manualshive.com logo in svg

Canon Oce PlotWave 750, Administration Manual

The Canon Oce PlotWave 750 is a versatile large format printer that combines exceptional print quality with high-speed performance. To ensure optimal utilization and operation, it is essential to have the thorough guidance provided in the Administration Manual. Download this comprehensive manual for free from manualshive.com, empowering you to maximize the printer's capabilities.

Share
Download
background image

Audit log

Introduction

All changes related to security settings are logged in the Audit log. They can be downloaded
and/or cleared.

The operations stored in the Audit log

In Océ Express WebTools, open the Support - Audit log tab to download the Audit log that
contains information on any change made in settings.

Collected information

 on each setting is:

1. Username (if available)
2. Host (IP address and name) or printer user interface from where the modification was done
3. Type of event (create/modify/delete/start/stop/action)
4. Object concerned (setting/template name, service name, operation/action)
5. New value (if applicable, and not logged for password fields)
6. Timestamp in UTC (date&time in ISO-8601 format, yyyy-mm-ddThh:mm:ssZ)

User (Key operator, System administrator, Power user) and Service settings:

• IPv4/IPv6 network settings (IP address, Subnet mask, DNS, Gateway, DHCP, …)
• IPsec settings
• Network services (enable/disable/settings)
• Creation/modification/removal of external locations
• Changes of passwords used to protect security-related settings (Key operator, System

administrator, Power user, Service, User interface password/PIN for network settings, …)

• Timezone
• E-shredding settings
• Remote service online connection (enabled/disabled)
• 3rd-party software settings (remote desktop, admin account, firewall port)
• Smart Inbox (enable/disable)
• Allow Service Technician to reset passwords (on/off)
• Save retrieved job data for service (on/off)
• HTTPS settings (enable/disable, change of certificate)
• HTTP proxy settings (for Cloud and remote service)
• USB print (on/off)
• Scan to USB (on/off)
• Force entry of accounting data for scan/copy/print (on/off)
• Service documentation auto updates of code/content from internet (on/off)
• Startup/ shutdown of the audit functionality
• Tracking info: when someone logs on to view or to change non-security settings
• Changing date and time
• Use of restore and 'open set'

Each log-in operation by the System administrator, the Key operator, and the Power user is also
stored into the audit log.

Service settings only:

• Retrieval of job data by Service
• Resetting of passwords by Service
• Remote service (Allow remote login)
• Audit log export
• Accounting dialog upload (used to implement access control for scan/copy)
• Manual update of the Service Information content (from Internet)

Audit log

Chapter 3 - Security on Océ PlotWave 500 and PlotWave 340/360

113

Summary of Contents for Oce PlotWave 750

Page 1: ...Administration guide PlotWave ColorWave Systems Security information ...

Page 2: ...CT INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY NATURE OR LOSSES OR EXPENSES RESULTING FROM THE USE OF THE CONTENTS OF THIS PUBLICATION Océ reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation to notify any person of such revision or changes Language Original instructions that are in British English Trademarks Océ Océ ColorWave ...

Page 3: ...swords 34 Data Security 37 E Shredding 37 IPsec on Océ PlotWave 300 350 Océ PlotWave 900 1 2 and higher 1 x Océ ColorWave 300 40 Prevent USB Direct Print and Scan to USB Océ PlotWave 300 350 Océ ColorWave 300 56 HTTPS with Océ PlotWave 900 R1 x 58 Smart Inbox management 62 Security on Océ PlotWave 750 and Océ PlotWave 900 R2 x 63 Overview 63 Security overview for the Océ PlotWave 750 and the Océ P...

Page 4: ...ystems 132 HTTPS 134 Encrypt print data and manage the system configuration using HTTPS 134 Request and import a CA signed certificate 139 Prevent Print from USB and or Scan to USB 145 How to prevent Print from USB and or Scan to USB 145 Smart Inbox management and job management 146 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 147 Overview 148 Security overview for the Océ P...

Page 5: ... ColorWave 550 ColorWave 600 Poster Printer ColorWave 650 R2 x Poster Printer 236 Overview 236 Security overview for the Océ ColorWave 600 650 Poster Printer and the Océ ColorWave 550 systems 236 System and Network security 238 Ports Protocols 238 Security Patches 241 Protocol protection 243 Prevent any outgoing connection to the Internet 244 Security of the USB connection 245 Operating System and...

Page 6: ...and scanning operations with the User authentication 318 User authentication the standard workflows 322 Authentication by Smart card 328 Authentication by user name and password 334 Log out 339 Troubleshooting 342 Hard disk encryption 345 E Shredding 347 E shredding presentation 347 Enable the e shredding in Océ Express WebTools 348 E shredding process and system behaviour 350 IPsec 351 IPsec pres...

Page 7: ...s protection 389 Prevent any outgoing connection to the Internet 391 Security of the USB connection 392 The USB connection on the printer user interface 392 Roles and Passwords 393 Roles and profiles 393 Audit log 395 Data security 396 HTTPS 396 Encrypt print data and manage the system configuration using HTTPS 396 Request and import a CA signed certificate 401 Index 407 Contents 7 ...

Page 8: ...Contents 8 ...

Page 9: ...Chapter 1 Océ Security policy ...

Page 10: ...work protocols protection features by use of the Océ Security levels filtering or by configuring each network protocol for firewall filtering Protecting the system roles and passwords The main network and system settings are protected against change Only authorised users can configure or change these settings Regularly checking the relevance of Microsoft flaws and delivering security patches whene...

Page 11: ...any deleted user data The IPsec configuration that provides authentication data confidentiality and integrity in the network communication between devices A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network The Smart Inbox and job protection by Limiting and restricting the access to the print and scan job data with the Smart Inbox manageme...

Page 12: ...he latest safety information for your product make sure that you read and understand all safety information in the manual entitled Safety Guide Support For support information please contact your Canon local representative Find your local contact for support from http www canon com support From the Canon support page you can also download the printer drivers for the Canon printers their related us...

Page 13: ... Windows Embedded Standard 2009 Windows Embedded Standard 7 SP1 for Océ PlotWave 340 Océ PlotWave 360 Océ PlotWave 500 Windows Embedded Standard 8 64 bit for Océ PlotWave 345 Océ PlotWave 365 Océ PlotWave 450 Océ PlotWave 550 Océ ColorWave 500 Océ ColorWave 700 Windows Embedded Standard 7 SP1 Firewall Yes Yes Yes MS Security flaws Security patches Yes Yes Yes Network protocols protection Océ Secur...

Page 14: ... ColorWave 300 IPsec HTTPS IPsec HTTPS Password protection Yes for User settings Administration set tings Settings on the print er user panel Yes for User settings Administration set tings Settings on the print er user panel Yes for User settings Administration set tings Settings on the print er user panel Data overwrite E shredding E shredding E shredding Access control IP filtering Smart Inbox m...

Page 15: ... ColorWave 650 R3 x Operating System Linux and WES 2009 for Océ ColorWave 650 multifunc tional Océ ColorWave 550 multifunc tional Linux for Océ ColorWave 650 printer only Océ ColorWave 550 printer only Océ ColorWave 600 PP Océ ColorWave 650 PP Windows Embedded Standard 7 SP1 Firewall Yes Yes MS Security flaws Security patches Yes for Océ ColorWave 650 550 multifunctional N A for Océ ColorWave 600 ...

Page 16: ...Océ ColorWave 650 R2 0 1 and higher Océ ColorWave 650 PP R2 1 and higher Océ ColorWave 600 R1 5 and high er Océ ColorWave 600 PP R1 6 1 and higher Océ ColorWave 550 R2 2 and high er E shredding Access control Access restriction to the printer for Océ ColorWave 550 R2 3 1 and higher Océ ColorWave 650 R2 3 1 and higher Océ ColorWave 650 PP R2 3 1 and higher IP filtering Smart Inbox manage ment Smart...

Page 17: ...ty related events Data encryption on the network HTTPS for administration Océ Express WebTools and for job submission through Océ Publisher Express Password protection Yes for User settings Administration settings Océ Publisher Express access Access restriction Overview of the security features available per Océ System Chapter 1 Océ Security policy 17 ...

Page 18: ...Overview of the security features available per Océ System 18 Chapter 1 Océ Security policy ...

Page 19: ...Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 20: ...mbedded Standard 2009 for Océ PlotWave 300 R1 5 Océ PlotWave 350 R1 5 Océ ColorWave 300 R1 5 and higher versions Firewall Yes Network protocols protection 3 Océ Security Levels MS Security patches Océ released patches Antivirus Compatible with 2 Antivirus brands IPV6 Yes Data encryption on the network IPsec for Océ PlotWave 300 Océ PlotWave 350 Océ PlotWave 900 from R1 2 and Océ Col orWave 300 HTT...

Page 21: ... Océ back channel TCP 80 HTTP for advanced account ing UDP 515 Océ proto col for printer dis covery Océ Adobe Post Script 3 driver Océ PlotWave 300 PlotWave 350 Plot Wave 900 R1 x Océ ColorWave 300 x TCP 515 x TCP 515 x TCP 515 TCP 515 LPR Océ Publisher Express Océ PlotWave 300 PlotWave 350 Plot Wave 900 R1 x Océ ColorWave 300 x TCP 80 x TCP 80 TCP 80 HTTP Océ Publisher Express over SSL Océ PlotWa...

Page 22: ...tWave 300 PlotWave 350 Plot Wave 900 R1 x Océ ColorWave 300 x TCP 515 x TCP 515 x TCP 515 TCP 515 LPR FTP printing Océ PlotWave 300 PlotWave 350 Plot Wave 900R1 x Océ ColorWave 300 x TCP 21 TCP 4242 x 5 TCP 21 TCP 21 FTP TCP 4242 FTP 6 Notes Levels N Normal M Medium H High Océ back channel is an Océ proprietary protocol used to retrieve information from the printer status media loaded and to displ...

Page 23: ...ieval from Smart Inbox Scans over SSL Océ PlotWave 900 R1 x x TCP 443 x TCP 443 x TCP 443 TCP 443 HTTPS Océ Matrix Logic Océ PlotWave 900 R1 x x TCP 80 TCP 443 x TCP 80 TCP 443 x TCP 443 TCP 80 HTTP TCP 443 HTTPS Notes Levels N Normal M Medium H High 1 FTP passive mode only the FTP server on the remote workstation must support FTP passive mode 2 FTP active mode only 3 Data channel for FTP passive ...

Page 24: ...server UDP TCP 53 Océ PlotWave 900 R1 x x x x DHCP Océ PlotWave 300 PlotWave 350 Plot Wave 900 R1 x Océ ColorWave 300 x x x Outgoing connec tion local port on con troller UDP 68 remote port on DNS server UDP 67 Océ Account Center Advanced accounting WPD Océ PlotWave 300 PlotWave 350 Plot Wave 900 R1 x Océ ColorWave 300 x TCP 80 x TCP 80 TCP 80 HTTP Accounting informa tion retrieval by FTP Océ Plot...

Page 25: ...rvice Océ PlotWave 300 R1 5 and higher PlotWave 350 R1 5 and higher Océ PlotWave 900 R1 x Océ ColorWave 300 R1 5 and higher x x x HTTPS outgoing connection required TCP IP port 443 3 Notes Levels N Normal M Medium H High The name resolution is mainly used to determine the IP address of the scan destination during Scan fo File operation 1 FTP active mode only 2 Data channel for FTP passive mode 3 T...

Page 26: ...lotWave 900 1 x Océ ColorWave 300 1 2 1 and higher Before you begin Find the Océ Security patch from the Océ Downloads website on http downloads oce com Open the product page and go to the Security tab to download the available security patches Install the Océ Remote patch Procedure 1 Open the Océ Express Webtools 2 Open the Support tab 3 Select Update The Authentication window opens Security Patc...

Page 27: ...orner to open the wizard 6 Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update The system restarts to apply the patch Install the Océ Remote patch on Océ PlotWave 300 350 PlotWave 900 R1 x and Océ ColorWave 300 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 27 ...

Page 28: ...alled you can go back to the original security level Medium security level The Medium level is compliant with all the Océ applications available for printing and scanning which do not present a high risk as reported by most popular network scanners Target This level is recommended if you need to be secured while you want to use the Océ applications for printing and or scanning you can use the syst...

Page 29: ... in case you only want to check the security settings Press the Next key in case you want to adapt the security level Enter the password if requested and follow the wizard to adapt the security level Protect the security level by a password Procedure 1 Open the Océ Express Webtools in a web browser http Printer IP address or hostname 2 In the Preferences tab select System settings 3 In the Printer...

Page 30: ...ss Webtools in a web browser http Printer IP address or hostname 2 On the Configuration tab select Connectivity 3 Go to the Security section 4 Click on Edit or double click on the value to open the Security level window 5 Set the security level and click OK 6 Restart the printer when prompted Result After you set the Security level to High you must open Océ Express Web Tools by means of the HTTPS ...

Page 31: ...v ice Remote assistance Stop the Remote assistance if is ac tivated Click Stop remote assis tance until it changes into Allow remote assistance The two blinking arrows on the right side disap pear 2 Preferences System Defaults Service rela ted information Disable Online Services Set Océ Online Services connection enabled to Disabled 3 Configuration Scan destination X Delete any scan destination go...

Page 32: ...roller configuration from the Local User Interface In that case any file infected by a virus appears as an invalid backup file The controller software detects it and rejects the restore operation when printing from the USB device Any print file infected by a virus will never compromise controller s software integrity Protection of the USB WRITE operation during the backup of the controller configu...

Page 33: ...n ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 33 ...

Page 34: ...he Océ PlotWave 300 350 and Océ ColorWave 300 Introduction There are 2 groups of passwords The passwords used in Océ Express WebTools The passwords used in the printer user panel also named Local User Interface Passwords used in Océ Express WebTools In Océ Express WebTools the passwords protect The roles The Scan to File remote user name The security settings preshared key for IPsec Password modif...

Page 35: ...mo and test prints Change of the hardware software configuration Start of the scanner calibration Password backup restore policy with the Save Set Open Set features Some passwords are stored into the backup set made with the Save Set feature of Océ Express WebTools the passwords for the printer panel Password backup table for Océ PlotWave 300 350 and Océ ColorWave 300 Password pincode for Backup w...

Page 36: ...emote user name Password modification table for Océ PlotWave 900 R1 x Password for Can be changed by Key operator Key operator or Power user System administrator System administrator or Power user Power user Power user Any ScanToFile remote user name System administrator or Power user Any preshared key for IPsec System administrator or Power user Mobile printing with Océ Mobile WebTools System adm...

Page 37: ... in the Océ Express Webtools and the Printed jobs in Smart Inbox job lifetime is set When the time for the cleanup of the Scans in Smart Inbox is reached When a Clear system Remove all jobs is performed on the printer local interface E shredding algorithms Select one of the three e shredding behaviours DOD 5220 22 M 3 pass overwriting algorithm compliant with the US Department of Defense directive...

Page 38: ...ributes is deleted from the system the e shredding process occurs For a while the E shredding feedback returns as busy On the printer user panel Océ PlotWave 300 350 and Océ ColorWave 300 an indication is displayed in the System menu E shredding busy In the Océ Express WebTools window roll the mouse over the e shredding icon to display the E shredding busy status Once the e shredding data processe...

Page 39: ...ocess for files which are being e shredded Will not e shred the new deleted files Make sure all the scan copy print jobs are completely e shredded Once a batch of scan copy print jobs has been processed perform the following actions to make sure all the files are e shredded 1 Unplug the system from the network 2 Check that Saved print jobs in Smart Inbox is disabled 3 Delete any job from the Scans...

