HP Access Control Smartcard Solution for U.S. Government
Copyright information 2009 Copyright Hewlett-Packard Development Company, L.P. Reproduction, adaptation or translation without prior written permission is prohibited, except as allowed under the copyright laws. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.
Table of contents

1 Installation
  Upgrade the device firmware
    Supported devices
    Enable remote firmware upgrades
    Upgrade the Smartcard and MFP/digital sender firmware
Appendix A Licenses
  OpenSSL
Appendix B Warranty Service
  Hewlett-Packard Limited Warranty Statement
  Customer self repair warranty service
1 Installation Use this section to upgrade the HP Access Control Smartcard Solution firmware (if required) and then install the Smartcard reader.
Upgrade the device firmware This section provides instructions for upgrading the firmware on the MFP/digital sender to allow it to work with the HP Access Control Smartcard Solution for U.S. Government. You must have the correct MFP/digital sender Internet Protocol (IP) address to install the firmware. Obtain the IP address of the MFP/digital sender by printing a configuration page or using the control panel. See the MFP/digital sender user guide for instructions.
NOTE: The instructions are for an HP LaserJet M3035. Your MFP/digital sender might access this option differently. For complete instructions about accessing the Remote Firmware Upgrade option, see the MFP/digital sender user guide. 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender.
3. First, download the authentication agent file: a. Go to the Software section and click Download. b. When the File Download — Security Warning is displayed, click Run and run the usgovt_auth_agent_v2.xx.exe file. c. When the Self-Extractor window is displayed, click Browse to select a temporary folder to unzip the file, or use the default (C:\Temp\AuthAgent), and click Unzip. The file named usgovt_auth_agent_v2.xx.pjl is extracted to the selected folder. 4.
8. Press Enter. Text is displayed in the command window to indicate that the FTP copy job is processing. When the file is copied, the control panel displays Performing Upgrade and then the MFP/digital sender restarts. 9. After the file is copied to the MFP/digital sender, type bye and press Enter. The session ends. If the firmware on the MFP/digital sender is current and only the .pjl file is installed, the MFP/digital sender must be restarted before U.S. Gov't Smartcard v2.
Install the hardware 1. Plug the Smartcard reader into the external universal serial bus (USB) port on a supported MFP/digital sender. NOTE: If a label covers the USB port on the MFP/digital sender, remove the label before plugging in the Smartcard reader. 2. Attach the Smartcard reader to an appropriate location on the MFP/digital sender. Ensure that the USB cable from the Smartcard reader does not interfere with any other functions of the MFP/digital sender. 3. Restart the MFP/digital sender. 4.
2 Configuring the MFP/digital sender After the HP Access Control Smartcard Solution firmware and hardware are installed, the MFP/digital sender is ready to configure.
Configure the IPv4 settings 1. Open a supported Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/ digital sender. 2. Click the Settings tab. 3. On the left menu bar, click Configure Device. The Configure Device page is displayed.
4. From the menu on the main page, navigate to the IPV4 settings. Click Initial Setup, click Networking and I/O, click Embedded Jetdirect, click TCP/IP, and then click IPV4 Settings. Figure 2-2 Access the IPV4 settings 5. Scroll down to the IPV4 SETTINGS section. Figure 2-3 IPV4 options 6. Type the IP address of the Kerberos server in the Primary DNS text box. 7. Click Apply.
Configure the MFP/digital sender for Kerberos authentication For additional information on configuring Kerberos authentication refer to the Configuring Embedded Kerberos Authentication guide. It comes bundled on the product CD and is also available for download from HP at: h20000.www2.hp.com/bc/docs/support/SupportManual/c00646187/c00646187.pdf TIP: When installing this solution for the first time in a new environment, it is recommended that you configure and test the Kerberos settings first.
4. Select the domain name and click Edit, or click Add to enter a new domain name. The Kerberos Authentication detail panel is displayed. Figure 2-5 Kerberos Authentication page (part 2) Enter the Kerberos authentication information On the Kerberos Authentication detail page, complete the Accessing the Kerberos Authentication Server section using the following steps: 1. Enter the Kerberos Realm (Domain). NOTE: You must enter the Kerberos Realm using all uppercase letters. 2.
Kerberos settings test If the settings for the Kerberos Realm (Domain) and Kerberos Server Hostname are correct, you can partially authenticate on the MFP/digital sender. To see if you have configured your Kerberos settings correctly, use the following steps: 1. Using the HP Embedded Web Server, click the Settings tab and then select Authentication Manager from the left menu bar. 2. Select Kerberos from the Sign In At Walk Up drop-down list and click Apply.
3. Verify that a valid SMTP gateway is specified on the E-mail Settings page by selecting the Digital Sending tab and clicking E-mail Settings from the left menu bar. Figure 2-6 E-mail Settings 4. Access the menu on the MFP/digital sender control panel and touch E-mail. ● If you authenticate with no error message and the correct name displays in the From field on the E-mail Settings screen, then the LDAP settings are configured correctly.
4. Scroll down to the Using PKINIT Authentication (Smart Card Authentication Only) section and click PKINIT Settings. The following screen is displayed: Figure 2-7 Kerberos Authentication page (PKINIT Settings) 5. From the Kerberos Server Root Certificate Authority (CA) Certificate section, click Edit. 6. On the Certificates page, click Browse and locate the certificate file. 7. Once the file is located, click Import.
If there is a certificate problem, the error message on the MFP/digital sender often contains the subject of the required certificate. The subject normally has a CN= value in it. The portion after CN= is the value that Internet Explorer shows in the Issued To column of the Certificates dialog box. Once the following steps are completed, you are ready to test PKINIT Smartcard authentication. Verify the following before you begin: ● The HP Smartcard reader is attached to the MFP/digital sender.
The MFP/digital sender supports two methods for validating the KDC’s certificate: ● OCSP (Online Certificate Status Protocol) One or more OCSP responders can be used for validation. OCSP responders are contacted in the order entered. As soon as a good or bad response is received from a responder, no more responders are contacted.
cannot be obtained solely from the CDP information provided in the server's certificate, then the MFP/digital sender attempts to use the following fields to help locate a CRL: ● CDP Distinguished Name (DN) — standard DN format ● LDAP Server — IP address or hostname ● Port — LDAP server port NOTE: Anonymous is the only LDAP Server Bind Method that is currently supported.
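As an added illustration that is not part of the HP firmware or of this guide's original text, the following Python example models the validation order described above: the configured OCSP responders are tried in sequence and the walk stops at the first good or revoked answer; only when no responder gives a definitive answer is a CRL fetched from the certificate's CDP entries, and an LDAP CDP that carries no host (the usual Active Directory ldap:/// form) is completed from the configured LDAP Server and Port values. The responder URLs, the KDC certificate's subject, serial number and CDP entries, and the fake_ocsp and fake_crl stand-ins for network lookups are all constructed for the example.

```python
# Added example: revocation-check order for a KDC certificate (OCSP responders
# first, in configured order; CRL via CDP second). Not HP firmware code; all
# URLs, names and serial numbers below are constructed for illustration.
from urllib.parse import urlsplit

DEFINITIVE = ("good", "revoked")


def check_ocsp(responders, query):
    """Ask each responder in turn. A 'good' or 'revoked' answer is definitive and
    ends the walk; 'unknown', or a transport error, moves on to the next one.
    query(url) returns 'good', 'revoked' or 'unknown', or raises OSError."""
    for url in responders:
        try:
            status = query(url)
        except OSError:
            continue  # responder unreachable: try the next configured one
        if status in DEFINITIVE:
            return status, url
    return "unknown", None


def resolve_cdp(cdp_entries, ldap_server=None, ldap_port=389):
    """Turn a certificate's CDP entries into fetchable CRL locations.
    http(s) URLs pass through unchanged; an ldap URL with no host is completed
    with the configured LDAP server and port; a bare distinguished name is
    wrapped in an LDAP URL asking for the certificateRevocationList attribute.
    Entries that cannot be completed are dropped."""
    plan = []
    for entry in cdp_entries:
        parts = urlsplit(entry)
        if parts.scheme in ("http", "https"):
            plan.append(entry)
        elif parts.scheme == "ldap":
            host = parts.netloc or (f"{ldap_server}:{ldap_port}" if ldap_server else "")
            if host:
                query = f"?{parts.query}" if parts.query else ""
                plan.append(f"ldap://{host}{parts.path}{query}")
        elif parts.scheme == "" and "=" in entry and ldap_server:
            plan.append(f"ldap://{ldap_server}:{ldap_port}/{entry}"
                        "?certificateRevocationList?base")
    return plan


def kdc_revocation_status(cert, responders, ocsp_query, crl_lookup,
                          ldap_server=None, ldap_port=389):
    """Combined decision: OCSP first, CRL second. crl_lookup(location) returns
    the set of revoked serial numbers in that CRL, or None if it could not be
    obtained (the 'Unable to obtain CRL from Distribution Point' case)."""
    status, _ = check_ocsp(responders, ocsp_query)
    if status in DEFINITIVE:
        return status
    for location in resolve_cdp(cert["cdp"], ldap_server, ldap_port):
        revoked = crl_lookup(location)
        if revoked is None:
            continue
        return "revoked" if cert["serial"] in revoked else "good"
    return "unknown"


# Constructed sample data for the example.
KDC_CERT = {
    "subject": "CN=kdc01.example.gov",
    "serial": 0x1A2B,
    "cdp": [
        "ldap:///CN=Example CA,CN=ca01,CN=CDP,DC=example,DC=gov"
        "?certificateRevocationList?base",
        "http://crl.example.gov/ExampleCA.crl",
    ],
}
RESPONDERS = ["http://ocsp1.example.gov", "http://ocsp2.example.gov"]


def fake_ocsp(answers):
    """Build an OCSP query function from a url -> answer table; 'down' raises."""
    def query(url):
        if answers.get(url) == "down":
            raise OSError("connection refused")
        return answers.get(url, "unknown")
    return query


def fake_crl(tables):
    """Build a CRL lookup from a location -> set-of-revoked-serials table."""
    return lambda location: tables.get(location)


if __name__ == "__main__":
    ocsp = fake_ocsp({RESPONDERS[0]: "down", RESPONDERS[1]: "unknown"})
    plan = resolve_cdp(KDC_CERT["cdp"], "dc01.example.gov")
    crl = fake_crl({plan[0]: {0x1A2B}})
    print(plan)
    print(kdc_revocation_status(KDC_CERT, RESPONDERS, ocsp, crl, "dc01.example.gov"))
```

Running the script as written prints the resolved CRL locations and the decision for a case in which the first responder is unreachable and the second answers unknown; the stand-in lookups can be replaced with real OCSP and LDAP/HTTP clients to apply the same decision logic against a live PKI.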
KDC Certificate Validation Test 1. Using the HP Embedded Web Server, click on the Settings tab and then select Authentication Manager from the left menu bar. 2. Verify that U.S. Gov't Smartcard v2.xx is selected from the Sign In At Walk Up drop-down list and click Apply. 3. Insert your Smartcard into the reader, enter the appropriate PIN on the control panel, and touch OK. ● If you authenticate successfully, then the correct certificates are properly installed.
Configure authentication using the Smartcard accessory 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender. 2. Click the Settings tab. 3. On the left menu bar, click Authentication Manager. The Authentication Manager page is displayed. Figure 2-8 Authentication Manager page 4. Review each of the MFP/digital sender functions on this page. Select U.S.
Configure access to the network destination folders Configure the access options for each folder to Use Public Credentials, and then configure the public credentials with those of a known authorized user (such as an administrator account). 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender. 2. Click the Digital Sending tab. On the left menu bar, click Send to Folder.
5. Click Edit. The Edit Shared Folder page is displayed. Figure 2-10 Edit Folder Access settings 6. In the Access Credentials drop-down list, select Use Device User's Credentials or Use Public Credentials. If Use Device User's Credentials is selected, then the MFP/digital sender uses the credentials of the current user to access the shared folder. If Use Public Credentials is selected, then the credentials that were specified during the configuration are used. 7.
Configure LDAP access for address books When a user enters the send to E-mail screen, next to each recipient field (“To”, “Cc”, “Bcc”) is an address book icon. As the user types a recipient on the keyboard screen, the recipient name can be autocompleted. This auto-complete feature is enabled by specifying the LDAP addressing settings in the HP Embedded Web Server. 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter.
NOTE: You should be able to use the same values used to configure LDAP access on the Kerberos page to configure the LDAP address settings. 6. Click Apply. The search root might need to be refined to return only LDAP records, which represent users in your organization. If entries are returned which do not contain an E-mail address or a display name, the MFP/digital sender considers the results invalid.
c. In the CA Certificate section, click Configure. The Certificate Options page is displayed. Figure 2-13 Network Authorization - Certificate Options d. Make sure the Install CA Certificate option is selected and then click Next. The Install CA Certificate page is displayed. Figure 2-14 Network Authorization - Install CA Certificate e. Click Browse and search for the root CA certificate. Click Finish to install the specified certificate. 2. Change the bind type to Simple over SSL or Kerberos over SSL.
Configure Send to E-mail E-mail messages are digitally signed by default when Smartcard authentication is used. However, this can be changed on the advanced E-mail settings screen. 1. Open a Web browser, type the IP address of the MFP/digital sender into the address bar, and then press Enter. The browser opens the HP Embedded Web Server page for the MFP/digital sender. 2. Click the Digital Sending tab. On the left menu bar, click E-mail Settings. The Addressing Settings page is displayed.
4. Click the Advanced button. The Advanced E-mail Settings panel is displayed: Figure 2-16 Advanced E-mail settings 5. 6. If E-mail signing is preferred for outgoing operations: a. In the S/MIME Settings (Signed/Encrypted E-mail) section, select Sign Message in the Digital Signature section. b. If signing is preferred but not required, select the Allow users to send unsigned messages check box. (If signing is required, leave this check box cleared.) c.
digital sender by clicking Edit in the Signed E-mail Certificate Chains section on the Kerberos Authentication page. If you use Microsoft Outlook® and already have signed E-mail configured for your personal account, here is one way to gather certificates in your E-mail signature chain: 1. Send a signed E-mail to yourself. 2. Click on the certificate icon. 3. Click Details. 4. Click on the signer, and then click View Details. 5. Click View Certificate. 6. Click on the Certification Path tab. 7.
3 Normal use of the HP Access Control Smartcard Solution After the firmware and hardware are installed and the MFP/digital sender is configured for HP Access Control Smartcard Solution authentication, the MFP/digital sender restricts access according to the specified options. When a user attempts to use a Smartcard-restricted function, the following actions occur: 1. The MFP/digital sender prompts for a valid card to be placed in the Smartcard reader.
4 Troubleshooting NOTE: For the most current troubleshooting information regarding this product, go to: www.hp.com/support/usdodsmartcard. NOTE: For additional information on configuring Kerberos authentication refer to the Configuring Embedded Kerberos Authentication guide. It comes bundled on the product CD and is available for download from HP at h20000.www2.hp.com/bc/docs/support/SupportManual/c00646187/c00646187.pdf
General troubleshooting

49.4c18 error displays when restarting device
Cause: An unsupported firmware version is installed on the device. The authentication upgrade was installed on the device without the correct firmware.
Solution: To enable the device to boot to Ready after this message has appeared:
CAUTION: The following procedure is for resolving the 49.4c18 error only and is not recommended for any other operation of the device.
1. Turn the device off and back on.
2.
Error: “No card detected” when using a valid Smartcard
Cause: If the Smartcard is valid, then the mechanical switch on the card reader may have failed.
Solution: Replace the card reader.

Error: “Please insert a valid card” when using a valid Smartcard
Cause: If the Smartcard is valid, then the card contacts on the reader may have failed.
Solution: Replace the card reader.

The configured device no longer recognizes the Smartcard.
Kerberos troubleshooting

Error message: “Authentication Failed: Kerberos server not available. Please contact the administrator.”
Cause: The Kerberos server hostname was not entered correctly or is not a valid hostname.
Solution: To determine if the hostname is valid, open a Windows command shell and type: ping <hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname.
Cause: The DNS settings on the device are not correct.
Error message: “Authentication Failed: Device time not synchronized with server. Set correct time, then turn device off and back on.”
Cause: The device clock is offset more than five minutes from the Kerberos server. The Kerberos protocol requires that the clock of the device performing authentication be closely synchronized with the Kerberos server, in order to prevent replay attacks.
Solution: On the device control panel press Administration, then press Time/Scheduling, then press Date/Time.
Error message: “Authentication Failed: Error code XXXXX”
Cause: Unknown.
Solution: Contact HP support.
LDAP server troubleshooting

Error message: “LDAP bind at server ‘X’ failure: Server down”
Cause: The LDAP server hostname was not entered correctly or is not a valid hostname.
Solution: To determine if the hostname is valid, open a Windows command shell and type: ping <hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname.
Cause: The DNS settings on the device are not correct.
Error message: “LDAP bind at server ‘X’ failure: SSL bind required”
Cause: The LDAP server requires that the connection be made using Secure Sockets Layer (SSL).
Solution: See Configuring LDAP over SSL.

Error message: “LDAP failure retrieving display name. Result code: Fail”
Cause: The search root is incorrect.
Solution: Typically, if your domain is TECHNICAL.MARKETING.COM, then your search root would be DC=TECHNICAL,DC=MARKETING,DC=COM. If your users are held in a container, the search root must include it as well, for example CN=Users,DC=TECHNICAL,DC=MARKETING,DC=COM.
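The following Python example, added here and not taken from HP's software, carries the search-root rule above into code and also applies the address-book rule from the Configure LDAP access for address books section, namely that returned entries without an E-mail address or a display name are treated as invalid: it derives the default search root from a DNS domain, optionally under a container such as CN=Users, separates directory results into usable and unusable entries, and proposes a narrower search root that still covers every usable entry. The attribute names mail and displayName, the DNs and the sample entries are assumptions constructed for the example.

```python
# Added example: LDAP search-root construction and result checking for the
# address book. Not HP code; attribute names, DNs and entries are constructed.


def domain_to_search_root(domain, container=None):
    """Map a DNS domain to the default LDAP search root, e.g.
    'TECHNICAL.MARKETING.COM' -> 'DC=TECHNICAL,DC=MARKETING,DC=COM'.
    container (e.g. 'CN=Users') is prepended when given."""
    labels = [lbl for lbl in domain.strip().strip(".").split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    base = ",".join(f"DC={lbl}" for lbl in labels)
    return f"{container},{base}" if container else base


def split_entries(entries, mail_attr="mail", name_attr="displayName"):
    """Separate directory results into those the device can use (both an
    e-mail address and a display name present) and those it treats as
    invalid. The default attribute names are the Active Directory ones and
    are an assumption of this example."""
    valid, invalid = [], []
    for entry in entries:
        usable = entry.get(mail_attr) and entry.get(name_attr)
        (valid if usable else invalid).append(entry)
    return valid, invalid


def narrowest_common_root(dns):
    """Deepest DN suffix shared by all given DNs, never including a leaf RDN.
    Assumes no escaped commas in the DNs (true of the constructed data)."""
    rdn_lists = [dn.split(",") for dn in dns if dn]
    if not rdn_lists:
        return ""
    common = []
    for rdns in zip(*(reversed(r) for r in rdn_lists)):
        if len(set(rdns)) != 1:
            break
        common.append(rdns[0])
    if common and len(common) == min(len(r) for r in rdn_lists):
        common.pop()  # the suffix is a whole entry: step up one level
    return ",".join(reversed(common))


def suggest_search_root(entries, current_root):
    """If the results contain unusable entries, propose the narrowest root
    that still covers every usable entry and excludes at least one unusable
    entry; otherwise keep current_root."""
    valid, invalid = split_entries(entries)
    if not invalid or not valid:
        return current_root
    candidate = narrowest_common_root([e["dn"] for e in valid])
    if not candidate or candidate == current_root:
        return current_root
    excluded = [e for e in invalid if not e["dn"].endswith("," + candidate)]
    return candidate if excluded else current_root


# Constructed directory results, as an LDAP search from a too-wide root
# might return them.
ENTRIES = [
    {"dn": "CN=Alice Adams,CN=Users,DC=technical,DC=marketing,DC=com",
     "mail": "alice.adams@technical.marketing.com", "displayName": "Alice Adams"},
    {"dn": "CN=Bob Brown,CN=Users,DC=technical,DC=marketing,DC=com",
     "mail": "bob.brown@technical.marketing.com", "displayName": "Bob Brown"},
    {"dn": "CN=MFP-LOBBY,OU=Printers,DC=technical,DC=marketing,DC=com",
     "displayName": "Lobby MFP"},                      # no mail attribute
    {"dn": "CN=svc-scan,OU=Service Accounts,DC=technical,DC=marketing,DC=com",
     "mail": "svc-scan@technical.marketing.com"},      # no display name
]

if __name__ == "__main__":
    root = domain_to_search_root("technical.marketing.com")
    valid, invalid = split_entries(ENTRIES)
    print(f"root {root}: {len(valid)} usable, {len(invalid)} invalid")
    print("suggested search root:", suggest_search_root(ENTRIES, root))
```

Run as written, the script reports two usable and two invalid entries under the domain root and suggests CN=Users,DC=technical,DC=marketing,DC=com as the refined search root, which is the adjustment the troubleshooting entry asks for when the display name or E-mail address cannot be retrieved.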
PKINIT troubleshooting

Error message: “HP smart card reader not detected. Please connect the HP reader #nnnnn to the device, and turn the device off and back on.”
Cause: The reader detection algorithm may have failed.
Solution: Reboot the device and try again.
Cause: The connection may be loose.
Solution: If the device reboots and the same problem persists, power the device off and check that the reader is connected firmly. After ensuring the connection is secure, power the device back on.
Cause: The reader may be faulty.
Error: “Authentication Failed: Authentication Method Not Found. Please contact the administrator”
Cause: Smartcard authentication was previously installed on the device, but the device configuration has been changed because the hard disk was re-initialized.
Solution: The entire HP Access Control Smartcard Solution installation and configuration must be completed again.
OCSP/CRL troubleshooting

Error message: “Authentication Failed: KDC certificate with subject ‘X’ has been revoked.”
Cause: The OCSP responder returned a revoked status for the KDC certificate with subject ‘X’.
Solution: Contact your PKI administrator.

Error message: “Authentication Failed: KDC certificate status with subject ‘X’ is unknown.”
Cause: The OCSP responder returned an unknown status for the KDC certificate with subject ‘X’.
Solution: Contact your PKI administrator.
Error message: “Authentication Failed: OCSP request failed: Failed to find issuer with subject ‘X’ for certificate with subject ‘Y’. Please contact the administrator.”
Cause: A certificate in the issuing chain of the KDC certificate is not installed on the device. In order for the KDC certificate to be trusted, if the KDC certificate is not self-signed, then all certificates in the KDC certificate chain must be validated. One of the certificates in this chain is not installed on the device.
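The chain rule in this entry, and the Signed E-mail Certificate Chains step in the Configure Send to E-mail section (where each certificate in the Certification Path has to be installed on the device), can be checked in code. The following Python example is added here and is not HP's implementation: it walks from a leaf certificate to a self-signed root by matching each issuer name to the subject of an installed certificate, raises the same "Failed to find issuer" message when a link is missing, and lists which certificates of a chain still need importing. It compares names only and verifies no signatures; the Example Root CA, Example Issuing CA 1 and kdc01.example.gov certificates are constructed.

```python
# Added example: chain completeness check over installed certificates, matching
# each certificate's issuer name to an installed certificate's subject name.
# Not HP code; no signatures are verified and the certificates are constructed.


class MissingIssuer(Exception):
    """Raised when the issuer of a certificate in the chain is not installed;
    the message mirrors the device error text."""

    def __init__(self, issuer, subject):
        super().__init__(f"Failed to find issuer with subject '{issuer}' "
                         f"for certificate with subject '{subject}'")
        self.issuer = issuer
        self.subject = subject


def build_chain(leaf, installed):
    """Return [leaf, intermediate..., root] by following issuer -> subject
    through the installed certificates (dicts with 'subject' and 'issuer').
    A self-signed certificate (issuer == subject) ends the chain."""
    by_subject = {c["subject"]: c for c in installed}
    chain, seen = [leaf], {leaf["subject"]}
    current = leaf
    while current["issuer"] != current["subject"]:
        issuer = by_subject.get(current["issuer"])
        if issuer is None:
            raise MissingIssuer(current["issuer"], current["subject"])
        if issuer["subject"] in seen:
            raise ValueError(f"issuer loop at '{issuer['subject']}'")
        chain.append(issuer)
        seen.add(issuer["subject"])
        current = issuer
    return chain


def missing_issuer_message(leaf, installed):
    """The device-style error text for an incomplete chain, or None if the
    chain closes at a self-signed root."""
    try:
        build_chain(leaf, installed)
        return None
    except MissingIssuer as err:
        return str(err)


def certificates_to_import(chain, installed):
    """Subjects from a chain (for example the Certification Path of a signed
    message) that are not yet installed on the device."""
    have = {c["subject"] for c in installed}
    return [c["subject"] for c in chain if c["subject"] not in have]


# Constructed sample certificates: a two-level CA and a KDC leaf.
ROOT = {"subject": "CN=Example Root CA,DC=example,DC=gov",
        "issuer": "CN=Example Root CA,DC=example,DC=gov"}
ISSUING = {"subject": "CN=Example Issuing CA 1,DC=example,DC=gov",
           "issuer": ROOT["subject"]}
KDC = {"subject": "CN=kdc01.example.gov", "issuer": ISSUING["subject"]}


def check_kdc_trust(installed):
    """('ok', chain) or ('missing', issuer_subject) for the sample KDC
    certificate against the given installed certificates."""
    try:
        return "ok", build_chain(KDC, installed)
    except MissingIssuer as err:
        return "missing", err.issuer


if __name__ == "__main__":
    print(check_kdc_trust([ROOT, ISSUING])[0])           # ok
    print(missing_issuer_message(KDC, [ROOT]))           # issuing CA absent
    print(certificates_to_import([KDC, ISSUING, ROOT], [ROOT]))
```

The second line of output names the issuing CA as the certificate to import, which is exactly how the device error above is meant to be read: the subject ‘X’ in the message is the certificate that has to be added on the Certificates page.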
Error: “Authentication Failed: CRL X not found. Please contact the administrator.”
Cause: A CRL specified in the PKINIT configuration settings is not found. This may be because the file path was entered incorrectly, the device hard disk was reinitialized, or the CRL file has never been installed onto the device.
Solution: To view files on the device hard disk, on the control panel touch Administration, then touch Information, then touch Configuration / Status Pages, and then touch File Directory.
Error: “Unable to obtain CRL from Distribution Point”
Cause: A valid CDP extension was found on the server certificate, but the CRL could not be obtained. Possible causes are: an improperly formatted CDP entry, incomplete or inaccurate LDAP parameters in the CDP entry, problems communicating with the LDAP server, or the CRL is not present on the LDAP server in the location referenced by the CDP.
E-mail troubleshooting

Error: "E-mail Gateway rejected the job because of the addressing information. Job Failed"
Cause: The E-mail address attribute under "Searching the LDAP Database" on the Kerberos settings page is incorrect. The E-mail address attribute is used to set the authenticated user’s From address, and the E-mail gateway checks that the From address is a valid sender address.
A Licenses This solution from HP uses and contains open source code and libraries from Heimdal Kerberos 5 and the OpenSSL project. Following are acknowledgements, copyrights, and license information associated to these open source solutions.
Heimdal Kerberos 5 Heimdal is a free implementation of Kerberos 5.
Some of the functions in libroken also come from Berkeley by way of NetBSD/FreeBSD. editline was written by Simmule Turner and Rich Salz. Heimdal contains a modified copy. The getifaddrs implementation for Linux was written by Hideaki YOSHIFUJI for the Usagi project. Bugfixes, documentation, encouragement, and code has been contributed by: Derrick J Brashear shadow@dementia.org Ken Hornstein kenh@cmf.nrl.navy.mil Johan Ihrén johani@pdc.kth.se Love Hörnquist Åstrand lha@kth.se Magnus Ahltorp map@stacken.kth.
ruda@ics.muni.cz Brian A May bmay@snoopy.apana.org.au Chaskiel M Grundman cg2v@andrew.cmu.edu Richard Nyberg rnyberg@it.su.se Frank van der Linden fvdl@netbsd.org Cizzi Storm cizzi@it.su.se Petr Holub Holub.Petr@atlas.cz Mario Strasser mario.strasser@zhwin.ch David Love fx@gnu.org and we hope that those not mentioned here will forgive us. All bugs were introduced by ourselves.
OpenSSL Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
B Warranty Service Hewlett-Packard Limited Warranty Statement
HP Product: HP Access Control Smartcard Solution for U.S. Government
Duration of Limited Warranty: 1 Year
1. HP warrants to you, the original end-user customer, that HP hardware and accessories will be free from defects in materials and workmanship after the original date of purchase, for the period specified above.
7. HP’s limited warranty is valid in any country/region or locality where HP has a support presence for this product and where HP has marketed this product. The level of warranty service you receive may vary according to local standards. HP will not alter form, fit or function of the product to make it operate in a country/region for which it was never intended to function for legal or regulatory reasons. 8.