HP MFP Digital Sending Software (DSS) 5.0 - Security Features
Pre-FutureSmart devices offer e-mail signing and encryption in their firmware, but these functions are
not available when pre-FutureSmart devices send e-mail jobs via DSS. If the administrator wants to use
e-mail signing and encryption from pre-FutureSmart devices that are managed by DSS, the devices must
be configured to send e-mail jobs directly from the device instead of via DSS.
E-mail encryption involves encrypting the email with a public key for each recipient. This means that the
public key certificates for each recipient must have been made available before the e-mail is sent.
Certificates used for encrypted e-mail are S/MIME type certificates. The FutureSmart device is
responsible for obtaining the public key certificates of the recipients and passing them to DSS. For this to
happen, the device must already have been configured for LDAP based addressing and the public key
certificates of the recipients must have been stored in the LDAP directory for each recipient. The LDAP
attribute that holds the public key certificates is configured in the device when configuring email
encryption on the device. Only recipients that exist in the LDAP server and have their public key
certificates available in the server can receive encrypted emails. The e-mail is then encrypted with the
recipient’s public key and the recipient must decrypt the email with their private key when it is received.
DSS encrypts e-mail using the AES 256 encryption algorithm.
The e-mail client will also need to be configured correctly to receive and read encrypted e-mails. Please
see your e-mail system’s documentation for specific instructions.
To summarize the steps that must be taken before an encrypted email can be sent from a FutureSmart
device via DSS:
1- Load the public key certificate for all potential recipients into the LDAP directory for the
recipient
2- Configure the FutureSmart device for LDAP based addressing
3- Configure the FutureSmart device for encrypted email, which includes providing the name of
the LDAP attribute which stores the recipients’ public key certificates
4- Configure recipient e-mail clients as necessary to read encrypted e-mail
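A pre-flight check for steps 1 and 3, added here as an example and not part of DSS or HP's tooling: it reads an LDIF export of the directory and reports which recipients could receive encrypted e-mail. The attribute name `userCertificate`, the LDIF export and the sample entries are assumptions; the test is structural only (a DER-encoded blob is present) and does not validate the certificate.

```python
import base64

CERT_ATTR = "usercertificate"  # assumption: the attribute name configured on the device

def parse_ldif(text):
    """Return one {attribute: [bytes]} dict per entry; 'attr:: v' is base64, 'attr: v' is text."""
    entries, current = [], {}
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for line in unfolded.split("\n") + [""]:
        if not line.strip():  # a blank line ends an entry
            entries += [current] if current else []
            current = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:]) if rest.startswith(":") else rest.strip().encode()
            # Drop options such as ";binary" and compare attribute names case-insensitively.
            current.setdefault(name.split(";")[0].lower(), []).append(value)
    return entries

def looks_like_der(blob):
    """Structural check only: one DER SEQUENCE whose length field spans the whole blob."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    if blob[1] < 0x80:  # short-form length
        return 2 + blob[1] == len(blob)
    n = blob[1] & 0x7F  # long form: n length bytes follow
    length = int.from_bytes(blob[2:2 + n], "big")
    return 0 < n <= 4 and len(blob) >= 2 + n and 2 + n + length == len(blob)

def encryption_readiness(ldif_text, attr=CERT_ATTR):
    """Map each recipient's mail address to 'ok', 'missing' or 'malformed'."""
    report = {}
    for entry in parse_ldif(ldif_text):
        mail = entry.get("mail", [b"(no mail)"])[0].decode()
        certs = entry.get(attr, [])
        status = "ok" if all(map(looks_like_der, certs)) else "malformed"
        report[mail] = status if certs else "missing"
    return report

# Constructed sample: a 260-byte placeholder with a valid DER header, not a real certificate.
_b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
_folded = "\n ".join(_b64[i:i + 60] for i in range(0, len(_b64), 60))
SAMPLE_LDIF = (
    "dn: cn=alice,dc=example,dc=test\nmail: alice@example.test\n"
    f"userCertificate;binary:: {_folded}\n\n"
    "dn: cn=bob,dc=example,dc=test\nmail: bob@example.test\n\n"
    "dn: cn=carol,dc=example,dc=test\nmail: carol@example.test\n"
    "userCertificate: -----BEGIN CERTIFICATE-----\n"
)
print(encryption_readiness(SAMPLE_LDIF))
```

A recipient reported as 'missing' or 'malformed' needs step 1 repeated for that directory entry before encrypted e-mail can be sent to it.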
E-mail signing involves DSS signing the email with DSS’s private key. When DSS sends the signed e-mail it
also sends its public key certificate so the recipient can verify the signature. But in order to trust the
DSS public key certificate it receives, each recipient must have already loaded the DSS CA’s certificate
into its Trusted Root Certification Authorities store. This means that the DSS CA certificate must have
been exported from the DSS server and made available to all recipients of signed emails for loading into
their Trusted Root Certification Authorities store before e-mail signing is used. DSS uses the SHA 256
hashing algorithm for e-mail signing.
FIPS Security Policy in Windows
At this time DSS 5.0x is not fully FIPS compatible. If the security policy requiring FIPS compatibility is
enabled, DSS will not function correctly. See the screenshot below. This security policy must remain
disabled on servers running DSS.