Page 40: ...The printer copier system is physically connected to the network but communicates only with a dedicated station a Print Server or Scan Server for example The Print Server receives the print request from the workstations via IP on the network The Print Server send the print requests to the printer copier system via IPsec The workstations cannot communicate directly with the printer copier system NO...

Page 41: ... traffic is denied except the HTTP traffic for Océ Ex press WebTools with any workstation this allows to change some IP sec settings via Océ Express WebTools from any workstation When the option is Disabled with IPsec enabled only the network traffic defined by the IPsec configuration rules is authorised All other network traffic is denied Default preshared key You can define a default preshared k...

Page 42: ...inter scanner controller Procedure 1 Open a web browser and enter the system URL https hostname to open the Océ Express WebTools 2 Open the Configuration Connectivity page 3 In IPsec generic section click Edit 4 Check IPsec 5 Keep Failsafe option checked during the phase you configure the IPSec In case of need this allows to be able to connect to the Océ Express WebTools from any workstation in or...

Page 43: ...ter lowercase upper case a z A Z the following special characters _ NOTE Write it down this preshared key will be required during the IPsec configuration on the workstation NOTE In the TCP IP IPv6 section make sure TCP IP IPv6 is disabled Result The IPsec settings are configured on the controller for a connection to a workstation which can be a print server Configure the IPsec settings in the Océ ...

Page 44: ...ilter list on page 46 4 Define the filter actions and security negotiation on page 48 5 Define the security rule on page 49 6 Assign the security policy on page 51 NOTE The procedure below shows the configuration steps on Windows server 2008 The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 Add the security snap in Procedure 1 In the Start R...

Page 45: ...The security snap in is added click OK Create the security policy Procedure 1 In the console right click on IP Security Policies on local Computer and select Create IP Security Policy 2 Click Next to open the wizard Create the security policy Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 45 ...

Page 46: ... Edit properties and click Finish Create the filter list Procedure 1 In the console right click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions Create the filter list 46 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 47: ...zard 5 Check the Mirrored checkbox and click Next 6 Select My IP address as the Source address and click Next 7 Select A specific IP address or subnet as Destination address and enter the IP address of the controller Create the filter list Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 47 ...

Page 48: ...efine the filter actions and security negotiation Procedure 1 Open the Manage Filter Actions tab and click Add to open the wizard 2 Click Next 3 Give a name to the filter actions and click Next Define the filter actions and security negotiation 48 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 49: ... the Settings button 7 Configure the settings as below 8 Click OK and Next then Finish Define the security rule Procedure 1 In the console right click on the IP security policy just created and select Properties to open the wizard On Windows 7 a new window opens check that Use Add Wizard is checked then click on Add 2 Click Next Define the security rule Chapter 2 Security on Océ PlotWave 300 350 P...

Page 50: ...pe select All network connections and click Next 5 Select the filter previously created then click Next 6 Select the filter action previously created then click Next Define the security rule 50 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 51: ...cé controller on page 42 then click Next 9 Click Finish 10 Click OK to validate the Security rule Assign the security policy Procedure 1 In the console right click on the security policy just created and select Assign The configuration is activated on the IPsec station workstation Assign the security policy Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 51 ...

Page 52: ...ed on the print server Point Print to print jobs Pre requisites When advanced accounting is required make sure you configured Account Center BEFORE disabling the Failsafe mode on the printer controller Consequences of the IPsec configuration on the client workstation The back channel information printer status feed data is not retrieved from the printer It is not displayed in the driver interface ...

Page 53: ...Océ ColorWave 300 Via Océ Express WebTools on the printer controller monitor for Océ PlotWave 900 R1 2 and higher 1 x Disable IPsec on the printer user panel Océ PlotWave 300 350 and Océ ColorWave 300 Procedure 1 On the printer printer user panel click on System 2 Select Setup 3 Roll down to the Security item and open the Security menu The status is IPsec is enabled 4 Click Next several times to o...

Page 54: ...fails between the controller and the identified hosts you can disable IPsec in Océ Express WebTools only via the printer controller monitor Procedure 1 On the printer controller open Océ Express WebTools and log in as System administrator 2 Open the Configuration Connectivity tab 3 Go to the IPsec section 4 Click on Edit in the upper right hand corner of the section Disable IPsec on the controller...

Page 55: ...sult IPsec is disabled You can open Océ Express WebTools remotely from a workstation HTTP Disable IPsec on the controller monitor Océ PlotWave 900 R1 2 and higher 1 x Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 55 ...

Page 56: ...open the USB direct print window 5 Log in 6 Select Disabled and Ok How to prevent Scan to USB Introduction You can neutralize the Scan to File to USB storage device capability 2 step procedure to prevent scanning to USB destination 1 Disable any USB stick scan destination 2 Remove the USB destination from all Scan templates 1 Disable any USB stick scan destination Introduction You can neutralize t...

Page 57: ...or each scan destination from Scan destination 3 to Scan destination 10 make sure that the scan destination type is NOT Local to USB storage device 2 Remove the USB destination from all Scan templates Procedure 1 In Océ Express WebTools open the Preferences Scan job defaults page 2 In each Scan template File section check that the Destination is not USB stick 3 When the destination is USB stick ed...

Page 58: ...eb browser will generate security error messages In order to easily and securely use the self signed certificate in your web browser you must View and check the self signed certificate in your web browser Configure your web browser to trust the self signed certificate Use the Océ self signed certificate with Internet Explorer Procedure 1 On a workstation type the URL address of your printer in Int...

Page 59: ...certificate into your web browser 1 Place the certificate in the Trusted Root Certification Authorities folder 2 Accept the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWav...

Page 60: ...d on the address bar Océ self signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors Us...

Page 61: ... Océ Organization Unit OU WFPS 6 The certificate is issued to Océ Express WebTools by Océ Express WebTools so you can confirm the security exception permanent or temporary exception 7 A security warning window may pop up Click Yes to continue Result The Océ Express WebTools software opens You can check in the status bar at the bottom of the window that the padlock is displayed In the navigation ba...

Page 62: ...stem capabilities go to the Preferences System settings to disable or restrict for example The remote view of the Smart Inboxes The printing from the Smart Inboxes The storage of the job data in the Smart Inboxes Depending on your printer capabilities you can also disable the printing from Océ Publisher Express Smart Inbox management 62 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotW...

Page 63: ...nation Antivirus Compatible with 2 Antivirus brands SMB authentication NTLMV2 Data encryption on the network IPsec HTTPS for administration and for job submis sion through Publisher Express Data overwrite E shredding Password protection Yes for User settings Administration settings Settings on the printer user panel Smart Inbox management Can be enabled disabled Remote view restriction Delete scan...

Page 64: ...65200 Océ back channel TCP 80 HTTP for advanced ac counting UDP 515 Océ pro tocol for printer discovery Océ Adobe Post Script 3 driver Océ Plot Wave 750 PlotWave 900 R2 x x TCP 515 x TCP 515 x TCP 515 x TCP 515 TCP 515 LPR Océ Publisher Express Océ Plot Wave 750 PlotWave 900 R2 x x TCP 80 x TCP 80 TCP 80 HTTP Océ Publisher Express over SSL Océ Plot Wave 750 PlotWave 900 R2 x x TCP 443 x TCP 443 x ...

Page 65: ...x TCP 515 TCP 515 LPR LPR printing com mand line Océ Plot Wave 750 PlotWave 900 R2 x x TCP 515 x TCP 515 x TCP 515 x TCP 515 TCP 515 LPR FTP printing Océ Plot Wave 750 PlotWave 900 R2 x x TCP 21 TCP 4242 x 3 TCP 21 TCP 21 FTP TCP 4242 FTP 4 Notes Levels N Normal M Medium M H Medium High H High Océ back channel is an Océ proprietary protocol used to retrieve information from the printer status medi...

Page 66: ... 900 R2 x x TCP 443 x TCP 443 x TCP 443 x TCP 443 TCP 443 HTTPS Océ Matrix Logic Océ PlotWave 750 PlotWave 900 R2 x x TCP 80 TCP 443 x TCP 80 TCP 443 x TCP 443 x TCP 443 TCP 80 HTTP TCP 443 HTTPS Notes Levels N Normal M Medium M H Medium High H High 1 FTP passive mode only the FTP server on the remote workstation must support FTP passive mode 2 FTP active mode only 3 Data channel for FTP passive m...

Page 67: ...0 PlotWave 900 R2 x x x x x Outgoing con nection local port on controller UDP 68 remote port on DNS server UDP 67 Océ Account Center Advanced accounting WPD Océ PlotWave 750 PlotWave 900 R2 x x TCP 80 x TCP 80 TCP 80 HTTP Accounting informa tion retrieval by FTP Océ PlotWave 750 PlotWave 900 R2 x x TCP 21 TCP 4242 x 1 TCP 21 TCP 21 FTP TCP 4242 FTP 2 Browse Océ systems on the network with Windows ...

Page 68: ...IP port 443 3 WSD print WSD dis covery Océ PlotWave 750 x x x UDP 3702 TCP 5357 Notes Levels N Normal M Medium M H Medium High H High The name resolution is mainly used to determine the IP address of the scan destination during Scan to File operation 1 FTP active mode only 2 Data channel for FTP passive mode 3 TCP IP port 443 must be opened and must allow response back on the IT infrastructure fir...

Page 69: ...Before you begin Find the Océ Security patch from the Océ Downloads website on http downloads oce com Open the product page and go to the Security tab to download the available security patches Install the Océ Remote patch Procedure 1 Open the Océ Express Webtools 2 Open the Support tab 3 Select Update The Authentication window opens Security Patches Chapter 2 Security on Océ PlotWave 300 350 Plot...

Page 70: ...played 5 Click on the Update icon top right corner to open the wizard 6 Click OK 7 Browse to the Océ Remote patch and click OK to install it Install the Océ Remote patch on Océ PlotWave 750 and Océ PlotWave 900 R2 x 70 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 71: ...8 Click OK to confirm the update Install the Océ Remote patch on Océ PlotWave 750 and Océ PlotWave 900 R2 x Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 71 ...

Page 72: ... the corresponding patch cannot be yet installed As soon as the patch can be installed you can go back to the original security level NOTE Attention when you set the Medium high or High security level through the HTTP protocol the communication immediately stops Open Océ Express Web Tools by means of the HTTPS protocol type https Printer IP address or hostname in the web browser and restart the sy...

Page 73: ...otWave 750 or océ PlotWave 900 R2 x Refer to Set the security level on Océ PlotWave 900 R1 1 and higher on page 30 Security levels presentation Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 73 ...

Page 74: ...e Stop the Remote assistance if it is activated Click Stop remote assis tance until it changes into Allow remote assistance The two blinking arrows on the right side disap pear 2 Preferences System Defaults Service rela ted information Disable Online Services Set Océ Online Services connection enabled to Disabled 3 Configuration Scan destination X Disable all scan destinations to FTP sites reachab...

Page 75: ...n ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 75 ...

Page 76: ... Océ PlotWave 750 and Océ PlotWave 900 R2 x Introduction In Océ Express WebTools the passwords protect The roles The Scan to File remote user name The security settings preshared key for IPsec The mobile printing password On the printer panel a password protects the administration settings Passwords in Océ Express WebTools Password modification table for Océ PlotWave 750 and Océ PlotWave 900 R2 x ...

Page 77: ...e them only through the standard user interface on the controller Password on the printer panel for Océ PlotWave 750 You can activate the password to restrict the access to the Administrator settings from the printer panel this password is fixed and cannot be changed refer to the Océ PlotWave 750 Operation Guide to know more about the password Printer panel protection Introduction From Océ Express...

Page 78: ...sec settings Network services enable disable settings Creation modification removal of scan destinations Changes of passwords used to protect security related settings Key operator System administrator Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin a...

Page 79: ...Webtools and the Printed jobs in Smart Inbox job lifetime is set When the time for the cleanup of the Scans in Smart Inbox is reached When a Clear system or Clear memory job removal is performed on the printer local interface E shredding algorithms Select one of the three e shredding behaviours DOD 5220 22 M 3 pass overwriting algorithm compliant with the US Department of Defense directive Gutmann...

Page 80: ...n the Océ Express WebTools window a new icon is added to the list of icons bottom right Each time data file s content or attributes is deleted from the system the e shredding process occurs For a while the E shredding feedback returns as busy Once the e shredding data processed is complete the status comes back to E shredding ready in the Océ Express WebTools roll over the icon on a workstation or...

Page 81: ... and scan jobs by the system timeout disabled Smart Inbox cleanup When you disable the e shredding When you disable the e shredding the system Terminates the e shredding process for files which are being e shredded Will not e shred the new deleted files Make sure all the scan copy print jobs are completely e shredded Once a batch of scan copy print jobs has been processed perform the following act...

Page 82: ...ected to the network but communicates only with a dedicated station a Print Server or Scan Server for example The Print Server receives the print request from the workstations via IP on the network The Print Server send the print requests to the printer copier system via IPsec The workstations cannot communicate directly with the printer copier system NOTE In this configuration the back channel co...

Page 83: ...denied except the HTTP traffic for Océ Ex press WebTools with any workstation this allows to change some IP sec settings via Océ Express WebTools from any workstation When the option is Disabled with IPsec enabled only the network traffic defined by the IPsec configuration rules is authorised All other network traffic is denied Default preshared key You can define a default preshared key that will...

Page 84: ...ure 1 Open a web browser and enter the system URL https hostname to open the Océ Express WebTools 2 Open the Configuration Connectivity page 3 In IPsec generic section click Edit 4 Check IPsec 5 Keep Failsafe option checked during the phase you configure the IPSec In case of need this allows to be able to connect to the Océ Express WebTools from any workstation in order to be able to change parame...

Page 85: ...pper case a z A Z the following special characters _ NOTE Write it down this preshared key will be required during the IPsec configuration on the workstation NOTE IPsec can be used only with IPv4 IP type set to IPv4 only or IPV4 and IPv6 both enabled In the Connectivity Network adapter section make sure IPv6 only is NOT enabled before you configure IPsec on the controller Configure the IPsec setti...

Page 86: ...ver 2008 The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 The impact of IPsec when you print using Océ WPD through a print server Introduction When you use WPD on a print server with advanced accounting activated the use of IPsec has an impact on the workflow When the following conditions are gathered A print server is configured as an IPse...

Page 87: ...ode on the controller Then the accounting window will be displayed on the client workstation and the accounting information can be entered to print the job Troubleshooting emergency procedure to disable IPsec Introduction In the following case IPsec is enabled and activated on the printer scanner controller and The Failsafe mode is disabled and The communication between the controller and the IPse...

Page 88: ...rtificate provides encryption of the print data sent through Publisher Express and of the configuration settings accessed through Océ Express WebTools between the client and the controller It can be easily used This self signed certificate has not been signed by a Certification Authority consequently the web browser will display a Certificate Error message the first time you use the HTTPS protocol...

Page 89: ...Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is not issued by a trusted certificate authority The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar 2 In order to view and check the self signed certificate continue to the website 3 Click on Certificate error 4 Click View certificat...

Page 90: ...the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer 90 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 91: ... signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is not trusted ...

Page 92: ... window that the padlock is displayed In the navigation bar the Océ certificate is registered as an exception The identity of the remote controller and the encryption of the data on the network are secured Request and import a CA signed certificate Description of the overall procedure to request and import a CA signed certificate Introduction By default the first certificate delivered for the use ...

Page 93: ...A3 Save the content of the certifi cate request Send this content to the Certification Authority to re quest a CA signed certificate The Certification Authority will check the request and re ply If the request is valid go to step A4 if the request is not valid make a new request A2 ac cording to the remarks corrections suggested by the CA request feedback A4 Restart the controller A5 Back up the p...

