Dell™ C7765dn CACStar™ Smart Card Reader Installation and Configuration Guide Document protection for CAC/PIV enabled Multifunction Devices
Information in this document is subject to change without notice. © 2015 Dell Inc. All rights reserved. This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in later editions. Improvements or changes in the products or the programs described may be made at any time. Note: For Dell technical support and downloads, visit dell.
Table of Contents
Introduction (page 3)
Hardware Installation (page 4)
Converting a Dell C7765dn to a CACStar Enabled Machine (page 8)
Configuring CACStar™ Security . . .
Introduction CACStar™ provides a solution to HSPD-12 requirements for CAC/PIV based protection of network data to and from printers or Multifunction Devices (MFDs). You can configure it to require an authenticated CAC/PIV card to control Copy, Print, Fax, Scan to Folder, Scan to Email, SNMP, or FTP. Configurable authentication methods include Basic X.509 certificate on the card, PIN validation, expiration, OCSP, root certificate, LDAP, and Kerberos.
Hardware Installation The kit contents include:
• CACStar™ I/O cover panel
• Cable for connection to power USB
• Cable for Ethernet connection from CACStar to MFD
• Card reader with USB cable
• Shelf for reader (with 2 mounting screws/lock washers)
• Adhesive-backed cable tie
• This User Guide
Note: Make sure power is off before starting this installation. Step 1: Mount shelf to right side of scanner with 2 supplied screws.
Step 3: Secure cable to rear right side of scanner with supplied cable tie. Step 4: Connect reader to USB port on CACStar electronics. Step 5: Connect the CACStar power cable from the microUSB port on CACStar to a USB connector on the upper back of the printer.
Step 6: Connect the CACStar Ethernet LAN port to your network on a port designated for this MFD. Step 7: Remove the existing I/O cover from the lower right rear of the machine. Step 8: Connect the CACStar Ethernet MFD port to the C7765dn Ethernet port.
Step 9: Install CACStar I/O cover panel in place of the existing cover. Step 10: CACStar hardware installation is now completed. The administrator can now turn on the MFD and proceed to “Converting a Dell C7765dn to a CACStar Enabled Machine”.
Converting a Dell C7765dn to a CACStar Enabled Machine This section will cover the step-by-step instructions to convert the MFD from a “factory default” configuration to a CACStar ready configuration. The CACStar option requires Dell C7765dn Controller ROM Ver. 2.205.100 or later. Important Note: Download the C7765 CACStar Setup files from www.dell.com/support before proceeding to step 1. To prepare for this process, please set up a dedicated PC with a direct Ethernet connection to the CACStar LAN port.
l. Select IPv4-Gateway Address and then press the [Change Settings] button. m. Set the Gateway address to 172.19.10.1 and press the [Save] button. n. Press the [Close] button twice. o. When prompted, press the [Reboot Now] button. 2. Open your Web browser, enter http://10.5.9.11 in the Address or Location field, and press the [Enter] key. Note: If a certificate error screen appears, choose to ignore the error and continue. 3.
7. Enable SSL/TLS: a. Navigate to Properties tab->Security->SSL / TLS Settings b. Check the “Enabled” box for “HTTP - SSL / TLS Communication”. c. Set [HTTP - SSL / TLS Communication Port Number] as necessary. d. Click [Apply]. e. When the right frame of the web browser changes to the Machine Reboot display, click [Reboot Machine]. 8. Make sure you completely close the browser and then log into the web page using HTTPS. 9. Install the CACStar authentication plug-in software: a.
e. On the next screen, select [Install] and click [Next]. f. Click [Next] again when it becomes available. g. Click [Install]. Installation of CACStar services will commence. This process can take up to two minutes. h. When the installation is completed, click [Next]. i. Click [Finish] to exit the installer. 11. DHCP configuration on MFD a. Open your Web browser, enter http://10.5.9.11 in the Address or Location field, and press the [Enter] key.
f. Click the [Install] button. A confirmation screen will be shown. Click [OK]. The clone file will be installed and the printer will automatically restart. g. Wait for the printer to finish restarting. 13. Go to the MFD and log in as administrator: a. At the printer operator panel, press the [Log In / Out] button. The display should show a button to log in to the MFD as the administrator. Note: it might be necessary to press the [Log In / Out] button more than once. b.
15. Configure the “Home Screen” buttons: When the CACStar services were installed in the steps above, the services were automatically assigned button positions on the Home Screen. The actual button assignments are made by the MFD, and are not necessarily the positions that a customer would prefer. Since customer preferences are unknown in advance, this step adjusts the button positions for the CACStar services. The procedure described here can be used to change any of the Home screen buttons. a.
f. The next screen shows the list of possible assignments for the selected button position. Press the [Up Arrow] soft key until you get to the top of the list. Choose the first entry “(Not Assigned)”. g. Select this entry and press the [Save] button. h. Press [Save] again to save change to the home screen buttons. i. Press [Close] to leave the screen/button settings screen.
j. Press [Close] at the tools menu to leave the configuration screen. k. The same assignment cannot be used more than once, with the exception of “(Not Assigned)”. To move an assignment from one button position to another, you must first go to the original button position for the service you wish to move and change its assignment to (Not Assigned). Then you can change the assignment of the desired button to the desired service.
