Setting up a security template

Before you can secure access to applications and functions, you need to create a security template that uses Smart Card Authentication Client to obtain user credentials. You can then assign this security template to each application and function you want to protect.

1. Create a building block.

   1. From the Embedded Web Server, click Security > Security Setup.

   2. Under the Advanced Security Setup heading, click the building block (or blocks) appropriate for your environment, and then configure it.

      Note: For more information on configuring a specific type of building block, see the “Configuring building blocks” section of the Embedded Web Server Administrator’s Guide for your printer.

2. Create a security template.

   1. From the Embedded Web Server, click Settings or Configuration.

   2. Click Security > Security Setup.

   3. Under the Advanced Security Setup heading, click Security Template > Add a Security Template.

   4. Type a name for the security template (for example, Smart Card).

   5. From the Authentication Setup menu, select Smart Card Authentication Client, and then click Save Template.

   6. Verify that your template appears in the Manage Security Templates list.

   Setting up group authorization for the Security Template

   Notes:

   • This method applies only to printers running Embedded Solutions Framework (eSF) version 3.0 or later.
   • Make sure you have configured the Group Authorization List from the Smart Card Authentication Client application configuration settings. For more information, see Configuring advanced settings.

   1. From the Manage Security Templates list, select the security template name.

   2. Click Modify Authorization.

   3. From the Authorization Setup menu, select Smart Card Authentication Client.

   4. Click Modify Groups.

   5. Select one or more groups, and then click Save Template.

   For more information on configuring security templates and using access controls, see the Embedded Web Server Administrator’s Guide for your printer.

Securing access to the home screen

Use this method to require users to authenticate to view and use the printer home screen.

1. Access the Background and Idle Screen application configuration settings from the Embedded Web Server.

2. Under the Idle Screen Settings heading, make sure Enable is selected.

3. In the Start Time field, enter 0. This prompts the printer to start the secure idle screen immediately (0 seconds) after a user’s login session ends.

4. Under the Home Screen Background heading, make sure Enable is not selected if you do not want users to be able to change the home screen background image from the printer control panel.

5. If you want to add custom idle screen images, then click Add under the Idle Screen Images heading.

6. Type an image name, and then upload the file you want to use.

   Note: For information about compatible image file types and recommended file sizes, see the mouse-over help next to the field.

7. Click Apply.

8. Repeat step 5 through step 7 to add more idle screen images. You can add up to ten images.

9. If you want to add a custom home screen background image, then under the Home Screen Background heading, select one of the default images, or upload a custom image in the Custom Image field.

   Note: For information about compatible image file types and recommended file sizes, see the mouse-over help next to the field.

10. If necessary, configure the other application settings. For more information about configuring Background and Idle Screen, see the Background and Idle Screen Administrator’s Guide.

11. Click Apply.

12. Secure access to the idle screen using Smart Card Authentication Client.

    On printers running the Embedded Solutions Framework (eSF) version 3.0 or later:

    1. Make sure you have created a security template that uses Smart Card Authentication Client to obtain user credentials. See Setting up a security template.

    2. From the Embedded Web Server, click Settings > Security > Security Setup.

    3. From Step 3 under the Advanced Security Setup heading, click Access Controls.

    4. If necessary, expand the Device Solutions folder.

    5. From the Idle Screen drop-down menu, select your security template.

    6. Click Submit.

    On printers running eSF version 2.0:

    1. Access the eSF Security Manager application configuration settings from the Embedded Web Server.

    2. From the Idle Screen drop-down menu, select Smart Card Authentication Client.

    3. Click Apply.

    Note: If you are unsure about which version of eSF your printer is running, then see Checking which version of the Embedded Solutions Framework is installed on a printer.

Securing access to individual applications and functions

Securing access to installed applications and functions

Use this method to restrict access to installed applications, such as Scan to Network, or to restrict access to the individual functions of an installed application, such as the Change Background function of the Background and Idle Screen application.