Page 94: ...ghly recommended to back up the CA sign ed certificate and the private key since they are not saved in any system backup See Back up a certificate and a private key on page 140 Other procedures Procedure When to do Restore a certificate and a private key You can restore the certificate and the private key at any moment in case of need See Restore a certificate and a private key on page 144 Reset t...

Page 95: ...remote view of the Smart Inboxes Remote Smart Inbox view When set to Login needed you restrict the view on the Smart Inboxes to the Key operator or Power user only logging needed to view the Smart In box The ability to print from Smart Inbox and to make queue operations Printing from Smart Inbox and queue operations When set to Login needed all remote actions on jobs in the Smart Inboxes and queue...

Page 96: ...Smart Inbox management and job management 96 Chapter 2 Security on Océ PlotWave 300 350 PlotWave 750 PlotWave 900 and ColorWave 300 ...

Page 97: ...Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 98: ...tivirus Yes IPv6 Yes IPV6 only or IPV6 IPV4 combination Data overwrite E shredding Data encryption on the network IPsec HTTPS for administration Océ Express WebTools and for Job submission through Océ Publisher Express Password protection Yes for User settings Administration settings Settings on the printer user panel Access control IP filtering SMB authentication NTLMV2 Smart Inbox management Sma...

Page 99: ...cé Publisher Express TCP 80 HTTP TCP 443 HTTPS Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 515 LPR 1 TCP 4242 FTP passive mode for data channel in FTP pas sive mode ICMP ping UDP 515 Océ protocol for Printer Discovery TCP 21 FTP 2 Océ Reprodesk Studio TCP 515 LPR TCP 80 Océ back channel WAVE Novell NDPS printing TCP 515 LPR LP...

Page 100: ... and protocols used by the system Application Functionality INBOUND ports on the con troller protocol OUTBOUND ports from the controller protocol Scan to File SMB TCP 139 445 UDP 137 138 445 Scan to File FTP FTP command 1 Local TCP any Remote TCP 21 FTP Data 1 Local TCP any Remote TCP any Scan to File Cloud WebDAV TCP 80 HTTP TCP 443 HTTPS TCP web proxy port 2 TCP WebDAV port Scan data retrieval f...

Page 101: ... TCP web proxy port 1 NetBios over TCP IP UDP 137 TCP 139 445 UDP 138 WSD TCP 80 HTTP UDP 3702 for WSD discovery TCP 5357 for WSD eventing WAVE TCP 80 HTTP OBIS TCP 80 HTTP for back channel Océ Publisher Select IPsec UDP 500 UDP 4500 Notes 1 When there is a proxy Additional built in Windows firewall rules Inbound rules Core Networking Dynamic Host Configuration Protocol DHCP In Core Networking Dyn...

Page 102: ...ecurity tab to download the available security patches Install a patch Procedure 1 Open Océ Express WebTools 2 Open the Support tab 3 Select Update The Authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed 5 Click on the Install icon top right corner of the Operating system patches section to open the wizard Secur...

Page 103: ...6 Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 103 ...

Page 104: ...le Disable For LPR printing Océ WAVE interface HTTP Enable Disable Used for Océ back channel for WPD2 Account Center Reprodesk Web Services on De vices WSD HTTP Enable Disable For WSD device discovery OCI interfaces Océ propri etary interfa ces Enable Disable Allow interaction with Océ Publisher Select HTTP Enable Disable Used only for Océ Publish er Select backchannel Océ Express WebT ools via HT...

Page 105: ...nnot be disabled Allow automatic up date of Océ Service in formation HTTP HTTPS Enable Disable Outbound connection Océ Online Services connection enabled or Remote Service con nection HTTPS Enable Disable Outbound connection used by Remote Service Note To disable a network protocol or network service go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol ...

Page 106: ...able Online Services or Remote Service Set Océ Online Services con nection enabled or Remote Service connection to Disa bled 3 Configuration Con nectivity Other net work interfaces Disable the automatic update of the embedded Service information Set Allow automatic update of Océ service information or Allow automatic update of embedded Service docu mentation to Disabled 4 Configuration Exter nal l...

Page 107: ...file infected by a virus appears as an invalid backup file The controller software detects it and rejects the restore operation when printing from the USB device Any print file infected by a virus will never compromise controller s software integrity Protection of the USB WRITE operation during the backup of the controller configuration from the Local User Interface The backup is performed by the ...

Page 108: ...rprise Edition ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus 108 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 109: ...ervice operations Allow Service technician to reset passwords Allow software reinstallation from USB Allow an update or patch installation by Service Allow Service to access licenses information Allow automatic update of embedded Service documentation Each of these permissions can be disabled in the Permissions for Service section of the Security Configuration page in Océ Express WebTools The Syst...

Page 110: ...he system update The following settings and functions are protected by the Key operator or Power user password on the user panel The print density The Clear system function The Install additional hardware function The scanner calibration On Océ PlotWave 340 360 up to R1 1 In Océ Express Webtools he System administrator or the Power user can configure the Password to change network settings This pa...

Page 111: ...operation the passwords for any external location remote user name are stored encrypted in the file exportExternalLocationTemplates xml included in the file exportExternalLocationTemplates zip The Import templates operation restores the passwords Temporary password for the installation of 3rd party application To install a 3rd party application in the controller system a Canon representative gener...

Page 112: ...rver in the list of the Access control stations Otherwise the DNS protocol is disabled you can configure the path of the external locations with the IP address instead of a hostname NOTE When configuring the Access control station IPv6 address use the IPv6 static address instead of a dynamic stateless or stateful one You can define up to 5 hosts For each of the hosts you can decide whether the com...

Page 113: ...trator Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin account firewall port Smart Inbox enable disable Allow Service Technician to reset passwords on off Save retrieved job data for service on off HTTPS settings enable disable change of certificate H...

Page 114: ...stick has been performed successfully or not When it is automatically deleted after a time out the end of the job lifetime in the Smart Inbox is reached Keep completed jobs in the Smart Inbox is enabled with Expiration time out for Smart Inbox and Expiration time out for Smart Inbox copy and scan jobs set in the job management settings of the Océ Express WebTools When a Clear system is performed o...

Page 115: ...ors settings 5 Check the Save received jobdata for Service setting is disabled 6 On the printer user panel make a Clear system Enable the e shredding Procedure 1 In Océ Express Webtools open the Configuration Connectivity page and select the E shredding section 2 Click Edit 3 Check E shredding feature to enable it 4 Select the algorithm 5 When you select Custom set the number of passes Result When...

Page 116: ...he Océ Express WebTools window roll the mouse over the e shredding icon to display the E shredding busy status Once the e shredding data process is complete the status comes back to E shredding ready in the Océ Express WebTools roll over the icon Enable the e shredding in Océ Express WebTools 116 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 117: ...he first e shredding pass is performed immediately after the job is deleted Subsequent passes are performed in background When you disable the e shredding When you disable the e shredding the system Terminates the e shredding process for files which are being e shredded Will not e shred the new deleted files Make sure all the scan copy print jobs are completely e shredded Once a batch of scan copy...

Page 118: ...Psec enabled IPsec disabled Access control enabled IP filtering Encryption are acti vated Only the stations configured with IPsec can connect to the system No other stations can communicate with the print scan system The system can communicate only with the IPsec stations Communication and data are encrypted IP filtering is activated no en cryption Only the stations configured for Access control i...

Page 119: ...and configure the parameters for each required station The parameters can be different for each different workstation the IP address the preshared key keep the generic default one or set a custom one You can define a default preshared key that will be used for all the IPsec stations connected to the print scan system NOTE The following IPsec parameters cannot be changed IKE Diffie Hellman group 2 ...

Page 120: ...nd Access control behaviour on page 118 5 Enable IPsec station 1 Tip When you enable Access control it is recommended to declare the workstation from which you remotely configure the system at least during the configuration time IPsec is not needed 6 Enter the IPsec preshared key or keep it empty to use the default preshared key The IPsec default preshared key setting is available at the bottom of...

Page 121: ...ult The IPsec settings are configured on the controller for a connection to a workstation Configure the IPsec settings in the Océ controller Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 121 ...

Page 122: ...ter actions and security negotiation on page 126 5 Define the security rule on page 127 6 Assign the security policy on page 129 7 Customize the IPsec settings on page 130 NOTE The procedure below shows the configuration steps on Windows server 2008 for an Océ ColorWave 300 system The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 and for oth...

Page 123: ...click Finish The security snap in is added click OK Create the security policy Procedure 1 In the console right click on IP Security Policies on local Computer and select Create IP Security Policy 2 Click Next to open the wizard Create the security policy Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 123 ...

Page 124: ...ule 5 Uncheck Edit properties and click Finish Create the filter list Procedure 1 In the console right click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions Create the filter list 124 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 125: ...o open the wizard 5 Check the Mirrored checkbox and click Next 6 Select My IP address as the Source address and click Next 7 Select A specific IP address or subnet as Destination address and enter the IP address of the controller Create the filter list Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 125 ...

Page 126: ...list is set Define the filter actions and security negotiation Procedure 1 Open the Manage Filter Actions tab and click Add to open the wizard 2 Click Next 3 Give a name to the filter actions and click Next Define the filter actions and security negotiation 126 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 127: ...ton 7 Configure the settings as below Data and address integrity without encryption AH setting is not mandatory 8 Click OK and Next then Finish Define the security rule Procedure 1 In the console right click on the IP security policy just created and select Properties to open the wizard On Windows 7 a new window opens check that Use Add Wizard is checked then click on Add Define the security rule ...

Page 128: ... 4 As the Network type select All network connections and click Next 5 Select the filter previously created then click Next 6 Select the filter action previously created then click Next Define the security rule 128 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 129: ...ings in the Océ controller on page 120 then click Next 9 Click Finish 10 Click OK to validate the Security rule Assign the security policy Procedure 1 In the console right click on the security policy just created and select Assign The configuration is activated on the IPsec station workstation Assign the security policy Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 129 ...

Page 130: ...Firewall Advanced settings to open the Windows Firewall with Advanced Security window 2 In the Actions section on the right hand side click on Windows Firewall with Advanced Security on Local Computer to expand the menu 3 Select Properties 4 In the IPsec Settings tab click on the Customize button of the IPsec defaults Customize the IPsec settings 130 Chapter 3 Security on Océ PlotWave 500 and Plot...

Page 131: ...0 550 and OcéColorWave 500 550 650 650R3 700 Remove your workstation from the IPsec Access control configuration when it must not remain in the list of connected stations For all other printers When the test works properly it is recommended to disable the Failsafe mode on the printer scanner controller So only the IPsec station is allowed to communicate with the printer scanner system Customize th...

Page 132: ...ble Then use the emergency procedure to disable IPsec and Access control via the printer user panel Disable Access control on the printer user panel Procedure 1 On the user panel tap the upper right corner to display the menu 2 Select Security 3 For Océ PlotWave 500 enter the System administrator or Power user password For Océ PlotWave 340 360 enter the Password to change networks settings if set ...

Page 133: ...roller Result Access control and IPsec functions are disabled After the restart you will be able to remotely open Océ Express WebTools from any workstation HTTP Troubleshooting Disable Access control and IPsec Océ PlotWave 500 and PlotWave 340 360 systems Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 133 ...

Page 134: ...gh Publisher Express and of the configuration settings accessed through Océ Express WebTools between the client and the controller It can be easily used This self signed certificate has not been signed by a Certification Authority consequently the web browser will display a Certificate Error message the first time you use the HTTPS protocol The CA signed certificate is delivered by a Certification...

Page 135: ...issued by a trusted certificate authority The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar 2 In order to view and check the self signed certificate continue to the website 3 Click on Certificate error 4 Click View certificates 5 The certificate is issued to OcéExpress WebTools by Océ Express WebTools 6 Click Install Certificate 7 Fol...

Page 136: ...der 2 Accept the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer 136 Chapter 3 Security on Océ PlotWave 500 and PlotWave 340 360 ...

Page 137: ... bar Océ self signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is...

Page 138: ...on Unit OU WFPS 6 The certificate is issued to OcéExpress WebTools by Océ Express WebTools so you can confirm the security exception permanent or temporary exception 7 A security warning window may pop up Click Yes to continue Result The Océ Express WebTools software opens You can check in the status bar at the bottom of the window that the padlock is displayed In the navigation bar the Océ certif...

Page 139: ...ill using HTTPS follow these 2 procedures step by step Overall procedure to prepare and generate the CA signed certificate request Step Description A1 Back up the current certificate and private key if any The current certificate can be the original Océ self signed certificate embedded a CA signed certificate delivered by a Certification Authority you previously installed See Back up a certificate...

Page 140: ...he CA Root certificate in the Trusted Root certificates list of the web browser on each workstation See Check and import the Root certificate into the work stations browser on page 143 B5 Back up the certificate and pri vate key Back up and store the certificate and the private key Note It is highly recommended to back up the CA sign ed certificate and the private key since they are not saved in a...

Page 141: ...enerate a CA signed certificate request Purpose Create a certificate request Use this function only when you want to request a new CA certificate Pre requisites Back up the current Certificate and Private key already installed on the controller see Back up a certificate and a private key on page 140 Generate a certificate request NOTE Step A2 of the Description of the overall procedure to request ...

Page 142: ...l procedure to request and import a CA signed certificate on page 92 Procedure 1 Copy and paste the content of the request in a csr file named certificate_request csr by default 2 Send the content of this request to the Certification Authority Import a CA signed certificate into the controller and workstations Introduction overall procedure 1 Import the CA signed certificate into the controller Im...

Page 143: ... to the certificate file 3 Select Yes to validate the certificate against Java root certificates and click Import 4 When the message Certificate successfully imported pops up restart the controller Result Result The certificate is now installed on the server Check and import if needed the CA Root certificate also into the workstations web browser That will secure the complete data workflow between...

Page 144: ...store a self signed certificate NOTE Prefer the restoration of the original self signed certificate that requests a preliminary back up of the original self signed certificate See Back up a certificate and a private key on page 140 Each Reset certificate action generates a new self signed certificate with a new private and public key So each time you reset the certificate you must import the new c...

Page 145: ...onfiguration External locations page 3 Log in as a System administrator or Power user 4 Edit the USB type 5 In the Enabled functionalities drop down list select None to disable print from and scan to capabilities Print from only to enable to print from USB and disable Scan to USB capability Scan to only to enable to scan to USB and disable Print from USB capability Note Select Print from and scan ...

Page 146: ... When disabled the job submission capability through Express WebTools is completely de activated The remote actions on jobs to the Operator Restrict remote actions on jobs to the Key Operator When enabled all remote actions on jobs in the queue are restricted to the Key Operator or Power user only The display of Smart Inboxes in Océ Express WebTools When enabled all users of Express WebTools can s...

Page 147: ...Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 ...

Page 148: ...r name and password Smart card Contactless card for Océ PlotWave 345 365 450 550 1 1 and higher versions Scan to Home folder Yes when User authentication by user name and pass word is enabled Hard Disk encryption Yes 2 modes Full disk encryption Normal encryption Data overwrite E shredding Data encryption on the network IPsec HTTPS for administration Océ Express WebTools and for Job submission thr...

Page 149: ...ations made by Service under the control of the System Administrator Security overview for the Océ PlotWave 345 Océ PlotWave 365 Océ PlotWave 450 and Océ PlotWave 550 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 149 ...

Page 150: ...blisher Express TCP 80 HTTP TCP 443 HTTPS Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 515 LPR 1 TCP 4242 FTP passive mode for data channel in FTP pas sive mode ICMP ping UDP 515 Océ protocol for Printer Discovery TCP 21 FTP 2 Océ Reprodesk Studio TCP 515 LPR TCP 80 Océ back channel WAVE Novell NDPS printing TCP 515 LPR LPR pri...

