for indoor use
Overview
System overview
YSoft SafeQ® USB Card Reader has the following characteristics:
Connection and power supply of the card reader are via the USB host interface
Exchange of the card reader is possible without turning off the MFD (hot-plug)
Compatibility with some MFD additions
Hardware components

USB card reader specifications
Parameter Value
Identification Using a card reader
Voltage 5 V DC
Maximum current input 0.5 A
Transmitting frequency 125 kHz, 13.56 MHz
Usage
Please use the card by placing it on the edge of the reader as indicated below.

LED indicator
LED color meaning
LED off The USB device has not been initialized yet or the device is in sleep mode.
Orange Initializing
Green Card reader initialized. Ready to read a card.
White Card read OK
Red Card read error or card refused
Blue Programming card processing
Yellow Firmware update
Mounting instructions
Please mount the card reader to an MFD using the mounting kit.
Keep unprotected cords out of the path of foot traffic to prevent tripping. Do not leave cords
dangling anywhere where they can be pulled down and tripped over.

Configuration
For configuration, see USB Reader tool for Reader configuration.
Risk Description Control Measures Risk Analysis Additional Measures

(details of all (details of all additional
O P Risk
existing controls) checks
Rating
to be carried out)
Falling of object A mounting kit is Small Possible L (C4) Correct mounting is indicated
/component supplied with the in the manual.
device.
Tripping over a The cable is fitted Serious Possible M (C3) A recommendation on cable
cable with a connector placement is indicated in the
at both ends that manual.
can be
disconnected.
Entry of water The device is Small Possible L (C4) The manual states the user
into electronic damaged. is to prevent water from
components entering the device.
Exposure to non- The device Small Improb. L (D4) The norms the device meets
ionizing radiation produces are listed in the manual:
(radiofrequency) radiofrequency EN 55032:15
radiation below EN 55024:10
limits indicated by ETSI EN 301489-3 V1.6.1:13
relevant norms. ETSI EN 301489-1 V1.9.2:11
ETSI EN 301489-1 V2.2.0:17
ETSI EN 301489-3 V2.1.1:17
ETSI EN 300330-2 V1.6.1:15
ETSI EN 300330-1 V1.8.1:15
ETSI EN 300330 V2.1.1:17

Risk Description Control Measures Risk Analysis Additional Measures
(details of all (details of all additional
O P Risk
existing controls) checks
Rating
to be carried out)
EN 60950-1:2006+A11:
2009+A1:2010+A12:2011+A2:
2013
EN 62368-1:2014/AC:2015
Y SOFT CORPORATION, a.s. Technology Park, Technická 2948/13 616 00 Brno Czech Republic
Phone: +420 533 031 500 info@ysoft.com
Network Card Reader Beep and LED Code Sequences
The Network Card Reader contains status LEDs that serve for interacting with the user. This
chapter describes the beeps the terminal emits and LED codes it displays to notify the user
about various status conditions.
Beep Code Sequences
In the following table, a period ( . ) represents a short beep, and a dash ( - ) represents a long
beep.
This option is only available if sound is enabled.
Sequenc Description
e
- Card read error. Please try placing the card again or use a different card.
.- Reader validation failed. Server reports that the terminal is not registered in YSoft SafeQ.
Please consult the administrator manual.
-.- User validation failed. User card is not registered in the system.
.-- Received an error or warning message from the server.
--- Connection to the YSoft SafeQ server failed.
...- Hardware configuration damaged, cannot continue booting
-..- The maximum number of update attempts reached but no valid firmware detected.
.-.- Firmware update failed.
--.- Software configuration cannot be saved. Probably faulty onboard EEPROM.
..-- Software configuration damaged, loading defaults.
-.-- The maximum number of update attempts reached, resuming normal boot.

Sequenc Description
e
---- Network initialization failed.
-... No reader connected and a reader is required for correct functionality.
.-.. Firmware update failed. Error in server response, the YSoft SafeQ server is probably not
configured correctly.
--.. Firmware update failed. Cannot connect to the YSoft SafeQ server.
-.-. Service firmware damaged, re-restore required.
-...- Debug mode, not for public release.
YSoft SafeQ Ethernet Reader Flash Code Sequences
The following table shows the various LED code sequences and explains what they indicate.
The following colors are used for icons:
Green – Led is green
Red – Led is red
Orange – Led is orange
Grey – Led is off
All leds are switched off

Ethernet reader power is off.
Animated
Ethernet reader is processing, please wait.
Animated
Firmware upgrade in progress, please wait (service firmware working).
Firmware upgrade in progress, please wait (service firmware working).
Similar to the previous one.
Place card.

Flashing
An error occurred, see beep codes for details.
During init sound

Ethernet reader model (3). Please note that ethernet reader operation can
be a configuration selected on UltraLight or UltraLight print only models.
In such a case, the read software configuration command can read the
current settings.
Using the Emergency Button
The correct procedure for using the emergency button is the following:
Use a paper clip or a tiny screwdriver to push the emergency button in. Hold the button
pressed for more than five seconds.
Alternatively, you can unplug the terminal power cable, hold the emergency button, and plug
the terminal power back while still holding the emergency button.
The terminal now starts with a short series of beeps with a longer pause between them. The
action is selected by releasing the button during the pause. Once the beep count reaches the
selectable maximum, it starts again from one. To cancel any selection, unplug the power cable
and release the button.
One beep – do a set default configuration.
Four beeps – do the emergency reload – reset the configuration to default and start an
emergency update.
Five beeps – set the network configuration to use a DHCP server.
Six beeps – push update expected, do not try to connect to the server for updating.
After the action is selected, it is processed, and the terminal is rebooted after that.
Network Card Reader - Continuous Reading and Logging Off by Card Removal
Overview
This feature enables users to be logged into a device while their card is placed on Network Card
Reader (NCR) and logged out when the card is removed from Network Card Reader.

Configuration
This feature is implemented since firmware 1.2.8. To be enabled, continuous card reader protocol
has to be set. Contact Customer Support Services for more information about card reader
protocols.
How to Set the Card Reader Protocol
Run Remote configuration tool for hardware terminals (Termtool)
Select Network Card Reader from the list.
Select 4) Card reader and IO module setup.
Enter the number of the required card reader protocol in the Reader protocol dialog. (For
example, for ASK/FSK and Multireader LF/LF+HF, insert 94).
Press ENTER and save changes to the terminal.
Using
A user with an assigned card comes to Network Card Reader and places the card on the reader
(the card stays on the reader and is not removed). The user is logged in while the card is placed
on the terminal. The user can perform prints/scans/copies. After the user has finished, they
remove the card from the reader and is logged out.
The YSoft Card Reader Tool
About
This document describes the configuration tool version 1.3.0 for YSoft USB Card Readers v2/v3
The tool consists of the following parts:

Configuration
A list of connected readers with basic details
Operations on one or multiple selected readers
Configure readers (Custom configuration, Reader protocol, USB mode, Debug setting, etc.)
Update main firmware
Update service firmware
Show full reader details
Download reader log
Reading test
A list of connected readers with the last read card number and card type
Save read logs as a text file
Advanced Configuration
A list of connected readers with the last read of YSoft Configuration Card label
Format compatible cards as YSoft Configuration Card
Define the configuration content for Configuration Card (import existing configuration, define
custom configuration, reader protocol, device configuration, card label, etc.)
Custom configuration can be:
Loaded from a text file
Manually defined
Reused from predefined protocols
Repeatedly evaluated and tested on connected readers
Stored to connected readers
Write the configuration to Configuration Card or export to disk
Advanced configuration is intended for advanced users/experts only and is described in a

separate document.

Command Line Parameters Overview
Configuration Page Overview
1. Connected Card Readers
The table is sortable. Sort by the desired column by clicking its header.
Operations are performed on selected readers. Select them by clicking the select checkbox, or
anywhere on the line (except the detail button).
The checkbox at the upper left-hand side acts as Select/Deselect all

2. Reload readers (F5)
Refresh the list of connected readers using the Reload readers button.
3. Configure Selected Card Readers

Open the configuration dialog for the selected card readers using the Configure button. Card
Reader Configuration.
4. Update Firmware on Selected Card Readers
Open the update firmware dialog for the selected card readers using the Update FW button.
Firmware update
Click Browse, then select the latest firmware package, and click Update.
Starting from firmware 2.3.0, it is necessary to manually update the service firmware of the
USB reader at least to version 1.0.9
With any older versions, 2.3.0 and newer firmware will not be recognized as valid firmware.
5. Update Service Firmware on Selected Card Readers
Open the service update firmware dialog for the selected card readers using the Update Service
FW button.
Service firmware update
Click Browse, then select the latest service firmware package.
Another possibility is to click the button with the name of the embedded service firmware. The
embedded firmware file name appears as the selected file.
Then click Update. Do not disconnect USB card readers during the update procedure!

6. Card Reader Detail
Show the card reader detail page using the Detail button:

Copy to Clipboard
Copy the reader details to the clipboard or to a text file.

Save to File
Save reader details to a text file.

Download log
Download logs from the card reader and save to a text file. If the log file is empty, then check if
debug mode is correctly set in the configuration.
Card Reader Configuration
Configuration Options

Keep current protocol
Do not change the configured protocol or custom configuration.

Select available protocol
Select a protocol from the list of available protocols.
When you configure more than one type of card reader at once, this mode is not available. You
can set the protocol number manually.
Manually input protocol number
Manually set the protocol number.

Upload custom configuration
Upload a binary file with the custom configuration.

USB Mode
Change the mode of the USB interface.
Keep current setting
Do not change the USB mode.

USB keyboard emulation

In this mode, the USB reader works as a standard USB keyboard.
The typing of keys is emulated as a numeric keypad for 0-9 and A-F keys in standard EN/US
keyboard layout. If the card number contains any other characters, they are ignored. Caps-lock
and Num-lock are enabled and disabled if necessary and returned to their previous state after the
card number is read. The "Shift", "Ctrl", and "Alt" keys must not be held during card placement, or it
will collide with Caps-lock and Num-lock settings, and an incorrect card number will be read. If an
international keyboard layout is used (such as French, Russian, Chinese, or another), a wrong card
number will be entered. In such cases, switching to US/EN keyboard layout is necessary before
placing the card.
Parameters:
msec key pressed
msec key released
USB virtual serial (COM) port
This mode emulates the operation of a COM port.
On a Windows platform, installation of the USB reader in this mode requires a usb2-reader.inf file.
This file is distributed along with the USB reader firmware and should be selected in the "new
hardware" wizard after USB reader plugging/reconfiguration.
On a Linux platform, the driver for the serial port is installed automatically.
USB reader for Konica Minolta MFD
This mode is for Konica Minolta (KM) MFDs.
KM mode
Legacy – ASCII mode
AU201 – binary mode
USB reader for Sharp MFD

This mode is for Sharp MFDs.
USB reader for HP MFD
This mode is for HP MFDs. It is not supported on USB v2 card readers.

USB reader in HID raw mode
This mode is intended for special cases.

Enable sound
Values:
- Enable Sound
- Disable sound
- Do not change sound configuration
Debug mode
Values:
Keep current setting – do not change the logging configuration
Disabled – logging is disabled
Warnings only – only log warning messages
Full log – debug logging.
Debug logging causes a wear-out of the internal flash memory. For short-term use only.
The log is a 32Kb circular buffer with 10k erase cycles. Card reader operation with worn-out
flash memory has not been verified.
Disable further usage of Configuration Cards

Values:
- Disable further usage of Configuration Cards
- Enable further usage of Configuration Cards
- Do not change the configuration setting
Reset to defaults
Values:

- Do not perform configuration reset
- Perform configuration reset to manufacturing defaults (Could not be

combined with other options)
Reading Test
In this section, you can test the reading of your card readers and save testing results to a file.
Multiple card readers can be tested at once.
When the status of the card reader is OK, you can start placing cards on the card reader.
Reload readers (F5)
Refresh the list of connected readers and clean the card reading log.
Card number and type
You can find the number and type of the last placed card.
When using in KM mode, the card number also includes MFP data emitted from a loadable driver (in
parenthesis).
Save Read Logs
Download a log of all cards numbers read by the card readers using the Save Read Logs button.
Log example

YSoft Card Reader Tool Advanced Configuration
Starting from version 1.2 of YSoft Card Reader Tool, it is possible to create or upload an advanced
configuration for Y Soft card readers. The advanced configuration includes:
1. Customized card reading
2. Device operational parameters
3. Creating of custom configuration cards
A step-by-step guide for advanced configuration
Step 1:
Select which reader you want the advanced configuration tested on in the next reading
configuration dialog. This step can be omitted if no testing is required.

Step 2:
Select the card reader configuration either by:
1. Custom card reader configuration. See below for a custom configuration step-by-step.

2. Or by protocol selection from the list of protocols.
3. Or by manual protocol selection by protocol number.

3.
4. Or set "No reading configuration"
Step 3:
Select device configuration.

May be left without any change if no changes are required. Items correspond to the options in the
configuration dialog.
Step 4:
Save the configuration
a) Save the configuration to a file by clicking export configuration. The file can be later used in the
Configuration > Configure dialog > Upload custom configuration.
b) Or the config can be written on a configuration card, see below for step-by-step configuration
cards.

Users may start with already existing custom configuration. Then it is possible to import it and
define only the overriding changes. Redefining custom configuration is not supported.
Step-by-step configuration cards
See the "Card Reader Custom Configuration" document for details and limitations about the
configuration cards usage. Please ask your sales representative for the document.
Configuration Cards are supported from firmware version 2.4.0 on these readers only:
USB Reader 3 MF
USB Reader 3 MF+
USB Reader 3 MF&Legic
USB Reader 3 MF SAM
USB Reader 3 MFX
Step 1: Format empty card.
Place the compatible card and click FORMAT CARDS. This step is skipped if the card is already
formatted.

Compatible cards are:
1. Mifare DESFire EV1 8k
2. Mifare DESFire EV2 8k
The card must have a default master key (like a blank card) before formatting.
Formatting will erase all data stored on the card.
Step 2: Prepare reading configuration and device configuration (see above)
Step 3: Write the configuration onto a card
1. Select the reader you wish to write the config card on and place the formatted config card
on it.
2. Select if you want to disable the further processing of the configuration cards. Generally, it
is not safe to leave it on. However, for debug and testing purposes, it is better to leave it
enabled.
3. Edit the card label. The label is initially generated based on the configuration settings,
however, it can be changed to anything to suit customer needs. The label can be read back
by an NFC-enabled mobile phone or tablet.
4. Write the configuration card

4.
Step-by-step custom card reader configuration
Step 1:
Select the card readers you want the custom configuration tested on:

Step 2:
Make sure you have card readers selected.
a) Load a custom configuration text file, or
b) Edit the custom configuration in the text box, or
c) You can use the "Edit as custom configuration" button on the selection of protocols.
See the "Card Reader Custom Configuration" document for details about what can be used as a
custom configuration. Please ask your sales representative for the document.

Step 3: Click Enable testing
The reader now read cards in its original configuration. You may place the card and check the
result on the list below.

Step 4: Click Upload to test.
Place the card and check the result on the list below. If you are not satisfied with the result and
want to modify the custom configuration, just edit it and repeat step 4 – click the upload button.
Using configuration card to configure Y Soft USB Card Reader
Supported Card Readers
Y Soft USB Card Reader 3 MF
Y Soft USB Card Reader 3 MF+
Y Soft USB Card Reader 3 MF&Legic
Y Soft USB Card Reader 3 MF SAM
Y Soft USB Card Reader 3 MFX
Requirements
Firmware version 2.4.0 or higher
HF technology must be enabled either by protocol selection or in custom card reader

configuration (enabled by default)
Configuration cards processing is enabled in device configuration (enabled by default)
Configuration cards work only within 2 minutes from the device power-up or restart
Put configuration card on a card reader
Wait 15 seconds
Card reader programming is indicated by blue LED color.

Successful programming is indicated by green LED color and beep sound.
Remove configuration card
USB reader will reboot and use new configuration.
Check that MFD and card reader are working properly. Some MFDs might need restart after card
reader programming.
5.5.2.3 YSoft USB reader v2 installation and configuration
Mounting/dismounting YSoft USB reader v2 on a device
Following chapter displays how to mount USB reader v2 on a device. The configuration may vary
from device or vendor type. As you can mount the card reader not only on the device, but also to
a workstation (YSoft SafeQ 5 Client application) or YSoft Payment Machine, the mounting may
also vary according to the usage.
Mounting of the reader module
The mounting kit enables both right-handed and left-handed installation on the MFD.
The following components are included in the mounting kit package:

plastic holder
screws
reader module
Prepare the plastic holder by removing the plastic releasing tool. This tool can be used later to
remove the cart reader from the holder. See following pictures.
You can fix the holder directly on the MFD using screws. If it is not possible to use screws, use double sided
tape to fix the plastic holder.
Attach the reader module to the plastic holder.
Finally, connect the reader's USB cable to a free USB slot.

Dismounting of the reader module
Release the reader module by pushing the releasing tool, screw driver, or a similar tool into the
plastic holder while moving the reader module upwards. See following pictures.
Disconnect the reader module's USB cable and remove the reader module.
Loosen the screws and remove the plastic holder from the device.
5.5.2.4 YSoft SafeQube 2
Configuring an Environment with YSoft SafeQube 2
When you want to integrate YSoft centralized scan processing with an environment using YSoft
SafeQube 2, you need to meet the following requirements and follow the installation guide.
Typical environment
Management node
Management Server
Spooler Controller
YSoft SafeQube 2 branch node(s)
Spooler Controller
Terminal Server
Configuring WebDAV to Enable Scanning on YSoft SafeQube 2
The default configuration of Document Store (local) is not suitable for YSoft SafeQube 2, please
follow the instructions in Configuring Document Store to set up a WebDAV document store
instead.

If you want to use unsecure channel, you must set property webdavSsl to Disabled and in
SafeQube terminal server configuration set property TS_workflowStorageRoot to use http, not
https.
Configuring Spooler Controllers
1. Install the YSoft SafeQube 2 node in the environment:
a. Configure YSoft SafeQube 2 (follow the YSoft SafeQube 2 Deployment).
b. Stop the YSoft SafeQube 2 applications: Spooler Controller and Terminal Server.
2. Add a Spooler Controller for the YSoft SafeQube 2 node Devices > Spooler Controller
Groups > Add Spooler Controller.
3. Fill in a name (e.g., YSoft SafeQube).
4. Enter the YSoft SafeQube IP address in the Network address property.
5. Enter the YSoft SafeQube 2 spoc.localGUID value in the GUID property.
6. Start the YSoft SafeQube 2 applications (Spooler Controller and Terminal Server), and wait
until they are ready.
7. Install all terminals.
a. Do not use Central Spooler Controller, the terminals must be installed from YSoft
SafeQube 2 Spooler Controller.
Terminal Server
Known Limitations
Cryptographic protocol TLS 1.0 and its predecessor SSLv3 are supported. MFDs with TLS 1.1 or
TLS 1.2 only will not work. It should be fixed in the Mono 4.6.0 release. See http://www.mono-
project.com/docs/about-mono/releases/4.6.0/.
Administrators cannot change the SSL server certificate.
All used ports must be above 1024.

Double-byte support for job names is not available.
MFD Installation Failure Due to SSL/TLS Configuration

Known Affected Devices
Fuji Xerox ApeosPort-IV C2270
All MFDs that require only TLS 1.1 or TLS 1.2
SSL/TLS Installation Failure Workaround
A workaround can be applied to devices that do not require secure communication only and
can communicate via HTTP instead of HTTPS protocol.
1. Go to Management and log in as an administrator.
2. Go to System > Configuration.
3. Click the Expert button in the top right-hand corner.
4. Enter Secured Terminal Server connections into the search input.
5. Click the search button.
6. Change Secured Terminal Server connections to Disabled.
7. S a v e c h a n g e s .
8. Restart Spooler Controller and Terminal Server.
9. Install the MFD that failed due to an SSL/TLS error.

Configuring the YSoft Payment System API Timeout
It is recommended to increase the default timeout to eight seconds.
1. Go to Management and log in as an administrator.
3. Click the Expert button in the top right-hand corner.
4. Enter Terminal Server connection timeout into the search input.
5. Click the search button.
6. Change Terminal Server connection timeout to 8.
7. Save changes.
8. Restart all services mentioned in the confirm changes dialog.
YSoft SafeQube 2 Deployment
Prerequisites
YSoft SafeQ Management Service installed and running.
YSoft SafeQube 2 with installed YSoft SafeQ Spoler Controller (SPOC), Terminal Server and
IMS proxy application.
Deployment steps:
Start the device
1. Plug in the network cable to any of its available Ethernet ports.
2. Plug in the power cable and wait until the device is up.
Login to SafeQube 2 web management

Go to https://<device IP address>:8083
the IP address is displayed on the OLED display
Username: manager
Change manager password
The password is the same for all devices. Therefore, it is highly recommended to change it.
1. Click on manager > Change password
2. Fill the Current password and type new password twice for confirmation
Install/update your applications
1. Go to Applications section in the left panel
2. Check versions of the applications that are already installed on the device. If there are
none, or they don't match the version of Management, continue with the next steps.
3. Download the "Complete Pack" installation archive from the Partner portal and unpack the
UA update package archive (you will find it under Complementary
Solutions\Hardware Packages)
4. In the UA update package archive, find the packages of the applications you want to install
/update (with the .tar.gz extension)
5. For each application, click INSTALL APPLICATION button in the Applications section of the
SafeQube web interface and select the application package and click SUBMIT

Connect SafeQube 2 to Infrastructure Server (IMS)
1. Make sure the IP address of the SafeQube is stable. Either set a static IP address or create
a reservation in DHCP server.
2. Fill in the Infrastructure server 1 with its valid address an Infrastructure Server (IMS)
running on a Management Server. The default format is
https://<management_server_address>:7348 (HTTPS is mandatory, 7348 is the
default IMS port number). Using DNS records instead of IP addresses is possible.
3. Test the connection by pressing Test button
4. Press Save button.
After changing the IP address of the SafeQube, it is necessary to re-login to web management
with the new IP address.
Configure Spooler Controller and Terminal Server
1. Go to https://<device IP address>:8083
2. Go to Applications section in the left panel

2.
3. Click on configure icon for terminalserver application, fill in all fields and press Save and
Restart Application.
for terminalserver the following parameters must be set if a WPS scan server is to be
used:
TS_wpsBaseAddress – WPS server API endpoint URL (e.g. http://10.0.13.230:5600/).

Please make sure the URL ends with a forward slash character as in the example.
TS_workflowStorageType – set to webdav if you will use a scan server (WPS), or

leave as none .
TS_workflowStorageRoot – central WebDAV server for scanned data (e.g. http://10.

0.13.55:8099/). Please make sure the URL ends with a forward slash character as in
the example.
TS_workflowRemoteStorageUsername – the username for an account with WebDAV

permissions.
TS_workflowRemoteStoragePassword – the password for an account with WebDAV

permissions in encrypted form.
Login to Management Server as administrator

Go to Dashboard, enter text to encrypt to Text encryption widget and click on
Encode
TS_validateWebDavServerCertificateOnUnix – set to false if you will use a scan

server.
4. Click on configure icon for spoc application, fill in all fields and press Save and Restart
Application.
for Spooler Controller following parameters must be set:
spoc.localGUID - SPOC GUID (e.g. local_GUID )

spoc.serverGUID1 - GUID of Management server (e.g. Management_GUID)
spoc.serverIP1 - IP address of Management server (e.g. 10.0.13.230)
spoc.serverPORT1 - communicator port of Management server (usually 6010)
spoc.smartQ-server-ip - Spooler Controller IP address (e.g. 10.0.5.145)
spoc.tenantDomain - tenant name on Management server (e.g. tenant_1)
Verify configuration
1. Connect to SafeQube's management console (SSH connection using the IP address of

SafeQube and the same credentials as are used for web management) and run console
command "server test". It should return OK for configured IMS address.
2. For terminalserver application check logs on https://<device IP address>:8083/logs. Look for

message "TS fully started".
3. For spoc application, check if Spooler Controller is registered and has status "Online" on the
management interface (Devices > Spooler Controller groups).
4. Check that imsproxy application is running.
All settings can also be performed from YSoft hardware management console. See YSoft
hardware administrator guide for more details.
Troubleshooting
Spooler Controller
Spooler Controller reconnected to the different YSoft SafeQ Management does not register
Scenario
Spooler Controller has successfully registered to the first YSoft SafeQ Management
You changed value of parameter spoc.serverIP1 and restarted Spooler Controller application
Spooler Controller does not register to the second YSoft SafeQ Management because of SQ
error:
Sender GUID '<spoc.localGUID>' is not known to the tenant resolver service!"
Solution
After changing spoc.serverIP1, delete the Spooler Controller cache by rebooting the SafeQube.

YSoft SafeQube 2 Service menu
Service menu overview
YSoft SafeQube 2 Service menu is designed for first turn-on and for basic network setup. More
complex operations (apps installation, configuration, ...) are intended to be done through IMS,
Management Console or Management Web.
Capabilities of YSoft SafeQube 2 Service menu are:
Setting DHCP on/off
Setting IP address, network mask, gateway and DNS
Setting address of IMS
Setting PIN
Menu is displayed on OLED panel on the front side of SafeQube 2. It is controlled by 12 buttons
touch keyboard with sound feedback placed near it.
Display overview
This is example of default status screen, there you can see:
Status bar at bottom of screen (is displayed on each screen):
IP address and network mask (in format IP/number mask) in bottom left corner
Current local time of SafeQube 2 in bottom right corner
Navigation help - symbol > means, that pressing the > key brings you to other screen on
perform some action
Screen content - an Y Soft logo in that case
Keyboard usage
There are keys 0-9 used for entering numbers and keys < and > used for navigation. There are
three main operation modes:
Menu navigation: Keys < and > are used as up and down arrows, (0) is used for selecting
menu item. Alternatively (2) may be used as up arrow, (8) as down arrow and (5) for selecting
item.

Number input: Used for IP addresses and for PIN. In that mode < is used as "Cancel" and > is
used as "Confirm", numbers are used for input.
Text input: Numbered keys may be also used for entering text, in that mode repeatedly
pressing one number cycles through given set of letters - set of letters for each key is printed
below it on keyboard and special characters are located under key 0 (.,:_-@/).
Key < acts like "Backspace" and > is used for ending input (displaying "Save or discard"
message).
Display dimming, auto logout and auto sleep
There are several timeout based on inactivity (no key pressed):
After 15 seconds of inactivity: The display starts to dimming. Pressing any key will bring it to
full brightness (key press acts normally, e.g. writing number, ...)
After 1 minute of inactivity: Auto logout, the screen is reset to default status screen
After 5 minutes of inactivity: The display is turned off into sleep mode (the SafeQube 2
continues to run normally). Pressing any key will turn it on (key press is dismissed).
Service menu usage

Logging into service menu
Starting on status screen. To get on Service menu login screen you may:
Repeatedly pressing > to cycle through status screens
Press any number
On Service menu login screen enter device PIN and press > to enter the menu, or press < to
return on status screen.
When PIN is wrong, error message appears, otherwise main menu is displayed.
Default PIN on newly installed devices is 0000, PIN can be changed in service menu.

Main menu and network menu
Navigation in main menu or network menu is similar. Selected item is highlighted, pressing (0) or
(5) activates this item.
From main menu you can:
Logout
Enter the network menu
Change IMS server address
Enter into time settings to setup NTP servers
Change PIN
From network menu you can:
Go back to main menu
Set DHCP on/off
(DHCP off only) Enter network setup wizard - changes are saved at once after finishing whole
wizard
(DHCP off only) Set IP/network mask/gateway/DNS addresses individually
Network Setup
Network can be configured in network menu. By default, the DHCP is enabled and other network
config is hidden from menu.
After disabling DHCP, menu runs through network setup wizard to set up all network parameters
(if DHCP was previously enabled, defaults are taken from it) and everything is saved at once after
the last step.
After disabling DHCP, you can change network setting by:

Individual setup screens for each network parameter - quicker, but network configuration
must be valid after each step (for example IP and gateway must be in the same subnetwork, if
you want to change both of them, you cannot do it this way)
Network setup wizard which runs through all network parameters and saves them at once at
the end. Intended for bigger network changes.
DHCP setup screen allow you to change DHCP setting. It acts like menu (navigation with < and >,
confirmation by (0)) and current state of DHCP is shown at the top of screen.
You can:
Go back with no change
Select "Enable DHCP" (when DHCP previously disabled) - it returns to the network menu and
turns on DHCP
Select "Disable DHCP" (when DHCP previously enabled) - it runs network setup wizard
Setup screens for network parameters are all similar. You can navigate through the following
screens:
Set IP address screen
Set network mask screen
Set gateway screen
Set DNS screen

On each screen there is predefined mask to enter IPv4 address. Highlighted position is cursor -
when you press some number, it is written to this position and cursor moves one position ahead.
Cursor is cyclic - after the last position it moves to the first position.
Address must be entered with leading zeroes (for example when entering number 42 on some
position, you need to press (0) (4) (2)).
Control differ if the screen was entered individually or as part of network setup wizard:
Entered individually (top image): Key < cancels changes, key > saves them.
Part of network setup wizard (bottom image): Key < moves back (on first screen it changes to
"Cancel"), key > moves ahead (on last screen it changes to "Save all")
Setting IMS address
To set IMS address choose IMS address item from main menu. This brings you to the overview
screen (highlighted symbol of eye), from which you can go back by pressing < key, or start edit
mode by pressing > key.
In Edit mode (highlighted symbol of pen) you can modify the server address. Some basics:
Pressing numbered keys writes letters (as old mobile keyboard, see Keyboard usage section
above)
Server address is entered without "http://" prefix
< key is used as backspace, you can hold it to delete more letters
> key is used to stop input and bring you to the Discard/save screen
On Discard/save screen you may choose to discard changes or to save them by pressing < or >
key.
Time settings - NTP servers

To set time settings choose Time settings item from main menu. This brings you to the time
settings menu (first image).
It is normal menu screen, where you can:
Set NTP servers – similar edit screen as IMS server address edit screen - please refer to
Setting IMS server address part of documentation. NTP servers are separated by , (comma).
Reset default NTP servers – after confirmation resets NTP servers to the defaults.
Change PIN
To change PIN, select Change PIN from main menu. Firstly you must enter current PIN (acts in
same way, as login screen).
After that, you may enter new PIN. PIN can be any number (with at least one digit) and you must
enter it twice to confirm. When both PINs matches, PIN is changed immediately and saved to
UAM.
Error screen
In the event of an error, similar screen will appear. Please contact support.
5.5.2.5 YSoft SafeQ Terminal Pro 4 installation guide
Installing YSoft SafeQ Terminal Pro 4
This guide will help you to set up and install YSoft SafeQ Terminal Pro 4 from the YSoft SafeQ 6
user interface.

Disclaimer
Users that make changes or modifications not expressly approved by the party responsible for
compliance (Y Soft Corporation a.s.) could void the user’s authority to operate the equipment.
Hereby, Y Soft Corporation, a.s. declares that the radio equipment type Multifunctional
Terminal Appliance – YSoft SafeQ Terminal Pro 4, model number MT00001 is in
compliance with Directive 2014/30/EU .The full text of the EU declaration of conformity is
available at the following Internet address https://www.ysoft.com/en/legal/european-union-
declaration-of-conformity.
This device complies with Part 15 of the FCC Rules. Its operation is subject to the following
two conditions: (1) this device may not cause harmful interference, and (2) this device
must accept any interference received, including interference that may cause undesired
operation.
The product is in conformity with Directive 2002/96/EC of the European Parliament and of
the Council of January 27, 2003, on waste electrical and electronic equipment (WEEE) and
Directive 2003/108/EC of the European Parliament and of the Council of December 8, 2003,
amending Directive 2002/96/EC on waste electrical and electronic equipment (WEEE).
Only for indoor use
Prerequisites
Check that YSoft SafeQ Server is correctly installed and configured. For more information, please
see the article Installing YSoft SafeQ 6 Server.
Initial Configuration
Once you have unpacked YSoft SafeQ Terminal Pro 4, plug in the power cord and the network
cable accordingly.

1. After the initial boot, the YSoft SafeQ Terminal Pro 4 Service Menu displays.
Picture: Service Menu authentication screen.
2. Enter the Administrator PIN and press OK. By default, the PIN is set to 7777.
3. Select Network in Service Menu.

Picture: Service Menu with Network section highlighted.
4. Check the IP address of YSoft SafeQ Terminal Pro 4.
Picture: Network Settings with the IP Address configuration highlighted.
5. If necessary, set up network settings accordingly, as described in the Configuring YSoft

SafeQ Terminal Pro 4 section.

Installing YSoft SafeQ Terminal Pro 4 from YSoft SafeQ 6
Follow the procedure below to connect YSoft Terminal Pro 4 to a multi-function device and YSoft
SafeQ 6.
1. Log into the web administration, use an account authorized to manage the system.
2. Open Devices > Printers from the menu. Click the ADD DEVICE button.
Picture: Button ADD DEVICE to add a new device to YSoft SafeQ 6.
3. Enter the necessary details to identify a multi-function device: the Name, Device group,
Network address of the device (the printer's IP address), and Spooler Controller group.
Note that Name and Network address must be unique.
Picture: Filling in all required fields to add a new device.
4. Open the Terminal type selector and select YSoft SafeQ Terminal Professional.

Picture: Selecting the YSoft SafeQ Terminal Pro 4 terminal type.
5. Enter Terminal network address to identify YSoft SafeQ Terminal Pro 4, and select the
required Authentication method. Note that Terminal network address is required and
must be unique.
Picture: Filling in all required fields to configure YSoft SafeQ Terminal Pro 4
6. Enter non-mandatory options if needed.
a. General section
Location or description – you can specify further details to recognize the device
in the system and to describe the exact placement of the device.
Accounting type – configuration defines the type of accounting to be used.
No accounting – jobs performed on the terminal will not be accounted. Jobs

will be visible in Job list on YSoft SafeQ Management Server.
Offline Accounting – print jobs will be accounted based on the output from the
job parser. Copy and scan jobs will not be accounted.
Online Accounting – jobs will be accounted based on the difference of the

device's counters.
Price list – configured prices are used for accounting print, copy, and scan jobs
performed at the device. Prices are defined in the assigned price list.

Reporting cost center ID – device may belong to a particular cost center. Choose
from the existing cost centers.
Online accounting (Available only when Accounting type is Online accounting) –

select which type of jobs are accounted by online accounting
Use Online accounting for printing and copying – all jobs (prints, copies, scans)
are accounted by Online accounting.
Use Offline accounting for printing and online for copying – prints are
accounted based on the output from the parser and copies and scans are
accounted by online accounting.
Note: To scan a document, the device's native scan application must be used.
Accounting driver (Available only when Accounting type is Online accounting) –

select accounting driver exactly based on your device model.
b. Terminal section
(Advanced only) Admin username – if you want to use a different administrator

name instead of the global administrator login to access the terminal, enter it
here.
(Advanced only) Admin password – if you want to use a different password

instead of the global password to access the terminal, enter it here.
(Advanced only) Scan feature – enable this option if you want to enable YSoft
SafeQ scanning features. Note that only the device's native scan application can
be used.
(Advanced only) Printing application layout – select the layout of the print
application and folders displayed to the user.
c. Direct Printing section
This part allows you to specify the direct queue(s) that enable the device to receive
jobs without the need for a user to authenticate at the terminal (note: the print job is
still authorized in YSoft SafeQ). Direct print together with Online accounting is
not supported yet.
d. Tags section
The Tags tab enables different print languages or user tags for the device. All
print languages are enabled by default. This configuration must match tags for
each job and also the supported options on the device.
e. SNMP section (Advanced)
This part allows the configuration of SNMP v2 and SNMP v3 used with the device.
SNMP read-only community for remotely accessing the device states.

SNMP read-write community for remotely reading and writing to the device
p r o p e r t i e s .
Require terminal reinstallation
f. Backend section (Advanced)
This part refers to the network protocol used for communication with the device and
for printing at the device.
Backend – network protocol used for communication. The following network

protocols are available:
IPP – provides a standard network protocol for remote printing as well as for
managing print jobs, media size, resolution, etc.
IPPSSL – a basic IPP with job encryption over SSL.
LPR – a general TCP/IP utility that is used to send print jobs from clients to
print servers.
LPR (PJL Copies) – a basic LPR extended with the PJL method for switching
printer languages at the job level.
TCP/IP Raw – a TCP/IP with a raw socket that allows access to the underlying
transport provider.
TCP/IP Raw NoMap – same as TCP/IP Raw, but with a NoMap function.
Network port – the port number that a device uses for communication. This
option depends on the selected print backend.
Queue name – the queue name used for communication with the device.
Job encoding – the encoding type used by the device. Encoding is defined by the
print driver used by the users at the time of creating a print job.
g. Miscellaneous (Advanced)
Delete jobs after print – all jobs (except favorite jobs) printed on the device will
be deleted after they are printed.
h. Advanced Accounting section (Advanced)
Here, it is possible to select to enable a particular accounting method (this is an

optional configuration and is available only when the Accounting type is Offline
accounting or Online accounting with offline accounting for printing).
Coverage accounting – black and white prints will be accounted based on the
coverage. Coverage is calculated by the job parser.
Coverage accounting – color prints will be accounted based on the coverage.

Coverage is calculated by the job parser.

Some options are available for editing only in the Advanced view. You can choose
between Basic and Advanced in the top right-hand corner.
7. Press the SAVE CHANGES button. The installation progress bar will display.
8. The device with YSoft SafeQ Terminal Pro 4 is now installed.
Picture: An administrator can see the terminal ID of any terminal by pressing the EDIT
button.
9. The YSoft SafeQ Terminal Pro 4 will be automatically connected to YSoft SafeQ Server and
configured.
Picture: The User authentication screen is displayed.
10. You can check that the correct IP address has been set up in the YSoft SafeQ Terminal Pro
4 Network Settings menu as described in the Configuring YSoft SafeQ Terminal Pro 4
section.

Picture: Network Settings menu with YSoft SafeQ network address highlighted.
Manufacturer Y SOFT CORPORATION, A.S. Technology Park, Technicka 2948/13 616 00 Brno
Czech Republic Tel: +420 533 031 500 info@ysoft.com
Configuring YSoft SafeQ Terminal Pro 4
Service Menu Overview

Service Menu Access
An administrator can access a service menu login screen via tapping alternately the top left-hand
and bottom left-hand corners of the user login screen or error screen. Four taps in sequence are
needed to access the service menu. The administrator must start at the top left-hand corner. If
the administrator succeeds taps successfully, they access the Terminal Pro 4 service menu login
screen. If the administrator fails to access the Terminal Pro 4 service menu login screen, then
they must wait a while before another attempt.

Picture: The User authentication screen with marked corners (red circles). By tapping the corners,
an administrator can access the service menu.
To proceed to service menu, an administrator must enter the service menu PIN. The default
service menu PIN is 7777. The service menu PIN can be changed.
Picture: The Terminal Pro 4 Service Menu login screen
Using the back button (left arrow), the administrator returns to the user login screen (or an error
screen if the URL has not been configured yet and the device cannot connect to YSoft SafeQ 6).
Service Menu
An administrator can set up the basic device configuration in the service menu. Additionally, the
administrator can manipulate the Terminal Pro 4 device. The administrator can open device doors,
park the print bed, insert or remove filament, pause or stop the current job, etc.

Picture: The main Terminal Pro 4 service menu screen with the configuration items.
When the red exit button in the top right-hand corner of the screen is tapped, the service menu
closes, configuration changes are saved and applied, and the user authentication screen displays.
When an administrator selects a configuration item (e.g., network), then the back button is
available on the left side. By tapping the back button, the administrator returns to the main
Terminal Pro 4 service menu screen. Some configuration changes are not applied immediately (e.
g., network setting). Some changes, however, take immediate effect (e.g., display brightness or
door opening). Behavior is described case by case.
Picture: The back (in the left) and exit buttons.

Items in the Service Menu
Network
The administrator can configure the network settings by tapping the network configuration item:
Picture: The network configuration item in the service menu.

SafeQ Address
The SafeQ Address can be configured manually via the service menu.
The address must consist of the IP address of SafeQ, port (5021 for HTTP or 5022 for HTTPS),
and terminal ID (the last number).
An example of a SafeQ Address setting: https://10.0.13.121:5022/et/v1/1/
To enter network values, a keyboard displays when an administrator clicks inside the edit box.

Picture: The keyboard displayed to insert SafeQ Address
To test the connection with YSoft SafeQ 6, the administrator can use the Test connection
button.
If the Terminal Pro 4 device is able to connect to YSoft SafeQ 6, then the administrator will see a
green tick. If the connection does not work, the administrator will see a red cross.
Picture: A green tick confirming the Terminal Pro 4 device is able to connect to YSoft SafeQ 6,
and a red cross indicating a problem with the connection with YSoft SafeQ 6.
DHCP setting
An administrator can use DHCP to configure networking. If DHCP is enabled, then the IP address
of the Terminal Pro 4 device, network mask, gateway IP, and DNS server IP will be set
automatically. Network fields are disabled for editing.
Picture: An enabled DHCP switch.
If the administrator disables DHCP, then the IP address of the Terminal Pro 4 device, network
mask, gateway IP, and DNS server IPs must be configured manually.
Picture: A disabled DHCP switch.
If DHCP is disabled, then the network fields are editable.

Picture: When DHCP is disabled, the network fields are enabled for editing.
Note that an administrator can add more DNS Server IP addresses. It is similar to adding another
SafeQ address. A green plus button is used for adding and a red minus button for removing a
DNS address.
If DHCP is disabled and the administrator configures networking manually, then the administrator
can press the SAVE and reboot button to force an OS reboot. Therefore network changes take
effect once the OS boots.
Card reader setting
An administrator is able to check and configure a protocol that is used by the hardware terminal
for communication with a card reader.
On the Card reader setting screen an administrator can see the card reader ID and the current
card reader protocol.
By pressing the button Change an administrator can select another protocol from the list:

By pressing the button Test card reader on the Card reader setting screen an administrator can
swipe by a card over the card reader to see how it is interpreted:
After the swipe an administrator can see the card ID and the card type as seen on the picture
above. It is possible to swipe more times in a row. If card reading does not work as expected, for
example the card ID is not interpreted correctly, then an administrator can change the protocol as
described above or configure the card reader.
Smart Cable
An administrator accesses Smart cable configuration by clicking the Change button .

Usually many smart cable types can be used for MFD blocking. The smart cable type can be
changed by clicking the Change button.
When a different smart cable type is selected, it is recommended to test it. You can start a smart
cable test by clicking the Test cable button.
When the following screen displays, the administrator can start unlocking the MFD by tapping
buttons.
MFD blocking instructions can be found in the Hardware Compatibility List (HCL) section.
Access
The Access screen offers the possibility to change the default PIN.

The user should enter the current PIN followed by the new PIN and new PIN confirmation.
Terminal Interface
An administrator can configure the volume, display brightness, display timeout, and default
language in the Terminal interface settings.
Picture: The Terminal interface settings.
Sound: Volume
Sound configuration sets the volume from 0 (off) to 100%. This configuration change takes
immediate effect.
Display: Brightness
Display brightness can be set from 1 (the darkest) to 10 (the brightest). This configuration change
takes immediate effect.
Display: Display timeout
To prevent unnecessary energy consumption and display wear, the display can be set to fade
after some time. It is strongly recommended to set the display timeout to 10, 30 or 60 seconds
(one minute). The configuration change takes effect once the user login screen displays.
Currently, display timeout takes effect only on the user login screen.
Default language

Default language is the language which is preselected at the login screen. Therefore, the
language that is most used in a given environment can be preselected, and most users do not
bother to set it. When a user changes the language, logins and logouts, then the language resets
to the default one.
For example, when English is set as the default language and a French speaker switches the
language to French, then at the terminal, all screens are in French. Once the user log outs, the
language resets to English.
The default language can be changed by clicking the Change button. A list of available languages
displays, and the administrator can select one language as the default one.
If there is no string resource translation for a given language, then there is the fallback to
English.
Current timezone
A time zone is a region where the same standard time is used.
The current timezone can be changed by clicking the Change button. A list of available time zones
displays, and the administrator can select one suitable for the current location.
Information
In the Information screen, the administrator can read all licenses that are used for the terminal.
Each license can be read by clicking the Read license button.

Picture: The Information screen with a list of used licenses.
Limitations
Changing print options at the terminal is not supported on vast majority of devices.
Enabling application failover on Terminal Pro 4
Application failover configuration
YSoft SafeQ Terminal Pro 4 is communicating to the YSoft SafeQ Spooler Controller via YSoft
SafeQ Terminal Server. In case that YSoft SafeQ Terminal Server becomes unavailable and there
is another YSoft SafeQ Terminal Server configured and currently available then YSoft SafeQ
Terminal Pro 4 starts using the another one for further communication. If there is a outage of
YSoft SafeQ Terminal Server during user session then the user session is lost. However when
YSoft SafeQ Terminal Pro 4 successfully switches to another available YSoft SafeQ Terminal
Server then the user can login again right away the login screen is displayed on the screen of
YSoft SafeQ Terminal Pro 4.
Standard procedures for the load balancing and failover via Microsoft Cluster Server or
Failover using Windows Network Load Balancing Services (NLB) does not apply YSoft SafeQ
Terminal Pro 4.
Multiple failover IP addresses configuration
YSoft SafeQ Terminal Pro 4 failover is enabled in SafeQ by default provided that there is more
than one IP address of YSoft SafeQ Terminal Server configured. Multiple IP addresses for
application failover is configurable via Spooler Controller Group. Follow Near Roaming section in
Configuring Print Roaming. The configuration of multiple IP addresses is propagated to the YSoft
SafeQ Terminal Pro 4 either by reinstallation of YSoft SafeQ Terminal Pro 4 or upon every user
logout operation. The administrator can check whether all configured IP addresses were properly
propagated to YSoft SafeQ Terminal Pro 4 in the service menu.

Primary node selection
Default primary node is the one which is used during YSoft SafeQ Terminal Pro 4 installation. The
primary node can be changed in the service menu of YSoft SafeQ Terminal Pro 4.
On the picture below administrator can select one primary server.
Application failover behavior
If the primary YSoft SafeQ Terminal Server becomes unavailable, YSoft SafeQ Terminal Pro 4 will
automatically find another YSoft SafeQ Terminal Server according to strategy selected in
configuration. Then the YSoft SafeQ Terminal Pro 4 will use the resolved YSoft SafeQ Terminal
Server as the primary until it becomes unavailable or until some preconfigured time interval
passes. Then another server is found and selected as primary in dependency on selected failover
strategy. With some strategies, the YSoft SafeQ Terminal Pro 4 may automatically switch back to
a preferred YSoft SafeQ Terminal Server if its functionality is restored.
Limitations
This failover configuration does not provide Load-balancing.
When the copy job is in progress and current YSoft SafeQ Terminal Server becomes
unavailable then the job is not accounted.
Strategies for server selection for YSoft SafeQ Terminal Pro 4

Default strategy
With this strategy, the YSoft SafeQ Terminal Pro 4 will always check for the YSoft SafeQ Terminal
Server server with the fastest response. The servers are checked for their availability in parallel
and the first YSoft SafeQ Terminal Server which responses is taken as the primary for all ongoing
communication.
Primary node preferred

With this strategy, the primary node is always preferred. In this scenario, the primary node is the
YSoft SafeQ Terminal Server from which the YSoft SafeQ Terminal Pro 4 was originally installed. If
the primary node is not available, another server is selected using the default strategy described
above. If the "primary node" becomes available, the YSoft SafeQ Terminal Pro 4 will connect to it
when the current one becomes unavailable or after the preconfigured time interval passes.
Configuring failover strategy for YSoft SafeQ Terminal Pro 4
1. Log in to the YSoft SafeQ management interface with sufficient rights to administer
printers (for example, "admin")
2. Go to System > Configuration from the menu
3. Set enableNetworkLoadBalancer property to enabled
4. Set srteFailoverStrategy property to required strategy. The option determines how the
primary server is resolved in the case when the current server becomes unavailable. The
strategies are described in the section above.
5. Set srteFailoverCheckInterval property to required value. It sets the maximal time (in
minutes) after which the primary YSoft SafeQ Terminal server is resolved according to
selected strategy. The minimal allowed value of this property is one.
6. Save the configuration and reinstall all affected YSoft SafeQ Terminal Pro 4. Alternatively
login in and logout at YSoft SafeQ Terminal Pro 4. Configuration is propagated upon user
logout operation.
On the screens below, you can see failover in progress. On the first picture, there is information
that current connection to the server is lost and the new server is being searched for. On the
second picture, there is information that new active server was found.

Scanning with YSoft SafeQ Terminal Pro 4
There is a possibility of scanning with the YSoft SafeQ Terminal Pro 4 when the MFD supports a
scan to a file repository.
Scanning with Terminal Pro 4 requires an MFD capable of FTP or SMB scan file delivery. Each MFD
requires its own folder, which serves as a staging area for the scan files from MFD. Once YSoft
SafeQ processes the files and sucessfully deliveres them to their destination (email, SharePoint,
etc.), the folder's content is purged.
Terms
FTP - File Transfer Protocol - network protocl used for transfer of files between client and
server on a computer network
SMB - Server Message Block - network protocol providing shared access to files, printers
and serial ports (sometimes called also CIFS)
Only Windows SMB is supported
MFD - Multifunction Device - officemachine which incorporates the functionality of

multiple devices in one e.g. E-Mail, Fax, Photocopier, Printer, Scanner
WPS - Workflow Processing System - YSoft SafeQ component responsible for scan
processing
Scan process
A user logs in into the Terminal Pro 4, navigates to the scan module and selects a Scan
workflow.
On the UI of the MFD user navigates to a pre-configured native scan feature and performs a
scan.

The MFD stores scan files in the Scan destination.
YSoft SafeQ fetches scan files from the Scan folder and starts actions in accordance with
the Scan workflow.
User formally finishes the physical scanning on the Terminal Pro 4 by touching Finish scanning
button.
Scan workflows and YSoft SafeQ Terminal Pro 4
The Scan workflows defined in the YSoft SafeQ management interface are common definitions
for all types of YSoft SafeQ terminals. Consider, that HW related settings, like dpi, color or page
format are not supported with the YSoft SafeQ Terminal Pro 4. The administrator presets these
HW settings while configuring the native scanning feature of the MFD. In some cases, the user
can change it personally just before the scanning, if allowed. Reconciliation of the Scan workflows
and MFD's native scanning settings is up to a handy administrator.
Recommended default settings of the native scanning features are: 300dpi, color (if requested)
and JPG as the output format. Nonetheless, the full list of supported formats is: JPG, PDF, TIFF,
multipage TIFF, compact PDF.
Do not use any native OCR scan function when the YSoft SafeQ OCR is switched on in the
YSoft SafeQ scan workflow.
Configuration
We assume that the Terminal Pro 4 is already assigned to an MFD and basic functions like copy
and print are fully configured and working. Provide next steps to configure scanning.
Two different configurations are allowed - Scan using FTP and Scan using SMB. In accordance
with the MFD's possibilities, choose one of them.
Scan using FTP
In the YSoft SafeQ management interface edit appropriate device in the menu Devices/Printers.
Choose the Advanced option.
In the section General and item Terminal Type, check that YSoft SafeQ Terminal Pro 4 is
selected.
In the section Terminal, check the Scan feature checkbox and in the Scan delivery protocol
item select the FTP.
Write down the Scan destination folder visible just below the Scan delivery protocol.
Save changes.
Collect FTP credentials necessary for MFD native scan feature settings. In case you already know
the FTP credentials from previous activities, you can use it.

If the installation of YSoft SafeQ server is new or you missed the information, you can set up
new ones in the the YSoft SafeQ management interface. Simply head to System > Configuration
> Advanced view and search for FTP. An ftp/WebDAV username is property named
scanServerUsername and n ftp/WebDAV password is property named scanServerUserPassword.
After changing these properties the restart of Terminal server service will be necessary.
Configure MFD native scan feature for scanning and storing scan files in the Scan destination
folder.
Scan using SMB
Create a special folder in a file system for the Scan destination usage. For example, it can be D:
\Scans\MFD_03.
Create a special service account with full access (Read, Write, Manage,..) to this folder and
also can run services (more info in note in the end of this chapter)
Setup sharing of the Scan destination for MFD settings purposes and grant the service
account to access the share.
In the YSoft SafeQ management interface edit appropriate device in the menu Devices/Printers.
In the section General and item Terminal Type, check that YSoft SafeQ Terminal Pro 4 is
selected.
In the section Terminal, check the Scan feature checkbox and Scan delivery protocol choose
Samba.
In the Scan destination folder item write the full path to the Scan destination. In our example:
D:\Scans\MFD_03
In case of Site Server cluster scenario use the shared path of Scan destination instead of
local path. Make sure that accounts used for running Terminal Server services in cluster
can read and delete files in the shared folder.
Save changes.
Configure MFD native scan feature for scanning and storing scan files in the Scan destination
folder.
The WPS service runs under the regular system account when workflowStorageType is set to
Local . In case, when workflowStorageType is set to Remote , use
workflowRemoteStorageUsername and workflowRemoteStoragePassword as account
having appropriate permissions for folder set in workflowStorageRoot.

The scan session (when using SMB scan) has a default 180 minutes timeout period. If the
scan session is in progress and the user does not press Finish button within the 30 minutes
time frame the session will be closed (provided that no files were delivered into the SMB
folder, which is an action that resets the timeout). In case of doing really huge scan jobs this
timeout default value can be changed in Terminal server config. You need to add this line:
<add key="terminalProfessionalGlobalTimeoutInMinutes" value="180" />
to the "TerminalServer.exe.config" file and increase the value to your desired timeout.
Limitations:
The user inputs (e.g. filename, reference number, email of a recipient, ...) are not supported on
the Terminal Pro 4 at the time. Such workflows are filtered out and not displayed on the
Terminal Pro 4 at all.
FTP file transfer is unencrypted.
Scan settings like file type, color, resolution, simplex/duplex, etc. are not controlled by the
Terminal Pro 4. The MFD's native scan feature needs to be configured.
5.5.2.6 YSoft SafeQ Terminal Professional Installation Guide
FCC Statements
that form.
expense.

Complete the Before-You-Begin checklist
Before you begin installing the terminal, complete this checklist:
1. If possible, register and acquire access to the Y Soft online help desk a day or two before
you begin the installation.
2. Obtain the Terminal Professional installation packages and a small Phillips screwdriver.
3. Make sure YSoft SafeQ Server is installed and running.
Property startTerminalProfessionalLegacyServer has to be enabled.
4. Write down the terminal's serial number (located on the back of the terminal).
5. Make sure the Smart cable is the correct cable for the MFD you are connecting the terminal
to.
Refer to the MFD/cable part number compatibility list that Y Soft provided you or go to
Hardware Compatibility List (HCL) and check the list there.
6. If the cable you have is not correct, find the correct cable before you proceed. The cable
may be among other Y Soft packages at the location where you are installing the terminal.
7. Obtain the following information:
a. The YSoft SafeQ Server IP address
b. Does the network support DHCP?
c. If it does not support DHCP, obtain this additional information:
d. Terminal IP address
e. Netmask address
f. Gateway IP address
g. DNS server IP address
8. Information about the MFD or printer:
a. IP address
b. Serial number
c. Model number
Check package contents
Check to make sure you have the following items (included in several packages):

Main package:
Terminal Professional
Ethernet cable
Power supply adapter
The package also includes clear plastic cable wrap for the Ethernet cable.
Accessory packages:
Smart cable
MFD Universal Mounting Kit (bracket, screws, washers)
The Smart cable for your MFD may be different from the one shown here.

Connect cables
Connect cables in the order shown in this diagram.
You must connect the Smart cable before you connect the Power Supply Adapter cable.
The printer has to be connected to the network directly or by a switch in the Terminal
Professional.
1. On the back of the terminal, remove the cover and expose the connectors.
2. Connect the cables as shown here:

Replace the back cover of the terminal
1. Replace the terminal’s cover and tighten the screw.
Mount the terminal
Depending on the type of bracket included with the terminal, mount the bracket to the MFP, to
the wall, or to a nearby object such as a desk or table.
1. Remove the two screws from the back of the terminal.

1.
2. Attach the mounting bracket to the terminal.
3. If you have not already done so, write down the terminal’s serial number (located on the
back of the terminal).
4. Use the screws and washers included with the mounting bracket to mount the bracket and
terminal onto the MFP.
5. Cover all cables with the clear plastic wrap (included in the plastic bag with the cable).
Start the wrap about 4 or 5 inches (10 to 12 cm) from the back of the terminal.

5.
Verify installation
Before you verify installation:
If a user (with an associated card or PIN) has not been created in YSoft SafeQ, create one now
for testing purposes as follows:
1. In the YSoft SafeQ web interface, add a new user named "test".
2. Assign a card and a PIN to the test user (for example, PIN1111).
If the terminal does not include a card reader:
1. On the terminal’s PIN entry screen, enter 1111 (or whatever PIN you assigned to the test
user); then touch OK.
2. Check to make sure the MFP panel unlocks (that is, the panel lights up and comes on).
If the terminal includes a card reader:
1. Touch the PIN button to display the PIN entry screen.
2. Enter 1111 (or whatever PIN you assigned to the test user); then touch OK.
3. Check to make sure the MFP panel unlocks (that is, the panel lights up and comes on).
If the MFP unlocks and the user is authenticated, installation is now complete.
Terminal Professional Overview
YSoft SafeQ Terminal Professional provides external interface for users to access multifunction
devices (MFDs) and network printers to perform print, copy, and scan operations. The terminal
supports Print roaming, print job management, printing shared documents, and self-serve printing
/copying. The terminal supports scan via workflows, defined by YSoft SafeQ administrator.

The terminal has a graphical user interface with touchscreen and is equipped with a 4-port
network adapter.
The terminal also features:
Microcomputer
Flash EEPROM
Network interface
Various optional card readers are available to meet the compatibility requirements of your existing
identification cards. Both contactless and contact readers are available. (Users can alternatively
authenticate via PIN instead of identification card.)
The terminal communicates with YSoft SafeQ server over Ethernet network (default
communication port 4096). RJ45 connectors connect the terminal to the network. MFDs and
printers communicate with the YSoft SafeQ server via the terminal. Administrator can define
whether users are required to authenticate at the terminal before using the MFD or network
printer.
Each terminal has a MAC address allocated by Y Soft.
For more information, see Terminal Professional specification.
Terminal Professional capabilities
The terminal has the following capabilities:
Supports Print roaming, printing, copying, and scanning.
Displays accounting and credit information.
Supports authorization by PIN, card, and login – alone or in a variety of combinations.

Enables one-time authorization by activation code or login and password if the user has no
active card.
Supports project accounting.
Beeps and displays a warning when copying timeout period expires.
Enables central configuration.
Supports remote administration.
Optimizes data transfer between the YSoft SafeQ server and printers.
Includes power management feature that enables brightness to be decreased or turned off
when the terminal is idle for a configured length of time.
Terminal Professional user options
The terminal offers users the following options:
Print, copy, and scan.
View and select jobs (jobs to print, favorite jobs, and printed jobs).
Print favorite jobs by selecting them at the terminal.
Delete jobs from queue.
View information about print/copying status and detailed price accounting on the terminal
screen.
Mark selected jobs as favorite.
Display print job preview.
Configure the connection between the terminal and the YSoft SafeQ server
1. Display the Service menu and touch Server settings.

2. Touch Find server.
3. If the terminal finds the server, skip to step 7
OR
If the terminal does not find the server, touch Server IP.

4. Enter the YSoft SafeQ server’s IP address in the format shown in this example and touch
OK.
10.0.1.1 is entered as 010 000 001 001.
5. Touch Server port.

6. Enter the YSoft SafeQ server’s port; then touch OK.
The default port is 4096.
7. Touch Cluster support and Enable this option

8. Touch Network settings.
9. Touch DHCP and according to your network setting select Enable or Disable.

10. If DHCP is enabled, touch DHCP hostname.
11. Enter the hostname that will be sent by the DHCP client; then touch OK. Go to step 21.
The hostname can contain a maximum of 31 characters. The terminal’s serial number is
used as the hostname by default.

OR
12. If DHCP is disabled, touch Uplink interface.
13. Touch IP address.

14. Enter the terminal’s IP address in the format shown in this example and touch OK.
10.0.1.1 is entered as 010 000 001 001.
15. Touch Netmask.

16. Enter the subnet mask in the format shown in this example and touch OK.
255.255.255.0 is entered as 255 255 255 000.
17. Touch Back. Touch Gateway.

18. Enter the gateway’s IP address in the format shown in this example and touch OK.
10.0.1.1 is entered as 010 000 001 001.
19. Touch DNS Server.

20. Enter the DNS server’s IP address in the format shown in this example and touch OK.
10.0.1.1 is entered as 010 000 001 001.
21. Touch Back. Touch Save and restart to save the changes.

Multiple initialize requests to Terminal Server of not registered Terminal Professional
devices is expected behavior.
Displaying the Service menu at Terminal Professional
To access most settings, first display the Site admins Service menu as described in this section.
1. If the terminal displays a Place Card screen, tap the top corners 4 times: Tap left top
corner > Tap right top corner > Tap left top corner > Tap right top corner.
OR
If the terminal displays a Keypad screen, touch the 0 button 9 times (000000000).

2. The terminal displays a keypad. Enter the PIN, then touch OK.
There are two levels of service menu (Y Soft partners service menu and Site admins
service menu). It depends on entered PIN code. Default PIN for Site admins menu is
0000. To get PIN for Y Soft partners menu, please contact Customer Service Support.
3. The terminal displays the Site admins Service menu or Y Soft Partners service menu,
depending on entered PIN on login screen.

4. The is difference between this two levels of service menu in following options, which are
available only from the Y Soft partners Service menu:
Cluster support
Debug mode
Card reader
Card reader test
Interaction mode
I/O Module
I/O Module test

Emergency update
Change part. PIN
Test the connection between the terminal and the YSoft SafeQ server
1. Display the Service menu and touch Diagnostic utils.
2. Touch Test server connect.
3. If the connection is successful, the terminal displays this screen:

3.
OR
4. If the connection is not successful, the terminal displays this screen:
5.5.2.7 YSoft SafeQ Terminal UltraLight Installation Guide
FCC statements

that form.
expense.
Complete the Before-You-Begin checklist
Before you begin installing the terminal, complete this checklist:
1. If possible, register and acquire access to the Y Soft online help desk a day or two before
you begin the installation.
2. Obtain the Terminal Ultralight installation packages and a small Phillips screwdriver.
3. Make sure YSoft SafeQ Server is installed and running.
Property startTerminalProfessionalLegacyServer has to be enabled.
4. Write down the terminal's serial number (located on the back of the terminal).
5. Make sure the Smart cable is the correct cable for the MFD you are connecting the terminal
to.
Refer to the MFD/cable part number compatibility list that Y Soft provided you or go to
Hardware Compatibility List (HCL) and check the list there.
6. If the cable you have is not correct, find the correct cable before you proceed. The cable
may be among other Y Soft packages at the location where you are installing the terminal.
7. Obtain the following information:
a. YSoft SafeQ Server IP address
b. Does the network support DHCP?
c. If it does not support DHCP, obtain this additional information:
d. Terminal IP address
e.

e. Netmask address
f. Gateway IP address
g. DNS server IP address
8. Information about the MFD or printer:
a. IP address
b. Serial number
c. Model number
Check package contents
Check to make sure you have the following items (included in several packages):
Main package:
Terminal Ultralight
Ethernet cable
Power supply adapter
The package also includes clear plastic cable wrap for the Ethernet cable.

Accessory packages:
Smart cable
MFD Universal Mounting Kit (bracket, screws, washers)
The Smart cable for your MFD may be different from the one shown here.
Connect the cables
Connect the cables in the order shown in this diagram.
You must connect the Smart cable before you connect the Power Supply Adapter cable.
The printer has to be connected to the network directly or by the switch in Terminal
UltraLight.

Configuring the terminal
Terminal Ultralight requires a TCP/IP connection to YSoft SafeQ Server. The terminal has its own
IP and MAC address.
For the correct network configuration, you can go to Configuring YSoft SafeQ Terminal UltraLight.
YSoft SafeQ Server configuration
1. Log into the YSoft SafeQ web administration with sufficient rights to manage devices.
2. Go to Devices > Printers and click Add Device.
3. In the General section select the Terminal type and in the Terminal section enter the
Serial number of your Terminal Ultralight. This serial number must equal the serial number
written in Remote configuration tool for hardware terminals. Then click Save changes.

Mounting the terminal
Depending on the type of bracket included with the terminal, mount the bracket to the MFD, to
the wall, or to a nearby object such as a desk or table.
To mount the terminal onto the MFD, follow these steps:
1. Remove two screws from the back of the terminal.
2. Attach the mounting bracket to the terminal.

3. If you have not already done so, write down the terminal's serial number (located on the
back of the terminal).
4. Use the screws and washers included with the mounting bracket to mount the bracket and
terminal onto the MFD.
5. Cover the Ethernet cable with the clear plastic wrap (included in the plastic bag with the
cable). Start the wrap about 4 or 5 inches (10 – 12 cm) from the back of the terminal.
Verify installation
1. At the terminal, enter a PIN, then press OK.
The PIN you use must be one that you have already added in the YSoft SafeQ system.
2. Check to make sure the MFD panel unlocks (that is, the panel lights up and comes on).
If the MFP unlocks and the user is authenticated, installation is now complete.

Configuring YSoft SafeQ Terminal UltraLight
To configure YSoft SafeQ Terminal UltraLight, you can use:
The Remote configuration tool for hardware terminals (Termtool)
It is possible to configure the following properties using Remote configuration tool for hardware
terminals (Termtool):
Terminal IP address
Netmask address
Gateway IP address
Enable/disable DNS server IP address
YSoft SafeQ Server IP address
Enable/disable sound
Level of debug mode
Card reader protocol
Enable/disable Refresh server IPs
Refresh Server IPs
The following property enables/disables automatic server IP configuration (main server and
nodes):
Enabled - (Default) Servers IP addresses are automatically configured based on running YSoft
SafeQ servers.
Disabled - Currently configured servers' IP addresses stay unchanged. This also applies to non-
standard situations such as servers behind NAT or cold backup servers.
How to Set Refresh Server IPs on Terminal UltraLight
1. You need the following tools: termtool.exe and squl_cfg_set.bat. They are distributed with
Terminal UltraLight firmware.
2. Prepare the configuration file. For example cfg.txt.
3. This file will contain only one line: NOSRVREFRESH=0 if you want to enable Refresh server
IPs, or: NOSRVREFRESH=1 if you want to disable Refresh Server IPs.
4. In command line, run the following command: "squl_cfg_set.bat <IP address of Terminal
Ultralight> <configuration file>". (Real example: "squl_cfg_set.bat 10.0.5.122 cfg.txt")

Performing Terminal UltraLight Service Procedures
This page describes the service procedures available for Terminal UltraLight and Network Card
Reader. For a better understanding, we use the word terminal on this page, which refers to
Terminal UltraLight, and also Network Card Reader.
Update Firmware
1. Download the new firmware files from https://portal.ysoft.com/ to YSoft SafeQ Server.
Alternatively, locate the firmware file in Complete Pack under " Complementary
Solutions\Ultralight FW" file structure.
2. Copy the new firmware files into the "update" folder (typically: C:/SafeQ/server/update).
3. Start termtool.exe application.
4. Use update firmware procedure described in Remote configuration tool for hardware
terminals section (-ug) update standard firmware of YSoft SafeQ Terminal UltraLight.
5. Try to authenticate on the terminal.
If you are able to authenticate, you have successfully performed one of the selected
procedures.
Default Configuration Settings

Default configuration settings for Network Card Reader:
DHCP: Disabled
IP:192.168.0.100
Netmask: 255.255.255.0
Gateway: 192.168.0.254
DNS: 192.168.0.254
Primary server: 192.168.0.254:5011
Server list: empty
Update server: 192.168.0.254:4096
Sound: Enabled
Default configuration settings for Terminal UltraLight:
DHCP: Disabled
IP:192.168.0.100
Netmask: 255.255.255.0

Gateway: 192.168.0.254
DNS: 192.168.0.254
Primary server: 192.168.0.254:4096
Server list: empty
Locking: Immediate
Auth. type: Card or PIN
Mode: Normal
Sound: Enabled
Debug mode: No log
IOmodue mode: 0
Terminal UltraLight and Network card reader are shipped with the configuration reset to
default.
YSoft SafeQ Terminal UltraLight beep and LED code sequences
The YSoft SafeQ Terminal UltraLight contains status LEDs that serve for interaction with the
user. This chapter describes the beeps the terminal emits and LED codes it displays to notify the
user about various status conditions.
Beep code sequences
In the following table, a period ( . ) represents a short beep and a dash ( - ) represents a long
beep.
This option is available only if the sound is enabled.
Sequenc Description
e
- Card read error. Place the card again or use a different card.
.- Terminal validation failed. Server reports that the terminal is not registered on YSoft SafeQ.
-- No print job is waiting in queue.
..- User quota has been exceeded or user has no billing code assigned.
-.- User authentication failed. The PIN is not valid or the ID card is not registered in YSoft SafeQ.
If YSoft Payment System is used, it can indicate account is disabled.
.-- The terminal received an error or warning message from the YSoft SafeQ server.

Sequenc Description
e
If YSoft Payment System is used, it can indicate insufficient credit balance for current user
(according YSoft SafeQ system settings for YSoft Payment System - pricePerPageReservatio
nStrategyForCopyOnHwTerminal ) to perform copies/scans.
--- Connection to YSoft SafeQ server failed.
...- Hardware configuration is corrupt and the terminal cannot continue booting.
- .. - Maximum number of firmware update attempts reached but no valid firmware detected.
.-.- Firmware update failed.
--.- Software configuration cannot be saved. Probably faulty terminal EEPROM.
..-- Software configuration is damaged and the terminal is loading defaults.
-.-- Maximum number of firmware update attempts reached and the terminal is resuming normal
boot.
---- Network initiation failed.
.... Keyboard PCB failure.
-... No reader is connected. Reader is required for operation.
.-.. Firmware update failed. Error in server response. YSoft SafeQ server is probably not
configured correctly.
--.. Firmware update failed. Cannot connect to YSoft SafeQ server.
LED code sequences
The following table shows the various LED code sequences and explains what they indicate.
There are following colors used for icons:
Green - Led is green
Red - Led is red
Orange - Led is orange
Grey - Led is off

Sequence Description
Animated
Unsuccessful authentication. The terminal does not
recognize the card, PIN, or Card Activation Code code.
All LEDs are off

Terminal power is off.
Animated
Terminal is processing; please wait.
Animated
Firmware upgrade in progress; please wait.
Firmware upgrade in progress; please wait.
Swipe card or enter PIN.
Enter PIN (when authentication requires card + PIN).
Enter Card Activation Code (when Card Activation Codes

are enabled on the YSoft SafeQ server).
Print jobs are available and copying is possible. Press the P

rint or Copy icon.
NOTE: This code appears only on YSoft SafeQ Terminal
UltraLight Print & Copy.
No print jobs are available in the queue. Copying is

possible. Press the Copy icon.

Sequence Description
Flashing
Copying in progress. To cancel, press X or OK, or place a
card.
Flashing
Copying in progress. Server issued a warning. See the
MFD display panel for details.
Flashing
Printing in progress. Please wait until the print job is
finished.
Flashing
Printing in progress. Server issued a warning. See the MFD
display panel for details.
Flashing
An error occurred. See beep codes for details (page).
Sequential...
Sequence that appears as a user enters a PIN.
Terminal has not been fully configured. Please contact Y

Soft Customer support services.
During boot
WARNING: Do not perform this action unless instructed
to do so by Y Soft.
Enter the terminal model. For UltraLight Print & Copy,
press 1. For UltraLight Print Only, press 3.
During initialization beep sequence

Indicates UltraLight Print & Copy model.

Indicates UltraLight Print Only model.

Indicates Ethernet Reader model.

Scanning with YSoft SafeQ Terminal UltraLight
Terms
SMB - Server Message Block – shared access to the file systems, one version which is
also known as CIFS
Only Windows SMB is supported
MFD - Multifunction Device
WPS - Workflow Processing System – the YSoft SafeQ component responsible for scan
processing
There is the possibility of scanning with YSoft SafeQ Terminal UltraLight when the MFD supports
scanning to a file repository.
A shared disk space called the Scan destination folder has to be prepared. This Scan destination
folder has to be unique for every pair of MFD and Scan workflow . It is only a working space
dedicated to transferring scan files from the MFD to the YSoft SafeQ. Scan files stay there for a
limited time and are deleted when YSoft SafeQ reads it. The scan destination is accessible using
SMB.
Scan Process
A user logs into Terminal UltraLight and presses the copy icon.
On the UI of the MFD, the user navigates to a pre-configured native scan feature, selects a
destination from the address book of the MFD (make sure that you communicate to the user
which address book entry to use), and performs a scan.
The MFD stores the scan files in the Scan destination folder.
After the user logs out of Terminal UltraLight, YSoft SafeQ fetches the scan files from the
Scan destination folder and starts actions according to the Scan workflow.
Scan Workflows and YSoft SafeQ Terminal UltraLight
The Scan workflows defined in the YSoft SafeQ management interface are common definitions
for all types of YSoft SafeQ terminals. Consider that HW-related settings, like dpi, color, or page
format, are not supported with YSoft SafeQ Terminal UltraLight. The administrator presets these
HW settings while configuring the native scanning feature of the MFD. In some cases, the user
can change it personally just before scanning, if allowed. Reconciliation of the Scan workflows
and the MFD's native scanning settings is up to a handy administrator.
The recommended default settings of the native scanning features are: 300 dpi, color (if
requested), and JPG as the output format. Nonetheless, the full list of supported formats is: JPG,
PDF, TIFF, multipage TIFF, and compact PDF.

Do not use any native OCR scan functions when the YSoft SafeQ OCR is switched on in the
Scan workflow.
Setting Up Scanning on Terminal UltraLight

Precondition
Create a special folder in the file system for the Scan destination folder usage. For example, it
can be D:\Scans\MFD_03.
Create a special service account with full access (Read, Write, Manage,..) so this folder and
this account can also run services (more info in the note at the end of this chapter).
Setup sharing of the Scan destination folder for MFD settings purposes and grant the service
account to access the share.
Configuration
Configure the MFD's native scan feature for scanning and storing scan files in the Scan
destination folder
The best way to do so is to create a record in the address book of your MFD (if you are
not sure how to do this, please refer to the chapter Configuring MFDs for Scanning with
YSoft SafeQ hardware terminals where you can find detailed guides).
The WPS service runs under the regular system account. If the scan destination is not
accessible by services running under such an account (e.g., the scan destination is
located on a different computer than WPS), please make sure that you run the WPS
service using the account that you created at the beginning of this chapter.
In the YSoft SafeQ management interface, edit the appropriate device in the menu Devices /
Printers.
In the section General and the item Terminal Type, check that YSoft SafeQ Terminal
UltraLight is selected.
In the section Terminal, check the Scan feature checkbox.
In the Scan workflows section, click Assign workflows.
Select workflow from the Workflow drop-down list.
As you can see, it is possible to select only workflows without user input. Workflows
with user inputs are not supported on Terminal UltraLight and might not work properly.
So, keep that in mind when editing a workflow and adding a user input into it.

In the Scan destination folder, provide a full address/path to which the MFD will deliver the
scan (The record in the address book of your MFD). E.g., \\10.0.0.1\scans...
Since you can assign multiple workflows to the Terminal UltraLight, do not use the
same destination for all workflows.
Save changes.
Limitations
Due to a bug in online accounting, the copy/scan of big files fails if a user tries to initiate a logout
during the scanning process.
5.5.2.8 Configuring MFDs for Scanning with YSoft SafeQ hardware terminals
Configuring Konica Minolta devices for Scanning with YSoft SafeQ hardware terminals
YSoft SafeQ Terminal UltraLight only supports scanning using SMB.
Adding FTP connection to address book via device web interface

Prerequisites
Make sure that you add device into YSoft SafeQ first.
Credentials for YSoft SafeQ FTP server
1. Simply head to System > Configuration > Advanced and search for "ftp".
2. An ftp/WebDAV username is property named scanServerUsername
3. An ftp/WebDAV password is property named scanServerUserPassword
After you install Terminal Pro 4 into YSoft SafeQ (add as a device), the terminal server creates
FTP folder. The folder has same name as is devices' id. Check in devices' settings with
Advanced view. As you can see, in our case it is number "1".
How to proceed
1. Login into device web interface and go to Store Address and click New Registration.

2. Select FTP radio button and click OK.
3. Fill in all necessary fields and click OK.
a. Fill IP address of machine on which your Terminal Server is running, leave the port at
its default value.
b. Into a File Path put a name of FTP folder created by YSoft SafeQ (more info in
precondition).
c. For User ID use scanServerUsername property value (more info in precondition).
d. For Password use scanServerUserPassword property value (more info in

precondition).

4. Created FTP connection is saved into Address Book list.
5. When the user authenticates on Terminal Pro 4, he/she selects workflow and enters Scan
menu on device, he/she just selects created FTP connection and performs scan. Scans will
be delivered according to the workflow settings.
Adding SMB folder to address book via device web interface

Prerequisites
Credentials that will be used by MFD to authenticate in filesystem (read/write).
Path to a shared folder to which the scan will be stored.
How to proceed
1. Login into device web interface and go to Store Address and click New Registration .

1.
2. Select SMB radio button and click OK.
3. Fill in all necessary fields and click OK.

4. Created SMB folder is saved into Address Book list.
5. When user authenticates on terminal and enters Scan menu on device, he just selects
created SMB folder and performs scan. Scans will be delivered to this folder, and after
logging out from Terminal Pro 4, scan files will be delivered to target destination according
to configuration in used scan workflow.
SMB folder must be equal to Triggered hot folder for used scan workflow.

Configuring Xerox devices for Scanning with YSoft SafeQ hardware terminals

Prerequisites
FTP folder. The folder has same name as is device's id. Check in device's settings with
Advanced view. As you can see, in our case it is number "1"
How to proceed
1. Login into device web interface and go to Address book and click Add .
2.

2. Fill in display name (It is best to use the same name like name of the scan workflow in
YSoft SafeQ) and then click on Add Destination .
3. Fill in all necessary fields and click Save.
a. It is OK to put anything you want into a Nickname
b. From Protocol drop down list, please select FTP value
c. Fill IP address of machine on which your Terminal Server is running, leave the port at
its default value
d. Fill the number of scan destination folder that was created during device addition into
YSoft SafeQ in Document Path
e. For Login Name use scanServerUsername property value (more info in precondition)
f. For Password use scanServerUserPassword property value (more info in

precondition)

5. When the user authenticates on Terminal Pro, he selects workflow and enters Scan menu
on device, he just selects created Address Book connection and performs scan. Scans will
be then delivered according to the workflow settings.

Prerequisites

Credentials that will be used by MFD to authenticate in filesystem.
Path to a folder to which the scan should be stored.
How to proceed
1. Login into device web interface and go to Address book and click Add.
2. Fill in display name (It is best to use the same name like name of the scan workflow in
YSoft SafeQ) and then click on Add Destination.
a. It is ok to put anything you want into a Nickname

3.
b. From Protocol drop down list, please select SMB value
c. Fill IP address (and port) of machine on which the scan should be delivered.
Note that default SMB port is 445.
d. Put a name of a shared folder into Share
e. If there are sub-folders in your shared folder and you would like to deliver scans into
one of them please fill it in Document Path
f. For Login Name and Password use credentials with read/write access rights
4. Created SMB connection is saved into Address Book list.

Configuring Ricoh devices for Scanning with YSoft SafeQ hardware terminals

Prerequisites
2. An ftp / WebDAV username is property named scanServerUsername
3. An ftp / WebDAV password is property named scanServerUserPassword

After you install Terminal Pro 4 into YSoft SafeQ, the terminal server creates FTP folder. The
folder has same name as is devices' id. Check in devices' settings with Advanced view. As
you can see, in our case it is number "1"
How to proceed
1. Login into device web interface and go to Address Book.
2. You can see list of created users scan destinations. To add new one touch Add user.

a. Folder authentication
i. For Login User Name use scanServerUsername property value (more info in
precondition).
ii. For Login Password use scanServerUserPassword property value (more info in
precondition).
b. Protocol = FTP
c. Path = name of FTP folder created by YSoft SafeQ (more info in precondition).
Then click OK to save new destination.

4. Created profile with FTP connection is saved into Address Book list.

Prerequisites
Make sure that you add device into YSoft SafeQ first
Path to a shared folder to which the scan will be stored.
How to proceed
1. Login into device web interface and go to Address Book.

2. You can see list of created users scan destinations. To add new one touch Add user.
3. Now fill in all required fields and also Folder part as following:
Protocol = SMB

3.
Path = path to your Triggered hot folder (same as on scan tab in device settings).
Then click OK to save new destination.
4. Created profile with SMB folder is saved into Address Book list.

Configuring Sharp devices for Scanning with YSoft SafeQ hardware terminals

Prerequisites
3.

FTP folder. The folder has same name as is device's id. Check in device's settings with
How to proceed
2. Fill in all necessary fields and click Submit.
a. It is ok to put anything you want into a Address Name (It is best to use the same
name like name of the scan workflow in YSoft YSoft SafeQ)
b. Scroll down and select FTP tab
c. Fill IP address / hostname of machine on which your Terminal Server is running
YSoft SafeQ in Directory (more info in precondition)
e. For User Name use scanServerUsername property value (more info in precondition)
f. For Password (Check the "Change Password" checkbox to make this field editable)
use scanServerUserPassword property value (more info in precondition)

4.
4. When user authenticates on Terminal Pro, selects workflow and enters Scan menu on
device, he just selects created Address Book connection and performs scan. Scans will be
then delivered according to the workflow settings

Prerequisites
Make sure that you add device into YSoft SafeQ first
Credentials that will be used by MFD to authenticate in filesystem
Path to a shared folder to which the scan will be stored
How to proceed
2. Fill in all necessary fields and click Submit.
a. It is OK to put anything you want into a Address Name (It is best to use the same
name like name of the scan workflow in YSoft SafeQ).
b. Scroll down and select Network Folder tab.
c. User with rights to access the shared folder (Read/write).

3. Created SMB connection is saved into Address Book list.

Configuring Fuji Xerox devices for Scanning with YSoft SafeQ hardware terminals

Prerequisites
Make sure you add device into YSoft SafeQ first.
2. An ftp / WebDAV username is property named scanServerUsername
3. An ftp / WebDAV password is property named scanServerUserPassword
FTP folder. The folder has same name as is devices' id. Check in devices' settings with
How to proceed
1. Login into device web interface and go to Address book and click Add New Name.
2. Fill in all necessary fields and click Apply
a.
2.
a. Display name (It is best to use the same name like name of the scan workflow in
YSoft YSoft SafeQ)
b. select Server from Address Type drop down menu
c. select FTP
YSoft SafeQ in Save in
e. For User Name use scanServerUsername property value (more info in precondition)
f. For Password use scanServerUserPassword property value (more info in

precondition)
4. When the user authenticates on Terminal Pro, he selects workflow and enters Scan menu
on device, he just selects created Address Book connection and performs scan. Scans will
be then delivered according to the workflow settings.

Prerequisites

Path to a folder to which the scan should be stored.
How to proceed
1. Login into device web interface and go to Address book and click Add New Name.
2. Fill in all necessary fields and click Apply
a. Display name (It is best to use the same name like name of the scan workflow in
YSoft YSoft SafeQ)
b. select Server from Address Type drop down menu
c. select SMB
d. Fill IP address of machine on which the scan should be delivered
e. Put a name of a shared folder into Shared Name
f. If there are sub-folders in your shared folder and you would like to deliver scans into
one of them please fill it in Save in
g. For User Name and Password use credentials with read/write access rights

5.5.2.9 Remote configuration tool for hardware terminals
Remote configuration tool for hardware terminals (Termtool)
The Termtool configuration tool is designed for legacy YSoft Hardware terminals (YSoft SafeQ
Terminal Professional 3.x, YSoft SafeQ Terminal UltraLight and YSoft SafeQ Network Card Reader).
Purpose
Show information about detected terminals.

Set basic parameters of each terminal such as reader protocol, IO module, network settings,
debug mode etc.
Forcing of normal firmware update.
Update of service firmware.
Download log from terminal for debugging purposes.
Prerequisites
Windows 2000 and higher
Linux kernel 2.4 or higher
Termtool.exe (WIN32) or Termtool (Linux) executable binaries
Limitations
Not all functions are supported on all previous releases of terminal firmwares.
Description
The program runs in a system console. It is not a GUI application, it is an application running in
text mode.
How to obtain Termtool
Termtool is standard part of installation package. You can find it in the Complementary
Solutions folder of the Complete Pack installation package.
Main program screen
When the program is run without any command line parameter the Termtool loads terminal list
from fixed file (termlist.txt) and tries to detect all other accessible terminals. Then the following
screen is shown:
YSoft terminal configuration utility ver. 0.9, PARTNERS release
List of available terminals:

----------------------------------------------------------------------------
0) TP 10.1.6.245 SQPRC053535E94E 3.11.0(450) TCP only
----------------------------------------------------------------------------
Additional detected terminals:

----------------------------------------------------------------------------
1) TP 10.1.5.232 SQPR9493534CD6E 3.11.4(505) TCP and bcast
2) SPM 10.1.5.221 SQPRB213537842E 3.12.0(514) TCP and bcast
3) ULPC 10.1.5.217 SQULB47151A344E 1.2.0ul TCP and bcast
4) ULPC 10.1.5.253 SQULB47151A348E 1.2.0ul TCP and bcast
----------------------------------------------------------------------------
Actions:
99) Exit application
Terminal list:
101) Refresh 102) Load 103) Save 104) Purge

Terminal :
111) Add by IP 112) Add by SN 113) Delete
Cfg. template:
121) Apply to all terminals
SM PIN for further operations (TP only): Currently: none

131) Enter PIN L 1 132) Enter PIN L 2 133) Clear PIN
Enter number:
Screen shows information about terminals:
Terminal type
TP = YSoft SafeQ Terminal Professional
SPM = YSoft Payment Machine
TP-NCR = YSoft SafeQ Terminal Professional in Network Card Reader mode
ULPC = YSoft SafeQ Terminal UltraLight Print&Copy
ULPO = YSoft SafeQ Terminal UltraLight Print only
NCR = YSoft SafeQ Network Card Reader
Terminal IP address
Serial number
Firmware version
Terminal availability
TCP and bcast = Terminal is reachable by both TCP connection or by broadcast - terminals
in same subnet with correct IP address setting
TCP only = Only TCP connection - terminals in different subnet, but correctly configured IP
address (and netmask etc.)
bcast only = Only broadcast connection - like terminal in same subnet, but without
correctly configured IP address
unreachable = Terminal is not on last known IP and is not reachable via broadcast (not in
same subnet)
User may select concrete terminal number (0-98) to be configured or run one of these commands:
"99) Exit application" - completely exit application
"101) Refresh" - Redetect all terminals and refresh list
"102) Load" - Load terminal list from fixed file (termlist.txt) and rescan terminals status
"103) Save" - Save current terminal list to fixed file (termlist.txt)
"104) Purge" - Clear current terminal list and redetect all terminals
"111) Add by IP" - Add single terminal to list by entering its IP address

"112) Add by SN" - Add single terminal to list by entering its serial number
"113) Delete" - Delete single terminal in list
"121) Apply to all terminals" - Apply stored configuration template (termtempl.txt) to all terminals
on list
"131) Enter PIN L 1" - Define service menu pin level 1 (site admins) for future operations on
terminal professional that requires it
"132) Enter PIN L 2" - Define service menu pin level 2 (partners) for future operations on
terminal professional that requires it
"133) Clear PIN" - Clear currently defined pin
Terminal configuration screen
According to terminal type, only some of following items may be displayed. Terminal configuration
screen (after selecting terminal number from the main menu):
YSoft SafeQ Terminal Professional:
Terminal information:
Type : Professional
Firmware ver. : 3.11.4(505)
Servicefw ver.: 2.2.3-12
Servicefw stat: OK
Hardware information:
HW version : 3.5.3
Serial number : SQPR9493534CD6E
Manuf. date : Tue Dec 1 11:52:42 2009
Network information:
Pri. MAC addr.: 00:0A:59:F4:4C:D6
Sec. MAC addr.: 00:0A:59:F4:4C:D7
Link-0 speed : 0
Link-0 mode : 0
Link-1 speed : 0
Link-1 mode : 0
Link-2 speed : 0
Link-2 mode : 0
Up-link speed : 0
Up-link mode : 0
IP information:
DHCP : Enabled
DHCP IP : 10.1.5.232
DHCP Netmask : 255.255.255.0
DHCP Gateway : 10.1.5.100
DHCP DNS : 10.1.0.100
Host name : TEST0001
Server information:
Primary server: 10.1.5.121:4096
Server list :
Locking : Immediate
Cluster supp. : Enabled
Cluster mode : Balanced
Advanced information:
Auth. type : 8 = Card or PIN or Login
Mode : Normal
Joblist mode : Queue/printed

PIN dlg. text : Without characters count
P/C alert msg.: Enabled
Sum. after P/C: Pages and price
Menu timeout : 60
Info timeout : 20
Sound : Enabled
Debug mode : Log all
Card reader and IO module:

Reader type : 48 = B-041 MultiReader LF + HF
Reader proto : 90 = EM4000 compatible + HF UIN
IOmodule type : 1 = N/A Generic iomodules
IOmodule mode : 9 = Autodetect smartcable
Language information:
Default lang. : 2 = English
Other langs. : 11 = Japanese;14 = Chinese (Simplified);17 = Chinese (Traditional);21 = Arabic;25 = Korean;
Lang. selector: Globe always
----------------------------------------------------------------------------
Terminal:
1) IP setup
2) Server setup
3) Advanced setup
4) Card reader and IO module setup
5) Languages setup
Actions:
99) Exit without saving
100) Save changes to terminal and exit (may need service menu pin)
Cfg. template:
101) Load template 102) Save changes as template
Enter number:
YSoft SafeQ Terminal UltraLight:
Terminal information:
Type : UltraLight Print&Copy
Firmware ver. : 1.2.0ul
Servicefw ver.: 1.7.0svcul
Servicefw stat: OK
Hardware information:
HW version : 1.5.1
Serial number : SQULB47151A344E
Manuf. date : Fri Nov 25 16:40:37 2011
HW features : 00000000
Keyb. type : 2
Network information:
MAC address : 00:0A:59:F4:A3:44
Port 0 speed : 0
Port 0 mode : 0
Port 1 speed : 0
Port 1 mode : 0
IP information:
DHCP : Enabled
DHCP IP : 10.1.5.217
DHCP Netmask : 255.255.255.0
DHCP Gateway : 10.1.5.100
DHCP DNS : 10.1.0.100 10.0.0.100 10.0.0.101
Host name : Ulko_007
Domain :
Server information:
Primary server: 10.1.5.121:4096
Server list :
Locking : Immediate

Advanced information:
Auth. type : 3 = Card or PIN
Mode : Normal
Sound : Disabled
Debug mode : Log all
Card reader and IO module:

Reader type : 44 = B-087 MultiReader HF
Reader proto : 105 = Card UIN
IOmodule type : 0 = Unknown
IOmodule mode : 0 = Unknown
----------------------------------------------------------------------------
Terminal:
1) IP setup
2) Server setup
3) Advanced setup
4) Card reader and IO module setup
Actions:
99) Exit without saving
100) Save changes to terminal and exit (may need service menu pin)
Cfg. template:
101) Load template 102) Save changes as template
Enter number:
When some value is incorrect in relevant behavior or could not be obtained from terminal then
"FAILED" or "unknown" is shown. When user selects terminal configuration change relevant
information are repeated before entering new values.
Terminal "IP setup" allows to set DHCP support, terminal IP, netmask, gateway, dns, hostname.
Terminal "Server setup" allows to set server IP:port, cluster nodes IP, update server for network
card reader, locking mode, cluster support and cluster mode.
Terminal "Advanced setup" allows to set authentication type, terminal mode, joblist type, pinbox
text, timeouts, sound setting, debug setting and other interface related settings.
Terminal "Card reader and IO module setup" allows to set reader type and protocol, IO module type
and its mode.
Terminal "Languages setup" allows to set default language, other selectable languages, and
language selector type.
"YSoft SafeQ Payment Machine setup" allows to set money removal PIN and print receipt setting.
Action "99) Exit without saving" returns user to the previous menu. If any changes in settings are
made they are discarded and original settings remain.
Action "100) save changes to terminal and exit (may need service menu pin)" returns user to the
previous menu. If any configuration settings are changed, then changes are stored into terminal
and applied. Some settings require service menu pin on terminal professional so user is asked to
enter it.
Action "101) Load template" loads from fixed file (termtempl.txt) configurations changes. These
changes are shown in listing.
Action "102) Save changes as template" stores all currently prepared changes on selected
terminal to file (termtempl.txt) for future use as a configuration template.

Command line parameters
When the program is run with -h parameter, the following help screen is shown:
YSoft terminal configuration utility ver. 0.17, PARTNERS release

Usage: ./termtool -<parameter> <value> ...
Parameters:
-i input_file (otherwise stdin)

-o output_file (otherwise stdout)
-p pin SM pin
-I ip_addr select IP address of terminal to configure

-t id select terminal # to configure (if not specified then first detected terminal will be used)
-s serno select terminal with given serial number
-l list terminals
-L list terminals, but do NOT list unreachable ones
-n do NOT search for new terminals (use only stored list)
-g get configuration (data on stdout or output file)

-G1 get configuration via authorized access (SM pin level 1) (data on stdout or output file)
-G2 get configuration via authorized access (SM pin level 2) (data on stdout or output file)
-GR get reader configuration checksum (TP only) (requires SM pin level 1) (data on stdout or output file)
-c set configuration (data on stdin or input file)

-C1 set configuration via authorized access (SM pin level 1) (data on stdin or input file)
-C2 set configuration via authorized access (SM pin level 2) (data on stdin or input file)
-CU set configuration via UDP access (data on stdin or input file)
-CR set reader configuration of terminal professional (requires SM pin level 2) (data on stdin or input file)
-Cr set reader configuration of terminal ultralight (data on stdin or input file)
-j get terminal log (data on stdout or output file)

-J1 get SPM processing log - charges (data on stdout or output file)
-J2 get SPM processing log - items (data on stdout or output file)
-k get lowlevel information (TP only) (data on stdout or output file)
-bs TPv3 logo - set image (req. SM pin l 2)(image data on stdin or input file)
-bt TPv3 logo - set text (req. SM pin l 2)(text data on stdin or input file)
-bc TPv3 logo - clear logo setting (req. SM pin l 2)
-ms SPM - set receipt template (req. SM pin l 2)(template data on stdin or input file)
-mc SPM - clear receipt template (req. SM pin l 2)
-Axs Feature Addon - IEEE802.1X - set configuration (req. SM pin l 1)(cfg on stdin or input file)
-Axc Feature Addon - IEEE802.1X - clear configuration (req. SM pin l 1)
-uu update standard firmware from server (Normal mode)

-ue update standard firmware from server (Emergency mode)
-uU update standard firmware from URL (Full update of TP only) (URL on stdin or input file)
-uP update standard firmware from URL (Patch update of TP only) (URL on stdin or input file)
-us update service firmware (update file on stdin or input file)
-ur update service firmware from URL (TP only) (URL on stdin or input file)
-uS update SPM data files (update file on stdin or input file)
-uf update standard firmware of terminal professional (update file on stdin or input file)
-ug update standard firmware of terminal ultralight (update file on stdin or input file)
-uA update feature addon (TP v.3.5 only) (update file on stdin or input file)
-r Perform terminal reboot
-h this help screen

-v verbose operation (on stderr)
-V very verbose operation (on stderr)
NOTE: Some of the functions require a specific product or a certain minimum firmware version.
NOTE: Remote control works only with TP and when enabled in service menu.
NOTE: Remote control works only with -I and implies -n.

Terminal select
Terminal could be selected by
(-I) IP address - terminal must have properly configured network settings and be accessible via
TCP connection to entered IP.
(-t) id - Select terminal on id offset in stored terminal list (termlist.txt)
(-s) serial number - terminal must be accessible via broadcast or already stored in list, then it
could be selected by its serial number
Input/output
When command produces some output then it is shown to user (printed on stdout). It could be
also redirected by system to file or written to file by program when user uses option (-o out_file)
When command requires additional data file then user may enter them on stdin, redirect output of
other program to stdin or specify input file (-i input_file)
Linux examples:
echo "SOUND=0" | ./termtool -I 10.0.0.1 -c
./termtool -I 10.0.0.1 -c
SOUND=0
^D
./termtool -I 10.0.0.1 -c -i cfg_file.txt
Windows examples:
echo SOUND=0 | termtool.exe -I 10.0.0.1 -c
type con | termtool.exe -I 10.0.0.1 -c

SOUND=0
^Z

termtool.exe -I 10.0.0.1 -c -i cfg_file.txt
(-p) SM pin
Configuration of some values in YSoft SafeQ Terminal Professional or in YSoft Payment Machine
requires service menu pin. So by this option user should specify pin value. Useful with -G1 -G2 -C1 -
C2 -ms -mc.
List terminals
There is option to detect and list almost all terminals on same segment of network. Also program
use stored list (termlist.txt) to add other terminals which should be outside network segment, but
still accessible via IP address. Output listing have same format as stored list (termlist.txt) and
should modified in following ways:
(-l) list all terminals, stored ones and newly detected
(-L) list all terminals (stored ones and newly detected), but do NOT list unreachable ones.
Previous commands should be modified with (-n) option which force to do NOT search for new
terminals (use only stored list) so stored list will be only updated with current values and
optionally removed unreachable terminals.
(-g) (-G1) (-G2) get configuration
Downloads terminal configuration and shows it to user or store it to file (-o out_file). Options (-G1) (-
G2) are only for terminal professional to authorize via service menu pin level 1 or 2 - optionally
combine with parameter (-p pin).
Example on linux:
./termtool -I 10.0.0.1 -g -o CFG.TXT

./termtool -I 10.0.0.1 -G1 -p 0000 -o CFG.TXT
or on Windows:
termtool.exe -I 10.0.0.1 -g -o CFG.TXT

termtool.exe -I 10.0.0.1 -G1 -p 0000 -o CFG.TXT
(-c) (-C1) (-C2) (-CU) set configuration
Upload configuration entered on stdin or from input file (-i input_file) to terminal. Options (-C1) (-C2)
are only for terminal professional to authorize config upload via service menu pin level 1 or 2 -
optionally combine with parameter (-p pin). Parameter (-CU) force different way of configuration
upload - via broadcasts - so terminal have to be in same network segment.
Configuration file should contain only fields which user needs to change! Storing of read only
value is considered as error so final result of run will be also error.

Example on linux:
./termtool -I 10.0.0.1 -c -i CFG.TXT

./termtool -I 10.0.0.1 -C1 -p 0000 -i CFG.TXT
or on Windows:
termtool.exe -I 10.0.0.1 -c -i CFG.TXT

termtool.exe -I 10.0.0.1 -C1 -p 0000 -i CFG.TXT
(-CR) (-Cr) set card reader custom configuration
Upload reader configuration entered on stdin or from input file (-i input_file) to terminal. Option (-
CR) is only for terminal professional to authorize config upload via service menu pin level 2 -
optionally combine with parameter (-p pin). Option (-Cr) is only for terminal ultralight.
Reader configuration may be generated by YSoft Card Reader Tool.
Example on linux:
./termtool -I 10.0.0.1 -CR -p 0000 -i cust_cfg.bin
or on Windows:
termtool.exe -I 10.0.0.1 -CR -p 0000 -i cust_cfg.bin
(-j) get terminal log
Downloads terminal log and shows it to user or store it to file (-o out_file).
Please note that logging must be enabled before using this function
Example on linux:
./termtool -I 10.0.0.1 -j -o LOG.TXT
or on Windows:
termtool.exe -I 10.0.0.1 -j -o LOG.TXT

(-J1) (-J2) get YSoft Payment Machine processing logs
Downloads two different types of SPM logs and shows it to user or store it to file (-o out_file).
These files also enclose when reporting problem with SPM via Service desk incident reporting.
Example on linux:
./termtool -I 10.0.0.1 -J1 -o SMP_LOG1.TXT

./termtool -I 10.0.0.1 -J2 -o SMP_LOG2.TXT
or on Windows:
termtool.exe -I 10.0.0.1 -J1 -o SPM_LOG1.TXT

termtool.exe -I 10.0.0.1 -J2 -o SPM_LOG2.TXT
(-k) get lowlevel information
YSoft SafeQ Terminal Professional only - Show information about boot loaders and service
firmware or store them to file (-o out_file).
(-bs) (-bt) (-bc) YSoft Terminal professional - logo
Only for YSoft Terminal professional v 3.5 with color display. These commands requires service
menu pin level 2 (combine with -p pin). By option (-bs) users shall upload new logo image (combine
with -i input_file), set logo text (-bt) or clear currently stored logo configuration (-bc)
NOTE: Image have restricted format. Supported is only size 300x72 pixels, format 16-bit BMP(5:6:
5), horizontally flipped.
Example on linux:
./termtool -I 10.0.0.1 -bs -i logo.bmp -p 0000

echo "Demo" | ./termtool -I 10.0.0.1 -bt -p 0000
./termtool -I 10.0.0.1 -bc -p 0000
or on Windows:
termtool.exe -I 10.0.0.1 -bs -i logo.bmp -p 0000

echo Demo | termtool.exe -I 10.0.0.1 -bt -p 0000
termtool.exe -I 10.0.0.1 -bc -p 0000
(-ms) (-mc) YSoft Payment Machine - receipt template

Only for YSoft Payment Machine equipped with optional printer. These commands requires service
menu pin level 2 (combine with -p pin). By option (-ms) users shall upload new receipt template
(combine with -i input_file) or clear currently stored one (-mc)
Example on linux:
./termtool -I 10.0.0.1 -ms -i receipt.xml -p 0000

./termtool -I 10.0.0.1 -mc -p 0000
or on Windows:
termtool.exe -I 10.0.0.1 -ms -i receipt.xml -p 0000

termtool.exe -I 10.0.0.1 -mc -p 0000
(-Axs) (-Axc) YSoft Terminal professional feature addon - IEEE802.1X configuration
Only for YSoft Terminal professional with installed feature addon. These commands requires
service menu pin level 1 (combine with -p pin). By option (-Axs) users shall upload new
configuration (combine with -i input_file) or clear currently stored one (-Axc)
Example on linux:
./termtool -I 10.0.0.1 -Axs -i ieee8021x.cfg -p 0000

./termtool -I 10.0.0.1 -Axc -p 0000
or on Windows:
termtool.exe -I 10.0.0.1 -Axs -i ieee8021x.cfg -p 0000

termtool.exe -I 10.0.0.1 -Axc -p 0000
(-uu) update standard firmware from server (normal mode)
Invoke terminal to reboot into service firmware and do full update of firmware from YSoft SafeQ
server.
Example on linux:
./termtool -I 10.0.0.1 -uu
or on Windows:

termtool.exe -I 10.0.0.1 -uu
(-ue) update standard firmware from server (emergency mode)
Invoke terminal to reboot into service firmware and do emergency full update of firmware from
YSoft SafeQ server.
Example on linux:
./termtool -I 10.0.0.1 -ue
or on Windows:
termtool.exe -I 10.0.0.1 -ue
(-uU) update standard firmware from URL (Full update)
Invoke terminal to reboot into service firmware and do full update of firmware from defined URL.
Example on linux:
echo "http://my_server:port/downloads/FULL-sq-3.12.0.fw" | ./termtool -I 10.0.0.1 -uU

./termtool -I 10.0.0.1 -uU -i download.url
or on Windows:
echo http://my_server:port/downloads/FULL-sq-3.12.0.fw | termtool.exe -I 10.0.0.1 -uU

termtool.exe -I 10.0.0.1 -uU -i download.url
(-uP) update standard firmware from URL (Patch update)
Invoke terminal to do patch update of firmware from defined URL.
Example on linux:
echo "http://my_server:port/downloads/sq-3.12.0.fw" | ./termtool -I 10.0.0.1 -uP

./termtool -I 10.0.0.1 -uP -i download.url
or on Windows:

echo http://my_server:port/downloads/sq-3.12.0.fw | termtool.exe -I 10.0.0.1 -uP
termtool.exe -I 10.0.0.1 -uP -i download.url
(-us) update service firmware
Sends service firmware update to terminal.
NOTE: This "server-less" style of service firmware update is supported from firmware 3.8.0 on
YSoft SafeQ Terminal Professional and 1.1.0 on YSoft SafeQ Terminal Ultralight.
Example on linux:
./termtool -I 10.0.0.1 -us -i emergency-2.2.2-12.enc

./termtool -I 10.0.0.2 -us -i ultralight_service-1.7.fw
or on Windows:
termtool.exe -I 10.0.0.1 -us -i emergency-2.2.2-12.enc

termtool.exe -I 10.0.0.2 -us -i ultralight_service-1.7.fw
(-ur) update service firmware from URL
Invoke terminal to do service firmware update from defined URL.
Example on linux:
echo "http://my_server:port/downloads/emergency-2.2.2-12.enc" | ./termtool -I 10.0.0.1 -ur

./termtool -I 10.0.0.1 -ur -i download.url
or on Windows:
echo http://my_server:port/downloads/emergency-2.2.2-12.enc | termtool.exe -I 10.0.0.1 -ur

termtool.exe -I 10.0.0.1 -ur -i download.url
(-uS) update SPM data files
YSoft Payment Machine have possibility to update firmwares of banknote/coin acceptors. These
firmwares are stored in SPM. To update these stored data use this command with the latest data
file package.
Example on linux:

./termtool -I 10.0.0.1 -uS -i spm_data-2012-05-11.enc
or on Windows:
termtool.exe -I 10.0.0.1 -uS -i spm_data-2012-05-11.enc
(-uf) update standard firmware of YSoft SafeQ Terminal Professional
Sends main firmware update directly to YSoft SafeQ Terminal Professional.
For YSoft SafeQ Terminal UltraLight or YSoft SafeQ Network Card Reader see option (-ug)
Important note: This command may fail in some situations. In this case try to perform it again.
e.g.: Message "Failed to switch terminal to update mode" may mean that there is currently an
active user/admin session.
This "server-less" style of firmware update is supported on terminals that already have service
firmware 2.3.1-13 or newer, or that have standard firmware 3.8.0 or newer.
Warning: This command may automatically update terminal service firmware to minimal
required version.
Example on linux:
./termtool -I 10.0.0.1 -uf -i FULL-sq-3.13.3.fw
or on Windows:
termtool.exe -I 10.0.0.1 -uf -i FULL-sq-3.13.3.fw
(-ug) update standard firmware of YSoft SafeQ Terminal UltraLight
Sends main firmware update directly to YSoft SafeQ Terminal UltraLight or YSoft SafeQ Network
Card Reader.
For YSoft SafeQ Terminal Professional see option (-uf)

Important note: This command may fail in some situations. In this case try to perform it again.
e.g.: Message "Failed to switch terminal to update mode" may mean that there is currently an
active user/admin session.
This "server-less" style of firmware update is supported on terminals that have standard
firmware 1.1.5 or newer.
Warning: This command may automatically update terminal service firmware to minimal
required version.
Example on linux:
./termtool -I 10.0.0.2 -ug -i ultralight-1.2.4.fw
or on Windows:
termtool.exe -I 10.0.0.2 -ug -i ultralight-1.2.4.fw
(-uA) update feature addon
YSoft Terminal Professional hardware version 3.4.x or 3.5.x have possibility to include additional
firmware features. To update these additional firmware data use this command with the latest
addon package.
Only for YSoft SafeQ Terminal Professional hardware version 3.4.x and greater.
Example on linux:
./termtool -I 10.0.0.1 -uA -i feature_addon-2017-07-03.enc
or on Windows:
termtool.exe -I 10.0.0.1 -uA -i feature_addon-2017-07-03.enc
(-r) Perform terminal reboot
Invoke terminal to reboot.

Example on linux:
./termtool -I 10.0.0.1 -r
or on Windows:
termtool.exe -I 10.0.0.1 -r
(-v) (-V) verbose operation (on stderr)
By specifying '-v' (debug) or '-V' (verbose debug) on command line an extended debug mode is
enabled. This may provide developers with important information in case anything during Termtool
operation fails.
Return value
When command line execution is successfully done program returns 0. In case of errors any non
zero value is returned.
Files format
Terminals list (termlist.txt)
This file stores currently known terminals.
10.0.0.1 SQPR9173533BB0E 512 3.11.6(507)

10.0.1.200 SQPRC053535E94E 512 3.11.0(450)
10.0.0.2 SQPRB213537842E 768 3.12.0(490)
0.0.0.0 SQULB47151A344E 2 1.2.0ul
10.0.0.3 SQULB47151A348E 2 1.2.0ul
List contains these values separated by space:
IP address
Serial number
Number defining type of terminal
Firmware version
If you need to import terminal list you should replace termlist.txt with list where are only IP
addresses, then call Termtool to list terminals. Termtool will try to contact all terminals and
update information in output listing.
Configuration template (termtempl.txt)

# 24
DEFLANG=1
# 24
LANGUAGES=2;11;
File contains optional internal data in comments (line starting with '#') and configuration values
which have to be changed. So format allows to get current configuration from terminal and copy
relevant items to template file without any modifications.
Appendix A - Common use cases

Configure YSoft SafeQ server settings on one newly connected terminal
Terminal is configured to DHCP by default and this is correct in this situation so we need only to
configure server IP. Terminal will be connected directly to the same network subnet.
1) Interactively
Connect terminal to network and let it boot
Run Termtool
Termtool has to list all accessible terminals where newly connected one have to be listed
By comparing serial numbers search corresponding line and enter its number
Enter number 2 - to invoke "Server setup"
On prompt for entering primary server enter new server settings (IP address and port in
format: IP:PORT) - for example 10.0.0.1:4096
On other prompts for configuring other values simply press enter to leave current values
After return to menu enter number 100 - "Save changes to terminal and exit"
Now terminal will be configured
Enter number 99 - "Exit application" to leave utility
2) Via command line
Connect terminal to network and let it boot
Open command line window where your copy of Termtool is
Enter following command on Linux (replace IP address and serial number with yours):
echo "SERVERIP=10.0.0.1:4096" | ./termtool -s SQPRC013531234E -c
on Windows:

echo SERVERIP=10.0.0.1:4096 | termtool.exe -s SQPRC013531234E -c
NOTE: Configuration item "SERVERIP" stands for primary YSoft SafeQ server. Other
configuration items could be found in documentation enclosed in remote configuration tool
Now terminal will be configured
Configure multiple items on many terminals connected to large network while we know their IP addresses
Terminals are properly configured in customer's network, but they are on many subnets. We have
list of their IP addresses.
1) First prepare configuration template
Run Termtool
Select any suitable terminal or add one of required terminal by its IP address from list( 111) Add
by IP ).
Enter all required changes of configuration by selecting appropriate items and entering values
After configure enter 102) "Save changes as template"
Enter number 99 - Exit without saving
All this could be also done manually by direct editing of termtempl.txt with correct configuration
values (items documentation enclosed in remote configuration tool).
2) Modify termlist.txt See section "Files format" for details.
Terminal list file could contain only IPs - one per line so replace current termlist.txt file with
your list of terminals IPs.
3) Apply to all terminals new settings
Run Termtool without detecting new terminals, so only list will be used
termtool -n
Alternatively you could run Termtool normally, then tool detects also other terminals, then
selects purge terminal list and loads list so you will have only terminals stored in list
When you configure some options that requires service menu pin on terminal professional
then select option to enter it first. (Enter PIN L 1/2)
Enter number 121 - "Apply to all terminals" to apply configuration template

Now all terminals will be configured
Disable all downlink ports on few terminals connected to large network while we know their IP addresses
Terminals are properly configured in customer's network, but they are on many subnets. We have
list of their IP addresses.
Ethernet ports could not be interactively configured in Termtool so you have to use remote
configuration with correct configuration values. In enclosed documentation (Terminal
Configuration Details_SQPR_fw3.12.0.xlsx) you could found that ethernet port settings are stored
in values PORT_X_SPEED, where X stands for 0-3 and 3 means uplink. So we need to configure
items PORT_0_SPEED, PORT_1_SPEED, PORT_2_SPEED and they are configurable via authorized
access with service menu pin level 1. Best way how to get correct value of required item is to get
it from terminal.
Manually configure one terminal to disable all downlink ports
use Termtool to download configuration to file:
termtool -I 10.0.0.1 -g -o old_config.txt
edit stored config file to contain only required items (PORT_0_SPEED, PORT_1_SPEED,
PORT_2_SPEED). So file will contain this content:
PORT_0_SPEED=5
PORT_1_SPEED=5
PORT_2_SPEED=5
now for each terminal upload configuration change. Replace IP address with correct one and
0000 with service menu pin level 1.
termtool -I 10.0.0.2 -C1 -p 0000 -i new_config.txt
Update service firmware on terminal
All terminals have service (emergency) firmware which could be updated.
NOTE: This style of service firmware update is supported from firmware 3.8.0 on YSoft SafeQ
Terminal Professional and 1.1.0 on YSoft SafeQ Terminal Ultralight.

Obtain the newest service firmware file (files like YSoft SafeQ Terminal Ultralight/YSoft SafeQ
Network Card Reader: ultralight_service-1.7.fw YSoft SafeQ Terminal Professional/YSoft
Payment Machine: emergency-2.2.2-12.enc)
Terminal must have properly configured network settings so it have to be accessible via IP
address. (for this example we will suppose that IP address for YSoft SafeQ Terminal
Professional is 10.0.0.50 and 10.0.0.51 for YSoft SafeQ Terminal Ultralight)
Check current version of service firmware
For YSoft SafeQ Terminal Professional/YSoft Payment Machine (obtain low level information
- service firmware and boot-loaders statuses)
For YSoft SafeQ Terminal Ultralight/YSoft SafeQ Network Card Reader you have to
download whole configuration and search for the version on linux:
./termtool -I 10.0.0.50 -k
./termtool -I 10.0.0.51 -g
on Windows:
termtool.exe -I 10.0.0.50 -k
termtool.exe -I 10.0.0.51 -g
Search for values of items SERVICE_STATUS and SERVICE_VER which contain information
about current service firmware status and version.
Update service firmware by entering following command on linux:
./termtool -I 10.0.0.50 -us -i emergency-2.2.2-12.enc

./termtool -I 10.0.0.51 -us -i ultralight_service-1.7.fw
on Windows:
termtool.exe -I 10.0.0.50 -us -i emergency-2.2.2-12.enc

termtool.exe -I 10.0.0.51 -us -i ultralight_service-1.7.fw
Wait for about 2 minutes
check if update was successful by getting current versions of service firmware

./termtool -I 10.0.0.50 -k
./termtool -I 10.0.0.51 -g
on Windows:
termtool.exe -I 10.0.0.50 -k
termtool.exe -I 10.0.0.51 -g
5.5.2.10 How to connect Smart Cable to MFD
Page and its child pages describe information about MFD configuration for using Terminal Pro
4.
In order to prevent using an MFD without a successful authentication, an MFD panel has to be
locked and can be unlocked via a hardware terminal communication with MFD over blocking cable
only.
How to block CANON devices
Compatible blocking cables
YSQC0-016-0000 Smart Cable Canon (4-pin) SSR
YSQC0-028-0000 Smart Cable Canon (4-pin, Female v2)
YSQC0-041-0000 Smart Cable Canon (9-pin DSUB, Male)
YSQC0-045-0000 Cable Canon (Type 1)
Procedure
1. Open level 2 service menu.
2. Select Copier and then Options.
3. Blocking is set under ACC menu in settings called CC-SPSW.
a. 0 is unlocked (normal settings)
b. 1 is locked by the SafeQ cable. Unlocking is done by login on the Terminal Professional
/Ultralight

Scan workflows
To make the scan workflows work, you need to set up Address Book entry on the machine
(through web interface). This sets the address for scan upload to a shared folder on YSoft SafeQ
server. Note that each machine and each workflow needs to use own folder (e.g.
\\server\scan\canon1\email and \\server\scan\canon333\home)
Examples of blocking cable connection

Canon iR 1133(i)
Connect cable to left side of the machine
Canon iR 2520(i)/2530(i)/2535(i)/2545(i)

Canon iR C1028i
Canon iR 1024i

Canon iR ADV C5051
Canon iR 3245i
This connector is in use by another cable which is not used.
Therefore unplug the old cable and plug in the blocking cable.

Smart Blocking Cables for Hardware Terminals
Required for copy control
Y S Q C 0 - 0 1 6 - 0 0 0 0
Smart Cable Canon (4-pin) SSR - (TP)
Y S Q C 0 - 0 2 8 - 0 0 0 0
Smart Cable Canon (4-pin, Female v2)

Y S Q C 0 - 0 4 1 - 0 0 0 0
Smart Cable Canon (9-pin DSUB, Male)
Y S Q C 0 - 0 4 5 - 0 0 0 0
Cable Canon (Type 1)

Y S Q C 0 - 0 4 7 - 0 0 0 0
Cable Canon (Type 3)
How to block FujiXerox devices
YSQC0-002-0000 Cable Xerox (FDI Required)

YSQC0-003-0000 Cable Xerox Type 2 (FDI Required)
YSQC0-048-0000 Smart Cable Xerox v2 (FDI Required - Recommended for Fuji Xerox MFP)
Blocking FujiXerox device
The device will be blocked after connecting the FDI with switches configured to 1111101000
1. Enter service mode.
2. Configure each Key chain value to Enable.
3. After entering each value, touch Exit (keep log) > YES.
Each partner shall obtain pass code to enter service mode as well as Key Chain values from
Fuji Xerox. YSoft cannot disclose this information which is covered by NDA.
Description NVN NVN Value

Parameter
A NVN for EPA accessory - enable Ask Fuji Ask Fuji

Xerox Xerox
B NVM for BARE - enable (For blocking with YSoft Terminal Professional Ask Fuji Ask Fuji
/Ultralight) Xerox Xerox
C NVM for FX IC CARD GATE - enable (For YSoft SafeQ Terminal Ask Fuji Ask Fuji
Embedded) Xerox Xerox
D NVN for Copy/print control - enable Ask Fuji Ask Fuji

Xerox Xerox
E NVN for FAX/Scan control - enable Ask Fuji Ask Fuji

Xerox Xerox
To unblock the device it is necessary to disable NVN B or C and A before unplug Bare FDI /
EPA Card reader.
How to choose a correct blocking cable mode on YSQC0-048-0000
On devices supporting blocking cable YSQC0-048-0000 requires selecting a correct blocking cable
mode (mode can be found in HCL on Partner Portal). Here is the procedure:
Terminal Professional:
1. In the service menu of terminal proceed following way: I/O Module settings -> I/O module
2.
2. Select YSQC0-048-0000 Smart Cable Xerox v2 is chosen and on the next screen set it to
be operating in mode corresponding with the device used.
Terminal Ultralight:
1. Use the termtool utility, how to use guide can be found in Configuring Terminal UltraLight
article.
2. After selecting the proper terminal to configure continue with entering 4 – Car reader and
IO module setup and confirm with Enter. Press Enter one more time to skip the card reader
setting.
3. By entering '?' You can list all the available types. Choose YSQC0-048-0000 Smart Cable
Xerox v2.
4. Choose mode corresponding with the used device. confirm by pressing Enter.
5. Press Enter one more time and continue entering 100 in order to reboot the terminal and
save changes made in its configuration.
Examples of blocking cable connection:
Xerox WorkCenter 7120
YSQC0-048-0000 Smart Cable Xerox v2 (FDI Required)

Requires Bear Solutions EPSV kit and Smart blocking cable
YSQC0-048-0000
Cable Xerox v2 (Bear Solutions EPSV Required)

How to block HP devices
YSQC0-011-0000
YSQC0-057-0000
Blocking of HP devices using FIH tool (Foreign Interface Harness)
Using the FIH tool can Block/Unblock the copy on an HP Devices. Contact the copy-tracking
vendor of the desired choice to arrange for the necessary hardware and cabling.
Download and install the FIH software. The software is available from the hp website give below:
Click here to visit the HP website at http://www.hp.com.
Once on this web page, type "lj637en.exe" (without quotes) into the search window and click the
arrow to the right of the search window. This will then display a web page with a link to download
the FIH Harness software (lj637.exe). The software is used to enable or disable the FIH portal. Use
the software to set and change the administrator personal identification number (PIN).
Administrators can use the PIN option to configure the FIH to prevent any unauthorized changes.
Changes can be made only with the correct PIN authentication. It is important to remember the
PIN that is assigned to the FIH administration software. The PIN is required to make any changes
to the FIH.
Details
Enabling the Foreign Interface Harness portal
Download the lj637.exe utility.
Run extracts the lj637.exe to default folder.
Double-click FIH.EXE to begin the configuration of the FIH portal. The Foreign Interface Harness
dialog box appears.
Click OK.

Click Enable.
If the PIN is entered before, click No . If a PIN is entered before, click Yes.
If clicked No, enter and confirm the PIN, and then click OK. If clicked Yes, enter the PIN (1234) and
click OK.
The PIN must be in numeric form.
Click the appropriate button for the type of connection: Direct or Network.
If Direct button is selected, enter the printer port. If Network button is selected, enter the IP
address and port for the printer.

The IP address for the HP Device can be found on the printer’s Configuration page. You can
print a Configuration page from the printer control panel by selecting MENU, CONFIGURATION
MENU, and then PRINT CONFIGURATION PAGE
If an incorrect IP address is entered, it gives an error message. Otherwise, the portal has been
enabled.
Disabling the Foreign Interface Harness portal
Double-click the FIH.EXE file. The Foreign Interface Harness dialog box appears.
Click OK.
Click Disable.
Enter the PIN and click OK.
If Direct button is selected, enter the printer port and click OK. If Network button is selected,
enter the IP address and port for the printer, and then click OK. The portal is disabled.
If the PIN number gets lost and the portal needs to be disabled try using the default listed to
disable it.
Changing the PIN

Double-click the FIH.EXE file. The Foreign Interface Harness dialog box appears.
Click OK.
Click Change PIN.
Enter the current PIN and click OK.
Enter and confirm the new PIN, and then click OK.
If Direct is selected, enter the printer port and click OK. If Network button is selected, enter the
IP address and port for the printer, and then click OK. The PIN is changed.
Blocking of HP devices using PJL commands
On some devices admin login may be required for the Print options to be visible on the Web
interface.

These commands will only work when the control PJL commands are enabled on the device and
authentication is disabled.
Enabling FIH using PJL commands
1. Create new text file.
2. Paste following content:
Please note that there have to be special ESC characters on the beginning of the first and
last line. Since they are not printable in all systems, screenshot is included next to the file
syntax. The special character can be inserted by key combination ALT + 027. The file with
correct escape characters can be also downloaded on the Partner Portal (search for "HP
blocking" in the CSS Downloads section).
%-12345X@PJL JOB
@PJL DEFAULT FIH=ON
@PJL EOF
%-12345X
3. Save file as *.prn (e.g.: enablefih.prn)
4. Send this print job to device via device's web interface.
a. Navigate to web interface of device.
b. Go to Information tab.
c. Select Print.
d. Click Browse.
e. Select *.prn file.
f. Click Print.
Disabling FIH using PJL commands
1. Create new text file.
2. Paste following content:

2.
Please note that there have to be special ESC characters on the beginning of the first and
last line. Since they are not printable in all systems, screenshot is included next to the file
syntax. The special character can be inserted by key combination ALT + 027. The file with
correct escape characters can be also downloaded on the Partner Portal (search for "HP
blocking" in the CSS Downloads section).
%-12345X@PJL JOB
@PJL DEFAULT FIH=OFF
@PJL EOF
%-12345X
3. Save file as *.prn (e.g.: enablefih.prn)
4. Send this print job to device via device's web interface.
a. Navigate to web interface of device.
b. Go to Information tab.
c. Select Print.
d. Click Browse.
e. Select *.prn file.
f. Click Print.

HP 4345MFP
YSQC0-011-0000
Please note that a connector of the blocking cable is not locked by screws to the machine. In
case that the connector is not plugged in correctly, the MFD panel cannot be unlocked by the
terminal once the communication between cable and MFD cannot be established.

YSQC0-011-0000
Smart Cable HP SSR - (TP)

Y S Q C 0 - 0 5 7 - 0 0 0 0
Smart Cable HP v3
How to block Konica Minolta devices
Applicable also for Olivetti, Develop and Aurora devices.
YSQC0-004-0000 Cable KM KeyCounter – Male
YSQC0-005-0000 Cable KM KeyCounter – Female
YSQC0-039-0000 KM Vender2 v5 (8-pin)
YSQC0-044-0000 Smart Cable KM Vender2 v5 (8-pin,Type2)
Configuration of device using Key counter cable(YSQC0-004-0000, YSQC0-005-0000)
1. Enter service menu of the device
2. Press STOP - 9
3. Click on Counter settings
a. Total counter mode must be setup on MODE 2 and large size counter mode must be
setup on "A3/B4/11x17/8½x14".
4. Click on Management function choice
a. In Authentication device must be setup Key counter only
b. In this menu is also possible to change type of predefined message which is

displayed in case of blocked panel.
c. Item Key counter > Message1-Message4
Configuration of device using Key counter cable on bizhub PRESS
1. Switch-off the MFD
2. Uncover the MFD in order to allow access to a Key counter connector
3. Unplug a small yellow/beige plug which covers the Key counter connector
4. Connect the Key counter blocking cable to the Key counter connector
5. Switch-on the MFD
6. Verify that the MFD is blocked (message Please insert key counter is displayed on the MFD
panel) and can be unblocked by the terminal

Configuration of device using KM Vender2 cable(YSQC0-039-0000, YSQC0-044-0000)
Leaving the blocking cable connected to MFD and disconnecting it from Terminal Professional
/Ultralight may cause inability to start the MFD or infinite reboots of the MFD.
2. Press STOP - 9
setup on "A3/B4/11x17/8½x14".
a. In Service menu > Management function choice > must be setup vender 2
Alternative configuration for bizhub C3350 (firmware A3GN30G0206-999 or newer required)
2. Press STOP > 2 > 2 > 2 > 0 > 0
setup on "A3/B4/11x17/8½x14".
a. In Service menu > Management function choice > must be setup vender 2
Additional setting
To enable printing with Vender 2 cable setup:
Tools/counters > 3 Administrator setting > 9 Security Setting > 7 Management Function setting >
1 Function setting
Copy – ON
Print – OFF
Send Scan/Fax – ON

KM bizhub C364

KM bizhub C364

KM bizhub C554
KM bizhub C654 / C754 / C654e / C754e

KM bizhub PRESS 1250
If the depicted wire conjunction is present (default state) - the device is unblocked.
If this is removed - device becomes blocked and blocking cable can be attached and used for un-
blocking.
KM bizhub PRESS C6000
If the depicted wire conjunction is present (default state) - the device is unblocked.

If this is removed - device becomes blocked and blocking cable can be attached and used for un-
blocking.
KM bizhub C224e / C284e / C364e / C454e / C554e / 224e / 284e / 364e / 454e / 554e

KM bizhub Cxx4e / xx 4e
KM bizhub C368/C308/C258
YSQC0-044-0000 Smart Cable KM Vender2 v5 (8-pin, Type2)

YSQC0-004-0000 Cable KM KeyCounter Male
KM bizhub 758/808/958

KM bizhub C3350/C3850

KM bizhub C3351/C3851
KM bizhub C659/C759

KM bizhub 4052/4752
Y S Q C 0 - 0 4 4 - 0 0 0 0
Smart Cable KM Vender2 v5 (8-pin,Type2)
Y S Q C 0 - 0 3 9 - 0 0 0 0
Smart Cable KM Vender2 v5 (8-pin)

Y S Q C 0 - 0 3 8 - 0 0 0 0
Smart Cable KM Vender2 v5 (9-pin)
Y S Q C 0 - 0 0 5 - 0 0 0 0
Smart Cable KM Key-counter - Female SSR - (TP)

Y S Q C 0 - 0 0 4 - 0 0 0 0
Smart Cable KM Key-counter - Male SSR - (TP)
How to block KYOCERA MITA devices
YSQC0-008-0000 Smart Cable Kyocera SSR
YSQC0-009-0000 Smart Cable Kyocera (4-pin) SSR - (TP)

YSQC0-010-0000 Smart Cable Kyocera (Type 2) SSR - (TP)

TASKalfa 3010i/3510i
TASKalfa 2551ci

YSQC0-008-0000 Smart Cable Kyocera SSR - requires optional "Key counter wire"
TASKalfa 3050ci/4350ci/4550ci/5550ci

TASKalfa 2552ci/3252ci/3552ci/4052ci/5052ci/6052ci
(requires additional "Key counter wire" between Smart Cable and device main board)

Y S Q C 0 - 0 0 8 - 0 0 0 0
Smart Cable Kyocera SSR
Y S Q C 0 - 0 0 9 - 0 0 0 0
Smart Cable Kyocera (4-pin) SSR - (TP)
Y S Q C 0 - 0 1 0 - 0 0 0 0
Smart Cable Kyocera (Type 2) SSR - (TP)

How to block OKI devices
YSQC0-022-0000 Cable Toshiba Harness
YSQC0-035-0000 Cable Toshiba v2 (Type 4)
YSQC0-050-0000 Cable OKI v2
Setting via device service menu
After entering device service menu, following steps have to be performed:
1. open registry 9016(type) and set up option 0 or 1 (0 disabled, 1 - insert coin message)
Quit registry settings
Compatible devices
OKI ES9460
OKI MC760

Setting via device Web Interface
After you Login to the device Web interface using Administrator login perform following:
1. Click Admin setup
2. Click Management
3. Click System setup
4. Select Accounting Device from Access Control drop down menu
5. Click Submit
HW setup for testing:
1. I/O Module settings
2. I/O Module
3. N/A – Generic iomodules
4. Autodetect smartcable
Compatible devices
OKI ES4191

OKI ES9460

OKI ES4191
YSQC0-050-0000 Cable OKI v2
OKI MC760

Y S Q C 0 - 0 1 7 - 0 0 0 0
Smart Cable Oki SSR - (TP)
Y S Q C 0 - 0 2 2 - 0 0 0 0
Cable Toshiba Harness

Y S Q C 0 - 0 3 5 - 0 0 0 0
Cable Toshiba v2 (Type 4)

Y S Q C 0 - 0 5 0 - 0 0 0 0
C a b l e O K I v 2
Blocking cable is not yet massively produced. For more information contact your account
manager.
Y S Q C 0 - 0 5 6 - 0 0 0 0
Cable Toshiba v2 (Type8)
20-Pin & 7-Pin Connector
How to block RICOH devices
YSQC0-012-0000 Cable Ricoh (20-pin)
YSQC0-059-0000 Cable Ricoh (4-pin) v2
1. Navigate to system settings > operator tools > key counter administration
2. Here choose what features have to be blocked (usually copy, scan)

In case that the standard procedure does not work - a device cannot be unlocked by the cable,
you can try another way (for example MP 4002, MP 5002, MP C3002, MP C3502, MP C4502, MP
C5502):
1. Activate support for enhanced external charge unit management (SP mode 5-113-002 to 1)
2. Navigate to System Settings > Administrator Tools > Enhanced External Charge Unit
Management
4. Also make sure the Key Counter Management in administrator tab has all functions turned
OFF.
Procedure for MP C2003, MP C3003, MP C3503, MP C4503, MP C5503 and MP C6003 devices:
In case YSQC0-013-0000 Cable Ricoh (4-pin)/YSQC0-059-0000 Cable Ricoh (4-pin) v2 is

used set SP 5113-1 to value 0 and SP 5113-2 to value 0.
1. Navigate to system settings > administrator tools > key counter management
In case YSQC0-012-0000 Cable Ricoh (20-pin) is used set SP 5113-1 to value 1 and SP 5113-2
to value 0.
1. Navigate to system settings > administrator tools > external charge unit management

Ricoh MP 4002

Ricoh MP 2501sp
Type A reduction for 20pin connector needed.

Ricoh Aficio MP C2050
Ricoh Aficio MP C2500

Ricoh Aficio MP C3003 / C3503 / C4503 / C5503 / C6003
Connector is different by design and needs to be modified according to image.
Optional Counter Interface Type A needs to be installed on device.

Ricoh MP 2555/3055/3555/4055/5055/6055
Ricoh MP C307/C407

Y S Q C 0 - 0 1 2 - 0 0 0 0
Smart Cable Ricoh (20-pin)
EXTENSION SET FROM RICOH MUST BE ATTACHED BEFORE THE CABLE CAN BE CONNECTED

Y S Q C 0 - 0 1 3 - 0 0 0 0
Cable Ricoh (4-pin)
Y S Q C 0 - 0 5 9 - 0 0 0 0
Cable Ricoh (4-pin) v2
How to block Samsung devices
YC01000 030 - Samsung
YC01000 051 - Samsung (Type 2)
The FDI Kit allows blocking the machine enabling support of other devices such as swipe card
terminals.
How to enable the FDI and block an MFP
1. Click on Machine setting > security

2. Log in with admin.
3. Click Accounting.
4. Select Foreign Device Interface.
5. Select Inhibit Services.
6. Select Copy and Scan.
7. Save and logout.

Blocking cable YC01000 030
Blocking cable YC01000 0051
FDI
Compatible FDI:
The part no of the FDI for Samsung 9201, 9251, 9301, 8123, 8128 is CLX-kit10F
The part no of the FDI for Samsung 6555, 6545, 8385 is FX-kit20F

How to block SHARP devices
YSQC0-026-0000 Cable Sharp (Type 3)
1. Press 26

2. Press Start
3. Press 3
4. Press Start
5. Select outside auditor as VENDOR-EX, vendor mode as MODE3
6. Press Start
7. Press CA
Quit registry settings
Compatible devices
Sharp MX-2610N
Sharp MX-2614N

Sharp MX-2610N
Sharp MX-M264N
YSQC0-058-0000 Cable Sharp v2 (Type 5)
Sharp MX-3060N/3560N/4060N

YSQC0-058-0000 Cable Sharp v2 (Type 5)
Y S Q C 0 - 0 2 4 - 0 0 0 0
Sharp cable type 1

Y S Q C 0 - 0 2 5 - 0 0 0 0
Sharp cable type 2
Y S Q C 0 - 0 2 6 - 0 0 0 0
Sharp cable type 3

Y S Q C 0 - 0 2 7 - 0 0 0 0
Sharp cable type 4
Y S Q C 0 - 0 2 9 - 0 0 0 0
Sharp cable type 5

Y S Q C 0 - 0 5 8 - 0 0 0 0
Sharp v2 cable type 5
How to block TOSHIBA devices
YSQC0-022-0000 Cable Toshiba Harness
1. Open registry 202 (type) and set up option 0 up to 3 (0 disabled, 1, 2,3 messages)
Quit registry settings.
Setting via device service menu for e-STUDIO 2505/2505H/2505F
1. Open registry and set (08)9016 to 1 to enable cost recovery mode.
2. Set (08)9017 to 1 (determines what is covered in cost recovery mode).
Quit registry settings.

Toshiba e-STUDIO 2820c

Toshiba e-STUDIO 255
Toshiba e-STUDIO 2555C/3055C/3555C/4555C/5055C/2555CSE/3055CSE/3555CSE/4555CSE/5055CSE

and Toshiba e-STUDIO 477S/527S
YSQC0-056-0000 Cable Toshiba v2 (Type8)

Y S Q C 0 - 0 1 4 - 0 0 0 0
Cable Toshiba

Y S Q C 0 - 0 1 5 - 0 0 0 0
Cable Toshiba (Type 2)
Y S Q C 0 - 0 2 2 - 0 0 0 0
Cable Toshiba Harness
Y S Q C 0 - 0 3 2 - 0 0 0 0

Y S Q C 0 - 0 3 3 - 0 0 0 0
Y S Q C 0 - 0 3 4 - 0 0 0 0

Y S Q C 0 - 0 3 5 - 0 0 0 0
Y S Q C 0 - 0 3 6 - 0 0 0 0

Y S Q C 0 - 0 3 7 - 0 0 0 0
Y S Q C 0 - 0 4 2 - 0 0 0 0

Y S Q C 0 - 0 5 6 - 0 0 0 0
Cable Toshiba v2 (Type8)
How to block Triumph Adler
YSQC0-010-0000 Smart Cable Kyocera (Type 2) SSR - (TP)
Configuration of devices for blocking cables
Login to the service menu of the device. Consult service manual for device on how to access
service menu of the device.
Use maintenance mode U204 to change the blocking type:
a) Key counter for most devices
b) Key card for older devices
Press Start to set the configuration, power off and power on the device.
3060i/3560i

2500ci

DCC 2930/2935/2945/2950
2506ci, 3206ci, 4006ci, 5006ci, 6006ci
(requires additional "Key counter wire" between Smart Cable and device main board)

required for copy control
Y S Q C 0 - 0 0 8 - 0 0 0 0
Smart Cable Kyocera SSR
Y S Q C 0 - 0 0 9 - 0 0 0 0
Smart Cable Kyocera (4-pin) SSR - (TP)

Y S Q C 0 - 0 1 0 - 0 0 0 0
Smart Cable Kyocera (Type 2) SSR - (TP)

How to block XEROX devices
YSQC0-002-0000 Cable Xerox (FDI Required)
Blocking Xerox WorkCenter 5875 and other ConnectKey based printers
1. Navigate to Tools > Accounting settings > Accounting mode
2. Select Auxiliary access
3. In auxiliary device type select one you want to and press Save
4. Under Services Access & Accounting you can select services you wish to restrict - select
all services as restricted except printing.
5. Under Job Timeout check Enabled and set Job Timeout to 1 second
Blocking Xerox WorkCenter 7120 ( FujiXerox based controller )
The device will be blocked after connecting the FDI with switches configured to 1111101000
After connecting FDI following steps have to be done via device service menu:
1. Navigate to Common Service Settings > Maintenance/Diagnostic > NVM Read/Write
2. Write “850-007“, click on Confirm/Change, write 3, click on Save
3. Close > Exit (Keep Log) > Yes
4. MFD is restarted
If the scan/fax function is not blocked automatically, change switch 850 015 to 1.
To unblock the device it is not sufficient only to revert back the change of Switch 850-007 back
to 0 but also it is necessary to set 850-001 switch to 0. This was changed automatically by FDI
connection. After performing these changes FDI can be disconnected.
Blocking Xerox VersaLink devices
Do not connect the FDI before configuration of the device.
1.

1. Login to Web interface of the device.
2. Navigate to Permissions > Login/Logout Settings.
3. Select Convenience.
4. Enter dummy IP address - does not need to be working IP address.
5. Apply change and restart device.
6. Log in to Web interface of the device.
7. Navigate to Permissions > Accounting Method.
8. Select Auxiliary Device.
9. Configure Device type to Subtractive.
10. Enable Copies in What to track.
11. Apply changes and turn off the device after restart. Error message may appear on the
device display.
12. Configure the FDI DIP switches according to the device used.
13. Connect the FDI to the device.
14. Start the device.
15. Navigate to Service Menu of the device.
16. Navigate to Diagnostics > NVM Read/Write.
17. Select NVM configuration 850-007 and change the value to 3.
18. Verify that the NVM configuration 850-001 is changed to 1. This should be changed
automatically when FDI is connected to the device.
19. Save changes.
20. Close the service menu.
21. Device restart will be prompt - restart the device.
How to choose a correct blocking cable mode on YSQC0-048-0000
On devices supporting blocking cable YSQC0-048-0000 requires selecting a correct blocking cable
mode (mode can be found in HCL). Here is the procedure:
Terminal Professional:
1. In the service menu of terminal proceed following way: I/O Module settings > I/O module
2. Select YSQC0-048-0000 Smart Cable Xerox v2 is chosen and on the next screen set it to
be operating in mode corresponding with the device used.
Terminal Ultralight:
1.
1. Use the termtool utility, how to use guide can be found in Configuring Terminal Ultralight
article.
2. After selecting the proper terminal to configure continue with entering 4 – Car reader and I
/O module setup and confirm with Enter. Press Enter one more time to skip the card reader
setting.
3. By entering '?' you can list all the available types. Choose YSQC0-048-0000 Smart Cable
Xerox v2.
4. Choose mode corresponding with the used device. Confirm by pressing Enter.
5. Press Enter one more time and continue entering 100 in order to reboot the terminal and
save changes made in its configuration.


Type A reduction for 20pin connector needed.

Y S Q C 0 - 0 0 2 - 0 0 0 0
Cable Xerox (FDI Required)
Y S Q C 0 - 0 0 3 - 0 0 0 0
Cable Xerox Type 2 (FDI Required)
Y S Q C 0 - 0 1 9 - 0 0 0 0
Cable Xerox Type 3 (FDI Required)
Y S Q C 0 - 0 4 8 - 0 0 0 0
Smart Cable Xerox v2 (FDI Required)

It's necessary to chose correct cable mode in the terminal settings. The cable mode can be found
at device comment column.
These statements are used on following pages:
YSoft SafeQ Terminal UltraLight Installation Guide
Using YSoft SafeQ Terminal UltraLight
YSoft SafeQ Terminal Professional Installation Guide
Using YSoft SafeQ Terminal Professional
that form.
expense.

5.5.3 BACKUP AND RECOVERY SCENARIOS
Use one of the links below to select the topic you are interested in:
5.5.3.1 Backup
The backup consists of database backup and configuration files backup. It is the
customer's responsibility to perform the backup and copy backup files from the servers to
a safe location, e.g., off-site network-attached storage or backup tapes.
We strongly recommend performing the database backup minimally on a daily basis and
also prior to updating to any newer version of YSoft SafeQ 6. Non-regular backing up of
the database and configuration may lead to irreversible data loss.
Backing Up Configuration and Binary Files
The YSoft SafeQ solution consists of multiple components. Most of the configuration is stored in
the database, which should be backed up regularly. However, for a complete backup, all
configuration files or folders of a particular component need to be backed up to a safe location (e.
g., network storage or backup tape).
Backing Up Configuration Files
To perform a configuration files backup, copy all files or folders in the Configuration files path
column to a backup location. When copying, preserve the folder structure to avoid mixing up the
configuration files.
Component Configuration files path
Management Service \SafeQ6\Management\conf
Management Service \SafeQ6\Management\ims\application.

properties
Management Service \SafeQ6\Management\tomcat\conf
Management Service \SafeQ6\Management\validator\conf
Management Service (if an embedded database is used) \SafeQ6\Management\PGSQL-data\ *.conf
Spooler Controller \SafeQ6\SPOC\bin\wrapper.conf
Spooler Controller \SafeQ6\SPOC\conf
Spooler Controller \SafeQ6\SPOC\distServer\config\distServer.

conf
Spooler Controller \SafeQ6\SPOC\EUI\conf
Spooler Controller \SafeQ6\SPOC\EUI\ui-conf

Component Configuration files path
Spooler Controller \SafeQ6\SPOC\tomcat\conf
Spooler Controller \SafeQ6\SPOC\terminalserver\*.config
FlexiSpooler \SafeQ6\FSP\Service\configuration.bin
FlexiSpooler \SafeQ6\FSP\Service\*.config
Workflow Processing System \SafeQ6\WPS\*.config
Workflow Processing System: Scanning scripts* <path to scanning scripts>
YSoft Payment System \SafeQ6\YPS\conf
YSoft Payment System (MU25 or older) \SafeQ6\YPS\ysoft
YSoft Payment System (MU26 or later) \SafeQ6\YPS\ps-conf
YSoft Payment System (if an embedded database is used \SafeQ6\PGSQL-data\*.conf

on SPOC)
Mobile Print \SafeQ6\MPS\Service\conf
Mobile Print \SafeQ6\MPS\Service\*.config
Mobile Integration Gateway \SafeQ6\MIG\bin\connector\ConnectorServic

e.exe.config
Mobile Integration Gateway \SafeQ6\MIG\bin\connector\services\MdnsSe

rvice.xml
*Scanning scripts can be used with Workflow Processing System. For more information, please
check the Workflow Processing System documentation.
Backing Up Binary Files (optional)
Backing up binary files is optional in standard deployment scenarios. Backing up binary files is
recommended only in the case of a product customization.
Component Binary files path
Management Service \SafeQ6\Management\bin
Management Service \SafeQ6\Management\dbsync
Management Service \SafeQ6\Management\ldapreplicator
Management Service \SafeQ6\Management\libs
Management Service \SafeQ6\Management\utilities
Spooler Controller \SafeQ6\SPOC\bin
Spooler Controller \SafeQ6\SPOC\drivers

Component Binary files path
Spooler Controller \SafeQ6\SPOC\extensions
Spooler Controller \SafeQ6\SPOC\libs
Spooler Controller \SafeQ6\SPOC\terminalserver
Spooler Controller \SafeQ6\SPOC\server
Spooler Controller \SafeQ6\SPOC\utilities
Spooler Controller \SafeQ6\SPOC\versions
The Backup Script for Collecting Configuration Files
Should you want to automate the YSoft SafeQ configuration files backup, you can use the
following PowerShell script:
If you want to change the backup destination folder, modify the attribute backupfolder in the
script accordingly.
Note that you should alter the script if you also want to back up Scanning scripts specific for
your environment.
BackupConfigurationFiles.ps1
$backupfolder = $env:USERPROFILE + '\Desktop\YSQ_backup_' + (Get-Date).ToString('yyyy-MM-dd_hh-

mm-ss')
$path = Get-WmiObject Win32_Service `

| Where-Object Name -Like "YSoft*" `
| Select -ExpandProperty "PathName" `
| Foreach-Object {(-split $_)[0].Trim("`"") -replace "\\SafeQ6\\.*", "\SafeQ6\"} `
| Measure-Object -Minimum `
| Select -ExpandProperty "Minimum"
function createBackup($backupfolder) {
if (Test-Path $path"Management\conf") {
New-Item -Path $backupfolder"\Management\conf" -Type directory | Out-Null
Copy-Item $path"Management\conf\*" $backupfolder"\Management\conf\" -Recurse
}
if (Test-Path $path"Management\ims") {
New-Item -Path $backupfolder"\Management\ims" -Type directory | Out-Null
Copy-Item $path"Management\ims\application.properties" $backupfolder"\Management\ims\"
}
if (Test-Path $path"Management\tomcat\conf") {
New-Item -Path $backupfolder"\Management\tomcat\conf" -Type directory | Out-Null
Copy-Item $path"Management\tomcat\conf\*" $backupfolder"\Management\tomcat\conf\" -Recurse
}
if (Test-Path $path"Management\validator\conf") {
New-Item -Path $backupfolder"\Management\validator\conf" -Type directory | Out-Null
Copy-Item $path"Management\validator\conf\*" $backupfolder"\Management\validator\conf\" -
Recurse

}
if (Test-Path $path"Management\PGSQL-data\") {
New-Item -Path $backupfolder"\Management\PGSQL-data\" -Type directory | Out-Null
Copy-Item $path"Management\PGSQL-data\*.conf" $backupfolder"\Management\PGSQL-data\" -Recurse
}
if (Test-Path $path"SPOC\bin") {
New-Item -Path $backupfolder"\SPOC\bin" -Type directory | Out-Null
Copy-Item $path"SPOC\bin\wrapper.conf" $backupfolder"\SPOC\bin\" -Recurse
}
if (Test-Path $path"SPOC\conf") {
New-Item -Path $backupfolder"\SPOC\conf" -Type directory | Out-Null
Copy-Item $path"SPOC\conf\*" $backupfolder"\SPOC\conf\" -Recurse
}
if (Test-Path $path"SPOC\distServer\config") {
New-Item -Path $backupfolder"\SPOC\distServer\config" -Type directory | Out-Null
Copy-Item $path"SPOC\distServer\config\distServer.conf" $backupfolder"\SPOC\distServer\config\
" -Recurse
}
if (Test-Path $path"SPOC\EUI\conf") {
New-Item -Path $backupfolder"\SPOC\EUI\conf" -Type directory | Out-Null
Copy-Item $path"SPOC\EUI\conf\*" $backupfolder"\SPOC\EUI\conf\" -Recurse
}
if (Test-Path $path"SPOC\EUI\ui-conf") {
New-Item -Path $backupfolder"\SPOC\EUI\ui-conf" -Type directory | Out-Null
Copy-Item $path"SPOC\EUI\ui-conf\*" $backupfolder"\SPOC\EUI\ui-conf\" -Recurse
}
if (Test-Path $path"SPOC\tomcat\conf") {
New-Item -Path $backupfolder"\SPOC\tomcat\conf" -Type directory | Out-Null
Copy-Item $path"SPOC\tomcat\conf\*" $backupfolder"\SPOC\tomcat\conf\" -Recurse
}
if (Test-Path $path"SPOC\terminalserver") {
New-Item -Path $backupfolder"\SPOC\terminalserver" -Type directory | Out-Null
Copy-Item $path"SPOC\terminalserver\*.config" $backupfolder"\SPOC\terminalserver\" -Recurse
}
if (Test-Path $path"FSP\Service") {
New-Item -Path $backupfolder"\FSP\Service" -Type directory | Out-Null
Copy-Item $path"FSP\Service\configuration.bin" $backupfolder"\FSP\Service\"
Copy-Item $path"FSP\Service\*.config" $backupfolder"\FSP\Service\" -Recurse
}
if (Test-Path $path"WPS") {
New-Item -Path $backupfolder"\WPS" -Type directory | Out-Null
Copy-Item $path"WPS\*.config" $backupfolder"\WPS\" -Recurse
}
if (Test-Path $path"YPS\conf") {
New-Item -Path $backupfolder"\YPS\conf" -Type directory | Out-Null
Copy-Item $path"YPS\conf\*" $backupfolder"\YPS\conf\" -Recurse
}
if (Test-Path $path"YPS\ysoft") {
New-Item -Path $backupfolder"\YPS\ysoft" -Type directory | Out-Null
Copy-Item $path"YPS\ysoft\*" $backupfolder"\YPS\ysoft\" -Recurse
}
if (Test-Path $path"YPS\ps-conf") {
New-Item -Path $backupfolder"\YPS\ps-conf" -Type directory | Out-Null
Copy-Item $path"YPS\ps-conf\*" $backupfolder"\YPS\ps-conf\" -Recurse
}
if (Test-Path $path"PGSQL-data") {
New-Item -Path $backupfolder"\PGSQL-data" -Type directory | Out-Null
Copy-Item $path"PGSQL-data\*.conf" $backupfolder"\PGSQL-data\" -Recurse
}

if (Test-Path $path"MPS\Service\conf") {
New-Item -Path $backupfolder"\MPS\Service\conf" -Type directory | Out-Null
Copy-Item $path"MPS\Service\conf\*" $backupfolder"\MPS\Service\conf\" -Recurse
Copy-Item $path"MPS\Service\*.config" $backupfolder"\MPS\Service\" -Recurse
}
if (Test-Path $path"MIG\bin\connector") {
New-Item -Path $backupfolder"\MIG\bin\connector" -Type directory | Out-Null
Copy-Item $path"MIG\bin\connector\ConnectorService.exe.config" $backupfolder"\MIG\bin\connecto
r" -Recurse
Copy-Item $path"MIG\bin\connector\services\MdnsService.xml" $backupfolder"\MIG\bin\connector"
-Recurse
}
}
createBackup($backupfolder)
Backup of Databases
The following pages describe the procedure how to backup YSoft SafeQ databases. YSoft SafeQ
solution uses main databases for its basic operations, such as devices information, reporting, etc.
These are the different databases you might find in the different YSoft SafeQ deployments:
SQDB6 - Main database used by the whole solution.
SQDB6_DWH - Database used as Data Warehouse, for external process of Reporting.
SQDB6_IMS - Database used by the Infrastructure Management Service
SQDB6_YPS - Database used by the Payment System
Based on the database type and the deployment scenario, in order to backup the database,
please follow the guide described in the links below:
Backup of Internal and External PostgreSQL Database
MS SQL Database and Data Warehouse Backup
Backup of Internal and External PostgreSQL Database

Before the backup
It is recommended to stop YSoft SafeQ services before database backup is performed.
The backup of databases shall be done at the same time to prevent inconsistency among
databases.
1. Stop all YSoft SafeQ services in the whole environment (Management Servers, Site
Servers) except the following (leave the services listed below running):
a. YSoft Bundled Etcd
b. YSoft Bundled PostgreSQL (available if an embedded PostgreSQL DB is used)
i.

b.
i. You can use the following PowerShell script to perform the task:
Get-Service *YSoft* | Where-Object {$_.Name -ne 'YSoftPGSQL' -and $_.Name -ne

'YYSoftPGSQL' -and $_.Name -ne 'YSoftEtcd'} | Stop-Service
c. pgAdmin4
PostgreSQL Backup
Important information
All backup procedures should be consulted first with Database Administrator/Owner in case an
external PostgreSQL database is used.
Please note that this is just a quick guide for pgAdmin tool. Latest documentation is always
available on PostgreSQL web pages.
Backup using pgAdmin administration tool
1. On the database server, run the pgAdmin administration tool
2. On pgAdmin tool click on Add New server
3. Fill SQDB6 in Name section and continue to Connection tab

4. Fill the connection information of the database
5. In browser window, double-click the newly added item to connect to the server
6. Right-click in the database to backup and click the Backup... option

7. Set a Filename of your choice
8. Keep Format set as Custom
9. Set the Role name as postgres
10. Press the Backup button
11. If everything is correct, a popup should appear with information that the procedure ended
successfully

a. You can check the log if you click on More details
Additional information
The backup process is executed by the tools using Python (embedded with PG Admin).
The installer adds a path to Python libraries into the PATH system variable.
If the backup process fails and displays the Cannot locate Python36.dll error message,
make sure that the "PATH" system variable contains the path to the "bin" folder of
pgAdmin (f or Embedded PostgreSQL, this path is " %SAFE_HOME%\PGSQL\pgAdmin
4\bin")
12. Repeat steps 1. - 11. for SQDB6_DWH database on the appropriate server
13. Repeat steps 1. - 11. for SQDB6_IMS database on the appropriate server
14. Repeat steps 1. - 11. for SQDB6_YPS database on the appropriate server
Backup using command line
If you prefer to use command line and YSoft SafeQ was installed with the embedded PostgreSQL
database, use the following commands:
"%SAFEQ_HOME%\PGSQL\bin\pg_dump.exe" --host localhost --port 5433 --username "postgres" --role "

postgres" --format custom --blobs --verbose --file "SQDB6.backup" "SQDB6"
postgres" --format custom --blobs --verbose --file "SQDB6_IMS.backup" "SQDB6_IMS"
<# Use the command below only when Data Warehouse deployment is used #>
postgres" --format custom --blobs --verbose --file "SQDB6_DWH.backup" "SQDB6_DWH"
<# Use the command below only when using Payment System #>
postgres" --format custom --blobs --verbose --file "SQDB6_YPS.backup" "SQDB6_YPS"
You might need to enter password for the "postgres" user after executing the command.
Backup will be created in the folder from which the command is run.

For running these commands in PowerShell, replace %SAFEQ_HOME%\PGSQL\bin\pg_dump.
exe with &$env:SAFEQ_HOME\PGSQL\bin\pg_dump.exe
%SAFEQ_HOME%\PGSQL is the default location of the PostgreSQL that comes embedded in
SafeQ.
When using an external PostgreSQL server, you need to locate the executable "pg_dump.exe"
which comes as part of PostgreSQL installation and adjust the script accordingly:
replace the "%SAFEQ_HOME%\PGSQL\bin\pg_dump.exe" with path to "pg_dump.exe"
replace also --host and --port values if needed
After the backup
Start YSoft SafeQ services with Automatic startup type on Management Servers again
Do not start YSoft SafeQ Spooler Controller Group Service. It will be started by YSoft SafeQ
Spooler Controller service when proper configuration is ready.
1. Start YSoft SafeQ Management Service first
2. Start remaining YSoft SafeQ services in no particular order
Start YSoft SafeQ services with Automatic startup type on Site Servers again
Do not start YSoft SafeQ Spooler Controller Group Service. It will be started by YSoft SafeQ
Spooler Controller service when proper configuration is ready.
1. Start YSoft SafeQ Spooler Controller first
2. Start remaining YSoft SafeQ services in no particular order
MS SQL Database and Data Warehouse Backup

Before the backup

It is recommended to stop YSoft SafeQ services before database backup is performed.
The backup of databases shall be done at the same time to prevent inconsistency among
databases.
except YSoft Bundled Etcd
MS SQL backup
All backup procedures should be consulted first with the Database Administrator/Owner.
Please note that this is just a quick guide for MS SQL Server Management Studio. Latest
documentation is always available on Microsoft web pages.
1. On the database server, run Microsoft SQL Server Management studio
2. Click File - Connect to Object Explorer
3. Choose a Database engine as a Server type and connect to the database server
4. In the Object Explorer (menu on the left) click Databases
5. Right-click the SQDB6 database and select the Tasks > Shrink > Database ... option and
proceed using OK button
6. Right-click the SQDB6 database and select the Tasks > Back up ... option
7. Select the destination of your choice

7.
8. Click OK and wait until the backup is successfully finished
9. Repeat steps 5. - 8. for SQDB6_DWH database (if it exists in the deployment scenario).
10. Repeat steps 5. - 8. for SQDB6_IMS database
11. Repeat steps 5. - 8. for SQDB6_YPS database (if using Payment System)
MS SQL multiple server warehouse database backup
All backup procedures should be consulted first with the Database Administrator/Owner.
If you have multiple server database deployment please follow next steps to backup warehouse
database otherwise skip this section.
Please note that this is just a quick guide for MS SQL Server Management Studio. Latest
documentation is always available on Microsoft web pages.
1. On the warehouse database server, run Microsoft SQL Server Management studio
2. Click File - Connect to Object Explorer
3.

3. Choose a Database engine as a Server type and connect to the database server
4. In the Object Explorer (menu on the left) click Databases
5. Right-click the SQDB6_DWH database and select the Tasks > Shrink > Database ... option
and proceed using OK button
6. Right-click the SQDB6_DWH database and select the Tasks > Back up ... option
7. Select the destination of your choice

8. Click OK and wait until the backup is successfully finished
After the backup
1. Start YSoft SafeQ services with Automatic startup type on Management Servers again
Do not start YSoft SafeQ Spooler Controller Group Service. It will be started by YSoft
a. Start YSoft SafeQ Management Service first
b. Start remaining YSoft SafeQ services in no particular order
Get-Service*YSoft* | Where-Object{$_.Name -ne'YSoftSQ-SPOCGS'}

| Start-Service
2. Start YSoft SafeQ services with Automatic startup type on Site Servers again

2.
Do not start YSoft SafeQ Spooler Controller Group Service. It will be started by YSoft
a. Start YSoft SafeQ Spooler Controller first
b. Start remaining YSoft SafeQ services in no particular order
Get-Service *YSoft* | Where-Object {$_.Name -ne 'YSoftSQ-

SPOCGS'} | Start-Service
5.5.3.2 Recovery Scenarios
Recovery scenarios for YSoft SafeQ 6 and its components are described on the following pages.
YSoft SafeQ databases
Recovering Databases – steps that need to be taken to recover YSoft SafeQ 6 databases.
Follow this guideline when databases are corrupted, but the rest of solution is intact. If the
whole installation is corrupted, follow a different guideline.
Management – How to move a Microsoft SQL database to a new server with a different
hostname and IP address – this can be used if the databases are hosted on a Microsoft SQL
server, and you need to move the Microsoft SQL server to a new location.
YSoft SafeQ Management Server
Typically used in an environment where YSoft SafeQ Management Server runs on the
same server as other components (such as Spooler Controller, Payment system,...).
How to Change the IP Address of YSoft SafeQ Management Server – steps necessary for
changing the IP address of the server.
Recovery procedure for a standalone YSoft SafeQ Management Server (server installer) –
steps for recovering a destroyed server – only applicable for a server that was not part of a
Management Server cluster.
Recovery procedure for a node of a YSoft SafeQ Management Server cluster (server installer)
– steps for recovering a destroyed server – applicable for a member of a Management Server
cluster.

Typically used in an environment where YSoft SafeQ Management has its own server
that is not used for another purpose (such as Spooler Controller, Payment system...).
How to change the IP address of YSoft SafeQ Management Service – steps necessary for
changing the IP address of the server.
Recovery procedure for standalone YSoft SafeQ Management Service - standalone installer –
steps for recovering a destroyed server – only applicable for a server that was not part of a
Recovery procedure for a node of a YSoft SafeQ Management Service cluster (standalone
installer) – steps for recovering a destroyed server – applicable for a member of a
YSoft SafeQ Site Server
How to Change the IP Address of YSoft SafeQ Site Server – steps necessary for changing
the IP address of a server.
The Recovery Procedure for a Standalone Site Server - steps for recovering a destroyed
server – applicable only on a server that was not part of Spooler Controller Group.
The Recovery Procedure for a Site Server That Was Part of a Spooler Controller Group - steps
to recover a destroyed server – applicable for a member of Spooler Controller Group.
YSoft SafeQ FlexiSpooler
YSoft SafeQ FlexiSpooler (CBPR) does not have a persistent local configuration. Reinstall it
the same way as it was originally installed. See YSoft SafeQ 6 Workstation Installation for
detailed instructions.

YSoft SafeQ Payment System can only be deployed as part of Management Server or Site
Server, so its recovery is described in the respective recovery guides.
If you are using Payment Gateway Plugins, deploy them again the same way as before. See
Payment gateway plugin deployment for detailed instructions.
Deploy YSoft Mobile Integration Gateway again the same was as before. See Mobile
Integration Gateway deployment for detailed instructions. Use configuration files from a
backup (ConnectorService.exe.config, MdnsService.xml) to see the previous configuration
values.
How to move a Microsoft SQL database to a new server with a different hostname and IP
address
This document describes how to move Microsoft SQL database from one server to another
server.
This article describes moving a single database (i.e. Single server Single database deployment
scenario). In case you want to perform moving of another database deployment scenario,
please contact our Customer Support Service.
Stop YSoft SafeQ services and backup the YSoft SafeQ databases
Select and remmeber tenant database user logins and passwords from current Management
Service database (SQDB6):
select db_login, db_pass from cluster_mngmt.tenants;

select db_login, db_pass from cluster_mngmt.tenant_warehouses;
Follow the MS SQL section of the Backup of Databases documentation chapter to backup the
databases. Do not follow the "After the backup" section of the documentation chapter mentioned
(we do not want the YSoft SafeQ services to be started at this point yet).