18. Wait for the printer to go through the initialization process, which will take about 75 seconds. You will then see the following screen, which indicates this process has completed satisfactorily.
Configuring CACStar™ Security Establishing the Connection There are two choices for TCP/IP configuration: • DHCP: The IP address parameters are acquired automatically from the DHCP server when the printer is turned on. Depending on the configuration of your DHCP server, it may be possible for the printer’s IP address to change. • Manual: You can choose a fixed IP address, subnet mask, and gateway address to ensure that the printer will always be at a known IP address.
Upon tapping the link, you will see a limited configuration screen where some of the CACStar parameters can be set: • To use DHCP to acquire the IP address, make sure that the “Use DHCP” checkbox is checked, then press the [Update] button. • To set a manual (static) IP address, clear the “Use DHCP” checkbox, and enter the appropriate values for “IP Address”, “Subnet Mask”, and “Gateway” settings, then press [Update]. Note: Your network administrator should supply the appropriate values.
Accessing the MFD/Printer Web Site If you wish to access the MFD/printer web site, go to the IP address assigned above. For example: http://192.168.1.23 or https://192.168.1.23. Admin Login Log in to CACStar as the Administrator by pointing your browser to the CACStar using a secure connection on port 8443 at the IP address you assigned in the steps above. For example: https://192.168.1.23:8443 or https://10.5.9.11:8443. You are likely to get an Invalid Certificate Warning from the browser.
Connectivity LAN Address Configuration Step 1 – MFD LAN IP Address This is the same IP address that can also be configured from the operator panel as described in “Establishing the Connection” on Page 6. It does not need to be configured here if it was done using the operator panel. It is used for host computer connection to the MFD/printer, and is also used for connection to these CACStar configuration web pages using the IP address followed by “:8443”. For example: https://192.168.1.23:8443.
Step 2 – NTP Server: Set this to the Network Time Protocol Server IP address or Server Name. This will allow the CACStar to validate certificates by date. If DHCP is in use, you may check the “NTP From DHCP” box to force retrieval of the NTP Server address from the DHCP server in which case the address field is not used and may be left blank. Step 3 – Configure Gateway and DNS Server Note: A DNS Server is required for OCSP support. It is not necessary to configure a DNS server if you are not using OCSP.
Local Side Configuration These settings define the IP addresses used for Local communication between CACStar and the MFD/printer. The defaults are likely to be acceptable. Normally there is no need to enter any IP addresses on this configuration page.
Security MFD Function Enabling Check the boxes for Functions that require a validated CAC Card for use. If a box is unchecked, the Function will always be allowed. For example: If you want the MFD Scan-to-Folder Function to only be available when a validated CAC Card is inserted, check the CAC Enable Scan-To-Folder box. If you want the MFD Scan-to-Folder Function to be available all the time whether a CAC card is inserted or not, uncheck the CAC Enable Scan-To-Folder box.
CAC Print Server Set this to the IP address of the Secure Print server. Server Print Only If enabled, print jobs will only be allowed from the configured CAC Print Server. If not, jobs will be allowed from any IP address. For this to operate, “CAC Enable Printing” must be selected in the “Security/MFD Function Enabling” menu. Email Setup If you have elected to control MFD generated email with your CAC cards, you will need to configure the item shown in the screen below.
SMTP Port Number Set the TCP port number for SMTP communications. User Email Address From Select the source location for the “From” email address. Emailed scans can be from either the user’s own email address on his CAC card, or from the user’s email address on the LDAP server. Force Email to Self Choose whether you want to force all emailed scans to the user’s own email address. If not checked, he can send to any email address.
LDAP Secondary Certificate Attribute Specify the secondary LDAP attribute name which should be used if the primary attribute fails. Authentication Method Basic This includes PIN validation, card expiration check, and X.509 card certificate validation.
If an NTP server is not configured on the LAN Side Configuration page, the expiration check is bypassed. The Basic level of authentication is always included and cannot be removed from the configuration. In some installations, this is sufficient authentication and is the only one activated. OCSP Check this box to enable OCSP (Online Certificate Status Protocol) verification of CAC Cards. If enabled the OCSP server will be used to validate the current status of the CAC card PKI certificate.
LDAP Query Password: Password for the LDAP service account login. LDAP Search Base: Defines the location in the directory where a search will start. Example: OU=Users, DC=Itek, DC=com LDAP Search String: The Search String is used by the LDAP server to find users. In conjunction with User ID options below, this field helps create the query to the LDAP server to find users by name. Any data can go in this field, but there are certain keys that will be expanded to create the query.
KDC Server: IP address or name of the Kerberos server. KDC Server Port: Port number of the Kerberos server. The default is 88. KDC Realm: Kerberos Realm. KDC Principal: User Name. This can be either the CN, the EDI-PI, or the SAN Principal. PKINIT Win2K This setting affects the “Public Key Cryptography for Initial Authentication” in Kerberos. Check this box if you are using a Windows 2000 KDC Server and/or need to use the older Kerberos PKINIT command/reply set.