Page 151: ...here is a proxy Scanning applications INBOUND and OUTBOUND ports and protocols used by the system Application Functionality INBOUND ports on the con troller protocol OUTBOUND ports from the controller protocol Scan to File SMB TCP 139 445 UDP 137 138 445 Scan to File FTP FTP command 1 Local TCP any Remote TCP 21 FTP Data 1 Local TCP any Remote TCP any Scan to File Cloud WebDAV TCP 80 HTTP TCP 443 ...

Page 152: ... authentication by user name and password TCP 88 UDP 88 Kerberos TCP 389 UDP 389 LDAP User authentication by smart card TCP 80 OCSP TCP 80 HTTP or TCP 443 HTTPS Océ Meter Manager UDP 161 SNMP Océ back channel TCP 65200 for OCI back chan nel Océ Remote Service TCP 443 HTTPS TCP web proxy port 1 NetBios over TCP IP UDP 137 TCP 139 445 UDP 138 WSD TCP 80 HTTP UDP 3702 for WSD discovery TCP 5357 for W...

Page 153: ...e Networking DNS UDP Out Core Networking Dynamic Host Configuration Protocol DHCP Out Core Networking Dynamic Host Configuration Protocol for IPv6 DHCPV6 Out Core Networking IPv6 IPv6 Out Applications protocols and ports Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 153 ...

Page 154: ...ity tab to download the available security patches Install a patch Procedure 1 Open Océ Express WebTools 2 Open the Support tab 3 Select Update The Authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed 5 Click on the Install icon top right corner of the Operating system patches section to open the wizard Security ...

Page 155: ... Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 155 ...

Page 156: ...isable For LPR printing Océ WAVE interface HTTP Enable Disable Used for Océ back channel for WPD2 Account Center Reprodesk Web Services on De vices WSD HTTP Enable Disable For WSD device discovery OCI interfaces Océ propri etary interfa ces Enable Disable Allow interaction with Océ Publisher Select HTTP Enable Disable Used only for Océ Publish er Select backchannel Océ Express WebT ools via HTTP H...

Page 157: ...a tion HTTP HTTPS Enable Disable Outbound connection Océ Online Services connection enabled or Remote Service con nection HTTPS Enable Disable Outbound connection used by Remote Service Note To disable a network protocol or network service go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol or service To disable the connection to Remote Service Océ Onl...

Page 158: ... rela ted information Disable Online Services or Remote Service Set Océ Online Services con nection enabled or Remote Service connection to Disa bled 3 Security Configura tion Permissions for Service Disable the automatic update of the embedded Service information Set Allow automatic update of embedded Service docu mentation to Disabled 4 Configuration Exter nal location Delete all External locati...

Page 159: ... infected by a virus appears as an invalid backup file The controller software detects it and rejects the restore operation when printing from the USB device Any print file infected by a virus will never compromise controller s software integrity Protection of the USB WRITE operation during the backup of the controller configuration from the Local User Interface The backup is performed by the inte...

Page 160: ...se Edition ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus 160 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 ...

Page 161: ...ce operations Allow Service technician to reset passwords Allow software reinstallation from USB Allow an update or patch installation by Service Allow Service to access licenses information Allow automatic update of embedded Service documentation Each of these permissions can be disabled in the Permissions for Service section of the Security Configuration page in Océ Express WebTools The System a...

Page 162: ...settings The system update The following devices settings and functions are protected by the Key operator or Power user password on the user panel Clear system The scanner The print density The Finishing device Clean the knife folder option NOTE Keep this password The reset of this password may require the intervention of a Service technician Passwords modification Password modification table for ...

Page 163: ...ation restores the passwords Temporary password for the installation of 3rd party application To install a 3rd party application in the controller system a Canon representative generates a temporary administrative password for the Windows Administrative account This password is valid for 4 hours NOTE The System Administrator must allow the Canon representative to create this password in Express We...

Page 164: ... manually Add the DNS server in the list of the Access control stations Otherwise the DNS protocol is disabled you can configure the path of the external locations with the IP address instead of a hostname Use the access restriction to limit the access to the printer Enable Access control and set the list of IP addresses of the computers hosts that will be able to communicate with the printer This...

Page 165: ...tor Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin account firewall port Smart Inbox enable disable Allow Service Technician to reset passwords on off Save retrieved job data for service on off HTTPS settings enable disable change of certificate HTTP...

Page 166: ...files that are stored locally on the controller User authentication methods One of the three following methods can be used for user authentication User name and password The user name and password are required on the printer panel This authentication method is mainly targeted to Windows based environment Microsoft Active Directory Smart card PKI card compatible with MS Active Directory Certificate...

Page 167: ...e submission tool can be Océ Publisher Select or a driver within an application e g WPD2 or a LPR or FTP command 3 The owner of the job logs in on the printer user panel Only the job owner can see the job and print it user authentication is required to unlock the printer panel accessibility 4 The job owner launches the print 5 The job owner collects the printed output The scan and copy workflow Se...

Page 168: ... Inbox Keep a copy of scanned jobs in the Smart Inbox Keep a copy of copy jobs in the Smart Inbox Keep a copy of local print jobs in the Smart Inbox Key operator actions on jobs In Preferences System defaults Job management Restrict remote actions on jobs to the Key Operator Copy job priority In Preferences System defaults Job management Copy job priority OCI interface In Configuration Connectivit...

Page 169: ...o secure the job data and job ownership on the network during the job submission the job scanning to external locations the use of a secured network IPsec for instance is recommended Impact of the user authentication on the system features and Océ WebTools Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 169 ...

Page 170: ...2 or a job submitter example Océ Publisher Select 2 3 Authentication on the printer The user logs in on the printer either by typing his her user name and password on the printer pan el or by using his her smart card The credentials used on the printer must be the same as the ones used at the job submission time Example user1 belonging to the domain domain com 4 Job management On the bottom right ...

Page 171: ...t the user stays close to the printer until all the jobs are completely printed The jobs in Processing state are not printed if the user logs out before they are in Ready to print status Standard workflow for scan and copy Step Action 1 Logging on the printer The user logs in on the printer either by typing his her user name and password on the printer pan el or by using his her smart card Example...

Page 172: ...o an external location The user authentication in the main job submission workflows Introduction There are several ways to submit print jobs to the printer Find below the recommendations for benefiting from the protection by the user authentication in the recommended job submission workflows Job submission with Océ Publisher Select from version 1 17 Job submission from an application with the Océ ...

Page 173: ... Example user1 on domain domain com 2 Open the applica tion to open the file 3 Open Océ WPD2 Properties to print the job from the appli cation When the WPD2 driver window opens check the user account name of the job in the top right part of the window This user name is going to be sent along with the job Example user1 domain com NOTE If the user account name is not displayed open the Options Advan...

Page 174: ...ther submission workflows Job submission by LPR For a file submitted by LPR the system will use the Username tag present in the job ticket of the file if any If there is no job ticket in the file or no Username in the job ticket then the non FQDN user name of the user logged in on the system is used example user1 The LPR command to submit the job is LPR S printer name P printer name x filename NOT...

Page 175: ...in this field must not be blank The name must be the same as the one that will be used to log in on the system example user domain com NOTE The job owner declared in Publisher Express does not overwrite the Username embedded into the job ticket Other submission workflows Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 175 ...

Page 176: ...icates Forced URL of OCSP responder setting The PIN of the card if needed Compatible smart card readers HID Global Corporation OMNIKEY 5x2x products Identive infrastructure formerly SCM Microsystems Inc SCR33x products Gemalto IDBridge products formerly GEMPC GEMPLUS Advanced Card Systems Holdings Limited ACR1281U product contact support only HID Global Corporation OMNIKEY 3x2x products Only for O...

Page 177: ... section select Smart card as the User authentication 4 The restart is required Select Restart now When User access mode is set to Smart card or User name and password the system must be restarted to guarantee the data confidentiality of future incoming jobs Do not select Restart later Configure the smart card settings Configure The trusted certificates The user access settings Procedure 1 Open th...

Page 178: ...used for job filtering When this setting is activated the FQDN of the user user name domain is requested when the user logs in on the printer panel Once logged in the user sees only the jobs that have been submitted with the same FQDN Example the user user1 domain com logs in on the printer This user can see only the jobs that have been submitted by user1 domain com When this setting is not activa...

Page 179: ... card on page 180 Authentication on the user panel Introduction Insert the smart card into the card reader The authentication is automatic when the smart card contains a valid user name and no password is needed A login window is displayed when the authentication with the smart card requires a PIN Enter the PIN in the password field A login window is displayed when there is more than one user regi...

Page 180: ...ssage attach ed to the red cross Possible cause s Actions Error detecting readers Reader not supported or read er not correctly connected Check the connection of the smart card reader Check that the smart card reader is supported Failed connecting with card The Smart card resource manager is not running No smart card is inserted in the smart card reader The smart card is not correctly inserted Ins...

Page 181: ...XX Type Intermediate or ROOT 2 Check whether you find those cer tificates XXXXXXXXX in your browser then export each certifi cate in your browser 3 Configure in Océ Express WebT ools the trusted certificates you just exported see section Config ure the smart card settings in top ic Configure the Smart card au thentication Revocation status Server is off line The revocation server is re quired but ...

Page 182: ...lica or Mifare may work The Type of contactless card setting in Océ Express WebTools Security Configuration User access configuration has no influence in this case Additional information Contact your Canon representative in case you want to use a contactless card or a contactless card reader which is not recorded in the above lists Plug the contactless card reader into the USB port contact your lo...

Page 183: ...t set the advanced settings Suffix for the User Principal Name UPN if there is a custom suffix select Custom and enter it if there are several suffixes in the same domain create as many domains as suffixes Locate LDAP server enter the LDAP server name Fully Qualified Domain Name or IP address and port number if not automatically retrieved by the DNS server LDAP attribute to display on the user pan...

Page 184: ...qualified name of the job owner setting The user then sees only the jobs that have been submitted with this FQDN The type of the contactless card Felica or Mifare or both Validate the contactless card configuration When to do After you configured the authentication by contactless card validate it Procedure 1 Below the User access mode section click Validate the configuration of the user access mod...

Page 185: ...d configuration on page 184 Find below the list of possible causes of errors that can occur during the validation of the contactless card configuration Authentication by contactless card errors A red cross in the report indicates an error For error messages with possible causes and actions to solve the error see Error message attach ed to the red cross Possible cause s Actions Domain not correctly...

Page 186: ...or rect In Océ Express WebTools check the LDAP search base in Security Domains Advanced If a red cross is not reported with the Validate configuration tool but there is an error during authentication with the card please check If the PIN code is correct but authentication fails check that the LDAP attribute for card ID is correctly set in the domain created this may occur in case PIN code setting ...

Page 187: ...er enter the URL or IP address of the printer to open Océ Express WebTools 2 Open the Security Configuration page Log in as a system administrator if requested 3 In the User access mode section select User name and password as the User authentication 4 The restart is required Select Restart now When User access mode is set to Smart card or User name and password the system must be restarted to gua...

Page 188: ... on another attribute LDAP search base by default the complete LDAP database defaultNamingContext attribute In case of several LDAP databases it can be worthwhile for performance improvement to indicate another LDAP search base Custom LDAP search base LDAP attribute for Home folder by default the Home directory for product with the Scan to Home folder feature 7 Repeat the creation operation for ev...

Page 189: ...ob sent by all user1 users if several When logged in on the printer user1 will have access to all jobs submitted by user1 mydomain com user1 user1 anydomain net Validate the configuration When to do After you configured the authentication by user name and password validate it Procedure 1 Below the User access mode section click Validate the configuration 2 Select the domain name 3 Enter a valid us...

Page 190: ...name and the password After authentication the name of the user is displayed in the top menu Troubleshooting Introduction When an error occurs during the process of authentication by user name and password go to the Security Configuration page and Validate the configuration on page 336 Find below the list of possible causes of errors that can occur during the validation of the configuration Authen...

Page 191: ... correct Check the user name and pass word Check the Fully Qualified Domain Name FQDN Authenticating user xxx A local error has occur red Additional test Authenticate on the user panel If the authentica tion fails and a Invalid creden tials message is displayed then The date and or time set in the system is not correct In Océ Express WebTools correct the Current date and time in Preferences System...

Page 192: ... the smart card from the smart card reader NOTE The session is automatically closed when the time out occurs even if the smart card is still in the card reader Pull the card out of the reader and insert it again to start a new session Log out after an authentication by contactless card On the system user panel tap on the user name icon Confirm the log out Special cases a time out pause or error oc...

Page 193: ...put on hold It is recommended to increase the user session time out The processing time for a batch of jobs is longer than the session time out The time out occurs before all the jobs are processed At least one job is printing The user is automatically logged out Only the jobs in Ready to print and Printing statuses are printed All the jobs that have another status for example Processing are put o...

Page 194: ...must solve the issue and then must log in to resume the queue A Media request occurs The following combination of settings applies Media request time out Action after media re quest time out When the media is loaded the job restarts and is printed When the time out occurs before the media is loaded this job is put on hold The user must load the media and then must log in to resume the queue Specia...

Page 195: ...name and the domain of the user logged in on the workstation are used to submit the job including the domain when detected If needed log in on the workstation with the relevant user name on the relevant domain example user1 on domain domain com For a job submitted with the WPD2 driver the user account name displayed in WPD2 in the top right part of the window is used Change it if needed example us...

Page 196: ...e user access mode is enabled and you cannot access Express WebTools you can disable it on the system panel Disable the user authentication on the printer user panel Procedure 1 On the user panel tap the upper right corner to display the menu 2 Select Security 3 Enter the System administrator password The current security configuration is displayed 4 Tap Next to go on and disable a feature 5 Selec...

Page 197: ...7 Restart the system Result The user authentication is disabled Disable the user authentication Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 197 ...

Page 198: ...m recommended On a running system which has already processed data 2 encryption modes There are 2 encryption modes Encryption mode Scope Duration Remarks Normal The Normal encryption encrypts the used disk space only It is recommended for new systems at installation time when no print scan data has been processed on the disk around 30 minutes Full The Full encryption encrypts the en tire disk It i...

Page 199: ... the system is given back At the system s end of life before it is recycled To purge the system from the system user panel 1 In the system settings select Security 2 In the Current Security Configuration window check the encryption mode and tap Next the Next button is displayed only when an encryption mode is active 3 In the list of actions select Purge the System and tap Next 4 A message Purging ...

Page 200: ...ly or not When it is automatically deleted after a time out the end of the job lifetime in the Smart Inbox is reached Keep completed jobs in the Smart Inbox is enabled with Expiration time out for Smart Inbox and Expiration time out for Smart Inbox copy and scan jobs set in the job management settings of the Océ Express WebTools When a Clear system is performed on the printer user panel When a Cle...

Page 201: ...g the e shredding 4 Go to the In case of errors settings 5 Check the Save received jobdata for Service setting is disabled 6 On the printer user panel make a Clear system Enable the e shredding Procedure 1 In Océ Express Webtools open the Security Configuration page and select the E shredding section 2 Click Edit 3 Check E shredding feature to enable it 4 Select the algorithm 5 When you select Cus...

Page 202: ... the E shredding feedback returns busy In the Océ Express WebTools window roll the mouse over the e shredding icon to display the E shredding busy status Once the e shredding data process is complete the status comes back to E shredding ready in the Océ Express WebTools roll over the icon Enable the e shredding in Océ Express WebTools 202 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave...