Create the database SQL Logins
This step only applies when you are using standard SQL Server authentication and database
without containment, but that is the most common scenario.
SQL Logins that need to be added in this step are cluster_guest , cluster_mngmt, tenantuser_1
and dwhtenantuser_1. For tenantuser_1 and dwhtenantuser_1 use passwords from previous
step. Also, if you don't use sa user to connect to the database, please, add the user you will want
to connect to the database with as well.
Please, perform the following steps for all the SQL Logins mentioned above:
1. Log in to Microsoft SQL Server Management Studio.
2. Navigate to Security > Logins.
3. Right-click on Logins and select New Login...
4. In the New Login window, fill in the following values:
a. Enter Login name of the login you want to create (e.g. cluster_mngmt).
b. Choose SQL Server authentication option.
c. Choose a Password for the login. Please, write down the password as you will need
this password in the next section of this procedure.
d. Uncheck the Enforce password expiration option.
e. Click OK to create the login.
Caution with multi-tenancy
Only SQL Logins for single tenant are mentioned here. It is necessary to add all tenant logins
in case of multi-tenancy. You can check cluster_mngmt.tenants and cluster_mngmt.
tenant_warehouses database tables for the list of tenant logins required.
Change the configuration of YSoft SafeQ to point to the new database server
Change the configuration of the Management Service
In the file "<SafeQ_folder>\Management\conf\safeq.properties", update the following configuration

properties:
database.host property should point to the new SQL Server.
database.cluster.management.password property should be updated with a password

of the cluster_mngmt SQL Login (created in the previous section).

database.cluster.guest.password property should be updated with a password of the
cluster_guest SQL Login (created in the previous section).
In case you will use a different main SQL Login to connect to the database, both database.
global.management.username.without.domain and database.global.
management.password properties should be updated with the new SQL Login credentials.
In case you will be changing the database name when restoring it on the new SQL Server,
database.name property should be updated with the new database name.
Change the configuration of the Database validator
In the file "<SafeQ_folder>\Management\validator\conf\DBValidator.properties", update the

following configuration properties:
connectionInfoSQ.databaseIP , connectionInfoDW.databaseIP,
connectionInfoSQ.databaseServerName and connectionInfoDW.
databaseServerName properties should point to the new SQL Server.
connectionInfoSQ.userManagementPassword and connectionInfoDW.

userManagementPassword properties should be updated with a password of the
cluster_mngmt SQL Login (created in the previous section).
In case you will use a different main SQL Login to connect to the database, then
connectionInfoSQ.userLogin , connectionInfoSQ.userPassword,
connectionInfoDW.userLogin and connectionInfoDW.userPassword properties
should be updated with the new SQL Login credentials.
In case you will be changing the database name when recovering it on the new SQL Server,
both connectionInfoSQ.databaseName and connectionInfoDW.databaseName
properties should be updated with the new database name.
Change the configuration of the Infrastructure Management Service
In the file "<SafeQ_folder>\Management\ims\application.properties", update the following

configuration properties:
in the value of the spring.datasource.url property, change the IP address to point to

the new SQL Server.
In case you will use a different main SQL Login to connect to the database, then both
spring.datasource.username and spring.datasource.password properties should
be updated with the new SQL Login credentials.
In case you will be changing the database name when restoring it on the new SQL Server,
property dbName should be updated with the new database name. Also, in the value of the
spring.datasource.url property, the databaseName parameter should be updated.

Change the configuration of the YSoft Payment System
If you have payment system installed, then also in the file " <SafeQ6_folder>\YPS\ps-
conf\environment-configuration.properties" , update the following configuration properties:
In the value of the database.url property, change the IP address to point to the new SQL
Server.
In case you will use a different main SQL Login to connect to the database, then database.
username and databse.password properties should be updated with the new SQL Login
credentials.
Change the configuration of ETCD
Follow the How to Change the Password of a Database User .
Update the following configuration properties: encryptedClusterGuestPassword,

encryptedUserPassword, dbHost and encryptedClusterPassword;
Restore the YSoft SafeQ databases on the new database server
Follow the Recovering Databases documentation chapter to restore the database on the new
server. This documentation chapter contains all the steps necessary for completing the
restoration of the database including steps to make YSoft SafeQ fully running again.
Reconfiguration or recovery of etcd cluster in Management Service
This document describes the way how to reconfigure a node or restore whole etcd cluster which
is used by Management Service.
Follow this guide only in case you were referred to it from a different chapter from a
documentation (e.g. How to Change the IP Address of YSoft SafeQ Management Server).
b.

4.
When etcd cluster is healthy

cluster is healthy
example.

failed to respond.

cluster is healthy

2380
ETCD_NAME="MGMT3"
MGMT2=http://10.0.5.155:2380"

b.

cluster is healthy
When etcd cluster is unhealthy
Unfortunately, you cannot add or remove nodes when etcd quorum was lost. It is needed
to manually restore etcd cluster health before you can install or reconfigure the other
node again.
Example two node environment:
First node is installed on server with hostname MGMT1 and IP 10.0.5.147
Second node is installed on server with hostname MGMT2 and IP 10.0.5.155
Create dump of etcd storage content from a node which is reported as healthy
1. Connect to the node which is still functional
2. Start PowerShell and move to "SafeQ installation directory\Management\etcd\" folder

3.
It will create a file etcddump.ps1 which will contain commands for restoring the
content of etcd.

http://127.0.0.1:2379 mk $($_ -replace `"/`", `"`") `"$(.\etcdctl.exe get $_)`"" | out-
file etcddump.ps1 -append }
4. Copy etcddump.ps1 to a safe place
Check if the healthy node is the first or an additional node
i.e. which node remained running or which node is without IP change
3. YSoft Bundled Etcd Properties will open
4. Move to the Startup tab and scroll down at the end of Arguments: field
a. The first installed node has the following line there:
-initial-cluster-state=new
b. Any additional node has the following line there:
-initial-cluster-state=existing
Restore etcd cluster health
1. Stop YSoft Bundled Etcd service on all nodes
a. Backup folder SERVER_HOSTNAME.etcd in "SafeQ installation

directory\Management\etcd\" on all nodes. (MGMT1.etcd and MGMT2.etcd
regarding the example).
b.
b. Delete SERVER_HOSTNAME.etcd
folder in "SafeQ installation
directory\Management\etcd\" on all nodes.
2. When the healthy node is the first node:
a. Start YSoft Bundled Etcd service on the first node
3. When the healthy node is an additional node:
a. Reconfigure etcd to act as the first node of the new etcd cluster:
i. Return to YSoft Bundled Etcd Properties dialog which was opened in

previous section (2.2., step 3.)
ii. Copy whole content of the Arguments: field and paste it to some plain text
editor (i.e. notepad) for easier editing
iii. Change the last two lines of the text
Remove the non-local cluster node from the -initial-cluster line
Change -initial-cluster-state to new
1. original
-initial-cluster=MGMT1=http://10.0.5.147:2380,MGMT2=http://10.0.5.155:
2380
2. after change
-initial-cluster=MGMT2=http://10.0.5.155:2380
iv. Copy the whole changed text (not only the last two lines) and insert into
the YSoft Bundled Etcd Properties dialog into Arguments: field
v. Use OK or Apply button to confirm the changes
b. Start YSoft Bundled Etcd service on the healthy node
4. Check etcd cluster health on the node where YSoft Bundled Etcd service was started in
previous steps:
a. Start PowerShell and move to "SafeQ installation directory\Management\etcd\"

folder
b.

b. Run this command:
c. Output should look like this:

cluster is healthy
Restore etcd storage content
If you have a dump of etcd storage available
Use the previously created dump to restore etcd storage content.
1. Copy the etcddump.ps1 file which was created in section 2.1 into "SafeQ installation
directory\Management\etcd\" folder
3. Use the existing etcddump.ps1 file or copy the one from the safe place (section 3.1,
step 4.)
5. The etcd storage is now re-populated. If you want to list all keys and their values run
following command:
If you do not have a dump of etcd storage available
If you do not have a dump of etcd storage available, the etcd key/value storage must be re-
populated manually by values stored in safeq.properties file and YSoft SafeQ 6 database.
For easier manipulation please open the safeq.properties file located in "SafeQ installation
directory\Management\conf\".

Each key in database which should be re-populated by a value from safeq.properties file
will be expressed below as property name with suffix.value.
a. Run following commands (replace parameters with suffix.value by the value from
safeq.properties file):
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk embeddedDb (select from values 0

or 1 - 0 external database, 1 - embedded database)
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk dbClass database.type.value
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk dbDbName database.name.value
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk dbHost database.host.value
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk dbPort database.port.value
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk dbInstanceName database.msSql.
instance.value (if named instance is configured on MSSQL server)
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk dbDomain database.global.
management.domain.value (if Windows authentication is used for MSSQL server)
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk dbDbUsername database.global.
management.username.without.domain.value
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk encryptedUserPassword "database.
global.management.password.value"
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk encryptedClusterPassword
"database.cluster.management.password.value"
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk encryptedClusterGuestPassword
"database.cluster.guest.password.value"
b. If Data Warehouse use a different database located on the same database server
as YSoft SafeQ database (SSMD deployment) add also the following record:
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk DWdbName databaseWarehouse.name.

value
c. If Data Warehouse use a different database located on a different database

server than YSoft SafeQ database (MSMD deployment) add also the following
records:

value
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk DWdbHost databaseWarehouse.host.
value
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk DWdbPort databaseWarehouse.port.
value

.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk DWdbUsername databaseWarehouse.
global.management.username.without.domain.value
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk DWencryptedUserPassword
"databaseWarehouse.global.management.password.value"
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk DWencryptedClusterPassword
"databaseWarehouse.cluster.management.password.value"
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk DWencryptedClusterGuestPassword
"databaseWarehouse.cluster.guest.password.value"
3. Open the database management tool (pgAdminIII/MS SQL Management Studio)
a. Login the YSoft SafeQ database
b. Navigate to the SQDB6 database
c. Open table cluster_mngmt.tenants
d. Find a row where the column schema_name is equal to the name of your tenant
("tenant_1" by default)
e. Copy the content of db_pass column to clipboard or write it down
4. Open Internet browser
a. Navigate to YSoft SafeQ administration web interface
b. Login as an admin
c. On the Dashboard navigate to widget for text encryption
d. Enter the password (either paste from keyboard or type it in)
e. Press Encode
f. Copy the encoded password to clipboard or write it down
5. Go to the PowerShell prompt
a. Move to "SafeQ installation directory\Management\etcd\" folder
b. Run following command:
.\etcdctl.exe --endpoint http://127.0.0.1:2379 mk encryptedTenantPassword "<type

in the encrypted password or paste it in from keyboard>"
Enclose the encrypted password with quotation marks, e.g. "code,

-3,5,98,45,18,-7,-125,-92"
c.
c. The etcd storage is re-populated. If you want to list all keys and their values run
following command:
d. If a key contains a wrong value then the key must be deleted by the command
below and re-created again with correct value:
.\etcdctl.exe --endpoint http://127.0.0.1:2379 rm <keyName>
Add or reconfigure the remaining node(s)

If the remaining node is not installed yet and need to be reinstalled again
i.e. if a Management node has crashed, etcd cluster lost quorum and the Management node
needs to be reinstalled again to restored etcd cluster
1. Etcd cluster is now healthy again so you can reinstall the node using the installer.
2. Choose the Add or Replace node option as we are adding an additional node to the etcd
cluster now.
The first node is either available or an additional node was reconfigured to act as first
etcd node in section 3.3, step 3. a.
If the remaining node is already installed and needs to be reconfigured
i.e. if IP address of a Management node was changed without following proper procedure, etcd
cluster lost quorum and Management node needs to be added to restored etcd cluster
1. Connect to the node which is now acting as the first node

2380

Replace MGMT2 with actual hostname of the other node and 10.0.5.155 with
actual IP of the other node.
b. Output should look like this:
Added member named MGMT2 with ID a522606ea77f5003 to cluster
ETCD_NAME="MGMT2"
ETCD_INITIAL_CLUSTER="MGMT1=http://10.0.5.147:2380,MGMT2=http://10.0.5.155:2380"
3. Connect to the remaining node, start PowerShell and move to "SafeQ installation
b. In the General tab use the Start button to start the YSoft Bundled Etcd service
We need to start YSoft Bundled Etcd service this way to create proper etcd
c. YSoft Bundled Etcd shall be started
4. Check etcd cluster health again
b. Output should look like this:

cluster is healthy
c. You can now close YSoft Bundled Etcd Properties on the remaining node. YSoft
Bundled Etcd service will remain running.
d. etcd cluster is now reconfigured.
Reconfiguring or Recovering an etcd Cluster in Terminal Server
This document describes how to reconfigure an etcd node or restore a whole etcd cluster that is
used by Terminal Server.

Follow this guide only if you were referred to it from a different chapter from the
documentation.
Checking a Terminal Server etcd Cluster's Health
1. Connect to a server where YSoft SafeQ Management Service is installed
a. Start Command line (CMD) and navigate to the "SafeQ installation

b. Check the Terminal Server etcd cluster's health
i. Run this command:
etcdctl.exe --endpoint http://10.0.5.217:2377 cluster-health
Replace 10.0.5.217 with the actual IP of a server where is Spooler

Controller still functional or where the configuration will not be changed.
ii. The output will contain a list of Terminal Server etcd cluster members, and the
last line will report the Terminal Server etcd cluster's health – it can be:
1. cluster is healthy
2. cluster is unhealthy
When the Terminal Server etcd Cluster Is Healthy
If the etcd quorum is not lost, then you can remove the affected node from the etcd cluster
configuration and add a new or reconfigured node.
If you do not mind that all Embedded Terminals that are managed by the affected Spooler
Controller Group will need to be reinstalled, you can use the when TS etcd cluster is
unhealthy procedure, which is much simpler.
Example environment:
Management Service is installed on IP address 10.0.13.148
First Site Server is installed on IP address 10.0.5.217 – etcd member ID

5df1a03e6509526c

Second Site Server is installed on IP address 10.0.5.218 – etcd member ID
4698d36b2a32ca93
Third Site Server is installed on IP address 10.0.5.219 – etcd member ID

54237a9912a7236 (this node will be reinstalled and recovered)
Example Situation
1. The Third Site Server was reinstalled as an example
a. Stop the YSoft SafeQ Terminal Server service on the affected node
b. Delete the folder TS-XX.XX.XX.XX in " SafeQ installation directory

\SPOC\terminalserver\etcd\" on the affected node
Example Result of a Terminal Server etcd Cluster Health Check
failed to check the health of member 54237a9912a7236 on http://10.0.5.219:2377: Get http://10.

0.5.219:2377/health: dial
tcp 10.0.5.219:2377: connectex: No connection could be made because the target machine actively
refused it.
member 54237a9912a7236 is unreachable: [http://10.0.5.219:2377] are all unreachable
member 4698d36b2a32ca93 is healthy: got healthy result from http://10.0.5.218:2377
member 5df1a03e6509526c is healthy: got healthy result from http://10.0.5.217:2377
cluster is healthy
Remove the Affected Node from the etcd Cluster
The affected node is the one with failed to check the health of member.
1. Remove the affected node.
etcdctl.exe --endpoint http://10.0.5.217:2377 member remove 54237a9912a7236
Replace 10.0.5.217 with the actual IP address of a server where Spooler

Controller is still functional or where the configuration was not hanged.
Replace 54237a9912a7236 with the actual etcd member ID of the reinstalled

server.
Removed member 54237a9912a7236 from cluster

b.
2. Verify the cluster health again.

Controller is still functional or where the configuration was not changed.

cluster is healthy
Add the Affected Node to the etcd Cluster Again
1. Add the affected node again.
etcdctl.exe --endpoint http://10.0.5.217:2377 member add TS-10.0.5.219 http://10.

0.5.219:2378

Replace 10.0.5.219 (the IP address of the affected server) with the actual IP
address of the affected server.
Added member named TS-10.0.5.219 with ID 188abf215116e622 to cluster
ETCD_NAME="TS-10.0.5.219"
ETCD_INITIAL_CLUSTER="TS-10.0.5.219=http://10.0.5.219:2378,TS-10.0.5.218=http://10.
0.5.218:2378,TS-10.0.5.217=http://10.0.5.217:2378"
2. Verify the cluster health again.

2.
a.

member 188abf215116e622 is unreachable: no available published client urls

cluster is healthy
Connect to the Affected Node
1. Start Command line (CMD) and move to the " SafeQ installation directory
\SPOC\terminalserver\etcd\" folder.
Do not use PowerShell!
2. Run etcd manually to create the proper etcd configuration:
This is needed only once after the changes.
etcd64.exe -name TS-10.0.5.219 -data-dir "c:\SafeQ6\SPOC\terminalserver\etcd\TS-

10.0.5.219" -initial-advertise-peer-urls http://10.0.5.219:2378 -listen-peer-urls
http://10.0.5.219:2378 -listen-client-urls http://10.0.5.219:2377,http://127.0.0.1:2377 -
advertise-client-urls http://10.0.5.219:2377 -initial-cluster-token safeq-cluster -
initial-cluster TS-10.0.5.219=http://10.0.5.219:2378,TS-10.0.5.218=http://10.0.5.218:2378,
TS-10.0.5.217=http://10.0.5.217:2378 -initial-cluster-state existing
Replace 10.0.5.219 (the IP address of the affected server) with the actual IP address of
the affected server.
Copy -initial-cluster values from the step 2.4. b. result, ETCD_INITIAL_CLUSTER line.
a. Start the YSoft SafeQ Terminal Server service.
b. Verify that "Offline storage refreshed" can be seen in the Terminal Server log at
least at ten minutes after the start of Terminal Server.
Connect to a Server Where YSoft SafeQ Management Service Is Installed and Verify the etcd Cluster's
Health Again.

1. Start Command line (CMD) and navigate to the "SafeQ installation directory\Management\
etcd\" folder.
Replace 10.0.5.217 with the actual IP of a server where is Spooler Controller still
functional or where the configuration was not changed.
member 188abf215116e622 is healthy: got healthy result from http://10.0.5.219:2377

cluster is healthy
c. The node is now reconfigured.
When the Terminal Server etcd Cluster Is Unhealthy
Unfortunately, you cannot add or remove nodes if the Terminal Server etcd quorum was lost.
You can only recreate the Terminal Server etcd cluster again.
All data stored inside the Terminal Server etcd cluster will be lost, so you will need to reinstall
all affected YSoft SafeQ Embedded Terminals after cluster recreation.
1. Stop the YSoft SafeQ Terminal Server service on all nodes in the affected Spooler
Controller Group.
a. Back up the TS-XX.XX.XX.XX

folder in "SafeQ installation directory
\SPOC\terminalserver\etcd\" on all nodes.
b. Delete the TS-XX.XX.XX.XX
folder in " SafeQ installation directory
\SPOC\terminalserver\etcd\" on all nodes.
2. Start the YSoft SafeQ Terminal Server service on all nodes.
a. Verify that "Offline storage refreshed" can be seen in the Terminal Server log after
the start of Terminal Server (it might take up to 10 minutes before this record
appears)
3. Reinstall all YSoft SafeQ Embedded Terminals that are managed by the affected Spooler
Controller Group.

3.
Recovering Databases
The following pages describe the procedure how to restore YSoft SafeQ databases. YSoft SafeQ
solution uses main databases for its basic operations, such as devices information, reporting, etc.
These are the different databases you might find in the different YSoft SafeQ deployments:
SQDB6 - Main database used by the whole solution.
SQDB6_DWH - Database used as Data Warehouse, for external process of Reporting.
SQDB6_IMS - Database used by the Infrastructure Management Service
SQDB6_YPS - Database used by the Payment System
Based on the database type and the deployment scenario, in order to backup the database,
please follow the guide described in the links below:
PostgreSQL Database recovery
MS SQL Database and Data Warehouse Recovery
MS SQL Database and Data Warehouse Recovery
Please note that this is just a quick guide for MS SQL Studio. The latest documentation is
always available on Microsoft's web pages.
Before proceeding with the recovery, make sure that current backup files are available
before you start with the restore procedures.
You can backup your database following the guide in MS SQL Database and Data Warehouse
Backup.
Preparation
Stop related services in the environment
YSoft SafeQ services need to be stopped before a database restore is performed and the
cache on Spooler Controllers needs to be cleared before they are started again to avoid
possible inconsistencies.
except YSoft Bundled Etcd.
Dispatcher Paragon services need to be stopped before a database restore is performed and
the cache on Spooler Controllers needs to be cleared before they are started again to avoid

Stop all Dispatcher Paragon services in the whole environment (Management Servers, Site
Servers) except Dispatcher Paragon Bundled Etcd.
Recovering in a new SQL Server
In case you are recovering your database in a new SQL Server instance, you need to modify the
following files, located in the Management Service installation folder:
{SAFEQ_INSTALLATION_FOLDER}/Management/conf/safeq.properties
{SAFEQ_INSTALLATION_FOLDER}/Management/validator/DBValidator.properties
{SAFEQ_INSTALLATION_FOLDER}/Management/ims/application.properties
Deleting the current databases
1. On the database server, run Microsoft SQL Management studio.
2. Click File - Connect to Object Explorer.
3. Choose a Database engine as a Server type and connect to the database server.
4. In the Object Explorer (menu on the left), click Databases.
5. Delete current databases:
a. SQDB6
b. SQDB6_DWH (if it exists in the deployment scenario)
c. SQDB6_IMS
d. SQDB6_YPS (if Payment System is installed)

Deleting the current warehouse database in case of multiple server deployment
If you have multiple server database deployment please follow next steps to delete warehouse
1. On the warehouse database server, run Microsoft SQL Management studio.
2. Click File - Connect to Object Explorer.
3. Choose a Database engine as a Server type and connect to the database server.
4. In the Object Explorer (menu on the left), click Databases.
5. Delete current database SQDB6_DWH.
Restoring Databases from Backup
1. Right-click Databases > New Database...
2. Create new databases with the same names as the original ones:
If you are using domain users, create the databases according to the article Installing
YSoft SafeQ Management Server on external MSSQL using domain users.
a. SQDB6
b. SQDB6_DWH (if it exists in the deployment scenario)
c. SQDB6_IMS
d. SQDB6_YPS (if Payment System is installed)

3. Restore each database from its backup files, following the steps below (example for
SQDB6).
a. Right-click the database name and select Tasks > Restore > Database... option.
b. Switch source to Device and select your backup file > enable the checkbox in the
Restore column.
c. Navigate to the Options page.
i. Check the Overwrite the existing database (WITH REPLACE) option.
ii. Uncheck the Take a tail-log backup before restore option.

ii.
d. Click OK.
e. Backup will be restored.
Restoring warehouse databases from backup in case of multiple server deployment
If you have multiple server database deployment please follow next steps to restore warehouse
1. Right-click Databases > New Database...
2. Create new database with the same names as the original one SQDB6_DWH.
If you are using domain users, create the databases according to the article Installing
YSoft SafeQ Management Server on external MSSQL using domain users.
3. Restore database SQDB6_DWH in same way like in previous section "Restoring Databases
from Backup" indent 3.

SQL Server authentication - Reconfiguration section
Restoring Databases final steps with SQL users
1. Run the following query on the SQDB6 database
ALTER USER [cluster_mngmt] WITH LOGIN = [cluster_mngmt];

ALTER USER [cluster_guest] WITH LOGIN = [cluster_guest];
2. If you do not use sa user, also run the following query on the SQDB6 database:
ALTER USER [<safeq_user>] WITH LOGIN = [<safeq_user>];
Replace <safeq_user> in both places with the value of the database.global.management.

username.without.domain property from the SafeQ installation
directory\Management\conf\safeq.properties file.
Restoring warehouse databases final steps with SQL users
If you have multiple database deployment please follow next steps to finalize database restore
otherwise skip this section. You need to connect to appropriate database server according to
your deployment type.
1. Run the following query on the SQDB6_DWH database
ALTER USER [cluster_mngmt] WITH LOGIN = [cluster_mngmt];

ALTER USER [cluster_guest] WITH LOGIN = [cluster_guest];
2. If you do not use sa user, also run the following query on the SQDB6_DWH database:
ALTER USER [<safeq_user>] WITH LOGIN = [<safeq_user>];
Replace <safeq_user> in both places with the value of the database.global.management.

Reconfiguring the SQDB6 Database
1. If you have YSoft SafeQ 6 MU9 or later and if you have database user passwords in plain
text (default configuration), run the following procedure on the SQDB6 database:
EXEC cluster_mngmt.spu_recover_tenant_db_passwords;
2.

2. If you have YSoft SafeQ 6 MU8 or older or if you have encrypted database user
passwords, follow these manual steps:
a. Reconfigure the tenantuser_1 user:
i. Find the tenantuser_1 password by running the following query on the SQDB6
database.
SELECT db_pass FROM cluster_mngmt.tenants WHERE db_login='tenantuser_1'
ii. Prepare the following query:
IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = '@t

enantUser@') BEGIN CREATE LOGIN [@tenantUser@] WITH PASSWORD = '@tenantPasswo
rd@'; END; ELSE BEGIN ALTER LOGIN [@tenantUser@] WITH PASSWORD = '@tenantPass
word@'; END;
IF NOT EXISTS(select * from sys.database_principals where name = '@tenantUser
@') BEGIN CREATE USER [@tenantUser@] WITH DEFAULT_SCHEMA = [@tenantSchema@];
END; ELSE BEGIN ALTER USER [@tenantUser@] WITH LOGIN = [@tenantUser@]; END;
EXEC('exec sp_addrolemember db_datareader, @tenantUser@');
EXEC('exec sp_addrolemember db_datawriter, @tenantUser@');
EXEC('exec sp_addrolemember db_ddladmin, @tenantUser@');
iii. Replace variables with real values:
@tenantUser@ = tenantuser_1
@tenantPassword@ = tenantuser_1 password from step a (which must be
decrypted).
@tenantSchema@ = tenant_1
iv. Run the modified query on the SQDB6 database.
b. Also reconfigure the dwhtenantuser_1 user in a similar way:
i. Find the dwhtenantuser_1 password by running the following query on the

SQDB6 database.
SELECT db_pass FROM cluster_mngmt.tenant_warehouses WHERE db_login='dwhtenant

user_1'
ii. Prepare the following query.
IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = '@d

whTenantUser@') BEGIN CREATE LOGIN [@dwhTenantUser@] WITH PASSWORD = '@tenant
Password@'; END; ELSE BEGIN ALTER LOGIN [@dwhTenantUser@] WITH PASSWORD = '@t
enantPassword@'; END;
IF NOT EXISTS(select * from sys.database_principals where name = '@dwhTenantU
ser@') BEGIN CREATE USER [@dwhTenantUser@] WITH DEFAULT_SCHEMA =
[@dwhTenantSchema@] END; ELSE BEGIN ALTER USER [@dwhTenantUser@] WITH LOGIN
= [@dwhTenantUser@]; END;

EXEC('exec sp_addrolemember db_datareader, @dwhTenantUser@');
EXEC('exec sp_addrolemember db_datawriter, @dwhTenantUser@');
EXEC('exec sp_addrolemember db_ddladmin, @dwhTenantUser@');
@dwhTenantUser@ = dwhtenantuser_1
@tenantPassword@ = dwhtenantuser_1 password from step a (which must be
decrypted).
@dwhTenantSchema@ = dwhtenant_1
c. If you have more tenants, repeat the steps from section a. for all additional
tenantuser_X and the steps from section b. for all corresponding dwhtenantuser_X
Reconfiguring the SQDB6_DWH warehouse Database in case of multiple server deployment
If you have multiple database deployment please follow next steps to reconfigure database
otherwise skip this section. You need to connect to appropriate database server according to
your deployment type and follow these manual steps:
1. Reconfigure the dwhtenantuser_1 user:
a. Find the dwhtenantuser_1 password by running the following query on the SQDB6
database.
SELECT db_pass FROM cluster_mngmt.tenant_warehouses WHERE db_login='dwhtenantuser_1

'
b. Prepare the following query.
IF NOT EXISTS (SELECT name FROM master.sys.server_principals WHERE name = '@dwhTena

ntUser@') BEGIN CREATE LOGIN [@dwhTenantUser@] WITH PASSWORD = '@tenantPassword@';
END; ELSE BEGIN ALTER LOGIN [@dwhTenantUser@] WITH PASSWORD = '@tenantPassword@'; E
ND;
IF NOT EXISTS(select * from sys.database_principals where name = '@dwhTenantUser@')
BEGIN CREATE USER [@dwhTenantUser@] WITH DEFAULT_SCHEMA = [@dwhTenantSchema@] END;
ELSE BEGIN ALTER USER [@dwhTenantUser@] WITH LOGIN = [@dwhTenantUser@]; END;
EXEC('exec sp_addrolemember db_datareader, @dwhTenantUser@');
EXEC('exec sp_addrolemember db_datawriter, @dwhTenantUser@');
EXEC('exec sp_addrolemember db_ddladmin, @dwhTenantUser@');
c. Replace variables with real values:
@tenantPassword@ = dwhtenantuser_1 password from step a (which must be decrypted).
d.

d. Run the modified query on the SQDB6_DWH database.
2. Reconfigure the tenantuser_1 user in Linked Server:
a. Find the tenantuser_1 password by running the following query on the SQDB6
database.
b. Open Linked Server SQDB6_LINKED_SERVER properties and update tenantuser_1

password from step a (which must be decrypted).
3. If you have more tenants, repeat the steps from section a. for all additional tenantuser_X
and the steps from section b. for all corresponding dwhtenantuser_X
Re-validate database
1. If you have YSoft SafeQ 6 MU9 or later, run the following procedure on the SQDB6
database:
EXEC cluster_mngmt.spu_clean_validator_tables;
2. If you have YSoft SafeQ 6 MU8 or older build, follow these manual steps:
a. Delete the records from all validator related tables.

2.
a.
delete from dbo.smartq_validator;

delete from cluster_mngmt.smartq_validator;
Foreach tenant_id do:
delete from tenant_%i.smartq_validator;

delete from dwhtenant_%i.smartq_validator;
3. If you have multiple database deployment and you have YSoft SafeQ 6 MU9 or later please
connect to warehouse database server run the following procedure on the SQDB6_DWH
database, otherwise skip this paragraph:
EXEC cluster_mngmt.spu_md_clean_validator_tables;
4. If you have multiple database deployment and you have YSoft SafeQ 6 MU8 or older build
please connect to warehouse database server and delete the records from all validator
related tables, otherwise skip this paragraph:
delete from dbo.smartq_validator;

5. Run DB Validator Tool
Windows authentication - Reconfiguration section

Restoring Databases final steps with domain users
1. Run the following queries on database SQDB6:
CREATE USER [<domain>\<safeq_user>] FOR LOGIN [<domain>\<safeq_user>] WITH DEFAULT_SCHEMA=

[cluster_mngmt]
ALTER ROLE [db_owner] ADD MEMBER [<domain>\<safeq_user>]
If USER [<domain\safeq_user>] already exists you need to drop this user.
DROP USER [<domain>\<safeq_user>]
2. Run the following queries on all databases SQDB6_IMS, SQDB6_DWH (if it exists in the
deployment scenario) and SQDB6_YPS (if Payment System is installed):

2.
CREATE USER [<domain>\<safeq_user>] FOR LOGIN [<domain>\<safeq_user>] WITH DEFAULT_SCHEMA=

[dbo]
ALTER ROLE [db_owner] ADD MEMBER [<domain>\<safeq_user>]
3. Drop old domain user if it is different from the current domain user on all databases SQDB6
, SQDB6_DWH (if it exists in the deployment scenario), SQDB6_IMS and SQDB6_YPS (if
Payment System is installed):
DROP USER [<old_domain>\<old_safeq_user>];
Replace <domain> in all places with the value of the database.global.management.

Replace <safeq_user> in all places with the value of the database.global.management.
Replace <old_domain> in all places with the value of the database.global.management.
username.without.domain property from the previous SafeQ installation
Replace <old_safeq_user> in all places with the value of the database.global.
management.username.without.domain property from the previous SafeQ installation
Re-validate database
If your database backup was an older version you need to run DB Validator Tool to update the
database.
Finalization
Clear the Cache on Spooler Controllers and Restart All Services
inconsistencies.


PostgreSQL Database recovery
All restore procedures should be consulted first with the Database Administrator/Owner in
case an external PostgreSQL database is used.
Please note that this is just a quick guide to the pgAdmin tool. The latest documentation is
always available on PostgreSQL's web pages.
Please check that the current backup files are available before you start with the restore
procedures.
Preparation
Stop related services in the environment

YSoft SafeQ services need to be stopped before a database restore is performed and the
cache on Spooler Controllers needs to be cleared before they are started again to avoid
1. Stop almost all YSoft SafeQ services on the Management and Site Servers:
ii. YSoft Bundled PostgreSQL 11
b. You can use the following PowerShell script to perform the task:
Run PowerShell as Administrator.
Get-Service *YSoft* | Where-Object {$_.Name -ne 'YSoftPGSQL' -and $_.Name -ne 'YYSo
ftPGSQL' -and $_.Name -ne 'YSoftEtcd'} | Stop-Service
Delete the current databases
1. On the database server, run the pgAdmin administration tool.
2. In the Object browser window, double-click the SafeQ PostgreSQL server connection item
and connect to the server.
3. Delete the current YSoft SafeQ databases:
a. SQDB6

b. SQDB6_IMS
c. SQDB6_YPS (if YSoft SafeQ Payment System is installed)
d. SQDB6_DWH (if Data Warehouse is in a separate database, the database might be

deployed on a different server)
Create new databases
1. Right-click Databases > Create > Database

2. Create new databases with Owner set to postgres using the same names as the original
ones:
a. SQDB6
b. SQDB6_IMS
c. SQDB6_YPS (if YSoft SafeQ Payment System is installed)

d. SQDB6_DWH (if Data Warehouse is in a separate database, the database might be
deployed on a different server)
Restore the databases from the backup files
1. Restore the SQDB6 database from a backup file:
a. Right-click the database name and select the Restore... option.
b. Select your backup file.

c. Click Select.
d. Popup appears with information that procedure ended successfully
e. Click on More details to see log.
2. Restore the SQDB6_IMS database from a backup file.
3. Also restore the SQDB6_YPS database from a backup file (if YSoft SafeQ Payment System
is installed).
4. Also restore the SQDB6_DWH database from a backup file (if Data Warehouse is in a
separate database, the database might be deployed on a different server)
Reconfiguring the SQDB6 Database
1. If you have YSoft SafeQ 6 MU9 or later and if you have database user passwords in plain
text (default configuration), run the following procedure on the SQDB6 database:
SELECT cluster_mngmt.spu_recover_tenant_db_passwords();
2.

2. If you have YSoft SafeQ 6 MU8 or older or if you have encrypted database user passwords
, follow these manual steps:
a. Reconfigure tenantuser_1 user:
i. Find the tenantuser_1 password by running the following query on the SQDB6
database:
DO $body$ BEGIN IF NOT EXISTS(SELECT * FROM pg_catalog.pg_user WHERE usename

= '@tenantUser@') THEN CREATE ROLE @tenantUser@ LOGIN PASSWORD '@tenantPasswo
rd@'; ELSE ALTER ROLE @tenantUser@ WITH PASSWORD '@tenantPassword@'; END IF;
END $body$;
GRANT ALL ON SCHEMA @tenantSchema@ TO @tenantUser@;
ALTER USER @tenantUser@ SET search_path TO @tenantSchema@,cluster_mngmt,PUBLI
C;
GRANT ALL ON SCHEMA cluster_mngmt TO @tenantUser@;
@tenantUser@ = tenantuser_1
@tenantPassword@ = tenantuser_1 password from step a (which must be
decrypted).
b. Reconfigure the dwhtenantuser_1 user:
i. Find the dwhtenantuser_1 password by running the following query on the

SQDB6 database:
SELECT db_pass FROM cluster_mngmt.tenant_warehouses WHERE db_login='dwhtenant

user_1'
DO $body$ BEGIN IF NOT EXISTS(SELECT * FROM pg_catalog.pg_user WHERE usename

= '@dwhTenantUser@') THEN CREATE ROLE @dwhTenantUser@ LOGIN PASSWORD '@tenant
Password@'; ELSE ALTER ROLE @dwhTenantUser@ WITH PASSWORD '@tenantPassword@';
END IF; END $body$;
GRANT ALL ON SCHEMA @dwhTenantSchema@ TO @dwhTenantUser@;
ALTER USER @dwhTenantUser@ SET search_path TO @dwhTenantSchema@,
cluster_mngmt,PUBLIC;
GRANT ALL ON SCHEMA @tenantSchema@ TO @dwhTenantUser@;
GRANT ALL ON SCHEMA cluster_mngmt TO @dwhTenantUser@;

@tenantPassword@ = dwhtenantuser_1 password from step a (which must be
decrypted).
c. If you have more tenants, repeat the steps from section a. for all additional
tenantuser_X and the steps from section b. for all corresponding dwhtenantuser_X
Re-validating the Database
1. a. If you have YSoft SafeQ 6 MU9 or later, run the following procedure on the SQDB6
database:
b. If you have SafeQ 6 MU8 or older, follow these manual steps:
i. Delete records from all validator related tables.
delete from public.smartq_validator;

delete from tenant_%i.smartq_validator;

c. Run DB Validator Tool.
d. Continue with the Finalization section.
Finalization
Clear the Cache on Spooler Controllers and Restart All Services
inconsistencies.


Recovery procedure for standalone YSoft SafeQ Management Service - standalone installer
This page describes recovery of single Management Server (which is not part of any cluster) and
which was installed using ysq-management-server-install.exe package.
Please enable license reactivation before transferring the license to a new server (e.g. when
original hardware fails or when OS is reinstalled).
This guide assumes that you have Backup of Databases and Backing Up Configuration and
Binary Files available.

Recovery
1. Prepare a server (or a virtual machine) with the samehostname/IP as the original
Management Server had used.
a. If the external database is damaged, perform Recovering Databases but skip the
3. Check backup of configuration files and note the following:
a. Management Server GUID. It is noted in the safeq.properties file as the value of

communicator.cml.guid option. For example:
# COMMUNICATOR
4. Reinstall the Management Server using the same build installation package.
b. Choose Install a new YSoft SafeQ Management Server... option.
c. Use the same database type as was used before.
d. Provide wizard with the same Management Server GUID which was used before (see
step 3.a.)
See Install the YSoft SafeQ Management Server for detailed procedure.
5. Stop almost all YSoft services after installation is finished.
ii. YSoft Bundled PostgresSQL 9.4 (available if embedded PostgresSQL DB is

used).
b. Stop all other YSoft services.

'YSoftEtcd' } | Stop-Service
6.
6. If you are using embedded PostgreSQL database, perform Recovering Databases but skip
the Finalization part for now (as new empty databases were created during installation).
7. Start YSoft services again.
8. Re-activate YSoft SafeQ license using your preferred method (online/offline). See
a. If you used customized configuration (such as your own certificates for the web
services), seek the relevant documentation and set the configuration again
Finalization
Clear cache on Spooler Controllers and start all services again
inconsistencies.


The Recovery Procedure for a Node of a YSoft SafeQ Management Server Cluster - Server
Installer
This page describes the recovery of a single node of a Management Server cluster which was
installed using the Server installer package – a First Server or Additional Management Server
If the affected node is the one on which the YSoft SafeQ license was activated, enable
license reactivation before transferring the license to a new server (e.g., when the original
hardware fails or when an OS is reinstalled).
We expect that an external database is being used – i.e., there is no local database on any
cluster node.
This guide assumes that you have a Backup of Databases and Backing Up Configuration and
Binary Files available.
Jobs stored on the non-functional server will be lost and users will need to submit them again.
Check the etcd Cluster Health
3.

When the etcd Cluster Is Healthy
You can use the installer to reinstall the affected node.
1. Prepare a server (or a virtual machine) with the same hostname/IP as the original
i. Mobile Print Server – The MPS folder is available in backup files
ii. YSoft Payment System – The YPS folder is available in backup files
b. Management Server GUID. It is noted in the safeq.properties file as the value of the
# COMMUNICATOR
c. SPOC GUID. It is noted in the guid.conf file as the value of the LocalGUID option. For
example:
localGUID = j23892stpkfmvri9
3. Reinstall Management Server using the same build installation package.
a. Select the Other servers and Additional Management server options.
b. Enable optional features if they were used before (see step 2.a.).
c. Provide the wizard with the same Management Server GUID that was used before
(see step 2.b.).
d.

d. If you have YSoft SafeQ 6 MU11 or later build, also provide the wizard with the same
SPOC GUID that was used before (see step 2.c.).
See YSoft SafeQ Management Server cluster deployment for a detailed procedure.
4. If you have YSoft SafeQ 6 MU10 or older build, stop almost all YSoft SafeQ services after
the installation is finished.
a. Leave only this YSoft SafeQ service running:
b. Stop all other YSoft SafeQ services.
Get-Service *YSoft* | Where-Object { $_.Name -ne 'YSoftEtcd' } | Stop-Service
c. Edit <SAFEQ_DIRECTORY>\SPOC\conf\modules\guid.conf and rewrite the localGUID to

the value that was used before (see step 2. c.).
d. Delete the SPOC cache by deleting the whole folder

<SAFEQ_DIRECTORY>\SPOC\SpoolCache (e.g., c:\SafeQ6\SPOC\SpoolCache).
e. Start the YSoft SafeQ services with the Automatic startup type again.
Do not start YSoft SafeQ Spooler Controller Group Service. It will be started by
YSoft SafeQ Spooler Controller service when the proper configuration is ready.
Get-Service *YSoft* | Where-Object {$_.Name -ne 'YSoftSQ-SPOCGS'} | Start-

Service
5. Add the GUIDs, ports, and IP addresses of other Management Server cluster nodes into the
configuration of YSoft SafeQ Spooler Controller on the reinstalled Management Server.
a. Open the <SAFEQ_DIRECTORY>\SPOC\conf\modules\spoc.conf file on the other

Management Server cluster node and copy the content of the Connections to CML
server nodes: GUID, IP and PORT section (this node contains the correct configuration
where all Management Server cluster nodes are listed).
b. Paste these values into the Connections to CML server nodes: GUID, IP and PORT
section of the <SAFEQ_DIRECTORY>\SPOC\conf\modules\spoc.conf file on the
reinstalled Management Server and save the changes.
c.

c. Restart the YSoft SafeQ Spooler Controller service on the reinstalled Management
Server to apply the changes.
d. For more information see YSoft SafeQ Management Server cluster deployment
section Reconfiguration of YSoft SafeQ Site Servers to connect to all YSoft SafeQ
Management Servers.
6. If the reinstalled node was the one on which the YSoft SafeQ 6 license was activated, re-
activate the YSoft SafeQ 6 license using your preferred method (online/offline). See
8. Restore the customized configuration:
restore those scripts from backup.
c. If you used customized configuration (such as your own certificates for the web
services), seek the relevant documentation and set up the configuration again.
If the YSoft SafeQ Spooler Controller That Is Installed on this Server Is connected to a Spooler Controller
Group, Continue with the Following Steps:
If the failover for Embedded Terminals is being used and the parameter enableEtcd is enabled, then the
etcd cluster in Terminal Server must also be reconfigured
1. Follow Reconfiguring or Recovering an etcd Cluster in Terminal Server.
Check the number of Site Servers forming the Spooler Controller group using JConsole
Please do no change anything in the MBeans tab. Just check the values in the Attributes leaf.
1. Run <SAFEQ_DIRECTORY>\SPOC\utilities\sqjconsole.bat
2. Connect to a Site Serverthat is a member of the target Spooler Controller group on port
9999.

3. Confirm the Insecure connection.
4. Switch to MBeans tab.
5. Expand distCache > CacheManager > DefaultCacheManager > CacheManager and select
Attributes.
6. Check the value of clusterSize – it must correspond to the number of Site Servers in the
desired Spooler Controller group.

When the etcd Cluster Is Unhealthy
Unfortunately, you cannot add or remove nodes when etcd quorum was lost. It is needed to
manually restore etcd cluster health before you can install or reconfigure the other node
again.
It will create a file etcddump.ps1 which will contain commands for restoring the content
of etcd.

a.

4.
a. Backup folder SERVER_HOSTNAME.etcd in "SafeQ installation directory\Management\

etcd\" on all nodes. (MGMT1.etcd and MGMT2.etcd regarding the example).
b. Delete folder SERVER_HOSTNAME.etcd in "SafeQ installation directory\Management\
etcd\" on all nodes.
i. Return to YSoft Bundled Etcd Properties dialog which was opened in previous
section (2.2., step 3.)
1. original
2380
2. after change
iv.

iv. Copy the whole changed text (not only the last two lines) and insert into the
YSoft Bundled Etcd Properties dialog into Arguments: field
previous steps:
a. Start PowerShell and move to "SafeQ installation directory\Management\etcd\" folder

cluster is healthy

3. Use the existing etcddump.ps1 file or copy the one from the safe place (section 3.1, step 4.)
following command:

Each key in database which should be re-populated by a value from safeq.properties file will be
expressed below as property name with suffix.value.

b. If Data Warehouse use a different database located on the same database server as
YSoft SafeQ database (SSMD deployment) add also the following record:

value
c. If Data Warehouse use a different database located on a different database server

than YSoft SafeQ database (MSMD deployment) add also the following records:

value
value
value

e. Press Encode

Enclose the encrypted password with quotation marks, e.g. "code,-3,5,98,45,18,-7,

-125,-92"
following command:
d. If a key contains a wrong value then the key must be deleted by the command below
and re-created again with correct value:

d.
Restore the Other Node
1. Continue by following the When etcd cluster is healthy section (the steps are the same
now).
The Recovery Procedure for a Site Server That Was Part of a Spooler Controller Group
This page describes the recovery of a single Site Server from a Spooler Controller group which
was installed using a Server installer package – the Site Server deployment scenario. It is
expected that the server is no longer functional and a new one will be used to replace it.
This guide assumes that you have a backup of databases and a backup of configuration (and
Site Server Recovery
1. Prepare a server (or a virtual machine) with the same hostname/IP as the original Site
Server had used.
i. Mobile Print Server – the MPS folder is available in backup files.
ii. YSoft Payment System – the YPS folder is available in backup files.
b. Site Server GUID (SPOC GUID). It is noted in the guid.conf file as the value of the
LocalGUID option. For example:
3. Reinstall Site Server using the same build installation package.
a. Enable optional features if they were used before (see step 2.a).
b. Configure the connection to Management Server(s) the same way as was configured
before.
c. Provide the wizard with the same Site Server GUID that was used before (see step
2.b).

d.
See Site Server Deployment for a detailed procedure.
4. If YSoft Payment System with an embedded PostgreSQL database was installed on the
Site Server that is being restored, perform the following steps:
a. Stop almost all YSoft SafeQ services after installation is finished.
i. Leave only the YSoft Bundled PostgresSQL 11 service running.
ii. Stop all other YSoft SafeQ services.
Get-Service *YSoft* | Where-Object {$_.Name -notmatch 'YSoftPGSQL'}

| Stop-Service
b. Run the pgAdmin administration tool <SAFEQ_DIRECTORY>\PGSQL\bin\pgAdmin4.exe

(e.g., c:\SafeQ6\PGSQL\bin\pgAdmin4.exe)
c. In the Object browser window, double-click the SafeQ 6 item and connect to the
server
i. Delete the current SQDB6_YPS database:
ii. Create a new SQDB6_YPS database:
1.
ii.
1. Right-click Databases > Create > Databese...
2. Create a new SQDB6_YPS database with Owner set to postgres:
iii. Restore SQDB6_YPS database from the backup file:
1. Right-click the database name and select Restore... option.

iii.
1.
2. Select your backup file
3. Click Restore.
4. The backup will be restored.
5. Popup appears with information that procedure ended successfully

5.
6. Click on More details to see log.
d. Start YSoft SafeQ services with the Automatic startup type again.
Do not start the YSoft SafeQ Spooler Controller Group Service. It will be started
by the YSoft SafeQ Spooler Controller service when the proper configuration is
ready.
Get-Service *YSoft* | Where-Object {$_.Name -ne 'YSoftSQ-SPOCGS'} | Start

-Service
6. Check the Management Web interface, the Spooler Controller must be correctly shown as
online.
Spooler Controller Group Verification

If the failover for Embedded Terminals is being used and the parameter enableEtcd is enabled, then the
etcd cluster in Terminal Server must also be reconfigured
1. Follow Reconfiguring or Recovering an etcd Cluster in Terminal Server.
Check the number of Site Servers forming the Spooler Controller group using JConsole
Please do no change anything in the MBeans tab. Just check the values in the Attributes leaf.
1. Run <SAFEQ_DIRECTORY>\SPOC\utilities\sqjconsole.bat

2. Connect to a Site Serverthat is a member of the target Spooler Controller group on port
9999.
3. Confirm the Insecure connection.
4. Switch to MBeans tab.
5. Expand distCache > CacheManager > DefaultCacheManager > CacheManager and select
Attributes.
6. Check the value of clusterSize – it must correspond to the number of Site Servers in the
desired Spooler Controller group.

The Recovery Procedure for a Standalone Site Server
This page describes the recovery of a single Site Server (which is not part of any Spooler
Controller group) that was installed using the Server installer package – a Site Server
deployment scenario. It is expected that the server is no longer functional and a new one will be
used to replace it.
Site Server Recovery
1. Prepare a server (or a virtual machine) with the same hostname/IP as the original Site
Server had used.
i. Mobile Print Server – the MPS folder is available in backup files.
ii. YSoft Payment System – the YPS folder is available in backup files.
b. Site Server GUID (SPOC GUID). It is noted in the guid.conf file as the value of the
LocalGUID option. For example:
3. Reinstall Site Server using the same build installation package.
a. Enable optional features if they were used before (see step 2.a).
b. Configure the connection to Management Server(s) the same way as was configured
before.
c. Provide the wizard with the same Site Server GUID that was used before (see step
2.b).
See Site Server Deployment for a detailed procedure.
4.
4. If YSoft Payment System with an embedded PostgreSQL database was installed on the
Site Server that is being restored, perform the following steps:
a. Stop almost all YSoft SafeQ services after installation is finished.
i. Leave only the YSoft Bundled PostgresSQL 11 service running.
ii. Stop all other YSoft SafeQ services.
Get-Service *YSoft* | Where-Object {$_.Name -notmatch 'YSoftPGSQL'}

| Stop-Service
b. Run the pgAdmin administration tool <SAFEQ_DIRECTORY>\PGSQL\bin\pgAdmin4.exe

(e.g., c:\SafeQ6\PGSQL\bin\pgAdmin4.exe)
c. In the Object browser window, double-click the SafeQ 6 item and connect to the
server
i. Delete the current SQDB6_YPS database:
ii. Create a new SQDB6_YPS database:
1.
1. Right-click Databases > Create > Databese...
2. Create a new SQDB6_YPS database with Owner set to postgres:
iii. Restore SQDB6_YPS database from the backup file:
1. Right-click the database name and select Restore... option.

iii.
1.
2. Select your backup file
3. Click Restore.
4. The backup will be restored.
5. Popup appears with information that procedure ended successfully

5.
6. Click on More details to see log.
d. Start YSoft SafeQ services with the Automatic startup type again.
Do not start the YSoft SafeQ Spooler Controller Group Service. It will be started
by the YSoft SafeQ Spooler Controller service when the proper configuration is
ready.
Get-Service *YSoft* | Where-Object {$_.Name -ne 'YSoftSQ-SPOCGS'} | Start

-Service
6. Check the Management Web interface, the Spooler Controller must be correctly shown as
online.
The Recovery Procedure for a Standalone YSoft SafeQ Management Server - Server Installer
This page describes the recovery of a single management node (which might be part of a Spooler
Controller group) and that was installed using the Server installer package – First server
Please enable license reactivation before transferring the license to a new server (e.g., when
the original hardware fails or when an OS is reinstalled).

Recovery
1. Prepare a server (or a virtual machine) with the samehostname/IP as the original
a. If the external database is damaged, perform a Recovering Databases but skip the
i. Mobile Print Server - an MPS folder is available in backup files.
ii. YSoft Payment System - a YPS folder is available in backup files.
b. Management Server GUID. It is noted in the safeq.properties file as the value of the
# COMMUNICATOR
c. SPOC GUID. It is noted in the guid.conf file as the value of the LocalGUID option. For
example:
4. Reinstall Management Server using the same version build of the installation package.
a. Enable optional features if they were used before (see step 3.a.).
b. Provide the wizard with the same Management Server GUID that was used before
(see step 3.b.).
c. If you have YSoft SafeQ 6 MU11 or later build, also provide the wizard with the same
SPOC GUID that was used before (see step 3.c.).

d.
See First server installation for a detailed procedure.
5. Stop almost all YSoft services after installation finishes.
ii. YSoft Bundled PostgresSQL 9.4 (available if embedded a PostgresSQL DB is

used)
b. You can use the following PowerShell script to perform the task:
Get-Service *YSoft* | Where-Object {$_.Name -ne 'YSoftPGSQL' -and $_.Name -ne 'YSof
tEtcd'} | Stop-Service
6. If you are using an embedded PostgreSQL database, perform a Recovering Databases but
skip the Finalization part for now (as new empty databases were created during the
installation).
7. If you have YSoft SafeQ 6 MU10 or older build , edit

<SAFEQ_DIRECTORY>\SPOC\conf\modules\guid.conf (e.g., c:\SafeQ6\SPOC\conf\modules\guid.
conf), and rewrite the localGUID to the value that was used before (see step 3.c.).
8. Delete the SPOC cache by deleting the whole folder
<SAFEQ_DIRECTORY>\SPOC\SpoolCache
9. Start the YSoft SafeQ services with the Automatic startup type again.
Do not start YSoft SafeQ Spooler Controller Group Service. It will be started by the
YSoft SafeQ Spooler Controller service when the proper configuration is ready.
10. Re-activate the YSoft SafeQ 6 license using your preferred method (online/offline). See
restore those scripts from the backup.
c. If you used customized configuration (such as your own certificates for the web
services), seek the relevant documentation and set the configuration up again.
12.

Finalization
Clear the Cache on Other Spooler Controllers and Start All Services Again
inconsistencies.


Reconfigure the etcd Cluster in Terminal Server if Failover for Embedded Terminals Is Being Used
1. If failover for embedded terminals is being used and parameter enableEtcd is enabled, then
the etcd cluster in Terminal Server must also be reconfigured.
a. Follow Reconfiguring or Recovering an etcd Cluster in Terminal Server.
The Recovery Procedure for a YSoft SafeQ Management Service Cluster Node - Standalone
Installer
This page describes the recovery procedure for a single node of the Management Service cluster
that was installed using ysq-management-server-install.exe package.
If the affected node is the one on which the YSoft SafeQ license was activated, enable
license reactivation before transferring the license to a new server (e.g., when original
hardware fails or when the OS is reinstalled).
We expect that an external database is being used – i.e., there is no local database on any
cluster node.
Check etcd Cluster Health
When the etcd Cluster Is Healthy
You can use the installer to reinstall the affected node.

1. Prepare a server (or a virtual machine) with the same hostname/IP the original Management
Service node had used.
2. Check the backup of the configuration files of the original Management Service node and
note the following:
a. Management Server GUID. It is noted in the safeq.properties.properties file as the

value of the communicator.cml.guid option. For example:
# COMMUNICATOR
3. Reinstall the Management Service node using the same build installation package.
b. Choose the Add or replace a node in an existing YSoft SafeQ Management Server
cluster option.
c. Enter the IP address of one of the remaining cluster nodes and Retrieve node list.
i. You should see that a node will be replaced.
d. Provide the wizard with the same Management Server GUID that was used before
(see step 2.a.)

See Install the YSoft SafeQ Management Server for a detailed procedure.
f. If the reinstalled node was the one on which the YSoft SafeQ license was originally
activated, re-activate the YSoft SafeQ license using your preferred method (online
/offline). See Management Interface - License Activation for detailed instructions.
g. Restore the customized configuration:
i. If you used a customized configuration (such as your own certificates for the
web services), seek the relevant documentation and set up the configuration
again.
When the etcd Cluster is Unhealthy
Unfortunately, you cannot add or remove nodes when etcd quorum was lost. It is needed to
manually restore etcd cluster health before you can install or reconfigure the other node
again.

3.
It will create a file etcddump.ps1 which will contain commands for restoring the content
of etcd.

a. Backup folder SERVER_HOSTNAME.etcd in "SafeQ installation directory\Management\

etcd\" on all nodes. (MGMT1.etcd and MGMT2.etcd regarding the example).
b. Delete folder SERVER_HOSTNAME.etcd in "SafeQ installation directory\Management\
etcd\" on all nodes.
a.

3.
i. Return to YSoft Bundled Etcd Properties dialog which was opened in previous
section (2.2., step 3.)
1. original
2380
2. after change
iv. Copy the whole changed text (not only the last two lines) and insert into the
YSoft Bundled Etcd Properties dialog into Arguments: field
previous steps:
a. Start PowerShell and move to "SafeQ installation directory\Management\etcd\" folder

cluster is healthy


3. Use the existing etcddump.ps1 file or copy the one from the safe place (section 3.1, step 4.)
following command:
Each key in database which should be re-populated by a value from safeq.properties file will be
expressed below as property name with suffix.value.


b. If Data Warehouse use a different database located on the same database server as
YSoft SafeQ database (SSMD deployment) add also the following record:

value
c. If Data Warehouse use a different database located on a different database server

than YSoft SafeQ database (MSMD deployment) add also the following records:

value
value
value
e.

e. Press Encode

Enclose the encrypted password with quotation marks, e.g. "code,-3,5,98,45,18,-7,

-125,-92"
following command:
d. If a key contains a wrong value then the key must be deleted by the command below
and re-created again with correct value:
Restoring the Other Node
1. Look at the When etcd Cluster Is Healhy section (the steps are the same now).
2. The only difference will be in step 3.c.i. where the node will not be replaced, but a new node
will be added (as we are creating the cluster again from scratch).

5.5.3.3 System Sanity Checks
Spooler Controller Near Roaming Health Check
Near Roaming group among multiple Spooler Controller servers is based on existence of
Distributed Layer Cache for the Cluster. This cluster cache is created automatically when
Near Roaming group is created. The goal of this check is to verify that all the members of
Near Roaming group successfully joined cluster. Following example shows ten SPOC servers
in one Near Roaming group.
Please make sure you exactly follow described steps. Incorrect use of the jConsole tool
may permanently damage your YSoft SafeQ installation!
Java Management Console (jConsole) is used to verify that all SPOC servers joined Near Roaming
group. Please follow these steps to access mentioned tool:
1. Run following file: <SPOC_dir>\utilities\sqjconsole.bat
2. Once the jConsole starts, select Remote Process radio button and enter text: localhost:
9999, then press Connect.

NOTE: You might be warned about failed SSL connection. In that case, proceed with insecure
connection.
When logged in to jConsole browse to following path (see picture below):
a) select tab MBeans
b) choose category distCache\CacheManager\"cacheManager"\CacheManager\Attributes
Check following attributes:
a) CacheManagerStatus: Status must be running. This status is saying that the Cache Manager
is up and running. Other statuses than Running means that the Cache Manager is not running
b) ClusterMembers: This attribute must be showing all nodes that are part of Near Roaming
Group. You can find here host names or IP addresses.
c) ClusterSize: This attribute must be showing number of SPOC servers which are members of
particular Near Roaming Group. If the number is not equal to the number of SPOC servers in Near
Roaming Group then Near Roaming Cluster is not complete and it is needed to find out which
server is missing.

Make sure that the attributes are displayed correctly on all SPOCs in Near Roaming Group
The log files that relate to Distributed Layer (<SPOC_dir>\logs\dist-layer-service.log and

<SPOC_dir>\logs\dist-layer-lifecycle.log) may be analyzed in order to catch any inconvenient
exception that may signal cache corruption or general failures. If the status is STARTED in dist-
layer-lifecycle.log and there are no ERRORs/EXCEPTIONs in dist-layer-service.log then we may now
consider the Spooler Controller in Near Roaming Group as Fully operational.
Basic Health Checks
This document is intended to help an administrator check the status of YSoft SafeQ Spooler
Controller components.
YSoft SafeQ Services
Check that all product services are running on YSoft SafeQ Site Server
YSoft SafeQ Terminal Server
YSoft SafeQ Spooler Controller Group Service
The YSoft SafeQ Spooler Controller Group service will start itself and will be running only
on YSoft SafeQ Spooler Controller servers that are members of Spooler Controller Group,
do not start it manually.
YSoft SafeQ Spooler Controller
YSoft SafeQ End User Interface
YSoft SafeQ Infrastructure Service Proxy

and others...
YSoft SafeQ Spooler Controller connection status on YSoft SafeQ Management Server
Check that YSoft SafeQ Spooler Controller server is successfully connected to all YSoft SafeQ
Management Servers and that all services are reporting an Online status. This can be done on
the YSoft SafeQ Management Server web interface. Go to Devices > Spooler Controller groups
and check the Status column.
YSoft SafeQ Spooler Controller data replication to YSoft SafeQ Management Server
Verify that the YSoft SafeQ Spooler Controller server is replicating its data to YSoft SafeQ
Management Server(s).
How to test:
Send a print job to YSoft SafeQ 6 and check that job is visible in Reports > Job list on YSoft
SafeQ Management web interface with the status Accepted (please note that data is
synchronized once per minute by default).
Release the job sent in the previous step on any of the devices connected to YSoft SafeQ 6
and check whether Job List on YSoft SafeQ Management Server is updated (e.g., the print job
has the status Printed and Detailed job information contains Job history with several rows,
a delay may occur).
Check that Reports > Terminal access is updated on the web interface of YSoft SafeQ
Management Server after releasing the job from the previous step.
5.5.4 EMBEDDED TERMINALS INSTALLATION AND CONFIGURATION
The following guides provide step-by-step instructions on how to deploy Embedded Terminals to a
device from the YSoft SafeQ management interface.
In order to install Embedded Terminals, please follow these steps.
1. Configure network and operating system settings.
You can skip this step if you are using Workstation OS or you've configured this via
centralized domain policy. These settings is important for proper working of Terminal Server
and YSoft Payment System.
1. a. Make sure TCP ports 5010 – 5025 are not used by other programs. (YSoft SafeQ
Terminal Server requires that these ports be free.)
b. Turn off Automatic Root Certificates Update as follows:
NOTE: To perform this procedure, you must be a member of the local

Administrators group, or you must have been delegated the appropriate authority.
On the Windows Desktop, click Start > Run.

Type gpedit.msc; then click OK.
If the User Account Control dialog box appears, confirm that the action it displays
is what you want; then click Continue.
Then go to: Computer Configuration > Administrative Templates > System >
Internet Communication Management > Internet Communication settings.
Double-click Turn off Automatic Root Certificates Update; then click Enabled,
Apply, and OK.
Close the Local Group Policy Editor window.
Apply the new policy settings by running gpupdate /force in the command line
2. Configure your MFDs
Device Configuration for YSoft SafeQ Embedded Terminal
3. Install Embedded Terminals
Embedded Terminal installation
5.5.4.1 Configuring supported languages in Embedded Terminal
When administrator wants to change set of languages from which the user can choose at the
panel.
1. Login to YSoft SafeQ web administration as an administrator.
3. Make sure Expert view is enabled and you are in tenant configuration.
4. Search supported-lang-priority.
5. Edit list with preferred languages.
List of language codes available to the Terminal Server ordered by priority. If a device
cannot use a language, it uses the next one in the list.
6. Save changes.
7. Reinstall embedded terminal to apply changes
Languages codes are used according ISO 639-1

Supported languages and their codes
co langu co lang co lang co lang co lang co lang co lan co lang co lang

de e de uage de uage de uage de uage de uage de gua de uage de uag
ge e
ja Japa sv Swe hr Croa af Afrik bn Beng fa Persi he Heb ka Geor lo Lao

nese dish tian aans ali an rew gian
en Engli no Nor uk Ukrai am Amh bo Tibet fj Fijian hi Hin kk Kaza lt Lith

sh wegi nian aric an di kh uani
an an
fr Frenc fi Finni ro Rom as Assa br Bret fo Faro hy Arm kl Kala lv Lat

h sh ania mes on ese enia allis vian
n e n ut
it Italia hu Hung sl Slov ay Aym ca Catal fy West ia Inte km Cent m Mal

n arian enia ara an ern rlin ral g aga
n Frisia gua Khm sy
n er
nl Dutc el Gree ar Arabi az Azer co Corsi ga Irish id Ind kn Kan mi Mao

h, k c baija can one nada ri
Flemi ni sian
sh
es Spani tr Turki th Thai ba Bash cy Wels gd Gaeli ie Inte ks Kash mk Mac

sh, sh kir h c rlin miri edo
Casti gue nian
lian
da Danis zh- Chin ml Mala be Belar dz Dzon gl Galici ik Inu ku Kurd m Mon
h tw ese- yala usia gkha an piaq ish n goli
Taiw m n an
an

co langu co lang co lang co lang co lang co lang co lan co lang co lang
de e de uage de uage de uage de uage de uage de gua de uage de uag
ge e
cs Czec zh- Chin pl Polis bg Bulg eo Espe gn Guar is Icel ky Kirg m Mol
h cn ese- h arian rant aní andi hiz o davi
Chin o c an
a
pt- Portu ko Kore aa Afar bh Bihar et Esto gu Gujar iu Inuk la Lati mr Mar
pt gues an i nian ati titu n athi
e lang t
uage
s
de Germ ru Russ ab Abkh bi Bisla eu Basq ha Haus jv Jav ln Ling

an ian azia ma ue a ane ala
n se
mt Malte or Oriya rw Kiny sk Slov ss Swa tg Tajik tw Twi w Wolo

se arwa ak ti o f
nda
m Burm pa Panj sa San sm Sam st Sout ti Tigri ug Uyg xh Xho

y ese abi skrit oan hern nya hur sa
Soth
o
na Naur ps Pash sd Sind sn Shon su Sund tk Turk ur Urd yi Yiddi

u to hi a anes men u sh
e
ne Nepal qu Quec sg San so Som sw Swa tl Taga uz Uzb yo Yoru

i hua go ali hili log ek ba
oc Occit rm Raet sh Serb sq Alba ta Tamil tn Tsw vi Viet za Zhu

an o- o- nian ana na ang
Rom Croa me
ance tian se
o Orom rn Kirun si Sinh sr Serbi te Telu tt Tata vo Vol zu Zulu

m o di ala an gu r apü
k
Double-byte character set support
You can turn on double-byte character support for devices which does not support certain
character set (e.g. lack of Hebrew or Japanese characters) by enabling
enableDoubleByteSupport option in web administration.
All job names will be replaced by server rendered images instead of text.

5.5.4.2 Device Configuration for YSoft SafeQ Embedded Terminal
Configuring an OKI Device
Requirements
Auto-installation of YSoft SafeQ Embedded Terminal requires an MFD firmware version supporting
SDK 2.4 or higher.
Other limitations can be found on page Requirements and Known Limitations of YSoft SafeQ
Embedded Terminal for OKI and OKI sXP2.
Authentication
Enabling property internalLdapAllowNonsecureProtocol allows sending user credentials

(entered on Oki device) unencrypted which could be misused by an attacker for unauthorized
access. Use it only when there is no other option.
Certificates
After the first installation of YSoft SafeQ Terminal Embedded, it is necessary to upload a CA
certificate to the device to make sure that communication with Terminal Server is trusted.
If you do not mind security issues you can use SafeQTerminalServer.crt certificate from the
Certificates folder in the installation directory of the Terminal Server.
In the case of updating from MU38 or lower, it is necessary to upload the safeqds.cer
certificate from the product installation package.
How to with certificates
How to generate new specific certificate - System communication hardening
How to select a certificate on Terminal Server - Configuring secured connection between

terminals and Terminal Server
How to convert from Personal Information Exchange to the common PEM files - Conversions
between different keystores and certificate types
Uploading the CA certificate
1. Go to Administration > Security > Certificate Management.
2. In the section CA certificate, select the CA certificate (PEM) radio button.
3.

3. Click Browse..., and choose the correct certificate file in PEM format.
4. Press Upload.
Oki made the security more stricker and generic certificates might not work. For devices
based on new architecture, generation of IP-specific certificate is necessary to supress SSL
/TLS warnings.
Allowing Direct Printing
If you want to use direct printing, it is necessary to allow printing for unauthenticated jobs.
Navigate to Administration > Security > Authentication. You need to configure the section User
Authentication Setting.
Configure the option Authentication failed print job/Raw Print Job to Print.
As a consequence, any print performed directly to the printer would be printed with this
setting. To prevent unwanted prints, set up IP filtering (Administration > Setup > Network >
Filtering).
Allowing Card Readers
If you do not see the configuration for card authentication, turn off the device and follow these
steps:
1. Connect the USB card reader.
2. Enter the service menu.
3. On the next screen, enter 3500 and press the green start button.
4. Now enter 90001 and press OK.
5. Now enter 9398 and press the green start button again.
6. Enter eBMUserCard and restart the printer.

7. The LDAP server will be automatically configured with the next installation of YSoft SafeQ
Embedded Terminal for OKI.
Configuring Time Settings
Time settings have to be configured for the proper accounting of jobs and the assignment of
billing codes to these jobs.
Go to Administration > General and configure Daylight Saving Time Settings to comply with the
configuration of your server where Terminal Server is running.
Daylight Saving Time does not work correctly on devices with older versions of the firmware
(older than O290HD0W21xx ). This can cause problems with the assignment of billing codes
and the time of the performed jobs. To check the version of your firmware, go to
Administration > General > Version.
If you plan on using the SNTP server, it is recommended to disable the Daylight Saving Time
feature.
Next, there are two options possible, based on the availability of an SNTP (time) server in your
network:
1. If an SNTP server is available, set all the necessary details in the section SNTP Service,
and set your timezone
2. If an SNTP server is not available, in the section Date & Time, set the timezone, date, and
time to the time of the Terminal Server. Also, disable the SNTP server.

WARNING: Be sure to set the time as precisely as possible (in means of seconds) to
avoid errors in assigning billing codes to scan jobs and copy jobs. It is better for the MFD
to have the clock set slightly ahead, than behind.
Displaying the YSoft SafeQ application Screen after a Successful login
To improve the experience with YSoft SafeQ Embedded application in OKI, we recommend doing
the following steps to display the YSoft SafeQ application as the initial screen after a successful
login.
2. Press 9955 to change the Extension label to YSoft SafeQ, and click OK to save.
3. Press 9132 and enter the value 99.
Configuring Accounting
If you are planning to install the accounting feature, you need to delete old job logs before
installing the embedded terminal.
Go to Administration > Logs > Export Logs and click on all the buttons that are highlighted
below. Optionally, the logs can be exported using the Create New File buttons.

C onfiguring the HTTP and HTTPS Ports
The MFP uses port numbers 40629 and 40630 for HTTP and HTTPS communication.
If you are planning to use different port numbers, you have to change the values of the
configuration properties openPlatformHttpPort and openPlatformHttpsPort and change the port
numbers on the MFD web interface.
1. Set the property openPlatformHttpPort (expert view) for HTTP communication .
2. Set the property openPlatformHttpsPort (expert view) for HTTPS communication .
3. Go to Administration > Setup> ODCA and change the values of the ports. Then click the
Save button.

Configuring a Sharp OSA5 Device
Limitations can be found on page Requirements and known limitations of YSoft SafeQ
Embedded Terminal for Sharp
Installing an Embedded Terminal
On OSA 5 devices, the installation has the following limitations:
IC Card mode has to set manually via the web interface.
Automatic uninstallation is not implemented, manual steps are needed.
Installation expects both EAX2 and EAX3 modules to be installed.
User Authentication setting (under User Control and its Default Settings), if present, has to be
set to Disable.
If automatic installation fails, it is also possible to install the embedded terminal manually using
the guide below.
Configuring IC Card Mode
When Sharp Embedded Terminal is installed with the authentication method containing Card
(e.g., Card or PIN), and you want to use a card reader in IC Card mode, you have to configure it
manually via the Sharp web interface.

Uninstalling Sharp Embedded Terminal
When you need to uninstall Sharp Embedded Terminal completely, you need to remove the
terminal in the standard manner, and then remove YSoft SafeQ settings from the Sharp device.
Remove all YSoft SafeQ applications: System Settings > Standard Application Settings.
Select all YSoft SafeQ applications and click the Delete button.

Remove the External Accounting application: System Settings > External Accounting
Application Settings. Set External Account Control to Disable, and submit changes.

Manually Installing Sharp Embedded Terminal
When automatic installation fails, you can still install Sharp Embedded Terminal, but installation
contains several manual steps that have to be done.
Stop the Terminal Server service.
Insert <add key="forceSharpOsa5InstallationSuccess" value="true" /> before the tag <

/appSettings> to the TerminalServer.exe.config file.

Start the Terminal Server service.

Install Sharp Embedded Terminal.
The next steps contain placeholders <SQ_IP> and <terminalId>. Both of them have to be
replaced by the correct value otherwise Sharp Embedded Terminal will not work properly. The
placeholder <SQ_IP> has to replaced by the IP address of YSoft SafeQ and <terminalId> has
to be replaced by the current Terminal ID which can be found in the Terminal Server log after
the installation of Sharp Embedded Terminal.
Register YSoft SafeQ and YSoft SafeQ Scan as the default application. Go to System
Settings > Standard Application Settings > Add
Register YSoft SafeQ. Set Application Name: YSoft SafeQ, Address of Application UI:
https://<SQ_IP>:5012/et/<terminalId>/default.ashx and Timeout: 20. Submit all changes.

Register YSoft SafeQ Scan. Set Application Name: YSoft SafeQ Scan, Address of
Application UI:https://<SQ_IP>:5012/et/<terminalId>/scan.ashx and Timeout: 20. Submit all
changes.

Register External Accounting Application. Go to System Settings > External Accounting
Settings.
Set Application Name: YSoft SafeQ, Address of Web Service: https://<SQ_IP>:5012

/sharpWebServices/<terminalId>/SharpExternalAuthorityService.asmx, Address of Application
UI: https://<SQ_IP>:5022/et/v1/<terminalId>/auth, Timeout: 20. Submit all changes.
Check if User Authentication under User Control and its Default Settings, if present, is set to
D i s a b l e .
Restart the Sharp device.

Configuring a Toshiba Device
Requirements
YSoft SafeQ currently supports models based on the eBX architecture. A list of compatible
devices is available on the Partner Portal in the Hardware Compatibility List (HCL).
Auto-installation of YSoft SafeQ Terminal Embedded requires an MFD firmware version

supporting SDK 2.4 or higher.
Limitations can be found on page Requirements and Known Limitations of YSoft SafeQ
Embedded Terminal for Toshiba.
Authentication
Enabling property internalLdapAllowNonsecureProtocol allows sending user credentials

(entered on Toshiba device) unencrypted which could be misused by an attacker for
unauthorized access. Use it only when there is no other option.
Certificates
After the first installation of YSoft SafeQ Terminal Embedded, it is necessary to upload a CA
certificate to the device to make sure that communication with Terminal Server is trusted.
If you do not mind security issues you can use SafeQTerminalServer.crt certificate from the
Certificates folder in the installation directory of the Terminal Server.
In the case of updating from MU38 or lower, it is necessary to upload the safeqds.cer
certificate from the product installation package.
How to with certificates
How to generate new specific certificate - System communication hardening
How to select a certificate on Terminal Server - Configuring secured connection between

terminals and Terminal Server
How to convert from Personal Information Exchange to the common PEM files - Conversions
between different keystores and certificate types
Uploading the CA certificate
1. Go to Administration > Security > Certificate Management.
2.

2. In the section CA certificate, select the CA certificate (PEM) radio button.
3. Click Browse..., and choose the correct certificate file in PEM format.
4. Press Upload.
Toshiba made the security more stricker and generic certificates might not work. For devices
based on e-BRIDGE NEXT or later architecture, generation of IP-specific certificate is necessary
to suppress SSL/TLS warnings.
Allowing direct printing
If you want to use direct printing, it is necessary to allow printing for unauthenticated jobs.
Navigate to Administration > Security > Authentication. You need to configure the section User
Authentication Setting.
Configure the option Authentication failed print job/Raw Print Job to Print.
As a consequence, any print performed directly to the printer would be printed with this
setting. To prevent unwanted prints, set up IP filtering ( Administration > Setup > Network >
Filtering).
Allowing card readers
If you do not see the configuration for card authentication, turn off the device and follow these
steps:
1. Connect the USB card reader.
2. Turn on the device.
4. On the next screen, enter 3500 and press the green start button.
5. Now enter 60001 and press OK.

6. Now enter 9398 and press the green start button again.
7. Enter eBMUserCard and restart the printer.
8. Now you should be able to continue configuring the LDAP server.
A list of Toshiba devices with the required FW versions that support USB card readers and
the card reader registration procedure (needed when the Toshiba MFD FW is a lower version
than the FW the YSoft USB card reader has already preregistered) can be found in the
Configuring Toshiba to work with YSoft USB Card Reader.
Configuring the time
Time settings have to be configured for proper accounting of jobs and assignment of billing codes
to these jobs.
Go to Administration > General and configure Daylight Saving Time Settings to comply with the
configuration of your server where Terminal Server is running.
Next, there are two options possible, based on the availability of an SNTP (time) server in your
network:
1. If an SNTP server is available, set all the necessary details in the section SNTP Service and
set your timezone.
2. If an SNTP server is not available, in the section Date & Time, set the timezone, date, and
time to the time of the Terminal Server. Also, disable SNTP server.

Be sure to set the time as precisely as possible (in means of seconds) to avoid errors in
assigning billing codes to scan jobs and copy jobs. It is better for the MFD to have the
clock set slightly ahead, than behind.
Displaying the YSoft SafeQ application screen after a successful login
To improve the experience with the Toshiba Embedded application, we recommend performing the
following steps to display the YSoft SafeQ application as the initial screen after a successful
login.
2. Press 9955 to change the Extension label to SafeQ and click OK to save.
3. Press 9132 and insert value 99.
Configuring Accounting
If you are planning to install the accounting feature, you need to delete old job logs before
installing the embedded terminal.
Go to Administration > Logs > Export Logs and click all the buttons that are highlighted below.
Optionally, the logs can be exported using the Create New File buttons.

C onfiguring the HTTP and HTTPS ports
The MFP uses port numbers 40629 and 40630 for HTTP and HTTPS communication.
If you are planning to use different port numbers, you have to change the values of the
configuration properties openPlatformHttpPort and openPlatformHttpsPort and change the port
numbers on the MFP web.
1. Set the property openPlatformHttpPort (expert view) for HTTP communication .
2. Set the property openPlatformHttpsPort (expert view) for HTTPS communication .
3. Go to Administration > Setup> ODCA and change the values of the ports. Then click the
Save button.

Additional requirements
YSoft SafeQ verifies the originating device against the list of active devices in the database. For
this purpose, the translation of the MFD's IP address to the hostname/FQDN using standard
Windows features (DNS/NetBIOS) is performed. Please make sure the MFD is properly registered in
the DNS or WINS server as delays in translation may lead to timeouts or failures during
authentication.
Configuring Toshiba for scanning

Follow these steps to configure the MFD
Enable the HTTP Protocol
1. Navigate in your browser to the IP address of MFD to access web interface of MFD called
TopAccess.
2. Log in with valid credentials and navigate to Administration > Setup > Network and click
on HTTP Network Service
3. Make sure option Enable HTTP Server is Enabled.

Enable the WSD Scan Service
TopAccess.
2. Log in with valid credentials and navigate to Administration > Setup > Network and click
on Web Services Setting.
3. Make sure Web Services Scan is Enabled.
4. Fill in Scanner Name (any name will be accepted)
5. Fill in Scanner Information (any string will be accepted)
6. Set Authentication For PC Initiated Scan to Accept the job if user name is valid
7. Save all taken changes.

If Authentication For PC Initiated Scan change is not possible please follow the
documentation Configuring Toshiba for browser-based authentication with SDK 3.1, section
Enable WSD scan with MDS mode.
Rights Management
TopAccess.
2. Log in with valid credentials and navigate to Administration > Security> Authentication.
3.

3. Set User Authentication to Enable.
4. Save all taken changes.
Configuring Toshiba to work with YSoft USB Card Reader

Devices that supports YSoft USB Card Reader
On the latest MFD FW the YSoft USB card reader is already preregistered, so the registration
procedure is not required for proper working of the USB card reader. On the older MFD FW the
YSoft USB card reader must be registered to the device manually.
Please see the following table regarding MFD FW version:
Device MFD FW version MFD FW version with already

supporting preregistered Y Soft USB card
registration readers
e-STUDIO287CS / e-STUDIO347CS / e- The first firmware The first firmware already

STUDIO407CS already supports this supports this function
e-STUDIO477s / e-STUDIO527s function
e-STUDIO2050C / e-STUDIO2051C / e- Higher than 1510 Higher than 1510

STUDIO2550C / e-STUDIO2551
e-STUDIO2555C / e-STUDIO3055C / e- The first firmware The first firmware already

STUDIO3555C / e-STUDIO4555C / e- already supports this supports this function
STUDIO5055 function
e-STUDIO2040C / e-STUDIO2540C / e- Higher than 3404 Higher than 3404

STUDIO3040C / e-STUDIO3540C/ e-
STUDIO4540C

Device MFD FW version MFD FW version with already
supporting preregistered Y Soft USB card
registration readers
e-STUDIO5540C / e-STUDIO6540C / e-
STUDIO6550C
e-STUDIO256 / e-STUDIO306 / e- Higher than 1604 Higher than 1610

STUDIO356 / e-STUDIO356 / e-STUDIO456 /
e-STUDIO506
e-STUDIO656 / e-STUDIO756 / e-
STUDIO856
e-STUDIO306 LP The first firmware The first firmware already

already supports this supports this function
function
It is recommended to update your device's FW to the latest version. Latest FW versions already
have YSoft USB card reader preregistered, so it is not required to perform registration procedure.
The USB card reader has to be set to the USB keyboard mode.
Connecting YSoft USB card reader
1. Navigate to Toshiba service menu and set 3500 (write this number and press green Start
button) to 60001.
2. Connect the USB reader to the MFD.
3. Reboot the MFD.
Turn the power OFF before connecting the device. If you do not, the device may not be
correctly recognized. In that case, reboot the MFD with the device connected.
YSoft USB card reader registration on devices with older FW
YSoft USB Card Reader registration must be done when the Toshiba MFD FW is lower version
than FW which has YSoft USB card reader already preregistered.
Prerequisites:
debug_s_usbcr.sh
usbhidReaderListAdd.txt
YSoft USB card reader
Toshiba device

Files debug_s_usbcr.sh and usbhidReaderListAdd.txt are part of installation package. They
are stored in directory Card Reader Registration available under path _support\YSoft SafeQ
Toshiba Terminal Embedded.
Get Vendor ID, Product ID of your USB card reader
For YSoft USB readers, following VID and PID are used:
Product VID (Vendor ID) PID (Product ID)
YSoft USB card reader - USB keyboard mode 214C 0202
YSoft USB card reader - USB Sharp mode 214C 0205
Other products than listed above are NOT supported on the Toshiba MFD.
Create usbhidReaderListAdd file according to your Vendor ID, Product ID
1. Open the supplied sample device list, ”usbhidReaderListAdd.txt”, by the text editor.
2. Enter the Vendor ID, Product ID and Reader Name.
3. Registration should be 1 line per a unit. The Vendor ID, Product ID, and Reader Name should
be divided by “:” (colon).
The maximal number of the devices to be registered should be 16.
Register USB card reader on your MFD
1. Copy the files usbhidReaderListAdd.txt and debug_s_usbcr.sh to the root of the USB
memory.
2. Insert the USB memory to the device.
3.

3. Normally start up the device.
4. A beep sounds when registration finishes. Remove the USB memory from the MFD to
complete registration.
Configuring Aurora
This manual is also applicable to Aurora devices.
Configuring Brother
Configuration of MFD
Brother Solutions Interface must be fully activated before starting installation YSoft SafeQ
Embedded Terminal for Brother.
Device should have newest firmware installed before starting installation YSoft SafeQ
No error messages must be displayed on the device display before starting the installation.
There can be maximum 5 CA certificates uploaded on the device before installation of the
YSoft SafeQ Embedded Terminal for Brother. To check that, go to the MFD's administration
web page tab Network > Security > CA Certificate > Import CA Certificate.
Other limitations can be found on page Requirements and known limitations of YSoft SafeQ
Secure HTTPS communication
For the HTTPS configuration the Brother MFDs always check the certificate sent to them by the
server they are connecting to. The checks performed are the following:
The subject has a valid name matching the name of the page to be viewed, in this case the IP
address of the machine with Terminal Server installed.
The date is valid, certificate is not expired.
It is issued by a trusted certification authority.

Since the certification authority is uploaded to the MFD during YSoft SafeQ Embedded Terminal
installation, the default Terminal Server certificate meets all of these conditions right after the
installation.
All firmware released on production machines (except inkjet machines) after April 2019 will
support the automatic certificate upload.
The automatic certificate upload is not guaranteed for firmware released before April 2019 and
thus needs to be checked manually.
Inkjet machines need to have the certificate manually uploaded via the embedded web server
of the device.
You can check the Certification Authorities trusted by your MFD in the MFD's administration web
page in the tab Network > Security > CA Certificate > Import CA Certificate
The maximum amount of CA certificates on Brother MFD is 6. On some models it is possible to

have 10 CA certificates.
In the case of updating from MU38 or lower and not having configured the custom
certificates, it is necessary to create a valid certificates manually and configure the Terminal
Servers to use them according to Configuring secured connection between terminals and
Terminal Server guide. In order to upload it to the Brother MFD, just reinstall the YSoft SafeQ
Embedded Terminal on this device after you correctly configure certificates on all your
Terminal Servers.
Time Configuration
HTTPS communication with Brother MFDs requires precise date and time configuration. It is
recommended to use SNTP server.

Card reader configuration
If you install Brother device with authentication method that includes Card authentication you
need to configure Card reader first.
1. In YSoft Card Reader Tool configure your Card reader and set values as follows:
a. USB mode set to "USB keyboard emulation"
b. Keyboard layout set to "1 - US"
Before device installation, it's necessary to ensure, that full screen error message "Unusable
device" on the device display is closed.
Second option is unplug the card reader before device installation and plug it back after
success installation procedure.
Add YSoft SafeQ applications to home screen

Add SafeQ Print and SafeQ Scan application to home screen for logged in users
Screen customization is not available on all BSI enabled Brother devices.
Option 1 - device admin is allowed to log in via MFD display
1. Log in by some user to Embedded terminal.
2. Tap the configuration icon in top right corner.
a.
3. Enter device administrator password.

a.
4. Click on Home Screen Settings menu.
a.
5. Click on Icons:
a.
6. Click on + sign where you want to add SafeQ icon.

a.
7. On next screen select Solutions option:
a.
8. Confirm modification of the selected menu icon.
a.
9. Select SafeQ Print or SafeQ Scan.
10. Confirm application selection for the shortcut.

10.
a.
11. Confirm name for the shortcut.
a.
12. After changes are done press Home button to save.
a.
Option 2 - device admin is not allowed to login via display
1. Install Embedded terminal on the Brother device.
2. Navigate to Web interface of the MFD.
3.

3. Navigate to Solutions.
a.
b. Switch "Login Portal" to OFF and "Screen displayed after Login" to "Home Screen"
c. Save changes.
d. Wait for MFD restart.
4. On MFD display navigate to Settings → Screen settings:
a. Set Home Screen to "Shortcuts 1"
b.
5. Navigate back to main screen.

a.
6. Click on + sing on desired location.
7. Add new shortcut - Solutions option.
a.
8. Locate SafeQ Print or SafeQ Scan
a.
9. Confirm.

a.
10. Repeat steps 5-9 with all other desired applications.
a.
11. Navigate back on Web interface of MDF - lock the device.
a. Set "Login Portal" to On and leave "Screen displayed after Login" to "Home Screen"
b.
12. Save changes and wait for MFD restart.
13. After login the logged in user is presented with selected apps and copy in this case. User is
not able to change the Shortcuts.

13.
a.
Brother - configure single function scanner after ET installation
1. After you installed the embedded terminal, navigate to the web interface of the Brother
device.
2. Navigate to Solutions - Solutions Application Entry.
3. Click YSQPrint.
4.
4. Remove all entries from the fields for Application ID , Display Name , URL .
5. Click Submit.
6. After saving the change, the Solutions Application Entry screen looks like this:
7. Navigate back to the Solutions screen.
a. Set Login portal to ON.
b. Set Screen displayed after Login to Solutions Menu.

c. Save the changes.
d. Wait for the device to restart.
8. After the user logs in to device they will be taken directly to YSoft SafeQ Scan application.
(The example above shows two scan workflows Scan packing slip and Scan application form
.
Configuring Epson
Devices based on Epson Open Platform Version 1.0+ are supported. No special settings of
Epson devices are required for being used with the YSoft SafeQ Embedded Terminal.
Embedded Terminal for Epson.
Enabling Epson Open Platform
It is required to enable Epson Open Platform of the printer before executing the Application. To
enable that function, access Webconfig of the printer using the PC browser and enter the
product key on it as described in the following sections.
1. Access the following URL of the printer using the PC browser in the same network
segment.
http://[IP address of the printer]/
Note: How to confirm the IP address of your printer
The current IP address of the printer can be retrieved by pressing the upper right corner of the
button on the Printer’s home menu as described below.

2. You will see the following Webconfig page when you access the printer. Please click [Epson
Open Platform Settings] -> [Product Key].
3. Enter the product key and click [OK].

Certificate validation configuration
In order to proper functioning of YSoft SafeQ application with default Terminal Server
certificate you have to disable Certificate Validation on Browser.
1. Access the http://[IP address of the printer]/
2. Go to [Epson Open Platform Settings] → [Authentication System] → [Basic]
3. Change Certificate Validation on Browser to Disable

Initial screen setup
1. Log into YSoft SafeQ management interface as an administrator.
3. Make sure Expert view is enabled, and you are in the tenant configuration.
4. Search initial-screen.
5. Set either sqprint or sqscan, Other options are not supported for Epson devices.
6. Save changes.
7. Reinstall the Epson embedded terminal to apply changes.
Card reader configuration
1. In YSoft Card Reader Tool, configure your Card reader, and set values as follows:
a. USB mode set to "USB keyboard emulation"
b. Keyboard layout set to "1 - US"
2. Connect the USB reader to Service USB port of the device.
a. On A4 devices the Service USB port is usually located on backside of the device
covered by thick sticker.
b. On A3 devices the Service USB port is usually located inside Card reader slot near
the display.
3. (optional) Set the VID/PID of the USB reader via web interface of the device.

3.
a. Log in as administrator, and navigate to Card Reader settings.
b. Set Vendor ID to 0000 and Product ID to 0000 to disable whitelisting of USB readers.
This is default configuration.
c. Set Vendor ID to 214C and Product ID to 0202 to accept only YSoft USB readers.
Configuring Fuji Xerox
Requirements
1. Device has to support the YSoft SafeQ Embedded Terminal, supported devices are listed on
the Partner Portal in the Hardware Compatibility List (HCL).
2. External Access Kit (Web Browser, EBW v4) is enabled (Should be done by Fuji Xerox
service engineer)
3. Proper NVM is set in service mode (Should be done by Fuji Xerox service engineer)
General Notes
During MFD configuration, MFD sometimes requires reboot. When prompted for reboot, follow
the instruction displayed either on CentreWare Internet Service or on MFD operation panel.
Make sure that External Access Kit is installed and configured at the MFD.
Embedded Terminal for FujiXerox.
MFD Configuration
Configure MFD via operational panel
Login to MFD as a system administrator
Default credential is 11111.

Clear job history by deleting all data
Optional operation
System Settings > Common Service Settings > Maintenance > Delete all data
Configure static IPv4 address
System Settings > Connectivity & Network Setup > Protocol Settings
Configure date, time and time zone same as server running YSoft SafeQ
System Settings > Common Service Settings > Machine Clock/Timers
Date
Time
Time Zone
Configure NTP settings
Optional settings
NTP time synchronization: On
NTP server address
Minimize waiting time to release print job
Auto Print: 1 Seconds
YSoft SafeQ Terminal Application - 1st Gen.:

Place Web Application Server 1 on home screen
System Settings > Common Service Settings > Screen/Button Settings > Service Home
YSoft SafeQ Terminal Application - 2nd Gen.:
Place Web Application Server 1 (Print) on home screen
Place Web Application Server 2 (Scan) on home screen
Place Web Application Server 3 (Billing Codes) on home screen
System Settings > Common Service Settings > Screen/Button Settings > Service Home
Enable auto completion of email address in native scanning application
Optional settings
System Settings > E-mail / Internet Fax Service Settings > E-Mail Control
Add Me to "To" Field
Add Me to "Cc" Field
Configure MFD via CentreWare Internet Service
1 Access to MFD at http://MFD_IP_Address using Web Browser.
Following screen will be displayed. Then click [Properties] tab. Authentication dialog pops up. Type
in admin credentials. (Default credential is username: 11111, password: x-admin)
2 Generate Machine Digital Certificate
Select Machine Digital Certificate Management > Create New Self signed Certificate.

Public Key Size: leave it as default.
Issuer: MFD address (entered by default)
Days of Validity:
Click Apply
3 Enable SSL/TLS
Go to Security > SSL/TLS settings
Enable HTTP - SSL/TSL Communication
Click Apply

Please make sure to keep [Verify Remote Server Certificate] disabled. Otherwise, users would
get an error message when opening the YSoft SafeQ application on the MFD panel due to an
untrusted certificate.
4 Verify Secure HTTP(SSL) is enabled (By default it's enabled)
Go to Connectivity > Protocols
Check that Secure HTTP(SSL) is enabled. If it is not checked, please check it and click Apply.

5 Verify both SOAP and FTP Client are enabled (by default, they are enabled)
Go to Connectivity > Port Settings
Check that both SOAP and FTP Client are enabled. If not, please check it and click Apply.

6 Enable SNMP and define SNMP Read/Write community
Go to Connectivity > SNMP configuration.
Enable SNMP Port Status.
Enable SNMP SNMP v1/v2c Protocols.
Click Edit SNMP v1/v2c properties.

Define Community Name (Read Only) as "public"
Define Community Name (Read/Write Only) as "private"
Click Apply
7 Configure Authentication System (Authentication Agent)
Go to Security > Authentication System
Set Authentication System to Authentication Agent
Click Apply

Machine will reboot. Click Reboot Machine.
After ApeosPort will be rebooted, device configuration is complete and you can continue with
installing YSoft SafeQ Embedded Terminal.
8 Change Filename Format
In order to use scan workflow feature, perform following steps:
Go to Services > Scan Services > General
Change Filename Format option to img-MDDHHMMSS
Click Apply

9 Disable Track Print Jobs with Accounting/Billing device
In order to use direct print feature without authentication to device before print perform following
steps:
Go to Accounting > Accessory settings
Uncheck/disable option Track Print Jobs with Accounting/Billing device
Click Apply

Reboot machine to apply changes.
Configuring Fuji Xerox XCP ApeosPort-VI and older
Requirements
1. Device has to support the YSoft SafeQ Embedded Terminal, supported devices are listed on
the Partner Portal in the Hardware Compatibility List (HCL).
2. Device has to support eXtensible Customizing Platform (XCP) versions 1.2+ (for YSoft
Terminal Application - 2nd Gen. is required version 1.4+).
3. External Access Kit (Web Browser, EBW v4) and Customize Extension Kit (XCP, Plug-in)
are installed (Should be done by Fuji Xerox service engineer).
4. Proper NVM is set in service mode (Should be done by Fuji Xerox service engineer).
5. If you are planning on using Elatec TWN4 reader, make sure the reader has Keyboard
standard firmware.
Embedded Terminal for FujiXerox.
General Notes
During MFD configuration, MFD sometimes requires reboot. When prompted for reboot, follow
the instruction displayed either on CentreWare Internet Service or on MFD operation panel.
Make sure that External Access Kit and Customize Extension Kit are installed and configured
at the MFD.
General configuration
Login to MFD as a system administrator and go to Tools.
Default credential is 11111.

Clear job history by deleting all data
This is optional.
If you want to clear all previous settings and job data, you can do so by the operation bellow.
Go to System Settings > Common Service Settings > Maintenance and tap Delete all data
Configure network
Configure static IPv4 address.
Go to System Settings > Connectivity & Network Setup > Protocol Settings
Configure timezone
Configure time zone, date and time according to the server running YSoft SafeQ.
Go to System Settings > Common Service Settings > Machine Clock/Timers
Time Zone
Date
Time
Set these options in the aforementioned order, because the Time Zone setting has effect on
the Time setting.

Configure NTP
This is optional
NTP time synchronization: On
NTP server address

Configure waiting time to release print job
This is optional
Auto Print: 1 Seconds

Configure auto completion of email address in native scanning application
This is optional
Go to System Settings > E-mail/Internet Fax Service Settings > E-Mail Control
Add Me to "To" Field
Add Me to "Cc" Field

Configure access control
Configure access to device functions
To restrict access to walk up functions by YSoft SafeQ user access right setting, the setting
bellow need to be configured.
Go to Tools > Authentication/Security Settings > Authentication > Access Control > Device
access and s et Device Access to Locked.
By configuring this, YSoft SafeQ authentication screen becomes the home screen and the user
need to authenticate to access to any functions.
If the administrator wants to define access to individual function separately, configure Service
Access instead of Device Access.
After uninstallation of the Embedded Terminal from the MFD, these settings need to be set to
Unlocked in order to allow access to the MFD's functions again.

Configure color copy restriction
For XCP plugin terminal to restrict access to Full color copy by YSoft SafeQ user access right
setting, the setting bellow need to be configured.
Go to Tools > Authentication/Security Settings > Authentication > Access Control > Feature
access and s et Color Copying to Locked.

Configure security
Access to MFD at http://MFP_IP_Address using Web Browser
Following screen will be displayed. Then click Properties tab. Authentication dialog pops up. Type
in admin credentials. (Default credential is username: 11111, password: x-admin.)
Machine Digital Certificate
Go to Security > Machine Digital Certificate Management > Create New Self signed Certificate

Public Key Size – Leave it as default.
Issuer – MFD address (entered by default).
Days of Validity – Set a number of days.
Click Apply.
SSL/TLS
Go to Security > SSL/TLS settings
Enable HTTP - SSL/TSL Communication.
Click Apply.

Make sure to keep Verify Remote Server Certificate disabled. Otherwise, users would get an
error message when opening YSoft SafeQ application on the MFD panel due to an untrusted
certificate.
Configure protocols
1 Verify Secure HTTP/S port is enabled. (By default enabled)
Go to Connectivity > Protocols > HTTP
Check that Secure HTTP(SSL) is enabled. If it is not checked, check it and click Apply.

2 Enable SNMP and define SNMP Read/Write community
Go to Connectivity > SNMP configuration.
Enable SNMP Port Status.
Enable SNMP SNMP v1/v2c Protocols.
Click Edit SNMP v1/v2c properties.

Define Community Name (Read Only) as public.
Define Community Name (Read/Write Only) as private.
Click Apply.
3 Verify both SOAP and FTP Client are enabled
Go to Connectivity > Port Settings.
Check that both SOAP and FTP Client are enabled. If not, check them.

The port 9100 needs to be disabled only for improving security. You need to enable this port
when performing a firmware upgrade.
Configure Plug-in
Go to Security > Plug-in Settings > Plug-in Settings
1 Enable Plug-in Settings(Default disabled)

2 Disable Signature Verification when Adding/Updating (Default enabled)
Disabling Signature Verification when Adding/Updating is important, or XCP terminal

installation fails.
Configure scan related settings
1 Change Scan Filename Format (only required for YSoft Terminal Aplication - Generation 1
Embedded Terminal)
In order to use scan workflow feature, perform following steps:
Device panel: Go to Services > Scan Service Settings > Other Settings

Web administration interface: Go to Services > Scan Services - Common Settings
Change Filename Format option to img-MDDHHMMSS.
Device panel Web administration interface
Configure Track Print Jobs with Accounting/Billing device for direct printing
Do this configuration if your device has this configuration menu.
In order to use direct print feature without authentication to device before print perform following
steps:
Go to Accounting > Accessory settings.
Uncheck/disable option Track Print Jobs with Accounting/Billing device.
Click Apply.

Reboot machine to apply changes.
Configure card reader support
If you are planning on using authentication with card, set the following property to Enabled,
otherwise set it to Disabled.
Device panel: Go to Authentication/Security Settings > Authentication > User Details Setup
Web administration interface: Go to Security > Smart Card Settings > General
Set Use of Smart Card to Enabled,
Print to Card Validation Off (if set to ON, releasing print jobs requires Card swipe),
Fax/Scan to Card Validation Off or On.
Click on Save.
Do not enable Use of Smart Card when Card Reader is not connected or you will not be using
authentication with card.

Device panel Web administration interface
Configure accounting settings
For ApeosPort to report accounting of print jobs to print jobs delivered by the YSoft SafeQ
system, this configuration is required. Also if this configuration is not done, ApeosPort requires
authentication for print request and stores print jobs without authentication information to the
internal storage.
This requires Fuji Xerox Customer Engineer do this onsite.
1 Input in Chain-Link and corresponding value as 701-436=0

2 Reboot the machine if required.
Configure YSoft SafeQ Payment System settings
This configuration is required if SCAN should be also managed based on credit/quota via Payment
System.
This requires Fuji Xerox Customer Engineer do this onsite.
1 Input in Chain-Link and corresponding value as 850 -015=0
2 Reboot the machine if required.

Configure SafeQ application buttons on Home screen
After installation of Terminal Embedded to ApeosPort, you can customize the home screen button
layout so that you have easier access to YSoft SafeQ applications.

1 Navigate to System Settings > Common Service Settings > Screen/Button Settings > Service
Home
2 Press a button item which you want to replace with SafeQ application and press Change
Settings
3 Press Web Application Server 1 ~ 3 (YSoft SafeQ applications) you want to set and press Save
.
YSoft SafeQ Terminal Application - 1st Gen
Web Application Server 1
YSoft SafeQ Terminal Application - 2nd Gen
Web Application Server 1 (Print)
Web Application Server 2 (Scan)
Web Application Server 3 (Billing Codes)

Configuring HP
Embedded Terminal for HP.
Devices based on OXPd 1.7.X and newer platform are supported so far. No special settings are
required for using with YSoft SafeQ Embedded Terminal.
YSoft SafeQ Embedded Terminal has to be reinstalled after any change of MFP configuration
(for example change of UI language, adding of a new application to home screen, etc.).
Only HP devices with FutureSmart 4 are supported.
Secure HTTPS communication
For the HTTPS configuration the HP MFDs always check the certificate sent to them by the
server they are connecting to. The checks performed are the following:

Since the certification authority is uploaded to the MFD during YSoft SafeQ Embedded Terminal
installation, the default Terminal Server certificate meets all of these conditions right after the
installation.
You can check the Certification Authorities trusted by your MFD in the MFD's administration web
page in the tab Security > Certificate Management
In the case of updating from MU38 or lower and not having configured the custom
certificates, it is necessary to create a valid certificates manually and configure the Terminal
Servers to use them according to Configuring secured connection between terminals and
Terminal Server guide. In order to upload it to the HP MFD, just reinstall the YSoft SafeQ
Embedded Terminal on this device after you correctly configure certificates on all your
Terminal Servers.
In case you have problems with SSL/TLS communication, it can be switched off entirely. This
is, however, not recommended in a production environment.
To switch off the SSL/TLS, change the YSoft SafeQ configuration property dsSslEnabled to
'false'.
Client certificate validation
It is possible to increase security by enable client certificate validation.
To enable client certificate validation, change the YSoft SafeQ configuration property
clientCertificateValidationMethod to 'Always' and restart needed subsystems.
You can create certificate signing request and later install it or import already signed identity
certificate on MFD's administration web page in tab Security > Certificate Management.

Installed or imported certificate shall be located in Certificates table and has to be marked as '
Network Identity', if not then select required identity certificate and click to 'Use for Netwok
Identity' button.
Identity certificate has to be signed by trusted Certificate Authority which must be placed in the
Trusted Root Certification Authorities or the Intermediate Certification Authorities.
Time Configuration
to these jobs.
Go to the MFD's administration web page to the tab General > Date and Time, and configure
Product time Settings and Time Zone Settings to comply with configuration of your server,
where Terminal Server is running.
Next, there are two options possible, based on availability of NTS (time) server in your network
change NTS Settings accordingly.
Inactivity Timeout
To configure timeout after which the user is logged out due to inactivity, go to the MFD's
administration web page to the tab General > Control Panel Customization > Display Settings >
Inactivity Timeout and set up the timeout as required. The value is in seconds.
The timeout set in YSoft SafeQ web administration is applied only to screens of the YSoft
SafeQ Terminal Application.

Cancel print jobs after unattended error
Enable this feature to prevent unauthorized users from printing jobs after clearing an error. All
jobs are deleted from the print queue after the inactivity timeout period. To configure go to
Security > General security and enable Cancel print jobs after unattended error.
USB Print
Print from USB drive needs to be enabled in the MFD's administration web page. To do that, go to
Copy/Print > Retrieve from USB setup > Enable Retrieve from USB and click Apply.

To add Print from USB drive application to home screen, in the MFD's administration web page to
the tab General > Control Panel Customization > Home Screen Customization and drag and
drop the application icon from the Hidden Items into the Home Screen.
Position of the YSoft SafeQ application on the home screen
When the YSoft SafeQ Embedded Terminal is installed for the first time, the YSoft SafeQ
application is always on the 1st position on the home screen.
To change the position of the application, go to the MFD's administration web page. In the tab
General > Control Panel Customization > Home Screen Customization, drag and drop the items
to reorder them.
It is possible to disable some of the native application moving application icon to Hidden items
. To ensure that the position of the YSoft SafeQ application won't change after the Embedded
Terminal reinstallation, do not place any disabled applications on the positions prior to the
position of the YSoft SafeQ application.
Configuration of SLP keep alive on HP Device
Some infrastructure devices, such as switches, delete devices from their device tables due to
inactivity on the network.

For that HP recommends to use the slp-keep-alive which configures the time (in minutes) the print
server waits to send multicast packets on the network to prevent deletion from network device
tables.
If the device is not listed on the network it is not able to communicate with the terminal server
and this is why it will not work properly.
1. Log in to the device web → Networking → Other Settings and enable Telnet config
2. Open CMD and connect to the device using telnet (telnet <device IP>)
3. login as admin <ENTER>
Enter password <ENTER>
4. Type menu <ENTER>

4.
5. Type 2 (TCP/IP Menu) <ENTER>
6. Type 5 (TCP/IP - Other Settings) <ENTER>
7. Type Y and then <ENTER> to change the settings

8. Press <ENTER> until you get to SLP Keep Alive and set it to 1
9.
10. Press <ENTER> until you are asked if you would like to change the settings, type N and
then <ENTER>
11. Then press 0 <ENTER>

12. Again press 0 <ENTER>
13. Y to save the settings and <ENTER>
14. Done

HP Embedded Terminal - Tips and Tricks
Note: YSoft SafeQ Embedded Terminal has to be reinstalled after any change of MFD
configuration (e.g. change of UI default language, adding of a new application to home screen,
etc.).
Login as administrator
Most or all of the tips need administrator rights so login first, on any page press the sign in
button
Then sign in again

By default there is no password.
Remote control the device panel (and restart it)
Go to Remote Control-Panel -> Launch Remote Control-Panel
A new window will open with the remote panel:

Now you are in control of the device panel.
On the bottom left you have the restart button
Remove unused Icons from the device panel
Go to General > Control Panel Customization > Home Screen Customization

then just drag and drop any icon from or to the left Home screen window

Add the customer logo (wallpaper) on the device
Go to General > Control Panel Customization > Home Screen Customization > Set Wallpaper
Note - The logo is added as wallpaper so make sure it is not overlapped by the Icons.
Only image files (.jpeg, .png, .gif, .bmp) can be used as wallpaper. Use an 800x484 pixel file or
smaller.
Select the picture and add it:

you will be notified by the device that the wallpaper was changed
To clear the wallpaper select clear wallpaper
Customize the login message on the device
Go to Security > Access Control and click Use a custom message , then enter the custom
message message you would like to use.

Now on the device you can see the
Cancel print jobs after unattended error
Go to Security > General security and enable Cancel print jobs after unattended error.

Note - All jobs are deleted from the print queue after the inactivity timeout period.
To set the inactivity timeout period go to General > Control Panel Customization > Display
Settings and set the Inactivity Timeout in seconds
Display panel and device web interface language settings
To change the display panel default language, go to General > Control Panel Customization >
Control Panel Language and Keyboard Layouts, then select the wanted Control Panel Language
and Keyboard Layouts

Hint - our customer complained that there are to many languages in the keyboard selection
so we removed all languages and left only the Hebrew and English
By default the device web display language is using your browser language,
To change the device web display language go to General > Language and select the wanted
language

Slow authentication after some time of inactivity
User authentication on MFD includes lots of network requests between Terminal server and MFD.
This communication slows down authentication process, therefore Terminal server uses cache
for most requests. Data from request are stored in cache on first request to MFD after Terminal
server restart / MFD installation. Cache uses sliding expiration with default value 24 hours, which
means, that cache is cleared after 24 hours of inactivity (i.e. no login on device happens for 24
hours). Interval can be easily changed in Terminalserver.exe.config file located in
"<installation_directory>\SPOC\terminalserver\" by adding key "cacheExpirationMinutes" with
desired cache expiration interval in minutes - i.e. adding <add key="cacheExpirationMinutes"
value="60" /> will set the cache expiration interval to 60 minutes.
Limit access to applications
Administrator is able to modify default access restrictions to applications of HP Embedded

terminal by defining properties in Terminalserver.exe.config file located in
"<installation_directory>\SPOC\terminalserver\". To modify default access restrictions use
application names as seen on MFD display. Multiple values in one property have to be in comma
delimited list form.
For technical reasons there is no post-processing on config properties, so "settings,

networking" property value will be handled as ["settings", " networking"] which is incorrect.
Correct property value is "settings,networking".
Properties
hpAlwaysAllowedApplications

property used to allow access to applications which are by default blocked.
hpBlockedApplicationsForUnauthorizedUser
property mostly used to block applications accessible by unathorized user when is Embedded
Terminal installed with "To Application" authentication
hpAlwaysBlockedApplications
property Used to block access to applications which are by default accessible.
Not all applications can be (un)blocked with these properties (e.g. Print), but likely applications
accessible sub-menu can be blocked (e.g Print from USB Drive).
Example of usage
In this case is Embedded terminal installed with "To Application" authentication. "Settings"
application is by default blocked and administrator wants to allow access to it and block only
"Networking" submenu.
<add key="hpAlwaysAllowedApplications" value="settings" />
<add key="hpBlockedApplicationsForUnauthorizedUser" value="Settings" />
<add key="hpAlwaysBlockedApplications" value="networking" />
Configuring YSoft USB Card Reader to work with HP Embedded terminal

Device FW that supports YSoft USB Card Reader
MFD with Firmware Bundle Version 4.6.0.1 or higher the YSoft USB card reader is supported . On
the older MFD FW the YSoft USB card reader is not registered and FW update of the device is
needed to a minimum of FW 4.6.0.1.
Configure the YSoft USB Card Reader
Run the YSoft Card Reader Tool and set the reader to “USB reader for HP MFD” :
The tool can be found in the complete Pack under: \YSoft SafeQ Complementary Solutions\YSoft
USB Readers\YSoft_Card_Reader_Tool.exe
1.1: Run the YSoft Card Reader Tool mark the reader (1) and click configure (2):

1.2: Set the USB mode to “USB reader for HP MFD”, click to edit the USB mode (1) and select “USB
reader for HP MFD” option (2) then click configure (3):
1.3: Click OK and The YSoft USB Card Reader is ready to mount to the device:
Supported USB card readers
all YSoft USB V3 reader models in HP USB mode

Configuring Konica Minolta
Embedded Terminal for Konica Minolta.
Automatical deletion of jobs from printers in failure state

Introduction
YSoft SafeQ is capable to periodically check a status of printers and MFPs and evaluate it
continuously. If the MFP is not ready (ie. due to a paper jam, the printer is out of paper, a cover
door is opened, etc.) for print for defined time, the jobs spooled in the MFP are automatically
deleted. This feature the improves security of the documents to be printed, as it prevents
another user to print the documents while their owner left the MFP to obtain new paper sheets
or to contact the administrator to solve the incident preventing the MFP to print.
How it works
YSoft SafeQ follows RFC about IPP to obtain the current status of the MFP and to evaluate it.
Therefore, this feature should be enabled only on the MFPs supporting IPP and having it enabled
and available via the network (ipp://MFP_ADDRESS/ipp or https://MFP_ADDRESS:443/ipp). YSoft
SafeQ Spooler Controller periodically obtains the current state of printer/MFP via IPP attributes
"printer-state" and "printer-state-reasons". RFC is followed in sense of evaluation of the values of
these attributes. So the accuracy of status evaluation depends on printer/MFP capabilities to
report values of these attributes correctly.
By default YSoft SafeQ evaluates the only value of "printer-state" IPP attribute, administrator of
YSoft SafeQ can improve accuracy of the evaluation by enabling checking value(s) of "printer-
state-reasons".
If the status of the printer is consequently evaluated as NOT READY for (at least) defined time,
YSoft SafeQ initializes deletion of jobs spooled in the printer/MFP. The deletion itself is done via
SNMP, therefore, it must be enabled and correctly configured on the printer/MFP. The
administrator can also set individual periods of status checks based on the last known state of
the printer - typically the printers that are offline (switched off) are not required to be monitored
as often as the printers being ready.
If there is Near Roaming Group of several YSoft SafeQ Spooler Controllers, the status of each
printer/MFP is monitored by just one Spooler Controller.
Licensing
There is no special/separate license required.

Configuration
Administrator of YSoft SafeQ can enable this feature for individual printers via YSoft SafeQ
Management web interface. There is a drop-down menu in Miscellaneous part of the screen for
adding or editing printers named Monitor ready state. The drop-down is displayed only for
printers with YSoft SafeQ Embedded Terminal for Konica Minolta, Olivetti, Develop or Aurora and

contains following values 'Disabled', 'Enable via IPP' and 'Enable via IPP over SSL'. As default it's
set to 'Disabled'. If administrator select one of 'Enabled via IPP ...' values and saves the printer in
the web interface, the state of the printer is started to be monitored periodically in secure mode
if SSL is selected or in plain non-secure mode. The printer has to be correctly configured for SSL
or non-SSL mode depending on value selected. If 'Disabled' value is selected and the printer is
saved again, the state of the printer is not monitored anymore. The state is monitored only for
printers/MFPs having the Terminal Embedded installed (if the status of the terminal installation is
Change in progress or Installation failed the status of the printer/MFP is not monitored).
There are several configuration properties for the SafeQ administrator to fine tune the feature in
the environment, all the properties are available in YSoft SafeQ Management web > System >
Configuration, and all of them could be set individually for each tenant in multi-tenant
environment.
Name of the Property Description Default

value
mfpStatusMonitorEvaluateIpp Evaluate the value of the "printer-state-reasons" IPP attribute disabled

PrinterStateReasons for MFP status detection.
If enabled, the value of the "printer-state-reasons" IPP
attribute is evaluated during regular the monitoring of MFP
status. If disabled, the value of this attribute is ignored and
only the value of the "printer-state" IPP attribute is evaluated.
mfpStatusMonitorPeriodForRe The period to monitor the state of the MFP for when its last 120
adyDevices known state was Ready. seconds
After how long the status of the device should be detected
again if the last check evaluated the state as Ready. The
value is defined in seconds. It is not recommended to use
values lower than 60 seconds.
mfpStatusMonitorPeriodForNo The period to monitor the state of the MFP for when its last 60
tReadyDevices known state was Not Ready. seconds
again if the last check evaluated the state as Not Ready. The
value is defined in seconds. It is not recommended to use
values lower than 30 seconds.
mfpStatusMonitorPeriodForOf The period to monitor the state of the MFP for when its last 240
flineDevices known state was Unknown/Offline. seconds
again if the last check evaluated the state as Unknown
/Offline. The value is defined in seconds. It is not
recommended to use values lower than 120 seconds.
mfpStatusMonitorThreadsMini The minimum number of threads used for monitoring the 2

mum state of the MFPs.
The minimum number of parallel threads used for monitoring
the state of the MFPs installed in the YSoft SafeQ

Name of the Property Description Default
value
environment. The total number of threads running is changed

dynamically based on the number of MFPs with YSoft SafeQ
Embedded Terminal installed and on configuration properties m
fpStatusMonitorThreadsMaximum and mfpStatusMonitorThrea
dsRatio. It is highly recommended not to use values lower
than 2 and higher than 10.
mfpStatusMonitorThreadsMax The maximum number of threads used for monitoring the 20

imum state of the MFPs.
The maximum number of parallel threads used for monitoring
the state of the MFPs installed in the YSoft SafeQ
environment. The total number of threads running is changed
dynamically based on the number of MFPs with YSoft SafeQ
Embedded Terminal installed and on configuration properties m
fpStatusMonitorThreadsMinimum and mfpStatusMonitorThrea
dsRatio. It is highly recommended not to use values lower
than mfpStatusMonitorThreadsMinimum and higher than 30.
mfpStatusMonitorThreadsRati The ratio of the MFPs being monitored and the threads 10
o performing the detection of the state of the MFPs.
Up to how many MFPs should be monitored by one thread.
The real number of threads running in parallel never drops
below the value of mfpStatusMonitorThreadsMinimum, and
never goes higher than the value of mfpStatusMonitorThreads
Maximum. The real value is changed dynamically based on the
on the number of MFPs with YSoft SafeQ Embedded Terminal
installed and the configuration properties mentioned.
mfpStatusMonitorNotReadyTi How long an MFP in a NOT READY state must be monitored 240
meBeforeDeletion before the job deletion operation is started. seconds
Sets how many seconds (minimum) an MFP is monitored in a
Not Ready state before the job deletion operation is
triggered. It is not recommended to set a value lower than
120 (= two minutes).
Known limitations
Currently, the feature is supported only on MFPs/printers having YSoft SafeQ Embedded Terminal
for Konica Minolta, Olivetti, Develop or Aurora installed.
If the Monitor ready state is set to 'Disabled' value and the printer is saved, it is possible there
will be one additional check of the printer state more.
When IPP over SSL is set, device has to have IPP configured on HTTPS port 443.
Authorization of user is not available neither for IPP nor for IPPoverSSL.

If the network address of the printer/MFP whose status is being monitored is changed via YSoft
SafeQ Management web, it is possible there will be one more check to the original network
address (but all the following checks of the printer/MFP state would be done correctly to the new
address).
Canceled jobs on MFP might or might not be accounted. It depends on particular vendor and
model.
Detection, when the MFP is in the Not Ready state, is vendor and model specific. E.g. one MFP
model is considered as Ready when it has empty one tray and the other MFP model might be
considered as Not Ready when it has empty one tray. It depends on what state is read from the
MFP through IPP protocol.
Configuring Custom Application Names
You can change the YSoft SafeQ Print application name, the YSoft SafeQ Scan application name
and the YSoft SafeQ Authentication application from YSoft SafeQ web administration.
How to Change
1. Log into YSoft SafeQ web administration as an administrator.
3. Make sure Expert view is enabled, and you are in the tenant configuration.
4. Search printApplicationName, scanApplicationName or authenticationApplicationName

depending on which application name you want to change.
5. Edit the value for each configuration option.
6. Save changes.
7. Restart Terminal Server.
8. Reinstall the Konica Minolta embedded terminal to apply changes.

Configuring Konica Minolta devices
This manual is applicable for Konica Minolta - Zeus/Minerva series
This manual is applicable also for Develop, Olivetti and Aurora devices.
Requirements
Correct firmware is installed on MFD (for more details see HCL – Konica Minolta)
MFD is OpenAPI 3.5 or higher if embedded accounting / application shortcuts / web browser
terminal functionality is required. Models that support OpenAPI 3.5 or higher may need HDD and
/or additional memory installed (for more details see HCL – Konica Minolta)
At Glance
1. Configure and enable SSL
2. Disable the Certificate Verification Settings option
3. Enable OpenAPI on a device
4. Configure SSL for OpenAPI and TCP Socket communication
5. Configure region (Develop only)
6.
6. Disable all other authentications (User Account Track, ID & Print, key counter, Vender2 cable
etc.)
7. Add domain DNS suffix in Network settings - Default DNS domain name (in case a host
name for SPOC is used)
8. Configure the Windows print driver
9. Install loadable driver (if Card authentication is required)
10. Configure USB card reader settings (if authentication by CARD is required)
Konica Minolta - Configure and enable SSL
1. Open your Web browser and enter the MFD's IP address. The MFD Web interface,"
PageScope®," opens.
2. On the PageScope Web Connection Login screen, select Administrator; then click Login. (If
you are automatically logged in as a guest, log out and then log in again using the
administrator account).
The Page Scope Web interface varies according to the specific MFD.
3. Enter the Administrator password for the MFD; then click OK.
The default password is 1234567812345678.
4. Select the Security tab; then select Device Certificate Setting; Continue with selecting
New registration.

4.
If the device already has a factory default settings certificate, delete it first and then
create a new one.
5. Select Create and install a self-signed Certificate and click OK.
6. Enter information for the SSL certificate; then click OK.

6.
The information you enter does not have to be valid (for example, the Admin E-mail
Address does not have to be valid), except the Validity Period , recommend is 3650
days. The Mode using SSL/TLS setting applies only to PageScope Web Connection; you
can set it to None without affecting OpenAPI's SSL capabilities.
We recommend select some RSA based Encryption Key Type (e.g. RSA-2048_SHA-256).
7. When the message "Certificate has been successfully created" appears, click OK.
8. Log out of PageScope® Web Connection. If a message appears saying that it is necessary
to reboot, reboot the MFD.
If the MFD does not request a reboot, you must log out of the Web interface before
continuing the terminal installation.
Konica Minolta - Configure IPP and IPPSSL

Configuration of IPP and IPPSSL
This configuration is required for using IPP and IPPSSL.
1. Login MFD's web interface as administrator
2. Navigate to the Network tab
3. Continue to IPP Setting

4. Change the settings as shown below:
5. Enable IPP Setting option
6. Enable Accept IPP job option
Configuration of IPP over SSL
This configuration is required for using IPPSSL.
1. Navigate to the Security tab
2. Continue to PKI Settings > Device Certificate Setting
3. Use the New Registration button
4. Select the Request a Certificate option > OK
5. Insert details of your organization > OK
6. A message: Certificate Request was successful is displayed > OK
7.
7. Copy or Save a Certificate Signing Request Data and submit them to your certification
authority
8. Create a certificate with your certification authority
9. Continue on Security tab > PKI Settings > Device Certificate Setting
10. Select your Requesting Certificate and press the Setting button
11. Use Install a Certificate option > OK
12. Add certificate from your certification authority (the certificate you have created in step 8)
> Press the Install button
13. A message with the result of installation will be displayed
14. Continue to PKI Settings > SSL Setting
15. Set Mode using SSL/TLS to Admin. Mode and User Mode
16. Set Encryption Strength to encryption which you use (if you are not sure which
encryption use, set attribute to AES-256, 3DES-168, RC4-128, DES-56, RC4-40)
Konica Minolta - Configure SSL for OpenAPI and TCP Socket communication
Configure additional required SSL settings as described here.
You can configure the settings by using either the MFD's Web interface or the MFD panel.
Konica Minolta - Configure SSL via MFD panel
If you did not set OpenAPI and TCP Socket settings via the MFD's Web interface, use the MFD's
panel to set them as follows:
1.

1. Make sure the MFD is idle — not copying, printing, scanning, or otherwise busy.
2. Open the Utility menu.
3. Tap Administrator Settings.

4. Enter the Administrator password for the MFD; then tap OK.
5. Tap SystemConnection.

6. Tap OpenAPI Settings.
7. Tap SSL/Port Settings.

8. Select settings as shown below; then tap OK.
SSL Setting – SSL Only
Port No. – 50001
Port Number (SSL) – 50003
9. Return to Administrator Settings as follows: Tap Close twice or select Administrator

Settings from the menu on the left.
10. Tap Network Settings.

11. Tap TCP Socket Settings (on second page of the Network Settings menu).
12. Tap TCP Socket.

13. Change the settings for Use SSL/TLS to ON; then tap OK.
Konica Minolta - Configure SSL via MFD Web
The following settings can also be done on the MFD panel. This might be necessary if OpenAPI
was disabled manually (for example if Terminal Professional was used before on the MFD).
See the Konica Minolta - Configure SSL via MFD panel article for details on the manual
procedure.
1. Log In the MFD's Web interface as administrator.
2. Select the Network tab, then select OpenAPI Setting and choose the SSL Only option;
Then Click OK.

3. With the Network tab still selected, from the menu, select TCP Socket Setting and check
the Use SSL/TLS check box. Then Click OK.

4. Turn the main switch OFF and then ON again to apply changes to TCP Socket settings.
For remote reset use the web interface of the MFD, menu Maintenance > Reset > Reset.
Develop - Configuring the Region
For Develop, only Europe region and Others2 region are supported. It is recommended to use
the Europe region.
Follow these steps to set a supported region.
1. Tap Service Mode > System 1 > Marketing Area

For instructions for opening the Service Mode with the Management Function Choice
option for your specific MFD, contact your Develop distributor.
2. Tap Europe (or possibly Others2)
3. Tap End
4. Tap Exit
Konica Minolta - Configure USB card reader settings
Follow these steps to implement authentication via USB card reader. If a card reader will not be
used, skip these steps.
Configuration on Zeus/Minerva models
1. Enter the Service Mode menu on MFD.

1.
For instructions on opening Service Mode and for your specific MFD, see Service manual
available on InfoHub or contact your Konica Minolta distributor.
2. Enter the Billing Setting menu.
For instructions on opening the Billing Setting menu, see Service manual available on
InfoHub or contact your Konica Minolta distributor.
3. Tap Management Function Choice.

4. Tap Authentication Device 2.
5. Tap Card.
6. On the ID Card Type screen, tap CARD (to specify the USB reader). Then tap END.
7. Turn OFF the main power switch for at least 10 seconds.
8. Connect USB card reader.
9. Turn ON main power switch.
Configuration on ZeusS, ZeusS BK, Heslios, MinervaS BK, Poseidon, iSeries models
1. On Billing Setting menu select Authentication Device2 menu.
2. On Billing Setting/Authentication Device2 menu tap Authentication Device2
3. Tap Card (to specify the USB reader). Then tap END.

3.
4. Turn OFF the main power switch for at least 10 seconds.
5. Connect USB card reader.
6. Turn ON main power switch.
Konica Minolta - Configure User Authentication and Account Track
1. Right-click the Konica Minolta MFD driver; then select Printer properties > Configure.
2. On the Configure tab, click Acquire Settings or Obtain settings.
Depends on your printers driver .

3. Uncheck Auto checkbox.
4. Click OK.
5. Back on the Configure tab, set ID&Print, User Authentication and Account Track to
disable.
6. Click OK.
Konica Minolta - Disable the Certificate Verification Settings option
1. Log in to the MFD's Web interface as administrator
2. Select Security (see page).
3. From the menu, select Certificate Verification Settings.
4. For the Certificate Verification Settings option, select Off and save settings with OK.

4.
It is also recommended to turn off validation of certificate period. This prevents a situation when
user authenticates with invalid credentials (invalid card, invalid PIN) and it takes 1 minute to
display the information about invalid credentials.
If you don't turn off Certificate Verification, the warning message will be displayed only once
after the reboot your MFD.
1. Log in to the MFD's Web interface as administrator.
2. Navigate to Network > OpenAPI setting.
3. Under Certificate Verification Level Settings configure Validity Period to Do not confirm.

Konica Minolta - Disable the ID and print option on the MFD
At the MFD, disable the ID & Print option as follows:
2.

4. Tap User Authentication/Account Track.

5. Tap option User Authentication Settings.
6. Tap Administrative Settings.

7. Tap ID & Print Settings.
8. Select options as shown below; then tap OK.

ID & Print – OFF
Public User – Print Immediately.
Konica Minolta - Enable OpenAPI on a device
Enable OpenAPI function on at the MFD panel as follows:
1. Make sure the MFD is idle — not copying, printing, scanning, or otherwise busy.


5. Tap System Connection.
6. Tap option OpenAPI Settings.

If SSL and port number options appear, continue to chapter Konica Minolta - Configure
SSL via MFD panel.
7. Tap Access Setting; then set it to Allow.
Konica Minolta - Install loadable driver
This operation should be done by authorized Konica Minolta technician. The exact steps to enter
the Service Mode menu and to install loadable driver for specific models can be found in their
respective Service Manuals. The manuals and the current drivers are available at the Konica
Minolta InfoHub page.
Models in Zeus a Minerva lines

Product Konica Minolta Develop models Olivetti models
lines models
Minerva C754, C654 ineo+ 754, ineo+ 654 d-COLOR MF752Plus, d-COLOR MF652Plus
Minerva C754e, C654e ineo+ 754e, ineo+ 654e d-COLOR MF752, d-COLOR MF652
2nd
series
Zeus C554, C454, ineo+ 554, ineo+ 454, ineo+ d-COLOR MF552, d-COLOR MF452, d-COLOR
C364, C284, 364, ineo+ 284, ineo+ 224 MF362, d-COLOR MF282, d-COLOR MF222
C224
Zeus C554e, C454e, ineo+ 554e, ineo+ 454e, d-COLOR MF552Plus. d-COLOR MF452Plus,
MLK C364e, C284e, ineo+ 364e, ineo+ 284e, d-COLOR MF362Plus, d-COLOR MF282Plus,
C224e ineo+ 224e d-COLOR MF222Plus
Installation
1. Copy the loadable driver file to the root directory of a USB flash drive.
2. Insert the USB flash drive into the USB port on MFD.
3. Enter the Service Mode on the MFD.
4. Tap System 2.

5. Tap Driver Install.
6. Tap Install.
7. Select Loadable Driver and tap START.
8. Wait for confirmation message and when told to, turn OFF the main switch for at least 10
seconds.
9. Remove the USB flash drive.
Loadable driver uninstallation procedure
The exact steps to enter the Service Mode menu and to uninstall loadable driver for specific
models can be found in their respective Service Manuals. The manuals are available at the Konica
Minolta InfoHub page.
Overview of product lines

Product Konica Minolta Develop models Olivetti models
lines models
Minerva C754, C654 ineo+ 754, ineo+ 654 d-COLOR MF752Plus, d-COLOR MF652Plus
Minerva C754e, C654e ineo+ 754e, ineo+ 654e d-COLOR MF752, d-COLOR MF652
2nd
series
Zeus C554, C454, ineo+ 554, ineo+ 454, ineo+ d-COLOR MF552, d-COLOR MF452, d-COLOR
C364, C284, 364, ineo+ 284, ineo+ 224 MF362, d-COLOR MF282, d-COLOR MF222
C224
Zeus C554e, C454e, ineo+ 554e, ineo+ 454e, d-COLOR MF552Plus. d-COLOR MF452Plus,
MLK C364e, C284e, ineo+ 364e, ineo+ 284e, d-COLOR MF362Plus, d-COLOR MF282Plus,
C224e ineo+ 224e d-COLOR MF222Plus
Zeus/Minerva
1. Call the Service Mode to the screen.
2. Tap System 2 > Driver Install > Uninstall.
3. Select a driver to be uninstalled.
4. Tap Start to uninstall the data.
5. Check that data is normally uninstalled from the message that appears on the control
panel.
6. Turn OFF/ON the main power switch.
Konica Minolta - Configure Print without authentication option
Print without authentication option allows printing of documents, that are sent directly to the
MFD's IP address.
This function needs to be allowed for the Public users to be able to print.
Terminal Embedded reinstallation resets the configuration back to restricted.
Follow these steps to set the MFD's Print without authentication option:
1. Tap the hardware Home button on MFD.
2. Tap Utility.

3. Tap option 3 - Administrator Settings.
The default is 1234567812345678.

5. Tap option 4 - User Authentication/Account Track.
6. Tap option 4 - Print without Authentication.

7. Set this option to Full Color/Black or Black Only to enable printing of the documents sent
directly to the MFD's IP address. To disable the printing, set the option to Restrict. Tap OK
to confirm the setting.
Be sure to have your print driver configured correctly according to Konica Minolta - Configure
User Authentication and Account Track.
Konica Minolta - Configure inactivity timeout
The terminal inactivity timeout setting in the user's additional configuration is supported only
for YSoft SafeQ Embedded Terminal for Konica Minolta - 2nd Gen.. The timeout is also set
directly on the machine.
Follow these steps to set the terminal inactivity timeout:

1. Press the hardware Home button on the MFD.
2. Tap Utility.
4. Enter the Administrator password for the MFD, and then tap OK.
The default is 1234567812345678.

5. Tap System Settings.
6. Tap Reset settings.

7. Tap System Auto Reset.
8. Press C on the keyboard and then press the number according to your preferred timeout in
minutes. Confirm changes by tapping OK.

9. Change timeouts in Auto Reset screen (see point 7) in a similar way.
Configuring Konica Minolta - iSeries devices

Requirements
Latest firmware is installed on MFD (or at least a minimum version mentioned in HCL – Konica
Minolta).
MFD is OpenAPI 3.5 or higher if embedded accounting / application shortcuts / web browser
terminal functionality is required. Models that support OpenAPI 3.5 or higher may need HDD and
/or additional memory installed (for more details see HCL – Konica Minolta).
MFD is accessible from Spooler Controller subnet. IP Filtering of the Konica Minolta iSeries
has to be adjusted if MFD and SPOCs are in different subnets. The Quick IP Filtering setting
(Administration > Network > TCP/IP Setting > Quick Ip Filtering) is enabled by default, allowing
only connections from the MFDs subnet.
At Glance
1. Configure and enable SSL
2. Configure inactivity timeout
3. Disable the Certificate Verification Settings option
4. Configure SSL via MFD Web
5. Configure region (Develop only)
6. Disable all other authentications (User Account Track, revert configuration for blocking
cables (key counter, Vender2 cable, see How to block Konica Minolta devices)
7. Add domain DNS suffix in Network settings - Default DNS domain name (in case a host
8.

8. Enable Web Browser for Web-based terminal
9. Configure the Windows print driver
10. Configure USB card reader settings (if authentication by Card is required)
11. Install loadable driver
Konica Minolta iSeries - Configure and enable SSL
1. Open your Web browser and enter the MFD's IP address. The Public user web interface
opens.
2. Press the Logout button in the upper right corner and confirm the logout.
3. Select User Type Administrator, insert password and press Login in the bottom right
corner.
The default password is 1234567812345678
4. Administrator web interface opens, navigate to Security, PKI Settings, Device Certificate
Setting and press New Registration.

If the device already has a factory default settings certificate, delete it first and then
create a new one.
5. Select Create and install a self-signed Certificate and click OK.
6. Enter information for the SSL certificate; then click OK.
7. When the message "Certificate has been successfully created" appears, click OK.
8. Log out of the session. If a message appears saying that it is necessary to reboot, reboot
the MFD.

8.
If the MFD does not request a reboot, you must log out of the Web interface before
continuing the terminal installation.
Konica Minolta iSeries - Configure inactivity timeout
If you need to change the time limit of inactivity, after which user gets automatically logged
out, follow these instructions.
1. Log in to the MFD's Web interface administrator (instructions here).
2. Administrator web interface opens, navigate to System Settings, Reset Settings, System
auto reset, enable System auto reset function and set desired timeout in System Auto
Reset Time (in minutes).
3. Press OK to confirm.
Konica Minolta iSeries - Configure SSL via MFD Web
1. Log in to the MFD's Web interface administrator (instructions here).
2.
2. Administrator web interface opens, navigate to Network, OpenAPI Setting, choose the SSL
Only option and click OK.
The Client Certificate request should be off.
3. In the network tab, select TCP Socket Setting and check the Use SSL/TLS checkbox.

4. Turn the main switch OFF and then ON again to apply changes to TCP Socket settings.
For remote reset use the web interface of the MFD, menu Maintenance > Reset > Reset
.
Konica Minolta iSeries - Configure USB card reader settings
Please refer to Konica Minolta - Configure USB card reader settings, section Configuration on
ZeusS, ZeusS BK, Heslios, MinervaS BK, Poseidon, iSeries models.
Konica Minolta iSeries - Configure User Authentication and Account Track
1. Open Control Panel, select Devices and printers, right click on your desired MFD and select
Printer properties

2. In the Advanced tab, make sure to select your Konica Minolta device and press Apply
3. In the Configure tab, click Obtain settings (button might be named Acquire Settings)
4. Uncheck Auto checkbox and click OK
5. Select Specify IP Address or Printer Name and provide the real IP address of a MFD having
a common configuration for trays.

6. Back in the Configure tab, set ID&Print, User Authentication and Account Track to Disable
and click OK
Konica Minolta iSeries - Disable the Certificate Verification Settings option
1. Log in to the MFD's Web interface administrator (instructions here)
2. Navigate to Security, Certificate Validation Setting and make sure the Certificate
Verification Settings slider is in the off position (see image)

Konica Minolta iSeries - Enable Web Browser for Web-based terminal
1. Log in to the MFD's Web interface administrator (instructions here)
2. Administrator web interface opens, navigate to Network, Web Browser Setting, Web
Browser Settings and make sure Web Browser is enabled.

Konica Minolta iSeries - Install loadable driver
The procedure is identical to older devices and can be found here.
Configuring Konica Minolta - older models

Requirements
Correct FW installed (for more details see HCL – Konica Minolta)
MFD must be OpenAPI 3.5 or higher if embedded accounting / application shortcuts / web
browser terminal functionality is required.
Models that support OpenAPI 3.5 or higher usually need HDD and/or additional memory
installed (for more details see HCL – Konica Minolta )
If SafeQ on-line print accounting is required
No ZERO counters. Normal (A5/A4/letter) page copy, normal page print, large (A3/legal
/tabloid) page copy, large page print counter must not be 0
MFD Service Menu > Counter setting > total counter mode – MODE 2 is set!
At Glance
1. Install loadable driver (if authentication by CARD is required)
2. KM - Configuring and Enabling SSL
3. KM - Disable the Certificate Verification Settings option
4. KM - Enable OpenAPI on a device (especially when external terminal was used before
embedded installation)
5. KM - Configure SSL for OpenAPI and TCP Socket communication
a. KM - Using the MFP Web interface to configure SSL settings
b. KM - Using the MFP Panel to configure SSL settings
6. KM - Configure switches
7. KM - Configuring USB Card Reader Settings (if authentication by CARD is required)
8. KM - Configure Print without authentication option (if printing of documents, that are sent
directly to the MFP's IP address is required)
9. KM - Disable the ID and print option on the MFD
10. KM - Configure User Authentication and Account Track
11. KM - Install loadable driver
12. KM - Disable all other authentications (User Account Track, key counter, Vender2 cable etc.)
13. KM - Add domain DNS suffix in Network settings - Default DNS domain name (in case a host

Configure print driver as follows:
1. Printer properties - Configure - Device Options are configured to support all possible
features (Punch unit, Finisher etc.)
2. Printer properties - Configure - Obtain Settings - Auto = not checked
3. Printer properties - Configure - User Authentication = disabled
4. Printer properties - Configure - Account Track = disabled
5. Printer properties - Ports - Enable printer pooling is checked + additional ports are created
and checked to be used (remove windows print spooling bottleneck)
KM - Configuring and Enabling SSL
Open your web browser and enter the MFD's IP address. The MFD web interface, PageScope
opens.
On the PageScope web connection login screen, select Administrator, then click Login. (If you are
automatically logged in as a guest, log out and then log in again using the administrator account.)
The PageScope web interface varies according to the specific MFD.
Enter the administrator password for the MFD, then click OK.
Select the Security tab, then select Device Certificate Setting. Continue by selecting New
Registration.

Select Create and install a self-signed Certificate and click OK.
Enter information for the SSL certificate, then click OK.
The information you enter does not have to be valid (for example, the Admin E-mail Address
does not have to be valid), except for the Validity Period, the recommended length is 3650
days. The Mode using SSL/TLS setting applies only to PageScope web connection. You can
set it to None without affecting the OpenAPI's SSL capabilities.

Ensure that Encryption Key Type value RSA-1024_MD5 is selected for newer Konica Minolta
devices.
When the message Certificate has been successfully created appears, click OK, then log out of
PageScope web connection.
If a message appears saying that it is necessary to reboot, reboot the MFD.
If the MFD does not request a reboot, you must log out of the Web interface before continuing
the terminal installation.
KM - Disable the Certificate Verification Settings option
Log in to the MFD's Web interface as administrator; then select Security (see page).
From the menu, select Certificate Verification Settings.
For the Certificate Verification Settings option, select Off and save settings with OK

If you don't turn off Certificate Verification, the warning message will be displayed only once
after the reboot your MFD.
KM - Enable OpenAPI on a device
Make sure the MFD is idle — not copying, printing, scanning, or otherwise busy.
Tap the Utility/Counter button. (This is a physical button.)

Tap option 3 — Administrator Settings.
Enter the Administrator password for the MFD; then tap OK.
Tap option 9 — System Connection.

Tap option 1 — OpenAPI Settings.
If SSL and port number options appear, continue to chapter KM - Configure SSL via MFD panel
Tap Access Setting; then set it to Allow.
KM - Configure SSL for OpenAPI and TCP Socket communication
Configure additional required SSL settings as described here.
You can configure the settings by using either the MFD's Web interface or the MFD panel.
KM - Configure SSL via MFD Web
Log In the MFD's Web interface as administrator.
Select the Network tab, then select OpenAPI Setting and choose the SSL Only option; then click
OK.

It may not be possible to configure SSL via MFD Web, as the setting may be disabled (greyed
out). In such case you need to KM - Configure SSL via MFD panel.
With the Network tab still selected, from the menu, select TCP Socket Setting and check the
Use SSL/TLS check box. Than Click OK.
KM - Configure SSL via MFD panel
If you did not set OpenAPI and TCP Socket settings via the MFD's Web interface, use the MFD's
panel to set them as follows:
Make sure the MFD is idle — not copying, printing, scanning, or otherwise busy.

Tap the Utility/Counter button. (This is a physical button.)
Tap option 3 — Administrator Settings.
Tap option 9 — System Connection.

Tap option 1 — OpenAPI Settings.
Tap SSL/Port Settings.
Select settings as described below; then tap OK.

SSL Setting – SSL Only
Port No. – 50001
Port Number (SSL) – 50003
Return to Administrator Settings as follows: Tap Close twice or select Administrator Settings
from the menu on the left.
Tap option 5 — Network Settings.
Tap the Forward button to go to the second page of Network Settings.
Tap option 1 — TCP Socket Settings.
Tap option 1 — TCP Socket.

Change the selection to On; then tap OK.
KM - Configure switches
Please note, that this change is required for multilevel billing codes selection on Konica Minolta
devices from product lines older than Zeus. If you are using Zeus product line or newer
device, do not change the default value of switch No. 25.
Follow these steps to set right value of switch No. 25
No. 25 is just general name of this switch, please contact your Konica Minolta distributor to
tell you the appropriate equivalent of the switch name for your specific MFD.
1. Tap Service Mode > System 2 > Software switch settings
For instructions for opening Service Mode with the Management Function Choice option
for your specific MFD, contact your Konica Minolta distributor.
2. Tap Switch No.
3. Enter 25 (or switch number which is the equivalent to SW 25)
4. Tap HFX Assignment
5. Enter the appropriate value (20)
6.

6. Tap Fix
7. Tap End
8. Tap Exit
KM - Configuring USB Card Reader Settings
Follow these steps to implement authentication via a USB card reader if you want to use
authentication with a card reader.
If a card reader will not be used, skip to the Print without authentication option.
Connect the USB card reader to the MFD.
Tap Service Mode > Billing Setting > Management Function Choice.
For instructions for opening the Service Mode with the Management Function Choice option
for your specific MFD, contact your Konica Minolta distributor.
Tap Authentication Device 2.
Tap Card.
On the ID Card Type screen, tap CARD2 (to specify the USB reader), then tap OK. If CARD2 does
not work and an internal error comes up, you must use CARD1.
KM - Configure Print without authentication option
Print without authentication option allows or disables printing of documents, that are sent
directly to the MFD's IP address.
Follow these steps to set the MFD's Print without authentication option:

Press the Utility/Counter button. (This is a physical button.)
Tap option 3 - Administrator Settings.
The default is 12345678.
Tap option 4 - User Authentication/Account Track.
Tap option 4 - Print without Authentication.

Set this option to Allow to enable printing of the documents sent directly to the MFD's IP
address. To disable the printing, set the option to Restrict.
Tap OK to confirm the setting.
Be sure to have your print driver configured correctly according to KM - Configure User
Authentication and Account Track.
KM - Disable the ID and print option on the MFD
At the MFD, disable the ID & Print option as follows:
Tap option 3 - Administrator Settings.

Tap option 4 - User Authentication/Account Track.
Tap option 2 - User Authentication Settings.
Tap option ID & Print Settings.
Select options as described below; then tap OK.

ID & Print – OFF
Public User – Print Immediately
KM - Configure User Authentication and Account Track
Right-click the Konica Minolta MFD; then select Printer properties > Configure.
On the Configure tab, set set ID&Print/User Authentication/Account Track to disable.
Than click to Acquire Settings or Obtain settings
Depends on your printers driver

Uncheck Auto checkbox
Click OK
Click OK.

KM - Install loadable driver
Overview of product lines
Product lines Models
Thames C353, C253, C203
Mosel C650, C550, C451
Donau C652, C552, C452
GangesM 501, 421, 361
Amur C360, C280, C220
Taiga 423, 363, 283, 223
LaplataM 751, 601
Citrine C35, MF30-1
TaigaY bizhub 42, bizhub 36, MF42-1, MF36-1
Minerva C754, C654
Zeus C554, C454, C364, C284, C224
Symphony PRESS1250, PRESS1250P, PRESS1052, PRO951
Thames\Mosel devices
Model Thames vs. Mosel
C353 Thames 1(ti1)
C253 Thames 2(ti2)
C203 Thames 2.5(ti2_5)

Model Thames vs. Mosel
C650 Mosel 1(mi1)
C550 Mosel 2(mi2)
C451 Mosel 3(mi3)
Thames/Mosel
1. Insert CF card (max 256 MB).
2. Extract Thames/Mosel archive with drivers to disk.
3. Go to the directory according to the device code name.
4. Run command mkcfldr.bat (device code) (CF drive letter) - for example mkcfldr.bat mi2 e:
5. Turn off the MFD.
6. Insert the CF card in MFD.
7. Turn on the MFD.
8. Wait for driver download.
9. Turn off the MFD and remove the card.
10. Turn on the MFD.
11. Go to service mode and choose.
12. Set authentication device > CARD2.
GangesM/LaplataM
1. Copy LoadableDeviceDriverROM directory to the root of USB flash disk.
2. Insert the flash disk to the MFD.
3. Enter the Service Mode.
4. Press the System 2 in Service mode screen.
5. Press ISW.
6. Press the Board Type Selection.
7. Select Loadable Device Driver and press OK.
8. Press the File Selection.
9. Select the relevant firmware version and press OK.
10. Press Execute.
11. Press Start.
12. Check to see the message ISW was completed.

Amur
1. Copy A0EDFW.tar to the root directory of a USB flash drive.
2. Insert the USB flash drive into the USB port at the rear side of the main body.
3. Turn on the main switch.
4. Select YES and touch the START button displayed on the panel.
5. When the downloading process was finished, the message of Download Complete comes
out on the panel.
6. Turn off the main switch and remove the USB flash drive.
Donau
1. Copy A0P0FW.tar to the root directory of a USB flash drive.
2. Insert the USB flash drive into the USB port for service at the rear side of the main body.
(Remove the screw and lift up the cover of the USB port)
out on the panel.
Taiga
1. Copy A1UDFW.tar to the root directory of a USB flash drive.
2. Insert the USB flash drive into the USB port for service at the rear side of the main body.
(Remove the screw and lift up the cover of the USB port)
out on the panel.
KM - Configure IPP and IPPSSL
This topic describes how to configure IPP/IPPSSL on Konica-Minolta printers.

Configuration of IPP and IPPSSL
This configuration is required for using IPP and IPPSSL.
1. Login MFD's web interface as administrator.
2. Navigate to Network tab.
3.

3. Continue to IPP Setting.
4. Enable IPP Setting option and enable Accept IPP job option.
When available set IPP-SSL Settings to SSL Only
Configuration of IPP over SSL
This configuration is required for using IPPSSL.
1. Navigate to Security tab.
2. Continue to PKI Settings > Device Certificate Setting.
3. Use New Registration button.
4. Select Request a Certificate option > OK.
5. Insert a details of your organization > OK.
6. A message: Certificate Request was successful is displayed > OK.
7. Copy or Save a Certificate Signing Request Data and insert them to your certification
authority.
8. Create a certificate on your certification authority.
9. Continue on Security tab > PKI Settings > Device Certificate Setting.
10. Select your Requesting Certificate and press Setting button.
11. Use Install a Certificate option > OK.
12. Add certificate from your certification authority (the certificate you have created in step 8)
> Press Install button.
13. A message with the result of installation will be displayed.

14. Continue to PKI Settings > SSL Setting.
15. Set Mode using SSL/TLS to Admin. Mode and User Mode. Set Encryption Strength to
enctyption which you use (if you are not sure which encryption use, set attribute to AES-
256, 3DES-168, RC4-128, DES-56, RC4-40).
KM - Recommended settings
OpenAPI Certificate Verification Level Settings - Validity Period
When user authenticates with invalid credentials (invalid card, invalid PIN) and the setting of
Validity Period is configured to Confirm, it will take 1 minute until the information about invalid
credentials is displayed.
Recommended setting: OpenAPI > Validity period = Do not confirm
1. Navigate to MFD web interface
2. Login as administrator
3. Navigate to Network > OpenAPI setting
4. Configure Certificate Verification Level Settings > Validity Period = Do not confirm
Configuring Secured Communication for Only Downloading a Device Description

Requirements
The correct Konica Minolta firmware that allows downloading a device description via an SSL
must be installed on the device, otherwise, the installation fails. Setting property
kmOpenApiVersion to version 4.2 is required in order to successfully establish secure connection.
How It Works
A part of the Konica Minolta installation is downloading the description of the installed device. By
default, Terminal Server uses secured communication to download the device description, and if
the secured communication fails, an unsecured communication is used.
You can change the default behavior to use only secured communication, so if the secured
communication fails, the installation process fails.
How to Enable
1. Log into YSoft SafeQ web administration as an administrator.
2. Go to System > Configuration
3.

3. Make sure Expert view is enabled and you are in the tenant configuration.
4. Search for forceSecuredDeviceDescription.
5. Change value to Enabled
6. SAVE CHANGES
Configuring the bizhub PRO 1100
There is a software switch on the bizhub PRO 1100 that controls whether each large page is
counted as two large pages, and the default value of that switch is different for Europe versus
the BUS region.
Therefore, when configuring bizhub PRO 1100 in the BUS region, a Konica Minolta field engineer
must visit the site and change the value of the software switch on the bizhub PRO 1100 that
controls "Counting Method of White/Black Large Size" to 0.
Embedded web browser application access
There is a possibility to allow or forbid access to the web browser application on a Konica Minolta
embedded terminal (in case the embedded terminal supports it) for all users.
How
By using Management configuration property Allow web browser application ("

allowWebBrowserApplication ").
Using value "Enabled" means that all users have access to the web browser application.
Using value "Disabled" means that all users have no possibility to access the web browser
application.

Enabling Authentication cache on Konica Minolta devices
Overview
With Authentication cache enabled, the users authenticating on the printer and their
authentication information are stored to the local MFD cache.
This allows users to log in to the embedded terminal even when the MFD is unable to
communicate with YSoft SafeQ server and use the native MFD's functions such as copying,
scanning or printing from USB.
The performed operations are accounted when the connection to server is restored.
Feature is enabled by the "Enabling the authentication cache" (authenticationCacheEnabled)

configuration property in System Settings in the YSoft SafeQ web administration.
It is also possible to define the period for which the authentication cache is stored (in the "
terminalserver.exe.config" file in the key "kmCacheInfoValidatePeriod").
How to configure MFD how to behave in case YSoft SafeQ server is down
Log in to MFD administrator setting as administrator
Go to "User Authentication / Account track"
Go to "Max allowance when Enhanced Server down" on the 2nd page.
Select one of the options
OFF - No Limit. User can use service as many as they want.
ON - Administrator can set Max limit for each service. When reaching the limit, user is
notified with the message on the panel: "The maximum allowance when the external
server is down has been reached. Press access to log out. Please contact the
administrator."
Limitations
This feature is available only on Konica Minolta devices.
MFD's firmware must support OpenAPI 4.2.
The first authentication at the printer after the Terminal Server goes offline takes about 30
seconds. Any following authentication is immediate.
It is not possible to use this feature with billing codes enabled.
It is not possible to use Registration of unknown card feature when MFD is not able to
communicate with YSoft SafeQ system.
Authentication cache limitations
It stores information about max 1000 users.
Information are stored for users who once authenticated to the MFD.

If more than 1000 user authenticated, the first cached user is replaced with the last user who
authenticated as latest (first user stored is the first one out).
Retention of the cache is configurable in the device administration.
Authentication cache is stored in MFD's internal HDD.
Authentication cache and credit
Payments application in YSoft SafeQ Embedded Terminal for Konica Minolta can not be used
with authentication cache enabled. (the fix depends on a third party).
Needs to be updated.
Combination with Konica Minolta's Universal Print feature (LK-114)
Authentication cache can be used in combination with Universal Print feature (LK-114) on
Konica Minolta's MFDs. More information about this feature can be found in Konica Minolta's
manuals.
File Format Change on Embedded Terminal for Konica Minolta Native
To switch on this feature, you need to set the system parameter

"enableWorkflowFileFormatSelection" to true.
It will allow the MFD user to switch output file type settings like other available scan settings
(color, resolution, etc.) on Embedded Terminal for Konica Minolta (native).
For the OCR processing step, which defines the output file format by itself, and for delivery
overwrite behavior append to PDF and prepend to PDF, this possibility is still disabled because
processing logic depends on the file format.
Hiding user credit information in native applications on Konica Minolta devices
In the System Setting go to Terminal UI and set the configuration property kmShowBalance to
disabled and reinstall terminal on MFD. This option allows hiding user balance in native copy
application and native scan application when payment feature installed. Works with native and
browser based terminal.
Configuring Lexmark Devices
Only devices based on the eSF 3.0, eSF 4.0 and eSF 6.0 platforms are supported so far.
Embedded Terminal for Lexmark.

Differences in installation steps among Frameworks
There are differences among Lexmark Frameworks. Framework 3 and 4 are similar and do not
require special configuration related to users and security settings during and after installation
via Terminal Server. However, framework 6 (Android devices) do require special configuration of
user access and security before installation and also after the installation of YSoft SafeQ
Embedded Terminal for Lexmark. Please ensure to which framework YSoft SafeQ Embedded
Terminal for Lexmark is to be installed and take appropriate steps described below.
How to find out version of framework in a devise has
Administrator can find out framework version on device's web interface. The procedure how to
find out the framework version might differ per device and framework. Common steps are
described below per framework versions.
Framework 3 and 4
To verify the version on devices having framework version 3 or 4 go to: Reports > Device
Settings. In section Embedded Solutions there is an item Framework and version number
starting with number 3 or 4. It might look like on the picture below:
Framework 6 (Android device)
To verify the version on devices having framework version 6 go to: Settings > Reports > Device
> Device Information. After clicking to Device Information there is a modal dialog where is an
item Embedded Solutions and version number starting with number 6. It might look like on the
picture below:
If Android device can be recognized by looking at User Interface it is very probably Framework
6. You can also find the information in device documentation.
Configuring the MFD (Framework 3 and 4)

Time Configuration
Time settings have to be configured for the proper accounting of jobs and the assignment of
billing codes to these jobs.
Go to Web Administration > Settings > Security > Set Date and Time, and configure Daylight
Saving Time Settings and Time Zone Settings to comply with the configuration of your server
where Terminal Server is running.
Next, there are two options possible based on the availability of the NTP (time) server in your
network:
1.
1. If an NTP server is available, set all the necessary details in the section Network Time
Protocol, and tap Submit.
2. If an NTP server is not available, in the section Set Date and Time, set the timezone, date
and time to the time of the server where Terminal Server is running, and tap Submit. If set,
this will disable the NTP server.
WARNING: Be sure to set the time as precisely as possible (in means of seconds) to
avoid errors in assigning billing codes to scan and copy jobs. It is better for the MFD to
have the clock set slightly ahead, than behind.
Security Configuration
If you have installed YSoft SafeQ Embedded Terminal in To each application mode (see
Embedded Terminal installation), you might want to also configure other applications to be
protected by YSoft SafeQ authentication (note that YSoft SafeQ Embedded Terminal is protected
by default).
After YSoft SafeQ Embedded Terminal installation, go to Web Administration > Settings > Security
> Security Setup > Access Controls

Then open, for instance, the Function Access folder and select the feature you want to protect
with YSoft SafeQ authentication by selecting the YSoft SafeQ authentication profile and tapping
Submit.

WARNING: If you have previously configured any application or feature to authenticate via
YSoft SafeQ, then reinstallation of the embedded terminal will cause such a configuration to
be deleted. In this case, you should manually export the security settings of the printer before
terminal reinstallation and then recover the device to its original state. To achieve that, go to
Web Administration > Links&Index > Import/Export and pick whether you want to import or
export the security settings via Import/Export Security Setups File.
You might want to limit access to the web interface or configuration menu so that a non-
administrator user will not be able to change device security settings. To achieve that, go to
Web Administration > Settings > Security > Security Setup and enter the PIN, password or
username/password combination into the Basic Security Setup section. Using this approach,
the web administration and device configuration will always require the credentials you
entered in this step. Note that YSoft SafeQ Embedded Terminal installation might not work if
basic security is configured.
Panel Login Timeout
To configure the timeout after which a user is logged out from the Home screen, go to Web
Administration > Settings > Security > Miscellaneous Security Settings > Login Restrictions
and set up the timeout as required. The value is in seconds.
The timeout set in YSoft SafeQ management interface cannot be used with a Lexmark device.

Framework 6 Installation Details (Android devices)
Ensure that YSoft SafeQ Embedded Terminal is not present on the device before the installation.
If it is the case then please remove it via device web's interface. It is recommended to restart the
device before the installation.
Installation of YSoft SafeQ Embedded Terminal for Lexmark consists of two sections. The first
section relates to preparation steps of a device for installation of YSoft SafeQ Embedded Terminal
for Lexmark and the installation process itself. The second section relates to post installation
configuration steps needed for allowing usage of YSoft SafeQ Embedded Terminal for Lexmark.
Installation of YSoft SafeQ Embedded Terminal for Lexmark
First of all, an administrator account has to created on a device to be able to configure

permissions of Public user. This step is important since most permissions of public user will be
taken away after the installation of YSoft SafeQ Embedded Terminal for Lexmark and
administrator still needs to have access to device web interface. Once Public user has all
permissions granted an administrator can install YSoft SafeQ Embedded Terminal for Lexmark via
YSoft SafeQ management interface. After the successful installation the user permissions will be
changed via device web interface. This step is described in the second section.
1. Go to device web interface.
2. Go to Setting > Security > Local Accounts and press Add User button.
3. Select User Name > Password.

4. Then create the admin account by selection of Admin or All checkbox in Permission Groups
section. At the and click to Save button.
5. Now you have created an administrator account which can always change configuration
after login to device web interface.
6. To be able to install or reinstall YSoft SafeQ Embedded Terminal for Lexmark an

administrator has to grant all permissions to Public user. Public user is used by the Terminal
Server for the installation and without permissions the
installation fails. Go to Setting > Security > Manage Permissions.

7. In the Manage Permissions page grant all permissions and click to Save button.
8. Go to YSoft SafeQ web interface and add new Lexmark device. You can select
Authentication mode To device or To Application. Based on this option authentication
screen will be displayed either once when user wants to use a device or when user wants
to use any device application.
a. Authentication mode To device:
b. Authentication mode To each application:
9.

9. Finish the installation. If the installation succeeds then continue with post installation
configuration steps described below.
Post installation configuration of a device for YSoft SafeQ Embedded Terminal for Lexmark
This section describes how to configure a device after successful installation of YSoft SafeQ
Embedded Terminal for Lexmark. It is about setting permissions and setting YSoft SafeQ
Embedded Terminal for Lexmark as authentication method for a device.
1. Login as an administrator to device web interface.
2. Manage permissions of Public user. Go to Setting > Security > Public section > Manage
Permissions.
3. Take away all permissions except BW print and Color Print which are in Function Access.
These permissions are necessary for print and copy functions. Administrator might consider
keeping more permissions to users.

4. Setup YSoft SafeQ Login screen as authentication method. Go to Settings > Security >
Local Accounts section > Default Browser Login (Change) and click to button Change.
5. Set YSoft SafeQ Authentication Module as a default login option for Control Panel and
click to Save button.

5.
6. Go to Security > Additional Login Methods section and click to Manager Permissions.
7. Click to item in menu All users.
8. Grand all permissions. Administrator might be more restrictive with granting permissions but
must ensure that an user can login and access YSoft SafeQ Embedded Terminal for
Lexmark.

9. Go to device. Login as an user and ensure that it is possible to print and copy.
Configuring OKI sXP2
Embedded Terminal for OKI and OKI sXP2.
Time Configuration
to these jobs.
Go to Web Administration > Admin Setup > User Install > Time Setup and configure Time Zone
Settings and Daylight Saving Time Settings to comply with configuration of your server, where
Terminal Server is running.
Next, there are two options possible, based on availability of SNTP (time) server in your network:
1. If SNTP server is available, set all necessary details in section Network Time Protocol and
press Submit.
2. If SNTP is not available, in section Manual Setup set date and time to the time of the
server where Terminal Server is running and press Submit.
Be sure to set the time as precisely as possible (in means of seconds) to avoid errors in
assigning billing codes to scan jobs and copy jobs. It is better for the MFD to have the
clock set slightly forward, than backward.

Application Configuration
After application installation to the printer ensure, that YSoft SafeQ application is permitted on
the device.
Go to Web Administration > User Management > Role List.
Open installed roles and ensure that YSoft SafeQ is permitted in Role Information:

Application startup after login
If you want to start YSoft SafeQ application on the device right after login, you have to perform
the following actions:
1. Login to SafeQ web application
Go to System > Configuration > Terminal UI
a. Change Initial screen displayed when a user logs in at the terminal value to 'sq'.
2. Open MFD Web interface
Go to Web Administration > sXP Application.
a. Select Default Mode for YSoft SafeQ application and click Submit.

3. Login to MFD using local administrator account
Go to Device Settings > Admin Setup > Manage Unit > Default Mode (path can be slightly
different on different MFDs).
Select Web Browser from the list.
LDAP Configuration
Automatic setup of LDAP connection settings is currently not supported. Please follow the
steps below to configure LDAP manually. To find out how to setup a secure LDAP connection
for your device, please contact the supplier. In other case, in SafeQ system settings, enable
the property internalLdapAllowNonsecureProtocol to enable usage of plain LDAP, which is
not encrypted.
LDAP settings have to be configured for proper user authentication, using SafeQ internal LDAP
server.
1. Go to Web Administration > Admin Setup > Network > LDAP.
2. Change the following settings:
a. Server Settings:
LDAP Server to your SpoC IP address
Port Number to 389 (defualt configuration)

in case the port 389 is already in use by other service the port for internal
LDAP can be configured in Management System configuration → Terminal
Administration → internalLdapPort property.
Search Root to dc=safeq
b. Authentication:
Method to Simple
User ID to cn=safeq,dc=safeq
Password to safeq
c. Encryption:
Encryption to None

Output Management Configuration
The MFD supports communication via HTTP or HTTPS.
Go to Web Administration > Output Management and configure Communication Protocol.
Security Configuration
1. Go to Web Administration > Admin Setup > Management > Access Control Setup
2. Change the following settings:
3. Confirmation method:
a. Enable LDAP authentication
b.

