Dell™ S3845cdn CACStar™ Smart Card Reader Installation and Configuration Guide
Document protection for CAC/PIV enabled Multifunction Devices
S3845cdn CACStar User Guide Rev A01 Copyright 2017 Digital Imaging Technology Page 1
Table of Contents
Introduction 4
Initial Setup 5
Configuring the CACStar Option via Touchscreen 6
Activating the CACStar Configuration Menu System 6
Access Code 6
The Top-Level Menu
Setup Test 37
Date Time 38
Hold Print Files 39
Hold File Name Matching Format 40
Status 41
Card Reader
Introduction
CACStar™ provides a solution to HSPD-12 requirements for CAC/PIV based protection of network data to and from printers or Multifunction Devices (MFDs). You can configure it to require an authenticated CAC/PIV card to control Copy, Print, Fax, Scan to Folder, Scan to Email, SNMP, or FTP. Configurable authentication methods include Basic X.509 certificate on the card, PIN validation, expiration, OCSP, root certificate, LDAP, and Kerberos.
Initial Setup If your 3845 came to you with the CACStar option not pre-installed, you should refer to Appendix B to find instructions regarding initial installation. Otherwise, proceed to CACStar Configuration below.
Configuring the CACStar Option via Touchscreen
A limited number of configuration settings can be accessed directly from the printer’s touchscreen:
• TCP/IP address
• Ethernet connection (speed / duplex)
Access to all settings for the CACStar option is available via the CACStar administration web site.
Activating the CACStar Configuration Menu System
To activate the CACStar Configuration Menu System, tap the “Manual Login” icon on the touchscreen. It looks like a small keyboard icon.
If an incorrect access code is entered, then access to the menu system will be denied.
The Top-Level Menu Upon entry into the CACStar menu system, you are asked which configuration area you wish to use.
LAN TCP/IP settings
When setting TCP/IP settings, you will be walked through the following settings:
• DHCP
If you answer “No” to using DHCP, then the following settings are presented.
• Gateway
No changes will be saved until all applicable settings have been set: if you choose “Yes” for DHCP, the configuration is saved and no other settings are presented; if “No” is selected for DHCP, all settings must be entered before any are saved. Exiting the menu system by pressing the “X” or “Exit” button at any time will exit the menu system without saving any changes.
Ethernet Connection Settings
When changing Ethernet connection settings, you will be walked through the following settings:
• Auto Negotiation
If “No” is chosen for Auto Negotiation, then the following settings will be presented:
• Connection Speed
• Duplex
As with the TCP/IP settings, no changes are made until all applicable settings have been entered. Aborting the menu system by tapping the “X” or “Exit” button at any time will abort the menu system without saving any changes.
Additional Functions in Menu Mode
The Functions area of the menu system allows you to:
• Print a CACStar Configuration Summary page
• Reset the Administrator password for the CACStar web site
• Reset CACStar to a Factory Default configuration
When requesting a reset to factory defaults, you will be asked if you are sure you want to do the reset before it is done.
Configuring the CACStar Option via Administration Website
CACStar Admin Login
Log in to CACStar as the Administrator by pointing your browser to the CACStar using a secure connection on port 8443 at the IP address you assigned in the steps above. For example: https://192.168.1.23:8443 or https://10.5.9.11:8443. You are likely to get an Invalid Certificate Warning from the browser. If so, override the warning and continue to the CACStar web site. The browser will require an ID and password.
Accessing the MFD/Printer Web Site
If you wish to access the MFD/printer web site, go to the same URL but do not use port 8443. For example: http://192.168.1.23 or https://192.168.1.23. On the 3845, the default login credentials are the same as CACStar (username “admin”, password “admin”). The following sections describe the different areas of the CACStar administration website.
Connectivity
CACStar has a “Local Side” and a “LAN Side”.
Step 1 – MFD IP Address This is the IP address that is used for access to these administrator web pages. It is also used for host computer connection to the MFD/printer. This IP address was already set in the initial setup process using the card reader keypad. If you wish to change this address, it can be done using this screen or from the card reader keypad.
Step 4 – Configure Default Domain This field is used for DNS Server Name resolution. Set this to the Default Domain name for the LAN.
Local Side Configuration These settings define the IP addresses used for Local communication between the CACStar and the MFD/printer. The defaults are likely to be acceptable. Usually there is no need to enter any IP addresses on this configuration page. Make sure these values were entered into the MFD using the MFD/printer operator panel.
Security
MFD Function Enabling
Check the boxes for Functions that require a validated CAC Card for use. If a box is un-checked, the Function will always be allowed. For example: if you want the MFD Scan-to-Folder Function to only be available when a validated CAC Card is inserted, check the CAC Enable Scan-To-Folder box.
If you want the MFD Scan-to-Folder Function to be available all the time whether a CAC card is inserted or not, uncheck the CAC Enable Scan-To-Folder box. Click the Update button after all entries are made.
Hold Print
If enabled, Print jobs will be held in the CACStar until the user is authenticated at the printer by inserting their CAC card. After authentication, the user’s jobs will be printed.
CAC Print Server
Set this to the IP address of the Secure Print server.
Email Setup If you have elected to control MFD generated email with your CAC cards, you will need to configure the item shown in the screen below. SMTP Address or Server Name Set the IP address or Server Name of the SMTP server. SMTP Port Number Set the TCP port number for SMTP communications. User Email Address From Select the source location for the “From” email address. Emailed scans can be from either the user’s own email address on his CAC card, or from the user’s email address on the LDAP server.
Force Email to Self Choose whether you want to force all emailed scans to the user’s own email address. If not checked, he can send to any email address. If this option is not selected, the user can select the recipient from the printer’s internal address book or he can use the printer to enter the email address he wants to use. Encrypt Email When sending emails of scanned documents, choose to never encrypt, always encrypt, or Prompt on each message for whether or not to encrypt.
Check this box if you want to use Kerberos for Email Login Authentication. If this box is checked, the "Kerberos" section of "Authentication Method" web page must be completed properly. Authentication Method CAC Validated Timeout This setting is the number of minutes of inactivity before a CAC Validated session will be terminated. If this setting is 0, the timeout is disabled.
This includes PIN validation, card expiration check, and X.509 card certificate validation. If an NTP server is not configured on the LAN Side Configuration page, the expiration check is bypassed. The Basic level of authentication is always included and cannot be removed from the configuration. In some installations, this is sufficient authentication and is the only one activated. OCSP Check this box to enable OCSP (Online Certificate Status Protocol) verification of CAC Cards.
LDAP Query Password: Password for the LDAP service account login. LDAP Search Base: Defines the location in the directory where a search will start. Example: OU=Users, DC=Itek, DC=com LDAP Search String: The Search String is used by the LDAP server to find users. In conjunction with User ID options below, this field helps create the query to the LDAP server to find users by name. Any data can go in this field, but there are certain keys that will be expanded to create the query.
authentication to the SMB server if so configured. Multiple entries are allowed.
KDC Server IP: IP address of the Kerberos server.
KDC Server Port: Port number of the Kerberos server. The default is 88.
KDC Realm: Kerberos Realm.
KDC Principal: User Name. This can be either the CN, the EDI-PI, or the SAN Principal.
PKINIT Win2K
This setting affects the "Public Key Cryptography for Initial Authentication" in Kerberos.
Default SMB Service Name The Service Name for the default SMB server, e.g. myshare$. This name will be used as the principal for Kerberos authentication if the Service Name cannot be obtained from the printer. Default SMB Username The Username for the default SMB server. This is only needed if "MFD SMB Kerberos Proxy" is NOT checked - AND the "SMB Folder Name" IS configured. Default SMB Password The Password for the default SMB server.
Additional Realms This button provides a separate page to define additional realms. SSL CA Certificate Checking If enabled, the host SSL certificate will be verified against the CA certificate. Therefore, the applicable CA certificate must be loaded into the CACStar.
SMB Address Book
SMB Address Book entries allow definition of multiple variable-based Server/Path destinations. Each destination name has the format "SMB-Book1" to "SMB-Book99"; this name should be used for the printer's "Server Address" configuration. The following sequences may be used to specify user-related data in the destination path:
%F : First name
%M : Middle Name
%L : Last name
%E : Email Address
%e : EDI-PI
%I : PIC-Identification
%u% : LDAP attribute value
Examples: \\myse
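As an added example (not code from this guide or from Digital Imaging Technology), the following Python function expands the destination sequences listed above. It assumes the "%u%" entry stands for "%<attribute>%" with an LDAP attribute name of two or more characters, and it strips path-structure characters from substituted values so that card or directory data cannot redirect the share path.

```python
import re

# Single-letter sequences documented for SMB Address Book destinations.
CARD_KEYS = {
    "F": "first_name", "M": "middle_name", "L": "last_name",
    "E": "email", "e": "edipi", "I": "pic",
}

# Assumption: the guide's "%u%" form means %<attribute>% with an LDAP attribute
# name of at least two characters, so a single letter is always a card key.
_TOKEN = re.compile(r"%([A-Za-z][A-Za-z0-9]+)%|%([FMLEeI])")

# Characters that would change the share/path structure; dropped from values.
_UNSAFE = re.compile(r'[\\/:*?"<>|]')


def _safe(value):
    """Remove path-structure characters and leading/trailing dots or spaces."""
    return _UNSAFE.sub("", value).strip(". ")


def expand_smb_destination(template, card, ldap_attrs=None):
    """Expand %-sequences in an SMB-Book destination path.

    card: dict of card-derived fields keyed by the CARD_KEYS values.
    ldap_attrs: dict of LDAP attribute name -> value (assumed %attr% form).
    Returns (expanded_path, list_of_unresolved_sequences).
    """
    ldap_attrs = ldap_attrs or {}
    unresolved = []

    def replace(match):
        attr, key = match.group(1), match.group(2)
        if key is not None:
            value = card.get(CARD_KEYS[key], "")
        else:
            value = ldap_attrs.get(attr, "")
        if not value:
            unresolved.append(attr or key)
        return _safe(value)

    return _TOKEN.sub(replace, template), unresolved


if __name__ == "__main__":
    # Constructed sample data; not real card or directory values.
    card = {"first_name": "Jane", "middle_name": "Q", "last_name": "Doe",
            "email": "jane.doe@example.mil", "edipi": "1234567890", "pic": "ABC123"}
    ldap = {"sAMAccountName": "jdoe"}
    for tmpl in (r"\\fileserver\scans\%L%F",
                 r"\\fileserver\home\%sAMAccountName%\%e"):
        path, missing = expand_smb_destination(tmpl, card, ldap)
        print(tmpl, "->", path, "missing:", missing)
```

A non-empty unresolved list means a sequence had no value on the card or in LDAP, which is the case to alert on rather than silently scanning into a collapsed path.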
User Logging User Logging provides a means to create, view or delete a user log file to track user activity. If this is enabled, it will log the date, user name, and other information. The log can be downloaded in a csv file format for viewing.
Use this page to load Issuer and Root Certificate Authority Certificates into CACStar. PKCS7, X509, PEM and DER formats are supported. Use the Browse button to select the Certificate file on your PC; then click the Upload Certificate button. If your certificates are in a .txt file format, please send them to us, and we will convert them to a supported format. If desired, we can preload them into new units.
Administrator Change Password Use this feature to change the password for the administrator. When the Change Password button is clicked, the next internal web page access will require this new password. Administrator Access These settings allow the admin to provide additional security by limiting CACStar admin access to specified IP addresses.
all IPs box is checked, an admin can access the CACStar configuration items from a PC at any IP address if he knows the ID and password. If it is not checked, the admin must access the CACStar configuration pages from the IP addresses specified for Administrator #1 or #2. These addresses must be on the same subnet as the CACStar.
Allow Telnet
If this is enabled, CACStar will allow a Telnet session to occur. The Telnet session will happen over Port 23.
Firmware Update Firmware is stored in flash memory and can be updated as necessary for addition of new features. The CACStar.cfg file may also be uploaded. It is a text file that contains the CACStar configuration items. For more details about how to update the firmware, please see the separate document “Firmware Update Procedure”.
Create and Export Current Configuration Create Config File will create a configuration file containing all current settings except LAN IP Address, LAN Mask, and LAN Gateway. Thus, the Config file can be used to configure other CACStars. The passwords are encrypted so they may not be edited. The first line of the file must not be edited. The MAC address and Serial Number are displayed for information purposes only and will not be used as a configuration item.
Technical Support
For help obtaining the correct firmware or documentation, contact Dell’s ProSupport Help Desk by calling 1-866-516-3115, or by sending email to Imaging_Solutions_Support_CAC@dell.com.
This page is used to obtain Log Files and Capture Files to help diagnose network and configuration concerns. Use of these features is normally in conjunction with technical support from your vendor.
Setup Test
Date Time This is used to set the system date and time in CACStar if necessary. The time zone should be set to your local time zone.
Hold Print Files
Hold Print files will be stored encrypted in CACStar and can be printed with CAC authentication at the printer. Hold Print files expire after the set number of days. When the expiration date is reached, the file will be deleted without being printed. Remaining storage and total storage are displayed so the user will know if held print files are reaching the maximum storage capacity.
Hold File Name Matching Format This field defines the format that will be used to associate the username in the Hold Print files with Card-Validated users. Any data can go into this field and keywords will be expanded.
Export Hold Print Usernames
If you want to copy the usernames from one CACStar to another, you can Export the usernames. You will get a ***.db file which you can then send to another CACStar to load them into the other CACStar.
Status
The Status pages offer three views of information about the current operations of CACStar. Number of successful card validations, number of unsuccessful card validations, network operations, date/time, and firmware version are all displayed.
Network
Other
Appendix A – Setup Information Checklist This checklist can be used prior to installation to collect the information necessary for installation of the CAC option.
• Do you wish to force all emails to go to the CAC/PIV card’s email address?
  o If No, selection can be made from the front panel by typing in the address, or using the Network Address Book (LDAP) feature.
• Should emails be encrypted? (Yes, No, or Prompt)
  o If Yes, what encryption should be used? (3DES or AES256)
LDAP
• Do you wish to use the Network Address Book (LDAP) feature to look up email addresses?
  o If Yes, please complete this section. Otherwise go to the Kerberos section.
Appendix B – CACStar Option Installation Procedure
If the CACStar option is not already installed on your printer, the following procedure will ensure proper installation of your CACStar option.
Step 1: Determine IP Address of the printer.
First, ask your Network Administrator if your network uses a DHCP server to assign the IP address for your device.
• If DHCP is used, then physically mount the CACStar option and connect it to the printer, as described in the Hardware Installation instructions below.
Step 2: Disable Sleep Mode
It is necessary to disable printer sleep mode for operation with CAC control. To do this, follow this procedure (refer to the diagram of the operator panel below):
1. Turn the printer on. If the printer is already turned on but is in Power Save mode (the touchscreen will be dark), wake up the printer by pressing the power button in the lower-right corner of the operator panel.
2. Hold down the Home button for 5 seconds, then release it.
7. Enter a value of zero (0), and tap the “OK” button in the top right corner of the touchscreen.
8. Tap the “X” button in the top left corner of the touchscreen.
9. Tap the “Exit” button in the top left corner of the touchscreen.
10. Tap the “Keep Error Log History” button on the touchscreen.
11. Tap the “Restart Now” button on the touchscreen.
Install the Installation Cloning File
To install the cloning file, use the management web site for the printer:
1.
5. Click the [Install] button. Note: If the “FIPS 140-2” setting is turned on, this step will fail with an error message indicating that the clone file installation cannot be done with FIPS 140-2 enabled. In this case, turn off the FIPS 140-2 setting (in the [System]>[Security] section of the printer management web site) before installing the clone file.
6. After the cloning file is installed, the printer will restart automatically.
7.
Hardware Installation of CACStar
The kit arrives assembled as shown in the photo below. The contents of the box include the CACStar option, User’s Guide, and a bag containing 2 M4 x 10mm screws required for securing the CACStar option to the back of the printer as shown below. You will need a Phillips #1 screwdriver.
Turn off power to the MFD.
Use the M4 x 10mm screws to attach the back assembly to the back of the MFD. These two screws use the two holes from which screws were removed earlier. Leave these screws loose until after the next step.
Remove the white backing from the Dual Lock tape on the back of the CACStar enclosure. Then press the CACStar enclosure against the stainless steel back of the printer.
Tighten the two M4 x 10mm screws. Plug the CACStar USB power cord into the MFD USB port just above CACStar. This USB cable is for power only. It has no data connection. Install the white cable clamp as shown. Peel the adhesive protection tape from the back of the card reader. Install the card reader on the side of the MFD as shown.
Turn on the S3845.