Page 203: ...irst e shredding pass is performed immediately after the job is deleted Subsequent passes are performed in background When you disable the e shredding When you disable the e shredding the system Terminates the e shredding process for files which are being e shredded Will not e shred the new deleted files Make sure all the scan copy print jobs are completely e shredded Once a batch of scan copy pri...

Page 204: ... enabled IPsec disabled Access control enabled IP filtering Encryption are acti vated Only the stations configured with IPsec can connect to the system No other stations can communicate with the print scan system The system can communicate only with the IPsec stations Communication and data are encrypted IP filtering is activated no en cryption Only the stations configured for Access control in Ex...

Page 205: ...igure the parameters for each required station The parameters can be different for each different workstation the IP address the preshared key keep the generic default one or set a custom one You can define a default preshared key that will be used for all the IPsec stations connected to the print scan system NOTE The following IPsec parameters cannot be changed IKE Diffie Hellman group 2 then 1 I...

Page 206: ...Access control behaviour on page 118 5 Enable IPsec station 1 Tip When you enable Access control it is recommended to declare the workstation from which you remotely configure the system at least during the configuration time IPsec is not needed 6 Enter the IPsec preshared key or keep it empty to use the default preshared key The IPsec default preshared key setting is available at the bottom of th...

Page 207: ...oller Result The IPsec settings are configured on the controller for a connection to a workstation Configure the IPsec settings in the Océ controller Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 207 ...

Page 208: ...actions and security negotiation on page 126 5 Define the security rule on page 127 6 Assign the security policy on page 129 7 Customize the IPsec settings on page 130 NOTE The procedure below shows the configuration steps on Windows server 2008 for an Océ ColorWave 300 system The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 and for other O...

Page 209: ...k Finish The security snap in is added click OK Create the security policy Procedure 1 In the console right click on IP Security Policies on local Computer and select Create IP Security Policy 2 Click Next to open the wizard Create the security policy Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 209 ...

Page 210: ...5 Uncheck Edit properties and click Finish Create the filter list Procedure 1 In the console right click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions Create the filter list 210 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 ...

Page 211: ...en the wizard 5 Check the Mirrored checkbox and click Next 6 Select My IP address as the Source address and click Next 7 Select A specific IP address or subnet as Destination address and enter the IP address of the controller Create the filter list Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 211 ...

Page 212: ... is set Define the filter actions and security negotiation Procedure 1 Open the Manage Filter Actions tab and click Add to open the wizard 2 Click Next 3 Give a name to the filter actions and click Next Define the filter actions and security negotiation 212 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 ...

Page 213: ...7 Configure the settings as below Data and address integrity without encryption AH setting is not mandatory 8 Click OK and Next then Finish Define the security rule Procedure 1 In the console right click on the IP security policy just created and select Properties to open the wizard On Windows 7 a new window opens check that Use Add Wizard is checked then click on Add Define the security rule Chap...

Page 214: ...s the Network type select All network connections and click Next 5 Select the filter previously created then click Next 6 Select the filter action previously created then click Next Define the security rule 214 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 ...

Page 215: ... in the Océ controller on page 120 then click Next 9 Click Finish 10 Click OK to validate the Security rule Assign the security policy Procedure 1 In the console right click on the security policy just created and select Assign The configuration is activated on the IPsec station workstation Assign the security policy Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 215 ...

Page 216: ...wall Advanced settings to open the Windows Firewall with Advanced Security window 2 In the Actions section on the right hand side click on Windows Firewall with Advanced Security on Local Computer to expand the menu 3 Select Properties 4 In the IPsec Settings tab click on the Customize button of the IPsec defaults Customize the IPsec settings 216 Chapter 4 Security on Océ PlotWave 345 365 and Océ ...

Page 217: ...0 and OcéColorWave 500 550 650 650R3 700 Remove your workstation from the IPsec Access control configuration when it must not remain in the list of connected stations For all other printers When the test works properly it is recommended to disable the Failsafe mode on the printer scanner controller So only the IPsec station is allowed to communicate with the printer scanner system Customize the IP...

Page 218: ...achable Then use the emergency procedure to disable IPsec and Access control via the printer user panel Disable Access control on the printer user panel Procedure 1 On the user panel tap the upper right corner to display the menu 2 Select Security 3 Enter the System administrator or Power user password 4 A wizard is displayed Follow the instructions 5 Confirm to disable access control Troubleshoot...

Page 219: ...ntrol and IPsec functions are disabled After the restart you will be able to remotely open Océ Express WebTools from any workstation HTTP Troubleshooting Disable Access control and IPsec Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 219 ...

Page 220: ...the configuration settings accessed through Océ Express WebTools between the client and the controller It can be easily used This self signed certificate has not been signed by a Certification Authority consequently the web browser will display a Certificate Error message the first time you use the HTTPS protocol The CA signed certificate is delivered by a Certification Authority To ensure a fully...

Page 221: ...ority The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar 2 In order to view and check the self signed certificate continue to the website 3 Click on Certificate error 4 Click View certificates 5 The certificate is issued to OcéExpress WebTools by Océ Express WebTools 6 Click Install Certificate 7 Follow the Wizard s instructions to imp...

Page 222: ...2 Accept the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer 222 Chapter 4 Security on Océ PlotWave 345 365 and Océ PlotWave 450 550 ...

Page 223: ... Océ self signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is not...

Page 224: ...nit OU WFPS 6 The certificate is issued to OcéExpress WebTools by Océ Express WebTools so you can confirm the security exception permanent or temporary exception 7 A security warning window may pop up Click Yes to continue Result The Océ Express WebTools software opens You can check in the status bar at the bottom of the window that the padlock is displayed In the navigation bar the Océ certificat...

Page 225: ...till using HTTPS follow these 2 procedures step by step Overall procedure to prepare and generate the CA signed certificate request Step Description A1 Back up the current certificate and private key if any The current certificate can be the original Océ self signed certificate embedded a CA signed certificate delivered by a Certification Authority you previously installed See Back up a certificat...

Page 226: ...ser on each workstation See Check and import the root certificate on page 229 B5 Back up the certificate and pri vate key Back up and store the certificate and the private key Note It is highly recommended to back up the CA sign ed certificate and the private key since they are not saved in any system backup See Back up a certificate and private key on page 226 Other procedures Procedure When to d...

Page 227: ...ficate Pre requisites Back up the current Certificate and Private key already installed on the controller see Back up a certificate and private key on page 226 Generate a certificate request NOTE Step A2 of the HTTPS Description of the overall procedure on page 225 Procedure 1 In a web browser open Océ Express WebTools https IP address or hostname 2 On the Security HTTPS select Generate a certific...

Page 228: ...sr by default 2 Send the content of this request to the Certification Authority Import a CA signed certificate into the controller and workstations Introduction overall procedure 1 Import the CA signed certificate into the controller Import the Root certificate Import the Intermediate certificate Import the CA certificate 2 Import the Root certificate into the workstations web browser Import the R...

Page 229: ...uccessfully imported pops up restart the controller Result Result The certificate is now installed on the server Check and import if needed the CA Root certificate also into the workstations web browser That will secure the complete data workflow between the workstations and the server Check and import the Root certificate into the workstations browser When to do NOTE Step B4 of the HTTPS Descript...

Page 230: ...e original self signed certificate that requests a preliminary back up of the original self signed certificate See Back up a certificate and private key on page 226 Each Reset certificate action generates a new self signed certificate with a new private and public key So each time you reset the certificate you must import the new certificate into the web browser Reset the certificate Procedure 1 I...

Page 231: ...alues are correct in Océ Express WebTools Configuration System defaults Refer to Configure the user authentication by user name and password on page 334 for the detailed procedure It is recommended that the System Administrator validates this new configuration by clicking Validate this configuration in Security Configuration see Validate the configuration on page 336 Scan to the Home folder There ...

Page 232: ...bleshooting When an error occurs during the process of authentication by user name and password follow the procedures below to test and troubleshoot Use the validation tool to validate the configuration See Validate the configuration on page 189 Apply the corrective actions when needed SeeTroubleshooting on page 190 In case the home folder is not accessible Use the validation tool and check in the...

Page 233: ...guration External locations page 3 Log in as a System administrator or Power user 4 Edit the USB type 5 In the Enabled functionalities drop down list select None to disable print from and scan to capabilities Print from only to enable to print from USB and disable Scan to USB capability Scan to only to enable to scan to USB and disable Print from USB capability Note Select Print from and scan to t...

Page 234: ...ne is selected the job submission capability through Océ Express WebTools is completely deactivated The remote actions on submitted jobs to the Key operator or Power user Perform job actions in the print queue When set to Login needed only the Key oper ator or Power user can remotely delete or move a submitted job The display of Smart Inboxes in Océ Express WebTools When enabled all users of Océ E...

Page 235: ...Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 236: ...650 Oce ColorWave 550 offer the following security features Security overview Operating System Linux for Océ ColorWave 550 Océ ColorWave 600 Poster Printer and Océ ColorWave 650 Poster Printer Linux and WES 2009 for Océ ColorWave 650 multifunctional printer and scanner and Océ ColorWave 550 multifunctional printer and scanner Firewall Yes Network protocols protection Yes per protocol through firew...

Page 237: ...inter for Océ ColorWave 550 R2 3 1 and higher Océ ColorWave 650 R2 3 1 and higher see al so Security on Océ ColorWave 650 R3 x on page 268 Océ ColorWave 650 PP v2 3 1 and higher Security overview for the Océ ColorWave 600 650 Poster Printer and the Océ ColorWave 550 systems Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 237 ...

Page 238: ...ublisher Express TCP 80 HTTP Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 515 LPR 3 TCP 4242 FTP passive mode for data channel in FTP pas sive mode ICMP ping UDP 515 Océ protocol for Printer Discovery TCP 21 FTP 4 Océ Reprodesk Studio TCP 515 LPR TCP 65200 Océ back chan nel Novell NDPS printing TCP 515 LPR LPR printing TCP 515 ...

Page 239: ...TP passive mode Control management ports and protocols used by the system Application Functionality Port used on the controller protocol Remarks PING ICMP incoming echo request only SNMP based applications UDP 161 SNMP Name resolution Outgoing connection Local port on controller UDP TCP dynamic value Remote port on DNS server UDP TCP 53 Océ Express WebTools TCP 80 HTTP Océ Account Center Ad vanced...

Page 240: ...response back on the IT infrastructure firewall Applications protocols and ports used in the Océ ColorWave 600 Poster Printer Océ ColorWave 650 Poster Printer Océ ColorWave 550 systems 240 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 241: ...d the Océ Security patch from the Océ Downloads website on http downloads oce com Open the product page and go to the Security tab to download the available security patches Procedure 1 Open the Océ Express Webtools 2 Open the Support tab 3 Select Update The Authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed Se...

Page 242: ...perating system patches section to open the wizard 6 Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch 242 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 243: ...etwork protocols Protocols Available Protection FTP Yes Can be disabled SNMP Yes Can be disabled LPR Yes Can be disabled Backchannel Always Enabled Océ proprietary protocol HTTP No always Enabled ICMP No always Enabled DNS No always Enabled To disable a network protocol go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol Protocol protection Chapter 5 S...

Page 244: ...ess WebT ools section Action Detail 1 Support Remote Serv ice Remote assistance Stop the Remote assistance if it is activated Click Stop remote assis tance until it changes into Allow remote assistance The two blinking arrows on the right side disap pear 2 Preferences System Properties Service Disable Remote Service connection Set Océ Remote Services connection enabled to Disabled 3 Configuration ...

Page 245: ...sabled and no operation on the controller can execute a programme on the USB device Propagating on network any infected file present on the USB device plugged on the USB port is not possible Read from USB device protection The USB READ operation is protected when printing from the USB device Any print file infected by a virus will never compromise controller s software integrity Disable the USB fe...

Page 246: ...fied except when using the Océ procedures for update Any exploit of the security vulnerability can only affect temporary files A reboot of the system brings it back to the original genuine one Windows Embedded Standard 2009 OS and software protection An additional Operating system is used for scanning on the Océ ColorWave 650 multifunctional printer and scanner and Océ ColorWave 550 multifunctiona...

Page 247: ...orWave 600 Poster Printer Océ ColorWave 650 Poster Printer Océ ColorWave 550 systems Introduction There are 2 groups of passwords The passwords used in Océ Express WebTools The passwords used in the Printer Operator Panel Passwords used in Océ Express WebTools In Océ Express WebTools the passwords protect the roles Password modification table for Océ ColorWave 600 Océ ColorWave 650 and Océ ColorWa...

Page 248: ...e Power user The passwords are restored only when the System administrator or the Power user makes the Open Set operation When a password has been stored with Auto value it is restored with the No password value Password backup restore policy with the Export templates Import templates features During the Export templates operation the passwords for any ScanToFile remote user name are stored encryp...

Page 249: ...Océ ColorWave printers on page 253 You can enable Access control in Océ Express WebTools You can disable it in Océ Express WebTools or via the printer user panel NOTE In case DHCP and DNS servers are used Add the DHCP server in the list of the Access control stations Otherwise the DHCP protocol is disabled you can disable the DHCP settings in the Configuration Connectivity settings and configure t...

Page 250: ... Inbox system setting is disabled in the Océ Express Webtools After a ScanToFile to remote destination has been successfully performed When it is automatically deleted after a timeout the end of the job lifetime in the Smart Inbox is reached Keep completed jobs in the Smart Inbox is enabled with Expiration time out for Smart Inbox set in the job management settings of the Océ Express Webtools When...

Page 251: ...enter the system URL http hostname to open the Océ Express WebTools 2 Open the Configuration Connectivity page and select the E shredding section 3 Click Edit 4 Check E shredding feature to enable it 5 Select the algorithm When you select Custom you must set the number of passes On Océ ColorWave 650 PP 550 click on the value of E shredding custom number of passes to set the number of passes 5 Set ...

Page 252: ... Smart Inbox After an automatic deletion of the print or scan jobs by the system timeout disabled Smart Inbox cleanup When you disable the e shredding When you disable the e shredding the system Terminates the e shredding process for files which are being e shredded Will not e shred the new deleted files Make sure a file is completely e shredded e shredding enabled Perform the following actions to...

Page 253: ...ion below The printer copier system is physically connected to the network but communicates only with a dedicated station a print server or scan server for example The print server receives the print request from the workstations via IP on the network The print server send the print requests to the printer copier system via IPsec The workstations cannot communicate directly with the printer copier...

Page 254: ...one or set a custom one You can define a default preshared key that will be used for all the stations connected by IPsec to the printer scanner system Configure the IPsec settings in the Océ controller Before you begin You must be logged as a System Administrator or a Power user DHCP must be disabled Activate and configure IPsec in the printer scanner controller Procedure 1 Open a web browser and ...

Page 255: ...e following special characters _ NOTE Write it down This preshared key will be required during the IPsec configuration on the workstation 9 Restart the controller Result The IPsec settings are configured on the controller for a connection to a workstation which can be a print server Configure the IPsec settings on a workstation or a print server When to do After the IPsec configuration on the cont...

Page 256: ...icy on page 263 NOTE The procedure below shows the configuration steps on Windows server 2008 The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 Add the security snap in Procedure 1 In the Start Run window enter mmc to open the management console 2 In the top menu select File Add Remove Snap in 3 Select IP Security Policy Management and click...

Page 257: ...click on IP Security Policies on local Computer and select Create IP Security Policy 2 Click Next to open the wizard 3 Enter the name for the policy and click Next Create the security policy Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 257 ...

Page 258: ...ate the filter list Procedure 1 In the console right click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions 2 In the Manage IP filter lists tab click Add Create the filter list 258 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 259: ... Source address and click Next 7 Select A specific IP address or subnet as Destination address and enter the IP address of the controller 8 Select Any as the IP Protocol Type and click Next 9 Click Finish 10 In the IP filter list window click OK The filter list is set Create the filter list Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 259 ...