3.
b. Disable Local authentication
c. Guest user use Enable
Configuring Ricoh for 1st Gen. Embedded Terminal
Embedded Terminal for Ricoh

Follow these steps to configure the MFD to allow installation of YSoft SafeQ Embedded Terminal:
Enable external accounting features of the MFD
1. If the Java VM card is not a built-in part of the MFD's hardware, insert the card into the
MFD's lowest SD slot.
Turn off the MFD before proceeding, to avoid damaging the Java VM card or the MFD.
The MFD includes as many as three SD card slots. The lowest slot is reserved for the
Java VM card and firmware update cards. The slot may be covered with a metal or
plastic cover, which you must remove.
2. Turn on the MFD. Wait 2 or 3 minutes while Java VM and the default version of the
embedded terminal are installed.
3. On the MFD panel, select the options shown below to activate support for enhanced
external charge unit management: SP mode 5-113-002 to 1.
4. Check that the SP mode 5-113-001 is set to 0 (default value). If not, change it to the
default value.
5. Check that the SP mode 5-401-230 is set to 00000000 (default value). If not, change it to
the default value.
6. Check that the SP mode 5-401-240 is set to 00000000 (default value). If not, change it to
the default value.
7. Perform a soft restart of the MFD (on the keypad, press and hold * and # for 10 seconds).
8.
8. Select System Settings > Administrator Tools > Enhanced External Charge Unit
Management; then select/deselect options as shown below to enable enhanced external
charge unit management to block Copier, Printer, Document Server, Facsimile and Scanner.
WARNING: Java™/X must not be blocked.
Setup Key Counter Management
Select System Settings > Administrator Tools > Key Counter Management; then deselect all
options as shown bellow to disable device blocking with blocking cable.
Setup user authentication management
Select System Settings > Administrator Tools > User Authentication Management; then turn
off User Authentication Management.

Set the Heap and Stack size to the maximum available
1. Go to the Ricoh MFD web interface (Web Image Monitor)
2. Login as the Machine Administrator
3. Go to Configuration > Extended Feature Settings > Administrator Tools
4. Change the Heap and Stack size to the maximum available amount, for example:

Same setting can be done on the device panel, go to: User tools > Extended Feature Settings
> Extended Feature Settings > Administrator Tools
Time settings
1. Go to the Ricoh MFD web interface (Web Image Monitor).
2. Login as the Machine Administrator.
3. Go to Configuration > Date/Time.

4. Set the time to match the YSoft SafeQ server time or specify automatic time configuration
via NTP server.
Configuring USB Card Reader on 12.x Java devices
Select System Settings > General Features > Program/Change USB Device List; then enter
values for Vendor ID - 214C and Product ID - 0202 for Device 01

Configuring MFD to print with watermarks in Rule Base Engine
3. Go to Configuration > Printer > Basic Settings
4. Change Host Interface > I/O Buffer to 256 KB

WARNING: RBE Watermark feature is only supported on PS printers.
Create a MFD certificate on Ricoh devices
Before Build 36 strongly recommended. For Build 36 and higher it is mandatory.
1. Go to device web interface (accessible via device IP address)
2. Log in as an administrator
a. Default credentials admin/keep password field empty
3. Navigate through Device Management → Configuration → Device Certificate
4. Certificate setup
a. If you have your own certificate
i. Click Upload button
ii. Fill up the form
iii. Click Upload button
b. If you don´t have your own
i. Click on Create button
ii. Fill up the certificate details
iii.

iii. Recommended to prolong validity period
iv. Click OK button
5. Machine will restart itself and certificate will be ready to be used
Recommended configuration of shared Windows printer used for secure and direct print queue
When you are configuring shared printer for secure print, follow the the recommendations bellow
to increase performance of the driver installed in environment when it is used for printing on
printers with a different feature configuration. The same recommendations can be applied for
direct print as well since there is no direct access between the driver and the printer and feature
configuration has to be selected manually.
Printer properties - Accessories are configured to support all possible features (Punch unit,
Finisher, etc.)
Printer properties - Accessories - Disable automatically update printer Information
Printer properties - Ports - Disable bidirectional settings
Printer properties - Ports - Enable printer pooling to remove Windows print job spooling
bottleneck
Function key settings

Overview
This feature allows you to define your own key shortcut to quickly access YSoft SafeQ
application by clicking function key button.
Function Key
Specify YSoft SafeQ application for a key accessible via MFD panel.
Setting Function Key in MFD web interface
1. Log in to the MFD web interface with administrator rights.
2. Go to Device Management > Configuration > Function Key Allocation/Function Priority.

Set Function Key 5 to SafeQ by clicking Change button.

3. Select SafeQ and touch OK.
4. Now your Function key is set.
Setting Function Key on MFD panel
1. Go to System Settings > General Features > Function Key Allocation > Function Key 5 >
Extended Feature > SafeQ.

Function Priority
Specify YSoft SafeQ application for as a default function/application displayed after a successful
authentication.
Setting Function Priority in MFD web interface
1. Log in to the MFD web interface with administrator rights.
2. Go to Device Management > Configuration > Function Key Allocation/Function Priority.

Set Function Priority to SafeQ by clicking Change button.
3. Select SafeQ and touch OK.
4.

4. Now your Function priority is set.
Setting Function Priority on MFD panel
Go to System Settings > General Features > Function Priority > Extended Feature > SafeQ.
WARNING: Always set function priority back to its default value before you uninstall YSoft
SafeQ from an Android device (Z series), otherwise the device may get frozen.
Web Configuration Interface

Accessing Web Configuration Interface
1. Log in to the YSoft SafeQ Embedded Terminal for Ricoh ESA (SRET) Web Configuration
Interface at http://MFP_IP:8080/sqet/Login (where MFD_IP is the MFD's IP address) through
your web browser.
2. Enter the login code (the default is 14569).
Web Configuration Interface description
YSoft SafeQ Embedded Terminal for Ricoh ESA Web Configuration Interface provides number of
information and configuration settings as shown on image below.

Information
Version - Exact version of SRET installed on device
Serial Number - Serial number of SRET installed on device
USB card reader state - Current state of USB card reader (connected/disconnected)
Configuration settings
SafeQ server IP - IP adress(es) of YSoft SafeQ server(s) communicating with SRET. SRET can
communicate with multiple YSoft SafeQ servers. YSoft SafeQ server currently communicating
with SRET, is listed first. Order of servers reflects priority of communication attempts in case
of terminal failover.
SafeQ server port - Port on which SRET is communicating with SafeQ server.
Debug Memory - Settings turns ON/OFF logging of memory consumption. In case this setting
is turned on, SRET logs will contain detailed information about consumption of device's
memory (Stack size).
Enable color pdf scans rotation - Settings turns ON/OFF pdf rotation. In case this setting is
turned on, SRET will rotate all scanned PDF files.
Automatic user logout - Time (in seconds) after which user will be logged out from SRET.
Print jobs from SafeQ server if language is unknown - Settings turns ON/OFF print of jobs
with unknown language.
Logs obtainment
YSoft SafeQ Embedded Terminal for Ricoh ESA logs and additional information about SRET are
available via Web Configuration Interface.
On Web Configuration Interface main page click on Logs button and following status page will
appear:

To download logs, click on file you wish to download. If you see only part of logs (e.g. only serverlet
), refresh the page once again.
Configuring Ricoh for 2nd Gen. SOP Embedded Terminal
Reboot of the MFD can take up to 10 minutes (usual time is around 5 minutes). For remote
reboot: Login to Web Image Monitor (WIM) and go to Device Management > Reset the Machine.
For limitations of Ricoh SOP terminal, please refer to Requirements and Known Limitations of
YSoft SafeQ Embedded Terminal for Ricoh SOP.
Follow all these steps to configure the MFD in order to allow installation of YSoft SafeQ
Embedded Terminal. It is highly recommended to go sequentially through these instructions.
If you encounter any issues, please refer to Troubleshooting YSoft SafeQ Embedded Terminal
for Ricoh SOP.
Configuration based on device generation (G2/G2.5)
Configuring Ricoh SOP - Recommended configuration
Configuring Ricoh SOP - Terminal Server CA installation
Most of the configuration steps on the Smart Operations Panel will either require no
authentication application to be installed (configuring before installing Ricoh SOP terminal), or
being logged in as Machine administrator (configuring with Ricoh SOP terminal already
installed).

Refer to Configuring Ricoh SOP - Recommended configuration for enabling Machine
administrator (if it is not already enabled)
Refer to Logging in on Ricoh SOP as admin when Terminal Embedded is installed for details
on how to login as Machine administrator
G2.5
Most configuration steps are done automatically
G2
G2 devices that come with preinstalled Java (for list of these devices, please refer to official
SDK/J Compatibility chart provided by Ricoh), can be remotely configured only with Java
enabled (limitation of the devices)
If the Java is not turned on, admin will be notified about this during the installation
G2 devices that have preinstalled Java, need to have it turned on during the installation.
Otherwise remote configuration of the device is not possible and will need to be done
manually according to Configuring Ricoh SOP - Automated configuration steps.
For details on how to enable Java on the MFD, please refer to Configuring Ricoh SOP - Enabling
Java on G2 devices.
If Ricoh TE was previously installed, this should be turned on by default
Manual configuration steps

Time settings
This steps ensures, that the time of the device matches the time of the YSoft SafeQ server. If
you are positive, that the device has the same time as server, you can skip this step. In
opposite case, accounting and billing codes will be negatively affected by this mismatch.
2. Login as the Machine Administrator.
3. Go to Configuration > Date/Time.

4. Set the time to match the YSoft SafeQ server time or specify automatic time configuration
via NTP server.
This step currently cannot be automated due to bug in the Ricoh rxop implementation
Create a MFD certificate on Ricoh devices
If the device was previously already used, you can skip this step, unless some issues appear,
or if you want to use your own certificate.
1. Go to device web interface (accessible via device IP address)
2. Log in as an administrator
a.

2.
a. Default credentials admin/keep password field empty
3. Navigate through Device Management → Configuration → Device Certificate
4. Certificate setup
a. If you have your own certificate
i. Click Upload button
ii. Fill up the form
iii. Click Upload button
b. If you don´t have your own
i. Click on Create button
ii. Fill up the certificate details
iii. Recommended to prolong validity period
iv. Click OK button
5. Machine will restart itself, and certificate will be ready for us
Configuring Ricoh SOP - Automated configuration steps
All of the steps listed in this document are done automatically during the installation. In
following cases, they need to be done manually:
On G2 machines without Java enabled (admin is informed about this during the
installation)
Remote configuration fails due to unexpected error (admin is notified about this situation
during installation)
Configuring USB Card Reader

Configure card reader in System Settings.
1. Select System Settings > General Features > Program/Change USB Device List
2. Then enter values for Vendor ID - 214C and Product ID - 0202 for Device 01

1. Set up card reader in Smart Operational Panel
2. User Tools / Settings -> Screen Features -> Screen Device Settings -> IC Card Bluetooth
Software Settings / External Interface Software Settings -> Select IC Card Reader ->
select " Proximity Card Reader "
3.
3. Go into Proximity Card Reader Software Settings
4. F o l l o w i n g screen will appear
5. Connect or reconnect a card reader to USB on the Smart Operational Panel

Note that you can use only Smart Operational Panel USB - either visible one, or hidden
micro-USB through an adapter. Card reader will not work with MFD ports (on back or on
a side of the device).
6. Check the settings, confirm the change and restart the MFD
Service menu settings
Firmware update should be updated to newest version.
1. SP mode 5-113-001 is set to 0 (default value).
2. External optional Counter Type option to activate support for enhanced external charge
unit management: SP mode 5-113-002 to 0.
3. Access Control - SDK Certification Device 5-401-230 to 00000001 (Enables Custom

Authentication) .
4. Access Control - Detail Option 5-401-240 to 00001000 .
Authentication settings in Web Image Monitor (WIM)
2. Login as an administrator.
3. Under Device Management > Configuration change the following settings to allow display
of authentication application.
a. In Administrator Authentication Management set User Administrator Authentication

to On.

b. In User Authentication Management set User Authentication Management to
Custom Authentication.
c. In User Authentication Management check that all functions are enabled.

c.
Set appropriate timers
Terminal inactivity timeout is a value for user automatic logout. It is defined for Cost centers
and can be specified per user but now it is not supported, see page Requirements and Known
Limitations of YSoft SafeQ Embedded Terminal for Ricoh SOP.
Default value on MFD is a utomatically set to more than 3 minutes. It can be manually
changed after installation.
1. Login to WIM (Web Image Monitor) as machine administrator.
2. Go to Device Management → Configuration → Timer (under Device Settings).
3. As default set all timers higher than Terminal inactivity timeout (so for default Terminal
inactivity value, set all values to more than 3 minutes).
a. Most of the timers can be turned off if they are not needed.

Key Counter Management settings on the MFD
1. Go to the User Tools on MFD.
2. Select Machine Features.
3.
3. G o to System Settings.
4. Go to Administrator Tools > Key Counter Management (on a second page)
5. U n b l o c k all functions.
6.
6. T u r n off Document Server Feature.
Configuring Accounting on the MFD
1. Go to the User Tools on MFD.
2. Select Machine Features.
3. G o to System Settings.
4.
4. Go to Administrator Tools > Enhanced Print Volume Use Limitation (on a second page)
5. T r a c k i n g Permission must be On.
In case, that the Embedded Terminal will be uninstalled, Tracking Permission must be
switch to Off. In case of re-installation it can remain On.
Configuring Ricoh SOP - Configuring Direct Print on Ricoh driver

Printer Properties
To be able to perform Direct print when not using YSoft SafeQ FlexiSpooler, authentication
has to be configured in Printer Properties and installed Ricoh driver.
1. Allow User Authentication in Advanced Options

Printing Preferences
1. Go to Ricoh MFD driver printing preferences > Detailed settings
2. Go to Job Setup
3. Go to Authentication
4.

4. Set Windows Login Name (may depend on LDAP/accounts setting) and confirm all dialog
windows
Configuring Ricoh SOP - Enabling Java on G2 devices
G2 devices that have preinstalled Java, need to have it turned on, during the installation.
Otherwise remote configuration of the device is not possible and will need to be done
manually according to Configuring Ricoh SOP - Automated configuration steps.
Turn on JavaTMPlatform if present on the MFD
3. Go to Configuration > Extended Feature Settings > Administrator Tools
4. Change the JavaTMPlatform to Active if present. (Reboot is required.)
5. Check that JavaTM Platform is present in Configuration > Extended Feature Settings >
Startup Settings and is started / starting up, otherwise start it up and reboot the MFD.

Configuring Ricoh SOP - Recommended configuration
Management configuration options
Following configuration options in management interface, related to communication timeouts,

might need some adjustments, depending on device reboot speed during installation process.
All of the following configuration options are Expert level under the "Terminal administration"
category.
tsCommunicationTimeoutSeconds - Request timeout for communications between Terminal

Server and SPOC - installation of embedded terminal is one of the communications and this
timeout combined with the "tsCommunicationRetriesCount" affect how long can single
installation of embedded terminal lasts before termination. The value of this configuration
option is in seconds.
Suggested value: 360
tsCommunicationRetriesCount - Most communications between Terminal Server and SPOC

are automatically retried when the communication timeouts or the communication could not
be established. This count shows how many times should the communication be retried.
Suggested value: 5
Final maximum installation duration is tsCommunicationTimeoutSeconds *

(tsCommunicationRetriesCount + 1). If this duration is exceeded the installation will result in
failure.
maxEmbeddedInstallationStatusAge - Maximum duration for single installation step during

embedded terminal installation process. This timeout is completely unrelated to the timeouts
above, if this time is exceeded the installation process might not properly terminate in the
management UI and get stuck in change in progress. In background the installation process is

properly terminated and will not continue. Default value of this timeout is "5m", but because of
the multiple device reboots required during installation it might be required to increase this
value to "10m".
Suggested value: 20m
Configuring MFD to print with watermarks in Rule Base Engine
3. Go to Configuration > Printer > Basic Settings
4.
4. C h a n g e Host Interface > I/O Buffer to 256 KB
WARNING: RBE Watermark feature is only supported on PS printers.
Recommended configuration of shared Windows printer used for secure and direct print queue
When you are configuring shared printer for secure print, follow the the recommendations bellow
to increase performance of the driver installed in environment when it is used for printing on
printers with a different feature configuration. The same recommendations can be applied for
direct print as well since there is no direct access between the driver and the printer and feature
configuration has to be selected manually.
Printer properties - Accessories are configured to support all possible features (Punch unit,
Finisher, etc.)
Printer properties - Accessories - Disable automatically update printer Information
Printer properties - Ports - Disable bidirectional settings
Printer properties - Ports - Enable printer pooling to remove Windows print job spooling
bottleneck
Print & Delete Scanner records
If other settings are used, based on customer preference, and this records log are fully filled,
scanning will not be possible, until the records are printed on the machine
1.

1. Login to WIM (Web Image Monitor) as machine administrator.
2. Navigate through Device Management → Configuration → Scanner → General Settings
3. Change Print & Delete Scanner Records to Do not Print: Delete Oldest
4. Confirm the change by OK button.
Enabling Machine administrator login
3. Under Device Management > Configuration
a. In Administrator Authentication Management set Machine Administrator

Authentication to On.

Configuring Ricoh SOP - Terminal Server CA installation
Note that this prompt will appear only if certificate has not been installed before and SSL
communication is enabled.
If Terminal Server communicates with the SOP application over SSL/TLS, then CA certificate of
Terminal Server must be installed into SOP application.
To switch off the SSL/TLS, change the YSoft SafeQ configuration property dsSslEnabled to
'false'. This option is enabled by default.
During terminal installation Terminal Server pushes its root certificate into the SOP application.
However, it is not installed automatically. Administrator needs to confirm installation manually on
MFD. SOP will display following prompt:

Administrator needs to confirm certificate installation. The certificate name is set by default as a
Common Name (CN) of the CA certificate, but it can be changed arbitrarily. If Administrator does
not confirm certificate installation then the SOP application will display warning to users about
invalid certificate (unless the certificate is signed with publicly trusted CA).
Note that this will not work if Terminal Server uses self-signed certificate. This automatic
procedure installs CA certificate which is used to sign Terminal Server certificate.
You can repeatedly launch this prompt by reinstalling terminal in the management interface (eg. if
CA used for signing Terminal Server certificate is changed).
Logging in on Ricoh SOP as admin when Terminal Embedded is installed

Logging in with machine administrator account
You have the option to use the authentication application to log in as the machine administrator
to change settings and configure the device.
When the authentication method is set to username/password you can use it to enter your
administrator credentials. In the event that the authentication method is set to something else
the administrator login form is hidden and can be access by long pressing the Y Soft logo for at
least 4 seconds.

Note that this form does not allow regular users to log in using the username and password only
the administrator accounts that are configured on the device.
Configuring Samsung
Embedded Terminal for Samsung.
Devices based on XOA-E / Android platform are supported so far. No special settings are
Apply home screen settings to all users
This section applies only to the devices with Android OS.
1. Log into the device as administrator (you need to use YSoft SafeQ admin account).
2.

2. Configure the home screen (e.g.: Add the YSoft SafeQ application to the home screen)
The YSoft SafeQ application can be found in a XOA Apps menu.
3. Press and hold background on the home screen until the following window appears.
4. Select the bottom option to apply the home screen to all users.
The YSoft SafeQ application icon may occasionally disappear from the the home screen and
needs to be placed there manually again. It is a limitation on the Samsung side.
Configuring Sharp
General Notes
Supposed you are configuring new MFD with default settings. If you are configuring older device
with lot of customized settings, it may be useful to reset it to factory defaults first.
Most settings can be configured via internal web page of MFD with administration interface. Web
interface of each device can be different, depending on device model. Language of the interface
is mostly controlled by preferred language setting of the browser. Note that support of various
browsers can differ between particular MFDs. To enter web interface, insert <MFD IP> to the
browser address bar (you will be connected to http or https page based on MFD's current
setting).
Embedded Terminal for Sharp.

General MFD Configuration
Sharp MFD requirements
The device must support OSA 3.5 and have MX-AMX2 and MX-AMX3 modules installed for full
YSoft SafeQ Embedded Terminal functionality. It is customer's responsibility to have it
installed. Available terminal functionality may differ in case only MX-AMX2 or MX-AMX3 module
is installed.
How to check if MX-AMX modules are installed:
For Sharp model MX-2600N, check menu Status.
This method does not work for model MX-2610N since it shows only Options and not Software
Options Installed.
For model MX-2610N go to menu System Setings > Product Key and check if both modules are
marked with [Enable].

The MFD must be configured to communicate via the SSL protocol and the associated certificate
must have been created.
How to create and enabled SSL certificate:
YSoft SafeQ Embedded Terminal for Sharp
YSoft SafeQ Embedded Terminal for Sharp is implementation of YSoft Terminal Professional in
Sharp devices supporting a combination of OSA technologies, allowing usage of embedded
accounting and GUI. Terminal is integral and inseparable part of the YSoft SafeQ Server solution
and operates only when connected to the server. Terminals work within the TCP/IP enabled
networks only.
Sharp MFD configuration
SafeQ embedded installation, should be able to configure the device itself if previous
requirements are met. If installation should not be successful you can check if device is
having following settings.
This part describes first how to configure Sharp MFD in general; Installation and configuration of
Sharp embedded terminal is automatically provided and distributed during SafeQ installation
procedure. This means that installer of SafeQ Sharp embedded terminal should configure device
automatically. You need to configure each device in case that first installation of Sharp embedded
terminal will not be successful.
Navigate to the web administrator menu of the device and log in as administrator. Default
values are admin/admin for login and password.
Navigate to Application Settings > External Applications Settings > Standard Application
Settings and check that YSoft SafeQ application and YSoft SafeQ scan application are
created.
If not, create them with the add button.
Enter YSoft SafeQ as Application Name (YSoft SafeQ Scan for scan application).
Check the address for Application UI where TERMINAL_SERVER_IP is IP of the server

where the terminal server is running.

Optionally, icon for application can be uploaded on some machines. Please upload icon file
<TSHome>\Sharp\Terminal\icon100.png
Now continue with the configuration of the authentication/external accounting, if module MX-
AMX3 is installed. Navigate to Application Settings > External Applications Settings >
External Accounting Application Settings and select Enable for External Account Control
to enable MX-AMX3 module.
If authentication method is To device, also enable Set Authentication Server (Server 1). Then fill
in these fields:
Server 1 (Enable)
Application Name (YSoft SafeQ)
Address for Application UI
Address for Web Service
Press Submit. Restart of the device will be automatically required. YSoft SafeQ Terminal Server
must be running during each device restart, otherwise, new restart will be required.

If User Authentication setting is present (under User Control and its Default Settings), it has to
be set to Disable.
USB Card Reader configuration
Configuration is possible on web interface of Sharp device: User Control > Card Type/Card
Reader Settings
There are two possible settings for USB card reader:
USB Card reader set to keyboard mode and option Use IC Card for Authentication disabled.
USB Card reader set to Sharp mode and option Use IC Card for Authentication enabled.
Configuring Sharp-eSF Devices
Embedded Terminal for Sharp-eSF.

Installation Details
Ensure that YSoft SafeQ Embedded Terminal is not present on the device before the installation.
If it is the case then please remove it via device web's interface. It is recommended to restart the
device before the installation.
Installation of YSoft SafeQ Embedded Terminal for Sharp-eSF consists of two sections. The first
section relates to preparation steps of a device for installation of YSoft SafeQ Embedded Terminal
for Sharp-eSF and the installation process itself. The second section relates to post installation
configuration steps needed for allowing usage of YSoft SafeQ Embedded Terminal for Sharp-eSF.
Installation of YSoft SafeQ Embedded Terminal for Sharp-eSF
First of all, an administrator account has to created on a device to be able to configure

permissions of Public user. This step is important since most permissions of public user will be
taken away after the installation of YSoft SafeQ Embedded Terminal for Sharp-eSF and
administrator still needs to have access to device web interface. Once Public user has all
permissions granted an administrator can install YSoft SafeQ Embedded Terminal for Sharp-eSF
via YSoft SafeQ management interface. After the successful installation the user permissions will
be changed via device web interface. This step is described in the second section.
1. Go to device web interface.
2. Go to Setting > Security > Local Accounts and press Add User button.
3. Select User Name > Password.
4. Then create the admin account by selection of Admin or All checkbox in Permission Groups
section. At the and click to Save button.

4.
5. Now you have created an administrator account which can always change configuration
after login to device web interface.
6. To be able to install or reinstall YSoft SafeQ Embedded Terminal for Sharp-eSF an

administrator has to grant all permissions to Public user. Public user is used by the Terminal
Server for the installation and without permissions the
installation fails. Go to Setting > Security > Manage Permissions.
7. In the Manage Permissions page grant all permissions and click to Save button.

7.
8. Go to Network/Ports > TCP/IP.
9. Select TCP/IP Port Access.
10. Set TPC 21 (FTP) to Open. Click the Save button.

10.
11. Go to YSoft SafeQ web interface and add new Sharp-eSF device. You can select
Authentication mode To device or To Application. Based on this option authentication
screen will be displayed either once when user wants to use a device or when user wants
to use any device application.
a. Authentication mode To device:
b. Authentication mode To each application:
12. Finish the installation. If the installation succeeds then continue with post installation
configuration steps described below.
Post installation configuration of a device for YSoft SafeQ Embedded Terminal for Sharp-eSF

This section describes how to configure a device after successful installation of YSoft SafeQ
Embedded Terminal for Sharp-eSF. It is about setting permissions and setting YSoft SafeQ
Embedded Terminal for Sharp-eSF as authentication method for a device.
1. Login as an administrator to device web interface.
2. Manage permissions of Public user. Go to Setting > Security > Public section > Manage
Permissions.
3. Take away all permissions except BW print and Color Print which are in Function Access.
These permissions are necessary for print and copy functions. Administrator might consider
keeping more permissions to users.

4. Setup YSoft SafeQ Login screen as authentication method. Go to Settings > Security >
Local Accounts section > Default Browser Login (Change) and click to button Change.
5. Set YSoft SafeQ Authentication Module as a default login option for Control Panel and
click to Save button.

5.
6. Go to Security > Additional Login Methods section and click to Manage Permissions.
7. Click to item in menu All users.
8. Grant all permissions. Administrator might be more restrictive with granting permissions but
must ensure that an user can login and access YSoft SafeQ Embedded Terminal for Sharp-
eSF.

9. Go to device. Login as an user and ensure that it is possible to print and copy.
Configuring Xerox Devices
General Information
Intended for when you are configuring a new MFD with default settings. If you are configuring an
older device with a lot of customized settings, it may be useful to reset it to the factory default
first. Most settings can be configured via the internal web page of an MFD with an administration
interface. The web interface of each device may be different, depending on the device model. The
language of the interface is mostly controlled by the preferred language setting of the browser.
Embedded Terminal for Xerox.
The default credentials (as described in Xerox Admin Guides) are login: admin, password:
1111. For some devices, the default credentials are login: 11111, password: x-admin.
It is often referred to as SNMP community in this guide – this always means SNMP Write
community.
Newer devices support Self Address Assignment – it is recommended to turn this feature
off.
Note that the support of various browsers may differ between particular MFDs. To enter
the web interface, enter <MFD IP> into the browser address bar (you will be connected to
an HTTP or HTTPS page based on the MFD's current setting).

Configuring Xerox Devices
This part describes first how to configure Xerox MFD in general; then particular MFDs are
discussed more in details. You need to configure each device first in order to communicate with
YSoft SafeQ.
Xerox MFD Firmware
Xerox ColorQube® 8700 FW 071.160.223.04200+ see Configuring a Xerox MFD Built

/8900 on ConnectKey
Xerox ColorQube® 9201 FW 060.050.009.30823 (rechecked see Configuring Xerox MFD built on
/9202/9203 against FW 061.050.225.10300) Endeavor and Xerox ColorQube
93xx configuration differences
Xerox ColorQube® 9300 FW 071.180.203.23400+ see Configuring Xerox MFD built on

series Endeavor and Xerox ColorQube
Xerox Phaser 3635 - see Configuring Xerox MFD with

Samsung controller
Xerox WorkCentre® 5222/25 FW 1.207.8 see Xerox WorkCentre 52xx EIP

/30 Configuration
Xerox WorkCentre® 5325 FW 1.201.2 see Configuring Xerox MFD with Fuji
/5330/5335 Xerox controller
Xerox WorkCentre® 5632/38 FW 025.054.060.00035 validated see Configuring Xerox MFD built on
/45/55/65/75/87 against 025.054.065.00260, Note: Endeavor
This is the Single Board Controller
(SBC) FW version. For the Multi-
board Controller (MBC), replace the
025.054 with 021.120)
Xerox WorkCentre® 5800 071.190.103.23400+ see Configuring a Xerox MFD Built

series on ConnectKey
Xerox WorkCentre® 6400 - see Configuring Xerox MFD built on

Endeavor
Xerox WorkCentre® 5700 System FW 061.130.220.35400, see Xerox WorkCentre 57xx

series Controller FW 061.130.32701 configuration differences
Xerox WorkCentre® 7120/25 FW 071.013.041 see Configuring Xerox MFD with Fuji
Xerox controller
Xerox WorkCentre® 7425 System FW 75.3.1, Controller + PS see Xerox WorkCentre 74xx EIP
/7428/7435 ROM 1.222.18 updated based on Configuration
System FW 75.14.43
FW 071.030.103.23400+ see Configuring a Xerox MFD Built

on ConnectKey

Xerox WorkCentre® 7200
series (7220/7225, but not
7228/7235/7245)
Xerox WorkCentre® 7500 FW 061.121.224.2730+ see Configuring Xerox MFD built on

series Endeavor
Xerox WorkCentre® 7800 FW 071.010.103.23400+ see Configuring a Xerox MFD Built

series on ConnectKey
Xerox D95, D110, D125, C60 similar to Configuring Xerox MFD

/70 with Fuji Xerox controller
Xerox WorkCentre® 7600 FW 040.033.53375 see Configuring Xerox MFD built on

series Endeavor and Xerox WorkCentre
Xerox® VersaLink™ - see Xerox VersaLink EIP

Configuration
Xerox® AltaLink™ - see Xerox AltaLink EIP configuration
If incorrect device credentials are used three times, the device locks out access from that
particular IP address for an hour. It is possible to erase the device lockout table manually.
Ensure that device timeout is lower than the user or cost center inactivity timeout (used to
automatically log out users). If the device timeout is higher, users might be able to continue
copying until device timeout expires.
Default application after user authentication
Using system property initial-screen can be changed default application showed after user
authentication:
initial-screen Action
value
Default, Application home (list of all services)

Shortcuts
Copy open native Copy application
Scan open native Scan application
sq, sqprint, open "YSoft SafeQ Terminal Application - 1st Gen."

browser open "YSoft SafeQ Terminal Application - 2nd Gen."
"T erminal mode " from device configuration define which embedded application
generation will be used.

initial-screen Action
value
sqscan open "YSoft SafeQ Terminal Application - 1st Gen."

open "YSoft SafeQ Terminal Application - 2nd Gen."
"T erminal mode " from device configuration define which embedded application
generation will be used.
sqbillingcodes open "YSoft SafeQ Terminal Application - 1st Gen."

open "YSoft SafeQ Billing Codes Application"
Configuring a custom look of the login screen - Xerox
Some devices (i.e. Versalink series) may not support this configuration option.
It is possible to configure what a Xerox MFD displays on the login screen. For example, an
administrator might use this to display the company logo and environment-specific user
authentication instructions including contact to an internal help desk. This is a feature of the
Xerox devices themselves.
Configuration pages can be found on Properties → Login / Permissions / Accounting → Login

Methods page in Customize blocking screen section.

YSoft SafeQ configures its own Title and Instructional Text on the login screen when you install
a Xerox embedded terminal.

However, in the default configuration, any manual changes made to these fields are overwritten
any time a user selects a different language on the device, or the first time a user logs in after a
server restart. This is done so that users can see login instructions in their own language. To
customize the look, the administrator has two options:
Take advantage of a configuration option in YSoft SafeQ that allows defining custom Title and
Instructional Text, or
Configure the custom look after terminal installation using Xerox tools, and disable the screen
overwriting in YSoft SafeQ.
How to configure a custom Title and Instructional Text on the login screen
Use the configuration property authenticationScreenTitle, welcome-to-safeq-text

and authenticationScreenInformation in YSoft SafeQ System Configuration, in the
Terminal UI category.
authenticationScreenTitle is placed on the top of authentication screen and is limited

by device to 44 characters.
welcome-to-safeq-text is placed as the first line,

authenticationScreenInformation as the next lines of Instructional text. Most Xerox
devices allow usage of some basic HTML formatting like <b>, <br>, <font color="">
etc. Please keep in mind, that total length of text from both properties is limited by device to
255 characters.

For compatibility reasons welcome-to-safeq-text configuration property has to be filled
to allow usage of authenticationScreenInformation.
How to disable login screen overwriting
Add the configuration property keepCustomXeroxLoginScreen with the value "true" to the
<spoc_folder>\terminalserver\TerminalServer.exe.config configuration file (usually C:
\<installation directory>\SPOC\terminalserver\TerminalServer.exe.config).
Configuring a Xerox MFD Built on ConnectKey
This manual was created based on Xerox WorkCentre 7835, and should be applicable to most
MFDs built on ConnectKey™, although slight differences may occur.
Before Installing YSoft SafeQ Embedded Terminal

Time settings
Go to the Properties tab > General Setup > Date and Time.
Make sure you set the time to match the YSoft SafeQ Server time or specify automatic time
configuration via an NTP server.
FTP mode
Go to the Properties tab > Connectivity > Setup. Click Edit in the FTP/SFTP Filling row, and then
set the Mode to Active.

Include User Name with validation request
Go to the Properties tab > Services > Workflow Scanning > Validation Options. Enable the
Include User Name with validation request option.
Scan services for scanning with workflows
You will need to enable Scan Template Management in device configuration for scanning with
workflows later.
Go to the Properties tab > Services > Printing > Printing Web Services, and then enable the
options Scan Template Management and Scan Extensions. Also make sure that Xerox Secure
Access and Authentication & Accouting configuration are enabled:

You might also want to check that the Confirmation Sheets for Scanning Workflows are set to
print only in case of an error. Otherwise, there might be a page printed every time someone uses
the Scan option in the YSoft SafeQ terminal.
Go to the Properties tab > Services > Workflow Scanning > General Settings. Set Confirmation
Sheet to Errors Only.

SNMP settings
Go to the Properties tab > Connectivity > Setup. Click Edit in the SNMP row, and then enable the
option Enable SNMP v1/v2c Protocols.
On the same page, click Edit SNMP v1/v2c Properties. Set the Community Name (Read/Write)
accordingly:

Proceed with the MFD installation in YSoft SafeQ to complete the installation of YSoft SafeQ
Embedded Terminal. Check the installation status and installation steps.
If there some warnings appear during the installation, you will need to do some further
settings of the MFD based on the messages you see. In that case, the following information
should help you with configuring your Xerox MFD.
After the Installation of YSoft SafeQ Embedded Terminal
These settings are necessary only if requested by the YSoft SafeQ Embedded Terminal
installation or if customization of the configuration is requested.
Accounting Workflow, User Accounting Prompts, Validation for Accounting Codes
Go to the Properties tab > Login / Permissions / Accounting > Accounting Method
Then, configure the Accounting Workflow, User Accounting Prompts and Validation for
Accounting Codes. Click the respective Edit buttons.

Accounting Workflows:
Please note that there are two possible configurations depending on the selected features.
When payments are used, Pre-Authorization and Capture Usage must be used. In other
cases, Capture Usage must be used. (Please note that without payments, the Pre-
Authorization will cause a malfunction. For example, selecting the copy function and starting
copying will perform the scanning part of the process, but then the MFD will wait for user
verification.)
Payments are used
Standard configuration

User Accounting Prompts:
Validation for Accounting Codes:
Extensible Service Browser
Go to the Properties tab > General Setup > Extensible Service Setup. Enable the Extensible
Services Browser option and the Export password to Extensible Services option.

Xerox Secure Access
Properties tab > Services > Printing > Printing Web Services. Enable the Xerox Secure Access
option.
User Permissions Roles
Go to the Properties tab > Login/Permissions/Accounting > User Permissions. In the User
Permissions Roles row, click Edit

On the Non-Logged-In Users tab, click Edit to edit the Non-Logged-In User role.
If you use the device authentication mode To device, on the Services & Tools tab, check that the
Role State of the Services Pathway is set to Not Allowed.
You can configure the Machine Status Pathway and Job Status Pathway locks freely.
If you use the device authentication mode To each application, set the options accordingly. Note
that for some WorkCentre models, it is necessary to use only Per application settings for proper
functionality.

Convenience Authentication Setup
Go to the Properties tab > Login/Permissions/Accounting > Login Methods. Then click Edit next
to Convenience Authentication Setup.

On the Convenience Authentication Setup page, check that Accounting Information is applied
automatically. It can be modified by selecting Automatically apply Accounting Codes from the
server.
Job Limits
To enable the Job Limits service, go to the Properties tab > Services > Printing > Printing Web
Services, and select the check box for Job Limits. Click Apply.

Email
For the proper functioning of the native scan to email (E-mail application) on the MFD, you need to
disable the possibility to change the "From" address.
Go to the Properties tab > Services > Email > Setup. Then click Edit next to From Field.
Fill in Default From Address and select Yes next to Always use Default From Address.

Card Reader Policies
Its function is to determine whether a USB card reader needs to be plugged in for authentication
to take place. For example, if this is set to yes and there is no USB Card Reader attached, you
can not use pin only authentication.
Go to the Properties tab > Login/Permissions/Accounting > Login methods
Creating color copy rule
Color copy restriction rules documented below are used only when property
xeroxAccessDefinitionMethod is set to LDAP and property enableXeroxAccessDefinition is
set to Enabled. Rules for application restriction are created during product installation.
Go to Properties > Login/Permissions/Accounting > User Permissions and then edit User
Permission Roles. Then change tab to Logged-In User.
1. Deleting generated copy rule
a.

1.
a. Ask Xerox field technician for assistance. Generated Copy rule assigned to Copy
application(s) has to be deleted. This action can be done using Access configuration
client contained in Xerox EIP.
2. Creating Copy rule
a. Click on button Make Your Own Permission Roles.
b. Fill role name (e.g. copy) and press Create.
c. In tab Assign Groups to Role into Find / Add Groups input copy and press Add. In list
of Assigned Groups should be visible item copy.
Inserted group name in this step has to be set to copy.
d. In tab choose Services & tools and then set all applications except Copy and ID Card
Copy to Not Allowed. Copy and ID Card Copy should be set to Allowed if not. Color
Copy should be set to Not al lowed.
e. Press Apply and then Close.
3. Creating Copy color rule
a. Fill role name (e.g. copycolor) and press Create
b. In tab Assign Groups to Role into Find / Add Groups input copycolor and press Add.
In list of Assigned Groups should be visible item copycolor .
Inserted group name in this step has to be set to copycolor .

c. In tab choose Services & tools and then set all applications except Copy and ID Card
Copy to Not Allowed. Copy and ID Card Copy should be set to Allowed if not.
d. Press Apply and then Close
Install Certificate Authority certificate
Go to Properties > Security > Certificates > Security Certificates.
Select tab Root/Intermediate Trusted Certificate(s).
Press Install Certificate.
Choose a certificate file path. Enter decryption password. Press Next and follow instructions to
complete installation process.
Secured LDAP
By default secured LDAP (without server certificate validation) is configured during installation
of the device. You can disable it by enabling property internalLdapAllowNonsecureProtocol
and manually disable secured LDAP on device. But you can allow an attacker to bypass
access restrictions for operations on Xerox devices.

Enable server certificate validation for secured LDAP
Issuer of server certificate (CA certificate) has to be uploaded at first.
Go to Properties > Login/Permissions/Accounting > Login Methods. and edit LDAP Servers.
Press Edit... on selected LDAP server.
Scroll to section Secure LDAP Connection.
1. Enable Secure Connection (LDAPS)
2. Enable Validate Server Certificate (trusted, not expired, correct FQDN).
3. Select issuer of the server certificate from dropdown menu Root/I ntermediate Trusted
Certificates.
LDAP server certificate is the same which is configured in Terminal Server for secured
connection with devices. Follow these instructions Configuring secured connection between
terminals and Terminal Server.

Press Apply.
Some devices need reboot. If notification appears on the screen then press OK.
Xerox ColorQube 93xx configuration differences
This document has been created based on Xerox WorkCentre ColorQube 9303 (FW
072.180.104.14800).
Enabling Network accounting
1. Go to Service menu on the embedded terminal Tools > Accounting Settings > Accounting
Mode.
2. Set Accounting Mode to Network Accounting and then use Customize Prompts.

2.
3. Set Customize User Prompts to Display No Prompts and use Save.
Configuring custom application names - Xerox
You can change YSoft SafeQ Print application name, YSoft SafeQ Scan application name and
YSoft SafeQ Billing Codes application from YSoft SafeQ web administration.
How to change
4. Search printApplicationName, scanApplicationName or billingCodesApplicationName

depending on which application name do you want to change.
5. Edit value for each configuration option.
6. Save changes.
7.

8. Restart printers to load new application name (On some devices user login/logout is enough
to load new application name).
Configuring Xerox MFD built on Endeavor
This manual was created based on Xerox WorkCentre 7535 and should be applicable to most
MFPs built on Endeavor™, although slight differences may occur. Please note additional
documents for the 56xx, 57xx and 76xx.
Before installation of YSoft SafeQ Embedded Terminal

Time settings
Go to the Properties tab > General Setup > Date and Time.
Make sure to set the time to match the YSoft SafeQ server time or specify automatic time
configuration via NTP server.

Network Accounting
Go to the Properties tab > Accounting > Setup and click on Edit...
On some older firmwares this menu is not available and Network accounting must be set
using a device panel.
Then choose Network accounting and save the changes.

Then go to User Accounting Prompts/Validation.
Choose to Display Prompts for labels, disable Validation and enable Prompt for all services.

FTP mode
Go to the Properties tab > Connectivity > Protocols > FTP/SFTP Filing. Set the Mode to Active
and click Apply.
Include username with validation request
Go to the Properties tab > Services > Custom Services > Validation Options. Enable the Include
User Name with validation request option.

Web Services for Devices
Go to the Properties tab > Connectivity > Protocols > WSD and enable the Web Services for
Devices (WSD).
Scan services for scanning with workflows
You will need to enable Scan Template management in device configuration for scanning with
workflows later.
Go to the Properties tab > Connectivity > Protocols > HTTP > Web Services and then enable the
options Scan Template Management and Scan Extensions.

print only in case of an error. Otherwise, there might be a page printed every time someone uses
the Scan option in YSoft SafeQ terminal.

Go to the Properties tab > Services > Workflow Scanning > General. Set Confirmation Sheet to
Errors Only.
SNMP settings
Go to the Properties tab > Connectivity > Protocols > SNMP. Enable the option Enable SNMP v1
/v2c Protocols. Click Apply and continue to Edit SNMP v1/v2c Properties.

Set the Community Name (Read/Write) accordingly:
USB Card Reader settings
Go to the Properties tab > Security > Authentication > Setup > Xerox Secure Access Setup,
click on Manually Override Settings on the bottom of the page and make the configuration
according to the picture below:

Save the settings and check whether your card reader is supported.
You may need to reload the page after some time to see the proper status of the card reader.

Proceed with the MFD installation in SafeQ to complete the installation of YSoft SafeQ
If there are some warnings present during the installation, you will need to do some further
settings based on the messages.
After installation of YSoft SafeQ Embedded Terminal
These settings are necessary only if requested by the Embedded Terminal installation or if
some customization of configuration is requested.
Extensible Service Browser
Go to the Properties tab > General Setup > Extensible Service Setup. Enable the Extensible
Services Browser option and Export password to Extensible Services option (you can also
check that Verify server certifcates is disabled).

User Permissions Roles
Go to the Properties tab > Security > Authentication > Tools & Feature Access. Select Custom
Access.
If you use device authentication mode To device, on the Services & Tools tab check that the
Role State of the Services Pathway is set to Not Allowed.
You can configure Machine Status Pathway and Job Status Pathway locks freely.

If you use device authentication mode To each application, set the options accordingly. Note that
for some WorkCentre models, it is necessary to use only Per application settings for proper
functionality.

Convenience Authentication
Go to the Properties tab > Security > Authentication > Setup > Xerox Secure Access Setup,
click on Manually Override Settings on the bottom of the page.

Check that Accounting Information is applied automatically. It can be modified by selecting
Automatically apply Accounting Codes from the server.
Job Limits
Some devices may not support this feature.
This setting is necessary only if you are using the Payments feature of the YSoft SafeQ
Embedded Terminal.
To enable Job Limits service, go to the Properties tab > Accounting > Setup and click Edit next
to the Job Limits item. Select the check box for Job Limits. Click Apply.

Xerox ColorQube 92xx configuration differences
1. Go to Service menu on the embedded terminal Tools > Accounting Settings > Accounting
Mode.

2. Set Accounting Mode to Network Accounting and then use *Customize Prompts*.
3. Set Customize User Prompts to Display No Prompts and use Save.

Xerox WorkCentre 56xx configuration differences
This document has been created based on Xerox WorkCentre 5655 (FW 025.054.060.00035)
Setting Date and time (on the 56xx series this is set form the local UI).
1. Log on the device as admin and access the tools menu. Select System Settings.
2. Select Time and Date.
3. Select Greenwich Mean Time Offset and set the time zone.

4. Select Date and Time and set the values.
5. Make sure that you set both date and time before selecting reboot.

6. Once all values are set, select the Reboot button
1. Disable Xerox Standard Accounting: Properties > Accounting > Xerox Standard Accounting
> Enablement.

2. Go to Service menu on the embedded terminal Access and Accounting.
3. Go to the Authentication Mode.
4. Set Network Accounting on.
5. Go to the Network Accounting Setup.

6. Go back and use Network Accounting Authentication.
7. Disable Network Accounting Authentication Setup.
8. Go back and use Network Accounting Login Display Mode.

9. Set Network Accounting Login Display Mode to Display User ID Details and Display
Account ID Details.
This document has been created base on Xerox WorkCentre 5755 (System FW
061.130.220.35400, Net Controller FW 061.130.32701).
1. Disable Xerox Standard Accounting: Properties > Accounting > Xerox Standard Accounting
> Enablement.
2.

2. Go to Service menu on the embedded terminal Tools > Accounting Settings >
Authentication.
3. Set Network Accounting – on.
4. Go to the Network Accounting Setup.

5. Select Network Accounting Authentication.
6. Disable Network Accounting Authentication Setup.

7. Go back and use Network Accounting Login.
8. Set Network Accounting Login Display Mode to Display User ID Details and Display
Account ID Details.

This document has been created based on Xerox WorkCentre 7665 (FW 040.033.53375)
Setting Date and time (on the 76xx series this is set form the local UI).
1. Log on the device as admin and access the tools menu. Select Device Settings > General.
2. Select Date and Time.

2.
3. Enter the Date and select Set Time.
4. Make sure that you set both date and time before selecting reboot.
5. Once the device is back online, log back on the device as admin and access the tools menu.
Select Device Settings > General.

1. Disable Xerox Standard Accounting: Got to Properties > Accounting > Xerox Standard
Accounting > Enablement.
2. Go to Service menu on the Device UI, login and access Accounting.

3. Go to the Accounting Mode.
4. Set Network Accounting on.
5. Go to the Customize Prompts.
6. Select Display Prompt 1 and 2.
7. Enter any string for the defaults.

7.
8. Save, go back and use Code Entry Validation and select Disable.
9. Select Save.
Configuring device SSL Certificate
1. Select Connectivity > Protocols > HTTP.
2. Depending on the customers environment you can either create a self signed certificate or
work with their IT to load their device certificate.
3.

3. Select the link Configure Machine Digital Certificate and follow choices.
4. Enable both ports 80 and 443 as below. Select Save.
5. Go to services WSD and enable as below.
6. Go to Properties > Accounting > Xerox Standard Accounting > Enablement and disable
Xerox Standard Accounting.

7. Select Save.
Set Include username with validation request
Go to the Properties tab > Services > Custom Services > Validation Options. Enable the Include
User Name with validation request option.
Set scan reports to errors only
Go to Properties > Services > Network Scanning > General and set confirmation sheet to Errors
Only.
Configure SNMP Settings
1. Go to the Properties tab > Connectivity > Protocols > SNMP. Enable the option Enable
SNMP v1/v2c Protocols. Click Apply and continue to Edit SNMP v1/v2c Properties.

1.
2. Configure the Community Name (Read/Write) accordingly:
Enable Web Services
1. Go to Properties > Connectivity > Protocols > HTTP.
2. Select Web Services.
3. Enable all.

Configuring Xerox MFD with Fuji Xerox controller
This manual was created based on Xerox WorkCentre 5335 and should be applicable to most
MFDs with Fuji Xerox controller, although slight differences may occur.

Network Accounting
This option may not be present on your MFD.
Go to the Properties tab > Accounting > Accounting Configuration and configure accounting
according to the image below.

Time configuration
At the printer control panel, press the Machine Status button and switch to the Tools tab. Then
touch System Settings > Common Service Settings > Machine Clock/Timers.
FTP
Go to the Properties tab > Connectivity > Port Settings > FTP and enable the FTP Client.
Go to the Properties tab > Connectivity > Protocols > FTP and set Transfer Mode to Active
Mode. Click Apply.
Extensible Service Setup
You will need to enable plug-in support in General Setup > Extensible Service Setup > Edit.

Then you can enable all extensible services: Scan Services, Security, Remote System
Management.
Once you apply the changes set above, navigate back to the Extensible Service Setup page and
enable Export password to Extensible Services and Enable the Extensible Services Browser.
Apply the configuration changes.

SNMP
You will later need to fill proper SNMP community in device configuration. You can check current
MFD setting under Properties > Connectivity > Protocols > SNMP Configuration > Edit SNMP v1
/v2c Properties.
In device configuration, corresponding Community Name (Read/Write) has to be filled.

Scan Services
workflows.
Then you need to enable scan accounting in Accounting > Accounting Configuration > Auditron
Mode*.

Apply accounting codes
This option may not be present on your MFD.
Go to the Properties tab > Security > Remote Authentication Servers > Xerox Secure Access
Settings and enable Get Accounting Code. Click Apply.
USB Card Reader

You will need to enable plug-in support in Security > Plug-in Settings > Plug-in Settings.
Please note that you can obtain the plug-in from Xerox, Y Soft Group has no rights for its
distribution.
Then you can upload a new plug-in in Security > Plug-in Settings > List of Embedded Plug-ins.

Choose path to file with the plug-in and upload it to the printer.
Successful plugin installation and activation can be verified in Security > Plug-in Settings > List
of Embedded Plug-ins in Status column.

Device and Service Access
User access rights must be configured globally (only if LDAP is properly set-up, user logins/aliases
can be used for per group access rights, but it still has to be configured manually per device). Go
to the Properties tab > Security > Authentication Configuration and click Next.
Configure the Device Access and Service Access.

For Device Access:
a) If you chose device authentication mode To device, make sure that Services Pathway is
locked.
b) If you chose device authentication mode To each application, make sure that Services
Pathway is unlocked.
In both cases you can configure locks on other services freely.
For Service Access:

a) If you chose device authentication mode To device, there are no settings to do here
b) If you chose device authentication mode To each application, make sure that YSoft SafeQ is
locked, other services may be unlocked.
Configuring Xerox MFD with Samsung controller
This manual was created based on Xerox Phaser 3635 and should be applicable to most MFDs
with Samsung controller, although slight differences may occur.

Time configuration
At the printer control panel, press the Machine Status button and switch to the Tools tab.
You may need to be logged on as the devise Admin account to perform these settings. Then
touch Device Settings > Common Service Settings > Machine Clock/Timers.

Custom Services
Go to the Properties tab > Services > Custom Services and do the following settings:

SSL
Create a new secure certificate and enable SSL.

Go to the Properties tab > Security > Machine Digital Certificate and check Installed
Certificates. When a certificate is not created, create new Self signed certificate.
Then go to Connectivity > Protocols > HTTP and enable the SSL.

That you have to reload the page after you enable SSL if it was disabled before. Next time,
you will be redirected to secured page (https). Also remember you have to recreate the
certificate if you change the IP address of the device, as the certificate is IP-relative.
Network Accounting
Go to MFD panel and log in as admin, then go to Tools > Accounting > Accounting Enablement >
Authentication Mode, choose Network Accounting and save the settings.
Then go to Network Accounting Setup > Network Accounting Authentication and Disable
authentication.
Save all values and log out from the menu.

Authentication
Go to the Properties tab > Security > Authentication > Authentication > and choose Require
Network Authentication and other required options:

You may need to set the "Default From" address, so go to Services > E-mail Settings >
Defaults and set From Address to any e-mail value, e.g. test@safeq.com
SNMP
MFD setting under the Properties tab > Connectivity > Protocols > SNMP.

Click Edit and set community names accordingly:
Scan Services
Go to the Properties tab > Services > Network Scanning > Scan Template Management and
select the enabled check-box.

USB Card Reader
Go to the MFD panel and log in as admin, then go to Tools > User Interface > General > SFO and
enable 35 and save.

Device and Service Access
This feature is unavailable on this MFD.
Configuring Xerox WorkCentre 4265 EIP
This document has been created using WorkCentre 4265
You must enable Network accounting using Network Accounting Kit 098S04928.
Enabling SSL
SSL can only be enabled and configured from an internal web page of the MFD. Create a new
secure certificate, and enable SSL.
Go to Properties tab > Security > Machine Digital Certificate, and check Installed Certificates.
If a certificate has not been created, create a new Self Signed Certificate.

Select Self Signed Certificate in order to Establish a Self Signed Certificate on this machine.
Enter the company information, set the days of validity to max, and press Apply.

Then go to the Properties tab > Connectivity > Protocols > HTTP, and enable SSL.
Note that you have to reload the page after you enable SSL if it was disabled before. The next
time, you will be redirected to a secured page (HTTPS). Also remember that you have to
recreate the certificate if you move the device to another IP as the certificate is IP related.
Enabling JBA ("Network Accounting")
Turn on the Network Accounting (formerly called JBA) technology if you are using MFD
specific accounting instead of SNMP or job analysis accounting.

It is also required for On-box and Off-box user verification (otherwise, it must be turned off)
Go to the Properties tab > Login/Permissions/Accounting > Accounting method, and select
Network Accounting.
You then must configure the Accounting workflows, User Accounting Prompts, and Validation for
Accounting Codes. Click the respective Edit buttons.
Accounting Workflows:
Note that settings other than Capture Usage will cause a malfunction. For example, selecting
the copy function and starting copying will do the scanning part of the process but then MFD
will wait for user verification.

User Accounting Prompts:
Validation for Accounting Codes:
Time Settings
The device time setting should be the same as the YSoft SafeQ server.
Go to the Properties tab > General Setup > Date and Time. Make sure you set the time to match
the YSoft SafeQ server time or specify automatic time configuration via an NTP server.

SNMP Community Setting
You will later need to enter a proper SNMP community in the device configuration.
Go to the Properties tab > Connectivity > Protocols > SNMP. Enable SNMP, and then click Edit in
the Edit SNMP properties row.
Set the Community Name (Read/Write) accordingly:

Checking Enabled Features
A Xerox device might come with many options disabled by the factory settings. Go to
Template Management Services: Properties > Services > Web Services
Please ensure the following options are enabled:

Custom Services: Properties > General Setup > Extensible Service Setup
Scan Confirmation Sheet:
print only in case of an error. Otherwise, a page might be printed every time when someone
uses the Scan option in YSoft SafeQ Embedded Terminal.
Go to the Properties tab > Services > Workflow Scanning > Confirmation Report Override

Set Confirmation Report Override to Errors Only.
Disabling the Device Start-Up Page and Banner Page
Disabling the Device Start-Up Page
Go to the Properties tab > Services > Printing, and set Device Start-Up Page to Disabled.
Disabling the Banner Page
Go to the Properties tab > Services > Printing, and set Banner Page to Disabled.
Configuring Global User Access
Configuring the Convenience Authentication settings
Go to the Properties tab > Login / Permissions / Accounting > Login Methods and select
Convenience Authentication.
Also enable User can login at device if card is not available.

Configuring User Permissions Roles
Go to the Properties tab > Login / Permissions / Accounting > User Permissions. Click the
yellow pen Edit icon in the Non-Logged-In (Guest) User Role.
In Manage Permissions, set the permissions so that all Services Pathway options are set to Not
Allowed.

Go ahead and finish the installation as described in Installing YSoft SafeQ Embedded
Terminal for Xerox EIP, then return to do the next settings.
After Installation – Access Checking
After you have installed the YSoft SafeQ Embedded Terminal, you can check that Convenience
Authentication is set correctly:
Go to the Properties tab > Login/Permissions/Accounting > Login Methods.
Then click the yellow pen Edit icon next to Convenience Authorization Setup .
On the Convenience Authentication Setup page, check that Accounting Codes are applied
automatically. It can be modified by selecting Automatically apply Accounting Codes from the
server.
Xerox AltaLink EIP configuration
This manual was created based on Xerox AltaLink C8030 and should be applicable to most
AltaLink MFDs, although slight differences may occur.
Xerox AltaLink EIP configuration - Before installation of YSoft SafeQ Embedded Terminal
SNMPv3
Go to Properties → Connectivity → Setup then edit SNMP from list of protocols.

Enable SNMP v3 Protocol and allow SNMP v3 Set. Edit SNMP v3 Properties.
Choose Authentication/Encryption algorithm, enable Administrator Account and fill

Authentication Password and Encryption password used in your organization.

The same SNMP3 settings have to be used in device configuration in SafeQ.
Necessary settings prior to use of Altalink devices for scanning with WebDAV
To be able to scan via WebDAV on Altalink devices you need to change following setting: MFD
Properties menu > General setup > Extensible service setup > Proxy server set to "No proxy"
Xerox AltaLink EIP configuration - After installation of YSoft SafeQ Embedded Terminal when some
installation error occurred
These settings are necessary only if requested by the Embedded Terminal installation.
The "Allow Open Access to Job Information" has to be enabled manually.

The option is available in the MFD Properties menu > Apps > Printing > Printing Web Services >
Web Services:
You need to enable both Job Management Extension and Allow Open Access to Job
Information in order to make it work in Altalink without credentials. It will allow access to any
request to JobManagement API called from localhost and it's totally independent from the
Jobs app in the MFD.
The setting available under Login/Permissions/Accounting > User Permissions > Non-logged-
in User > Apps & Tools is actually just for the Jobs app which is in the device screen and it
seems that actually enables somehow JobManagement API (probably because of
depencencies).
Login without card
Go to Properties > Login/Permissions/Accounting > Login methods and edit Card Reader Setup.
Change Prevent use of device when USB card reader is disconnect to No.

Xerox AltaLink EIP configuration - After installation of YSoft SafeQ Embedded Terminal
Creating color copy rule
Color copy restriction rules documented below are used only when property
XeroxAccessDefinitionMethod is set to LDAP and property enableXeroxAccessDefinition is
set to Enabled. Rules for application restriction are created during YSoft SafeQ 6 installation.
Go to Properties > Login/Permissions/Accounting > User Permissions and then edit User
Permission Roles. Then change tab to Logged-In Users.
1) Restrict color copy for user with copy rights:
a) Press Edit user mapping for __EIP__Copy and __EIP__ID Card Copy (application names are
generated by MFD)
b) In tab choose Apps & tools and change Color copy to Not allowed
c) Press Apply and then Close
2) Create new rule for user with allowed color copy:
a) Press Add new Role. Fill role name (e.g. copycolor) and press Create.

b) In tab Assign Groups to Role into Find / Add Groups input copycolor and press Add. In list of
Assigned Groups should be visible item copycolor.
Inserted group name in this step has to be set to copycolor.
c) In tab choose Apps & tools and then set all applications except Copy and ID Card Copy to Not
Allowed. Copy and ID Card Copy should be set to Allowed if not.
d) Press Apply and then Close

Go to Properties > Security > Certificates > Security Certificates.
Select tab Root/Intermediate Trusted Certificate(s).
Press Install Certificate.

Choose a certificate file path. Enter decryption password. Press Next and follow instructions to
complete installation process.
Secured LDAP
By default secured LDAP (without server certificate validation) is configured during installation
of the device. You can disable it by enabling property internalLdapAllowNonsecureProtocol
and manually disable secured LDAP on device. But you can allow an attacker to bypass
access restrictions for operations on Xerox devices.
Enable server certificate validation for secured LDAP
Issuer of server certificate (CA certificate) has to be uploaded at first.
Go to Properties > Login/Permissions/Accounting > Login Methods. and edit LDAP Servers.

Press Edit... on selected LDAP server.
Only LDAP server with is used for authentication or access restrictions control.
Scroll to section Secure LDAP Connection.
Enable Validate Server Certificate (trusted, not expired, correct FQDN).
Select issuer of the server certificate from dropdown menu Root/Intermediate Trusted
Certificates.
LDAP server certificate is the same which is configured in Terminal Server for secured
connection with devices. Follow these instructions Configuring secured connection between
terminals and Terminal Server.
Press Apply.

Some devices need reboot. If notification appears on the screen then press OK.
Xerox VersaLink EIP Configuration
This manual was created based on Xerox VersaLink C405DN and should be applicable to most
VersaLink MFDs, although slight differences may occur.

Administrator password
Go to Permissions > Login/Logout Settings.
Press Change Password button and insert new administrator password.

Log in as Admin user for next steps.
Disable Automatic print of Startup Page
Automatic print of Startup Page can block device installation. Then some installation steps
fails.
Go to System > Defaults and Policies and click on Startup Page.
In new window choose Do Not Auto Print.

Enable HTTPS, SOAP and WSD
Go to Connectivity then choose HTTP from list of protocols and enable HTTPS, SOAP and WSD.
HTTP configuration:

SOAP configuration:
WSD configuration:

SNMPv3
Go to Connectivity then choose SNMP from list of protocols. New window will appear and then
click on SNMPv3.
Enable SNMPv3. Then enable System Administrator Account and fill Authentication Password
and Encryption password used in your organization.

Same Authentication Password and Encryption password have to be used in device
configuration in YSoft SafeQ.
EIP Settings
Go to the Apps > EIP Settings and enable Export password to EIP Apps.
USB Card Reader
You will need to enable Plug-in feature in System > Plug-in Settings. Also enable Authentication
on Registration. Restart device will be necessary - press Restart Now.
Please note that you can obtain the plug-in from Xerox, Y Soft Group has no rights for its
distribution.

After restart open same window (System > Plug-in Settings) and press Add button.
Choose path to file with the plug-in and upload it to the printer.

After plugin installation restart device is needed.
Successful plugin installation and activation can be verified in System > Plug-in Settings in
Status column.

Proceed with the MFD installation in YSoft SafeQ to complete the installation of YSoft SafeQ
How to enable Job Management API in the MFD
The option is available in Apps > EIP Settings > EIP Web Services > Job Management Extension

VersaLink does not have a “Allow open access to Job Information” setting. This is enabled by
default for localhost calls.
It is important to have the latest software installed in the printer, to avoid any potential
problems.
Network Accounting
Go to Permissions > Accounting Method and Select Network.

In new window Setup Limits. Service URL should contain address of your server and Id of printer
in YSoft SafeQ. In What to Limit section all should be checked.
Pattern of Service URL is https://{ServerIP}:5012/xeroxauthentication/{DeviceId}

/JobLimitsAppServer.asmx
In Tracking Information click on Edit and configure accounting according to the image below.

Lock Guest Access
Go to Permissions and in Guest Access click on Edit > Device User Role.
In new window choose No Access option.

Go to System > Security and select Security Certificates
Select Trusted Root CA Certificates from dropdown menu and press Import.

Press Select to select a certificate from file system. Enter decryption password.
Press Import to import certificate to the device.

Application and feature (color copy, 1-sided) restrictions
Setup LDAP server
This setup should be done automatically during installation process.
Go to Connectivity > LDAP.

Select LDAP Servers/Directory Services.
Fill in IP Address, Port and Search Directory Root. Click OK.
Search Directory Root format: DC=safeq,DC=com.

Enable secured LDAP
You can enable non-secure LDAP communication by enabling property

internalLdapAllowNonsecureProtocol. But you can allow an attacker to bypass access
restrictions for operations on Xerox devices.
Go to System > Security and select SSL/TLS Settings.

Enable LDAP - SSL/TLS Communication and Verify Remote Server Certificate. Then click OK.
Certificate authority certificate used to sign the server certificate has to be uploaded to the
device in order to secured LDAP can work.

Enable LDAP for roles permissions
Rules documented below are used only when property xeroxAccessDefinitionMethod is set
to LDAP and property enableXeroxAccessDefinition is set to Enabled. Rules for application
restriction are created during SafeQ installation.
Go to Permissions > Roles and select Setup LDAP Permissions Groups.

Select LDAP and click OK.
Add User Role
Create roles with appropriate permissions for all LDAP groups listed here.
copycolor Rights to use color copy in native copy application.
copy Rights to use native copy application.
fax Rights to use native fax application.
notrestricte Without any restrictions.

d
sq Rights to use YSoft SafeQ application (YSoft SafeQ Terminal Application - 1st
Gen).
sqbillingcod Rights to use YSoft SafeQ Billing Codes application (YSoft SafeQ Terminal
es Application - 2nd Gen).
sqprint

Rights to use YSoft SafeQ Print application (YSoft SafeQ Terminal Application
- 2nd Gen).
sqscan Rights to use YSoft SafeQ Scan application (YSoft SafeQ Terminal Application
- 2nd Gen).
Go to Permissions > Roles and select Device User Roles.
Click on Edit for Basic User. Then choose Custom Permissions and press Setup.
In Custom permission Setup dialog set Access value of each application in list to Hide.

When all applications are set to Hide then close Custom permission Setup dialog and press OK
button to save changes.
Click on
on the right hand side. Then select Add New Role.

Write down any user role name. Select Custom Permissions and then click Setup.
Example of Copy permissions.

Set access value of others application to Hide to properly working application restriction. Allow
value should be set only for role where we expect application will be enabled.
For Basic User set all application to Hide.
Add LDAP Group
Go to Permissions > Roles and select Edit LDAP Groups.

Click on
on the right hand side.
Fill in the search text and click on
. Select LDAP group. Click Next.
LDAP server has to be configured in order to fetch the LDAP groups.

Select previously created Device User Role and click Next.
Select default Printing User Role and click Done.

Xerox WorkCentre 52xx EIP Configuration
This document has been created based on Xerox WorkCentre 5230 (FW 1.207.8)
Enabling JBA ("Network accounting")
If JBA technology is required for accounting (you are using MFD specific accounting instead of
SNMP or job analysis accounting), it must be turned on.
Furthermore, for Onbox and Offbox user verification has to be set on (otherwise, it has to be set
off).
Enable Network Accounting: Properties > Accounting > Accounting Configuration.
Enable Custom Services: Properties > Services > Custom Services > *Custom Services.

Checking enabled features
Xerox device may come with many options disabled by factory settings. Please ensure following
options are enabled:
FTP: Properties > Connectivity > Protocols > FTP
Check Export User validation: Properties > Services > Custom Services > Validation Options >
Enable Export User Name.

Configuring Xerox Secure Access
Xerox secure access: Properties > Security > Remote Authentication Services > Xerox Secure
Access Settings.
SNMP Community setting
/v2c Properties.

Scan Services
workflows later. You can check current MFD setting under Properties > Connectivity > Protocols
> HTTP. Scan Template Management and Scan Extensions should be enabled (You can check
also Security setting – Xerox Secure Access and Authentication & Authorization Configuration).

Post-installation checks and additional settings
can be used for per group access rights but it still has to be configured manually per device).
Authentication mode: Properties > Security > Authentication Configuration
Check current settings and click Next.
Click on Configure... button for Service Access.

Click on Next button for Service Access (on previous page).
a) If you chose device authentication mode To device, make sure that all services are locked.
In case you change title of your application and reinstall the embedded terminal, the YSoft
SafeQ application can get unlocked. In that case, please lock the application again manually.
Xerox WorkCentre 74xx EIP Configuration
This document has been created based on Xerox WorkCentre 7435 (System FW 75.3.1,
Controller + PS ROM 1.222.18) and updated based on System FW 75.14.43
Enabling JBA ("Network accounting")

If JBA technology is required for accounting (you are using MFD specific accounting instead of
SNMP or job analysis accounting), it must be turned on.
Furthermore, for Onbox and Offbox user verification has to be set on (otherwise, it has to be set
off).
Enable Network Accounting: Properties > Accounting > Accounting Configuration and
Customize User Prompts.
Match the settings in the screenshot below and select Apply. Select reboot.
Hide mask for login screen: Properties > Accounting > Accounting Login Screen Settings.
Checking enabled features
Xerox device may come with many options disabled by factory settings. Please ensure following
options are enabled:
FTP: Properties > Connectivity > Port Settings > FTP Client.
Make sure proper settings are applied, select Apply. Select reboot.

Check Export User validation: Properties > Services > Custom Services > Validation Options >
Enable Export User Name.
Match the settings in the screenshot below and select Apply. Reboot is not required.
Configuring Xerox Secure Access
Xerox secure access: Properties > Security > Remote Authentication Services > Xerox Secure
Access Settings (texts illustrate situation before SafeQ Embedded Terminal installation).

SNMP Community setting
/v2c Properties.

Scan Services
workflows later. You can check current MFD setting under Properties > General Setup >
Extensible Service Setup. Export password and Enable the Extendable Services Browser
should be enabled.
Edit Extensible Services Setup. Scan Template Management and Scan Extensions should be
enabled.

Proceed to MFD installation in SafeQ (Page ) to complete the installation in SafeQ.

Post-installation checks and additional settings
can be used for per group access rights, but it still has to be configured manually per device).
Authentication mode: Properties > Security > Authentication Configuration.
Check current settings and click Next.

Click on Configure... button for Service Access.
Click on Next button for Service Access (on previous page).
a) If you chose device authentication mode To device, make sure that all services are locked.

In case you change title of your application and reinstall the embedded terminal, the YSoft
SafeQ application can get unlocked. In that case, please lock the application again manually.
5.5.4.3 Embedded Terminal installation
Before installation
1. Make sure that the device is configured properly. See the configuration guides for more
information.
2. Configure the device. See the configuration guides for more information.
Adding a device with terminal to YSoft SafeQ
1. Log in to the YSoft SafeQ web administration, and use account authorized to manage the
system.
2. Open Devices > Printers from the menu. Click the Add Device button.

3. General section
Here enter the necessary details to identify a device. Please note that Name and Network
address are mandatory and must be unique. Here is a list of all available options for each
device.
Name - name your device. The name will be used to identify the device in YSoft SafeQ.
Tip: Make sure to call all devices in a similar manner (e.g. model number) for easier
troubleshooting.
Location or description - you can specify further details to recognize the device in the
system and to describe exact placement of the device.
Device Group - this option defines in which group will the device be placed. Choose
from existing groups.
Terminal type - you can choose embedded terminal for the exact vendor.
Network address - mandatory configuration. Network address must be unique within a

group or the Spooler Controller server. You can also use a domain name instead of IP
address.
Spooler controller group - this option defines in which Spooler Controller will the device
be registered. Choose one from the existing Spooler Controller groups.
Accounting type - configuration defines the type of accounting to be used.
Accounting driver - it is used for online accounting on external devices and also for
device monitoring in the rest of terminals.
Price list - configured prices are used for accounting print, copy and scan jobs
performed at the device. Prices are defined in the assigned price list.
Reporting cost center ID - device may belong to a particular cost center. Choose from
existing cost centers.

Terminal section
Here is a list of all available options for each device.
Authentication method – Select the authentication method.
Terminal type - When multiple types of terminal are available for the given vendor,
select the terminal type to install
QR code size - Select the size of QR code. The link for the QR code will be available after
the device is saved for the first time.
(Advanced only) Admin username and Admin password
If it's necessary to use another admin username or password than global ones, it
must be filled in.
In case the admin username or password is filled, then these custom credentials are
used, thus only in case when both administrator username and password is empty,
then global credentials are used.
(Advanced only) Scan feature - Enable this option if you want to enable YSoft SafeQ
scanning features.
(Advanced only) Application feature - Enable this option if you want to enable YSoft
SafeQ printing features.
(Advanced only) Payment feature - Enable this option if you want to use Payment
System with this device. When enabled, users with money accounts will be charged for
print, copy and scan activity according to the appropriate price list.
(Advanced only) Printing application layout – Select the layout of the print application
and folders displayed to the user.

(Advanced only) Authentication mode – Keep the To device option. Users must
authenticate to unlock the device and access any of the features. This option is
available only for specific vendors.
1. Direct printing section
This part allows you to specify direct queue(s) which enable the device to receive jobs
without the need for the user to authenticate at the terminal (note: the print job is still
authorized in YSoft SafeQ). For each direct queue, you can enable or disable deleting the
print jobs after being printed out (released at the printer) by choosing the option Delete
after printing (in the Miscellaneous part).Tags section
Tags - tab enables different print languages or user tags for the device. All print
languages are enabled by default. This configuration must match tags for each job and
also supported options on the device.
For Xerox devices that use XCPT tickets, make sure the checkbox XCPT-Xerox (in
Device detail page) is checked when installing the Embedded Terminal. Otherwise, some
finishing options might not work.

SNMP section (Advanced)
This part allows configuration of SNMP v2 and SNMP v3 used with the device.
SNMP read-only community for remotely accessing the device states.
SNMP read-write community for remotely reading and writing to device properties.
Context
Context name
Privacy password
Privacy algorithm
Authentication username
Authentication password
Authentication algorithm
Message encoding
Meta section (Advanced)
Equipment ID
Service Agreement ID
Contact person
Backend section (Advanced)
This part refers to network protocol used for communication with the device and used for
printing at the device.
Backend - network protocol used for communication. The following network protocols
are available:
IPP - provides a standard network protocol for remote printing as well as for
managing print jobs, media size, resolution, etc.
IPP over SSL - basic IPP with job encryption over SSL.
TCP/IP Raw - TCP/IP with a raw socket that allows access to the underlying
transport provider.
Network port - a port number that device uses for communication. This option depends
on the selected print backend.
Queue name - queue name used for communication with the device.
Job encoding - encoding type used by the device. Encoding is defined by print driver
used by the users at the time of creating a print job.
Miscellaneous section (Advanced)
Limit scan addressee

Delete jobs after print
Monitor device state (available only for YSoft SafeQ Embedded Terminal for Konica
Minolta, Develop, Olivetti and Aurora)
Advanced accounting section (Advanced)
Here it is possible to select to enable particular accounting method (this is an optional

configuration).
Online accounting
Offline print accounting
Offline copy accounting
Coverage accounting - black prints
Coverage accounting - color prints
Some options are available for editing only in the Advanced view. You can choose
between Basic and Advanced in the top right corner. If any Advanced option is changed
from its default value it will become editable also in the Basic view until its value is
changed again to default.
2. Once you have entered all necessary information, click on the Save changes button. After
confirmation, the device will be automatically reinstalled with updated configuration and
embedded terminal.
3. The embedded terminal is being installed. A new window with installation progress will
appear.
4. After installation is completed, a message Device installation is complete is displayed.
Should the installation process encounter any issues, please open the installation details
with more information about the error.
5. If you need to change the settings of an already installed device or terminal, go to Devices >
Printers, click the edit icon of the required printer. Please note, that some settings may
require terminal reinstallation, which will occur automatically after saving the changes.
After an installation of the first OKI or Toshiba device, it is necessary to restart the Spooler
Controller service. Otherwise users would not be able to authenticate.

External authentication method installation
External (other methods) authentication method is valid only for Xerox devices.
Enable external authentication method
4. Search and enable allowExternalAuthentication.
This authentication method is disabled by default.
5. Save changes.
Setup device to use external authentication
2. Go to Devices > Printers.
3. Click on Edit on a selected device.
4. Scroll down to Terminal section.
5. Select External (other methods) in authentication method dropdown.
6. R e i n s t a l l terminal.
This configuration only disable YSoft SafeQ authentication feature. Authentication itself has to
be configured manually on every device.

Limitations
SW logout button cannot perform logout from the device. HW button has to be used instead.
Time on Xerox devices has to sync with terminal server time to ensure that correct billing
code will apply.
Billing code change on terminal is not reset to default when user is logged out from device.
Print All after authentication is not supported.
Payment System can not be used with this type of authentication.
External authentication method is enabled in YSoft SafeQ (allowExternalAuthentication set

to enable). Then any device with installed External authentication method can be used by
attacker to steal user jobs data.
5.5.5 CONFIGURING TERMINAL FAILOVER
Terminal failover in YSoft SafeQ 6 can be achieved using Spooler Controller Groups. Once you add
two servers into a Spooler Controller Group, you can start using terminal failover. Creating Spooler
Controller Groups is described in Configuring Print Roaming.
When you create a Spooler Controller Group, you also need to choose how you want to achieve
the terminal failover. YSoft SafeQ 6 supports two options: application-level failover and network-
level failover. For network-level failover, you need a 3rd party network failover solution, which is
not part of YSoft SafeQ 6 installation. This includes software like Windows NLB, NetScaler, or
hardware load balancers like F5 BIG-IP.
5.5.5.1 Application-level failover
Application-level failover does not require any other 3rd party solutions and terminals are
connecting directly to Site Servers, choosing a node from the Group automatically. When one
server fails, the terminal will automatically reconnect to another healthy node.

Application-level failover configuration for each supported terminal:
Enabling application failover on YSoft SafeQ Embedded Terminal for Konica Minolta
Enabling application failover on YSoft SafeQ Embedded Terminal for Ricoh (Java)
Enabling application failover on Terminal Pro 4
Automatic configuration of failover servers
The list of IP addresses from which the terminals choose a server to connect to is, by default, the
same as the list of IP addresses of the Site Servers in the Group.
Manual configuration of failover servers (optional)
failoverAddresses is applicable for YSoft Terminal Pro 4, Terminal Professional v3.5 and
Terminal Ultralight. For Embedded Terminals, it is currently available for Ricoh (Java).
Do not use failoverAddresses in environments where enableEtcd property is set to Enabled.

This might lead to misconfigured etcd on some nodes in certain failoverAddresses
configurations.
If you need to use only a subset of IP addresses of the Site Servers in the Group, you can add
the configuration property "failoverAddresses" into the <appSettings> section in the
<SafeQ_dir>\SPOC\terminalserver\TerminalServer.exe.config file. The value should be a comma-
separated list of IP addresses. The list shall include the IP address of the server on which it is
configured. Then, terminals installed from the server with this configuration will use only the IP
addresses listed in the configured value.
Example

<add key="failoverAddresses" value="IP_address_1,IP_address_2" />
5.5.5.2 Network-level failover
Network-level failover can be used in case YSoft SafeQ 6 does not support application-level
failover for the terminal type you need or if you seek advanced features like protection against
DDoS attacks.
Network-level failover is supported on the following terminal types:
YSoft SafeQ Embedded Terminal for Brother
YSoft SafeQ Embedded Terminal for Epson
YSoft SafeQ Embedded Terminal for Fuji Xerox
YSoft SafeQ Embedded Terminal for Fuji Xerox XCP
YSoft SafeQ Embedded Terminal for HP
YSoft SafeQ Embedded Terminal for Konica Minolta
YSoft SafeQ Embedded Terminal for Lexmark
YSoft SafeQ Embedded Terminal for OKI
YSoft SafeQ Embedded Terminal for Sharp-eSF
YSoft SafeQ Embedded Terminal for Sharp OSA5

YSoft SafeQ Embedded Terminal for Toshiba
YSoft SafeQ Embedded Terminal for Xerox
You need to use a third party HW/SW failover/load balancer or Microsoft Windows Network Load
Balancing Cluster (WNLB), see the following guides:
Configuring a Third-party Load Balancer for Terminal Failover
Configuring Windows Network Load Balancing for Terminal Failover
And then enable support for Terminal Failover in YSoft SafeQ 6:
Configuring YSoft SafeQ for Network-level Terminal Failover
5.5.5.3 Configuring a Third-party Load Balancer for Terminal Failover
The Requirements for a Third-party Load Balancer
The solution must be based on software or hardware load balancer in the customer's network
(black box Failover and Load balancing). The unit of failover and load balancing is one Spooler
Controller Group. The Spooler Controller Group is represented from the perspective of MFDs by
one and only one virtual IP address or FQDN (reverse lookups have to be configured) which is
held by the load balancer. This virtual address will be used by MFDs and YSoft SafeQ Terminals.
Following requirements are expected to be delivered by the load balancer for Terminal Failover:
It shall make failover decision based on the state of appropriate Windows Services as reported
by Service Control Manager of individual servers running SPOC/TS services AND/OR based on
the availability of selected TCP ports. If TCP based monitor is in place, required ports for
monitoring are 5555 (for SPOC service) and 5022 (for TS service). The TCP monitor must
finish connection after SYN - ACK with RST, not with FIN. Our recommendation for monitoring
period is 5 seconds with node considered down after 3 unsuccessful attempts. Node shall not
be considered up immediately but after defined time which must be based on real time
required for Management/Site Server to start.
The load balancer shall honor affinity between MFDs and particular SPOC/TS service instances
in the Spooler Controller Group based on the prior decisions made by the load balancer and
configurable timeout window. I.e., when the load balancer decides to connect an MFD with a
particular SPOC/TS service, it must connect the MFD to the same SPOC/TS service if
connection (incl. DNS lookup) attempts are made by the MFD before the configurable timeout
elapses. Affinity needs to be set for a minimum of 30 minutes.
The load balancer shall distribute requests among SPOC/TS nodes in the Spooler Controller
Group uniformly.
The load balancer shall distribute requests from MFDs to SPOC/TS based on Network
Communication (typically TCP ports 5011 - 5025 and ports for FTP/WebDAV)

The load balancer shall handle monitoring and reporting of the service failures on its own.
Health Check
Ports required to be monitored using TCP Half Open health check:
Port Service Method
5555 SPOC Service TCP Half Open
5022 Terminal Server TCP Half Open
Ports Pass through
The following ports are required to be passed to a specific node of the load balancer:
Please note, all the ports should be passed to the same node per request window as defined
by persistence, please do not split the ports to different nodes.
Ports Service Method Affinity /

Persistence /
Stickiness
5011 through to 5025 Terminal Least 30 Minutes

Server connection
Method
5610 Terminal Least 30 Minutes

Server Connection
(WebDav) Method
21 Terminal Least 30 Minutes

Server (FTP) Connection
FTP Implementation is PASSIVE FTP and will Method
require port > 1024 to be passed, refer to
FTP explanation below.
FTP Tech Note
The most popular FTP implementation is the Passive or PASV mode. PASV-mode FTP connections
are the default on most popular browsers. One of the major advantages of PASV mode is that the
server does not need to create a new inbound connection to the FTP client. As we’ll see later,
this makes PASV-mode FTP a bit more firewall-friendly.
A PASV mode FTP sequence of events would go like this:
1. FTP client: This opens random response ports in the high number range. (For the purposes
of this example, we’ll assume ports TCP 6000 and TCP 6001.)
2.

2. FTP client: This sends a request to open a command channel from its TCP port 6000 to
the FTP server’s TCP port 21.
3. FTP server: This sends an “OK” from its TCP port 21 to the FTP client’s TCP port 6000. The
command channel is now established.
4. FTP client: This sends a PASV command requesting that the FTP server open a port
number that the FTP client can connect to establish the data channel.
5. FTP server: This sends over the command channel the TCP port number that the FTP client
can initiate a connection to establish the data channel. In this example, the FTP server
opens port 7000.
6. FTP client: This opens a new connection from its own response port TCP 6001 to the FTP
server’s data channel 7000. Data transfer takes place through this channel.
Note that the PASV-mode FTP client initiates all connections. The FTP server never needs to
create a new connection back to the FTP client.
Firewalls and FTP
FTP modes pose distinct security challenges, depending on whether you’re the client-side or the
server-side firewall administrator.
PORT-mode FTP client-side firewall
How do you handle PORT-mode requests made from your FTP clients?
You need to allow both inbound and outbound connections to support PORT-mode FTP client
requests made from behind your firewall:
Outbound: TCP port 21
Inbound: TCP ports 1024 and above
YSoft SafeQ settings
1. Log in to the YSoft SafeQ Web Interface with sufficient rights to administer printers (for
example, "admin").
2. Go to System > System settings
3. Set enableNetworkLoadBalancer property to enabled and save the configuration.
Terminal Server settings
Please note that it is assumed all the SPOC servers part of the NLB group are also in SPOC Group
configuration.

Configuration file on Terminal Server nodes
Perform these steps on all YSoft SafeQ servers that are part of the Spooler Controller group:
1. Set YSoft SafeQ Terminal Server to use the Load Balancer's virtual DNS name:
a. Edit the file <SafeQ_dir>\SPOC\terminalserver\TerminalServer.exe.config.
b. Set the Load Balancer's virtual DNS name in the networkAddress parameter.
c. Into the AppSettings section of the config file add new scanServerIp parameter and
set it to the physical IP address of the local TS node.
<add key="scanServerIp" value="physical_IP_address" />
d. Save the file.
2. Restart YSoft SafeQ Terminal Server services to apply the settings.
Additional YSoft SafeQ Configuration
Finish YSoft SafeQ configuration by following Configuring YSoft SafeQ for Network-level Terminal
Failover.

5.5.5.4 Configuring etcd for failover support in Terminal Server
Enable etcd
example, "admin").
3. Set enableEtcd property to enabled and save the configuration.
4. Restart the YSoft SafeQ Terminal Server service on all Management and/or Site servers.
5. Reinstall Embedded terminals after this change.
When enabled, etcd will be run with Terminal Server.
Configure etcd ports
example, "admin").
2. Go to System > Configuration
3. You can change etcdServerPort and etcdClientPort properties.
4. After changing properties, restart the YSoft Terminal Server service on all Management and
/or Site servers.
5.5.5.5 Configuring Windows Network Load Balancing for Terminal Failover
This article describes how to configure YSoft SafeQ to utilize Windows Network Load Balancing
(WNLB) services for the Terminal Server (an MFD with an embedded terminal) failover.

A Description of the Environment (Terminal Server Failover Using WNLB):
Expected behavior:
A printer with an embedded terminal is able to operate if the node to which it was originally
connected is not running.
Implementation:
In case of a failure or shutdown of the YSoft SafeQ Terminal Server service or SPOC service, the
WNLB node is deregistered from the cluster.
Environment Requirements
MS Windows 2008 R2 servers (Standard or Enterprise) or newer
A properly configured and functional Windows Network Load Balancing cluster
At least one physical IP address for each member of the WNLB cluster reachable from
client workstations (for print job delivery) and from other members of the WNLB cluster
(for cluster synchronization).
A shared virtual IP address of the WNLB cluster reachable from all MFDs on ports
according to Network Communication.
Filtering mode (WNLB Manager > Cluster properties > Port Rules > Edit) is set to Multiple
host with Affinity: Single + Timeout: 30minutes.
If Network Card Reader (NCR) is used in the environment, filtering mode must be set to
Single host and virtual IP of WNLB cluster configured in NCR.
In all host properties - initial host state is set to Stopped (Terminal Server will register the
host to the WNLB once it is ready to accept a connection from the MFD).

Limitations
If the etcd quorum is lost then jobs on an MFD with pull accounting are not accounted during
the downtime of the Terminal Server node that was pulling them (they will be accounted after
the Terminal Server node recovery).
Print jobs stored on the server that encountered the failure are not available for printing.
Best practices
All members of the WNLB cluster must reside on the same subnet.
NLB in unicast mode:
NLB in unicast mode is not compatible with WMware vMotion. If you need vMotion, use NLB in
multicast mode instead. See https://kb.vmware.com/s/article/1573 for details.
Each computer has two network cards.
Two IP addresses per server and one additional clustered IP.
Make sure that the second network adapter (the adapter that is failed over via WNLB) has no
gateway configured.
Make sure the network adapter with the gateway is at the top of adapters and bindings list
(on versions prior to 2016, go to Control Panel > Network and Sharing Center > Change
adapter settings > press F10 on the keyboard > Advanced > Advanced Settings > tab Adapters
and Bindings; for 2016 and newer, use the adapter Metric to set the priority).
Some network monitoring tools (e.g., MAC spoofing prevention) may block the WNLB
communication due to its nature (the MAC address is being masked).
VMware: All members of the NLB cluster must be running on the same ESX host (must be
connected to the single Portgroup on the virtual switch).
VMware: Forged Transmit on the Portgroup is set to Accept.
VMware: Notify Switches Portgroup is set to No.
VMware: MAC Address Changes on the Portgroup is set to Accept.
NLB in multicast mode:
Manual entry of ARP records is required on routers:
since NLB packets are unconventional, meaning the IP address is Unicast while the MAC
address of it is Multicast, switches and routers might drop NLB packets
an example of the command needed to add into switch:

arp [NLB virtual IP] [cluster's multicast MAC] ARPA
arp 192.168.1.100 03-bf-c0-a8-01-64 ARPA
The cluster’s multicast MAC address can be obtained from the Network Load Balancing
Properties dialog box.
A Basic Example of a Network Load Balancing Services Configuration
The following example serves only as a basic demonstration of the WNLB configuration. It
does not serve as a guideline for an implementation in a real environment. The
implementation of the WNLB is not performed by Y Soft. Due to the nature of Windows
Network Load Balancing, a detailed analysis of the customer's network environment and the
proper selection of the load balancing mode has to be done prior to setting up the WNLB.
Incorrect configuration of the WNLB may have a severe impact on the overall performance of
the local area network.
Please note that this example applies to Windows Server 2008R2. The list of steps might differ
slightly in newer versions of Windows Server OS.
1. Install the NLB feature on all nodes including the management client
a. dism /online /enable-feature /featurename:NetworkLoadBalancingFullServer
b. dism /online /enable-feature /featurename:NetworkLoadBalancingManagementClient
2. Open NLB manager
a. nlbmgr.exe
3. Create a new cluster
a. Connect to first node and select the NIC to be clustered
i. In unicast mode we usually use first NIC for standard network communication
and its IP address shall be used during SafeQ installation
ii. The second NIC shall be used purely for NLB clustering and you shall not use it
for anything else

b. Enter clustered IP
c. Enter cluster name and choose multicast or unicast mode (depends on your network
configuration), finish the wizard
d. Select Add host to cluster on cluster
e. Connect to second node and select the NIC to be clustered. Finish the wizard.
f. Both nodes should be in "converged" status
4. In Cluster properties > Port Rules > Edit set filtering mode to Multiple host with Affinity:
Single + Timeout: 30minutes
5. In every host properties - change initial host state to Stopped value (Terminal Server will
start the host once it is ready to accept connection from printer)
6. List of ports used by NLB: Network Communication
7. Example of running NLB Cluster:
8. Windows 2008 R2 introduces a strong host model that does not allow different NICs to
communicate with each other. For example, if a request comes in on the 2nd NIC and if
there is no default gateway setup, then the IC will not use the 1st NIC to reply to the
requests (even though there is a default gateway setup on that 1st NIC).
a. To change that behavior and go back to the 2003 model (weakhost), run these
commands from the command prompt:
"Local Area Connection 2" is the name of the clustered network interface
i. netsh interface ipv4 set interface "Local Area Connection 2" weakhostsend=enable
ii. To verify that weakhostsend is enabled on both adapters run following

command:

ii.
netsh interface ipv4 show interfaces level=verbose | findstr /R /i "interface weak.host.sends"
b. To improve the security, add the static routes for outgoing data for the NLB adapter
instead of using the weakhost. For example the WNLB adapter is part of 10.0.11.xx
subnet and it has a network connectivity to gateway at 10.0.11.1; but as mentioned
above, gateway is not configured on the NLB adapter. To keep the stronghost model
active and to be able to communicate with MFPs in a different subnet 10.20.xx.xx, we
can add a static route on WNLB adapter as:
route add -p 10.20.0.0 mask 255.255.0.0 10.0.11.1
i. The usage of netsh command is even better while static route is added to the
WNLB adapter only.
"Local Area Connection 2" is the name of the clustered network interface
netsh interface ipv4 add route 10.20.0.0/16 "Local Area Connection 2" 10.0.11.1
Configuring YSoft SafeQ for Correct WNLB usage
1. Install YSoft SafeQ cluster on the IP address that is not used by WNLB (not the WNLB
virtual IP, not the IP address used by WNLB adapter in case of unicast mode).
2. In YSoft SafeQ Web Interface go to System > Configuration > set

enableNetworkLoadBalancer and operateWnlb properties to enabled.
3. Perform these steps on all YSoft SafeQ servers that are part of WNLB cluster:
a. Set Terminal Server to use WNLB virtual IP address:
i. edit file <SafeQ_dir>\SPOC\terminalserver\TerminalServer.exe.config
ii. set WNLB virtual IP address in the networkAddress parameter
iii. into the AppSettings section of the config file add new scanServerIp
parameter and set it to the physical IP address of the local TS node
b. Configure de-registration of the failed node from the WNLB cluster in case of a failure:
i. Open properties of YSoft SafeQ Terminal Server service (via services.msc) >
go to Recovery tab > set the following configuration:

b.
i.
1. First failure: Run a Program
2. Program: nlb.exe
3. Parameters: stop
4. Repeat steps 1.-3. also for YSoft SafeQ Spooler Controller service
c. Restart YSoft SafeQ Spooler Controller and YSoft SafeQ Terminal Server services
to apply the settings.
4. Configure YSoft SafeQ regarding Configuring YSoft SafeQ for Network-level Terminal Failover
.
5. Reinstall embedded terminal on all devices that should be connected to WNLB cluster.
6. Test of functionality
a. Try to stop Terminal Server service > WNLB manager shows Stopped state on the
node where Terminal Server was stopped (change can take up to one minute)
b. Try to start Terminal Server service > WNLB manager shows Started state on the
node where Terminal Server was started (change can take up to one minute)
c. It is possible to authenticate on MFP when just one node shows "Converged" state

Resources and further reading
There are various ways to configure WNLB depending on the network architecture. A
description in Microsoft TechNet:
http://technet.microsoft.com/en-us/library/bb687542.aspx
http://technet.microsoft.com/en-us/library/cc770689%28v=ws.10%29.aspx
Selecting the Unicast or Multicast Method of Distributing Incoming Requests:
https://technet.microsoft.com/cs-cz/library/Cc782694(v=WS.10).aspx
Netsh commands for Interface Internet Protocol version 4 (IPv4). A description in Microsoft
TechNet:
http://technet.microsoft.com/cs-cz/library/cc731521(v=ws.10).aspx
Sample configuration is described in VMware KB:
Sample Configuration – Network Load Balancing (NLB) Multicast Mode Configuration
http://kb.vmware.com/selfservice/microsites/search.do?
language=en_US&cmd=displayKC&externalId=1006558
Sample Configuration – Network Load Balancing (NLB) Multicast mode over routed subnet -
Cisco Switch Static ARP Configuration
cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1006525
The configuration required with Unicast mode:
language=en_US&cmd=displayKC&externalId=1556
5.5.5.6 Configuring YSoft SafeQ for Network-level Terminal Failover
Network-level Failover Is Supported on the Following Terminal Types:
YSoft SafeQ Embedded Terminal for Brother
YSoft SafeQ Embedded Terminal for Epson
YSoft SafeQ Embedded Terminal for Fuji Xerox
YSoft SafeQ Embedded Terminal for Fuji Xerox XCP
YSoft SafeQ Embedded Terminal for HP
YSoft SafeQ Embedded Terminal for Konica Minolta
YSoft SafeQ Embedded Terminal for Lexmark
YSoft SafeQ Embedded Terminal for OKI

YSoft SafeQ Embedded Terminal for Sharp-eSF
YSoft SafeQ Embedded Terminal for Sharp OSA5
YSoft SafeQ Embedded Terminal for Toshiba
YSoft SafeQ Embedded Terminal for Xerox
Prerequisites
A third-party load balancer or Windows NLB (WNLB) must be properly configured for Terminal
Failover.
Etcd must be enabled.
Enable etcd
example, "admin").
Additional Configuration for OKI and Toshiba Embedded Terminals
Certificate configuration
Each MFD needs to have uploaded certificates from all Terminal Servers connected to the failover
group. Before uploading certificates it is necessary to rename the files to unique ones since these
MFDs are unable to store more certificates with the same file names.
IP configuration
1. Set the property forceInternalLdapServerIp (expert view) to the failover/load balancer

virtual IP address/hostname.
2. Install or reinstall YSoft SafeQ Embedded Terminal for each OKI and Toshiba device.

When most of the cluster members are offline for about 24 hours, there is a possibility that
the user will not be able to enter the YSoft SafeQ application. If the problem occurs, restart
the Terminal Server service on all nodes or wait for an hour.
Additional Configuration for Brother and HP Embedded Terminals
For the HTTPS configuration these MFDs always check the certificate sent to them by the server
they are connecting to. The checks performed are the following:
It is necessary to create a valid certificate issued for the virtual address and configure all the
Terminal Servers to use it according to Configuring secured connection between terminals and
Terminal Server guide. After this is set up, install or reinstall the YSoft SafeQ Embedded Terminal
on all Brother and HP MFDs in order to upload the certification authority to these devices.
5.5.5.7 Enabling application failover on YSoft SafeQ Embedded Terminal for Konica Minolta
YSoft SafeQ Embedded Terminal for Konica Minolta support native application failover. That means
that the Authentication, Print and Scan applications installed on the device can have registered 2
different YSoft SafeQ servers to connect to. When the current endpoint fails to response to an
application request, the application switches to the other one and use it as long as the endpoint
is responding.
Limitations
Jobs history is not working correctly.
Only native Terminal mode is supported.
Prerequisites
MFD must support OpenAPI setup version 4.1 or higher.
Spooler controllers must be in the same Spooler controller group.
Etcd must be enabled.
Enable etcd
example, "admin").
2.

Enabling application failover
For SafeQ 6 MU15 and newer:
example, "admin").
2. Go to System > System settings.
3. Set KMApplicationFailover property to enabled.
4. Set also enableNetworkLoadBalancer property to enabled and save the configuration.
For SafeQ 6 MU14 and older:
This way can also be used if you want to enable application failover only for a SPOC group but
not globally.
1. In the TerminalServer.exe.config file insert the following line into <appSettings>

section:
<add key="KMApplicationFailover" value="true" />
2. This must be done on all nodes of the Spooler Controller group.
3. Restart of Terminal Server service is required after this change.

5.5.5.8 Enabling application failover on YSoft SafeQ Embedded Terminal for Ricoh
YSoft SafeQ Embedded Terminal for Ricoh ESA is communicating directly to the "YSoft SafeQ
SPOC" with some exceptions when support from "YSoft SafeQ Terminal Server" service is
required. Therefore, standard procedures for the loadbalancing and failover via Microsoft Cluster
Server or Failover using Windows Network Load Balancing Services (NLB) does not apply for this
type of embedded terminal.
YSoft SafeQ Embedded Terminal for Ricoh ESA failover is enabled in SafeQ by default. MFP will
obtain the list of IP addresses for all the SPOC nodes after the first successful authentication. If
the primary SPOC becomes unavailable, embedded terminal will automatically find another SPOC
according to strategy selected in configuration. Then the embedded terminal will use the resolved
SPOC as the primary until it becomes unavailable or until some preconfigured time interval
passes. Then another server is found and selected as primary in dependency on selected failover
strategy. With some strategies the MFP may automatically switch back to a preferred SPOC if you
restore its functionality. The server can be resolved as active only if both YSoft SafeQ SPOC and
YSoft SafeQ Terminal Server are responding to MFP requests.
Limitations
This failover configuration does not provide Load-balancing.
Strategies for server selection for YSoft SafeQ Embedded Terminal for Ricoh
Default strategy
With this strategy the MFP will always check for the SPOC server with fastest response. The
servers are checked for their availability in parallel and the first SPOC server which responses is
taken as the primary for all ongoing communication.
Primary node preferred
With this strategy the "primary node" is always preferred. In this scenario, the "primary node" is
the SPOC from which the MFP was originally installed. If the "primary node" is not available,
another server is selected using the default strategy described above. If the "primary node"
becomes available, the MFP will connect to it when the current one becomes unavailable or after
the preconfigured time interval passes.
Configuring failover strategy for YSoft SafeQ Embedded Terminal for Ricoh
1. Log in to the YSoft SafeQ Management interface with sufficient rights to administer
printers (for example, "admin")
2. Go to System > Configuration from the menu
3. Set enableNetworkLoadBalancer property to enabled
4.

4. Set srteFailoverStrategy property to required strategy. The option determines how the
primary server is resolved in case when the current server becomes unavailable. The
strategies are described in following section.
5. Set srteFailoverCheckInterval property to required value. It sets the maximal time (in
minutes) after which the primary SPOC server is resolved according to selected strategy.
The minimal allowed value of this property is one.
6. Save the configuration and reinstall all the devices with YSoft SafeQ Embedded Terminal
for Ricoh ESA.
How to verify the correct functionality
1. Authenticate at the YSoft SafeQ Embedded Terminal for Ricoh ESA with the valid account.
Authentication must not fail.
2. Log in to the YSoft SafeQ Embedded Terminal for Ricoh ESA Web Configuration Interface at
http://MFP_IP:8080/sqet/Login (where MFP_IP is the MFP's IP address). Please note the
HTTP address is case-sensitive. Enter the login code. (The default is 14569.)
3. Verify that you see the IP address of all your SPOCs in the list.
4. Optionally you can stop the SPOC which is listed as the first. Then verify that
authentication is still working. In the YSoft SafeQ Embedded Terminal for Ricoh ESA Web
Configuration Interface you will see that the order of the servers has switched.
5.6 UPDATE GUIDE
This part of the documentation should guide you on how to update between individual YSoft
SafeQ 6 builds and related components.

5.6.1 UPDATING TERMINALS
5.6.1.1 Updating YSoft be3D eDee
When software packages on YSoft be3D eDee are outdated, there is the possibility to update
them with an update package via YSoft SafeQ Management.
Before updating
Make sure that YSoft be3D eDee is configured properly. See the YSoft be3D eDee
Administrator Guide for more information.
Updating via YSoft SafeQ Management Interface
1. Log into the YSoft SafeQ management interface as an administrator, and use an account
authorized to manage the system.
2. Make sure your device is properly registered on YSoft Infrastructure Service. You should
find it the list in Devices > Hardware.
3. Online status indicates whether the device is connected and online or it is disconnected.
For updating, it is necessary for the device to be online.
4. The Software update status property indicates the status of the update.
a. Pending – The update of the device has not started yet.
b. Updating – The device is in the process of updating.
c. Up to date – The device is updated with the latest update package.
5. The update package can be uploaded in Actions > Upload software package. After the file
is uploaded and correctly unpacked, the notification center displays a message. If the
system does not inform you about a successful upload, it is not possible to proceed with
the device update.
6.

6. After the package is properly uploaded, in the Action menu, select Update devices.
7. Select the device to update.
8. Choose a package version from the list.
9. An update can by scheduled for any time or started immediately by selecting Update now.
10. Save the settings, and if Update now was selected, the updating process will start
immediately.
When printer is printing or waiting for the user to pickup model, then update will start
immediately after printer is not printing.
11. After the updating process finishes, Software update status changes to Up to date.
Reinstalling the YSoft be3D eDee Terminal after Updating
2. Open Devices > Printers from the menu. Choose the device you want to edit, and click the
Edit button.

3. Device edit – edit your device according to the instructions in the YSoft be3D eDee
Administrator Guide.
4. Once you have entered all necessary information, click the Save changes button. After
confirmation, the device is automatically reinstalled with the updated configuration and
embedded terminal.
5. The embedded terminal is installing. A new window with the installation's progress appears.
6. After installation is completed, the message Device reinstallation is complete displays.
for more information about the error.
5.6.1.2 Updating YSoft SafeQ Embedded Terminal
Before Updating
1. Make sure the device is configured properly. See the configuration guides for more
information.
2. Edit the device's configuration. See the configuration guides for more information.
Updating a Device with a Embedded Terminal to YSoft SafeQ
1. Log into the web administration, and use an account authorized to manage the system.
Edit button.

3. Device edit – edit your device according to the instructions on the following page
confirmation, the device is automatically reinstalled with the updated configuration and
embedded terminal.
5. The embedded terminal is being installed. A new window with the installation's progress
appears.
6. After installation is complete, the message Device reinstallation is complete is displays.

5.6.1.3 Updating YSoft SafeQ Terminal Pro 4
When software packages on YSoft SafeQ Terminal Pro 4 are outdated, there is the possibility to
update them with an update package via YSoft SafeQ Management.
Before updating
Make sure that YSoft SafeQ Terminal Pro 4 is configured properly. See the configuration guide
for more information.

Updating via YSoft SafeQ Management
1. Make sure your device is properly registered to IMS. If yes, in YSoft SafeQ Management >
Devices > Hardware, there is a device present on the list.
2. Online status indicates whether the device is connected and online or disconnected. For
updating, it is necessary for the device to be online.
3. The Software update status property indicates the status of an update.
a. Pending – The update of the device has not started yet.
c. Up to date – The device has been updated with the latest update package.
4. The update package can be uploaded in Actions > Upload software package. After the file
the device update.
5. After the package is properly uploaded, in the Action menu, select Update devices.

8. An update can be scheduled for any time or started immediately by selecting Update now.
9. Save the settings, and if Update now was selected, the updating process starts
immediately.
10. After the updating process is over, the Software update status is changed to Up to date.
Reinstalling YSoft SafeQ Terminal Pro 4 after Updating
1. Log into the web administration, and use an account authorized to manage the system.
Edit button.
3. Terminal edit – edit your terminal according to the instructions on the following page
Installing YSoft SafeQ Terminal Pro 4
confirmation, the terminal is automatically reinstalled with the updated configuration and
terminal.
5. The embedded terminal is being installed. A new window with the installation's progress
appears.
6. After installation is complete, the message Device reinstallation is complete displays.

5.6.2 UPDATING CLIENT COMPONENTS
The update can be performed using the new version of the YSoft SafeQ client installer. You can
use either the GUI wizard or a silent (unattended) installation.
The minimum version to the upgrade is defined by each new version (e.g., in version 6.0.0.1,
upgrading from version 5.8.x.x is not supported, the minimum version is "6.0.0.1"). The
FlexiSpooler version must be the same version as Spooler Controller version.

5.6.2.1 Performing a GUI Wizard Update
When running the installer, it will detect the last installed version during the preinstallation check
. You can continue the update using the latest version installer. All configurations stay the same
and will not be changed by the update. The update will not affect print jobs that have already
been sent.
5.6.2.2 Performing a Silent (Unattended) Update
Please make sure that the current valid certificates are installed in the Windows environment
before performing a silent installation/update.
VeriSign Universal Root Certification Authority(vsign-universal-root.cer) and Thawte Primary

Root CA (thawte-root.cer) for Troubleshooting trust errors
Thawte SHA256 Code Signing CA (thawte-codesigningCA.cer)
Y Soft Corporation, a.s. codesigning CA (ysoft-codesigning.cer) for Automated (silent)

i n s t a l l a t i o n
See Installing Security Certificates for details.
To run a silent installation of the client installer, run this command. Run it in the folder where you
have downloaded ysq-client-install.exe
ysq-client-install.exe /S

5.6.2.3 After Updating
Installation log files are located in the YSoft SafeQ client components installation folder.

launch Desktop Interfaces for all the logged in users, see YSoft SafeQ 6 Workstation Installation,
section Automatic launching of Desktop Interfaces from FlexiSpooler service at start.
5.6.3 UPDATING FROM MU/BUILD TO BUILD
This page contains a detailed update procedure for updating the YSoft SafeQ 6 installation to a
higher build.
The YSoft SafeQ version was previously known as YSoft SafeQ MUXX (Maintenance Update
XX). We are changing naming, MU will be replaced with Build so YSoft SafeQ version will be
known as YSoft SafeQ Build XX. This page contains mixed naming as YSoft SafeQ versions
older than Build 32 are still referred as MUXX.
5.6.3.1 Before the Update
Expected System Outage
It is expected that the system will be out of order until the update is finished.
Expected Data Loss
If executed as documented, no data loss is expected.
In the case of a rollback, the data between step 1.5 (database backup) and Rollback is lost.
Users will need to reprint their jobs once the system is operational again.
General Requirements
When updating to a new build, all installed components (YSoft SafeQ Management Servers,
YSoft SafeQ Spooler Controllers, YSoft SafeQ FlexiSpoolers, YSoft SafeQ Mobile Print Server,
YSoft SafeQ Workflow Processing Systems, YSoft SafeQ Payment System and YSoft SafeQ
Payment System plugins) have to be updated.
If one or more YSoft SafeQ services have the state Disabled, enable them before starting. If
necessary, you can disable them again once the update is finished.

Make sure that no processes or services (e.g., from third-party backup tools) are using
resources from the YSoft SafeQ directory. Files in those directories are about to be replaced
and if they are locked by any process, the update will fail. A common cause of an update
failure is having pgAdmin running while updating or uninstalling Management Server with an
embedded PostgreSQL.
Make sure that the pgAdmin4 server is shut down
Make that you have enough free space on disk in case of PGSQL 11 update. Two new copies
of PGSQL and PGSQL-data folders will be created for the update process.
Make sure the server hosting YSoft SafeQ still fulfills the minimal requirements for the new
version (such as OS version, see YSoft SafeQ server requirements)
Stop YSoft SafeQ Services
1. Stop all YSoft SafeQ services in the whole environment (Management Servers, Site
Servers) except the following (leave the services listed below running):
a. YSoft Bundled Etcd
b. YSoft Bundled PostgreSQL (available if an embedded PostgreSQL DB is used)

'YYSoftPGSQL' -and $_.Name -ne 'YSoftEtcd'} | Stop-Service
c. pgAdmin4
Backing Up Databases
Back up the SQDB6 and SQDB6_IMS databases. If you are using a separated database for data
warehouse, also back up SQDB6_DWH. If you are using YSoft Payment System, back up
SQDB6_YPS database too.
Back Up Configuration Files
If you are using some local changes in your configuration files - for example, due to using some
customizations, extensions, or applying own security rules be aware to make a backup your
configuration files before the update.
See Backing Up Configuration and Binary Files and perform the procedure on all Management and
Site Servers.

Create a Snapshot (Optional but Recommended)
If you have YSoft SafeQ 6 installed on virtual servers, create a snapshot of all Management and
all Site servers to simplify the rollback procedure. Snapshots should be made with all YSoft SafeQ
6 servers being stopped completely or at least services stopped on all servers, as described
above.)
5.6.3.2 Updating Procedure
CHECKING MS SQL SERVER DATABASE SNAPSHOT ISOLATION STATE
If you are using PostgreSQL database, then please skip this part and go to section Update
Management Servers.
If you are using MS SQL database and if you are updating from YSoft SafeQ 6 MU23 or earlier
or if the MS SQL SafeQ databases were created manually (i.e. not by YSoft SafeQ 6 installer),
then snapshot isolation needs to be enabled manually.
If Payment System is in use, then snapshot isolation needs to be enabled for its
database manually (if you did not do so before).
How to check shapshot isolation current state
1. Connect to the SQL Server and run the following query:
SELECT name, collation_name, state_desc, snapshot_isolation_state_desc,

is_read_committed_snapshot_on, recovery_model_desc, containment_desc,
is_trustworthy_on FROM sys.databases WHERE name like '%SQDB6%'
2. If you see that snapshot_isolation_state_desc is OFF for SafeQ databases, then please
continue with the next section.
How to set up the database
1. If database name does not equal SQDB6, please change the name according to end
customer configuration. Connect to SQL Server and run the following commands:
ALTER DATABASE [SQDB6] SET ALLOW_SNAPSHOT_ISOLATION ON

ALTER DATABASE [SQDB6] SET READ_COMMITTED_SNAPSHOT ON
ALTER DATABASE [SQDB6_IMS] SET ALLOW_SNAPSHOT_ISOLATION ON

ALTER DATABASE [SQDB6_IMS] SET READ_COMMITTED_SNAPSHOT ON
2. If end customer environment has separate database for data warehouse, reconfigure it
as well:
ALTER DATABASE [SQDB6_DWH] SET ALLOW_SNAPSHOT_ISOLATION ON

ALTER DATABASE [SQDB6_DWH] SET READ_COMMITTED_SNAPSHOT ON
3. Same applies for Payment System database, if Payment System is in use:
ALTER DATABASE [SQDB6_YPS] SET ALLOW_SNAPSHOT_ISOLATION ON

ALTER DATABASE [SQDB6_YPS] SET READ_COMMITTED_SNAPSHOT ON
See Microsoft documentation of Snapshot Isolation in SQL Server for more

information.
Update Management Servers
If Management Server was installed using the Management Server installer, use ysq-
management-server-install.exe for the update. Also:
1. see Updating YSoft SafeQ Management Server for detailed instructions.
2. see Updating YSoft SafeQ Management Server cluster for detailed instructions.
If Management Server was installed using the server installer (First Server or Additional
Management Server deployment), see Updating Using the Server Installer for detailed
instructions, and use one of the following packages for the update:
ysq-server-install.zip
YSoft-SafeQ-6-Build-XX-Server-installer.zip (without OCR engine)
ysq-server-ocr-install.zip
YSoft-SafeQ-6-Build-XX-Server-installer-with-Advanced-workflows.zip (with OCR engine)
On some systems, the following issue may appear: during installation of YSoft SafeQ Workflow
Processing System, the service is "marked for removal". In the Workflow Processing Server
install log (c:\SafeQ6\WPS\WPS-install.log), there is an error saying that the service is already
installed, and after restarting, the service is removed. If you encounter it, let Customer
Support Services know about it. A workaround is to install the service manually after the
restart by running WpsService.exe install from the elevated command line.

Re-activate the YSoft SafeQ license
Re-activate YSoft SafeQ license once the update of Management Server(s) is finished. See
Additional steps
If you want to change any YSoft SafeQ configuration, you can do it now in System >
Configuration.
If you are using Management Server cluster which replicates users from secured LDAP and
updating from YSoft SafeQ Build34 or earlier, make sure that LDAP server certificate is
imported in trust store on all Management Server nodes. Any node can start scheduled LDAP
replication now.
You should verify LDAP replication functionality by testing replication from YSoft SafeQ
management interface of each node:
System > LDAP integration > Test tab > TEST SETTINGS button
If you are using failover/load balancing of terminals and updating from YSoft SafeQ MU27 or
earlier, make sure that enableNetworkLoadBalancer property is enabled in YSoft SafeQ
settings:
1. Log in to the YSoft SafeQ management interface with sufficient rights to administer
printers (for example, "admin").
3. Set enableNetworkLoadBalancer property to enabled and save the configuration.
Capture changes and update the Solution Reference Guide (optional)
Export settings and update the respective settings in Solution Reference Guide (if used). The
export can be done using YSoft SafeQ management interface > System > Configuration >
Actions > Export the changed configuration into the XML file.
Updating Site Servers
See Updating Using the Server Installer for detailed instructions and use one of the following
packages for the update:
ysq-server-install.zip
YSoft-SafeQ-6-Build-XX-Server-installer.zip (without OCR engine)
ysq-server-ocr-install.zip

YSoft-SafeQ-6-Build-XX-Server-installer-with-Advanced-workflows.zip (with OCR engine)
If you are using a third-party load balancer:
1. And you are updating from YSoft SafeQ MU28 or earlier, make sure that scanServerIp
is configured in TerminalServer.exe.config on each node:
a. Edit the file <SafeQ_dir>\SPOC\terminalserver\TerminalServer.exe.config.
b. Into the AppSettings section of the config file add new scanServerIp parameter
and set it to the physical IP address of the local TS node.
c. Save the file.
d. Restart YSoft SafeQ Terminal Server services to apply the settings
2. And you are updating from YSoft SafeQ Build 37 or earlier to the Build 38 and higher:
a. Because of security patch of the YSoft SafeQ Spooler Controller Group Service
the service not anymore answer on TCP based monitor on port 9999 and thus all
your servers will be considered down by the load balancer.
b. Recommended solution is to change the configuration of the load balancer and

remove monitoring of the port 9999.
c. Alternative solution is to change value of the system parameter

spocJmxNetworkInterface to 0.0.0.0 (default is 127.0.0.1).
i. Please note that such configuration decreases security of the system and
is not recommended!
In case of updating from MU13 or earlier to MU14 or later using standalone installers, make sure
you delete the cache the during update of YSoft SafeQ Spooler Controller. (Clear the YSoft SafeQ
Spooler Controller cache during update - enabled.)

The YSoft SafeQ Spooler Controller cache recovery mechanism on a standalone SPOC with
the recommended hardware is processing on average 3000 jobs per minute. That means with
60 000 jobs the recovery will take about 20 minutes. SPOC is not fully functional until the
recovery is finished. To see how many jobs is going to be recovered use the following SQL
query:
-- query to be launched on SQDB6 database

-- use proper tenant prefix at smartq_jobs table
-- use proper server_guid, SPOC guid can be found on YSoft SafeQ Management interface ->
tab Spooler Controller groups
SELECT count(1) FROM tenant_1.smartq_jobs where server_guid = 'j1dvczklt5l5hm69' and
cur_status in (1,2,4,8,16,32,64,128,256,512)
Updating Other Products
Updating SafeQube 2
See Updating YSoft SafeQube 2 for detailed instructions.
Updating Terminals
See Updating Terminals for detailed instructions.
Updating Client Components
See Updating Client Components for detailed instructions.
Updating YSoft Payment System plugins
See Payment gateway plugin deployment for detailed instructions.

Updating Mobile Integration Gateway
Reinstall the existing Mobile Integration Gateway installation using the new installation package.
See Updating Mobile Integration Gateway for detailed instructions.
After update steps
After a successful update, don't forget to apply back your local changes (if you are using any) of
configuration files from their backups (made in point Back Up Configuration Files).
Verifying the Functionality
Verify the basic functionality such as Printing, Copying, Scanning, Accounting, and Charging.
5.6.3.3 Rollback
Should you face issues during or after updating that block you from using YSoft SafeQ, revert to
the version prior to the update.
If a Snapshot of Servers Is Available
1. Stop YSoft SafeQ services on all Management and Site Servers.
2. If an external database server is being used, restore the YSoft SafeQ databases SQDB6,
SQDB6_IMS, SQDB6_DWH, SQDB6_YPS to the state prior to the update.
3. Revert Management Servers to the state prior to the update (one by one).
4. Re-activate the YSoft SafeQ license.
5. Revert Site Servers to the state prior to the update.
If a Snapshot of Servers Is Not Available
1. Stop YSoft SafeQ services on all Management and Site Servers.
2. Uninstall Management and Site Servers.
3. Delete all YSoft SafeQ 6 folders.
4. Perform a clean installation of Management Server(s) of the previous YSoft SafeQ 6 version
– use the same Local GUID that was used before.
a. Restore YSoft SafeQ 6 databases.
b. Restore the configuration files from backup – do not restore the file safeq.properties
, keep the new one.
5. Re-activate the YSoft SafeQ license.
6. Perform a clean installation of Site Servers.
a. Restore the configuration files from backup.

7. If you were using custom certificates (e.g., for Web Interface or Terminal Server), set them
up again according to the documentation.
Device Is Unable to Establish a Secure Connection with Terminal Server in MU17 and Newer,
Although It Worked with the Previous MU
A new, more secure certificate was introduced with MU17 . Older devices may be unable to
establish a secure connection with the Terminal Server.
Solution: Generate a new certificate compatible with the device and configure Terminal Server to
use it. See Configuring secured connection between terminals and Terminal Server for detailed
instructions.
FlexiSpooler Installation is Stuck During the Update
Installation is stuck on installing FlexiSpooler during the update without any obvious error. In
installation log is the following exception: Exception calling "DeserializeObject" with "1"
argument(s): "Unrecognized escape sequence."
Solution: Open the spooler.config and ensure that there are only forward slashes in
jobStorePath. (e.g., change "jobStorePath":"C:\Spool\JobStore" to "jobStorePath":"C:/Spool
/JobStore").
5.6.4 UPDATING YSOFT SAFEQUBE 2
When software packages on YSoft SafeQube 2 are outdated, there is the possibility to update
them with an update package via YSoft SafeQ Management.
5.6.4.1 Before Reinstallation
Make sure SafeQube 2 is configured properly. See the configuration guides for more
information.
5.6.4.2 Updating via YSoft SafeQ Management Interface
2. Make sure, that your device is properly registered to IMS. You should find it the list in
Devices > Hardware.

3. Online status indicates whether the device is connected and online or disconnected. For
updating, it is necessary for the device to be online.
4. Software update status property indicates the status of the update.
a. Pending – Updating of the device has not started yet.
c. Up to date – The device is updated with the latest update package.
5. The update package can be uploaded at Actions > Upload software package. After the file
the device update.
6. After the package is properly uploaded, in Action menu, select Update devices.
9. An update can be scheduled for any time or started immediately using Update now.
10.
10. Save the settings, and if Update now was selected, the updating process will start
immediately.
11. After updating the process is complete, Software update status changes to Up to date.
5.6.5 UPDATING MOBILE INTEGRATION GATEWAY
5.6.5.1 Step-by-step Guide
1. Run the Mobile Integration Gateway installer from the latest build.
2. If preinstallation checks are OK, proceed by clicking next.
3. On the next screen, you can see the current version and the new version to which YSoft
SafeQ Mobile Integration Gateway will update.
4. Complete the update. Your current configuration will remain unchanged.
5.7 REQUIREMENTS
5.7.1 HARDWARE REQUIREMENTS
Server deployment Components Recommended configuration
Single Server Deployment Management, Spooler Controller, Dual Core 2GHz or faster
(Management Server with Terminal Server, WPS, processor
FlexiSpooler in spooling server FlexiSpooler 8GB free RAM
mode) Optional: Mobile Print Server, 1Gbps network connection (LAN)
YSoft Payment System 100GB of free disk space (after
installation)
Connection to storage with a
throughput of at least 150MB/s
and 300 IOPS

If a virtual machine is used,

set memory reservation to
the full amount of RAM
allocation.
Site Server with FlexiSpooler in Spooler Controller, Terminal Dual Core 2GHz or faster
spooling server mode Server, FlexiSpooler (in spooling processor
server mode), WPS 8GB free RAM
Optional: Mobile Print Server, 1Gbps network connection (LAN)
YSoft Payment System 100GB of free disk space (after
installation)
and 300 IOPS

allocation.
Site Server with FlexiSpooler in Spooler Controller, Terminal Dual Core 2GHz or faster
non-spooling server mode Server, WPS processor
(CBPR) Optional: Mobile Print Server, 8GB free RAM
YSoft Payment System 1Gbps network connection (LAN)
20 GB of free disk space
and 100 IOPS

allocation.
Workstation deployment Components Recommended configuration
YSoft SafeQ Client Components YSoft SafeQ Desktop Interface, Dual Core 2GHz or faster
with YSoft SafeQ FlexiSpooler Universal Print Driver, processor
in spooling mode FlexiSpooler (in client spooling 4GB free RAM
mode) 1Gbps network connection (LAN)
2GB of free disk space (after
installation)

YSoft SafeQ Client Components YSoft SafeQ Desktop Interface, Dual Core 2GHz or faster
with YSoft SafeQ FlexiSpooler Universal Print Driver, processor
in proxy mode FlexiSpooler (in client non- 4GB free RAM
spooling mode) 1Gbps network connection (LAN)
The YSoft SafeQ Advanced Workflows module requires the Workflow Processing System
(WPS) to be installed together with the ABBYY Finereader 11 OCR engine. Hardware
requirements for this deployment scenario are available in Workflow Processing System with
OCR hardware requirements
The recommended configuration should handle up to 200 devices connected to server and up
to 3 000 clients in combination with Client Based Print Roaming (CBPR).
See How to Measure Storage Throughput and IOPS for more details how to evaluate disk
performance. Please note, that the required disk performance might differ from customer to
customer and it is dependent on YSoft SafeQ configuration (e.g. usage of parser,
cacheReplicationBufferPersistent setting, spooler location, ...) and on the way, how customers
use the YSoft SafeQ (e.g. if they generate constant load or peaks).
5.7.1.1 How to Measure Storage Throughput and IOPS
This article describes how to check if your storage meets the Hardware Requirements.
CrystalDiskMark
This software is free (MIT license), easy to set up, provides reliable results, and these results are
easy to understand.
Download http://crystalmark.info/software/CrystalDiskMark/index-e.html
Select the Standard edition, Portable w/o Ads (zip).
Extract it on the target machine and run the appropriate binary for your architecture
(DiskMark64.exe or DiskMark32.exe).
Change Test size to 2GiB.

Select the disk drive where YSoft SafeQ will be installed.
Press the All button and wait until the test finishes (the progress is shown in the header of
the window).
Save the results to a file: File > Save

And check the contents of this resulting file.
How to Interpret the Results
Look to see if the storage is sufficient for ORS Server (a throughput of at least 150 MB/s and
300 IOPS).
An Example of Storage with Sufficient Speed
All sequential reads/writes are above 150 MB/s.
All random reads/writes are above 300 IOPS.
-----------------------------------------------------------------------
CrystalDiskMark 5.1.2 x64 (C) 2007-2016 hiyohiyo
Crystal Dew World: http://crystalmark.info/
-----------------------------------------------------------------------
* MB/s = 1,000,000 bytes/s [SATA/600 = 600,000,000 bytes/s]
* KB = 1000 bytes, KiB = 1024 bytes
Sequential Read (Q = 32,T = 1): 229.494 MB/s
Sequential Write (Q = 32,T = 1): 153.305 MB/s
Random Read 4KiB (Q = 32,T = 1): 81.998 MB/s [ 20019.0 IOPS]
Random Write 4KiB (Q = 32,T = 1): 68.278 MB/s [ 16669.4 IOPS]
Sequential Read (T = 1): 202.590 MB/s
Sequential Write (T = 1): 152.465 MB/s
Test: 2048 MiB [C: 5.8% (59.4/1023.7 GiB)] (x5) [Interval=5 sec]

Date: 2016/04/08 10:48:18
OS: Windows Server 2012 R2 Server Standard (full installation) [6.3 Build 9600] (x64)
An Example of Storage with Insufficient Speed
Some sequential reads/writes are below 150 MB/s.
Some random reads/writes are below 300 IOPS.
-----------------------------------------------------------------------
CrystalDiskMark 5.1.2 x64 (C) 2007-2016 hiyohiyo
Crystal Dew World : http://crystalmark.info/
-----------------------------------------------------------------------
* MB/s = 1,000,000 bytes/s [SATA/600 = 600,000,000 bytes/s]
* KB = 1000 bytes, KiB = 1024 bytes
Sequential Read (Q = 32,T = 1): 213.717 MB/s
Sequential Write (Q = 32,T = 1): 96.769 MB/s
Sequential Read (T = 1): 114.935 MB/s
Sequential Write (T = 1): 49.909 MB/s
Test: 2048 MiB [C: 51.9% (10.2/19.7 GiB)] (x5) [Interval=5 sec]
Date: 2016/04/08 11:22:12
OS: Windows Server 2012 R2 Server Standard (full installation) [6.3 Build 9600] (x64)
5.7.1.2 Workflow Processing System with OCR hardware requirements
The YSoft SafeQ Advanced Workflows module requires that the Workflow Processing System
(WPS) be installed together with the ABBYY FineReader 11 OCR engine. The system requirements
for this deployment scenario are:
PC with x86-compatible processor (1 GHz or higher)
Note that usage of CPU by ABBYY is limited to maximum 8 cores for parallel processing.
Operating system:
Windows Server 2016

Windows 10 (32-bit and 64-bit)
Windows Server 2012 R2 (64-bit)
Windows Server 2012 (64-bit)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2008 R2 (64-bit)
Windows Server 2008 SP1-SP2 (32-bit and 64-bit)
Windows Vista SP1-SP2 (32-bit and 64-bit)
Highlighter feature is not supported on Windows Server Core edition.
Memory:
for processing one-page documents — minimum 400 MB RAM, recommended 1 GB RAM
for processing multi-page documents — minimum 1 GB RAM, recommended 1,5 GB RAM
for parallel processing — 350 MB * (cores number) + 450 MB RAM
for parallel processing of documents in Arabic or CJK languages — 850 MB * (cores number) +
750 MB RAM
Hard disk space:
800 MB for library installation and 100 MB for program operation plus additional 15 MB for
every processing page of a multi-page document
Note: the space for program operation is needed to store temporary data, temporary folder
location is determined by your environment and not installation folder, on Windows it is given
by %TEMP% environment variable (usually "C:\Windows\Temp")
5.7.2 SOFTWARE REQUIREMENTS
5.7.2.1 Requirements and Limitations of Embedded Terminals
Requirements and known limitations of YSoft SafeQ Embedded Terminal for Brother
Requirements
Brother Solution Interface activated on the MFD.
Device must support PCL printer language.

Device compatible with Brother MDT - refer to HCL – Brotherfor list of known compatible
devices.
Known limitations
Embedded terminal cannot be installed when a warning/error message is shown on device

display - for example no paper in tray, unrecognized USB reader.
Logout by card is not supported.
It is not possible to make copy/scan during printing. Moreover YSoft SafeQ Print or YSoft
SafeQ Scan applications are not available during printing.
Print jobs accounting is based on YSoft SafeQ offline accounting mode, so it has all its
limitations and dependencies.
Scanned page is always A4 format.
BR-Script3 print driver is not supported.
Direct queue prints are not accounted.
Print job preview is not supported.
Print job finishing options are not supported.
List (address book, select and folder browse) fetch all the available items from WPS and return
them at the same time.
Address book doesn't support multiple choice setting.
Address book doesn't support free text input.
Payment is not supported.
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for Epson
Requirements
Epson Open Platform Version 1.0 and later compatible firmware running on the device.
Known Limitations
The Epson vendor does not provide support for media type based job accounting (whether
plain paper or another media type is used).
Only PCL6 and PostScript drivers are supported (EPSON ESC drivers or PDF are not
supported).
Pre-filled user's email for native scan is supported from Epson Platform Version 1.1+. The SNMP
server must be configured on device.

For MFDs without HDD job delivery timeout configuration is recommended:
Problems with job delivery via RAW
Problems with job delivery via LPR
Scanning
Only FTP delivery.
The scanServerUserPassword property should not be longer than 20 characters to be able to

scan using the YSoft SafeQ Embedded Terminal for Epson. Use the Management Interface -
System to learn how to change the property.
Only scan setting combinations supported by devices work. If an invalid combination is

selected, the scan will fail. Please refer to the MFD documentation, e.g., on some devices, only
B&W is supported for a multipage TIFF file format.
Payment
Detailed limitations:
Please see the detailed credit handling documentation.
Brief explanations:
The user can reach the negative balance in certain cases.
The job will be printed, not accounted, not charged - if not sent to YSoft SafeQ properly.
An extra credit/quota will be reserved and not settled in some specific edge cases during
secure reprint
Requirements and known limitations of YSoft SafeQ Embedded Terminal for FujiXerox
YSoft SafeQ Embedded Terminal for FujiXerox

Requirements
Embedded Terminal is a software extension of the Fuji Xerox devices.
Embedded Terminal requires licensed and configured Fuji Xerox ApeOS Connection IV at the
device.
Known limitations
After automatic log out from YSoft SafeQ application, the user is navigated to device main
menu. After given time (based on device settings), the user is also automatically logged out
from device main menu.
Direct Print in combination with Authentication module works, however (any) user must
authenticate for the jobs to be released by the printer (technology limitation).

SSMI 1.4 or higher is required for the proper function of Payment System. In case the SSMI
version is lower, the quota system is not applied and user can reach negative balance.
Only ASCII characters can be used when entering scanning workflow parameters on the
embedded terminal.
When the card activation feature is enabled and there is card swipe with registered card, the
user must always navigate through the Card Activation Code screen.
Blank pages are accounted as BW print.
It can take up to 15 minutes for device to return blocked money back to money account (if
Payment System is used for print/copy/scan charging).
Terminal inactivity timeout set in advanced tab of user's edit dialog (or in settings of Cost
center, if this value is inherited from the Cost center) does not work. The session will be
ended as soon as timeout set on device expires.
Card self-registration possible only using Card Activation Code.
Enable etcd to avoid duplicate accounting records on Management/SPOC cluster.
Jobs printed during failover event on 2 node cluster (i.e. when only 1 node is running) might
not be accounted until the functionality of the cluster is fully restored. Use 3 or more
nodes to avoid this limitation.
When Billing code is changed while a copy job is being performed, the copy job will be
assigned the new newly selected Billing code.
Finishing options:
Proper functionality of Advanced Finishing options is guaranteed only with YSoft Universal
Print Driver
Not all Finishing options are supported on every device, for detailed information see the
Hardware Compatibility List (HCL).
The terminal might not work properly if the MFD certificate validation is enabled (configuration
option enableMfdServerCertificateValidation).
Print job notifications about the status of the Spooler, which are shown in the terminal when
the configuration option "showSpoolerAvailabilityNotifications" is enabled, are not working. The
print flow in the screen is not working properly and the job might fail to print.
YSoft SafeQ Embedded Terminal for FujiXerox with XCP

Requirements
Embedded Terminal is a software extension of the Fuji Xerox devices
Apeos Port IV or V with support for XCP 1.3 or higher is required.
Known limitations

Direct print works but the print jobs are performed even when the user has insufficient
credit.
Print All works but if the user is out of credit, the printing continues and a debt record is
created.
When swiping a card at the card reader and the device is in a sleep mode, the user is not
authenticated.
Scan feature can not be blocked on some devices firmware.
SSMI 1.4 or higher is required for the proper function of Payment System. In case the SSMI
version is lower, the quota system is not applied and user can reach negative balance.
EPA card readers are not supported.
Enable etcd to avoid duplicate accounting records on Management Service cluster.
When you set System Settings > Common Service Settings > Screen/Button Settings >
Screen Default to value Custom Service 4 – YSoft SafeQ Authentication on the MFD, user is
redirected to YSoft SafeQ Authentication screen after language change even if user is already
authenticated.
Scan Workflows with Compact PDF are limited based on the possibilities of the MFD:
MFD should be capable of "MRC Compression".
Color mode should be either "Grayscale" or "Full Color"
Resolution should be "Low", "Normal" or "Fine".
Scan Workflows with JPEG output format will result in a TIFF output file if the color was set
to Black and White or the color was Auto and the MFD detected a black and white paper.
In case "SwA" (SOAP with attachments) is used as scan server type, the maximum number of
files that can be received is limited to 200 by the possibilities of the device. This means that:
For single page formats like JPEG and TIFF this means that the maximum number of
pages that can be scanned in one scan workflow session is 200.
The limit of 200 as maximum number of pages also applies to all output formats when
OCR processing step is used (Searchable PDF, MS Word, ...) however you are able to
overcome this limitation by setting the ocrInputFileType system property to either PDF or
Multipage TIFF format.
For multipage formats like PDF and Multipage TIFF there is no limitation, as all pages are
transferred in one file.
Maximum length of username is 32 bytes, if it's longer authentication will fail with an error.

Print job notifications about the status of the Spooler, which are shown in the terminal when
the configuration option "showSpoolerAvailabilityNotifications" is enabled, are not working. The
print flow in the screen is not working properly and the job might fail to print.
Finishing options
Proper functionality of Advanced Finishing options is guaranteed only with YSoft

Universal Print Driver
Not all Finishing options are supported on every device, for detailed information see the
Quotas
Direct print and the Print All functionality are not fully controlled by the quota
mechanism. While quotas are correctly decreased, user can perform operations even after
reaching zero. Therefore, it is recommended to disable these features while using print
quotas.
It is not possible to use quotas Print, Copy, Color, BW (but it is possible to use their
combinations, e.g. Print Color)
Using the All Pages quota (which is a quota for any operation of any color):
With fujiXeroxEnableDefaultQuotaTogglingStrategy enabled, only half of the quota can

be used for printing, the other half is divided between BW and color copy jobs. If user
has quota for all pages = x, then
BW Copy = x/4
Color Copy = x/4
Print = x - x/4 - x/4
With fujiXeroxEnableDefaultQuotaTogglingStrategy disabled, when user chooses Copy

operation, the quota balance is divided between BW and color copy jobs. If user has
quota for all pages = x, then
BW Copy = x/2
Color Copy = x - x/2
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for HP
Requirements
Devices based on OXPd 1.7.X and newer platform are supported so far. No special settings are
Only HP devices with FutureSmart 4 are supported.
Display size 4.3" and larger.

Known Limitations
Scan Workflows:
The device's merging originals can be controlled by system property

hpScanJobAssemblyEnabled since MU28.
The device's merging originals does not allow you to combine document sources if you
start a scan from the feeder.
Compact PDF is not available (the fallback format is PDF).
Payment:
Detailed limitations:
Please see the detailed credit handling documentation.
Brief explanations:
The user can reach the negative balance in certain cases.
The user needs to have sufficient credit to copy/print/scan at least one cheapest page.
If there are any paid operations and the user has zero balance, not all free operations
may be accessible.
For combinations of color and black&white quotas for given operation, the lowest quota
is applied.
The user can deplete his unused quota and block any further operation in case
additional credit requests occur.
Blank pages do not count towards Page quotas.
Stop on zero for scanning is not supported - the user can get to negative balance.
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for Konica Minolta
This information is also applicable for Develop, Olivetti, and Aurora devices.
Requirements
A licensed and configured Konica Minolta OpenAPI platform at the device (OpenAPI version 3.6
or higher) is required.
Konica Minolta OpenAPI3 Account Map is the recommended option for accounting.
The Konica Minolta MyPanel application or web-browser support requires OpenAPI version 3.6
or higher and an iOption license.
Most of the printers require extended memory and a hard drive for full functionality (more
details in Hardware Compatibility List).

For the precise accounting of billing codes for copy and scan jobs, the devices must be able to
correctly provide the Track ID information. Support for Track ID can vary per device model and
firmware version. If Track ID is provided, the job is accounted with the billing code from Track
ID, otherwise, the job is accounted to the billing code that is currently selected. Print jobs are
accounted to the billing code that is currently selected.
Failover with etcd enabled or with a shared DeviceConfigurationData folder is needed if you
use localized keyboards or if you are experiencing issues with user IDs. Usage of etcd is
preferred for all failover solutions on Konica Minolta. More information can be found in the
article Configuring Terminal Failover.
Setting OpenAPI to version 4.2 is required in order to successfully establish secure connection
for downloading the device description to the Terminal Server.
Known Limitations
The terminal inactivity timeout setting in the user's additional configuration is supported only
for YSoft SafeQ Embedded Terminal for Konica Minolta - 2nd Gen.. The timeout can be also set
directly on the machine. For more information, see Konica Minolta - Configure inactivity timeout
.
For limitations related to printing from USB, see the article printing from USB on YSoft SafeQ
Embedded Terminal for Konica Minolta.
By default, the scan jobs performed by a user with insufficient credit are accounted. This may
cause a discrepancy between YSoft SafeQ reports and the information in Payment System.
This behavior can be altered when the configuration "accountingCanceledScanWithZeroPages"
is set to "Enabled". The canceled scan job is accounted with 0 pages, so accounting
information from the MFD is ignored.
Jobs performed by a public user and jobs sent directly to the printer are not accounted.
Users with the username "admin", "ce" or "public" are not supported.
OpenAPI 4.0 or higher:
The scan workflow's description cannot be longer than 60 characters.
In the scan workflow settings, the value attribute of an administrator parameter (or the
default value of a user parameter) must not be longer than 64 characters.
Native interface:
A simplex/duplex option for the scan is not propagated from the scan workflow template
on IT4 generation devices and older. Therefore, these settings have to be set manually on
the device's panel.
It is not possible to mark jobs as favorite.
There can be only five jobs in the device scan job queue, the sixth job will fail with the error
code 21 in the OpenAPI log. It is caused by the device having finite resources.

For the 367 series onward, MFPs not implemented with enhanced memory fail on scans with a
compact PDF and high resolutions.
A black and white scan with a JPEG and Compact PDF file format is not supported by all
devices, and on some, scans may fail without any appropriate message.
Authentication in offline mode is not supported with the YSoft SafeQ Terminal Application -
2nd Gen.
Authentication methods requiring authentication by card are not supported with Serverless
Pull Printing. The affected authentications methods are: Card, Card and username/password,
Card and PIN, Card and PIN (if PIN exists). This is caused by the inability of the printer driver to
get a card number for the job authentication and thus the job sent to the device can not be
assigned to a user.
Native "Blank Page Removal" scan feature is not available with YSoft SafeQ scan workflows. It
is available only if native scanning is used.
Secure connection for downloading the device description to the Terminal Server is not
supported for OpenAPI version 4.13.
Device settings became inaccessible (greyed out) when hw home button is used to exit SafeQ
application
Finishing options
The proper functionality of Advanced Finishing options is only guaranteed with YSoft Universal
Print Driver.
Not all Finishing options are supported on every device, for detailed information, please see
the Hardware Compatibility List.
Quotas
Summary
Stop-on-zero works only with a single quota defined for the user.
The terminal eventually detects if a user exceeded a quota. The amount by which a user
can exceed a quota depends on other quotas applicable to the user.
If the terminal detects that a quota has been exceeded, a warning screen is displayed with
a "Start" button on it. The user must log out. This applies both for native and browser-
based terminals.
Details
Page quotas are simulated using credit, prices, and restricting device functions.

Prices and device function restrictions are set at the beginning of a user session and
cannot be changed during the session.
Operations limited by a quota with a zero or negative remaining balance are blocked.
For example, COLOR 0 blocks all color jobs.
Operations limited by a quota with a positive remaining balance are limited by the total
number of operations. For example, PRINT 1 and COPY 1 means two possible operations.
See below for full details.
Operations for which no quotas apply remain unlimited. For example, if page quotas are
set for PRINT COLOR and PRINT BW, the number of copies is not limited at all.
The total number of operations allowed by a particular combination of quotas is the

maximum of the following sums of remaining balances (undefined quotas and quotas with
a negative balance are counted as zero):
PRINT + COPY
COLOR + BW
PRINT BW + PRINT COLOR + COPY BW + COPY COLOR
COPY + PRINT BW + PRINT COLOR
PRINT + COPY BW + COPY COLOR
If a user reaches the limit of the total number of operations, a warning screen is displayed
with a "Start" button on it. The user must log out. This applies both for native and browser-
based terminals.
Example: A user has COPY 1, PRINT 1, BW 1. Other quotas are not defined. Upon login, no
function is disabled and the user gets two operations. The user can now perform any two
operations in one session.
Scenario 1: The user performs two BW prints. The resulting quotas are COPY 1, PRINT -1,
BW -1. Upon next login, the user is restricted to performing any BW jobs and any print jobs
with one action left. Therefore, the user can perform only one color copy.
Scenario 2: The user performs one BW print and one color copy. The resulting quotas are
COPY 0, PRINT 0, BW 0. The user can now not perform any further operations.
Scenario 3: The user performs one BW print and one BW copy. The resulting quotas are
COPY 0, PRINT 0, BW -1. The user can now not perform any further operations.
Scenario 4: The user performs two color prints. The resulting quotas are COPY 1, PRINT -1,
BW 1. Upon next login, the user is restricted to perform any print jobs with one action left.
Therefore, the user can perform only one copy.

Requirements and known limitations of YSoft SafeQ Embedded Terminal for Lexmark
Requirements
The terminal requires devices supporting the Lexmark LeSF platform, Framework version 3, 4
and 5/6.
Devices with framework 5/6 could have troubles with freezing of waiting screen after the
scanning, or with loosing user's session data. These issues were fixed in a firmware released
in September, 2018. Please, ensure that you have the latest firmware.
Known Limitations
The installation is possible only on unauthenticated devices.
After every reinstall, a manual restart of the printer is strongly recommended.
If application-title is set, the device must be restarted manually after each re-installation. On
some devices, this configuration property may not take effect.
The initial-screen property in System settings can only be set to sq or shortcuts.
After re-installation, a device may occasionally show only a white screen. In such cases, it is
necessary to remove the YSoft SafeQ application from the device and install it again.
Machine wake up issues with the PIN screen with old firmware (works with firmware from
2015).
First login after device wake up is not processed correctly by the device. User needs to log in
again.
Exiting sleep mode by swiping a card is not supported.
Logging out by card is not available.
Incompatible jobs are moved from the Waiting to Printed folder when all jobs are printed from
the Waiting folder using the Print All button. The user is not notified about the presence of
incompatible jobs in the list.
If the Payment System is installed, the shownType configuration has to be set to separated.
Direct print jobs are released after pressing the Home button or after logging into the MFD
No YSoft SafeQ notifications can be shown in native applications. You cannot be notified
about insufficient credit in the Copy or USB Print native application.
Some more complicated screens (such as scan workflow settings) may, exceptionally, not load
properly. In such cases, it is necessary to return to the Home screen and navigate to the
screen again.

If color printing is restricted, USB color print jobs are printed in grayscale.
Class drivers are not supported. PS and PCL drivers are compatible with YSoft SafeQ without
any issues.
It is not possible to restrict print jobs sent directly to the printer's IP address.
Fax accounting is not available.
Finishing options:
Proper functionality of Advanced Finishing options is only guaranteed with YSoft Universal
Print Driver.
Not all Finishing options are supported on every device. For detailed information, please see
the Hardware Compatibility List (HCL).
Scan workflows are supported with limitations
List and browsing user inputs are not supported. Instead, they are displayed as regular
input fields and user can input any text. So it's recommended to use only scan workflows
without user input List and without folder browsing enabled.
Validations are not done when the scan is executed. If the values in the inputs are wrong,
the scan is still executed.
Quota limitations
No known limitations
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for OKI and OKI sXP2
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for OKI
General Notes
The terminal requires a properly licensed and configured OKI Embedded Platform.
Support for SDK 2.4 - 4.
SDKs 4.2 and higher are not supported
Known Limitations
The initial-screen property is not supported.
YSoft Payment System is not supported.
Page quotas are not supported.
Embedded terminal accounting does not account blank pages.
Scanning multiple sheets (simplex or duplex) in one scan job is supported only when scanning
using the automatic document feeder (ADF).

The Username and Password authentication method is not supported for users containing the
@ character in their username. More details in the article configuring OKI for YSoft SafeQ
Embedded Terminal with @ character in username.
Black and white JPEG scanning is not supported. If the black and white color option and JPEG
format are selected when scanning, the job is not processed and a screen with a "Scanning
error" message displays.
The IIS 7.5 or higher (e.g., Windows Server 2008 R2 or higher) is required for the Scan feature.
A PIN must not start with zeros.
It is not possible to account blank pages when printing in duplex.
The terminal might not work properly if MFD certificate validation is enabled (configuration the
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for OKI sXP2
Known Limitations
Exiting the sleep mode by swiping a card is not supported.
It is not possible to restrict print jobs sent directly to the printer's IP address
Card self-registration is not available.
Logout by card is not available.
Guest user must be enabled for printing.
Print Accounting
Guest user must be enabled.
You cannot mix different paper sizes in one job.
If you use a PCL driver and a printed duplex document contains an odd count of pages, the
duplex job is accounted for even pages.
A black and white JPEG scan is not supported. If the black and white color option and JPEG
format are selected when scanning, the job is not processed, and a screen with an Error
message displays.
Manual deletion of the YSoft SafeQ application from the device is required after embedded
terminal's uninstallation. (Device web administration > sXP Application > Delete SafeQ
Application)

Print jobs do not stay collated if you change the number of copies in the finishing options for
the job. (A four-page job is printed as 1,1,2,2,3,3,4,4 instead of 1,2,3,4,1,2,3,4)
The terminal might not work properly if MFD certificate validation is enabled (the configuration
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for Ricoh
Requirements
YSoft SafeQ Embedded Terminal for Ricoh is a software extension of Ricoh devices.
The terminal requires a licensed and configured Ricoh ESA™ Platform at the MFP (SDK/J
version 4+).
Java Card is required to be loaded in the device (already delivered, by default, with newer
types of Ricoh devices).
Valid certificate present (for secured connection)
Before Build 36 strongly recommended
Build 36 and higher mandatory
See chapter Configuring Ricoh, section Create a MFD certificate on Ricoh devices
Known Limitations
Accounting
Accounting of scans performed via the native scanning application is not supported.
Printing from USB is not supported, such jobs will not be accounted.
Payment system integration
The copy operation may not stop immediately once the minimum balance is reached.
Depending on the device, there can be a small delay that allows the users to overrun their
balance. For example, MP C305 charges for two A4 copies but stopped after six. Therefore,
registration of the debt has to be allowed in YSoft SafeQ Payment System. Otherwise, the
user would be able to continue copying even after using up credit.
The credit balance is not displayed on devices with small displays.
Quotas
It is possible to reach a negative quota balance. It is mainly caused by a slow connection

between the device and the server.

If a user has less balance then is needed to perform five copies, the user is prevented from
performing any copy jobs. To allow copying, the quota balance must satisfy the following
conditions:
BW COPY, COLOR COPY, COLOR, BW – if defined, the balance of each of them must be at
least five.
COPY – must be at least BW COPY + COLOR COPY or BW + COLOR (if they are defined),
depending on which of the two sums is higher.
Similarly, if the user has a quota for all pages enabled, they must have at least five pages
available to be allowed to copy. If the user quota balance goes below five pages during a copy
job, their access to the copy operation is restricted.
Scanning
On devices without a paper size sensor (most of the A4 models, e.g., Ricoh Aficio MP 171, Aficio
MP 171 SPF, Aficio MP C400 Series, Aficio MP 201, Aficio MP 201 SPF, Aficio MP 301 Series,
Aficio MP C300 Series, Aficio SP 5200S + Aficio SP 5210SF + Aficio SP 5210SR, MP C305 SP,
Aficio MP C305 Series, MP C401 Series, etc.), the following behavior may occur:
Every even page may be rotated by 180 degrees in the resulting file when scanning from
the automatic document feeder (ADF) to JPEG format.
Every even page may be rotated by 180 degrees in the resulting file when scanning
manually from the glass to multiple TIFF files or to a single TIFF file. Note that a duplex
option for scanning from glass makes no sense.
Duplex scanning from the ADF works properly for multi-page PDF/TIFFs, other output file
types may have every other page rotated upside down.
A4 paper size may be enforced instead of auto-detection.
If the MFD is unable to detect the paper size automatically, scan cannot be made.
Finishing options
Print Driver.
Punching is not supported on Ricoh devices.
Other
When a disconnected USB card reader is connected to the device again (or the device is
woken up from sleep mode), it may take up to one minute (device dependent) till the USB card
reader responds again.
The configuration options initial-screen and separatedScanWorkflows are not supported.

It is only possible to log out from the YSoft SafeQ application using the hardware button on
SDK/J devices. To log out after copying, the user first needs to navigate to the YSoft SafeQ
application.
The native software logout button does not work on Android devices.
When a user works with native applications, an inactivity timer is started as a background
process. This timer is reset after each operation changing the device state (i.e., copy, scan,
print). Following a terminal inactivity timeout due to the native application or MFD menu use,
the user will automatically be logged out.
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for Ricoh SOP
Requirements
Web API token in Build 46 has only limited validity (2 months). To provide function of the
Embedded Terminal after this period, a new token with 2 years validity has to be obtained (or
update to a newer Build has to be performed).You can find the new token within a guide how
to update it on Partner Portal. You can also consult this with YSoft support.
YSoft SafeQ Embedded Terminal for Ricoh SOP is a software extension for Ricoh SOP G2 and
G2.5 devices.
The terminal requires a license YSoft SafeQ Embedded Terminal for Ricoh SOP.
Ricoh MFD must be set up by chapter Configuring Ricoh for 2nd Gen. SOP Embedded Terminal.
Valid certificate present (for secured connection).
See chapter Configuring Ricoh for 2nd Gen. SOP Embedded Terminal, section Create a MFD
certificate on Ricoh devices.
Known Limitations
Access and logging in
Card reader must be connected to SOP (Smart Operational Panel) USB or micro-USB. If
connected to MFD USB, it won't work.
Card reader may become unavailable for up to 30 seconds after transiting the MFD to sleep
mode. Card reader green notification light is turned off during this period to show the
unavailability and then turned back on when it is available again.
Card number is case sensitive and it must be in upper case while it is manually added into
management for user (f.e. 05825EDE016000), same behavior as Ricoh SDKJ.
Logout timeout set in SafeQ is not supported. After the screen is turned off by a MFD
(Android) timeout, user is logged out.

If YSoft SafeQ Billing Codes application is installed, it is always displayed after login.
If YSoft SafeQ Billing Codes feature is turned on and a user closes the billing code application
instead of choosing billing code, the user is logged out as prevention from using native
applications without billing code selected.
If the YSoft SafeQ Billing Codes feature is turned on, it is possible to overcome the
enforcement of selection of billing code for native applications:
1. User with multiple billing codes logs in (redirect to SafeQ Billing Codes application is
triggered → approximately 4s to finish)
2. User presses the home button before he is redirected to SafeQ Billing Codes application
3. User opens a native application before he is redirected to SafeQ Billing Codes

application
4. Then the user can use native applications without limitations while no billing code is
selected.
If SafeQ Billing Codes feature is turned on/off, proper function is not guaranteed unless the
terminal is uninstalled and installed again.
Only initial screens "sqprint" and "sqscan" (for SafeQ Print and SafeQ Scan respectively) are
supported for use with YSoft SafeQ Billing Codes - d efault setting "shortcuts" is not
supported.
Username "admin" is reserved for machine admin login feature.
Accounting
Session summary is not supported.
Paper roll accounting is not supported.
Stapling accounting is not supported.
G2 Devices
All jobs are accounted in one batch after user logs out. Details about printed/copied
/scanned/faxed pages are located in batch accounting job, including information about color
/bw/simplex/duplex
If device enters sleep mode before accounting of direct print job is finalized, the
submission of accounting data to SafeQ may be delayed until the machine is once again
powered up.
G2.5 Devices
In order to ensure proper function of device dependent accounting for direct print jobs
and jobs released in CBPR mode, Build 46 version of YSoft SafeQ FlexiSpooler (or
newer) must be installed.
If the older version of FlexiSpooler is used, following limitations apply:

Jobs are not accounted with their respective ID, but as new jobs
Billing code precedence "Job reception" is not supported for these jobs
Fax accounting (both G2 and G2.5)
All fax jobs are accounted in one batch after user logs out. Details about sent/received fax
pages are located in batch accounting job
Payment system integration
Charging and quotas are not supported.
Printing
Advanced finishing options are currently only experimental.
Scanning
For merging originals feature, users can combine feeder and glass in following way:
If the scanning is started from glass, user can at any point switch to scanning from
feeder. Once feeder is used, it must be used until the end of scanning session
Starting scanning from document feeder and then using glass is currently not supported.
If the MFD is unable to detect the paper size automatically, scan cannot be made.
Finishing options
Print Driver.
Other
Native application fail-over is not supported.
Only languages supported by both the device and YSoft SafeQ are supported.
When a disconnected USB card reader is connected to the device again (or the device is
woken up from sleep mode), it may take up to one minute (device dependent) till the USB card
reader responds again.
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for Samsung
Requirements
The Samsung XOA-E platform
An Android-based terminal (Polaris/Evergreen/ProXpress/MultiXpress)

Known Limitations of YSoft SafeQ Embedded Terminal for Samsung
Finishing options are not supported.
Scanning Workflows are not supported.
When a job containing different sizes of paper is printed in duplex, the device will account
each sheet (except the last one) as having been printed on both sides (e.g., a job containing a
small and a large page will be accounted as two small pages and one large page).
YSoft SafeQ Embedded Terminal for Samsung does not support display flipping.
Sometimes, the YSoft SafeQ Embedded Terminal icon disappears from a screen (e.g, the user
screen) where it was moved from the default place of XOA applications. It happens only on
devices where it is possible to move icons from place to place.
During the installation of YSoft SafeQ Embedded Terminal, the authentication method is set to
Device Authentication. This setting remains set on the device after the uninstallation of YSoft
SafeQ Embedded Terminal.
Quotas
Regardless of the real page amount in print and copy jobs, a device always asks for quotas in
10-quota chunks. When a user does not have 10 quotas, then the server calculates how many
pages can be printed from the current user quota and the request is satisfied just partially. As
a result, a few pages from the job might not be printed if the quota is insufficient.
When more jobs are to be printed, the device asks for quotas for all of them one by one
before executing them. Due to the above-described limitation, not all jobs/pages are printed
even if the user has a sufficient quota for all of them. The user can print all jobs in a one-by-
one manner.
Due to the first-described limitation, a mixed job might not be fully printed despite the fact the
user has a sufficient quota for all pages. The device always asks for 10 quotas when a
transition between bw and color type is reached. It can happen that 10 quotas are allocated
for the first transition despite the fact that a lesser amount is really needed and a greater
amount would be needed for the other color type during the following quota request.
Therefore, quotas are blocked without the possibility to use it at the moment they would be
needed elsewhere. Certain combinations of quota settings are more prone (money credit) than
others (the explicit distinction between a bw and color quota).
Device limitations:
It may occasionally happen that the device stops requesting reservations of quotas. In this
case, users are not limited in their actions, although operations are accounted by YSoft
SafeQ. To fix that, it is necessary to clear the main memory of the device and install the
device's firmware again.

Requirements and known limitations of YSoft SafeQ Embedded Terminal for Sharp
General notes
Embedded Terminal is a software extension of Sharp devices.
Without EAM module, Scan management is not available and a print job list is not refreshed
after print.
Embedded Terminal requires licensed and configured Sharp OSA Platform (ACM and EAM
module) at the device (OSA version 3.5 and higher).
Known limitations
Logout with card is not possible when card reader is in keyboard mode.
Logout with card is not possible when device is not fully unlocked (user did not enter to copy
or scan application after log in).
The initial-screen property is only supported on devices with OSA 4 and higher.
If the MFP device is asleep, user must start the device manually before swiping the card at
USB card reader.
When the user credential (i.e. user name, password) are not filled in, the Login button is active,
but it does not make any action.
Print is not supported for users with username "admin", "blankuser", "service", "users", "other",
"other2", "system", "invalid", "vendor", "vendor2" and "servicefss" as these are internally
reserved words.
In case of changing AMX2/3 license keys, Terminal Server must be restarted before installation
of ET.
In IC Card Mode enabled on device and Sharp mode set on USB card reader swiping card
causes occasional blinking of display.
The Authentication feature has to be installed with the mode set to To device when both
AMX2 and AMX3 licenses are enabled.
Finishing options:
Print Driver.
The following options are not supported: 3-punching and top punching, staple-right, half-folding
and Page Range.
Not all Finishing options are supported on every device, for detailed information please see the

Payment System:
YSoft Payment System is not supported on devices without AMX 3 license.
The print/copy operation may not stop immediately once the minimal balance is reached.
balance by about 4 pages. Therefore, registration of debt has to be allowed in YSoft Payment
System. Otherwise, user would be able to continue printing and copying even after using up
credit.
When the job is suspended due to insufficient funds, the following behavior differs depending
on the supported OSA version.
OSA version < 4.0 It is not possible to print, copy or scan on the device, unless the
suspended job is manually deleted.
OSA version ≥ 4.0 Suspended scan and copy jobs are automatically deleted; Print jobs are
stopped and waiting for user input (retry / delete).
If more jobs are printed in one batch, it might happen that the following jobs are suspended
even though the user has enough credit.
The reason for this is that the quota calculation for the next job is done before the
accounting information from the previous is sent.
The suspended jobs can be released by on the "Limits" native screen, here it is possible to
select the suspended job and re-check the limits. After confirmation the job is released.
Quotas:
It is not possible to use quota defined as PRINT or COPY (without color specification). Only
definitions like PRINT COLOR or COPY BW are allowed.
Print all or print more jobs - it is possible that not all jobs are printed. It depends on balance of
quotas. The strategy for reservation is the same as for credit handling.
Balance < 100 - whole quota is reserved (jobs have to be printed one by one)
Balance ≥ 100 - half of quota is reserved (jobs can be printed in batches)
It is possible, that device will copy or print up to 3 pages more than allowed by quotas.
Therefor, user can end up with negative quota limit.
Differences and limitations of AMX2 and AMX3 licensing

AMX2 license only
The Authentication feature has to be installed with the mode set to To each application.
Authentication is not required for copying.
Authentication screen is displayed after pressing Sharp OSA button.
Copy and scan jobs are not visible in YSoft SafeQ management interface.

Copy, scan and print jobs are not visible in history screen.
Accounting is not available.
After installation, logout and after cancelling card assignment or authentication, user is
navigated to screen “Select external application”.
In the case that the Authentication Mode is configured "To each application", the USB IC Card
mode is not working (the USB keyboard mode must be configured).
AMX3 license only
After authentication user is navigated directly to the embedded terminal application (The initial-
screen property has to be set to sqprint).
Return to embedded terminal from Sharp native screen is not possible.
Scanning is not available.
Both AMX2 and AMX3 licenses
In the case that both licenses are enabled (AMX2, AMX3) and the user login, he is taken to the
Sharp OSA native panel (not directly to YSoft SafeQ application).
The Authentication feature has to be installed with the mode set to To device.
Requirements and known limitations of YSoft SafeQ Embedded Terminal for Sharp-eSF
Known Limitations
The installation is possible only on unauthenticated devices.
If application-title is set, the device must be restarted manually after each re-installation. On
some devices, this configuration property may not take effect.
The initial-screen property in System settings can only be set to sq or shortcuts.
After re-installation, a device may occasionally show only a white screen. In such cases, it is
necessary to remove the YSoft SafeQ application from the device and install it again.
First login after device wake up is not processed correctly by the device. User needs to log in
again.
Exiting sleep mode by swiping a card is not supported.
Logging out by card is not available.

Incompatible jobs are moved from the Waiting to Printed folder when all jobs are printed from
the Waiting folder using the Print All button. The user is not notified about the presence of
incompatible jobs in the list.
If the Payment System is installed, the shownType configuration has to be set to separated.
Direct print jobs are released after pressing the Home button or after logging into the MFD
No YSoft SafeQ notifications can be shown in native applications. You cannot be notified
about insufficient credit in the Copy or USB Print native application.
Some more complicated screens (such as scan workflow settings) may, exceptionally, not load
properly. In such cases, it is necessary to return to the Home screen and navigate to the
screen again.
If color printing is restricted, USB color print jobs are printed in grayscale.
Class drivers are not supported. PS and PCL drivers are compatible with YSoft SafeQ without
any issues.
It is not possible to restrict print jobs sent directly to the printer's IP address.
Finishing options:
Proper functionality of Advanced Finishing options is only guaranteed with YSoft Universal
Print Driver.
Scan workflows are supported with limitations
List and browsing user inputs are not supported. Instead, they are displayed as regular
input fields and user can input any text. So it's recommended to use only scan workflows
without user input List and without folder browsing enabled.
Validations are not done when the scan is executed. If the values in the inputs are wrong,
the scan is still executed.
Quota limitations
No known limitations
Requirements and Known Limitations of YSoft SafeQ Embedded Terminal for Toshiba
General Notes
The embedded terminal requires properly licensed and configured Toshiba Embedded platform.
Support for SDK 2.4 - 4.
SDKs 4.2 and higher are not supported

Known Limitations
YSoft Payment System is not supported.
Page quotas are not supported.
Embedded terminal accounting does not account blank pages.
Black and white JPEG scanning is not supported. If the black and white color option and the
JPEG format are selected when scanning, the job is not processed, and a screen with a
"Scanning error" message displays.
IIS 7.5 or higher (e.g., Windows Server 2008 R2 or higher) is required for the Scan feature.
It is not possible to account blank pages when printing in duplex.
Requirements and known limitations of YSoft SafeQ Embedded Terminal for Xerox
Requirements
Embedded Terminal requires licensed and configured Xerox EIP Platform and Xerox XSA/CA at
the device (EIP 1.5 and higher).
Stop on zero functionality (with YSoft Payment System) requires Job Limits (EIP version 2.0 or
higher).
Xerox Network Accounting (JBA, Job Limits) kit is required for accounting.
Printer time has to be synchronized with YSoft SafeQ server time to ensure billing codes and
accounting works properly.
Known limitations
It is not possible to restrict user access rights of native applications per user. On most
devices, the support can be enabled by enabling property enableXeroxAccessDefinition in
System settings. On the not supported devices, this option can be configured for each device
by the administrator manually.
To be able to define Copy restrictions via YSoft SafeQ Management, the following settings
has to be done:
Set enableXeroxAccessDefinition property to enable in YSoft SafeQ System settings.
On the devices that do not support this option, the access restrictions can be also
configured by the administrator manually in the device configuration.

