White Paper
DSS 5 Security Features
Digital Sending Software 5 Security Features Whitepaper
Updated on: April 23, 2014
Table of Contents
Introduction
User Accounts and Passwords
Security to Run the Configuration Utility (CU) and Connect to the DSS Service
Windows Account Authorization
Introduction
The purpose of this whitepaper is to give the reader a comprehensive view of data security mechanisms available with DSS 5.01.xx. Some of the security information is already available in the DSS System Administrator’s Guide (SAG). This paper will refer to the SAG for topics that are currently documented there. Many new features are not yet documented in the SAG. Those features are detailed in this paper. The intent is to move this information to the DSS SAG in the near future.
to access the DSS service. When DSS Account Authorization is enabled, any user starting the Configuration Utility will be prompted for the configured password. If there are 5 consecutive unsuccessful sign-in attempts to the DSS service, the service is locked from future sign-in attempts for a period of time and a critical error email message is sent to the DSS administrator.
One good reference is a whitepaper created by the HP Jetdirect team. Jetdirect is the name of the network interface in HP printers and MFPs. The whitepaper gives a nice overview of SSL / TLS in general and a lot of specific information about configuring HP printers for use with SSL / TLS. The paper is titled “HP Jetdirect and SSL/TLS” and can be found here: http://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-c01361514-2.
Certificate Authorities create certificates. When an entity creates its own certificate, it is acting as its own certificate authority, and the resulting certificate is called a self-signed certificate. When a third party creates a certificate for another entity, the entity that creates the certificate is a Certificate Authority (CA). VeriSign is a well-known third-party Certificate Authority.
naming with certificates. Notice also that the certificate has been issued by HP IPG DSS CA. The issuer is also DSS, but this is DSS acting in the role of a certificate authority. Since DSS is also acting as a CA, let’s look at the DSS certificate that is generated for DSS as a CA. This certificate is in the Trusted Root Certification Authorities Store.
When using a remote Configuration Utility, the settings will appear twice, once for the CU server and once for the DSS server.
IMPORTANT NOTE: At this time DSS is unable to function if only TLS 1.1 and/or TLS 1.2 are enabled and SSL 3.0 and TLS 1.0 are disabled. If the server is configured for only TLS 1.1 and/or 1.2, then the DSS service will fail to start. If this occurs, it can be remedied by once again enabling SSL 3.0 and/or TLS 1.0.
b. A check to see if the name associated with the certificate exactly matches the name that entity 1 used to contact entity 2. For example, if entity 1 contacted entity 2 with its IP address, entity 2 would expect that IP address to be one of the names in entity 2’s certificate. (Certificates have a primary name known as the common name or CN, and can also have alternate names stored in the SAN (Subject Alternative Name) part of the certificate.)
c. There are additional checks that won’t be detailed here.
When server certificate validation is enabled for DSS as a whole, it can be disabled for specific servers or devices by adding them to the Server / Device exception list. When a Remote Configuration Utility (RCU) is in use, it must be considered a server when server certificate validation is enabled.
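Added example (not part of the original whitepaper and not DSS code): the name check in item b and the exception list described above, sketched in Python over a certificate in the dictionary form returned by ssl.SSLSocket.getpeercert(). The host names, addresses and the connection_allowed helper are constructed for illustration, and wildcard names are not handled.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "dss01.example.com"),),),
    "subjectAltName": (("DNS", "dss01.example.com"),
                       ("DNS", "dss01"),
                       ("IP Address", "192.0.2.10")),
}

def _as_ip(value):
    """Return a normalized ip_address object, or None if value is not an IP."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def certificate_names(cert):
    """Collect the CN plus every DNS and IP entry from the SAN."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn
             if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ())
              if kind in ("DNS", "IP Address")]
    return names

def name_matches(contacted, cert):
    """True only if the name used to contact the server is in the certificate."""
    wanted_ip = _as_ip(contacted)
    for name in certificate_names(cert):
        if wanted_ip is not None:
            if _as_ip(name) == wanted_ip:   # compare IPs by value, not spelling
                return True
        elif _as_ip(name) is None and name.lower() == contacted.lower():
            return True                     # DNS names compare case-insensitively
    return False

def connection_allowed(contacted, cert, exceptions=()):
    """Hypothetical wrapper: hosts on the exception list skip the name check."""
    if contacted.lower() in {e.lower() for e in exceptions}:
        return True
    return name_matches(contacted, cert)
```

A host on the exception list is accepted whatever certificate it presents, so connecting by an IP address that is missing from the certificate is better fixed by reissuing the certificate with that address in the SAN than by exempting the host.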
- For SSL / TLS communication between the DSS service and LDAP servers, certificate validation is always on. Communication with LDAP servers is discussed in more detail later in this paper.
- For SSL / TLS communication between the DSS Configuration Utility and the DSS service, server certificate validation is controlled by a configuration file. This is discussed in more detail later in this document.
In this config file, under the section, is the item . To enable the server certificate validation change ‘true’ to ‘false’, save the file and restart the DSS CU. This must be done on each server that runs the Configuration Utility, including the DSS server itself and any servers that run the CU remotely.
1. 2. . How to configure the MMC Snap-in
a. To open the MMC console, click Start, and then click Run. In the Run dialog box type: MMC
b. On the Console menu, click Add/Remove Snap-in....
c. Click Add, and then click Certificates. Click Add again.
d. You are prompted to open the snap-in for the current user account, the service account, or for the computer account. Select the Computer Account.
e. Select Local computer, and then click Finish.
f. Click Close in the Add Standalone Snap-in dialog box.
g.
2. . Follow these steps to import the certificate on the DSS server: Navigate to the DSS Server computer by using the MMC snap-in, and then browse to the Trusted Root Certification Authorities folder.
a. Right-click the Trusted Root Certification Authorities folder, point to All Tasks, and then click Import.
b. Browse, and then select the certificate (.cer file) that you generated in step 1. Select the defaults to complete the remaining part of the wizard.
The checkbox shown above for the LDAP addressing UI is also available in the LDAP authentication UI (not pictured here). When SSL / TLS communication with LDAP servers is enabled, server certificate validation is always enabled. The UI on the security tab for exempting servers from server certificate validation does not apply to LDAP servers.
Server certificate validation for communication with SMTP servers is enabled in the CU UI on the Security tab shown earlier in this paper. If the DSS administrator wants server certificate validation on in general but wants to exclude communication with an SMTP server, then the SMTP server should be added to the Server / Device exceptions list box. There are other security mechanisms available for e-mail jobs that are sent from FutureSmart devices. These are e-mail encryption and e-mail signing.
The screenshot below shows a workflow form being configured and a secure URL being provided for the SharePoint destination. Server certificate validation for communication with SharePoint servers is enabled in the Configuration Utility UI on the Security tab shown earlier in this paper. If the DSS administrator wants server certificate validation on in general but wants to exclude communication with a SharePoint server, then the SharePoint server should be added to the Server / Device exceptions list box.
Pre-FutureSmart devices offer e-mail signing and encryption in their firmware, but these functions are not available when pre-FutureSmart devices send e-mail jobs via DSS. If the administrator wants to use e-mail signing and encryption from pre-FutureSmart devices that are managed by DSS, the devices must be configured to send e-mail jobs directly from the device instead of via DSS. E-mail encryption involves encrypting the e-mail with a public key for each recipient.
PDF Encryption when using DSS OCR
DSS provides an OCR engine which is capable of producing many output file formats. Included in these formats are Searchable PDF and Searchable PDF/A. When the output file type is one of these PDF types, PDF encryption may be applied. When DSS OCR creates the files, the PDF encryption used is PDF 1.7 Extension Level 3 for AES encryption using 256-bit keys. Keys are generated from user-entered passwords.