Page 260: ...ure 1 Open the Manage Filter Actions tab and click Add to open the wizard 2 Click Next 3 Give a name to the filter actions and click Next Define the filter actions and security negotiation 260 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 261: ...d click on the Settings button 7 Configure the settings as below 8 Click OK and Next then Finish Define the security rule Procedure 1 In the console right click on the IP security policy just created and select Properties to open the wizard On Windows 7 a new window opens check that Use Add Wizard is checked then click on Add 2 Click Next Define the security rule Chapter 5 Security on Océ ColorWav...

Page 262: ...Network type select All network connections and click Next 5 Select the filter previously created then click Next 6 Select the filter action previously created then click Next Define the security rule 262 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 263: ...s on the Océ controller on page 42 then click Next 9 Click Finish 10 Click OK to validate the Security rule Assign the security policy Procedure 1 In the console right click on the security policy just created and select Assign The configuration is activated on the IPsec station workstation Assign the security policy Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 263 ...

Page 264: ...bled and activated on the printer scanner controller of Océ ColorWave 650 550 v2 3 1 and higher and The communication between the controller and the host stations fails You cannot open remotely Océ Express WebTools to change the settings The system is unreachable Then you can use the emergency procedure to disable Access control Via the printer user panel on the printer scanner system Disable Acce...

Page 265: ...as also activated on the controller it is also disabled with this operation After the restart you will be able to open Océ Express WebTools remotely from a workstation HTTP Troubleshooting Disable Access control and IPsec Océ ColorWave 650 550 systems Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 265 ...

Page 266: ...a web browser and enter the system URL http hostname to open the Océ Express WebTools 2 Open the Preferences System properties page and select the Printer properties section 3 Go to the USB direct print setting 4 Click on the value to open the USB direct print window 5 Log in as a Key Operator or Power User 6 Select Disabled and Ok How to prevent Print from USB on Océ ColorWave 550 650 and PP 266 ...

Page 267: ...le The remote view of the Smart Inboxes The display of the Smart Inboxes on the printer panel The storage of the job data in the Smart Inboxes Set the job management settings The Job management settings are available on the Preferences System properties tab Configure the job management settings to manage the visibility of jobs and their availability in Océ Express WebTools or in the printer operat...

Page 268: ... or IPV6 IPV4 combination Data overwrite E shredding Data encryption on the network IPsec HTTPS for administration Océ Express WebTools and for job submission through Océ Publisher Express Password protection Yes for User settings Administration settings Settings on the printer user panel Access control IP filtering SMB authentication NTLMV2 or NTLMV1 can be set in Océ Express WebT ools Smart Inbo...

Page 269: ... TCP 515 LPR Océ Publisher Express TCP 80 HTTP TCP 443 HTTPS Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 21 FTP TCP 4242 FTP passive mode for data channel in FTP pas sive mode ICMP ping UDP 515 Océ protocol for Printer Discovery Océ Reprodesk Studio TCP 515 LPR TCP 65200 Océ back channel OCI Novell NDPS printing TCP 515 LPR LP...

Page 270: ...FTP passive mode only FTP active mode not supported Control management with Océ ColorWave 650 R3 x0 INBOUND and OUTBOUND ports and protocols used by the system Application Functionality INBOUND ports on the con troller protocol OUTBOUND ports from the controller protocol PING IPv4 ICMPv4 PING IPv6 ICMPv6 nslookup UDP local port any UDP remote port 53 SNMP based applications UDP 161 SNMP Name resol...

Page 271: ...500 Notes 1 When there is a proxy Additional built in Windows 7 firewall rules Inbound rules Core Networking Dynamic Host Configuration Protocol DHCP In Core Networking Dynamic Host Configuration Protocol for IPv6 DHCPV6 In Outbound rules Core Networking DNS UDP Out Core Networking Dynamic Host Configuration Protocol DHCP Out Core Networking Dynamic Host Configuration Protocol for IPv6 DHCPV6 Out ...

Page 272: ...ity tab to download the available security patches Install a patch Procedure 1 Open Océ Express WebTools 2 Open the Support tab 3 Select Update The Authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed 5 Click on the Install icon top right corner of the Operating system patches section to open the wizard Security ...

Page 273: ... Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 273 ...

Page 274: ...ing Océ WAVE interface HTTP Enable Disable Used for Océ back channel for WPD2 Account Center Account dialog upload interface HTTP Enable Disable When both this Account dialog interface AND Océ WAVE interface are disa bled any interaction with Océ Account Center is disa bled Web Services for De vices WSD HTTP Enable Disable For WSD device discovery OCI interfaces Océ propri etary interfa ces Enable...

Page 275: ...es Allow interaction with Océ Publisher Select Océ Express Web Tools via HTTP Inbound HTTP is totally disabled when ALL afore mentioned network serv ices are disabled HTTPS HTTPS Always Enabled Cannot be disabled Note To disable a network protocol or network service go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol or service Network protocols protec...

Page 276: ...ess WebT ools section Action Detail 1 Support Remote Serv ice Remote assistance Stop the Remote assistance if it is activated Click Stop remote assis tance until it changes into Allow remote assistance The two blinking arrows on the right side disap pear 2 Preferences System Properties Service Disable Remote Service connection Set Océ Remote Services connection enabled to Disabled 3 Configuration ...

Page 277: ...sabled and no operation on the controller can execute a programme on the USB device Propagating on network any infected file present on the USB device plugged on the USB port is not possible Read from USB device protection The USB READ operation is protected when printing from the USB device Any print file infected by a virus will never compromise controller s software integrity Disable the USB fe...

Page 278: ...se Edition ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus 278 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 279: ...llow automatic update of embedded Service documentation Each of these permissions can be disabled in the Permissions for Service section of the Security Configuration page in Océ Express WebTools The System administrator and the Power user control also the connection via a Remote Desktop Protocol needed by a Service technician to install a third party application on the system an antivirus for ins...

Page 280: ...network settings and the Proxy authentication password are stored encrypted into the backup set made with the Save Set feature of Océ Express WebTools The roles passwords are not stored in the backup set NOTE When a password is configured as No password the information Auto meaning No password is stored in the backup file It is not encrypted The passwords are stored in the backup file whatever the...

Page 281: ... the communication from this host to the system needs to be encrypted by IPsec see IPsec presentation on page 284 You enable Access control in Océ Express WebTools You can disable it in Océ Express WebTools or via the printer user panel NOTE In case DHCP and DNS servers are used Add the DHCP server in the list of the Access control stations Otherwise the DHCP protocol is disabled you can disable t...

Page 282: ...ion removal of external locations Changes of passwords used to protect security related settings Key operator System administrator Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin account firewall port Smart Inbox enable disable Allow Service Technicia...

Page 283: ...ed successfully or not When it is automatically deleted after a time out the end of the job lifetime in the Smart Inbox is reached Keep completed jobs in the Smart Inbox is enabled with Expiration time out for Smart Inbox and Expiration time out for Smart Inbox copy and scan jobs set in the job management settings of the Océ Express WebTools When a Clear system is performed on the printer user pan...

Page 284: ...c enabled IPsec disabled Access control enabled IP filtering Encryption are acti vated Only the stations configured with IPsec can connect to the system No other stations can communicate with the print scan system The system can communicate only with the IPsec stations Communication and data are encrypted IP filtering is activated no en cryption Only the stations configured for Access control in E...

Page 285: ...et a custom one You can define a default preshared key that will be used for all the IPsec stations connected to the print scan system NOTE The following IPsec parameters cannot be changed IKE Diffie Hellman group 2 then 1 IKE SA lifetime 28800 s IKE security method 3DES then MD5 IKE hash SHA1 then MD5 ESP encryption 3DESthen DES ESP hash SHA1 then MD5 then None AH hash SHA1 the MD5 Encapsulation ...

Page 286: ...y MS character NOTE Write down this preshared key It will be required during the IPsec configuration on the workstation 7 Click OK Note The settings are applied as soon as OK is validated and before the restart You may lose the remote connection to the system when your workstation is not part of the configured stations 8 Restart the controller Result The IPsec settings are configured on the contro...

Page 287: ...indows XP Windows Vista Windows 7 and for other Océ printers Troubleshooting Disable Access control and IPsec Océ ColorWave 650 550 systems Introduction In the following case Access control is enabled and activated on the printer scanner controller of Océ ColorWave 650 550 v2 3 1 and higher and The communication between the controller and the host stations fails You cannot open remotely Océ Expres...

Page 288: ... to disable access control 5 Press Finish 6 Restart the controller Result Access control is disabled If IPsec was also activated on the controller it is also disabled with this operation Troubleshooting Disable Access control and IPsec Océ ColorWave 650 550 systems 288 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 289: ...will be able to open Océ Express WebTools remotely from a workstation HTTP Troubleshooting Disable Access control and IPsec Océ ColorWave 650 550 systems Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer 289 ...

Page 290: ...rint data sent through Publisher Express and of the configuration settings accessed through Océ Express WebTools between the client and the controller It can be easily used This self signed certificate has not been signed by a Certification Authority consequently the web browser will display a Certificate Error message the first time you use the HTTPS protocol The CA signed certificate is delivere...

Page 291: ...ed by a trusted certificate authority The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar 2 In order to view and check the self signed certificate continue to the website 3 Click on Certificate error 4 Click View certificates 5 The certificate is issued to OcéExpress WebTools by Océ Express WebTools 6 Click Install Certificate 7 Follow ...

Page 292: ...2 Accept the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer 292 Chapter 5 Security on Océ ColorWave 550 600 650 and Poster Printer ...

Page 293: ...r Océ self signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is no...

Page 294: ...tom of the window that the padlock is displayed In the navigation bar the Océ certificate is registered as an exception The identity of the remote controller and the encryption of the data on the network are secured Request and import a CA signed certificate Description of the overall procedure to request and import a CA signed certificate Introduction By default the first certificate delivered fo...

Page 295: ...page 141 A3 Save the content of the certifi cate request Send this content to the Certification Authority to re quest a CA signed certificate The Certification Authority will check the request and re ply If the request is valid go to step A4 if the request is not valid make a new request A2 ac cording to the remarks corrections suggested by the CA request feedback A4 Restart the controller A5 Back...

Page 296: ...e It is highly recommended to back up the CA sign ed certificate and the private key since they are not saved in any system backup See Back up a certificate and a private key on page 140 Other procedures Procedure When to do Restore a certificate and a private key You can restore the certificate and the private key at any moment in case of need See Restore a certificate and a private key on page 1...

Page 297: ...a web browser and enter the system URL http hostname to open the Océ Express WebTools 2 Open the Preferences System properties page and select the Printer properties section 3 Go to the USB direct print setting 4 Click on the value to open the USB direct print window 5 Log in as a Key Operator or Power User 6 Select Disabled and Ok How to prevent Print from USB on Océ ColorWave 550 650 and PP Chap...

Page 298: ...n disabled the job submission capability through Express WebTools is completely de activated The remote actions on jobs to the Operator Restrict remote actions on jobs to the Key Operator When enabled all remote actions on jobs in the queue are restricted to the Key Operator or Power user only The display of Smart Inboxes in Océ Express WebTools When enabled all users of Express WebTools can see t...

Page 299: ...Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 300: ...nd pass word is enabled on Océ ColorWave 500 R4 1 and higher Océ ColorWave 700 R4 1 and higher Hard Disk encryption Yes for Océ ColorWave 500 R4 1 and higher Océ ColorWave 700 R4 1 and higher 2 modes are available Full disk encryption Normal encryption IPv6 Yes IPV6 only or in combination with IPv4 Access control IP filtering Data overwrite E shredding Data encryption on the network IPsec HTTPS fo...

Page 301: ...trol over Service operations Operations made by Service under the control of the System Administrator on Océ ColorWave 500 R4 1 and higher Océ ColorWave 700 R4 1 and higher Security overview for the Océ ColorWave 500 and ColorWave 700 systems Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 301 ...

Page 302: ... Publisher Express TCP 80 HTTP TCP 443 HTTPS Publisher Select Publisher Select 2 TCP 80 HTTP UDP 515 Océ protocol for Printer Discovery Océ Publisher Mobile TCP 515 LPR 1 TCP 4242 FTP passive mode for data channel in FTP pas sive mode ICMP ping UDP 515 Océ protocol for Printer Discovery TCP 21 FTP 2 Océ Reprodesk Studio TCP 515 LPR TCP 80 Océ back channel WAVE Novell NDPS printing TCP 515 LPR LPR ...

Page 303: ...UND and OUTBOUND ports and protocols used by the system Application Functionality INBOUND ports on the con troller protocol OUTBOUND ports from the controller protocol Scan to File SMB TCP 139 445 UDP 137 138 445 Scan to File FTP FTP command 1 Local TCP any Remote TCP 21 FTP Data 1 Local TCP any Remote TCP any Scan to File Cloud WebDAV TCP 80 HTTP TCP 443 HTTPS TCP web proxy port 2 TCP WebDAV port...

Page 304: ...ser authentication by user name and password TCP 88 UDP 88 Kerberos TCP 389 UDP 389 LDAP User authentication by smart card TCP 80 OCSP TCP 80 HTTP or TCP 443 HTTPS Océ Meter Manager UDP 161 SNMP Océ back channel TCP 65200 for OCI back chan nel Océ Remote Service TCP 443 HTTPS TCP web proxy port 1 NetBios over TCP IP UDP 137 TCP 139 445 UDP 138 WSD TCP 80 HTTP UDP 3702 for WSD discovery TCP 5357 fo...

Page 305: ...Core Networking DNS UDP Out Core Networking Dynamic Host Configuration Protocol DHCP Out Core Networking Dynamic Host Configuration Protocol for IPv6 DHCPV6 Out Core Networking IPv6 IPv6 Out Applications protocols and ports Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 305 ...

Page 306: ...curity tab to download the available security patches Install a patch Procedure 1 Open Océ Express WebTools 2 Open the Support tab 3 Select Update The Authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed 5 Click on the Install icon top right corner of the Operating system patches section to open the wizard Securi...

Page 307: ...6 Click OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 307 ...

Page 308: ...e Disable For LPR printing Océ WAVE interface HTTP Enable Disable Used for Océ back channel for WPD2 Account Center Reprodesk Web Services on De vices WSD HTTP Enable Disable For WSD device discovery OCI interfaces Océ propri etary interfa ces Enable Disable Allow interaction with Océ Publisher Select HTTP Enable Disable Used only for Océ Publish er Select backchannel Océ Express WebT ools via HTT...

Page 309: ...enta tion HTTP HTTPS Enable Disable Outbound connection Océ Online Services connection enabled or Remote Service con nection HTTPS Enable Disable Outbound connection used by Remote Service Note To disable a network protocol or network service go to the Configuration Connectivity section of the Océ Express WebTools and uncheck the protocol or service To disable the connection to Remote Service Océ ...

Page 310: ...ble Online Services or Remote Service Set Océ Online Services con nection enabled or Remote Service connection to Disa bled 3 Configuration Con nectivity Other net work interfaces Disable the automatic update of the embedded Service information Set Allow automatic update of Océ service information or Allow automatic update of embedded Service docu mentation to Disabled 4 Configuration Exter nal lo...

Page 311: ...ile infected by a virus appears as an invalid backup file The controller software detects it and rejects the restore operation when printing from the USB device Any print file infected by a virus will never compromise controller s software integrity Protection of the USB WRITE operation during the backup of the controller configuration from the Local User Interface The backup is performed by the i...