Color restriction defined via YSoft SafeQ Management is not supported for native applications
(eg. Copy). Terminal access rights for color operations must be configured for each device by
the administrator manually in the device configuration.
When a new billing code is changed while copying, the copy job will be assigned with the new
billing code.
The username can have a maximum of 32 characters in 8-bit ASCII. If used, another encoding
might not be displayed correctly at the terminal, however, the accounting and payment
features will not work correctly if the username is longer than 32 bytes.
Scanning on Versalink models with color mode set to Auto, device always produce PDF file
regardless of configured file format.
Finishing options:
Print Driver.
Page Range setting is not supported.
Not all Finishing options are supported on every device, for detailed information please see the
Payment and Quotas:
Refreshing of user credit after print/scan/copy operation works only on Xerox devices with EIP
3.0 and higher (devices with second generation browser).
Charging on Xerox devices with EIP 1.x:
User is not stopped for using the device during one continuous session, but once he logs
out and has negative balance or quota, he won’t be able to log in next time.
Stop on zero on those devices is not supported due to technical limitations.
Works only with enabled Debt feature in YSoft Payment System settings.
SafeQube 2:
Authentication may not work on devices attempting to initiate SSL handshake using SSLv2 (e.
g. Xerox WorkCentre 7120.)
5.7.2.2 YSoft SafeQ Mobile Integration Gateway Requirements
Setup Requirements
The Mobile Print module license must be installed.
.NET 4.5.1 or higher.
Bonjour (included in installer).

Microsoft Windows Server 2012 and newer.
Mobile Integration Gateway must be installed on the same subnet as the clients are. Mobile
Integration Gateway uses broadcasting to OS X and iOS devices (when the device runs the
discovery of nearby printers), and broadcast is typically not allowed across different subnets.
Firewall exceptions must be configured for the IPP port (the default is 8050, can be modified
during the installation). Firewall exceptions are automatically created during the installation.
Target network printers must support plain PDF (PostScript print language), at some network
printers or MFDs, the PostScript/PDF language is not included, please consult your provider.
SSL Certificate
Mobile Integration Gateway embeds an SSL Certificate, which is used to encrypt the
connection between macOS and iOS devices.
The certificate is self-signed and expires on June 28, 2025.
5.7.2.3 YSoft SafeQ Mobile Terminal requirements and known limitations
Requirements
The applications support the following operating systems:
YSoft SafeQ MU 13+
Android app - Android 4.4+
iOS app - iOS 8.0+
Windows app - Windows 10 mobile
The device must have at least one of the supported printer identification features - camera, NFC
reader or Bluetooth 4 LE.
Camera
Used for identifying printer by scanning QR codes attached to the printer. For successful
scanning, the device has to point directly at the whole QR code from the short distance. QR code
should be well lit for successful scanning.
NFC technology (Android and Windows only)
Might be used for identifying printer by holding NFC tag over designated place on the device. To
use NFC tag, the device must have enabled NFC technology. NFC (near field communication) is
meant for a short distance. NFC tag needs to be held for few seconds steadily over designated
place on your device (can differ on every model).

Bluetooth 4 LE (Android and iOS only)
Used for identifying printer by recognizing information broadcasted from the printer using the
beacon. When the printer is configured to use beacon technology, YSoft SafeQ Mobile Terminal
application is able to recognize nearby printers and displays notification when YSoft SafeQ Mobile
Terminal application is launched. To find nearby printers, the device must have enabled Bluetooth
technology.
Known limitations
Online accounting is not yet supported in combination with YSoft SafeQ Mobile Terminal.
Payment System is not supported in combination with YSoft SafeQ Mobile Terminal (both
credit and quotas).
Advanced finishing options are supported only when the YSoft SafeQ Mobile Terminal is used
on the devices with Embedded Terminals.
Terminal Pro 4)
Lexmark and Sharp-eSF need interaction from user to release job from YSoft SafeQ Mobile
Terminal.
Billing Codes behavior
Billing Codes in YSoft SafeQ Mobile Terminal can be set individually for each print job
Billing Codes set in YSoft SafeQ Mobile Terminal will override the Billing Code set in the client
5.7.2.4 YSoft SafeQ server requirements
For hardware requirements, see Hardware Requirements.
Supported server operating systems
Operating System YSoft SafeQ Management Server Mobile Print YSoft Payment
/Site Server Server System
Microsoft Windows Server

2012 64bit

2012 R2 64bit

2016 64bit

Operating System YSoft SafeQ Management Server Mobile Print YSoft Payment
/Site Server Server System

2019 64bit
The last supported build for Microsoft Windows Server 2008 SP2 64bit and Windows Server
2008 R2 64bit was YSoft SafeQ Maintenance Update 29.
Note that Highlighter feature (part of Advanced Workflows of scanning functionality) is not
supported on Windows Server Core edition.
Supported Languages (Print Management)
User Interface
External and Embedded Terminals: See Configuring supported languages in Embedded Terminal.
*Some of the languages are supported only for some vendor specific Embedded Terminals.
Admin Interface
Chinese (simplified), Czech, Danish, Dutch, English, French, German, Hungarian, Chinese (simplified),
Italian, Japanese, Polish, Portuguese (Brazil), Portuguese (Portuguese), Romanian, Russian, Slovak,
Spanish, Turkish
Web browser compatibility
Mozilla Firefox
Google Chrome
Microsoft Edge Chromium (note: Microsoft Edge Legacy is not supported)
Internet Explorer 10 or higher (compatibility mode with any previous version is not
supported)
Supported Databases
Component Supported data engine
YSoft SafeQ 6 - PostgreSQL 11 embedded or standalone

Management Server Microsoft SQL Server 2012 (SP2/SP3)/2014/2016/2017 Standard or
Enterprise Edition, 32-bit or 64-bit

Component Supported data engine
YSoft SafeQ 6 - Site Server No database required (internal persistent cache).
YSoft SafeQ Payment PostgreSQL 11 embedded or standalone

System Microsoft SQL Server 2012/2014/2016 Express edition (see warning
below)
Microsoft SQL Server 2012 (SP2/SP3)/2014/2016/2017 Standard or
Enterprise Edition, 32-bit or 64-bit
Microsoft SQL Server Express is supported only when YSoft SafeQ Payment System is
installed on the Site Server, it cannot be used for Management Server installation.
System R equirements
.NET 4.8 or newer
GhostScript (version 9.0 or higher) for proper PostScript analysis. For details, see Print
language support and limitations.
No other known software may interfere with the product installed on the servers, especially
databases (unless intended for this installation), or other print solution.
You can use YSoft SafeQ 6 Pre-installation Checklists which help with verification of
requirements of different installation types.
Database Sizing
Example based on real customer data (10 million pages per month):
Management database: 16 GB per YSoft SafeQ server
Database Settings and Configuration
YSoft SafeQ provides automated database maintenance tools. Scheduled database maintenance
is strongly recommended. The following configuration is required for different database types.
Common settings
Login credentials for YSoft SafeQ access, with ownership rights to its database
Collation case-insensitive
Reliable low-latency network connection (if the database server is on another server)

Microsoft SQL Server configuration:
Correct collation: Case-Insensitive and Accent-Sensitive (language_CI_AS) where applicable
Database should be in Snapshot Isolation level
The user that YSoft SafeQ uses to connect to the databases must have the default language
set to English (but not British English) in the SQL Server
Enabled TCP/IP connection or named pipes
Enable Simple recovery model
To install YSoft SafeQ:
when installing with SQL account, db_owner and securityadmin server role is required. In
case you will let YSoft SafeQ create a database following permission is required: CREATE
ANY DATABASE.
when installing with domain user credentials or when "AlwaysOn Availability group" is used:
Enable Contained Databases is set to True at database server
Databases SQDB6, SQDB6_IMS, SQDB6_YPS are created in advance, CONTAINMENT is

set to PARTIAL
A single domain user service account is available with following rights:
account has db_owner rights for YSoft SafeQ databases (its username and
password should be specified during installation for DB connection)
account has administrative rights and "Log on as a service" at YSoft SafeQ server
(install package must be launched under this account by "run as"; YSoft SafeQ
services will be running under it once the installation finishes)
account is different from the account creating the databases, but belongs to the
same domain
To update/upgrade YSoft SafeQ the required rights are the same as for installation, except
that CREATE ANY DATABASE permission is not needed.
To run YSoft SafeQ the following database roles are required: db_datareader, db_datawriter,
db_ddladmin, db_accessadmin, db_securityadmin (or all can be replaced by db_owner).
In case that you are going to use the external MS SQL server with named instance, you will
need following to be allowed between YSoft SafeQ server and MS SQL server:
UDP, both directions, local port on MS SQL server is 1434. This communication is used
to query the SQL server (its SQL Browser service). The SQL Browser service will respond
and inform the requester about the port it shall connect to via TCP.
TCP communication, direction from SafeQ to SQL, port "random". The port number is
dynamically assigned by the SQL Browser service (http://technet.microsoft.com/en-us
/library/cc646023.aspx).

For SSL communication refer to Configuring MS SQL for SSL/TLS.
If you need a specific database collation, refer to Installing YSoft SafeQ Management Server
on server with specific database collation for MS-SQL database.
In case of standalone data warehouse database deployment, refer to First server installation
with standalone data warehouse database.
For domain users authentication refer to Installing YSoft SafeQ Management Server on
external MSSQL using domain users.
For AlwaysOn Availability group configuration refer to Installing YSoft SafeQ Management
Server on MSSQL AlwaysOn Availability group.
PostgreSQL configuration
UTF-8 collation
Version 11 only
Non-local-admin account for running PostgreSQL system service (Windows OS)
To install, update or run YSoft SafeQ Management Server database user must have
superadmin role.
Database server timezone should be correctly configured: Configuring the PostgreSQL Time
Zone for Correct Print Job and Report Data.
In case of standalone data warehouse database deployment, refer to Configuring PostgreSQL

for remote database connection.
Database users
Main database system user - required by YSoft SafeQ installation. We usually use sa for
MSSQL with role db_owner, securityadmin and CREATE ANY DATABASE. We usually use
postgers for PGSQL with superadmin role. Database user is required by YSoft SafeQ
Management Service, YSoft Payment System and YSoft SafeQ Infrastructure Service. With
single tenant licence and for standard system run (not for installation and not for update) we
require for MSSQL role db_owner and securityadmin.
Cluster management database user - usually cluster_mngmt. User is created by YSoft SafeQ
installation. Database user is required by YSoft SafeQ Management Service. For MSSQL is
db_owner role required. For PGSQL is superadmin role required.
Hibernate database user - usually cluster_guest. User is created by YSoft SafeQ installation.
Database user is required by YSoft SafeQ Management Service.

Tenant database users - usually tenantuser_1 and dwhtenantuser_1. Users are created by
YSoft SafeQ installation or YSoft SafeQ Management Service. Database users are required by
YSoft SafeQ Management Service. For each new tenant n is created new couple of database
users tenantuser_n and dwhtenantuser_n by YSoft SafeQ Management Service.
System configuration case study of large deployment
Requirements
Large enterprise environment
Company
approximately 5 500 devices
approximately 250 000 entities in LDAP divided over more than 10 LDAP user domains
Print volume
400 million printed pages per year with average of 4,2 pages per job = ~ 100 million jobs
/ year
100 million jobs / 251 working days / 10 working hours / 60 minutes / 60 seconds = ~ 11
jobs / sec
scanning features used without OCR
Business requirements
Highly Available solution
Store reporting data for last 5 years
YSoft SafeQ Architecture
To achieve the above, Y Soft have implemented the following design:
2 Management servers
Management with embedded PostgreSQL deployed on both servers
PostgreSQL server configured in SSMD (see section Single Server Multiple Database
deployment in PostgreSQL cluster)
Primary and DWH (datamart) databases are split for ease of maintenance including backup
and recovery of databases
One PostgreSQL takes role of primary database, second PostgreSQL takes role of standby
database, there is streaming replication from master to standby
Management Server virtual machine specs
16 GB RAM

8 CPU units
21 Site Servers
Grouped in three Site Server Clusters (SPOC Group) of 10, 6, 5 nodes
Site Server specs
8 GB RAM
4 CPU units
Print volume
Mostly server side spooling, CBPR only on few devices
~ 50 GB of disk space used by primary PostgreSQL database
Data retention in DWH
Keep 5 years of reporting data in DWH
Time span requires ~500 GB of disk space used by DWH PostgreSQL database
Optimized Configuration
Optimization of Management server
Increasing Java memory to 2 GB is recommended for installations over ~100 000 users.

Management | JVM tweaks Default Value Optimized Value
Maximum Java heap memory (Xmx) 1024 2048
The recommended solution for large scale reporting is Data Mart Mode and using the including
Power BI reporting templates for data visualization. Using Web Reports and Management reports
are not recommended for large installations with high print volume.
Management | System | Configuration Default Value Optimized Value
enableManagementReport TRUE FALSE
web-stats-enable TRUE FALSE
enableCMLDataMart FALSE TRUE
Optional change to increase reporting data retention from 36 month default to 60 months.
Management | System | Configuration Default Value Optimized Value
maximumCMLDataMartMonths 36 60
Increase LDAP timeout for initial connection and network communication.
Management | System | Ldap Integration Default Value Optimized Value
Timeout (milliseconds) 5000 180000
Increase Management database timeout when data is archived and processed for reporting in
DWH database.
Management | C:\SafeQ6\Management\conf Default Value Optimized Value
databaseWarehouse.connections.queryTimeout (seconds) 1800 18000
Optimization of Site Servers
Increasing Java memory to 2 GB is recommended for installations with a high print volume.
Spooler Controller | JVM tweaks Default Value Optimized Value
Maximum Java heap memory (Xmx) 1024 2048
To maximize throughput of Site Servers without adding additional CPUs it is recommended to

disable job analysis and rendering. Job preview and metadata (color, duplex printing, number of
copies, ...) will not be available on terminals.
Management | System Configuration Default Value Optimized Value
jobAnalysisResolution LOW_RESOLUTION_RENDERING NO_RENDERING

previewResolution LOW_RESOLUTION_RENDERING NO_RENDERING
Optional configuration if print job volume is expected to be over 20 jobs / sec.
maxParallelJobProcessing 30 500
terminalServerHandlingThreads 10 40
YmqRunOnceWorkerThreadPoolSize 200 800
Optional configuration to save disk space on site servers by reducing retention time for job
storage on site server. This is not needed if majority of print is done via CBPR.
maxSpoolerJobTime 7d 0h 1d
maxSpoolerJobTimeCheckInterval 180 60
maxSpoolerJobTimePrinted 7d 0h 8h
Optional configuration to improve Site Server throughput by reducing file system writes. If
Spooler Controller services are restarted then transient unprocessed accounting data may be
lost..
cacheReplicationBufferPersistent TRUE FALSE
5.7.2.5 YSoft SafeQ Terminal UltraLight and Terminal Professional v3.5 requirements and
limitation
Requirements
Smart cable has to be connected and MFD configured to proper function of terminal.
Known limitations
Registration of new card by PUK or Login when authentication method Card&Pin is used
works correctly only on YSoft SafeQ Terminal Professional 3.5 with firmware 3.14.9 and newer
which support new authentication method .auth. YSoft SafeQTerminal Ultralight is not
affected by this problem.

Because of new architecture of YSoft SafeQ are all accounting information showed on
terminal taken from job parser. Result is that terminal can show different accounting
information (price and printed pages) that are on the end correctly accounted by online
accounting (read from device counters).
Scan workflows:
Scan workflows are supported only on YSoft SafeQ Terminal Ultralight.
Payment and Quotas:
Charging and quotas are not supported.
Know bugs:
TS-3753: Copy job is not accounted when user run out of paper in device tray.
Workaround: Increase the YSoft SafeQ System property closeSessionMaxWaitTime at least to

300 seconds.
5.7.2.6 YSoft SafeQ Workstation Requirements
For hardware requirements, see Hardware Requirements.
Supported workstation operating systems
Operating system YSoft SafeQ FlexiSpooler Universal print driver *
Microsoft Windows 10 32/64bit YSoft Universal Print Driver (v4)
Microsoft Windows 8.1 32/64bit YSoft Universal Print Driver (v4)
Microsoft Windows 8 32/64bit YSoft Universal Print Driver (v4)
Microsoft Windows 7 32/64bit HP Color LaserJet 2700 Series PCL6
*
Vendor drivers are can be used, but are not managed with FlexiSpooler.
Other operating systems are not supported.

Supported languages
YSoft SafeQ Client: Catalan, Chinese (simplified/traditional), Croatian, Czech, Danish, Dutch,
English, Estonian, Finnish, French, German, Greek, Hungarian, Indonesian, Italian, Japanese, Kazakh,
Korean, Latvian, Lithuanian, Malaysian, Norwegian, Polish, Portuguese (Brazil/Portuguese),
Romanian, Russian, Serbian (Latin/Cyrillic), Slovak, Slovenian, Spanish, Swedish, Thai, Turkish,
Ukrainian.
System requirements
.NET 4.8 or newer.
GhostScript version 9.0 or higher when PostScript print jobs are being processed, not required
otherwise.
Outbound connections:
Required Type Port Description (communication from the user)
Mandatory TCP 5555 YMQ - Communication between FlexiSpooler and

Spooler Controller
Mandatory HTTP 5559 File transfer between spoolers and requests

(S)
Mandatory YMQ 5558 YMQ - Communication between FlexiSpooler service

and Desktop Interface
Optional when printing via TCP 9100 Print (port could be configured per device on
RAW raw Management Interface)
Optional when printing via TCP 515 Print (port could be configured per device on
LPR lpr Management Interface)
Optional when printing via IPP 80/443 Print (port could be configured per device on
IPP(S) (S) /631 Management Interface)
Mandatory for Replication SMB 137/138/139 Replication of jobs to the shared folder
shared folder /445
Inbound connections
Required Type Port Description
Mandatory TCP 515 LPR job reception (port could be configured on Management Interface)
YSoft Universal Print Driver requires these four certificates added as trusted ones. Steps
how to install these certificates are here :
Thawte Primary Root CA

File name: thawte-root.cer
Serial Number: 34 4e d5 57 20 d5 ed ec 49 f4 2f ce 37 db 2b 6d
Windows Store certificate source selected: Trusted Root Certification Authorities
VeriSign Universal Root Certification Authority
File name: vsign-universal-root.cer
Serial Number: 40 1a c4 64 21 b3 13 21 03 0e bb e4 12 1a c5 1d
Windows Store certificate source selected: Trusted Root Certification Authorities
Thawte SHA256 Code Signing CA
File name: thawte-codesigningCA.cer
Serial Number: 71 a0 b7 36 95 dd b1 af c2 3b 2b 9a 18 ee 54 cb
Windows Store certificate source selected: Intermediate Certification Authorities
Y Soft Corporation a.s
File name: ysoft-codesigning.cer
Serial Number: 13 73 6b 11 64 e6 9e 6f 89 2e 94 bf 91 4e 93 ac
Windows Store certificate source selected: T rusted Publisher
Valid certificate for the YSoft Universal Print Driver

In case of Windows 7 operating system HP Color LaserJet 2700 Series PCL6 is used as
Universal print driver because YSoft Universal Print Driver is v4 driver which is not supported
on this system.
YSoft SafeQ FlexiSpooler service is configured to run under account using the Gregorian
calendar in regional settings.
5.7.3 REQUIREMENTS FOR THIRD PARTY LOAD BALANCER
Please see Configuring Terminal Failover for additional information.
The solution must be based on software or hardware load balancer in the customer's network
(black box Failover and Load balancing). The unit of failover and load balancing is one Spooler
Controller Group. The Spooler Controller Group is represented from the perspective of MFDs by
one and only one virtual IP address or FQDN (reverse lookups have to be configured) which is
held by the load balancer. This virtual address will be used by MFDs and YSoft SafeQ Terminals.
Following requirements are expected to be delivered by the load balancer for Terminal Failover:
It shall make failover decision based on the state of appropriate Windows Services as reported
by Service Control Manager of individual servers running SPOC/TS services AND/OR based on
the availability of selected TCP ports. If TCP based monitor is in place, required ports for
monitoring are 5555 (for SPOC service) and 5022 (for TS service). The TCP monitor must
finish connection after SYN - ACK with RST, not with FIN. Our recommendation for monitoring
period is 5 seconds with node considered down after 3 unsuccessful attempts. Node shall not
be considered up immediately but after defined time which must be based on real time
required for Management/Site Server to start.
The load balancer shall honor affinity between MFDs and particular SPOC/TS service instances
in the Spooler Controller Group based on the prior decisions made by the load balancer and
configurable timeout window. I.e., when the load balancer decides to connect an MFD with a
particular SPOC/TS service, it must connect the MFD to the same SPOC/TS service if
connection (incl. DNS lookup) attempts are made by the MFD before the configurable timeout
elapses. Affinity needs to be set for a minimum of 30 minutes.
The load balancer shall distribute requests among SPOC/TS nodes in the Spooler Controller
Group uniformly.
The load balancer shall distribute requests from MFDs to SPOC/TS based on Network
Communication (typically TCP ports 5011 - 5025 and ports for FTP/WebDAV)
The load balancer shall handle monitoring and reporting of the service failures on its own.

5.8 TROUBLESHOOTING GUIDES
In this section, you will find several guides for troubleshooting.
5.8.1 AN OVERVIEW OF YSOFT SAFEQ 6 SERVICES
5.8.1.1 About
This page describes the YSoft SafeQ services that are installed automatically after YSoft SafeQ
installation:
Name Short Description

Name
YSoft SafeQ Management Provides an administration web interface and manages the
Service YSoftSQ- whole YSoft SafeQ 6 installation.
Management
YSoft SafeQ LDAP Replicator Replicates user data from an LDAP server into YSoft SafeQ
YSoftSQ- 6.
LDAP
YSoft SafeQ Terminal Server Integrates devices with YSoft SafeQ 6 (e.g., accounting)
YSoftSQ-TS and controls YSoft SafeQ terminals of all types (embedded,
external, mobile).
YSoft SafeQ Workflow Executes workflows: facilitates the live selection of a

Processing System YSoftSQ- document's destination in third-party systems, processes
WPS
documents according to workflow definition, and delivers
processed documents to specified destinations.
YSoft SafeQ Spooler Controls business logic within Spooler Controller Group and
Controller YSoftSQ- facilitates cooperation between local YSoft SafeQ 6
SPOC
subsystems and other Spooler Controller Groups.
YSoft SafeQ Spooler Synchronizes Spooler Controllers within Spooler Controller

Controller Group Service YSoftSQ- Group.
SPOCGS
YSoft SafeQ End User Provides an end-userweb interface where end users can
Interface YSoftSQ- manage their YSoft SafeQ 6 accounts, manage queued
EUI
print jobs, and upload new print jobs.
YSoft SafeQ FlexiSpooler Receives, stores, and releases print jobs.

YSoftSQ-
FSP
YSoft SafeQ Bundled Etcd Manages service discovery and central configuration.
YSoftEtcd

YSoft SafeQ Infrastructure Registers and manages Infrastructure Service clients (e.g.,
Service YSoftIms YSoft SafeQ Terminal Pro 4, YSoft be3D eDee, YSoft
SafeQube 2).
YSoft SafeQ Infrastructure Registers and manages Infrastructure Service clients (e.g.,
Service Proxy YSoftImsPr YSoft SafeQ Terminal Pro 4, YSoft be3D eDee, YSoft
oxy
SafeQube 2) in a part of a distributed environment.
Optional services (based on selected features and the database type):

Name
YSoft SafeQ Bundled An open-source database system used by YSoft SafeQ

PostgreSQL 11 YSoftPG Management Service and YSoft SafeQ Payment System.
SQL
YSoft SafeQ Bundled An open-source database system used by YSoft SafeQ Payment
PostgreSQL 11 YYSoftP System when deployed during Site Server installation.
GSQL
YSoft SafeQ Mobile Print Receives print jobs submitted to a mailbox or hot folder (e.g., via a
Server YSoftSQ web interface), converts them into a PDF, and delivers them to
-MPS
YSoft SafeQ FlexiSpooler.
YSoft SafeQ Payment Manages quota and money accounts and processes transaction
System YSoftPS across the accounts.
Name Short Name Description
ABBYY SDK 11 Runtime Part of ABBYY Finereader 11 OCR engine which

License Service - Licensing ABBYY.Licensing. is used by Advanced Workflows module.
FineReaderEngine.
Service
Windows.11.0
The Mobile Integration Gateway service (installed using a separate installer):

Name
YSoft SafeQ Mobile Enables iOS and macOS devices to auto-discover and use
Integration Gateway YSoftSQ YSoft SafeQ as a printer.
-MIG
5.8.1.2 Default Installation Paths and Registry
Installation path Product name (Installed Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Wo

Programs) w6432Node\)

C: YSoft SafeQ Management \Y Soft Corporation\YSoft SafeQ 6\MGMT
\SafeQ6\Managem Service
ent
C:\SafeQ6\SPOC YSoft SafeQ Spooler Controller \Y Soft Corporation\YSoft SafeQ 6\SPOC
C:\SafeQ6\FSP YSoft SafeQ FlexiSpooler \Y Soft Corporation\YSoft SafeQ 6\FSP
C:\SafeQ6\MPS YSoft SafeQ Mobile Print Server \Y Soft Corporation\YSoft SafeQ 6\MPS
C:\SafeQ6\YPS YSoft SafeQ Payment System \Y Soft Corporation\YSoft SafeQ 6\YPS
C:\SafeQ6\WPS YSoft SafeQ Workflow \Y Soft Corporation\YSoft SafeQ 6\WPS

Processing System
C:\SafeQ6\MIG YSoft SafeQ Mobile Integration \Y Soft Corporation\YSoft SafeQ 6\MIG

Gateway
5.8.2 CREDIT HANDLING ON TERMINALS
5.8.2.1 Credit Handling
YSoft SafeQ 6 allows the limiting of the consumption of print, copy, and scan services using
credit. This is done via integration with YSoft Payment System.
Credit handling per vendor
The following pages describe how credit operations are handled by different vendors:
Limitations
YSoft SafeQ 6 has minor inaccuracies (far beyond the decimal point) in calculated prices.
Batch accounting is automatically disabled when the Payment feature is enabled on at least
one device.
5.8.2.2 Credit Handling on Fuji Xerox
Fuji Xerox
Default strategy
If the user has an account in the YSoft Payment System, a credit reservation is created for
the user (user without a YSoft Payment System account has quotas set to unlimited for all
operations).
If not, zero prices are set for the user.

The amount to be reserved depends on the user's current credit balance and on the price for
an A4 color page.
If the price for an A4 color page is 0, then one quarter of the user's current credit is
reserved.
If the user's current credit is higher than the price for 100 A4 color pages, then one quarter
of the user's current credit is reserved.
If the user's current credit is lower than the price for 100 A4 color pages but is higher or
equal to the price for 50 A4 color pages, the price for 25 A4 color pages is reserved.
If the user's credit is lower than the price for 50 A4 color pages, then the half of the user's
credit is reserved.
Then the quotas are defined according to the reserved amount.
Separate quotas are defined for individual operations: color scan, b&w scan, color copy,
and b&w copy
Each of the quotas (color scan, b&w scan, color copy, and b&w copy) is computed from
the amount to be reserved. In corner cases, debt can be created.
Once the job is finished, the accounting information is sent to YSoft SafeQ 6.
One settlement is generated for all transactions in the given session.
If a connection to YSoft Payment System is not available, the settlement is sent once the
connection is available again.
For each print job, a credit reservation is created before printing based on the price provided
by the parser. Once the job is finished, accounting info is sent to YSoft SafeQ 6, which settles
the transaction. If it is not possible to create a reservation, the job is not printed.
If the connection to YSoft Payment System is lost, it is not possible to create the credit
reservation in YSoft Payment System, therefore, the operation is forbidden. If the connection
to YSoft Payment System is lost during settlement, the settlement is sent later when the
The initial reservation has a specific time to live, once this time runs out, the reservation is
cancelled.
Example
User credit balance in YSoft Payment System is 10 €, the price for an A4 color page is 2 €.
The price list is configured in the following way:

Operation Price
A4 color page 2€
A4 B/W page 1€
A4 color copy 2.5 €
A4 B/W copy 1€
Scan 3€
Available A4 pages: User credit balance in YSoft Payment System/price for an A4 color page ≈
10 € / 2 € = 5
The user has credit for 5 A4 pages (the user's credit is lower than the price for 50 A4 color
pages), then half of the credit is reserved ≈ 10 € / 2 = 5 €
The quotas are calculated the following way:
Quota name Quota value Maximal price available for quota
A4 color copy 5 € / 2.5 € = 2 2.5 € * 2 = 5 €
A4 B/W copy 5€/1€=5 1€*5=5€
Scan 5€/3€=1 3€*1=3€
Corner case: The user performs all operations allowed by the quota's setting (∑ Maximal price
available for quota = 3 € + 5 € + 5 € = 13 € ), but the user has a balance of 10 € in YSoft
Payment System, so a debt of 3 € will be created.
Limitations
Quotas are applied separately for color and bw copy or scan jobs.
Different quotas are defined for color/bw pages. Those quotas are consumed
independently which means that if the user depletes the quotas for color pages, he/she is
still allowed to copy/scan in bw because the quotas for bw pages remained untouched.
Quotas are applied only at the beginning of the scan session.
Users can be prevented from scanning only if they do not have enough credit before the
scanning actually starts. It is not possible to interrupt a scanning operation that is in
progress in case the quotas are depleted.
YSoft Payment System with direct print does not work.

Print all will print all waiting jobs regardless of the user's actual credit. Direct prints are not
charged.
A debt can be registered for the user.
The initial reservation can be canceled:
If the MFD is busy after the defined time to live runs out.
Prints performed from YSoft SafeQ 6 are handled individually by YSoft SafeQ 6 subsystems
according to prices estimated by the print job parser. For other types of print (e.g., printing
from USB), there are quotas set by YSoft SafeQ 6 and handled by the device itself.
The print quotas are set during login and are not consumed when printing from YSoft
SafeQ 6. Therefore, when using both print from YSoft SafeQ 6 and other types of print in a
single session, the user can go into debt.
Requirements
YSoft Payment System operations require devices with SSMI 1.4 or higher.
For proper functioning, the print job parser needs to be enabled and set to render jobs.
5.8.2.3 Credit Handling on Fuji Xerox XCP
Fuji Xerox XCP Terminals
Two different quota reservation strategies can be used. The selected strategy is configured
by the configuration option "Use default quota toggling strategy for FujiXerox"
(fujiXeroxEnableDefaultQuotaTogglingStrategy) in the System Settings.
If the configuration option is set to enabled, the quotas on YSoft SafeQ Embedded Terminal
for Fuji Xerox are calculated from for all operations (color scan, bw scan, color copy and bw
copy). This allows the user to perform all operations but with smaller quotas for each
operation.
Enabled is the default setting.
If the configuration option is set to disabled, the user is forced to select the desired operation
after authentication. The quotas are then calculated only for the operation the user selected.
The default quota toggling strategy is a solution for credit handling, and it is not applicable for
quota entitlement.
Behavior with "Use default quota toggling strategy for FujiXerox" enabled

Reservation strategy
If the user has an account in the YSoft Payment System, a credit reservation is created for
the user (a user without YSoft Payment System account has quotas set to unlimited for all
operations).
The amount to be reserved depends on the user's current credit balance and on the price for
an A4 color page.
If the price for an A4 color page is 0, then one quarter of the user's current credit is
reserved.
If the user's current credit is higher than the price for 100 A4 color pages, then one quarter
of the user's current credit is reserved.
If the user's current credit is lower than the price for 100 A4 color pages, but is higher or
If the user's credit is lower than the price for 50 A4 color pages, then half of the user's
credit is reserved.
Then the quotas are defined according to the reserved amount.
Separate quotas are defined for individual operations:
color scan
bw scan
color copy
bw copy
Each of quotas (color scan, bw scan, color copy and bw copy) is computed from the
amount to be reserved. In corner cases, a debt can be created.
Once the job is finished, the accounting information is sent to YSoft SafeQ 6.
One settlement is generated for all transactions in the given session.
If a connection to the YSoft Payment System is not available, the settlement is sent once
the connection is available again.
For each print job, a credit reservation is created before printing based on the price provided
by the parser. Once the job is finished, accounting information is sent to YSoft SafeQ 6, which
settles the transaction. When it is not possible to create a reservation, the job is not printed.
When the connection to YSoft Payment System is lost, it is not possible to create the credit
reservation in YSoft Payment System, therefore, the operation is forbidden. If the connection
to the YSoft Payment System is lost during settlement, the settlement is sent later when the
Example

User credit balance in YSoft Payment System is 10 €, the price for an A4 color page is 2 €.
Operation Price
A4 color page 2€
A4 bw page 1€
A4 bw copy 1€
Scan 3€
Available A4 pages: User credit balance in YSoft Payment System/price for an A4 color page ≈
10 € / 2 € = 5
The user has credit for five A4 pages (the user's credit is lower than the price for 50 A4 color
pages), then half of the credit is reserved ≈ 10 € / 2 = 5 €
The quotas are calculated in the following way:
A4 color copy 5 € / 2.5 € = 2 2.5 € * 2 = 5 €
A4 bw copy 5€/1€=5 1€*5=5€
Scan 5€/3€=1 3€*1=3€
Corner case: A user performs all operations allowed by the quota's setting (∑ Maximal price
available for the quota = 3 € + 5 € + 5 € = 13 € ), but the user's balance in the YSoft Payment
System is 10 €, this means that a debt of 3 € will be registered for the user.
Behavior with "Use default quota toggling strategy for FujiXerox" disabled
Reservation strategy
The user authenticates at the terminal and the terminal checks whether the user has an
account in YSoft Payment System.
If yes, the user is forced to select the action for which the quotas will be defined, the options
are:
Print
Scan
Copy

All available credit is used to calculate the quota for the selected operation (apart from Print),
quotas for other operations are set to 0.
Separate quotas are defined for color/bw operations.
Print quotas are not set as printing is handled by YSoft SafeQ 6 subsystems according to
the prices estimated by the print job parser.
The user is allowed to perform only the selected operation (either print, copy or scan)
Example
User credit balance in YSoft Payment System is 10 €, the price for an A4 color page is 2 €
Operation Price
A4 color page 2€
A4 B/W page 1€
A4 B/W copy 1€
Scan 3€
The whole user credit will be reserved ≈ 10 €. Suppose user will select the Copy operation.
The quotas are calculated in the following way:
A4 color copy 10 € / 2 € = 5 2 € * 5 = 10 €
A4 B/W copy 10 € / 1 € = 10 1 € * 10 = 10 €
Corner case: A user performs all operations allowed by the quota's setting (∑ Maximal price
available for the quota = 10 € + 10 € = 20 € ), but the user has balance of 10 € in YSoft
Payment System, this means that a debt of 10 € will be registered for the user.

Diagram

Limitations
Print quotas are not set (printing is handled by YSoft SafeQ 6 subsystems according to the
prices estimated by the print job parser).
Print jobs are handled by YSoft SafeQ 6 because Fuji Xerox devices do not have a working
"stop on zero" feature for printing.
Quotas are applied separately for color and bw copies or scan jobs.
Different quotas are defined for color/bw pages. Those quotas are consumed
independently which means that if the user depletes the quotas for color pages, he/she is
still allowed to copy/scan in bw because the quotas for bw pages remained untouched.
YSoft Payment System with direct print does not work, users are not charged for the direct
prints.
Print all will print all waiting jobs regardless of the user's actual credit.
A debt can be registered for the user.
If the MFD is idle after a user logs out.
If the MFD is busy after the defined time to live runs out.

Requirements
YSoft Payment System operations require devices with SSMI 1.4 or higher.
For proper functioning, the print job parser needs to be enabled and set to render jobs
(because of handling print jobs by YSoft SafeQ 6 and the Fuji Xerox "stop on zero" limitation).
5.8.2.4 Credit Handling on Ricoh
Known issues and limitation
The print job parser needs to be set to at least the option Render jobs as low resolution (36
DPI) images in order to use the YSoft Payment System with YSoft SafeQ Embedded Terminal
for Ricoh.
The copy operation may not stop immediately once the minimal balance has been reached.
balance. The user has credit for two copies but wants to copy, e.g., 10 times. The MP C305
device will stop copying, e.g., after six copies..
Copying
When a user requests copying, an initial reservation is created. The reservation is driven by
YSoft SafeQ pricePerPageReservationStrategyForCopyOnHwTerminal and the
6
pagesCountReservationForCopyOnHwTerminal properties available in YSoft SafeQ system
settings.
The formula for creating a reservation is: MIN|MAX from the user price list where Price != 0 *
pagesCountReservationForCopyOnHwTerminal.
If the user does not have enough credit for the initial reservation, they are not allowed to
copy.
When all prices are equal to 0, the user has no restriction and can copy for free.
The reservation can be modified during the copy session as the number of copies increases
and additional money needs to be reserved from the user's account, but until there is enough
money on the user's account.
Copying with quotas
When a user requests copying, an initial quota reservation is created. Reservation amount is
always 5 pages and it cannot be modified.
If the user does not have enough quota for the initial reservation, they are not allowed to
copy.

Printing
The estimated price of the job received from YSoft SafeQ 6 is reserved in YSoft Payment
System.
If the reservation is successful,the job can be printed. After the job is printed, the actual price
of the job is calculated and settled.
Scanning
Once the document is scanned, the actual price for the job is computed and the terminal tries
to allocate this amount in the YSoft Payment System.
If the allocation is successful, the allocated amount is immediately reserved, and the amount
is immediately settled in YSoftPayment System. If the reservation is unsuccessful,the whole
scan job is discarded.
5.8.2.5 Credit handling on Samsung
Printing
Samsung quota mechanism is designed to asks for closest highest 10 pages. When user does not
have quotas for 10 pages then the quota request is satisfied just partially. It is calculated how
many pages can user print from current balance and the amount is returned to the device. It can
happen that not all job pages are printed if quota is insufficient. Device stops on zero not
considering whether all job pages are printed or not.
Stop on Zero: Works on zero.
Copying
There is the same behavior as described in print above.
Scanning
Samsung asks for 1 quota per single page. If 3 pages are scanned, then 3 pages will be reserved.
If 11 pages should be scanned, then 11 pages will be reserved.
5.8.2.6 Credit Handling on Sharp
Limitations and known issues

The print/copy operation may not stop immediately once the minimal balance has been
reached. Depending on the device, there can be a small delay that allows users to overrun
their balance by about four pages.
On some devices the copy operation may not stop immediately once the minimal balance
has been reached if the user copies an original to multiple copies. The balance is
checked only after all the copies are printed out (not after each paper is printed out). (I.e. If
a user copies an original to 250 copies it could happen all the copies are printed out even
if the user has balance only for 10 copies).
When the job is suspended due to insufficient funds, the following behavior differs
depending on the supported OSA version.
OSA version < 4.0 It is not possible to print, copy or scan on the device, unless the
suspended job is manually deleted.
OSA version ≥ 4.0 Suspended scan and copy jobs are automatically deleted; Print jobs
are stopped and wait for user input (retry/delete).
On OSA version < 4.0 If more jobs are printed in one batch, it might happen that the
following jobs are suspended even though the user has enough credit.
The reason for this is that he quota calculation for the next job is done before the
accounting information from the previous job is sent.
The suspended jobs can be released on the "Limits" native screen. It is possible to
select the suspended job there and re-check the limits. After confirmation, the job is
released.
A user should not print multiple jobs in one print batch (print all, print multiple selected
jobs) to avoid possible suspended jobs. Jobs should be printed one after another with a
break of about five seconds between printing the next one to reduce the probability of
suspended jobs.
Quota Calculation
After user authenticates on the terminal, the terminal checks whether the user has an
account in the Payment System. If not, no restrictions are set for the user.
If the user has account in the Payment System, users quota are calculated based on users
credit.
Devices with OSA 4.0 and higher

Print
The reservation amount for a print job is calculated from the parser data and the maximum quota
is used.
Copy and scan

Quotas are calculated according to the reserved amount.
The reserved amount depends on the user's current credit balance and the price for an A4
color page:
If the user's current credit is higher than the price for 100 A4 color pages, half of the
user's current credit is reserved.
If the user's current credit is lower than the price for 100 A4 color pages but higher or
If the user's credit is lower than the price for 50 A4 color pages, the user's entire credit is
reserved.
Separate quotas are defined for color/black and white copies.
Devices with OSA lower than 4.0

Print, copy and scan
Quotas are calculated according to the reserved amount.
The reserved amount depends on the user's current credit balance and the price for an A4
color page:
If the user's current credit is higher than the price for 100 A4 color pages, half of the
user's current credit is reserved.
If the user's current credit is lower than the price for 100 A4 color pages but higher or
If the user's credit is lower than the price for 50 A4 color pages, the user's entire credit is
reserved.
Separate quotas are defined for color/black and white prints, color/black and white copies.
Printing
Secure Print
If the user does not have enough balance to print the selected job or the user reaches the
minimum balance when printing, a warning message appears on the terminal informing the
user that the job has been suspended.
The Limits button appears on the screen, this button navigates the user to the native screen
where the suspended job is displayed. From this screen, it is possible to delete the suspended
job.

Direct Print
If the user does not have enough balance to print the direct print job, the YSoft SafeQ
application appears with a warning message informing the user that the job has been
suspended.
Copying
If the user does not have enough balance to begin copying, a warning message displays
informing the user that the limit of pages has been reached and the copy job is denied.
If the user reaches the minimal balance while copying, the behavior differs depending on the
OSA version.
OSA version < 4.0
If the user reaches the minimal balance while copying, the copy job is suspended.
The Limits button appears on the screen, this button navigates the user to the native
screen where the suspended job is displayed. From this screen, it is possible to delete
the suspended job.
OSA version ≥ 4.0
If the user reaches the minimal balance while copying, the copy job is deleted and only
pages that were already copied are accounted.
Scanning
If the user does not have enough credit to begin scanning,the scan operation is stopped.
Sharp devices currently do not allow an ongoing scan operation to be stopped when the
minimal balance has been reached.
5.8.2.7 Credit Handling on Sharp-eSF
The current credit balance is not shown in Sharp-eSF native applications such as the Copy
application or the USB print application.
Printing
The estimated price of the job received from YSoft SafeQ 6 is reserved in YSoft SafeQ
Payment System.

If the reservation is successful, the job can be printed. After the job is printed, the actual price
Copying and Scanning
When you have an available credit balance for only a few pages, the pages will be scanned
and charged, and the rest will be refused.
5.8.2.8 Credit Handling on Xerox
Xerox's job limits feature is usedto process the job. Xerox's job limits feature is used.
Job limits determines the number of black and white/color pages and sends the information to
YSoft SafeQ 6 where the price for the jobis estimated.
The estimated priceis then reservedin the YSoft Payment System.
Afterthe job is finished,the transaction is settled.
Ifthe connection to YSoft Payment System is lost, it is not possible to create the reservation
in YSoft PaymentSystem,therefore, the operationis restricted.
5.8.2.9 Credit Handling on Konica Minolta
Info
The following information also applies to Develop, Olivetti and Aurora MFDs.
All transactions in a user's session on a terminal are settled only after the user logs out.
When the connection to YSoft Payment System is lost, the terminal holds the transactions
that need to be settled and repeats the attempt every five minutes (this value can be
configured).
When an MFD receives the balance = 0 from the YSoft SafeQ server during the print/copy
/scan operation and a negative credit not allowed, the only possible operation at the MFD
is to log out by the ID button and confirm a job only. Even if some job types have the cost
= 0, the MFD does not accept the execution of jobs from the MFD panel. Job execution
other than from the panel is possible (e.g., Print job = cost 0 and direct print is used when
the credit balance is 0).
Printing with Credit
1. The user logs into YSoft SafeQ Embedded Terminal for Konica Minolta.
2. The Embedded Terminal checks if the user has a Payment System account.
3.

3. YSoft SafeQ 6 creates an initial reservation for 10 large color duplex pages from the user’s
balance. The reserved amount is rented to the MFD. The initial reservation is mandatory due
to the specific handling of the charging by Konica Minolta devices.
If the user does not have enough credit to create a reservation for 10 large color duplex
pages, then the entire remaining user's credit is rented.
If the user has no credit, a reservation of 0 is created.
If the price for a large color page is zero, the reservation is 10 times the sum of the
maximum paper price and the maximum operation price. Note, that a large one color
print is counted as two times a normal one color print, which is defined in the price list.
If all prices are zero, a reservation of one is created (and later settled as zero).
4. The user releases a print job from the secure queue.
5. a) If the parser is enabled and the price for the job is correctly estimated, YSoft SafeQ 6
checks if the user's balance (including the reserved amount) is equal to or greater than the
estimated cost of the job. If not, the print job is not released to the MFD and the user is
informed.
b) If the parser is disabled or set to the option "Only analyze jobs", it will not be
possible to reprint a print job for which the user did not have sufficient balance. Depending
on the version of the firmware of the MFD, the MFD shows one of the following messages:
Insufficient funds.

Touch [Continue] to continue the job. Touch [Job End] to cancel the job. [Continue][Job
Finished]
Due to insufficient funds, the job could not be processed.
The job was deleted. [OK]
Upon tapping Job finished or OK, the job is removed from the print queue and its state
is either Canceled (if the configuration option "Delete after print" is disabled) or Deleted
(if the "Delete after print" is enabled).
6. If the user's balance is sufficient, YSoft SafeQ 6 releases the print job to the MFD.
7. The job is printed.
8. If the rented amount is depleted during printing, the MFD asks for the next rental.
YSoft SafeQ 6 reserves the cost of 10 A3 color pages from the user’s balance and rents
the amount to the MFD.
The original reservation amount increases.
If the user has no more balance available, the current job is stopped or rejected.
9. The print job is accounted by YSoft SafeQ 6.
10. The user logs out from the terminal.
11. The MFD computes the total amount of not-used rentals and returns it to YSoft SafeQ 6.
12. YSoft SafeQ 6 computes the real cost as follows: real costs = total rentals – not-used total
rentals.
13. YSoft SafeQ 6 charges the real costs from user’s account (the reservation is settled with
the real cost and the reservation is closed).
Warning
If the user has insufficient credit to print the entire print job, it may happen that the job gets
stuck. The MFD is in the state Printing error which causes all the following print jobs to be
blocked. To unblock the MFD, either the job needs to be deleted on the MFD using standard
administrator's credentials or the Terminal Server needs to be restarted.
Copying/Scanning with Credit
1. The user logs into YSoft SafeQ Embedded Terminal for Konica Minolta.
2. The Embedded Terminal checks if the user has a Payment System account.
3. YSoft SafeQ 6 creates an initial reservation for 10 A3 color pages from the user’s balance.
The reserved amount is rented to the MFD. The initial reservation is mandatory due to the
specific handling of charging by Konica Minolta devices.

3.
If the user does not have enough credit to create a reservation for 10 large color duplex
pages, then the entire remaining user's credit is rented.
If the user has no credit, a reservation of 0 is created.
If the price for a large color page is zero, the reservation is 10 times the sum of the
maximum paper price and the maximum operation price. Note that a large one color print
is counted as two times a normal one color print, which is defined in the price list.
If all prices are zero, a reservation of one is created (and later settled as zero).
4. The user asks YSoft SafeQ 6 to start a copy/scan job.
5. The user makes copies/scans for as long as the balance is sufficient.
6. YSoft SafeQ 6 accounts the copy/scan jobs.
7. The user logs out from the terminal.
8. The MFD computes the total amount of not-used rentals and returns it to YSoft SafeQ 6.
9. YSoft SafeQ 6 computes the real cost as follows: real costs = total rentals – not used total
rentals.
10. YSoft SafeQ 6 charges the real costs from the user’s account (the reservation is settled
with the real cost and the reservation is closed).
5.8.2.10 Credit Handling on Lexmark
The current credit balance is not shown in Lexmark native applications such as the Copy
application or the USB print application.
Printing
The estimated price of the job received from YSoft SafeQ 6 is reserved in YSoft Payment
System.
If the reservation is successful, the job can be printed. After the job is printed, the actual price
Copying and Scanning
When you have an available credit balance for only a few pages, the pages will be scanned
and charged, and the rest will be refused.

5.8.2.11 Credit Handling on HP
Overview
Use HP Payment feature to proper charging of balance and quotas, credit reservations and stop-
on-zero on HP embedded terminals.
Recommendation
Client certificate validation
Due the security reasons, it is recommended to set the following management property:
clientCertificateValidationMethod - Validation method used for client certificate validation when

communicating with YSoft SafeQ Embedded Terminals.
to: Always
Process overview
Here you can find several examples of possible user scenarios:
SafeQ Print with sufficient balance
1. The user authenticates on the printer
2. The user selects the SafeQ Print application
3. The user selects the print job(s) and clicks on the Start button
4. The printer will display the "Printing in progress" dialog
5. All papers from the print job(s) are successfully delivered.
SafeQ Print with insufficient balance
1. The user authenticates on the printer
2. The user selects the SafeQ Print application
3. The user selects the print job(s) and clicks on the Start button
4. The printer will display the "Insufficient balance" dialog
5. No papers from the copy job(s) are delivered.
Copy with sufficient balance, case 1
1. The user authenticates on printer
2. The user selects the Copy application
3. The user inserts all papers for copying to the printer

4. The user clicks on the Start button
5. The "Contacting Quota Service" dialog is displayed
6. The copy job starts.
7. All papers from the copy job(s) are successfully delivered.
Copy with sufficient balance, case 2
6. The copy job starts
8. The copy job continues
9. Steps 7-8 may occur multiple times
10. All papers from the copy job(s) are successfully delivered.
Copy with insufficient balance, case 1
6. The "Insufficient balance" dialog is displayed
7. No papers from the copy job(s) are delivered.
Copy with insufficient balance, case 2
6. The copy job starts

7. The "Contacting Quota Service" dialog is displayed at least once
8. The "Insufficient balance" dialog is displayed
9. Not all papers from the copy job(s) are delivered.
Copy with some error occurence
1. If any error dialog occurs during scenario "Copy with insufficient balance, case 1" or "Copy
with insufficient balance, case 2", follow the instructions in dialog.
Native print
1. Scenarios for Native print are identical to scenarios for Copy
SafeQ Scan, balance is sufficient for at least one page
The user authenticates on printer
The user selects the SafeQ scan application
The user inserts all papers for copying to the printer
The user clicks on the Start button
The "Contacting Quota Service" dialog is displayed
The scan job starts
The scan job is successfully delivered to the target medium
If the scan job was more expensive than users credit balance, user reached the negative
balance
SafeQ Scan, balance is not insufficient for even one page
The user selects the SafeQ Scan application
The scan job starts
The "Insufficient balance" dialog is displayed
The scan job is not successfully delivered to the target medium

SafeQ Scan with Page quotas entitlement
The user selects the SafeQ Scan application
The scan job starts
The scan job is successfully delivered to the target medium
Native scan
1. Scenarios for Native scan are identical to scenarios for SafeQ Scan
Credit handling for SafeQ Print application
Stop on zero for SafeQ Print application
For SafeQ Print application, the print job parser is used to determine the price of the job(s)
selected for print.
If the parser determines, the current credi/quota balance is not sufficient for all selected print
jobs, the print will not start.
The user will be allowed to print jobs with 0 price when having 0 balance.
The user will not be allowed to print anything when having negative balance.
The user can reach the negative balance due to processing SafeQ Print jobs in case there is
mismatch between print cost estimated by a print job parser and the final print cost reported by
a printer.
Credit reservation for SafeQ Print application
When using the SafeQ Print application, the necessary amount will be reserved from user's
account before the print.
If the user does select the "Print All" checkbox during authentication, the reservation for the jobs
will not be performed.
If the user does not select the "Print All" checkbox during authentication and he selects all jobs in
the SafeQ Print application instead, the reservation will be performed.
Example of screens for SafeQ Print:


insufficient page quotas message
Credit handling for Copy and Native Print application
Stop on zero for Copy and Native print
For both the Copy operation and the Native print operation, a stop-on-zero algorithm was
implemented. A printer will contact the YSoft SafeQ system to ensure the job is allowed to be
processed.
There are three main phases of the stop-on-zero algorithm:
1. Check before processing
2. Job processing
3.

3. Additional credit request
The flow of the stop-on-zero algorithm can be seen in following diagram:
Check before processing
The main goal of the check before processing is to determine whether or not can the processing
of the job be started.
The check before processing can result with the "Continue without limits" result. This means the
printer can start processing the job without any limits - no credit checking, no additional credit
requesting. This can happen for example when:
the requested operation is not limited by Stop on Zero algorithm (e.g. fax, ...)
the user has the Prepaid account entitlement set, but all prices in pricelist are zero
the user has the Page quotas entitlement set, but does not have any relevant quotas (e.g.
user has quotas only for print but the requested operation is copy)
the user has the Unlimited entitlement set
In case the requested operation is not considered as "Continue without limits" operation, the
reservation algorithm will compute the amount of credit/quotas. This amount is then reserved
(blocked) on the user's account and assigned to the printer.
The check before processing can result by failure. In this case, the processing of the job is not
started and corresponding dialog is displayed to the user.
The failure may be caused for examply when:
the user does not have sufficient credit/quotas
the user has the No access entitlement set

the username provided by the printer differs from username of logged user
etc.
Additional credit request
If the first amount of credit assigned to printer is not sufficient for processing the entire job,
printer will again contact the Quota Service and ask for assigning more credit.
If possible, Quota Service will reserve (block) additional credit/page-quotas on user's balance and
assign it to printer.
Printer can ask for additional credit multiple times, based on the print job size, available credit and
size of the reservation step.
During additional credit request it is possible to result with failure, for example if there is no more
credit left to be reserved and assigned to printer.
Computing the amount of credit assigned to a printer during each credit request
In case of incoming credit assignment request, the Quota service has to determine, how much
credit/page-quotas will be reserved (blocked) and assigned to a printer.
By assigning too small amount of credit/page-quotas, the job processing would be ineffective and
user-unfriendly, since the printer would be constantly contacting Quota Service for additional
batch of credit.
By assigning too big amount of credit/page-quotas, all available credit/page-quotas could be

needlessly reserved (blocked) on user's account and user could not for example run another job
on second device,
For determination of the proper credit/page-quotas amount to be assigned during each credit
assignment request, the kmReservationStep property is used. The kmReservationStep is a
multiplicator used to define the maximum amount of credit/quota reserved by the printer.
In case of prepaid account entitlement, the final amount of the credit reservation is the price of
the most expensive job multiplied by this value.
In case of page quotas entitlement, first the available amount for each assigned quota is limited
by the kmReservationStep value. After this limitation, the printer credit is derived from the
strictest page quotas.
Credit handling for SafeQ Scan and Native Scan application
Stop on zero for scanning
For both the SafeQ Scan operation and the Native scan operation, a stop-on-zero algorithm was
implemented. A printer will contact the YSoft SafeQ system to ensure the job is allowed to be
processed.
There are two main phases of the stop-on-zero algorithm:
1.

1. Check before processing
2. Job processing
The flow of the stop-on-zero algorithm can be seen in following diagram:
Check before processing
The main goal of the check before processing is to determine whether or not can the processing
of the job be started.
In case of Page quotas entitlement, the job will always get the permission to continue without
limitations, since Page quotas cannot be applied to scanning.
In case of Prepaid account entitlement, the Quota Service first performs a check, if the user has
sufficient balance for scanning at least one page. If user has insufficient balance for even one
page, then the operation will result with failure, and the scan operation will not start. The user
can reach the negative balance.
Troubleshooting - possible dialogs
Insufficient balance issue during pre - check
In case the user has insufficient credit/page-quotas balance for processing one cheapest page,
following dialog is displayed and the job is cancelled:

Insufficient balance issue during additional credit request
In case the user has insufficient credit/page-quotas balance for assigning additional credit to
printer, following dialog is displayed and the job is cancelled:
Credit reservation issue during pre - check
In case of credit reservation issue during pre-check, following dialog is displayed and the print job
is cancelled.
This may be cause for example due to lost connection to payment system or other system error.
Credit reservation issue during additional credit request
In case of credit reservation issue during additional credit request, following dialog is displayed
and the print job is cancelled.
This may be cause for example due to lost connection to payment system or other system error.

Authentication issue during pre - check
In case of any authentication issue, following dialog is displayed and the print job is cancelled:
This will occur in any of following situations or in combination of these situations:
user is not authenticated on the printer (authentication expired, system error)
job metadata from printer do not contain information about the authenticated user
job metadata from printer contain the username which is different than username of
authenticated user
Context issue during additional credit request
In a very rare case, user may encounter a context issue during additional credit request.
This means the Quota Service is unable to get necessary information to increase the reservation.
Troubleshooting - feature limitations details
The user can reach the negative balance in certain cases - no reservation peformed when
checking "Print All" during authentication
Note: the user cannot start the SafeQ Print if the estimated price of the job(s) exceeds his
available credit balance. The user will be correctly charged. The only issue is possibility to get to
negative balance when using two ore more printers simultaneously.
Note: If the user does not select the "Print All" checkbox during authentication and he selects all
jobs in the SafeQ Print application instead, the reservation will be performed.

The user can reach the negative balance in certain cases - insufficient minimum balance on
prepaid account for copy/native print/scanning
This limitation relates to users with prepaid account entitlement, who use the copy application,
native print application or the scanning application.
A minimum balance on prepaid account needs to be correctly set in order to prevent users to get
to negative balance on their account. This minimum balance will be used as a safety margin,
because the printer is unable to stop exactly on 0. This is caused by the depth of the device's
page pipeline. When the printer detects, that all assigned credit has been depleted, one or more
extra paper sheets can be delivered to the output bin before the job is indeed stopped. The job
may even succeed if the assigned credit is depleted just a few pages before finishing the job.
This is a known and documented limitation of the HP OXPd SDK.
All processed papers will be correctly accounted, but user could get to negative balance, if the
minimum balance is not properly set. Therefore setting the minimum balance to some convenient
value is recommended.
Note: During experimental testing, printer never delivered more than 15 extra pages over the limit.
Therefore the minimum balance could be set e.g. to fifteenfold of the most expensive page price.
However this number may vary for different printer models.
The user can reach the negative balance in certain cases - insufficient minimum balance on
page quotas for copy/native print
At the moment, YSoft SafeQ does not support setting minimum balance for page quotas. In case
the printer will deliver any sheets to the output bin after the zero balance was detected by a
printer, then the corresponding quotas will be exceeded and the user will get to the negative
balance.
The user can reach the negative balance in certain cases - exceeding the color - only page
quotas during simultaneous use of two printers
Due to design of the reservation algorithm, it is theoretically possible to exceed the color-only
quotas, if the user runs simultaneously both the print job and the copy job on two printers.
This limitation relates to users with page quotas entitlement who use the copy application or
native print application (print from USB, print from storage, ...)
This limitation will occur if all following conditions are met:
user has assigned quotas for PRINT-BW, COPY-BW and ALL-BW
user simultaneously authenticates on two different MFDs
user runs a native print job on printer 1, all pages are black&white
at the same time user runs a copy job on printer 2, all pages are black&white
reservation system will reserve (block) PRINT-BW for first job

reservation system will reserve (block) COPY-BW for first job
after settlement of both jobs, if the sum of printed & copied pages exceeds the available
balance of the BW quota, then the BW quota will be exceeded.
Corresponding example of such situation could be formulated for COLOR quota equivalents also.
This limitation is by design of YSoft SafeQ terminal server and CreditProvider.
The user needs to have sufficient prepaid credit to copy/print/scan at least one cheapest page
This limitation relates to users with prepaid account entitlement who use the copy application,
native print application, SafeQ Scan application or native scan application
In order to start the job, the Quota Service first checks, if the user has enough available balance
for processing of one cheapest page. If the user does not have sufficient available credit balance
for one least expensive page, then the operation will not start and the "Insufficient balance" dialog
will appear.
The minimum balance is not considered to be an available balance. In case user has the total
credit balance $101, minimum balance $100, then the available balance is considered to be $1.
E.g. if the minimum balance is $100, the user has total credit balance $101 and the least
expensive page is $2 (one simplex black&white page), the available balance ($1) is not enough and
the job will not be released.
This limitation is by design in order to prevent user from violating his/her minimum balance.
If there are any paid operations and the user has zero balance, not all free operations may be
accessible
This limitation relates to users with prepaid account entitlement who use the copy application or
native print application (print from USB, print from storage, ...).
the pricelist contains at least one job type which is for free (e.g. copy of A4 black&white
paper)
the pricelist contains at least one job type which is paid (e.g. copy of A4 color paper)
the user has available balance equal to 0
In case the pricelist consists of both free operations and paid operations and user has zero
available balance, then the print/copy will not be enabled.
E.g. price for click is 0, price for paper is 0, price for black&white copy is 0, price for color copy is $
2, user has available balance = 0. In this case, the insufficient balance message is shown and no
copy is done.
In case all operations in the pricelist are for free, user can proceed without any limit.

The minimum balance is not considered to be an available balance. In case user has the total
credit balance $101, minimum balance $100, then the available balance is considered to be $1.
For combinations of color and black&white quotas for given operation, the lowest quota is
applied. (User can only copy/print up to the value of the lowest quota)
Limitation will occur in e.g. following situations:
user runs a copy operation and has following quotas assigned: ANY-BW, ANY-COLOR
user runs a copy operation and has following quotas assigned: ANY-BW, COPY-COLOR
user runs a copy operation and has following quotas assigned: COPY, COPY-COLOR
(COPY quota also affects black&white)
user runs a copy operation and has following quotas assigned: COPY, ANY-BW
If any such quota combination for selected operation occurs, user can print/copy only up to the
value of the lowest quota.
E.g. User has following quotas assigned: COPY-BW, COPY-COLOR, with following available
balances: COPY-BW: 10, COPY-COLOR: 5. Lets suppose user has a copy job, where first 5 pages
are color and rest of them are black&white. After copying first 5 color pages, the balances are
now: COPY-BW: 10, COPY-COLOR: 0. The user could theoretically continue by copying rest
black&white pages, but the MFD does not allow to continue, because one of the quotas (COPY-
COLOR) has been depleted.
The user can deplete his unused quota and block any further operation in case additional
credit requests occur
user has assigned quotas for COPY-BW and COPY-COLOR
user has already copied bigger amount of black&white pages
during these copying, the printer contacted the Quota Service with additional credit request
multiple times
during these additional credit requests, all color quotas have been reserved (blocked)
user stil has sufficient black&white quota balance to continue copying

user is unable to continue the copying because Quota Service cannot reserve (block)
additional color quota
Limitation will occur in e.g. following quota combinations:
user runs a copy operation and has following quotas assigned: ANY-BW, ANY-COLOR
user runs a copy operation and has following quotas assigned: ANY-BW, COPY-COLOR
user runs a copy operation and has following quotas assigned: COPY, COPY-COLOR
(COPY quota also affects black&white)
user runs a copy operation and has following quotas assigned: COPY, ANY-BW
During every single additional credit request, both black&white credit and color credit are
assigned to a printer despite the real credit balance of the printer. Quota Service has no
information about individual credit balances of the printer, nor about the count and colority of
already printed/copied pages. If user prints/copies for example bigger amount of black&white
pages and no color pages and during processing of these pages the additional credit request was
served several times, then during each such request a specific amount of color credit was
reserved (blocked) on user's account. User can get to a situation, when he/she has enough
quotas for both and black&white pages, no color pages have been printed/copied, there is still
sufficient amount of black&white quotas to continue and yet the user is unable to continue
black&white printing/copying because his color quota balance has been depleted by multiple
reservations.
This is caused by the fact the printer provides no information about already processed pages, nor
about the state of its internal credit counters.
Blank pages do not count towards Page quotas
Blank pages do not count towards Page quotas. This limitation is caused by different approach to
blank pages in YSoft SafeQ and HP Printer.
Stop on zero for scanning is not supported - the user can get to negative balance
In current implementation, there is no implementation of stop-on-zero for scanning (both SafeQ

Scan application and native scan application).
The user can get to the negative balance. The user cannot start a scan job if he/she has the
negative balance at the beginning.

5.8.2.12 Credit Handling on Epson
Overview
Use the Payment feature to proper charging of balance and quotas, credit reservations and stop-
on-zero on Epson embedded terminals.
Recommendation
Secure the network to prevent unauthorized access.
Secure the connection between TS and printer (dsSslEnable system configuration option) -
set to true by default.
Reconsider utilization of the direct print feature, since it is not secure functionality by its
nature and the fact, that it is implemented by using insecure LPR protocol.
Process overview
Here you can find several examples of possible user scenarios.
SafeQ Secured Print with sufficient balance
1. The user authenticates on the printer.
2. The user selects the SafeQ Print application (Menu-Print).
3. The user selects the print job(s) and clicks on the Print button.
4. The printer will display the "Your print jobs have been sent to the printer" dialog.
SafeQ Secured Print with insufficient balance
2. The user selects the SafeQ Print application (Menu-Print).
3. The user selects the print job(s) and clicks on the Print button.
4. The printer will display the "Insufficient balance" dialog.
5. No papers from the print job(s) are delivered.
SafeQ Direct Print with sufficient balance
1. The user sends a print job to a direct print queue driver.

SafeQ Direct Print with insufficient balance
1. The user sends a print job to a direct print queue driver.
2. All papers from the print job(s) are successfully delivered (see section Troubleshooting -
feature limitations details below).
3. User's balance is decreased accordingly.
Native Print with sufficient balance
2. The user selects any native print application (Menu-Dashboard-Memory Device).
3. The user selects the print job (e.g. PDF - printjob.pdf).
4. The user sets the desired settings and count of copies.
5. The user clicks on the Start button (e.g. Start BW).
Native Print with insufficient balance
2. The user selects any native print application (Menu-Dashboard-Memory Device).
3. The user selects the print job (e.g. PDF - printjob.pdf).
4. The user sets the desired settings and count of copies.
6. The printer will display the "Insufficient credit to print jobs" dialog.
7. No papers from the print job(s) are delivered.
Copy with sufficient balance
2. The user selects the Copy application (Menu-Dashboard-Copy).
4. All papers from the copy job are successfully delivered.
Copy with balance insufficient even for one page
4.

5. No papers from the copy job are delivered.
Copy with balance sufficient for one page but insufficient for all pages
5. Not all papers from the copy job(s) are delivered.
a. There are some extra papers delivered (see section Troubleshooting - feature
limitations details below).
b. If the user run out of the credit just a few pages before finishing the copy job, it may
happen all papers are delivered).
SafeQ Scan with sufficient balance
2. The user selects the SafeQ Scan application (Menu-Scan).
3. The user selects a scanning workflow.
4. Eventually user enters the workflow user inputs.
5. All scans from the scan job are successfully delivered.
SafeQ Scan with balance insufficient even for one page
3. The user selects a scanning workflow.
4. The printer will display the "Scan failed" dialog.
5. No scans from the scan job are delivered.
SafeQ Scan with balance sufficient for one page but insufficient for all pages
5.
5. When using Epson Open Platform Version 1.0, all scans from scan job will be delivered (the
scan job cannot be stopped in the middle).
6. When using Epson Open Platform Version 1.1, scan will be cancelled, no scans will be
delivered to the scan destination.
Native Scan with sufficient balance
2. The user selects the Scan application (Menu-Dashboard-Scan).
3. The user selects a scanning scenario (e.g. Memory device)
5. All scans from the scan job are successfully delivered.
Native Scan with balance insufficient even for one page
6. No scans from the scan job are delivered.
Native Scan with balance sufficient for one page but insufficient for all pages
6. When using Epson Open Platform Version 1.0, all scans from scan job will be delivered (the
scan job cannot be stopped in the middle).
7. When using Epson Open Platform Version 1.1, scan will be cancelled, no scans will be
delivered to the scan destination.
Credit handling for SafeQ Print application
Credit/quota based job releasing for SafeQ Print application

For the SafeQ Print application, the print job parser is used to determine the price of the jobs
selected for print.
If the parser determines, the current credit/quota balance is not sufficient for all selected print
jobs, the print will not start.
The user will be allowed to print jobs if the price for this print is zero when having 0 or negative
balance.
The user can reach the negative balance during processing SafeQ Print jobs in case there is
mismatch between print cost estimated by a print job parser and the final print cost reported by
a printer.
Credit reservation for SafeQ Print application
When using the SafeQ Print application, the necessary amount will be reserved from user's
account before the print.
If the user does not select the "Print All" checkbox during authentication and he selects all jobs in
the SafeQ Print application instead, the reservation will be performed.
Example of screens for SafeQ Print


insufficient page quotas message
Credit handling for Direct print application
Credit/quota-based job releasing for Direct Print application
For direct print jobs, the job will be released always, and the user can reach the negative balance.
The user is even allowed to print anything when having negative balance.
Credit reservation for Direct Print application
There is no credit reservation performed before the print for the Direct print jobs
Credit handling for Native print application
Credit/quota based job releasing for Native Print application
The job releasing implementation for the Native print is the identical to the SafeQ print. The only
difference is the estimation of the job price is not based on data from parser but based on data
provided by printer.
Credit reservation for Native Print application
The credit reservation for the Native print is the identical to the SafeQ print. The only difference
is the estimation of the job price is not based on data from parser but based on data provided by
printer.
Example of screens for Native Print

Credit handling for Copy application
Credit/quota based job releasing for the Copy application
For the copy operation, there is no total number of pages known in advance. Based on the
information from a printer (count of copies, finishing options, etc.) there is a price for one copy
estimated and used for initial credit/quota check.
If the user has enough credit/quota for making at least one copy, then the first batch of their
credit/quota is reserved and the copy operation starts.
If the user does not have enough credit/quota for at least one copy, then the copy operation will
not start.
The user will be allowed to copy if the price for copy is zero, even when the user having 0 or
negative balance.
The user can reach the negative balance during processing copy jobs in case the minimum
balance of the user is not enough for the extra delivered papers during the stop on zero
Credit reservation for Copy application
The credit/quota of the user is reserved progressively in batches. First, based on the information
from the printer (count of copies, finishing options, etc.) there is a price for one copy calculated.
User needs to have enough credit/quota for at least one such page, otherwise the copy operation
will be aborted. This 1-page-price, multiplied by a kmReservationStep property, is then used for
reservation of user credit/quota. In case user has not enough credit/quota for the 1-page-price *
kmReservationStep, then all his remaining available credit/quota will be reserved. If the reservation
is depleted and the copy operation has still not finished, then a reservation increase attempt is
performed. For each such increase of the reservation, the YSoft SafeQ will again use the 1-page-
price multiplied by kmReservationStep.
Example of screens for Native Print

Credit handling for SafeQ Scan and Native Scan application
Credit based job releasing for the SafeQ Scan and Native Scan application
For the SafeQ Scan operation, there is no total number of pages known in advance. Based on the
information from a printer (count of copies, finishing options, etc.) there is a price for one scan
estimated and used for initial credit check.
If the user has enough credit for making at least one scan, then the first batch of their credit is
reserved and the scan operation starts.
If the user does not have enough credit for at least one scan, then the scan operation will not
start.
The user will be allowed to scan if the price for scan is zero, even when the user having 0 or
negative balance.
The user can reach the negative balance during processing scan jobs in case the minimum
balance of the user is not enough for the extra delivered papers during the stop on zero
Credit reservation for SafeQ Scan and Native Scan application
The credit of the user is reserved progressively in batches. First a price for one scan calculated
based on the related pricelist. User needs to have enough credit for at least one such page,
otherwise the scan operation will be aborted. This 1-page-price, multiplied by a kmReservationStep
property, is then used for reservation of user credit. In case user has not enough credit for the 1-
page-price * kmReservationStep, then all his remaining available credit will be reserved. If the
reservation is depleted and the scan operation has still not finished, then a reservation increase
attempt is performed. For each such increase of the reservation, the YSoft SafeQ will again use
the 1-page-price multiplied by kmReservationStep.
Stop on zero on SafeQ Scan and Native Scan

Stop-on-zero (ability to stop scanning in middle of the scanning in case the user depletes their
credit)
Epson Open Platform Version 1.0
SafeQ Scan from glass - only one page can be scanned using the glass
SafeQ Scan from feeder - no support for Stop on Zero (all scans will be delivered and user
may reach the negative balance)
Native Scan from glass - no support for Stop on Zero (all scans will be delivered and user may
reach the negative balance)
Native Scan from feeder - no support for Stop on Zero (all scans will be delivered and user
may reach the negative balance)
Epson Open Platform Version 1.1
SafeQ Scan from glass - only one page can be scanned using the glass
SafeQ Scan from feeder - Stop On Zero supported - scan is cancelled, no scans will be
delivered to destination, no message is displayed to the user
Native Scan from glass - Stop On Zero supported - scan is cancelled, no scans will be
delivered to destination, insufficient credit message is displayed to the user
Native Scan from feeder - Stop On Zero supported - scan is cancelled, no scans will be
delivered to destination, insufficient credit message is displayed to the user
Example of screens for SafeQ Scan and Native Scan
insufficient credit message - for Native Scan application

insufficient credit message - for SafeQ Scan application (check before scan starts)

Troubleshooting - feature limitations details
The user can reach the negative balance in certain cases - no reservation performed when
checking "Print All" during authentication
If the user does select the "Print All" checkbox during authentication, the reservation of credit
/quota before the print will not be performed.
Note: The user cannot start the SafeQ Print if the estimated price of the job(s) exceeds their
available credit balance. The user will be correctly charged. The only issue is possibility to get to
negative balance when using two ore more printers simultaneously.
Note: If the user does not select the "Print All" checkbox during authentication and selects all jobs
in the SafeQ Print application instead, the reservation will be performed.
The user can reach the negative balance in certain cases - no reservation performed when
direct print was used
If the user prints using the direct print queue, the reservation or credit/quota for the jobs will not
be performed.
Note: user can reach the negative balance by releasing a print job which is more expensive than
their actual credit/quota balance.
Note: if the user gets to the negative quota balance due to last direct print operation, the YPS will
still display the last non-negative quota balance. The quota balance will be visibly subtracted
during next quota recharge when the user has enough quota to be subtracted from
Note: user can release a direct print job even when having zero or negative credit/quota balance.
The user can reach the negative balance in certain cases - reservations does not take the
finishing options into account for SafeQ Print
If the user changes the finishing options on the terminal in the SafeQ Print application, the job can
be finished more expensive then original reservation.
Note: This is a by design issue, valid for more vendors.

Note: The user can reach the negative balance one's credit/quota balance is just enough for the
reservation but not enough for the additional costs of finishing options.
Note: User can e.g. increase the number of copies on finishing options. The reservation assumes
the original number of copies.
The user can reach the negative balance in certain cases - scanning cannot be cancelled
when user runs out of their credit on Epson Open Platform Version 1.0

If the scanning starts and the available credit runs out in the middle of the scanning, then the
scanning cannot be cancelled if the Epson Open Platform Version 1.0 is used. The entire scan job
is processed and user can go to the negative balance.
Note: This is a technology limitation of the SDK for Epson Open Platform Version 1.0.
Note: The user can reach the negative balance one's is enough for at least one page but not
enough for all the pages.
The user can reach the negative balance in certain cases - stop on zero feature for copy and
scan is not able to stop exactly on zero
Before the stop on zero feature detects the user has already depleted their credit/quota balance
during copy or scan operation and instructs the printer to stop, few extra papers/scans may be
delivered.
Note: The user can get to the negative balance by the cost of these few extra papers.
Note: It may happen all papers/scans will be delivered if the stop on zero feature triggers just a
few pages before finishing the operation.
The user can reach the negative balance in certain cases - reservation is not performed in
advance for SafeQ Scan
If the user starts has credit balance for just one page and starts scanning using SafeQ Scan app
simultaneously on two printers, then the user can get to the negative balance before additional
credit checking mechamisms can be applied.
Note: this is an edge case, since the user would have to have credit just enough for one page
and start to scan using SafeQ Scan application on two different printers simultaneously at one
moment.
The user can reach the negative balance in certain cases - when stop-on-zero occurs a few
extra pages are delivered
If the copying starts and the available credit runs out in the middle of the copying, a few more
pages can be copied between detecting insufficient balance and job cancellation. The final job
price might be higher than available balance and user can go to the negative balance.
Note: Number of extra pages depends on MFD speed and speed of communication with YPS.
Usually 2 extra pages are printed.
The job will be printed, not accounted, not charged - if not sent to SafeQ properly - Direct
native print
If the job is sent directly to the printer, the job will be released. This job will not be accounted nor
charged.
Note: This job goes completely outside the SafeQ and YPS.

The job will be printed, not accounted, not charged - if not sent to SafeQ properly - Direct
print to FSP when bad driver is used
If the print job is sent to a printer (FSP address, but not the SafeQ driver), the job will be released.
This job will not be accounted nor charged.
Note: We need to use SafeQ driver otherwise FSP won't add user info to PJL headers and we
won't be able to match job with user.
An extra credit/quota will be reserved and not settled in some specific edge cases during
secure reprint
When using SafeQ Print application, if the user starts a reprint of the same job which is already
being printed, an additional credit/quota of one extra job price per each such a reprint will be
reserved (blocked) from users account.
Note: This happens e.g. when the original print job has not yet finished, but the user navigates to
the Printed tab and starts reprint of the same job.
Note: This happens e.g. when the original print job has already finished, then the user navigates
to the Printed tab, starts the reprint of the same job and before this reprint finishes the user
starts another reprint of the same job.
Note: If the user prints the original job + 1 reprint in the meantime, they will be charged 2 times
the price of the job + 1 price of the job will stay blocked.
Note: If the user prints the original job + 2 reprint in the meantime, they will be charged 3 times
the price of the job + 2 times the price of the job will stay blocked.
Note: Blocked and not-settled credit/quota will be released from YPS after some time but until
then the user cannot utilize it.
5.8.3 LOG FILE OVERVIEW
5.8.3.1 Audit log
System reports information about user actions that could change Management Service state or
behaviour such as:
changes of configuration
changes of users, roles, access etc.
changes of business entities such as device, scan workflow, price lists etc.
access to Management Service
authorization failures, attempts to get unauthorised access to resources (403)

undefined resourcess access (404)
other failures (technical errors)
Most of actions are logged as double row with action input and action output (or technical error).
Format
Audit messages are in format according to Syslog specification (RFC5424), so these attributes
are logged:
Facilty - ("16" - that means local use 0)
Severity - ("6" - normal information) - there aren't now another cases. (See RFC for more info)
Version - "1"
Time - local time in ISO8601 format (it must respect RFC5424 specification, e.g. 2016-10-02T17:
14:41.662+02:00)
Host - "localhost" or machine domain name or machine IP
App name - "MANAGEMENT_SERVICE"
Process ID - "-"
Message type ID - unique ID of the type of message (e.g. "USERSAVE", "USERFIND")
Structured message parameters as pair of name=value according to specification, e.g.

"[web@18060 iut="3" eventSource="Application" eventID="1011"]"
Structured message parameters ID - "web@18060" for message strucutred parameters
comming from web interface
These parameters are logged (its value of the parameter may be null or blank if isn't
possible to detect):
auditPoint - point from message comes from, could have values:
METHOD_INPUT - for message with action input parameters

METHOD_OUTPUT - for message with action output parameters
METHOD_EXCEPTION - for message with action exceptional (technical error)
parameters
crudType - type of the CRUD operation
CREATE - create resource

READ - read resource
UPDATE - update resource
DELETE - delete resource
CREATE_OR_UPDATE - create or update resource (when it couldn't be resolved if
action creates or updates one)

UNKNOWN - action where couldn't be CRUD operation set
requestId - id of the request to track all action depending on the same request
requestIp - IP of the client machine
requestPath - path of the resource
sessionId - id of the user session
tenantDomain - domain of the tenant
tenantIdentification - unique identification of the tenant
userId - unique user identification
userName - name of the user
Message with it's parameters
Human readable message description
After message description there are message parameters in format similar to structured
parameters, i.e. name=value such as "[param1="3" eventSource="Application" eventID="1011"]
".
Technical parts of message (facility, severity, version, app name, process id) can be customized in
configuration.
Configuration
Audit log message system can be configured as standard log4j2 logger according to
documentation (for configuring syslog see this Syslog appender documentation). For information
of the configuration file location see YSoft SafeQ Management Service Logs.
In configuration it's possible to change audit log format, setting up syslog server or disable
audit log completely.
In Management Service log4j2.xml there's commented example of configuration:
...
<Appenders>
...

<RollingFile name="management_audit_app" fileName="${cml_home}/logs/management-service-audit.
log" filePattern="${cml_home}/logs/management-service-audit.log.%d{yyyy-MM-dd-HH}.%i">
<RFC5424Layout newLine="true" appName="MANAGEMENT_SERVICE" includeMDC="false" facility="LOCAL0
"></RFC5424Layout>
<Policies>
<TimeBasedTriggeringPolicy/>
<SizeBasedTriggeringPolicy size="20 MB"/>
</Policies>
<DefaultRolloverStrategy max="500"/>
</RollingFile>
...

<Syslog name="management_audit_server_app"

format="RFC5424" host="127.0.0.1"
port="8515"
protocol="TCP"
appName="MANAGEMENT_SERVICE"
includeMDC="false"
facility="LOCAL0"
enterpriseNumber="18060"
newLine="true"
messageId="defaultMessageId"
id="defaultStructDataId"
mdcId="defaultMdcStructDataId"/>
...
</Appenders>
...

<Logger name="EventLogger" level="info" additivity="false">
<AppenderRef ref="console_app"/>
<AppenderRef ref="management_log_app"/>
<AppenderRef ref="management_audit_app"/>
<AppenderRef ref="management_audit_server_app"/>
</Logger>
...
5.8.3.2 Terminal Server Logs
General Info
Log Format Configur Output Data Max Max Compre Concurr Logging
Definition Path ation Log Pattern File Number ssion ent Type
Path Path after Size Of Files writes
size (Delete
overflow strategy
)
terminalserver\Nlog <SAFEQ <SAFEQ . ~21MB 30 no false Nlog

.config 6_HOME 6_HOME yyyyMM
>\SPOC\ >\SPOC\ dd-
terminal terminal hhmmss
server\N server\lo
Log. gs\termi
config nalserve
r.log
terminalserver\Wsd <SAFEQ <SAFEQ . ~ 10.5 10 no false Nlog

Scan.Services\Nlog. 6_HOME 6_HOME yyyyMM MB
config >\SPOC\ > mmdd-
terminal \SPOC\t hhmmss
server\ erminals
WsdSca erver\log
s\http_t
race.log

size (Delete
overflow strategy
)
n.
Services
\NLog.
config
terminalserver\Ter <SAFEQ ditto ditto ditto ditto ditto ditto ditto

minalServer. 6_HOME
Application\NLog. >\SPOC\
config terminal
server\T
erminalS
erver.
Applicati
on\NLog.
config
terminalserver\Fuji <SAFEQ ditto ditto ditto ditto ditto ditto ditto

Xerox. 6_HOME
Services\Nlog. >\SPOC\
config terminal
server\F
ujiXerox.
Services
\NLog.
config
terminalserver\Rico <SAFEQ ditto ditto ditto ditto ditto ditto ditto

h.Services\Nlog. 6_HOME
config >
\SPOC\t
erminals
erver\Ri
coh.
Services
\NLog.
config
terminalserver\Sha <SAFEQ ditto ditto ditto ditto ditto ditto ditto

rp.Services\Nlog. 6_HOME
config >\SPOC\
terminal
server\S

size (Delete
overflow strategy
)
harp.
Services
\NLog.
config
terminalserver\Tos <SAFEQ ditto ditto ditto ditto ditto ditto ditto

hiba.Services\Nlog. 6_HOME
config >\SPOC\
terminal
server\T
oshiba.
Services
\NLog.
config
terminalserver\Xero <SAFEQ ditto ditto ditto ditto ditto ditto ditto

x.Services\Nlog. 6_HOME
config >\SPOC\
terminal
server\X
erox.
Services
\NLog.
config
Vendor Terminal Vendor Specific Logs
Samsung in App. /everest - - - no - -

config /sys
in for /xoastor
Terminal age
Server /com.
ysoft.
safeq.
ysoft_et
/logs
/ysoft_t
e.log
(access
via ssh)
Konica-Minolta - - - no - -

size (Delete
overflow strategy
)
OpenAPI
SDK1.
log,
OpenAPI
SDK2.
log
Lexmark http://PR - driven 1 no false device

INTER_IP by standar
/cgi-bin system d
/script output
/printer
/prtappl
og
or
http://PR
INTER_IP
/cgi-bin
/prtappl
og
Ricoh http://<I x_sret_s .1, .2 ~ 5MB 3 no false custom

P_OF_D tdout.
EVICE>: log (for
8080 Xlet,
/sqet http://PR
/Login INTER_IP
:8080
/sqet
/Status,
passwor
d
protecte
d)
s_sret_s .1, .2 ~ 5MB 3 no false custom

tdout.
log (for
Servlet,
http://PR
INTER_IP

size (Delete
overflow strategy
)
:8080
/sqet
/Status,
passwor
d
protecte
d)
Sharp-eSF http://PR - driven 1 no false device

INTER_IP by standar
/cgi-bin system d
/prtappl output
og
Maximum file size and the maximum number of files can be set using the YSoft SafeQ
Log Format
Please be aware that card numbers are logged only at TRACE level. On other levels, card
numbers are masked.
Log Column 1 Column 2 Column 3 Column Colum Col Colu Col Col
Name 4 n5 um mn um um
n6 7 n n
8 9
termin yyyy-MM- Logging ThreadName that class metho mes

alserv dd HH:mm: priority generated log | or name | d sag
er.log ss.ffff (Debug) Thread ID if empty (max name e
(width 5) (fixed width = 25) width (max
25) width
20)
http_t Time http status client method server client cs- cs- tim me
race. code (width 7) port ip uri- uri- e- ssa
log (width 6) (width (width ste quer tak ge
5) 15) m y en

n6 7 n n
8 9
(wid (wid (wi

th th dth
60) 40) 10)
Terminal Vendor Specific Logs
Vendo Log Name Column 1 Column 2 Column Colum Col Col Col Col
r 3 n4 um umn um um
n5 6 n7 n8
Sams ysoft_te. yyyy-MM-dd [Log Priority (Debug)] Categor messa

ung log - HH:mm:ss. (width 5) y| ge
Pattern 1 SSS |
ysoft_te. Request Request Message Respon Respo

log - Type se nse
Pattern 2 Type Messa
ge
Konica OpenAPISD yyyy/MM Message level Library IP Thr Met me

- K.log - /dd_HH:mm: ead hod ssa
Minolt Pattern 1 ss.ffff ID ge
a
OpenAPISD yyyy/MM O Library IP Met mes

K.log - /dd_HH:mm: hod sag
Pattern 2 ss.ffff e
Lexma prtapplog. yyyyMMdd Log Priority (Debug) Thread messa

rk log HH:mm:ss. name ge
SSS
Ricoh x_sret_std X dd.MM.yyyy HH:mm:ss: [Log [Threa [Cla mes

out.log (Xle SSS Priority d ss] sag
t) (Debug)] name] e
(width
5)
s_sret_std S dd.MM.yyyy HH:mm:ss: [Log [Threa [Cla mes

out.log (Ser SSS Priority d ss] sag
vlet) (Debug)] name] e
(width
5)
Sharp- prtapplog. Log Priority (Debug) Thread messa

eSF log name ge

n6 7 n n
8 9
yyyyMMdd
HH:mm:ss.
SSS
Konica Minolta message levels:
Output Level Description
M OpenAPI Message log
F Fatal log
E Error log
W Warning log
I Information log
D Debug log
T Trace log
The message level can be set using the YSoft SafeQ management interface.

Examples of Messages
terminalserver.log
yyyy Logging ThreadNa class name | me message

-MM- priority me that (max width 25) th
dd (Debug) generate od
HH: (width 5) d log | or na
mm: Thread me
ss. ID if (m
ffff empty ax
(fixed wi
width = dt
25) h
20
)
2016 FATAL 5 | bt [10.0.5.97][4]

-05- OutputManagem ain Obtaining
25 entFactory | Ne session token
17: w failed. All
03: Se requests
45.2 ssi requiring
126 on administrator
To rights will fail
ke
n|
2016 DEBUG 5 | Rel [10.0.5.97][4]

-05- OpenPlatformLo ea Releasing lock .
25 ck | se
17: Lo
03: ck
45.2 |
126
http_trace.log
Tim http status client server port cli cs-uri-stem cs-uri- ti message
e code method (width 5) en (width 60) query m
(width 6) (width 7) t (width e-
ip 40) t
(wi a
dt k
h e
15) n

(
w
id
t
h
1
0
)
05 200 | POST | 5022 | 10. /et/v1/1/scan ? 6 [Content-

/02 0. /100000000000 startA 1 Length: 5109],
/201 5. 0002/detail t=0&p | [Cache-
6 12: 50 /browse/values | ageSiz Control: no-
56: | e=214 store, must-
33 | 74836 revalidate, no-
47&pa cache],
th= | [Pragma: no-
cache],[Server:
FX-EWB-
Compatible/4.
0],[Content-
Type:
application
/json;
charset=utf-8],
[Vendor: ricoh],
[Content-
Length: 5109]
05 200 | GET | 5022 | 10. /et/v1/1/auth | 7 [Content-

/02 0. /logout | 4 Length: 1217],
/201 5. | [Cache-
6 12: 50 Control: no-
59: | store, must-
33 | revalidate, no-
cache],
[Pragma: no-
cache],[Server:
FX-EWB-
Compatible/4.
0],[Content-
Type:
application
/json;

charset=utf-8],
[Vendor: ricoh],
[Content-
Length: 1217]
ysoft_te.log
yyyy [Log Category message

-MM- Priority | or Response
dd (Debug), or message
HH: (width 5)] Response
mm: or Request type
ss. message
SSS
|
or
Req
uest
type
2016 [DEBUG] RestBillin getRootBillingCo

-05- gCodeSer des request:
27 vice | {pattern=,
10: billingCodeId=,
54: command=getRo
47,5 otBillingCodes,
19 | userName=zuza
na}
getRootBillingCo
des response:
[{"children":[],"id":
2,"code":"0","
description":"
Default Project","
leaf":true,"
idPath":[1],"
codePath":[],"
descriptionPath":
[],"parentId":-1}]
getD {pattern=, getDefaul null

efaul billingCodeId tBillingCo
tBilli =, de
ngC command=g response:
ode etDefaultBilli
requ ngCode,
est: userName=z
uzana}

OpenAPISDK1.log
yyyy Type? Library IP Th Message Messa

/MM re or Thread name ge
/dd_ ad
HH: na
mm: me
ss. or
ffff Th
re
ad
ID
2016 M SDKBase 10.0.5.94 Ap <?xml version="

/04 Library pR 1.0" encoding="
/28_ eq utf-8"?><SOAP-
12: Ex ENV:Envelope
02: tL xmlns:SOAP-
59: ogi ENV=" http://sch
3135 n emas.xmlsoap.
org/soap
/envelope/ "
xmlns:SOAP-
ENC=" http://sch
emas.xmlsoap.
org/soap
/encoding/ "
xmlns:xsi=" http:/
/www.w3.org
/2001
/XMLSchema-
instance " xmlns:
xsd=" http://ww
w.w3.org/2001
/XMLSchema"
><SOAP-ENV:
Header><me:
AppReqHeader
xmlns:me=" http:
//www.
konicaminolta.
com/Header
/ExtOpenAPI"
><ApplicationID
xmlns="">0<
/ApplicationID><
UserName

xmlns=""><
/UserName><Pas
sword xmlns=""
><
/Password><Ver
sion xmlns=""
><Major>101<
/Major><Minor>0
</Minor><
/Version></me:
AppReqHeader><
/SOAP-ENV:
Header><SOAP-
ENV:Body><m:
AppReqExtLogin
xmlns:m=" http://
www.
konicaminolta.
com/service
/ExtOpenAPI"
><FunctionVersi
on><ApplicationT
ype>6<
/ApplicationType
><Major>4<
/Major><Minor>2
</Minor><Special
/><
/FunctionVersion
><OperatorInfo>
<UserName>Ad
min<
/UserName><Us
erPassword>pas
sword<
/UserPassword>
<
/OperatorInfo><D
eviceLock>1<
/DeviceLock><
/m:
AppReqExtLogin
></SOAP-ENV:
Body></SOAP-
ENV:Envelope>
O 10.0.5.94

2016 SDKBase 78 DevReqExtConfir Return
/04 Library 64 mConnect from
/28_ App
12:
37:
04:
652
0
prtapplog.log
yyyy Log Priority Thread message

MMd (Debug) name
d
HH:
mm:
ss.
SSS
2016 debug #144ysoft - Accounting

0527 -lexmark- unaccounted
12: et jobs was
00: finished.
06.2
27
2016 debug #25ui -

0527 UICommunication
12: ProxyImpl.
00: resume():
41.3
73
x_sret_stdout.log
X dd.MM.yyyy [Log [Thread name] [Cl message

HH:mm:ss: Priority as
SSS (Debug), s]
(width 5)]
X 18.05.2016 [INFO] [EventManag] [A Getting logged

14:58:57.276 ut user info...
he
nti
ca
tio
n]
X [DEBUG] [EventManag]

18.05.2016 [M Executing event
14:58: od [UserAuthentica
57.635 ule tedEvent]
Ev
en
tLi
st
en
er]
s_sret_stdout.log
S dd.MM.yyyy [Log [Thread name] [Cl message

HH:mm:ss: Priority as
SSS (Debug), s]
(width 5)]
S 27.05.2016 [INFO] [Thread-13] [Lo Configuring

12:32: gg logger: logLevel=
50.305 er] [1],
debugMemory=
[true]
S 27.05.2016 [DEBUG] [Thread-14] [C A new

12:32: RC FIND_DEVICE
52.860 on cycle has been
tro started
l]
5.8.3.3 YSoft Infrastructure Service Logs
Please note that proxy instances will log either to file (when deployed on production server) or
to syslog (when deployed on SafeQube)
General Info
size (Delete
overflow strategy
)
management- Only in infrastru .yyyy- 20MB no limit zip false LogBack

server source cture- MM-dd_i
/management- code service.

size (Delete
overflow strategy
)
server/src/main log -
/resources/logback. next to
xml the jar
file
management- Only in ims- .yyyy- 20MB no limit zip false LogBack

server/server-proxy source proxy. MM-dd_i
/src/main code log-
/resources/proxy- next to
logback.xml the jar
file
Log Format
Log Name Column 1 Colu Column 3 Column 4 Column 5

mn 2
infrastructu yyyy-MM-dd [Thre Logging priority Name of the logger application

re-service. HH:mm:ss. adNa (Debug, ...) (min shortened to 36 char (logger specific
log SSS me] width 5) {36}) - message
ims-proxy. yyyy-MM-dd [Thre Logging priority Name of the logger application

log HH:mm:ss. adNa (Debug, ...) (min shortened to 36 char (logger specific
SSS me] width 5) {36}) - message

Example
management-server.log
yyyy-MM- [ThreadN Logging Name of the logger application specific message

dd HH:mm: ame] priority (Debug, shortened to 36 char
ss.SSS ...) (min width (logger{36}) -
5)
2016-07- [vert.x- DEBUG c.y.m.m.system. Received System expected-state

01 12:13: worker- SystemRoutes - request for systemGuid [68:7c:d5:01:
55.267 thread- 01:84] from [10.1.2.51]
10]
2016-07- [vert.x- INFO c.y.m.m.system. Sent System expected-state for

01 12:13: eventloop SystemRoutes - systemGuid [68:7c:d5:01:01:84] to
55.267 -thread- [10.1.2.51]. Turn on debug for more
0] details.
2016-07- [vert.x- DEBUG c.y.m.m.system. System expected-state [null] for

01 12:13: eventloop SystemRoutes - systemGuid [68:7c:d5:01:01:84].
55.267 -thread-
0]
5.8.3.4 YSoft Payment System Logs
General Info
Path Path After Size of Files Writes
Size (Delete
Overflo Strateg
w y)
payment\payment- <SAFEQ <SAFEQ .yyyy- 20MB no limit zip LogBack

system\payment- 6_HOME 6_HOME MM-dd_i
system\src\main\re >\YPS\c >\YPS\lo
sources\logback. onf\cata gs\paym
xml lina. ent-
properti system.
es, log
Source
code
prefered
20MB no limit zip LogBack

Path Path After Size of Files Writes
Size (Delete
Overflo Strateg
w y)
payment\payment- <SAFEQ <SAFEQ .yyyy-

xml lina. ent-
properti system-
es, perform
Source ance_to
code tal.log
prefered
payment\payment- <SAFEQ <SAFEQ .yyyy- 20MB no limit zip LogBack

xml lina. ent-
properti system-
es, perform
Source ance_pe
code riod.log
prefered
Customization IPB Source <SAFEQ .yyyy- 500MB no limit zip LogBack

- Custom code 6_HOME MM-dd_i
payments only >\YPS\lo
provider\src\main\r gs\ipb-
esources\logback. payment
xml -
provider.
log
Customization Source <SAFEQ .yyyy- 500MB no limit zip LogBack

REPA - User code 6_HOME MM-dd_i
management only >\YPS\lo
REST gs\user_
endpoint\src\main\r manage
esources\logback. ment.
xml log

Log Format
Log Name Column 1 Column 2 Column 3 Column 4 Column 5
payment- yyyy-MM- [ThreadNa Logging priority Name of the logger application

system.log dd HH:mm: me] (Debug, ...) (min shortened to 36 char specific
ss.SSS width 5) (logger{36}) - message
payment- yyyy-MM- application

system- dd HH:mm: specific
performance_tot ss.SSS message
al.log
payment- yyyy-MM- application

system- dd HH:mm: specific
performance_per ss.SSS message
iod.log
ipb-payment- HH:mm:ss. [ThreadNa Logging priority Name of the logger application

provider.log SSS me] (Debug, ...) (min shortened to 36 char specific
width 5) (logger{36}) - message
user_manageme HH:mm:ss. [ThreadNa Logging priority Name of the logger application

nt.log SSS me] (Debug, ...) (min shortened to 36 char specific
width 5) (logger{36}) - message

Example
payment-system.log
yyyy-MM- [Thread Logging priority Name of the logger Application specific message
dd HH:mm: Name] (Debug, ...) (min shortened to 36 char
ss.SSS width 5) (logger{36}) -
2016-05- [localho INFO o.s.web.servlet. - FrameworkServlet 'admin':

25 15:28: st- DispatcherServlet initialization started
57.312 startSt
op-1]
2016-05- [localho INFO o.s.w.c.s. - Refreshing WebApplicationContext

25 15:28: st- XmlWebApplicationCont for namespace 'admin-servlet':
57.314 startSt ext startup date [Wed May 25 15:28:57
op-1] CEST 2016]; parent: Root
WebApplicationContext
2016-05- [localho INFO o.s.b.f.xml. - Loading XML bean definitions from

25 15:28: st- XmlBeanDefinitionRead ServletContext resource [/WEB-INF
57.315 startSt er /admin-servlet.xml]
op-1]
payment-system-performance_total.log
yyyy-MM-dd HH:mm: application specific message

ss.SSS
2016-05-25 15:26: Monitoring: com.ysoft.vault.incident.IncidentServiceImpl::warn()

07.782
2016-05-25 15:26: Monitoring: com.ysoft.vault.incident.IncidentServiceImpl::info()

07.782
payment-system-performance_period.log
yyyy-MM-dd HH:mm: application specific message

ss.SSS
2016-05-25 15:31: Period performance statistics:

26.376
+---------------------------------------------------------------------------------------+-------+-------+---------+------------------+--------
+---------+---------+
|com.ysoft.vault.service.usermanagement.SOSUserManagement::
getUserByLookupKey() |0 |0 ms |0 ms |0 ms |0 ms |0 ms |0 ms |
|com.ysoft.vault.service.usermanagement.SOSUserManagement::
getUserByCardAndPin() |0 |0 ms |0 ms |0 ms |0 ms |0 ms |0 ms |
user_management.log

HH:mm:ss. [Thread Logging priority Name of the logger application specific message
SSS Name] (Debug, ...) (min shortened to 36 char
width 5) (logger{36}) -
15:31: [localho INFO o.s.s.web. - Creating filter chain: Ant [pattern='

51.583 st- DefaultSecurityFilterCh /api/v1/ping/**'], []
startSt ain
op-1]
15:31: [localho INFO o.s.s.w.a.c. - Validated configuration attributes

51.631 st- ChannelProcessingFilte
startSt r
op-1]
5.8.3.5 YSoft SafeQ End User Interface Logs
General Info
Log Configuration Output Data Max Max Compre Concurr Logging

Format Path Log Pattern File Number ssion ent Type
Definitio Path After Size Of Files Writes
n Path Size (Delete
Overflo Strateg
w y)
End- General: <SAFEQ .yyyy- 20MB no limit zip LogBack

User UI <SAFEQ6_HOME>\S 6_HOME MM-dd_i
- POC\EUI\ui- >\SPOC\
ui\src\m conf\environment- EUI\logs
ain\reso configuration.
urces\lo properties
gback. Logs: Only in
xml source code
Log Format
Log Column 1 Column Column 3 Column 4 Column 5

Name 2
end- DateTime: HH:mm: [Thread Logging priority Name of the application

user-ui. ss.SSS Name] (Debug, ...) (min logger shortened specific message
log width 5) to 36 char (logger
{36}) -

Example
end-user-ui.log
DateTime: HH:mm: [Thread Logging priority Name of the application specific message
ss.SSS Name] (Debug, ...) (min logger shortened
width 5) to 36 char (logger
{36}) -
2016-07-01 03:56: [pool-1- WARN c.y.m.s.zmq. [safeq(35d3926c-adc7-4d54-

56.382 thread- ZeroMQClientSessi 811d-114d67b64049)]: dropping
11] on - message [[goodbye, error, true,
message, unknown peer,
stopReconnecting, false]] for
terminated session
2016-07-06 14:45: [I/O WARN c.y.u.s.m. Execution of PaymentService.

02.070 . dispatch RemoteServiceMo getPaymentGateways took
er 1] nitoringAspect - 1187 ms
2016-07-06 17:00: [I/O WARN c.y.u.s.m. Execution of PaymentService.

02.584 dispatch RemoteServiceMo getPaymentConfiguration took
er 2] nitoringAspect - 1451 ms.
5.8.3.6 YSoft SafeQ FlexiSpooler Logs
General Info
Using Nlog.config user can configure respective output logs. Mainly used for changing of log level
to trace. For more info see Configuring logging using Nlog.config.
Table below shows default values.
Configura Output Log Path Data Max File Max Compres Concurre Logging
tion Pattern Size Number sion nt writes Type
Path after (archiveA Of (concurre
size boveSize) Archived ntWrites)
overflow Files
(archiveN (maxArch
umbering iveFiles)
)
<SAFEQ6 <SAFEQ6_HOME>\FSP Date and ~21MB 30 no false Nlog

_HOME>\F \logs\spooler.log Sequence
SP
\Service\
NLog.
config

Configura Output Log Path Data Max File Max Compres Concurre Logging
tion Pattern Size Number sion nt writes Type
Path after (archiveA Of (concurre
size boveSize) Archived ntWrites)
overflow Files
(archiveN (maxArch
umbering iveFiles)
)
<SAFEQ6 <USER_PROFILE>\. Date and ~21MB 30 no false Nlog

_HOME>\F safeq6\logs\desktopi Sequence
SP nterface.log
\Service\<
Spooler
6.0.X.
Y>\Deskt
opInterfa
ce\NLog.
config
<SAFEQ6 <SAFEQ6_HOME>\FSP Date and ~21MB 30 no false Nlog

_HOME>\F \logs\spooler.log Sequence
SP
\Service\<
Spooler
6.0.X.
Y>\NLog.
config
YSoft
Universal
Print
Driver
log (if
the
driver is
used):
<SAFEQ6 <SAFEQ6_HOME>\FSP Date ~21MB unlimited no false Nlog

_HOME>\F \universal-pcl-
SP driver\gui\driver.log
\universal
-pcl-
driver\gui\
NLog.
config

Please take note, that Desktop Interface log is created per user and located in the user profile
directory for each user.
Log Retention (useful information for GDPR)
Logs mentioned in previous section use NLog configuration, based on these settings the log
creation/retention is handled as follows:
Log is archived (moved to separate file with timestamp and usually a sequence number) when
either [1] the "archiveAboveSize" has been reached or [2] a new day has arrived
Each log file keeps N archived versions, where N is the number set in "maxArchiveFiles"
After the limit set in "maxArchiveFiles" is reached and new log file should be archived, the
oldest one gets deleted
If you put all this information together: If the component is continuously running (or executed at
least once a day), then the logged data will get deleted after "maxArchiveFiles" days at the latest.
Log Format
Log Column 1 Column 2 Column 3 Column Column Column

Name 4 5 6
desktopi yyyy-MM-dd HH: Logging priority thread ID (width 2) ActivityI class messag
nterface mm:ss.ffff (Debug) (fixed D name, e
.log width 5) method /excepti
name on on
and new
source line
informat
ion (f-w
70)
spooler. yyyy-MM-dd HH: Logging priority thread ID (width 2) ActivityI class messag
log mm:ss.ffff (Debug) (fixed D name, e
width 5) method /excepti
name on on
and new
source line
informat
ion (f-w
70)
driver. yyyy-MM-dd HH: Logging priority thread ID (width 2) class

log mm:ss.ffff (Debug) (fixed name,
width 5) method
name
and

Log Column 1 Column 2 Column 3 Column Column Column
Name 4 5 6
source messag
informat e
ion (f-w /excepti
70) on on
new
line

Example
spooler.log
yyyy- Logging threa ActivityID class name, method message/exception on new

MM-dd priority d ID name and source line
HH:mm: information
ss.ffff
2016-05- ERROR 11 b685534d- | Ymq. [1dc792ca-49fe-4b98-9d31-

06 18: 2d45-46e6- Peer+<TryRequest>d__ ebad5a54d615-
35: b810- 29.MoveNext | DesktopInterface] No
49.3411 f2e06ed92f established session found.
06
2016-05- WARN 11 a88e412e- | RemoteProxies. Could not request

06 18: 1811-4b75- UiProxy+<SwitchClientU reconnection of Desktop
35: be8a- iController>d__9. Interface to different
49.3411 df683692f7 MoveNext | Controller.
20
2016-05- INFO 12 b685534d- | Ymq.ServerSession. [1dc792ca-49fe-4b98-9d31-

06 18: 2d45-46e6- ProcessReady | ebad5a54d615- DesktopInterf
35: b810- ace ] Successfully
49.5442 f2e06ed92f established a server session
06 with a type [Client] client.
ConnectionLostTimeout set
to [4] seconds based on
client's ping interval.
2016-05- DEBUG 11 b685534d- | Configuration. Downloading remote

06 18: 2d45-46e6- ConfigurationProvider+< configuration to verify it's
40: b810- UpdateConfiguration>d_ relevance.
48.6198 f2e06ed92f _28.MoveNex |
06
desktopinterface.log
yyyy- Logging threa ActivityID class name, method message/exception on new

MM-dd priority d ID name and source line
HH:mm: (Debug) (widt information (f-w 70)
ss.ffff (fixed width h 2)
5)
2016-05- INFO 7 b685534d- | Ymq. Trying to connect to [ tcp://10.

25 14:44: 2d45-46e6- Client+<TryConnect>d_ 0.13.76:5555 ].
14.8737 b810- _10.MoveNext |
f2e06ed92f
06

2016-05- INFO 8 b685534d- | Ymq. Successfully connected to [ t
25 14:44: 2d45-46e6- Client+<TryConnect>d_ cp://10.0.13.76:5555 ].
15.5774 b810- _10.MoveNext |
f2e06ed92f
06
2016-05- INFO 8 a88e412e- | DeviceInterfacei. Connected to Controller [ tcp:/

25 14:44: 1811-4b75- ControllerProxy+<Conne /10.0.13.76:5555 ].
15.5774 be8a- ct>d__4.MoveNext |
df683692f7
20
5.8.3.7 YSoft SafeQ Management Service Logs
General Info:
Log Format Definiton Configuration Output Log Name Data Ma Max C Con Lo
Path Path Pattern x Number o curr gg
After Fil of Files m ent in
Size e (Delete pr Wri g
Overflow Si Strategy) es tes Ty
ze si pe
on
safeq/cml/cml- "<SAFEQ6_HOM "<SAFEQ6_HOME> .yyyy- 20 500 ( - ) n lo

sysconfig/src/main E>/Management /Management/logs MM-dd- M 500 ( - ) o g4
/config/prod/cml/conf /conf/log4j2. /management- HH B j2
/log4j2.xml xml" service.log" .yyyy- 20
"<SAFEQ6_HOME> MM-dd- M
/Management/logs HH B
/management-
service-audit.log "
safeq/cml/cml- "<SAFEQ6_HOM "<SAFEQ6_HOME> .yyyy- 20 250 n lo

sysconfig/src/main E>/Management /Management/logs MM-dd- M (scavenge o g4
/config/prod/cml/conf /conf/log4j2- /cmldbs.log" HH B r interval j2
/log4j2-cmldbs.xml cmldbs.xml" 300 sec)
safeq/cml/cml- "<SAFEQ6_HOME> always - - n lo

sysconfig/src/main /Management/logs append o g4
/config/prod/cml/conf /cmldbs_version. j2
/log4j2-cmldbs.xml log"
safeq/cml/cml- "<SAFEQ6_HOM "<SAFEQ6_HOME> .yyyy- 20 10 n lo

sysconfig/src/main E>/Management /Management/logs MM-dd- M (scavenge o g4
/config/default/cml /conf/replicator /replicator.log" HH B r interval j2
/conf/replicator/log4j2. /log4j2.xml" 300 sec)
xml

ze si pe
on
- "<SAFEQ6_HOM "<SAFEQ6_HOME> - 20 3 n lo
E>/Management /Management/logs m o g4
/ldapreplicator /LDAPReplicator_st j2
/wrapper.conf" dout.log"
- "<SAFEQ6_HOM "<SAFEQ6_HOME> .yyyy- - - n -

E>/Management /Management/logs MM-dd o
/tomcat/bin/" /ysoftsq-
management-
stdout.log"

/tomcat/bin/" /ysoftsq-
management-
stderr.log"

/tomcat/bin/" /ysoftsq-ldap-
stdout.log"

/tomcat/bin/" /ysoftsq-ldap-
stderr.log"
Management DB
safeq/management "<SAFEQ6_HOM "<SAFEQ6_HOME> always - - n lo

/database-validator E>/Management /Management/logs append o g4
/distribution-support /validator/conf /db-validator.log j2
/conf/log4j2.xml /log4j2.xml"
YSoftEtcd

E>/Management /Management /logs MM-dd o
/etcd/" /ysoftetcd-stdout.
log
- .yyyy- - - n -
MM-dd o

ze si pe
on
"<SAFEQ6_HOM "<SAFEQ6_HOME>
E>/Management /Management /logs
/etcd/" /ysoftetcd-stderr.
log
Log Format:
Log Name Column 1 Column 2 Column 3 Column 4 Column 5 Column 6
manageme yyyy-MM- ThreadName that Logging priority Category User Applicatio

nt-service. dd HH:mm: generated log (Debug) (min width (fixed Session n
log ss,SSS (min width = 30) 6) width 20) (fixed supplied
width 45) message
manageme Formatted according to RFC5424 (detail information in standalone documentation Audit log)
nt-service-
audit.log
cmldbs.log yyyy-MM- Logging priority ThreadName that Category Application

dd HH:mm: (Debug) (min generated log (fixed supplied
ss,SSS width 5) (fixed width = 22) | width 22) message
|
cmldbs_ver | dd.MM. Application

sion.log yyyy HH: supplied message
mm:ss.SSS
replicator. yyyy-MM- Logging priority ThreadName that Category Application

log dd HH:mm: (Debug) (min generated log (fixed supplied
ss,SSS width 5) (fixed width = 22) | width 22) message
|
LDAPReplic yyyy/MM Application

ator_stdou /dd HH:mm: supplied message
t.log ss.SSS |
ysoftsq- Application supplied message

manageme
nt-stdout.
log
Application supplied message

Log Name Column 1 Column 2 Column 3 Column 4 Column 5 Column 6
ysoftsq-
manageme
nt-stderr.
log

ldap-
stdout.log

ldap-stderr.
log
Manageme
nt DB
db- yyyy-MM- Logging priority ThreadName that Category Application

validator. dd HH:mm: (Debug) (min generated log (fixed supplied
log ss,SSS width 5) (fixed width = 22) | width 22) message
|
YSoftEtcd
ysoftetcd- yyyy-MM- Two line message

stdout.log dd HH:mm:
ss
ysoftetcd- yyyy-MM- Logging priority Category: Applicatio

stderr.log dd HH:mm: (Debug) (width 1) | n
ss,SSSSSS supplied
message

Example:
management-service.log
yyyy- ThreadName Logging Catego User Session (fixed Application supplied

MM-dd that priority ry width 45) message
HH: generated (Debug) (min (fixed
mm:ss, log (min width 6) width
SSS width = 30) 20)
2016- ServerThread DEBUG Server - MessagingThread[ID: 1,

05-20 Pool Thread is-stop: false, selector-
16:01: Pool open: true,
54,629 detachedPorts: 0] has
total waiting messages
in ports 0. threshold for
splitting thread is 100
2016- MessagingTh1 DEBUG Messag - Aft: Do not select is

05-20 ingThre set!
16:01: ad
55,645
2016- cml- DEBUG nagem - Executing job: eu.ysoft.

05-20 quartz_Worke entStat safeq.core.scheduler.
16:02: r-1 sDataJ statistic.
00,005 ob RecalculateManagementS
tatsDataJob@648f1a9c
management-service-audit.log
<134>1 2016-11-09T21:01:15.118+01:00 NB478 MANAGEMENT_SERVICE - DEVICE_SOFTWARE_UPDATE

[web@18060 auditPoint="METHOD_OUTPUT" crudType="UPDATE" requestId="318e5b94-8a9e-4f74-
91a2-0366127d63e1" requestIp="0:0:0:0:0:0:0:1" requestPath="http://localhost/software-package
/packages/" sessionId="B91E7267465BBF6FACA7A824662400EC" tenantDomain="tenant_1"
tenantIdentification="f900b632-aad8-4d99-ad98-33496f83812d" userId="13" userName="admin"]
Update device software [info=[Software package has been submitted for processing. Result will be
displayed in the notification center.], resultingPage=redirect:/hardware/list]
replicator.log
yyyy- Logging ThreadName Catego Application supplied

MM-dd priority that ry message
HH: (Debug) (min generated (fixed
mm:ss, width 5) log (fixed width
SSS width = 22) | 22) |
DEBUG ction(345) Transa begin

-10.0.13.116| ctionIm
pl|

2016-
07-12
02:00:
02,532
2016- DEBUG ction(345) JpaTra Exposing JPA

07-12 -10.0.13.116| nsactio transaction as JDBC
02:00: nMana transaction [org.
02,532 ger| springframework.orm.jpa.
vendor.
HibernateJpaDialect$Hib
ernateConnectionHandle
@a2b0656]
2016- INFO ction(345) faultInv Saving new invocation

07-12 -10.0.13.116| ocation request: 'Invocation
02:00: Service [id=null,
02,533 | invocationStatus=REQUE
ST,
clusterNodeId='82f1ff3b-
fd91-4f45-85ae-
b9a19a29c7dc',
serviceIdentification=LDA
P_REPLICATOR]' for
tenant: 'Tenant{id=1,
uuid=f900b632-aad8-
4d99-ad98-
33496f83812d,
name='tenant_1',
domain='tenant_1',
active=true}'
db-validator.log
yyyy- Logging ThreadName | Categ Application supplied

MM-dd priority that ory message
HH: (Debug) (min generated (fixed
mm:ss, width 5) log (fixed width
SSS width = 22) 22) |
2016- DEBUG main | Tables: 4

05-05 DBValid
22:14: ator|
57,866
2016- DEBUG main | Table: smartq_validator --

05-05 DBTabl does not exist
22:14: e|
57,866

5.8.3.8 YSoft SafeQ Mobile Integration Gateway Logs
General Info:
Log Format Configuration Output Log Data Max Max Number Co Concu Log
Definition Path Path Pattern File of Files mpr rrent ging
Path After Size Size (Delete ess Write Typ
Overflow Strategy) ion s e
connector\Co <MIG_install_dir <MIG_install Date-style, ~21 not specified, no false Nlog

nnectorServic >\bin\connecto _dir>\logs\co Daily MB archived daily
e\Nlog.config r\NLog.config nnector.log
Log Format:
Log Column 1 Column 2 Column Column 4 Column 5

Na 3
me
mig. yyyy-MM-dd Logging priority thread class name, method name and message
log HH:mm:ss. (Debug) (fixed ID source information (fixed width /exception on
ffff width 5) (width 70) new line
2)
Example:
connector.log
yyyy-MM- Logging thread class name, method name message/exception on new line
dd HH:mm: p r i o r i t y I D and source information
ss.ffff (Debug) (fixed (width (fixed width 70)
width 5) 2)
2016-05- INFO 5 | FormatConverter. Set Aspose pdf license for

25 16:10: AsposeFormatConverter. PdfConverter
11.0403 SetLicense |
2016-05- INFO 5 | Communicator. Instance initialized with

25 16:10: Communicator..ctor | configuration [LocalPeerName
11.3024 [APGuid], LocalPeerType [AP]].
2016-05- INFO 5 | IppService. listening with method: https

25 16:10: InternetPrintService.Start |
11.7754

5.8.3.9 YSoft SafeQ Mobile Print Server Logs
General Info:
Using Nlog.config user can configure respective output logs. Mainly used for changing the log
level to trace (useful for example when debugging Exchange Web Services EWS). For more info
see Configuring logging using Nlog.config.
For debugging it is also recommended to edit MpsDownloader.exe.config and uncomment section

configSections and applicationSettings.
Configuration Path Output Data Max File Max Compres Concurre Logging
Log Path Pattern Size Number sion nt Type
after of Files Writes
Size (Delete
Overflow Strategy)
<SAFEQ6_HOME>\MP <SAFEQ6 Date- ~21MB 15 no false Nlog

S \Service\NLog. _HOME>\ style,
config MPS\Logs Daily
\mps.log
<SAFEQ6_HOME>\MP <SAFEQ6 Date- ~21MB 15 no false Nlog

S _HOME>\ style,
\Service\OAuthClient. MPS\Logs Daily
exe.config \OAuthCli
ent.log
<SAFEQ6_HOME>\MP <SAFEQ6 _yyyy- ~unlimite unlimited no false Nlog

S _HOME>\ MM-dd d
\Service\MpsDownloa MPS\Logs
der.exe.config \Aspose.
Imap.log
Log Format
Log Column 1 Column 2 Column 3 Column 4 Column

Name 5
mps.log yyyy-MM-dd HH: Logging priority thread ID (width 2) class name, messag
mm:ss.ffff (Debug) (fixed method name and e
width 5) source information /excepti
(f-w 70) on on
new
line
OAuthCli yyyy-MM-dd HH: Logging priority thread ID (width 2) messag

ent.log mm:ss.ffff (Debug) (fixed e
width 5) /excepti

Name 5
class name, on on
method name and new
source information line
(f-w 70)
Aspose. Aspose supplied message

Imap.log
Example
OAuthClient.log
yyyy-MM- Logging thread class name, method message/exception on new line

dd HH:mm: priority ID name and source
ss.ffff (Debug) (fixed (width information (f-w 70)
width 5) 2)
2020-09- INFO 7 OAuthClient. Authorization was successful. The

21 14:07: OAuthController+<Author application was authorized to
06.6846 ize>d__5.MoveNext access the account's mailbox.
mps.log
yyyy-MM- Logging thread class name, method message/exception on new line

dd HH:mm: priority ID name and source
ss.ffff (Debug) (fixed (width information (f-w 70)
width 5) 2)
2016-05- INFO 5 | Configuration. SafeQ configuration loaded

26 09:12: SafeQConfiguration. successfully.
10.7801 Initialize |
2016-05- ERROR 4 | MobilePrint.MobilePrint. The service could not be started

26 09:12: Initialize | because Mobile Print Server is not
11.1550 licensed or enabled in SafeQ system
settings.
2016-05- INFO 4 | MobilePrint. Stopping service...

26 09:12: MobilePrintService.Stop
11.1706 |
2020-09- TRACE 1 | MpsDownloader. EwsRequestHttpHeaders : <Trace

21 15:04: EwsLogger.Trace | Tag="EwsRequestHttpHeaders" Tid="
34.1929 1" Time="2020-09-21 13:04:34Z">
Aspose.Imap_2020-9-21.log

Imap client[1|9/21/2020 2:08:03 PM]: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Connect to:
outlook.office365.com:993 SecurityOptions.SSLImplicit
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
5.8.3.10 YSoft SafeQ Mobile Terminal Logs
General Info:
Log Format Confi Output Log Data Max Max Comp Conc Loggi
Definition Path gurati Path Pattern File Number of ressio urren ng
on after Size Size Files n t Type
Path Overflow (Delete Write
Strategy) s
iOS: Only <SAFEQ6_HOME terminal termi terminal termi termi termi

mobileterminal\sr in >\SPOC\Terminal server nal server style nal nal nal
c\ios\main.cs sourc server\logs\mobil style serve serve serve serve
Android: e e.log r r r r
MobileTerminal code style style style style
/src/Droid
/BaseApplication.
cs
Log Format:

Nam 5
e
mobi yyyy-MM-dd Logging priority ThreadName | or class name, method message

le. HH:mm:ss.ffff (Debug) (fixed width Thread ID if empty name and source /exceptio
log 5) information n

Example:
mobile.log
yyyy-MM- L o g g i n g ThreadName class name, method name and message/exception

dd HH: priority | or Thread ID source information
mm:ss. (Debug) (fixed if empty
ffff width 5)
2016-07- INFO 42 TerminalServer.Lightweight. Received logs from

07 12:55: Services.LogController. mobile terminal:
17.7694 LogMessage
2016-07- INFO 1 MobileTerminal.iOS. Starting logging

07 12:55: PrinterIdentifyViewController+<Initia session on Device
02.4468 teAuthentication>c__async3. [Davids-iPhone]
MoveNext
2016-07- INFO 1 MobileTerminal.iOS. Identified printer [htt

07 12:55: PrinterIdentifyViewController+<Initia p://10.0.13.116:5021
02.4543 teAuthentication>c__async3. /et/v1/1/]
MoveNext
2016-07- INFO 1 MobileTerminal.iOS. User [admin]

07 12:55: UsernamePasswordViewController authenticated
11.2517 +<LogIn>c__async0.MoveNext
2016-07- INFO 1 MobileTerminal.iOS. Retrieved Jobs [0]

07 12:55: JobListTableViewController+<Load in Folder [Waiting]
12.0461 PrintJobs>c__async2.MoveNext
2016-07- INFO 1 MobileTerminal.iOS. Retrieved Jobs [0]

07 12:55: JobListTableViewController+<Load in Folder [Printed]
14.0237 PrintJobs>c__async2.MoveNext
2016-07- INFO 1 MobileTerminal.iOS. Ending logging on

07 12:55: LoggingHelper+<SendLogFile>c__as session on Device
17.7710 ync0.MoveNext [Davids-iPhone]

5.8.3.11 YSoft SafeQ Spooler Controller Logs
General Info
size (Delete
overflow strategy
)
safeq/spoc/spoc- "<SAFEQ "<SAFEQ .yyyy- 20MB 50 zip log4j2

sysconfig/src/main 6_HOME 6_HOME MM-dd
/config/prod >/SPOC >/SPOC
/spooler-controller /conf /logs
/conf/log4j2.xml /log4j2. /spoc.
xml" log"
"<SAFEQ .yyyy- 20MB 5 no log4j2

6_HOME MM-dd
>/SPOC
/logs
/spoc_ti
ming.
log"
"<SAFEQ .yyyy- 20MB 20 zip log4j2

6_HOME MM-dd
>/SPOC
/logs
/cache_r
eplicator
.log"
"<SAFEQ always no_limit no_limit no log4j2

6_HOME append
>/SPOC
/logs
/spoc_v
ersion.
log"
"<SAFEQ .yyyy- 5MB 5 no log4j2

6_HOME MM
>/SPOC

size (Delete
overflow strategy
)
/logs
/spoc_lif
ecycle.
log"
"<SAFEQ always 10MB 5 no log4j2

6_HOME append
>/SPOC
/logs
/sqsh.
log"
"<SAFEQ .yyyy- 20MB 10 zip log4j2

6_HOME MM-dd
>/SPOC
/logs
/distlock.
log"
safeq/spoc/spoc- "<SAFEQ "<SAFEQ - 20m 3 no log4j2

sysconfig/src/main 6_HOME 6_HOME
/config/default >/SPOC >/SPOC
/spooler-controller /bin /logs
/spoolercontroller /wrappe /spoc_st
/wrapper.conf r.conf" dout.
log"
System Generics
distmemserver/src "<SAFEQ "<SAFEQ - 20MB 5 no java,

/main/resources 6_HOME 6_HOME code
/logging.properties > >/SPOC
/SPOC/ /logs
tomcat /infinisp
/webapp an-
s server-
/infinisp rest.log
an-
server-
rest
/WEB-INF
/classes

size (Delete
overflow strategy
)
/logging.
properti
es "
safeq/spoc/spoc- "<SAFEQ "<SAFEQ - - 90 (one no java,

sysconfig/src/main 6_HOME 6_HOME per code
/config/default >/SPOC >/SPOC day)
/spooler-controller /conf /logs
/conf/obejctdb. /objectd /odbYYY
conf b.conf" YMMDD.
log"
Log Format
spoc.log yyyy-MM-dd Logging priority ThreadName that Category Application

HH:mm:ss, (Debug) (min generated log (fixed (fixed width supplied
SSS width 5) width = 22) | 22) | message
spoc_timin yyyy-MM-dd Application

g.log HH:mm:ss, supplied
SSS message
cache_repli yyyy-MM-dd Logging priority ThreadName that Category Application

cator.log HH:mm:ss, (Debug) (min generated log (fixed (fixed width supplied
spoc_versi | dd.MM.yyyy Application

on.log HH:mm:ss. supplied
SSS message
spoc_lifecy yyyy-MM-dd Application

cle.log HH:mm:ss, supplied
SSS message
sqsh.log yyyy-MM-dd Logging priority ThreadName that Category Application

HH:mm:ss, (Debug) (min generated log (fixed (fixed width supplied
distlock. yyyy-MM-dd Logging priority ThreadName that Category Application

log HH:mm:ss, (Debug) (min generated log (fixed (fixed width supplied

spoc_stdo yyyy/MM/dd Message

ut.log HH:mm:ss.
SSS
System
Generics
infinispan- Month, Day, Source of record Two line message

server-rest. Year Time (a class)
log
odbYYYYM ObjectDB
MDD.log specific
messages
Examples
spoc.log
yyyy-MM- Logging ThreadName that Category Application supplied message

dd HH:mm: priority generated log (fixed (fixed
ss,SSS (Debug) (min width = 22) | width 22)
width 5) |
2016-05- INFO rListener_start_runne | Starting rest of services in

05 22:31: r ORSNode| StartUpThread ...
27,577
2016-05- DEBUG rListener_start_runne | ORS Node: STARTED

05 22:31: r ORSNode|
27,593
spoc_timing.log
yyyy-MM-dd HH:mm:ss,SSS Application supplied message
2016-05-26 10:34:29.874 ;;JetD-0;;ACC;;\\QA11-S025;;1690;;47;;1;;NOT-PARSED-YET
spoc_version.log
| dd.MM.yyyy HH:mm:ss.SSS Application supplied message
|09.05.2016 12:37:03.342 |YSoft SafeQ® D.0.0.999 DEVEL (20160409)
spoc_lifecycle.log
yyyy-MM-dd HH:mm:ss,SSS Application supplied message
2016-05-16 09:27:41.708 STARTING
distlock.log
Application supplied message

yyyy-MM- Logging ThreadName that Category
dd HH:mm: priority generated log (fixed (fixed
ss,SSS (Debug) (min width = 22) | width 22)
width 5) |
2016-05- TRACE StartUpThr| Distributed Starting DistibutedLayerClient with

25 14:41: LayerClien configuration:
25,734 t| DistributedLayerClientConfiguration
[checkItemAfterPost=true;
httpPort=80; httpsPort=443;
maxParallelRestConnections=5;
restServerAddress=localhost;
httpConnectionTimeout=10000;
httpSocketTimeout=10000]
2016-05- DEBUG StartUpThr| Document Unable to retrieve config:

25 14:41: Provider| expandEntityReferences defaults to
26,282 true
infinispan-server-rest.log
Month, Day, Year Time Source of record (a class) Two line message
Jun 30, 2016 10:13:23 AM org.infinispan.remoting.transport. start

jgroups.JGroupsTransport INFO: ISPN000078: Starting JGroups
Channel
odb20160711.log
ObjectDB specific messages
[2016-07-11 06:33:34 #1 store]
Database 'C:\SafeQ6\SPOC\SpoolCache\MainORSCache.odb' is opened by 2232@QA13S116
[2016-07-11 06:33:36 #2 type]
Type com.ysoft.cache.objectdb.ObjectCacheDBRegistryEntity is not enhanced.
5.8.3.12 YSoft SafeQ Workflow Processing System Logs
General Info:
Log Format Configur Output Data Ma Max Number of Files Co Con Lo

Definition Path ation Log Path Pattern x (Delete Strategy) m curr ggi
Path After Fil pr ent ng
Size e es Writ Ty
Overflow Siz si es pe
e on
no

Log Format Configur Output Data Ma Max Number of Files Co Con Lo
Definition Path ation Log Path Pattern x (Delete Strategy) m curr ggi
Path After Fil pr ent ng
Size e es Writ Ty
Overflow Siz si es pe
e on
workflow- <SAFEQ6 <SAFEQ6 . 20 1 current + 5 archived, fals Nlo

processing- _HOME>\ _HOME>\ yyyyMMd MB archived after the file size is e g
server\WPS\Wps WPS\NLo WPS\logs d- reached, the oldest archived
Service\Nlog. g.config \wps.log hhmmss files are deleted
config
Log Format:
Log Column 1 Column 2 Column 3 Column 4 Column 5

Na
me
wp yyyy-MM-dd activity id (may be empty for Logging priority logger name message
s. HH:mm:ss. Topshelf messages, fixed (Debug) (fixed (fixed width /exception on
log ffff width 80) width 5) 80) new line
Example:
wps.log
yyyy-MM-dd activity id (fixed Logging priority logger name (fixed message

HH:mm:ss. width 80) (Debug) (fixed width 80) /exception on
ffff width 5) new line
2016-05-25 | | INFO | Default | Starting WPS

15:55: service
53.7944
2016-05-25 | | INFO | Default | Service is live

15:55: now at : [5600]
54.1314
2016-05-25 | | INFO | Topshelf.Runtime. [Topshelf]

15:55: Windows. Started
54.1314 WindowsServiceHost |
2016-06-01 | e06cfbff-3333- | DEBUG | Wps.Processor. [2] templates

12:57: 436b-ac39- TemplateProcessing. loaded and
54.6862 cc69876a44bf TemplateProcessor | preprocessed.

5.8.4 SSL/TLS SECURE CHANNEL - SCHANNEL - TROUBLESHOOTING
When encrypted communication is enabled in YSoft SafeQ 6, the subsystems connect to each
other using strong protocols or protocols defined in the underlying operating system. You may
encounter some issues when your server runs on an out-of-date OS or when the OS is up to date
but your MFD has old firmware. This guide should help you identify and fix problems related to
security protocols.
5.8.4.1 Terminal/MFD Cannot Be installed, the Error "Could not create SSL/TLS secure
channel" Appears in the terminalserver.log Log File
This is a general error message meaning that an error occurred during SSL/TLS cipher negotiation,
the data encryption/decryption process or the data was corrupted.
There are several cases that may make this message occur:
.SSL/TLS Secure Channel - SCHANNEL - Troubleshooting v6.0.33#Device supports only weak

DH keys
.SSL/TLS Secure Channel - SCHANNEL - Troubleshooting v6.0.33#Incorrect implementation of

DH algorithm in the device
.SSL/TLS Secure Channel - SCHANNEL - Troubleshooting v6.0.33#MFD supports only older SSL
/TLS protocol versions but accepts also the higher ones
The Device Only Supports Weak DH Keys
When the device and YSoft SafeQ Server agree on the cipher suite containing a Diffie-Hellman key
exchange (DH or DHE) algorithm and the DH keys provided by the device are shorter than
Windows' default 1024 bits, Terminal Server, which inherits the security settings from the
underlying operating system, it may refuse a connection to such a device.
Conditions/environment
YSoft SafeQ Server (Terminal Server) is running on the Windows Server OS machine with the
following update installed:
June 2016 update rollup
KB3161608 (Windows 7, Windows Server 2008 R2)
KB3161606 (Windows RT 8.1, Windows 8.1, Windows Server 2012 R2)
July 2016 update rollup
June 2016 cumulative update

KB3163018 (Windows 10, Windows Server 2016 Technical Preview 4)
How to recognize this case
Try to connect to the MFD interface via the web browser on the same server as Terminal Server
is running. Is the browser able to connect?
Internet Explorer – usually just the general failure appears: "This page can’t be displayed"
Mozilla Firefox – a connection is denied with the error code

SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
Scan the device using the following nmap command:
nmap --script ssl-enum-ciphers -p DeviceSecurePort DeviceAddress
A list of SSL/TLS protocol versions and cipher suites supported by the device similar to the
following picture should display.
In parentheses after the DHE cipher suites is a DH key length. If this number is lower than 1024,
you may have encountered this case.
How to fix this case
On Windows servers, this can only be avoided by setting the required DH key length lower using
registers. You can add the registry key manually or use the following fix:
1.

1. Create a dh.reg file with the following content:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchan
geAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000200
2. Open this file in the machine with Terminal Server running. Windows should automatically
create the given registry key.
3. Try to install the device again.
Do not set a lower length of DH keys unless really necessary. Supporting DH keys of lower
than 1024 bits makes your machine vulnerable to some attacks.
The Incorrect Implementation of the DH Algorithm in the Device
When using a cipher suite containing the Diffie-Hellman key exchange (DH or DHE) algorithm,
occasionally, a device detects a fatal error resulting in an SSL/TLS session termination.
YSoft SafeQ Server (Terminal Server) is running on the Windows Server OS machine with the
June 2016 update rollup
July 2016 update rollup
June 2016 cumulative update
KB3163018 (Windows 10, Windows Server 2016 Technical Preview 4)
The installation of a Konica Minolta device randomly crashes on different installation steps when
trying reinstallation several times.
On Windows servers, this can only be avoided by disabling the DH key exchange algorithm using
registers. You can add the registry key manually or use the following fix:
1.

1. Create a dh.reg file with the following content:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchan
geAlgorithms\Diffie-Hellman]
"Enabled"=dword:00000000
2. Open this file in the machine with Terminal Server running. Windows should automatically
create the given registry key.
3. Try to install the device again.
This registry modification disables DH/DHE ciphers for the whole machine, thus, no
communication links dependent on the operating system settings will be able to use them.
The MFD Only Supports Older SSL/TLS Protocol Versions, but also Accepts Higher Ones
YSoft SafeQ Server needs to connect to the device during terminal installation. YSoft SafeQ
Server and the device negotiate the SSL/TLS protocol version they will be communicating with.
During this negotiation, the parties always try to connect using the highest protocol version both
of them support. The problem here is, for example, when YSoft SafeQ Server supports TLSv1.2
and the device does not but pretends it does, they agree on this version and the connection fails.
Try to connect to the MFD interface via a web browser (with TLSv1.2 enabled) on the same
server as Terminal Server is running on. Is the browser able to connect?
Mozilla Firefox – the connection is denied with the error code SSL_ERROR_BAD_MAC_ALERT
Google Chrome – the connection is denied with the error code

ERR_SSL_BAD_RECORD_MAC_ALERT
In the YSoft SafeQ management interface, go to System settings (Expert options) and search for
the property securityProtocolTypesForOutboundCommunication. Set this system property to
only the SSL/TLS protocol versions supported by your MFD.
Be careful when modifying this property. Some other devices may stop communicating when
the SSL/TLS protocol versions are not set properly.

5.8.4.2 Communication with YSoft Payment System Fails with the Error "Could not create SSL
/TLS secure channel" in the terminalserver.log Log File
Older Windows servers do not support cooperation of TLSv1.2 and certificates using the SHA-512
hash function. This causes failures in the connection to YSoft Payment System.
YSoft SafeQ Server (Terminal Server) is running on the Windows Server OS machine without the
August 2014 update rollup
KB2975331 (Windows RT 8, Windows 8, Windows Server 2012)
How to recognize this issue
Try to connect to Payment System from the Terminal Server machine via Internet Explorer with
TLSv1.2 enabled. Is it able to connect?
Internet Explorer – the error message is displayed: "Make sure TLS and SSL protocols are
enabled."
How to fix this issue
If you encounter this issue with TLSv1.2 enabled on the machine with Terminal Server running (in
the registry or in the securityProtocolTypesForOutboundCommunication expert system
property), apply the following update to this machine https://support.microsoft.com/en-us/kb
/2973337 .
5.8.4.3 The Device Supporting Only Higher Versions of the SSL/TLS Protocol Cannot Connect
to YSoft SafeQ Server
Older Windows servers do not have higher versions of SSL/TLS protocol enabled. Terminal Server
inherits these settings from the system, and, thus, devices only supporting higher versions
cannot connect.
YSoft SafeQ Server (Terminal Server) is running on the Windows Server OS machine with one of
the following systems:
Windows Server 2008 R2 with KB3080079 installed
Windows Server 2012

Windows Server 2012 R2
How to recognize this issue
Scan the machine with Terminal Server running using the following nmap command:
nmap --script ssl-enum-ciphers -p 5012 MachineAddress
A list of SSL/TLS protocol versions and cipher suites supported by Terminal Server should display.
Scan the device using the nmap command:
nmap --script ssl-enum-ciphers -p DevicePort DeviceAddress
A list of SSL/TLS protocol versions and cipher suites supported by the device should display.
If the protocols supported by the device and the protocols supported by Terminal Server are
exclusive lists, you have encountered this issue.
How to fix this issue
On Windows servers, this can only be avoided by setting the required SSL/TLS protocol versions
using registers. You can add the registry keys manually or use the following fix:
1. Create a tls.reg file with the following content:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
\TLS 1.0\Server]
\TLS 1.1\Server]
\TLS 1.2\Server]
These values will disable support for SSLv3 and TLSv1.0 and enable TLSv1.1 and TLSv1.2. Of
course, you can modify them before proceeding to the next step according to your
requirements.
2. Open this file is in the machine with Terminal Server running, Windows should automatically
create the given registry keys.
3.

3. Restart the machine with Terminal Server.
5.8.4.4 The Device Is Installed Correctly, but Cannot Connect to YSoft SafeQ Server
This usually happens when the device is not able to verify the YSoft SafeQ Server (Terminal
Server) certificate or the server certificate uses a cryptographic algorithm not supported by the
device.
The Certificate Is Not Trusted
By default, the communication between the terminal and Terminal Server is encrypted using the
same default certificate for all YSoft SafeQ 6 deployments. This is not trusted in the MFDs, so a
new key/certificate needs to be created and Terminal Server configured to use it (follow the
chapter Configuring secured connection between terminals and Terminal Server). Also, the
certificate must be imported to the device as trusted.
The Device Does Not Support the Cryptographic Algorithm Used for the Certificate or the Key
Length
Since YSoft SafeQ 6 MU17 (and newer builds), the default certificate in the Terminal Server uses
the algorithm SHA-256 (instead of the previous SHA-1) and has an RSA key of 2048 bits long.
Some older devices do not support either the SHA-256 algorithm or RSA keys of a maximum
length of 1024 bits. When it really is a must to communicate in an encrypted way with such a
device, a new key/certificate compatible with it needs to be created. More information about the
Terminal Server certificate setting is in the Configuring secured connection between terminals
and Terminal Server chapter.
5.8.5 TROUBLESHOOTING BILLING CODES
5.8.5.1 Common Problems with Billing Codes
"Project" Tab Is Not Visible in the Admin Interface
You do not have a license with the "Project tracking" feature.
Billing Codes Are Not Visible When Printing from the Workstation Client
1. Check that billing codes are enabled. In System settings, "Enabling billing codes" should be
set to "enabled".
2. A user must have at least two billing codes. When a user has just one billing code, it will
automatically become the default billing code, and billing code selection will not display.
Listing and Displaying Billing Codes Is Too Slow
Check whether you have followed the guideline for creating billing codes.

Too Many "Orphaned" Billing Codes
The file that defines billing codes must also contain all billing codes up to the root. If there is no
such path, then the importer will not be able to enter a billing code into the tree.
Wrong scenario - 600.7000 us unreachable:
format:prefix
500;Master
600.7000;Child
Correction:
format:prefix
500;Master
600;Second master
600.7000;Child
5.8.6 TROUBLESHOOTING EMBEDDED TERMINALS
5.8.6.1 Configuring OKI/Toshiba to Support the At Sign in a Username
The Situation
When any of YSoft SafeQ 6 users' usernames contain the @ character, a scan issue with the
YSoft SafeQ scan application occurs.
The solution is to set the configuration option internalLdapReplaceAtChar in YSoft SafeQ

system settings (expert view) to the value \# – all occurrences of @ will be replaced with #.
Limitations
Even if internalLdapReplaceAtChar is set, there are limitations related to the Username and
Password authentication method. So, if a user with the username, e.g., user@domain.com is
logged on OKI Embedded Terminal using Username and Password, the following limitations may
occur:
The SafeQ Scan application does not work.
Copy does not work – the "Permission of execution denied" message displays on the
device after pressing the start button.
The user cannot go to the browser application on some devices.

Because of these limitations, the authentication method Username and Password is not
supported in combination with usernames containing the @ character.
5.8.6.2 Printing from USB on YSoft SafeQ Embedded Terminal for Konica Minolta
Overview:
USB print behaves differently on devices with different OpenAPI versions. Based on the selected
authentication method and OpenAPI version, the print from USB might be:
not supported
supported
supported with additional authentication screen shown on the panel
The additional authentication screen is an empty screen with title User authentication and
two buttons OK and Cancel. The screen appears after a document from USB is chosen. To
continue, click OK.
When using a combination of OpenAPI and authentication option for which the USB print is not
supported, the additional authentication screen is displayed too, but the OK button is not
enabled (it is greyed out and cannot be activated).

Open API differences :
Authentication method OpenAPI 3.7 or OpenAPI 4.0 OpenAPI 4.1

lower or higher
Card with additional

authentication
Card and PIN with additional

authentication
Card and PIN or username/password - card with additional

and pin authentication authentication
Card and PIN or username/password - with additional

username/password authentication authentication
Card and username/password with additional

authentication
Card or PIN - card authentication
Card or PIN - pin authentication with additional

authentication
Card or PIN or username/password - card with additional

authentication authentication
Card or PIN or username/password - pin

authentication with additional
authentication
Card or PIN or username/password -

username/password authentication with additional
authentication
Card or username/password - card

authentication
Card or username/password - username with additional

/password authentication authentication
PIN with additional

authentication
Two-factor with additional

authentication
Username/password with additional

authentication
print from USB supported

with additional authentication - print from USB requires additional authentication (user needs
to confirm the credentials or provide some other type of credentials)
print from USB is not supported
5.8.6.3 Troubleshooting WebDAV delivery of scanned data from Xerox devices
Situation
Scanned data are not delivered using WevDAV transport protocol ( scanServerType = WebDAV
) although the device supports it.
"A connection to the server could not be established." message is the device job log.
Network analysis shows no packet to be received from MFD to the YSoft SafeQ server on
WebDAV port (see webdavPort system setting).
FTP transfer is working without any problem.
WebDAV works from other MFDs
Solution
The problem is usually cased by MFD network settings. Make sure "No Proxy" is set in device
management, on ConnectKey devices in Properties > General Setup > Extensible Service Setup
category. Beware, that "Proxy Disabled" is not the same as "No Proxy" and is often the root case.
5.8.6.4 Troubleshooting YSoft SafeQ Embedded Terminal for Ricoh SOP
If errors or warnings appeared during device preparation or installation of the terminal, follow the
instructions in this section to be sure the MFP is configured correctly for the terminal.
Problem: Unable to print on Ricoh driver (without using YSoft SafeQ client)
Solution: Configuring Ricoh SOP - Configuring Direct Print on Ricoh driver
Problem: Document server not available
Solution:
1. Login as an admin to the device if required.
2. In User Tools > Machine Features > Administrator Tools > Enhanced External Charge Unit
Management (on 2nd page) unblock Document Server (see picture below).

Problem: Service menu inaccessible
Solution:
3. Make sure User Authentication Management is tuned off under Device Management >
Configuration .
Problem: Unable to login as admin in home menu
Solution:
3.

3. Make sure User Administrator Authentication is turned on under Device Management >
Configuration.
4. Make sure User Authentication Management is tuned off under Device Management >
Configuration.
Problem: Card reader is not working.
Solution:
1. Make sure the USB cable is plugged in directly into the SOP panel.
2. See Configuring USB Card Reader in Configuring Ricoh for 2nd Gen. SOP Embedded Terminal
.

Problem: Terminal installation hangs on last step
Solution:
3. In User Authentication Management set User Authentication Management to Custom

Authentication.

Problem: Unable to install embedded terminal (device not reachable).
Solution:
1. Make sure Device IP is correct.
2. Make sure there are no network issues and no ports used by management/MFD are blocked.
Problem: MFD is not responding correctly.
(example of not responsive MFD, after clicking on print nothing happens as seen above)
Solution:
1. Make sure there are no network issues and no ports used by management/MFD are blocked.

Problem: Unable to reinstall terminal (Configuration failed. Unable to connect to the remote
configuration component on the target MFD.)
Solution:
1. Uninstall terminal
2. Manually restart the MFD.
3. Install terminal again.
Problem: A validity check error is displayed on a terminal. (Most probably Ricoh web API token
is expired.)
Solution:
1. Update YSoft SafeQ.
Problem: Installation fails because of timeout.
Solution:

In Management → System → Configuration:
1. Increase tsCommunicationTimeoutSecond value
Suggested value: 360
2. Increase maxEmbeddedInstallationStatusAge value
Suggested value: 20m
Problem: Failed to remove existing application shortcuts during installation.
Solution:
This happens after the application crashed. Reboot the MFD and try the installation again. (Note
that on MFD screen there can be "Installation in progress", but do the reboot anyway.)

Problem: USB reader stops working when MFD goes into sleep mode.
Solution:
1. Login to service mode on SOP panel.
2. Select "Screen Device Settings".
3. Select "Authentication priority mode" and turn on "Authentication priority mode".

4. Turn on "Screen device always-connection Settings".
5.8.7 TROUBLESHOOTING YSOFT SAFEQ MOBILE TERMINAL
This document describes the most common issues you can face when installing or using YSoft
SafeQ Mobile Terminal.

5.8.7.1 How to Find Out the Version of the Installed Application
Android
Open the application in the Google Play Store.
Click Read more.
Scroll to the bottom, find Version and Updated on.
5.8.7.2 YSoft SafeQ Server Is Not Reachable
When you could experience this issue
1. Open the application, try to scan the QR code.
2. The logging screen does not appear and you see the following message:

Troubleshooting
1. Check that you have connectivity to the intranet where YSoft SafeQ Server is running.
2. Check that YSoft SafeQ Server is online and running.
3. Check that you have a QR code with a valid YSoft SafeQ Server IP, port and terminal ID.
You can try the following approach:
a. Scan the QR code with a third-party QR code scanning application.
b. Check the text retrieved from the QR code for the YSoft SafeQ Server IP, port and
terminal ID.
4. Generate a new QR code from the YSoft SafeQ management interface and try again.
5.8.7.3 Google Play Update Failed
1. Updating the application from the Google Play Store.
2. The application is not updated successfully.

Troubleshooting
1. Uninstall the YSoft SafeQ application.
2. Restart the Android device.
3. Install the YSoft SafeQ application.
5.8.7.4 NFC Tag Does Not Launch the Android Application
1. Trying to launch the application using NFC on an Android device.
2. The device/application does not respond.
Troubleshooting
1. Verify the NFC is set up correctly.
2. Make sure your device supports the NFC feature.
3. Turn on NFC in the device's settings.
4. Move your device over the NFC tag (locate the NFC reader on the device – differs per
device).
5. The transfer takes a while – do not just swipe, hold the device in one position to scan
successfully.
5.8.7.5 The User Is Unable to Log In When YSoft Payment System Is Not Configured Correctly
or Not Installed
1. Trying to log in when YSoft Payment System is not correctly configured and the printer is
installed with the Payment feature.
Troubleshooting
1. Correctly configure the whole YSoft Payment System.
2. Reinstall the printer with the Payment feature unchecked.

5.8.7.6 Refreshing the Job List Does Not Work (Pull-to-Refresh)
1. The user is logged into YSoft SafeQ Mobile Terminal.
2. The user sends a new print job to YSoft SafeQ Server.
3. The user refreshes the job list using the Pull-to-refresh gesture.
4. The new job is not visible.
Troubleshooting (one of the following)
1. The new job is loaded after the user logs in next time.
a. The user has to log out from YSoft SafeQ Mobile Terminal.
b. The user logs in again.
2. The administrator has to enable Refreshing Print Job list in native application (Property
name: refreshPrintJobs) in the YSoft SafeQ system configuration.
a. After enabling this property, you have to reinstall the devices.
5.8.8 YSOFT SAFEQ FLEXISPOOLER TROUBLESHOOTING
5.8.8.1 Broken encoding in job name
Situation
Job title is not shown correctly in the YSoft SafeQ management interface (the encoding is
wrong).
Possible cause
User creates a job with the name encoding different from the current system locale default and
sends it to the YSoft SafeQ 6. The job title is shown incorrectly in the YSoft SafeQ management
interface.
Example
A Russian user has his/her Windows operating system in English locale and prints a document in
Russian (including the document's name). The default encoding in English Windows is unable to
process azbuka letters, which causes the job title to be shown in a wrong way.

Solution
To have the job's name shown properly, the user has to change his/her system's locale. There is
currently no other solution for jobs whose title encoding is incompatible with the system's one.
The regression from YSoft SafeQ 5 is caused by a different approach to job retrieval from
Windows Spooler. On the other hand, it allows the user to use v4 drivers (most of the latest
ones), which were incompatible with YSoft SafeQ Client for SafeQ 5 and older.
How to change Windows locale
1. Open Region settings (either from Control Panel or by the Windows search function).
2. Select the Administrative tab and click Change system locale.

3. Select the required language.
4. Log-out or restart may be required to take effect.

5.8.8.2 FlexiSpooler on Windows 7/Windows 2008
YSoft Universal Print Driver is not compatible with Windows 7, Windows 2008 and older. Another,
preinstalled, HP driver is used on such systems. This approach enables us to deploy secure
queues even without any driver specified. However, the recommended procedure is to use a
suitable vendor driver and create a queue to already installed IP_Local port.
5.8.8.3 Konica Minolta device freezes when the spooling client goes to sleep or hibernates
Situation
Konica Minolta device freezes during printing of a job from YSoft SafeQ 6 (secure or direct
queue). Even after a longer period of time, the device functionality is not restored.
Possible cause
User sends a job to the secure queue and then releases the job on a device. In the process of
printing the job, the user's computer goes to sleep or hibernation mode. The job transfer is
interrupted which causes the device to freeze.
Frequency
A very rare situation.
Solution
The only immediate solution is to restart the device.
The devices behave differently in this situation, depending on the firmware. If you are
experiencing this issue, try updating the firmware, in some cases, it can help to avoid this
problem in future.
5.8.8.4 Printing BW Jobs with User Access restriction for Color on Sharp
When user sets Color Restriction on Rules/Access definitions the following behaviors are
observed:
Color job forced as BW job on Driver (Universal Print Driver/Vendor Driver): Job is printed as
BW and accounted as BW.
BW job (e.g. black text without images) without forcing as BW on driver: Job is listed on TS but
not Printed.
The described behavior is due to a third party limitation.
Workaround: In order to print a BW job (e.g. black text without images) by user with color
restriction Rule-based Engine should be created in order to force BW.

5.8.8.5 Problems with Finishing Options on Epson
Finishing Options Are Not Applied
Symptoms: Finishing options set by Rule-based Engine or via terminal are not applied.
Possible solutions:
1. Check that users are printing from the PCL driver. The Epson universal driver supports PCL
and ESC/P-R . Make sure that PCL was chosen during driver installation .
2. You can also use YSoft Universal Print Driver.
Problems with duplex
Symptoms: When Rule-based Engine is set to "force duplex" or duplex is set on the terminal and
the job has an odd number of pages, the first sheet of paper is printed on one side only.
Solution: Uncheck the "reverse order" option in the driver setup. See the figure below.
5.8.8.6 Problems with job delivery via LPR
In some rare cases, problem with delivering job to MFD could occurs. We will describe options and
its values that could help with this problem.
LPR job delivery
lprPrinterConnectionTimeout

configurable only locally in spooler.config
30000 ms by default
Used as a timeout for sending one buffer to printer.
Prolonging this could help in locations with poor network.
Example: "lprPrinterConnectionTimeout":"60000"
lprPrinterConnectionLingerTimeout (SO_LINGER timeout)
configurable globally in Management interface and overridable locally in spooler.config
0 s by default - it means that this feature is switched off.
Timer defines timeout for sending data at the end of the communication. System in rare cases
give just small amount of time to socket for delivering all remaining data before closing
connection.
Setting this to 30 seconds will ensure that whole job is delivered in locations with poor
network. This setting is recommended to set when end of the job is missing during print.
Example: configure it in Management or locally: "lprPrinterConnectionLingerTimeout":"30"
5.8.8.7 Problems with job delivery via RAW
In some rare cases, problem with delivering job to MFD could occurs. We will describe options and
its values that could help with this problem.
Raw job delivery
rawPrinterConnectionTimeout
configurable only locally in spooler.config
30000 ms by default
Used as a timeout for sending one buffer to printer.
Prolonging this could help in locations with poor network.
Example: "rawPrinterConnectionTimeout":"60000"
rawPrinterConnectionLingerTimeout (SO_LINGER timeout)
configurable globally in Management interface and overridable locally in spooler.config
0 s by default - it means that this feature is switched off.
Timer defines timeout for sending data at the end of the communication. System in rare cases
give just small amount of time to socket for delivering all remaining data before closing
connection.

Setting this to 30 seconds will ensure that whole job is delivered in locations with poor
network. This setting is recommended to set when end of the job is missing during print.
Example: configure it in Management or locally: "rawPrinterConnectionLingerTimeout":"30"
5.8.8.8 Troubleshooting YSoft SafeQ FlexiSpooler high resource usage
How to troubleshoot situations when YSoft SafeQ FlexiSpooler consumes too much CPU or
memory and how to identify the root cause so that we can fix it.
Logs
While logs are important, they are usually not sufficient to troubleshoot CPU spikes or memory
consumption as these problems usually have quite complex causes not visible in the logs. This
troubleshooting guide assumes that you collected all the relevant log files and focuses on the
generating and collecting managed memory/thread dump files.
What is memory/thread dump?
For more information on dump files, you may refer to MSDN at: https://msdn.microsoft.com/en-us
/library/d5zhxt22.aspx.
Setting up the Environment
To generate the dumps, we are going to use a ProcDump utility from SysInternals Suite.
You can download the whole suite here: https://technet.microsoft.com/en-us/sysinternals

/bb842062
just the ProcDump utility here: https://technet.microsoft.com/en-us/sysinternals/dd996900.

aspx
To analyze the dump, you can either use Visual Studio 2015 (or higher) or freely available
Debugging Tools for Windows. This guide will focus on both.
Debugging Tools for Windows are best downloaded as part of Windows SDK (choose just
Debugging Tools for Windows if you don't want to install anything else). The web-based
installer for Windows SDK is available here: https://developer.microsoft.com/en-us/windows
/downloads/windows-10-sdk
After you install the Debugging Tools for Windows, please point it to the Microsoft Symbol
Store like this:
set environment variable _NT_SYMBOL_PATH=srv*C:\symbols*http://msdl.microsoft.com

/downloads/symbols

Capturing the Process Dump
When you launch the ProcDump utility without any command line arguments, you get a dialog
prompting you to accept the EULA. Do not forget that this dialog is shown on every single
system you run ProcDump on, so to prevent this from happening, you should always use the -
accepteula command line argument.
Anyhow, without command line arguments, ProcDump shows quite extensive help.
The documentation of all the arguments is available at the download page here: https://technet.
microsoft.com/en-us/sysinternals/dd996900.aspx.
Dumping for Memory
If your focus is to diagnose memory consumption issues, such as memory leaks, you would
probably go for the following switches:
Swi Meaning Value (if applicable)

tch
-l Display the debug logging of the process (such as outputs from

OutputDebugString().
-m Memory commit threshold. Depending on the volume of

printing.
-ma Write a dump file with all access memory and thread
information.
-mp Write a dump file with all access memory excluding large areas You do not need this one for
(caches) and thread information. FlexiSpooler.

Swi Meaning Value (if applicable)
tch
-r Dump using a clone. You should not need this one

for FlexiSpooler.
-s Consecutive seconds before the dump is written. 10-30 seconds
-n How many dumps to write. Usually use more than one, so you 3
can compare.
-t Write one more dump when the process terminates.
-w Wait for the process to launch.
-e Write dump when there is an unhandled exception.
Your command line (assuming you want to monitor FlexiSpooler.exe) could look like this:
procdump -l -m 800 -ma -r -s 30 -n 3 -t -w -accepteula FlexiSpooler.exe C:\Dumps
If it is done correctly, you will see output like this:
5.8.8.9 Xerox WorkCentre 6655 does not print when bidirectional communication is set on
the device
Situation
Xerox does not print because the device waits for two-way communication; the YSoft SafeQ
FlexiSpooler only uses unidirectional communication on the RAW TCP/IP protocol.
Solution
On the device do not set bidirectional communication on the RAW TCP/IP protocol

5.8.9 YSOFT SAFEQ MOBILE INTEGRATION GATEWAY TROUBLESHOOTING
5.8.9.1 Slow printing using IPPS from Linux
Situation
Print jobs sent using IPPS take several minutes, even for a small job and good network
connection. Print jobs sent using IPP, without TLS encryption, are not affected by this issue and
are transferred as quickly as the network will support.
Possible cause
Communication issues between some versions of Linux CUPS TLS implementation and the
Microsoft .NET implementation of TLS can cause slow data transfers.
Solution
The recommended solution is to use Nginx as a reverse proxy to receive print jobs using IPPS.
After Nginx receives the print job from the Linux client the data is sent to YSoft SafeQ Mobile
Integration Gateway using the local network interface.
Nginx can be installed on the same server as YSoft SafeQ Mobile Integration Gateway. All Linux
clients need to send print jobs using IPPS to the Nginx proxy instead of YSoft SafeQ Mobile
Integration Gateway.
How to run Nginx on the same server under Windows.
1. Download and extract Nginx for Windows from https://nginx.org/en/download.html
2. Download and extract nssm from https://nssm.cc/download
3.

3. Open nginx\conf\nginx.conf. Find the http section and add this (configure according to the
comments):
server {
## Configure port to listen for IPPS requests
listen 631 ssl;
## Configure path to certificate
ssl_certificate path/to/cert.pem;
ssl_certificate_key path/to/key.pem;
location / {
## Forward IPPS requests to the configured YSoft SafeQ Mobile Integration
Gateway URL and port
proxy_pass https://127.0.0.1:8050/;
## Certificate verification is disabled by default.

## Certificate verification is recommended if proxy_pass is not 127.0.0.1.
## To validate server certificate uncomment and specify path to CA
certificate.
# proxy_ssl_verify on;
# proxy_ssl_trusted_certificate path/to/ca/certificate.pem;
}
4. In nssm\win64 directory, run this command:
nssm install "Nginx for YSoft SafeQ Mobile Integration Gateway"
5. Fill nginx.exe with full path in Application Path and Nginx directory in Startup directory.
6. Press Install service.
7. Open Windows services and enable automatic start for this service.
8. Configure Linux clients to send print jobs using IPPS to the configured Nginx port.
5.8.10 YSOFT SAFEQ SERVICES ARE NOT STARTED AFTER REBOOT
5.8.10.1 Situation
After the OS is restarted some YSoft SafeQ services are not started, usually YSoft SafeQ
Workflow Processing Service, YSoft SafeQ FlexiSpooler. In the event log a message saying that a
timeout occurred during service startup and it was stopped. Services can be then manually
started without any problem.
5.8.10.2 Solution
Servers are usually in heavy load during OS startup and any operation takes much longer that
usually. OS also limits the time for a service to start. Although, YSoft SafeQ services do only
necessary initialisation during their startup phase, it can happen that it is not fast enough and OS

stops them. This is often happening when minimum HW requirements are not met (please see
Hardware Requirements). One possible solution is so called delayed service start, i.e. system will
run services after all other services are started. In other to turn it on:
1. Run services console (services.msc)
2. Open properties of selected service
3. Change 'Startup type' from 'Automatic' to 'Automatic (Delayed Start)'
5.9 YSOFT SAFEQ 6 ADMINISTRATION AND CONFIGURATION
5.9.1 MANAGEMENT INTERFACE
Mozilla Firefox
Google Chrome
Microsoft Edge Chromium (note: Microsoft Edge Legacy is not supported)
Internet Explorer 10 or higher (compatibility mode with any previous version is not
supported)
5.9.1.1 Management Interface - Overview
Logging Into the System
If the YSoft SafeQ Management interface is configured to use a different port than the standard
port 80, enter the complete URL (e.g., http://safeq_server_IP:8080/).
Use default credentials to begin working with YSoft SafeQ 6. Choose the desired language for the
YSoft SafeQ Management interface by clicking the national flag.

The domain field is only available in the multitenant environment.
It is possible to hide the field and have its value filled in automatically by pointing the browser
to the specially formed URL in the following format http://safeq_server_IP/login/DOMAIN (or
http://safeq_server_IP:8080/login/DOMAIN if the YSoft SafeQ Management interface is
configured to use a different port than the standard port 80). This can be helpful, for example,
for setting up bookmarks in a user's browser or shortcuts on user's desktop.
Automatic Logout
If a user has been inactive for a set period, they are logged out automatically and redirected to
the Login Screen where the following notice appears. The length of the inactive period can be
specified in the system settings.
Adaptive Management Interface
The YSoft SafeQ Management interface is adaptive on various devices including mobile phones
and tablets.

Menus
Menus
The main menu at the left-hand side of the page makes navigating to the right information easy.
The main menu tabs may include sub-menu tabs below the top menu of the page.
General Functions
Header
The available page functions are located at the top right-hand corner of each page. The availability
of these functions can vary based on the displayed page. Detailed info about each icon is in the
table below.

Function Description
If a license for multitenancy is active, the user can switch between Cloud
administration and Tenant management.
Use the menu with tenant names to switch between particular tenants.
Use the flag icon to change the language of the YSoft SafeQ Management interface.
Use the menu with login name and role to change a password or to log out from the
YSoft SafeQ Management interface.
The bell icon indicates the notification center. Review the details of each notification
by clicking on it.
Page Actions Concept
The following elements are used to perform actions on the page. The description of the action is
always intuitively part of the element.
Action Description
Green buttons create a new

record.
White buttons indicate actions and

views relevant for the records on
the page.
Change the scope of available

actions based on the user's
proficiency.
Provides context of the actual

position on the page and its
content.
Search fields allow searching the

records on the page.
On specific pages, switching
between Basic and Advanced
search is possible.

