HP MFP Digital Sending Software (DSS) 5.0 - Security Features
- For SSL / TLS communication between the DSS service and LDAP servers, certificate validation is
always on. Communication with LDAP servers is discussed in more detail later in this paper.
- For SSL / TLS communication between the DSS Configuration Utility and the DSS service, server
certificate validation is controlled by a configuration file. This is discussed in more detail later in
this document.
SSL / TLS communication with FutureSmart Devices
SSL / TLS encryption is used when DSS communicates with FutureSmart devices. By default, server
certificate validation is disabled for this communication channel.
FutureSmart devices ship with default self-signed certificates that can be used for SSL / TLS
communication when server certificate validation is not enabled. However, these default certificates are
not adequate when server certificate validation is enabled. When server certificate validation is
enabled, new certificates must be generated for each device and loaded on the device. Also, the
certificate of the CA that issued the device certificates must be loaded onto the DSS server in its
Trusted Certificate Store for validation to succeed.
Please refer to the whitepaper “HP Jetdirect and SSL/TLS” for instructions on how to generate
certificates for FutureSmart devices and load them onto the device. Instructions to access this
whitepaper were given earlier in this document in the section Brief Overview of SSL / TLS
communication.
When generating certificates for the device, the names in the certificate are very important. Recall that
certificates have a primary name, the CN (Common Name), and optionally additional names in the
Subject Alternative Name (SAN) extension of the certificate. The following name requirements exist for the
certificates to work properly with DSS:
- One of the names must be the IP address of the device. For this reason, if server certificate
validation is enabled, devices must have an IP address that does not change.
- If a device is added to DSS by host name or fully qualified domain name (FQDN), then that name
must appear in the certificate exactly as it was entered into DSS.
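The following is an added example, not code from the HP whitepaper or from DSS itself, that turns the two name requirements above into a check an administrator can run against a device certificate before enabling server certificate validation. It works on the certificate dictionary format that Python's standard ssl module returns from getpeercert(), so the same function can be fed either the constructed sample certificates embedded below or a certificate fetched from a live device. The fetch helper also shows the trust-store step from the preceding section: the CA certificate is loaded as the only trusted root, mirroring the DSS Trusted Certificate Store. All host names, IP addresses and the CA bundle path are constructed placeholders.

```python
import ipaddress
import socket
import ssl

# Constructed sample: a certificate issued for a device added to DSS by FQDN.
# It carries both the FQDN and the device's fixed IP address in the SAN.
SAMPLE_GOOD_CERT = {
    "subject": ((("commonName", "mfp01.example.com"),),),
    "subjectAltName": (
        ("DNS", "mfp01.example.com"),
        ("IP Address", "10.20.30.40"),
    ),
}

# Constructed sample resembling a default self-signed device certificate:
# a CN only, no IP address anywhere in the certificate.
SAMPLE_DEFAULT_CERT = {
    "subject": ((("commonName", "printer-default"),),),
}


def _is_ip(value):
    """True if the string is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def cert_names(cert):
    """Collect the CN and every SAN DNS / IP entry from a getpeercert() dict."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.append(value)
    return names


def check_dss_device_cert_names(cert, entered_name):
    """Apply the two DSS naming rules and return (ok, list_of_problems).

    Rule 1: at least one name in the certificate must be an IP address.
    Rule 2: the name used to add the device to DSS must appear exactly as
            entered. A wildcard such as *.example.com therefore does not
            satisfy the rule for mfp01.example.com.
    """
    names = cert_names(cert)
    problems = []
    if not any(_is_ip(n) for n in names):
        problems.append("no name in the certificate is an IP address")
    if entered_name not in names:
        problems.append(
            f"the name entered into DSS ({entered_name!r}) does not appear "
            f"in the certificate; names present: {names}"
        )
    return (not problems, problems)


def fetch_device_cert(host, port, ca_bundle_path):
    """Fetch a device certificate over TLS, trusting only the given CA file.

    ca_bundle_path plays the role of the DSS Trusted Certificate Store: the
    handshake fails unless the device certificate chains to that CA.
    Hostname checking is disabled here only because the DSS-specific name
    rules are applied afterwards by check_dss_device_cert_names().
    """
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert, entered in (
        ("good cert, added by FQDN", SAMPLE_GOOD_CERT, "mfp01.example.com"),
        ("good cert, added by IP", SAMPLE_GOOD_CERT, "10.20.30.40"),
        ("good cert, added by short host name", SAMPLE_GOOD_CERT, "mfp01"),
        ("default cert", SAMPLE_DEFAULT_CERT, "printer-default"),
    ):
        ok, problems = check_dss_device_cert_names(cert, entered)
        print(label, "->", "OK" if ok else problems)
```

To run it against a real device, replace the sample dictionaries with the result of fetch_device_cert("10.20.30.40", 443, "/path/to/issuing-ca.pem") (port and path are assumptions) and pass the exact string that was typed into DSS as entered_name. A certificate that passes this check but still fails in DSS points at the trust-store step rather than at the names.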
Server certificate validation for DSS <-> FutureSmart device communication can be enabled via the UI on
the Configuration Utility’s Security tab. Please see the Server Certificate Validation section of this paper
for details.
SSL / TLS communication between the DSS CU and the DSS Service
All communication between the Configuration Utility and the DSS service uses SSL / TLS protocols. This is
true when the CU and service are on the same server or on different servers.
Server certificate validation is off by default for DSS CU <-> DSS service communications. Server
certificate validation for this communication channel is not controlled by the UI on the Configuration
Utility's Security tab. Instead, it is enabled or disabled in the configuration file:
<install-folder>\Hewlett-Packard\HP Digital Sending
Software\Filesystems\Product\Dss\Configuration\HP.Dss.App.ConfigurationUtility.View.config.xml