Page 312: ...prise Edition ePolicy Orchestrator for AntiVirus update Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure NOTE Canon Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers Antivirus 312 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 313: ...Power user control the following Service operations Allow Service technician to reset passwords Allow software reinstallation from USB Allow an update or patch installation by Service Allow Service to access licenses information Allow automatic update of embedded Service documentation Each of these permissions can be disabled in the Permissions for Service section of the Security Configuration pag...

Page 314: ...stem update The following settings and functions are protected by the Key operator or Power user password on the user panel The printer calibration Clear system The Install additional hardware function The scanner calibration The media calibration The roll to roll option NOTE Keep this password The reset of this password may require the intervention of a Service technician Passwords modification P...

Page 315: ...rtExternalLocationTemplates xml included in the file exportExternalLocationTemplates zip The Import templates operation restores the passwords Temporary password for the installation of 3rd party application To install a 3rd party application in the controller system a Canon representative generates a temporary administrative password for the Windows Administrative account This password is valid f...

Page 316: ...ngs manually Add the DNS server in the list of the Access control stations Otherwise the DNS protocol is disabled you can configure the path of the external locations with the IP address instead of a hostname Use the access restriction to limit the access to the printer Enable Access control and set the list of IP addresses of the computers hosts that will be able to communicate with the printer T...

Page 317: ...trator Power user Service User interface password PIN for network settings Timezone E shredding settings Remote service online connection enabled disabled 3rd party software settings remote desktop admin account firewall port Smart Inbox enable disable Allow Service Technician to reset passwords on off Save retrieved job data for service on off HTTPS settings enable disable change of certificate H...

Page 318: ...ess them Copying and scanning operations are accessible only after the user authenticates on the system user panel You cannot retrieve scanned files that are stored locally on the controller User authentication methods One of the two following methods can be used for user authentication User name and password The sser name and password are required on the printer panel This authentication method i...

Page 319: ...PD2 or an ONYX application or a LPR or FTP command 3 The owner of the job logs in on the printer user panel Only the job owner can see the job and print it user authentication is required to unlock the printer panel accessibility 4 The job owner launches the print 5 The job owner collects the printed output The scan and copy workflow The Scan and Copy features are accessible only after the user au...

Page 320: ...art Inbox Keep a copy of copy jobs in the Smart Inbox Keep a copy of local print jobs in the Smart Inbox Key operator actions on jobs In Preferences System defaults Job management Restrict remote actions on jobs to the Key Operator Copy job priority In Preferences System defaults Job management Copy job priority OCI interface In Configuration Connectivity Other network interfaces OCI interfaces Lo...

Page 321: ...n To secure the job data and job ownership on the network during the job submission the job scanning to external locations the use of a secured network IPsec for instance is recommended Impact of the user authentication on the system features and Océ WebTools Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 321 ...

Page 322: ...WPD2 or a job submitter example Océ Publisher Select 2 3 Authentication on the printer The user logs in on the printer either by typing his her user name and password on the printer pan el or by using his her smart card The credentials used on the printer must be the same as the ones used at the job submission time Example user1 belonging to the domain domain com 4 Job management On the bottom rig...

Page 323: ...that the user stays close to the printer until all the jobs are completely printed The jobs in Processing state are not printed if the user logs out before they are in Ready to print status Standard workflow for scan and copy Step Action 1 Logging on the printer The user logs in on the printer either by typing his her user name and password on the printer pan el or by using his her smart card Exam...

Page 324: ...b to an external location The user authentication in the main job submission workflows Introduction There are several ways to submit print jobs to the printer Find below the recommendations for benefiting from the protection by the user authentication in the recommended job submission workflows Job submission with Océ Publisher Select from version 1 17 Job submission from an application with the O...

Page 325: ... on Example user1 on domain domain com 2 Open the applica tion to open the file 3 Open Océ WPD2 Properties to print the job from the appli cation When the WPD2 driver window opens check the user account name of the job in the top right part of the window This user name is going to be sent along with the job Example user1 domain com NOTE If the user account name is not displayed open the Options Ad...

Page 326: ...1 Other submission workflows Job submission by LPR For a file submitted by LPR the system will use the Username tag present in the job ticket of the file if any If there is no job ticket in the file or no Username in the job ticket then the non FQDN user name of the user logged in on the system is used example user1 The LPR command to submit the job is LPR S printer name P printer name x filename ...

Page 327: ...n com NOTE The job owner declared in Publisher Express does not overwrite the Username embedded into the job ticket Job submission with ONYX For a file submitted with ONYX the system uses the non FQDN user name the user has entered to log in on the workstation example user1 To be able to see the files on the user panel the user must log in on the system with the same user name Other submission wor...

Page 328: ...tificates Forced URL of OCSP responder setting The PIN of the card if needed Compatible smart card readers HID Global Corporation OMNIKEY 5x2x products Identive infrastructure formerly SCM Microsystems Inc SCR33x products Gemalto IDBridge products formerly GEMPC GEMPLUS Advanced Card Systems Holdings Limited ACR1281U product contact support only HID Global Corporation OMNIKEY 3x2x products Only fo...

Page 329: ...ode section select Smart card as the User authentication 4 The restart is required Select Restart now When User access mode is set to Smart card or User name and password the system must be restarted to guarantee the data confidentiality of future incoming jobs Do not select Restart later Configure the smart card settings Configure The trusted certificates The user access settings Procedure 1 Open...

Page 330: ...is used for job filtering When this setting is activated the FQDN of the user user name domain is requested when the user logs in on the printer panel Once logged in the user sees only the jobs that have been submitted with the same FQDN Example the user user1 domain com logs in on the printer This user can see only the jobs that have been submitted by user1 domain com When this setting is not act...

Page 331: ...art card on page 180 Authentication on the user panel Introduction Insert the smart card into the card reader The authentication is automatic when the smart card contains a valid user name and no password is needed A login window is displayed when the authentication with the smart card requires a PIN Enter the PIN in the password field A login window is displayed when there is more than one user r...

Page 332: ... message attach ed to the red cross Possible cause s Actions Error detecting readers Reader not supported or read er not correctly connected Check the connection of the smart card reader Check that the smart card reader is supported Failed connecting with card The Smart card resource manager is not running No smart card is inserted in the smart card reader The smart card is not correctly inserted ...

Page 333: ...XXXXX Type Intermediate or ROOT 2 Check whether you find those cer tificates XXXXXXXXX in your browser then export each certifi cate in your browser 3 Configure in Océ Express WebT ools the trusted certificates you just exported see section Config ure the smart card settings in top ic Configure the Smart card au thentication Revocation status Server is off line The revocation server is re quired b...

Page 334: ...owser enter the URL or IP address of the printer to open Océ Express WebTools 2 Open the Security Configuration page Log in as a system administrator if requested 3 In the User access mode section select User name and password as the User authentication 4 The restart is required Select Restart now When User access mode is set to Smart card or User name and password the system must be restarted to ...

Page 335: ...sed on another attribute LDAP search base by default the complete LDAP database defaultNamingContext attribute In case of several LDAP databases it can be worthwhile for performance improvement to indicate another LDAP search base Custom LDAP search base LDAP attribute for Home folder by default the Home directory for product with the Scan to Home folder feature 7 Repeat the creation operation for...

Page 336: ...e job sent by all user1 users if several When logged in on the printer user1 will have access to all jobs submitted by user1 mydomain com user1 user1 anydomain net Validate the configuration When to do After you configured the authentication by user name and password validate it Procedure 1 Below the User access mode section click Validate the configuration 2 Select the domain name 3 Enter a valid...

Page 337: ... the user is displayed in the top menu Troubleshooting Introduction When an error occurs during the process of authentication by user name and password go to the Security Configuration page and Validate the configuration on page 336 Find below the list of possible causes of errors that can occur during the validation of the configuration Authentication by user name password errors in the validatio...

Page 338: ...ully Qualified Domain Name FQDN Authenticating user xxx A local error has occur red Additional test Authenticate on the user panel If the authentica tion fails and a Invalid creden tials message is displayed then The date and or time set in the system is not correct In Océ Express WebTools correct the Current date and time in Preferences System defaults Regional settings Detect search base Failed ...

Page 339: ...ove the smart card from the smart card reader NOTE The session is automatically closed when the time out occurs even if the smart card is still in the card reader Pull the card out of the reader and insert it again to start a new session Log out after an authentication by contactless card On the system user panel tap on the user name icon Confirm the log out Special cases a time out pause or error...

Page 340: ...is put on hold It is recommended to increase the user session time out The processing time for a batch of jobs is longer than the session time out The time out occurs before all the jobs are processed At least one job is printing The user is automatically logged out Only the jobs in Ready to print and Printing statuses are printed All the jobs that have another status for example Processing are pu...

Page 341: ...er must solve the issue and then must log in to resume the queue A Media request occurs The following combination of settings applies Media request time out Action after media re quest time out When the media is loaded the job restarts and is printed When the time out occurs before the media is loaded this job is put on hold The user must load the media and then must log in to resume the queue Spe...

Page 342: ... and the domain of the user logged in on the workstation are used to submit the job including the domain when detected If needed log in on the workstation with the relevant user name on the relevant domain example user1 on domain domain com For a job submitted with the WPD2 driver the user account name displayed in WPD2 in the top right part of the window is used Change it if needed example user1 ...

Page 343: ... the user access mode is enabled and you cannot access Express WebTools you can disable it on the system panel Disable the user authentication on the printer user panel Procedure 1 On the user panel tap the upper right corner to display the menu 2 Select Security 3 Enter the System administrator password The current security configuration is displayed 4 Tap Next to go on and disable a feature 5 Se...

Page 344: ...7 Restart the system Result The user authentication is disabled Disable the user authentication 344 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 345: ...g the installation of a new Océ System recommended On a running system which has already processed data 2 encryption modes There are 2 encryption modes Encryption mode Scope Duration Remarks Normal The Normal encryption encrypts the used disk space only It is recommended for new systems at installation time when no print scan data has been processed on the disk around 30 minutes Full The Full encr...

Page 346: ...ore the system is given back At the system s end of life before it is recycled To purge the system from the system user panel 1 In the system settings select Security 2 In the Current Security Configuration window check the encryption mode and tap Next the Next button is displayed only when an encryption mode is active 3 In the list of actions select Purge the System and tap Next 4 A message Purgi...

Page 347: ...fully or not When it is automatically deleted after a time out the end of the job lifetime in the Smart Inbox is reached Keep completed jobs in the Smart Inbox is enabled with Expiration time out for Smart Inbox and Expiration time out for Smart Inbox copy and scan jobs set in the job management settings of the Océ Express WebTools When a Clear system is performed on the printer user panel When a ...

Page 348: ...ling the e shredding 4 Go to the In case of errors settings 5 Check the Save received jobdata for Service setting is disabled 6 On the printer user panel make a Clear system Enable the e shredding Procedure 1 In Océ Express Webtools open the Security Configuration page and select the E shredding section 2 Click Edit 3 Check E shredding feature to enable it 4 Select the algorithm 5 When you select ...

Page 349: ...ile the E shredding feedback returns busy In the Océ Express WebTools window roll the mouse over the e shredding icon to display the E shredding busy status Once the e shredding data process is complete the status comes back to E shredding ready in the Océ Express WebTools roll over the icon Enable the e shredding in Océ Express WebTools Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 70...

Page 350: ...e first e shredding pass is performed immediately after the job is deleted Subsequent passes are performed in background When you disable the e shredding When you disable the e shredding the system Terminates the e shredding process for files which are being e shredded Will not e shred the new deleted files Make sure all the scan copy print jobs are completely e shredded Once a batch of scan copy ...

Page 351: ...sec enabled IPsec disabled Access control enabled IP filtering Encryption are acti vated Only the stations configured with IPsec can connect to the system No other stations can communicate with the print scan system The system can communicate only with the IPsec stations Communication and data are encrypted IP filtering is activated no en cryption Only the stations configured for Access control in...

Page 352: ...onfigure the parameters for each required station The parameters can be different for each different workstation the IP address the preshared key keep the generic default one or set a custom one You can define a default preshared key that will be used for all the IPsec stations connected to the print scan system NOTE The following IPsec parameters cannot be changed IKE Diffie Hellman group 2 then ...

Page 353: ...nd Access control behaviour on page 118 5 Enable IPsec station 1 Tip When you enable Access control it is recommended to declare the workstation from which you remotely configure the system at least during the configuration time IPsec is not needed 6 Enter the IPsec preshared key or keep it empty to use the default preshared key The IPsec default preshared key setting is available at the bottom of...

Page 354: ...ntroller Result The IPsec settings are configured on the controller for a connection to a workstation Configure the IPsec settings in the Océ controller 354 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 355: ...er actions and security negotiation on page 126 5 Define the security rule on page 127 6 Assign the security policy on page 129 7 Customize the IPsec settings on page 130 NOTE The procedure below shows the configuration steps on Windows server 2008 for an Océ ColorWave 300 system The procedure is similar on other Operating Systems Windows Server 2003 Windows XP Windows Vista Windows 7 and for othe...

Page 356: ...lick Finish The security snap in is added click OK Create the security policy Procedure 1 In the console right click on IP Security Policies on local Computer and select Create IP Security Policy 2 Click Next to open the wizard Create the security policy 356 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 357: ...le 5 Uncheck Edit properties and click Finish Create the filter list Procedure 1 In the console right click on IP Security Policies on local Computer and select Manage IP filter lists and filter actions Create the filter list Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 357 ...

Page 358: ... open the wizard 5 Check the Mirrored checkbox and click Next 6 Select My IP address as the Source address and click Next 7 Select A specific IP address or subnet as Destination address and enter the IP address of the controller Create the filter list 358 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 359: ...ist is set Define the filter actions and security negotiation Procedure 1 Open the Manage Filter Actions tab and click Add to open the wizard 2 Click Next 3 Give a name to the filter actions and click Next Define the filter actions and security negotiation Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 359 ...

Page 360: ...on 7 Configure the settings as below Data and address integrity without encryption AH setting is not mandatory 8 Click OK and Next then Finish Define the security rule Procedure 1 In the console right click on the IP security policy just created and select Properties to open the wizard On Windows 7 a new window opens check that Use Add Wizard is checked then click on Add Define the security rule 3...

Page 361: ...4 As the Network type select All network connections and click Next 5 Select the filter previously created then click Next 6 Select the filter action previously created then click Next Define the security rule Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 361 ...

Page 362: ...ngs in the Océ controller on page 120 then click Next 9 Click Finish 10 Click OK to validate the Security rule Assign the security policy Procedure 1 In the console right click on the security policy just created and select Assign The configuration is activated on the IPsec station workstation Assign the security policy 362 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 363: ...irewall Advanced settings to open the Windows Firewall with Advanced Security window 2 In the Actions section on the right hand side click on Windows Firewall with Advanced Security on Local Computer to expand the menu 3 Select Properties 4 In the IPsec Settings tab click on the Customize button of the IPsec defaults Customize the IPsec settings Chapter 6 Security on Océ ColorWave 500 and Océ Colo...

Page 364: ... 550 and OcéColorWave 500 550 650 650R3 700 Remove your workstation from the IPsec Access control configuration when it must not remain in the list of connected stations For all other printers When the test works properly it is recommended to disable the Failsafe mode on the printer scanner controller So only the IPsec station is allowed to communicate with the printer scanner system Customize the...

Page 365: ...nreachable Then use the emergency procedure to disable IPsec and Access control via the printer user panel Disable Access control on the printer user panel Procedure 1 On the user panel tap the upper right corner to display the menu 2 Select Security 3 Enter the System administrator or Power user password 4 A wizard is displayed Follow the instructions 5 Confirm to disable access control Troublesh...