Using Search Filters
Some pages also include search filters to make access to specific data easier. Use data selectors
to set proper data and a folder icon to select the required value from a list.
Page Tables
Page tables contain information and provide actions relevant to the content.
Function Description
Select one, all, or a subset of desired records to apply an action via the page
action button.
Click the column name to sort the table by the column.
Use the EDIT button or particular icons to perform actions for the specific
record.
Hover over an icon to get information about the action it triggers.
5.9.1.2 Management Interface - Cloud
About
The cloud interface provides the management of YSoft SafeQ 6 in multitenant mode. Cloud
management is fully integrated within the YSoft SafeQ management interface.
Multitenancy
Multitenancy allows the running of multiple customers (tenants) within one YSoft SafeQ
Management Server instance.

Each customer (tenant) acts as if it is a separate instance – Communication, Data and Rules are
used only within a tenant.
The configuration is partially common for all customers (tenants) – Configurable in cloud interface
> System > Configuration and partially for a customer (tenant) – Configurable in Tenant interface
> System > Configuration.
Please note that multitenancy is related to Management Service only. Each customer (tenant)
requires their own Print and Scan related components – Site Servers or particular system
components - Spooler Controllers, FlexiSpoolers, Mobile Print Server, Workflows Processing
System and Payment System.
Licensing
To enable Cloud management, a license for multitenancy is required, see Licensing for more info.
Logging In
On the login page, http://safeq_server_IP/login, you can input Domain, Username and Password.
Domain allows logging directly into a specific tenant.
Leave the domain blank to access.
Username and Password are credentials to log as a user of a specific tenant or within Cloud
management.
If you log in as a specific tenant, after logout, you will get the login URL in tenant context
http://safeq_server_IP/login/tenant1.
This URL can also be shared with users who are part of a specific customer.
For the YSoft SafeQ 6 General Availability release, cloud administrators have the right to access
all tenants as administrators.

Navigation and Dashboard
The main menu contains the following sections:
Dashboard – the main page
Reports – an operational overview of particular customers
Tenants – creating, updating and deleting particular tenants
System – contains the configuration shared for all tenants
On the top right-hand navigation bar, the cloud roles may be switched to Tenant management to
log in as specific customers.
An administrator may then switch to the management interfaces of particular tenants in the
multitenant environment.
To go back to Cloud management, switch again from Tenant management to Cloud management
.
Reports
In the Reports section, you can find a basic overview of all tenants. Reports do not include user-
sensitive data such as job names, usernames or roles.

The following types of Reports are available:
Printed pages – an overview of the printing volume across customers.
Tenants – an overview of the printing volume per tenant.
Tenant devices – an overview of the usage of particular devices across tenants.
Tenants
You can see, create, update and delete particular tenants in the Tenants section.
To create a new tenant, enter the name and the domain of the tenant. The tenant domain and
the login URL address will be visible in the database.

When installing YSoft SafeQ Site Server in a multitenant environment, carefully use the tenant
domain of the tenant you want to connect to.
Click SAVE CHANGES to create the new tenant.
Please note that the actions start multiple processes on the server, taking ~ 60 seconds to make
the tenant accessible from the Tenant management menu.
System
In the System section of the cloud interface, you will find similar information as in the System
section of a particular tenant or a single-tenant YSoft SafeQ 6.
For the cloud interface, see the following information:
Configuration – Covering the system settings that cannot be configured per tenant and are
configured globally.
License information – Contains information about the current license, which enables Cloud
management (multitenancy license).
5.9.1.3 Management Interface - Dashboard
Dashboard
The dashboard displays directly after logging into the YSoft SafeQ Management interface. The
user can also select dashboard in the left-hand side menu to display it.
Overview
On the Dashboard tab, the following functions are displayed, based on access rights:
User widgets – relevant for YSoft SafeQ users.
Admin widgets – relevant for YSoft SafeQ administrators.

Add widget
This function adds more widgets to the dashboard.
YSoft SafeQ Version
This widget contains basic information about the version of YSoft SafeQ.
Attribute Description
Internal build Internal version of the currently installed YSoft SafeQ Server
Activation and support ID Activation number and support identifier
Customer Licensed customer name

License expiration When the license expires. Detailed information about the license can be
displayed in the tooltip by hovering the mouse cursor over the icon next to
the expiration date. Items marked with a red color are expired or depleted
Support expiration Expiration date of the product's software support
SLA details Information about the currently purchased SLA. It includes the name of
the SLA, its expiration date and the number of devices covered
Support information Detailed system information in case of any trouble. Support information
can be displayed and downloaded to provide customer support with
detailed system information and the configuration
About the YSoft SafeQ Information about YSoft SafeQ and used technologies
application
System Services
The widget shows the YSoft SafeQ internal system services and their status. Additional
information about the service's status might be available in a title that displays when hovering
the cursor over the status text.
Attribute Description of status
Communicator YSoft SafeQ Server is ready to communicate with Spooler Controllers
Enterprise Server YSoft SafeQ Server is ready to synchronize data in a cluster

Synchronization
LDAP Replicator Service YSoft SafeQ Server is ready to synchronize with LDAP
Active Objects in YSoft SafeQ
The following is a basic overview of created objects in YSoft SafeQ.

Devices The total amount of installed devices
Hardware terminals The total amount of installed hardware terminals
Embedded terminals The total amount of installed embedded terminals
Spooler Controllers The total amount of installed Spooler Controllers
Users The total amount of created users
Cost centre The total amount of created cost centers
Roles The total amount of created user roles
Billing codes The total amount of created billing codes
Printed/Failed Jobs
Widgets show the basic statistical data of printed/failed jobs via YSoft SafeQ 6. Print jobs are
summed per hour and data is listed from the last YSoft SafeQ 6 restart time.

Blue Line Printed jobs
Red line Failed jobs
System Information
The following is basic information about the system.
Server up time Total time for how long the server has been running
Management Server GUID GUID of Management Server node
Operating system and configuration Operating system information
Free disk (with spooler) space Total amount of free disk space
Database structure Database structure check
.NET version Installed versions of .NET
My Last Jobs
The widget shows the last ten jobs.
Title Job title

Last status change Time when the last change of this job was performed
State Current job status
My Savings
This widget describes the amount of trees, energy, water and CO2 saved. Every non-accounted
job with a deleted status is counted as purged.
Data is listed for the current month and the current calendar year.
Trees The total amount of trees saved
Energy The total amount of energy (in kWh) saved
Water The total amount of water (in liters) saved
CO2 The total amount of CO2 (in kg) saved
Money The total amount of money saved (in the currently set currency)
Access Credentials
This widget can be used to generate a new PIN and card activation code for the logged user.
Note that particular features need to be licensed and enabled in order to see parts of the widget
or the widget itself.
The user password can be changed via the menu option located in the drop down displayed by
clicking the name of the logged user in top right-hand corner of each web application page.

Generate PIN code This code can be used for authentication at the terminal on the printer
Generate PIN Click to generate a PIN code
Generate Card Activation This code can be used to assign a new card on the terminal of the printer.
Code Swipe a card over the terminal and when prompted, enter the Card
Activation Code. The next time the card is used, the user will be
automatically authenticated
Generate Card Activation Click to generate a new Card Activation Code

Code
Text Encryption
Use this widget to encrypt any text. This type of encryption is used by various YSoft SafeQ 6
tools, the application and settings for securing sensitive information for the system's users.
Canceled Jobs by System Restart
Use this widget to find all jobs that were canceled by a system restart. All jobs may be re-queued
or canceled.

Find automatically canceled jobs Find all jobs that were canceled during a YSoft SafeQ 6 restart
YES Re-queue all found jobs
NO (cancel the jobs) Cancel all found jobs
Welcome to YSoft SafeQ
This widget covers the basic YSoft SafeQ 6 setup before first system use. Uncompleted tasks
are marked red.
Company Basic settings with information about the company that uses this YSoft SafeQ
information Server. This section is available only when the Management report feature is licensed
and enabled
Email settings Basic email notification settings may be set up here
Regional Basic regional settings may be set up here (including currency and VAT)
settings
Users, cost Basic operations with users, cost centers and roles
centers and
roles
Devices Basic operations with devices

YSoft Payment Basic configuration of the YSoft Payment System integration

System
Print job parser Basic settings of the print job parser (see Print Job Parser Configuration for more
information about this section)
System is ready Basic system ready check
A description of the Welcome to YSoft SafeQ widget can be found here: Widgets - Welcome to
YSoft SafeQ
My Links
Through this widget, a user may add custom hyperlinks to other web pages or applications.
Add Add a new link to my widget

Web page
FTP
Email
Other
Edit Edit existing links
Database Integrity
This widget displays the database integrity.

Last update The last time an update was performed
Next update The specific time when the next update will be performed
Support Information
Support information can be accessed from the YSoft SafeQ version widget and the YSoft SafeQ
version widget > Support information.
Custom support information can be added to this page by editing the value of the
customSupportInformation configuration property in System settings.

System Information
The System information tab contains up-to-date detailed information about the YSoft SafeQ 6
installation.

List of system information
Version Information about the version of YSoft SafeQ
Components This section contains information about each system component – its current
version and installation date and its update history
The information is parsed from the SAFEQ_DIR/conf/version.conf file that is
managed by the YSoft SafeQ installer package
License Information about the YSoft SafeQ license
SLA Information about the purchased SLA
Licensed Information about the licensed features, expiration status and validity
features
Licensed items Information about licensed items, the amount of licenses and currently used licensed
items
System Information about the operating system, disk space and the YSoft SafeQ installation
directory
Database Information about the YSoft SafeQ database
Cluster Information about the YSoft SafeQ cluster
Services Information about the YSoft SafeQ service status
Devices Information about devices, terminals, drivers and queues
Devices groups Information about devices groups
JVM settings Information about JAVA memory, etc.
Support information download
Information for customer support can be downloaded by clicking button Download support
information. The downloaded zip file contains Management configuration files and a file with
system information.
About information
The About information tab contains information about the product support.
Custom product support information can be added to this page by editing the value of the
productSupportInformation configuration property in System settings.
5.9.1.4 Management Interface - Reports
On the Reports tab, the following functions can be accessed:

Job list – A list and audit log of all print, 3D print, copy, and scan jobs tracked by YSoft SafeQ
(see Job list).
Web reports – A centralized interface for accessing cost and usage reports (see Web Reports
).
Management reports – A centralized interface for management level reports (see Management
Reports).
Scheduled reports – Schedule regular exports of reports to file or email (see Scheduled
Reports).
Terminal accesses – An audit log of all access attempts from YSoft SafeQ Embedded
Terminals (see Terminal Access).
Counter reports
YSoft SafeQ can be configured to monitor counters (also known as page meters) from the
devices. The reports are then available in Management interface.
Counter reports page offers two types of reports, source data are held in the warehouse
database:
First and last readout
Daily readout
It is possible to see the history of each device and also to filter multiple devices (by Spooler
Controller group and by selecting a date period).
You can export current report to file by using one of the export action located in page's Actions
menu. Available formats are: HTML, XML, XLSX, CSV and PDF.
Generally, there is only one record per day in the database for every device unless there was
some change of the setting for the device accounting. In such case, a new record is created
for the day in database and those new records are marked with a warning icon.
You can hover over the warning icon to see changes summary or use History link to see more
detailed information about these changes.

Configuration
There are two parts that need to be configured for gathering counter readouts.
Device configuration
In order to gather the information from the device, it is necessary to have an Accounting Driver
assigned to the device. You can verify that it works with the "Test the selected tracking
mechanism" button and if the configuration is correct, this button will open a dialog with the
current readouts from the device. Also you will be able to reset the values stored in database to
the current readout.
Periodical retrieval
YSoft SafeQ will gather periodically readouts from the devices that have an Accounting Driver
assigned. The automatic retrieval is configured by default, but it is possible to change the
configuration through the System settings in Management Web Interface:
Property Defa Description

ult
value
checkmanager- Enabl Allows the periodical retrieval of the device counter readouts.
enabled ed
device-monitor- 60 Interval to execute procedure reading counters from devices without

no-terminals- minu terminals
check-interval tes In this interval the printer/MFP check is launched. If the last known device
counters are older than value defined in device-monitor-no-terminals-interval
(see below) parameter, device is checked and its SNMP counters are read
and updated in YSoft SafeQ database.
Value is in minutes.
device-monitor- 1440 Maximum age of device counters stored in YSoft SafeQ database before
no-terminals- minu they are refreshed - applied for devices without terminals.
interval tes See device-monitor-no-terminals-check-interval for an explanation of usage.
Value is set in minutes, default value represents 1 day.

Property Defa Description
ult
value
device-monitor- 60 Interval to execute procedure reading counters from devices with terminals
terminals-check- minu In this interval the printer/MFP check is launched. If the last known device
interval tes counters are older than value defined in device-monitor-terminals-interval
(see below) parameter, device is checked and its SNMP counters are read
and updated in YSoft SafeQ database.
Value is in minutes.
device-monitor- 1440 Maximum age of device counters stored in YSoft SafeQ database before
terminals-interval minu they are refreshed - applied for devices with terminals.
tes See device-monitor-terminals-check-interval for an explanation of usage.
Value is set in minutes, default value represents 1 day.
First and last readout report
This report displays the readout differences for a given period. Each device row will contain:
Counter information about the first readout in the period.
Counter information about the last readout in the period.
The difference between them both (written in bold font).
The exact times of the readouts can be found in Readout date column (there are dates for both
first and last readouts).
The report is sorted by device name and it shows one record per each monitored device in the
selected period.
Daily readout report
This report displays all the readouts for each device in a given period sorted by device name and
readout date.

Device history
This report displays all the readouts for a given device stored in the main database.
It also contains information about the accounting setting changes and if the counter values were
reset from the device configuration.
YSoft SafeQ keeps counters in the main database only for a given period of time. This period
is configured in Management interface (30 days by default)

Data Mart Mode
Overview
YSoft SafeQ 6 Data Mart Mode (DMM) is a function for collecting and transforming print-related
data to make it available for further online analytical processing (OLAP) and data mining
functionality for business intelligence applications. From a high-level perspective, it can be divided
into three layers:
Data source
Data mart
Data presentation
With the support of multitenancy, each tenant database scheme represents a standalone data
source. These data sources are transformed into a tenant's data marts – a tenant's warehousing
data. A data mart is a collection of all a tenant's data marts.
Data mart
Data mart is taking care of already transformed data from a data source that will be used for
further presentation. Data in a data mart is referenced as statistics. There are two different
types of statistics storage. The first is designed for Web Reports presentation and d ata is
referenced as web reports. The second is designed for business intelligence (BI) engines and data
is referenced as SQL API.
Developer note

Each tenant's data mart has its own, specific credentials (the tenant_warehouses table in the
cluster_mngmt schema).
Data presentation
Covers various means of presenting and visualizing the generated statistics.
Built in Management Service Web Reports with predefined filters.
External reporting system connected to data mart via SQL API (e.g., Power BI).
External data warehouses connected to data mart via SQL API.
Data Life-cycle
Statistics are computed either in regular intervals or explicitly on a user's demand (see the Action
option in the Web Reports section). The basic sources for the statistics are accounted jobs
placed in the tenant schema.
Developer note
In the case of a multi-node Management service deployment, only one statistics recalculation is
executed at a time.
The ETL (extract, transform, load) process that computes statistics is placed in the database. In a
high-level overview, the computation steps of ETL are as follows:
1. Compute statistics:
a. Web reports
b. Management reports
c. Counter reports
d. Generate data mart data (SQL_API dimensions and measurements)
2. Delete old statistics based on the configuration
Configuration
Statistics computation is done every hour (configurable using the

smallStatisticsRecalculationSyncJobCronRule property ) – this is so-called "small statistics" . In
addition, every day at 1:00 AM (configurable using the
fullStatisticsRecalculationSyncJobCronRule property) the "full statistics" computation is
executed, which also removes expired jobs.
Developer note
By default, data mart statistics computation is turned off.

For enabling data mart statistics computation, use the configuration property enableCMLDataMart
. Similarly, use the web-stats-enable property for web reports, enableManagementReport for
management reports and enable-purge_reports for Green reports.
Use the following properties to fine-tune statistics data retention:
maxStatsMonthsBase – The maximum number of months for which web reports and counter
reports data are stored. The default value is 36.
maxStatsDaysFull – The maximum number of days for which unaggregated web reports are
kept. The default value is 31.
maximumCMLDataMartMonths – The maximum number of months for which the data mart
measurements are kept. The default value is 36.
remove-jobs-from-db – The maximum number of days after which the print jobs' metadata will
be removed (along with the jobs log and jobs accounting metadata). The default value is 31.
printJobAgeForStats – The m inimum age of print jobs to include in web reports and data
mart statistics for the Management Service cluster environment, in minutes. If the value is
higher than 120 or lower than 10, it will default to 20.
Data Mart in Detail
The YSoft SafeQ data mart uses the star schema described in the next section, SQL API model
description. That means each dimension table is directly connected to a fact table (measurement
table). It is located in the main SQDB6 database in the dwhtenant_%i% schema where the %i% is
replaced with the tenant scheme sequence number. All tables in the data mart are prefixed with
the "dm_v2_" keyword, where v2 means api version number 2. This allows for easy filtering in the
analytics software.
Developer note
In a single-tenant environment, the database schema's name is dwhtenant_1.
Fact tables in the YSoft SafeQ data mart are suffixed with the "_measures" keyword. Fact tables
contain the main data to be analyzed with the cube analytic software. Dimension tables in the
YSoft SafeQ data mart are suffixed with the "_dimension" keyword. Dimension tables contain data
to be used as axes of the cube or to filter by. A description of all the fact and dimension tables is
in the next section.
Interconnection of measurement tables with dimension tables is done through foreign key
references. Data in the dimension tables is referenced by its primary key ID field from the fact
tables. Columns in the fact table that reference a row in the dimension table are suffixed with the
"_dimension_id" keyword.
Dimension table naming and references to dimension tables

Having a dimension table devices, the table would be named dm_v2_device_dimension and the
reference to a device from a fact table is made via the column with name device_dimension_id
in the fact table. There is also a foreign constraint present on this column in the fact table
that points to the ID column of the dm_v2_device_dimension table.
This interconnection of fact tables with dimension tables through foreign key constraints allows
the analytical software (like Power BI) to automatically build the structure of the data mart. This
way, the user of the SQL API does not have to interconnect the tables manually.
Entities
There are three fact tables in the YSoft SafeQ data mart, all of which use several dimension
tables. Some dimension tables are not active at the moment so they contain only one row with
an UNKNOWN value and every row in the fact table references this UNKNOWN value.
Fact tables
Fact Table Name Description State
dm_v2_print_acco This fact table contains accounting information about jobs. populated
unting_measures One job can have multiple items of accounting information.
dm_v2_print_job_m This fact table contains details about jobs (date of printing, populated
easures page count, sheet count, device used for printing, etc.).
dm_v2_counter_re This fact table contains counter reports of all devices (one populated
porting_measures record per device and counter type per day).
Measurement tables
Measurement Description State

Table Name
dm_v2_accid_dime Device counters indicate the total number of pages printed populated
nsion on a given device, e.g. A4BW. (see Counter reports for more
information about counters)
dm_v2_billing_code Billing codes are selected when printing job on an MFP to populated
_dimension group print jobs into projects. (see Management Interface -
Billing)
dm_v2_color_cover Degree of color coverage (for custom-defined color levels populated

age_dimension based on rendered page images, e.g. ,<5%, 5-25%, 25-50%, 50-
75%, >75%).
dm_v2_color_type_ Type of color output [B&W, full color, Xerox 3-tier acctg levels, populated
dimension ...].
dm_v2_cost_cente A list of Accounting Cost Centers that are used. (see Managin populated
r_dimension g Cost Centers)
dm_v2_datetime_di Date and time (with at least a seconds granularity) to filter populated
mension by.

Table Name
dm_v2_device_dim A list of devices (dimensions representing various device populated

ension attributes – name, cost center, location, device group, SPOC
Group...). (see Management Interface - Devices)
dm_v2_entitlement Entitlement type applied (none/quota/money). unused

_type_dimension
dm_v2_fax_recipie Fax recipient [email, fax number, ...]. populated

nt_dimension
dm_v2_fax_type_di Fax type [ip, internet, telephone, ...]. populated

mension
dm_v2_filament_ty Filament type used for printing (ABS, PLA, HIPS, PVA). unused
pe_dimension
dm_v2_file_type_di File type printed. populated

mension
dm_v2_finishing_ty Finishing type [none, stapling (corner, margin), hole punching, unused
pe_dimension folding (half, Z, U), booklet, glue binding...].
dm_v2_ink_color_di Ink color (for plotters). unused

mension
dm_v2_media_type Media type (plain paper, thick paper, transparency...). unused

_dimension
dm_v2_operation_t Type of operation [print, copy, scan, fax send, fax receive, populated
ype_dimension savings, 3D print].
dm_v2_paper_form Paper format (A5, A4, A3, Letter, Legal, Tabloid, Continuous...). unused
at_dimension
dm_v2_print_acco M-N table for tag_dimension and print_accounting_measures populated

unting_tag_junctio mapping.
n
dm_v2_queue_nam Specific queue name a job was sent to. populated

e_dimension
dm_v2_queue_typ Type of queue a job was sent to [secure/direct/shared]. populated

e_dimension
dm_v2_rbe_action Applied RBE action(s) forcing some printing behavior (force unused
_dimension B&W, force duplex, force simplex, redirect, combinations). (See
Defining a Rule in Rule-Based Engine)
dm_v2_savings_di Savings cause [purge, force duplex, force B&W, redirect]. populated
mension

Table Name
dm_v2_sided_print What sides of paper were printed to [Simplex/duple]. populated

_dimension
dm_v2_source_app Applications from which print jobs are sent. unused

lication_dimension
dm_v2_tag_dimens Tags/Label (both system and user tags... e.g., a report on the populated
ion volume of mobile vs. non-mobile prints).
dm_v2_topology_di Topology (originating computer, spooling computer, SPOC unused

mension Group).
dm_v2_user_dimen List of users (dimensions representing various user attributes populated

sion – name, username, cost center...). (See Managing Users)
dm_v2_workflow_d Workflows for scanning. This table contains the workflow unused
imension name and the workflow connector name. (See Workflow
Basics)
SQL API Model Description
SQL API is a database model of a data mart that enables developers to access reporting data in
the data mart using SQL.
The data mart entity relationship diagram (ERD) is depicted below. Details are available in an SQL
API whole model which is part of the reporting package in the <installation
package>\Complementary Solutions path of the full installation package. The whole model
is divided into two well-arranged parts.
Accounting measure group
In the accounting measure group, there are places' measures and dimensions related with job
accounting, like pages count, price, filament usage, ...
Details are available in an SQL API accounting model file.

Job measure group
In the job measure group, there are places' measures and dimensions related with a job, like job
size, jobs count, ...
Details are available in an SQL API job model.

Counter reporting group
In the counter reporting group, there are places' measures and dimensions related with a counter
readouts, like date time representing counter reports for given day, read time of counter readout,
counter version for device and increment of the counters....
Details are available in an SQL API counter model.

Where to go next
How to connect to Data Mart
Job list
The Job list enables a user to view and manage YSoft SafeQ print, 3D print, copy, fax and scan
jobs.
Displaying the Job list
The Job list page provides an overview of print, 3D print, copy, fax and scan jobs in the system.
To view the job list, select Reports > Job list.
The Job list page includes default filters, action and view buttons, and the list of jobs.

Some country legislation (i.e. German) require that nobody, not even an administrator, is able
to see personal details (even a job name) in various systems.
To achieve the desired behavior, set the following System configuration options per tenant to
these values:
showJobTitle: Disabled
show-job-user: Disabled
printJobAccessSafeMode (previously known as smartQ-safe-mode in SQ4/5, property was

set as Internal in YSoft SafeQ 6 before the epic implementation): Enabled
Additionally value of property "web.databaseEditor.enabled" must be set to false in the

configuration file c:/SafeQ6/management/conf/safeq.properties:
web.databaseEditor.enabled = false
Filtering the Job list

Default job list filters
Use the default filter options to display only specific jobs:
Date from – exact time, in 24-hour format
Date to – exact time, in 24-hour format
Device group – filter by device group
When the Device group filter is set to any SPOC server, an informative label about job
synchronization is displayed.
User/cost center – filter by user/cost center
Device – filter by device
Queue – filter by queue name
Advanced job list filter

To filter jobs according to more job properties, click on Advanced .
Select job status filters as follows:
Job status filter Description
All jobs/2D/3D Select to include 3D printing to your job list results
Printing The job is being sent to the printer or is being printed. View detailed information
about the job process. Typically, the job is sending data, waiting for the print to
start, waiting for the print to be completed, or waiting for accounting
Pending The job is ready to be delivered to a printer. The job will be printed when previous
jobs have been printed or it will wait for another printer to change to the "ready"
status
Accepted The job was accepted by the spooler and has been added to the secured queue and
is waiting for the secure release
Printed The job was successfully delivered to the printer and accounted for
Local Print The print job is registered via local monitoring
Scan A registered and accounted for scanned document
Copied A registered and accounted for copy
ReQueued The job was queued for printing again
Cancelled The job was cancelled by the user (for example, the user selected "delete" at the
terminal)
Cancelled at The job was cancelled during server restart

start
Rejected The job was denied due to insufficient credit or rights
Printer error The printer is not receiving jobs or an error occurred during printing that YSoft SafeQ
cannot resolve. In most cases, the exact reason for the error is provided
Spooler error A server spooler error (for instance, connection to the database failed or the job
could not be read from the hard drive)
Security The spooler detected an unauthorized job modification

violation
Deleted The job was deleted from the spooler and cannot be restored or worked with
The job is part of a batch print

Job status filter Description
Batch
accounting
Non-SafeQ copy/print – YSoft SafeQ detected a print job that is not part of the YSoft SafeQ
system. The YSoft SafeQ system files such an event, marks it, and accounts for it. (A non-SafeQ
copy/print should not happen, but because of the complexity of certain printing environments, it
does occasionally occur.)
Outgoing fax - A registered and accounted for outgoing fax job
Incoming fax - A registered and accounted for outgoing fax job
Printed incoming fax - A registered and accounted for outgoing fax job that was printed
Fax errors - A failed incoming or outgoing fax job
Views
To use different Job list view options, click on Views and select the desired view.
My jobs – Only jobs of the authorized user
Job list – The entire Job list
To be printed – Only jobs waiting to be printed
Favorites – Only Favorite jobs
Unidentified owner – Only jobs not belonging to any user in the system
To work with selected jobs, check the checkbox next to the job and then click on and select the
desired option.

Main actions are also available for each job directly in job list lines.
Working with Selected Jobs in Job List
After selecting a job or multiple jobs, click the required action from Actions list or buttons in the
job list line.
Name Availability Description
Detail Always Display detailed information about the job
Re- Only if job is not deleted and is not currently Re-queue the job to print if the print failed or
queue being printed. Not supported for 3D jobs and the job has already been printed
fax jobs
Previe Only if the Preview feature is enabled, printing Preview the job
w parser is installed and enabled, and job has
not been deleted
Assign Only if job is not assigned to any user in Assign jobs that have an unidentified owner
to system to a new or existing userAll current and future
user jobs from the unidentified owner will now be
assigned to the selected user
Delete Only if the job is queued to be printed in a Remove the job from the queue and cancel its
direct queue planned print operation
Check Only if the job is not a fax job, deleted job or Check the box to mark jobs for bulk action.
box copy job Available actions are located in the top right
Action menu
Displaying Detailed Information about a Print Job
In the Job list, click on an icon or double click on the table record (row) to display job info.

Basic
Job name Name of the print job - name of the job is not visible if configuration
property showJobTitle is disabled
Owner Information about the job's owner - information is not visible if

configuration property show-job-user is disabled
Favorite If a job is marked as favorite (yes) or is not marked as favorite (no)
Billing code Name and description of assigned billing code
Fax type Type of the fax job (e.g. sent via telephone line, sent via internet , sent to
the device's IP address, etc. only for fax jobs)
Fax recipient Recipient of the internet fax (only for outgoing internet fax jobs)
Pages
Type Information about duplex prints (this data is collected only if the internal
parser is enabled)
Number of pages (normal) Number of normal (A5/A4/letter) pages (this data is collected only if the
internal parser is enabled)
Number of pages (large) Number of large (A3/legal/tabloid) pages (this data is collected only if the
internal parser is enabled)
Average coverage

Average coverage percentage (this data is collected only if the internal

parser is enabled)
Status
Current status Current job status
Last state change Last date and time time that status changed
Note Provides additional information about the job
Job reception
Assigned to queue Name of the assigned print queue
Spooler Controller group Name of the Spooler Controller group which accepted the job
Spooler Controller Name of the Spooler Controller which accepted the job
Spooler Controller network IP address of the Spooler Controller which accepted the job
address
Spooler Controller GUID Unique identifier of the Spooler Controller which accepted the job
Spooler GUID Unique identifier of the FlexiSpooler which accepted the job
Management Server Unique identifier and IP address of the Management Service which
accepted the job
Sender Contains the sender's IP address (if the sender's machine is not the same
as the one FlexiSpooler runs on), otherwise contains FlexiSpooler
machine's NetBIOS name. Also contains the sender's username and the
date and time the job was accepted by the receiving FlexiSpooler.
Tags
Allowed system tags Enabled system tags for the job
Denied system tags Disabled system tags for the job
Allowed user tags Enabled user tags for the job
Denied user tags Disabled user tags for the job
Advanced
File Name of the job file stored on the spooler
File size Size of the file on the spooler
Job ID Generic and unique ID number of the job in the database
Job History Displays history of operation with the job
Preview Displays job preview as seen on terminal

Tools in detailed job list
In the Job list, find the job and click on icon or double click on the name of the job.
Re-queue
Select the target queue from the list Select a print queue from the list of available queues
Type the name of target queue manually Type the name of the target print queue
Re-queue Perform action re-queue according to options selected

above
Change job Owner
This tool changes the owner of the job by selecting another user from the list.
Favorite
This tool marks and unmarks job as favorites.

Assign
Assign jobs that have an unidentified owner to a new or existing user. All current and future jobs
from the unidentified owner will now be assigned to the selected user.

Management Reports
Management reports provide a convenient way of disclosing information about the YSoft SafeQ
environment via reports for an entire company, departments, devices and users. Management
reports provide an enhanced overview about the print environment, based on data collected by
YSoft SafeQ 6.
Accessing Management Reports
Management reports are accessible via YSoft SafeQ Management interface > Reports >
Management reports.
If the page is unavailable, please check the following system settings (System > System settings
), and configure:
web-stats-enable = enable
enableManagementReport = enable
For a clustered YSoft SafeQ 6 deployment, Web reports are shown only at the master node.
Some countries have legislation (e.g., German) that requires no one, not even an administrator,
be able to see personal details (including the job name) in various systems.
To achieve the desired behavior, set the following System configuration options per tenant to
these values:
The report Users and Top 5 users will not be visible both on the web and in the exported
report.
See the Job list documentation for additional information about anonymous data in other
parts of the system.
Configuring Management Reports
The only prerequisite for management reports is the configuration of the company name and
fiscal year start. This is easily configured via the YSoft SafeQ Management interface >
Dashboard > Welcome to YSoft SafeQ widget.

Configuration is also accessible via System > System settings:
firstMonthOfFiscalYear
companyName
Report Views
Management reports provide several different overviews. By clicking the Views option in the top-
right-hand corner, company, department, device and user-focused views can be accessed.
Company overview
Company overview displays information for all departments, users and devices. Records in the
Top five departments, Top five users and Most used devices are sorted according to spending
(Price).

Department overview
With department overview, information about one particular department, listing all users and
devices that belong there, can be displayed. Records in the Top five users and Most used devices
are sorted according to spending (Price).
Device overview

Device overview displays reports for devices within the entire company (note: only devices
connected to YSoft SafeQ are displayed). Records are shown based on total spending (Total
price).
User overview
The last view shows records for all users across the company. Records are shown based on total
spending (Total price).

Configuring the Report Time Frame
Each view and data export allows the configuration of the whole fiscal year, quarter or month. To
select the desired time frame, click the Year drop-down menu and select the appropriate fiscal
year. In the left-hand-side menu bar, choose the entire year, one of the four quarters or one of the
twelve months.
Unless data is available for a particular year, the year will not be listed in the drop-down menu.
Exporting a Report
All of the available data can be exported into a single consolidated document. Reports are
generated for one month, however, it also includes a year, current quarter and selected month
overview.
Export options are available from the Actions menu, both on-demand and scheduled.
Export report to file
By selecting the desired period, an on-demand export can be generated.

Scheduled reports export
Based on a predefined schedule (every first day of the new month), reports can be received to
selected email addresses.
Data Included in the Report
The following print job types are included in the reports:
Black and white print normal
Black and white print large
Black and white copy normal
Black and white copy large
Black and white local print normal
Color print normal
Color print large
Color copy normal
Color copy large
Color local print normal
Mono color print normal
Mono color copy normal
NOTE: Paper size information: Large format includes A3/legal/tabloid and larger. Normal format
includes A4/A5/letter and smaller.

Scheduled Reports
About
This section describes how to schedule a report export that sends the report as an email
attachment or generates a file. The look of the user interface may differ based on currently
selected values and licensed features.
Both email and file web reports can be accessed from the Scheduled reports section. Additionally
it is also possible to schedule Counter reports.
Working with Scheduled Reports
An administrator can create a new automatic report with the button Schedule new report and
choosing the report type.
An Administrator can modify and delete existing scheduled report by using the icons in the
Scheduled reports overview.

Creating New Automatic Web Report to Email
Configuration:
Name – A name for the new automatic report
Interval – Interval that determines how often and for what period the report will be exported:
Previous day – The report will be created daily. The report will include data for the previous
day
Previous 7 days – The report will be created weekly. The report will include data for the
previous 7 days
Calendar month – The report will be created monthly at a selected day of the month. The
report will include data starting from the selected day of the previous month until (but not
including) the same day of the current month
Monthly – The report will be created monthly at a selected day of the month. The report
will include data from the first to the last day (inclusive) of the previous month
Day of month – The day of month when the report will be generated. This field is available only
for the monthly and calendar month intervals
Send time – The time of day when the report will be exported
Export type – Format of the report. Supported formats are CSV, HTML, PDF, XLSX, and XML
Email addresses – A list of recipients who should receive the report

Selected filters – A list of saved web report filters used to generate the report. The email will
contain reports for all filters selected. The filters determine the report structure (fields,
grouping etc.)
The Save settings button saves and activates the new automatic email web report.
Creating New Automatic Web Report to File
Configuration:
Name – A name for the new automatic report
Interval – Interval that determines how often and for what period the report will be exported:
Previous day – The report will be created daily. The report will include data for the previous
day
Previous 7 days – The report will be created weekly. The report will include data for the
previous 7 days
Calendar month – The report will be created monthly at a selected day of the month. The
report will include data starting from the selected day of the previous month until (but not
including) the same day of the current month
Monthly – The report will be created monthly at a selected day of the month. The report
will include data from the first to the last day (inclusive) of the previous month
Day of month – The day of month when the report will be generated. This field is available only
for monthly and calendar month intervals
Send time – The time of day when the report will be exported

Export type – Format of the report. Supported formats are CSV, HTML, PDF, XLSX, and XML
Relative file path – Path to a sub-folder inside root directory where the report will be saved
File name – File name prefix for the report. The full file name is constructed based on the
prefix, interval, export type, and the Overwrite file switch
Overwrite file – If enabled, the report is always saved into the same file, possibly overwriting
the previous report. If disabled, a time stamp is added into the file name so that older reports
are not overwritten
Filter – Saved web report filter used to generate the report. The filter determines the report
structure (fields, grouping etc.)
The Save settings button saves and activates the new automatic file web report.
Creating New Automatic Counter Report to Email
Configuration:
Name – A name of the new automatic report
Format – Format of the report. Supported formats are CSV, HTML, PDF, XLSX, and XML
Sending interval – Interval that determines how often and for what period the report will be
exported:
Previous week - The report will be created weekly. The report will include data for the
previous whole week and will be sent first day of the next week right after midnight. The
first day of the week is determined based on the server locale.
Previous month- The report will be created monthly. The report will include data for the
previous whole month and will be sent first day of the next month right after midnight
Report type - The type of the report. Supported values are first and last readout and daily
readout

Spooler Controller group - Limits the report to a particular optional Spooler Controller group
Recipients - The list of email addresses where report should be sent
The Save changes button saves and activates the new automatic report.
Terminal Access
About
On the Terminal access page, all terminal access attempts can be viewed. On this page,
unknown terminals to devices can be assigned and unknown cards and PINs can be assigned to
users.
Displaying and Using the Terminal Access Page
In the YSoft SafeQ Management interface, select Reports > Terminal access.
The Terminal access page displays information about all attempts that were made to access
terminals in YSoft SafeQ.
The page shows the current filters used for the information displayed on the page, the status of
access attempts, Action and View buttons, and a detailed list of access attempts.
The list of access attempts includes the following Information:
SN / name: The terminal's serial number/name
IP: The terminal's IP

Type: Type of terminal: LITE (embedded, Professional, UltraLight)
Firmware: Version of firmware the terminal is currently using
User: Name, surname, and login of an authorized user
Card / PIN: Validation method: PIN or card number (expand PIN... to see the complete number)
Date: Date and time of the access attempt. Note, the time displays according to the time zone
of the Management Server for cases it differs from the time zone of the Site Server
Duration: Length of the user's session at the terminal (how long they were logged in for)
Status: The result of the access attempt
Device: Name of the device for which the terminal is connected
Filtering Information to Display on the Terminal Access Page
The following filters can be used to display only the information needed:
Report period – The date picker component that can be used to specify one of the predefined
date periods or choose a custom range
Spooler Controller group – The group of Spooler Controllers handling the terminal access
Device – The device attached to the terminal (or where the terminal is installed)
User – The user who accessed the terminal
State – The status of the access attempt
Origin - The origin of the access attempt (the type of terminal)
Network address – The terminal's network address
Firmware version – Version of firmware used by the terminal
Understanding the Terminal Access Attempt's Status Information
Success – Access attempts that were successful
Terminal was not configured – Incorrectly configured terminals
Wrong credentials – Access attempts in which the user typed an incorrect PIN or used an
unknown card. (You can assign unknown PINs and cards to users directly from the Terminal
access page.)
Device was locked – Access attempts that were blocked because the device was locked by
the actions of a previous user
Device was not ready – Access attempts when the device was offline
Network problem – Access attempts when the terminal was unable to connect to YSoft
SafeQ 6

Insufficient permission – Access attempts made by users who did not have permission to use
the device (users are disabled in YSoft Payment System or they have insufficient funds)
Rejected by rule - Access attempts rejected by one of the rules defined by the Rules-Based
Engine
Other error – Any other type of access attempt
Assigning Terminals to Devices and Unknown Cards or PINs to Users
If the status indicates that the user entered an incorrect password:
Create a new user and assign the PIN or card to that new user
or
Assign the PIN or card number to an existing user
If the status indicates that the terminal is incorrectly configured:
Create a new device and assign the unregistered terminal to it

or
Add the terminal to an existing device
Action Description
Assigning a terminal to a new Click the icon. The Add device page opens with the terminal's serial
device number automatically entered on the Terminal tab. Enter the rest of
the information required, then save the device.
Assigning a terminal to an Click the icon. In the list of devices that appears, select a device that
existing device does not already have a terminal (hardware or embedded) assigned.
Save the changes.
Assigning a card/PIN to a new Click the icon. The Add user page opens. Enter the required
user information, then save the user. When the user is saved, prompts will
indicate to continue with user edit or assign a user to the card. Click
Yes to assign the card.
Assigning a card/PIN to an Click the icon. In the list of users that appears, select a user. The Edit
existing user user page opens. Save the changes.
Web Reports
Overview
This page describes the Web reports page, which is a central interface for accessing and
managing Usage and Costs reports and Green reports.

Web reports consist of two kinds of statistical data: basic statistics and detailed statistics.
Detailed statistics contain details about each individual job accounted by YSoft SafeQ 6. Basic
statistics are created from detailed statistics by grouping similar jobs by one-hour intervals. Basic
statistics preserve key dimensions (print/copy/scan, username, cost center, device, and billing
codes) but drop job-specific ones (job title, job origin, exact time).
Legislation in some countries (e.g., Germany) require that no one, not even an administrator, is
able to see personal details (including job name) in various systems.
To achieve the desired behavior, set the following system configuration options per tenant to
these values:
showJobTitle: Disabled
The report Per user and any report that contains the columns User - ID, User - login, User -
name and Job title will not be available. Additionally, the Limit to users section of the Advanced
filter (both in Standard and Weekly averages reports) will not be available.
See Job list documentation for additional information about anonymous data in other parts of
the system.
Displaying the Web Reports Page
To display the Web reports page:
1. Log into the YSoft SafeQ Management interface with sufficient rights to administrate
printers (e.g. as an "admin")
2. Go to Reports > Web reports

Selecting a Report to View
On the Web reports page, use the filters to select the desired report to view.
Type of report – Standard or weekly averages. Standard reports display summary data
grouped by selected columns while Weekly averages display averages for each hour of the
day in the selected period
Report – Standard, per device, per device cost center, per device group etc.
Report period – Start and end date of the report
Selecting Specific Information to Include in the Report
Click Show advanced filter (located on the right-hand side of the filter panel).
The Advanced filters provide many options to limit the information to be included in the selected
report:
Limits (filters)
Limit to users – Include only data for the selected users
Limit to user cost centers – Include only data for the selected users' cost centers
Limit to device cost centers – Include only data for the selected devices' cost centers
Limit to device – Include only data for the selected devices
Limit to device group – Include only data for the selected group of devices
Limit to billing code – Include only data for the selected billing codes
The maximum number of entities that can be used in the filter of each type (users, devices,
etc.) is 50. This value can be set in the global system settings option called smartQ-max-items
. Previously, its default value was set to 25. In new installations since YSoft SafeQ 6 MU8, the
property default value is set directly to the maximum 50. For installations made prior to MU8
(even when they are updated to a newer version), the value must be increased manually.

Columns
To specify which columns will be visible in the generated report, click the green Add column
button and then choose the column name from the list to add it into the Columns included in
report section.
Green reports enable four columns with the prefix Costs that show the printing impact on the
environment:
Costs – CO2 [kg]

Costs – energy [kWh]
Costs – trees
Costs – water [l]
A more detailed guide for configuring and using Green reports is described in the article "Green
reporting - Purged Pages".
ABS [mm] and PLA [mm] counters relate to 3D printing. They are used to report how much of
the aforementioned material was used during the reporting period. The value of these
counters is reported in millimeters of used material length.
Please note that Average coverage information is available only for jobs accounted for using
Coverage accounting.
Counters
Use the check boxes next to the accounting counters to include counters in the report or to
exclude them from the report.
The report will also include a counters overview. To change the order of counters in this
overview, use the associated arrow icons.
Purge print counters show the number of pages that were sent to YSoft SafeQ 6 but were
not printed (deleted at the terminal, on the YSoft SafeQ Management interface or
automatically by the system).
Counters in italics are summary counters that display the sum of several other counters. For
example, the B/W pages counter represents the sum of all counters for specific types of black
and white pages (print, copy, both page sizes).

Displaying and Working with a Report
After a predefined report or a customized report using filter options is selected, Search to display
the report.
At the top of the report, counter types: Total, B/W print, B/W copy, Color pages and so on is
shown. To display only selected counter types, click the desired counter types. For example, to
display only B/W prints, click B/W print.
The reports will display:
A bar, line or pie graph (if hidden, click the graph icon in the top left-hand corner of the report)
A general report for the selected time interval
A report according to advanced filter settings (depending on the length, the report can be
broken down into multiple pages – use pager arrows in the bottom right-hand corner of the
page to move between pages)
Action Options
To display Action options, click the Actions button. The following options appear:
Include latest processed data – The report will be calculated to include the latest processed
data (data that has been saved in the database for more than one hour but has not been
added to the report by the hourly executed statistics generator task). Include latest
processed data works correctly only with a correctly configured PostgreSQL timezone
Recalculate statistics – The report will be recalculated to include the latest processed data
(last month data in reports will be deleted and will be included in reports again)
Delete current custom filter – Delete the current customized filter (if you have selected filter
options)
Export report to... – Selecting one of the four options exports the displayed report to a file
with a selected extension. Choose between Microsoft Excel (CSV or XLSX), PDF, HTML or an
XML file.
Exporting web reports may be limited if the number of report rows to be exported exceeds the
expert configuration property Export report maximum row count threshold value. By default,
this feature is disabled.
Saving the Changes You Made as a New Customized Report
To save all the changes made on the Web reports page (visible columns, the order of columns
and other changes), click Save changes, then enter a name for the new customized report. YSoft
SafeQ 6 saves the report and it will be available directly from the Report filter drop-down menu
the next time it is needed.

5.9.1.5 Management Interface - Devices
Overview
The devices section covers all activities related to the management of devices in YSoft SafeQ:
Printers – devices and device groups
Spooler Controller groups – Spooler Controller groups and Spooler Controllers
Shared queues – management of shared queues and assignment of a shared queue to a

specific user
User tags – creation of specific user tags to be considered by the Rule-based Engine
Printer templates – creation of templates to make mass installations easier
Hardware – basic overview of YSoft SafeQ Terminal Pro 4, YSoft SafeQube 2 and YSoft be3D
eDee
Several Topics Related to the Device Management
Adding a Device with YSoft SafeQ Mobile Terminal
Installing YSoft SafeQ Mobile Terminal onto a Device with an Embedded Terminal
Configuring an IPP Backend
Configuring the Back End of LPR
Deleting Devices
Printers
In the Device > Printer section, you can view all devices registered in YSoft SafeQ.
Key features and actions of the Printers page are:
Managing devices in device groups
Creating and managing devices manually and from a template
Reinstalling and uninstalling terminals
Print QR codes for Mobile Terminals
Moving devices among different groups
Showing device sessions (displaying the currently logged users on YSoft SafeQ Terminal
Professional for a selected Spooler Controller group).

You can select if devices will be grouped by Spooler Controller (including grouping by Spooler
Controller and Spooler Controller group), Device group or not grouped at all. The selection is done
by choosing the corresponding option from the Group by menu at the top of the grouping panel.
It is possible to collapse the grouping panel to have more space for the devices. This is the
recommended layout when only a few devices are in use and there is no need for grouping.

The state of the grouping panel is remembered across the user sessions in case there is more
than one device group or Spooler Controller group. Otherwise, the grouping panel will be collapsed.
When more groups of either type are created, the grouping panel expands automatically for the
first time to present all possible grouping options (which are remembered for each authenticated
user as well as the grouping panel state).
Device groups
Device groups help an administrator to group and structure devices according to their needs:
Each device has to be part of a device group
Three levels of device groups are allowed
Device groups are independent of Spooler Controller and Spooler Controller Groups
Mass operations can be performed based on device groups
When creating a new device group, define if the group is part of another group or is at the top
level.

To create a new device, click Add new device or use the second menu of the button to use a
predefined template.
Note: When adding a device that is entitled to use an LD license, tick the checkbox "Use LD
license for this device". Device compatibility with the LD license will be checked via the SNMP
once the device is saved.
Spooler Controller Groups
Spooler Controller groups can be accessed in Devices > Spooler Controller groups.
This page provides an overview and actions for Spooler Controllers and their assignment to a
group.
A Spooler Controller group enables near roaming among particular Spooler Controllers nodes.

To create a new Spooler Controller group, click the Add button and enter the required values:
Name – The unique name of the Spooler Controller group
IP address – The multicast IP address of this Spooler Controller group (print cluster). Multicast
addresses are addresses in the range from 224.0.0.0 to 239.255.255.255. To use one-to-one
TCP connections instead of UDP multicast, use the value 0.0.0.0
Port – The TCP or UDP port of this Spooler Controller group (print cluster)
To configure Spooler Controller group discovery, see Spooler Controller Discovery based on DHCP
Option 9.
To create a new Spooler Controller, click the Add button and enter the required values:
Name – The unique Spooler Controller name
Network address – The IP address or hostname of the Spooler Controller
GUID – The unique identifier of the Spooler Controller. The GUID must be exactly the same as
the GUID defined in the Spooler Controller's configuration file guid.conf (in the property
localGUID). This is the value that was entered during the Spooler Controller's installation

Spooler Controller group – The Spooler Controller group (print cluster) of which the Spooler
Controller is a member. The default value is "Not part of any cluster", which makes the Spooler
Controller a standalone and, as the text states, not part of any print cluster
When creating a new Spooler Controller, assign it to an existing Spooler Controller group.
Shared Queues
Shared queues are secured queues. They enable multiple users to access selected documents (in
accordance with the users' rights). All jobs sent to the shared queue are automatically accessible
to all users with access rights to that queue.

To add a shared queue, follow these steps:
1. Go to Devices > Shared queues and click Add new shared queue.
2. Define the name of the shared queue and save.
3. Select the Shared queue from the list and click Add user to selected queue.
4. Select the desired users or roles to be added to the queue.
User Tags
Device templates can be found in the web interface: Devices > Users tags.

On the Users tags page, click the button, enter the tag name and save it using the Save tag
button.
Tag name correct format: The name must not contain spaces, must be 3-10 characters long,
and can consist of only alphanumeric characters.
Once tags are created, define which of them to allow or disable. Open any existing (or create a
new) device and go to the Tags section.
If the device has an embedded terminal, it must be reinstalled when the system tags are
changed. The device wizard will prompt for a re-installation when the device changes are saved.
Printer Templates
Device templates can be found in the web interface: Devices > Printer templates. On this panel,
a user can manage device templates.

Name The device template name
Unique ID The unique ID of the template generated by the system
Description A device template description
Device group The relation to a specific group of devices
Type The device templates' accounting driver
Spooler Controller group The relation to a specific Spooler Controller group
The definition of a template is the same as when creating a new device without a template. To
create a new device from an existing template, use the menu under the Add device button.
Hardware
In the Devices > Hardware section, all external terminals and SafeQubes deployed in YSoft SafeQ
can be viewed.
Key features and actions of the hardware page are:
Listing and searching each deployed YSoft SafeQ Terminal Pro 4, YSoft be3D eDee and YSoft
SafeQube 2
Displaying basic information about the Terminal – its identifier, network address, connection
status and software update status

Possible software update status values:
Out of date – The device has not received information about the update yet (it may be offline,
configured incorrectly, or the heartbeat interval may be too long)
Pending – An update was scheduled, but it has not started yet
Updating – The update is currently being installed
Failed – The update installation failed
Up to date – The device has the correct software version installed, no updates were
scheduled
Adding a Device with YSoft SafeQ Mobile Terminal
Steps
1. Click the ADD DEVICE button
2. Under Terminal type, select YSoft Mobile.

2.
Configuring and Using Shared Queues
Overview
The following administrative tasks are required before configuring Workgroup print sharing
(Shared Queues).
Initial Deployment
1. Make sure the YSoft SafeQ Management server is currently installed and running.
2. Properly configure Identity management. By default, YSoft SafeQ 6 rejects all prints initiated
by an unknown user (the user who is not in the SafeQ Identity Database).
3. Install and configure YSoft SafeQ terminals.
a. Be sure that every device, where the copy is supposed to be monitored by YSoft
SafeQ 6, is equipped with some type of YSoft SafeQ terminal.
b. Embedded Terminals: device must be properly configured and the terminal must be
deployed to the MFD. Embedded Terminals cannot be installed unless the device is
registered in YSoft SafeQ 6.
4. For network attached printers, (re)configure all workstations or print servers to print via
YSoft SafeQ server (or use Windows print spooler monitoring). YSoft SafeQ Desktop
Interface can be used for configuration of workstations. For a vast majority of the
installations, configured printer ports must point to the YSoft SafeQ server. See Printer
configuration for Workstation and Server for more information.
Configuring Shared Queues via YSoft SafeQ Management Interface
1. Navigate to the Devices > Shared queues and click on ADD SHARED QUEUE button.

2. Fill in Shared queue name.
The name of the shared queue must be unique across the YSoft SafeQ system (secure
queue, device direct queues or other shared queues).
3. The administrator can manage the list of users that can access shared queue's print jobs.
The users are added from the dialog opened after you click on ADD USER TO SELECTED
QUEUE. The desired queue must be selected beforehand. Additionally, the administrator can
remove any user's access to the queue.

Current Behavior
Shared queues currently work only in a manager-secretary scenario (job is always accounted to
the user who sent the job to YSoft SafeQ 6).
1. The manager sends a job to YSoft SafeQ 6.
2. Secretary logs in on a terminal and releases the print job.
3. The job is accounted for on the manager's account.
However, there are limitations for this scenario to work proprely. See further details below in
section Limitations.

Workstation Configuration
1. Configure the workstation as described at printer configuration for workstation and server,
and use the Shared Queue Name created in previous steps.
Limitations
Functionality supported on Konica Minolta devices with YSoft SafeQ Embedded Terminal. Other
vendors may have unknown issues which could be considered as limitations
Batch accounting is not supported with shared queues
VPSX integration is not supported with shared queues
When a secretary does not have access rights for a color job, a manager's color job sent to
the shared queue can not be printed by the secretary
Implementation requires Unlimited access entitlement when the shared queues are used with
the YSoft Payment System or must have a sufficient balance/quota for both the manager and
the secretary. If the secretary does not have Unlimited access entitlement and has depleted
quotas or insufficient balance for the job, the manager's job cannot be printed by the
secretary even though the job would be accounted to the manager's account.
YSoft SafeQ Desktop Interface does not provide the list of available shared queues for the
user. To send a print job to a shared queue, follow Workstation configuration section.

Configuring an IPP Backend
Overview
This page describes how to configure YSoft SafeQ 6 to work with a printer over Internet Printing
Protocol (IPP).
Configuration
1. Log into the YSoft SafeQ management interface with sufficient rights to administer printers
(for example, "admin"). Go to the Devices > Printers > Edit device > Advanced tab.
2. Set Back-end to the IPP value. You also have to define the printer IPP queue and port,
which must be configured the same on the MFD. Press Save Changes to apply these
settings.
Configuring Print Roaming
All Spooler Controller servers in one YSoft SafeQ system have to be in the same time zone
(Java can be set to that time zone).
Overview
Print Roaming is an extension of pull-printing. With pull-printing (also known as secured printing),
after you send a print job to a printer, you later "pull" the job to a printer – that is, you go to a
printer, log in there, and print the job. If Print Roaming is properly configured, you can pick up your
documents sent to YSoft SafeQ Server on every printer across all Spooler Controller groups.
Far Roaming
Far Roaming is (when a valid license is available) used among Spooler Controllers that are not
part of any print cluster group (which is created automatically during installation of YSoft SafeQ
services) or among multiple Spooler Controller groups that have been created manually by the
YSoft SafeQ administrator.
How to disable Far Roaming in the YSoft SafeQ system
1.

(for example, "admin"). Go to System > Configuration.
2. Switch to Expert mode.
3. Change the value of the refreshRoamingJobCronRule configuration option to * * * * * ?

2099
Please note that the procedure above only disables the regular checking and downloading of
metadata of print jobs to be roamed. The jobs are still checked during the first login of the user on
the MFD connected to a particular Spooler Controller.
Near Roaming
There are two ways to configure Near Roaming Group – using a UDP (multicast) or TCP (unicast)
connection.
1. Log into the YSoft SafeQ management interface with sufficient rights to manage printers
(for example, "admin"). Go to the Devices > Spooler Controllers groups section.
2. Click the Add Spooler Controller group button.
3. Enter the name of the new group – choose any name suitable for your needs (for example,
"London branch roaming group", "Sales department", "Building A, 2nd floor", ...). Each group
must have a unique name within the tenant scope.
4. TCP unicast vs. UDP multicast configuration
It is strongly recommended to use UDP multicast instead of TCP unicast whenever

possible. TCP unicast is sensitive to network temporary failures as opposed to UPD
multicast, where the reliability of communication is achieved on higher network layers
and provides less network load.
Multicast communication in YSoft SafeQ 6, as well as TCP Unicast, is provided via a third-
party solution, industry standard communication Java technology called JGroups. JGroups
technology extends reliable unicast (one-to-one) message transmission (as in TCP) to
multicast (one-to-many) settings. It provides reliability and group membership on top of IP
Multicast. It then enables you to use reliable multicast. Since every application has
different reliability needs, JGroups provides a flexible protocol stack architecture. It allows
you to put together custom-tailored stacks ranging from unreliable but fast to highly reliable
but slower stacks.
Unicast communication is where one sender sends a message to one receiver. TCP unicast
takes care of message retransmission for missing messages, weeds out duplicates,
fragments packets that are too big and presents messages to the application in the order

in which they were sent. Then using TCP will cause additional network overheads caused
by the nature of TCP. This, in turn, decreases the solution's scalability. Each additional
member (node) added into a TCP cluster creates a significant amount of communication to
the network due to point-to-point communication with other nodes in the cluster.
In the multicast case where one sender sends a message to many receivers, IP Multicast
extends UDP: a sender sends messages to a multicast address and the receivers have to
join that multicast address to receive them. As in UDP, message transmission is still
unreliable, and there is no notion of membership (who has currently joined the multicast
address). The UDP Multicast configuration of YSoft SafeQ 6 is already set, out-of-the-box, to
use reliable multicast. The only thing that needs to be done is to ensure that the
infrastructure supports UDP Multicast communication among all Near Roaming group
members (nodes).
5.
a. Near Roaming using TCP (preferred for small groups)
Set the group as follows:
Name: Any name suitable
Multicast IP address: 0.0.0.0 (mandatory)
Multicast port: 7800 (mandatory)
IP address 0.0.0.0 and port 7800 have to be used when using TCP.
The limitation of a TCP Near Roaming group: the maximum is 10 Spooler Controller
servers in one group.
b. Near Roaming using UDP Multicast
Make sure multicast networking is allowed between all Spooler Controller servers in
the Near Roaming group.
Set up the group as follows:
Name: any name suitable
Multicast IP address: It is recommended to use an IPv4 address in the range 239.*.*.*

This information shall be provided by the customer and has to reflect the current
network setup.
Multicast port: any UDP port in the range of 1 and 65535. This information shall be
provided by the customer and has to reflect the current network setup.
For more information, refer to http://en.wikipedia.org/wiki/IP_multicast
Example of first group:

Name: Beijing Sales dept.
Multicast IP address: 239.214.54.87
Multicast port: 9874
Example of second group:

Name: Athens HQ, 1st floor
Multicast address: 239.214.54.87
Multicast port: 9875
6. Create a new Spooler Controller or use an existing one and move it to the created roaming
group.
7.
a. Select the Spooler Controller in the list to move and click the Edit button in the right
column. Select any existing Spooler Controller group in the Print Cluster section. As
soon as the value is changed, Save Changes and Discard Changes buttons appear
at the bottom of the web page – click Save Changes.
b. If you need to move more Spooler Controllers to a Near Roaming group, select all
Spooler Controllers (using the checkbox next to each Spooler Controller) to move,
click Actions in the upper-right section, click Move selected Spooler Controllers and
select any existing Spooler Controller group from the list.
8. Follow the steps described in How and When to Restart a Standalone SPOC and SPOC
Group to finish the procedure and let the SPOC group be fully operational (i.e., the
distributed layer is started with the correct configuration and populated with users' data).
Configuring the Back End of LPR
Overview
This page describes how to configure YSoft SafeQ 6 to work with a printer over the Line Printer
Remote protocol (LPR).
Configuration
(for example, "admin"). Go to Devices > Printers > Edit device > Advanced tab.
2. Set Back-end to the LPR value. You also have to define the printer's LPR queue and port,
which must be configured the same way as on the MFD. Click Save Changes to apply these
settings.

Deleting Devices
If a device is not in usage anymore or an administrator does not want to use the device with
YSoft SafeQ, the administrator can delete the device in two ways:
Single device deletion – an action in each device row on the device list page
Batch deletion of devices – a batch action for all selected devices on the device list page
When the administrator deletes a device, it is not present on the device list anymore but is still
visible in the reporting features of the Management Service (e.g., Web Reports).

Deleting Devices with a Terminal
Before the deletion of device from the system, its terminal should be uninstalled correctly to
prevent an undefined state of the terminal. Management Service automatically tries to uninstall
the terminal before the device itself is deleted. An administrator can check the uninstallation
progress on the page that displays when they try to delete such a device.
If the uninstallation is successful, the device is deleted as well.
If the uninstallation fails, the device is not deleted immediately. The administrator should check
the device's status, network connection, etc., to be able to uninstall the terminal correctly. If it is
not necessary to correctly uninstall the terminal and the previous deletion failed, the
administrator can force the device's deletion without uninstallation in two ways:
From the Embedded terminal deletion progress page by clicking the "FORCE DELETE DEVICE"
button.
From the Delete devices list page batch action by checking the "Force delete" checkbox.

Batch deletion works analogically to a single device deletion – when deletion is not forced, the
Embedded terminal deletion progress page is shown to the administrator so they can track
the progress of deletion of all devices with the terminal (devices without the terminal are
deleted immediately).
The "Force delete" checkbox is shown only if the system detects that the device was
previously unsuccessfully deleted.
When device deletion (terminal uninstallation) is in progress, it is not possible to edit the
device – the only possible action is to forcibly remove the device.
Installing YSoft SafeQ Mobile Terminal onto a Device with an Embedded Terminal
Requirements
A device with an embedded terminal that is supported by YSoft SafeQ.
General
YSoft SafeQ Mobile Terminal is automatically installed with all of the embedded terminals
supported by YSoft SafeQ.
There are not additional steps required for enabling YSoft SafeQ Mobile Terminal.
QR Codes
A QR Code can be displayed by clicking Show QR Code in the device's menu.

The size of the QR Code can be changed during the installation or after clicking the Edit
button. The size is located in the Terminal section.
Do not crop the QR code's area smaller than the cutting lines around the code suggest. A
smaller area can lower the chance of the decoding process's success rate.
Tags – Finishing Options
When installing a printer, the administrator can choose which features the printer supports. For
the Mobile Terminal, there are several relevant Tags. When these tags are checked, the user can
change the finishing option on YSoft SafeQ Mobile Terminal.
binding – enables the binding feature
color – allows color jobs
duplex – enables the possibility to set a simplex/duplex finishing option
folding – enables the folding feature
punching – enables the punching feature
stapling – enables the stapling feature
Updating YSoft be3D eDee and YSoft SafeQ Terminal Pro 4 and YSoft SafeQube 2
When installing a new version of YSoft SafeQ 6 or replacing infrastructure parts, it may be
required to update the software on some or all devices. The Management Server interface offers
features that allow you to import binary software packages and schedule updates.

Uploading a Software Package
Before the update can be applied, it has to be uploaded into YSoft SafeQ 6.
1. Login into the YSoft SafeQ management interface.
2. Go to Devices > Hardware
3. Click ACTIONS > Upload software package
4. After the package has been selected and uploaded, an informational message displays and
the package is processed in the background. The result of the processing is displayed in
the notification center.

Software packages are distributed by Y Soft as ZIP files. One package can contain various
applications for various devices or even the whole operating system for the device
Scheduling a Device Update
Imported packages are not automatically installed on the devices, there is an option to select the
version and schedule a time in a separate dialog.
1. Login into the Management Server web interface
2. Go to Devices > Hardware
3. Click ACTIONS > Update devices
4. Click UPDATE for each system type you would like to update.
5. Select the package versions and the update schedule.
6. Click SAVE to apply the changes.
The update progress displays on the Software package update dialog. If there are any failures,
more details can be found on the Hardware list page or in the IMS log files.

The update schedule time is the local time of each system.
5.9.1.6 Management Interface - Billing
Configuring and Managing Billing Codes
About Billing Codes
You use the billing codes list to create and manage a list of billing codes (also called project
codes), their structure, and their assignment to individual users, cost centers, or user roles. In
order to track outputs per project, after creating billing codes, the user must select a billing code
from the billing codes list each time they make any prints/scans or copies.
Managing Billing Codes

Displaying Billing Codes
In the YSoft SafeQ management interface, click Billing.
On this page, there is a list of the billing codes that exist in the system.

To add a billing code, click the ADD NEW ITEM button.
Adding a New Billing Code
Once you select ADD NEW ITEM, the option to add a new billing code appears.
To create a new billing code:
1. Enter the code of the billing code
2. Enter the description of the billing code
3. Click the icon to save the billing code
Assigning Billing Codes

About Inheriting Billing Codes

An administrator can assign billing codes to users, roles, or cost centers. Users inherit billing
codes from roles and cost centers. If you do not assign a specific billing code to a user, the user
inherits the default billing code from a role or a cost center.
Default Billing Codes at Devices
If a user only has one billing code assigned or inherited, this billing code is automatically the billing
code by default. In this case, the device does not display a billing code selection option and
automatically uses this default billing code.
Assigning a Billing Code to a User
In the YSoft SafeQ management web interface, select Users > User list and edit the target user.
In the menu, select the Assign billing code option
To assign a billing code, click the billing code from the list of available billing codes.

Assigning a Billing Code to a Cost Center
In the YSoft SafeQ management web interface, select Users > Cost centers and edit the target
cost center.
In the menu, select the Assign billing code option

To assign a billing code, click the billing code from the list of available billing codes.
Default billing codes
An administrator can assign a default billing code to users or cost centers.
The administrator can also assign a default billing code directly to a specific user.
When the user has no default billing code assigned, they can inherit the default billing code from a
cost center if assigned.
Assigning the default billing code to a user
In the YSoft SafeQ management web interface, select Users > User list and edit the target user.

Select a billing code from the billing code list. This list includes billing codes assigned to users,
cost centers, and roles. Once you select a specific default billing code for the user, that billing
code overrides the cost center's default billing code.
Assigning a cost center's default billing code to all members of the cost center:
When you change the cost center's default billing code, check the option Set as default value for
all cost center members. This causes specific default billing codes set for users to be deleted
from user settings and the users' default billing codes will be inherited from the current cost
center.
Billing Codes for Printing
Print jobs can be accounted either under the billing code selected in the YSoft SafeQ FlexiSpooler
application or under the billing code selected on the terminal after the user logs in. Which billing
code will be applied is controlled by the billingCodePrecedence configuration property. This
configuration property is in the Terminals UI category (level Advanced) and has two options:
Job reception (default value)
Terminal
When billingCodePrecedence is set to Job reception, every print and reprint will be accounted
with the billing code selected in the YSoft SafeQ FlexiSpooler application. When
billingCodePrecedence is set to Terminal and a user selects a billing code at the terminal, then
this billing code will be used for accounting.

This feature is supported on YSoft SafeQ Embedded Terminal and on YSoft SafeQ Mobile
Terminal.
Prerequisites
1. YSoft SafeQ 6 MU2 or newer
2. The feature is available in the Credit and Billing module, no special EAL is required.
3. The enabled billing codes feature.
Setting Up and Usage of Billing Codes for Printing on YSoft SafeQ Embedded Terminal
1. Define the device with YSoft SafeQ Embedded Terminal and the accounting type Device
dependent accounting.
2. Send the print job to YSoft SafeQ 6 using the YSoft SafeQ FlexiSpooler application.
3. Log in at the embedded terminal and select a billing code.
4. Release the print job.
5. Depending on the value of the billingCodePrecedence property, the job will be accounted
either with the billing code selected at the embedded terminal or with the billing code
selected in the YSoft SafeQ FlexiSpooler application.
6. Check web reports to see whether the print job was accounted with expected billing code.
Setting Up and Usage of Billing Codes for Printing on YSoft SafeQ Mobile Terminal
1. Define the device with YSoft SafeQ Embedded Terminal and the accounting type Device
dependent accounting.
2. Send the print job to YSoft SafeQ 6 using the YSoft SafeQ FlexiSpooler application.
3. Scan the QR code for the device.
4. Select the billing code on YSoft SafeQ Mobile Terminal.
5. Release the print job.
6. The print job is always accounted with the billing code selected on YSoft SafeQ Mobile
Terminal regardless of what the value of the billingCodePrecedence configuration property
is. If the billing code is not changed on YSoft SafeQ Mobile Terminal, then the billing code
that has been assigned to the job is used for accounting.
7. Check web reports to see whether the print job was accounted with the expected billing
code.
Limitations
YSoft SafeQ Terminal Professional 4 is not supported.
Terminal type YSoft Mobile is not supported.
Limitations for setting "Terminal"

Konica Minolta
Users always have to select the billing code when logging in, forcing them to change it for
print jobs.
When changing the billing code while printing multiple documents, the documents will be
accounted under the billing code chosen at the time of their actual release to the printer. This
does not apply to Direct Print and Print All.
Note, on the native type of the embedded terminal, it is not possible to change billing codes
during a user session.
Xerox
It is not possible to change a billing code for jobs printed by the Print All functionality if there
was a billing code selected on the YSoft SafeQ Client application
does not apply to Direct Print.
When the user selects a billing code after login, this billing code is selected also with the next
logins until another is selected. The default billing code is not used anymore once a user
selects another billing code.
Ricoh, Sharp, Samsung
print jobs.
Fuji Xerox with XCP
print jobs.
When the user selects a billing code after login, this billing code is selected also with the next
logins until another is selected. The default billing code is not used anymore once the user
selects another billing code.

Importing billing codes
Creating a CSV file with billing codes for import
Billing codes for import can be stored in a CSV file.
See Billing Code Import CSV Format Specification for details about the file structure and format.
Importing billing codes
In the YSoft SafeQ management interface, select Projects > Billing codes > Actions... > Import
billing codes.
Select the CSV file; then click Import data to start the import.
The option Delete codes that does not occur in CSV causes that all billing codes that are not
listed in the imported CSV files will be deleted.
When the import starts, a progress bar is displayed.
When the import is complete, a confirmation message is displayed.
If a problem occurred during import, the message Error detected during the last import appears.
To download a CSV file that includes descriptions of errors, click on Download CSV file with
errors.
Billing Code Import CSV Format Specifications
YSoft SafeQ Management Interface supports the batch importing of billing codes from a CSV file.
The file must fulfil the format requirements described on this page.
It is recommended to use a maximum of 1,000 billing codes per one level (without technical
limitations on the number of nested levels). If you have more billing codes, use (or request) an
import script that can import data into the logical tree structure.

CSV Format
Billing codes are stored in a comma-separated values file.
Delimiter: semicolon ;
Quote character (if needed): double quote "

Importer configuration
You can modify the behavior of the importer by configuring the first row.
Format selection
Several formats are supported for importing. The format MUST be specified in the first line in the
first column.
Available formats: prefix, parent
Format specification string: format:parent

Level delimiter
When you use the prefix format, you can change the default delimiter from '.' to another single
character.
Delimiter specification string: levelDelimiter:/
The default level delimiter is '.'
The default prefix importer will read 1.2.3.. When you change levelDelimiter to / then it
will read data in the format 1/2/3.
Supported Formats
Format prefix
1. Billing code in the tree format – MANDATORY; String – e.g.: 1.2.14 – the parent is in this case
1.2 and the billing code for this item is 14
2. Billing code description – MANDATORY; String – e.g.: Primary code
3. Extension string. From the third position, you can specify extension strings. Each column
contains one and only one extension. Extensions are applied from the first left record to the
right.
Format parent
Record contains the following columns:
1. Billing code – MANDATORY; String – e.g.: 100, 200, 1.1.1
2. Billing code description – MANDATORY; String – e.g.: Primary code
3. Parent billing code (first-level billing code) – OPTIONAL; String – e.g.: 100, can be empty
4. Extension string. From the fourth position, you can specify extension strings. Each column
contains ONE and only one extension. Extensions are applied from the first left record to
the right.

Parent billing code (first-level billing code) is optional. When it is not specified, the billing code is
considered to be directly under the root element.
The uniqueness of a billing code is defined by its path. The same billing codes can appear under
different parents.
Extension string
Format: extension_name:value
Allowed extensions: user, center, role, action
The extension string is case insensitive.

Extension user
This extension contains a user login name. The billing code with its entire subtree will be assigned
to the specified user.
If a user account with the specified name does not exist, the system instead tries to find a role
with the name.
Example: user:georgik
Extension center
This extension contains a cost center number. The billing code with its entire subtree will be
assigned to the specified cost center.
Example: center:118999881
Extension role
This extension contains a role name. The billing code with its entire subtree will be assigned to
the specified role.
Example: role:everyone
Extension action
Available actions:
remove – This deletes the billing code and its entire subtree
resetACL – This deletes the user, cost center and role assignments (i.e., the Access Control
List) of the billing code
Example: action:remove
Removing assignments
To remove a billing code assignment from a specific user, cost center or role, prefix the username,
cost center number or role name with a minus sign.
Example: user:-georgik;center:-1234;role:-everyone;user:newuser
Alternatively, you can remove all existing assignments and add new ones:
Example: action:resetACL;user:newuser

Note that in the unusual case when a username, cost center number or role name starts with a
minus sign or a plus sign and you need to assign a billing code to it, you need to prefix it with a
plus sign.
An example of adding assignments to user "-minususer", cost center "-1" and role "-
minusrole": user:+-minususer;center:+-1;role:+-minusrole
An example of removing assignments from user "-minususer", cost center "-1" and role "-
minusrole": user:--minususer;center:--1;role:--minusrole
Guidelines for Working with a Large Number of Billing Codes
It is possible to handle a large volume of billing codes, but you should follow certain rules.
Some useful guidelines:
1. If you need to assign a large number of billing codes, group them under one parent and only
assign this parent.
2. If you need to assign the same set of billing codes to a large number of users, create a role and
assign billing codes to the role according to guideline 1.
3. Make as few deletions as possible. Billing codes are still in the database even when they are
deleted.
3.1. If you already deleted a large number of billing codes from the database, ask a database
expert to clean up and VACUUM the database. Billing codes are necessary for statistics; incorrect
deletions can harm statistics.
4. Do not create more than 1,000 children at the first level of a billing code tree. Divide billing
codes into groups.
Sample CSV Data
Format prefix
Contents of the CSV file:
format:prefix;
1;Czech republic;user:barbora;user:richard;
1.1;Brno;
1.2;Lomna;
1.2.1;Dolni Lomna;
1.2.3;Horni Lomna;
1.3;Milikov;
2;Slovakia;center:118999881;
2.1;Kosice;

2.2;Povazska Bystrica;
2.2.1;Vrtizer;
2.2.2;Milochov;
1.9;Trencin;
2.2.3;Marikova;
Sample in Excel:
Result in YSoft SafeQ Management Interface:

Format prefix with level delimiter /
format:prefix;levelDelimiter:/;
1;Czech republic;user:barbora;user:richard
1/1;Brno;
1/2;Lomna;
1/2/1;Dolni Lomna;
1/2/3;Horni Lomna;
1/3;Milikov;
Remove and insert new

format:prefix
1;Large forest;;action:remove
1;Desert;;
1.1;Sahara;;user:georgik;118999881;user:arnost
1.1.1;Sand;
1.1.2;Dust;
Format parent
format:parent
100;Large forest;;center:118999881
10;Giant Sequoia;100;user:mary;user:james
11;Coast Redwood;100
12;Western Redcedar;100
13;Australian Oak;100
14;Inheritance;100;center:118999881
200;Old forest;
8;Bristlecone Pine;200
9;Alerce;200
10;Giant Sequoia;200

11;Sugi;200
12;Huon-pine;200
Sample in Excel:

Special characters
You can use LibreOffice Calc to generate a proper CSV file in UTF-8 from an Excel table. Use a
semicolon as the field delimiter and no character as the text delimiter.
format:prefix;levelDelimiter:*
1;Tiskárna
1*1;
1*1*1;
2;
2*1;
2*2;tölvufræði
Sample in Excel:

Recommendation
max 1,000 sub-levels per one first-level
max 100,000 lines per CSV file
Limitation
max 1,000 sub-levels per one first-level for a one import procedure
max 3 MB CSV file size
the following characters are restricted: ?&’”<>
if you need to enter the character backslash '\' you must escape it, i.e. type '\\'
Configuring and Managing Price Lists
About Price Lists
Assignable price lists enable an administrator to define various prices for print, copy or scan
operations. In order to ensure proper accounting of print operations, devices must have assigned
at minimum at the Default Price List. A price list can be shared by multiple users, cost centers or
devices. Therefore, in a homogeneous environment where all devices run at the same cost, only
one price list must be configured and can be applied to all devices, users or cost centers quickly.

Displaying Price Lists
In the YSoft SafeQ management interface, click Billing and then the Price list tab.
On this page, there is a list of the existing price lists defined in the system.
To add a new price list, click the NEW PRICE LIST button.
Creating a New Price List
Once you select NEW PRICE LIST, the price list definition screen appears.
To create a new price list:
1. Define the price list name.
2. Define prices for the various operations and also the VAT value.
3. Click SAVE CHANGES to save the price list.
Assigning a Price List
These price lists can be assigned to:

users
cost centers
devices
There are some rules and dependencies connected to the price lists:
Devices must always have a price list assigned.
When both device and cost center of user have different price lists assigned, the one
assigned to cost center of user is used.
When both cost center of user and user have different price lists assigned, the one assigned
to user is used.
When both device and user have different price lists assigned, the one assigned to user is
used.
Assigning a price list to a cost center
In the YSoft SafeQ management Interface, select Users > Cost center and edit the target cost
center.
Assigning a price list to a user
In the YSoft SafeQ management interface, select Users > User list and the target user.

Assigning a price list to a device
Price list selection is available only when there are multiple price lists defined in the system.
In the YSoft SafeQ management interface, select Devices > Printers and edit the target device.

5.9.1.7 Management Interface - Users
Users
On the Users tab, the following functions can be accessed:
User list – Manage users registered in YSoft SafeQ
Role list – Manage available user roles
Cost centers – Manage cost centers
Management actions available on every users page
Data import – Import users, roles, and cost centers from a CSV file
Data export – Export users, roles, and cost centers to a CSV file
To access LDAP integration settings, navigate to the System tab in the menu and select
LDAP integration in the sub-menu.
Configuring ID Card Self Assignment
Overview
This page describes how to configure the ID card self-assignment methods. ID card self-
assignment can be used in cases when a user has a card that has not been assigned to them
yet. There are two methods for the user to self assign the card.
Method 1. Self-assignment Using a Card Activation Code
Users can use the Card Activation Code to self-assign a card at YSoft SafeQ terminals.
1. Log into the YSoft SafeQ Management interface with sufficient rights to administer printers
(for example, "admin"). Go to System > Configuration and set the puk-enabled
configuration option to enabled.
If enabled, users can self-assign an unknown card using a generated Card Activation
Code.

2. There are three possibilities for generating the Card Activation Code:
a. An administrator navigates to the Users > Users > User > Card activation codes tab
and clicks the Generate new card activation code button. When a confirmation
window displays, click Yes.
b. A Card Activation Code is automatically generated and delivered by email when the
user sends their first print job to YSoft SafeQ.
c. The user can generate a Card Activation Code by logging into the YSoft SafeQ
Management interface. On the Dashboard page, click the Generate card activation
code button in the Access credentials widget. When the confirmation window is
displayed, click Yes.
3. There are two possibilities for the user to receive the generated Card Activation Code:
a.
3.
a. The user receives the generated Card Activation Code by email (if it is correctly
defined in the YSoft SafeQ database and the sending of the Card Activation Code by
email is enabled).
b. The user can also see their Card Activation Code on the YSoft SafeQ Management
interface dashboard after logging in.
For this function, puk-display-on-web must be set to em>enabled. For more

information, see Related Properties below.
4. To perform a card self-assignment correctly, the user has to go to a device and swipe the
card they want to self-assign. The YSoft SafeQ terminals will recognize an unassigned card
and prompt the users for their Card Activation Code. Once the Card Activation Code is
correctly entered by the user, the card is assigned to them. From this moment, the card
can be used to log into all YSoft SafeQ terminals.
Method 2. Self-assignment Using Login and Password
The second method of card self-assignment is the assignment of the card at YSoft SafeQ
terminals with a user's login and password.
1. Log into the YSoft SafeQ Management interface with sufficient rights to administer printers
(for example, "admin"). Go to System > Configuration and set the assign-new-card-enabled
configuration option to enabled.
Allow users to assign a new card to themselves by entering their username and
password after swiping an unknown/new card at the card reader.
2. The self-assignment method is almost the same as with the Card Activation Code. The user
goes to a device and swipes the unassigned card. YSoft SafeQ 6 recognizes the card as
unassigned and asks the user for their login and password. If these credentials are entered
correctly, the card is assigned to a user with these credentials.
Related Properties
There are some other configuration properties related to card assignment:

puk-display-on-web – If enabled, users can see their current Card Activation Code on the
dashboard of the YSoft SafeQ Management interface
remove-puk-after-use – If enabled, each Card Activation Code is removed from the database
after it is used for the first time, therefore, it cannot be used any more by the user to assign
another card. Enabling this decreases the security risk that a Card Activation Code will be
misused by another user
puk-length – The length of the Card Activation Code that is generated for a user. For security
reasons, this value should allow the generation of at least 100 times more Card Activation
Codes than there are users in the system. Minimal length is defined as six
assign-new-card-single – If enabled, a user is allowed to have only a single card assigned

while self-assigning a card from a terminal
Data Export and Import
About Data Export and Import
Data Export and Import are simple utilities for managing data users, roles and cost centers .
The Data Export page is accessible from all pages under Actions in the Users section.
Data Export
On the left-hand side of the Data Export page, an administrator can select character encoding. On
the right-hand side of the Data Export page, a user can select the scope of the data to export.
The export is saved in a CSV file format.
CSV Character Encoding
The CSV file will be created according to the selected encoding listed below.

Action Description
UTF-8 The data will be exported with UTF-8 encoding
Windows-1250 The data will be exported with Windows-1250 encoding
ISO-8859-1 The data will be exported with ISO-8859-1 encoding
Other An administrator can select another encoding type
The Scope of the Data to Export
The CSV data will be exported according to the selected sources listed below.
Action Description
Export Users Export all users to a CSV file
Export Cost Centers Export all cost centers to a CSV file
Export Roles Export all roles to a CSV file
Data that is exported encrypted is marked with the prefix do_not_convert@@. When YSoft
SafeQ Management Service imports data from a CSV file via Data Import, it looks for this prefix
when it tries to decide whether the input value must be converted via the currently set
conversion method or not.
Data Import
In the upper part of the Data Import page, there is the basic file structure for CSV files. In the
bottom part, there is the CSV file character encoding and the path to the CSV file with the data
to import.

CSV Character Encoding
The CSV file will be created according to the selected encoding listed below.
Action Description
UTF-8 The data will be exported with UTF-8 encoding
Other An administrator can select another encoding type
CSV files format
Add/update/delete users – [100;add|del;username[,alias,...];name;surname;[card number, ...];cost

center number;email;[home directory];[password]]
Add/update/delete users with PIN code – [100;add|del;username[,alias,...];name;surname;[PIN%

pin_code%,...];cost center number;email;[home directory];[password]]
Add/delete card numbers – [200;add|del|clear;username[;card number]]
Add/delete PINs – [200;add|del|clear;username[;PIN%pin_code%]]
Add/update/delete cost centers – [300;add|del;cost center number[;cost center name]]
Add/update/delete roles – [400;add|del;role name[;role description]]
Set email address for user – [201;username;email address]
Set cost center for user – [202;username;cost center number]
Data that is exported encrypted (for example, PIN codes or passwords) are marked with the
prefix do_not_convert@@. When YSoft SafeQ imports data from a CSV file, it looks for this
prefix when it tries to decide whether the input value must be converted via the currently set
conversion method or not.
The CSV separator used for separating columns is a configurable value located in System >
Reports > Primary separator in files for export/import, the default is semicolon ';'.
The CSV separator used for separating multiple values within one column is a configurable
value located in System > Reports > Secondary separator in files for export/import , the
default is comma ','.

Additional Rules and Limitations
Add/update/delete users
If a user with a given username already exists, the user record will be overridden.
Aliases and card numbers can only be added but not changed or removed.
The username, name, surname and cost center fields must not be empty.
The email must be a valid email address.
CSV files examples
300;add;5;Communication
300;add;7;Enterprise and Industry
100;add;villevirtanen;Ville;Virtanen;PIN5555;5;villevirtanen@test.com;;4MV0b
100;add;jeandupont;Jean;Dupont;268742;7;jeandupont@test.com;\\share\users\jeandupont;
B27Kf
200;add;villevirtanen;268743
200;add;jeandupont;PIN7777
200;add;johndoe;do_not_convert@@PINb59c67bf196a4758191e42f76670ceba
400;add;marketing
400;add;human resources;All the employees from Human Resources department
400;del;sales
Managing Cost Centers
About
This page describes how to create and edit cost centers in the YSoft SafeQ Management
interface. Attributes vary depending on the YSoft SafeQ 6 configuration and/or license.
Editing Basic Cost Center Settings
Open a cost center from the cost center list to edit the settings. To create a new cost center,
use the green Add button on the Cost centers page.

Attributes:
Number Cost center number
Name Cost center name
Default billing code Default billing code number
Terminal inactivity timeout This figure defines a time limit after which the user is logged out
of the terminal. This value is set for situations when the user
forgets to log out and is therefore blocking the device for another
user. This option also serves as protection against possible
misuse of user accounts
Delete jobs after printing To delete jobs after printing, select Yes. To keep and save jobs
after printing, select No
Use default values for all cost To use the values set on this page as the default values for all
center members users in this cost center, check the checkbox
Assign a billing code to a cost Add a billing code to the cost center from the billing code list
center
Price list is inherited from the Prices are inherited from the device
device
Select price list for this cost Select this option to specify a price list for the cost center
center
Percentage of the device's price The percentage of device costs that will be accounted to the
list users in the cost center. 100% is set as the default.

Managing Roles
About Roles
Roles are used for assigning access permissions and usually correspond to responsibilities within
an organization.
Roles are equivalent to groups in the Active Directory service.
Roles are used for defining access permissions to the YSoft SafeQ management interface and
for permissions to use individual YSoft SafeQ 6 operations/actions/features
Each user can be a member of multiple roles
Displaying the Roles List
In the YSoft SafeQ management web interface, select Users > Roles.
On this page, view, add, edit, and delete roles, and perform other role-related actions.
On the role detail page, edit the Name and Description of a role and assign or remove a billing
code from a role, similar to how a pro user can – see Managing Users.

Name Role name
Description Role description
Managing Users
Overview
YSoft SafeQ 6 requires an identity database to provide access control and/or accounting
functions. The identity database can be an internal or an external database synchronized from an
LDAP, SQL DB or a third-party system.
Displaying the Users List
In the YSoft SafeQ Management interface, select Users > Users to see the users list.
On the Users page, users can be added or edited.

Working with Users
Add new item Create a new user in the YSoft SafeQ database
Edit icon Edit an existing user's settings (see Create and Edit)
Delete icon Delete a user from the database. The user will be marked as deleted, but will still be
included in reports. You can later restore a deleted user
There are two limitations when deleting a user in YSoft SafeQ.

1. The list of PIN and card values is emptied when the user is deleted.
2. The related YSoft Payment System account is not deleted when the
user is deleted in YSoft SafeQ. This means that the creation of a new
user with the same username as the deleted user will cause an error in
the YSoft Payment System and the new user will be not able to log
into a terminal.
Access rights Assign access rights for the selected user

icon
Managing User Access Rights
Access rights determine what a user can see and do once they are logged into the web interface.
Administrators have full access and others can be assigned any subset of access rights. There
are rules governing the addition or modification of the user’s existing access rights.
Terminology:
Editor – User who is modifying the access rights of another user
User – User who’s access rights are being modified
To manage User’s individual access rights:
The Editor may assign and unassign only those access rights that are assigned to
themselves.
To manage User’s role(s):
The Editor must have the access rights of a particular role before they can assign or unassign
that role to a User.
To change a user’s username and/or password:
The Editor must have all the user’s access rights assigned to themselves.
Example:

The Editor has the access rights "View list of users" and "Add, edit, and delete users".
The User has access right "Reports - view all data".
The Editor can edit User’s cards, pins, email and other information.
The Editor is not able to edit User's username and password, because the Editor doesn't have
the access right "Reports – view all data". This prevents the Editor from logging in as the User
and seeing User's reports.
Filtering the Information to Display in the Users List
The Users list includes filters for searching and displaying only specific data in the list.
Filter name Restrict to...
Username Users with the entered username (Login)
First name Users with the entered first name
Surname Users with the entered surname
Card Users with the entered card only
User note Users with the entered user note
Active users List only active users (default option) via the page's view action (top right-hand corner)
Deleted users List only deleted users via the page's view action (top right-hand corner)
Role Users with the selected role
Cost center Users with the selected cost center
Updating, Importing and Exporting User Data
To access the update, import, and export options, use the Actions menu.
Action Description
Data import Import user data from a CSV file
Data export Export user data to a CSV file
To access LDAP integration settings, go to the System menu > LDAP integration. Find details
in LDAP Integration.

Create and Edit
Attributes:
Username The unique login (username) that identifies the user in the system for access
rights to the YSoft SafeQ 6 interfaces. The user's login has to be unique within
a single tenant – it is not allowed to create two (or more) users with an
identical login (username) within a single tenant.
Editing of username depends on user rights. Principles are described in section
Managing User Access Rights above.
First name and The user's first name and surname.

Surname
Password The password is securely saved in the database. The text of the password
cannot be displayed. If a user forgets their password, a new password must be
generated.
Password complexity is affected by two system settings properties:
Minimum password length: minimumPasswordLength
This property enforces a minimum password length for passwords entered by
system users via this web interface (CSV imports and other external tools are
not covered intentionally). If a password has fewer characters than the value of
this property, the password will be rejected and the user is informed about the
proper password length. Set the value to 0 to allow passwords of any length.
Enforce strong passwords: enforceStrongPasswords
This property enforces certain rules for passwords entered by system users
via this web interface (CSV imports and other external tools are not covered
intentionally) must comply with otherwise the password will be rejected and
the user is informed about the necessary requirements for a new password.

Strong passwords must match three of the following criteria:

contains at least one lower case character (a-z)
contains at least one upper case character (A-Z)
contains at least one number (0-9)
contains at least one non-alphanumerical character (~!@#$%^&*_-+=`|\(){}[]:;"
<>',.\?/)
Editing of password depends on user rights. Principles are described in section
Managing User Access Rights above.
Card ID/PIN A list of ID cards and PINs. Each user can have one or more ID card. ID cards
and PINs are used for user authentication at YSoft SafeQ terminals.
Mobile Terminals A list of activated Mobile Terminals. Mobile Terminals are used for authentication
with the YSoft SafeQ Mobile Terminal.
E-mail Enter an email that will be used for sending messages to the user from the
YSoft SafeQ 6 system.
Home directory The user's home directory (used for scanning to the home folder). To support
network scanning, the home directory must contain the complete path on the
YSoft SafeQ 6 server or the complete UNC path. The home folder must be
accessible by YSoft SafeQ 6.
Cost center A number that identifies the cost center assigned to the user. Each user must
only be assigned one cost center.
Default billing code The default billing code for the user
Note
If a user is imported from an LDAP, you will not be able to edit these attributes as the LDAP is
the place where they must be edited.
Terminal inactivity This figure defines a time limit after which the user is logged out of the
timeout terminal. This value is set for situations when the user forgets to log out and
is therefore blocking the device for another user. This option also serves as
protection against possible misuse of user accounts.
Delete jobs after To delete jobs after printing, select Yes. To keep and save jobs after printing,
printing select No
Assigning Roles to a User
1. Scroll to the roles section.
2.
2. The user's access rights to printers and printer features are determined by the roles
assigned to them.
3. Assign a role (or multiple roles) to the user. For more information, see Managing Roles.
Adding an Alias to the User
Scroll to the section Aliases.
The user's aliases can be managed on this page. Aliases are a user's alternative usernames. An
alias must be unique within the set of all active usernames and all aliases.
Aliases are best used when a user has several accounts and the usernames are not identical, for
example in Windows or SAP. Authentication in YSoft SafeQ 6 is possible using an alias and the
spooler recognizes aliases as well. Aliases are a good way to tell YSoft SafeQ 6 that two or more
usernames belong to the same user.
Aliases are useful for detecting the user's identity during printing.
Please note that user aliases are not recognized in the YSoft SafeQ Payment System if
connected to YSoft SafeQ 6.
Assigning Billing Codes to the User
1. Scroll to the Billing codes section. Assign a billing code (or codes) to the user.
2. Assigned billing codes will be available for the user on all interfaces with billing codes
(Terminals and the Desktop interface).
Assigning a Price List to a User
Click Prices. Assign a price list to the user.
Attributes:
Use common price list Prices are inherited from the cost center or device
Select price list for this Select this option to specify a price list for the user. See Managing
user assignable price lists for detailed usage instructions
Assign a PIN to a User
Scroll to the PIN code section.
Enter a PIN code manually. Alternatively, generate a PIN for a user.
To enable the PIN generator in the system, go to System > System settings and set the
following property to enabled:

PIN-generator – This option enables the feature allowing users to generate a PIN code for
themselves on the YSoft SafeQ management web interface.
If choosing to generate a new PIN, choose to generate a code with unlimited validity or with one
with an expiration date.
The default expiration time is 60 days. Change the default value in system settings.
The remaining expiration of the generated PIN code is displayed next to it in the user's Card ID/PIN
list.
The display of the PIN may vary based on the setting of the conversionPIN property.
Assigning a Card Activation Code to a User
Card Activation Codes cannot be added manually to the user. Users can generate a Card
Activation Code for themselves from the Management interface.
Alternatively, generate a Card Activation Code for the user.
Go to System > System settings and set the following property to enabled:
puk-enabled – If enabled, users are able to self-assign an unknown card using a generated
Card Activation Code from the terminal interface
Scroll to the Card activation code section in the user detail
Generate a new Card Activation Code
The user will receive the new code via email if enabled in the System settings.
Assigning a Card to a User
Enter the Card ID value into the Card ID field and save.
The required form of the entered card may vary based on the settings of conversion property.

Mobile Terminals
Mobile Terminals cannot be added manually to the user. Users can activate their Mobile Terminal
by requesting activation through the YSoft SafeQ Mobile Terminal application.
Once the Mobile Terminal is activated, it will be added to the list showing all activated Mobile
Terminals.
Mobile Terminal activation can be deleted by tapping the trash icon.
The Card Conversion Tool
About
Through this tool, you can find the conversion method and the setup for YSoft SafeQ 6 to
convert card numbers read by terminals to match the values stored in the database.
General Overview
The Card Conversion tool can be found in YSoft SafeQ Management Interface: Users > Users >
Actions > Card conversion settings.

The Card Conversion tool is divided into the few parts described below:
For the proper functioning of the Card conversion tool, it is necessary to enter at least three card
number pairs.
Card reader output How the card number is read by the used card reader.
Enter at least three card number pairs to get as accurate a result

as possible
Card number in How the card number is stored in the user database (LDAP, AD, SafeQ, etc.).
database The card manager is used to convert the reader output to the desired format.
Card reader type The used card reader type. Each line can use a different card reader type
because it might be necessary to find a card manager that works for all the
used card readers. If you do not know the reader type, select Arbitrary
Arbitrary – regardless of the terminal type
Embedded – Embedded Terminal type
Terminal Professional – Terminal Professional type
Add Add the new pair (new card numbers) that should be evaluated.
Remove Remove an existing row from the evaluation.
Find matching card According to the entered rows, the database will be searched for known card
manager managers. The results of this search will be displayed in the Exact result panel.

Enter expression This options can be used by experts. Enter the requested expression manually.
manually You can find a syntax description in the YSoft SafeQ 6 documentation (use the
dialog's help).
Exact results Search results are displayed here. If more than one card manager was found
during the search, more than one result displays. Add additional card number
pairs to make the result more exact or choose one of them.
Partial results Results that are matching only part of the entered card number pairs. This card
manager cannot be used. You can use the link next to them to find out which
pairs match them and which do not.
Evaluate Evaluate the entered card manager pairs against the database for known card
managers.
Save Card manager The selected card manager will be chosen and saved in YSoft SafeQ 6's
system. A system restart might be mandatory for settings to be applied in
some cases.
Enter expression manually (Expert mode)
You can create a custom expression for card matching through the Enter expression manually
option.
Disabling the logging of card numbers
If it is necessary (e.g., for security reasons) to hide card numbers from the log, add the following
snipped to the log4j.xml.
<category name="com.ysoft.safeq.terminal.protocol.SecureEncoding" additivity="false">

<level value="warn" />
<appender-ref ref="log_app"/>
</category>
5.9.1.8 Management Interface - Rules
Configuring Access Definitions
About Access Definitions
In order for users to be able to use devices to print or perform other operations, you must assign
the specific user role access for the appropriate operation.
Access definitions are assigned for specific user roles and for devices in the Spooler Controller
group. For example, by giving printing rights to a role named role1 and to the Spooler Controller
group RemoteServer1, users assigned to role1 will be able to print on devices that are part of the
Spooler Controller group RemoteServer1.
More details about inheritance and competition among roles can be found in the article Inheritance
and Competition Among Roles.

Displaying the List of Access Definitions
In the YSoft SafeQ management interface, click Rules and then the Access definition tab.
On this page, you can manage the Access definitions.
The Rules page allows you to define the Rule-Based Engine rules.
There is a list of existing rules defined in the system.
Each access definition is represented with the following information:
User role – the role for which the access definition is configured
Spooler Controller group – the Spooler Controller group for which the access definition is
configured
Device – the device for which the access definition is configured
The following restrictions are available:
Print – allows printing for the given user role
Copy – allows copying for the given user role
Color – allows color operations (color printing/copying) for the given user role
Fax – allows fax operations for the given user role
3D – allows printing 3d print jobs for the given user role
There are also additional options to:
Save changes in the access definition
Revert to unsaved changes made in the definition
Delete the access definition
Actions:

Update data on Spooler Controller – Use the Update data on Spooler Controller action to
immediately replicate all changes to all remote Spooler Controller servers or only on the selected
Spooler Controller server. This function is for use only with a distributed architecture.
Page setting – Allows defining the behavior of the Access definition page.
To add a new access definition, click the ADD NEW ITEM button.
Adding a New Rule
Once you select ADD NEW ITEM, the access definition screen appears.
Option Description
User role The defined user roles. To set up access rights for all users, select everyone.
Spooler Controller The Spooler Controller group to set up access to. To enable the selected role to
group access all devices, select ALL DEVICES GROUP.
Device The device to set up access to. To enable the selected role to access all the
devices in the group, select ALL DEVICES IN GROUP.
Allow print Rights settings for the currently selected role.

Allow copy
Allow color
Allow fax
Allow 3D
Once you have configured the desired behavior, click SAVE CHANGES, and the rule will be saved.
Inheritance and Competition Among Roles

The Principle

To understand rights inheritance, it is important to know how the role's structure works.
Every YSoft SafeQ 6 installation includes the role everyone by default. This role cannot be
deleted. Every YSoft SafeQ 6 user has this role automatically assigned — that is, every user
is a member of the role everyone and this cannot be changed. This role is superior to all
roles you create.
If you set access rights for the role everyone, these rights will be applied to all users. You
can set detailed rights by defining a new role, setting its rights, and assigning it to a user.
The new role inherits rights from its superior group everyone, but the settings made in the
new role override its parent role settings.
If you set access rights for an individual device, these rights take priority over the settings
of the entire device group.
If a user is assigned multiple roles of the same level at the same time, prohibition has priority.
Example: The user1 login is a member of the role everyone, role1, and role2. The role
everyone has print access rights set for a device group named Default. For role1, the device
group Default is prohibited and for role2, this group is permitted. As a result, user1 is
prohibited from printing to all devices included in the Default group because the permission in
the everyone role is ignored. user1 is also a member of other roles that are permitted to print
to this Default device group, but the role everyone is subordinate to other roles and
ignored – the only settings that matter for user1 are the settings made for role1 and role2.
Printing is prohibited to the Default group for role1 and permitted for role2. Because
prohibition has priority (see above), prohibition is applied.
Unlike function rights, assigning device access rights has one extra feature – the ability to
assign default rights to a role. A role's default device rights will apply to all device groups that
do not have rights explicitly set for the particular role. A role's default device rights settings
have priority over the access right settings of a device group, both for the role everyone and
for any other roles.
Example: A user is a member of the role everyone and role1. The role everyone has printing
rights set for the device group devices1 and role1 has default rights set for copying. If the
user accesses a device that is not part of the device group devices1, printing is permitted to
a user because it is permitted to the everyone role. If a user accesses a device that is not
part of the device group devices1, copying is permitted to the user because the default

rights for copying have been set for their role in relation to all device groups that have not
been explicitly set. This means that if a user role1 has printing rights set for the device group
devices2, the default settings are ignored and printing is permitted to the user only
according to role1's device rights set explicitly for the group devices2.
Configuring and Using Rule-Based Engine
Defining a Rule in Rule-Based Engine

Displaying and Using the Rules List
In the YSoft SafeQ management interface, select Rules.
On this page, you can manage print job rules and access the Rules Definition wizard.
There is a list of existing rules defined in the system.
Each rule is represented with the following information:
Name – The name of the rule
Trigger – The action that will trigger the rule
Conditions – The conditions print jobs must meet in order for YSoft SafeQ 6 to apply the rule
Action – The action that will be applied if conditions are met
The following options are available for each rule:
Enable/disable rule
Move the rule position in the list
Edit rule definition
Delete rule
To add a new rule, click the ADD NEW ITEM button.

Adding a New Rule
Once you select ADD NEW ITEM, the rule definition screen appears.

When defining a new rule, follow these steps:
1. Enter a unique name for the rule
2. Define the trigger
3. Specify the job conditions
4. Select the required actions

4.
5. Define the notification
6.
6. Once you have configured the desired behavior, click SAVE CHANGES, and the rule will be
saved.
Rule definition overview

Glossary
Term Definition
Rule Set of associated triggers, conditions, actions and notifications
Trigger Defines action that triggers the execution of rule – when the conditions are
evaluated.
Condition Is reviewed when rule is triggered. Evaluates whether action should be

performed. When more conditions are defined for specific rule, all of them
must be met in order for rule to do action.
Action Action is something the system does, typically with a print job. Happens
when rule is triggered and conditions are met.
Notification Information to end user, manager, administrator or external system about

successful execution of rule – it was triggered and conditions were met.
Triggers
Trigger Description
Print Job Reception from user workstation or print server.

On reception of job by This is where you can affect how the job will be processed by the
YSoft SafeQ server system, e.g., redirect the job to a different queue.
The YSoft SafeQ Client notifications can only be triggered

by this trigger.
Before print job is released to a device managed by YSoft SafeQ 6.

Before job is released to This is where you can reject the job.
the printer
Print job delivery to a device managed by YSoft SafeQ 6

On job's delivery to the This is where you can apply changes to the job, such as conversion
printer to black&white.
When user authenticates at a YSoft SafeQ terminal.

On user's login at terminal
When user logout at a YSoft SafeQ terminal.

On user's logout at
terminal
Rule containing this trigger cannot have any actions, only
notifications.

Trigger Description
When status of user print job has changed.

On job status change
Rule containing this trigger cannot have any actions, only

notifications.
Conditions
Job Conditions Supported triggers Notes
Triggers:
Job belongs to <user> On reception of job by YSoft
SafeQ server
Job owner's username <is
Before job is released to the
/ is not / contains / does not
printer
contain / matches / does not
On job's delivery to the
match / starts with / ends with>
printer
<text>
On user's logout at terminal
Triggers:
Job belongs to user with On reception of job by YSoft
<role> SafeQ server
printer
printer
Triggers:
Job belongs to user from On reception of job by YSoft
<cost center> SafeQ server
Job owner's cost center
printer
number <equal to / not equal to /
greater than / lesser than /
printer
greater or equal to / lesser than
or equal to> <number>
Triggers:
Job is printed on <device> Before job is released to the
printer
printer


Job is printed on device On job status change
whose name <is / is not /
contains / does not contain /
matches / does not match /
starts with / ends with> <text>
Triggers:
Job is printed on printer Before job is released to the At least one type needs
with type printer to be specified (Devices >
Tools > Printer types),
printer
otherwise this condition
is disabled.
Triggers:
Job is printed on device Before job is released to the At least one group must
from <group/ORS> printer be specified (Devices ->
Items -> Add new group),
printer
otherwise this condition
is disabled.
Triggers:
Job title <is / is not / On reception of job by YSoft Text can be in the form of
contains / does not contain / SafeQ server a regular expression to
matches / does not match / Before job is released to the
detect various patterns.
starts with / ends with> <text> printer
printer
Triggers:
Job has been sent to On reception of job by YSoft Text can be in the form of
named queue <is / is not / SafeQ server a regular expression to
contains / does not contain / Before job is released to the
detect various patterns.
matches / does not match / printer
starts with / ends with> <queue_ On job's delivery to the
name> printer
Triggers:
On reception of job by YSoft
SafeQ server


Job has been sent to printer
queue type <direct / secured / On job's delivery to the
shared> printer
Triggers:
Job <has / has not> set a On reception of job by YSoft Setting a system tag
<system tag> SafeQ server (using the "Mark job with
tag" action) in one rule
printer
doesn't affect other rules
because all conditions are
printer
On user's logout at terminal evaluated at the
On job status change beginning.
Triggers:
Job <has / has not> set a On reception of job by YSoft Setting a user tag (using
<user tag> SafeQ server the "Mark job with tag"
action) in one rule doesn't
printer
affect other rules
because all conditions are
printer
On user's logout at terminal evaluated at the
On job status change beginning.
Triggers:
Job file size <equal to / not On reception of job by YSoft
equal to / greater than / lesser SafeQ server
than / greater or equal to / lesser Before job is released to the
than or equal to> <number> <B / printer
KB / MB / GB / TB> On job's delivery to the
printer
Triggers:
Job has <status> On reception of job by YSoft Only notification can be
SafeQ server executed on this
condition.
printer
printer

Job page conditions Supported triggers Notes
If Job contains <more

The rule requires enabled
than, equal to, less than,
job parser.
between> <x> [<all,b/w,color>]
pages [with paper size <large,
small>]
User status conditions Supported triggers Notes
Triggers:
Total amount of <all pages On reception of job by YSoft This rule is not applied
per month / BW pages per year / SafeQ server before first statistics are
etc.> by job owner is <equal to / Before job is released to the
processed (processing of
not equal to / greater than / less printer
than / greater or equal to / less statistics is run
than or equal to> <number>. approximately every hour)
printer
This rule requires the
following property to be
enabled: displayPrintedPag
esPricesOnTerminal
Triggers:
Outcome of authentication On reception of job by YSoft
on terminal <equal to / not equal SafeQ server
to> success Before job is released to the
printer
printer
Time conditions Supported triggers Notes
Triggers:
Current <day of week / On reception of job by YSoft
day of month> is <equal to / not SafeQ server
equal to / greater than / lesser Before job is released to the
than / greater or equal to / lesser printer
than or equal to> <day in week / On job's delivery to the
day in month> printer

Triggers:
Current time is <equal to / On reception of job by YSoft
not equal to / greater than / SafeQ server
lesser than / greater or equal to / Before job is released to the
lesser than or equal to> <time> printer
printer
Actions
Transform Job Operations Supported Triggers Notes
Triggers:
Add watermark <text> to On job's delivery to the Watermarking feature is
each page. Add it to <position> of printer available for PCL and
the page, rotate it by <number>°
PostScript jobs only.
and use font with <size> and
<color> Only ISO Latin-1 and Latin-2
character set is supported.
Variables can be used, see

below for their definition.
Triggers:
Find <text> in PJL header On job's delivery to the When a match is found,
and replace it with <text> (<Append printer whole line is replaced. Be
/Do not append> the text when
sure to specify the pattern
searched text is not found)
and the new value in the
following format: "@PJL
SET <HEADER>=<VALUE>"
Triggers:
<Convert / Do not convert> On job's delivery to the
job to gray scale printer
Triggers:
<Convert / Do not convert> On job's delivery to the
job to duplex printer
Triggers:


<Convert / Do not convert> printer
job to simplex
Triggers:
Print job <number> times On job's delivery to the
printer
Triggers:
Mark job with <tag> On reception of job by This action will not affect
YSoft SafeQ server the evaluation of tag
conditions in subsequent
rules because all conditions
are evaluated before any
rules are executed.
Change processing workflow Supported triggers Notes
Triggers: A direct queue can be selected

Re-queue the job to <queue> On reception of job by from a list of existing direct
YSoft SafeQ server queues.
Alternatively, a direct or shared
queue name can be typed
manually. In that case, variables
can be used in the queue name
(see below).
Triggers: Used for redirecting the job from a

Redirect the job to the On reception of job by direct (or shared) queue to the
secure queue YSoft SafeQ server secure queue, so that it is held by
the server and not printed
immediately.
Triggers:
Reject print job Before job is released to
the printer
Triggers:
Delete print job On reception of job by
YSoft SafeQ server
Triggers: User authentication is denied

Deny authentication on On user's login at (after successful authentication).
terminal terminal
Triggers: Variables may be used in the text

Change job title to <text> On reception of job by (see below).
YSoft SafeQ server

Triggers:
Change job owner to <user> On reception of job by
YSoft SafeQ server
Triggers:
Change job billing code to On reception of job by
<billing code> YSoft SafeQ server
Triggers:
Set job as <favorite / not On reception of job by
favorite> YSoft SafeQ server
Notifications
General Notification Information Supported triggers Notes
Triggers:
Send e-mail with <subject> all Variables can be used, see
and content of <text> to job
owner
Triggers:
Send e-mail with <subject> all Variables can be used, see
and content of <text> to <user>
Triggers: Executes any application, optionally

Run external <script> all passing some information as
parameters.
Example of input: C:\script.bat
[USER_EMAIL] [JOB_STATUS] (This will
execute a script.bat located on a C
drive with 2 parameters).
Variables can be used, see

Variables
Some variables are not available for some triggers.
Variable Description
[DEVICE_ID] Internal YSoft SafeQ Management Service unique ID of the involved device
(printer, mfp)
[DEVICE_IP] IP Address of the device

[DEVICE_NAME] Device Name as configured in YSoft SafeQ Management Service
[DEVICE_DESCRIPTION] Device Description as configured in YSoft SafeQ Management Service
[DEVICE_LOCATION] Device Location as configured in YSoft SafeQ Management Service
[DEVICE_EQUIPMENT_ID] Device Equipment ID as configured in YSoft SafeQ Management Service
[DEVICE_SERVICE_AGREE Device Service Agreement ID as configured in YSoft SafeQ Management

MENT_ID] Service
[DEVICE_CONTACT_PERS Device Contact Person as configured in YSoft SafeQ Management Service

ON]
[DEVICE_ZIP_CODE] Device ZIP Code as configured in YSoft SafeQ Management Service
[DEVICE_BACKEND] Data Delivery Method as configured in YSoft SafeQ Management Service (e.
g., TCP/IP Raw, LPR, IPP)
[DEVICE_SPOC_GUID] GUID of the Spooler Controller managing the device
[DEVICE_SPOC_NAME] Name of the Spooler Controller managing the device
[USER] Owner of the job in the format "Name Surname (login)"
[USER_NAME] User's first name from the Identity Database
[USER_SURNAME] User's surname from the Identity Database
[USER_LOGIN] User's login from the Identity Database
[USER_EMAIL] User's email address from the Identity Database
[USER_HOME_DIR] User's home directory from the Identity Database
[USER_NOTE] User's note from the Identity Database
[USER_OU_NUM] User's cost center number from the Identity Database
[USER_ID] Internal YSoft SafeQ Management Service unique ID of the user from the
Identity Database
[JOB_ID] Internal YSoft SafeQ Management Service job unique ID (not available during
job reception)
[JOB_GUID] Internal YSoft SafeQ Management Service job GUID (part of the filename in
the JobStore folder in the spooler)
[JOB_TITLE] Job Title
[JOB_SIZE] Size of the print job (formatted for readability)
[JOB_SIZE_RAW] Size of the print job (plain number in bytes for machine readability)
[JOB_PROJECT_ID] Internal ID in YSoft SafeQ Management Service of the billing code selected
for the job

[JOB_QUEUE] Target print queue name
[JOB_STATUS] Current job status
[JOB_STATUS_NUM] Current job status as a numeric identifier
[JOB_NOTE] Internal note generated by system
[JOB_ORIGIN] IP address or hostname from where the job was received
[JOB_SPOOLER_HOSTNA Hostname of the spooler that received the job

ME]
[JOB_SPOOLER_GUID] GUID of the spooler that received the job
[JOB_SPOC_GUID] GUID of the Spooler Controller that received the metadata of the job
[JOB_PAGES_BW] Number of black and white pages in the job
[JOB_PAGES_COL] Number of color pages in the job
[JOB_PAGES_BW_LARGE] Number of large-format black and white pages in the job
[JOB_PAGES_COL_LARGE] Number of large-format color pages in the job
[JOB_PAGES_LARGE] Number of large-format pages in the job
[OP_DATE] Current date and time
[DATE] Current date
[TIME] Current time
The Send e-mail notification sends message in plain text. Microsoft Outlook by default
removes line breaks in plain text e-mails. If this issue occurs in your environment, disable the
Remove extra line breaks in plain text message options in Microsoft Outlook:

Using YSoft SafeQ Desktop Interface Notifications
A Desktop Interface notification displays when a job is received by the YSoft SafeQ server. When
this event occurs, a pop-up window displays on the user's computer.
NOTES:
To use a Desktop Interface notification , the trigger On reception of job by YSoft SafeQ
server must be used.
RBE notifications work only with FlexiSpoolers in spooling client mode.
The interval after which a Desktop Interface notification window closes itself can be
specified in the notificationWindowTimeoutSeconds parameter. It is set to 5 seconds b y
default.
Adding a New Rule
In the YSoft SafeQ management interface, select Rules.
On this page, you can manage print job rules and access the Rules Definition wizard.

To add a new rule, click the ADD NEW ITEM button.
1. Choose the trigger On reception of job by YSoft SafeQ server.
2. Specify the job condition.
3. Select the required actions.
4. Choose YSoft SafeQ Desktop Interface notification and edit Text
You are able to use formatting syntax to create rich text notifications.

You are able to use variables to make notifications more informative.
During the writing of notification text, a preview displays.
Finally, when a registered event occurs, the notification will display on the user's computer.
5.9.1.9 Management Interface - System
About
On the System tab, you can access the following functions:
Configuration
LDAP integration
License information
Configuration
Through this configuration page, an authorized administrator can manage YSoft SafeQ 6's
configuration.
There are several views of System Configuration with different impacts on system stability.
Understanding of the views is therefore a vital knowledge.
All configuration settings are saved in a database. There may be some configuration files in the
YSoft SafeQ 6 installation directory, however, these are considered as a part of the application,
required for its starting up and shall not be modified at any time.
There are the following rules for updating the configuration :
All nodes have to be up and running when changing settings.
It is highly recommended to update the configuration on the master node.
General Overview
System settings can be found on the web interface: System > Configuration.

Please note that the settings of the LDAP integration are on a separate page in user
management, see LDAP Integration.
Working with System Configuration
Search filter
On the System settings page, you can search for properties:
by entering a text phase into the text field. This phase must be part of a property name,
description or internal name.
by checkin/unchecking the YSoft SafeQ 6 components which are using this property
To apply a current search filter, click the Search button.
Use advanced search to search in the main sections or properties with a change value from the
default ones.

Tablet panels
The tablet panel on the left-hand side of the page represents different categories of system
settings. The number of displayed categories depends on the currently selected view and search
filter.
To change a category, click its name. The currently selected category is always highlighted in
white.
Property details
Each property listed in the System settings contains some attributes, which are described below.
All attributes marked with an asterisk are always displayed for each property.
Functions
In the top right-hand corner, there are a few functions available for this page.
Actions
Name Description
Import configuration from the Imports a previously exported file with differential settings with the
XML file following conditions:
The differential system settings in the import file have to
exist in the existing YSoft SafeQ 6 settings and only the value
is updated. If the system setting does not exist in YSoft
SafeQ 6, an error is reported.
The setting has to contain valid values that can be imported.
The setting in YSoft SafeQ 6 that should be overwritten by
the value from the import file cannot be read-only otherwise
an error is reported.
A setting that exists as a user setting in YSoft SafeQ 6
cannot be overwritten by any settings from the import file.
Such a setting has to be modified only from the web
interface.

Name Description
An imported user-defined setting cannot overwrite an existing

system setting in YSoft SafeQ 6.
If your import fails, remove the invalid setting from the import file
according to these conditions and try to load it again.
Export changed configuration Exports settings contain a difference between the default value and
into the XML file the set value. Only a key and a current value are exported. All user-
defined settings are exported as a full record, which means with
information about used subsystems, all flags, the default value and
its assignment in a category to be able to restore it again in the
import. Settings that are not changes are not exported.
Views
YSoft SafeQ 6 system settings are divided into three levels, based on the impact on the YSoft
SafeQ 6 system.
Basic
Advanced
Expert
Basic view manages the standard configuration that varies from installation to installation and
can be set according to the current needs whereas Advanced view manages configuration
values that cannot be changed without further consulting YSoft SafeQ Documentation or Y Soft
technical support personnel. Expert view shows the attributes with the highest impact on YSoft
SafeQ stability and its change is subject to a written approval of Y Soft Corporation or Y Soft
technical support personnel may be requested to perfom this operation.
Save settings
To save new settings, you have to click the Save Changes button before leaving the system
settings page. Use the Discard Changes button to discard the current edit.
Settings in the Dashboard Widget
Some basic settings can also be edited from Management Interface - Dashboard. For changes to
the setting using the widget, the same rules as for System Settings apply.

Delivering a Configuration to a Customer
As a CSS technician or Y Soft partner, I want to deliver changes in the configuration to a

customer so that the customer environment can be set properly, even without a skilled person
onsite.
To prepare changes to the configuration, create an XML file for importing with the following
structure:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
<property>
<key>property name</key>
<value>value</value>
</property>
<property>
<key>property name 2</key>
<value>value 2</value>
</property>
...
</configuration>
Any user with the right to change system settings can then import the XML file.

Please note that you have to follow the rules for importing the setting. Also, YSoft SafeQ 6
services must be restarted for applying settings where required.
LDAP Integration
About
To set up LDAP/Active Directory integration, go to System > LDAP Integration in the YSoft SafeQ
management interface. You can also access the same configuration page through the Welcome
to YSoft SafeQ 6 widget on the main screen.
You can set up the replication process in three modes:
Basic
Advanced
Expert
Once the LDAP connection is configured (see below), save the settings and run the
synchronization using the Sync now button.
Basic Mode
Status tab

The Status tab contains only information about the last synchronization with the LDAP server
(date, duration and result) and the count of added/updated/deleted users, cost centers and roles.
If there is an error, the error will display here.
Settings tab
The Connection section is used to set up these essential settings for LDAP integration:
LDAP server type (AD, NDS, OpenLDAP) – use AD for Active Directory
URL of LDAP server – use a URL starting with LDAPS to use an encrypted connection (or
LDAP for a plain connection)
Mode of LDAP server certificate check – defines how the LDAP server certificate is validated
(applies to LDAPS protocol only)
LDAP bind method – method used for authentication and data security on the LDAP level
Searched LDAP subtree
The Mode of LDAP server certificate check setting is very important for security and may
require additional non-trivial configuration, supported options are:
Windows certificate store – The LDAP server certificate is verified using the certification
authorities set in Windows (a certificate import might be required). The certificate also has
to match the value of URL of LDAP server.
Java truststore (with hostname check) – The certificate is verified using authorities in a
dedicated Java truststore where the certificate authority needs to be installed. The
certificate also has to match the value of URL of LDAP server.
Java truststore (without hostname check) – The certificate is also verified using the
Java truststore but the certificate does not have to match any URL. This can be secure
only if all certificate authorities in the truststore are controlled by trusted individuals
exclusively, other authorities have to be removed.
No certificate check (insecure) – Any certificate is accepted for a TLS connection, this
option is not recommended in production as it is insecure.
Please see Configuring secured connection to the LDAP server for more information. Here is
an example of how to import CA certificate for the Java truststore methods.
java\bin\keytool.exe -server -import -alias YourCompanyCA -file YourCertificate.cer -keystore

conf\ssl-truststore
The correct setting of LDAP bind method needs to be selected so that YSoft SafeQ can
authenticate to the LDAP server configured, supported options are:

Simple bind – This is universal password-based authentication method simply passing the
username and password in plain. From a security perspective, this is acceptable if an
LDAPS connection is used since the entire communication is protected on the TLS level.
LDAP servers might refuse to accept an unsecured LDAP connection using simple bind (e.
g. based on registry settings of an Active Directory server). Select this method if an
anonymous connection is to be used.
LDAPv3 SASL DIGEST-MD5 – An advanced authentication mechanism added in LDAP

version 3 is used which does not expose plain-text passwords. In addition, if an unsecured
LDAP connection is used, the data transferred will be integrity-protected and also
encrypted if the LDAP server supports it. However, using LDAPS is still recommended for
better security. This method can also be used together with LDAPS, when only the initial
authentication might be affected (LDAP servers might refuse to accept connections with a
doubled data protection mechanism). Note there are limitations when using this method, e.
g. the IP address in the URL of LDAP server setting is not supported.
Please see Configuring secured connection to the LDAP server for more information and the
full list of limitations.
The On-demand mode section allows you to enable Load users on demand. This type of
replication mode is sometimes referred to as semi-online. When enabled, users are created only
during job reception or when logging into the terminal.
Full and differential replication update only the users already registered within YSoft SafeQ 6.
Replication of Roles and Cost centers is unaffected.
When a user's card is removed from the LDAP, it is not synchronized to the database with the
configuration option removeCardsInDiffLdapReplication .
In the Service account section, the LDAP user credentials can be specified if needed:
Anonymous – Anonymous access is used, no credentials are needed.
Authorized – The username and password for LDAP access need to be specified. The
selected account has to have at least read access to reach the users and their attributes
Please ask your domain administrator for LDAP credentials. Specific username (principal)
format might be required based on LDAP bind method selected. For LDAPv3 SASL DIGEST-
MD5 setting, use only the username string with no prefix or suffix. Simple bind setting
supports more formats, e.g. user@domain or distinguished name.
The Scheduling section gives you the possibility to schedule the run of replication. All settings
are revealed after you check the Enable regular synchronizations checkbox. The options are:

Start full replication – You can select the days and times for full replication by clicking
checkboxes.
Start differential replication – You can specify the hours or time interval from the last
replication to starting differential replication. This type of replication will be started every day.
You have to restart the YSoft SafeQ Management Service services to apply these changes.
Test settings tab
The Test tab enables you to test the connection to the LDAP server. Please note that the
settings have to be saved before the test can start. If the settings are correct, the test will
return the first five users, cost centers and roles matching the entered settings and filters.
There is a summary table at the top if more than one LDAP connection (domain) is set. You can
see if the domain settings are correct (all icons are green) or if something is set up wrongly (red
icons). If the test returned fewer than five results, the icon is orange. This does not necessarily
mean that the setting is wrong (there could be only three objects of that type in the LDAP) but a
warning is raised so the administrator can check if, for example, the filter settings are correct.
You can list the returned items for each domain by clicking the domain name in the summary table.
A summary table is not displayed if only one domain is set.
YSoft SafeQ 6 uses the LDAP Control Extension for Simple Paged Results Manipulation (
RFC-2696) for limiting the fetched results. If this extension is not supported by the LDAP
provider, using the paging will result in an Operation not supported error. In this case, please
do not use paging in responses or the Test feature to avoid this extension usage.
Log tab
On the last tab called Log, you can see the information that was logged by the running LDAP
replicator. This is a good place for troubleshooting if there is an issue with the replication process.
Advanced Mode
The Advanced mode adds an Advanced settings tab, which can be used to configure additional
settings.
In the Replicator section, these settings can be configured:
Number of objects in search request – The maximum number of objects requested on one
response page during a search. Set to -1 for an unlimited response.
List of binary attributes – A list of attributes that contain binary (non-string) values.
Attributes are separated by commas. No spaces are allowed.
Maximum number of reconnection attempts – The maximum number of reconnection

attempts when a connection with the LDAP fails during critical operations.

Delete imported objects in case of an error – The parameter affects only Full replication (not
Differential replication). YSoft SafeQ Management Service launches the procedure for the
deletion of outdated objects at the end of every full LDAP replication. For example, when a
user is deleted on the Active Directory side, this user is deleted on the YSoft SafeQ
Management Service side at the end of LDAP replication by the procedure for the deletion of
outdated objects.
If this parameter is set to "disable" and there is an error during the replication (a
connection error, unexpected values...), the procedure for deletion of outdated objects is
not launched – this way it prevents the deletion of valid objects. It is strongly
recommended to leave it with the default value "disable".
If this parameter is set to "enable" and any error during replication occurs, the procedure
for deletion of outdated objects is launched – this may result in even valid objects being
deleted during replication and users will be unable to authenticate. "Enable" should only be
selected in special cases (for example, as a temporary workaround for issues where the
LDAP contains incorrect values).
Terminate replication if an error occurs – Enable this feature to terminate replication if any
error occurs while synchronizing user roles or cost centers (these objects are synchronized
before any user account).
Remove cards from the database during differential replication
The Users schema section allows you to specify your own attributes that contain important user
data such as an attribute containing aliases, login, cards numbers and other data:
Import users – If disabled, only cost centers and groups are imported – not users.
Attribute containing username – Do not include domains in usernames – Determines how the
domain will be separated from the login:
Option none – The domain will not be separated from the login and the string will be used
as it is
Option at sign or backslash (@, \) – The domain will be separated by (@, \)
Option dot (.) – The domain will be separated by (.)
Login Alias
Do not include domain in username none at sign or backslash (@, \) dot (.)
john.doe@example.com --- john.doe john
martin@example --- martin ---
example.cz\bailey --- bailey example
jfreeman.example --- --- jfreeman
john.doe.example.com --- --- john

Do not include domain in username
Attributes containing aliases – Attributes containing user aliases. Use commas to separate
multiple attributes.
Attribute containing user first name
Attribute containing user surname
Attribute containing user email
Check username uniqueness – It is restricted to have two or more users with an identical
login within a single tenant. If both this option and the option Overwrite user if already exists
in database from Filters tab in Expert mode are enabled, then the original user created in the
YSoft SafeQ management interface is deleted and the user from the Active Directory is
created. Otherwise, user data received from the remote LDAP server is merged with an
existing user created in the YSoft SafeQ management interface.
Attribute containing user role (membership) – The attribute containing the user role
(membership). This multi-valued attribute is a collection of the Distinguished Names of all
groups the user is a direct member of.
Attributes containing cards/PINs – Attributes containing cards and PINs. Use commas to
separate multiple attributes. Multiple values can be replicated from this attribute.
Card number conversions – Used for the conversion of card numbers replicated from
Directory services (AD, NDS, OpenLDAP). You can use The Card Conversion Tool to find a
suitable conversion rule automatically or create the conversion rule manually. For more
information on how to create a conversion rule, see the Card Number Conversion article.
Card separator – If multiple card numbers are stored in a single-value attribute in the LDAP,
the card numbers are separated by the defined separator.
Note: The separator must not contain the apostrophe character (ASCII code 039).
Note: If the LDAP replicator is used in On-demand (semi-online) mode, this feature is not
supported – only one card number may be stored in each single-value attribute.
Delete all the user’s cards when a user’s account is deactivated – When a user's account is
deactivated in the LDAP, all the user's cards will be deleted in the database.
Note: If this option is enabled, the user’s cards that were added via the YSoft SafeQ
management interface or card self-assignment will also be deleted from the database.
Because this operation cannot be undone, the recommended value is disabled.
Note: Do not enable this option if multiple LDAP accounts are merged into one YSoft SafeQ
6 user account (that is, if multiple LDAP accounts have the same employeeID attribute).
Deleting or disabling one of the accounts on the LDAP server causes all cards from the
merged user account to be deleted from the YSoft SafeQ database.
Attribute containing PIN code – The attribute containing the PIN, which can be converted if
the PIN code conversion value is defined. Only a single value is replicated from this attribute.

PIN code conversion – Used for the conversion of PIN codes replicated from Directory
services (AD, NDS, OpenLDAP) to the database. The default system configuration of YSoft
SafeQ 6 requires that PIN codes in the database are stored in the following format: PIN + MD5
hash of the PIN itself (PIN in LDAP is 1234, database value is
PIN81dc9bdb52d04dc20036dbd8313ed055 which requires "MD5;LeftAppend(PIN)" conversion
rule). For more information on how to create a conversion rule, see the Card Number
Conversion article. The conversion must reflect the setting of the conversionPin attribute in
System configuration.
Attribute containing preferred language - The attribute containing the language code of
user's preferred language for an Embedded Terminal. For currently supported languages and
their codes, see Configuring supported languages in Embedded Terminal.
The Groups schema section allows to configure:
Attribute containing group name
Attribute containing group description
Attribute containing group role (membership)
Load primary group
The Cost center schema section contains settings:
Keep users in their current cost center
Attribute containing cost center name
The Home directory schema section allows you to set:
Keep current users' home folders
Attribute containing home directory
The port on which the LDAP listens to YSoft SafeQ Management Service can be configured by
the Port for internal LDAP Replicator communication (ldap-replicator-service-port) expert
property.
Expert Mode
Expert mode unlocks the following tabs and features.

Domains tab
It is possible to configure replication for more LDAP domains, see separate Domains
documentation.
Connection tab

Timeout – The number of milliseconds after which the connection to the LDAP server times out if
there was no response. If several reconnection attempts are configured in the Replicator tab,
LDAP replication will retry the connection after a delay specified by the ldapReconnectionDelay
System settings configuration property.
The On demand mode has two expert options available on the System > Configuration page:
Number of threads (property ldap-replicator-online-mode-threads) – The number of

concurrently running threads. The number of threads should not exceed the number of LDAP
connections. The database should have a sufficient number of open connections.
Maximum response time (property ldap-replicator-online-mode-timeout) – The maximum

response time in seconds. Requests that take longer than the given time are prematurely
canceled.
Expert settings tab
Expert mode adds the Expert settings tab, which contains a few more configuration sections.
The User unique mapping section allows you to configure options and conversion for user unique
mapping, an option for extracting external ID and several options for the user's organizational unit
mapping.
Options for unique mapping of users – Options for user unique mapping:
ID-GUID – for mapping a user to the GUID
ID-[attribute-name] – for mapping a user to an attribute
[name-of-numeric-attribute] – for ID equivalency mapping
Conversion for unique mapping of users – Turn on the conversion of user unique mapping
Options for user unique mapping, e.g., for ”GUID” (=value ”ID-GUID”) is converted to ”objectGUID”
(used for Active Directory). Usually, for the existing installations, the value Enable should be
set for backward configuration compatibility.
For new installations, it is recommended that you use Disable and the specified item Options for
user unique mapping properly, e.g., ” Options for user unique mapping = ID-objectGUID” for Active
Directory. Typically, Disable is used for non-AD servers.
The External ID extraction section contains only Option for extracting external ID – An option
for extracting ext-id from the attribute Options for user unique mapping. Matching parts are used
for the output. An unmatching input is not processed. For example: regex (d+)-adm-(d+)|adm-(d+)
for inputs 12345-adm-6789, 123-adm-456789, adm-123456789, 123456789 will have same output
12345678.
In the User's organizational unit mapping section, these settings can be configured:
Options for user cost center mapping

DN:[attribute-name] – Cost centers are searched by a query in the LDAP, the cost center
is assigned according to LDAP setting (by DN prefix). [attribute-name] determines the user
ext-id. Example: DN:GUID
NUMBER:[attribute-name] – Cost center creation during user replication. The number is

stored in the user’s [attribute-name]. The name is created as ”OU-”[attribute-name],
example: NUMBER:department
NAME:[attribute-name] – Cost center creation during user replication. The name is stored
in the user’s [attribute-name]. The number is identical to the ID (initialized by sequence).
Example: NAME:department
NN1:[attribute-name-with-number]:[attribute-name-with-name] Cost center creation

during user replication. [attribute-name-with-number] contains the cost center number and
[attribute-name-with-name] contains its name. Example: NN1: department:company
NN2:[attribute-name]:[groups-order]:[pattern] – Cost center creation during user

replication. The user’s [attribute-name] must include content that matches reg-ex [pattern].
The value must contain at least two reg-ex groups: the first for the OU name, the second
for the OU number. [groups-order] is string ”name,number”, or ”number,name” depending on
the mapping order of regex-groups to the OU number and the OU name in [pattern].
Example: NN2: department:number,name:([^:]*):(.*)
Conversion of user cost center mapping - Turn on the conversion of the user’s cost center
unit mapping (Options for user’s cost center mapping). For example, ”GUID” (=value ”DN:GUID”)
is converted to ”objectGUID” (used for Active Directory). Usually for existing installations, set
this value to Enable for backward configuration compatibility. For new installations, it is
recommended that you use Disable and the specified item Options for user’s cost center
mapping, for example, ”Options for user’s cost center mapping = DN:objectGUID” for Active
Directory. Typically, Disable is used for non-AD servers.
Map cost center only when value exists – When enabled, the user’s cost center information
is updated only if the cost center exists. If disabled, the user is saved without cost center
information.
The User's groups mapping section contains these settings:
Attribute containing unique identifier for groups – The name of the LDAP attribute
containing the unique identifier for groups.
Bind user to ancestor groups – The option that specifies to map the user not just to its
superior roles but also to roles superior to these roles.
In the Filters section, you can specify additional filters for users, groups or cost center searching
and some other filters according to your needs:

Additional filter for user searches – You can use this filter if the standard built-in filter
includes unwanted objects in the search result. For example, a filter for users that have not
been disabled (&(objectCategory=Person)(objectClass=user)(!(userAccountControl:
1.2.840.113556.1.4.803:=2)))
Additional filter for group searches – Use this filter if the standard built-in filter includes
unwanted objects in the search result.
Additional filter for cost center searches – You can use this filter if the standard built-in
filter includes unwanted objects in the search result. This setting is, in effect, only when
Mapping -> Options for user’s cost center mapping is set to DN:keyword (for example, DN:
GUID). With other options (like NAME, NUMBER,...), this option is not used.
Ignore distinguished name when searching for users – Domain name branches to ignore
during searches of users. Separate multiple values with a pipe.
Ignore distinguished name when searching for groups – Domain name branches to ignore
during searches of users. Separate multiple values with a pipe.
Ignore distinguished name when searching for cost centers – Domain name branches to
ignore during searches of users. Separate multiple values with a pipe.
Overwrite user if already exists in database – Enable this option if you have created internal
users prior to synchronization from the LDAP. If both this option and the option Check
username uniqueness from Users schema tab in Advanced mode are enabled, then the
original user created in the YSoft SafeQ management interface is deleted and the user from
the Active Directory is created. Otherwise, user data received from the remote LDAP server is
merged with the existing user created in the YSoft SafeQ management interface.
Merge automatically generated accounts in YSoft SafeQ 6 database – If multiple user

accounts are automatically generated in the YSoft SafeQ database, they can be automatically
merged once accounts are created in the LDAP with aliases that are the same as the
generated accounts. This should be enabled only when using the anonymous print feature.
Running the Replication
Once you are finished with settings, you can save the LDAP replicator settings by clicking the
Save changes button. Also, if you want to run the replication immediately, you can do so by
clicking the Sync now button.
Replication is always run by the cluster node designated by the ldapReplicatorClusterNodeId

configuration option. The configuration option can be set to the ID of the cluster node that should
run the replication. The default value is '-1', which means the replication is run by the first cluster
node (the node with the lowest ID among all nodes in the cluster, running or not). LDAP replication
is not executed if the designated node is not operational.

LDAP password encryption
Integration with LDAP uses encryption configuration defined in <safeq_folder>/Management

/conf/safeq.properties, meaning whenever the following configuration property is present,
the encryption is enabled.
dataProtection.pathToKey = <path to key file>
Note that <path to key file> should be absolute file path, eg. c:
\encryption_secure_location\encryption.key
For information about creation and management of dataProtection attributes, as well as full list of
supported configuration options, please refer to the Enhanced Password Protection.
Domains
Section Domains (available in Expert mode) allow an administrator to define multiple LDAP servers
in the environment.
Each domain can have specific or common settings with other domains – this can be done by
clicking the icon next to each setting item (on all tabs). When a user clicks the separating button,
the settings are specific to each domain.
The alternative settings can be discarded using the button with the cross icon.

Print Job Parser Configuration
This page contains a detailed description of the print job parser. The print job parser is used by
YSoft SafeQ 6 to analyze print job properties (e.g., detected print job languages, the count of print
job pages with their color coverage, duplex/simplex information, etc.) and for image preview
rendering.
Configuration
To see and configure parser settings:
1. Log into the YSoft SafeQ management interface with sufficient rights to change system
settings (for example, "admin") and access the Tenant view.
2. Go to System > Expert tab and search required properties or find them in the Spooler
category.
You will be interested in the properties below:

jobAnalysisResolution
The higher the rendering resolution is, the more resources it consumes. Job analysis resolution is
used for job operations such as offline accounting.
Possible values:
Value Description
No rendering While analyzing a print job, it will not be rendered at all, so that just basic
information without accounting details is gathered. This option provides the
best system performance.
Low resolution While analyzing a print job, all its pages will be rendered to a low-resolution
rendering image (36 DPI). This option provides full print job properties information, but due
to the lower resolution, the results will not be as accurate as the high
resolution option. Usable for offline accounting. Please keep in mind that this
option can worsen system performance.

High resolution While analyzing a print job, all its pages will be rendered to a high-resolution
rendering image (150 DPI). This is the most convenient option for offline accounting and
coverage accounting. Please keep in mind that this option has a significant
impact on system performance.
previewResolution
With job preview resolution, the parser can create a preview of incoming print jobs with different
levels of precision – the higher the rendering resolution, the better the quality of the image
generated. Job preview resolution is used for rendering job previews for the terminals and
Possible values:
Value Description
No rendering No print job previews will be rendered.
Low resolution The print job preview will be rendered at a resolution of 36 DPI.
rendering
High resolution The print job preview will be rendered at a resolution of 150 DPI. The preview
rendering will be created at the best quality.
Parsing PostScript and Mobile Print and Mobile Integration Gateway Jobs
YSoft SafeQ 6 comes with a built-in parser for PCL print jobs. PostScript (PS) jobs and jobs from
Mobile Print and YSoft SafeQ Mobile Integration Gateway (both sends raw PDFs) require a
GhostScript parser.
The recommended version is 9.x (version 8.x or lower is not supported!).
The GhostScript parser must be downloaded and installed additionally as due to the licensing
conditions, it is not possible to include it in the YSoft SafeQ 6 installation package. To download
the installation files of GhostScript, please refer to https://www.ghostscript.com/download/gsdnld.
html.
GhostScript can be installed to its default path because FlexiSpooler can detect it automatically
and use the latest version installed on the server/computer. So in the case of multiple
GhostScript versions installed on the server/computer, FlexiSpooler will always use the latest
version. Information about the GhostScript version is found in the registry of the operating
system.
More information on the support of print languages can be found on Print language support and
limitations.
5.9.1.10 Management Interface - Scan Workflows
Overview
Scan workflows create digital content from paper documents consistently and accurately.

Configure scan workflows by accessing the Scan Workflows section of the YSoft SafeQ
Management interface.
The Scan Workflows section contains two subsections:
"Workflows" – in this section, scan workflows are configured and made available to YSoft
SafeQ terminal users. For more details, please refer to Workflows List.
"Connectors" – in this section, connectors are configured to external systems that serve as
the final destinations of documents scanned using scan workflows. For more details, please
refer to Connectors List.
NOTE: To get started quickly with creating the first scan workflow, we recommend
administrators read Workflow Basics.

Core Workflows vs. Advanced Workflows Capabilities
The Scan Workflows configuration options available in the YSoft SafeQ Management interface will
differ depending on whether your YSoft SafeQ license is the Core Workflows or Advanced
Workflows module.
Throughout this guide, features available in the Advanced Workflows module license are marked
with the ADVANCED WORKFLOWS label.
For more detail about YSoft SafeQ licensing, please refer to Licensing.
Workflow Basics
This guide will give you a basic overview of all the steps needed to create a scan workflow.
Create a connector – connectors allow YSoft SafeQ 6 to connect to external systems such
as Microsoft Exchange and shared folders, etc. All workflows (except scan to script) will need
one connector, A connector can be used by several different workflows.
Create a scan workflow – a workflow allows for the configuration of the scan destination,
processing steps executed on documents, scan options, access rights, etc.
Creating a connector
Before creating the first scan workflow, a connector must be created. If a connector is already
created or if creating a scan to script workflow, this step can be skipped.
1. Go to the Connectors screen and click the Add connector button.
2. Enter the following general information to distinguish this connector from another:
Name – a short title, maximum of 64 characters
Description – additional information about the connector. Usually, detailed information to

understand the purpose of the connector, maximum 300 characters
3. Select the desired connector type and follow the specific instructions to configure it:
File system – see chapter Edit Workflow, section File System
Email (SMTP) – see chapter Edit Workflow, section Email (SMTP)
Microsoft Exchange – see chapter Edit Workflow, section Microsoft Exchange
Dropbox Business/Enterprise – see chapter Edit Workflow, section Dropbox Business

/Enterprise
Microsoft SharePoint 2010 – see chapter Edit Workflow, section Microsoft SharePoint
2010
2013

Microsoft OneDrive for Business – see chapter Edit Workflow, section Microsoft
OneDrive for Business
Microsoft SharePoint Online – see chapter Edit Workflow, section Microsoft SharePoint
Online
2016
HPE Records Manager – see chapter Edit Workflow, section HPE Records Manager
Some connector types may not be available in your YSoft SafeQ license.
4. Save changes and continue to workflow creation. The created connector is available to be
used in workflows now.
Creating a workflow
Create a workflow using a connector configured in the previous step or without configuring a
connector if creating a scan-to-script workflow. Use variables in parameters to further customize
the workflow. There are two kinds of variables:
capture – defined during the document capture phase, it can be used in both the capture and
processing phase, e.g. user and device information
user input/process – defined from either a result of processing or user input fields, it can be
used in the processing phase only, e.g. outputs from document processing, user input fields
For the list of available variables, see chapter Edit Workflow, section Workflow Variables.
1. Go to the Workflows screen and click the Add workflow button.
2. Enter the following general information to distinguish this workflow from another:
Name – should be a short description that helps terminal users with workflow selection,
maximum 64* characters
Description – usually, instructions for the terminal user that provide guidance on using
the workflow, maximum 300* characters
* Some embedded terminals do not support text of this length. In such cases, the text is
trimmed.
3. Select a destination connector or scan to script and fill in information specific to the
connector type:
File system – see chapter Edit Workflow, section File System
Email (SMTP) – see chapter Edit Workflow, section Email (SMTP)
Microsoft Exchange – see chapter Edit Workflow, section Microsoft Exchange

Dropbox Business/Enterprise – see chapter Edit Workflow, section Dropbox Business
/Enterprise
2010
2013
Microsoft OneDrive for Business – see chapter Edit Workflow, section Microsoft
OneDrive for Business
Microsoft SharePoint Online – see chapter Edit Workflow, section Microsoft SharePoint
Online
2016
HPE Records Manager – see chapter Edit Workflow, section HPE Records Manager
Scan to script – see chapter Edit Workflow, section Scan to script
4. Select the processing that should be applied to documents:
1D Barcode – see chapter Edit Workflow, section 1D Barcode
Scan Job Separation – see chapter Edit Workflow, section Scan Job Separation
Highlighter extraction – see chapter Edit Workflow, section Highlighter extraction
Highlighter redaction – see chapter Edit Workflow, section Highlighter redaction
OCR – see chapter Edit Workflow, section OCR
Some processing steps may not be available in your YSoft SafeQ license.
5. Select suitable scan settings:
Scan resolution – determines the DPI of the scanned document
Sides – determines whether the document will be scanned as duplex or simplex
Color – determines the color scheme of a scan
Settings are locked for users on the YSoft SafeQ terminal by default, i.e. terminal users are
not allowed to change them. If you want to allow terminal users to customize scan
settings, check the Can be modified by the user on the device option below the settings.
In this case, the selected values become defaults on YSoft SafeQ terminals.
6.
6. Define and rearrange user input fields. User input fields are helpful for collecting information
from terminal users along with a scanned document. The value of each user input field is
stored in a variable and can be accessed in the workflow during processing or delivery.
Please note, process variables cannot be used in the capture phase, i.e. variables defined
by user input fields cannot be used in other user input fields. Add a new user input by
clicking the Add user input button.
7. Provide roles with access to the workflow. This ensures that users in the roles will be
permitted to use the workflow at YSoft SafeQ terminals. If no role is specified, the workflow
will not be available to any users.
8. Save your changes. The workflow is now available on terminals to all users in the roles to
whom you provided access. It is suggested to test a newly created workflow first before
providing access to the workflow to other users. Test a workflow by providing access to
administrators only.
Connectors List
The Connectors list displays all available connectors that can be used by scan workflows as a
destination. One connector can be used as the destination in multiple workflows. On a deeper
technical level, connectors specify instructions for the Workflow Processing System to connect
with different destination systems.
In Scan workflows > Workflows the following options are available:
Add connector – create a new connector and configure its settings
Edit – modify an existing connector and its settings
Delete – delete a connector
It is not possible to delete a connector when a workflow already uses the connector as its
destination. A warning message listing the workflows that use the connector displays in
this case.

Editing a Connector
A connector defines the connection configuration required by scan workflows to deliver

documents to external systems. Each type of external system has its specific configuration
properties.
It is possible to define the advanced configuration properties of a workflow independently of the

selected type of connector.
It is also possible to create several connectors of the same type – for example, two file system
type connectors, each of which accesses a different shared folder and authenticates using
different credentials. A single connector may be used as the scanned document destination in
multiple workflows.
How to configure connectors for different types of external systems is explained in the next
section.
General
First, configure the general properties that are common to all connector types.

1. Name – The name of the connector. It is displayed in the connector list. Together with the
connector type icon, it helps identify the connector.
2. Description (optional) – Additional information about the connector. Usually detailed

information to help other YSoft SafeQ administrators understand the purpose of the
connector.
3. Connector type – Connector type determines the type of the external system to which you
would like to connect. Selecting a connector type displays additional connector
configuration options.
4. SAVE CHANGES / DISCARD CHANGES – Save or discard all changes made to the connector
and return to the connector list.
Configuration
Next, configure the properties specific to each connector type.

File System
Use the file system type connector to access either the local file system or a network shared
folder.

1. Base location
Defines a starting path for all workflows using this connector. It can be:
the path to a local file system on a server running the YSoft SafeQ Workflow Processing
System, e.g., 'C:\scans\'
a UNC path to a network shared folder, e.g., '\\safeq_server_hostname\scans\'
The base path can contain capture variables, e.g. '%userHome%' variable.
2. Authentication
Determines which credentials YSoft SafeQ 6 will use to access the folder. Choose from the
below options:
Use default service credentials – the same account under which the YSoft SafeQ
Workflow Processing System service is running will be used (most suitable for a local
filesystem path).
Use custom service account – manually set account credentials (most suitable for a
shared network folder)
Username – an account name in the format 'domain\username', e.g., 'safeq.

local\scanservice'. If the domain is omitted, the local host is used (.\username)
Password – the account password
3. Impersonate terminal user

3.
When this option is enabled, YSoft SafeQ 6 will access the file system location as it would
be accessed by the user logged in at a YSoft SafeQ terminal. YSoft SafeQ 6 will verify
whether the impersonated user has enough permission to write to the folder or to browse
it. The file/directory owner will be changed appropriately. Enabling terminal user
impersonation is helpful to restrict access to certain folders in a shared folder and to keep
track of who created files.
To allow YSoft SafeQ 6 to impersonate a terminal user, additional configuration is needed:
usernames in YSoft SafeQ 6 must be in UPN format (username@domain), e.g.

user@safeq.local – this username will then be seen as the file owner
WPS service must have read and write access to the shared folder and all its contents
use a custom service account that has the required permissions
WPS service must have the Restore files and directories privilege on the machine that
hosts the shared folder in order to change the file/directory owners. Accomplish this in
several ways:
The Workflow Processing System runs under a Local System account by default.
Add all the computers running the service in the Local Security Policy console
(secpol.msc) to the 'Restore files and directories' policy located in the Local Policies,
User Rights Assignment folder
Or add all computers that host the Workflow Processing System into the Backup
Operators group (which has the required privileges as default) in your domain
Or change the account under which the Workflow Processing System services are
running in the Services console to the one which has required permissions.
For proper delivery of scans into a distributed file system (DFS), please make sure that the "
Network access: Do not allow storage of passwords and credentials for network
authentication“ global policy is set to "Disabled" or not set at all on every server running the
"WPS" service.
Email (SMTP)
Use the Email (SMTP) type connector to deliver scanned files over email using an SMTP server.
There are no editable configuration options for this connector; only the YSoft SafeQ 6 global mail
server configuration displays.Please configure your SMTP mail server in System/Configuration. If
mail server settings are not configured correctly, it is still possible to create an Email (SMTP)
connector; however, workflows that use the connector will fail when delivering scanned files. If
this occurs, the Workflow Processing System logs an error in the wps.log file.

1. Connector type – select Email (SMTP) from the connector type list.
2. Primary mail server – the SMTP server host address set on the System > Configuration
page or the Dashboard > Welcome to YSoft SafeQ 6 widget.
Mail server account – the SMTP username set on the System > Configuration page or the
Dashboard > Welcome to YSoft SafeQ 6 widget.
Microsoft Exchange
Use the Microsoft Exchange type connector to deliver scanned files over email using a Microsoft
Exchange Server. This connector functions similarly to the Email (SMTP) type connector, however,
Microsoft Exchange enables additional capabilities including terminal user impersonation.

1. Web Services URL – a Microsoft Exchange 2010 or Microsoft Exchange 2013 Web Services
URL (usually https://<mail.server>/EWS/Exchange.asmx).
2. Username – the domain and username of the Microsoft Exchange account used for
authentication. If the domain is omitted, the local host is used (.\username).
3. Password – the password of the Microsoft Exchange account used for authentication.
4. Impersonate terminal user (optional) – when terminal user impersonation is enabled, the
connector acts as the mailbox owner. In this case, the email address of the YSoft SafeQ 6
user logged in at the terminal must also exist in MS Exchange (you can configure a user's
email address in the Users tab of the YSoft SafeQ management interface). Emails sent
using a Microsoft Exchange type connector with user impersonation enabled will be stored
in the user's Sent Items folder. The service account should be in ApplicationImpersonation
MS Exchange role when using terminal user impersonation.
When terminal user impersonation is disabled, all emails sent using the connector will be
sent using the service account mailbox. The email sender will be the specified service
account and sent emails will be in the service account's Sent Items folder in Microsoft
Exchange. Please refer to Edit workflow – MS Exchange to use the Send on behalf or Send
as functionality.
Dropbox Business/Enterprise

Use the Dropbox Business/Enterprise type connector to deliver scanned files to a Dropbox
Business or Enterprise team member. It is possible to deliver scanned files to a team member's
private folder as well as to team shared folders.
Prerequisites
In order to use the Dropbox Business/Enterprise connector, a working Internet connection on the
machine where the Management Service is installed is required. If your network configuration
requires a proxy to access the Internet, please follow the steps below.
The proxy connection can be configured via several options, but applies only when YSoft SafeQ
Management Server is not licensed with a multitenant license.
Setting up an Internet proxy
To use an Internet proxy, configuration of several expert level settings in the system
configuration of the YSoft SafeQ Management interface must be made. Switch to expert settings
and use the search function to find proxy related settings (i.e., by typing proxy into the search
field).
useProxy – This setting is ignored for YSoft SafeQ Management Server running in multitenant
mode.
1. To see the Internet proxy configuration, select the Expert level settings.
2. Ensure that YSoft SafeQ Management Server is not deployed with a multitenant license
(because all proxy setting would be ignored). Be aware that the Workflow Processing
System server respects proxy settings all the time.
3. Set the Use a proxy to connect to the Internet setting to Enabled.
proxyEndpoint

1. When using a proxy to access the Internet, specify the proxy endpoint address. The proxy
endpoint must be in the <IP address>:<port> format.
proxyAuthenticate
1. If your proxy server requires authentication, set the Authenticate to the proxy setting to
Enabled.
proxyUser

1. If your proxy server requires authentication, specify the proxy username. If proxy
authentication is not required, leave the field empty.
proxyPassword
1. If your proxy server requires authentication, specify the proxy password. If authentication
is not required, leave the field empty.
Setting up the Dropbox connector
To use a Dropbox Business/Enterprise type connector, it is necessary to authenticate with

Dropbox using OAuth 2 as described in the following paragraphs.

1. Dropbox authorization code – After clicking the Get Authorization Code button, a Dropbox-
hosted browser dialog appears (see the picture below).
In this dialog, enter your Dropbox Business administrator account email, password and click the
Sign in button. Another Dropbox-hosted page will prompt for authorization of the YSoft SafeQ
Workflows Connector (see the picture below).

1. Click the Allow button to allow the YSoft Dropbox Business/Enterprise connector to access
your Dropbox Business account and act as a team member. After confirmation, a Dropbox-
hosted screen will be displayed with an authorization code (see the picture below).
1. Copy the displayed code and paste it into the Dropbox authorization code field in the
YSoft SafeQ Management interface (see the picture below).

1. Dropbox access token – After pasting in the Dropbox authorization code, click the Get
Access Token button to generate a unique access token.

1. Service account username – After the Management interface generates a Dropbox access
token, select a service account username. This does not have to be the Dropbox Business
team administrator – the Service account username list contains all Dropbox team
members.
2. Impersonate terminal user – When terminal user impersonation is enabled, the DropBox
Business connector will deliver scanned files as the user logged in at the YSoft SafeQ
terminal. In such a case, the email address of the YSoft SafeQ user logged in at the
terminal must match an email address of a user in your Dropbox Business team account
(configure a user's email address in the Users tab of the YSoft SafeQ Management
interface). When terminal user impersonation is disabled, all documents delivered using the
connector will be delivered under the specified service account.
Use the SharePoint 2010 type connector to deliver scanned files to a location in a Microsoft
SharePoint 2010 document library.

1. Connector type – Select Microsoft SharePoint 2010 from the connector type list.
2. SharePoint site URL – Sharepoint 2010 site URL. This URL is a fully qualified domain name, e.
g, http://full.domain.name
To acquire this information, please contact your Sharepoint administrator. There is no

other way to find it.
3. Authentication – At this time, the only option is to use a custom service account to
authenticate with Microsoft SharePoint 2010. Authentication using the default service
account is planned for a future release of YSoft SafeQ 6.
4. Username – The domain and username of the Microsoft SharePoint 2010 account used for
authentication. If the domain is omitted, the local host is used (.\username).
5. Password – The password of the Microsoft SharePoint 2010 account used for
authentication.
Sharepoint 2010 Foundation is not supported.
SharePoint 2013 document library. The Microsoft SharePoint 2013 connector allows the
impersonation of a YSoft SafeQ terminal user.

2. SharePoint site URL – Sharepoint 2013 site URL. This URL is the fully qualified domain
name, e.g., http://full.domain.name

3. Authentication – At this time, the only option is to use custom service account to
authenticate with Microsoft SharePoint 2013. Authentication using the default service
account is planned for a future release of YSoft SafeQ 6.
4. Username – The domain and username of the Microsoft SharePoint 2013 account used for
authentication. If the domain is omitted, the local host is used (.\username). The selected
user must have read/write rights for all folders intended to be used in the related
workflows.
5. Password – The password of the Microsoft SharePoint 2013 account used for
authentication.
6. Impersonate terminal user – When this option is enabled, YSoft SafeQ will no longer use the
service account (4,5) to access the Microsoft SharePoint 2013 document library but it will
act on behalf of the user logged in at the YSoft SafeQ terminal. SharePoint will verify
whether the impersonated user has enough permission to write to the document library or
to browse it. The service account will be used to acquire the user's windows identity token.
Enabling terminal user impersonation is helpful to restrict access to certain folders in a
document library and to keep track of who creates files.

In order to allow terminal user impersonation in Microsoft SharePoint 2013, the YSoft SafeQ
user's email address has to match to the same user in Microsoft SharePoint and Microsoft
SharePoint impersonation add-on has to be installed. Please follow the instructions in
Configuring User Impersonation in Microsoft SharePoint 2013 and 2016 to install the
SharePoint add-on.
Scan to OneDrive using Azure China service is NOT currently implemented.
Use the OneDrive for Business type connector to deliver scanned files to a location in OneDrive
for Business.
In order to successfully configure the Microsoft OneDrive for Business connector, it is

necessary to create an Office 365 application in your Microsoft Azure Active Directory –
Please refer to Configuring and Deploying the Office 365 application for SharePoint Online and
OneDrive Business for tips on how to set up your Azure Active Directory environment.
Additionally, the computer where the WPS server runs must have access to the Internet. If
there is a proxy, please make sure to set it up in the YSoft SafeQ Management system
configuration. Set the view setting to "Expert" and search for the term "proxy". This is
important because WPS ignores the Internet proxy settings of the computer it runs on.
There is an option to configure the proxy (see the Dropbox guide for more details).
Please make sure to set up the SharePoint client certificate thumbprint property in the system
settings with your Azure certificate thumbprint.

1. Connector type – Select Microsoft OneDrive for Business from the connector type list.
2. Tenant Name – The Office 365 Tenant Name obtained from the Microsoft Azure Active
Directory, e.g., 'mycompany.onmicrosoft.com'
3. Client ID – The client ID of the Office 365 app obtained from Microsoft Azure Active
Directory.
4. Domain – The domain obtained from Microsoft Azure Active Directory, e.g., 'mycompany' (the
full application URL is 'https://{domain}-my.sharepoint.com')
For more info, see the picture below.

Append to PDF might not work properly with OneDrive for Business for files greater than 3MB
if two or more users are modifying the same document at the same time due to a limitation in
OneDrive's ability to solve conflicts.
Scan to SharePoint Online using Azure China service is NOT currently implemented.
Use the Microsoft SharePoint Online type connector to deliver scanned files to a location in a
selected Microsoft SharePoint Online library.
In order to successfully configure the Microsoft SharePoint Online connector, it is necessary

to create an Office 365 application on your Microsoft Azure AD – Please refer to Configuring
and Deploying the Office 365 application for SharePoint Online and OneDrive Business for tips
on how to set up your Azure AD environment. Additionally, the computer where the WPS
server runs must have access to the Internet. If there is a proxy, please make sure to set
it up in the YSoft SafeQ Management system configuration. Set the view setting to
"Expert" and search for the term "proxy". This is important because WPS ignores the
Internet proxy settings of the computer it runs on. There is an option to configure the proxy
(see the Dropbox guide for more details).

Please make sure to set up the SharePoint client certificate thumbprint property in the system
settings with your Azure certificate thumbprint.
1. Connector type – Select Microsoft SharePoint Online from the connector type list.
2. Tenant Name – The Office 365 Tenant Name obtained from Microsoft Azure Active
Directory.
3. Client ID – The client ID of the Office 365 app obtained from Microsoft Azure Active
Directory.
4. Domain (yellow) – The server name part of the domain obtained from Microsoft Azure
Active Directory. It is usually the first part of the tenant name. For example, with the tenant
name "companyname.sharepoint.com", the domain would be companyname.
5. SharePoint site name (green) – The name of the SharePoint site to use. When empty, the
default SharePoint site is used. When using sub-sites, you need to specify the hierarchy.
For example, for the URL https://companyname.sharepoint.com/sites/subsite/Invoices/, you
need to specify the site as: sites/subsite (Invoices is the document library in this case).
We strongly recommend not to rename sites. If the site's name in SharePoint is renamed, its
internal name will not change. That means that the connector has to be configured with the
original site's name.
For more info, see the pictures below.

SharePoint 2016 document library. The Microsoft SharePoint 2016 connector allows the
impersonation of a YSoft SafeQ terminal user.

2. SharePoint site URL – The Sharepoint 2016 site URL. This URL is the fully qualified domain
name, e.g., http://full.domain.name

3. Authentication – Administrators can only authenticate with a Service account.
4. Impersonate terminal user – When this option is enabled, YSoft SafeQ will no longer use the
service account to access the Microsoft SharePoint 2016 document library but it will act on
behalf of the user logged in at the YSoft SafeQ terminal. SharePoint will verify whether the
impersonated user has enough permission to write to the document library or to browse it.
The service account will be used to acquire the user's windows identity token. Enabling
terminal user impersonation is helpful to restrict access to certain folders in a document
library and to keep track of who creates files.
In order to allow terminal user impersonation in Microsoft SharePoint 2016, the YSoft SafeQ
user's email address has to match to the same user in Microsoft SharePoint and the
Microsoft SharePoint impersonation add-on has to be installed. Please follow instructions in
Configuring User Impersonation in Microsoft SharePoint 2013 and 2016 to install the
SharePoint add-on.
HPE Records Manager WORKFLOW CONNECTORS B

Use the HPE Records Manager connector to deliver scanned files to a location in HPE Records
Manager 8.x. The HPE Records Manager connector allows the impersonation of a YSoft SafeQ
terminal user.
Note that the HPE Records Manager connector is only available when your YSoft SafeQ is
activated with a valid Workflow Connectors B license. Please contact your sales
representative if you require a license for the HPE Records Manager connector.
Prerequisites
The HPE Records Manager Client must be installed on all machines running YSoft SafeQ
Workflow Processing System. The libraries installed with the client are used to access the
HPE Workgroup Server.
1. Network address – the address of the primary HPE RM server in '{protocol}://{machine}:

{port}' format, e.g., 'tcp://server:1137'.
2. Alternate network address – the address of the secondary HPE RM server in '{protocol}://
{machine}:{port}' format, e.g., 'tcp://server:1137', optional.
3. Dataset identifier – the two alphanumeric characters that identify the dataset on the
server.
4. Authentication – the user that will be used to access the HPE RM server.
a. Default service credentials – the user under which YSoft SafeQ 6 WPS subsystem is
running will be used (IntegratedWindows).
b. Custom service account – custom credentials will be used (ExplicitWindows):
i. Username – the service account username, e.g., 'myserver\myuser' for the local
user on the server .
ii. Password – the service account password.
5.

5. Impersonate terminal user – YSoft SafeQ6 will act on behalf of the user who initiated the
scan, this requires that the service account has the right to do so.
Encrypted communication
HPE Records Manager 8.x supports encrypted communication but it must be manually enabled.
1. Open HPE Records Manager Enterprise Studio (usually located on the HPE Records Manager
server).
2. Go to the properties of a selected workgroup server (see the screenshot below).
3. Enable HTTPS, select a port and a certificate (a personal certificate for the local computer).
4. Save and restart the workgroup server.
5.