Default SMB Server Address The IP address or server name for the default SMB server. This address will be used if the SMB server address cannot be obtained from the printer. Default SMB Service Name The Service Name for the default SMB server, e.g. myshare$. This name will be used as the principal for Kerberos authentication if the Service Name cannot be obtained from the printer. Default SMB User Name The User name for the default SMB server.
SMB Folder LDAP Attribute If a Folder Name is configured using %u, the LDAP Attribute defined here will be used to retrieve the path value for the %u field. Care should be taken when using “\” characters before or after the %u - based on whether the LDAP Attribute value includes “\” character(s) at the beginning or end. SSL CA Certificate Checking If enabled, the host SSL certificate will be verified against the CA certificate. Therefore, the applicable CA certificate must be loaded into the CACStar.
Upload Certificate Use this page to load Issuer and Root Certificate Authority Certificates into CACStar. PKCS7, X509, PEM and DER formats are supported. Use the Browse button to select the Certificate file on your PC; then click the Upload Certificate button. If your certificates are in a .txt file format, please send them to us, and we will convert them to a supported format. If desired, we can preload them into new units.
Administrator Change Password Use this feature to change the password for the administrator. When the Change Password button is clicked, the next internal web page access will require this new password. Administrator Access These settings allow the admin to provide additional security by limiting CACStar admin access to specified IP addresses.
a PC at any IP address if he knows the ID and password. If it is not checked, the admin must access the CACStar configuration pages from the IP addresses specified for Administrator #1 or #2. These addresses must be on the same subnet as the CACStar. Allow Telnet If this is enabled CACStar will allow a Telnet session to occur. The Telnet session will happen over Port 23. Telnet use with CACStar is intended for diagnostics by the developers.
is a text file that contains the CACStar configuration items. For more details about how to update the firmware, please see the separate document “Firmware Update Procedure”. Create and Export Current Configuration Create Config File will create a configuration file containing all current settings except LAN IP Address, LAN Mask, and LAN Gateway. Thus, the Config file can be used to configure other CACStars. The passwords are encrypted so they may not be edited.
For help obtaining the correct firmware or documentation, contact the Dell ProSupport Help Desk by calling 1-866-516-3115, or by sending email to Imaging_Solutions_Support_CAC@dell.com This page is used to obtain Log Files and Capture Files to help diagnose network and configuration concerns. Use of these features is normally in conjunction with technical support from your vendor. Create SysLog File A log file can be created for use by CACStar Engineering to help resolve problems that may occur.
Setup Test Date Time This is used to set the system date and time in CACStar if necessary. The time zone should be set to your local time zone.
Hold Print Files Hold Print files will be stored encrypted in CACStar and can be printed with CAC authentication at the printer. Hold Print files expire after the set number of days. When the expiration date is reached, the file will be deleted without being printed. Remaining storage and total storage are displayed so the user will know if held print files are reaching the maximum storage capacity. When storage is nearly full, a warning message will be displayed on the CAC reader LCD - MEMORY NEAR FULL.
These keywords are:
• %F - the user’s first name
• %f - the first character of the user’s first name
• %M - the user’s middle name
• %m - the first character of the user’s middle name
• %L - the user’s last name
• %l - the first character of the user’s last name
• %e - the user’s EDI-PI
• %I - the user’s PIC-Identification
• %S - the user’s SAM Account Name (from LDAP)
A number may be used between the ‘%’ and the keyword to specify a maximum number of characters.
Status The Status pages offer three views of information about the current operations of CACStar. Number of successful card validations, number of unsuccessful card validations, network operations, date/time, and firmware version are all displayed.
Network Page 41
Other Page 42
Controlling Access to Fax and Copy The MFD has configuration settings to indicate whether authentication is required to access fax and copy. The CACStar user interface reads this configuration to determine whether to make fax and copy functions available from the login screen. To configure access: Step 1 Log in to the MFD as administrator via the operator panel. Step 2 Press the Home key. Step 3 Press the [Tools] button. Step 4 Navigate to Authentication/Security Settings->Authentication->Access Control...
Step 5 Press the [Service Access] button. Step 6 Choose Fax or Copy and press the [Change Settings] button. Step 7 Choose [Unlocked] for no authentication required; or [Locked(Show Icon)] to require authentication. Step 8 Press the [Save] button. Step 9 Press [Close] two times. Step 10 Press the [Reboot Now] button when prompted.
Appendix A Setup Information Checklist
• Should the MFD use DHCP to acquire an IP Address (Yes or No)? If No, specify the following for the MFD: IP Address, Subnet Mask, Gateway
• What is the IP address for an available NTP (Network Time Protocol) Server (or N/A if none available)?
• What are the IP Addresses for the primary and secondary DNS (Domain Name System) Servers?
Functions
• Do you wish to use CAC/PIV control for the Scan-to-Email function (Yes or No)? Is Kerberos Authentication required for
• Do you wish to force all emails to go to the CAC/PIV Card’s email address (Yes or No)? If No, selection can be made from the Front Panel by typing in the address, or using the Network Address Book (LDAP) feature.