Page 366: ... control and IPsec functions are disabled After the restart you will be able to remotely open Océ Express WebTools from any workstation HTTP Troubleshooting Disable Access control and IPsec 366 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 367: ...of the configuration settings accessed through Océ Express WebTools between the client and the controller It can be easily used This self signed certificate has not been signed by a Certification Authority consequently the web browser will display a Certificate Error message the first time you use the HTTPS protocol The CA signed certificate is delivered by a Certification Authority To ensure a fu...

Page 368: ...uthority The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar 2 In order to view and check the self signed certificate continue to the website 3 Click on Certificate error 4 Click View certificates 5 The certificate is issued to OcéExpress WebTools by Océ Express WebTools 6 Click Install Certificate 7 Follow the Wizard s instructions to ...

Page 369: ...er 2 Accept the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 369 ...

Page 370: ...bar Océ self signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is ...

Page 371: ...n Unit OU WFPS 6 The certificate is issued to OcéExpress WebTools by Océ Express WebTools so you can confirm the security exception permanent or temporary exception 7 A security warning window may pop up Click Yes to continue Result The Océ Express WebTools software opens You can check in the status bar at the bottom of the window that the padlock is displayed In the navigation bar the Océ certifi...

Page 372: ...e still using HTTPS follow these 2 procedures step by step Overall procedure to prepare and generate the CA signed certificate request Step Description A1 Back up the current certificate and private key if any The current certificate can be the original Océ self signed certificate embedded a CA signed certificate delivered by a Certification Authority you previously installed See Back up a certifi...

Page 373: ...rowser on each workstation See Check and import the root certificate on page 229 B5 Back up the certificate and pri vate key Back up and store the certificate and the private key Note It is highly recommended to back up the CA sign ed certificate and the private key since they are not saved in any system backup See Back up a certificate and private key on page 226 Other procedures Procedure When t...

Page 374: ...rtificate Pre requisites Back up the current Certificate and Private key already installed on the controller see Back up a certificate and private key on page 226 Generate a certificate request NOTE Step A2 of the HTTPS Description of the overall procedure on page 225 Procedure 1 In a web browser open Océ Express WebTools https IP address or hostname 2 On the Security HTTPS select Generate a certi...

Page 375: ...t csr by default 2 Send the content of this request to the Certification Authority Import a CA signed certificate into the controller and workstations Introduction overall procedure 1 Import the CA signed certificate into the controller Import the Root certificate Import the Intermediate certificate Import the CA certificate 2 Import the Root certificate into the workstations web browser Import th...

Page 376: ...e successfully imported pops up restart the controller Result Result The certificate is now installed on the server Check and import if needed the CA Root certificate also into the workstations web browser That will secure the complete data workflow between the workstations and the server Check and import the Root certificate into the workstations browser When to do NOTE Step B4 of the HTTPS Descr...

Page 377: ... the original self signed certificate that requests a preliminary back up of the original self signed certificate See Back up a certificate and private key on page 226 Each Reset certificate action generates a new self signed certificate with a new private and public key So each time you reset the certificate you must import the new certificate into the web browser Reset the certificate Procedure ...

Page 378: ...e values are correct in Océ Express WebTools Configuration System defaults Refer to Configure the user authentication by user name and password on page 334 for the detailed procedure It is recommended that the System Administrator validates this new configuration by clicking Validate this configuration in Security Configuration see Validate the configuration on page 336 Scan to the Home folder The...

Page 379: ...roubleshooting When an error occurs during the process of authentication by user name and password follow the procedures below to test and troubleshoot Use the validation tool to validate the configuration See Validate the configuration on page 189 Apply the corrective actions when needed SeeTroubleshooting on page 190 In case the home folder is not accessible Use the validation tool and check in ...

Page 380: ...nfiguration External locations page 3 Log in as a System administrator or Power user 4 Edit the USB type 5 In the Enabled functionalities drop down list select None to disable print from and scan to capabilities Print from only to enable to print from USB and disable Scan to USB capability Scan to only to enable to scan to USB and disable Print from USB capability Note Select Print from and scan t...

Page 381: ...When disabled the job submission capability through Express WebTools is completely de activated The remote actions on jobs to the Operator Restrict remote actions on jobs to the Key Operator When enabled all remote actions on jobs in the queue are restricted to the Key Operator or Power user only The display of Smart Inboxes in Océ Express WebTools When enabled all users of Express WebTools can se...

Page 382: ...Smart Inbox management and job management 382 Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 ...

Page 383: ...Chapter 7 Security on Océ ColorWave 810 Océ ColorWave 900 and Océ ColorWave 910 ...

Page 384: ...bits Firewall Yes Network protocols protection Yes per protocol through firewall MS security patches Océ released patches Security logging Auditing of security related events Data encryption on the network HTTPS for administration Océ Express WebTools and for job submission through Océ Publisher Express Password protection Yes for User settings Administration settings Océ Publisher Express access ...

Page 385: ...ng TCP 515 LPR FTP printing TCP 21 FTP TCP 4242 for data channel in FTP passive mode Notes Océ back channel is an Océ proprietary protocol used to retrieve information from the printer status media loaded and to display it in the application or driver Control management INBOUND and OUTBOUND ports and protocols used by the system Application Functionality INBOUND ports on the con troller protocol O...

Page 386: ...P 443 HTTPS TCP web proxy port 1 NetBios over TCP IP UDP 137 TCP 139 445 UDP 138 WAVE TCP 80 HTTP OBIS TCP 80 HTTP for back channel Océ Publisher Select Additional built in Windows firewall rules Inbound rules Core Networking Dynamic Host Configuration Protocol DHCP In Outbound rules Core Networking DNS UDP Out Core Networking Dynamic Host Configuration Protocol DHCP Out Applications protocols and...

Page 387: ...e technician installs the patches make sure the System Administrator allows him to do it in Security Configuration Install a patch Procedure 1 Open Océ Express WebTools 2 Open the Support tab 3 Select Update The authentication window opens 4 Log in as the System administrator or Power user The latest patch successfully applied when any is displayed 5 Click on the Install icon top right corner of t...

Page 388: ... OK 7 Browse to the Océ Remote patch and click OK to install it 8 Click OK to confirm the update Install the Océ Remote patch 388 Chapter 7 Security on Océ ColorWave 810 Océ ColorWave 900 and Océ ColorWave 910 ...

Page 389: ...ith Océ Publisher Select HTTP Enable Disable Used only for Océ Publish er Select backchannel Océ Express WebT ools via HTTP HTTP Enable Disable For Océ Express WebTools and Publisher Express HTTP inbound HTTP There is no specific setting to disable the HTTP proto col Inbound HTTP is enabled as long as at least one of the following services is enabled Océ Wave interface Allow interaction with Océ P...

Page 390: ...section of the Océ Express WebTools and uncheck the protocol or service To disable the connection to Remote Service go to Preferences System defaults Service related information Network protocols protection 390 Chapter 7 Security on Océ ColorWave 810 Océ ColorWave 900 and Océ ColorWave 910 ...

Page 391: ...tion Action Detail 1 Support Remote Service Remote as sistance Stop the Remote assistance if it is activated Click Stop remote assis tance until it changes into Allow remote assistance The two blinking arrows on the right side disappear 2 Preferences System Defaults Service rela ted information Disable Remote Service Set Remote Service connec tion to Disabled 6 Support About Shut down Restart the ...

Page 392: ...any infected file present on the USB device plugged on the USB port is not possible Read from write to USB device protection Protection of the USB READ operation when restoring a controller configuration from the Local User Interface In that case any file infected by a virus appears as an invalid backup file The controller software detects it and rejects the restore operation Any print file infect...

Page 393: ...technician to reset passwords On the Security Configuration page the System administrator and the Power User define whether they allow the Service technician to Perform the software reinstallation using the USB installation key Install an update or a patch on the system Passwords policy in the Océ ColorWave 810 and ColorWave 910 systems Passwords used in Océ Express WebTools In Océ Express WebTool...

Page 394: ...by Proxy authentication for Remote Service System administrator or Power user Passwords policy in the Océ ColorWave 810 and ColorWave 910 systems 394 Chapter 7 Security on Océ ColorWave 810 Océ ColorWave 900 and Océ ColorWave 910 ...

Page 395: ...etwork settings IP address Subnet mask DNS Gateway DHCP Network services enable disable settings Changes of passwords used to protect security related settings Key operator System administrator Power user Service Timezone Remote service online connection enabled disabled Allow Service Technician to reset passwords on off Save retrieved job data for service on off HTTPS settings change of certifica...

Page 396: ... configuration settings accessed through Océ Express WebTools between the client and the controller It can be easily used This self signed certificate has not been signed by a Certification Authority consequently the web browser will display a Certificate Error message the first time you use the HTTPS protocol The CA signed certificate is delivered by a Certification Authority To ensure a fully tr...

Page 397: ...a trusted certificate authority The Common Name in the certificate does not match the printer hostname or IP Address you typed in the address bar 2 In order to view and check the self signed certificate continue to the website 3 Click on Certificate error 4 Click View certificates 5 The certificate is issued to OcéExpress WebTools by Océ Express WebTools 6 Click Install Certificate 7 Follow the Wi...

Page 398: ...pt the warning 3 Finish the installation When the import is successful the Océ Express WebTools Certificate is recognised and its status is OK Use the Océ self signed certificate with Internet Explorer 398 Chapter 7 Security on Océ ColorWave 810 Océ ColorWave 900 and Océ ColorWave 910 ...

Page 399: ...elf signed certificate guarantees The identity of the remote computer controller The encryption of the print data on the network Use the Océ self signed certificate with Mozilla Firefox Procedure 1 On a workstation type the URL address of your printer in Mozilla Firefox https common Name or PrinterHostname or PrinterIPaddress A warning window opens It displays 2 errors The certificate is not trust...

Page 400: ... WFPS 6 The certificate is issued to OcéExpress WebTools by Océ Express WebTools so you can confirm the security exception permanent or temporary exception 7 A security warning window may pop up Click Yes to continue Result The Océ Express WebTools software opens You can check in the status bar at the bottom of the window that the padlock is displayed In the navigation bar the Océ certificate is r...

Page 401: ...sing HTTPS follow these 2 procedures step by step Overall procedure to prepare and generate the CA signed certificate request Step Description A1 Back up the current certificate and private key if any The current certificate can be the original Océ self signed certificate embedded a CA signed certificate delivered by a Certification Authority you previously installed See Back up a certificate and ...

Page 402: ... each workstation See Check and import the root certificate on page 229 B5 Back up the certificate and pri vate key Back up and store the certificate and the private key Note It is highly recommended to back up the CA sign ed certificate and the private key since they are not saved in any system backup See Back up a certificate and private key on page 226 Other procedures Procedure When to do Rest...

Page 403: ... Pre requisites Back up the current Certificate and Private key already installed on the controller see Back up a certificate and private key on page 226 Generate a certificate request NOTE Step A2 of the HTTPS Description of the overall procedure on page 225 Procedure 1 In a web browser open Océ Express WebTools https IP address or hostname 2 On the Security HTTPS select Generate a certificate re...

Page 404: ...default 2 Send the content of this request to the Certification Authority Import a CA signed certificate into the controller and workstations Introduction overall procedure 1 Import the CA signed certificate into the controller Import the Root certificate Import the Intermediate certificate Import the CA certificate 2 Import the Root certificate into the workstations web browser Import the Root ce...

Page 405: ...fully imported pops up restart the controller Result Result The certificate is now installed on the server Check and import if needed the CA Root certificate also into the workstations web browser That will secure the complete data workflow between the workstations and the server Check and import the Root certificate into the workstations browser When to do NOTE Step B4 of the HTTPS Description of...

Page 406: ...inal self signed certificate that requests a preliminary back up of the original self signed certificate See Back up a certificate and private key on page 226 Each Reset certificate action generates a new self signed certificate with a new private and public key So each time you reset the certificate you must import the new certificate into the web browser Reset the certificate Procedure 1 In a we...

Page 407: ...51 Workstation configuration 44 45 46 48 49 51 122 123 124 126 127 129 208 209 210 212 213 215 256 257 258 260 261 263 355 356 357 359 360 362 O Océ Remote Patch 26 69 102 154 241 272 306 387 Océ security policy 10 OS and software protection Linux Océ ColorWave 600 PP 246 OS and software protection Linux WES2009 Océ ColorWave 650 246 P Password LUI passwords 35 Restore 35 36 248 280 Password Backu...

Page 408: ...2 U USB direct print Disabled 56 145 233 266 297 380 User authentication 166 318 Contactless card 182 Smart card 176 328 Troubleshooting 195 342 User name password 187 334 Workflow 172 324 W Wizard Security 28 Index 408 ...

Page 409: ......

Page 410: ...da Inc www canon ca Canon Europe Ltd www canon europe com Canon Latin America Inc www cla canon com Canon Australia PTY Ltd www canon com au Canon China Co Ltd www canon com cn Canon Singapore PTE Ltd www canon com sg Canon Hongkong Co Ltd www canon com hk Océ 2012 2017 ...

Reviews:

No comments

Related manuals for Oce PlotWave 750

Samsung 1000P Declaration Of Conformity preview
1000P
Brand: Samsung Pages: 2
Olympus Stylus Tough 8000 Blue - Stylus Tough 8000 12MP 2.7 LCD Digital... Manuel D'Instructions preview
Stylus Tough 8000 Blue - Stylus Tough 8000 12MP 2.7 LCD Digital...
Brand: Olympus Pages: 83
Olympus E300 - 14-54mm f/2.8-3.5 Zuiko ED Digital SLR... Manuel Avancé preview
E300 - 14-54mm f/2.8-3.5 Zuiko ED Digital SLR...
Brand: Olympus Pages: 212
Leica APO-SUMMICRON-M 50 mm f/2 ASPH. Manual preview
APO-SUMMICRON-M 50 mm f/2 ASPH.
Brand: Leica Pages: 8
XtendLan XL-ICA-206M3 User Manual preview
XL-ICA-206M3
Brand: XtendLan Pages: 33
Samcon ExCam IPP1275 User Manual preview
ExCam IPP1275
Brand: Samcon Pages: 28
GPX PF708 Specification Sheet preview
PF708
Brand: GPX Pages: 2
Hello Kitty Hello Kitty KT7009A Owner'S Manual preview
Hello Kitty KT7009A
Brand: Hello Kitty Pages: 43
SiPix StyleCam DV100 Owner'S Manual preview
StyleCam DV100
Brand: SiPix Pages: 35
KMZ Zenit-EM Manual preview
Zenit-EM
Brand: KMZ Pages: 7
Uniden APPCAM 24HD Owner'S Manual preview
APPCAM 24HD
Brand: Uniden Pages: 36
DynaColor DH820E User Manual preview
DH820E
Brand: DynaColor Pages: 27
Panasonic Lumix DMC-FZ150P Service Manual preview
Lumix DMC-FZ150P
Brand: Panasonic Pages: 64
WalimeXPro 85/1,4 IF Aspherical Instruction Manual preview
85/1,4 IF Aspherical
Brand: WalimeXPro Pages: 7
GeoSlam ZEB Horizon Firmware Update Manual preview
ZEB Horizon
Brand: GeoSlam Pages: 15
Epson L500V - PhotoPC Digital Camera Specifications preview
L500V - PhotoPC Digital Camera
Brand: Epson Pages: 3
Epson P-2000 - Multimedia Storage Viewer User Manual preview
P-2000 - Multimedia Storage Viewer
Brand: Epson Pages: 80
Epson PhotoPC 750Z User Manual preview
PhotoPC 750Z
Brand: Epson Pages: 170

Brands by name

Popular brands

Load more brands