5. In the connector settings, use the HTTPS protocol and the selected port, e.g., 'https://server:
1237'
HPE Records Manager screenshots are from the 8.3 version build 9635 and may differ in your
version.
Warning
Due to a known security limitation of the third-party components YSoft SafeQ depends on, an
IT administrator using the YSoft SafeQ connector for HPE Records Manager should be aware
of the following limitation: The third-party components YSoft SafeQ depends on do not verify a
server’s identify through the server’s certificate. The certificate on the client side gets
ignored, therefore, anyone with access to an organization’s internal network could intercept
the connection between YSoft SafeQ servers and the HPE Records Manager and read or
modify data. However, user login passwords are not transmitted through the YSoft SafeQ
connector to HPE Records Manager and cannot be intercepted.
Advanced Settings
Enable advanced settings by switching to the "Advanced" page view. Advanced settings let you
configure the following additional connector options:
Failure behavior
Restrictions
Notifications
Failure Behavior
Use connector failure behavior to configure the next steps in case scan processing or delivery
fails. In failure behavior, specify a backup directory with its authentication type, the number of
retry attempts and the delay between these attempts.
Enable fall back directory – Enable or disable saving files to a fall back directory in case of
scan failure
By default, this option is enabled and the default fall back directory path is set to: '%
safeqHome%\FailedScans\%userUsername%\%scanDate%'
Fallback directory – Defines the path where a scanned document is going to be stored in case
the workflow fails during scan processing or delivery. The value of the field can be:
the path to a local file system on the server running YSoft SafeQ Workflow Processing
System, e.g. 'C:\scans\'

The value can contain capture variables, e.g. the '%userHome%' variable
Authentication – Determines which credentials YSoft SafeQ 6 will use to access the backup
directory. Choose from the options below:
Use default service credentials – the same account under which the YSoft SafeQ
Workflow Processing System service is running will be used (most suitable for a local file
system path).
Use custom service account – manually set account credentials (most suitable for a
shared network folder)
Username – The account name in the format 'domain\username', e.g., 'safeq.

local\scanservice'. If the domain is omitted, the local host is used (.\username)
Password – The account password
Number of retry attempts – In case a scan delivery fails, the number of times the YSoft SafeQ
Workflow Processing System will retry the delivery of a scan before a scan job fails
Delay between retry attempts – The delay before each delivery retry attempt
Restrictions
Use connector restrictions to apply limits to scan jobs – set up a maximum number of scanned
files per scan job, the maximum size of the scanned job and define an alternative location for the
scanned document in case these limitations are reached so the scanned document is not lost.
Enable delivery restrictions – Enable or disable restrictions functionality. If it is not checked,

then the form is not displayed
Maximum number of scanned files per scan job – Set a limit for scanned files per job
Maximum scan job size – Set a limit for the size of the scanned document
Directory for scan jobs that exceed limits – Defines the path of where the scan is going to be
stored in case any of the limitations is reached while scanning the document. Can be:
a path to a local file system on the server running YSoft SafeQ Workflow Processing
System, e.g., 'C:\scans\'
It can contain capture variables, e.g. the '%userHome%' variable
Authentication – Determines which credentials YSoft SafeQ 6 will use to access the backup
directory. Choose from the options below:
Default service credentials – the same account under which the YSoft SafeQ Workflow
Processing System service is running will be used (most suitable for a local filesystem
path)
Custom service account – manually set account credentials (most suitable for a shared
network folder)

Username – The account name in the format 'domain\username', e.g., 'safeq.local\scanservice'.
If the domain is omitted, the local host is used (.\username)
Password – The account password
Notifications
Use connector notifications to enable email notifications. It is possible to configure notifications

whether the scan delivery succeeds, scan delivery fails, or when restrictions are reached. For
each of the notifications, it is possible to set up a recipient, subject and body of the email.
Delivery failure notifications – Enable or disable notifications in case scan delivery fails. If
disabled, then the form is not displayed
Recipients – Recipients of the email notification
Subject – The subject of the email notification
Body – The body of the email notification. HTML tags can be used for formatting
Delivery success notifications – Enable or disable notifications in case scan delivery succeeds.
If it is not checked, then the form is not displayed (the same fields as in delivery failure
notifications)
Restriction notifications – Enable or disable notifications in case any of the restrictions is

reached. If it is not checked, then the form is not displayed (the same fields as in delivery
failure notifications)
Configuring and Deploying the Office 365 application for SharePoint Online and OneDrive
Business
Description
For centralized document storage and workflow processing YSoft SafeQ can deliver scanned files
to SharePoint Online or OneDrive for Business. In Azure Active Directory the application must be
registered, permissions granted, and a certificate authorized for authentication.

Summary
Required from YSoft SafeQ Administrator
1. Optional: Name of application to be registered in Azure Active Directory.
a. The name is fully up to you. But it is a good idea to name it the way, indicating that
the app is being used by YSoft SafeQ. e.g.: Y Soft - OneDrive and SharePoint
Application.
2. Create certificate to authorize application in Azure Active Directory.
a. Exported public certificate file for import into Azure Active Directory.
i. File format: PEM or base-64 encoded X.509 (.CER file).
b. Optional: Exported public certificate file, including private key, if the certificate needs
to be imported into YSoft SafeQ Workflow Processing System servers.
i. File format: PKCS#12 file containing public certificate and private key (.PFX file).
Required from Azure Administrator
1. Register the application in Azure Active Directory.
a. Provide the Azure Active Directory registered application Application ID for YSoft
SafeQ workflow connector setting Client Id.
b.
b. Provide the Azure Active Director registered application Publisher Domain for YSoft
SafeQ workflow connector setting Tenant Name.
2. Add Application permissions.
API Type Group Name Description Explanation
Azure Active Applica Direct Directory. Read Necessary for mapping of “root
Directory tion ory Read.All directory folder” in order to be able to
Graph data upload scanned documents to
OneDrive for Business or
SharePoint Online.
Microsoft Applica User User.Read. Read all Necessary to identify user’s

Graph tion All users' full OneDrive for Business drive in
profiles order to be able to upload
scanned documents to OneDrive
for Business
SharePoint Applica Sites Sites. Read and Write access is necessary to be

tion ReadWrite. write items able to upload the scanned
All in all site document. Read access is
collections necessary to be able to browse
target folder on MFD terminal, or
to specify behavior in case the
document with defined filename
already exists (append to it,
replace it, keep both files) - if
specified in Scan workflow
definition by YSoft SafeQ
Administrator.
The above mentioned Application permissions are necessary in order to allow YSoft
SafeQ to upload scanned documents to OneDrive for Business or SharePoint Online.
Impersonation of terminal user (available e.g. for SharePoint 2016 connector) which
would use terminal user's access rights to access OneDrive for Business or SharePoint
Online folder structure and preventing him from accessing folders which she or he is
not entitled to see is not available.
This means that YSoft SafeQ application cannot limit terminal user’s access to
browse folders which she or he doesn’t have access to in OneDrive for Business or
SharePoint Online. This must be specified by YSoft SafeQ Administrator on the level
of Scan workflows access definition.
It also means that all documents scanned and uploaded by YSoft SafeQ will have the
name of the Azure Active Directory application filled in the field “Modified by” in OneDrive
for Business or SharePoint Online (instead of name of the user as it would be with
Impersonation functionality).

Best practice is to assign access to OneDrive for Business scan workflows and
SharePoint Online scan workflows only to users who have also access to company’s
OneDrive for Business or SharePoint Online - you can refer to Scan workflows - User
access documentation for details about scan workflows user access definition. And also
to allow terminal user to browse only target directories which they have access for in
OneDrive for Business or SharePoint Online - this can be specified in Scan workflow
definition - in fields Target OneDrive path and Additional OneDrive path.
Regarding the information about the author of document (which is not available in the
field "Modified by”), YSoft SafeQ Administrator can use e.g. Workflow variable %
userUsername% as part of the Filename or in case of OCR processing step and
Searchable PDF output format as part of the metadata field “Author” to have the
information about author of the document available.
Below are more detailed examples to prevent any misunderstanding of possible

undesired effects of Application permissions.
Example of potentially wrong setup:
If user John does not have access to company’s OneDrive for Business at all but YSoft
SafeQ Administrator will allow John to see scan workflow “Scan to OneDrive with
folderbrowsing” on the MFD → John will be able to browse company’s OneDrive for
Business folder structure (starting in the folder specified by the YSoft SafeQ
Administrator in the scan workflow definition) and scan document to selected folder
even though John doesn’t officially have access to company’s OneDrive for Business.
This is caused by the Application permissions granted to YSoft SafeQ and by YSoft
SafeQ Administrator making this workflow accessible to John.
Example of recommended setup:
If user John does not have access to company’s OneDrive for Business at all, YSoft
SafeQ Administrator should specify user access to scan workflow "Scan to OneDrive
with folderbrowsing” in a way that it won’t be available to John at all - there’s no point
in allowing John to see workflow "Scan to OneDrive with folderbrowsing” if he shouldn’t
have access to company’s OneDrive for Business.
At the same time if user Jane has access to some shared part of company’s OneDrive
for Business, YSoft SafeQ Administrator can either setup the scan workflow to not
allow Jane to browse folder structure at all (not allowing her to access the non-shared
part of company’s OneDrive for Business) or specify the scan workflow destination to
start browsing in the shared part of company’s OneDrive for Business which is available
for Jane (not allowing her to access the non-shared part of company’s OneDrive for
Business)
3. Authorize application public certificate
a.

3.
a. Provide the Azure Active Directory application registration certificate thumbprint for
YSoft SafeQ management interface system setting
sharepointClientCertificateThumbprint.
Certificate Requirements
The application certificate must be a unique X.509 certificate with private key. The certificate
should use RSA signature algorithm with SHA-256 hash function. The key length should be at
least 2048 bits.
While we recommend using a certificate issued by the organization's trusted certificate authority,
a self-signed certificate can also be created using the guide in section Optional: Generating a Self-
signed Certificate below.
Note
For client credential authorization access to Azure AD each Workflow Processing System
server must have the application certificate installed. The application certificate, including
private key, must be installed on each Workflow Processing System server in the Windows
Local Computer/Personal certificate store.
Security of authentication by certificate
YSoft SafeQ authenticates to Azure application by signing assertions using the configured X.
509 certificate and its corresponding private key. The certificate is managed by Windows
system and its private key is stored securely using cryptographic provider configured in the
system, which is a standard way commonly used by applications. The private key never
leaves the server during authentication, it is only used to sign a time-limited token sent to
Azure to authorize access to data. This mitigates the risk of leakage of the key compared to
traditional password-based authentication.
Certificate thumbprint configured in YSoft SafeQ is only used to locate the correct certificate
in Windows certificate store, which is then used as described above. In contrast to private
key, the thumbprint does not need to be kept confidential as it is not used as authentication
secret but just as identifier.
In case of a suspected security breach of the server with YSoft SafeQ, the access can be
easily revoked in Azure so that the certificate becomes useless to the attacker.
Configure Azure Active Directory

Register Application
1. Log into https://portal.azure.com with an Office 365 administrator account.
Using an Azure Active Directory administrator account is required or all necessary

information may not be accessible.

2. Select Azure Active Directory from the left-hand panel menu. Then select App registrations.
3. Click the New registration button.
4. Enter the name of the application and ignore everything else.
a. In this example the application is named Doc_Test.
5. Click the Register button and wait for the application to be created.
6. From the Overview page of the created application find the Application ID. This is required
for setting up the YSoft SafeQ connector as Client Id.

7. Navigate to Branding on the left-hand panel and find the Publisher Domain. This is required
for setting up the tenant name in the YSoft SafeQ connector as Tenant Name.
8.
8. Navigate to Authentication on the left-hand panel and make sure that in section
Supported account types, the Accounts in this organizational directory only (<your
company> only - Single tenant) option is selected.
9. Required from Azure Active Directory to configure the YSoft SafeQ workflow connector:
a. Provide the Azure Active Directory registered application Application ID for YSoft
SafeQ workflow connector setting Client Id.
b. Provide the Azure Active Director registered application Publisher Domain for YSoft
SafeQ workflow connector setting Tenant Name.
Add Application Permissions
1. Click the API permissions button on the left-hand panel.
2. In this example the application contains a default delegated permission for Microsoft Graph.
a.

2.
a. Optional: The default delegated permission can be removed by right clicking and
selecting Remove all permissions.
3. Click Add permissions and new pane on the right side will open.
4. Scroll down and find Azure Active Directory Graph and click it. Select Application
permissions and in the Directory section , check the Directory.Read.All checkbox and click
Add permissions on the bottom.
5. Repeat the previous step for Microsoft Graph (add User.Read.All) and SharePoint (add
Sites.ReadWrite.All) to match the table.

API Type Group Name Description
Azure Active Directory Application Directory Directory.Read. Read directory data

Graph All
Microsoft Graph Application User User.Read.All Read all users' full

profiles
SharePoint Application Sites Sites.ReadWrite. Read and write items in

All all site collections
6. Confirm that all permissions are of Application type.
7.
7. Grant consent to the permissions. Click the Grant admin consent for... button. When asked
for confirmation, select Yes.
8. After granting approval the permissions will be configured.
Add Application Public Certificate for Authorization
1.
1. Navigate to Certificates and secrets and click Upload certificate.
2. Locate the application public certificate, select it and the click on Add. The public key
must be in base-64 encoded export format such as a .CER file.
3. If the certificate upload is successful find the authorized certificate thumbprint. This is
required for configuring the YSoft SafeQ management interface system setting

4. Required from Azure Active Directory to configure the YSoft SafeQ workflow connector:
a. Provide the Azure Active Directory application registration certificate thumbprint for
YSoft SafeQ management interface system setting
Optional: Generating a Self-signed Certificate

Create Self-signed Certificate
To generate a self-signed certificate, you can use the PowerShell console. Run the console as an
administrator and make sure that PowerShell is at least version 5.0+.
1. Copy/paste following command into PowerShell window and modify placeholders as

needed:
a. MyCompanyName
b. MyAppName
New-SelfsignedCertificate -Subject "CN=MyCompanyName MyAppName Cert" -FriendlyName

"Office 365 certificate" -NotAfter $([datetime]::now.AddYears(10)) -Provider "Micro
soft Strong Cryptographic Provider"
This command will only work on newer versions of the operation system (Win-10,
Win-2016 server) by default or you need to install * Windows Management
Framework 5.0* to make it work on an older OS .
Export Public Certificate
Export the application public certificate for import into Azure Active Directory. The public key must
be in base-64 encoded export format (.CER file).
1.

1. Run certlm.msc and press Enter.
2. Navigate to Local Computer/Personal certificates and locate the certificate (using the
values that you defined for MyCompanyName and MyAppName).
3. Right-click the certificate and from the popup menu, select All Tasks and then Export...
4. Select not to export the private key.
5. Choose Base-64 encoded X.509 (.CER).
6. Enter the file name of the exported certificate and finish the export.
Export Public Certificate with Private Key for Import to all Workflow Processing System Servers
If you did not generate the application certificate on the server with YSoft SafeQ Workflow
Processing System the certificate and private key will need to be exported. Import the application
certificate containing the private key on all servers with YSoft SafeQ Workflow Processing
System.
1. Export the certificate to a .PFX file with private key included.
a. Additional details: https://technet.microsoft.com/en-us/library/cc754329(v=ws.11).aspx
2. Import the .PFX file into all YSoft SafeQ Workflow Processing System servers in the
Windows Local Computer/Personal certificate store.
Configuring User Impersonation in Microsoft SharePoint 2013 and 2016
It is possible to impersonate a YSoft SafeQ terminal user using a workflow that delivers to a
SharePoint 2013/2016 type connector destination. If impersonation is configured correctly in
Microsoft SharePoint, YSoft SafeQ will store scanned documents in SharePoint using a terminal
user's credentials.
The YSoft SafeQ SharePoint 2013/2016 connector uses a mechanism of High Trust applications
for impersonation on SharePoint. You can find detailed information on https://msdn.microsoft.com
/en-us/library/office/jj945118.aspx and https://msdn.microsoft.com/en-us/library/office/jj945118.aspx.
To configure impersonation on a SharePoint 2013/2016 server:
1. Configure SharePoint to use server-to-server authentication. In short, that means adding

users with appropriate user rights. For more information, you can consult this webpage
https://msdn.microsoft.com/en-us/library/office/fp179923.aspx#Servertoserver.
a. Log in as an admin to Sharepoint Central Administration.
b. Go to Application Management.

c.
d. In the section Manage service application, verify that User Profile Service
Application and App Management Service have started.
e. In the section Manage services on server, verify that the service User Profile
Service has started.
f. Then under Manage service applications, go to User Profile Service Application,

and then under People, verify that you have two users. One user as the service
account and one user to be impersonated.
g.
2. For testing purposes, a self-signed certificate is enough. For more detailed information, you
can consult https://msdn.microsoft.com/en-us/library/office/fp179901.aspx#Cert2.
a. O p e n Internet Information Services.
b. Double-click the Server Certificates icon.

c. Right-click inside the Server Certificates window and select Create Self-Signed
Certificate.
d.
e. Then export your certificate to a .pfx format, call it HighTrustCert and save it into c:
\certs
f. When exporting, fill in the password, e.g., password.
g.
3. To continue, you need to convert the .pfx into a .cer format.
a. Go to the add-in pool that servers IIS website, e.g., Sharepoint - 80
b. Double-click Server Certificates.
c. Double-click HighTrustCert.
d. In the details of the certificate, choose Copy to File.
e. Select do not export private key, and save it into c:\certs
4. Now you need to bind the SharePoint application with the certificate.
a. Run the following commands in the Sharepoint 2016 Management Shell.
b. Change issuerId and publicCertPath according to your needs
c. $publicCertPath = "C:\certs\HighTrustCert.cer"
$certificate = New-Object System.Security.Cryptography.X509Certificates.
X509Certificate2($publicCertPath)
New-SPTrustedRootAuthority -Name "HighTrustNewAppCert" -Certificate $certificate
$realm = Get-SPAuthenticationRealm
$specificIssuerId = "33333333-3333-3333-3333-333333333333"
$fullIssuerIdentifier = $specificIssuerId + '@' + $realm
New-SPTrustedSecurityTokenIssuer -Name "High Trust New App Cert" -Certificate
$certificate -RegisteredIssuerName $fullIssuerIdentifier –IsTrustBroker
iisreset
$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()

5. Register a SharePoint add-in for use by YSoft SafeQ.
a. Register an add-in by navigating to http://<SharePointWebsite>/_layouts/15

/AppRegNew.aspx on the tenancy or farm.
b.
c. In the form that appears:
i. Generate ClientId, keep this value as it is needed for the next step.
ii. Generate client secret, it is not used by the add-in, however, it needs to
validate the form.
iii. Enter a descriptive Title, for example, "SafeQConnector".
iv. Enter a site URL in the app domain field. It is not needed for the add-in, but the
field is validated for the format and it will be on the app link.
v. Redirect URL can be left blank on SharePoint 2013 (on SharePoint 2016, set it
for example, to the localhost address).
vi. You can find more information on https://msdn.microsoft.com/library/jj687469.

aspx.
a. For SharePoint 2016, you need to specify the add-in permissions via an XML
description.
i. Visit the permission assignment page http://<SharePointWebsite>/_layouts/15

/AppInv.aspx .

ii.
iii. Enter the ClientId from the step 5.c.i. and click lookup.
iv. The values from the previous form should load automatically.
v. Enter permissions for the application:
<AppPermissionRequests AllowAppOnlyPolicy="false" >

<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Ri
ght="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection
/web" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web
/list" Right="FullControl" />
</AppPermissionRequests>
And update the permissions.
You can find more information on https://msdn.microsoft.com/en-us/library/office

/fp142383.aspx.
The SharePoint part of the setup should be done by now. Now it is necessary to setup YSoft SafeQ6 to
work with SharePoint.
1. Install the self-signed certificate generated previous steps on the WPS machine. The proper
destination for the certificate is localMachine/personal.
2. In the YSoft SafeQ tenant system settings (please refer to Scan Workflow-related System
Settings), modify the following configuration keys:
a. sharepointClientId – ClientId – the Id generated in step 3.
b.
b. sharepointClientCertificateThumbprint – the thumbprint of the certificate generated
in step 2. You can find Information on how to obtain the thumb-print on the following
link https://msdn.microsoft.com/en-us/library/ms734695(v=vs.110).aspx. Copy-pasting
of the thumbprint code is NOT RECOMMENDED. As the code in certificate detail
contains an invisible symbol at the beginning of the string (more detail on
http://stackoverflow.com/a/9382783).
c. sharepointIssuerId – the GUID assigned to the certificate in step 3.
Workflows List
The Workflows screen displays a list of all available scan workflows in the same order they are
displayed to users on YSoft SafeQ terminal applications. The Workflows screen lets you perform
various actions on scan workflows.

1. Add Workflow – Create a new workflow
2. Reorder/Confirm – Click the REORDER button to start changing the display order of
workflows on the YSoft SafeQ terminal. Drag and drop a workflow and finish changing the
display order by clicking the CONFIRM button.
3. Import XML – Import a workflow definition XML file (previously exported using the Export
XML action). Imported workflows are disabled immediately after importing.
A new connector will be created for each imported workflow.
Importing YSoft SafeQ 5 scan workflow XML files is not supported.
Backward compatibility between builds functions from YSoft SafeQ 6 MU4 onward
(inclusive), therefore, using XMLs from older versions might not work properly.
4. Enable/Disable – Enable or disable a workflow. Disabled workflows are not available to users
on the YSoft SafeQ terminal.
5. Connector Name – The connector used as a workflow destination. Clicking the connector
name opens the connector in edit mode – see Editing a Connector for more details.
6. Edit – Opens the Edit workflow page – see Edit Workflow for more details.
7. Duplicate – Click the duplicate button to create a copy of the workflow.
8.
8. Export XML – Click the arrow icon next to a workflow in the list to display the actions menu.
The Export XML button exports the selected workflow to an XML file. It is possible to
import the workflow again to any YSoft SafeQ 6 instance using the IMPORT XML button.
9. Delete – Click the arrow icon next to a workflow in the list to display the actions menu. The
Delete button deletes the selected workflow.
Edit Workflow
A scan workflow is best described as a blueprint of instructions for capturing, processing and
delivering a scanned document. A workflow's definition consists of several parts:
General information used for workflow identification and displaying help on a YSoft SafeQ
terminal
The destination using a predefined connector with additional settings for defining where and
how scanned documents are stored
Optional processing steps that extract data from scanned documents or modify scanned
documents
Optional user inputs allowing users to enter additional information that will be collected
alongside the scanned document
Scan settings that instruct a YSoft SafeQ terminal on how documents will be captured (e.g.,
scanner parameters)
Access rights specifying which YSoft SafeQ roles can use the workflow
Configure scan workflows using the steps below.
General
First, configure the general properties of a workflow.

1. Name – The name of the workflow that appears on a YSoft SafeQ terminal.
2. Description – A description of the workflow that appears on a YSoft SafeQ terminal.
3. Destination – Select the connector the workflow will use to deliver scanned files to a
destination. In order to select a destination connector, ensure you have previously created
a connector to an external system (see Connectors List).
4. Save changes – It is important to save all the changes when editing the workflow.
5. Discard Changes – Discard all changes if needed.
Destination
After selecting a destination connector, configure properties specific to individual connector

types.
File System
Selecting a file system type connector as a workflow destination stores scanned files to a local
or network file system either in a sub directory of a connector's base location or directly in the
base location. The connector can be configured to enable users to interactively browse the
structure of a selected target directory and optionally select one of its sub directories as the
target.

1. Target directory (optional) – The directory where the workflow delivers scanned files,
relative to the connector's base location. Captured variables may be used. Process and
user input variables are supported only if browsing is disabled (a path that is defined by a
user input cannot be browsed). Please keep in mind the limitation of characters that are
allowed to be in paths.
2. Allow terminal user to browse target directory – If checked, the target directory is not the
final destination. A new user input field is automatically added, which allows a terminal user
to browse and select a sub directory of the target directory as a destination. When this
option is checked, an edit button appears to edit the title of this parameter. The user input
is also visible in the "User input fields" section, so it can be arranged. For more information
see section User Input Fields.
To allow users to browse target directories, the service account under which the Workflow
Processing System runs must have read access to the target directory and all sub directories
that can be used as the scan destination.
Email (SMTP)
Selecting an Email (SMTP) type connector as a workflow destination delivers scanned files by
email to one or more email addresses.

1. Filename (optional) – The name of the resulting scanned file (without an extension).
Process, capture and user input variables may be used. If the scan workflow produces
multiple files, the filename is appended with a numeric sequence in the "####" format, e.g.,
"0001", "0002", etc.
If the filename field is left blank, the filename generated by the device where the scan
was made is used.
2. From – The email address from which the email is sent. Process, capture and user input
variables may be used.
3. To – Recipient email address. Process, capture and user input variables may be used.
Multiple email addresses can be separated by a comma "," or semicolon ";".
4. Subject – The email subject. Process, capture and user input variables may be used.
5.
5. Body (optional) – The email body. Process, capture and user input variables may be used.
HTML tags may be used to format the body.
Microsoft Exchange
Selecting a Microsoft Exchange connector type as a workflow destination delivers scanned files
by email to one or more email addresses. Microsoft Exchange is widely used in companies and the
connector allows more precise configuration than the Email (SMTP) connector.
Basic settings
1. Filename (optional) – The name of the resulting scanned file (without an extension).
Process, capture and user input variables may be used. If the scan workflow produces
multiple files, the filename is appended with a numeric sequence in the "####" format, e.g.,
"0001", "0002", etc.
was made is used.

2. From – The email address from which the email is sent. Process, capture and user input
This field can be used only when the connector is configured without impersonation in
the connector configuration. For more information see Editing a Connector section
Microsoft Exchange.
3. To – The recipient email address. Process, capture and user input variables may be used.
Multiple email addresses can be separated by a comma "," or semicolon ";".
4. Subject – The email subject. Process, capture and user input variables may be used.
5. Body (optional) – The email body. Process, capture and user input variables may be used.
6. Show more – Click the link to configure additional settings (below) for the workflow with a
Microsoft Exchange destination. For more information see section Additional Microsoft
Exchange workflow settings below.
Additional Microsoft Exchange workflow settings
1.
1. Cc (optional) – A carbon copy recipient email address. Process, capture and user input
Multiple Email addresses can be separated by a comma "," or semicolon ";".
2. Bcc (optional) – The blind carbon copy recipient email address. Process, capture and user
input variables may be used.
Multiple Email addresses can be separated by a comma "," or semicolon ";".
3. Priority – Email priority.
4. Sensitivity – Email sensitivity.
5. Delivery receipt – If enabled, a delivery receipt email will be sent to the sender when the
email with the scanned files is delivered to each recipient.
6. Read receipt – If enabled, the read receipt flag will be set in the email. If the recipient
confirms read receipt, a confirmation email is sent to the sender.
7. Show less – The show less link hides additional Microsoft Exchange settings.
Impersonation
When impersonation is enabled in the Microsoft Exchange destination connector (for more
information see Editing a Connector section Microsoft Exchange), it is not possible to change the
value of the From field.
When impersonation is disabled in the Microsoft Exchange destination connector, it is also

possible to set the user logged in at the YSoft SafeQ terminal as the sender using the %
userEmail% variable in the From field and assigning Send as permission to the service account
Microsoft Exchange. However, in this case, the sent email will be in the service account's
Microsoft Exchange Sent Items folder.
Dropbox Business/Enterprise

1. Target directory – The target directory relative to the Dropbox's root folder ("/"). Capture
variables may be used. Process and user input variables are supported only if browsing is
disabled (you cannot browse a path which is defined by user input).
2. Allow terminal user to browse target directory – If checked, the Target directory is not
the final destination. A new user input field is automatically added, which allows the
terminal user to browse and select a sub directory of the target directory as a destination.
When this option is checked, an edit button appears, which can be used to edit the title of
this parameter. The user input is also visible in the "User input fields" section so it can be
arranged. Please see section User Input Fields.
3. Filename – The name of the resulting scanned file (without an extension). Process, capture
and user input variables may be used. If the scan workflow produces multiple files, the
filename is appended with a numeric sequence in the "####" format, e.g., "0001", "0002",
etc.
If the filename field is left blank, the filename generated by the device where scan was
made is used.
4. If filename already exists – Determines the behavior applied if a file with the same name
already exists in the target directory. The available options are:

Keep both files – if a file already exists, YSoft SafeQ creates a new file with a numeric
sequence in the "_#####" format, e.g., "filename_00001", "filename_00002", etc. No
files are deleted in this case.
Replace original file – replaces the original file with the new one.
5. Alternatively choose a Dropbox Business team folder as the root for the target path
composition.
An active Internet connection is required to retrieve a listing of the Dropbox Business team
folder.
Microsoft SharePoint 2010, 2013 and 2016

1. Target SharePoint path – Consists of two parts:
The first part is configured in the SharePoint connector and represents the address of
the SharePoint site (in the example above, "http://sharepoint2010.amasters.com").
The second part consists of the title of a SharePoint document library (in the above
example, "teamlibrary") and an optional sub folder structure (in the above example, a
folder named "accounting"). If the Allow terminal user to browse target directory
option is enabled, capture variables may be used – otherwise, use process, capture and
user input variables.
To acquire this information, please contact your Sharepoint administrator. There is

no other way to find it.
2. Allow terminal user to browse target directory – If checked, the Target directory is not
the final destination. A new user input field is automatically added, which allows the
terminal user to browse and select a sub directory of the target directory as the
destination. When this option is checked, an edit button appears, which can be used to edit
the title of this parameter. The user input is also visible in the "User input fields" section, so
it can be arranged. Please see section User Input Fields.
3. Filename – The name of the resulting scanned file (without an extension). Process and
capture variables may be used. If the scan workflow produces multiple files, the filename is
appended with a numeric sequence in the "####" format, e.g., "0001", "0002", etc.
was made is used.
4.
4. If file name already exists – Determines the behavior applied if a file with the same name
already exists in the target directory. The available options are:
Keep both files – if the file already exists, YSoft SafeQ creates a new file with a numeric
sequence in the "_#####" format, e.g., "filename_00001", "filename_00002", etc. No
files are deleted in this case
Replace original file – replaces the original file with the new one
5. Document Columns – Remove Column – Removes a column from the SharePoint document
metadata
6. Document Columns – Add Column – Adds an administrator predefined document column to

the corresponding SharePoint document metadata. The user can fill the Name of the
column and the Value. Variables may be used in column values
The document column value must be a string in the format expected by the SharePoint
column, otherwise, the column value will not be saved.
Scan to Script
The Scan to Script destination is a special type of destination that allows custom scripts and
executables. Unlike other types of destinations, Scan to Script does not require configuration of a
connector.

1. Script command – The command to be executed when scanned files are delivered to the
Target folder. It can contain any capture, processing or user input variables as command
line arguments. In addition, it is possible to use the following special variables:
%fileList% – Available in One time execution mode only (see Script execution mode).
File system paths to all scanned files delivered to targetDir are written to a text file
as individual lines in UTF-8 encoding. The %fileList% variable used in the "Script
command" is replaced by the absolute path to the created text file. The path to the
text file becomes one of the script parameters. YSoft SafeQ then invokes the
specified script only one time. It is the responsibility of the external script to resolve
all scanned files from the text file, process them within a single script execution and
clean up as necessary.
%metadata% – Available in One time execution mode only (see Script execution
mode). Similarly to the %fileList% variable, use the %metadata% variable in script
parameters. YSoft SafeQ will write all scan workflow variables to a text file and
replace the %metadata% variable with the absolute path to the created file. Each
variable is written on a single line in the text file in UTF-8 encoding in the
"name=value" format, e.g., "userUsername=administrator".

%targetDir% – Available in One time execution mode only (see Script execution
mode). Specifies the location where scanned files (and optionally metadata and file
list files) are stored.
%filePath% – The full path of the currently executed file if script execution mode is
Per file, or the path of the last file processed by the Workflow Processing System if
script execution mode is One time.
2. Target folder – The folder where scanned files are placed for execution by script. Scanned
files and additional files produced by the use of the %fileList% and %metadata% variables
are not automatically deleted after script execution – deletion must be performed by the
script. Process, capture and user input variables may be used.
3. Filename – Name of the resulting scanned file (without extension). Process, capture and
user input variables may be used. If the scan workflow produces multiple files, the filename
is appended with a numeric sequence in the "####" format, e.g., "0001", "0002", etc.
was made is used.
4. Script execution mode
One time – The script is executed only once. Files produced by using %fileList%. %
metadata% and %targetDir% variables may be used to process all scanned files. Any
capture or processing variables may be used as command line arguments.
Per file – The script is executed for each scanned file separately. The %filePath%
variable can be used to get the currently processed scanned file. Any other capture or
process variables may be used as command line arguments.
Selecting a Microsoft OneDrive for Business connector type as the workflow destination delivers
scanned files to the selected OneDrive for Business drive.
1. Destination – Select a OneDrive Connector
2. Target OneDrive path – Define the user's drive. Be aware that the drive name is case
sensitive! It can be obtained from the user profile in OneDrive or it can be seen encoded in
the URL, please see the picture below. Also note, variables here can be used to use a
different drive for each user/device session, e.g., %userUsername%@y3sdev.onmicrosoft.
com

To acquire this information, please contact your OneDrive administrator. There is no
other way to find out.
3. Additional OneDrive path – The directory where the workflow delivers scanned files,
relative to the connector's drive name. Capture variables may be used. Please keep in mind
the limitations to characters that are allowed to be in paths. A path can be specified to a
sub folder.
4. Allow browsing of the target destination on the terminal.
See the picture below for additional info.
Selecting a Microsoft SharePoint Online connector type as the workflow destination delivers
scanned files to the selected SharePoint Online document library.
1. Destination – Select a SharePoint Online Connector
2. Target SharePoint Online path (blue) – Define the public SharePoint library. Be aware that
the SharePoint library name is case sensitive!
If the library was renamed or if problems are encountered during testing, please contact
your SharePoint administrator to get the correct value.
3.
3. Additional SharePoint Online path – The directory where the workflow delivers scanned
files, relative to the connector's document library. Capture variables may be used. Please
keep in mind the limitations to characters that are allowed to be in paths. A path to a sub
folder can be specified.
4. Allow browsing of the target destination on the terminal
5. Add Column – Adds an administrator predefined document column to the corresponding

SharePoint document metadata. The user can enter the name of the column and the value.
Variables may be used in column values.
The document column value must be a string in the format expected by the SharePoint
column, otherwise, the column value will not be saved.
See the picture below for additional information.
HPE Records Manager WORKFLOW CONNECTORS B
Selecting an HPE Records Manager connector type as a workflow destination delivers scanned
files as records in HP Records Manager.
Note that the HPE Records Manager connector type is only available when YSoft SafeQ is
activated with a valid Workflow Connectors B license. Please contact your sales
representative if a license for the HP Records Manager connector is needed.
1.

1. Parent container ID – The container where the record will be created. If it is left empty, the
record will be created in the root of HPE RM. Variables may be used.
2. Record Type – The type of record that will be created. The record type must be a string in
the format expected by HPE RM – it must match the Record type existing in the HPE RM.
3. External ID – The data that will be stored in the related record metadata field, can be left
empty
4. Author – The user who will be stored in the related record metadata field, must either be
left empty or match a user from HPE RM
Workflow Processing Steps
Processing steps can transform or extract data from scanned documents. Each of the processing
steps can be enabled and configured independently of each other.
You may enable or disable all of the below processing steps in any workflow. Note that the
processing steps available in the YSoft SafeQ management interface will depend on your YSoft
SafeQ Managed Workflow license.
Processing steps can either change the resulting document (e.g., process images into a
searchable PDF) or extract information from scanned documents into variables.
1D Barcode
Enable this processing step to find a 1D barcode of the selected type – it reads the barcode value
and saves it into the %barcode% variable.
Note that at the moment, the 1D Barcode processing step detects the first occurrence of a 1D
barcode in a scanned document. This means that YSoft SafeQ detects the first page in the
document containing a barcode of a given type and reads the value of the detected barcode. If
multiple barcodes of the same type are located on the same page, the value of the leftmost and
uppermost barcode on the page is read and saved into the %barcode% variable.
If no barcode is found, the %barcode% variable is set to an empty string.

1. Barcode type – Determines which barcode type should be identified and extracted from a
document. Valid types are:
UPC A
UPC E
EAN 8
EAN 13
Code 39
Code 93
Code 128
Codabar
ITF
RSS 14
RSS expanded
Any 1D barcode – the barcode in a document can be any of the supported (above-listed)
1D barcode types
Scan Job Separation ADVANCED WORKFLOWS
Enable this processing steps to split a batch scan into multiple documents. Scan jobs may be
separated as follows:
Upon detection of a 1D barcode: A new document starts when a 1D barcode of the specified
type is detected in the scan

Upon detection of a Y Soft standard separation sheet: A new document starts when the
standard separation sheet is detected in the scan. The standard separation sheet can be
downloaded in the Scan Job Separation processing step section of the Edit Workflow page
Page count: A new document starts after the number of specified pages
Item Options Description
1D barcode Barcode type: Starts a new document (and finishes the previous)
UPC A each time the selected type of barcode is encountered.
UPC E There is a variable %separationBarcode% which
EAN 8 contains the value of the corresponding barcode. Pages
EAN 13 with these barcodes can be included in or excluded
Code 39 from scan jobs.
Code 93
Code 128
Codabar
Standard Link to download the Starts a new document (and finishes the previous)
Separation standard separation sheet each time the standard separation sheet is
sheet encountered. Separation sheets can be included in or
excluded from scan jobs.
Page Count Every # page Starts a new document (and finishes the previous)
each # pages
Highlighter Extraction ADVANCED WORKFLOWS
Enable the highlighter extraction step to identify all text in a scanned document highlighted with a
given color. The highlighter extraction step concatenates all highlighted text into a single-line text
string (individual words are separated by the white space character) and saves the text string
into the %highlightedText% variable.
Remarks:
The highlighter extraction step works on black and white documents only
Optimal results for the highlight feature are at 300 DPI. Higher DPI settings are not
recommended and will have a negative impact on the performance of the highlighter
extraction
A word should be highlighted precisely to allow the ABBYY OCR engine to detect the word
correctly. The word must be fully highlighted and not include highlighted parts of another
word as the ABBYY OCR engine might recognize it as additional characters

1. Highlighter color – Determines the highlighter color that should be detected. Text
highlighted with this color will be extracted. Available colors are:
Green
Red
2. Language – The language of the extracted text (improves the accuracy of the extracted
text).
3. Search for highlighter
The page range in the scanned document for highlighted text.
In the entire document
Specific range
Use page numbers (including blank pages)
From – The lower limit of page range. If empty, the range starts on the first scanned
page
To – The upper limit of page range. If empty, the range ends on the last scanned
page
Highlighter Redaction ADVANCED WORKFLOWS
Use the highlighter redaction step to redact (overlay with black) areas in a scanned document
marked with the given color.

Remarks:
The highlighter redaction step works on black and white documents only
Redaction on highly compressed files is not recommended. Ensure that scan quality settings
are adjusted accordingly prior to redacting
Best results are achieved using the lowest compression settings on the MFD (even though
the processing step filters compression-related image noise as much as possible)
1. Highlighter color – Determines the highlighter color that should be detected. Areas
highlighted with this color will be redacted. Available colors are:
Green
Red
2. Search for highlighter
The page range in the scanned document for the highlighted text.
In the entire document
Specific range
Use page numbers (including blank pages)
From – The lower limit of the page range. If empty, the range starts on the first
scanned page
To – The upper limit of the page range. If empty, the range ends on the last scanned
page
OCR ADVANCED WORKFLOWS

Use the OCR step to analyze text documents, recognize and extract document text and
formatting, and save the result to a file of a selected output format. The OCR step recognizes
only the common typographic type of text.
1. Language – Document languages. OCR processing requires the language setting to

correctly recognize the document's text. It is possible to select multiple languages.
Please refer to OCR Processing Step – Supported Languages for document languages
recognized by the OCR processing step.
The accuracy of OCR depends on many factors that are out of Y Soft SafeQ's control,
such as the quality of the printed document, scanner quality, and text size and is,
therefore, never 100% even with correctly configured document language. To get the
best results out of OCR, please use the following guide for scan resolution settings:
For regular texts (font size 8-10 points), it is recommended to use 300 dpi resolution
for OCR (in most cases, represented by the "Fine" setting) as the OCR technologies
are tuned for that resolution
For smaller font text sizes (8 points or smaller), it is recommend to use 400-600
dpi resolution
Low image quality (i.e. resolution/DPI) may lead to quality and speed degradation as
uncertainty in the character picture produces more recognition variants to process
2. Remove blank pages – If checked, blank pages are removed from the scanned document.
The blank page detection algorithm is heuristic and so its results cannot always be
accurate. There are predefined thresholds used for blank page detection. When any value
of any of the following criteria is exceeded, the page is not considered blank.

The maximum number of letters belonging to the recognition languages is five
The maximum percentage of black areas on a page is one
The maximum number of objects found on a page is 20
If a page contains a barcode, it is not considered blank
3. Detect page orientation – If checked, detects the page orientation of each page in the
document and rotates pages that are upside-down to correct the orientation
4. Split dual pages – If checked, splits dual pages (e.g., when scanning double pages of a
book) into two pages in the resulting document
5. Despeckle – If checked, cleans noise in the scanned document. This may impact the speed
and performance of the OCR engine
The speed of OCR can be increased by the ocrProcessesPerJob and ocrPoolSize properties in
the expert configuration.
Type of processed file that is being sent from the MFD for OCR processing can by modified by
the ocrInputFileType property in the expert configuration.
External Processing Step
The External Processing Step is a way to extend the built-in capabilities of Scan Workflows in
YSoft SafeQ. Use it to run an external command before delivering scanned documents. The
command will be executed by the WPS service on the server that processes the scan job, under
the identity of the WPS service account, and it will be able to modify the scan job before it is
delivered by WPS.
Some examples of how the External Processing Step can be used include:
Archiving all scan jobs
Delivering scan jobs with an accompanying metadata file in a custom format
Rejecting scans not fulfilling some condition, e.g. where a particular text or barcode pattern is
not found
Delivering multiple image files in a single ZIP archive

The command will be executed as the last step before delivering the documents into a
destination. Two text files in the UTF-8 encoding will be created before the command is executed:
A metadata file that lists all available metadata and user variables. Each line contains a
key=value pair. Use the %metadata% variable to pass the filename of the metadata file as an
argument.
A file-list file that lists all image files that comprise the scan job, with each file name on a
separate line. Use the %fileList% variable to pass the filename of the file as an argument (or
read the fileList variable from the metadata file).
The command may modify one or both of the files in place in order to modify the outcome of the
workflow.
If the command fails to execute or returns a non-zero exit code, the workflow will be aborted.
Output
In the Output section, configure the output settings of the scanned file. More options become
available if your YSoft SafeQ is licensed for the Advanced Workflows module.
The following sections provide a summary of the available output options in the Core Workflows
and Advanced Workflows modules.

Options Available in Core Workflows
Output Format JPEG This option specifies the file format of

TIFF the output file.
Multipage TIFF JPEG – the output file will be saved
PDF in JPEG format
Compact PDF TIFF – the output file will be saved in
TIFF format
Multipage TIFF – the output file will
be saved in TIFF format but will
consist of multiple pages (sub files)
PDF – the output file will be saved in
PDF format
Compact PDF – the output file will
be saved in PDF format, but
compression will be applied and the
resulting file will be a small size
Can be modified When checked, a user can change the

by the user on format of the scanned file on "Scan
the terminal options" screen
Filename String – can contain a reference to The name of the resulting scanned file
workflow variables (without an extension). Process, capture
and user input variables may be used. If
the scan workflow produces multiple
files, the filename is appended with a
numeric sequence in the "####"
format, e.g., "0001", "0002", etc.
Please keep in mind, the

characters limitations that are
permitted to be in file names.
Characters that are not allowed
(*, ?, /, \, |, :, <, >) will cause
failure upon scanned file
delivery.
If the filename field is left blank,

the filename generated by the
device where the scan was
made is used.

If filename already Keep both files: If a file with the Determines the behavior applied if a file
exists same name already exists, YSoft with the same name already exists in
SafeQ 6 creates a new file with a the target directory
numeric sequence in the "_#####"
format, e.g., "filename_00001",
"filename_00002", etc. No files are
deleted in this case
Replace original file: Replaces the
original file with the new one
Append to original file (PDF only*)
Prepend to original file (PDF only*)
* PDF/A-2x formats are not supported

Supported Output Formats
Outp Real Output Format

ut
Form
at
Konica Shar Shar Ricoh Fuji Xerox Xero Toshib HP Epso Lex
Minolta, p p- x a, OKI, n mar
Develop, eSF OKI k
Olivetti, sXP
Aurora
JPEG JPEG JPE JPE TIFF, JPEG JPEG JPE JPEG JPE JPE JPE
G G Exact G G G G
format
depends on
selected
color mode.
TIFF TIFF TIFF TIFF TIFF, JPEG TIFF TIFF TIFF TIFF TIFF TIFF
Exact
format
depends on
selected
color mode.
Multi Multipage Multi Multi Multipage Multipage TIFF Multi TIFF Multi Multi Multi
page TIFF page page TIFF, PDF page page page page
TIFF TIFF TIFF Exact TIFF TIFF TIFF TIFF
format
depends on
selected
color mode.
PDF PDF PDF PDF PDF PDF PDF PDF PDF PDF PDF
Comp Compact PDF Com PDF PDF PDF, Compact Com PDF PDF PDF PDF
act pact PDF pact
PDF PDF Depends on PDF
the color
mode and
resolution
selected
Options Available in Advanced Workflows
Output format

The following options are This option specifies the file

additionally available if the format of the output file. OCR
"OCR" processing step output formats are MFD vendor
processing is enabled: independent so all formats are
Searchable PDF supported for all vendors.
Microsoft Word (DOCX)
Microsoft Excel (XLSX)
Microsoft Excel (XLS)
Microsoft PowerPoint
(PPTX)
Text (TXT)
Rich Text (RTF)
Can be modified by the user on When checked, a user can

the terminal change the format of the
scanned file on the "Scan
options" screen.
File format selection is not

supported when the OCR
processing step is
selected on the workflow.
The checkbox is not
visible in such a case.
Filename String – can contain a reference The name of the resulting

to workflow variables scanned file (without an
extension). Process, capture and
user input variables may be used.
If the scan workflow produces
multiple files, the filename is
appended with a numeric
sequence in the "####" format,
e.g., "0001", "0002", etc.
Please keep in mind

character limitations that
are permitted to be in file
names. Characters that
are not allowed (*, ?, /, \, |,
:, <, >) will cause failure
upon scanned file delivery.

If the file name field is left

blank, the filename
generated by the device
where the scan was made
is used.
If the filename already exists Keep both files Determines the behavior applied
Replace original file if a file with the same name
Append to original file (PDF already exists in the target
only*) directory.
Prepend to original file (PDF
only*)
* PDF/A-2x formats are not
supported
Compliance level None The compliance level of the

(Available only when the output PDF/a-1a searchable PDF output.
format "Searchable PDF" is PDF/a-1b
selected) PDF/a-2a
PDF/a-2u
PDF/a-3a
PDF/a-3u
Modify PDF metadata Enabled or disabled Modifies the standard PDF

(Available only when the output metadata fields in searchable PDF
format "Searchable PDF" is files.
selected) If enabled, specify the following
PDF metadata files:
Title
Author
Subject
Keywords
If appending or prepending a
searchable PDF file, choose
whether to overwrite the
metadata on each append or
prepend.
MRC compression Enabled or disabled Enables or disables the MRC

(Available only when the output compression in a searchable PDF
format "Searchable PDF" is file.
selected) MRC ( Mixed Raster Content ) is a
special compression technology
used to minimize the size of PDF
files.

Document image files are usually

very large due to the background,
which often makes up to 90% of
the file size. The background may,
however, be unnecessary in the
resulting document. It is the text
and pictures that are important.
The PDF MRC compression
technology allows locating the
color background and deleting it
or compressing to a high degree.
This leaves text and pictures
against a white background
contributing to smaller PDF file
size.
Picture objects (diagrams, graphs,
logos, photos, drawings, stamps,
signatures, etc.) are also slightly
compressed, but only to an
extent that does not lower the
quality.
Encrypt PDF Enabled or disabled Enables or disables PDF

(PDF encryption is available only encryption.
when PDF/A compliance is set
to None and Append/Prepend to
original file feature is not used)
Encryption Strength Low 40 bit Encryption The strength of encryption

(Available only if the "Encrypt High 128 bit Encryption desired for PDF output
PDF" option is enabled) High AES 128 bit Encryption
Password Type Generate password Defines the password creation

(Available only if the "Encrypt automatically strategy:
PDF" option is enabled) Define password manually Generate password
(user) automatically – the password
will be generated by the
system and the admin must
provide information for the
delivery of it
Define password manually – if
selected, it is possible to add
a password for the
document, it can contain user
variables.
Send email with password

(Available only if the "Encrypt Enabled or disabled, mandatory if If enabled, an email containing
PDF" option is enabled) "generate password the PDF password will be sent to
automatically" is selected the specified recipients. It is
mandatory if the system
generates the password.
Recipients String or reference to workflow The list of recipients for the

(Available only if the "Encrypt variables password message, defaults to
PDF" option is enabled) "%userEmail%". It is possible to
add multiple recipients separated
by a comma or semicolon.
Subject String or reference to workflow The subject of the email with the
(Available only if "Encrypt PDF" variables password.
option is enabled)
Message String or reference to workflow The content of the message with

(Available only if "Encrypt PDF" variables the password.
option is enabled)
Not all technologies and MFD models support all output file formats. If an unsupported file
format is selected, it is substituted with a similar file format determined by YSoft SafeQ.
Scan Settings
Scan settings are applied to the scanner on the MFD where a YSoft SafeQ terminal user launches
a scan workflow. Decide whether terminal users will have the ability to modify scan settings by
checking or unchecking the Can be modified by the user on the device checkbox next to each
setting.

1. Scan resolution – This option specifies the scanning resolution. If the related check box is
checked, then this option can be modified on the YSoft SafeQ terminal in scan options –
quality.
2. Sides – This option specifies whether the document will be scanned as duplex or simplex. If
the related check box is checked, then this option can be modified on the YSoft SafeQ
terminal in scan options – pages.
3. Color – This option specifies the color scheme of a scan. If the related check box is
checked, then this option can be modified on the YSoft SafeQ terminal in scan options –
color.
Scan DPI
Resoluti
on
Konica Minolta, Develo Sharp, Rico Fuji Xero Toshiba, HP Epso Lex
p, Olivetti ,Aurora Sharp- h Xero x OKI, OKI n mar
eSF x sXP k
Low 200*200 100*100 100 200 72* 150*150 150 200 100
*10 *100 72 *15 *20 *10
0 0 0 0
Normal 200*200 200*200 200 200 200 200*200 200 200 200
*20 *20 *20 *20 *20 *20
0 0 0 0 0 0
Fine 300*300 300*300 300*300

Scan DPI
Resoluti
on
300 300 300 300 300 300

*30 *30 *30 *30 *30 *30
0 0 0 0 0 0
High 400*400 400*400 400 400* 400 400*400 400 600 400
*40 400 *40 *40 *60 *40
0 0 0 0 0
Highest 600*600 600*600 600 600 600 600*600 600 600 600
*60 *60 *60 *60 *60 *60
0 0 0 0 0 0
Not all MFD models support all resolution levels. If an unsupported resolution level is
selected, scanning may not start or resolution is set to at least as good as configured or,
if not possible, the best one available (this differs for each MFD vendor).
Sides
Simplex Only one page of every sheet will be scanned.
Duplex Both sides of every sheet will be scanned.
Some MFD models do not support forcing duplex settings and the user has to set it manually
during the scan.
Color
Full color
Black and white
Two colors
Grayscale
One color
Auto (color scheme is detected automatically by the scanning device)
Not all MFD models support all color schemes. If an unsupported color scheme is selected,
scanning may not start or the color scheme is approximated to the nearest possible value
(this differs for each MFD vendor).

User Input Fields
In the User input fields section, the scan metadata to be collected at the YSoft SafeQ terminal
can be defined in the form of user input. User input is collected from terminal users in a scan
workflow detail. User input values supplied by terminal users are saved in user input workflow
variables.
Add User Input
Click the ADD USER INPUT button and the New user input form opens.
First, select the type of user input to add to a scan workflow.
Next, additional configuration options are displayed. Some of the additional configuration options
are dependent on the type of user input field selected, however, there are several options
common to all types of user input fields.
1. Field title – The title of the user input field that will appear in the workflow detail on the
YSoft SafeQ terminal. Capture variables may be used.
2. Default value – The default value of the user input field. Capture variables may be used.
3. Input required (optional) – If checked, user input must be filled before the terminal user is
allowed to scan a document.
4.

4. Variable name – The name of the variable used to access the user input value in the
workflow. NOTE: Do not use '%' characters.
Click the ADD USE INPUT button (5) to save changes. Click the Cancel or '×' button to discard
them.
Changes made to user input fields will not be reflected until the scan workflow is saved.
Text
Text type user input fields let terminal users enter free text.
Mark text type user input fields as required
Specify the default value for text type user input fields. Capture variables can be used to
specify the default value.
Number
Number type user input fields let terminal users enter whole positive numbers.
Mark number type user input fields as required
Specify the default value for number type user input fields. Capture variables can be used
to specify the default value

Date
Date type user input fields let terminal users enter dates.
Mark date type user input fields as required
Specify the default value for date type user input fields. Capture variables can be used to
specify the default value
Value Input is expected in the "YYYYMMDD" format, e.g., "20160719" for July 19, 2016. Capture
variables that do not hold values in this format should not be used.
Email

Email type user input fields let terminal users enter email addresses.
Mark email type user input fields as required
Specify the default value for email type user input fields. Capture variables can be used to
specify the default value
List
List type user input fields let a terminal user select from a list of possible values.
Mark list type user input fields as required
Specify the default value for list type user input fields. Capture variables can be used to
specify the default value.
Two kinds of data sources for the list are currently supported by the product.
Manual Input List
Manually enter list values through the YSoft SafeQ management interface.
1. Data source – Manually input values means that manually entered values will be used to
fill the selection list on a YSoft SafeQ terminal
2. List items – The list of values for the user input field. The Add row button will append a row
to the list items where a value and a label may be inserted
Only rows with both Label and Value filled are considered valid.
3. Default value – Select the default value from the list, which will be pre-selected in the list
user input on the YSoft SafeQ terminal.

3.
Only valid rows are listed as options in the Default Value.
Only valid rows are going to be saved to the list.
CSV List
The CSV List retrieves data from a source CSV file as specified in the file location path entry. A
common use case is that a CSV file is regularly exported by a third-party system to a shared
folder location and then read by YSoft SafeQ 6 as a list type input source.
1. Data source – CSV File means that a CSV Data source will be used to fill a selection list on
a YSoft SafeQ terminal.
2. Field title – The title of the user input field that will appear in the workflow detail on a
YSoft SafeQ terminal. Capture variables may be used.
3. CSV file location path – The filesystem or UNC path to the CSV file containing data.
4. Label column – The name of a column inside the CSV file containing list item labels. Labels
are displayed as items in the list to YSoft SafeQ terminal users.
5. Value column – The name of a column inside the CSV file containing list item values. Values
are not displayed to YSoft SafeQ terminal users, but are saved in the scan workflow
variable corresponding to the user input field.
6. Delimiter – The delimiter used to separate fields in the CSV file. Can be a comma or
semicolon. The default is comma.
7.

7. Default value – Specify one of the values from the data column. If a valid value (i.e., a value
which exists in the data column) was specified, it will be pre-selected in the list user input.
The source CSV file must be in the standard RFC 4180 CSV file format (please refer to
https://www.ietf.org/rfc/rfc4180.txt). The first row of the CSV file must contain column
names. Below, is example content of a CSV file you may use as a list type user input source:
"name","zip"
"Prague","140 00"
"Brno","602 00"
The CSV file must be accessible to the service account under which the Workflow Processing
System runs at the time when the CSV file is read.
XML List
The XML List retrieves data from a source XML file as specified in the file location path entry. A
common use case is that an XML file is regularly exported by a third-party system to a shared
folder location and then read by YSoft SafeQ 6 as a list type input source.

1. Data source – "XML File" means that an XML Data source will be used to fill the selection
list on a YSoft SafeQ terminal.
2. XML file location path – The file system or UNC path to the XML file containing data.
3. Default value – Specify one of the values from the document. If a valid value was
specified, it will be pre-selected in the list user input.
The XML file must comply with the required XML file format (an example XML file can be
downloaded).
Browse
Browse type user input field is a special type of user input. It cannot be created directly. It is
created automatically by enabling the browsing option (1) in the workflow connector definition.

Click the EDIT button (2) to open the edit folder browsing input field.
1. Field title – The title of the user input field that will appear in the workflow detail on a
YSoft SafeQ terminal. Capture variables may be used
2. Input required – If checked, the user input must be filled out before a terminal user is
allowed to scan a document. When enabled, it is expected that the Target Directory
contains browsable sub folders, i.e. a terminal user cannot scan to the root of a defined
target directory, but must select a sub folder.
Click APPLY CHANGES button (3) to save changes. Click CANCEL or '×' to discard changes.
Once a browse type input field is created, it can be moved, edited or deleted as any other user
input field.
1. For the browse type user input field, the variable name is always browseParameter.
Delete

To delete a user input field, open the drop down menu (1) for the user input field to be deleted,
and select the delete action (2).
Edit User Input
To edit a user input field, click the EDIT button (1). The edit user input dialog opens.
The edit user input form is similar to adding a new user input field, please refer to the Add section
for more detail.
Reorder User Input
User input fields are displayed in the workflow detail screen on the YSoft SafeQ terminal in the
same order as in the workflow definition.

To change the display order of user input fields, drag and drop user input fields using the dotted
area (1).
User Access
User access specifies which YSoft SafeQ roles have access to the workflow and which role is
forbidden to access such a workflow.
Only users belonging to the roles in the Access list will be able to use the workflow. If no role is
listed in the Access list, the workflow will not be accessible to any user.
1. Assign roles – Adds a new role, see the dialog below.
2. Remove – Removes the current assignment.
3. Change access – Changes access to a workflow by selecting "Allowed / Denied " from the
drop down list

1. Search – Filter the values in the table by a given keyword.
2. Sorting – Sort the rows displayed by the selected column.
3. Access – Allow/Deny role access to a particular workflow by selecting a radio button from
the respective column.
If a user has more roles and some of them are allowed to access and other roles are
denied access to a workflow, then the user will not see the workflow on the MFD.
Therefore, the "Deny" feature is stronger than the "Allow" feature. The "None" column is
the initial state and such a role does not have access as well (the user does not see
the workflow on the MFD).
4. Pagination – Navigate through the numerated pages.
5. APPLY CHANGES/CANCEL – Add a selected user roles to the workflow Access list or
discard changes and keep the workflow Access list unchanged.
Workflow Variables
Variables are used to further customize workflows. Access the following types of variables:

capture variables – Available during the entire workflow lifecycle, e.g. information about the
logged user, terminal, etc.
user input variables – Defined on the MFD by the user
process variables – Available during the workflow processing and delivery, e.g., a selected
billing code
Workflow User Input Fields Workflow Processing Workflow Destination
Capture Variables
User Input Variables
Process Variables
*
* Please note, it depends on the order in which processing is done.
Variables start with the '%' character followed by a variable name (no spaces allowed) and end
with the '%' character, e.g. %userEmail%, %barcode%, etc.
Name Workfl Vari Usage

ow able
Destin Type
ation
%barcode% all proc Contains the value extracted from a barcode (for more details, see
ess section 1D Barcode).
% all proc Contains the value extracted from a barcode which triggered a
separationBa ess separation of scan jobs (for more details, see section Scan Job
rcode% Separation).
% all proc The code of the billing code used for this scan job (can be null if none is
billingCode% ess assigned).
% all proc The comma separated file paths of all scanned files in the destination.
fileLocations ess
%
% all proc Contains the text from highlighted text extraction (for more details, see
highlightedTe ess section Highlighter Extraction).
xt%
%deviceID% all capt The ID of the device where a scan was made.
ure
% all capt The name of the device where a scan was made.
deviceName ure
%

ow able
Destin Type
ation
% all capt A description of the device where a scan was made.

deviceDescri ure
ption%
% all capt The ID of a group to which the device where a scan was made belongs.
deviceGroupI ure
D%
% all capt The name of a group to which the device where a scan was made
deviceGroup ure belongs.
Name%
% all capt The IP address a group to which the device where a scan was made
deviceGroupI ure belongs.
P%
% all capt The location of the device where a scan was made.
deviceLocati ure
on%
%deviceIP% all capt The IP address of the device where a scan was made.
ure
% all capt The activate date of the device where a scan was made (in the 'YYYY-
deviceActivat ure MM-DD HH:MM:SS.MS' format).
ionDate%
% all capt The equipment ID of the device where a scan was made.
deviceEquip ure
mentID%
% all capt The device service agreement ID of the device where a scan was made.
deviceServic ure
eAgreementI
D%
% all capt The contact person for the device where a scan was made.
deviceContac ure
tPerson%
% all capt The cost center number of the device where a scan was made.
deviceCostC ure
enterID%
% all capt The cost center name of the device where a scan was made.
deviceCostC ure
enterName%

ow able
Destin Type
ation
% all capt The full path to the folder where YSoft SafeQ is installed on the server
safeqHome% ure where the Workflow Processing System is running (typically C:\SafeQ6).
% all capt The local date on Terminal Server at the time of a scan in the format yyy
scanDate% ure y-MM-dd, e.g., ' 2012-12-21' for December 21, 2012.
% all capt The local time on Terminal Server at the time of a scan in format HH-mm-
scanTime% ure ss-fff, e.g., '12-15-00-000' for a quarter past twelve.
% all capt The cost center number of the terminal user who made a scan.
userCostCen ure
terID%
% all capt The cost center name of the terminal user who made a scan.
userCostCen ure
terName%
% all capt The email of the terminal user who made a scan.
userEmail% ure
% all capt The first name of the terminal user who made a scan.
userFirstNam ure
e%
% all capt The home folder of the terminal user who made a scan.
userHome% ure
% all capt The surname of the terminal user who made a scan.
userSurname ure
%
% all capt The YSoft SafeQ username of the terminal user who made a scan.
userUsernam ure
e%
% all capt Password being used to encrypt a PDF document. (for more details, see
pdfPassword ure section Highlighter Extraction)
%
% except capt The final comma separated list of processed files, including the path to
fileLocations script ure file. This variable is only accessible in notifications.
%
%filePath% script proc The full path of the currently executed file if script execution mode is
ess "Per file", or the path of the last file processed by the Workflow
Processing System if script execution mode is "One time". For more
details, see section Scan to Script.

ow able
Destin Type
ation
%fileList% script proc Full path to the file-list file containing the list of all scanned files.
and ess Relevant for the External Processing Step and for the "One time"
extern execution mode of the Scan to script destination. For more details, see
al the sections Scan to Script and External Processing Step.
proces
sing
step
% script proc Full path to the metadata file containing the list of all workflow variables.
metadata% and ess Relevant for the External Processing Step and for the "One time"
extern execution mode of the Scan to script destination. For more details, see
al the sections Scan to Script and External Processing Step.
proces
sing
step
% all proc After executing the External Processing Step, this variable will contain
externalStep ess the numeric exit code from the external process. If the exit code is not
ExitCode% zero, the workflow is aborted and the failure notification is delivered,
which is where this variable may be useful.
% all proc After executing the External Processing Step, this variable will contain
externalStep ess the captured standard output from the external process (but not the
StdOut% standard error output).
%targetDir% script proc Specifies the location where scanned files (and optionally, metadata and
ess file list files) are stored. For more details, see section Scan to Script.
% all proc The unique ID of the scan job instance. This identifier of the scan job is
scanJobID% ess also visible in the log files.
% all proc A summary of the scan job files sizes.The variable is available only when
scanJobSize ess there is a restriction set on the connector.
%
% all proc The scan job files count. The variable is available only when there is a
scanJobFileC ess restriction set on the connector.
ount%
% all proc The max file count restriction limit. The variable is available only when
connectorFile ess there is a file count restriction set on the connector.
CountLimit%
% all proc The file size restriction limit. The variable is available only when there is
connectorFile ess a file size restriction set on the connector.
SizeLimit%

ow able
Destin Type
ation
% all proc The path to the folder where the scan jobs are stored when a
connectorRe ess restriction is applied. The variable is available only when there is a
strictionsDire restriction set on the connector.
ctory%
% all capt The ID of the workflow used to make the scan.

workflowID% ure
% all capt The name of the workflow used to make the scan.
workflowNam ure
e%
OCR Processing Step - Supported Languages
The OCR processing step available in Advanced Workflows supports recognition of the following
OCR languages:
Languages with Dictionary support
Latin, Cyrillic, Greek or Armenian characters, for which the FineReader Engine provides
dictionary support: Armenian (Eastern, Western, Grabar), Bashkir, Bulgarian, Catalan,
Croatian, Czech, Danish, Dutch (Netherlands and Belgium), English, Estonian, Finnish,
French, German (new and old spelling), Greek, Hungarian, Italian, Indonesian, Latvian,
Lithuanian, Norwegian (Nynorsk and Bokmal), Polish, Portuguese (Portugal and Brazil),
Romanian, Russian, Slovak, Slovenian, Spanish, Swedish, Tatar, Turkish, and Ukrainian.
Japanese, Korean and Hangul with dictionary support, Chinese (PRC and Taiwan).
Thai with dictionary support.
Hebrew with dictionary support, Yiddish.
Arabic with dictionary support, Farsi.
Latin, Azerbaijani (Latin), Russian (old spelling) with dictionary support.
Additional languages
Latin, Cyrillic, or Greek characters: Abkhaz, Adyghian, Afrikaans, Agul, Albanian, Altaic, Avar,
Aymara, Azerbaijani (Cyrillic), Azerbaijani (Latin), Basque, Belarusian, Bemba, Blackfoot,
Breton, Bugotu, Buryat, Cebuano, Chamorro, Chechen, Chukchee, Chuvash, Congo,
Corsican, Crimean Tatar, Crow, Dakota, Dargwa, Dungan, Eskimo (Cyrillic), Eskimo (Latin),
Even, Evenki, Faeroese, Fijian, Frisian, Friulian, Gagauz, Galician, Ganda, German (Luxemburg),
Guarani, Hani, Hausa, Hawaiian, Icelandic, Ingush, Irish, Jingpo, Kabardian, Kalmyk, Karachay-
balkar, Karakalpak, Kasub, Kawa, Kazakh, Khakass, Khanty, Kikuyu, Kirghiz, Koryak, Kpelle,
Kumyk, Kurdish, Lak, Latin, Latvian Gothic, Lezgi, Luba, Macedonian, Malagasy, Malay,

Malinke, Maltese, Mansy, Maori, Mari, Maya, Miao, Minangkabau, Mohawk, Moldavian, Mongol,
Mordvin, Nahuatl, Nenets, Nivkh, Nogay, Nyanja, Ojibway, Old Slavonic, Ossetian,
Papiamento, Provencal, Quechua, Rhaeto-Romanic, Romany, Rundi, Russian (old spelling),
Rwanda, Sami (Lappish), Samoan, Scottish Gaelic, Selkup, Serbian (Cyrillic), Serbian (Latin),
Shona, Somali, Sorbian, Sotho, Sunda, Swahili, Swazi, Tabasaran, Tagalog, Tahitian, Tajik,
Turkmen (Latin), Tok Pisin, Tongan, Tswana, Tun, Turkmen, Tuvinian, Udmurt, Uigur (Cyrillic),
Uigur (Latin), Uzbek (Cyrillic), Uzbek (Latin), Vietnamese, Welsh, Wolof, Xhosa, Yakut,
Zapotec, Zulu.
Artificial languages
Esperanto, Interlingua, Ido, and Occidental.
Programming languages
Basic, C/C++, COBOL, Fortran, JAVA, and Pascal.
Simple chemical formulas
Digits
Scan Workflow-related System Settings
Several YSoft SafeQ system settings affect the way the Workflows function. System settings
can be found on the YSoft SafeQ System screen under Configuration. System settings are
common to all scan workflows and connectors and other YSoft SafeQ modules.
Categor Lev Key Default value Used Description

y el by
NETWOR Exp ftp-port 21 Termi The port used for

K ert nal FTP server
Serve communication.
r
NETWOR Adv ftp-anonymous true Termi If enabled,

K anc nal anonymous login is
ed Serve allowed for FTP
r server authorization.
NETWOR Adv scanServerType FTP Termi The transfer

K anc nal protocols allowed for
ed Serve scanned document
r transfer from an
MFD to YSoft SafeQ.
The possible values
are:
"FTP" – for FTP
protocol

y el by
"WebDAV" – for a
WebDAV
protocol. Can be
secured by SSL
/TLS, see webdav
Ssl system
property, only
KM and Xerox
devices are
supported. Also
if using WebDAV
with a network
load balancer,
please refer to thi
s article.
"SwA" - for SOAP
with
Attachments.
Can be used as
a secure
alternative to
FTP on Fuji Xerox
devices. Please
review the
limitation of this
method and
recommendation
for additional
setup in Require
ments and
known
limitations of
YSoft SafeQ
Embedded
Terminal for
FujiXerox
"WebDAV,FTP" –
for both.
WebDAV is
preferred over
FTP if MFD

y el by
supports it. If
WebDAV cannot
be used, FTP will
be used.
NETWOR Adv scanServerUsernam anonymous Termi The username used

K anc e nal by embedded
ed Serve terminals to
r authorize on a scan
server (FTP or
WebDAV) before
sending data.
NETWOR Adv scanServerPasswor code,-31,-2,43,-90,-103,124,3, Termi The password used

K anc d -49,58,-107,-31,40,74,-57,-1,-120 nal by embedded
ed Serve terminals to
r authorize on a scan
server (FTP or
WebDAV) before
sending data.
NETWOR Adv workflowStorageTy local Termi The scan storage

K anc pe nal type. It can be:
ed Serve local: a local
r server folder
Workf remote: a
low network shared
Proce folder
ssing webdav: a
Syst webdav server
em shared folder
NETWOR Adv workflowStorageRo C: Termi The root path to

K anc ot \SafeQ6\SPOC\terminalserver\sca nal scan storage. Can
ed n Serve be a relative path to
r WPS/Terminal
Workf Server or a UNC
low path, see the
Proce workflowStorageTyp
ssing e parameter.
Syst
em
NETWOR Adv workflowRemoteSto

K anc rageUsername
ed

y el by
Termi The username to

nal access remote scan
Serve storage, e.g.,
r "qa13s162\Administra
Workf tor"
low
Proce
ssing
Syst
em
NETWOR Adv workflowRemoteSto code,-31,-2,43,-90,-103,124,3, Termi The encrypted

K anc ragePassword -49,58,-107,-31,40,74,-57,-1,-120 nal password to access
ed Serve remote scan
r storage.
Workf
low
Proce
ssing
Syst
em
NETWOR Exp webdavSsl Enabled Termi Enable the use of

K ert nal the SSL protocol for
Serve connection to WebD
r AV repositories.
When this setting is
enabled, all WebDAV
connections will be
secured. When it is
disabled, encryption
for WebDAV connecti
ons is disabled.
NETWOR Exp webdavPort 5610 Termi The port used to

K ert nal connect to the
Serve WebDAV server.
r
NETWOR Exp soapWithAttachmen Enabled Termi Enable the use of

K ert tsSsl nal SSL protocol for
Serve connection to SOAP
r with Attachments
(SwA) endpoints.
When this setting is
enabled, all SOAP

y el by
with Attachments
connections will be
secured. When it is
disabled, encryption
for SOAP with
Attachments
connections is
disabled.
EXPERT Exp ocrPoolSize 1 Workf The maximum

ert low number of scan jobs
Proce that involve OCR
ssing that will be
Syst processed in parallel
em by a single Workflow
Processing System
server (scan server).
More jobs will wait in
a queue. See also ocr
ProcessesPerJob,
which controls the
number of OCR
threads that can be
used to process a
single job.
Together, these two
options limit the
number of CPU
cores that can be
used for OCR
processing. For
example, ocrPoolSize
= 2 and
ocrProcessesPerJob
= 3 means that the
system will process
a maximum of two
jobs in parallel and
will utilize as many
as 6 CPU cores in
total.
If the customer
produces a large
number of small

y el by
jobs, you should

increase ocrPoolSize
and keep
ocrProcessesPerJob
low.
If the customer
produces large jobs,
you should keep
ocrPoolSize low and
increase
ocrProcessesPerJob.
EXPERT Exp ocrProcessesPerJo 1 Workf The maximum

ert b low number of
Proce simultaneous OCR
ssing threads that can be
Syst used to process a
em single job. Higher
numbers speed up
the processing of
large scan jobs. The
maximum supported
value is 8. See also
ocrPoolSize, which
controls the number
of jobs that involve
OCR that can be
processed in parallel.
Note that the
number of OCR
threads actually
used to process a
single job is further
limited by the
number of pages
and the total
number of CPU
cores in the system.
Also note that t he
final document
synthesis is done in
a single thread
because it cannot
be parallelized.

y el by
Example: ocrPoolSize
= 2 a nd ocrProcesse
sPerJob = 2. At
most, two jobs are
processed
simultaneously. More
jobs will wait in a
queue. Each job
utilizes, at most, two
CPU cores. In total,
OCR processing may
utilize as many as 4
CPU cores. If the
host only has four
cores, other
applications running
on the same host
may not have
enough resources.
EXPERT Exp ocrDefaultProfile Disabled Workf The default OCR

ert low profile used for all
Proce workflows in the
ssing OCR processing
Syst step. It can be
em overwritten on a
workflow level, see
the ocrProfilePerWork
flow system
property. Use this
property to set
advanced OCR
engine parameters
(e.g., balance the
speed and accuracy
of OCR, blank page
removal conditions,
etc.). If you need any
help, please contact
Y Soft.
Please note that
YSoft SafeQ is
tested only with the
default OCR

y el by
configuration and it
is not possible to
test all combinations
of different OCR
configurations. If
you change the
configuration, you
should test that
OCR is working
properly.
Note: This setting is
affecting only OCR
processing, other
processing using the
OCR engine (e.g.,
highlighted text
extraction) is not
affected.
EXPERT Exp ocrProfilePerWorkflo Workf It enables an option

ert w low to overwrite the
Proce default profile
ssing (stored in the
Syst ocrDefaultProfile
em system property)
per workflow. A new
checkbox "Change
default OCR Profile"
will be available
under the OCR
processing step in
the workflow
definition after
enabling this
property.
Please note that
YSoft SafeQ is
tested only with the
default OCR
configuration and it
is not possible to
test all combinations
of different
configurations. If

y el by
you change the

configuration, you
should test that
OCR is working
properly.
EXPERT Exp ocrInputFileType JPG Workf This specifies the

ert low file format of the
Proce scan document that
ssing is being sent from
Syst the MFD for OCR
em processing.
FEATURE Basi sharepointClientId Workf The GUID on which

S c low the WPS connector
Proce add-in is registered
ssing (see Impersonation
Syst in Sharepoint 2013).
em
FEATURE Basi sharepointIssuerId Workf The GUID on which

S c low the identification
Proce certificate is
ssing registered in
Syst Sharepoint (see
em Impersonation in
Sharepoint 2013).
FEATURE Basi sharepointClientCer Workf The thumbprint of

S c tificateThumbprint low the identification
Proce certificate (must be
ssing installed in the WPS
Syst certification
em storage). Be aware
of hidden leading
symbols if you copy
/paste the value.
NETWOR Exp useProxy Disabled Workf Instructs the

K ert low system to use a
Proce proxy for connecting
ssing to the Internet.
Syst
em
NETWOR Exp useHostProxy Disabled

K ert

y el by
Workf Instructs the

low system to use the
Proce proxy that the
ssing system
Syst administrator has
em set up for the host
system.
NETWOR Exp proxyEndpoint Workf Specify the endpoint

K ert low for the proxy in the
Proce format IP:Port. Examp
ssing le: 127.0.0.1:9999.
Syst The parameter is
em used if
useHostProxy is
disabled.
NETWOR Exp proxyAuthenticate Disabled Workf Instructs the

K ert low system to
Proce authenticate to the
ssing specified property pr
Syst oxyEndpoint .
em
NETWOR Exp proxyUser Workf The username to

K ert low use for
Proce authentication to
ssing the property proxyEn
Syst dpoint . Example,
em "username" or
"domain\user". The p
arameter is used if
proxyAuthenticate is
enabled.
NETWOR Exp proxyPassword Workf The password to

K ert low use for
Proce authentication to
ssing the property proxyEn
Syst dpoint . Use an
em encription tool to set
this value. The
parameter is used if
proxyAuthenticate is
enabled.

y el by
NOTIFICA Basi mailserver Mana The IP address or

TIONS c geme hostname of the
nt primary mail (SMTP)
Serve server. Used by
r YSoft SafeQ to send
Mobil all emails, including
e scans, notifications,
Print alerts, and reports.
Serve
r
Site
Serve
r
Workf
low
Proce
ssing
Syst
em
YSoft
Paym
ent
Syst
em
NOTIFICA Adv mailSmtpPort 25 Mana The TCP port used

TIONS anc geme for communication
ed nt with the SMTP mail
Serve server
r
Mobil
e
Print
Serve
r
Site
Serve
r
Workf
low
Proce
ssing
Syst
em

y el by
YSoft
Paym
ent
Syst
em
NOTIFICA Adv mailSmtpEncryption NONE Mana NONE is the default

TIONS anc geme value, which means
ed nt no encryption is
Serve used.
r When set to the SSL
Mobil /TLS option, then
e the direct SSL/TLS
Print (port 465) is used
Serve for communication.
r When set to the
Site STARTTLS option,
Serve then a STARTTLS
r command is sent
Termi after the
nal communication
Serve channel is created
r (port 587) to
Workf upgrade to the
low secured channel.
Proce NOTE: Mobile Print
ssing Server does not
Syst support the SSL
em /TLS encryption
YSoft option. It always
Paym uses STARTTLS.
ent This behavior can be
Syst overridden by
em setting
"handleSslTlsMailSmt
pEncryptionOptionAs
StartTls" in mps.
config to false. Then
there will be no
encryption used for
the SSL/TLS option.
NOTIFICA Basi mailuser The username used

TIONS c to log into the SMTP
server. Use only if

y el by
Mana your SMTP server

geme requires
nt authentication,
Serve otherwise, leave
r empty.
Mobil
e
Print
Serve
r
Site
Serve
r
Workf
low
Proce
ssing
Syst
em
YSoft
Paym
ent
Syst
em
NOTIFICA Basi mailpass Mana The password used

TIONS c geme to log into the SMTP
nt server. Use only if
Serve your SMTP server
r requires
Mobil authentication,
e otherwise, leave
Print empty.
Serve
r
Site
Serve
r
Workf
low
Proce
ssing
Syst
em

y el by
YSoft
Paym
ent
Syst
em
NOTIFICA Basi mailfrom noreply@ysoft.com Mana The notification

TIONS c geme sender's email
nt address for emails
Serve sent by YSoft SafeQ
r (that is, what will be
Mobil in the From: header).
e
Print
Serve
r
Site
Serve
r
Workf
low
Proce
ssing
Syst
em
YSoft
Paym
ent
Syst
em
NOTIFICA Exp mailEncoding utf-8 Site The encoding used

TIONS ert Serve for creating email
r messages.
Workf
low
Proce
ssing
Syst
em
EXPERT Exp scanDateFormat yyyy-MM-dd Site The C# string

ert Serve format for the date
r used in the
scanDate variable.

y el by
Workf
low
Proce
ssing
Syst
em
EXPERT Exp scanTimeFormat HH-mm-ss-fff Site The C# string

ert Serve format for the time
r Wor used in scanTime
kflow variable. The list of
Proce formats is available
ssing here https://msdn.
Syst microsoft.com/en-US
em /library/8kb3ddd4
(v=vs.110).aspx
Note, be careful
when using
scanTime/scanDate
variables in file
names. They may
contain invalid
characters (for
example, ":").
FEATURE Basi filesystemReplacem - Workf The character to be

S c entCharacter low used for
Proce replacement when a
ssing forbidden character
Syst for FILESYSTEM
em connector is
encountered.
FEATURE Basi sharepoint2010Repl - Workf The character to be

S c acementCharacter low used for
Syst for
em SHAREPOINT_2010
connector is
encountered.
FEATURE Basi sharepoint2013Repl - The character to be

S c acementCharacter used for
replacement when a
forbidden character

y el by
Workf for
low SHAREPOINT_2013
Proce connector is
ssing encountered.
Syst
em
FEATURE Basi sharepoint2016Repl - Workf The character to be

S c acementCharacter low used for
Syst for
em SHAREPOINT_2016
connector is
encountered.
FEATURE Basi sharepointOnlineRe - Workf The character to be

S c placementCharacter low used for
Syst for
em SHAREPOINT_ONLINE
connector is
encountered.
FEATURE Basi dropboxReplacemen - Workf The character to be

S c tCharacter low used for
Syst for DROPBOX
em connector is
encountered.
FEATURE Basi onedriveReplaceme - Workf The character to be

S c ntCharacter low used for
Syst for ONEDRIVE
em connector is
encountered.
FEATURE Adv scanJobsDetailAcco Disabled Mana If enabled, the

S anc unting geme administrator can
ed nt enter detailed prices
Serve for the accounting
r of scan jobs

y el by
Site depending on color

Serve (B&W/color) and
r paper size (large
/small).
TERMINA Adv sharpPdfCompressi LOW Termi Specifies the PDF

L anc onLevel nal compression level
ADMINIS ed Serve for Sharp devices,
TRATION r can be:
LOW = the
highest quality,
the biggest file
MIDDLE
HIGH = the
lowest quality,
the smallest file
TERMINA Exp hpScanJobAssembl Disabled Termi This property

L ert yEnabled nal enables native HP
ADMINIS Serve scan job assembly
TRATION r feature. When
disabled, the feature
is hidden.
5.9.1.11 Management Interface - License Activation
Overview
The YSoft SafeQ license file is generated by the YSoft SafeQ License Portal (https://activate.ysoft.
com). YSoft SafeQ requires only an activation key, which is part of the license agreement
received after the product has been purchased. After entering the activation key, the license file
is available for download from the portal.
The YSoft SafeQ system provides the following information to the YSoft SafeQ License Portal
during the activation process:
The computer ID (the identifier of the host operating system)
The YSoft SafeQ 6 build number
The activation key
The activation process can either be online if the YSoft SafeQ server has a direct Internet
connection to the License Portal, or offline by following the instructions provided on the
management interface. Offline activation can also be used for obtaining the 30-day trial license.

The result of the activation is that YSoft SafeQ is activated with all available features and the
management interface no longer prompts for activation. When the license is activated properly:
The activation portal generates the support ID.
The license is automatically distributed across the entire system (all Management
Servers and Spooler Controller components).
Activation information is included in the downloaded license in the form of a computer ID

and build number used for activation. Each generated license is associated with the computer
ID and build used for activation. License reactivation is necessary with every system update.
Support ID
Support ID is a unique identifier of every YSoft SafeQ installation. All orders related to the
installation are associated with one Support ID. Every Support ID is bound to the computer where
the first activation has been done. If a customer orders additional features or devices, the
activation code from the new order needs to be used on the same server as before, otherwise,
the new features or devices will not be added successfully. In the case of a server cluster, all the
activation codes need to be applied on the first license node.
Support ID can be found by the following means:
1. In the management interface on the dashboard.
2. In the management interface in the System/License information.

Y Soft partners can find the support ID in the Service Desk in the list of registered installations.
Activation Methods
Online activation
An administrator logs into the management interface, enters the activation key received after
purchase, and selects the Activate online activation method. After the administrator clicks the
Activate button, the YSoft SafeQ server contacts the activation portal and tries to activate YSoft
SafeQ. If an activation key matches an existing license, the license is encoded and sent to the
server. The YSoft SafeQ server stores the license and YSoft SafeQ is activated. No restart is
required.
Online activation requires a direct connection to the Internet.
Offline activation
An administrator logs into the management interface, enters the activation key received after
purchase, and selects the Activate offline activation method. YSoft SafeQ generates an encoded
integrity key containing information for activation. The next step required for successful
activation is to manually generate the license key at the activation portal.
The previously generated integrity needs to be entered in the corresponding field on the web
page. The license key is returned if the integrity key contains a valid activation key. The returned
license key can be entered via the management interface which activates the YSoft SafeQ copy.
License Upgrade
A license upgrade is a process where the currently activated license receives additional devices,
features or an extended duration of support. Once the extension has been purchased, the new
activation key is obtained. The new key has to be activated on the YSoft SafeQ management
interface so that the key is bound to the existing license.

Multitenant Licensing
Read Activating YSoft SafeQ 6 in multitenant mode for more information.
Troubleshooting
YSoft SafeQ is deactivated on the following occasions:
On Computer ID change (e.g., sysprep or operating system re-installation).
On version change (e.g., update to 6.0.x version) – in such a case, perform online or offline
reactivation. The license will be updated to a newer build number.
On date expiration (some licenses are time-limited) – in such a case, all devices will be
switched to no accounting status. Please contact our sales department to obtain the
license without time limitation.
In the case of issues with license activation, the first troubleshooting step is using the offline
activation method. This method displays error messages returned by the activation server. The
information from offline activation is required by Y Soft customer support services when an
incident via Service Desk is reported. Each incident needs to contain a screenshot of the error
message, the generated integrity key and a description of the steps that were performed prior to
the activation (e.g., an old server has failed and we are trying to activate the license on a new
server).
In the case of a hardware failure of the node that was used for activation of the license, it is
necessary to transfer the license to another node. The activated license is associated with
the unique node identifier and the system will be deactivated after the simultaneous restart
of all the remaining cluster server nodes (for example, during a power outage if the servers
are not equipped with UPS protection). You can read more information about how to transfer
the license on the dedicated page Transferring a License to a New System.
The license transfer process can take some time. During this time, the system is able to work
without issue as all the nodes have information about the unique identifier of every node,
including the offline one (if it was connected to at least one node between its start and the
hardware failure). However, it is important not to shut down all the remaining cluster nodes
at once otherwise the unique identifier of the offline node would be lost and the system will
become deactivated (the remaining cluster nodes would lose the ability to verify an activated
license). It is possible to restart each node during the license transfer period but the nodes
must be restarted one by one and you can continue with the next node's restart online after
the lastly restarted node comes fully online and connects to the rest of the cluster. You can
see the state of the cluster in the dedicated Management Service cluster status widget.
When the node is marked green, it is safe to consider it online and the next node can be
restarted.

Cannot install a device with an embedded terminal due to insufficient licenses
It is possible that when reporting devices are installed before devices with an embedded terminal,
they get assigned the wrong license type. That can result in the inability to install a device with
an embedded terminal even though the license should allow it.
To see which devices have which licenses assigned, you can visit System -> License information
page. In the section License usage, you can click the respective license to see a list of devices
that have it assigned. You can also filter devices by license type in the Devices list using the
Advanced filter.
Resolution steps:
1. Remove a reporting device (taking the embedded terminal license slot) or remove the device
itself to free the embedded terminal license.
2. Reactivate the license that fixes the incorrect license allocation.
3. Edit (or create) the device you want to update to an embedded terminal.
Removing a device and creating it again can have consequences in reporting (it would be
considered a new device). There can also be issues with Counter reports.
Activating YSoft SafeQ 6 in multitenant mode
In order to enable mutlitenant YSoft SafeQ 6 installation, there are two license types required:
Special license for multitenancy that enables the tenant administration in YSoft SafeQ
management interface
Standard YSoft SafeQ 6 license that will be used for a tenant
Each tenant requires their own license
Activating YSoft SafeQ 6 in multitenant mode
1. After installing YSoft SafeQ 6 for the first time, first activate the multitenancy license
a. Above the Dashboard click the Activate New License button, or visit the License
information and choose to activate your license
b. Choose Activate New License and on the next screen enter Activation Code and
check the "The entered activation code enables multitenant mode" checkbox below
c. Complete online or offline activation
2. Log out and close the Management interface webpage in your browser
3. Open new page and navigate to address of your YSoft SafeQ server using browser
a. Leave option Domain empty

3.
b. Provide your admin access credentials
c. You will be automatically logged into the Cloud Dashboard (see at the top) of
4. Check the License information in System settings, which should read Multitenancy as
shown on the picture below
5. Now, access the Tenant management from the top right menu
6. Activate the first YSoft SafeQ 6 tenant using normal YSoft SafeQ 6 license
Multitenancy license is provided by Y Soft on-demand, please contact your Y Soft sales
representative.

The multitenacy license must be always activated as the first license after system
installation. It is not possible to activate multitenancy license in an existing installation, which
has been already activated with normal license.
YSoft SafeQ 6 must be always activated or reactivated from the first YSoft SafeQ
Management node.
License Reactivation
After upgrading to a new release or restoring an installation on the same hardware and the same
operating system (without the OS being reinstalled), the product must be reactivated again. When
a license reactivation is performed, all orders that have been previously used on that server will
be activated automatically.
License Reactivation
1. On the Dashboard, click License information, CHANGE EXISTING LICENSE and Reactivate
existing license.
2. Then select one of the activation methods (Online activation or Offline activation), and
perform the corresponding following steps.
License Reactivation Cluster Limitations
YSoft SafeQ should always be activated or reactivated from management server when all
cluster nodes are online/installed. The environment will send unique computer IDs from all
management nodes to YSoft SafeQ License Portal (the activation portal). The combination of
a unique computer ID/s and tenant ID is called an integrity key. If a node becomes unavailable
forever (for example, when its hardware becomes damaged) and the node must be exchanged,
you have to follow Transferring a License to a New System instructions.
Note that the integrity key does not contain sensitive data like the IP address of the server,
etc. The integrity key is a combination of the unique computer IDs and tenant ID.
License Upgrades
License upgrades allow you to extend an existing license with additional devices, features or
support (after a purchase has been made).
Prerequisites
For prior license upgrades, make sure that you have:

Access to the management interface
A new activation key
Performing the License Upgrade
1. Log in as an administrator to the management interface and open the license information.
It is better to install all management cluster nodes before license upgrade otherwise
you will need to reactivate license again.
2. Click CHANGE EXISTING LICENSE.
3. Select Upgrade existing license.
4. Enter the new activation key.
5. Select one of the activation methods (Online activation or Offline activation), and follow the
next steps to finish the license upgrade.
Offline Activation
New Offline Activation
1. On the Dashboard, click Activate new license.
2. You will be notified via a modal dialog to wait with activation until the last management
server is installed in case if you plan to install the YSoft SafeQ management cluster. Click
Continue with activation.
3. On the Activation key screen, enter the activation key and click Next.
4. On the Activation method screen, select the Activate offline option and click Next.
5. The integrity key is generated automatically. Copy the integrity key and click Next.
etc. The integrity key is a combination of the unique computer ID and tenant ID.
YSoft SafeQ should always be activated or reactivated when all management server nodes
are online. See more information at the License Reactivation limitations section.
Online Activation
New Online Activation
1. On the Dashboard, click Activate new license.

server is installed in case if you plan to install the management cluster. Click Continue with
activation.
3. On the Activation key screen, enter the activation key and click Next.
4. On the Activation method screen, select the Activate online option and click Activate.
Management server (cluster) contacts the activation portal and downloads the license.
etc. The integrity key is a combination of the unique computer ID and tenant ID.
YSoft SafeQ should always be activated or reactivated when all management server nodes
are online. See more information at the License Reactivation limitations section.
Transferring a License to a New System
Before transferring a license to a new server (e.g., when the original hardware fails) or extending a
management server cluster, it is necessary to enable reactivation on the new hardware.
If the reactivation is not allowed, the license server will determine that the activation has
happened on a different computer and the activation will fail with one of the following messages:
This license has been previously used on a different server.
You are trying to activate license MAxxxxxxx on a server where a different license
(MAxxxxxxx) has been used in the past.
Alternatively, you can see warning screen on management interface for cluster installations
although the action was successful, see License Troubleshooting page with more detail
description.
Please Follow These Steps to Enable Reactivation:
Variant 1:
Method requires portal role "Sales general" which is available mostly to sales personnel. If you
account misses the role you are not able to see "Business support" menu. If you manage more
users accounts, you can list their permissions in menu My Account -> Account Management ->
My Users -> Organisation Users.
1. For prevention and proper functioning visit the Partner Portal
2. On the Partner portal remove hardware lock:
a. Login to the partner portal.

2.
b. Left menu → Business support / License management.
c. Find customer license and click on the Detail.
d. On the detail page, click on the Software wizard button.
e. At the top of the screen, you will see the license information. Click on the HW-locked
and insert the e-mail for a confirmation.
f. Now you should see "Unlocked to new HW."
3. Go back to the management interface and Activate license again (Online or Offline)
a. Use Upgrade existing license if it is available among other options.
Variant 2:
1. The partner responsible for the installation needs to send a request to allow reactivation on
the new hardware to the license support e-mail.
2. The request must contain:
the reason why the transfer is needed
the support ID or the customer company name
3. Note that the approval process may take several days to complete.
4. If you urgently need the license, you can activate the trial license instead. Please see Trial
Licenses for information about the volume of supported devices.
Trial License Activation
Y Soft Partners can activate YSoft SafeQ 6 with a free 30-day trial license. A trial license
provides the complete YSoft SafeQ 6 Enterprise Suite with licensing for 25 devices with
embedded terminals and 25 devices without embedded terminals.
Activating a New Trial License
1. On the Dashboard, click the Start a trial button.
server is installed in case if you plan to install the YSoft SafeQ management cluster. Click
Continue with free trial activation.
3. An integrity key is generated automatically. Copy the integrity key and click Next.
License Troubleshooting
YSoft SafeQ can be deactivated on the following occasions:
On Computer ID change (e.g., sysprep or operating system re-installation).

On version change (e.g., update to 6.0.x version)
On date expiration (some licenses are time-limited)
How to solve the issues:
If your version of YSoft SafeQ has been updated to the newest build or maintenance
u p d a t e .
In such a case, perform online or offline reactivation. The license will be updated to a newer
build number.
If your license has expired

In such a case, all devices will be switched to no accounting status. Please contact our sales
department to obtain the license without a time limitation.
In the case of issues with license activation, the first troubleshooting step is using the offline
activation method. This method displays error messages returned by the activation server. The
information from offline activation is required by support for an incident resolution. Each license
incident needs to contain a screenshot of the error message, the generated integrity key, and a
description of the steps that were performed prior to the activation (e.g., an old server has failed,
and we are trying to activate the license on a new server).
Cannot install a device with an embedded terminal due to insufficient licenses
It is possible that when reporting devices are installed before devices with an embedded terminal,
they get assigned the wrong license type. That can result in the inability to install a device with
an embedded terminal even though the license should allow it.
To see which devices have which licenses assigned, you can visit System -> License information
page. In the section License usage, you can click the respective license to see a list of devices
that have it assigned. You can also filter devices by license type in the Devices list using the
Advanced filter.
How to solve this issue:
1. Remove a reporting device (taking the embedded terminal license slot) or remove the device
itself to free the embedded terminal license.
2. Reactivate the license that fixes the incorrect license allocation.
3. Edit (or create) the device you want to update to an embedded terminal.
Removing a device and creating it again can have consequences in reporting (it would be
considered a new device). There can also be issues with Counter reports.

Cluster License activation issues after upgrading to YSoft SafeQ Build 42 or later
Users may encounter issues with cluster license activation right after upgrading from earlier
versions to Build 42 or later:
Error 500 appears when the user tries to activate license
Re-activation of the license in YSoft SafeQ is required. However, using the "Re-activate Existing
License" process in YSoft SafeQ does not always work to enable the updated license clustering.
The license activation key needs to be re-entered using the "Upgrade Existing License" process
in YSoft SafeQ. The necessary steps are described in the License Upgrades guide.
Always make sure that all Management Service nodes are the same version. All nodes should
be stopped before update.
Hardware failure of all nodes
In the case of a hardware failure all nodes that was used for activation of the license, it is
necessary to transfer the license to another node. The activated license is associated with the
node identifiers and the system will be deactivated when licensed nodes are lost or after the
simultaneous restart of all the remaining cluster server nodes that are not licensed (for example,
during a power outage if the servers are not equipped with UPS protection). You can read more
information about how to transfer the license.
Go through the section General solution below.
Potential issues
If you see the message "Potential issues: You already have activated a YSoft SafeQ
management cluster detected with unlicensed nodes", probably:
The new management node has been added to your management cluster.
The administrator did not wait with the activation until the last management server was
installed in case if he planned to install the management cluster.

Go through the section General solution.
License activation failed
If you see the following screen, probably:
The license has been used previously to activate the different server and currently do not
allow to enable another server.
You are trying to activate license MAxxxxxxx on a server where a different license
(MAxxxxxxx) has been used in the past.
Go through the section General solution below.
General solution
This solution is related to issues:
Hardware failure of all nodes
Potential issues

License activation failed
Variant 1:
Method requires portal role "Sales general" which is available mostly to sales personnel. If you
account misses the role you are not able to see "Business support" menu. If you manage more
users accounts, you can list their permissions in menu My Account -> Account Management ->
My Users -> Organisation Users.
1. For prevention and proper functioning visit the Partner Portal
2. On the Partner portal remove hardware lock:
a. Login to the partner portal.
b. Left menu → Business support / License management.
c. Find customer license and click on the Detail.
d. On the detail page, click on the Software wizard button.
e. At the top of the screen, you will see the license information. Click on the HW-locked
and insert the e-mail for a confirmation.
f. Now you should see "Unlocked to new HW."
3. Go back to the management interface and Activate license again (Online or Offline)
a. Use Upgrade existing license if it is available among other options.
Variant 2:
1. The partner responsible for the installation needs to send a request to allow reactivation on
the new hardware to the license support e-mail.
2. The request must contain:
the reason why the transfer is needed
the support ID or the customer company name
3. Note that the approval process may take several days to complete.
4. If you urgently need the license, you can activate the trial license instead. Please see Trial
Licenses for information about the volume of supported devices.

5.9.2 YSOFT SAFEQ PAYMENT SYSTEM ADMINISTRATION
5.9.2.1 Configuring Payment System
This section describes the advanced configuration of Payment System and its components.
The described settings and features usually require the manual editing of configuration files.
Integration into YSoft SafeQ
Configuring YSoft SafeQ for Payment System
1. Make sure that your YSoft SafeQ license has the feature YSoft Payment System.
2. Log into YSoft SafeQ tenant management or switch from Cloud administration and select
your tenant.
3. Make sure your YSoft SafeQ is using the proper currency. The same currency will be used
by YSoft Payment System. You can find it in Dashboard > Welcome to YSoft SafeQ >
Regional Settings.
4. Go to System > Configuration > YSoft Payment System.
5. Set the following configuration:
enablePaymentSystem – Set Enabled
paymentSystemApiUrl – Set the true IP address of your YSoft Payment Server (for
example, https://10.0.0.1:8443/ )
6. Click Save changes and restart the required services.
Configuring the Roles for Administrators and Cash Desk Operators
Payment System requires these user roles:
YSoft SafeQ Administrators with full access rights for logging into the YSoft SafeQ
Payment System Administration web interface
Cash Desk operators for logging into the YSoft Cash Desk web interface
Roles can be assigned in YSoft SafeQ using the following steps:
1. Log into YSoft SafeQ tenant management or switch from Cloud administration and select
your tenant.
2. Go to the Users > Users tab.
3. Go to the detail of the chosen user.
4.

4. Go to Roles and click Add role.
5. Choose the required role.
6. Save changes.
7. And, optionally, if you need to use the role immediately, go back to the list of users, click
Actions > Update data on Spooler controllers, and run synchronization against the Spooler
Controller used by your Payment System.
Advanced Configuration of YSoft SafeQ Payment System
Overview
The configuration of YSoft Payment System can be found in the <payment_home>/ps-conf

/environment-configuration.properties file.
Each key-value pair from the tables below represents a separate line in the property file.
Each line starting with a # symbol represents a comment and will be ignored.
The definitions of the cron expressions can be found here.
Values with non-ASCII symbols should be escaped. You can use this online tool for escaping
characters.
In order to load the configuration, restart the YSoft SafeQ Payment System service after each
change of configuration in the property files.
Always leave the first line of the property file blank or filled with a comment. Otherwise, it
might cause problems during the loading of the configuration.
Here is example of property file.
#intentional comment on the first line

key=value
key=0 0 0 * * *
key=some non-ascii characters \u0161\u010D\u0159
General
Proxy Setting
Key Default Value Possible Values Description
general.proxy.host hostname Proxy host. If not specified, a proxy will

IP address not be used.
general.proxy.port number If a host is specified, this must not be

empty.

general.proxy. string Proxy login name.

username
general.proxy. string Proxy password. If a login is specified, it

password must not be empty.
Payment system
paymentSystem. internal-payment- internal- Indicates where will money be stored:

type system payment- internal-payment-system: PS
system database
external- external-payment-system: external
payment- payment functionality provider
system
Certificate Watchdog
certificate. 120 number Days to certificate expiration. After this

watchdog. time, the system starts notifying the
warnDays administrator.
certificate. 30 number Days to certificate expiration. After this

watchdog. time, the system starts warning the
errorDays administrator.
certificate. 000*** cron expression Interval in m. How often certificates will

watchdog.cron be checked. (default = every day)
Payment Machines
spm.statistics. 0 */15 * * * * cron expression Configuration for payment machine

dump.cron statistics logging. Defines how often
statistics about payment machine are
generated.
spm.dumpfile path to dump file Path to dump file.
spm.timeout.check. 0***** cron expression Defines how often the system try to
cron disconnect timed out payment
machines. (default = every minute)
Performance Statistics
0 */15 * * * * cron expression

statistics.dump. System performance statistics logging.

cron.period How often statistics are generated.
statistics.dump. 0 0 0,12 * * * cron expression System performance statistics logging.

cron.total How often total statistics are
generated.
License Portal Setting
com.ysoft.payment. https://activate. URL Contains the URL of the portal for the
licenseportal.url ysoft.com online activation of YSoft Payment
lic-act? Payment System.
integrityKey=
{integrityValue}
Notification Support
notification.send- 0 0/5 * * * ? cron expression The cron format interval specifies how
emails.cron often emails in YSoft Payment System
are sent. (default = every five minutes)
mail.debug false true Debug mode of logs for email sending.

false
JavaScript Localization
javascript. js_messages filename JavaScript has its own localization files.

localization. (validation messages, datepicker, select
bundleName boxes, ...) This property defines the
bundle name of the localization file.
javascript. js_messages_fix filename This bundle of localization files contains

localization. some internationalization fields like a
bundleName-fix decimal separator or a date pattern for
a datepicker. The properties of this file
are not sent to the translation process.
Database Configuration
Main YSoft SafeQ Payment System Database
database.vendor H2 PostgreSQL Database vendor describes the

MSSQL database engine being used.

database.url jdbc:h2:mem: string Database URL – connection string to

clearing; the main YSoft SafeQ Payment System
DB_CLOSE_DELAY database (dependent on the database
=-1;MVCC=true engine).
database. sa string Database username – the username of

username the user used to connect to the main
database.
database. string Database password – the password of

password the user used to connect to the main
database.
Domain configuration for main YSoft SafeQ Payment System MSSQL database
key default possible description

value values
domain. string Domain name - name of Windows domain used to connect to main
name YSoft SafeQ Payment System database of vendor MSSQL
domain. string Domain username - username of user used to connect to main

username YSoft SafeQ Payment System database of vendor MSSQL
domain. string Domain password - password of user used to connect to main

password YSoft SafeQ Payment System database of vendor MSSQL
Connection Pool
database. 5 number The number of seconds that describes

transactionTimeout the timeout for all transaction-based
operations. Values around 15 seconds
should still be optimal. Values larger
than 30 seconds are not recommended
because of possible database
deadlocks.
database. 1 number Initial number of connections in the pool.

initialConnectionPo
olSize
database. 20 number Maximum number of open prepared

maxOpenPrepared statements per connection. 0 for no
Statements limit.
60 number

database. The maximum number of active

maxActiveConnecti connections that can be allocated at
ons the same time. -1 for no limit.
database. 0 number The minimum number of connections

minimumIdleConne that can remain idle without extra ones
ctions being created. 0 to create none.
database. -1 number The maximum number of connections

maximumIdleConne that can remain idle without extra ones
ctions being released. -1 for no limit.
database. 60000 number The number of milliseconds to sleep

timeBetweenEvicti between runs of the idle connection
onRunsMillis cleanup thread.
database. 60000 number The minimum amount of time a

minEvictableIdleTim connection may sit idle in the pool
eMillis before it is eligible for eviction.
Database Schema
database. changelog.xml liquibase Mainly, it is used for the default

changelog changelog filepath initialization of a database structure and
default configuration records. This file
can also contain updates of database
schema and records. This file has to be
according to the rules of Liquibase (http:
//www.liquibase.org/).
UI/API Configuration
General
web.channel https http The channel clients are required to

https communicate through with any web UI,
any including cash desk, custom web and
administration web.
Note that the REST API is still
configured via the restAPI.channel
property.
WARNING: setting this property to
anything other than https bypasses
SSL!

Cash Desk UI
cashdesk. true true Flag indicating whether cash desk

cacheResources false resources should be cached. (server
side resources – HTML templates, ...)
cashdesk. false true Flag indicating whether to apply a

applyTheme false custom cash desk theme, whether to
use default cascade styles (css).
Administration UI
web. true true Flag indicating whether administration

cacheResources false resources should be cached. (server
side resources – HTML templates, ...)
web.applyTheme false true Flag indicating whether to apply a

false custom cash desk theme, whether to
use default cascade styles (css).
REST API
restApi.channel https http The channel clients are required to

https communicate through the REST API
any WARNING: setting this property to
anything other than https bypasses
SSL!
Authorization/Authentication
User Management
authentication. safeq-user- standalone- How to authenticate users. The options

type management user- are:
management standalone-user-management: a
safeq-user- database is queried to authenticate
management users.
safeq-user-management: YSoft
SafeQ's authentication service is
used to authenticate users.
safeq. tcp://127.0.0.1: tcp://<IP address Connection details (host and port) of a

authentication. 5556 /hostname>:<port> YSoft SafeQ Site Server (specifically,
address the Spooler Controller) that serves as a
user management system.

If this does not point to 127.0.0.1, please

make sure that the YSoft SafeQ
configuration property terminalServe
rListeningAddress doesn't prevent
connections from outside the server (as
it does by default), and make sure to
protect the endpoint with a firewall.
authentication. 0 */2 * * * * cron expression How often user management should be

watchdog.cron checked. (default = 2 minutes) Indicates
that user management is reachable. If
user management is unreachable, then
a new incident is reported. A new
incident is reported if the user
management is reachable again.
Sign-on Authentication
sign-on.type form-sign-on form-sign-on Sets method of signing on.

sso-sign-on sso-sign-on: via Windows Single Sign-
saml-sign-on On (Windows Integrated
Authentication)
form-sign-on: via form sign on
saml-sign-on: via SAML Single Sign-
On server
sign-on.sso. true true / false If true, the username from Windows

cutUsernameDomai Integrated Authentication will be
n stripped of its domain (e.g., EXAMPLE\doe
will become doe).
saml.baseUrl https://localhost: URL The base part of the URL where YSoft
8443 SafeQ Payment System is accessible.
saml.keystore. The name of the Java keystore file to

name use for encrypted communication.
saml.keystore. The password for the Java keystore

password file.
saml.keystore.alias The alias name of the certificate record

in the keystore file.
Payment Gateways
Payment Gateway Availability

payment.gateway. 0 */2 * * * * cron expression How often to check if the payment

watchdog.cron gateway is OK.
Security
truststore.path <payment_home> relative path The name of the Java truststore file to
/ps-conf/truststore. to use for encrypted communication. See C
jks <payment_hom onfiguring SSL/TLS for YSoft SafeQ
e> Payment System.
absolute path
truststore. The password to Java truststore

password specified in truststore.path. See Co
nfiguring SSL/TLS for YSoft SafeQ
Payment System.
Open Deposit Periodic Jobs
pendingDeposits. 0 0/15 * * * * cron expression How often pending deposits should be

retry.cron retried.
pendingDeposits. 10 number How long after the deposit starts

retry.delayMinutes should payment system retry pending
deposits.
openDeposits. 000*** cron expression How often open deposits should be

expiration.cron cleaned up.
Remember Me
rememberme. remember-me- remember-me- This property's turn on remember me

support disabled disabled functionality in the application
remember-me- options are:
cashdesk remember-me-disabled – remember
me is not enabled.
remember-me-cashdesk – enables
remember-me for Cash Desk.
rememberme. 2592000 number after this time, the remember-me

expiration cookie expires
the number of seconds
the default is 30 days

rememberme. YPS_REMEMBER_M string The name of the remember-me cookie in

cookieName E a client's browser.
Advanced Configuration of the PayPal Gateway Plugin
All mandatory configurations can be managed during installation (see Payment gateway plugin
deployment). Once the PayPal Gateway plugin is installed, you can use this guide to change
existing or set advanced options. Configuration of the PayPal Payment Gateway Plugin can be
found in <payment_home>/ysoft/paypal-configuration.properties file. For more information about
property files, see Advanced Configuration of YSoft SafeQ Payment System#Overview.
Key Description
paypal.paymentSystemUrl The URL pointing to the PS REST API used for Payment Gateway
integrations.
default: https://localhost:8443/payment-system/api/v1/paymentgateway
/deposit
paypal.channel Whether the PayPal Integration UI should require HTTPS or HTTP

connections.
default: https
paypal. The number of days after which the retrying of PayPal payments stop.
paymentExpirationDays 30 is the number of days after which PayPal itself expires its payments.
default: 30
paypal. The number of hours after which completed deposits are removed from
completedDepositCleanupHo the database.
urs default: 1
paypal.depositCleanupDays Number of days after which deposits are removed from the database.
default: 60
paypal. How often pending deposits should be retried.

retryPendingDepositsCron default: 0 0/10 * * * ?
paypal. How often pending deposits should be checked for expiration.

expirePendingDepositsCron default: 0 0 0 * * ?
paypal.cleanupDepositsCron How often deposits should be cleaned up.

default: 0 0 * * * ?
paypal.depositItemName The text that appears as the item name in PayPal.

default: Deposit
paypal.useHttpProxy

Key Description
If set to true, PayPal will be contacted through a proxy (note that

Payment System will always be contacted directly).
default: false
paypal.httpProxyHost Proxy host.

default: localhost
paypal.httpProxyPort Proxy port.

default: 3128
paypal.httpProxyUserName Proxy authentication username.
paypal.httpProxyPassword Proxy authentication password.
paypal.database.vendor Database vendor (e.g. ,H2, MSSQL, PostgreSQL, ...).

default: H2
paypal.database.url Database connection string.

default: jdbc:h2:mem:paypal-integration;DB_CLOSE_DELAY=-1;MVCC=true
paypal.database.username Database username.

default: sa
paypal.database.password Database password.

(required)
paypal.returnUrlPrefix The string that URLs sent to PayPal get prefixed with. For example, if this
property is set to 'https://example.com', then the confirmation URL sent
to PayPal will look like this 'https://example.com/deposit/123/payment-
confirmed-by-paypal'. This is done to allow the integration module to sit
behind a proxy with a public name without URL rewriting.
(required)
paypal.clientId PayPal's "username". (PayPal API app Client ID)

(required)
paypal.clientSecret PayPal's "password". (PayPal API app Secret)

(required)
paypal.serviceEndpoint PayPal's service URL (e.g., https://api.paypal.com).

(required)
paypal. Payment System's username. (the user has to have the appropriate
paymentSystemUsername rights set up in Payment System)
(required)
paypal. Payment System's password.

paymentSystemPassword (required)

Advanced Configuration of the DIBS Gateway Plugin
All mandatory configurations can be managed during installation (see Payment gateway plugin
deployment). Once the DIBS Gateway plugin is installed, you can use this guide to change existing
or set advanced options. Configuration of the DIBS Payment Gateway plugin can be found in
<payment_home>/ysoft/dibs-configuration.properties file. For more information about property
files, see Advanced Configuration of YSoft SafeQ Payment System#Overview.
Key Description
dibs.paymentSystemUrl URL pointing to the PS REST API used for Payment Gateway integrations.
default: https://localhost:8443/payment-system/api/v1/paymentgateway
/deposit
dibs.channel Whether the DIBS Integration UI should require HTTPS or HTTP

connections.
default: https
dibs. The number of days after which the retrying of DIBS payments stops.
paymentExpirationDays default: 30
dibs. The number of hours after which completed deposits are removed from
completedDepositCleanupH the database.
ours default: 1
dibs.depositCleanupDays The number of days after which deposits are removed from the database.
default: 60
dibs. How often pending deposits should be retried.

retryPendingDepositsCron default: 0 0/10 * * * ?
dibs. How often pending deposits should be checked for expiration.

expirePendingDepositsCron default: 0 0 0 * * ?
dibs.cleanupDepositsCron How often deposits should be cleaned up.

default: 0 0 * * * ?
dibs.useHttpProxy If set to true, DIBS will be contacted through a proxy (note that Payment
System will always be contacted directly).
default: false
dibs.httpProxyHost Proxy host.

default: localhost
dibs.httpProxyPort Proxy port.

default: 3128
dibs.httpProxyUserName Proxy authentication username.
dibs.httpProxyPassword Proxy authentication password.

Key Description
dibs.database.vendor Database vendor (e.g., H2, MSSQL, PostgreSQL, ...).

default: H2
dibs.database.url Database connection string.

default: jdbc:h2:mem:dibs-integration;
DB_CLOSE_DELAY=-1;MVCC=true
dibs.database.username Database username.

default: sa
dibs.database.password Database password.

(required)
dibs.returnUrlPrefix The string that URLs sent to DIBS get prefixed with. For example, if this
property is set to 'https://example.com', then the confirmation URL sent to
DIBS will look like this: 'https://example.com/deposit/123/payment-confirmed-
by-dibs'. This is done to allow the integration module to sit behind a proxy
with a public name without URL rewriting.
(required)
dibs.dibsUrl DIB's service URL.

default: https://payment.architrade.com/paymentweb/start.action
dibs.transactionInfoUrl DIBS's transaction info URL.

default: https://payment.architrade.com/cgi-bin/transinfo.cgi
dibs.transactionStatusUrl DIBS's transaction status URL.

default: http://payment.architrade.com/transstatus.pml
dibs.username Username of DIBS merchant's account.

(required)
dibs.password Password of DIBS merchant's account.

(required)
dibs.md5.key1 Merchant key for payments.

(required)
dibs.md5.key2 Merchant key for payments.

(required)
dibs.merchantId (required)
dibs.gateway.language # da=Danish, en=English, de=German, es=Spanish, fi=Finnish, fo=Faroese,

fr=French, it=Italian, nl=Dutch, no=Norwegian, pl=Polish (simplified),
sv=Swedish, kl=Greenlandic
(required)
dibs.gateway.allowedCards See link http://tech.dibspayment.com/toolbox/paytypes for possible values.

(required)
dibs.currencyUnit

Key Description
The smallest unit of an amount in the selected currency (e.g., 0.01).

(required)
dibs. Payment System's username. (the user has to have the appropriate rights
paymentSystemUsername set up in PS)
(required)
dibs. Payment System's password.

paymentSystemPassword (required)
dibs.testMode true/false. Tells DIBS that the requests are in test mode.
default: false
Configuring PayEx integration
This article describes integration of YSoft Payment System with PayEx (http://payex.com/).
Installation of PayEx integration
Download all required jar files: payex-payment-provider, spring-ws-core, spring-xml, spring-oxm,

liquibase and copy them into YPS_HOME\ysoft\payment-provider directory
Configure YSoft Payment System - add paymentSystem.type=external-payment-

system to YPS_HOME\ysoft\environment-configuration.properties
Create payex-configuration.properties in YPS_HOME\ysoft\payment-provider directory
Create DB user and schema (use of existing schema is possible, but using separate schema is
recommended)
Configure PayEx integration according to description below
#url to the payex service

payex.urlPrefix=https://external.payex.com
#payex account number of merchant

payex.account.accountNumber=
#encryption key of the merchant

payex.account.encryptionKey=
#transaction currency code; e.g. SEK, NOK

payex.currencyCode=SEK
#transaction vat value

payex.vat=
#A reference that links this agreement to something the merchant takes money for. Used for
agreement creation
payex.agreement.merchantRef=

#A short description about this agreement. This will show up on the client admin page so that
the client gets info about the agreement. It will also show on the web page where the client
verifies the agreement.
payex.agreement.description=
#One single transaction can never be greater than this amount. Give yourself some leeway here
so you do not have to make new agreements if you decide to raise your price.
payex.agreement.maxAmount=
payex.reservation.productNumber=1
payex.reservation.description=SafeQ print services
# ====================================
# Connection pool
# ====================================
# Database vendor describes the database engine being used

# Supported values are PostgreSQL, MSSQL, H2
database.vendor=PostgreSQL
# Database url - connection string to the Payex plugin database (dependent on the database
engine)
database.url=jdbc:postgresql://127.0.0.1:5432/PAYEX
# Database username - username of user used to connect to Payex plugin database

database.username=sa
# Database password - password of user used to connect to Payex plugin database

database.password=
Click here to see full list of configurable options...
#url to the payex service

payex.urlPrefix=https://external.payex.com
#payex account number of merchant
#payex.account.accountNumber
#encryption key of the merchant
#payex.account.encryptionKey
#transaction currency code; e.g. SEK, NOK
#payex.currencyCode=SEK
#transaction vat value
#payex.vat
#A reference that links this agreement to something the merchant takes money for. Used for
agreement creation
#payex.agreement.merchantRef
#A short description about this agreement.
This will show up on the client admin page so that the client gets info
about the agreement. It will also show on the web page where the client
verifies the agreement.
#payex.agreement.description
#One single transaction can never be greater than this amount. Give yourself some leeway here
so you do not have to make new agreements if you decide to raise your price.
#payex.agreement.maxAmount
payex.reservation.productNumber=1
payex.reservation.description=SafeQ print services
reservationExpirationCron=0 0 0 * * *
expirationIntervalDays=60

# ====================================
# Connection pool
# ====================================
# Database vendor describes the database engine being used
# Supported values are PostgreSQL, MSSQL, H2
database.vendor=H2
# Database url - connection string to the Payex plugin database (dependent on the database
engine)
database.url=jdbc:h2:mem:payex;DB_CLOSE_DELAY=-1;MVCC=true
# Database username - username of user used to connect to Payex plugin database
database.username=sa
# Database password - password of user used to connect to Payex plugin database
database.password=
# Initial number of connections in the pool
database.initialConnectionPoolSize=1
# Maximum number of open prepared statements per connection. 0 for no limit
database.maxOpenPreparedStatements=20
# The maximum number of active connections that can be allocated at the same time. -1 for no
limit
database.maxActiveConnections=60
# The minimum number of connections that can remain idle, without extra ones being created. 0
to create none.
database.minimumIdleConnections=0
# The maximum number of connections that can remain idle, without extra ones being released. -1
for no limit.
database.maximumIdleConnections=-1
# The number of milliseconds to sleep between runs of the idle connection cleanup thread.
database.timeBetweenEvictionRunsMillis=60000
# The minimum amount of time a connection may sit idle in the pool before it is eligible for
eviction.
database.minEvictableIdleTimeMillis=60000
# The SQL query that will be used to validate connections from this pool before returning them
to the caller. If specified, this query MUST be an SQL SELECT statement that returns at least
one row.
# default value is valid for MSSQL, PostgreSQL, H2, MySQL, SQLite
# for Oracle override this property by "SELECT 1 FROM DUAL"
database.validationQuery=SELECT 1
Configuration in YSoft Payment System administration
Configure display name and URL to the PayEx icon in the YSoft Payment System administration

Configuring Single Sign-on for YSoft Payment System
Overview
This article describes the steps that has to be performed in order to set up the Single Sign-on
(SSO) to YSoft Payment System web interface. The configuration of SSO requires advanced
knowledge about the system configuration and working with the configuration files.
Prerequisites
YSoft Payment System has to be:
installed on a server which is a part of the domain. SSO is asking the system for the user
authentication.
connection with YSoft SafeQ - SSO is not supported by standalone mode of YSoft Payment
System
all users which want to use SSO must have a windows user named with the same name as
their username in YSoft SafeQ Management (e.g. windows domain name "MY_COMPANY
/johndoe" should have YSoft SafeQ username "johndoe")
Configuration
For use of YSoft Payment System with SSO functionality, you have to configure the system and
your browser.
YSoft Payment System configuration
SSO authentication has to be set in YSoft Payment System configuration file by following option:
sign-on.type=sso-sign-on

For more detail about YSoft Payment System configuration, see Advanced Configuration of YSoft
SafeQ Payment System#Overview.
Browser configuration
Firefox
1. Type about:config in the address bar and hit enter.
2. Type network.negotiate-auth.trusted-uris in the Filter box.
3. Put your server name as the value. If you have more than one server, you can enter them
all as a comma separated list (e.g. https://localhost).
4. Close the tab.
Internet Explorer
Ensure that Integrated Windows Authentication is enabled.
1. Open the Control Panel > Network and Internet > Internet Options.
2. Click the Advanced tab.
3. Scroll down to Security.
4. Check Enable Integrated Windows Authentication.
The target website must be in the Intranet Zone.
1. Open the Control Panel > Network and Internet > Internet Options.
2. Click the Security.
3. Click the Local Intranet icon.
4. Click the Sites button.
5. (only for Windows 8) Check Automatically detect intranet network.
a. For localhost, click Advanced.
6. Add your server name as the value of the list (e.g. https://localhost/).
Chrome
Same as Internet Explorer.
Usage
Local access
You have to only set your environment according to Configuration part and start using of the
system. You are automatically signed in with your domain credentials.
Remote access

When you accessing YSoft Payment System from outer world by browser and the SSO is used
then a popup window with a form to fill your credentials to the domain is displayed. So you type
your domain credentials into the form and then you do not need to sign in the system, your
domain credentials are used for it.
Change signed in user
Because of use of the SSO you are automatically signed in, so you do not have chance to directly
choose signed in user. In the top-right corner a sign out button is displayed. So you can click the
sign out button and you are redirected to sign in page, where you can type wanted credentials.
Sign in back by SSO
In order to sign in with your windows account, go to the login page one of YSoft Payment System
web interfaces (YSoft SafeQ Payment System Administration web interface, Cash Desk web or
YSoft SafeQ end user interface) and click link Log in as current Windows user. This action should
perform a login into web interface with your presently logged windows user.
Limitations
SSO only in combination with YSoft SafeQ
SSO for YSoft Payment System can be used only in combination with YSoft SafeQ. The SSO is
not supported for standalone mode of YSoft Payment System.
Configuring Certificates for YSoft SafeQ Payment System
This guide provides information about the certificates used in YSoft Payment System and its
clients.

Introduction
By default, Payment System uses a built-in certificate generated by the Y Soft CA and accepts
secure SSL connections only. This applies to web interfaces (YSoft SafeQ Payment System Cash
Desk, YSoft SafeQ Payment System Wallet and YSoft SafeQ Payment System Administration
web) and REST API access.
Other YSoft SafeQ components (Terminal Server, Spooler Controller, YSoft SafeQ End User
Interface) are configured to accept this certificate exclusively when communicating with the
YSoft SafeQ Payment System server.
The private key is stored in <PAYMENT_HOME>\payment-conf\keystore.jks and protected with a

password, which is saved in plain text and visible in the Tomcat configuration XML <
PAYMENT_HOME>\conf\server.xml.
PAYMENT_HOME is typically located at C:\SafeQ6\YPS.
With knowledge of/access to the private key, it is possible to decrypt traffic and gain
administration access to the YSoft SafeQ Payment System API (including possibilities to
make money transactions). This may be a potential danger as all YSoft SafeQ Payment
System installation packages contain the same certificate and private key, but this security
issue can be prevented by using a custom certificate (more details below).
Here is an example of a default SSL certificate from YSoft SafeQ Payment System.
Owner: SURNAME=dza, EMAILADDRESS=info@ysoft.com, CN=YSoft payment system server certificate, OU=RnD, O=Y Soft
Corporation, L=Brno, C=cz
Issuer: SURNAME=DZA, EMAILADDRESS=info@ysoft.com, CN=YSoft RnD CA, OU=RnD, O=Y Soft Corporation, L=Brno, C=cz
Serial number: 8
Valid from: Tue Feb 04 14:30:21 CET 2014 until: Thu Dec 17 15:15:17 CET 2099
Certificate fingerprints:
MD5: 54:11:E0:7A:7F:A5:E9:D6:BB:42:2D:39:B4:0B:EB:34
SHA1: 06:12:14:1D:4F:61:F6:22:55:09:DD:0F:BD:60:F2:62:B7:00:41:FC
SHA256: C8:60:69:27:51:B9:53:34:8E:AF:EA:48:27:54:B4:58:54:05:8A:C5:80:68:4F:3A:B9:F4:96:1F:AF:A1:87:0C
Signature algorithm name: SHA512withRSA
Version: 3
Custom SSL Certificate
PEM certificates are supported (including self-signed, signed by a commercial certificate authority
or similar).
1. The private key has to be imported into the YSoft Payment System keystore.
2. The certificate (containing the corresponding public key) has to be saved to the other YSoft
SafeQ components (Terminal Server, Spooler Controller, YSoft SafeQ End User Interface).

Certificate changes will affect all payment webs (Cash Desk web, YSoft SafeQ Payment
System Wallet and YSoft SafeQ Payment System Administration web) and REST API
communication.
Step 1. Get the Certificate

Generate a self-signed certificate
Generate a new certificate and keys (you will be asked for the keystore password, which can be
found in the SSL connector definition, file <PAYMENT_HOME >\conf\server.xml):
1. Generate a self-signed certificate by running the following commands from the command
line.
cd <PAYMENT_HOME>\payment-conf
<PAYMENT_HOME>\Java\bin\keytool -server -genkey -keyalg RSA -alias yps-tomcat -keystore
keystore.jks -validity 365 -keysize 2048
<PAYMENT_HOME>\Java\bin\keytool -server -exportcert -rfc -alias yps-tomcat -file
YPSClient.crt -keystore keystore.jks
You can use the keytool from any standard Java installation instead of the embedded
Java from YSoft SafeQ Payment System (use JRE 7 or higher).
Option Validity is in days.
Options like validity, alias and keysize can be changed.
2. Make sure that the generated JKS and CRT files are in your <PAYMENT_HOME>\payment-
conf directory.
3. Make sure that the Common Name of your certificate is the same as the web address you
will be using when connecting to your secure site.
The certificate Common Name (CN parameter) is typically composed of the host and domain
name and will look like "www.yoursite.com" or "yoursite.com". SSL Server Certificates are
specific to the Common Name that they have been issued to it at the host level.
Using an existing certificate
As YSoft Payment System uses a Java keystore, you usually need to convert certificates from
common PEM files (.crt and .key) to a p12 file.
If you have a certificate and key in PEM format, the key is named YPSClient.key and the
certificate YPSClient.crt. You can convert it using OpenSSL:
1. Download and install OpenSSL from http://slproweb.com/products/Win32OpenSSL.html
2. Open the command line and navigate to the dir with your KEY and CRT files.

3. Run the following command:
<OPENSSL_HOME>\bin\openssl pkcs12 -export -in YPSClient.crt -inkey YPSClient.key -out

keystore.p12 -name "yps-tomcat"
4. Import the P12 keystore into the Java keystore using the following commands (for more
details, see section Generate a self-signed certificate above).
cd <PAYMENT_HOME>\payment-conf
<PAYMENT_HOME>\Java\bin\keytool -server -importkeystore -srckeystore keystore.p12 -
destkeystore keystore.jks -srcstoretype pkcs12
5. Here is an example of a successful keytool output
Entry for alias yps-tomcat successfully imported.

Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Step 2. Configure YSoft SafeQ Payment System
Edit <PAYMENT_HOME>\conf\server.xml, find the Connector block with the SSLEnabled="true"

and:
change keystorePass to your new password.
If you changed the keytool -alias parameter in the previous steps, change keyAlias="yps-
tomcat"
If you changed keytool -keystore parameter in the previous steps, change

keystoreFile="${catalina.base}/payment-conf/keystore.jks"
Step 3. Configure Other YSoft SafeQ Components
1. Stop the Spooler Controller, Terminal Server and YSoft SafeQ End User Interface services.
2. Copy the new certificate YPSClient.crt (or replace an existing) into these directories:
<SAFEQ_HOME>\SPOC\terminalserver\Certificates
<SAFEQ_HOME>\SPOC\conf\certificates\
This must be a single certificate in PEM format, not a truststore in PKCS#12 format.
The certificate must belong to the issuer (CA) of the certificate used for YSoft
SafeQ Payment System.
3. Copy <PAYMENT_HOME>\ysoft\keystore.jks to <SAFEQ_HOME>\SPOC\EUI\ui-conf\
4. Start all services from the first step

Troubleshooting
You can get a list of imported certificates in the keystore using the command:
<PAYMENT_HOME>\Java\bin\keytool -server -list -keystore keystore.jks -storepass L1faMXVVpR
If you already have an alias present in the keystore, you can delete it using the following
command:
<PAYMENT_HOME>\Java\bin\keytool -server -delete -alias yps_tomcat -keystore keystore.jks -

storepass L1faMXVVpR
5.9.2.2 YSoft SafeQ Payment System Administration web interface
Prerequisites
Check these prerequisites before using YSoft SafeQ Payment System Administration web
interface:
YSoft SafeQ Payment System is connected to YSoft SafeQ Management server (for more
information see safeq.authentication.address in Advanced Configuration of YSoft SafeQ
Payment System)
At least one user with role > " YSoft SafeQ Administrators with full access right" is available in
YSoft SafeQ (for more information about required YSoft SafeQ roles, see Configuring Payment
System).
Services YSoft Payment System and YSoft SafeQ Management Server are running
Log In/Out
There are several ways how to get to Administration login page:
use shortcut named YSoft Payment System web interface, which should be on a desktop of
your Payment System server
go to the index page https://<PAYMENT-SERVER-HOST>:8443 and click on link Payment

System Administration
use direct link https://<PAYMENT-SERVER-HOST>:8443/payment-system/admin
Log In With Credentials
1. Go to the YSoft SafeQ Payment System Administration login page.
2. Enter credentials of YSoft SafeQ user with administrator rights (role YSoft SafeQ
Administrators with full access right ).

2.
3. Click Log in.
Log In As Current Windows User
This feature is not available in default configuration of Payment System. For more information
about configuration of Single Sign On, see Configuring Single Sign-on for YSoft Payment System.
1. Go to the YSoft SafeQ Payment System Administration login page.
2. Click link Log in as current Windows user.
Log Out
Log out button is located in the top right corner. User will also be automatically logged out after
long inactivity(for more information about session timeout, see Working with Payment System
chapter Session Timeout).
Administration Overview
Administration web interface is dedicated for system administrators. Its left menu is divided into
two main sections:
Manage – allows administrators to manage (create, modify, delete) objects that are in Payment
System
Configure – allows administrators to configure different settings and features for Payment
System and for Cash Desk as well

Common Actions
Action Description Example
Language You can select language of Administration web

selection interface at the top right corner.
Filtering Some tables allow filtering of results. Filter is always

located at the top of page, above table header. Filter
fields usually represents table columns. Button
"reset" will set filter fields to their default values.
Page refresh will also trigger filter reset.
Sorting Some table columns allows sorting. Following icons

represent ascending
and descending
order. Sorting affects all table results, not just visible

page.
Pagination Default table view will display maximum of 10

records per page. You can change this limit in table
top right corner. Allowed values are 10, 25, 50 and
100 records per page. Present table page is
represented by a number inside of blue square at
the bottom of the table. Icons », «, »», «« will move
you to the next, previous, last and first page,
respectively. Pagination is not affected by page
refresh.
Bulk Some tables contain check boxes. These are used

actions for bulk actions located at the bottom of the table.
Bulk action buttons are clickable only after selecting
at least one record. Check box located at the top left
corner will select all records from the present table
page.
View Some table records have a "View" link at the end of

detail their row. This link will display more details about the
record.
View all Some details display previews from additional tables

(for example "Last 5 transactions"). Link "view all" will
forward you to the full table view.
Remove These actions generally remove selected records

action from the view in the Administration web interface. In
some cases, records remain in database for auditing
purposes.

Remove actions are final and cannot be

reverted.
Management
Entitlements
Entitlement defines which kind of services can be used by YSoft SafeQ user (subject) in Payment
System. There are following types of entitlements: Prepaid account (user has money balance to
pay for services), Page quota (user can use services to a limited amount), No access (user is not
allowed to use Payment System services) and Unlimited access (user is allowed to print or copy
unlimitedly). Each entitlement has unique set of criteria used for matching of YSoft SafeQ users
either by username or by cost center number. If no entitlement matches these criteria, Payment
System will assign Default entitlement to a user. YSoft SafeQ users are in Payment System
represented as subjects. Each entitlement can further define type-specific attributes (for example
minimum balance or quotas), which are assigned to matched users during transaction request or
during saving of entitlement. Payment System will automatically create new subjects based on
matched entitlement.
Here are few basic examples of entitlement matching.
Match of new subject
1. YSoft SafeQ user is assigned to cost center number 0 and has no corresponding
subject in Payment System.
2. User logs into YSoft SafeQ Embedded Terminal or YSoft SafeQ end user interface.
3. YSoft SafeQ User is matched by some entitlement criteria (for example default
entitlement with prepaid account type).
4. Payment System automatically creates a new corresponding subject based on type-

specific criteria of matched entitlement (for example subject with prepaid account type
and with zero initial and minimum balance).
Match of existing subject with changed cost center
1. YSoft SafeQ user is assigned to cost center number 0 and has one corresponding
subject in Payment System.
2. Payment System subject is assigned to entitlement matching cost center number 0

(entitlement type is for example "Prepaid account").
3. YSoft SafeQ User is assigned to new cost center number 1. Subject in Payment
System remains unchanged.
4. User logs into YSoft SafeQ Embedded Terminal or YSoft SafeQ end user interface.
5.

5. YSoft SafeQ User is matched by different entitlement criteria (for example Quota
entitlement).
6. Payment System subject is assigned to the lastly matched entitlement (in this
example, "prepaid account" subject changes to "page quota" subject).
Match of many subjects during saving of entitlement
1. Several YSoft SafeQ user are assigned to cost center number 1
2. Administrator saves new or existing entitlement in YSoft SafeQ Payment System

Administration web interface.
3. This entitlement matches cost center number 1.
4. Payment System automatically creates or edit all subjects corresponding to the all
YSoft SafeQ users from cost center number 1.
There is always only one default entitlement.
Login into YSoft SafeQ Embedded Terminal or YSoft SafeQ end user interface will always
trigger entitlement matching (usually by request about subject's balance or remaining quota).
Automatic creation of subjects during transaction request (or generally call of REST API)
depends on YSoft SafeQ option onDemandPaymentAccountCreation, which should be
enabled as default in YSoft SafeQ 6.
Current implementation of unlimited access entitlement will always return HTTP 404 as
response to an API request about user balance. This response allows unlimited use of services
in Embedded Terminals.
There is a limitation, when log into hardware terminals (for example Terminal Professional v3 or
Terminal Ultralight) will not trigger entitlement matching algorithm, because these devices use
older REST API for communication with Payment System (they use "payment-system/api/v2"
instead of "entitlement-system/api/v1"). As a consequence this mean, that login into these
devices will not trigger automatic subject creation nor assignment of related entitlement
in Payment System.
For more information about entitlement attributes, see tables below. For more information about
subjects, see chapter Subjects.
Following examples show creation of new entitlement, a list of entitlements and details of prepaid
account and page quota entitlements.

Entitlement Attributes
Summary Summary used for better identification of entitlement in Administration web

interface.
GUID Unique entitlement identifier.
Type There are four possible values:

No access - Users are not allowed to use Payment System. This mean, that for
example login into YSoft Embedded Terminal will be denied. This option is usually
used as an equivalent of disabled or removed user.

Page quota - Subjects assigned to this entitlement will use quota limits in order
to use different combination of services. For the list of available combinations,
see chapter Quotas.
Prepaid account - Subjects assigned to this entitlement will use money in order
to pay for services. This option allows use use of initial and minimum balance and
assignment of period recharges.
Unlimited access - Subjects assigned to this entitlement are allowed to print and
copy without any limit. Jobs are without any charge.
Shared This attribute distinguishes between two basic modes:

entitlement Disabled - Each subject from entitlement has its own account (with information
about balance or remaining quota). This is default behavior, when you have one
Payment System subject for each YSoft SafeQ user.
Enabled - This will create a shared subject. All YSoft SafeQ users matched by
entitlement criteria will share their balance or remaining quota. This mean that
decrease of balance or remaining quota by one user will affect whole group. This
option is usually used in situations when you want to have for example shared
balance for each cost center.
It is not possible to change this attribute once the entitlement was

created.
Cost center Cost center number or list of numbers used as entitlement matching criteria.
number
Usernames YSoft SafeQ username or list of usernames used as entitlement matching criteria.
Entitlement assigned to username will always take precedence before

cost center number. This mean that YSoft SafeQ user assigned to an
entitlement by his username, will be always matched by this entitlement,
even if user's cost center number is used in different entitlement.
Assigned to Table of entitlement matching criteria. There are two possible type values, Cost
center and User.
Initial balance This attribute is specific to Prepaid account entitlement. It will grant initial virtual
balance to all newly created subjects matched by this entitlement. Existing subjects
are not affected by this option. For more information about virtual balance, see
chapter Subject Attributes.
Initial virtual balance is assigned to a default safeq API user. For more
information about API users, see chapter API Users.
It also possible to assign global initial balance in configuration of Payment
System.

Minimum balance This attribute is specific to Prepaid account entitlement type. It will set minimum
balance to all existing or new subjects matched by this entitlement. For more
information about minimum balance, see chapter Subject Attributes.
Periodic This attribute is specific to Prepaid account entitlement type. It defines a list of
recharges period recharges, which will be assigned to all existing or new subjects matched by
this entitlement. For more information about periodic recharges, see chapter Periodic
Recharges.
Quotas This attribute is specific to Page quota entitlement type. It defines a list of quotas,
which will be assigned to all existing or new subjects matched by this entitlement.
For more information about periodic recharges, see chapter Quotas.
Entitlement Actions
Action Description
Create Opens a form for creation of new entitlement. Saving of entitlement will create or
entitlement update all subjects matched by entitlement criteria.
Edit Opens a form for editing of entitlement.
Edit of Quotas attribute will reset all manual quota increases and
consumed quotas or in other words, assigned quota subjects will act as if
they were new records.
Remove Removes selected entitlement. All already assigned subjects or those matched by
entitlement criteria will be assigned to a default entitlement. It is not possible to
remove default entitlement.
Refresh Button is displayed only for non-defaulf entitlements with disabled sharing. It checks
YSoft SafeQ users in cost centers used in matching criteria of this entitlement and it
assign or reassign found subjects from this entitlement. From the functional point of
view it is not necessary to use this button as the subjects are going to be reassigned
to a correct entitlement as soon as they interact with the system (e.g. when they
authenticate on the MFD or make a print), the benefit of using this button is only to
see the result on the Payment System Administrative interface right away.
Subjects
Subjects represent users from external user management (usually from YSoft SafeQ) with some
additional stored information. There are three distinct subject types determined by assigned
entitlement: Prepaid account (subject uses money operations), Page quota (subject uses quota
operations), No access (subject is not used in operations from Payment System) and Unlimited
access (subject can print or copy without limit). Subjects are further distinguished by their
entitlement's attribute Shared entitlement to two basic groups: Personal (each subject has its
own balance or remaining quota) and Shared (each subject shares its balance or remaining quota

with all users matched by assigned entitlement). Creation of new subjects is handled
automatically by saving entitlements or by transaction requests from other YSoft SafeQ
subsystems (see chapter Entitlements).
Prepaid account subject type was in former versions of Payment System called customer.
Accounts with unlimited access are not listed among subjects due to the current way of
implementation.
Following examples show a list of personal subjects and details of prepaid account and page
quota subject type. Possible attributes and actions are described below.

Subject Attributes
Name Name is automatically assigned during subject creation. In case of Personal subject,
the name is usually represented in form of "Name Surname (username)", where both
values originates in YSoft SafeQ user. In case of Shared subject, the name
corresponds to the cost center number.
Subject name is automatically synchronized with YSoft SafeQ user after

the opening of subject in Using the Cash Desk Web Interface.
There is limitation with names of Quota and Shared subjects, which are
never synchronized with YSoft SafeQ.
Active Type and name of the assigned entitlement.

Entitlement Possible values are prepaid account , page quota, no access and unlimited access.
Their values correspond to the assigned entitlement. For more details, see entitlement
types in chapter Entitlement Attributes.
Personal subjects of no access type are not displayed in Administration

web interface.
Status Status is indicated by a color of a user's account. If the account's background is

green, then the account is active based on assigned entitlement. If it is grey, then the
account is disabled. If it is orange, then the account is active based on assigned
entitlement, however, the account is disabled (this should not been common case).
Possible values are:
Enabled - Most of the subjects are in this status. Each new subject uses this
status.
Disabled - Used only for Payment subjects (customers) migrated from former
version of Payment System.

There is also Removed status, which is not visible from Administration

web interface.
In relation to the other YSoft SafeQ subsystems, disabled and removed
subjects, behave like subjects with no access entitlement.
Personal Personal balance represents subject's real money deposited by cash desk, payment
Balance gateway or redeemed by a voucher. Each customer can have only one personal
balance.
Virtual Balance Virtual balance represents customer's bonus or free credit. It can be provided by
periodic recharge, manual increase or by setting an initial account balance. Each
customer can have many virtual balances, each assigned to a different API user
merchant role, but in most cases there is only one named safeq. In case of
transaction settlement, drawing of virtual balance take always precedence before
personal balance. For more information about transaction settlement, see Working with
Payment System.
Minimum Minimum balance represents a value below, which the personal balance cannot be
Balance decreased. Its value can be positive, zero or even negative.
Virtual balance is not affected by minimum balance. Its minimum value is

always zero.
Periodic List of assigned periodic recharges.

recharges
Debts Debts represent total overdrawn value of personal balance. Similar to virtual balance,
each debt is assigned to a different API user. For more information about debt
configuration, see Working with Payment System (section Overdrawn transactions)
and configuration of Payment System.
Reservations Reservations represent blocked personal and/or virtual balance. For more information
about reservations, see chapter chapter Reservations in Working with Payment
System.
Transactions Transactions represent history of balance changes. For more information about
transaction types, see chapter Report Attributes.
Open deposits Open deposits represent unfinished payment gateway deposits. For more information,
see Using YSoft SafeQ end user interface.
Quotas Assigned Quotas and their consumed and remaining values. Each subject can have
several different quota limits.

If you subject uses quotas with the same identifiers (aka services), for
example "BW" and "PRINT, BW", then each use of "PRINT, BW" service, will
also spend the "BW" service.
Subject Actions
Most of the subject attributes can be managed from menu in the chapter Entitlements.
This action is available only for Page quota subject type. It serves for
manual increase of quota limit for the selected subject. For more detail
about quota limit, see the chapter Quotas.
All manual increases are discarded during quota reset.
Enable prepaid account This action enable the prepaid account if it is disabled.
Disable prepaid account This action disable the prepaid account if it is disabled.
Remove prepaid account This action remove the prepaid account and also clear all balances and
annul all debts.
Export filtered subjects to All subjects which correspond with a current filter will be exported to a
CSV file CSV file
Quotas
Quota represents a limit of some service or combination of services provided by YSoft SafeQ.
Available services are Print, Copy, Black&White, Color and Any (aka ALL_PAGES). Quotas are
assigned to subjects (either as personal or shared) through configuration of entitlements. Each
quota defines quota reset (aka recurrence), which after a specified of time, will reset all spent
quotas to its default limit.
Accounting of quotas depends on configuration of entitlements and vendor specific behavior.
Following examples show a list of quotas, creation of new quota and quota detail. Possible
attributes and actions are described below.

Quota Attributes
Name Unique quota name.
Limit Quota limit. This limit will be assigned to each subject with this quota. This
limit can be increased individually on the subject detail.
Setting quota limit to zero will automatically deny all quota

reservations for specified quota identifiers.
Identifiers / Applies to Identifiers are in fact services available in YSoft SafeQ. These can be spent
by a user. Not all combinations are valid (for example "Print Copy" is invalid).
Recurrence Recurrence specifies how often should Payment System reset a quota limit.
Following options are possible:
daily - Reset will be executed every day
weekly - Reset will be executed every week at specified day of week
monthly - Reset will be executed at given day every month.
yearly - Reset will be executed every year at given day of given month
at the end of month - Reset will be executed at the last day of every
month (regardless of number of days in the month)
Please note that if you specify day of the month from interval 29-
31, than the recharge will not be executed if the month does not
have given amount of days - e.g. February does not have day 30
or 31
Enables configuration of treshold notification.

Enable treshold
notification
Treshold Defines a proportion (in comparison to quota limit) or amount of consumed

quota which will trigger quota notification.
Be aware, that your YSoft Payment System should have a valid

SMTP configuration and enabled quota notifications, before the
actual email treshold notification can be sent. For more detail, see
the chapter Notifications.
Owner / Owner's YSoft SafeQ username or valid email. In case of username, related YSoft
username/email SafeQ should have a valid email, which will be used for notification when
treshold is reached.
Quota Actions
Action Description
Create Displays "Create quota" page.

quota
Edit quota Displays "Edit quota" page.
Remove Removes quotas. It is not possible to remove assigned quota, at first, you should remove
it from entitlement.
Periodic Recharges
Periodic recharge increases virtual balance of assigned subjects on a regular basis. Since each
virtual balance is bound to a merchant (API user with merchant role), periodic recharges are also
bound to a merchant.
Following examples show a list of periodic recharges and periodic recharge detail. Possible

Periodic Recharges Attributes
Name Periodic recharge name
Description Optional periodic recharge description
Status There are two possible statuses:

enabled - periodic recharge is enabled and will be executed on schedule
disabled - periodic recharge will not be executed
Assigned Merchant (API user with merchant role), which identifies type of subject's virtual
merchant balance to be credited.
Type Periodic recharges can be set up to:

recharge by amount - specified amount will be added with each execution

recharge to amount - virtual balance will be set to specified value, if current value
is less than specified value (i.e. the resulting value will be maximum of current
value and specified value)
Recurrence Recurrence specifies periodicity of the recharge. Following options are possible:
daily - recharge will be executed every day
weekly - recharge will be executed every week at specified day of week
monthly - recharge will be executed at given day every month.
yearly - recharge will be executed every year at given day of given month
at the end of month - recharge will be executed at the last day of every month
(regardless of number of days in the month)
Please note that if you specify day of the month from interval 29-31, than
the recharge will not be executed if the month does not have given
amount of days - e.g. February does not have day 30 or 31
In case your Payment System was not running during some scheduled
periodic recharge, don't worry, because all enabled periodic recharges are
always executed retroactively or in other words all missed scheduled
recharges will be executed at the first possible moment.
Start Recharge will start executing at the first possible moment after specified start date.
Start date must be set to be in the future.
Periodic Recharges Actions
Action Description
Enable recharge / Enable Changes status of selected recharges to enabled.

selected
Disable recharge / Disable Changes status of selected recharges to disabled.

selected
Remove recharge / Remove Removes periodic recharge. Removed recharges remain in database for
selected auditing purposes, but they are no longer visible in the Administration
web. Recharge is inactive.
Create periodic recharge. Opens "create periodic recharge" page.
View assigned customers Shows page with list of subjects currently assigned to the recharge.
Subjects can be assigned or unassigned from the recharge.

Cash desks
Cash desks represents information about some physical place, where cash desk operators
increase, decrease or refund balance on subject accounts on behalf of account owners. In an
example scenario, a person, who would like to deposit money into money account, visits cash
desk operator. Operator will deposit money on person's account through the Cash Desk web
interface. This operation would increase both cash desk balance (where real money are stored)
and personal balance (where electronic money are sent). For more information about usage of
cash desks, see Using the Cash Desk Web Interface.
Following examples show a list of cash desks and cash desk detail. Possible attributes and
actions are described below.

Cash Desk Attributes
Name Cash desk name is used by cash desk operator in Cash Desk web
interface as a main discriminator among different cash desks.
Status / Initial status There are several available values for cash desk status:
Closed - Cash Desk can be opened by cash desk operator in Cash Desk
web interface.
Opened - Cash Desk is already opened by cash desk operator. Other
operators cannot use this cash desk until the present operator close it
or the administrator terminate the cash desk session.
Disabled - Cash desk is not visible in Cash Desk web interface (even
for assigned operator).
Removed - Cash desk in not visible in Administration of Cash Desk web
interface. This is a final state, without transition to any other state.
Type Cash desk type affects functionality on detail of subject in the Cash Desk
web interface. Possible types are:
General - This type allows you to use all actions (deposit, withdraw,
change of virtual balance, refund, redeem) and you will also see all
virtual balances assigned to a subject.
Merchant - This type is designed for environments with more than one
API user merchant roles (usually there is only "safeq"). It will be always
assigned to one merchant and it allows you to do only basic
operations with subject's virtual balance. Only virtual balance assigned
to the same merchant will be visible in the Cash Desk web interface.
Merchant API user merchant role assigned to the cash desk with "merchant" type.
Balance / Initial balance In case of general cash desk type, the cash desk balance represents real
money used for deposit or withdrawal from subject personal balance.
In case of merchant cash desk type, there in no balance, because all
operations affects only virtual balances.
Enabled display of There are two possible values:

customer history Yes - This will display button "Customer history" on detail of subject in
the Cash Desk web interface.
No - This will hide the button.
Current operator Name of the cash desk operator, who lastly opened the cash desk.
Assigned operators You can select YSoft SafeQ users with role "cash desk operators". These
users will see this cash desk after login into Cash Desk web interface
(assuming that the cash desk is not disabled).
Cash Desk Actions
Action Description
Create cash desk Create a new cash desk.

Action Description
After the setting of initial balance, all other cash desk balance
adjustments have to be performed in Cash Desk web interface
through actions "Deposit into cash desk" and "Withdraw from
cash desk".
Edit cash desk Edit cash desk attributes.
Remove cash desk / Remove Remove the cash desk. It will be no longer visible in the Administration
selected web or Cash Desk web.
Enable cash desk / Enable Change cash desk status to "Enabled".

selected
Disable cash deks / Disable Change cash desk status to "Disabled".

selected
Terminate cash desk Forcibly perform transition to "Closed" status. This will make cash desk
session available for all assigned operators and it will allow administrator to edit
cash desk attributes.
YSoft Payment Machines
YSoft Payment Machines allow users to deposit money to their Payment System account without
assistance of administrator or cash desk operator. For more detail about connecting of new YSoft
Payment Machine, see Configuring YSoft Payment Machine.
Following examples show a list of payment machines and payment machine detail. Possible

YSoft Payment Machines Attributes
Name Name of the YSoft Payment Machine. Name is used for better identification of YSoft
Payment Machine in the web administration (e.g. location).
Status Online status of the YSoft Payment Machine. Useful for troubleshooting.
Authorization Authorization status. Unauthorized machines cannot communicate with YSoft Payment
System.
IP YSoft Payment Machine IP address.
Firmware YSoft Payment Machine firmware version.
Serial YSoft Payment Machine serial number.

number
MAC YSoft Payment Machine mac address.

address
Closure List of deposits for certain time period. For more details see Operating YSoft Payment
Machine.
YSoft Payment Machines Actions
Action Description
Grant authorization / Authorize Authorizes YSoft Payment Machine allowing it to connect to

selected Payment System.
Remove authorization / De- De-authorizes Payment Machine making it unable to connect to

authorize selected Payment System.
Rename YSoft Payment Machine Shows dialog for renaming of YSoft Payment Machine.

Payment Gateways
Payment Gateways tab allows you to setup integration with payment gateways through payment
gateway plugins. For more detail about installation, see Payment gateway plugin deployment .
Connected payment gateways are displayed to clients as gateway options on their payment
gateway deposit screens. For more detail about payment gateway deposit, see Using YSoft
SafeQ end user interface.
Payment Gateways Attributes
Name Descriptive name of the plugin.

This name will be used as gateway icon tool tip on

payment gateway deposit page.
URL URL to the payment gateway plugin. At the moment Payment System
supports two types with these default URLs:
PayPal plugin URL https://<YPS_HOST>:8443/paypal-integration
/api/v1
DIBS plugin URL https://<YPS_HOST>:8443/dibs-integration/api
/v1
Use Payment System server (or server where your payment gateway
plugins are installed) true IP instead of "YPS_HOST".
Payment gateway plugin need to be installed before using

these URLs.
Do not use localhost or 127.0.0.1 instead of "YPS_HOST",
because this URL be used by clients for their payment
gateway deposits.
Icon URL URL to the payment gateway icon. This icon helps visually distinguish
the payment gateways. You can use either URL to the image from
internet or you can use these two defaults:
PayPal icon http://<YPS_HOST>:8080/paypal-integration/assets
/icon.png
DIBS icon http://<YPS_HOST>:8080/dibs-integration/assets/icon.
png
Use Payment System server (or server where your payment gateway
plugins are installed) true IP instead of "YPS_HOST".
We are deliberately using http protocol instead of https in

this case, because https can cause problems with visibility
of icon in some browsers.
Minimum deposit amount Minimum amount for one deposit. Bigger amount are usually used in
case of payment gateway, which charges transaction fees.
Status Possible values are:

enabled - user can deposit through the payment gateway
disabled - user cannot deposit through the payment gateway and
it is not visible on payment gateway deposit screen
Require confirmation of terms Flag indicating whether user must accept terms and conditions prior
and conditions to transferring money through the payment gateway.
Terms and conditions

Text of terms and conditions which is displayed when the

confirmation is required.
Payment Gateways Actions
Actions Description
Enable connection / Enable Enables selected payment gateway connection

selected
Disable connection / Disable Disables selected payment gateway connection.

selected
Remove connection / Remove Removes selected payment gateway connection. Payment gateway
selected information is still kept in system for auditing purposes, but the
payment gateway is not accessible from the the web administration.
Create connection to plug-in Opens create plug-in connection dialog
Edit connection Opens edit plug-in connection dialog
Vouchers
Vouchers represent an alternative way of depositing money to subject personal balance by

generating voucher codes with some assigned amount. These codes can be later redeemed by
cash desk operator from Cashdesk web interface or by client through his YSoft SafeQ end user
interface.
Following example shows a list of vouchers. Possible attributes and actions are described below.

Voucher Attributes
Code Unique code identifying the voucher.
Amount Amount by which the personal balance would be or was increased.
Expiration If a voucher with New status exceeds this limit, it be automatically switched to Expired
date status. Vouchers with no expiration date will never expire.
Status Possible values are:

New - Voucher can be redeemed.
Expired - Voucher expired and it cannot be redeemed.
Redeemed - Voucher was already redeemed by some subject. It cannot be
redeemed again.
Redemption Date when the voucher was redeemed.

date
Customer subject who redeemed the voucher.
Voucher Actions
Remov
e
selecte
d

Remove selected vouchers.

Removed vouchers remain in
database for auditing purposes,
but they are no longer visible in
the Administration web and they
cannot be redeemed.
Genera This action allows you to

te generate many New vouchers
vouche with random codes in one batch.
rs Possible attributes are:
Number of vouchers - System
will generate random codes
for the given number of
vouchers. Maximum number is
1000.
Voucher value - Each
generated voucher will have
given amount value.
Expiration date - Each
generated voucher will have
given expiration date. This
field is optional. If you omit it,
generated vouchers will never
expire.
Import This action allows you to import

vouche many New vouchers with given
rs code from the CSV file. Possible
columns in CSV file are:
Code (first mandatory column)
- Unique voucher code. Use
maximum of 10 characters.
Amount (second mandatory
column) - Decimal value from
0.0001 up to 1000000000.
Expiration date (third optional
column) - Date in the yyyy-mm-
dd format. It has to be in
future. If you omit it,
generated vouchers will never
expire.
In order to distribute new voucher

codes to your money account
owners, you can export your

Vouche vouchers into printable file. This

rs to action requires a DocX template
templat with updatable fields, where each
e field represents a voucher code.
Selected vouchers will be
exported into this template. Here
are the possible attributes:
Template file - Select a DocX
template.
Type - You can export either s
elected vouchers from your
vouchers menu or records
created after specific date.
Output file format - Choose
your output format.
Only vouchers in New stat

us will be exported into
output file.
Export This action allows you to export

vouche vouchers into CSV file. There are
rs two basic modes.
export new vouchers - When
you select this type, you will
export vouchers in New
status from the specific date.
export voucher changes -
When you select changed
vouchers type, you will export
all status changes from all
vouchers and from the
specific date.
API Users
API user represents account, which can access Payment System REST APIs. These APIs allow
integration of Payment System with YSoft SafeQ subsytems and other third party systems. API
user can have different roles (for example Merchant, Cashdesk, Admin, Balance management). API
user named safeq is always created as a default.

Since safeq API user is usually used by the rest of YSoft SafeQ suite, its credentials are also
stored in YSoft SafeQ > System settings > YSoft Payment System under options
paymentSystemApiUserName and paymentSystemApiPassword .
Following examples show a list of API users and API user detail. Possible attributes and actions
are described below.
API Users Attributes

Name Name of the API user. Used for API authentication.
Password Password used for API authentication.
Status Current status of the API user. Possible values are:

enabled - API user can access the APIs
disabled - API user cannot access the APIs
locked - API user used more than 5 wrong passwords and cannot access the
APIs. Action Enable will unlock the API user.
Merchant API Access to Merchant APIs - APIs for transaction processing (reservations,
settlements).
Cashdesk API Access to Cashdesk APIs - APIs for deposits, withdrawals or closures on a
Cashdesk.
Admin API Access to Admin APIs - APIs for management of subjects, money accounts or
periodic recharges.
Balance Access to Balance Management API - APIs for increasing or decreasing virtual
Management API account balance.
API Users Actions
Action Description
Enable API user / Enable Enables or unlocks selected API users.

selected
Disable API user / Disable Disables selected API users.

selected
Remove API user / Remove Removes selected API users. Removed API users remain in database for
selected auditing purposes, but they are no longer visible in the Administration
web.
Create API user Opens create API user dialog.
Change password Opens change password dialog.
Edit API user Opens edit API user dialog used for change of API user access.
System Incidents
System incidents section is used as:
1. Early warning system - to notify system administrator about urgent situations needed to be
fixed ASAP (for example "payment gateway is down" - sysadmin should fix it before first
user would be affected)
2.
2. Suspicious activity detection - to detect risky or unusual activity in system and let admin
check the risks related.
Following examples show a list of grouped incidents, list of incidents from one group and detail of
one incident. Possible attributes and actions are described below.

System Incident Attributes
Count Incident occurrence count. Incidents of the same kind may occur many times so they
are grouped together for better readability.
Severity Severity can have following values:

Info - information message without need for administrative action.
Warning - issue which does not prevent the system to operate normally. However, it
is advised that the issue is analysed and resolved by the administrator.
Error - serious problem which should be immediately resolved by the administrator.
Incident Identifies part of the system, which generated the error.

source
Decription Incident description.
Occurrence Date of incident occurrence.

date
Incident detail More detailed incident description.
System Incident Actions
Action Description
Remove selected incidents Permanently deletes selected incidents.
Reports
Reports contain filterable list of all transactions from Payment System.
Following example shows a transaction history. Possible attributes and actions are described
below.

Report Attributes
ID Internal system identifier of the transaction.
Type Type of transaction can have following values:

Balance decrease - decrease a virtual balance for a specific subject
Balance increase - increase a virtual balance for a specific subject
Balance reset - increase a virtual balance for a specific subject
Cash desk deposit - deposit money to a specific subject's account through a cash
desk
Cash desk withdrawal - withdraw money from a specific subject's account through
a cash desk
Debt registration - transactions, which registered/created new debt
Debt write off - a part of subject's debt, which was decreased from debt amount
Deposit via payment gateway - subject deposited some money to his/her YPS
account through a payment gateway
Initial imported debt - debt created during creation of a new imported subject (a
debt from a previous payment system)
Initial imported deposit - initial balance of a newly imported subject (a balance of an
account from a previous payment system)
Money transfer - money transferred by one step transaction
Recharge event - virtual money deposited by a periodic recharge

Transaction refund - partly or fully refunded a subject's transaction

Transaction settlement - settled subject's reservations (finish step of
microtransaction)
Voucher redemption - redemption of a voucher. Deposit money to a subjects's
account by a voucher through a YSoft SafeQ end user interface or Cash Desk
YSoft Payment Machine deposit event - deposited money through a YSoft Payment
Machine
Balance Amount of the transaction.

change
Final balance Account balance after the transaction was performed.
Date Transaction processing date.
Description Transaction description - provided by merchant.
Customer Name of the subject, whose account participated in the transaction.
Merchant API user, who initiated the transaction.
Report Actions
Action Description
Export filtered transactions to CSV file Download currently filtered transaction records as CSV file.
Configuration
License
If this menu displays message "YSoft Payment System is fully activated", your YSoft Payment
System is fully fuctions.
Otherwise check whether:
your YSoft SafeQ license contains YSoft Payment System feature
your Payment System is properly connected to YSoft SafeQ.
YSoft Payment System without fully activated license will still allow login login into
Administration web interface, but most actions will fail on "insufficient license" error.
Notifications
YSoft Payment System provides you with possibility to receive regular email notifications as an
administrator or an account owner. Payment System uses SMTP configuration from YSoft SafeQ
. Periodic notifications are generated at midnight of a server's local date. System tries to deliver

unsent notifications each 5 minutes. Interval can be changed by option notification.send-emails.
cron. For more detail about advanced configuration, see Advanced configuration of YSoft
Payment System.
There are four types of notifications available:
Account balance - Notification is issued once, when credit balance on money account goes
under defined balance limit. Notifications are generated immediately after transaction
settlement.
Transaction - Notification is issued once, when any transaction is performed on money

account. Notifications are generated immediately after transaction settlement
Account statement - Notification is issued periodically and informs recipient about all settled
transactions on money account during given period.
Transaction history - Notification is issued periodically and informs administrator about all
settled transactions in Payment System during given period.
Quota reset - Notification is issued after each quota reset and it informs recipient about
assigned subjects and their spendings.
Quota threshold - Notification is issued once the quota threshold is reached . Recipient can be
admin or YSoft SafeQ user, whose transaction reached the threshold.
Quota threshold owner - Notification is issued the quota threshold is reached . Recipient is
quota owner defined on detail of quota. For more detail, see chapter Quota Attributes.
Each notification can be customized using WYSIWYG editor and variables related to current type
of notification. Click Save to apply changes in configuration of notifications.
Cash desks
Defines configuration for usage of cash desks. You can define rules for rounding, minimal amount
for withdrawal and receipt formats (displayed in in Cash Desk web after deposit, withdrawal or
refundation).
Cash desk template variable amount does not contain a currency symbol. If you wish to
display currency on your cash desk receipts, insert it into template manually.
Payment System
This section describes basic configuration of Payment System accessible from Administration
web interface. For more details about advanced configuration, see Advanced Configuration of
YSoft SafeQ Payment System .
Configuration option Description
Decimal places

Configuration option Description
Any numeric input from the Administration or Cash Desk web interface
is rounded to the given decimal places. The same is true for display of
numbers in web interfaces.
VAT This number determines, which part of transaction amount will be

displayed as tax.
Maximum account balance Maximum personal balance. Any deposit (or refund) exceeding this limit
will fail.
Initial account balance Initial virtual balance for newly created subjects. Balance is assigned to
default safeq API user. Value of initial balance can be overridden before
each subject creation (either from YSoft SafeQ web of through REST
API).
You can also use entitlement attribute Initial Balance, which

will assign initial virtual balance only to a specific group of
users. For more detail, see the chapter Entitlement
Attributes.
Maximum number of refunds Each transaction can be refunded by the given number of times (None,
per payment One, Many).
Maximum refund time Transactions older than this interval cannot be refunded.
Expiration of reservations Reservations older than given number of hours, will be automatically
canceled.
Expiration of pending deposits Open payment gateway deposits older that the given number of days,
will be automatically canceled.
Overdrawn transactions Enables or disables debt tracking in Payment System.
It is recommended to use option Allow and register debt if

necessary in you use Payment System with YSoft SafeQ.
5.9.2.3 Working with Payment System
Reservations
Reservation represents money blocked on user's money account – this money stays on the
money account, but cannot be used by any user, process or for another reservation.
The purpose of reservations is to block a reasonable amount of money before a transaction

happens, so there is lower risk of account with not enough money to settle transaction. If such a
situation happens anyway, a debt is created.