On printers running the Embedded Solutions Framework (eSF) version 3.0 or later:

1. Make sure you have created a security template that uses Smart Card Authentication Client to obtain user credentials. See Setting up a security template.

2. From the Embedded Web Server, click Settings > Security > Security Setup.

3. From Step 3 under the Advanced Security Setup heading, click Access Controls.

4. If necessary, expand the Device Solutions folder.

5. For each application or function to which you want to secure access, select your security template from the drop-down menu.

6. Click Submit.

On printers running eSF version 2.0:

1. Access the eSF Security Manager application configuration settings from the Embedded Web Server.

2. For each application or function to which you want to secure access, select Smart Card Authentication Client from the drop-down menu.

3. Click Apply.

Securing access to built-in printer functions

Use this method to restrict access to built-in printer functions, such as copy and fax.

1. Make sure you have created a security template that uses Smart Card Authentication Client to obtain user credentials. See Setting up a security template.

2. From the Embedded Web Server, click Settings or Configuration, and then click Security > Security Setup.

3. From Step 3 under the Advanced Security Setup heading, click Access Controls.

4. If necessary, expand one or more of the access control category folders.

5. For each function to which you want to secure access, select your security template from the drop-down menu.

6. Click Submit.

Notes:

• If you have used a built-in printer security setup to protect the Use Profiles access control, then any installed applications you secure using Smart Card Authentication Client will prompt users for credentials twice. When users touch a secured application icon, they will first be prompted for the credentials specified by the Use Profiles access control, and then they will be prompted for their Smart Card or user name and password.
• If you need to secure access to profiles you have created and installed on the printer, then you can remove the printer security template applied to the Use Profiles access control, and then apply a security template that uses Smart Card Authentication Client. All of your installed profiles will be secured and users will be prompted for their Smart Card or user name and password when they attempt to access a profile.

Configuring login screen settings

You can use the login screen settings to choose how users will be allowed to log in to the printer and whether they will be prompted for a PIN or a password after inserting a Smart Card.

1. Access the Smart Card Authentication Client application configuration settings from the Embedded Web Server.

2. Under the Login Screen heading, from the Login Type menu, select how users will be allowed to log in to the printer:

   • Smart Card Only—This allows users to log in using a Smart Card.

   • Smart Card or Manual Login—This allows users to log in using either a Smart Card or a user name and password.

   • Manual Login Only—This allows users to log in using a user name and password.

   Notes:

   • If you selected Smart Card or Manual Login or Manual Login Only, then configure the Manual Login Domain(s) setting under the Manual Login Setup heading. See Configuring manual login setup settings. If you do not configure this setting, then users will not be allowed to log in to the printer manually (using their user name and password).
   • If you selected Smart Card Only, then configure the setting to User Validation Mode. For more information, see Configuring User Validation Mode settings.

3. From the Validate Smart Card menu, select whether users will be prompted to type a PIN or a password after inserting a Smart Card.

4. Click Apply.

Configuring manual login setup settings

Notes:

• If users are allowed to log in to the printer manually (using a user name and password instead of a Smart Card), then specify a list of Windows domains for users to select from during login.
• For eSF v4.x printers, if a manual domain is not specified, then the printer will use the domain in the Kerberos configuration file. To view the complete list of supported printers for each version of the Embedded Web Server, see the Readme file.

1. Access the Smart Card Authentication Client application configuration settings from the Embedded Web Server.

2. Under the Manual Login Setup heading, in the Manual Login Domain(s) field, specify the domain or domains that will be available for users to select during login. Separate multiple domains with a comma. Domains are case-sensitive and are usually typed in lowercase.

3. Click Apply.

Configuring Smart Card setup settings

Configuring Kerberos settings

In addition to providing the mechanism for validating login credentials, Smart Card Authentication Client can also be configured to provide Kerberos authentication.

1. Access the Smart Card Authentication Client application configuration settings from the Embedded Web Server.

2. Under the Smart Card Setup heading, from the Kerberos Information menu, do one of the following:

   • Select Use device Kerberos setup file to use the Kerberos configuration file (krb5.conf) installed on the printer.