When are Reservations created?
A reservation is created when Broker (Payment System) receives request from Vendor (e.g. YSoft
SafeQ) to block specified amount of money on specified account.
When do Reservations disappear?
Reservations disappear in the following 2 cases:
The transaction is settled
The transaction was not finished and reservation cancelled
In certain cases reservation is not cancelled by receiving settlement call . In such cases,
administrator has following possibilities to unblock the reserved amount of money and make it
available for other processes.
Manual reservation cancellation
In YSoft SafeQ Payment System Administration web interface, administrator can open user's
account and list through existing reservations. Clicking on Cancel button, reservation will be
cancelled.
Automatic reservation cancellation
In YSoft SafeQ Payment System Administration web interface, administrator can define value for
Expiration of reservations as the maximum age of any reservation. When this age is exceeded,
the reservation is cancelled automatically. Default value is 168 hours (7 days).
Overdrawn transactions
Defines the overdrawn option for print, copy or scan operations. Overdrawing of transactions can
be set into the 3 overdrawing modes:

Deny overdrawing
Allow if enough credit on account
Allow and register debt if necessary
These settings can be set in the administration part of YSoft Payment System Administration ->
Configure -> YSoft Payment System -> Overdrawn transactions.
Deny overdrawing
Transaction settlements higher than the total sum of reservations are not allowed.
Use case:
Situation: Customer account balance is 30 and minimum balance of the account is set to -15.
Customer also doesn't have any registered debt or reservation.
1. reservation is created for:
a. 50 > FAIL, the reservation cannot be created (actual account balance - minimum
account balance = 30 - (-15) = 45 => 50 > 45 => FAIL)
b. 35 > OK, actual account balance is -5
2. continue with reservation for 35
3. settlement is settled for:
a. 32 > OK
i. the amount is subtracted from the reservation (35 - 32)
ii. the rest of the subtraction (3) is added to the actual account balance
iii. new account balance is -2
b. 36 > FAIL - settlement is greater than the reservation (36 > 35)
c. 53 > FAIL - settlement is greater than the reservation (53 > 35)
Allow if enough credit on account
Transaction settlements higher than the sum of reservations are allowed only in case the user's
current balance minus minimum account balance is higher than current settlement.
Use case:
Prerequisites => Customer account balance is 30 and minimum balance of the account is set to
-15. Customer also does not have any registered debt or reservation.
b.

a. 32 > OK
b. 36 > OK
i. settlement is greater than the reservation and less than possible (reservation +
actual account balance - minimum balance => 35 + (-5) - (-15) = 45 ) => 35 < 36
< 45
ii. settlement is possible to create
iii. new account balance => actual account balance + reservation - settlement = -5
+ 35 - 36 = -6
c. 53 > FAIL - settlement is greater than => reservation + actual account balance -
minimum balance => 35 + (-5) - (-15) = 45 => 35 < 53 > 45
Allow and register debt if necessary
Transaction settlements are always allowed. Debt is registered in case the settlement is higher
than user's current balance minus minimum account balance.
Use case:
Prerequisites => Customer account balance is 30 and minimum balance of the account is set to
-15. Customer also does not have any registered debt or reservation.
a. 32 > OK
b. 36 > OK
i.

b.
i. settlement is greater than the reservation and less than possible balance (
reservation + actual account balance - minimum balance => 35 + (-5) - (-15) = 45
) => 35 < 36 < 45
ii. settlement is possible to create
iii. new account balance => actual account balance + reservation - settlement = -5
+ 35 - 36 = -6
c. 53 > OK- settlement is greater than => reservation + actual account balance -
minimum balance => 35 + (-5) - (-15) = 45 => 35 < 53 > 45
i. new debt is created => settlement - reservation = 53 - 35 = 18
ii. system automatically withdrew (actual account balance - minimum account

balance) based on existing debt => (actual account balance - minimum account
balance) = -5 - (-15) = 10
iii. debt is updated to - (debt - amount from step ii.) = 18 - 10 = 8
Debt tracking
When a transaction settlement is made for an amount higher than the amount of reservation and
there is not enough money on the user's account to cover the settlement, a debt is registered to
user. The amount registered as debt represents amount that was not able to be settled in other
way - through settlement of reservation, remaining money on account or allowed minimal balance.
The registered amount equals settlement amount - reservation amount.
Debt is partially settled anytime money is deposited to the account or made available on
account.
The exception is in case YSoft Payment System is used in connection with external payment
system, when YSoft Payment System does not hold actual user balance, but it works as a
proxy for external payment system. Debt settlement in this case does not happen
immediately, but in following interval: 5 seconds, 1 minute, 1 hour, 12 hours, 1 day, and then on
daily basis. This is to prevent external payment system from denial of service.
In case there is a debt on the account, the account balance is typically 0 (or equal to minimal
balance) and there is a debt record visible in the YSoft Payment System interface in the
user's account overview.
Session timeout
For security reasons, YSoft Payment System will automatically log out users logged into
Administration, Cash Desk or YSoft Wallet web after 30 minutes of inactivity or in other words no
communication with server. User will see dialog "Your session is about to expire" 5 minutes before
reaching this limit. This dialog includes two buttons:

"Reload page" button will effectively close this dialog, reset the counter, refresh the page and
close all unsubmitted forms (e.g. new periodic recharge in Administration)
"Logout" button will log out current user. It has the same effect as automatic log out.
This means that if you leave unsubmitted form inactive for at least 25 minutes, you will lose
filled information, because of timeout dialog, from which you cannot return to the form! Moving
mouse or filling the form still counts as inactivity, unless it triggers communication with
server.
Cash Desk session timeout with enabled Remember me
If the 'Remember me' functionality for Cash Desk is turned on then the session dialog also
appears but it does not log out a user but instead of that a user's page is reloaded.
Transaction timeout
YSoft Payment System has a default timeout of 5 seconds for all transaction based operations.
Examples would be a transaction reservation or settlement request.
In case you experience occasional timeout error during execution of such transaction based
operations, it is possible that your system infrastructure is not able to finish these operations
within 5 seconds. Especially vulnerable are systems connected to an external payment provider.
As a workaround this limit can be changed in the environment-configuration.properties through

option database.transactionTimeout. For more information see Advanced Configuration of YSoft
SafeQ Payment System section Connection Pool.

5.9.2.4 YSoft Payment Machine
The following documents describe installation and usage of YSoft Payment Machine.
Configuring YSoft Payment Machine
Selecting the communication protocol
Change of the communication protocol may erase charging logs, which can cause loss of
unfinished recharges. Perform this configuration only when you are sure that there are no
unfinished items.
1. Display the Service menu and tap Payment System.
2. Tap Charging protocol.
3. Select YSoft Payment System; then tap OK.

3.
Protocol version 1 is intended only for interconnection with a version of YSoft SafeQ
server prior to version 3.6
Protocol version 2 is intended only for interconnection with YSoft SafeQ server version
3.6
The protocol YSoft Payment System is intended only for interconnection with YSoft
Payment System server and YSoft SafeQ 5
Configuring the YSoft Payment System server address
1. Display the Service menu and tap Payment System
2. Tap PS Server address.

3. Enter host name or IP address of YSoft Payment System server; then tap .
The YSoft Payment System server address may be different from the YSoft SafeQ
server address.
4. Enter YSoft Payment System server port; then tap . After confirming the configuration,
leave the menu and save your changes.
Default YSoft Payment System port is 4197.

Connecting YSoft Payment Machine to YSoft Payment System
If YSoft Payment Machine has been configured correctly, connection to YSoft Payment System
will be possible. To make YSoft Payment Machine fully functional with YSoft Payment System,
please follow these steps:
1. If the correct server address is configured in service menu, YSoft Payment Machine will
display a "Server cannot authenticate terminal (Device not authorized)" message.
2. Log into YSoft Payment System administration and go to YSoft Payment Machines tab. If
configuration on YSoft Payment Machine is set correctly, you will be able to see the
machine on the list. Select YSoft Payment Machine, which you want to authorize and click
on Authorize selected button.

3. The YSoft Payment Machine's status will change to Authorized.
4. Users are now able to log into YSoft Payment Machine
5.
5. You can also change the name of the YSoft Payment Machine by clicking View to display
details and then Rename payment machine . New name will be visible after saving in YSoft
Payment System administration; every YSoft Payment Machine can be now easily
identified.
Resetting the system date
System date reset is not necessary in normal situations.
It is useful only when the device date is accidentally the past and the certificates for
encrypted communication could not be verified.
1. Display the Service menu and tap Service
2. Tap Reset date.

2.
3. Tap YES.
It is recommended to perform a date reset without network connection to prevent date

synchronization over the network.
4. The date is restored to the build date of the firmware and the device will reboot.
Operating YSoft Payment Machine
Removing money from the deposit box and performing closure
1. Enter Service menu authentication by tapping the corners.

2. Enter PIN code for money removal. Then tap OK.
3. Tap Payment System.
4. Tap Remove money.

4.
5. Confirm that you want to remove money now.
Alarm is disabled after the confirmation.
6. Open deposit box and remove money.
7.
7. While the door is open, a timer is in effect. As the timeout period nears the end, the terminal
begins to beep.
To continue with the door open, tap WAIT. When the money removal is finished, tap
DONE.
8. Perform closure.
Closure can be performed only when connection to YSoft Payment System is available.
9. Confirmation screen is displayed. Tap screen to return back to Service menu.

10. Closure details can be displayed in YSoft Payment System administration. Log in and go
to YSoft Payment Machines menu item. Click on View for the YSoft Payment Machine,
where closure was performed.
11. Details (list of deposits) for each closure can be then displayed by clicking on View for the
particular closure.

12. Detail of closure displays list of particular deposits belonging to this closure.
YSoft Payment Machine Troubleshooting
This chapter contains most common problems regarding YSoft Payment Machine.
Could not connect to server
Check for correct date on YSoft Payment System server and also on YSoft Payment Machine.

Network connection is strongly encrypted SSL connection with certificate verification. Verification
will fail if devices has older date then creation time of certificates. There is possibility to reset
system date of YSoft Payment Machine in it's service menu.
Access denied
When user is not able to access recharging screen on YSoft Payment Machine due to Access
denied error, it can be caused by using currency in YSoft Payment System which is not
supported by YSoft Payment Machine.
YSoft Payment Machine Data Sets
Data sets contain firmwares for the bank note acceptation unit and printer (used for receipts).
Only supported currencies are listed, however data set package contains also other files which
are not intended for general use.
SPM Data Set 2020-08-25
Added:
JOD-280-52
Updated:
AUD-285-52
BGN-282-52
EUR5-302-52
GBPNIRL1-285-52
GBPSCO2-289-52
KZT1-283-52
LBP-283-52
TDD-282-52
USD-283-52
File Currenc Ver Relea Supported items1) Notes

name y sion se
date
AED2- United 2.8 5.6.2 5(93-95), 5(00-01), 5(04,07), 5(09), 5(15), 10(93- Added support for
282-52 Arab 2- 019 95), 10(98,01), 10(04,07), 10(09), 10(15), 20(99, 100(19) note.
Emirates 52 00), 20(07), 20(09), 20(10), 50(95-96), 50(98),
- Dirham 50(04-08), 50(11), 50(14), 100(93-95), 100(98),
100(03-06), 100(08), 100(11), 100(14), 100(18), 100

name y sion se
date
(19), 200(89), 200(04), 200(08), 200(15), 500 The width 59 mm

(96), 500(98-00), 500(04), 500(06-08), 500(11), of 5 Dirhams is
500(15), 1000(98-00), 1000(06), 1000(08), 1000 out of device
(12), 1000(15) specification.2)
AUD- Australia 2.8 22.7. 5(95), 5(01), 5(16), 10(93), 10(17), 20(94), 20(19), Added support for
285-52 - Dollar 5- 2020 50(95), 50(18), 100(96), 100(20) 100(20) note.
52 Improved
acceptance.
BGN- Bulgaria 2.8 31.7.2 2(99), 5(99), 5(09), 10(99), 10(08), 10(20), 20 Added support for
282-52 - Leva 2- 020 (99), 20(08), 20(20), 50(99), 50(06), 50(19), 100 10(20), 20(20)
52 (03), 100(18) notes.
The length 116 mm
of 2(99) Leva is
out of device
specification.2)
BHD- Bahraini 1.77- 20.10 0.5(97), 0.5(08), 1(93), 1(08), 5(98), 5(08), 10(98),
177-18 dinar 18 . 10(new), 20(01), 20(new)
2008
CAD- Canada 2.8 11.9.2 5(02), 5(06), 5(13), 10(01), 10(05), 10(13), 10(17), 10 Added support for
282-52 - Dollar 2- 018 (18), 20(04), 20(12), 20(15), 50(04), 50(12), 100 10(18) note.
52 (04), 100(11)
CHF2- Switzerl 2.8 5.11.2 10(97), 10(17), 20(96), 20(17), 50(95), 50(16), 100 Added support for
285-52 and - 5- 018 (98), 100(18), 200(97), 200(17) 100(18). Improved
Franc 52 acceptance.
The length 170 mm
of 200(97) Franc
is out of device
specification.3)
CHF3- Switzerl 2.8 17.9.2 10(97), 10(17), 20(96), 20(17), 50(95), 50(16), 100 Removed support
287-52 and - 7- 019 (98), 100(19), 200(97), 200(17), 1000(98), 1000 for 100(18) note.
Franc 52 (18) Added support for
100(19) note.
The length 170 mm
of 200(97) Franc
is out of device
specification.3)

name y sion se
date
The length 182

mm of 1000 Franc
is out of device
specification.2)
CLP- Chile - 2.77 17.12. 1000(10-14), 2000(04,07), 2000(09-12), 5000(09- Added support for
277-51 Peso -51 2015 12), 10000(09-12), 20000(09-12) 1000(14) note.
CZK- Czech 2.8 17.9.2 100(95), 100(97), 100(18), 200(96), 200(98), 200 Added support for
280-52 Republic 0- 018 (18), 500(95), 500(97), 500(09), 1000(96), 1000 100(18), 200(18)
- Korun 52 (08), 2000(96), 2000(99), 2000(07), 5000(99), notes.
5000(09) The length 170 mm
of 5000 Korun is
out of device
specification.3)
DKK- Denmark 2.0 28.6. 50(97), 50(04), 50(09), 100(97), 100(02), 100
208-40 - Kroner 8- 2012 (09), 200(97), 200(03), 200(09), 500(97), 500
40 (03), 500(09), 1000(97), 1000(04), 1000(09)
EUR5- Europea 3.0 25.3. 5(02), 5(13), 10(02), 10(14), 20(02), 20(15), 50 Improved
302-52 n Union 2- 2020 (02), 50(17), 100(02), 100(19), 200(02), 200(19), acceptance.
- Euro 52 500(02)
GBPNIR England 2.8 4.3.2 BofE: 5(15), 10(16), 20(06), 20(18), 50(11) BofI: 5 Added support for
L1-285- /North 5- 020 (17), 10(17), 20(08), 20(13), 20(19) NB: 20(05), 20 BofI: 20(19), UB: 20
52 Ireland - 52 (09) UB: 5(18), 10(18), 20(96-06), 20(07), 20(19), (19), DB: 20(19)
Pounds 50(97) DB: 10(17), 20(13), 20(19) FTB: 10(98), 20
(94), 20(96), 20(98), 20(07)
GBPSC England 2.8 27.2. BofE: 5(15), 10(16), 20(06), 20(18), 50(11) CB: 5 Improved
O2-289- /Scotlan 9- 2020 (15), 5(16), 10(17), 20(09), 20(19), 50(09) RBofS: 5 acceptance.
52 d- 52 (16), 10(16), 20(91-99,07), 20(19) BofS: 5(15), 10
Pounds (16), 20(07), 20(19)
HRK- Croatia - 2.8 1.12.2 10(01), 10(04), 20(01), 20(14), 50(02), 100(02), Improved
280-52 Kuna 0- 017 200(02), 500(93), 1000(93) acceptance.
52
HUF- Hungary 2.8 24.10 500(18), 1000(17), 2000(16), 5000(16), 10000(14), Removed support
283-52 - Forint 3- . 20000(15) for 500(98), 500
52 2019 (01), 500(06), 500
(07,08), 10000(97),
10000(08).
Improved
acceptance.

name y sion se
date
ILS- Israel - 2.8 14.6. 20(98,01), 20(08), 20(17), 50(98,07), 50(13), 100 Added support for
280-52 Sheqalim 0- 2017 (98,02,07), 100(17), 200(98,02,06), 200(15) 20(17), 100(17).
52
INR-281- India - 2.81 22.7. 10(05), 10(11), 10(17), 20(05), 20(12), 20(17), 50 Added support for
52 Rupee -52 2019 (05), 50(12), 50(17), 100(05), 100(12), 100(18), 200 10(17), 20(17), 20
(17), 500(16), 2000(16) (19), 100(18).
Improved
acceptance.
The length 166
mm of 2000
Rupee is out of
device
specification.3)
JOD- Jordan - 2.8 6.11.2 1(03), 5(02), 10(02), 20(03), 50(03)

280-52 Dinar 0- 017
52
KZT1- Kazakhst 2.8 17.6.2 200(06), 500(17), 1000(10), 1000(11), 1000(13), Removed support
283-52 an - 3- 020 1000(14), 1000(15), 2000(11), 2000(12), 5000 for 500(06), 500
Tenge 52 (08), 5000(11), 10000(11), 10000(12), 20000(13) (07) notes.
LBP- Lebanon 2.8 30.3. 1000(11), 5000(05), 5000(13), 10000(05), 10000 Added support for
283-52 - Livre 3- 2020 (13), 20000(05), 20000(12), 20000(19), 50000 20000(19), 50000
52 (05), 50000(11), 50000(16), 50000(19), 100000 (19).
(05), 100000(11), 100000(17) The width 60 mm
and length 115 mm
of 1000(11) Livre
are out of device
specification.2)
MXN- Mexico - 2.8 16.7.2 20(06-09), 50(04-11), 50(12-13), 100(94-00), 100 Added support for
282-52 Peso 2- 019 (00), 100(00-09), 100(07), 100(08-13), 100(16), 200(19). Improved
52 200(95-99), 200(00), 200(00-07), 200(07-13), acceptance.
200(08-13), 200(19), 500(95-99), 500(00), 500
(00-08), 500(10-12), 500(17), 1000(02), 1000(06-
07)
MYR1- Malaysia 2.8 5.9.2 1(00), 1(12, 13), 2(96), 5(99), 5(04), 5(12), 10(98), Improved
280-52 - Ringgit 0- 017 10(03), 10(12), 20(12), 50(98), 50(07), 100(98), acceptance.
52 100(12)
MYR2- Malaysia 2.7 10.6. 10(98), 10(03), 10(12), 20(12), 50(98), 50(07), 100 Minor
278-52 - Ringgit 8- 2016 (98), 100(12) improvements.
52

name y sion se
date
PEN- Peru - 2.8 20.4. 10(95-06), 10(09-13), 10(16), 20(95-06), 20(09- Added support for
286-52 Soles 6- 2018 13), 20(18), 50(92-06), 50(09-12), 100(92-06), 100 10(16), 20(18), 100
52 (09), 100(12), 100(16), 200(95), 200(09-12) (16). Improved
acceptance.
PLN- Poland - 2.7 30.1. 10(94), 10(12), 20(94), 20(12), 50(94), 50(06), 50 Added support for
278-52 Zlotych 8- 2017 (12), 100(94), 100(12), 200(94), 200(15), 500(16) 500(16) note.
52 The width 60 mm
of 10 Zlotych is
out of device
specification.2)
RON- Romania 2.7 25.7. 1(05), 5(05), 10(05), 10(08), 50(05), 100(05), 200 Improved
270-51 - Lei 0- 2014 (06), 500(05) acceptance of all
51 notes
RUB- Russia - 2.81 28.5. 10(97), 10(04), 50(97), 50(04), 100(97), 100(04), Minor
281-52 Ruble -52 2018 200(17), 500(97), 500(04), 500(10), 1000(97), improvement.
1000(04), 1000(10), 2000(17), 5000(97), 5000
(10)
SAR- Saudi 1.76 2.9.2 1(old), 1(07), 5(old), 5(07), 10(old), 10(07), 20(old),
176-17 Arabia - -17 008 50(old), 50(07), 100(old), 100(03), 100(07), 200
Riyals (old), 500(old), 500(03), 500(07)
SGD- Singapor 2.7 20.2. 2(99), 2(05), 2(06), 5(99), 5(07), 10(99), 10(04), Support for new
270-51 e- 0- 2015 50(99), 50(99), 50(99), 50(99), 100(99), 1000 1000 note,
Singapor 51 (99), 1000(99) improved
e Dollar acceptance.
The length 170 mm
of 1000 Dollar is
out of device
specification.3)
THB- Thailand 2.8 21.8. 20(03), 20(13), 20(17), 20(18), 50(04), 50(11), 50 Added support for
282-52 - Bath 2- 2018 (17), 50(18), 100(05), 100(15), 100(17), 100(18), 500 500(18), 1000(18)
52 (12), 500(14), 500(17), 500(18), 1000(05), 1000 notes.
(15), 1000(17), 1000(18)
THB1- Thailand 2.8 21.5. 100(05), 100(15), 100(17), 100(18), 500(12), 500 Added support for
282-52 - Bath 2- 2018 (14), 500(17), 500(18), 1000(05), 1000(15), 1000 500(18), 1000(18)
52 (17), 1000(18) notes.
TRY- Turkey - 2.7 16.3. 5(09), 5(13), 10(09), 20(09), 50(09), 100(09), 200
272-51 Lira 2- 2015 (09)
51

name y sion se
date
TTD- Trinidad 2.8 20.1. 1(02), 1(06), 5(02), 5(06), 10(02), 10(06), 20(02), Minor
282-52 and 2- 2020 20(06), 50(06), 50(12), 50(14), 50(15), 100(19) improvement.
Tobago 52
- Dollar
TWD- Taiwan - 2.7 25.7. 100(01), 200(02), 500, 1000, 2000(02) Improved security
270-51 Yuan 0- 2014
51
USD- USA - 2.8 15.1.2 1(85-09), 5(93-95), 5(99), 5(06-09), 10(90-95), 10 Improved security.
283-52 Dollar 3- 020 (99-03), 10(04-09), 20(90-95), 20(99-01), 20(04- Old USD series
52 09), 50(90-93), 50(96-01), 50(04-09), 100(90- under dip switch 7
93), 100(96-06), 100(09) (5(93-95), 10(90-
95), 20(90-95), 50
(90-93), 50(96),
100(90-93), 100
(96)).
ZAR- South 2.8 24.1. 10(93), 10(05), 10(12), 10(18), 20(93), 20(05), 20 Improved
283-52 Africa - 3- 2019 (12), 20(18), 50(92), 50(05), 50(12), 50(18), 100 acceptance and
Rand 52 (94), 100(05), 100(12), 100(18), 200(05), 200(12), security.
200(18)
1. Format: Denomination (revision)
2. Note is out of device specification (width 62-85 mm, length 120-165 mm, length up to
170 mm when using Steel Cash Box). Y Soft recommends to disable acceptance of it. Y
Soft will not be responsible for any damages caused by this denomination.
3. Note is out of device specification with Plastic Cash Box, Steel Cash box required (width
62-85 mm, length 120-165 mm, length up to 170 mm when using Steel Cash Box). Y Soft
recommends to disable acceptance of it or obtain Steel Cash Box. Y Soft will not be
responsible for any damages caused by this denomination with Plastic Cash Box.
Currencies supported by YSoft Payment Machine
Legend
Supported
Not supported

This is a limitation by our supplier. Date tells the last check of availability. Some currencies may
have become possible ( ) since then.
Support is possible
Currency could be supported but without 100% guarantee. Currency could be supported by YSoft
Payment Machine firmware, however Y Soft cannot guarantee 100% functionality without tests
with real currency of respective type.
YSoft Payment Machine
Region Country Coins Bills/Notes
Europe & Azerbaijan AZN

Middle East
Bahrain BHD
Bosnia and Herzegovina BAM
Bulgaria BGN
Croatia HRK
Czech Rep. CZK
Denmark DKK
European Union EUR
Georgia GEL
Great Britain GBP
Hungary HUF
Israel ILS
Jordan JOD
Kuwait KWD
30.4.2014
Lebanon LBP

lead time > 1 month
Macedonia MKD
4.4.2016
lead time > 1 month
Norway NOK
Oman OMR
17.3.2015
Poland PLN
Qatar QAR
Romania RON
Russia RUB
Saudi Arabia SAR
Sweden SEK
Switzerland CHF
UAE AED
North America Canada CAD
USA USD
South America Argentina ARS
Barbados BBD
Brazil BRL
Chile CLP

Colombia COP
Ecuador and USD
Mexico MXN
lead time > 1 month
Panama PAB
30.4.2014
Peru PEN
Trinidad and Tobago TTD

10.9.2018
lead time > 1 month
Venezuela VEF
Africa Central African CFA franc XAF

9.8.2016
lead time > 1 month
Morocco MAD
South Africa ZAR
Asia & Pacific Australia AUD
Bangladesh BDT
25.1.2016 25.1.2016
China CNY
India INR
Indonesia IDR
30.4.2014
Japan JPY
Kazakhstan KZT
Korea KRW

Malaysia MYR
Moldova MDL
30.4.2014
New Zealand NZD
Singapore SGD
Taiwan TWD
Thailand THB
Turkey TRY
Ukraine UAH
Support of unlisted currencies
Currencies not listed in the table can be checked by R&D upon request. Their availability will
be added once we have more information.
Self-Service Recharging Station v2
Region Country RCS v2 Coins RCS v2 Bills/Notes
Europe & Czech Rep. CZK

Middle East
European Union EUR
Great Britain GBP
Hungary HUF
Israel ILS
Poland PLN

Region Country RCS v2 Coins RCS v2 Bills/Notes
Romania RON
North America Canada CAD
USA USD
Asia Kazakhstan KZT
Support of unlisted currencies and newly released coins or notes
RCS v2 is after EOL. No additional currencies can be supported. No maintenance is provided

after EOL date including support for newly released coins and notes.
RCS v2 currency testing reports

Notes
YSoft SafeQ Recharging Station v2 (RCS v2) could have one of three notes acceptors: GBA HR1,
GBA HR1+ and GBA ST2.
CAD - Canadian dollar
Banknotes
Device type GBA ST2
Device firmware S02N0454-502
Supported items: value(revision) 5(2002), 5(2006), 10(2001), 10(2005), 20(2004), 20(2012)
Pieces Value Revision Result Date
3 5 2006, pr 2008 OK 23.5.2013
1 10 2005, pr 2007 OK 23.5.2013
1 20 2004, pr 2006 OK 23.5.2013
1 50 2004, pr 2006 Not supported 23.5.2013
1 100 2004, pr 2003 Not supported 23.5.2013
Device type GBA ST2

Supported items: value 5(2002), 5(2006), 5(2013), 10(2001), 10(2005), 10(2013), 20(2004), 20
(revision) (2012)
3 5 2006, pr 2008 OK 19.8.2014
1 10 2005, pr 2007 OK 19.8.2014
1 20 2004, pr 2006 OK 19.8.2014
1 50 2004, pr 2006 Not supported - OK rejected 19.8.2014
1 100 2004, pr 2003 Not supported - OK rejected 19.8.2014
CZK - Czech crown

Banknotes
Device type GBA HR1
Device firmware G58N0280-202
Supported items: value 100, 200, 500(old), 500(2009), 1000(1996), 1000(2008), 2000(1996), 2000
(revision) (1999), 2000(2007), 5000
3 50 1993 Withdrawn - OK rejected 23.5.2013
2 100 1997 OK 23.5.2013
2 200 1993 Withdrawn - Fail, normally accepted 23.5.2013
2 200 1998 OK 23.5.2013
2 500 1997 OK 23.5.2013
1 500 2009 OK 23.5.2013
2 1000 1996 OK 23.5.2013
Device type GBA ST2
Device firmware N58N0454-105
Supported items: value 100, 200, 500(old), 500(2009), 1000(1996), 1000(2008), 2000(1996), 2000
(revision) (2007), 5000

2 100 1997 OK 23.5.2013
2 200 1998 OK 23.5.2013
2 500 1997 OK 23.5.2013
1 500 2009 OK 23.5.2013
2 1000 1996 OK 23.5.2013
Device type GBA ST2
Supported items: value 100(1995), 200(1996), 500(1995), 500(2009), 1000(1996), 1000(2008), 2000
(revision) (1996), 2000(2007), 5000(1999)
1 100 1997 OK 19.8.2014
1 200 1998 OK 19.8.2014
1 500 1997 OK 19.8.2014
1 500 2009 OK 19.8.2014
1 1000 1996 OK 19.8.2014
EUR - Euro
Banknotes
Device type GBA HR1

Supported items: value 5(2002), 5(2013), 10(2002), 20(2002), 50(2002), 100(2002), 200(2002)
(revision)
2 5 2002 1pcs OK; 1 pcs has medium errors in orientation A, rest OK 23.5.2013
2 5 2013 OK 7.6.2013
2 10 2002 1pcs OK; 1 pcs has medium errors in orientation C, rest OK 23.5.2013
2 20 2002 OK 23.5.2013
2 50 2002 1pcs OK; 1 pcs has medium errors in all orientations 23.5.2013
Device type GBA ST2
Supported items: value 5(2002), 5(2013), 10(2002), 20(2002), 50(2002), 100(2002), 200(2002),
(revision) 500(2002)
2 5 2002 OK 23.5.2013
2 5 2013 OK 7.6.2013
2 10 2002 OK 23.5.2013
2 20 2002 OK 23.5.2013
2 50 2002 1pcs OK; 1 pcs has few errors in all orientation C, rest OK 23.5.2013
Device type GBA ST2
(revision) (2002), 500(2002)
1 5 2002 OK 19.8.2014
3 5 2013 OK 19.8.2014
1 10 2002 OK 19.8.2014
1 20 2002 OK 19.8.2014
1 50 2002 OK 19.8.2014

Device type GBA ST2
(revision) (2002), 500(2002)
1 5 2002 OK 20.1.2016
3 5 2013 OK 20.1.2016
1 10 2002 OK 20.1.2016
1 10 2004 OK 20.1.2016
1 20 2002 OK 20.1.2016
4 20 2015 OK 20.1.2016
1 50 2002 OK 20.1.2016
GBP - Pound sterling

Banknotes
Device type GBA HR1
Device firmware G070280-186
Supported items: value(revision) 5, 10, 20
1 5 2002 OK 23.5.2013
1 10 2000 OK 23.5.2013
1 20 2006 OK 23.5.2013
1 50 1994 Not tested - too wide 23.5.2013
Device type GBA ST2
Supported items: value(revision) 5(2002), 10(2000), 20(2007), 50(1994), 50(2010)
1 5 2002 OK 23.5.2013
1 10 2000 OK 23.5.2013
1 20 2006 OK 23.5.2013

Device type GBA ST2
Supported items: value(revision) 5(2002), 10(2000), 20(2007), 50(2010)
1 5 2002 OK 19.8.2014
1 10 2000 OK 19.8.2014
1 20 2006 OK 19.8.2014
HUF - Hungarian forint

Banknotes
Device type GBA HR1
Device firmware G53C0280-200
Supported items: value 200(old), 500(old), 500(2009), 1000(old), 1000(2009), 2000(old), 2000
(revision) (2009), 5000(old), 5000(2009), 10000(old), 10000(2009), 20000(old), 20000
(2009)
1 500 2003 OK 23.5.2013
1 500 2006 OK 23.5.2013
1 1000 2006 OK 23.5.2013
2 2000 2004 OK 23.5.2013
1 5000 2005 OK 23.5.2013
1 5000 2006 OK 23.5.2013
Device type GBA ST2

Supported items: value 500(1998), 500(2006), 500(2007), 1000(2005), 1000(2008), 2000(1998),
(revision) 2000(2007), 5000(1998), 5000(2008), 10000(1997), 10000(2008), 20000
(1999), 20000(2009)
1 500 2003 OK 23.5.2013
1 500 2006 OK 23.5.2013
1 1000 2006 OK 23.5.2013
2 2000 2004 OK 23.5.2013
1 5000 2005 OK 23.5.2013
1 5000 2006 OK 23.5.2013
Device type GBA ST2
Supported items: value 500(1998), 500(2006), 500(2007), 1000(2005), 1000(2008), 2000(1998),

(revision) 2000(2007), 5000(1998), 5000(2008), 10000(1997), 10000(2008), 20000
(1999), 20000(2009)
1 500 2003 OK 19.8.2014
1 500 2006 OK 19.8.2014
1 1000 2006 OK 19.8.2014
2 2000 2004 OK 19.8.2014
1 5000 2005 OK 19.8.2014
1 5000 2006 OK 19.8.2014
ILS - Israeli new shekel

Banknotes

Device type GBA ST2
Supported items: value(revision) 20(2008), 50, 100, 200
1 20 2008 OK 23.5.2013
1 50 2007 OK 23.5.2013
1 100 2007 OK 23.5.2013
1 200 2006 OK 23.5.2013
Device type GBA ST2
1 20 2008 OK 19.8.2014
1 50 2007 OK 19.8.2014
1 100 2007 OK 19.8.2014
1 200 2006 OK 19.8.2014
Device type GBA ST2
Supported items: value 20(98,01), 20(08), 50(98,07), 50(13), 100(98,02,07), 200(98,02,06), 200
(revision) (15)
25 20 2001 OK 20.1.2016
20 50 2014 OK 20.1.2016
PLN - Polish zoty

Banknotes
Device type GBA HR1
Supported items: value(revision) 10, 20, 50, 100, 200

2 10 1994 OK 23.5.2013
2 20 1994 OK 23.5.2013
2 50 1994 OK 23.5.2013
2 100 1994 OK 23.5.2013
Device type GBA ST2
2 10 1994 OK 23.5.2013
2 20 1994 OK 23.5.2013
2 50 1994 OK 23.5.2013
2 100 1994 OK 23.5.2013
Device type GBA ST2
(revision) (2012), 200(1994)
1 10 1994 OK 19.8.2014
1 20 1994 OK 19.8.2014
1 50 1994 OK 19.8.2014
1 100 1994 OK 19.8.2014
RON - Romanian new leu

Banknotes
Device type GBA HR1
Supported items: value(revision) 1, 5, 10(old), 10(2009), 50, 100(2005), 200, 500

2 1 2005 OK 23.5.2013
2 5 2005 OK 23.5.2013
2 10 2005 OK 23.5.2013
2 50 2005 OK 23.5.2013
2 100 2005 OK 23.5.2013
Device type GBA ST2
Supported items: value(revision) 1, 5, 10(2005), 10(2008), 50, 100, 200, 500
2 1 2005 OK 23.5.2013
2 5 2005 OK 23.5.2013
2 10 2005 OK 23.5.2013
2 50 2005 OK 23.5.2013
2 100 2005 OK 23.5.2013
Device type GBA ST2
(revision) (2005)
1 1 2005 OK 19.8.2014
1 5 2005 OK 19.8.2014
1 10 2005 OK 19.8.2014
1 50 2005 OK 19.8.2014
1 100 2005 OK 19.8.2014
SAR - Saudi riyal

Banknotes
Device type GBA ST2

Supported items: value(revision) 1(old), 1(2007), 5(2003), 5(2007-9), 10(2003), 10(2007-9)
2 1 4th series OK 23.5.2013
2 1 2007 OK 23.5.2013
2 5 4th series OK 23.5.2013
2 5 2007 OK 23.5.2013
2 10 4th series OK 23.5.2013
2 10 2007 OK 23.5.2013
Device type GBA ST2
Supported items: value(revision) 1(old), 1(2007), 5(2003), 5(2007-9), 10(2003), 10(2007-9)
1 1 4th series OK 19.8.2014
1 1 2007 OK 19.8.2014
1 5 4th series OK 19.8.2014
1 5 2007 OK 19.8.2014
1 10 4th series OK 19.8.2014
1 10 2007 OK 19.8.2014
1 20 special series Not supported - OK rejected 19.8.2014
1 50 4th series Not supported - OK rejected 19.8.2014
1 50 2007 Not supported - OK rejected 19.8.2014
USD - United States dollar

Banknotes
Device type GBA HR1
Device firmware G01C0280-199
Supported items: value 1, 2, 5(1986), 5(old), 5(new), 10(old), 10(new), 10(2004), 20(old), 20(new), 20
(revision) (2004), 50(old), 50(new), 50(2004), 100(old), 100(new)

2 1 2006 OK 23.5.2013
1 5 2006 OK 23.5.2013
1 10 2006 OK 23.5.2013
1 20 2004 OK 23.5.2013
1 20 2006 OK 23.5.2013
1 50 2006 OK 23.5.2013
1 100 2006 OK 23.5.2013
Device type GBA ST2
Device firmware N01C0454-102
Supported items: value 1, 2, 5(1999), 5(2006), 10(1996), 10(2004), 20(1996), 20(2004), 50(1996), 50
(revision) (2004), 100(1996)
2 1 2006 OK 23.5.2013
1 5 2006 OK 23.5.2013
1 10 2006 OK 23.5.2013
1 20 2004 OK 23.5.2013
1 20 2006 Medium errors in orientation A and C, rest OK 23.5.2013
1 50 2006 OK 23.5.2013
1 100 2006 OK 23.5.2013
Device type GBA ST2
Supported items: value 1(1963), 2(1976), 5(1999), 5(2006), 10(1999), 10(2004), 20(1996), 20(2004), 50
(revision) (1996), 50(2004), 100(1996), 100(2013)
2 1 2006 OK 19.8.2014
1 5 2006 OK 19.8.2014
1 10 2006 OK 19.8.2014

1 20 2004 OK 19.8.2014
1 20 2006 OK 19.8.2014
1 50 2006 OK 19.8.2014
1 100 2006 OK 19.8.2014
YSoft Payment Machine currency testing reports

BHD - Bahraini dinar
Coins
Device type CPS v2 Colibri
Device firmware BHD, Sw: 412-005
Supported items: value(revision) 0.010(B), 0.025(B), 0.050(B), 0.100(B), 0.500(A)
2 0.050 2007, 2010 OK 25.6.2014
2 0.100 2000, 2010 OK 25.6.2014
Banknotes
Device type JCM UBA-10
Device firmware 1.77-18 (20.10.2008) U10BHR0317718.bin
Supported items: value 0.5(97), 0.5(08), 1(93), 1(08), 5(98), 5(08), 10(98), 10(new), 20(01), 20(new)
(revision)
2 0.5 2008 OK 25.6.2014
2 1 2008 OK 25.6.2014
1 5 2008 (xxx133) Mostly rejected in orientation A, C and D, rest OK 25.6.2014
1 5 2008 (xxx393) OK 25.6.2014
2 10 2008 OK 25.6.2014
2 20 2008 OK 25.6.2014
Device firmware 1.77-18 (20.10.2008)

Supported items: value 0.5(97), 0.5(08), 1(93), 1(08), 5(98), 5(08), 10(98), 10(new), 20(01), 20(new)
(revision)
1 0.5 2008 OK 15.12.2015
1 1 2008 OK 15.12.2015
1 5 2008 (xxx133) OK 15.12.2015
1 10 2008 OK 15.12.2015
1 20 2008 OK 15.12.2015
BGN - Bulgarian lev

Banknotes
Device firmware 2.06-40 (8.5.2012) U10BGRSS0320640.bin
Supported items: value 2(99), 5(99), 5(09), 10(99), 10(08), 20(99), 20(07), 50(99), 50(06), 100(03)
(revision)
2 2 2005 OK 26.4.2013
2 5 2009 OK 26.4.2013
2 10 2008 OK 26.4.2013
2 20 2007 OK 26.4.2013
HRK - Croatian kuna

Coins
Device type NRI G13.mft
Device firmware HRK, Sw: 12.03
Supported items: value(revision) 0.05(A), 0.10(A), 0.20(A), 0.50(A), 1(A), 2(A), 5(A)
2 0.01 2001, 2007 OK rejected (unsupported) 17.6.2014
2 0.02 2004, 2005 OK rejected (unsupported) 17.6.2014
2 0.05 2012, 2013 OK 17.6.2014
2 0.10 2000, 2013 OK 17.6.2014
2 0.20 2007,2009 OK 17.6.2014

2 0.50 1993, 2007 OK 17.6.2014
2 1 1995, 1999 OK 17.6.2014
2 2 2003, 2011 OK 17.6.2014
2 5 1996, 2009 OK 17.6.2014
Banknotes
Device firmware 2.50-50 (3.7.2013) U10HRVSS0325050.bin
Supported items: value 10(01), 10(04), 20(01), 50(02), 100(02), 200(02), 500(93), 1000(93)
(revision)
2 10 2012 OK 11.6.2014
2 20 2012 OK 11.6.2014
2 50 2002 OK 11.6.2014
1 100 2002 OK 11.6.2014
1 100 2012 OK 11.6.2014
2 200 2002 OK 11.6.2014
2 500 1993 OK 11.6.2014
2 1000 1993 OK 11.6.2014
Device firmware 2.70-51 (15.1.2015)
Supported items: value 10(01), 10(04), 20(01), 20(14), 50(02), 100(02), 200(02), 500(93), 1000(93)
(revision)
1 10 2012 OK 15.12.2015
1 20 2012 OK 15.12.2015
1 50 2002 OK 15.12.2015
1 100 2012 OK 15.12.2015
1 200 2002 OK 15.12.2015

1 500 1993 OK 15.12.2015
1 1000 1993 OK 15.12.2015
CZK - Czech crown

Coins
Device firmware CZK + EUR (bank0, bank1), Sw: 412-054
Supported items: value 1(A, a), 2(A, a), 5(A, a), 10(A, a), 20(A, a), 50(A, a)
(revision)
Notes We recommend to disable wide channel for CZK20 (channel no. 5 on coinslot
or "CZK 20.00 A" in configuration) to reject foreign coins. CZK20 coins will be
accepted through narrow channel.
1 1 2001 OK 6.8.2013
1 2 1997 OK 6.8.2013
1 5 2002 OK 6.8.2013
1 10 2003 OK 6.8.2013
1 20 2002 OK 6.8.2013
1 50 1993 OK 6.8.2013
16 GBP 0.02 1989, 1993, 2000, OK rejected with 6.8.2013

2001, 2002, 2003, disabled wide
2006, 2007, channel 5
2009, 2010, 2011 Fail, less then 10%
accept ratio when
all channels
enabled
5 GBP 0.02 1994, 2001, 2003, OK rejected with 6.8.2013

2009 disabled wide
channel 5
Fail, about 10% to
40% accept ratio
when all channels
enabled
1 GBP 0.02 2008 OK rejected with 6.8.2013

disabled wide
channel 5

Fail, about 80%

accept ratio when
all channels
enabled
Banknotes
Supported items: value 100(95), 100(97), 200(96), 200(98), 500(95), 500(97), 500(09), 1000(96),
(revision) 1000(08), 2000(96), 2000(99), 2000(07), 5000(99), 5000(09)
Notes The length of 5000CZK notes is out of specification for the plastic cash
box. The metal cash box needs to be installed, or the usage is only at own
risk. We recommend to disable acceptance of it and will not be responsible
for any damages caused by this denomination.
1 100 1997 OK 15.12.2015
2 200 1998 OK 15.12.2015
1 500 1997 OK 15.12.2015
2 500 2009 OK 15.12.2015
2 1000 1996 OK 15.12.2015
EUR - Euro
Coins
Device firmware CZK + EUR (bank0, bank1), Sw: 412-054
Supported items: value(revision) 0.05(A), 0.10(A), 0.20(A), 0.50(A), 1(A), 2(A)
3 0.01 2002, 2003, 2004 OK rejected (unsupported) 6.8.2013
3 0.02 2002 OK rejected (unsupported) 6.8.2013
3 0.05 2002 OK 6.8.2013
2 0.10 2002 OK 6.8.2013
1 0.20 2000 OK 6.8.2013
1 0.20 2001 OK 6.8.2013

1 0.20 2002 OK 6.8.2013
1 0.50 2000 OK 6.8.2013
1 0.50 2002 OK 6.8.2013
2 1 2002 OK 6.8.2013
2 2 2002 OK 6.8.2013
Banknotes
Device firmware 2.60-49 (21.5.2013) U10EUR5SS0326049.bin
Supported items: value(revision) 5(02), 5(13), 10(02), 20(02), 50(02), 100(02), 200(02), 500(02)
1 5 2002 OK 7.6.2013
2 5 2013 OK 7.6.2013
1 10 2002 OK 7.6.2013
1 20 2002 OK 7.6.2013
1 50 2002 OK 7.6.2013
Supported items: value 5(02), 5(13), 10(02), 10(14), 20(02), 50(02), 100(02), 200(02), 500(02)
(revision)
1 5 2002 OK 17.10.2014
3 5 2013 OK 17.10.2014
1 10 2002 OK 17.10.2014
2 10 2014 OK 17.10.2014
1 20 2002 OK 17.10.2014
1 50 2002 OK 17.10.2014

Supported items: value 5(02), 5(13), 10(02), 10(14), 20(02), 20(15), 50(02), 100(02), 200(02), 500
(revision) (02)
1 5 2002 OK 15.12.2015
3 5 2013 OK 15.12.2015
1 10 2002 OK 15.12.2015
1 10 2014 OK 15.12.2015
1 20 2002 OK 15.12.2015
4 20 2015 OK 22.12.2015
1 50 2002 OK 15.12.2015
AED - United Arab Emirates dirham

Coins
Device firmware AED, Sw: 412-004
Supported items: value 0.25(A, 2 revs), 0.50(A, 3 revs), 1(A, 3 revs)

(revision)
Notes We recommend to disable wide channel for 1N (channel no. 7) to reject

foreign coins. 1N coins will be accepted through narrow channel (no. 12).
Piece Value Revisio Result Date

s n
2 0.50 2007 OK 30.7.201

3
7 1 2007 OK 30.7.201
3
3 1 2012 OK 30.7.201
3
1 AUD 1992 OK rejected 30.7.201

0.10 3
1 PHP 1 2003 OK rejected with disabled wide channel 7 30.7.201

Fail, about 50% accept ratio as AED1 when all channels enabled 3
Banknotes

Device firmware 2.51-49 (30.4.2013) U10ARE2SS0325149.bin
Supported items: value 5(93-95), 5(00-01), 10(93-95), 10(98,01), 10(09), 20(97, 00), 20(09), 50(95-96),
(revision) 50(98), 50(04-11), 100(93-95), 100(98), 100(03-06), 100(08), 100(12), 200(89),
200(04), 200(08), 500(96), 500(98-00), 500(04), 500(06-08), 500(11), 1000
(98-00), 1000(06), 1000(08), 1000(12)
Notes The width of 5 Dirhams notes is out of specification for the acceptor, so the
usage is only at own risk. We recommend to disable acceptance of it and
will not be responsible for any damages caused by this denomination.
2 5 2009 OK, but see note above 4.6.2013
2 10 2009 OK 4.6.2013
2 20 2009 OK 4.6.2013
1 50 2008 OK 4.6.2013
1 50 2011 OK 4.6.2013
2 100 2008 OK 4.6.2013
2 200 2008 OK 4.6.2013
Device firmware 2.81-52 (13.12.2018)
Supported items: value 5(93-95), 5(00-01), 5(04,07), 5(09), 5(15), 10(93-95), 10(98,01), 10(04,07), 10
(revision) (09), 10(15), 20(99, 00), 20(07), 20(09), 20(10), 50(95-96), 50(98), 50(04-11),
50(11), 50(14), 100(93-95), 100(98), 100(03-06), 100(08), 100(11), 100(14), 100
(18), 200(89), 200(04), 200(08), 200(15), 500(96), 500(98-00), 500(04), 500
(06-08), 500(11), 500(15), 1000(98-00), 1000(06), 1000(08), 1000(12), 1000(15)
Notes The width 59 mm of 5 Dirhams is out of device specification. We

recommend to disable acceptance of it and will not be responsible for any
damages caused by this denomination.
2 100 2018 OK 4.2.2019
Ecuador and USD - Ecuador and USA

Coins

Device firmware EC + USD, Sw: 412-005
Supported items: value US: 0.01(B), 0.05(A), 0.10(A), 0.25(A), 0.50(A), 1(A) EC: 0.05(B), 0.10(B), 0.25(A),
(revision) 0.50(B)
Piece Value Revision Result Date

s
9 US 0.01 1982, 1985, 1988, 1989, 1990, 2001, 2005, 2007 OK 12.5.201
4
4 US 1960, 1979, 1988, 2005 OK 12.5.201

0.05 4
12 US 0.10 1988, 1997, 1998, 2000, 2001, 2005, 2006, OK 12.5.201

2008 4
11 US 1965, 1967, 1989, 1997, 2000, 2003, 2004 OK 12.5.201

0.25 4
2 EC 2000 OK reported as USD 12.5.201

0.05 0.05 4
2 EC 0.10 2000 OK reported as USD 0.10 12.5.201

4

0.25 0.25 4

0.50 0.50 4
Banknotes
Supported items: value 1(85-09), 5(93-95), 5(99), 5(06-09), 10(90-95), 10(99-03), 10(04-09), 20(90-
(revision) 95), 20(99-01), 20(04-09), 50(90-93), 50(96-01), 50(04-09), 100(90-93), 100
(96-06), 100(09
1 1 2006 OK 15.12.2015
1 20 2004 OK 15.12.2015
ZAR - South African rand

Coins
Device firmware ZAR, Sw: 12.03

Supported items: value(revision) 0.10(A), 0.20(A), 0.50(A), 1(A), 2(A), 5(A)
1 0.50 1996 OK 10.6.2014
1 0.50 2003 OK 10.6.2014
1 1 1993 OK 10.6.2014
1 1 2011 OK 10.6.2014
1 2 1991 OK 10.6.2014
1 2 1995 OK 10.6.2014
1 5 2010 OK 10.6.2014
1 5 2011 OK 10.6.2014
Banknotes
Device firmware 2.50-49 (19.4.2013) U10ZAFSS0325049.bin
Supported items: value 10(93), 10(05), 10(12), 20(93), 20(05), 20(12), 50(92), 50(05), 50(12), 100(94),
(revision) 100(05), 100(12), 200(05), 200(12)
Piece Valu Revision Result Date

s e
2 10 5th issue 2012 OK 10.6.201

4
1 20 5th issue 2012 (EBxxxxxxx Fail, mostly rejected in all orientations 10.6.201
B) 4
1 20 5th issue 2012 (CExxxxxxx OK 10.6.201

B) 4
1 50 5th issue 2012 (AGxxxxxxx Sometimes rejected in orientation A and B, rest 10.6.201
C) OK 4
1 50 5th issue 2012 (DQxxxxxxx OK 10.6.201

C) 4
1 100 4th issue 2005 OK 10.6.201

4
1 100 5th issue 2012 OK 10.6.201

4
1 200 4th issue 2005 OK 10.6.201

4

Piece Valu Revision Result Date
s e
1 200 5th issue 2012 OK 10.6.201

4
AUD - Australian dollar

Coins
Device firmware AUD, Sw: 412-054
Supported items: value(revision) 0.05(A), 0.10(A), 0.20(A), 0.50(A), 1(A), 2(A)
1 0.05 2000 OK 26.3.2014
1 0.05 2008 OK 26.3.2014
1 0.10 1984 OK 26.3.2014
1 0.10 1992 OK 26.3.2014
1 0.10 2010 OK 26.3.2014
1 0.20 2008 OK 26.3.2014
1 0.20 2009 OK 26.3.2014
1 0.50 1995 OK 26.3.2014
1 0.50 2002 OK 26.3.2014
1 1 1994 OK 26.3.2014
1 1 2000 OK 26.3.2014
1 2 2006 OK 26.3.2014
1 2 2008 OK 26.3.2014
1 PHP 1 2003 Fail, accepted as 26.3.2014

AUD 0.10. The only
possible solution
is to disable the
acceptance of
AUD 0.10.
1 PKR 5 2004 OK rejected 26.3.2014
1 PKR 5 2006 OK rejected 26.3.2014
Banknotes

Device firmware 1.78-17 (24.9.2008) U10AUS0317817.bin
Supported items: value(revision) 5(95), 5(01), 10(93), 20(94), 50(95), 100(96)
2 5 Current polymer OK 6.2.2014
MYR - Malaysian ringgit

Banknotes
Device firmware 2.30-44 (16.10.2012) U10MYS1SS0323044.bin
Supported items: value 1(00), 1(12), 2(96), 5(99), 5(04), 5(12), 10(98), 10(03), 10(12), 20(12), 50(98), 50
(revision) (07), 100(98), 100(12)
1 1 old OK 26.4.2013
1 1 4th series polymer OK 26.4.2013
1 10 4th series OK 26.4.2013
1 10 with lead OK 26.4.2013
1 20 4th series OK 26.4.2013
1 50 3rd series Few errors in orientation B, rest OK 26.4.2013
1 100 old OK 26.4.2013
1 100 4th series OK 26.4.2013
Device firmware 2.51-50 (20.12.2013) UBA10MYS1SS0325150.bin
Supported items: value 1(00), 1(12), 2(96), 5(99), 5(04), 5(12), 10(98), 10(03), 10(12), 20(12), 50(98), 50
(revision) (07), 100(98), 100(12)

1 1 old OK 17.10.2014
1 10 4th series OK 17.10.2014
2 50 4th series 2009 OK 17.10.2014
1 100 old OK 17.10.2014
SGD - Singapore dollar

Banknotes
Device firmware 2.05-24 (4.5.2011) U10SGP0320524.bin
Supported items: value 2(99), 2(05), 2(06), 5(99), 5(99), 5(07), 10(99), 10(04), 50(99), 50(99,04), 50
(revision) (99), 50(99), 100(99), 1000(99)
1 50 4th series OK 24.5.2013
TWD - New Taiwan dollar

Coins
Device firmware TWD, Sw: 12.03
Supported items: value(revision) 1(A), 5(A), 10(A), 20(A), 50(B), 50(C)
2 1 N/A OK 26.4.2013
1 5 N/A OK 26.4.2013
3 10 N/A OK 26.4.2013
Banknotes
Device firmware 2.07-40 (5.4.2012) U10TWNSS0320740.bin
Supported items: value(revision) 100(01), 200(02), 500, 1000, 2000(02)

2 100 2001 OK 26.4.2013
2 1000 2005 OK 26.4.2013
ILS - Israeli New Shekel
Supported items: value 20(98,01), 20(08), 50(98,07), 50(13), 100(98,02,07), 200(98,02,06), 200
(revision) (15)
25 20 2001 OK 15.12.2015
10 50 2014 OK 15.12.2015
THB - Thai Baht
Supported items: value 20(03), 20(13), 50(04), 50(11), 100(05), 100(15), 500(01), 500(14), 1000(05),
(revision) 1000(15)
2 20 Series 16 OK 27.1.2017
1 50 Series 16 OK 27.1.2017
2 100 Series 15 OK 27.1.2017
2 100 Series 16 OK 27.1.2017
2 500 Series 16 OK 27.1.2017
1 1000 Series 15 OK 27.1.2017
INR - Indian rupee
Device firmware 2.31-45 (14.12.2012)
Supported items: value 10(96), 10(11), 50(97), 100(96), 100(11), 500(old), 500(00), 1000(00), 1000(12)
(revision)
Notes

The length of 500 Rupees notes is out of specification for the plastic cash
box. The metal cash box needs to be installed, or the usage is only at own
risk. We recommend to disable acceptance of it and will not be responsible
for any damages caused by this denomination.
The length of 1000 Rupees notes is out of specification for the acceptor, so
the usage is only at own risk. We recommend to disable acceptance of it
and will not be responsible for any damages caused by this denomination.
Notes 500(old), 500(00), 1000(00) and 1000(12) are no longer in legal tender
due to Indian banknote demonetization in 2016, so we recommend to disable
acceptance of these denominations.
1 5 2009 OK rejected (unsupported) 27.1.2017
1 10 2011 OK 27.1.2017
1 10 2012 OK 27.1.2017
1 20 old OK rejected (unsupported) 27.1.2017
1 50 2012 OK 27.1.2017
1 50 2013 OK 27.1.2017
MXN - Mexican peso

Coins
Device firmware MXN, Sw: 412-006, Build: DE0
Supported items: value(revision) 0.20(A), 0.20(B), 0.50(B), 0.50(C), 1(B), 2(B), 5(B), 10(B), 10(C)
1 1 2015 OK 15.6.2017
2 1 2016 OK 15.6.2017
1 2 2006 OK 15.6.2017
1 2 2008 OK 15.6.2017
1 2 2016 OK 15.6.2017
1 5 1993 OK 15.6.2017
1 5 2005 OK 15.6.2017

1 5 2011 OK 15.6.2017
1 10 2007 OK 15.6.2017
2 10 2015 OK 15.6.2017
Banknotes
Supported items: value 20(06-09), 50(04-11), 50(12-13), 100(94-00), 100(00), 100(00-09), 100(07), 100
(revision) (08-13), 200(95-99), 200(00), 200(00-07), 200(07-13), 200(08-13), 500(95-
99), 500(00), 500(00-08), 500(10-12), 1000(02), 1000(06-07)
Notes
1 20 2012 OK 2.5.2017
2 20 2013 OK 2.5.2017
2 50 2013 OK 2.5.2017
1 50 2015 OK 2.5.2017
1 100 2013 OK 2.5.2017
2 100 2014 OK 2.5.2017
TTD - Trinidad and Tobago dollar

Banknotes
Supported items: value 1(02), 1(06), 5(02), 5(06), 10(02), 10(06), 20(02), 20(06), 50(06), 50(12), 50(14),
(revision) 50(15), 100(02), 100(06), 100(09)
Notes
2 1 2006 OK 10.1.2019
2 5 2006 OK 10.1.2019
2 10 2006 OK 10.1.2019
2 20 2006 OK 10.1.2019

2 50 2014 OK 10.1.2019
TRY - Turkish lira

Banknotes
Supported items: value(revision) 5(09), 5(13), 10(09), 20(09), 50(09), 100(09), 200(09)
Notes
2 5 2013 OK 10.1.2019
2 5 2017 OK 10.1.2019
1 10 2012 OK 10.1.2019
2 10 2017 OK 10.1.2019
1 20 2009 Few errors in orientation A, rest OK 10.1.2019
2 50 2013 OK 10.1.2019
2 50 2017 OK 10.1.2019
2 100 2009 OK 10.1.2019
2 100 2012 OK 10.1.2019
2 100 2017 OK 10.1.2019
1 200 2009 OK 10.1.2019
1 200 2013 OK 10.1.2019
LBP - Lebanese pound

Coins
Device firmware LBP, Sw: 412-006, Build: DE0
Supported items: value(revision) 50(A), 100(A), 100(B), 250(A), 250(B), 500(A), 500(B)
1 250 2006 OK 1.2.2019
1 500 2009 OK 1.2.2019

Banknotes
Supported items: value 1000(11), 5000(05), 5000(13), 10000(05), 10000(13), 20000(05), 20000(12),
(revision) 50000(05), 50000(11), 50000(16), 100000(05), 100000(11), 100000(17)
Notes
1 1000 2011 Few errors in orientation D, rest OK 4.2.2019
1 5000 2012 OK 4.2.2019
1 10000 2012 OK 4.2.2019
1 20000 2012 OK 4.2.2019
1 50000 2011 OK 4.2.2019
GEL - Georgian lari

Coins
Device firmware GEL, Sw: 412-006, Build: DE0
Supported items: value(revision) 0.05(A), 0.10(A), 0.20(A), 0.50(A), 0.50(B), 1(A), 2(A), 10(A)
4 0.10 1993 OK 1.2.2019
4 0.20 1993 OK 1.2.2019
4 0.50 2006 OK 1.2.2019
4 1 2006 OK 1.2.2019
4 2 2006 OK 1.2.2019
5.9.3 CONFIGURING YSOFT SAFEQ END USER INTERFACE
This page contains YSoft SafeQ end user interface documentation for administrators.
5.9.3.1 Installation
YSoft SafeQ end user interface is installed automatically, no configuration is necessary.

YSoft SafeQ end user interface installer will create:
Windows service YSoft SafeQ end user interface
Web interface accessible via default URL https://<SPOC_HOST>:9443/end-user/ui
Default installation directory in C:\SafeQ6\SPOC\EUI\
5.9.3.2 Enable YSoft SafeQ end user interface features
If you want to use all of the YSoft SafeQ end user interface features, you have to configure
YSoft Payment System and YSoft SafeQ Mobile Print Server in YSoft SafeQ web interface.
Payment gateways need to be configured in YSoft Payment System.
Install and enable YSoft Payment System in YSoft SafeQ web interface by setting the Enable
YSoft Payment System configuration option (property name: enablePaymentSystem) to enabled.
When Enable YSoft Payment System option is disabled, Payment menu item, My deposit
widget and user's balance are not visible in YSoft SafeQ end user interface.
YSoft SafeQ Mobile Print Server
Install and enable YSoft SafeQ Mobile Print Server in YSoft SafeQ web interface by setting the
Enable Mobile Print Server option ( Property name: enableMobilePrintServer ) to enabled.
When Enable Mobile Print Server option is disabled, Upload job menu item is not visible and
users are not able to upload job via YSoft SafeQ end user interface web.
Processing of uploaded jobs
Files uploaded to the YSoft SafeQ end user interface are further processed by other
subsystems. Here is rough description of the process:
1. Files are physically saved into a hot folder on YSoft SafeQ end user interface server. It's
default location is C:\SafeQ6\SPOC\server\mobile.
2. Files are processed by YSoft SafeQ Mobile Print Server and removed from hot folder.
3. Data are sent to YSoft SafeQ FlexiSpooler (mode for server spooling).
4. YSoft SafeQ FlexiSpooler saves jobs data into folder

<FLEXI_SPOOLER_HOME>\Service\JobStore\controller-<ID>\
5. Job metadata are sent to YSoft SafeQ Spooler Controller and YSoft Management.

Change of the hot folder
Path to the hot folder depends on configuration of YSoft SafeQ, YSoft SafeQ end user interface
and YSoft SafeQ Mobile Print Server. You can change path to the hot folder by the following
steps.
1. Change YSoft SafeQ system setting "Mobile Print Server spool directory" (alias
mpsSpoolDir).
2. Change the YSoft SafeQ end user interface configuration "spoc.homeDirectory". See
section Advanced configuration for more detail.
3. Change the YSoft SafeQ Mobile Print Server configuration "folderSources".
4. Here is example of final path "%safeq_home_directory%/server/mobile/" (home directory will

be replaced by the value of "spoc.homeDirectory").
Payment gateways
Configure at least one payment gateway connector in YSoft Payment System (Electronic
payment tab). After configuration, the users are able to use Payment gateways in YSoft SafeQ
end user interface.
Supported payment gateways are:
PayPal
DIBS
Account connection
If you use an external payment system provider which needs a user's permission to access his
/her account, administrator needs to set up the provider's name and logo URL in YSoft Payment
System administration. This name and logo are used in YSoft SafeQ end user interface in the
Account connection menu.

5.9.3.3 Advanced configuration
If YSoft SafeQ end user interface is deployed on the same server as YSoft SafeQ Spooler
Controler (SPOC), no configuration is needed, everything is preconfigured.
Configuration of YSoft SafeQ end user interface can be edited or added into environment-
configuration.properties file located in C:\<SAFEQ6_HOME>\SPOC\EUI\ui-conf\
Following parameters are editable:
Element(s) Description
restClient.yps. Maximum number of simultaneous connections to YSoft Payment

maxTotalConnections System. Default value is 200.
web.channel Determines channel used by web of YSoft SafeQ end user interface.
Default value is https. Valid values are http, https or any. Value https
will force redirect from http to https channel.
web.http.port Port for http channel. Default value is 9090.
web.https.port Port for https channel. Default value is 9443.
safeq.authentication.address Address for communication with YSoft SafeQ. Default value is "tcp://127.
0.0.1:5555".
spoc.homeDirectory Path to the home directory of YSoft SafeQ Spooler Controler. This
option is used for determining the hot folder location. Default value is "..
/..", which usually means c:\SafeQ6\SPOC.
remoteService. Threshold for calls to remote systems (YSoft Payment System and
callDurationThresholdInMillis YSoft SafeQ 6). When calls take longer a warning will be logged. Value
is in miliseconds. Default value is 1000.
Customizable Error pages
Error pages can be customized for errors 403 Forbidden, 404 Not Found and 500 Internal Server
Error. It is possible to change image, page title (text in browser's tab), header and error
description.
If you want to know, where to configure customizable error pages, see section Advanced
configuration.
Beware special characters and encoding. Properties files are by default encoded in ISO-8859-1.
To convert special characters, use for example this tool.

Element Description
Image to be displayed on the error page - it can be anything, you just have to
specify a folder of the image. Supported image files are: JPG, PNG, GIF and BMP.
error.image
Title, header and description of the error page

(XXX stands for the required error code - 403, 404 or 500)
error.XXX.title
error.XXX.header
error.XXX.
description
Example of custom error pages:
##############################################################################################
# Error pages
##############################################################################################
#full path to custom image on error pages

error.image=C:/Users/administrator/Documents/EUI/src/main/resources/custom.png
#custom title, header and description for individual errors

error.403.title=Forbidden
error.403.header=Woops!
error.403.description=403 error
error.404.title=Not found
error.404.description=You are looking where you shouldn't.
error.500.title=Internal Server Error

error.500.description=Something went wrong.
5.9.3.4 Related documentation
Using the YSoft SafeQ End User Interface
5.9.4 MOBILE INTEGRATION GATEWAY ADMINISTRATION

Mozilla Firefox
Google Chrome
Internet Explorer 10 or higher
Safari
Note: Web administration is compatible with any ACID3 compatible website browser.
Mobile Integration Gateway administration is a web interface used for configuring Mobile
Integration Gateway service. After log in, user can modify announced printer name and location
and manage server certificates.
If YSoft SafeQ - Mobile Integration Gateway Setup web interface is configured to use a different
port than the default port 8050, enter the complete URL (e.g.: https://mig_ip:port/administration).
5.9.4.1 Logging into the system
Use your default credentials to log into YSoft SafeQ - Mobile Integration Gateway Setup web
interface. Only user who belongs to administrator or sub-administrator group can log in.
5.9.4.2 Automatic logout
If the user has been inactive for at least 30 minutes, he is logged out automatically and with next
action notified about expired session.
5.9.4.3 Turning Mobile Iintegration Gateway on and off
When authenticated, user can turn Mobile Integration Gateway on and off. Server will stop or
start announcing.

5.9.4.4 Updating announced name, location and supported paper sizes
1. When authenticated, user can change announced name and location. This information
shows on iPhone®/Mac as printer name and printer location.
2. Administrator can specify Mobile Integration Gateway geographic location. For valid
geographic location, both altitude and longitude has to be entered. When both altitude and
longitude are empty, server will delete current saved geographic location.
3. Check the paper size that you want to use. If both are selected, user can choose paper
size before print.
5.9.4.5 Certificates
Administrator is able to work with server certificate from Mobile Integration Gateway
administration web interface. Administrator can generate self-signed certificate, generate
certificate signing request or upload signed certificate with private key.

Self-signed certificate
By selecting Generate self-signed, administrator can generate self-signed certificate using web
interface form. Common name field is required and should contain valid server domain name. By
clicking Generate certificate button on correctly filled in form, self-signed certificate is generated
and added to Windows Certificate store. Generated certificate has validity for 10 years. This
certificate is then mapped to be used directly with Mobile Integration Gateway port.
Certificate signing request
By selecting Generate certificate signing request, administrator can generate certificate signing
request by filling in form in interface dialog. Common name field is required and should contain
valid server domain name. By clicking Generate certificate signing request button on correctly
filled in form, certificate signing request is generated and downloaded via web browser.
Generated certificate signing request has requested validity for 10 years. Downloaded file

certificate-request.zip contains two files, YSoft AirPrint certificate.csr and YSoft AirPrint private
key.key. YSoft AirPrint certificate.csr is certificate signing request which should be sent to
desired certificate authority to be signed. YSoft AirPrint private key is private key and should be
kept save and secure for later upload together with signed certificate signing request.
Upload certificate
By selecting Upload certificate, administrator can upload signed certificate by selecting

certificate *.crt and private key *.key file. If password was specified for private key, when
generating certificate signing request, the same password needs to be filled in when uploading
signed certificate. Uploaded certificate is added to Windows Certificate store and then mapped to
be used directly with Mobile Integration Gateway port.

5.9.5 CONFIGURING MOBILE PRINT SERVER
5.9.5.1 Overview
There are two sources of the configuration in the YSoft SafeQ Mobile Print Server (Mobile Print
Server):
Local configuration:
Local configuration consists of two configuration files mps.config and conversion.config. Their
purpose is to define specific options of one Mobile Print Server installation. All local values are
loaded as soon as the Mobile Print Server service is started. Both files are located in
<MobilePrintFolder>\Service\conf\. Without valid and fully defined local configuration the Mobile
Print Server service can not run.
Configuration loaded from YSoft SafeQ Management Service (Management Service):
This configuration is loaded to the Mobile Print Server during startup and is refreshed every 15
minutes. If this configuration is not available during startup the Mobile Print Server waits
indefinitely to receive any. In order to propagate changes immediately to Mobile Print Server,
restart of the service Mobile Print Server is needed (Open services.msc, select service Mobile
Print and restart this service).
Some fields from the YSoft SafeQ Management Service configuration can be overridden by
the local configuration.
To configure Mobile Print Server in Management Service follow the instructions below:
1. Open YSoft SafeQ Management Service http://SAFEQ_IP:SAFEQ_HTTP_PORT/ (for example

http://192.168.1.1:80/) and log in as administrator.
2. Choose tenant for which you want to configure Mobile Print Server and go to its tenant
management page.
3. On page navigate to System tab.
4. To access all of the options for Mobile Print Server, Expert views have to be set.
5. Open category Mobile Print Server.
5.9.5.2 Configuring Mobile Print Sever via web interface
Yellow marked settings can be overridden in the local configuration.

Functional settings
Option Property name Default Description
Allow mobile print enableAnonymousMo Disabled When is enabled, System accepts jobs for
for anonymous bilePrint mobile print from user without
users authentication. If the user is unregistered,
a new one will be created automatically
using the email address of the sender. temp
lateUserLogin property should be
configured on YSoft SafeQ Management,
otherwise, the user will not be created, and
the job will not be available for print.
Force B/W for mpsFinishingBW Disabled Mobile Print Server will force black/white
Mobile print printing.
Force duplex for mpsFinishingDuplex Disabled Mobile Print Server will force duplex
Mobile print printing.
Ignore e-mail body mpsIgnoreBody Enabled If enabled and document contains any
attachment, only attached file will be
converted and email body will be ignored. If
disabled, both body and attached file will
be converted.
It can be overridden in the local
configuration:
< mps ignoreMailBody = "false" >...
Print job title mpsJobPrefix "Mobile print" String that will be used as prefix for all
prefix print jobs received via Mobile Print feature.
Enable Mobile Print enableMobilePrintSer Disabled Enables or disables the Mobile Print Server.
Server ver
Unless this option is enabled the
service can not fully start.
Ignored ignoredAttachments ATT0000?. The pattern of email attachments that are

attachments txt ignored.
Some email clients create unwanted
attachments which should not be printed
by YSoft SafeQ. For example some iOS
clients create ATT00001.txt attachment
even if email is sent with no attachment.
There is a functionality in the Mobile Print
Server that helps to get rid of these
unwanted attachments. It is configurable
via Ignored attachments

(ignoredAttachments) property in the

System settings. You can specify ignored
attachments here. Values must be
separated by comma "," character. To
insert a comma into the file name, you can
use wild card characters "?" and "*" (similar
to file search). Default value of the
property is "ATT0000?.txt" to prevent
unwanted attachments that come from
iOS email clients by default.
All attachments matching Ignored
attachments values will be ignored and
Mobile Print Server will not send any
notification about this event (it is only
logged).
MPS default mpsDefaultEncoding UTF-8 Default encoding used for txt files and non-
encoding HTML body. Mobile Print Server tries to
detect encoding of mentioned files and if
the detection fails, this encoding is used
during conversion.
Cryptographic mpsHttpsSecurityPro Ssl3, Tls, A list of cryptographic protocols for

protocols for tocols Tls11, Tls12 encrypted outbound communication from
encrypted the YSoft SafeQ Mobile Print Server.
outbound Applied for all outbound connections, HTTP
communication with the YSoft SafeQ FlexiSpooler, SMTP,
POP3, IMAP and EWS with the mail server.
If any protocol is removed from the list, the
YSoft SafeQ Mobile Print Server will not
connect to any of the servers that only
support the removed protocol.
For further details see Configuring
cryptographic protocols for outbound
communication and SSL/TLS Secure
Channel - SCHANNEL - Troubleshooting.
The property can be overridden in the local
configuration:
< mps securityProtocols = "Tls12" >
...
Mailbox check mpsCheckTimeout 10000 Time interval to control mailbox in

timeout milliseconds.
configuration:

< mps generalSourceCheckTimeout =

"5000" >...
Fixing of correctSlideSize Enabled Correct incorrectly generated slide size in

PowerPoint files the PowerPoint files.
page size
Despite saving slides to a specific
format (A4/A3/Letter/Ledger) in
PowerPoint, the files are not
converted properly when printing
over Mobile Print. This option allows
Mobile Print Server to detect the
incorrect page sizes and correct
them.
Letter format can not be

distinguished from the 4:3 format.
In this case defaultPaperSize value
is used to decide the output
format. If defaultPaperSize is set to
Letter, then the slides are printed
as letter, otherwise, it is left in 4:3
format.

configuration:
< mps correctSlideSize = "false"
>...
Regional settings
Open category Regional settings instead of Mobile Print Server.
Option Property Defa Description

name ult
Default defaultPape A4 The value uses Mobile Print Server as a default paper size for
paper size rSize printed documents where no paper size is encapsulated in it (i.e.
HTML, MHTML, TXT, Email).
Supported values are: A4, Letter.

Option Property Defa Description
name ult
It can be overridden in the local configuration:

< mps defaultPaperSize = "Letter" >...
Notification settings
YSoft SafeQ Mobile Print Server provides highly customizable email notification about job
processing. By setting the options listed below the administrator can customize and/or localize
the notification emails sent to the user.
Settings for SMTP connection (for sending emails) Mobile Print Serveruses general SafeQ SMTP
settings. Ensuring that mail sending from MPS via SMTP works is crucial, as it is the only way
how Mobile Print Server informs user about jobs processing results. If secured connection
for SMTP is used, pay attention if your server uses explicit or implicit security. In most cases, it
can be recognized by port number used for SMTP. Port 587 is usually used for explicit security,
which is supported by MPS, but port 465 is usually used for implicit security, which is not
supported by Mobile Print Server.
For more information about the notification email composition see Mobile Print Server - User mail
notification composition.
Option Property name Description
Finish option black-white mpsFinishOptionBw Description of finishing option B/W set.
Finish option duplex mpsFinishOptionDuplex Description of finishing option Duplex set.
Job conversion failed mpsJobConversionFailed Description when a job failed to convert.
Job list footer mpsMailFooter Text below the jobs list should contain the
link to the Mobile Print Server Web
Interface (placeholder
#MOBILEWEBINTERFACE#).
Job list header mpsMailHeader Text above the jobs list.
Job processing failed mpsJobProcessingFailed Description when a job failed to process (in
case of general or unknown error).
Job send failed mpsJobSendFailed Description when a job failed to be sent to

SafeQ.
Job was successfully mpsJobSuccess Description when a job was successfully

processed processed and sent to SafeQ.
Mail authentication failed mpsMailAuthenticationFailed Text when the sender's email address is
not registered to any user in SafeQ.

Option Property name Description
Mail duplicate address mpsMailDuplicateAddress Text when the sender's email address is
registered to more than one user in SafeQ.
Mail header mpsJoblistHeader General notification mail header.
Mail footer mpsJoblistFooter General notification mail footer.
Mail send has failed mpsMailSendFailed Text when the sender's email address
could not be verified, because of no
connection to SafeQ.
Mail send was successful mpsMailSendOk Text when the email was accepted by the
SafeQ Mobile Print Server.
Notify finish option forced mpsNotifyFinishOptionForced Text about which finishing options are set.
Send user notifications mpsMailUserSuccess If enabled, the Mobile Print Server will send
regarding successes mpsMailSendOk notifications regarding
successful jobs.
Send user notifications mpsMailUserFailure If enabled, the Mobile Print Server will send
regarding failures users mpsJobConversionFailed,
mpsJobSendFailed and
mpsJobProcessingFailed failure
notifications.
5.9.5.3 Local configuration - mps.config and controllerIPs.config
In general local configuration is used to define job sources (email and folder sources) and
communication channels. An administrator is to set different local configuration values per every
instance of the Mobile Print Server. Most of the local configuration values are defined during
installation.
The configuration files are similar to the configuration in YSoft SafeQ Mobile Print Server 5 with
some differences.
The major version number is necessary to define in main configuration tag (mps) for
version 6.* of YSoft SafeQ Mobile Print Server.
<mps version="6">...
Folder sources
Folder source is a local or network path where users can upload jobs via web or 3rd party
interface. Mobile Print Server checks those folders periodically and transfers them to the YSoft
SafeQ. There can be one or more folder sources defined. Each source is defined by one add tag
with its attributes which is inside folderSources tag.

If the management server is installed on different IP from the Mobile Print Server Path to source
folder location. For installation on the same server as the web interface resides the default folder
source setting can be used without any changes, otherwise, proper IP address and path has to
be defined.
Option Default Description
host N/A IP address of the YSoft SafeQ Management server.
path N/A The absolute local path on the YSoft SafeQ Management server
where the jobs are uploaded.
host and path fields together build the UNC network path to the
folder.
Preferred way of path definition on localhost (127.0.0.1) is full
widows path with driver letter on the beginning.
There may be a $ sign in the path field because

Windows considers these paths as shared network ones
(i.e. C$\SafeQ6\SPOC\server\mobile\).
userName N/A Optional. Credentials of the user who is authorized to access the
folder. If the userName is not defined it uses credentials the Mobile
Print Server is running under. In this case, folder sources have to
be created with the same read/write rights as the Mobile Print
Server credentials.
password N/A Optional. Password can be defined by plain text or encrypted (i.e.
code,3,52,90,-91,44,-90,62,-101 - see section Password encryption).
downloadInterval 1000 Interval in milliseconds of checking the folder.
Examples of folderSources configuration
< folderSources >


< add host = "127.0.0.1" path = "C:\SafeQ6\SPOC\server\mobile\" >

< add host = "168.192.0.11" path = "C$\SafeQ6\SPOC\server\mobile\" userName = "Administrato
r" password = "code,3,52,90,-91,44,-90,62,-101" downloadInterval = "1000" />
</ folderSources >
Email sources
Mobile Print Server can operate one or more email sources that are checked periodically. Each
source is defined by one add tag with its attributes which is inside emailSources tag.
type N/A Protocol for retrieving emails from a mailbox.

Supported values are Imap, Pop3, Exchange. (Exchange web

services - EWS is used to connect when Exchange
connection is chosen)
host N/A Host name or IP address of the mail server.
domain N/A Domain of the user, this is necessary only for Exchange type
userName N/A Mailbox address, that is checked periodically for new emails.
Only local part of address ( username) is needed for some
systems (typically for Exchange).
password N/A Password of the mailbox. It can be defined by plain text or

encrypted (i.e. code,3,52,90,-91,44,-90,62,-101 - see section Pas
sword encryption).
port 993 Port number of the mail server. This setting is ignored for
Exchange type.
Standard email ports are:
POP3: 110 insecure / 995 secure
IMAP: 143 insecure / 993 secure
secure True Enables secure communication to the mail server. This

setting is ignored for Exchange type.
Supported values are:
True - SSL/TLS will be used for secure communication.
False - No security is used.
Auto - Mobile Print Server tries to recognize if secure
communication is on or off.
implicitSecurityMode True Mobile Print Server uses this parameter for secure
communication (secure is set to True). False value means
communication with email server starts without SSL/TLS and
secure layer is set during the communication, True value
means that SSL/TLS is used from the beginning of the
communication with email server.
For ports 995 and 993, implicitSecurityMode normally has to
be true and for 110/143 it normally has to be false. This
setting is ignored for Exchange type.
ignoreCertificateChainErr False In case of a mail server with a self-signed certificate and

ors secure communication (including Exchange communication,
which is secure by default) , you have to set this value to
True.
If set to True all mail server certificate validation

errors are ignored, please consider the security
risks.

maxEmailsPerBatch 50 Maximum number of emails downloaded at once (in one tick
of the mpsCheckTimeout set).
networkOperationTimeo 60 Timeout in seconds for download of all email batch including

ut all attachments. This setting is ignored for Exchange type.
failedFiles Settings for files that were not processed successfully

(folder where the files should be moved, time in seconds after
which the files should be deleted). If no settings provided, the
default values are used (default folder is „Failed“, default time
is 7 days).
Examples of emailSources configuration
<emailSources>

<add type="Imap" host="168.192.0.10" userName="mps1@company.com" password="code,3,52,90,
-91,44,-90,62,-101" implicitSecurityMode="false" />

<add type="Pop3" host="168.192.0.11" userName="mps2@company.com" password="code,3,52,90,
-91,44,-90,62,-101" port="110" secure="false" />

<add type="Imap" host="imap.company.com" userName="mps3" password="1234" ignoreCertificateChai
nErrors="true" />

<add type="Imap" host="imap.company.com" userName="mps4@company.com" password="1234" port="993
" secure="true" implicitSecurityMode="true" ignoreCertificateChainErrors="true" />

<add type="Imap" host="imap.company.com" userName="mps5@company.com" password="1234" port="143
" secure="true" implicitSecurityMode="false" ignoreCertificateChainErrors="true" maxEmailsPerBat
ch ="30" networkOperationTimeout="60"/>

<add type="Exchange" host="exchange.company.com" userName="mps6@company.com" domain="someDomai
n" password="1234" />
</emailSources>
Exchange connection via Exchange web services is possible only with MS Exchange Server
2013 and newer.
Notification settings
It is possible to enable/disable notifications from Mobile Print Server to user email. Configuration
properties are divided to two separate options. First one for enabling success job notifications
and second one for failure job notifications. So, it is possible, for example, disable only success job
notifications, and still be notified, when job has not processed.

Option D Description
ef
au
lt
mailUser Tr Setting to false will disable mpsMailSendOk notifications from Mobile Print Server
Success u regarding successful jobs.
e
mailUser Tr Setting to false will disable mpsJobConversionFailed, mpsJobSendFailed and

Failure u mpsJobProcessingFailed notifications from Mobile Print Server regarding failure jobs.
e
Connection to FlexiSpooler and Spooler Controller
The Mobile Print Server needs connection to YSoft SafeQ Spooler Controller (Spooler Controller) to
authenticate users and to get its configuration. It also needs connection to YSoft SafeQ
FlexiSpooler which is used as endpoint for sending jobs. FlexiSpooler must be in server mode
and must run on the same machine as Spooler Controller.
There is a possibility to define multiple connections to these endpoints (FlexiSpooler and Spooler
Controller) which are used for failover: If one endpoint is inaccessible Mobile Print Server switches
connection to another one.
Defining connection addresses
Addresses for endpoints can be defined in file controllerIPs.config. The file is structured as a
simple JSON string array.
[ "127.0.0.1" , "10.1.2.3" ]
Addresses in this file are automatically updated by Mobile Print Server according to the current
Near Roaming Group (NRG) controller addresses (if the administrator adds a new node into NRG,
addresses are automatically updated after start of Mobile Print Server or after reconnecting to
another endpoint because the current is unavailable.
Configuring Spooler Controller connection details
Details for Spooler Controller connection could be set in communicator tag in mps.config file.
controllerPort 5555 Port number for connection to Spooler Controller
connectionLostTimeout 10000

Mobile Print Server uses heartbeat to check the availability of

its Spooler Controller, if it is unresponsive for the specified
time (4 seconds by default), Mobile Print Server try to
connect another endpoint (failover) if it is defined or stops
working until the connection is restored.
certificateStore My For secure communication, Mobile Print Server needs a

certificate to authenticate itself. It looks for it in the Windows
certificate store specified by this option (Personal store by
default).
Supported values are:
My
AddressBook
AuthRoot
CertificateAuthority
Disallowed
Root
TrustedPeople
TrustedPublisher
certificateThumbprint 1 N/A If left empty, plain communication is used. Otherwise, Mobile

Print Server will look for a matching certificate signed by a
trusted authority and use it to authenticate itself to
Controllers (and it will negotiate encryption with it).
The "encryption" (from MU14) variable must also be set.
encryption 1 Plain Encryption key lengths :

(from MU14) Supported values are (case sensitive):
Plain
Aes128
validateServerCertificate true By default when authenticating a Controller, Mobile Print

1 Server also checks if one of the IPs/hosts in the Controller
Host
certificate's subject alternate name matches its IP/host. It is
not recommended to turn off this option.
Note: 1
These variables are only local configuration.
Examples of Spooler Controller connection configuration
<communicator connectionLostTimeout= "10000" controllerPort= "5555" certificateStore="My" certif

icateThumbprint="77948B8C50205FB8F1EC1AB32EF4F708A65F5422" encryption="Aes128" />

Configuring HTTP connection to FlexiSpooler
Mobile Print Server uses HTTP/HTTPS protocol for communication with FlexiSpooler. Details for
this connection can be set in http tag.
port 5559 Port number for connection to FlexiSpooler.
This value overrides the YSoft SafeQ Management

property 'spoolerHttpPort'
secure true When true secured HTTPS protocol is used. Otherwise, plain HTTP
is used.
compression true When true, Mobile Print Server uses GZip to compress its HTTP
requests, to transfer jobs faster and save network bandwidth.
maxConnections 100 The limit for outgoing HTTP connections on the server side.
requestTimeoutInM 10 Timeout for http requests. Mobile Print Server transfers job data to
inutes FlexiSpooler via HTTP/HTTPS, that can take a while depending on
job size and network speed, if these transfers fail due to timeout, a
higher value might be necessary.
ignoreCertificateCh true This allows a self-signed certificate to be used on the server

ainErrors FlexiSpooler for HTTPS authentication. If true, the certificate chain
is ignored during validation.
Example of FlexiSpooler communication configuration
<http port= "5559" secure= "true" compression= "true" maxConnections= "100" requestTimeoutInMinu
tes= "10" ignoreCertificateChainErrors= "true" />
Error recovery
During processing of new jobs at one point a converted PDF file is created and sent to print
server (Management Server or Site Server), this is usually the time where occasionally Antivirus
SW can lock the converted file and the the printing process fails. To circumvent this situation a
retry mechanism exists in Mobile Print, that will attempt to access the file multiple times with
defined delay in between attempts.

Options
fileReadAttempts 10 Number of attempts to open file before giving up.
fileReadAttemptDelaySe 2 Delay between attempts to open a file.

conds
Examples
<errorRecovery fileReadAttempts="10" fileReadAttemptDelaySeconds="2"/>
Windows service recovery settings for the Mobile Print Windows service
Since YSoft SafeQ 6 MU26 the Windows service of Mobile Print is installed with error recovery
settings set to:
First, second and subsequent failures of the service result in restarting of the service after
1 min
(Forceful) stopping of the Mobile Print Windows service
Either when MPS Windows service gets manually stopped or an unhandled exception occurs a
stopping routine within the service is initiated
This stopping routine has a timeout for its graceful completion defined in seconds, that is
configurable locally in mps.config with recovery errorRecovery →
gracefulServiceStopTimeoutSeconds
If the stopping routine is unable to finish gracefully in the defined timeout the service is forced
to shutdown (to avoid possible deadlock or hanging during stopping of itself)
Options
gracefulServiceStopTim 30 Timeout that is given internally to Mobile Print Window

eoutSeconds service stopping routine to stop the service gracefully, after
the timeout the service is internally terminated
Examples
<errorRecovery gracefulServiceStopTimeoutSeconds="30"/>

Password encryption
To additionally encrypt email password, use web interface. Otherwise, the password will be
displayed as plain text and will be legible. To do so, use Text encryption tool in web interface
Dashboard.
1. Put the email password into the field and press Encode button.
2. Copy and paste your encrypted password into the mps.config file.
mps.config - example
<? xml version = "1.0" encoding = "utf-8" ?>

< mps defaultPaperSize = "A4" correctSlideSize = "false" securityProtocols="Tls12" version="6"
> 
< folderSources >
< add host = "168.192.0.11" path = "C$\SafeQ6\SPOC\server\mobile" userName = "Administrator" pa
ssword = "code,-3,5,98,45,18,-7,-125,-92" downloadInterval = "1000" />
</ folderSources >
< emailSources >
< add type = "Imap" host = "192.168.1.1" userName = "mps@company.com" password = "code,-41,
-62,68,-106,13,21,-111,-57" port = "143" secure = "False" />
</ emailSources >
<communicator connectionLostTimeout="10000" controllerPort="5555" />
< failedFiles folder = "Failed" maxAge = "604800" />
<http port= "5559" secure= "true" compression= "true" maxConnections= "100" requestTimeoutInMin
utes= "10" ignoreCertificateChainErrors= "true" />
</ mps >
Conversion configuration - conversion.config
In the conversion.config file two types of elements are present.
Option Description
For This element describes the rules for processing the files according to their types. Files
extension not defined by this rule will not be processed.
.pdf files are not converted and passed on to SafeQ without change, as it is a standard
output format. All other formats need conversion to .pdf.
By default, all the extensions are converted by the built-in:
Aspose (convert-by="aspose"): .doc, .dot, .docx, .dotx, .docm, .dotm, .rtf, .xml, .odt, .ott, .
htm, .html, .xhtml, .mht, .mhtm, .mhtml, .xls, .csv, .xlsx, .xlsm, .xlsb, .xltx, .xltm, .ods, .ppt, .
pptx, .pps, .ppsx, .pot, .potx, .odp, .txt, .fo, .svg, .xps, .epub, .bmp, .jpeg, .jpe, .jpg, .tif, .tiff, .
png, .gif, .emf, .ico, .wmf
If you want to configure Mobile Print Server to convert certain documents with other
conveters, you can use:
MS Office (suported version 2010)(convert-by="msOffice") can handle files: .docx, .
doc, .odt, .rtf, .xlsx, .xls, .ods, .pptx, .ppt, .odp, .bmp, .jpeg, .jpe, .jpg, .tif, .tiff, .png, .gif

Option Description
Libre (suported version 3.6) (convert-by="libreOffice") can handle files: .docx, .doc, .
odt, .txt., .rtf, .xlsx, .xls, .ods, .pptx, .ppt, .odp, .bmp, .jpeg, .jpe, .jpg, .tif, .tiff, .png, .gif
iText (convert-by="iText") can handle files: .bmp, .jpeg, .jpe, .jpg, .tif, .tiff, .png, .gif
Image Magic (convert-by="imageMagickCmd") can handle files: .bmp, .jpeg, .jpe, .jpg, .tif, .
tiff, .png, .gif
Plain text (convert-by="textFile") can convert only .txt files.
Options Here you can define a few options for the converters. For example, if you want to use
LibreOffice application for conversion, you have to set a path to it. MS Office path is
stored in the Windows registry and the Mobile Print application is able to get it
automatically. Other converters do not need this as they are embedded in Mobile Print
application.
Also, if you want to convert plain text files (.txt) with Aspose using a specific font, specify
it in options as in the example below. If not specified, Arial Unicode MS will be used, which
can handle unicode characters like Cyrillic, hiragana and others.
Example
<? xml version = "1.0" ?>

< conversionConfig >

< for extensions=".doc, .dot, .docx, .dotx, .docm, .dotm, .rtf, .xml, .odt, .ott, .htm, .
html, .xhtml, .mht, .mhtm, .mhtml, .xls, .csv, .xlsx, .xlsm, .xlsb, .xltx, .xltm, .ods, .ppt, .
pptx, .pps, .ppsx, .pot, .potx, .odp, .txt, .fo, .svg, .xps, .epub, .bmp, .jpeg, .jpe, .jpg, .
tif, .tiff, .png, .gif, .emf, .ico, .wmf" convert-by = "aspose" />

< options >

</ options >
</ conversionConfig >
Tips and tricks
LibreOffice documents (.odt, .ods, .odp)

Some of more complicated LibreOffice documents may be converted incorrectly by Aspose
converter. In this case please use LibreOffice converter (suported version 3.6) for the file
conversion.
Images (.jpg, .gif, .png)
For .jpg, .gif and .png image formats, the default Aspose converter is slower than the
alternative converters, especially with large files. If you expect high volumes of these and
performance is critical, consider using ImageMagic converter for .gif and .png images and
iText converter for .jpg images. Note that there might be some differences between the
converters especially in regards to page layout.
Text file (.txt)
If you expect to process large .txt files (exceeding 400 kB or 100 pages), consider using
textFile converter which is significantly faster for large .txt. files than the default Aspose
converter.
ensurePdfA
This option is disabled by default. When is enabled, a second conversion will run for every
processed file (this will prolong the time of document processing). The output file will be a PDF
/A-1a. Enabling this option (setting it to true) could help when special (national) characters are
wrongly printed. Aspose conversion is usually used for this conversion, but if Ghostscript
(version 9 and higher) is installed, it is automatically used instead of aspose.
This option could be also set to "try". It means that conversion to PDF/A-1a is run, but if this
conversion fails, original pdf is used (so the overal processing result is still sucessfull).
When ensurePdfA option is enabled it will prolong the conversion time.
conversionTimeout and pdfAConversionTimeout
This options are timeouts used for basic conversion (conversionTimeout) and PDF/A-1a
conversion (pdfAConversionTimeout). Option is set in miliseconds. If options is not set, not
timeout is used.
Fonts configuration
Mobile Print Server uses fonts that are available in the system font folder as well as fonts stored
in Mobile Print Server custom folder (the standard path is: <MobilePrintFolder>\Service\Fonts).
Fonts used in LibreOffice and OpenOffice are distributed with Mobile Print Server in this folder.
If there is a need to use company-specific fonts or more unusual ones not being part of the
system distribution nor Mobile Print Server distribution it is necessary to install these fonts on
server where Mobile Print Server is running.
To install fonts you can either:
Copy fonts to directory <windir>\Fonts OR

Install every font by double-clicking on its source file OR
Copy fonts to directory <MobilePrintHome>\Service\Fonts
Encoding and fonts of text documents
While converting text documents to the PDF format Mobile Print Server needs to detect character
encoding of the document, which is not always possible to do reliably. If the Mobile Print Server
successfully detects the encoding it uses it for the text document conversion. On the other hand,
if the detection fails, an encoding defined in the configurable property mpsDefaultEncoding
(default value UTF-8) is used. Except the default value administrator can define any other national
encoding that best fits for his purposes (i.e. WINDOWS-1250, WINDOWS-1251 etc.). Document
conversion errors may appear when the Mobile Print Server fails to detect the encoding and the
mpsDefaultEncoding is set to a bad value. In this case, the text document will be converted, but
with a corrupted content.
Do not forget to set also proper font (for text files converted by Aspose convertor) that supports
national characters if you encounter problems with encoding. This could be done within
conversion.config file in options part: Arial Unicode MS or Calibri is recommended. The font must
be present in the system.
Font for text files
<options>
<add key= "asposePlainTextFont" value= "Calibri" />
</options>
5.9.5.4 Mobile Print Server - Configure access to GMail IMAP using OAuth
How to use MPS in OAuth mode
To use Mobile Print Server in OAuth mode follow this steps.
Configure and run OAuth Client.
Steps are further broken down in the chapters below.
Configuring OAuth Client
1. Logout from all Google accounts linked with your default web browser manually, or using
this link https://accounts.google.com/logout.
2. Navigate to the Service folder of the MPS e.g. C:\SafeQ6\MPS\Service\.
3. Run OAuthClient.exe from command line. Client is located in Service folder of the MPS e.g.
C:\SafeQ6\MPS\Service\OAuthClient.exe. Command must be executed directly on the
machine with the installed MPS or using remote desktop session to the machine. Run the
tool with following arguments:
a.

a. provider - "Google" for GMail IMAP
b. user - authorization identification to be later used in YSoft Mobile Print Service

Downloader, e.g. username of the GMail account that will be used in MPS
Example
OAuthClient.exe Google johndoe@mycompany.com
4. New window with Internet browser will open on the machine with installed MPS. Sign in
with the username and password that will be used in the MPS. Should be the same as
username specified in the config file.
5. Grant permission for Read, compose, send and permanently delete all your email from Gmail.
6. Confirm your choice.

6.
7. On success, confirmation message will appear in the browser and console app.
8. Then you can proceed to the Mobile print server configuration. First of all Stop the YSoft
SafeQ Mobile Print Server in services manager.
9. Navigate to the conf folder of the MPS e.g. C:\SafeQ6\MPS\Service\conf.
10. Open mps.config in your favorite text editor.
11.

11. Fill in the key values of the emailSources:
type: ImapOAuthGoogle
host: imap.gmail.com
userName: must be same as user used with OAuthClient.exe, e.g. johndoe@johndoe.

onmicrosoft.com
password: should be empty
port: 993
secure: True
Example mps.config
<?xml version="1.0" encoding="utf-8"?>

<mps version="6">

<folderSources>
<add host="127.0.0.1" path="C$\SafeQ6\SPOC\server\mobile" userName="" password="" down
loadInterval="1000" />
</folderSources>
<emailSources>
 <add type="ImapOAuthGoogle" host="imap.gmail.com" userName="johndoe@myc
ompany.com" password="" port="993" secure="True" />
</emailSources>
<failedFiles folder="Failed" maxAge="604800" />
<localization language="en" default="en" />
</mps>
12. Save the changes.
13. Start Ysoft SafeQ Mobile Print Server in the services manager.
Most common issues
In this chapter will be covered most common issues that can be found in the log file while using
OAuth configuration.
Could not retrieve access token from the OAuth storage
This is a common issue when we misconfigure usernames in config files, or there is some problem
with files in oauth-storage.
Check your configuration files. Mps.config userName value should be the same as OAuthClient.
exe user argument. For more details look at chapter Configuring OAuth Client.
Remove everything from the oauth-storage. Default location of the storage C:

\SafeQ6\MPS\Service\oauth-storage

Run OAuthClient.exe again. For detailed instructions take a look in Configuring OAuth Client
chapter of this page.
Cannot refresh access token
This error message can be found in the logs when we are refreshing the access token.
This could mean that we are unable to contact the OAuth provider or there is a problem with the
google application.
To fix this issue follow this steps:

Test connection was not successful
This error message can be found in the logs when we are unable to read edit or delete messages
of the account used in MPS.
This can be caused by removing permissions to the application in the google account.
To check which applications have access to the account you can visit https://myaccount.google.
com/u/1/security-checkup and show Third-party access.
If you do not see your application in the Third-party access or have issues with the
authentication follow this steps:

Make sure everything is configured correctly.
Client secret could not be retrieved
This error message can be found in the logs when the token is expired and we try to obtain the
new one but we are unable to get one.
google application e.g. OAuth client ID or secret has changed.

App not verified
In some cases, e.g. during application verification, the app might not be verified by Google,
warning will appear.
Always consult with YSoft's Customer support before taking this action.

Click on Advanced and Go to MPS (unsafe).
Changing or adding another service account
If you are changing or adding another account, and the old one is still logged in your default web
browser. Whole verification process may be skipped for newly used account.
You need to logout from any logged in Google account from your default web browser, if you see
" Received verification code. You may now close this window " in you web browser right after
running OAuthClient.exe command.
5.9.5.5 Mobile Print Server - User mail notification composition
Overview
Notification email composition is based on the following template:
Notification mail template
1. Mail header
2. Mail authentication result information
3. Job list header
4. List of jobs
5.

5. Forced finishing options information
6. Job list footer
7. Mail footer
The e-mail message always contains a mail header (Mail header option), user's mail authentication
result information (based on the authentication result one of the options: Mail authentication failed
, Mail duplicate address, Mail send failed, Mail send was successful) and at the end a mail footer (
Mail footer option).
In case of successfully authenticated user's e-mail, the processing details of all jobs are inserted
between the mail authentication result information and the mail footer:
the job list header (Job list header option),
the list of all jobs (one job per line) from the mail in format <job filename> <job processing
status> (based on the job processing result one of the options: Job conversion failed, Job
processing failed, Job send failed, Job was successfully processed),
the information about forced finishing options (Notify finish options forced option + Finish
option black-white and/or Finish option duplex options, based on the finishing options set),
the job list footer (Job list footer option).
For better understanding see the examples below (using default values).

Examples
Mail authenticated, all jobs processed
Dear user,this is an email notification about the result of your request to Mail header
print documents via YSoft Mobile Print Server.
Your request was successfully accepted by YSoft Mobile Print Server. Mail send was
successful
The processing of requested documents finished with following results: Job list header
Document.pdf was successfully queued Successfully

Document.txt was successfully queued processed jobs
Excel.xlsx was successfully queued
Picture.jpg was successfully queued
Picture.png was successfully queued
PowerPoint.pptx was successfully queued
Word.docx was successfully queued
You can release your jobs on any terminal or you can use https://example. Job list footer
com:9443/end-user/ui to edit, view and release jobs.
This message has been sent by YSoft SafeQ Mobile Print.YSoft SafeQ © Mail footer
2003 - 2016

Mail authenticated, some job processing errors, B/W and duplex finishing options forced
Dear user,this is an email notification about the result of

your request to print documents via YSoft Mobile Print
Server.
Your request was successfully accepted by YSoft

Mobile Print Server.
The processing of requested documents finished with

following results:
Document.pdf was successfully queued

Document.txt was successfully queued
Excel.xlsx was successfully queued
Picture.jpg was successfully queued
Picture.png was successfully queued
Notsupported.xxx could not be converted because Job conversion failed, job send failed
of unkonwn format
Word.docx could not be sent to SafeQ
Note that following finishing options are forced: black Notify finish options forced, Finish option
and white, duplex black-white, Finish option duplex
You can release your jobs on any terminal or you can

use https://example.com:9443/end-user/ui to edit, view
and release jobs.
This message has been sent by YSoft SafeQ Mobile Print.

YSoft SafeQ © 2003 - 2016
Not registered e-mail address
Dear user,this is an email notification about the result of your request to print
documents via YSoft Mobile Print Server.
Your email could not be verified by YSoft Mobile Print Server because your Mail authentication
email is not registered in SafeQ. failed
This message has been sent by YSoft SafeQ Mobile Print.YSoft SafeQ © 2003 -
2016

No connection to YSoft SafeQ server
Your email could not be processed YSoft Mobile Print Server because there is no Mail send
connection to SafeQ. failed
This message has been sent by YSoft SafeQ Mobile Print.YSoft SafeQ © 2003 - 2016
Duplicate e-mail address
Your email could not be verified by YSoft Mobile Print Server because other user Mail duplicate
has registered the same email address in YSoft SafeQ. address
This message has been sent by YSoft SafeQ Mobile Print.YSoft SafeQ © 2003 -
2016
5.9.5.6 Mobile Print Server - Configure access to Microsoft Exchange Online IMAP using OAuth
How to use MPS in OAuth mode
To use Mobile Print Server in OAuth mode follow this steps.
Configure and run OAuth Client.
Steps are further broken down in the chapters below.
Configuring OAuth Client
1. Logout from all Microsoft accounts linked with your default web browser manually, or using
this link https://login.microsoftonline.com/logout.srf.
2. Navigate to the Service folder of the MPS e.g. C:\SafeQ6\MPS\Service.
3. Run OAuthClient.exe from command line. Client is located in Service folder of the MPS e.g.
C:\SafeQ6\MPS\Service\OAuthClient.exe. Command must be executed directly on the
machine with the installed MPS or using remote desktop session to the machine. Run the
tool with following arguments:
a. provider - "Microsoft" for Microsoft Exchange Online IMAP
b.
b. user - authorization identification to be later used in YSoft Mobile Print Service
Downloader, e.g. username of the GMail account that will be used in MPS
Example
OAuthClient.exe Microsoft johndoe@johndoe.onmicrosoft.com
4. New window with Internet browser will open on the machine with installed MPS. Sign in
with the username and password that will be used in the MPS. Should be the same as
username specified in the config file.
5.
5. Grant permission for Read and write to your mail.
6. On success, confirmation message will appear in the browser and console app.
7. Then you can proceed to the Mobile print server configuration. First of all Stop the Ysoft
SafeQ Mobile Print Server in services manager
8. Navigate to the conf folder of the MPS e.g. C:\SafeQ6\MPS\Service\conf.
9.

9. Open mps.config in your favorite text editor.
10. Fill in the key values of the emailSources:
type: ImapOAuthMicrosoft
host: outlook.office365.com
userName: must be same as user used with OAuthClient.exe, e.g. johndoe@johndoe.

onmicrosoft.com
password: should be empty
port: 993
secure: True
Example
<?xml version="1.0" encoding="utf-8"?>

<mps version="6">

<folderSources>
<add host="127.0.0.1" path="C$\SafeQ6\SPOC\server\mobile" userName="" password="" down
loadInterval="1000" />
</folderSources>
<emailSources>
 <add type="ImapOAuthMicrosoft" host="outlook.office365.com" userName="j
ohndoe@johndoe.onmicrosoft.com" password="" port="993" secure="True" />
</emailSources>
<failedFiles folder="Failed" maxAge="604800" />
<localization language="en" default="en" />
</mps>
11. Save the changes.
12. Start Ysoft SafeQ Mobile Print Server in the services manager.
Most common issues
In this chapter will be covered most common issues that can be found in the log file while using
OAuth configuration.
Could not retrieve access token from the OAuth storage
This is a common issue when we misconfigure usernames in config files, or there is some problem
with files in oauth-storage.
1. Check your configuration files. OAuthClient.exe.config user key value should be the should
be the same as OAuthClient.exe user argument. For more details look at chapter
Configuring OAuth Client.
2.
2. Remove everything from the oauth-storage. Default location of the storage C:
3. Run OAuthClient.exe again. For detailed instructions take a look in Configuring OAuth Client
Cannot refresh access token
This error message can be found in the logs when we are refreshing the access token.
Azure application.

Test connection was not successful
This error message can be found in the logs when we are unable to read edit or delete messages
of the account used in MPS.
This can be caused by removing permissions to the application in the account.
To check which applications have access to the account you can visit https://login.microsoftonline.
com , go to My Account and show App permissions.
If you do not see your application in the App permissions or you have issues with the
authentication follow those steps:

2. Make sure everything is configured correctly.
3.
Need admin approval
This error message (see the image bellow) can be found during authorization with Microsoft when
the authorization requires permissions of your organization administrator.
If you have the admin credentials, use them to finish the authorization by choosing the first
option. Otherwise, please contact your organization administrator to give you permissions to use
the application or to consent on your behalf . If needed, run OAuthClient.exe again. For detailed
instructions take a look in Configuring OAuth Client chapter of this page.
Client secret could not be retrieved
This error message can be found in the logs when the token is expired and we try to obtain the
new one but we are unable to get one.
Azure application e.g. OAuth client ID or secret has changed.

Changing or adding another service account
If you are changing or adding another account, and the old one is still logged in your default web
browser. Whole verification process may be skipped for newly used account.

You need to logout from any logged in Microsoft account from your default web browser, if you
see " Please return to the app. " in you web browser right after running OAuthClient.exe
command.
5.9.6 CONFIGURING YSOFT SAFEQ WITH AZURE AD
See FlexiSpooler Server HTTP authentication configuration - Azure AD
5.9.7 CONFIGURING FLEXISPOOLER
5.9.7.1 Configuration and usage of JobStore
Overview
When a new print job is accepted the FlexiSpooler in spooling mode uses the JobStore location to
store the data on a local hard drive. Alternatively, the JobStore could be a network share. The
jobs can also be replicated to an external shared folder located in a remote server for redundancy
purposes.
JobStore configuration
It is possible to configure the JobStore location through the Spooler.config file located in C:
\SafeQ6\FSP\Service\ folder (see file structure explained here: YSoft SafeQ FlexiSpooler local
configuration through spooler.config file).
The path can be located inside the FlexiSpooler directory or anywhere on the disk (defined by
absolute path).
Spooling locally
Its important to mention that all jobs are saved in JobStore only when the spooling mode is
enabled during installation. A default location of the JobStore is C:\SafeQ6\FSP\Service\JobStore
and a folder structure is as follows:
When a job is being received by FlexiSpooler, files with the same "job id" and extensions: .job and .
jobinfo are created and saved on the JobStore folder.

The metadata on .jobinfo file will be updated during the process of job analysis. The file with
extension .controller will be created only if the job ticket sent by FlexiSpooler to Spooler
Controller is Accepted. The content of the file is the Spooler Controller GUID who accepted the
job. If the job is rejected, the .job and .jobinfo files will be automatically deleted. In case of offline
print mode enabled, the same logic will apply. It means that after the Offline print request is sent,
the .job and .jobinfo files are saved on JobStore and when the connection to Spooler Controller
is recovered, the jobs are synchronized, and if they are Accepted, the .controller file will be
created. If shared folder was enabled, .job and .jobinfo files will be replicated.
Before processing (receiving)
JobStore will contain:
After processing (parsing)
JobStore will contain the additional file .controller:
The rendered image (the preview) with .png extension, is stored also on the JobStore for
Management Interface or terminal requests.
Spooling locally with job replication
1. Log in to the SafeQ Web Interface with sufficient rights to change system setting and
access the Tenant view. In case of single tenant mode, go directly to system settings.
System > Spooler > Expert tab.
2. Set Job replication feature (jobReplication) to Shared folder. The default is No replication
which means that jobs will be stored on the original spooler and do not will be available
when the server is not connected. Press Save Changes to apply these settings.
3. Set a valid path on Path to the replication shared folder (replicationSharedFolder).

Press Save Changes to apply these settings.
4. Set a valid credentials, if required, for the defined shared folder on Credentials for
replication shared folder (replicationSharedFolderCredentials). The format is username and
password separated by "|" There are two ways to specify the password - encrypted or
plaintext:
a.

a. Credential with the plain password - e.g. userbob|1234.
b. Credential with the encrypted password - e.g. userbob|code,3,52,90,-91,44,-90,62,-101
Password encryption can be performed by the Text encryption widget on the YSoft
SafeQ Management dashboard tab.
Press Save Changes to apply these settings.
5. Shared folder should be created with read/write permission for everyone or for the specific
user, which will be propagated to FlexiSpoolers via Credentials for replication shared
folder (replicationSharedFolderCredentials ).
It's important to mention that the .controller file will not be replicated to the shared folder.
For the 2D jobs, the preview image (.png) will be not replicated to replication folder on normal
conditions (when the FlexiSpooler which spooled the job is available and the preview is
requested). Otherwise, when the FlexiSpooler which spooled the job is not accessible (e.g was
turned of), the preview (.png file) will be created and saved in the replication folder when the
preview is requested.
For the 3D jobs, the preview will be always replicated to the configured shared folder.
Important notes
Migration of Job stores from older than MU3 to newer ones.
There was new Job store structure introduced in MU3. This structure is described above in this
section.
Migration from older structure (it is present in versions up to 6.0.2.5) to newer structure is done
automatically in local Job stores (which are owned by particular spooler).
If you are using Shared Folder Job Replication feature then you will need migrate the shared
folder structure separately by provided migration tool:
Migration tool for Replicated Job stores
Shared folder structure should be migrated shortly after all spoolers are updated, ideally when the
shared folder is not used.
Usage example (use your shared folder UNC path - the same as your replicationSharedFolder
configuration setting):
JobStoreMigration.exe \\10.0.13.35\tisk
or
JobStoreMigration.exe „\\10.0.13.35\replicated jobStore”
To successfully run the migration tool, you need to have full access to the shared folder.
Logs will be stored in same folder where tool is ran, in file: JobStoreMigration.log

Migration tool requires .NET 4.5.1 or higher to run. Supported systems: Windows 7,8,10, Windows
servers 2008, 2012.
5.9.7.2 Configuring Authentication
Authentication is handled by first Flexi Spooler, who receives the job based on configuration and if
the first Flexi Spooler is in client or server mode.
Flexi Spooler in client mode (with Desktop Interface)
On Flexi Spooler in client mode user needs to authenticate when sending print job by providing
some credentials based on the configuration of a property authenticationType:
Domain username ( username of the user logged into the workstation is used)
When set, user does not need to enter any credentials
For more information about domain username format, see below.
Stored username ( username will be retrieved from the configuration file spooler.config )
Values with required user interaction:
Username and password
Username
Card
PIN
The user can be asked for credentials every time when sending print job or credentials can be
stored after first print based on property cacheCredentials.
Properties authenticationType and cacheCredentials can be set centrally in YSoft SafeQ

Management Interface in System > Spooler tab, and from version MU6 it can be overridden
locally for each Flexi Spooler via spooler.config. See FlexiSpooler local configuration through
spooler.config file
See user documentation Using the YSoft SafeQ Desktop Interface#Authentication for more
details.
Flexi Spooler in server mode (without Desktop Interface)
On Flexi Spooler in server mode is authentication bit more complex as authentication options are
not exclusive, also taking into account various possible print job sources and username formats
(see list of specific behaviors and exceptions below). The job is authenticated according to
authentication option with the highest priority.
Authentication options listed from highest priority to lowest:

Parse username from PJL headers
Parse username from job title (for LPR jobs)
Stored username if set in authenticationType
Domain username (if no other authentication was applied)
For information about how to set parsing username from either the job title or PJL headers see
Parsing username from print job.
For more information about domain username format, see below.
Example 1:
Settings:
Management interface setting: authenticationType:Card
Job is sent via LPR to Flexi Spooler in server mode and does not have username in PJL
header nor in job title
Result:
Domain username is used for authentication.

Example 2 :
Settings:
Management interface setting: authenticationType: Domain, parsing user from the title is
correctly configured.
Job is sent via LPR to Flexi Spooler in server mode and has username in job title that is
different from domain username
Result:
Username from job title is used for authentication.
Username formats used for Domain username authentication mode
YSoft SafeQ management interface offers setting Username format ( usernameFormat), which
can be set to any of the three formats:
NT4 account name (e.g., engineering\someone)
User principal name (e.g., someone@engineering)
Plain username (e.g., someone)

Based on which mode Flexi Spooler is running in, what is the source of the print job, which
username format is selected, which username transformations are set and what are the other
circumstances the resulting username may differ from what expected:
Flexi Spooler in client mode (incoming LPR connections)
User principal name

We will obtain the UPN through proposed system calls.
Should it return null (mostly for local accounts, but can possibly happen for domain user
accounts without UPN), we will return username in format:
ShortDomainName\Username (a.k.a. NT4 Account Format) - in case domain is still

known, i.e. only UPN is not set for the used domain account
MachineName\Username - if it is not a domain account (as this is more valid full

format for such username, instead of the proposed variant Username@MachineName)
NT4 account name

we will return username in format:
ShortDomainName\Username - in case of domain account
MachineName\Username - otherwise
Flexi Spooler in server mode
Incoming LPR connections

We receive jobs via LPR and thus we have only access to username (without anything
else)
We will try to use system calls to resolve the defined format within the domain assigned
to the machine, where Flexi Spooler in server mode is running
Should this not work, we fallback to ShortDomainName\Username
This may seem like a security breach, but in fact it does not lower security in any way,
as the possible attacker can fake the username in LPR to anything
This way we can behave as the designer of the environment has probably indented
Incoming HTTP connections

We do not modify received username, we rely on connecting party being forwarding
correctly set username format
Parsing job name from title (LPR)

We will take the parsed username as is and will not apply any further username format
looking up and will be sent as is

Parsing job name from PJL header
The parsed username will not be subjected to any further username format looking up and
will be sent as is (the current state)
Both Flexi Spooler modes
Incoming legacy YSoft SafeQ Client protocol connections

We do not modify received username, we rely on YSoft SafeQ Client being correctly set to
the desired username format
5.9.7.3 Configuring Offline Print
Overview
Offline Print is a feature of the YSoft SafeQ FlexiSpooler that provides limited printing functionality
while the Spooler Controller is not accessible. The FlexiSpooler detects if the Spooler Controller is
inaccessible when connection is lost for a specified time. During Offline Print, a user can print
directly on the last used printers. Jobs are printed immediately on the selected printer. When the
FlexiSpooler reconnects, the information about all jobs printed offline are sent to Spooler
Controller. These jobs are then visible on management interface as printed.
More details about how Offline Print works can be found in user documentation Using the YSoft
SafeQ Desktop Interface.
Configuration
1. Log in to the SafeQ Web Interface with sufficient rights to change system setting (for
example, "admin") and access the Tenant view. Go to System > Spooler > Expert tab.
2. Set Enable offline print (offlinePrintEnabled) to Enabled. The default is Disabled. Press
Save Changes to apply these settings.
Limitations
Not supported in combination with YSoft Payment System.
A user must print at least one job before going offline to enable the feature – to store the
last used printer.
The Desktop Interface has to load the configuration from Spooler Controller at least once.
During printing in Offline Print with billing codes enabled (billing-codes-enabled: true), print
job has assigned default billing code from SafeQ (0 - Default Project). This is not default
billing code assigned to the user.
The offline print feature does not work with Sharp, Sharp-eSF, Lexmark, and Samsung
printers.

The offline print feature works only for an FlexiSpooler in client spooling mode.
Konica Minolta requires "Print without authentication" option to be enabled (Konica Minolta -
Configure Print without authentication option).
Supported Authentication types in Offline print: ( * It does not matter if the

cacheCredentials is enabled/disabled)
Username and password *
Stored username *
Username *
Card *
PIN *
Domain username
5.9.7.4 Configuring Spool cleaning
Overview
The spool cleaning mechanism is there to ensure that no jobs remain orphaned after specified
retention period. The YSoft SafeQ server controls the lifecycle of all stored jobs while the actual
job data could be on client machines. Should those be unavailable (in sleep mode, etc.) at the time
when the job should be deleted, the job could remain in the spool folder. There is a periodical
cleaning trigger which removes those orphaned jobs from all FlexiSpoolers in the system. All
FlexiSpoolers perform cleaning at the trigger time if they are running, if not, they perform it at the
earliest opportunity.
Configuration
1. Log in to the SafeQ Web Interface with sufficient rights to change system setting (for
2. Set Automatic spool cleaning (spoolerCleanerSchedule) cron trigger to a value you need.
The default is "0 0 0 * * ?" which means cleaning will trigger once a day at midnight (or the
first time the machine is turned on/awakened if it was not running at midnight.
3. Press Save Changes to apply these settings.
More on cron triggers: https://www.quartz-scheduler.net/documentation/quartz-2.x/tutorial

/crontrigger.html.
Once the property value is configured it will be applied once is replicated on FlexiSpooler and
reflected on spooler.log like:
[spoolerCleanerSchedule: - | 0 0 0 * * ?]

In case of Failover scenarios, the cleaning process will be triggered automatically after the failover
applies or the connection to the Spooler Controller is restarted. The same behavior applies when
the FlexiSpooler service is restarted.
The time of the last cleaning cycle performed will be persisted on" cleaner.time " file located
inside the " C:\SafeQ6\FSP\Service\ " directory. This file will be created on demand after the first
cleaning is triggered.
If the replication of jobs is enabled to shared folder the cleaning process will affect it too.
Notes
The clean mechanics has protective period of 5 min. It means that Jobs that are not fully
received and are not older than this period are not deleted.
Jobs that are not fully processed because of communication problems are not deleted
immediately and stays in jobstore for 2 clean periods (or until are confirmed from Spooler
Controller). There could be a file (lastCleanReceivingJobs.json) that contains id's of the jobs
that was present during first or these clean periods.
Full Disk Prevention
The job reception based on the available free disk space can be managed using the three
configuration options - minimumDiskSpaceRequired ,
minimumDiskSpaceRequiredToResumeReception and diskSpaceCheckIntervalInSeconds, found
in System > Spooler settings.
To prevent exhaustion of disk space, the YSoft SafeQ FlexiSpooler will stop receiving jobs from
any source when the free space on a disk where the jobs are spooled is below the
minimumDiskSpaceRequired. The job reception will start again after the free space increases
above the minimumDiskSpaceRequiredToResumeReception.
After the YSoft SafeQ FlexiSpooler stops receiving jobs, it won't accept any other job on the
same interface for the next 30 seconds .
When the job reception is stopped, the free disk space is checked with every 30 seconds, but if
there is enough space available, the free space is checked periodically to prevent exhaustion of
disk resources. The check interval can be set using the diskSpaceCheckIntervalInSeconds. This
behavior may in the worst case scenario cause that jobs are still received 15 minutes (default
value of diskSpaceCheckIntervalInSeconds) after the available free disk space decreased below
minimumDiskSpaceRequired.
Notifications
FlexiSpooler logs events to Windows Event log as show in table below.

Event Trigger Event
ID
Available free disk space is Available free disk space is less than minimumDiskSpaceRequire 3
running low. dToResumeReception.
Job reception is stopped. Available free disk space is less than minimumDiskSpaceRequire 2
d.
Job reception started. Job reception was stopped, but starts again because available 1
free disk space is greater than minimumDiskSpaceRequiredToRe
sumeReception.
We recommend to attach tasks to these events in Windows Event log which alert the
administrator.
Task can be created in the Task Scheduler → Event Viewer tasks → Create basic task → When
specific event happen.
Log: Application
Source: YSoft SafeQ FlexiSpooler
EventID: according to event, see table up.
Limitations & notes
1. When available free disk space goes under the minimumDiskSpaceRequired, one job can
still be accepted by FlexiSpooler. Please set the minimumDiskSpaceRequired with respect
to this fact.
2. When YSoft SafeQ FlexiSpooler stops job reception because available free disk space is
under minimumDiskSpaceRequired, jobs which are already receiving are properly finished
and received.
3. When YSoft SafeQ FlexiSpooler stops job reception because available free disk space is
under minimumDiskSpaceRequired, jobs which have not been already sent stay in
Windows print queue (in case of server shared queue via LPR. This requirement cause
limitation 1.)
4. Full disk prevention only applies to YSoft SafeQ FlexiSpooler in server spooling mode.
5.9.7.5 Configuring Spooler Controller Discovery
Spooler Controller Discovery based on DHCP Option 9
The following guide provides step-by-step instructions on how to enable Spooler Controller
discovery by configuring Option 9 on your DHCP servers. It allows an automatic location
switching of the FlexiSpooler during their location change.

In order to enable Spooler Controller discovery via DHCP Option 9, an administrator has to set
Option 9 on each DHCP server within your locations.
1 Define Spooler Controller Groups in YSoft SafeQ Management interface

Switch to Tenant Management
Open Devices
Tab Spooler Controller groups
Define your Spooler Controller groups. Be aware that defined Spooler Controller group Name will
be displayed in the Desktop Interface and a user can manually switch to that location via context
menu.
2 Configure DHCP servers in your locations

Referencing previous image - in our example we have 3 locations (Bratislava, London and Prague).
In each location we're able to configure Option 9 on DHCP servers.
DHCP Option 9 should contain addresses of Discovery Services in current location / Spooler
Controller group
Discovery Service runs on the Spooler Controller
In our example
DHCP Server in Bratislava - Option 9 -> 10.0.13.41
DHCP Server in London- Option 9 -> 10.0.13.35, 10.0.13.39
DHCP Server in Prague - Option 9 -> 10.0.13.192
3 Configuring default FlexiSpooler server

You can configure default FlexiSpooler server which allows client FlexiSpoolers to print from a
public location.
This address is provided by Discovery Service - in case the DHCP Option 9 was found.
In case that the Discovery Service provides this address, it's stored as non-spooling location with
name Default.
FlexiSpooler client uses this default FlexiSpooler server when a user changes the location to the
one where is no Discovery Service - DHCP Option 9 is not set.
airport, customer, conference, ...
The network address of the default FlexiSpooler server can be defined in the Management
Interface:
Switch to Tenant Management.

Open System.
Search for defaultFlexiSpoolerNetworkAddress.
i FlexiSpooler automatic location switching

When FlexiSpooler is started, it will automatically check if any active network adapter which has
assigned address by DHCP server obtained also Option 9
In case the DHCP Option 9 was found for the first time (after installation)
Discovery Service is requested for data about the current location - addresses and names of the
current Spooler Controller group.
locations.config is overwritten by the new location (the location defined during installation is
dismissed).
Discovery Mode is set to DHCP Option 9.
FlexiSpooler will connect to the first available address in the current location.
In case the user changes location but previous one was discovered by DHCP Option 9
Discovery Service is requested for data about the current location - addresses and names of the
current Spooler Controller group.
location.config is extended by the received location (if it's not stored already).
FlexiSpooler will connect to the first available address in the current location.
In case the DHCP Option was not found for the first time (after installation)
FlexiSpooler will try to connect to the address provided during installation.
5.9.7.6 Configuring YSoft SafeQ FlexiSpooler Modes
Overview
This page describes available YSoft SafeQ FlexiSpooler modes and how they work together.
Each mode is one possible configuration of a connection to YSoft SafeQ Spooler Controller or a
different FlexiSpooler and YSoft SafeQ printer. It is set up during installation as a choice when
combining these two options:
Enable or disable spooling (Spooling here means saving incoming print jobs into configurable
folder named JobStore.)
Client or server (Client has always a user interface called YSoft SafeQ Desktop Interface)

Modes can also be set manually after installation. See FlexiSpooler locations configuration
with locations.config file
To configure repository where incoming print jobs are saved, see FlexiSpooler local
configuration through spooler.config file
We recommend to stop YSoft SafeQ FlexiSpooler service and YSoft SafeQ Desktop Interface
service before change is made, then start them again.
Describing Modes
There are cases when the local spooling (saving) of print jobs is not desirable. In these situations,
print jobs are forwarded to another FlexiSpooler that handles them. FlexiSpooler uses HTTPS (by
default; it can be changed in spooler.config to HTTP) for job and request forwarding.
A print job is always analyzed by the first FlexiSpooler, who receives it regardless of its mode. The
last FlexiSpooler in a row is always spooling (that means it will save the print jobs) and it will send
the job tickets to a Spooler Controller.
1. Spooling client mode (typical CBPR scenario)
Provides user interface (YSoft SafeQ Desktop Interface) which communicates with
FlexiSpooler via YMQ.
to launch Desktop Interfaces for all the logged in users, see chapter YSoft SafeQ 6
Workstation Installation, section Automatic launching of Desktop Interfaces from FlexiSpooler
service at start..
Print jobs are received only on localhost (127.0.0.1).
Print jobs are both analyzed and saved on a local computer.
Spooling client mode is connected directly to Spooler Controller via YMQ.
Print jobs are sent from client directly to MFD when printing.
That means that the client workstation must be available in the time when user wants to
print on a device or job replication feature must be turn on and configured.

2. Non-spooling client mode
Provides user interface (YSoft SafeQ Desktop Interface) which communicates with
FlexiSpooler via YMQ.
Workstation Installation, section Automatic launching of Desktop Interfaces from FlexiSpooler
service at start..
Print jobs are received only on localhost (127.0.0.1).
Print jobs are analyzed on a local computer and then sent to spooling server, which spools the
job.
Non-spooling client is connected to spooling server via HTTP/HTTPS.
Print jobs are sent from spooling server directly to MFD when printing.
Limitations
Desktop Interface cannot display RBE notifications in this mode.
The offline print feature does not work in non-spooling client mode.
Non-spooling clients could be connected to non-spooling server. Print job is analyzed on the client:

3. Spooling server mode
Print jobs are received on all interfaces on server (list of the interfaces could be defined in
configuration).
Print jobs are analyzed and saved on a server (where FlexiSpooler in spooling server mode is
installed).
Servers with installed FlexiSpoolers in spooling server mode are used for Far roaming, it is
not possible to use this feature without it. (For Near roaming to work you do not need any
FlexiSpooler installed on site servers, only SPOC . But there may be limitations on other
functionality, e.g. only FlexiSpooler in spooling server mode can receive print jobs from SafeQ
Enterprise Client 2.x)
Spooling server communicates with Spooler Controller via YMQ.
Print jobs are sent from spooling server directly to MFP when printing.
Spooling server can receive print jobs from SafeQ Enterprise Client 2.x (SQ4/SQ5) (see How to
set receiving print jobs from YSoft SafeQ Client Enterprise 2.x via port 9100).
Limitations
FSP Spooling Server must be deployed with SPOC.
4. Non-spooling server mode
A non-spooling server was established for scenarios where users need to connect from an
unsafe environment to YSoft SafeQ via Microsoft Azure or DMZ. In fact, it is a kind of smart proxy
for communication between the destination spooling server and a non-spooling client.

Print jobs are received on all interfaces on server (list of the interfaces could be defined in
configuration).
Print jobs are analyzed on a non-spooling server and then sent to FlexiSpooler in spooling
server mode.
Non-spooling server can be installed on a different computer than Spooler Controller.
FlexiSpooler in non-spooling server mode has to be connected to FlexiSpooler in spooling

server mode.
Communication between all FlexiSpoolers are done via HTTP/HTTPS. Last spooling node is
connected to Spooler Controller via YMQ.
Print jobs are sent from spooling server directly to MFD when printing.
Q&A
Q: What are differences between a spooling and non-spooling client?
A: A spooling client saves print jobs locally, but a non-spooling client sends it to a spooling
server–where they are saved. Therefore, a spooling client does not need a server mode, but a
non-spooling client needs to connect to FlexiSpooler in server mode.
Q: Is Far Roaming supported by FlexiSpooler?
A: Yes, but there is a limitation: For Far Roaming to work, every SPOC needs to have FSP
server on the same machine.
5.9.7.7 YSoft SafeQ Client failover mechanism
The following guide provide information about how YSoft SafeQ Client Failover mechanism
works.
To fulfill requirements for reliability, failover mechanism has been implemented in case YSoft
SafeQ Client loses connection to Spooler Controller or YSoft SafeQ Client Server. Basically, the
failover is an ability of YSoft SafeQ Client to reconnect to the first available server if the current
one is unreachable.

Please read before continuing:
Spooler Controller Discovery based on DHCP Option 9
Please check the following image, example scenarios are based on this image:
Example scenario 1: The connection to Spooler Controller is lost in current user's location
We have three locations, only one of them has two Spooler Controllers.
In case Spooler Controller in Bratislava is down, YSoft SafeQ Clients will wait until connection
will be restored.
Failover will not work because there is no other SpoolerController where YSoft SafeQ
Client Client can reconnect.
In case one of the Spooler Controller in London is down, all YSoft SafeQ Client Clients which
lost connection to it will be reconnected to second one.
Example scenario 2: The user moved to different location where the DHCP Option 9 is not
configured or DHCP server has outage
User was in Prague and moved to Bratislava for a business trip.
DHCP server in Bratislava is not configured so the DHCP Option 9 was not propagated.
YSoft SafeQ Client Client is trying to connect Spooler Controller in Prague but it's not
accessible.
The user didn't noticed this problem and the user printed the document.
Document is queued and waiting for successful connection.
The user can change location manually to correct one. See: Using the YSoft SafeQ
Desktop Interface
Example scenario 3: The user moved to different location, Spooler Controller Discovery is not
set up - locations map was defined during installation

The user was in Prague and moved to Bratislava for business trip.
The user didn't noticed this problem and he printed the document.
The user have to change location manually to actual location. See: Using the YSoft SafeQ
Desktop Interface
Example scenario 4: The user is moving to airport from Prague office, public YSoft SafeQ
Spooling server is configured
The user was in Prague office and is going to fly to London office.
The user forgot to print document so the user is printing it in taxi on the way to airport,
without internet connection.
YSoft SafeQ Client does not have connection to Prague Spooler Controller, nor to public
one because he's not connected to internet.
The user comes to the airport and connects to public wifi.
Configured public spooling server is used for connection.
Queued job is transferred through Public YSoft SafeQ Client Server to one of the spooling
servers in data center.
Job is not spooled locally.
When the user arrives to London office and authenticate on printer, document is ready to
print.
Job will be transferred from data center's YSoft SafeQ Client Server.
Limitations
If a user have jobs saved on multiple site servers (or YSoft SafeQ Clients), and use print all or
select and print multiple jobs, the order of printed jobs is not guaranteed.
5.9.7.8 FlexiSpooler Server HTTP authentication configuration - Azure AD
The following guides provide step-by-step instructions on how to configure and enable HTTP
authentication on YSoft SafeQ FlexiSpooler. FlexiSpooler Server HTTP authentication adds access
protection to YSoft FlexiSpooler servers, before YSoft FlexiSpooler client will access YSoft
FlexiSpooler server, user is required to authenticate using credentials. Please note, authentication
is not changing job owner, also it doesn't matter whether the server is spooling or not. At this
moment, only Azure Active Directory authentication is supported.
In order to enable Azure Active Directory HTTP authentication, follow the next steps:
1. Add YSoft SafeQ FlexiSpooler Client application into AD
a.

1.
a. Login to your company Azure account
b. Select your Active Directory
i. Open App registrations Tab and click New registration
ii. Fill in Name: for example YSoft SafeQ FlexiSpooler Client
iii. Choose Platform configuration: Client Application
iv. Register
v. Go to application Authentication
vi. Add platform and select Mobile and desktop applications
vii. Check https://login.live.com/oauth20_desktop.srf as a redirect URI
viii. C o n f i g u r e
2. Add YSoft SafeQ FlexiSpooler Non-Spooling Server application into AD
a. Login to your company Azure account
b. Select your Active Directory
i. Open App registrations Tab and click New registration
ii. Fill in Name: for example YSoft SafeQ FlexiSpooler Non-Spooling Server
iii. Choose Platform configuration: Web API
iv. Register
v. Go to application Expose an API
vi. Set Application ID URI, which identifies the application, for example:
https://safeqtesting.onmicrosoft.com/flexispoolerserver
vii. Go to application Branding
viii. Set Home page URL to the same value as Application ID URI
ix. Save
x.

x. Go to Expose an API
xi. Press Add a scope
xii. Scope name: Job.Receive
xiii. Who can consent?: Admins only
xiv. Admin consent display name: Receive Job
xv. Admin consent description: Receive Job
xvi. A d d S c o p e
3. Set permission for YSoft SafeQ FlexiSpooler Client to access YSoft SafeQ FlexiSpooler
Non-Spooling Server
a. Open YSoft SafeQ FlexiSpooler Client application registration in company's Active

Directory
b. Find section API permissions and click Add a permission
i. Switch to APIs my organization uses filter
ii. Select YSoft SafeQ FlexiSpooler Non-Spooling Server and check all APIs, keep
Delegated Permission selected
iii. Add permissions
c. Grant admin consent for your domain, e.g. by pressing Grant admin consent for
SafeQ Testing button
4. Find configuration for YSoft SafeQ FlexiSpooler Non-Spooling Server
a. Open YSoft SafeQ FlexiSpooler Client application registration in company's Active

Directory
b. Find and store somewhere (for example notepad):
i. Application (client) ID
ii. Redirect URI
c.

c. Go back and open YSoft SafeQ FlexiSpooler Non-Spooling Server application
registration in company's Active Directory
d. Find and store:
i. Application ID URI
e. Go to App registrations tab of company's Active Directory
i. At the top, click on button ENDPOINTS
ii. Find and store OAuth 2.0 Token Endpoint (v1)
f. Store Active Directory's Tenant > company's instance of AD; for example, if AD is
named SafeQ Testing, AD Tenant is safeqtesting.onmicrosoft.com
5. Create and save configuration
a. You should have stored 5 required configuration values
i. Application (client) ID
ii. Redirect URI
iii. Application ID URI
iv. OAuth 2.0 Token Endpoint (v1)
v. AD Tenant
b. You can now create configuration values for spooler.config, stored in YSoft SafeQ
FlexiSpooler Non-Spooling Server
"azureNativeClientRedirectUri": "https://login.live.com/oauth20_desktop.srf",
"azureNativeClientId": "de711fde-11aa-4910-9f15-d5e853129efc",
"azureApplicationIdUri": "https://safeqtesting.onmicrosoft.com/flexispoolerserver",
"azureActiveDirectoryAuthorizationEndpoint": "https://login.microsoftonline.com
/2573df81-c00d-4172-8ce7-9deb6e7252b9/oauth2/token",
"azureActiveDirectoryTenant": "safeqtesting.onmicrosoft.com",
"httpAuthenticationMethod": "azureActiveDirectory"
c.

c. And append spooler.config, so the final config looks like:
{
"jobStorePath": "JobStore",
"isServer": "true",
"azureNativeClientRedirectUri": "https://login.live.com/oauth20_desktop.srf",
"azureNativeClientId": "de711fde-11aa-4910-9f15-d5e853129efc",
"azureApplicationIdUri": "https://safeqtesting.onmicrosoft.com
/flexispoolerserver",
"azureActiveDirectoryAuthorizationEndpoint": "https://login.microsoftonline.com
/2573df81-c00d-4172-8ce7-9deb6e7252b9/oauth2/token",
"azureActiveDirectoryTenant": "safeqtesting.onmicrosoft.com",
"httpAuthenticationMethod": "azureActiveDirectory"
}
5.9.7.9 How to set receiving print jobs from YSoft SafeQ Client Enterprise 2.x via port 9100
About
YSoft SafeQ Client Enterprise 2.x (YSoft SafeQ 4/YSoft SafeQ 5) can be installed on either
servers or workstations.
Tested and supported are only :
Compressing print jobs (enable, disable)
Multi-domain environment: CurrentUserNameFormat with values empty (standalone user

name), DS_NT4_ACCOUNT_NAME (Engineering\someone), DS_USER_PRINCIPAL_NAME
(someone@engineering.fabrikam.com)
YSoft SafeQ Enterprise Client 2.x (YSoft SafeQ 4/YSoft SafeQ 5) failover (load balancing).
Note that the list of IPs will not be received from FlexiSpooler in server mode.
Other YSoft SafeQ Client 2.x (SafeQ 4/SafeQ 5) functionality could partially work, but we
cannot guarantee its stability and reliability.
Limitations
YSoft SafeQ Client Enterprise 2.x (YSoft SafeQ 4/YSoft SafeQ 5) can communicate with
only FlexiSpooler in server spooling mode.
For using YSoft SafeQ 6 with YSoft SafeQ Client Enterprise 2.x (SafeQ 4/SafeQ 5):
Encryption, DHCP opt.9, UserNameRegEx and UI functionality is not supported.

FlexiSpooler server mode receiving communication from YSoft SafeQ Client Enterprise 2.x
(YSoft SafeQ 4/YSoft SafeQ 5) with set CurrentUserNameFormat, must have set property
"usernameFormat" only with value "Plain username".
How to set receiving print jobs from YSoft SafeQ Client Enterprise 2.x (YSoft SafeQ 4/YSoft
SafeQ 5) via port 9100
1. Install Management Server and Spooler Controller version 6.0.9.11 or higher, Install
FlexiSpoolers 6.0.9.4 or higher, YSoft SafeQ Client Enterprise 2.27 or higher.
2. On Management server configure the following properties, located on "Spooler" section:
legacyClientEnabled = Enabled (default is Disabled)

legacyClientPort = 9100 (default)
usernameFormat = Plain username (default)
3. Configure the "SafeQ.ini" file for YSoft SafeQ Client and install the YSoft SafeQ Client
Enterprise 2.x ("install.exe -a") on print server:
Set ServerIP to point to FlexiSpooler in server spooling mode.
Set if compression is needed or not:
; Compression = 0
; Compress job data on port (SafeQ Server will automatically decompress them)
; 0 = disable
; 1 = enable
Set CurrentUserNameFormat to empty value or one of these two options (others not
supported):
; CurrentUserNameFormat =
; How the port should report the user name. If no input is given, than just
standalone user name is reported (default)
; DS_NT4_ACCOUNT_NAME Engineering\someone
; DS_USER_PRINCIPAL_NAME someone@engineering.fabrikam.com
Example 1: Compression enabled, username in format Domain_name\someone
[1]
Description=SafeQ Secure Port
ServerIP=192.168.0.1
ServerPort=9100
Queue=secure

AuthType=1
Projects=0
LogFilePath=c:\SafeQ6\SQ5Client\Log
LogToFile=1
LoadBalancing=0
Compression=1
CurrentUserNameFormat=DS_NT4_ACCOUNT_NAME
ProtocolLevel=4
JobOwnerMethod=1
WebBasedApplications=0
Note="Note"
YSoft SafeQ 5 Client Support
About
YSoft SafeQ 5 Client is an optional component available in previous YSoft SafeQ versions. Refer
to YSoft SafeQ 4 or 5 documentation for the full feature set documentation.
What Functionality Is Available with YSoft SafeQ 6
Only a subset of its rich feature set was brought into YSoft SafeQ 6. When in doubt, consult
with a Customer Support Services representative.
Identify user based on local user login name
Identify user based on local user login name in multi-domain environment.

CurrentUserNameFormat with values
empty (standalone user name),

DS_NT4_ACCOUNT_NAME (Engineering\someone),
DS_USER_PRINCIPAL_NAME (someone@ysoft.com)
SAFEQ_SID_FORMAT (01:05:00:00:00:00:00:05:15:00:00:00:23:2e:93:00:5e:fc:94:30:e5:fd:ce:
87:63:04:00:00)
Compress print jobs during the transfer to a Site Server
Failover
Load balancing
User roaming enabled by the client (consultation with a Y Soft Customer Support Services
representative recommended)

What Functionality Is NOT Available
Print job data-in-transit encryption
Automatic server detection for failover. Site Server cannot communicate list of other Site
Servers back to the client as YSoft SafeQ 5 could. The server list must be configured
manually in the SafeQ Client.
Advanced username detection such as UserNameRegEx
Advanced user authentication methods such as login/password pop up window
Any pop up windows:
Identify user with a popup request to specify credentials.
Display estimated price of a print job
Allow conversion from color to black and white
Display available money account balance
Delegation Print (VIP Shared Queues)
RBE desktop notifications
Billing code selection
Deployment Scenarios
Scenario: Single Print Queue with HA (local workstation queue)
The YSoft SafeQ 5 Client, print drivers and print queues are be deployed locally to users'
workstations. Means of deployment vary based on infrastructure at hand (MSI package
distributed by SCCM or Group Policy, etc.). See MSI Package Product Sheet on Parner Portal
https://portal.ysoft.com/products/ysoft-safeq/professional-services-catalog
Use Cases
1. A single highly available print queue for a Site Server cluster. As long as at least one
Site Server is available, the queue delivers print jobs to one of them.
2. A single load-balanced print queue for a Site Server cluster. The YSoft SafeQ 5 Client
randomly selects which Site Server to spool on.
3. Network traffic reduction between the workstation and Site Servers. Print job data are
compressed during the transfer from the workstation to a Site Server.
Sample Architecture

Scenario: Single Print Queue with HA (shared server queue)
The YSoft SafeQ 5 Client is deployed to a print server as a backend of a print queue shared from
the print server. No workstation client is required for this scenario.
Use Cases
1. A highly available print queue for a Site Server cluster. As long as at least one Site
Server is available, the queue delivers print jobs to one of them.
If the shared queue itself becomes unavailable (e.g. server outage), no print jobs can be
sent to YSoft SafeQ. A viable mitigation would be to share the queue from all servers and
map users as needed.
2. A single load-balanced print queue for a Site Server cluster. The YSoft SafeQ 5 Client
randomly selects which Site Server to spool on.
3.

3. Reduced network traffic between the YSoft SafeQ 5 Client and Site Servers. Print job
data are only compressed during the transfer from the client (on the server) to a Site
Server.
Sample Architecture
Supported Platforms
YSoft SafeQ 5 Client supports the following operating systems:
Microsoft Windows 32 bit (XP/Vista/7/8/8.1/10)
Microsoft Windows 64 bit (XP SP3/Vista/7/8/8.1/10)
Microsoft Windows Server 2003/2003R2/2008/2008R2/2012 (32bit/64bit) including Remote

Desktop Services (a.k.a. Terminal Server) and Citrix
Notes:

YSoft SafeQ 5 Client does not support v4 printer drivers (bundled with Microsoft Windows 8+).
Vendors' v3 drivers must be used.
YSoft SafeQ 5 Client v2.27 or higher is supported.
YSoft SafeQ 5 Client can communicate only with Site Server (FlexiSpooler in server spooling
mode).
How to Configure
YSoft SafeQ 6
On the management interface in System Settings:
legacyClientEnabled = Enabled (default is Disabled)
legacyClientPort = 9100 (default)
Restart YSoft SafeQ FlexiSpooler service to apply the changes.
Also set expected username in value usernameFormat. See CurrentUserNameFormat value

in YSoft SafeQ Client configuration, they have to match.
YSoft SafeQ 5 Client

Configure

Edit the file SafeQ.ini with the options below. See SafeQ 5 Client Configuration Options for
more details.
Always disable all pop up windows:
WebBasedApplications = 0
Set how username should display in YSoft SafeQ. User with login "someone" is member of
domain "domain123" in the example below. Option:
[empty] for "someone"
DS_NT4_ACCOUNT_NAME for "domain123\someone"
DS_USER_PRINCIPAL_NAME for "someone@domain123"
SAFEQ_SID_FORMAT for "01:05:00:00:00:00:00:05:15:00:00:00:23:2e:93:00:5e:fc:94:30:e5:

fd:ce:87:63:04:00:00"
CurrentUserNameFormat =
Set ServerIP to point to Site Server (FlexiSpooler in server spooling mode). FQDN, hostname or
IPv4 can be used. Also enable load balancing if required.
ServerIP = safeq6server1.domain123.local
ServerIP2 = safeq6server2.domain123.local
LoadBalancing = 1
Set if compression is needed or not:
Compression = 1
Example of SafeQ Client configuration which creates two identical ports:
SafeQ.ini
[1]
Description = SafeQ Secure Port
LoadBalancing = 1
ServerPort=9100
Queue=secure
AuthType=1

Compression=1
CurrentUserNameFormat=
ProtocolLevel=4
JobOwnerMethod=1
Note="Note"
[2]
Description = SafeQ Secure Port
LoadBalancing = 1
ServerPort=9100
Queue=secure
AuthType=1
Compression=1
CurrentUserNameFormat=
ProtocolLevel=4
JobOwnerMethod=1
Note="Note"
Install
1. Run a command line as administrator.
2. Navigate to folder which contains the YSoft SafeQ installation files.
3. Configure the Client by editing the file SafeQ.ini. (Configuration options are described in
SafeQ 5 Client Configuration Options)
4. From the command line, run the utility install.exe.
install.exe
Uninstall
1. Run a command line as administrator.
2. Navigate to folder which contains the YSoft SafeQ installation files.
3. From the command line, run the file install.exe, using the parameter -u.
install.exe -u
Add a Printer
To install a new printer for use with the YSoft SafeQ 5 Client, follow these steps:
1 For adding printer to your workstation with Windows OS go to Control Panel > Devices and
Printers > Add printer.
When Add printer wizard will be opened click The printer that I want isn't listed button.

2 Select Add a local printer or network printer with manual settings and click Next.
3 Select the Use existing port and select SafeQ Client Secure Port as the printing port
OR
click Create a new port and select SafeQ.

4 Perform few other steps to set all necessary option for new printer to finish the installation
wizard.
5 If device is installed,and SafeQ Client has not been yet been configured before installation in the Sa
feQ.ini file, configure it now.
In your OS go to Devices > Printer properties > select SafeQ Secure Port > Configure port.
5b If Microsoft Windows 7/8 OS is used, the port configuration is available with "elevated" right only
accessible via Print server properties.
Devices and Printers > select the printer which port you want to reconfigure or any other printer
> Print server properties > navigate to Ports tab > Change ports settings > select SafeQ Secure
Port > Configure port.

SafeQ 5 Client Configuration Options
This page is a copy from YSoft SafeQ 5 documentation. See YSoft SafeQ 5 Client Support for
supported feature set and limitations.
The following configuration options are available:

Name of configuration option Description Default
value
ServerDeliveryMode Following options are supported: 0

0 - statically defined IP address list.
1 - use IP address of workstation the user uses to
connect via Terminal Services to server, identify its
subnet according server_subnet.csv file and
subsequently choose correct target SafeQ server
according server_subnet.csv file. If the method fails, 0 -
statically defined IP address list is used instead.
2 - use IP address of local workstation, identify its
subnet according server_subnet.csv file and
subsequently choose correct target YSoft SafeQ server
according server_subnet.csv file. If the method fails, 0 -
statically defined IP address list is used instead.
3 - use IP address of workstation where the print job
has been created, identify its subnet according
server_subnet.csv file and subsequently choose
correct target SafeQ server according server_subnet.
csv file. If the method fails, 0 - statically defined IP
address list is used instead.
4 - use IP addresses obtained by DHCP: LPR server
option. If the method fails, 0 - statically defined IP
address list is used instead.
5 - use IP address taken from user's environment,
identify its subnet according server_subnet.csv file and
subsequently choose correct target SafeQ server
according server_subnet.csv file. Option
"EnvironmentVariableIP" contains the name of
environment variable cointaining IP address.
ServerIP IP Address of SafeQ Server (CML or ORS). When used

on SafeQ Cluster (or ORS roaming group), input the
address of the first SafeQ node (in the case of Roaming
group, imput the first Roaming ORS IP address).
Use of DNS names is allowed. This option must always
be filled in.
ServerIP2, ServerIP3, ... IP Address for other nodes of SafeQ cluster (or another
ORS in roaming group).
ServerPort The TCP port of SafeQ Server, where the SafeQ Client 9100
will try to connect for job delivery.
Queue secure

value
The queue name has to exactly match the queue name

created on SafeQ server.
For default general secure queue use the name
"secure".
AuthType How SafeQ Client will identify the job owner to SafeQ
server.
SafeQ Client for YSoft SafeQ 5 uses protocol version 4
by default. In case protocol version 1, 2 or 3 is
configured and AuthType options 3,4,5,6,8,9 are used
make sure that parameters useSSLProxy and
sslProxyPort are configured.
Following options are supported:
1 - user login (actually logged user on a workstation;
username format depends on
"CurrentUserNameFormat")
3 - user defined text (provides value of parameter
"AuthText" as a username)
4 - dialog with password (SafeQ Client displays an
authentication dialog to a user upon job submission)
NOT AVAILABLE IN SAFEQ CLIENT FOR MS WINDOWS
CLUSTER (formerly SafeQ Port Enterprise)
5 - novell user login
6 - novell user with context
8 - dialog without password (SafeQ Client displays
dialog with a text field and user input is used as
username; similar to dialog with password but without
password verification)
9 - keyboard reader (it is expected that a card number
is entered via a keyboard or swipe on a USB reader in a
keyboard mode connected to the workstation)
Card numbers received from SafeQ Client to
authenticate user are not converted in any way before
SafeQ searches them in its database/cache.
AuthText This text will be reported as a user name in case of

AuthType=3, otherwise leave empty.
SavePassword 0

value
Allows saving of user password in SafeQ Client

application when AuthType is set to 4.
0 = disable
1 = enable
Saved password is used only for the same job owner.
Saved password is removed when the user logs off.
SaveUsername Allows saving of username in SafeQ Client application 0

when AuthType is set to 8.
0 = disable
1 = enable
Saved username is used only for the same job owner, i.
e. currently logged in user.
Saved username is removed when the user logs off.
LoadBalancing Allows load balancing among nodes in SafeQ Cluster. 1

0 = disable
1 = enable
IPLoadBalancing, Load balancing per server IP address. If enabled for any 0

IPLoadBalancing2, IP address, this option disables LoadBalancing option.
IPLoadBalancing3, ... 0 = disable
1 = enable
EnvironmentVariableIP Defines environment variable containing IP address for ViewClient_I

option ServerDeliveryMode 5. P_Address
Default value "ViewClient_IP_Address" is suitable to get
IP address of user using VMware View.
Compression Compress job data on port (SafeQ server will 0

automatically decompress it).
0 = disable
1 = enable
Encryption Encrypts data between SafeQ port and SafeQ server – 0

also the transmitted job is encrypted.
This setting requires to setup of SSL certificates on
SafeQ Server and can have significant influence on the
system performance.
Ensure that option ProtocolLevel is set to 1 or 4
0 = disable
1 = enable
SSLCertificateVerification In case any SSL session is established during job 0

delivery, perform verification of server certificate.
In case certificate is not valid or is not trusted,
connection is aborted and print job is not delivered to

value
SafeQ server.
0 = disable
1 = enable
CurrentUserNameFormat How the SafeQ Client should report the user name. If
no input is given, than just standalone user name is
reported.
Following options are available:
DS_FQDN_1779_NAME CN=someone,OU=Users,
DC=Engineering,DC=Fabrikam,DC=Com
DS_NT4_ACCOUNT_NAME Engineering\someone
DS_DISPLAY_NAME Jeff Smith
DS_UNIQUE_ID_NAME 4fa050f0-f561-11cf-bdd9-
00aa003a77b6
DS_CANONICAL_NAME engineering.fabrikam.com
/software/someone
DS_USER_PRINCIPAL_NAME someone@engineering.
fabrikam.com
DS_CANONICAL_NAME_EX engineering.fabrikam.com
/software\nsomeone
DS_SID_OR_SID_HISTORY_NAME S-1-5-21-397955417-
626881126-188441444-501
SAFEQ_SID_FORMAT 01:05:00:00:00:00:00:05:15:00:00:
00:23:2e:93:00:5e:fc:94:30:e5:fd:ce:87:63:04:00:00
Note that options other than DS_NT4_ACCOUNT_NAME,
DS_SID_OR_SID_HISTORY_NAME, and
SAFEQ_SID_FORMAT require both computer and user to
be members of Microsoft Active Directory. The
computer must have permissions in Microsoft Active
Directory to format the user name. Formatting a user
name in a trusted domain outside of the computer's
Active Directory forest is only supported for
DS_NT4_ACCOUNT_NAME,
DS_SID_OR_SID_HISTORY_NAME, and
SAFEQ_SID_FORMAT.
To support multiple trusted domains set configuration
option "CurrentUserNameFormat=SAFEQ_SID_FORMAT".
Set LDAP replication setting "Attribute containing
aliases" to include attribute "objectSid".
For shared printers set configuration option
"JobOwnerMethod=1" so the user name can be
formatted.
JobOwnerMethod 0

value
Identification of job owner.

0 = default behavior (single user on workstation)
1 = identification is based on owner of printing thread
(shared printer)
ProtocolLevel Setup communication protocol. Following options are 4

available:
4 = default behavior
3 = reserved
2 = set to 2 for backward compatibility
1 = set to 1 for backward compatibility or in case the
encryption support is required
LogToFile Records a log file on SafeQ Port operations. Logging 0

when using shared queues requires Everyone group to
have Modify permissions on the file.
0 = disable
1 = enable
LogFilePath Path for SafeQ Client log file. If empty, path is defined
by configuration of system environment variable "TEMP"
(e.g. C:\Windows\TEMP).
LogFileSizeLimit Maximum limit of log file in MB before its rotation occurs. 20

0 = no limit
LogFileCount Rotated log count. 3
WebBasedApplications Enables web based YSoft SafeQ applications 1

1 = client will display window with YSoft SafeQ web
applications after delivering job. YSoft SafeQ provides
several applications: Selection of billing code, VIP shared
queues or price estimation
0 = client just delivers job to SafeQ. User will not be
prompted to select billing code, VIP shared queues or
price estimation
NetworkTimeout Timeout in seconds when communicating with SafeQ 60

server over TCP/IP.
ParserDPI DPI for page rendering if PriceEstimation mode is 150

enabled.
Note Note which will be sent with job to SafeQ server.
RedirectToIP

value
IP address of printer to which the print job will be

redirected in case SafeQ server unavailability.
The job will be sent to printer by LPR protocol.
If empty, the job will not be redirected.
AssignPrinter, AssignPrinter2, Search for given name in installed printers during

AssignPrinter3, ... installation, and bind the one which matches with the
created port.
UserNameRegExMatch Regular expression which is used for matching of user

name. This option is available only when AuthType is
set to 1 (user login)
Example: for matching of "username" from "username
(ip)", expression should be set to "^([^ ]*).*$"
UserNameRegExReplace Replacement string which is used for user name

modification. It can refer to arguments from
UserNameRegExMatch.
$0 is the full user name string, $1 refers to the first
match, $2 to the second match, ...
Example: for replacing user name with first match
(specified by expression UserNameRegExMatch), string
should be set to "$1"
Save Password Details
Client application compares the current job owner (user logged to the computer) to the last
job owner (saved in registry). If these two match, the saved credentials are used. Otherwise,
the user is asked to fill in login and password.
User logs in and the application has currently no password saved. When the user prints and
inserts the correct credentials, the username and password are saved and it is not
necessary to fill them in next time. In case the user logs out, the application is terminated
and the password is forgotten.
If another user logs in, the login window appears automatically, because the job in queue is
owned by this another user. If the computer is used only by one user, he/she still has to fill
the credentials in after login to the computer. After every logout (or client application
termination), the password is forgotten.
All settings are usually stored in subkeys of the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\SafeQ\Ports\
or, in the case of SafeQ Client Enterprise:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\SafeQE\Ports\
However, note that this location is system-dependent and may differ, for example in the
case of a Windows Failover Cluster. This information is provided without guarantee.
5.9.7.10 Job compression
Overview
Jobs transference can be done faster and consume less network bandwidth by enabling the
compression of http requests from Spooler.
Job Compression
The parameter " HttpCompression " is possible to be configured locally on each Spooler (See
FlexiSpooler local configuration through spooler.config file for details about communication with
mobilePrint, AP and between Spoolers.)
Compressed jobs are characterized of having the GZip header. When HttpCompression = True is
set on Spooler, it will compress the outgoing jobs. In case of multiple Spoolers connected, the last
one will decompress the job (if needed) and save it.
Note
How to check on Spooler logs that the compression was applied?
The easy way is to enable the "Trace" mode on Nlog.config files inside the Spooler directory and
restart the "YSoft SafeQ FlexiSpooler" service. See Configuring logging using Nlog.config
After the job is compressed, on logs of the spooling server, will appear a trace like follows:
2016-05-31 13:24:26.4681 TRACE 17| 2b07f182-b91d-49e2-a1f4-502a82bf0db6 | JobReceiver.

HttpReceiveJobController+<SaveJob>d__9 | Job [4aa670fb-8492-43fa-a314-4f8b0eeec972] was
compressed.
2016-05-31 13:24:26.4837 INFO 11| 2b07f182-b91d-49e2-a1f4-502a82bf0db6 | JobReceiver.
HttpReceiveJobController+<SaveJob>d__9 | Job completely saved [4aa670fb-8492-43fa-a314-
4f8b0eeec972].
In case of no compression applied, only "Job completely saved [JOB_GUID]" message will appear.
5.9.7.11 Job recovery feature
To ensure that all print jobs are fully processed and captured by YSoft SafeQ

In case print job is not received completely due to some interruption, it remains (.job and .jobinfo)
in the JobStore folder on the FlexiSpooler. After the FlexiSpooler is started again after the
interruption (might have been caused by a restart, closing the laptop lid...) it tries to process all
unprocessed jobs and send information about them to Spooler Controller. If the jobs is accepted
by the Spooler Controller a .controller file will be created with the Guid of the Controller who
managed the job and the .jobinfo will be updated with information about parser processing.
This is useful in the following sample scenarios:
When FlexiSpooler on user computer is stopped (e.g. users suddenly close their laptop lid).
Connection to Spooler Controller or FlexiSpooler server is lost before the job is accepted.
How FlexiSpooler recovers in these situations:
i Scenario 1: communication is interrupted during job processing

If this happens before user fills out his or her authentication details or billing codes (is case this
information is needed) print job and its related information are saved and waiting in JobStore folder
until connection is recovered.
When user computer and connection to Spooler Controller or FlexiSpooler Server is running again,
processing of the print job continues and if needed, user is asked again to fill out necessary
information.
i Scenario 2: communication is interrupted during job information sending

If this happens before or during print job information or file is sent, print job and its related
information are saved and waiting in JobStore folder until connection is recovered and FlexiSpooler
service is started.
When FlexiSpooler service is started and connection to Spooler Controller or FlexiSpooler Server is
running, print job information are sent to Spooler Controller.
Note: JobStore folder is checked for not sent print jobs information (non processed jobs
recognizable by the presence of only .job and .jobinfo files without the .controller file) only when
service is started. This means in case of connection is lost between FlexiSpooler spooling server to
Spooler Controller, jobs will be waiting on FlexiSpooler server until FlexiSpooler service is restarted.
This scenario is highly rare as both FlexiSpooler spooling server and Spooler Controller have to be
on one computer.
5.9.7.12 Parsing username from print job
YSoft SafeQ can be configured to allow external systems to generate print jobs in YSoft SafeQ. In
order to do that the appropriate method for identifying user needs to be selected.
In case print jobs are sent to YSoft SafeQ FlexiSpooler in server mode by some external system
that is using common username for all users, e.g. all jobs are sent from sap_administrator
account, YSoft SafeQ can be set to parse user's identity from:
Print job title

The feature is enabled via the configuration option parseUserFromTitle = <user_names>,
which is empty by default. The <user_names> value can contain multiple users, separated
by "comma" symbol ( , ).
The user name must be provided as a part of the job title, delimited by sign defined in
configuration property parseUserFromTitleDelimiter (default values: "dot" or "colon" or
"underscore" or "slash" or "backslash" – e.g. USER.title or USER:title or USER/title or
USER_title.
Position of user name could be specified by configuration property
parseUserFromTitleIndex (0 for USER.title, 1 for something.USER.title etc.).
It is also possible to keep original job title by setting configuration property

parseUserFromTitlePreserverTitle (default behavior is removing user name from title:
someting.USER.title -> something.title).
PJL command in print job data stream
PJL header can be used to detect user identity.
This feature is enabled via the configuration option parseUserFromJob (enabled by

default)
Regular expression for detecting username from PJL headers could be specified by
configuration property ParserPJLUser (Default: @PJL USER[ ]*=[ ]*(.*)(@|\n|\r) ). The string
that matches the first group in the regular expression is used as the print job owner. (
@PJL USER = username)
In case user information is blank in PJL header (@PJL USER = ) FlexiSpooler will use
username extracted from LPR header.
PJL header in defined format (for example: @PJLUSER = username) needs to be in print
file somewhere before PJL command @PJL ENTER LANGUAGE.
Please note, that usernameFormat setting is not applied to results of any of the above
methods, FSP will always use as username what it has extracted.
Examples of Regular Expressions - ParserPJLUser
When defining the regex pattern it is important to always set ' (.*)' in order to match the
Username value. For example:
Job Header Pattern Parsing result for Username
@PJL USER = tester@domain. @PJL USER[ ]*=[ ]*(.*)@ tester

com\n
@PJL USER = bob\n @PJL USER[ ]*=[ ]*(.*) bob
@PJL USER = "filip"\n @PJL USER[ ]*=[ ]*(.*) filip

Job Header Pattern Parsing result for Username
@PJL USER = "" or @PJL USER = @PJL USER[ ]*=[ ]*(.*) (Username extracted from LPR
header)
When the regex pattern does not match with the expression on the job header, it will be reflected
on the spooler.log.
5.9.7.13 Print language support and limitations
The support of print languages depends on capabilities of the FlexiSpooler's language parser.
There are currently two levels of languages: job ticket languages (used for metadata) and the
languages forming the actual job data.
Supported job ticket formats
PJL
XPIF / XCPT
Print languages
Renderable jobs
Those are languages which are fully supported and it is able to render a print job preview. It is
also able to determine the color coverage, page size and other job characteristics.
PCL5
PCL3 GUI
PCLXL (PCL6)
HPGL/2
Following languages need Ghostscript installation (for correct version see YSoft SafeQ
Workstation Requirements, YSoft SafeQ server requirements) in the system for full rendering
capabilities, otherwise, only limited analysis is supported (specified in brackets).
PDF (simplex/duplex, copies count)
Postscript (simplex/duplex, copies count)
Color coverage analysis is no longer supported for these languages even with Ghostscript
installed.

Jobs with basic analysis
No preview can be generated for such jobs. Usually, it is able to analyze job properties like page
count or page size but the information can be inaccurate in some cases. Rule-based Engine
actions generally cannot be performed on such jobs.
Prescribe
NT EMF
QPDL
Hiper-C
ZjStream
CPCA
Jobs with no analysis
The rest of the print languages pass through the FlexiSpooler without any job analysis. Some of
the languages are recognized but still no analysis is performed. The only modification performed is
wrapping the jobs into PJL headers (if not present already).
PostScript support
Basic finishing options (Simplex/Duplex, Color/Black&White and Copy count) are supported for
PostScript jobs.
5.9.7.14 Using FlexiSpooler with multiple users on one computer
The following guide provides information about how to use FlexiSpooler in client mode with
multiple users on one computer.
FlexiSpooler in client mode can be used on CITRIX or Windows Terminal systems.
Running FlexiSpooler service can serve multiple connected Desktop Interfaces, which are
identified by the username of logged user.
Installation & Configuration
No special installation or configuration is required.
Workstation Installation, Automatic launching of Desktop Interfaces from FlexiSpooler service
at start.
Desktop Interface is started directly when the user logs in the system (via respective entry in
the Windows Registry).

Each FlexiSpooler > Desktop Interface communication is identified by logged user username in
the format domain\username.
Print Queues
Print queues are installed to the system so every user can see and access them.
Notifications that print queues are being installed are displayed to each logged user.
FlexiSpooler notifications
Print notifications - the job was not able to print, the problem with the analysis, etc. are
displayed only to the concerned user.
Rule-Based Engine (RBE) notifications
RBE notifications are displayed directly to the user who sent the job ticket.
RBE works only in FlexiSpooler spooling client mode.
5.9.7.15 FlexiSpooler local configuration through spooler.config file
All configuration options in spooler.config file are case insensitive. That means it does not matter
if there is "Authenticationtype": "PIN", or "authenticationtype": "PIN", or "AUTHENTICATIONtype":
"PIN". True/false values are also case insensitive.
It is recommended to follow these steps when change in the spooler.config is needed:
1. Stop YSoft SafeQ FlexiSpooler service and then stop the process YSoft SafeQ Desktop
Interface.
2. Change the <SAFEQ6_HOME>\FSP \Service\spooler.config file.
3. Start YSoft SafeQ FlexiSpooler service and then YSoft SafeQ Desktop Interface
(<SAFEQ6_HOME>\FSP \Service\<Spooler 6.0.X.Y>\DesktopInterface\DesktopInterface.exe).
FlexiSpooler configuration options fall into 2 categories:
Global options
These options are expected to be the same for all FlexiSpoolers and are set centrally through
YSoft SafeQ Management Interface to avoid having to configure them for each FlexiSpooler.
These options are described in the Management Interface and will not be explained in detail here.
Some of these options (where it makes sense and does not create potential for abuse, most of
them are for receiving jobs) can be overridden locally through spooler.config, these options can be
used to configure a specific FlexiSpooler differently:
automaticUpdatesEnabled
authenticationType (from version MU6)

billing-codes-enabled
billingCodesSyncCronRule
cacheCredentials
defaultFlexiSpoolerNetworkAddress
defaultPaperSize
deviceUpdate
deviceUpdateIntervalMinutes
directPrintRetryAttempts
directPrintRetryTimeoutSeconds
diskSpaceCheckIntervalInSeconds
dsCertificateFileSource
dsCertificateSource
dsCertificateStore
dsCertificateStoreIdentifier
dumpMemoryOnCrash
fspHttpsSecurityProtocols (from version MU12)
ignoreIppsMfdCertificateErrors (from version MU28)
internalLdapReplaceAtChar
jobAnalysisResolution
jobReplication
legacyClientEnabled (from version MU10)
legacyClientPort (from version MU10)
logPerformanceMetrics (from version MU28)
lprEncoding
lprPrinterConnectionTimeout
lprPrinterConnectionLingerTimeout
maximumOfflinePrinters
maxParallelJobProcessing
minimumDiskSpaceRequired
minimumDiskSpaceRequiredToResumeReception
notificationWindowTimeoutSeconds
numberOfRetriesInCommunication (from version MU13 HFX)

offlinePrintEnabled
ParserPJLUser
parseUserFromJob
parseUserFromTitle
parseUserFromTitleDelimiter
parseUserFromTitleIndex
parseUserFromTitlePreserverTitle
previewResolution
rawPrinterConnectionTimeout
rawPrinterConnectionLingerTimeout
removeInvalidCharactersFromJobTitle
removePjlDminfoForHp (from version MU14)
replicationSharedFolder
replicationSharedFolderCredentials
secureHttp
secureQueueDisplayName
spoolerCleanerSchedule
SQLPRPrt
uiLaunchAttemptTimeoutSeconds
uiLaunchAttempts
usernameFormat
Turning on https and server authentication can be done via SafeQ configuration (the options
are described in the YSoft SafeQ Management Interface), but all these values are overwridable
locally:
secureHttp for turning https on/off (true/false), supported protocols are listed in
fspHttpsSecurityProtocols (new parameter from MU12) For further details see Configuring
cryptographic protocols for outbound communication and SSL/TLS Secure Channel -
SCHANNEL - Troubleshooting.
dsCertificateSource, dsCertificateStore,
dsCertificateStoreIdentifier and dsCertificateFileSource for supplying
certificate for server FlexiSpooler authentication.

Local options
These options are set per FlexiSpooler via the local spooler.config file (a JSON file located in
the FlexiSpooler installation folder). They are only local because they are not expected to be
changed and use the default value unless in rare circumstances, because there is no reasonable
global value for all FlexiSpoolers, or because FlexiSpooler needs to know them to even connect to
a Spooler Controller and download global SafeQ configuration. Most of these options have a
default value that is used when none is specified in the file. They can be grouped into several
main areas:
General options
Local Option Type Default Description

Name Value
TimeSpan 0:15:0 The interval in which FlexiSpooler checks for

configurationUpda changes in SafeQ configuration, every 15 minutes
teInterval
by default.
boolean true By default, FlexiSpooler dynamically updates

UpdateLocations locations with the latest information from Spooler
Controller/FlexiSpooler that it is connected to. This
way it has the current IP addresses of servers to
connect to during location change or failover. Turn
this option off if you want to configure locations
manually.
string This value is used as username for received jobs

Username when "authenticationType" is set to Stored
username
boolean false This turns on or off server mode (see FlexiSpooler

IsServer Modes).
string Path to the job store where are incoming jobs

jobStorePath JobStore saved in case od spooling mode (see FlexiSpooler
Modes and Configuration and usage of JobStore ).

Path must be in valid JSON format for example: "C:
/JobStore/" - note the path cannot contain
backward slashes. Default job store can be found
here: <SAFEQ6_HOME>/FSP/Service/JobStore
EndUserInterfa string https: Template for the URL of the End User Interface.
ceUrlTemplate //{0}: Use the following placeholders in the template:
9443 {0} for the IP address of the currently
/end- connected Spooler Controller,
user {1} for the GUID of the current FlexiSpooler,
/ui {2} for the current user's username.

Name Value
Set to the empty string to remove the option to

open the End User Interface from the tray icon
menu.
OverrideDelive string If configured, this option overrides the delivery

ryUrlTo destination for all jobs released by this spooler to a
ll devices in its Spooler Controller Group.
If set to "ipp://<ip>:<port>/<path>/", jobs will be
delivered by IPP to <ip> on port <port> with
URL /<path>/<queue>, where <queue> is the
queue name configured for the device in YSoft
SafeQ in the Back-end section. The actual back-
end configured for the device, or its IP address,
will not be used.
If set to "ipps://<ip>:<port>/<path>/", jobs will be
delivered by IPP/SSL to <ip> on port <port>
with URL /<path>/<queue>.
If set to "lpr://<ip>:<port>/", jobs will be delivered
by LPR to <ip> on port <port> with queue name
<queue>.
The intended use case for this configuration is
routing all print jobs through a print server when
they are being released, allowing the print server
to do any processing (such as compression) on
the jobs.
Communication with Spooler Controllers and Desktop Interface
This communication is built on TCP and is configured only locally.

Name Value
ControllerPort integer 5555 Port number on which FlexiSpooler connects to

Spooler Controller
When changing the default value, make

sure that the sosApiMessagingV2List
enerPort property is configured to the
same port on Spooler Controller side.
DesktopInterfa integer 5558 Port number on which Desktop Interface connect

cePort to FlexiSpooler
Guid

Name Value
SpoolerId new Unique FlexiSpooler identification for Spooler

Guid Controllers, it should not change for the entire
lifetime of a FlexiSpooler (that is why IP/host
cannot be used). If not filled, it will be filled by a
new Guid upon the first start of FlexiSpooler. Do
not change this option! Spooler Controllers store
the SpoolerId in their metadata for each received
job, changing it would mean losing access to all
jobs previously stored by that FlexiSpooler.
UiId string SpoolerI Similar as SpoolerId, this is Desktop Interface's

d- static unique identification and is derived from
ClientUi SpoolerId upon the first run, do not change this
option!
ConnectionLost TimeSpan 0:1:0 FlexiSpooler uses heartbeat to check the

Timeout availability of its Spooler Controller, if it is
unresponsive for the specified time (1 minute by
default), FlexiSpooler can react, failover to another
Spooler Controller, go to offline print mode, etc. A
higher value may be needed for networks with a
high latency or for performance reasons.
By default, this communication is plain, no authentication or encryption. These options can be

used to set up secure communication (see System communication hardening). Secure
communication must either be used on all FlexiSpoolers and Spooler Controllers or none. A
FlexiSpooler will not be able to connect to a Spooler Controller if their security settings do not
match. These variables are only local configuration.
Local Option Name Type Default Description

Value
CertificateThumbprint string empty If left empty, plain

string communication is used.
Otherwise, FlexiSpooler will
look for a matching
certificate signed by a
trusted authority and use it
to authenticate itself to
Spooler Controllers (and it
will negotiate encryption with
it). It will also communicate

Local Option Name Type Default Description
Value
securely with Desktop

Interface. The "encryption"
(from MU14) variable must
also be set.
encryption string Plain Encryption key lengths :

Supported values are (case
(from MU14) insensitive):
Plain
Aes128
CertificateStore enum My For secure communication,

FlexiSpooler needs a
certificate to authenticate
itself. It looks for it in the
Windows certificate store
specified by this option
(Personal store by default).
ValidateServerCertificateHost boolean true By default when

authenticating a Spooler
Controller, FlexiSpooler also
checks if one of the IPs
/hosts in the Spooler
Controller certificate's
subject alternate name
matches its IP/host. It's not
recommended to turn off this
option.
Communication with Mobile Print, Mobile Integration Gateway , DHCP options 9 and between
FlexiSpoolers
This communication is built on HTTP and is configured only locally, except for HTTPS and server
authentication options. In this communication, FlexiSpooler acts as a HTTP server, and Mobile
Print, Mobile Integration Gateway and client FlexiSpoolers act as HTTP clients.

Name Value
ListeningOnAdd string 0.0.0.0 Address on which FlexiSpooler listens for http(s)

ress connections. By default, it listens on all IPv4 addresses on
the local machine.
ListeningForJo string 0.0.0.0

bsOnAddress

Name Value
Address on which FlexiSpooler listens for LPR connections.

By default, it listens on all IPv4 addresses on the local
machine.
SpoolerPort integer 5559 Port number on which FlexiSpooler listens for http(s)
connections.
HttpRequestTim TimeSpan 0:10:0 Timeout for http requests, default is 10 minutes. Non-
eout spooling client FlexiSpoolers transfer job data to spooling
server FlexiSpoolers via http, that can take a while
depending on job size and network speed, if these
transfers fail due to timeout, a higher value might be
necessary.
HttpCompressio boolean true When true, FlexiSpooler uses GZip to compress its http
n requests, to transfer jobs faster and save network
bandwidth.
IgnoreCertific boolean true This allows a self-signed certificate to be used on the

ateChainError server FlexiSpooler for https authentication, if true, the
certificate chain is ignored during validation.
MaxHttpConnect int 100 The limit for outgoing http connections on the client side.
ions
ServerSpoolerA array of empty This enables failover and virtual IPs for non-spooling
ddresses strings array servers (see FlexiSpooler Modes). Non-spooling client
FlexiSpoolers ask their server FlexiSpooler for addresses of
all server FlexiSpoolers, so they can failover when one
server is down. Spooling server FlexiSpoolers are always on
the same server as Spooler Controllers, so they just return
the IPs of their Spooler Controller Group. But a non-spooling
server returns only its own IP addresses (the "real" ones
from network interfaces). When this option is filled, the non-
spooling server returns its value instead. This solves a
scenario when the non-spooling server is only accessible
through a public virtual IP address different from its real IP
(for example a server in Azure cloud). It also gives
administrators the option to manually configure a non-
spooling server FlexiSpooler cluster for failover.
HttpAuthentica None None This allows client authentication for https communication
tionMethod /AzureActi via Azure Active Directory(server authentication is done via
veDirector certificates). To use AAD, more local configuration options
y are necessary - AzureActiveDirectoryTenant,

Name Value
AzureActiveDirectoryAuthorizationEndpoint,
AzureApplicationIdUri and AzureNativeClientId. More details
are in FlexiSpooler Server HTTP authentication
configuration - Azure AD.
boolean true For DHCP discovery should be enable, it is able to query

ServerDiscoveryEn DHCP server for option 9 information. Can be over written
abled
on spooler.config file. ("ServerDiscoveryEnabled": "False" -
DHCP discovery is disable.) For disable via silent Installer
you use parameter /CFG:noServerDiscovery.
Automatic FlexiSpooler Update

Name Value
spoolerUpdateC integer 4 Intervals in which FlexiSpooler checks for a new

heckIntervalIn version, default is 4 minutes.
Minutes
updateServerHt integer 443 Port number on which FlexiSpooler connects to

tpPort Update Server.
Desktop Interface Notifications

Name Value
string If set, this forces different culture on Desktop

culture Interface (and localize its string in a different
language) than the current culture on that
machine. Example "en-US", all codes are here: https:
//msdn.microsoft.com/en-us/library/ee825488(v=cs.
20).aspx
integer 5000 When receiving a job, FlexiSpooler needs to

processingTimeWit process it, if it takes longer than this time(5
houtNotification
seconds by default), Desktop Interface will display
a notification to inform the user.

Authentication methods
Properties authenticationType and cacheCredentials can be set centrally in the YSoft SafeQ
management interface in System > Spooler tab, and from version MU6 it can be overridden locally
for each FlexiSpooler via spooler.config (but are still mentioned here because the option values
are different in spooler.config).
Local Option Type Default Another Description

Name Value Value
DOMAIN DOMAIN When set to Domain username, the username of

authenticationType _USERN _USERN the user logged into the workstation is used.
string
AME AME
USERNA When set to Username and password, the user will

ME_AND be prompted for a username and password.
_PASSW
ORD
STORED When set to Stored username, a username will be

_USERN retrieved from the configuration file. e.g.:
AME spooler.config - "username":"admin"
Management database - usernameFormat =
"Plain username"
USERNA When set to Username, the user will be prompted

ME only for a username.
CARD When set to Card, the user will be prompted to

swipe their card.
PIN When set to PIN, the user will be prompted for a

PIN.
LPR byte counting
When sending jobs from FlexiSpooler to printer via LPR, FlexiSpooler did not send job size as LPR
protocol dictates. Instead, FlexiSpooler have sent a specific value (which is used in Windows
printing sub-system for jobs with unknown size). While it works for MFDs, this caused issue when
sending print job to Windows LPD service via LPR, which would not correctly accept the job.
FlexiSpooler has locally configurable setting for FlexiSpooler which will enable calculation of the
job size through usage of a temporary file on the disk where the print job with modifications is
generated, size is calculated and then the data is sent to the printer with correct size submitted
via LPR protocol. This setting is turned off by default.

Local Option T Default Value Description
Name y
p
e
st "JobDataDump" relative to the Service Folder where the temporary files

JobDataDump ri folder of FlexiSpooler, e.g. "C: containing print job data ready to be
n \SafeQ6\FSP\Service\JobDataDump" sent to the printer. Filename of these
g files include job guid, timestamp and a
random suffix and these files are
locked against access by another
process throughout their usage during
printing and then immediately deleted.
in 1200 Timeout for writing the printed job

CalculateJobSize te data to the temporary file.
BeforeDeliveryTi
g
meoutSeconds
er
b false Enables job size calculation. Job size

CalculateJobSize o calculation is currently supported
BeforeDelivery
ol when sending print jobs to MFP via
e LPR back-ends. Otherwise the job size
a calculation (along with the creation of
n temporary file) is not done.
If the receiving Windows LPD service is still refusing the job at the end, it may also be
necessary to add the following registry value on the receiving server.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LPDSVC\Parameters]
"SimulatePassThrough"=dword:00000001
An example spooler.config file
{
"CertificateThumbprint" : "77948B8C50205FB8F1EC1AB32EF4F708A65F5422",
"encryption": "AES128",
"CertificateStore" : "My",
"ConnectionLostTimeout" : "0:0:20",
"DesktopInterfacePort" : "5559",
"parseUserFromTitle" : "sykoram",
"ServerSpoolerAddresses" : [ "10.0.11.146", "127.0.0.1" ],
"UserNameDelimiterInJobTitle" : "_",
"updateLocations": "true",
"isServer" : "false",
"EndUserInterfaceUrlTemplate":"http://{0}:9443/end-user/ui",

"jobStorePath": "C:/JobStore/"
}
5.9.7.16 FlexiSpooler locations configuration with locations.config file
This file is used by FlexiSpooler to discover servers to connect to in each location, to perform its
functions, for non spooling mode it's a server FlexiSpooler to transfer accepted jobs to, for
spooling mode it is a Spooler Controller to send spooled job metadata to, accept print requests
from, etc. When installing FlexiSpooler, one needs to enter at least one Spooler Controller IP
/hostname and if this FlexiSpooler should be spooling, the locations.config file then looks
something like this:
{
"discoveryMode": "Manual",
"locations": {
"": {
"id": "",
"name": "Default",
"addresses": ["10.0.11.146"],
"spooling": true
}
},
"currentLocationId": ""
}
If discoveryMode is set to "DhcpOption9", then locations will be discovered automatically via

DHCP and this file should not be touched. In "Manual" mode, FlexiSpooler will connect to one of
the addresses in the current location (the location whose id matches "currentLocationId") and will
the ask that server to give him the most current address list (for a Spooler Controller Group,
Spooler Controller will supply IPs/hosts of all the Spooler Controllers in that group) and replace the
"addresses" of that location in the locations.config file with the current list. If you do not
want them to be updated and want to only configure them manually, set "UpdateLocations"
option in spooler.config to false.
Manual location configuration allows advanced scenarios like the file below, with 3 locations
(current being Prague):
Prague where FlexiSpooler will be spooling jobs locally and connecting with failover to one of
the 2 Spooler Controllers
Brno where FlexiSpooler will not be spooling jobs locally and will instead send them with
failover to one of the 2 server FlexiSpoolers
Default location which is everywhere else, FlexiSpooler will be not spooling and connecting to
the server FlexiSpooler in Azure cloud

Desktop Interface will display all 3 locations(their names - Default, Prague, Brno) in a pop-up tray
menu and will allow the user to manually set location when he moves his machine between them.
Naturally, the current location is persisted through FlexiSpooler restarts.
{
"discoveryMode": "Manual",
"locations": {
"0": {
"id": "0",
"name": "Default",
"addresses": ["flexispooler.ysoft.onazure.com"],
"spooling": false
},
"1": {
"id": "1",
"name": "Prague",
"addresses": ["10.1.11.120", "10.1.11.122"],
"spooling": true
},
"2": {
"id": "2",
"name": "Brno",
"addresses": ["10.0.11.146", "10.0.11.145"],
"spooling": false
}
},
"currentLocationId": "1"
}
5.9.7.17 Advanced direct print configuration
Overview
For printers installed with IPP backend, when printer is not ready to receive jobs and reply with
stopped status (e.g. because of paper jam, full memory, etc.) direct print will be retried so the
user have opportunity to fix the printer (fix paper jam, delete old jobs, etc.) and allow the job to be
released.
Configuration
Log in to the YSoft SafeQ Web Interface with sufficient rights to change system setting (for
Configure following options:
directPrintRetryAttempts - number of attempts to check printer status and print the job. If
no retry should be made, set this property to 0.
directPrintRetryTimeoutSeconds - time period between each print attempt in seconds.

Limitations
1. Direct print retry is only for printers installed with LPR or IPP/IPPS backend.
2. Direct print jobs are not always printed in the same order as user sent them.
Security
1. Direct print jobs are sent to the FlexiSpooler over LPR protocol, which is not encrypted.
2. It is recommended to configure printers to use IPPS protocol since it is most secure option.
3. Depending on printer model, direct print jobs can get printed although another user is
currently logged in on the device. A s a result jobs of both users can be mixed.
5.9.7.18 YSoft SafeQ FlexiSpooler Security considerations
This document summarize security considerations that need to be take into account when
deploying YSoft SafeQ FlexiSpooler.
LPD print job reception
LPD is running by default on port 515. Anyone, who can communicate with the server with YSoft
SafeQ FlexiSpooler on this port is also able to send print job to YSoft SafeQ via LPR. Because the
LPR does not have any authentication or authorization implemented, an attacker can send the job
to other user queue, if the attacker knows just the username. When the user prints all jobs, also
the unwanted documents from the attacker will be printed. When YSoft SafeQ FlexiSpooler is
installed in server mode, LPD will by default listen on port 515 on all network interfaces.
Print backends
Raw (plain TCP), LPR and IPP are used to deliver print jobs to a printer. Transmission is not
encrypted and printer is not verified. For secure connection from YSoft SafeQ FlexiSpooler to
printer, use IPPS (IPP over SSL).
Web API
YSoft SafeQ FlexiSpooler provides web API via HTTP on port 5559 by default and also binds on all
network interfaces by default. Network interfaces can be defined by `ListeningOnAddress` in
`spooler.config`. This option should be set up carefully because this web API is required if the non-
spooling YSoft SafeQ clients, YSoft SafeQ Mobile Integration Gateway or YSoft SafeQ Mobile Print
Server are used. On the other hand, this API does not require authentication so the attacker can
exploit it to guess usernames, PINs, passwords, card numbers, billing codes or addresses of other
site servers in near roaming group.

5.9.7.19 YSoft SafeQ Server FlexiSpooler failover mechanism
Common deployment of Near Roaming Group (NRG) has several site servers. Spooler Controller
(SPOC) and FlexiSpooler in server mode are installed on each site server as you can see on the
picture below.
Default behavior
In case of SPOC unavailability (update or temporal outage) FSP re-connects (failover) to another
SPOC in the same NRG by default. FSP checks availability of its local SPOC every minute and if
SPOC is back online, FSP will connect back to the local SPOC in cca one minute.
Disabling Server FlexiSpooler failover
To disable FlexiSpooler failover, you should:
set following property in spooler.config
"ServerDiscoveryEnabled" = false
Set only localhost address in location.config
"addresses": [ "127.0.0.1" ],
Restart the FlexiSpooler service.

5.9.8 NFC ADMINISTRATION APP
5.9.8.1 About NFC Administration app
Application allows administrators to scan QR code (generated from YSoft SafeQ web interface)
and write these information into NFC tag. There is also possibility to lock and unlock the tag with
4 digit password. NFC Administration app works with NXP NTAG213 tags only.
Requirements:
Android device with NFC
compatible NFC tag (NXP NTAG213)
Application can be downloaded from Google Play store.
5.9.8.2 Programming NFC using the NFC Administration app
Programming NFC tag using NFC Administration app
5.9.8.3 Programming NFC tag using NFC Administration app
YSoft NFC Tool is an Android application, which is used for setting up NFC tags. NFC tags are
small passive(without battery) stickers used for storing information. This information can be read
by Android or Windows devices that has support for NFC. SafeQ uses NFC tags for identifying
printers in Mobile Terminal Android and Windows application. If NFC tag is properly set up and
read by Mobile Terminal, the printer is identified and the user can log in. The application is meant
to be used with YSoft SafeQ NFC Tags NTAG213 (provided by Y Soft Corporation).
To read and write NFC tags with an Android device you have to turn on NFC technology on your
device. When prompted, place NFC tag over designated place on your device (can differ on every
model) and hold steady for few seconds. The application will inform you about successful or
unsuccessful operation.
This application is for writing information from generated QR code in Device section to the NFC
tag.
Main screen
NFC Disabled

The application detects if NFC technology is enabled or not on the device. If NFC is disabled, a
warning dialog is shown.
"Cancel" button will close the application because it is not possible to use the application
without NFC.
"Settings" button will redirect the user to phone settings to be able to turn NFC on.
The application cannot be used without enabled NFC technology.
NFC Enabled

When NFC is enabled this page will be shown.
The application is ready to be used on the current device.
Tapping "Scan" button will redirect the user to QR code scanning.
QR code scanning
Android 6.0 and above

In Android 6.0 and above the application will ask for camera permission.
Denying the camera access will make the application unusable. The camera is required to
successfully scan QR code.
General

To scan QR code, place the phone camera over the QR code.
After successful scanning, you will be redirected to Select NFC operation.
Select NFC operation
General

The user is informed about successful / unsuccessful scanning of QR code.
"Write to NFC" button will start writing sequence to NFC tag, show the dialog and will wait
for the user to hold NFC against the phone.
"Set password" button will show setting password window. This button serves for setting
the password on the NFC tag.
"Reset password" button will show resetting password window. This button serves for
deleting the password on the NFC tag.
This application is fully compatible only with YSoft SafeQ NFC Tags NTAG213 (provided
by Y Soft Corporation).
Setting password

Insert password dialog will inform user that this process cannot be reverted if password is
forgotten. There is no way to reset the password on NFC tag when the password is
forgotten.
In order to set password, user has to insert 4 digits. Otherwise warning will appear and action
will be canceled.
"Cancel" button will cancel "set password" operation.
"Ok" button will show dialog and wait for user to hold NFC tag to perform operation. When the
NFC tag is held against the device, the password is set.
Resetting password

Reset password dialog is shown when the user wants to reset the password on the NFC tag.
To reset the password, insert current password and tap "Ok" button. This will show a dialog
and wait for the user to hold NFC tag against the device.
When the NFC tag is held against the device, the user is informed about successful or
unsuccessful reset.
Ready to perform NFC operation

This dialog is shown during writing, setting or resetting the password.
During this dialog, the device is ready to perform selected action and is waiting for the user to
hold the tag against the device.
When the NFC tag is held against the device, the user is informed about the result:
Success - the operation was successful - example of successful operation.
Failed - the operation was unsuccessful - example of warning dialog.
"Cancel" button will stop the process.
Successful operation

The user is informed about successful operation. The required operation was done
successfully and NFC tag is modified.
"Ok" button will redirect user back to Select NFC operation.
Unsuccessful operation with warning

The user is informed about an unsuccessful operation. NFC tag was not modified.
Some of the possible reasons are:
NFC tag is protected / can not write.
Connection with NFC tag was lost during writing.
Not supported NFC tag.
Not supported NFC tag format.
"Close" button will redirect user back to Select NFC operation.
5.9.9 SYSTEM COMMUNICATION HARDENING
Right after installation, the most important links (sending jobs to FlexiSpooler in server mode,
communication between terminals and the Terminal Server) are encrypted by default using pre-
installed certificates (the same are used for every YSoft SafeQ 6 deployment), other links are
unencrypted by default. In order to make all the securable paths encrypted and subsystems
authenticated, everything (encryption and authentication via certificates) needs to be properly
configured. For the scheme of communication paths mentioned in this guide, please refer to
Communication paths.
This guide includes guidelines for enabling encrypted and authenticated communication through
whole YSoft SafeQ, generating and using own certificates for authentication of YSoft SafeQ
subsystems.
In order to follow this guide, generate certificates for all components and sign them with your
certification authority (CA), or even convert your already existing certificates to the appropriate
format, you will need the following command line tools:
Keytool
Keytool is a command-line utility provided with any standard Java distribution in <JAVA_HOME>
/bin. It is also distributed with YSoft SafeQ Management, located in < SAFEQ_HOME>
/Management/java/bin folder.
It is expected that the keytool.exe is stored in the PATH environment variable (e.g. <
SAFEQ_HOME>/Management/java/bin). If the variable does not exist, it is necessary to
specify the full path to keytool.exe in all keytool commands.

OpenSSL
OpenSSL is an open source project containing command line tool for working with the
cryptographic algorithms and protocols. Compiled Windows binaries can be obtained e.g. from
http://slproweb.com/products/Win32OpenSSL.html.
It is expected that the openssl.exe is stored in the PATH environment variable (e.g.: C:
\OpenSSL-Win32\bin). If the variable does not exist, it is necessary to specify the full path to
openssl.exe to run OpenSSL commands.
Some of the commands need the path to the file containing configuration options (openssl.cfg
or openssl.cnf). Example file is distributed together with the binaries. You can either add this
path to each such command in the -config argument, or set the following system variable:
OPENSSL_CONF = c:\OpenSSL-Win32\bin\openssl.cfg (path has to lead to the folder where

OpenSSL was installed)
5.9.9.2 Generating certification authority
The easiest way to achieve proper authentication is to use certificates signed by the same
authority. In case you do not have a certification authority (Root CA), perform the following steps:
1. Open command line and run following keytool command:
keytool -genkeypair -keyalg RSA -keysize 4096 -alias root -keystore root.jks -validity
3650 -ext BC=ca:true,pathlen:1
3. Answer the questions about organization when you are prompted for them:
Q: What is your first and last name?
A: enter name for your Root CA
Q: What is name of your organizational unit?
A: enter unit name
Q: What is the name of your organization?
A: enter organization name
Q: What is the name of your City or Locality?
A: enter organization city
Q: What is the name of your State or Province?
A: enter organization state

Q: What is the two-letter country code for this unit?
A: enter two-letters code for entered state
4. Write yes to confirm correctness of your answers.
5. Enter a password for key protection.
6. Your new Root CA key and certificate is stored in root.jks file.
7. Export public certificate of your Root CA from the root.jks to root.crt file:
keytool -exportcert -rfc -keystore root.jks -alias root -file root.crt
5.9.9.3 Installing your Root CA to truststores of YSoft SafeQ machines
The certificate of your Root CA needs to be trusted in all subsystem machines in order to make
them trust each other (using certificates signed by this Root CA).
Java Truststore
The subsystems using Java keystores and truststores (.jks files), i.e. Management, Spooler
Controller, End User Interface and Payment System need a truststore containing public certificate
of your root certification authority in order to trust all components, which send certificates signed
by this Root CA. To create such a truststore, open command line and run the following keytool
command:
keytool -import -keystore truststore.jks -file root.crt -alias rootca
Write yes to confirm you want to trust this certificate. If import was successful, the following
message should appear:
Certificate was added to keystore

Windows Certificate Store
Using the following steps you can install this CA to the Trusted Root Certification Authorities
store in Windows Certificate Store.
1. Run mmc (Microsoft Management Console)
2. Add Certificates snap-in, local computer (Computer Account).

3. Go to Trusted Root Certification Authorities \ Certificates and import the root.crt file
here.
5.9.9.4 Generating key/certificate in Java Keystore format
1. Open command line and run the following keytool command. It will generate a key, create a
new file safeqkeystore.jks and store the key in it.
keytool -genkeypair -keyalg RSA -keysize 2048 -alias safeq -keystore safeqkeystore.jks
Q: What is your first and last name?
A: enter name, e.g. IP address of your server

3.
Q: What is name of your organizational unit?
A: enter unit name
Q: What is the name of your organization?
A: enter organization name
Q: What is the name of your City or Locality?
Q: What is the name of your State or Province?
Q: What is the two-letter country code for this unit?
4. Confirm correctness of your answers by writing yes.
5. Enter a password for key protection.
This password is usually the same as the keystore password. Note that in case you set
different password for key protection, you will have to properly set additional
configuration properties on the server.
6. a) In case you want to use external certification authority, create certificate signing request
(safeqcertificate.csr) using following command.
keytool -certreq -keystore safeqkeystore.jks -alias safeq -keyalg rsa -storepass password
-file safeqcertificate.csr -ext SAN=ip:10.0.13.31,dn:safeq.myorg.local
This command will create safeqcertificate.csr file, which you need to send to the
certificate authority. You will receive your signed certificate (safeqcertificate.crt), along
with the certificate of this authority (root.crt). In case only one file (containing all

certificates needed) is received, skip the next step.
b) Otherwise, sign the certificate with your CA (root.jks file, e.g. created using the guide in
Generating certification authority chapter) using following keytool commands:
keytool -certreq -keystore safeqkeystore.jks -alias safeq -keyalg rsa -storepass

keystoreprotectingpassword | keytool -gencert -rfc -keystore root.jks -alias root -
storepass CAprotectingpassword -validity 365 -outfile safeqcertificate.crt -ext BC=ca:
false -ext SAN=ip:10.0.13.31,dn:safeq.myorg.local
The server hostname (domain name or IP address) is usually validated. In SAN extension,
specify the IP address and/or domain name of your server.
7. Copy the content of root.crt file at the end of the safeqcertificate.crt file.
In case you have longer certificate chain containing more than one certification
authority, the safeqcertificate.crt file needs to contain certificates of all of them in the
specified order. The first certificate is the server's one. Each following certificate
belongs to the authority which signed the previous certificate directly. The last one
belongs to the root CA.
You can use e.g. a text editor or the following command (in case of longer chain write all
the needed files in the above specified order):
type root.crt >> safeqcertificate.crt
8. Import the signed certificate back to the generated keystore. Use the following keytool
command:
keytool -import -keystore safeqkeystore.jks -file safeqcertificate.crt -alias safeq
Write yes to confirm you want to import these certificates. If import was successful, the
following message should appear:
Certificate reply was installed in keystore
5.9.9.5 Generating key/certificate in the Personal Information Exchange format
1. Open command line and run the following OpenSSL command to generate a key and
certificate signing request:
openssl req -new -out safeqcertificate.csr -keyout safeqcertificate.key -passout "pass:

password"

OpenSSL commands should always contain prefix pass:, correct string is "pass:my-
secret-password"
The default OpenSSL RSA key size is 2048 bits. However, some older MFDs do not
support it and for compatibility reasons you will have to generate a shorter key. Add the
following parameter to the aforementioned command:
-newkey rsa:1024
Q: Country Name (2 letter code) [AU]:
Q: State or Province Name (full name) [Some-State]:
Q: Locality Name (eg, city) []:
Q: Organization Name (eg, company) [YSoft]:
A: enter organization mane
Q: Organizational Unit Name (eg, section) []:
A: enter unit name
Q: Common Name (e.g. server FQDN or YOUR name) []:
A: enter name, e.g. IP address of the server (e.g. 10.0.11.31). This field is compulsory and
several (e.g. Xerox) devices require the IP address here
Q: Email Address []:
A: enter e-mail address

Do not fill optional 'extra' attributes.
3. a) In case you want to use external certification authority, send the created certificate
signing request safeqcertificate.csr to them for signing. You will receive your signed
certificate (safeqcertificate.crt), along with the certificate of this authority (root.crt).
b) Otherwise, sign your request with your CA (root.jks file, e.g. created using the guide in
Generating certification authority chapter) using following keytool command:
keytool -gencert -rfc -keystore root.jks -alias root -storepass CAprotectingpassword -

validity 365 -outfile safeqcertificate.crt -infile safeqcertificate.csr -ext BC=ca:false -
ext SAN=ip:10.0.5.31,dn:safeq.myorg.local
Server hostname (domain name or IP address) is usually validated. In SAN extension,

specify the IP address and/or domain name of your server.
The default keytool signature algorithm is SHA256withRSA. However, some older MFDs
do not support it and for compatibility reasons you will have to sign certificate using
older (not recommended) algorithm. Add the following parameter to the aforementioned
command:
-sigalg sha1withRSA
4. Create a Personal Information Exchange (.pfx) file.

4.
openssl pkcs12 -export -inkey safeqcertificate.key -in safeqcertificate.crt -out

safeqcertificate.pfx -chain -CAfile root.crt -caname root
It is possible to specify a cryptographic provider for the generated Personal Information

Exchange file. This is needed for example for the proprietary protocol for secure
connection with YSoft SafeQ Spooler Controller, where the Microsoft Enhanced RSA and
AES Cryptographic Provider must be used. It can be done by adding the following
parameter to the command above:
-CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
In Windows Server 2012 it is not needed to generate Personal Information Exchange file
with a Cryptographic Service Provider (CSP) specified, it is enough to import this file into
Windows Certificate Store using this provider. However, in Windows Server 2008 this is
a must.
5.9.9.6 Communication paths
The scheme below contains communication paths which are secured by default or securable
using the System communication hardening guide.
Color coding:
Grey color - internal component, part of YSoft SafeQ solution
White color - external system
Communication paths:
Full line - the communication link can be secured
Dashed line - the communication link cannot be secured

Purpose Not Secured
secured
(1) Configuring SSL/TLS for Administrator access to HTTP TLS (HTTPS)

Management web interface SafeQ Management web
interface
(2) Setting the secure connection Communication between Proprietary TLS (proprietary)
between cluster nodes nodes in a cluster [default]
(3) Setting secured SafeQ Inter server Proprietary TLS (proprietary)

communication between communication [default]
YSoft SafeQ Management and
Spooler Controller
(4) Setting secured Authentication data Proprietary Proprietary

communication with Spooler [default] (proprietary)
Controller
(5) Setting server spooler Print from client computer, HTTP TLS (HTTPS)
authentication for job transfer far roaming [default]
(6) Configuring secured Authentication data from n/a TLS (proprietary or

connection between terminals terminal to YSoft SafeQ SOAP) [default]
and Terminal Server server
(7) Print from mobile phone n/a

Purpose Not Secured
secured
Setting custom certificate on TLS (IPP over SSL)

YSoft SafeQ Mobile Integration [default]
Gateway web interface
(8) Configuring SSL/TLS for YSoft Access to YSoft Payment HTTP TLS (HTTPS)
SafeQ Payment System System web interface [default]
(9) Configuring SSL/TLS for End Access to End User Interface HTTP TLS (HTTPS)
User Interface [default]
(10) Getting certificate for setting Scanned document to HTTP TLS (HTTPS)
up SharePoint 2013 add-in SharePoint [default]
environment
(11) Release of the print job RAW TCP, TLS (IPPSSL)

IPP
(12) Configuring secured User information LDAP TLS (LDAPS)

connection to the LDAP server
(13) Receiving document by the POP3/IMAP TLS (POP3S

server /IMAPS)
(14) Notifications, scanned SMTP TLS (SMTPS)

document to email
5.9.9.7 Configuring SSL/TLS for Management web interface
By default, YSoft SafeQ Management uses certificate distributed with YSoft SafeQ to provide
encrypted communication with the web interface. In order to ensure both encrypted and
authenticated connection, you need to use certificate trusted in your environment.
This guide will help you with the configuration of the secured connection (HTTPS) to the YSoft
SafeQ Management web interface, using a CA-signed certificate.
CA-signed certificate requirements
The certificate must be signed by a certification authority trusted in your environment.
Certificate (fields Common Name and Subject Alternative Name) must contain all network
names (i.e. all hostnames, fully qualified domain names and IP addresses) used for connection
to the respective Management server.
For importing the key/certificate you need it in an appropriate format - two separate PEM files,
one containing the private key (usually with .key extension) and one with the whole certificate
chain (usually with .crt extension).

The certificate file needs to contain all certificates in the chain in a specified order. The first
certificate is the Management's one. Each following certificate belongs to the authority which
signed the previous certificate directly. The last one belongs to the Root CA.
The private key needs to be protected by a password.
In case your key/certificate is in a different format than specified, convert it following the
in Personal Information Exchange format chapter (steps 1 - 3) in System communication
hardening and make sure your certificate file contains all certificates in the chain in the
correct order.
Configuring YSoft SafeQ Management to use secure communication channel
In case the Management Server cluster is used, the following steps have to be performed on
every node of the Management Server cluster.
1. Stop YSoft SafeQ Management Service service on YSoft SafeQ server.
2. Copy your key and certificate files to the server where the YSoft SafeQ Management is
installed.
3. Set following attributes in <management_folder>\tomcat\conf\server.xml file (usually C:

\SafeQ6\Management\tomcat\conf\server.xml):
certificateFile = "absolute/path/to/your/safeqcertificate.crt"
certificateChainFile = "absolute/path/to/your/safeqcertificate.crt"
certificateKeyFile = "absolute/path/to/your/safeqcertificate.key"
certificateKeyPassword = "key protecting password"
4. If you wish to enable automatic redirection from unsecured connection (HTTP port 80) to
the secured connection (HTTPS port 443), edit <management_folder>\tomcat\conf\web.xml
and append these lines before the </web-app> tag:
<security-constraint>
<web-resource-collection>
<web-resource-name>Automatic SLL Forwarding</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

5. Start the YSoft SafeQ Management Service service on YSoft SafeQ server.
6. Verify that YSoft SafeQ Management web interface is functional and uses your own
certificate (open https://<safeq_server_IP> in browser, click on the lock and View
certificate button). In case you enabled the automatic redirection to HTTPS, opening the
http://<safeq_server_IP> address will be automatically redirected to https protocol.
Example of Tomcat HTTPS configuration
The configuration is stored in <management_folder>\tomcat\conf\server.xml (usually C:

\SafeQ6\Management\tomcat\server.xml).
Keep HTTP non-SSL port (default 80) as the first in XML. Installer requires HTTP port to be the
first in definition. HTTPS should be the second one.
<Connector port="80"
protocol="HTTP/1.1"
redirectPort="443"
connectionTimeout="20000" />
protocol="HTTP/1.1"
maxHttpHeaderSize="8192"
maxThreads="200"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
URIEncoding="UTF-8"
scheme="https"
secure="true"
SSLEnabled="true">
<SSLHostConfig certificateVerification="none"
protocols="TLSv1.2,TLSv1.3"
ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-
CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-
AES128-SHA256">
<Certificate certificateFile="${catalina.home}/conf/safeqcertificate.crt"
certificateChainFile="${catalina.home}/conf/safeqcertificate.crt"
certificateKeyFile="${catalina.home}/conf/safeqcertificate.key"
certificateKeyPassword="*****" />
</SSLHostConfig>
</Connector>
The default, pre-installed private key is stored in <management_folder>\tomcat\conf\safeq-tomcat.

key file. The private key is protected by password specified in the configuration file with
certificateKeyPassword attribute.
The pre-installed certificate is stored in <management_folder>\tomcat\conf\safeq-tomcat.crt file.

As a default, TLSv1.2 and TLSv1.3 are the only SSL/TLS protocol versions supported. Please
note, that there are issues when lower versions are configured at the same time as TLSv1.3. If
you need to support lower versions for the compatibility reasons, TLSv1.3 must be removed.
You will also need to update the list of supported cipher suites to add the ones compatible
with the required version.
5.9.9.8 Configuring secured connection to the LDAP server
This page complements information from LDAP Integration with additional details related to
security. When configuring the LDAP server connection, specifying LDAPS as a protocol (property
URL of LDAP server starting with LDAPS:) will lead to encrypted connection using SSL/TLS.
Supported SSL/TLS versions are SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. The default protocol is TLS
1.2 since several weaknesses were found in the lower versions. To change the protocol version,
go to the System settings (using Expert options) and modify the
cryptographicProtocolsForOutboundCommunication property (the recommended setting is
configured by the value TLSv1.2). More protocols can be specified in order of priority separated by
comma.
SSL/TLS cipher suites used for LDAPS communication can be customized by the
customCipherSuitesForOutboundCommunication property (use the IANA names in order of
priority, separated by comma). However, not all cipher suites are supported for this
communication link and note that some combinations of protocols and ciphersuites are not valid.
8 high-security and tested cipher suites compatible with TLS 1.2 are set by default:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
The configured cipher suites are used only when the property
allowCustomCipherSuitesForOutboundCommunication is set to Enabled (the default setting). By
setting it to Disabled, a wider range of cipher suites will be automatically used based on the
protocol configured. This setting can ensure better compatibility with legacy systems but also
potentially decrease the security level.

Server authentication
The authentication is ensured via SSL/TLS certificates. There are four options for certificate
verification available in System > LDAP Integration > Settings (in Basic mode):
Windows certificate store -The LDAP server certificate is verified using certification
authorities set in Windows and has to match the value of URL of LDAP server. This is the
default option.
Java truststore (with hostname check) -The certificate is verified using authorities in a
dedicated Java truststore where the certificate authority needs to be installed. The certificate
also has to match the value of URL of LDAP server.
Java truststore (without hostname check) - The certificate is also verified using the Java
truststore but the certificate doesn't have to match any URL.
No certificate check (insecure) - Any certificate is accepted for TLS connection.
See below for more details regarding the required configuration and security of different options.
These options supersede options hash and secure available in previous product versions.
During the update, if LDAPS is configured, the option hash is automatically changed to No
certificate check (insecure) and the option secure is converted to Java truststore (without
hostname check). Please select an option which suites your needs the best. If plain LDAP is
configured in the time of update, the option Windows certificate store is used as the default.
Change the protocol in the URL of LDAP server option to LDAPS to enable secure connection.

For the
Windows certificate store option, that store has to contain the certificate authority which
signed the LDAP server certificate. If it is not already imported or the LDAP server certificate is
not signed properly, see System communication hardening for instructions.
For the both Java truststore options, the certificate authority (or the certificate itself) needs to
be present in a dedicated Java truststore. This ssl-truststore file can be found in the
<management_folder>\conf\ folder. If the LDAP server certificate is not signed by a public
certificate authority, run the following keytool command to import the certificate or the private
authority used to sign it:
keytool -import -keystore ssl-truststore -file ldap_server_certificate.crt -alias

ldap_server_certificate
The command will ask for a truststore password, which can be found in the <management folder>
/tomcat/conf/server.xml file. Third party tools with graphical interface such as KeyStore Explorer
can also be used if preferred.
Note that for Windows certificate store and Java truststore (with hostname check) options,
the LDAP server certificate has to have SAN (Subject Alternative Name) or Common Name
extensions correctly set as specified in RFC 2830. The value in that field has to match the
hostname or IP address configured by the URL of LDAP server setting. For example, if the
certificate contains only the domain name of the LDAP server in SAN, the configured URL has to
use that domain name and not the IP address nor a different domain name pointing to the server.
The Java truststore (without hostname check) option does not check values in SAN nor
Common Name. This means that certificates signed by authorities in the truststore are
interchangeable and every owner of a private key for any of those certificates can spoof the

LDAP server identity and thus break the confidentiality or integrity of the data transferred. For
this reason, all public certificate authorities have to be removed from the ssl-truststore file. This
option should be used only in specific cases where certificates with proper server identification
cannot be used.
For the Windows certificate store option and the both Java truststore options, note that very
weak algorithms such as MD5 for hashing or RSA with a key length below 1024 bits for signature
are disabled. Certificates using those algorithms cannot be used for LDAPS connection as they
provide poor security. Certificate revocation is not supported.
The No certificate check (insecure) option skips all certificate security checks and server
identity is not verified. The communication is still encrypted but as any certificate is considered
valid, the LDAP server identity can be spoofed and an active attacker might break the
confidentiality or integrity of data transferred. This option is intended especially for testing
environments where no sensitive data is transferred but LDAPS connection needs to be used.
Client authentication
YSoft SafeQ authenticates to the LDAP server with username and password (unless anonymous
access is configured). One of the two bind methods can be selected in System > LDAP
Integration > Settings (in Basic mode) – Simple bind or LDAPv3 SASL DIGEST-MD5. Simple bind
is configured by default; however, it is not recommended to be used without LDAPS as all data
(including service account credentials) would be transferred without any confidentiality or
integrity protection. Moreover, Microsoft advises to enforce LDAP signing on Active Directory
servers which prevents to connect to such server with plain LDAP and simple bind. In contrast,
LDAP integration using simple bind and LDAPS is still supported as the whole communication
channel is protected by TLS (SSL).
When method LDAPv3 SASL DIGEST-MD5 is configured, YSoft SafeQ can integrate with an LDAP
server enforcing LDAP signing even if LDAPS is not used. In this case, password confidentiality
and data integrity is enforced on the level of LDAP protocol. Also, the data is encrypted if the
LDAP server supports it. However, it is still recommended to use LDAPS for higher security. Note
that using the DIGEST-MD5 method together with LDAPS will fail if the LDAP server strictly
enforces LDAP channel binding, which is not supported in this case.
Limitations of using LDAPv3 SASL DIGEST-MD5 binding method
Using the DIGEST-MD5 method has several limitations in contrast to simple bind (which is more
universal):
IP address in the LDAP URL is not supported, only a domain name
The domain name in the LDAP URL must match a Service Principal Name (SPN) of the LDAP
server, this may be an issue if DNS load balancing/failover is used (unless that DNS name is
added as SPN to the end servers)
Default authentication realm (offered by the LDAP server) is used, there is no way to use a
different realm, username must be unique globally

DIGEST-MD5 method with LDAPS does not support channel binding, it cannot be used if the
server has registry LdapEnforceChannelBinding configured to value 2
The method has only been tested with Active Directory in the role of the LDAP server
Troubleshooting
YSoft SafeQ replicator logs
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 -

00002028: LdapErr: DSID-0C09023C, comment: The server requires binds to
turn on integrity checking if SSL\TLS are not already active on the
connection, data 0, v4563 ]
Plain LDAP is used with simple bind to connect to a server requiring signing. Switch to LDAPS or
change the bind method to DIGEST-MD5.
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C:

LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e,
v4563 ]
Credentials are invalid. If DIGEST-MD5 method is used, check if format of the username is correct
(it should be plain username with no prefixes or suffixes).
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346:

LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data
80090346, v4563 ]
LDAP channel binding is required by the LDAP server. Use LDAPS with simple bind or plain LDAP
with DIGEST-MD5 method.
javax.naming.CommunicationException: <URL> [Root exception is javax.net.

ssl.SSLHandshakeException: PKIX path building failed: sun.security.
provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target]
LDAPS is configured but the certificate of the LDAP server is not trusted. Import the certificate
authority correctly and select an appropriate method of certificate check. (This is actually an error
in server authentication.)

5.9.9.9 Setting the secure connection between cluster nodes
The communication between cluster nodes is not secured by default. In order to start encrypted
and authenticated communication, all the cluster nodes need to be properly configured to use the
same security settings. If one of the sides is set secure and the others are not, the
communication doesn't work.
This guide will help you with the configuration of the secured connection between cluster nodes,
using CA-signed certificates.
to the respective server.
For importing the certificate you need an appropriate format - Java Keystore (.jks file)
containing the private key and whole certificate chain.
Both the keystore and key itself need to be protected by a password
You will also need a truststore, file containing certificate of the root certification authority,
again in the Java Keystore (.jks) format.
In case your key/certificate is in a different format than Java Keystore, convert it following the
in Java Keystore format chapter in System communication hardening.
Node settings
Perform the following steps for each one of the Management servers in the cluster.
1. Stop YSoft SafeQ Management Service service in YSoft SafeQ server.
2. Copy your key/certificate and certificate of the root certification authority, both in the Java
Keystore format, to the <management_folder>\conf\ (usually C:\SafeQ6\Management\conf\)
directory on the server with YSoft SafeQ Management.
3. Go to <management_folder>\conf\ (usually C:\SafeQ6\Management\conf\) and create there

a new file, clusterCommunicator.conf.

When this file is present in the specified directory, correctly configured and accessible
for read, then the settings specified are applied and communication between
Management servers in the cluster will start in secure mode.
4. Set following properties in the clusterCommunicator.conf file:
# this property sets security in Communicator on/off if set to false then resp of
properties are ignored (MANDATORY)
secureCommunicationEnabled=true
# name of Java truststore file in current directory (MANDATORY)
truststoreFile=truststore.jks
# password to java truststore if not set default value 'changeit' is used (OPTIONAL)
truststorePassword=changeit
# name of Java keystore file in current directory (MANDATORY)
keyStoreFile=keystore.jks
# password to java keystore if not set default value 'changeit' is used (OPTIONAL)
keystorePassword=changeit
# protocol type as defined by Java SSL specification (MANDATORY)
sslProtocol=TLS
# this option forces CML to require SPOC authentication (MANDATORY)
clientAuthenticationRequired=true
# available protocols as defined by Java SSL specification (OPTIONAL)
#allowedProtocols =
# available cipher sutes as defined by Java SSL specification (OPTIONAL)
#allowedCiphersuites =
The clusterCommunicator.conf file has to refer to correct Java keystore and

truststore files that have to be placed in the same SafeQ conf directory as this
configuration file.
5. Start the YSoft SafeQ Management Service service.
Example of clusterCommunicator.conf file configuration
truststorePassword=password
keyStoreFile=safeqkeystore.jks
keystorePassword=keystoreprotectingpassword
sslProtocol=TLS

5.9.9.10 Setting secured communication between YSoft SafeQ Management and Spooler
Controller
The communication between YSoft SafeQ Management Service and YSoft SafeQ Spooler
Controller is not secured by default. In order to start encrypted and authenticated communication,
both sides need to be properly configured to use the same security settings. If one of the sides is
set secure and the other one is not, the communication does not work.
This guide will help you with the configuration of the secured connection between YSoft SafeQ
Management and YSoft SafeQ Spooler Controller, using CA-signed certificates.
For multi-tenant deployment it's recommended to enable which is described in section

Hardening multi tenant deployment with Spooler Controller tenant identity validation.
in Java Keystore format chapter in System communication hardening .
YSoft SafeQ Management settings
1. Stop YSoft SafeQ Management Service service in YSoft SafeQ server.
Keystore format, to the <management_folder>\conf\ (usually C:\SafeQ6\Management\conf\)
directory on the server with YSoft SafeQ Management.
3. Go to <management_folder>\conf\ (usually C:\SafeQ6\Management\conf\) and create there

a new file, communicator.conf.

3.
for read, then the settings specified are applied and communication between YSoft
SafeQ Spooler Controller and YSoft SafeQ Management will start in secure mode.
4. Set following properties in the communicator.conf file:
sslProtocol=TLS
#allowedProtocols =
The communicator.conf file has to refer to correct Java keystore and truststore files
that have to be placed in the same SafeQ conf directory as this configuration file.
5. Start the YSoft SafeQ Management Service service.
YSoft SafeQ Spooler Controller settings
1. Stop YSoft SafeQ Spooler Controller service.
Keystore format, to the <spoc_folder>\conf\ (usually C:\SafeQ6\SPOC\conf\) directory on
the server with YSoft SafeQ Spooler Controller.
3. Go to <spoc_folder>\conf\ (usually C:\SafeQ6\SPOC\conf\) and create there a new file,

communicator.conf.
for read, then the settings specified are applied and communication between YSoft
SafeQ Spooler Controller and YSoft SafeQ Management Service will start in secure
mode.
4.

4. Set following properties in the communicator.conf file:
sslProtocol=TLS
#allowedProtocols =
The communicator.conf file has to refer to correct Java keystore and truststore files
that have to be placed in the same SafeQ conf directory as this configuration file.
5. Start the YSoft SafeQ Spooler Controller service.
Example of communicator.conf file configuration
truststorePassword=password
keyStoreFile=safeqkeystore.jks
keystorePassword=keystoreprotectingpassword
sslProtocol=TLS
Hardening multi tenant deployment with Spooler Controller tenant identity validation
Configuration described above is sufficient for single tenant deployments.

In case of multi tenant deployment it might be useful to enable also Validate Spooler Controller
tenant identity (option tenantValidationEnabled).
With this option enabled, Management Service ensures that communication with any YSoft SafeQ
Spooler Controller is authentic and prevents any attempt to impersonate other tenants in case of
compromised YSoft SafeQ Site Server.

For this validation to work, it is necessary to include additional metadata in SSL certificate of
each YSoft SafeQ Spooler Controller within the YSoft SafeQ deployment.
When Spooler Controller tenant identity validation is enabled, YSoft SafeQ Management
Service accepts only communication from YSoft SafeQ Spooler Controller, which have trusted
SSL certificate with required metadata.
If YSoft SafeQ Spooler Controller lacks required metadata in certificate or if the metadata are
incorrect, then all communication from this YSoft SafeQ Spooler Controller is rejected.
Spooler controller validation requires secured communication between YSoft SafeQ

Management Service and Spooler Controller. Plain communication would be rejected during
validation.
For this feature, SSL certificate of YSoft SafeQ Spooler Controller must contain:
Subject Alternative Name extension
this extension must contain entry of type Directory Name where field Organization
Name is set to your tenant domain
for example: if there is tenant with domain samplecompany, then SSL certificate must
contain O=samplecompany
Tenant domain can be configured only during tenant creation.
Tenant domain must be set in client certificate of each YSoft SafeQ Spooler Controller in
extension Subject Alternative Name in Directory Name entry and it's organization name field.

Once each YSoft SafeQ Spooler Controller of each tenant withing YSoft SafeQ 6 deployment
contains certificate with matching tenant domain entry, then the validation can be enabled.
1. Enable Validate Spooler Controller tenant identity. In the Management web interface go to
the System Configuration and under Expert options find the following parameter
tenantValidationEnabled
and set it to Enabled. This option is visible only in cloud administration if multi-tenant
license is enabled or together with other settings without multi-tenant license.
2. Restart YSoft SafeQ Management Services. This step forces all YSoft SafeQ Spooler
Controllers to reconnect and properly validate the communication.
5.9.9.11 Setting secured communication with Spooler Controller
Communication with Spooler Controller is not secured by default. In order to start encrypted and
authenticated communication, security needs to be enabled and certificates properly set on all
the following components (if used). All sides need to be configured to use the same security
settings. If one of the sides is set secure and the others are not, the communication does not
work.
This guide covers security settings for all the following components:
Spooler Controller
End User Interface

FlexiSpooler
Mobile Print Server
Mobile Integration Gateway
In order to improve performance, the key agreement is not performed for each message, but once
a specific time instead. This period can be configured in the sessionLifeTimeMinutes system
property in the YSoft SafeQ web interface (Advanced option).
CA-signed certificate requirements for Spooler Controller and End User Interface
CA-signed certificate requirements for FlexiSpooler, Mobile Print Server, Workflow Processing
System and Mobile Integration Gateway
For importing the certificate you need it in an appropriate format - Personal Information
Exchange (.pfx file) containing the private key and whole certificate chain.
Must be created using the Microsoft Enhanced RSA and AES Cryptographic Provider.

In case your key/certificate is in a different format than Personal Information Exchange, you
can convert it following the guide in Conversions between different keystores and certificate
types .
in Personal Information Exchange format chapter in System communication hardening.
Spooler Controller settings
Following settings apply for both cases, when Spooler Controller acts as a server and as a client.
In order to enable security, follow the steps below.
1. Stop YSoft SafeQ Spooler Controller service.
2. Enable encrypted communication with Spooler Controller. In the Management web interface
go to the System Configuration and under Expert options find the following parameter
usePlainCommunicationForOrsSubsystems
and set it to Disabled.
Keystore format, to the server where the Spooler Controller is installed.
4. Set following properties in the <spoc_folder>\conf\ymq_config.properties file (usually C:

\SafeQ6\SPOC\conf\ymq_config.properties):
keyStorePath=absolute/path/to/your/keystore.jks
keyStorePassword=keystoreprotectingpassword
keyStoreAlias=safeq
keyStoreAliasPassword=keyprotectingpassword
trustStorePath=absolute/path/to/your/truststore.jks
trustStorePassword=truststoreprotectingpassword
ellipticCurve=secp256r1
certificateValidationMode=VALIDATE_CERTIFICATE
certificateValidationMode property is currently mandatory. Recommended value

is VALIDATE_CERTIFICATE, what means everything is validated including server
hostname. In case you have problems with hostname verification (wrong or missing IP
address in the SAN field of the server certificate), you may select IGNORE_HOSTNAME
value. This option is taken into account only if this Spooler Controller acts as a client
(server is always ignoring client's hostname).
5. Start the YSoft SafeQ Spooler Controller service.

End User Interface settings
Follow the steps below to set secure connection of the End User Interface to the Spooler
Controller, which is set to communicate securely.
1. Stop YSoft SafeQ End User Interface service.
Keystore format, to the server where EUI is installed.
3. Set following properties in the <eui_folder>\ui-conf\environment-configuration.properties file

(usually C:\SafeQ6\SPOC\EUI\ui-conf\environment-configuration.properties):
messagingContext.secureMechanism=secured-messaging-context
messagingContext.keyStorePath=absolute/path/to/your/keystore.jks
messagingContext.keyStorePassword=keystoreprotectingpassword
messagingContext.keyStoreAlias=safeq
messagingContext.keyStoreAliasPassword=keyprotectingpassword
messagingContext.trustStorePath=absolute/path/to/your/truststore.jks
messagingContext.trustStorePassword=truststoreprotectingpassword
messagingContext.ellipticCurve=secp256r1
messagingContext.encryptionKeyLength=16
There is one additional property which you can set:
messagingContext.certificateValidationMode - default value is

IGNORE_HOSTNAME. You should select VALIDATE_CERTIFICATE value unless you have
problems with hostname verification (wrong or missing IP address in the SAN field of
the SPOC certificate). VALIDATE_CERTIFICATE value means that everything is validated
including server hostname.
4. Start the YSoft SafeQ End User Interface service.
FlexiSpooler settings
1. Stop YSoft SafeQ FlexiSpooler service.
2. Copy your key/certificate in the Personal Information Exchange format to the server where
the FlexiSpooler is installed.
3. Import the key with signed certificate to Windows Certificate store.

In Windows Server 2012 use the following command:
certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "My"
"safeqcertificate.pfx"
In the Windows Server 2008 use the following command:

certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx
4. If you have not installed your Root CA as a trusted authority yet, do it following the guide in
chapter Installing your Root CA to truststores of SafeQ machines - Windows Certificate
Store in System communication hardening.
5. Set following properties in the <fsp_folder>\Service\spooler.config file (usually C:
\SafeQ6\FSP\Service\spooler.config):
"CertificateThumbprint":"000102030405060708090a0b0c0d0e0f10111213","encryption":"Aes128"
The value is a thumbprint (SHA1 hash) of a certificate stored in Windows certificate

store, in the Local Computer \ Personal folder. You can obtain the thumbprint by
opening the certificate (.cer or .crt) file in Windows. In the Details tab you can find the
Thumbprint field. Remove spaces and make sure there are no invisible characters when
copying the value from the window (it adds an invisible character at the beginning!).
In case you have problems with hostname verification (wrong or missing IP address in
the SAN field of the SPOC certificate), you may turn off hostname verification by using
value ValidateServerCertificateHost ("ValidateServerCertificateHost":"
false") in the spooler.config file. This is, however, not recommended. If you do not
specify it, the default value is true.
6. Start the YSoft SafeQ FlexiSpooler service.
Mobile Print Server settings
1. Stop YSoft SafeQ Mobile Print Server service.
the Mobile Print Server is installed.


5. In the <mps_folder>\Service\conf\mps.config file (usually C:\SafeQ6\MPS\Service\conf\mps.
config) edit the following tag to contain certificate thumbprint (hash) and the encryption
type.
<communicator connectionLostTimeout="4000" controllerPort="5555" certificateThumbprint="00

0102030405060708090a0b0c0d0e0f101213" encryption="Aes128" />

store, in Local Computer \ Personal folder. You can obtain the thumbprint by opening
the certificate (.cer or .crt) file in Windows. In the Details tab you can find the
the SAN field of the Spooler Controller certificate), you may turn off hostname
verification by using attribute ValidateServerCertificateHost (
ValidateServerCertificateHost="false") in the communicator tag above. This
is, however, not recommended. If you do not specify it, the default value is true.
6. Start the YSoft SafeQ Mobile Print Server service.
Workflow Processing System settings
1. Stop YSoft SafeQ Workflow Processing System service.
the Workflow Processing System is installed.
certutil.exe -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "My"
certutil.exe -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx

5. In the <wps_folder>\WpsService.exe.config file (usually C:\SafeQ6\WPS\WpsService.exe.
config) add the following keys, where the value of certificateThumbprint key is set to the
client certificate thumbprint (hash):
<add key="certificateThumbprint" value="000102030405060708090a0b0c0d0e0f101213" />

<add key="ymqEncryption" value="Aes128" />

the certificate (.cer or .crt) file in Windows. In the Details tab, you can find the
the SAN field of the Spooler Controller certificate), you may turn off hostname
verification by using key validateServerCertificateHost ( <add key="
validateServerCertificateHost" value="false" />) in the WpsService.exe.
config file. This is, however, not recommended. If you do not specify it, the default value
is true. If the validation is enabled, Workflow Processing System will check that CN
specified in the certificate matches with Spooler Controller server address specified in
the configuration file.
6. Start the YSoft SafeQ Workflow Processing System service.
Terminal Server settings
Once Workflow Processing System is set for secure communication, Workflow Processing System
endpoint is accessible only using HTTPS address. You need to set this in the Terminal Server
configurations along with the valid certificate.
In case you have problems with hostname verification (wrong or missing IP address in the
SAN field of the Workflow Processing System certificate), you may turn off hostname
verification by using key validateServerCertificateHost ( <add key="
validateServerCertificateHost" value="false" /> ) in the
<spoc_folder>terminalserver\ TerminalServer.exe.config file (usually C:

\SafeQ6\SPOC\terminalserver\TerminalServer.exe.config). This is, however, not recommended.
If you do not specify it, the default value is true. If the validation is enabled, Terminal Server
will check that CN specified in the certificate matches with Workflow Processing System
server address specified in the configuration file.
Mobile Integration Gateway settings
1. Stop YSoft Mobile Integration Gateway service.
the Mobile Integration Gateway is installed.

5. In the <mig_folder>\bin\MigService.exe.config file (usually C:\SafeQ6\MIG\bin\MigService.exe.
config) add the following key with value set to the client certificate thumbprint (hash).
<add key="certificate-hash" value="000102030405060708090a0b0c0d0e0f10111213" />

the certificate (.cer or .crt) file in Windows. In the Details tab you can find the
6. Start the YSoft Mobile Integration Gateway service.

5.9.9.12 Setting server spooler authentication for job transfer
This communication link is encrypted by default. However, the pre-installed certificate cannot
have the correct IP address/domain name of your machine where FlexiSpooler is installed and
thus it is ignored on the client side (FlexiSpooler in the client mode, Mobile Print Server, Mobile
Integration Gateway ). In order to ensure secure connection, you need to use certificate trusted
in your environment.
This guide will help you with the configuration of the secured connection (HTTPS) to the
FlexiSpooler in the server mode, using a CA-signed certificate.
Certificate of your Root CA must be installed on all subsystems you use for sending job data
to FlexiSpooler (client Spooler, Mobile Print Server, Mobile Integration Gateway ), otherwise
after the certificate validation is enabled, this communication would be denied by the client.
to the FlexiSpooler in server mode.
types.
Configuring Server FlexiSpooler to use secure communication channel
In the <fsp_folder>\Service\spooler.config (usually C:\SafeQ6\FSP\Service\spooler.config)

configuration file specify the certificate source by adding or modifying configuration option
dsCertificateSource.This option has three possible values (all case insensitive):
Default - default certificate provided with YSoft SafeQ

WindowsCertStore - finds certificate in Windows Certificate Store
FileSystem - tries to find certificate on local or network storage

1. Stop the YSoft SafeQ FlexiSpooler service.
2. Copy your key/certificate in the Personal Information exchange format to the server where

certutil.exe -importpfx "My" "safeqcertificate.pfx"
certutil.exe -importpfx "safeqcertificate.pfx"
4. In the <fsp_folder>\Service\spooler.config (usually C:\SafeQ6\FSP\Service\spooler.config)

configuration file add or modify following configuration options:
"dsCertificateSource":"windowscertstore",
"dsCertificateStore":"my",
"dsCertificateStoreIdentifier":"000102030405060708090a0b0c0d0e0f10111213"
Configuration option dsCertificateStoreIdentifier is used for specification of certificate

in selected certificate store. The certificate in store can be specified by its name (value
entered in Common Name (CN) field when generating a certificate signing request) or by
its unique thumbprint , which can be obtained by double-clicking the certificate and
browsing the Details tab for Thumbprint field. In case you are copying certificate
thumbprint from the window, remove spaces and make sure there are no invisible
characters (it adds an invisible character at the beginning!).
File system
1. Stop the YSoft SafeQ FlexiSpooler service.
3. In the <fsp_folder>\Service\spooler.config (usually C:\SafeQ6\FSP\Service\spooler.config)

configuration file add or modify following configuration options:
"dsCertificateSource":"filesystem",

"dsCertificateFileSource":"absolute\path\to\your\certificate.pfx"
FlexiSpooler loads certificate from filesystem. This certificate is automatically installed

into Windows Certificate Store specified by configuration option dsCertificateStore.
To specify location of file on local disc or network storage, configuration option

dsCertificateFileSource must be provided. Path to the certificate can be specified as
follows:
Full path to certificate file - e.g. C:\Certificates\fsp.pfx
Directory containing certificate - e.g. C:\Certificates, first .pfx file found in this
directory is taken
Client FlexiSpooler settings
In the <fsp_folder>\Service\spooler.config (usually C:\SafeQ6\FSP\Service\spooler.config)

configuration file set the following property to validate the server certificate:
"IgnoreCertificateChainError":"false"
Mobile Print Server settings
In the <mps_folder>\Service\conf\mps.config (usually C:\SafeQ6\MPS\Service\conf\mps.config)

configuration file set the following property to validate the server certificate:
<mps>
<http ignoreCertificateChainErrors="false" />
...
</mps>
Mobile Integration Gateway settings
In the <mig_folder>\bin\MigService.exe.config file (usually C:\SafeQ6\MIG\bin\MigService.exe.

config) edit the following key to enable certificate validation:
<add key="validate-spooler-certificate" value="T" />
Notes
This setting provides server verification only. Without verification of the client anyone in the
internal network is able to call and use FlexiSpooler web API. Find more at YSoft SafeQ
FlexiSpooler Security considerations.

5.9.9.13 Configuring secured connection between terminals and Terminal Server
Setting Terminal Server certificate
By default, Terminal Server uses certificate distributed with YSoft SafeQ to provide encrypted
communication between Terminal Server and MFDs. This certificate can be found in
<install_dir>\SPOC\terminalserver\Certificates. Terminal Server can also use external
certificates provided by Windows Certificate Store or file system.
Certificate of your Root CA must be uploaded to MFD (following the vendor's guide). Otherwise
MFD might reject certificate and users will be unable to login.
to the Terminal Server.
The time while the certificate is valid is also important. The expiration date is added to the
certificate by its signer, thus in case of self-signed certificate or certificate signed by your CA,
it is up to you, how long it will be valid. In case you want certificates signed by a trusted third-
party CA, they will set this value according to their policy.
types.
in Personal Information Exchange format chapter in System communication hardening.

Configuring Terminal Server to use your certificate
In the TerminalServer.exe.config configuration file

(<install_dir>\SPOC\terminalserver\TerminalServer.exe.config) specify the certificate source by
adding or modifying configuration option dsCertificateSource located in the appSettings section.
This option has three possible values (all case insensitive):
Default - default certificate provided with YSoft SafeQ

WindowsCertStore - finds certificate in Windows Certificate Store
FileSystem - tries to find certificate on local or network storage
All the settings in this chapter can be also configured in the Management web interface, under
Expert configuration options. This works as a global configuration for all Terminal Servers and
FlexiSpoolers in SafeQ system. Since there should be different certificates for each Terminal
Server (e.g. because of the domain name / IP address validation), this is not recommended.
the Terminal Server is installed.

4. In the TerminalServer.exe.config configuration file

(<install_dir>\SPOC\terminalserver\TerminalServer.exe.config) add or modify following
configuration options:
<add key="dsCertificateSource" value="windowscertstore" />

<add key="dsCertificateStore" value="my" />
<add key="dsCertificateStoreIdentifier" value="000102030405060708090a0b0c0d0e0f10111213"
/>

Configuration option dsCertificateStoreIdentifier is used for specification of certificate
in selected certificate store. The certificate in store can be specified by its name (value
enetered in Common Name (CN) field when generating a certificate signing request) or
by its unique thumbprint , which can be obtained by double-clicking the certificate and
browsing the Details tab for Thumbprint field. In case you are copying certificate
thumbprint from the window, remove spaces and make sure there are no invisible
characters (it adds an invisible character at the beginning!).
File system
the Terminal Server is installed.
3. In the TerminalServer.exe.config configuration file

(<install_dir>\SPOC\terminalserver\TerminalServer.exe.config) add or modify following
configuration options:
<add key="dsCertificateSource" value="filesystem" />

<add key="dsCertificateFileSource" value="absolute\path\to\your\certificate.pfx" />
Currently the file must not be protected by a password (can be protected by an empty
string) to make YSoft SafeQ able to load keys and certificates from file system. That is
why it is currently recommended to use Windows Certificate Store as a certificate
source.
Terminal Server loads certificate from filesystem. This certificate is automatically

installed into Windows Certificate Store specified by configuration option
dsCertificateStore.
To specify location of file on local disc or network storage, configuration option

dsCertificateFileSource must be provided. Path to the certificate can be specified as
follows:
Full path to certificate file - e.g. C:\Certificates\safeqcertificate.pfx
Directory containing certificate - e.g. C:\Certificates, first .pfx file found in this
directory is taken

Cryptographic key for terminal authentication tokens
As a proof of successful authentication in terminal, a user receives an authentication token from

the Terminal Server. Authentication tags for YSoft SafeQ Terminal Application tokens are
generated using a key, which is generated during YSoft SafeQ installation and is unique per
tenant. This key is encoded using Base64 and by default it is 16 bytes long.
It is possible to specify own key following the steps below.
2. Set custom key for generation of the authentication tokens. In the Management web
interface go to the System configuration and under Expert options find the following
parameter and set it to the desired value.
sqtaTokenKey
5.9.9.14 Setting custom certificate on YSoft SafeQ Mobile Integration Gateway web interface
YSoft SafeQ Mobile Integration Gateway comes with pre-installed self-signed certificate, thus all
the communication is always encrypted. However, this certificate may be untrusted, because it
was not generated specifically for your machine.
The following guide will help you specify usage of your certificate, trusted in your environment.
There are two ways of managing the server certificate:
Using Command line
Using Mobile Integration Gateway administration
Command line
Certificate requirements
to the Mobile Integration Gateway .

types.
Configuring Mobile Integration Gateway to use secure communication channel
the Mobile Integration Gateway is installed.

3. Map the certificate to the Mobile Integration Gateway port:
netsh http delete sslcert ipport=0.0.0.0:portNum

netsh http add sslcert ipport=0.0.0.0:portNum appid={e30002ed-301d-4c40-a94e-
d4360173fd81} certhash=000102030405060708090a0b0c0d0e0f10111213
Default port for Mobile Integration Gateway is 8050.
The value of certhash is thumbprint (SHA1 hash) of a certificate stored in Windows

certificate store, in Local Computer \ Personal folder. You can obtain the thumbprint by
opening the certificate (.cer or .crt) file in Windows. In the Details tab you can find the

Mobile Integration Gateway administration
Mobile Integration Gateway provides a web interface for configuring Mobile Integration Gateway
service. After log in, administrator can modify announced printer name and location and manage
server certificates, i.e. create a certificate signing request and upload back the signed certificate
chain, which will then be used for HTTPS connection to the Mobile Integration Gateway .
1. Go to https://mig_ip:port/administration
Default port for Mobile Integration Gateway administration is 8050.
2. In the Certificates tab select Generate certificate signing request.
3. Fill in the form when you are prompted. Common name field is required and should contain
valid server domain name.

4. By clicking Generate certificate signing request button on correctly filled in form, private
key and certificate signing request are generated and downloaded via web browser.
5. Sign your request (downloaded .csr file) with your certification authority. Or, in case you
want to use external certification authority, send the created certificate signing request to
them for signing. You will receive your signed certificate (usually .crt file) along with the
certificate of this authority.
6. Select Upload certificate in the Certificates tab in the Mobile Integration Gateway
administration.
7. Upload signed certificate by selecting certificate *.crt and private key *.key file. If password
was specified for private key, when generating certificate signing request, the same
password needs to be filled in when uploading signed certificate. Uploaded certificate is
added to Windows Certificate Store and then mapped to be used directly with Mobile
Integration Gateway 's port.

The certificate file (.crt) needs to contain all the certificates in the chain in a specified
order. The first is a certificate of Mobile Integration Gateway . Each following certificate
belongs to the authority who signed the previous certificate directly. The last one
belongs to the root certification authority.
5.9.9.15 Configuring SSL/TLS for YSoft SafeQ Payment System
By default, YSoft SafeQ Payment System is automatically redirecting all HTTP requests to
encrypted HTTPS connection. In order to ensure secure connection, you need to use certificate
trusted in your environment.
In case you want to communicate using unsecured HTTP, you have to set the following
configuration option in the <payment_folder>\ps-conf \environment-configuration.properties
(usually C:\SafeQ6\YPS\ps-conf \environment-configuration.properties ) configuration file:
web.channel=http
cashdesk.channel=http
restApi.channel=http
This is, however, not recommended.
This guide will help you with the configuration of the secured connection (HTTPS) to the YSoft
SafeQ Payment System, using a CA-signed certificate.

to the YSoft SafeQ Payment System.
containing the private key and whole certificate chain. The procedure below is simplified by
creating a new keystore instead of reusing the existing one.
Configuring YSoft SafeQ Payment System to use secure communication channel
This section describes the way how to make the web connection secure using the CA-signed
certificate.
1. Stop YSoft SafeQ Payment System service on YSoft SafeQ server.
2. Copy your key/certificate in the Java Keystore format to the server where YSoft SafeQ
Payment System is installed.
3. Set following attributes in <payment_folder>\conf\server.xml file:
keystoreFile = "absolute/path/to/your/keystore.jks"
keystorePass = "keystore protecting password"
keyPass = "key protecting password"
By default, keyPass attribute has the same value as keystorePass. Set this attribute if
the key and the keystore are protected using different passwords.
4.
4. (OPTIONAL) To secure communication between Payment Gateway Plugin and Payment
System by your certification authority, if a payment gateway is used, the path and
protecting password to your truststore.jks file containing CA certificate need to be
provided. Add the new configuration properties truststore.path and truststore.
password to the Payment System's configuration (<payment_folder>\ps-conf\environment-
configuration.properties), see Security.
In case you have important certificates in the truststore, you can use this same
command to import your CA to the existing file. Just run this command inside the
<payment_folder>\ps-conf directory.
In this situation you also need to delete the default YSoft Payment System certificates
from the current truststore (if they are not replaced yet):
keytool -delete -alias certalias -keystore truststore.jks

keytool -delete -alias ca_root -keystore truststore.jks
keytool -delete -alias ca -keystore truststore.jks
5. Start the YSoft SafeQ Payment System service on YSoft SafeQ server.
6. Verify that YSoft SafeQ Payment System is functional and uses your own certificate (open
https://<payment_system_IP>:8443 in browser, click on the lock and view certificate
button). In case you did not disable the automatic redirection to HTTPS, opening
http://<payment_system_IP>:8080 address will be automatically redirected to https
protocol.
The configuration is stored in <payment_folder>\conf\ server.xml (usually C:

\SafeQ6\YPS\conf\server.xml)
Keep HTTP non-SSL port (default 8080) as the first in XML. Installer requires HTTP port to be
the first in definition. HTTPS should be the second.


<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"
useBodyEncodingForURI="true" />
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="${catalina.base}/ps-conf/keystore.jks"

keystorePass="*****"
clientAuth="false"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
ciphers="..."
useBodyEncodingForURI="true"
/>
The default, pre-installed private key is stored together with its corresponding certificate in
<payment_folder>\ps-conf\keystore.jks file. Both, keystore and private key, are protected by the
same password specified in configuration file with attribute keystorePass.
When client authentication is required (clientAuth attribute is set to true) then some attributes
about truststore need to be added/modified in the "Connector" above:
truststoreFile="<path-to-truststore>"
truststorePass="*****"
clientAuth="true"
The ciphers attribute contains list of cipher suites you want to support. Following configuration is
recommended:
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
Terminal Server configuration
Communication between Terminal Server (client) and YSoft SafeQ Payment System (server) is
performed via REST API, secured by default with a certificate provided by Y Soft. Terminal Server
has a copy of server certificate exported from YSoft SafeQ Payment System and the thumbprint
of these two files is validated.
After you change the certificate used by YSoft SafeQ Payment System, it is needed to make it
trusted on the Terminal Server machine. There are two options:
a. Replace the YPSClient.crt file in <spoc_folder>\terminalserver\Certificates\ directory on

Terminal Server machine by your yps.crt file (renamed to YPSClient.crt), containing only the
server certificate (excluding your CA).
b. Import the your certificate authority to the machine with running Terminal Server (follow the
guide Installing your Root CA to truststores of YSoft SafeQ machines - Windows Certificate Store
in the System communication hardening) and set the following system property:
ypsServerCertificateValidationType = STANDARD

YSoft Payment Machine configuration
Communication between YSoft Payment Machine - YPM (client) and YSoft SafeQ Payment System
- PS (server) is performed via TCP on ports 4197 and 4199. By default a YPM communicates over
TLS protocol, the only supported version is TLSv1, it also supports only the following two cipher
suites TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA.
Default configuration of YPM and PS uses the protocol TLSv1 and the cipher suite
TLS_DHE_RSA_WITH_AES_128_CBC_SHA. To support the stronger cipher suite
TLS_DHE_RSA_WITH_AES_256_CBC_SHA the Java Cryptography Extension needs to be placed
into <payment-folder>/Java/lib/security . Before the extension is used, a jurisdiction of a
customer's country needs to be checked if the stronger cipher suite is allowed.
To change the current configuration, the following DB queries needs to be run:
YPM security configuration
-- enable/disable SSL communication

-- 'false' to disable SSL - NOT RECOMMENDED
-- default value is 'true'
update configuration set value = 'true' where name = 'spm.sslEnabled';
-- change SSL request protocol

-- default and only supported by YPM is 'TLSv1'
update configuration set value = 'TLSv1' where name = 'spm.sslRequestProtocol';
-- change SSL cipher suites

-- to use the stronger cipher suite, the extension needs to be installed
-- default and only supported by YPM are '
update configuration set value = 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA' where name = 'spm.sslCiphersWhiteList';
5.9.9.16 Configuring SSL/TLS for End User Interface
By default, End User Interface is automatically redirecting all HTTP requests to encrypted HTTPS
connection. In order to ensure secure connection to EUI, you need to use certificate trusted in
your environment.
In case you want to communicate using unsecured HTTP, you have to set the following
configuration option in the <eui_folder>\u i-conf\ environment-configuration.properties
(usually C:\SafeQ6\SPOC\EUI\u i-config\environment-configuration.properties ) configuration file:
web.channel=http
This is, however, not recommended.
This guide will help you with the configuration of the secured connection (HTTPS) to the End User
Interface, using a CA-signed certificate.

containing the private key and whole certificate chain. The procedure below is simplified by
creating a new keystore instead of reusing the existing one.
Both the keystore and key itself need to be protected by a password.
guide Conversions between different keystores and certificate types.
Configuring EUI to use secure communication channel
This section describes the way how to make the web connection secure using the CA-signed
certificate.
1. Stop YSoft SafeQ End User Interface service on YSoft SafeQ server.
2. Copy your key/certificate in the Java Keystore format to the server where EUI is installed.
3. Modify <eui_folder>\conf\server.xml (usually C:\SafeQ6\SPOC\EUI\conf\server.xml) file as

follows:
keystoreFile = "absolute/path/to/your/keystore.jks"
keystorePass = "keystore protecting password"
keyPass = "key protecting password"
By default, keyPass attribute has the same value as keystorePass. Set this attribute if
the key and the keystore are protected using different passwords.
4. Start the YSoft SafeQ End User Interface service on YSoft SafeQ server.
5.
5. Verify that End User Interface is functional and uses your own certificate (open
https://<server-ip-address>:9443/end-user/ui in browser, click on the lock and view
certificate button). In case you did not disable the automatic redirection to HTTPS, opening
the http://<server-ip-address>:9090 address will be automatically redirected to https
protocol.
The configuration is stored in <eui_folder>\conf\ server.xml (usually C:

\SafeQ6\SPOC\EUI\conf\server.xml)
Keep HTTP non-SSL port (default 9090) as the first in XML. Installer requires HTTP port to be
the first in definition. HTTPS should be the second.


<Connector port="9090" connectionTimeout="20000" protocol="HTTP/1.1" redirectPort="9443"/>
<Connector port="9443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"

maxThreads="200"
SSLEnabled="true"
secure="true"
scheme="https"
sslProtocol="TLS"
useBodyEncodingForURI="true"
keystoreFile="${catalina.base}/ui-conf/keystore.jks"
keystorePass="*****"
truststoreFile="${catalina.base}/ui-conf/truststore.jks"
truststorePass="*****"
clientAuth="false"
sslEnabledProtocols="TLSv1.3,+TLSv1.2"
ciphers="..." >
</Connector>
The default, pre-installed private key is stored together with its corresponding certificate in
<eui_folder>\ui-conf\keystore.jks file. Both, keystore and private key, are protected by the same
password specified in configuration file with attribute keystorePass.
The <eui_folder>\ui-conf\truststore.jks file contains certificates which should be trusted by EUI

when client authentication is required (clientAuth attribute). Currently this file is empty.
The ciphers attribute contains list of cipher suites you want to support. Following configuration is
recommended:
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

5.9.9.17 Getting certificate for setting up SharePoint 2013 add-in environment
In order to set up SharePoint 2013 add-in environment, follow the guide Configuring User
Impersonation in Microsoft SharePoint 2013 and 2016. For the production environment, you need a
domain-issued or commercial certificate. This guide will help you obtain such a certificate and
install it to all your WPS servers.
Each keypair (certificate) you want to be able to sign SharePoint access tokens with needs to
be registered on SharePoint. The easiest way is to generate one keypair, register it and
distribute it over all WPS servers.
1. Obtain a key/certificate in an appropriate format - Personal Information Exchange (.pfx file)

In case your key/certificate is in a different format than Personal Information Exchange,

you can convert it following the guide in Conversions between different keystores and
certificate types.
In case you do not have key/certificate at all, follow the guide in the Generating key
/certificate in Personal Information Exchange format chapter in System communication
hardening .
the Workflow Processing System is installed.
3. Import the key with the corresponding signed certificate to Windows Certificate store of all
your WPS servers.
4. In Windows Server 2012 use the following command:
5. Once you have this domain-issued or commercial certificate, you may configure SharePoint
2013 as described in Complete debugging with a domain issued or commercial certificate.

5.9.9.18 Configuring cryptographic protocols for outbound communication
Description
It is possible to modify the list of cryptographic protocols for encrypted outbound communication
used by the following subsystems:
Terminal Server
FlexiSpooler
Mobile Print Server
For each of these subsystems there exists a configuration property, where you can specify the
list of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol versions to be
supported. To change the setting, in YSoft SafeQ web interface go to the System settings
(Expert options) and search for the properties
securityProtocolTypesForOutboundCommunication (Terminal Server), fspHttpsSecurityProtocols
(FlexiSpooler) and mpsHttpsSecurityProtocols (Mobile Print Server).
The subsystems can be set to use the following versions of the SSL/TLS protocol: SSL 3.0, TLS
1.0, TLS 1.1 and TLS 1.2. If any of the versions is not present in the list, the corresponding
subsystem will not connect to the servers or terminals that only support the removed versions.
In case secure Http communication is enabled, t he fspHttpsSecurityProtocols parameter is

applied to IPPS communication to a printer and to communication from FSP in nonspooling client
mode to FSP in server spooling mode.The specified protocols are used in SSL/TLS handshake
from the client side of the outbound communication.
The system property mpsHttpsSecurityProtocols applies for all outbound connections from the
YSoft SafeQ Mobile Print Server: HTTP with the YSoft SafeQ FleixSpooler, SMTP, POP3, IMAP and
EWS with the mail server.
For the secure communication with the Konica Minolta devices (and also Konica Minolta branded
devices Olivetti and Develop), the SSL/TLS protocol versions supported depend also on the
OpenAPI SDK used. By default, the newer version, 4-13a is enabled, what means support of .NET
4.5 or higher. To use lower versions the configuration property kmOpenApiVersion needs to be set
to 4-2.
The subsystem has to be restarted once the property is modified.
In order to work properly, the list must contain the consecutive versions. I.e. specification of
only one version is correct, SSL 3.0 + TLS 1.0 or TLS 1.0 + TLS 1.1 + TLS 1.2 are both the
correct lists, but TLS 1.0 + TLS 1.2 is not.

In case the list is empty, the supported protocols are dependent on the used .NET version. In .
NET 4.5 the only SSL/TLS protocol versions supported are SSL 3.0 and TLS 1.0. In .NET 4.6
and above, also TLS 1.1 and TLS 1.2 are enabled by default.
Protocols and algorithms not enabled in the underlying operating system cannot be used. The
SSL/TLS protocol versions supported by the subsystems are the interception of the versions
specified in the aforementioned properties and the settings in the OS.
5.9.9.19 Conversions between different keystores and certificate types
Different applications usually have different requirements on the key/certificate format they
import and use. This guide contains steps for conversion between the most common formats,
needed in SafeQ subsystems.
Conversion from the common PEM files (.crt and .key) to the Personal Information Exchange
Suppose you have a certificate (or a whole chain in one file, in case your certificate chain
contains at least one certification authority) and private key in PEM format. Let's name the key
file privatekey.key and certificate chain file certificatechain.crt.
In order to combine these two files into one Personal Information Exchange (usually .pfx or .p12
extension), run the following OpenSSL command:
openssl pkcs12 -export -in certificatechain.crt -inkey privatekey.key -out <path to your new .
pfx file>
This command will ask for the password to the original privatekey.key file and for a new
password, you want to use for your new Personal Information Exchange file protection. Then the .
pfx file specified will be created.
Conversion from Personal Information Exchange to the common PEM files (.crt and .key)
Suppose you have a Personal Information Exchange (usually .pfx or .p12 extension) file, let's name
it certificate.pfx. In order to export the private key and the certificate (or the whole chain in case
your certificate chain contains at least one certification authority) to two distinct PEM files (.crt
and .key extensions), run the following OpenSSL commands:
openssl pkcs12 -in certificate.pfx -nocerts -out <path to your new .key file>
openssl pkcs12 -in certificate.pfx -nokeys -out <path to your new .crt file>
The first command will ask for the password to the original certificate.pfx file and for a new
password you want to use for protection of your new .key file containing exported private key.
Then the .key file specified will be created.

The second one will similarly ask for the password to the original certificate.pfx file. Then it will
create the .crt file containing exported certificate, or, in case your chain contains more
certificates, all of them.
Conversion from Personal Information Exchange to Java Keystore
In order to convert certificate from Personal Information Exchange (usually .pfx or .p12) to the
Java Keystore (extension .jks), run the following keytool (tool distributed along with Java )
command:
keytool -importkeystore -srckeystore <path to your .pfx or .p12 file> -srcstoretype pkcs12 -
destkeystore <path to your new .jks file> -deststoretype JKS
This command will ask for the password to the original .pfx or .p12 file and for a new password
you want use for your new Java keystore protection. Then the .jks file specified will be created.
Conversion from Java Keystore to Personal Information Exchange
In order to convert certificate from Java Keystore (extension .jks) to the Personal Information
Exchange (usually .pfx or .p12), run the following keytool (tool distributed along with Java)
command:
keytool -importkeystore -srckeystore <path to your .jks file> -srcstoretype JKS -destkeystore
<path to your new .pfx file> -deststoretype pkcs12
This command will ask for password to the original Java keystore and for a new password you
want to use for your new Personal Information Exchange file protection. Then the .pfx file
specified will be created.
Conversion from P7B to the common PEM file
P7B is a file format for storage of certificate chains, without the corresponding private keys. This
is a common format for Certification Authorities to deliver the signed certificates to requesters.
However, many applications do not understand it. In order to convert .p7b certificate file to a more
common PEM file, run the following OpenSSL command:
a) In case your .p7b file is in a binary form:
openssl pkcs7 -print_certs -inform DER -outform PEM -in certificate.p7b -out certificate.crt
b) In case your .p7b file is encoded using Base64:
openssl pkcs7 -print_certs -inform PEM -outform PEM -in certificate.p7b -out certificate.crt

5.9.9.20 Configuring security for Infrastructure Management Server
Set SSL/TLS cipher suites and transport protocols
To override a default list of cipher suites and transport protocols, properties in <safeq_folder>
/Management/ims/application.properties of IMS ims.tls.transport-protocols
and ims.tls.cipher-suites need to be set. The following properties represent default
values.
ims.tls.transport-protocols=TLSv1,TLSv1.1,TLSv1.2
ims.tls.cipher-suites=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384
Database password encryption
To configure encryption of IMS database password stored in file <install_dir>/Management

/ims/application.properties, the following configuration option needs to be present:
dataProtection.enableEncryption = true
dataProtection.pathToKey = <path to key file>
Note that <path to key file> should be absolute file path, eg. c:
/encryption_secure_location/encryption.key
For information about creation and management of dataProtection attributes, as well as full list of
supported configuration options, please refer to the Enhanced Password Protection.
5.9.9.21 How to Secure Distributed Layer Communication
This page describes how to secure distributed layer communication in the meaning of
SpoolerController-to-SpoolerController distribution of data in Near Roaming Group.
By default the distributed memory shared by Spooler Controllers in the same Near Roaming Group
communicates in not secured mode. There are proprietary protocols to share and transfer data
that could be influenced by Man-in-the-Middle type of attack.
This article describes how to secure the communication to keep the data private and
unmodifiable by attackers.

Y Soft recommends to use symmetric encryption with a keystore, either with AES 128 bit length
key, or more preferably with AES 256 bit length key, that is more secure although it requires
administrator to install Java Cryptography Extension by Oracle, Inc.
1. Keystore
There must be a keystore with the same key on each Spooler Controller in the Near Roaming
Group. If the encryption is omitted or keystore with different certificates is used on any Spooler
Controller then the node cannot connect into the clustered Near Roaming Group.
1. Use keytool.exe tool distributed in Java SDK - use the command either for AES 128 or
AES 256 bit length keys.
AES 128
keytool.exe -genseckey -alias spocGroup -keyalg AES -keysize 128 -storepass password -
keypass password -storetype JCEKS -keystore keystore-128.jck
or
AES 256
keytool.exe -genseckey -alias spocGroup -keyalg AES -keysize 256 -storepass password -
keypass password -storetype JCEKS -keystore keystore-256.jck
2. Copy the generated keystore file to each SpoolerController, to path

SPOC_HOME\distServer\config\
2. Configuration
Following steps must be done on each of the Spooler Controllers in the same Near Roaming
Group. It is required to edit SPOC_HOME\distServer\config\spoc-cluster-jgroups-
TCP.xml or SPOC_HOME\distServer\config\spoc-cluster-jgroups-UDP.xml
depending if the Near Roaming Group is defined to use either TCP or UDP based communication.
1. Open either spoc-cluster-jgroups-TCP.xml or spoc-cluster-jgroups-UDP.xml

for editing.
2. It is XML file, but it depends on the order of the elements, so find element
<VERIFY_SUSPECT timeout="1500"/>. Put one of the following pieces of code
(depends on AES 128 or 256 chosen) right after that element:
AES 128
<SYM_ENCRYPT
provider="SunJCE"
sym_algorithm="AES"
sym_keylength="128"

encrypt_entire_message="true"
keystore_name="c:/SafeQ6/SPOC/distServer/config/keystore-128.jck"
store_password="password"
key_password="password"
alias="spocGroup"/>
or
AES 256
<SYM_ENCRYPT
provider="SunJCE"
sym_algorithm="AES"
sym_keylength="256"
encrypt_entire_message="true"
keystore_name="c:/SafeQ6/SPOC/distServer/config/keystore-256.jck"
store_password="password"
key_password="password"
alias="spocGroup"/>
3. If another passwords were entered in previous step into keytool.exe tool, make sure
they are changed in the appended XML element.
4. Make sure the path entered in the appended XML element leading to keystore generated in
previous step is correct, or change it if required. (Please note that forward slashes ("/") are
used.)
5. Save the modified configuration file.
6. Make sure the change was applied on all Spooler Controllers in the same Near Roaming
Group.
3. Apply the changes
Start or restart (if it was running) the complete Near Roaming Group according to documentation
to apply the changes.
5.9.9.22 Configuring SSL/TLS for communication from server to MFD
How to enable full validation of the certificate provided by the MFD during the Terminal
Server outbound connection
The administrator can enable certificate validation by configuration option

enableMfdServerCertificateValidation. The default value is Disabled.

5.9.10 EDDYSTONE CONFIGURATION
5.9.10.1 General
Eddystone is a Bluetooth Low Energy beacon profile released by Google.
We use Eddystone-URL frame, which broadcasts a URL using a compressed encoding format
in order to fit more within the limited advertisement packet. It has following frame
specification:
Byte offset Field Description
0 Frame Type Value = '0x10'
1 TX Power Calibrated TX power at 0 m
2 URL Scheme Encoded Scheme Prefix
3+ Encoded URL Length 1-17
5.9.10.2 Setting up Eddystone for YSoft SafeQ Mobile Terminal
Required data
Terminal Server IP Address
Terminal Server SQTA Port (default is 5021 for HTTP, 5022 for HTTPS)
Device ID
Where to find required data
You can scan the QR code generated for the installed device with a basic QR code scanner. It
contains all the required information you will need for setting up an Eddystone.
The data in QR code looks like {"terminalServerEndpoint":"

<url_scheme><terminal_server_ip>:<port>/et/v1/<device_id>"}
Other option is to use simple web conversion tool: https://www.ysofters.com/qr/?q=%7B%

22terminalServerEndpoint%22:%22https://10.0.13.199/et/v1/1%22%7D
Creating compressed data for Eddystone
1. Convert IP Address's octets from decimal to hex representation (ignore dots between
octets)
the result MUST be exactly 8 characters long
e.g.: 10.0.13.199 would be converted to 0A000DC7
2.

2. Convert Terminal Servers SQTA Port from decimal to hex representation
the result MUST be exactly 4 characters long
e.g.: 5021 would be converted to 139D
e.g.: 200 would be converted to 00C8
3. Convert device ID from decimal to hex representation
the result MUST be at most 5 characters long
e.g.: 719 would be converted to 2CF
4. Concatenate all the results
e.g. Terminal Server at 10.0.13.199 with SQTA port 5021 and device ID 719 would be
0A000DC7139D2CF
Other option is to use simple web conversion tool. Just specify valid URL from
terminalServerEndpoint and result will be visible in the field Eddystone: https://www.ysofters.com
/qr/?q=http://10.0.13.199:5021/et/v1/719.
Writing compressed data to Eddystone
To write data to an Eddystone, you have to use your Eddystone's manufacturer's application.
Data MUST be written to Eddystone-URL frame (field Encoded URL)
You MUST also set whether you want the URL scheme to be HTTP or HTTPS (secure)
0x02 is http://
0x03 is https://
Beacon configuration with iBKS Config Tool
Prerequisites:
Android/iOS device
Device with Bluetooth Low Energy support
Bluetooth is turned ON
YSoft currently uses beacons from Accent Systems (https://accent-systems.com/). To configure

this beacon, you will need mobile configuration application from Accent Systems which is
available for
Android (https://play.google.com/store/apps/details?id=com.accent_systems.ibks_config_tool)
iOS (https://itunes.apple.com/us/app/ibks-config-tool/id929525388?mt=8)
The application provides you with a nice tutorial which will help you at the beginning.

For more information: https://accent-systems.com/support/knowledge/getting-started/
Simple configuration steps:
1. List of available devices (only devices with the white background are in connectable mode)
To be able to connect to the beacon, a user needs to stop scanning (by tapping the blue
circle in bottom right corner). Otherwise, the application will show a warning.
2. Connection to selected device

After a successful connection, a user is able to see and configure different beacon
services. Accent Systems beacons offer two main services: Eddystone and iBeacon. To be
able to use beacon with Mobile Terminal, we will need Eddystone service. And because we
won't need iBeacon, it is better to turn it off and save some battery.
3. Eddystone service configuration

Eddystone URL offers 4 values to be configured:
Advertising interval - how often are packets broadcasted. Lower number means better
signal stability and accuracy, but higher battery consumption. For our purposes, default
value (950ms) should be ok.
Radio Tx. Power - advertising power. Default value is 0 which results in range about 30-40
m (depending on number of obstacles between beacon and mobile device). Lower the
value, lower the advertising power. For example value "-16" results in a range about 5-8
meters.
Calibration power - this is a default value which doesn't need to be changed.
URL - actual broadcasting value. Needs to be properly configured according to

documentation above.
The application offers also more advanced features like changing beacons name or setting a
password. These options can be useful for managing beacons.
5.9.11 YSOFT HARDWARE ADMINISTRATOR GUIDE
This guide is for administrators who need to control one piece of YSoft hardware device. By YSoft
hardware device we mean:
YSoft be3D eDee,
YSoft SafeQ Terminal Pro 4 or

YSoft SafeQube 2.
The term device is used in the rest of this guide for any of the products.
There are two ways how to control the device:
A management console accessible over SSH. The management console is a command line
utility, which allows administrators to configure the devices.
All available commands can be listed in the console by command 'help'. More more
specific help for particular command will be displayed after typing '<command> --help'.
The console has autocomplete function - press the [Tab ] key for the console to show
you available commands in the current context or automatically complete the current
command.
The command history can be browsed by up and down keys.
The management console session can be terminated by the 'exit' command.
To clear the screen use 'clear'.
A management web interface which allows:
Browsing and exporting log files.
Upload of installation packages for OS or applications.
Most common device and application settings.
5.9.11.1 How to login
Credentials
Username: manager
The credentials are the same for both the management console and the management web. If you
change your password in one of them then the other will accept only the new password.
The password is the same for all devices. so it is highly recommended to change it. See How
to change manager password.
Management console

putty.org/).
2. Login as manager.

Management web
1. Go to https://<device IP address>:8083. On OS versions lower than 4.2 the address has to

contain the particular tab, e.g https:// <device IP address> :8083/configuration/ for
configuration tab.
2. Login as manager.
5.9.11.2 How to change manager password
The new password has to have at least 6 characters.
Management console
1. Login to the management console on the device.
2. Run command 'password set -user manager'.
draco-84$ password set -user manager

Enter password(6):
Enter password again:
Password changed
Management web
1. Login to the web interface and go to the Configuration tab.
2. Type the new password twice.
3. Press Change Password button.
Please note that any other settings changes will be discarded when changing
password.

5.9.11.3 Connection to YSoft Infrastructure Service (IMS)
The YSoft Infrastructure Service is part of YSoft SafeQ Management Service and allows to
control groups of YSoft Hardware devices. The device is usually connected to the IMS during
installation or deployment steps. Once the device is connected to IMS, it can download OS
images, applications, or configuration from there.
Management console
2. Check the settings - 'server show address'.
3. Set the connection to IMS - 'server set -address protocol://<IMS address>:

port'. It is possible to enter more addresses separated by ',' (comma). This command
replaces all previously configured connections.
4. Addresses can be added or removed by 'server add' or 'server remove'.
5. Test the connection - 'server test'.

uams.address: https://10.0.13.171:7348
draco-84$ server set -address https://10.0.11.12:7348
draco-84$ server add -address https://10.0.13.55:7348

uams.address: https://10.0.11.12:7348,https://10.0.13.55:7348
https://10.0.13.55:7348: Not reachable
https://10.0.11.12:7348: Ok (212 ms) [used]
draco-84$ server remove -address https://10.0.13.55:7348
https://10.0.11.12:7348: Ok (192 ms) [used]
6. The timeout of the connection can be set by 'server set timeout -timeout
<number>'. The timeout is in seconds.
draco-84$ server set timeout -timeout 10

draco-84$ server show timeout
uams.timeout: 10
Management web
2. Enter IMS address in format protocol://<IMS address>:port. It is possible to enter more

addresses separated by ',' (comma).
3. Press the Save button.
The server connection timeout can not be set from the web interface.

5.9.11.4 Operating system update
Without IMS connection
1. Login to the web interface and go to the Upload tab.
2. Upload OS update package (in tar.gz format).
3. Login to the management console after the upload finishes.
4. List available versions - 'os show versions'.
5. Run command 'os update -version <new version>'.
draco-84$ os show versions

hw.osversions: versions:4.1.17
4.1.20
draco-84$ os update -version 4.1.20
Finished successfully
6. The device is rebooted automatically during the update.
7. Check the version after update.
draco-84$ os show version

hw.osversion: 4.1.20
With IMS connection
2. Check version available on IMS - 'os show versions'.
3. Download OS update package - 'os update fetch -version <version>'.
4. Follow steps 4. - 7. from previous section.
OR

1. Download and install the update in one command by 'os update -version <version>
'.
2. The system is updated and rebooted into new version.
5.9.11.5 Applications
The YSoft hardware device is delivered with pre-installed applications according its type.
Management console
2. Set application configuration.
a. one parameter at a time - 'applications set configuration -appname

<appname> -key <parameter> -value <value>'.
b. more parameters in one command - 'applications set multiple -appname

<appname> -keys <parameter1>=<value1> <parameter2>=<value2> ...
'.
3. Check the configuration - 'applications show configuration -appname

<appname>'. Note that the configuration is shared by different versions of the application,
therefore the command does not contain the argument version.
4. Remove unwanted parameters - 'applications remove configuration -appname

<appname> -key <parameter>'.
Management web
Only parameters defined in application description file can be defined over web interface.
2. On the bottom of the page choose the application to configure from the drop down menu.
3. Configure the displayed parameters.
4. Press the Save and Restart Application button.

The following commands are available only in the management console on the device.
List of applications
applications show installed - display all applications installed on the system including
their states.
applications show running - list all applications currently running on the device.
applications show deployed - list all applications ready for installation on the device.
applications show available - list all applications available on IMS.
Applications lifecycle
applications start -appname <app_name> -version <version>.
applications stop -appname <app_name> -version <version>.
applications restart -appname <app_name> -version <version>.
applications autostart -appname <app_name> -version <version> -enable

<on/off> - set/unset the start of application after the device powers on.

Application update
It is not possible to update the application in one step. The update procedure consists of
application package upload, uninstalling or stopping the old application, and then installing the new
application. The data and configuration are shared by different versions of the same application.
Installation package upload without IMS connection
1. Login to the web interface and go to the Upload tab.
2. Upload an application package (in tar.gz format). The name of the application package is
parsed during installation, the part before first dash ('-') is used as a name of an application,
whatever is after it until the .tar.gz is used as a version of the application. The application
version is optional. If there is no dash in the installation package name, the application will
be installed without specified version. For example: application with package name server-
6.1.4.5.tar.gz will be installed as application with name server and version 6.1.4.5.
Installation package download with IMS connection
2. List applications available on IMS - 'applications show available'.
3. Download the required application package - 'applications fetch store -appname

<appname> -version <version>'.
OR
2. List applications available on IMS - 'applications show available'.
3. Download and install the application in one step - 'applications install store -
appname <appname> -version <version> -autostart <on/off>'. If autostart is
set to [on] then the application is started after installation and starts automatically after
the device starts.

1. Login to the management console on the device after the upload finishes.
2. Check if the application was really uploaded by 'applications show deployed'.
3. Install the application - 'applications install file -appname <appname> -

version <version> -autostart <on/off>'. If autostart is set to [on] then the
application is started after installation and starts automatically after the device starts.
draco-ba$ applications show deployed

terminalserver-6.0.2.2
draco-ba$ applications install file -appname terminalserver -version 6.0.2.2 -autostart
off
Installation in progress ...
Installation was successful.
To uninstall the application run ' applications uninstall -appname <app_name> -

version <version>'.
How to see logs
1. Login to the web interface and go to the Logs tab.
2. Filter the application or date you are interested in.
3. Choose the export type or display format.

Logs interface limits output to 1500 log entries. Once this threshold is reached admin is
informed about that in the last visible log entry and needs to modify the query to narrow
the timespan.
The application dropdown contains only currently installed applications. Previously installed
applications can be filtered by Custom filter.
Other configuration
Management console
Networking
Management console enables to set up static or dynamic network configuration.
network show configuration - display the current network configuration.
network set dhcp - set dynamic network settings. The device will fetch its network
configuration from the DHCP server.
network set static -ip <IP address> -gateway <gateway IP address> -

mask <network mask> - static network settings.
network set -dns <dns server IP address> - change the DNS server address.

Time
server settings.
Administrator may use following commands in the management console for setting up a time
zone and NTP servers for device time synchronization:
time show - shows time in this format: YYYY-MM-DD hh:mm:ss (<time difference from UTC>
TIMEZONE).
timezone show - shows actual timezone set on the device as it is named in IANA time zones
library.
timezone show groups - shows available groups for setting time zone.
timezone show available -group <group> - shows available time zones in a group of
time zones.
timezone set -group <group> -place <place> - command for a change of time
zone. Both the group and the place have to be selected from the list of groups or places given
by their respective commands.
Setting up NTP servers is possible through the following commands.
time ntp show - shows the actual list of NTP servers separated by a comma.
time ntp set -servers <ntp_server_1>,<ntp_server_2>,... - sets the list of

NTP servers to the provided servers (replaces any previous settings). There must be at least
one server.
time ntp set default - resets the actual NTP server list to default. The default list
contains 5 well known servers located on the internet.
time ntp remove -servers <ntp_server_1>,<ntp_server_2>,... - removes the

provided NTP servers from the list. There must be at least one left in the actual settings.
time ntp add -servers <ntp_server_1>,<ntp_server_2>,... - adds provided

NTP servers at the end of the actual settings.
Services control
Some basic commands are enabled for control of services available in the operating system:
services list - lists all the services available in the current version of the device's
operating system.

services detail -name <service_name> - shows detailed information about the
specified service.
services start -servicename <service_name> - starts the specified service.
services stop -servicename <service_name> - stops the specified service.
CPU information
CPU information are available for monitoring and troubleshooting purposes.
os cpu model - get CPU Model.
os cpu cores - get number of cores.
os cpu temp - get core's temperature.
os cpu - get overall information in one output.
Display backlight
Management also enables to change the display brightness and get information about current
display setting.
display show brightness level - print the current level of display brightness.
display show brightness maximum - print the maximum level of display brightness.
display set brightness -level <value> - set the display brightness to a specified
level.
Sound
sound set volume -level <level 0-100> - sets the volume as a percentage of
highest value possible.
test sound - plays test_sound.wav file located in user's home folder.
Management web
From the above configuration options, only networking can be configured over the management
web interface.
2. Configure networking.
3. Press Save button.

5.9.12 CONFIGURING WORKFLOW INTEGRITY CHECK LOGGER
Integrity of each workflow is checked before it is processed so e.g. if an error in scan data
collection occurs, workflow is rather discarded than sending the scanned documents to a
different user. In some cases it could be useful to change logger configuration so you can track
the validation result.
5.9.12.1 To log errors from validation into a separate log file
Workflow integrity check is done in YSoft SafeQ Terminal Server subsystem which is using
NLog. Sample configuration is bellow, please note that more advanced configuration can be
done according NLog documentation (https://github.com/NLog/NLog/wiki).
1. Open NLog configuration file (usually located in 'C:\SafeQ6\SPOC\TerminalServer\NLog.

config')
2. Add a custom target which will act as a destination, e.g. to store messages into a file called
'terminalserver.workflow.error.log' add
<target name="workflowValidationErrorLogfile" xsi:type="File" archiveAboveSize="20971520"

archiveNumbering="Date" concurrentWrites="false"
archiveFileName="logs\terminalserver.workflow.error.{#}.log" maxArchiveFiles="
5" fileName="logs\terminalserver.workflow.error.log"
archiveDateFormat="yyyyMMdd-HHmmss"
layout="${whenEmpty:whenEmpty=${longdate} ${level:uppercase=true:padding=-5:
fixedLength=true} ${whenEmpty:whenEmpty=${threadid}:inner=${threadname}:SuffixTrim=20}|
${class:SuffixTrim=25} | ${method:SuffixTrim=20} | ${message} ${exception:innerFormat:
tostring:format=tostring}:inner=${remote}"/>
3. Add a custom logger for WorkflowValidator component to log data into the defined target

3.
<logger name="TerminalServer.Scans.SessionManagement.WorkflowValidator" level="Error" writ

eTo="workflowValidationErrorLogfile" />
4. Restart YSoft SafeQ Terminal Server subsystem
The same approach can be used to log also the successful validation results, the only
difference is in the level in the logger configuration which is Info.
5.9.13 CONFIGURING LOGGING USING NLOG.CONFIG
Flexispooler, Mobile Print Server, Terminal Server and some others are using Nlog.config files for
configuring respective output logs. Description of output logs and where to find its respective
Nlog.configs can be found in Log File Overview.
5.9.13.1 How to change logging level to Trace
Trace is the lowest logging level, that means when logs are set to Trace level, they provide the
most information. This should be used in case of troubleshooting.
To change log level, find a row with following code in the respective Nlog.config and change the
minlevel to Trace.
For troubleshooting, it is best to set Trace level in all Nlog.config files.
Original Nlog line (minlevel="Debug" is the default):
<logger name="*" minlevel="Debug" writeTo="logfile" />
Nlog set to trace level:
<logger name="*" minlevel="Trace" writeTo="logfile" />
5.9.13.2 Other configuration options:
With Nlog.config you can also do other changes in logging, such as configure compression, max
size and rotation of log files. To learn more about how to set this options and use NLog, see its
documentation:
https://github.com/nlog/nlog/wiki/Configuration-file
https://github.com/nlog/NLog/wiki/File-target

5.9.14 CONFIGURING YSOFT UNIVERSAL PRINT DRIVER
5.9.14.1 YSoft Printer Driver PCL
YSoft SafeQ secure print queue uses these drivers:
Windows 8, Windows 10, Windows Server 2012, and newer: YSoft Printer Driver PCL is
automatically installed during FlexiSpooler installation
Windows 7 and Windows Server 2008: YSoft Universal Print Driver is not supported, and
FlexiSpooler expects the HP Driver is already installed (HP Driver is a standard part of these
systems – HP Color LaserJet 2700 Series PCL6).
5.9.14.2 Vendor specific driver
The possibility to apply a particular finishing option, paper orientation or paper size depends on
the driver and machine capability combinations.
Advanced finishing options (stapling, punching, folding) are not supported by default driver
installed during FlexiSpooler installation. Paper orientation (portrait/landscape) and paper size (legal
/A3) have the same limitation. To allow users to use all those features, the default driver has to
be replaced by a vendor specific driver.
5.9.14.3 Creating a Direct or Secure Print Queue Using a Vendor Driver
If you want to create print queue with vendor driver and you want print jobs to be handled and
managed by YSoft SafeQ, you can but do not use ports that are automatically created by
FlexiSpooler (IP_local for secure queue, SafeQPort-direct_queue_name for direct queues), but
create your own TCP/IP port that is directed to IP where FlexiSpooler is installed (usually
127.0.0.1).
For secure printing, use protocol LPR with port 515 and queue name secure.
For direct printing, set correct Direct queue name up on a device in the management interface.
See picture below:

Stapling is charged per-job, it is not per-stanple on Konica Minolta devices.
5.9.14.4 YSoft Universal Print Driver
If default driver is installed during FlexiSpooler installation and Letter size paper is preferred rather
than A4 paper, choose Letter as preferred paper size in driver's Printing Preferences.
Setting preferred paper size f or logged in user (this setting is not applied if printer is shared to
other users)
1. Go to Devices and Printers
2. Right click on driver
3. Click Printing preferences
4. Choose preferred Size

Setting preferred paper size for shared printer
1. Go to Devices and Printers
2. Right click on driver
3. Click Printer properties
4. Open Advanced tab
5. Click Printing Defaults
6.
6. C h o o s e preferred Size
5.9.15 YSOFT SAFEQ MOBILE PRINT APPLICATION CONFIGURATION
Y Soft delivers two applications which allows printing from mobile devices:
YSoft Mobile Print for iOS - https://apps.apple.com/us/app/ysoft-safeq-mobile-print

/id1460758690?ign-mpt=uo%3D2
YSoft Mobile Print for Android - https://play.google.com/store/apps/details?id=com.ysoft.

ysoftsafeqprint
The applications allows discovery of YSoft SafeQ server based on DNS record: safeq6.COMAPNY-
DOMAIN.COM
The applications allows two types of delivery channels:
via Mobile Integration Gateway (MIG) - URL begins with ipps:// (default port 8050)
via end user interface (EUI) with Mobile Print Server - URL begins with https:// (default port
9443)
End user interface is phasing out.
Applications (specificaly server components) requires Mobile Print license installed on YSoft
SafeQ.

5.9.15.1 Minimal requirements
Applications requires following version of OS as minimal version:
iOS - 12.2
Android - Marshmallow - 6.0 (API 23)
5.9.15.2 Installation of infrastructure
Delivery via MIG
Install Mobile Integration Gateway for YSoft SafeQ 6. It will open port 8050.
Limitations:
MIG is able to handle common PDF and JPEG formats. For other formats like DOCX you can
use MPS or let application on mobile device convert the document to PDF.
Only Android version of applications has support for this delivery method. iOS will be added in
future.
Note: The application is able to print also via MIG or AP for YSoft SafeQ 5. This might be useful for
customers with older installations of YSoft SafeQ. The MIG/AP for YSoft SafeQ 5 is not under
active development.
Delivery via End User UI (phasing out)
Note: This interface is recommended only for small installations with just one site and only one
Mobile Print Server. Consider using MIG instead.
It's necessary to install EUI and MPS. Make sure that Mobile Print Service is running and it's also
enabled in YSoft SafeQ 6 management interface.
Default port of EUI is 9443.
The applications is talking to https end-point of End User UI and uploading the job. Same could be
achieved via web browser. Once the job is uploaded MPS will take care of conversion and it will
deliver the job to Spooler
Limitations:
Installation is suitable for single site. In case of installing multiple EUI/MPS, it's necessary to
take care that only one MPS is consuming emails from mailbox. The mailbox functionality is not
required for the application, but it's the default way how MPS processes data.

Discovery
The application is able to discover endpoint for job upload in the network. The discovery is based
on DNS using following mechanism:
application reads search domain from DHCP response or VPN profile
application adds subdomain "test-printserver"
application checks ports 443 and 9443 (EUI) or 8050 (MIG)
Once the URL is responding with proper signature of the service, the user is prompted to confirm
whether she would like to use service.
To configure the discovery it's sufficient to add DNS A record which is pointing to the server
where EUI or MIG is located. The name of subdomain should be "safeq6".
Installation of Android application
The application is possible to install from Google Play: https://play.google.com/store/apps/details?

id=com.ysoft.ysoftsafeqprint
Installation of iOS application
The application is available in App Store: https://apps.apple.com/us/app/ysoft-safeq-mobile-print

/id1460758690?ign-mpt=uo%3D2
Installation of Android application via MDM
If the company has MDM it can leverage the installation and configuration. It's possible to
configure following properties
Key Typ Default Meaning

e value
server stri Server URL which is displayed on login screen

ng
login stri User login name

ng
server_url_1 ... stri Additional server URL presented in Spinner above login, so user can
9 ng choose location
server_name_ stri Friendly name displayed to user in Spinner

1 ..9 ng

5.9.15.3 Using Mobile Print applications
Printing from application on Android
Tap the application icon. Type in address of endpoint:
EUI/MPS: https://server-with-eui:9443/end-user/ui/
MIG: https://server-with-mig:8050
If DNS record of subdomain safeq6 was configured it is sufficient to click Discover button.
Enter Login and Password.
Check "Remember credentials" if you'd like to persist server URL, login and password.
Tap Login button.
The Add button.
Select files for upload.
Upload files.
Printing from application on iOS
1. Tap the application icon. Type in address of endpoint:
MIG: https://server-with-mig:8050/
EUI/MPS: https://server-with-eui:9443/end-user/ui/
If DNS record of subdomain safeq6 was configured it is sufficient to click Discover button.
2. Enter Login and Password.
3. Check "Remember credentials" if you'd like to persist server URL, login and password.
4. Tap Login button.
5. The Add button.
6. Select files for upload.
7. Upload files.
Printing from Android by Share button
1. Open application with content that you'd like to print.
2. Tap Share button.
3. In the list find YSoft SafeQ Print.
4. Tap Login.
5. Check files for upload and tap Upload button.

Printing from iOS by Share button
2. Tap Share button.
3. In the list find YSoft SafeQ Print.
4. Tap Login.
5. Check files for upload and tap Upload button.
Printing from Android by Print button
2. Tap Share or Print button.
3. Tap Print button.
4. You'll see YSoft SafeQ print service with job print preview.
5. Tap Print icon in upper right corner.
5.9.15.4 Security considerations
Current version of application is using HTTPS interface available in YSoft SafeQ. The validation of
certificate chain is disabled in current version (for PoC), it will be enabled in future. We
recommend to use MDM to deploy application. Some MDMs even allows VPN tunnel per
applications.
End point for receiving jobs can be hidden behind WAF to increase security level.
Single Sign On is not supported in services or in application in current version. This feature is
planned for future releases.
Y Soft is not gathering any information from user except what is collected automatically by
Google Play or App Store regarding application crashes. User is prompted to share information of
application crash in the same way like any other Android or iOS application. Y Soft does not use
any additional data gathering from user.
5.9.15.5 Support
Applications are in preview state and their implementation might change. We're open to feedback
and improving the service.
Applications are not covered by any SLA.
In average application will receive update once a week for bugfixes and improvements.
Since distribution of application is dependent on Google and Apple, we're not able to guarantee
time to distribution. It often takes 24 hours for stores to synchronize versions.

We recommend to use MDM for better control of installed applications, where administrator can
decide to deploy new version or not in the organization.Should you have any questions, please
contact Juraj Michálek - juraj.michalek@ysoft.com .

6 YSOFT BE3D EDEE DOCUMENTATION
6.1 DEECONTROL 2 - QUICK GUIDE
DeeControl 2 is a visual editor for 3D models. Its main features are preparing a model for 3D
printing and sending the print job to an eDee printer via YSoft SafeQ.
6.1.1 MAIN SCREEN
The purpose of this document is to allow the user to start using DeeControl 2 quickly. If you need
a more detailed explanation, see DeeControl 2 - User Guide.
After starting DeeControl 2, the following screen appears:
The most important parts of the layout are marked by in red.
Model manipulation tools (Move, Scale, Rotate, Align etc.)
Viewport controls
Print settings panel
Action button
6.1.2 TYPICAL WORKFLOW
The typical workflow of printing a model is as follows:
1.

1. Import an STL model by either dragging and dropping or clicking the "Add" button in the top
left-hand corner
2. Use the model manipulation tools to arrange the model(s) on the print bed.
Scale tool
Select the model and either enter the absolute dimensions or relative percentage. Use
Uniform Scaling option to scale the model proportionally. The SCALE TO MAX feature fits
the model to the print bed so that its size is to the maximum.
Move tool
Select the model and input the desired x,y coordinates. Alternatively, use drag and drop to
move the model.
Rotate tool
Select the model, enter the desired relative change in degrees, and use the arrow buttons
to apply. The orientation is shown by the 3D axis cross icon at the lower left-hand corner of
the editor.

3. Select a suitable print profile in the slicer panel.
We recommend using the default profile for most cases. Change the advanced settings
only if you know what you are doing.
4. Click the "PREPARE FOR PRINT" button

5. Review the print preview.
Tip: Use the slider to cut the model to see the infill.
6. Click the "SEND TO YSOFT SAFEQ" button. This step requires configuration. For more
information see chapter DeeControl 2 - User Guide, section How to Set Up a connection to
YSoft SafeQ Server.

After the print job has been successfully sent to YSoft SafeQ, go to the eDee printer and follow
the instructions on the terminal to start printing.
6.2 DEECONTROL 2 - USER GUIDE
6.2.1 INTRODUCTION
The purpose of this document is to provide YSoft be3D DeeControl 2 end users with a complete
overview of how to install the software and the best way to prepare a print job for printing.
6.2.2 WHAT IS YSOFT BE3D DEECONTROL 2
The YSoft be3D DeeControl 2 application is slicer software for 3D jobs. It converts a 3D model
into printing instructions for your 3D printer. It cuts the model into horizontal slices (layers),
generates tool paths to fill them, and calculates the amount of material to be extruded.
6.2.3 REQUIREMENTS
6.2.3.1 Software
64-bit Windows 7 and later or Mac OS X 10.7 and later
32-bit Windows is not supported!
6.2.3.2 Hardware
4 GB RAM
2 GB hard disk space
A dedicated graphics card (recommended)
6.2.4 INSTALLATION OF YSOFT BE3D DEECONTROL 2
6.2.4.1 Windows Installation
1. Locate the installation file on your computer.
2. Run the installation file and follow the wizard.

3. Select whether you want to install DeeControl 2 for yourself or for all users of the
computer.
4. You can change the installation directory. If selected directory already exists, a notification
that contents of the directory will be deleted is shown.

4.
5. You can setup your YSoft SafeQ server address and port. You can also set default
language or check a check box if you want to create a desktop shortcut, start menu folder,
or associated STL files.
6. The installation's progress displays.

6.
7. Once the installation is successful, a confirmation message displays. You can check a
check box if you want to run DeeControl 2 right after the installation wizard closes.

6.2.4.2 Windows Silent Installation
The installation can run from a command line in silent mode, which allows the installation of
DeeControl2 on remote computers or via an installation script. To enable silent installation, run the
installation file with the /S parameter
Setup parameters
/SQaddr
sets the YSoft SafeQ server address
e.g.: /SQaddr=10.0.0.1
/SQport
sets the YSoft SafeQ server port
e.g.: /SQport=515
/Shortcut=true
enables the creation of a desktop shortcut
/StartMenu=true
enables the creation of a start menu folder
/AssociateStl=true
registers STL files to be opened by DeeControl 2
/AssociateDcp=true
registers DCP files to be opened by DeeControl 2
/StartUpLocale=en_US
sets default language of DeeControl 2
possible values:
en_US (English)
cs_CZ (Czech)
da_DK (Danish)
es_ES (Spanish)
nb_NO (Norwegian)
nl_NL (Dutch)
/D
sets the destination folder of the installation
e.g.: /D=C:\Program Files\DeeControl 2

CAUTION: It must be the last parameter used in the command line and must not contain
any quotes, even if the path contains spaces. Only absolute paths are supported.
Example
deecontrol-win-installer.exe /S /SQaddr=127.0.0.1 /SQport=515 /Shortcut=true /StartMenu=true

/StartUpLocale=en_US /D=C:\Program Files\DeeControl 2
6.2.4.3 Windows Uninstallation
1. Run the unistallation file and follow the wizard.
2. Confirm the directory to uninstall from.

3. Check if you want to remove your configuration.
4. Wait until the uninstallation is complete and click Next.

5. The uninstallation is finished.
6.2.4.4 Mac Installation
Once you have opened the DMG file, the only thing needed to install DeeControl2 on your Mac OS
is to drag and drop the DeeControl2 icon onto the Applications icon.

6.2.5 HOW TO SET UP A CONNECTION TO YSOFT SAFEQ SERVER
In the Windows version of the DeeControl 2 installer, the connection to YSoft SafeQ server can
be set during installation (step 5 in section Windows Installation, or appropriate parameters in
section Windows Silent Installation).
1. Open the preferences window by clicking the Preferences button in the File menu.

2. Switch to the NETWORK tab in the preferences window. Set the YSoft SafeQ server
address and port, then click SAVE button to store your settings or CANCEL to discard your
c h a n g e s .
In YSoft SafeQ username field you can specify a user who will be owner of a print job sent
to YSoft SafeQ, so you are able to send print jobs from your device and they will be
associated with your YSoft SafeQ account. If you left the field empty, your system
username will be used automatically.

6.2.6 SELECT LANGUAGE
1. Open the preferences window by clicking the Preferences button in the File menu.
2. Switch to the GENERAL tab in the preferences window. Select your preferred lanaguage,
then click SAVE button to store your settings or CANCEL to discard your changes.

6.2.7 PRINT JOB PREPARATION
DeeControl 2 only supports STL 3D model files.
1. Open the STL file using one of the following methods (multiple files can be opened at once):
a. Use the open file dialog
b. Drag and drop – drag the STL file and drop it onto the DeeControl window
c. Double-click the STL file
2. Edit the model to fit your needs.
a. Move
You can move your model by dragging it using a mouse.
You can use the predefined buttons in the main bar to center your model or align
the model to the edges of the printable area.
You can set the exact coordinates of the center of the model using the input
fields in the move panel.
b. Scale
You can scale your model to the maximum size allowed by the print bed and the
selected settings (e.g., the initial platform reduces the area that can be used for
printing the model) using the SCALE TO MAX button in the scale panel or
corresponding button in main bar.
You can set the exact scale of the model using the input fields in the scale panel.
c. Rotate
You can rotate your model by axes that are relative to the print bed using the
input fields in the rotate panel. Choose the axis and enter the angle by which you
want to rotate the model. Then click one of the buttons alongside the input field
to rotate clockwise (right) or counterclockwise (left).
You can reset the model's rotation using the RESET button in the rotate panel.
You can lay your model on specific face by using LAY ON POLYGON button in
rotate panel or corresponding button in main bar.
6.2.7.1 Lay model on selected face
Use mouse to select a face and click. Your model will be rotated so the selected face will be laid
on print bed.

6.2.8 USING 3D VIEWPORT
For easier preparation of the model or viewing a GCode visualization, you can rotate, pan, or zoom
the view. It is possible to turn off the perspective to view the alignment of the models on print
bed better or the GCode lines in layers.
6.2.8.1 View Mode
View mode can be switched using the perspective switch button in the main bar.
Perspective
Displays scene of the print area as seen by the human eye.
Parallel
In this mode, all parallel lines are displayed parallel even if they are heading away from the
camera.
6.2.8.2 Controlling the View
The view can be reset using the Reset view button in the main bar.

Rotate
To rotate the view, use the left mouse button.
For a better view of the model's placement, there is the Top view button in the main bar.
Pan
To pan the view, use the right mouse button.
Zoom
To zoom the view, use the mouse wheel.
6.2.9 DEECONTROL 2 PROJECT
DeeControl 2 project can be used for saving your unfinished work or to share your scene setup
and print settings with someone else.
To save current scene and print settings click the Save project button in the File menu.
To load the saved project you can use the same methods as for loading a STL file.
Open the file dialog from file menu (select DCP extension as type)
Drag and drop
Double click on file (if associated)

6.2.10 PRINT SETTINGS
The properties of the final printout can be further modified using the print settings.
6.2.10.1 Basic Settings
Print profile
Default – a balanced profile that prints most models without any problems.
Speed print – a good choice when you want to print fast but the quality is not an issue.
Fine quality print – the printed model will have a smoother shell but it will take more time to
print.
Print job name – select the name of your print job displayed in YSoft SafeQ. The name of the
first model imported into the scene is used as the default name.
Initial platform – the initial platform takes up some of the space of the print area, so the
model cannot cover the whole print bed.
Brim
Raft
None
Model supports

Print supports
6.2.10.2 Advanced settings
The advanced settings are only suitable for highly experienced users and have to be used
wisely. E.g., by a student of a technical university.

Layer height – the lesser the value, the finer the surface is.
0.1 mm; 0.15 mm; 0.2 mm
Roof thickness – the thickness of the top side of the model.
0 mm and greater
Bottom thickness – the thickness of the bottom side of the model.
0 mm and greater
Print speed – Solid layers – the speed of the print head movement when printing the roof
and bottom layers. A higher speed may have a negative impact on the quality of your print.
Shell thickness – the thickness of the walls of the model. The higher the value, the stronger
the model is.
0–4 mm (multiples of the nozzle diameter – 0.4 mm)
Print speed – Shell – the speed of the print head's movement when printing the shell. A
higher speed may have a negative impact on the quality of your print.
Infill internal pattern – a geometric shape repeated on the inside of the model to add
strength to the model.
Grid
Line
Cubic
Infill density – the density of the internal structure. A higher density significantly slows the
print down but results in a harder model.
Support density – the density of the support structure. A higher density results in better
overhangs but the support structure is harder to remove.

Support internal pattern – a geometric shape repeated on the inside of the support structure
to add strength to it.
Lines
Grid
Zig Zag
Support starting angle – the maximum angle of overhangs for which the supports will be
printed.
0° (supports everywhere) – 90° (no supports)
Support placement – indicates where support structures should be generated
Everywhere
Touching build plate only
6.2.10.3 Saving a Print Profile
If any of the previous settings are changed, a new profile can be saved by clicking the floppy disk
icon on the right-hand side of the print settings header and filling the profile name in the following
dialog.

6.2.11 PREPARING A MODEL FOR PRINT
When you have prepared your models and chosen the fitting settings, it is time to click the
PREPARE FOR PRINT button in the right panel.
If something goes wrong during slicing, the following alert displays.
6.2.12 VIEWING GCODE AND SENDING THE PRINT JOB TO THE YSOFT SAFEQ
SERVER
For a better idea of how the print will look, you can use a GCode visualizer. On the right side of
the workspace, you have a slider that is used to select the visible part of the print job. To
determine if all the lines are aligned as you wish, the perspective switch can be turned off as
shown on the images below (left – perspective on; right – perspective off).

It is possible you do not have enough memory to view the vizualisation of GCode. In that case, a
notification (image below) displays but you can still upload your print job to the YSoft SafeQ
server.

6.2.12.1 Viewing a Specific Part of GCode
If you want to view a specific part of GCode such as shell, infill, or supports, you can switch to
Detailed view.
Shell – the part of the model that is outside. (blue)
Travel moves – the movements made by the print head without extruding filament. (red)
Infill – the part of the model that is inside. (yellow)
Supports – the part of the print that should be removed after the print is finished. (grey)
6.2.12.2 Sending to the YSoft SafeQ Server
After you are satisfied with the print job, you can use the SEND TO YSOFT SAFEQ button at the
bottom right-hand corner to upload your print job.

If you have not configured the connection details of the YSoft SafeQ server, an alert appears as
shown in the image below. Click the SHOW link to open the Network preferences and set up your
connection (see section How to Set Up a connection to YSoft SafeQ Server).
6.2.12.3 Exporting the Print Job
You can export the print job as two file types GCODE and 3DJOB. The GCode file can be used for
some debug analyses. The 3djob should be used to manually upload to the YSoft SafeQ server in
the future. To export, use the "Export as…" item in the File menu.

6.3 USING YSOFT BE3D EDEE
6.3.1 INTRODUCTION
Purpose of this document is to provide end user with a full overview how to prepare a 3D print
job, send it to the printer and operate the YSoft be3D eDee printer.
6.3.2 SENDING A PRINT JOB TO YSOFT SAFEQ
To be able to send a print job to YSoft SafeQ, YSoft SafeQ must be installed in the print
environment. For more information, please see the YSoft be3D eDee Installation Guide.
User has to have DeeControl 2 installed on his machine to be able to process the 3D object and
send it for printing.
6.3.2.2 DeeControl 2
Follow the User guide:
DeeControl 2 - User Guide

6.3.3 USER AUTHENTICATION ON YSOFT BE3D EDEE PRINTER
A user can be authenticated only when eDee is connected to the YSoft SafeQ server. The user
must also have been pre-defined with access rights by an administrator.
The supported authentication methods are:
PIN (Picture 1)
User name and password (Picture 2)
ID card (Picture 3)
ID card OR User name and password (Picture 2)
ID card AND User name and password (Picture 2)
ID card OR PIN (Picture 1)
ID card AND PIN (Picture 1)
Picture 1

Picture 2
Picture 3
Authentication methods are configured by the administrator during Terminal installation.
When using an ID card, the card should be swiped over the front right corner of the top lid (over
the sticker).
6.3.3.1 Log out
To log out, select the exit icon which appears next to the user's name.
6.3.3.2 Unknown user
Should a user's ID card not be recognized by eDee, the following message will be displayed:

The user should contact the YSoft SafeQ administrator for assistance.
6.3.4 JOB LIST AND JOB MANAGEMENT ON YSOFT BE3D EDEE PRINTER
Once the user authenticates, the job list is displayed with the list of jobs waiting to be printed.

The following information is displayed:
User name
Information about the user's account credit balance (when the Payment feature is enabled)
3 separate tabs with print jobs folders (based on the device settings)
Waiting - displays the list of jobs that are ready to be printed
Printed - displays the list of jobs which were already printed in the past (either
successfully or unsuccessfully), jobs are displayed for a certain period of time depending
on the SafeQ settings
Favorite - displays the list of jobs that were marked as favorite
For each job, additional data are displayed:
Thumbnail - visualization of the 3D model
Job name
The age of the print job - when it was sent to YSoft SafeQ
Price estimation - when accounting is turned on

Time required to print
Delay notification icon (alarm clock) - when Filament counter feature is on and if there's not
enough filament to print the job
Star - star symbol represents the favorite job selection, if selected, job is marked as favorite
and is visible also in favorite jobs tab and should never be deleted from YSoft SafeQ.
Gear - display popover with additional info
Additional info displays bigger thumbnail of a job, it's name, owner, time of upload, time needed to
be print, material and it's usage.
The user can choose a print job by selecting it.
When a job is selected it is possible to
Select the i (information) icon to display more information about the selected job.
Mark the selected job as a favorite by selecting the star icon. Print jobs marked as favorites
can be easily reprinted later.

6.3.5 PRINTING A MODEL ON YSOFT BE3D EDEE PRINTER
Once you selected a print job, the panel of list of print jobs will be replaced by new buttons:
Select Continue to begin the print process.
In case user does not have sufficient funds to print the model following message is displayed
In case Filament counter feature is on and there's not enough filament to print the model
following message is displayed

In case your model print time is longer than 5 hours following message is displayed. If you
choose "Send snapshots", you will receive email notification with a photo of your current print
progress at 5% and 55%.
When beginning the print process, a print guide appears. The print guide is a sequence of
steps which guides the user to prepare the printer for the print job.
For glass print pad: The user must take the print pad out of the print chamber, clean any glue
deposits using the spatula or wash it under the hot water.
Once the print pad is clean, apply an even layer of glue on it and return the print pad into
the print chamber. Close the print chamber door. Select Start Printing.

For plastic print pad: The user must take the plastic print pad out of the printer and wipe the
surface clean with the suplied cleaning wipes.
Once the pad is clean, place the print pad on the print pad holder leaving no gap in
between. Close the print chamber door and select Start Printing.
If there is an option to select used print pad, select the correct type.

The printer will check that the print pad is present and that the door is closed.
If the print pad is missing, a dialog window appears. Place the print pad in the printer and
close the door.
If the printer detects the door is open, a dialog window appears advising the user to close the
door.

Printing begins when the user closes the door with the job transfer, which might take couple
of minutes depending on the model size and the network speed.
In case there is a problem with the job retrieval (e.g., in case of local FlexiSpooler and the
device not available) following message will be displayed.

Please note: If you use CBPR client computer must be online and accessible. The application
will stuck on "Transferring job" screen otherwise.
6.3.6 PRINTING
Printing starts with print pad calibration:
Once the calibration is finished, the print window is displayed.
On this screen, the following information is shown:
The picture of eDee displays a green progress bar which illustrates how much of the current
print job has been completed.
On the right side of the screen, basic information about the print job is displayed:
Printing time - shows how long the current print job has been running.
Time Left - an estimate of how much more time is needed to complete the print job.
Nozzle temperature - displays the current temperature of eDee's nozzle.

This information may be needed when troubleshooting.

Stop printing - provides possibility to terminate current print job. This option require
authentication of the job-owner. Other users can notify only the administrator upon
authorization, and he can terminate the job instead of the job owner
Notify admin - sends an email message to the administrator.
6.3.7 PRINTING FINISHED
Once the printing finishes, the following message is displayed:
The user receives an email notification that the print job is finished:
The model can be retrieved once the nozzle is cooled down (at leas down to 50°C).

The job owner can unlock the printer to remove the model, or if not satisfied with the print,
demand a refund.
The job owner has to identify himself as a first step for either action.
In case the authorization is not successful, following message will be displayed.
Once the user is authorized print summary is displayed:

The user can request refund if he is dissatisfied. If the user wants to demand a refund, a camera
snapshot of the printed model is sent with a notification to the administrator.
When user clicks Unlock door or finishes the refund request the print chamber door will open and
the model can be removed.
User can open door if he accidentally locks it. When he decides to continue following confirmation
is displayed:

As a courtesy to other users, the user should clean the print pad after removing the print.
Once the print is removed, the user will select Finish to end the print job.
If the print chamber door is not closed, following message will be displayed.
Once the door is closed, the authorization screen is displayed and the next user can start a
print job.
6.3.8 SEND A REQUEST TO ADMINISTRATOR
Any time that the eDee printer is printing, any registered user can notify the Administrator about
a specific issue.
a) Select Notify admin.
b) To be transparent about who is sending a notification, the user is required to authenticate at

the printer.

c) After authentication, a list of possible issues is presented on the screen.
d) The user can select one or more options to report. Once one or more issues are selected, the
Select button becomes activated. Tap the Select button.
e) Confirmation is displayed on the screen that the administrator has been notified.

6.3.9 STOP PRINT
Job owner can stop the print job. He can do it simply by tapping at stop print button:
Then he is asked to authenticate:
When another user tries to log in and stop print the screen with information that only owner can
stop the job is displayed.

When the job owner successfully authenticates he is asked to confirm, that he really wants to
stop the print job.
The job is then stopped, user is charged for printing so far if the accounting is turned on.
He needs to wait for nozzle to cool down:
And than he can take the model out.

Than is the workflow same as when the print ends, print summary is displayed:
User can request refund if he is dissatisfied. If the user wants to demand a refund, a camera
snapshot of the printed model is sent with a notification to the administrator.
When user clicks unlock door or finishes the refund request the print chamber door will open and
the model can be removed.

User can open door if he accidentally locks it. When he decides to continue following confirmation
is displayed:
As a courtesy to other users, the user should clean the print pad after removing the print.
Once the print is removed, the user will select Finish to end the print job.
If the print chamber door is not closed, following message will be displayed.
6.4 YSOFT BE3D EDEE INSTALLATION GUIDE
6.4.1 PURPOSE OF THIS DOCUMENT
This document is an installation guide for partner technician on how to unbox and install the eDee
printer at customer's.
Only a trained technician is allowed to unbox and install the eDee printer on site!

More detailed information regarding the eDee printer can be found in the YSoft be3D eDee
Administrator Guide.
6.4.2 HARDWARE OVERVIEW
The eDee solution contains 2 HW components:
YSoft card reader (optional)
6.4.2.1 YSoft be3D eDee printer

1 – Display
2 – Print pad holder
3 – Print head
4 – Front (main) door
5 – Side (spool chamber) door
6 – Electro-mechanical lock
7 – Counterpart of electro-mechanical lock
8 – Power switch
9 – Slot for LAN connection
10 – Power slot
11 – Power cable holder/Kensington lock slot
12 – Manufacture label
13 – Filament entrance/filament detector
14 – Card reader mount
6.4.3 SW OVERVIEW
The eDee solution uses 2 software components:
YSoft SafeQ 6 - which is a Workflow Solutions Platform, for more information see About YSoft
SafeQ 6.
YSoft be3D DeeControl - 3D job slicing software. For more information see Using YSoft be3D
DeeControl.

6.4.4 UNBOXING
1. Cut the tape on the box.
Packaging version 1:
Packaging version2:
2. Remove the printer from the box and from a plastic bag.
Be careful, when lifting the printer from the box due to its weight (28,5 kg)!

6.4.5 NETWORK AND POWER CORD CONNECTION
1. Pull up the top lid and remove it.
2. Remove the red blind plug from Top lid sheathing.
3.
3. Unpack the power cable from printer´s box and the power cord from the spool chamber.
4. Connect the power cable to power cord.
5. Connect the Power cord and Ethernet cable to the appropriate socket on the back side of
the printer as displayed in the following picture.

6.4.6 TERMINAL EXTRACTION
Open the terminal by pushing it gently and then let go.
Once the device is plugged into the electricity, turn it on using the power switch at the back side
of the printer.
YSoft be3D eDee starts by booting up the system:
Once the system is initialized, the device will start the terminal application:

When YSoft be3D eDee first starts up, the eDee Service menu screen is displayed:
6.4.7 LOGIN TO SERVICE MENU
Use the predefined authorization PIN code: 7777 to access the service menu. The administrator
can change the PIN afterwards (see YSoft be3D eDee Administrator Guide).
Once you are logged in, following menu is displayed.

6.4.8 OPEN ALL DOORS
Select the Print & manual control and then press on the Unlock front door and Unlock side door
.

6.4.9 REMOVE FIXING FOAMS AND ACCESSORY BOX
Remove protective foams from the print chamber and take out the filament box.
1. Remove the foams fixing the printhead.
2. Also the filament can be removed now.

1. Remove flat cardboard and front foam.

2. Now pull both REAR ends of foams. Then remove them completely. After that pull out the
remaining cardboard through the front door.

3. Plug the PTFE tube to the printhead (simply push in). Also filament can be removed now.
Once the side door is open, take out the accessory box from the spool chamber:

KEEP THIS FOAMS WITH PACKAGE FOR FUTURE PACKING. The head should be secured for
any transportation, otherwise, there might be a damage to the print head or the printer
insides.
6.4.10 UNPACK ACCESSORY BOX
Open the accessory box:
Make sure it contains all the following:

Spool holder
Glass pad
Spatula with rounded corners
Glue stick - 3 pieces
LAN cable
8mm spanner
2,5mm hex key
6.4.11 PLACE THE GLASS PRINT BED INTO THE PRINTING CHAMBER
Take out the glass from the bag and place it carefully into the printing chamber.

6.4.12 ATTACH THE CARD READER - OPTIONAL
If the customer ordered a card reader for the eDee printer, unbox it and locate the card reader
connector inside the spool chamber:
Plug the micro USB cable to its socket and attach the card reader to the connector:

Once the card reader is connected and mounted enter the Card reader menu from the service
menu.
The card reader protocol will be displayed:

If needed you could select the different card reader protocol by pressing the Change button,
selecting the appropriate protocol from the list and pressing the Select button.
Once the protocol is selected you can test it using the test card reader and put the customer's
card on the reader.

All the reads from the tested cards will be displayed in a table.

6.4.13 LOAD FILAMENT
Unpack the filament from the box and remove it from the plastic bag.
Insert only PolyMaker filament approved by YSoft for eDee printers. If you load a filament not
suitable for eDee and its full metal nozzle, you will damage the print head (the nozzle will get
clogged immediately) and lose the warranty on this part.
Mount the spool holder (part of the accessory kit) to the spool chamber.

When manipulating with the filament keep it constantly under pressure so that it will not
loosen up. If it gets loose, it might get tangled during printing and the print job will not be
successful.
Take the loose end of the filament and push it gently into the Filament limit switch in the spool
chamber (the entry point is depicted as an end switch in the following image), push it through
until it reaches the print head, there should be slight resistance and with a slight pressure you
should feel as the printhead starts to pull the filament itself.
In case it is not possible to push it through to the head completely, you can detach the silicon
tube from print head by pressing the orange tube joint.
You can then guide the filament through the tube, so you have few centimetres out of the tube
and guide those to the head manually.

Once you cannot push through, slide in the silicon tube again, until it is locked in the orange
holder again. Place the spool onto the spool holder in the chamber.
Select the Filament manipulation menu from the Service menu.

Once you enter this menu item, the nozzle starts heating up immediately, avoid touching it.
Once the nozzle is heated the feed filament option becomes available, go ahead and press the
Feed filament in button.

Once the feeding in starts, you should see the filament moving in the spool chamber, if not try to
push it gently from the filament chamber until you feel that the filament is being pulled by the
printer. You can stop feeding in filament once you are satisfied by pressing the red cross.
You should always select the recently loaded filament color, spool size and remaining filament on
the spool, so that the eDee administrator/user will be able to know which filament color is loaded
in the eDee printers.

6.4.14 MOTION TEST
You should test the print head and print bed movement before the first use, select the Print &
manual control menu from the service menu.
You can move the head and the print bed by simply clicking on the arrows. Once you are sure
both are moving correctly, you can send both to the home position by clicking the home icon.

In case you would like to make sure everything is setup correctly, you can perform a diagnostic
print, select the Diagnostic print from the Print & manual control menu.
You can then select any of the diagnostic print jobs:
Once the print job is selected, the administrator is walked through the standard printing
procedure (see Using YSoft be3D eDee for more information):
cleaning up the bed

application of the glue
printing
Print test diagnostic print job - basic evaluation, whether the offset is correct and the nozzle is
extruding as it should. See in Service manual: 7.3 Running the Diagnostic print after repairment
Calibration test is used for advanced evaluation, here is the outcome guidance:
Defect Image
No Issues
Cooling issue
Bowden issue/ clogged nozzle

Defect Image
Blocked spool, bowden issue
6.4.15 OFFSET TEST
After transporting the eDee printer, you should always perform an offset test and fix the offset if
needed, make sure to prepare the print bed in advance, apply glue around all the glass and make a
diagonal cross on it.
To perform the test go to the Nozzle setting menu.

Select Test offset to perform the test.
The test will begin automatically after the Nozzle is heated.

The resulted print out should look like this, with solid lines without any gaps:
In case you need to adjust the offset, use the set offset option.
You must remove the plastic print pad prior to the "set offset" setting the offset with the
plastic print pad in the printer may result in permanent damage to the print pad

Insert a sheet of paper (office paper - 80g/m ²) between the nozzle and print bed.
If you cannot insert a paper you have to move the print bed down by tapping “down 0,1mm”
button. Once you have inserted the sheet of paper move the print bed up by tapping “up 0,1mm”
until you feel that you cannot move the paper.
Then tap “down 0,01mm” and you should be able to move the paper but feel a little resistance.
Then click to Save button and test the offset again.
6.4.16 CLOSING THE EDEE PRINTER
Once all the previous steps are completed successfully, you can place back the eDee printer top
lid followed by the spool and printing chamber.

6.4.17 CONFIGURE THE NETWORK ADDRESS
By default, the network address is obtained by the DHCP and it is shown at the top left corner of
the service menu. If you wish to change it please select the Network button from the service
menu.
Turn off the DHCP and configure the network setting manually.

The SafeQ address will be configured automatically by the YSoft SafeQ server installation.
6.4.18 ADDING EDEE DEVICE TO YSOFT SAFEQ 6
Prerequisite: YSoft SafeQ Server is correctly installed and configured. For more information, please
see the article Installing YSoft SafeQ 6 Server.
Follow the procedure below to connect eDee device with YSoft SafeQ 6 (more information can be
found at Updating YSoft be3D eDee).
1. Go to Tenant management in YSoft SafeQ 6 and select Devices.

Picture: YSoft SafeQ6 menu
2. Press Add device button.
Picture: Button ADD DEVICE to add new device into YSoft SafeQ 6.
3. Fill in all required fields: Name, Device group, Network address (eDee device IP address), and
Spooler Controller group.

Picture: Filling in all required fields to add new device.
4. Open Terminal type selector and select YSoft eDee.
Picture: Selecting YSoft eDee terminal type.
5. Press Save Changes button.
Picture: Save changes button to add new device into YSoft SafeQ 6.
6. Once the Save button is selected, SafeQ configures remotely the device and reinstalls the
terminal.

7. Once the terminal installation is complete, a confirmation message is displayed.
In case there is an error with the reinstallation following message is displayed.
8. Now a new eDee device is added.
Picture: Administrator can see terminal ID of any device by pressing EDIT button.

6.4.19 ACCOUNTING
In case the customer has an accounting turned on, you should set up the pricing for eDee -
please look at Configuring and Managing Price Lists.
6.4.20 LOCKING THE DEVICE - OPTIONAL
YSoft eDee printer is ready to be safely attached to a table with a PC desktop Lock (e.g.
Kensington K64617S). Guide the loose end of the lock, through the hole in the cable holder in the
back of the printer as depicted in the following picture.
6.5 YSOFT BE3D EDEE REQUIREMENTS AND KNOWN LIMITATIONS
6.5.1 REQUIREMENTS
YSoft be3D eDee requires a YSoft SafeQ environment installed in network, for more details
please refer to the YSoft SafeQ server installation guide.
6.5.2 KNOWN LIMITATIONS

7 YSOFT SAFEQ DEMO
7.1 ABOUT YSOFT SAFEQ DEMO
YSoft SafeQ Demo is a tool, which is used to give YSoft SafeQ DB (PostgreSQL Embedded
database) the appearance of actual use for certain time period. SafeQ demo helps can help both
with technical training or sales presentations by allowing to show a real product usage and
present features like reporting on real data.
YSoft SafeQ Demo can be used only in a testing environment where fresh installation of
YSoft SafeQ in default configuration was deployed. Running YSoft SafeQ Demo against
production system is prohibited.
7.2 REFERENCES:
1. How to run YSoft SafeQ Demo
2. Limitations of YSoft SafeQ Demo
3. Troubleshooting YSoft SafeQ Demo
7.3 HOW TO RUN YSOFT SAFEQ DEMO
7.3.1 YSOFT SAFEQ DEMO ON WINDOWS
This chapter aims to give information on how to use YSoft SafeQ Demo on Microsoft Windows.
7.3.2 PRECONDITIONS
Microsoft Windows operating system.
YSoft SafeQ is installed with PostgreSQL embedded database.
To demonstrate multiple tenants environment, the multi tenant license must be activated before
running the YSoft SafeQ Demo for the first time or after the cleanup.
To run YSoft SafeQ Demo together with Payment System, it is necessary to install Payment
System and enable it in YSoft SafeQ.
7.3.3 YSOFT SAFEQ DEMO INSTALLATION
Copy YSoft SafeQ Demo files to the same computer where YSoft SafeQ 6 is installed.

Custom configuration is supported only if the demo is run with YSoft SafeQ Demo
Application.exe, as described in the following section.
7.3.4 YSOFT SAFEQ DEMO USER INTERFACE (RECOMMENDED)
Run YSoft SafeQ Demo Application.exe with administrator privileges
7.3.4.1 Starting Demo management
Starting the demo - Navigate to the Demo Control tab. There are two ways to start the
demo:
Click on Generate YSoft SafeQ demo data button if you want to generate static data into
SafeQ.
On the first run (after clean installation or after cleanup), Demo creates the initial
configuration with defined initial number of jobs.
On the next run, Demo adds only new jobs to fill in the empty time frame between the
last run and the current time.
Click on Start generating continuous demo data button if you want to keep the Demo
inserting new jobs into YSoft SafeQ continuously.
On the first run (after clean installation or after cleanup), Demo creates the initial
configuration with defined initial number of jobs and keeps inserting new jobs in
predefined intervals.

On the next run, this adds jobs since the time when Demo was stopped and continues
adding new jobs in predefined intervals.
The Stopgenerating continuous demo data button can be used to stop the daemon.
Clean data from YSoft SafeQ
This option is used to remove all data which were either generated by YSoft SafeQ Demo
or created manually.
Running cleanup does not ensure the same database content as a clean installation of
YSoft SafeQ. Some data might not be removed by the cleanup.
Configuring YSoft SafeQ Demo
You can change profiles that will be generated in General Settings tab. These profiles
represent tenants, that will be created in YSoft SafeQ and each tenant will have data that
represent the correct vertical. For example Education will be focused on education segment
and will have different print job names than Financial vertical.
In the Profile Settings tab it's possible to further configure some values for each profile:
Number of days - Number of days to the past when the jobs will be created.
Number of jobs - Number of jobs generated each day. Jobs are generated with the
following ratio: Monday 120% jobs, Tuesday 90% jobs, Wednesday 110%, Thursday
100% and Friday 80%.

Scan workflow templates - You can add custom templates that will be imported for
each profile
The Embedded Terminal tab contains convenience buttons for creating the link to
Embedded terminal application
After selecting the desired application you can either open the application directly in
the web browser or copy it to clipboard
It always points to the first generated terminal
7.3.5 YSOFT SAFEQ DEMO - WITHOUT USER INTERFACE
If YSoft SafeQ Demo has to be run for any reason without user interface, batch files can be used.
7.3.5.1 Starting YSoft SafeQ Demo
YSoft SafeQ Demo can be executed in 2 ways:

demo_init.bat creates the initial configuration with an initial number of jobs. A new run of
demo_init.bat creates only new jobs to fill in the empty time frame between the last run
and the current one.
demo_daemon.bat has the same functionality as demo_init.bat, but continues inserting

new jobs into YSoft SafeQ periodically. If stopped, the next run of demo_daemon.bat will
only add jobs between the last run and the current time and then continue adding new
jobs periodically.
These two methods can be combined, but never concurrently.
7.3.5.2 Cleaning database data
In order to cleanup data from YSoft SafeQ, run demo_cleanup.bat with administrator privileges.
This also removes any data from YSoft SafeQ that were added manually by the user.
The cleanup essentially (with some exceptions) returns the database to clean post-installation
state.
7.4 LIMITATIONS OF YSOFT SAFEQ DEMO
7.4.1 POSTGRESQL DATABASE ONLY
YSoft SafeQ Demo supports only PostgreSQL database.
7.4.2 ADDING NEW ITEMS
It is possible to add new items to YSoft SafeQ using the YSoft SafeQ web interface, but the
YSoft SafeQ Demo ignores them. The consequence is that manually created user will not receive
any jobs and that no jobs will be assigned to any newly added printer.
7.4.3 REMOVING GENERATED ITEMS
Unfortunately, it is not possible to prevent the user from removing/editing generated items from
YSoft SafeQ via the YSoft SafeQ web interface.
Such actions will lead to an unexpected functionality of demo scripts since removed devices,
users, etc. would still be assigned to new jobs.
7.4.4 CURRENCY
The currency must be changed in YSoft SafeQ before any demo scripts are run. YSoft SafeQ
Demo uses the YSoft SafeQ configuration.

7.4.5 CLEANUP SCRIPT
The cleanup script cleans the entire database, including items which were not created using
YSoft SafeQ Demo scripts.
Exceptions are:
changed YSoft SafeQ settings (this includes changes made by YSoft SafeQ Demo)
created rules
price lists are not removed/changed
7.4.6 JOBS ON LOCAL PRINTERS
Local printers are created, but no jobs are assigned to these printers.
7.4.7 DELETING JOBS
Jobs are marked as "Deleted" after the number of days set in the YSoft SafeQ Demo
configuration (DAYS_TO_DELETE_JOB). YSoft SafeQ Demo does not respect the "delete after
print" configuration on printers, or "maxSpoolerJobTime" "maxSpoolerJobTimePrinted" and
"deleteAllJobsAfterPrint" in YSoft SafeQ system settings. The YSoft SafeQ Demo configuration
DAYS_TO_DELETE_JOB should always be less than the "maxSpoolerJobTime" configuration which
is set in YSoft SafeQ. If not, some jobs may be deleted twice.
7.5 TROUBLESHOOTING YSOFT SAFEQ DEMO
Problem: Demo does not run or does not work correctly.
Run demo cleanup and then try to run YSoft SafeQ Demo again.
If this does not help, please report the problem to Service Desk. Such report should contain:
1. Folders logs, profiles, tmp which are located in the folder with YSoft SafeQ Demo.
2. Description of the problem.
3. Description of steps to reproduce the error.
4. Windows version
5. YSoft SafeQ Demo version. If you are not sure which version do you use, include the
file version.txt located in the folder with YSoft SafeQ Demo
Problem: After starting YSoft SafeQ Demo the following error appears: "The application has
failed to start because its side-by-side configuration is incorrect."
Open YSoft SafeQ Demo folder. Install vcredist_x86.exe which is located in folder vcredist.

If the problem persists, try updating Windows using Windows Update.
Should the problem persist after Windows Update finishes, please report the problem to
Service Desk. Such report should contain:
1. Problem description
2. Windows version
file version.txt located in the folder with YSoft SafeQ Demo.
Problem: After starting demo cleanup as administrator an error message "ERROR: Run as
Administrator!" appears.
Check if Server service (LanmanServer) is running. If not, then try to start the service and
then try to run the cleanup again.
If this does not help, please report the problem to Service Desk. Such report should contain:
1. Folders logs, profiles, tmp which are located in the folder with YSoft SafeQ Demo.
2. Description of the problem.
3. Description of steps to reproduce the error.
4. Windows version
file version.txt located in the folder with YSoft SafeQ Demo.

YSoft SafeQ 6 Build 50 Documentation

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

YSoft SafeQ 6 Build 50 Documentation

Uploaded by

Copyright:

Available Formats

YSOFT SAFEQ 6

Y SOFT SAFEQ 6 DOCUMENTATION WWW.YSOFT.COM

1 YSoft SafeQ Build 50 24

Y SOFT SAFEQ ENTERPRISE WORKFLOW PLATFORM 24

2.1 WHAT IS YSOFT SAFEQ 6?

2.1.1 A WORKFLOW SOLUTIONS PLATFORM

As a platform, YSoft SafeQ 6 includes three main pillars:

Document Capture/Automated Workflows,

3D Printers/3D Print Management.

The three main pillars enable customers to:

Centralize print management across 2D and 3D printers:

Embedded in the world's most popular MFD brands,

Embedded in 3D printers from Y Soft Corporation, a.s.

Reduce costs on print, scan, and copy services.

Increase document and 3D object security.

Improve productivity through automated scan workflows and pull-printing.

Contribute to organization sustainability initiatives.

2.1.2 SUITES AND MODULES

Y SOFT SAFEQ ENTERPRISE WORKFLOW PLATFORM 25

2.2.1 COMPONENT OVERVIEW

Y SOFT SAFEQ ENTERPRISE WORKFLOW PLATFORM 26

Managers that use web and other reports

SafeQ specific protocols - YMQ, Communicator and MessagingV1

2.2.2 NETWORK COMMUNICATION

2.2.2.1 Security configuration

2.2.2.2 Firewall Configuration Best Practices

JMX Ports Threat

Y SOFT SAFEQ ENTERPRISE WORKFLOW PLATFORM 27

Bandwidth and latency must be considered for each implementation:

2.2.2.4 Network communication overview

Client Server Unsecured Secured Applicati Networ Transferred data

User Manage 80 443 HTTP TCP User credentials, settings,

Manageme Manage 2379 n/a HTTP TCP Database password

Manageme Manage 2380 n/a HTTP TCP Database password

Manageme Manage 6020 6020 Proprieta TCP Synchronization info, system

Spooler Manage 6010 6010 Proprieta TCP Configuration

Payment Manage 4096 n/a Proprieta TCP Firmware update

Y SOFT SAFEQ ENTERPRISE WORKFLOW PLATFORM 28

Payment Manage 64099 n/a Proprieta UDP Server discovery

User Manage 80 443 HTTP TCP Credentials, availability status,

ProactiveC Manage 19898 n/a JMX, TCP System state

– Manage 4099 n/a ServerSync

Client side Server Unsecured Secured Applicat Netwo Transferred data

Spooler Spooler 5555 5555 Propriet TCP Configuration

Management Spooler 5020 n/a HTTP TCP Job preview

Mobile Spooler 5555 5555 Propriet TCP User credentials, configuration

End User Spooler 5555 5555 Propriet TCP Configuration

FlexiSpooler Spooler 5555 5555 Propriet TCP User credentials, configuration

Flexispooler Spooler 5566 n/a HTTP TCP Print job accounting

Y SOFT SAFEQ ENTERPRISE WORKFLOW PLATFORM 29

Terminal Spooler 5556 n/a Propriet TCP Configuration, notification

Terminal Spooler 5020 n/a HTTP TCP Job preview

Workflow Spooler 5555 5555 Propriet TCP Configuration

Payment Spooler 5556 n/a Propriet TCP Configuration, license, user

ProactiveCare Spooler 9000 n/a JMX TCP System state

ProactiveCare Spooler 9898 n/a JMX TCP System state

ProactiveCare Spooler 9999 n/a JMX TCP System state

ProactiveCare Spooler 19044 n/a JMX TCP System state

Identity Spooler 5555 5555 Propriet TCP User credentials

Client side Server Unsecur Secured Applicatio Net Transferred data

Embedded terminal Termi 5011 5012 SOAP TCP User credentials

Y SOFT SAFEQ ENTERPRISE WORKFLOW PLATFORM 30

Embedded terminal Termi 5011 5012 SOAP TCP User credentials

Embedded terminal Termi 5013 5029 HTTP TCP User credentials