   • Select Use simple Kerberos setup to enter Kerberos information manually in the Simple Kerberos Setup fields.

     Notes:

     • Only one Kerberos realm can be specified using simple Kerberos setup. If you need to specify multiple realms, then use the device Kerberos setup file.
     • A Kerberos configuration file from an eSF version 2.0 or eSF version 3.0 printer will not work on an eSF version 4.0 printer.

   Using the device Kerberos setup file

   If you selected Use device Kerberos setup file, then make sure the Kerberos configuration file is installed on the printer.

   1. From the Embedded Web Server, click Settings or Configuration.

   2. Click Security > Security Setup.

   3. From Step 1 under the Advanced Security Setup heading, click Kerberos 5.

   4. Verify that the Kerberos configuration file is installed. If the file is not installed, then under the Import Kerberos File heading, upload the appropriate krb5.conf file, and then click Submit.

   Using simple Kerberos setup

   If you selected Use simple Kerberos setup, then enter the Kerberos information manually under the Simple Kerberos Setup heading. When you click Apply, the values you entered are used to create a Kerberos configuration file.

   • Realm—Specify the Kerberos realm as configured in Active Directory. This is typically the Windows domain name. Only one realm can be specified here. To specify multiple realms, customize a Kerberos configuration file and install it on the printer. The realm must be typed in uppercase.

   • Domain Controller—Specify the IP address or host name of the domain controller or domain controllers used for validation. Separate multiple values with a comma. The domain controllers will be tried in the order listed.

   • Domain—Specify the domain or domains that should be mapped to the Kerberos realm specified in the Realm field. The domain is the second part of the User Principal Name (UserID@DomainName) on the Smart Card. Type the domain in this format: domain name, comma, period, domain name again. For example, DomainName,.DomainName. Multiple domains that map to the specified Kerberos realm can be added here, separated by a comma. For example, DomainName1,.DomainName1,DomainName2,.DomainName2. The domain is case-sensitive and is usually typed in lowercase.

   • Timeout—Specify the number of seconds (3 to 30) to wait for a response from the domain controller before trying the next one listed.

Selecting the domain controller validation method

Under the Smart Card Setup heading, from the Domain Controller Validation menu, select the method to use for validating the domain controller certificate:

• Use device certificate validation—This is the most common method. This method uses the certificate of the Certificate Authority (CA) that issued the domain controller certificate to validate the domain controller certificate. The CA certificate must be installed on the printer.

• Use device chain validation—This method uses the entire certificate chain, from the domain controller to the root CA, to validate the domain controller certificate. The entire certificate chain must be installed on the printer.

• Use OCSP validation—This method uses the Online Certificate Status Protocol (OCSP) to validate the domain controller certificate. The entire certificate chain, from the domain controller to the root CA, must be installed on the printer, and the settings under the Online Certificate Status Protocol (OCSP) heading must be configured:

  • Responder URL—Specify the IP address or host name of the OCSP responder/repeater and the port being used (typically 80). Type the value in this format: http://ip_address:port_number.

    For example, http://255.255.255.0:80.

    Separate multiple values with a comma. The values will be tried in the order listed.

  • Responder Certificate—Upload the X.509 certificate for the OCSP responder. This certificate is used to validate that the response from the OCSP responder is from a trusted source.

  • Responder Timeout—Specify the number of seconds (5 to 30) to wait for a response from the OCSP responder before trying the next one listed.

  • Allow Unknown Status—Select this check box to allow users to log in if the OCSP response indicates that the certificate status is unknown. If the certificate status is unknown and the check box is cleared, then users will not be allowed to log in.

When you are done configuring Smart Card setup settings, click Apply.

Configuring advanced settings

Not all networks require you to configure advanced settings. If necessary, adjust the settings to enable the printer to communicate on your network.

1. Access the Smart Card Authentication Client application configuration settings from the Embedded Web Server.

2. Under the Advanced Settings heading, configure the following settings:

   • Session User ID—Select how the user ID will be obtained when a user logs in:

     • None—The user ID is not set. You can select this option if the user ID is not needed by other applications.

     • User Principal Name—The User Principal Name (UserID@DomainName) retrieved from the Smart Card or provided during manual login is used to set the user ID.

     • EDI-PI—The "UserID" portion of the User Principal Name (UserID@DomainName) retrieved from the Smart Card or provided during manual login is used to set the user ID.

     • LDAP Lookup—The user ID is retrieved from Active Directory.

   • E-mail From Address—Select where the printer should retrieve the user's e-mail address when sending e-mail.

     • Smart Card—This retrieves the e-mail address from the user's Smart Card.

     • LDAP Lookup—This retrieves the user's e-mail address from Active Directory.

   • Disable Reverse DNS Lookups—If reverse DNS lookups are not used on your network, then select this check box (if available).

     On printers running the Embedded Solutions Framework (eSF) version 3.0 or later, this setting is not available from the application configuration settings. If your printer is running eSF version 3.0 or later, then do the following to disable reverse DNS lookups:

     1. From the Embedded Web Server, click Settings > Security > Security Setup.

     2. From Step 1 under the Advanced Security Setup heading, click Kerberos 5.

     3. Under the Kerberos Settings heading, select Disable Reverse IP Lookups.

     4. Click Submit.

        Note: If you are unsure about which version of eSF your printer is running, then see Checking which version of the Embedded Solutions Framework is installed on a printer.

   • Wait for user information—For some secured applications to work correctly, additional user information must be placed in the login session. Select this option to retrieve all user information before allowing the user to access the home screen or secured application.

     Note: If you have enabled manual login and you are using the Secure E-mail application along with Smart Card Authentication Client, then you must select this option. This ensures that a manual login user’s e-mail address is stored in the login session and is available for use with Secure E-mail. If this option is not selected, then manual login users cannot send e-mail to themselves automatically. The Secure E-mail “Send me a copy” option will not be available.

   • Use SSL for User Info—Select this check box to use an SSL connection to retrieve user information from the domain controller. If this check box is cleared, then a non-SSL connection is used.

   • Other User Attributes—List any other LDAP attributes that should be added to the user's session. These attributes will be used with other applications. Separate multiple values with a comma.

   • Group Authorization List—List all Active Directory groups that are authorized to use at least one printer function. Separate multiple groups with a comma. Leave this field blank if you are not using group authorization.

   • Hosts File—If DNS is not enabled on your network, then upload a text file containing the necessary IP address–host name mappings.

     Type the mappings in the text file in this format: IP address, space, server host name. For example, 0.0.0.0 HostName. You can assign multiple host names to an IP address. For example, 0.0.0.0 HostName1 HostName2 HostName3. You cannot assign multiple IP addresses to a host name. To assign IP addresses to groups of host names, type each IP address and its associated host names on a separate line of the text file. For example:

     123.123.123.123 HostName1 HostName2

     456.456.456.456 HostName3

3. Click Apply.

Configuring User Validation Mode settings

You can secure your printer using the Smart Card without the need to maintain a full Kerberos authentication system. The user inserts the Smart Card into the reader and then enters the PIN in the printer home screen. If the Smart Card PIN matches the PIN entered in the home screen matches, then the user can access the application.

1. Access the Smart Card Authentication Client application configuration settings from the Embedded Web Server.

2. Under the Login Screen heading, set “Login Type” to Smart Card Only, and then set the Authentication mode to PIN ONLY.

3. From the Domain Controller Validation menu, select Use device certificate validation.

   Note: The Online Certificate Status Protocol (OCSP) must not be configured.

4. Under the Advanced Setting heading, set “E-mail From Address” to Smart Card, and then clear the Wait for user information check box.

   Note: Session User ID must be set to None, and the “Other User Attributes” and “Group Authorization List“ fields must be empty.

5. Click Apply.