Version 3.0 October 2014 Smart Card Installation and Configuration Guide (CAC/PIV/.
©2014 Xerox Corporation. All rights reserved. Xerox®, Xerox and Design®, ColorQube® and WorkCentre® are trademarks of Xerox Corporation in the United States and/or other countries. BR10996 Other company trademarks are also acknowledged. Changes are periodically made to this document. Changes, technical inaccuracies, and typographic errors will be corrected in subsequent editions. Document version 3.
Table of Contents
1 Introduction
Smart Card Feature Overview 6
Authentication 6
Hold All Jobs
Smart Card 4 Installation and Configuration Guide
1 Introduction
The Smart Card solution brings an advanced level of security to sensitive information. Organizations can restrict access to the walk-up features of a Xerox® device. This ensures only authorized users are able to copy, scan, e-mail and fax information. Once validated, a user is logged into the Xerox® device for all walk-up features. The system allows for functions to be tracked for an added layer of security. This guide explains how to install and configure the Smart Card solution.
Smart Card Feature Overview
Authentication
Xerox offers a feature called Smart Card authentication. This enables users who possess smart cards to use them for network authentication at the multifunction device (MFD). Smart cards contain the user’s Identity Certificate along with their public and private key. This enables the MFD to perform a Kerberos authentication to the Windows Active Domain Controller which originally issued the Identity Certificate.
Supported Card Readers
The customer is responsible for providing a card reader for each Xerox® device. The following card readers are compatible with the solution:
• Gemplus GemPC USB SL
• Gemplus GEMPC Twin
• SCM Micro SCR3310
• SCM Micro SCR3311
• OmniKey Cardman 3021 USB
• OmniKey Cardman 3121 USB
• ActivCard USB Reader V2 with SCR-331 firmware1
• Cherry ST1044U
Other CCID compliant readers may function with the solution, but have not been validated.
Minimum Software Levels
Product | Minimum System Software Version | CAC | PIV | .NET | Access Client | Rijkspas
WorkCentre 3655 | 072.060.034.16800 | Yes | Yes | Yes | No | No
WorkCentre 58xx | 071.xxx.xxx.xxx.xxxxx | Yes | Yes | Yes | No | No
WorkCentre 59xx | 071.xxx.xxx.xxx.xxxxx | Yes | Yes | Yes | No | No
WorkCentre 6655 | 072.060.034.16800 | Yes | Yes | Yes | No | No
WorkCentre 72xx | 072.110.044.20500 | Yes | Yes | Yes | No | No
WorkCentre 78xx | 071.xxx.xxx.xxx.
2 Preparation
This section explains the preparation and resources required to install the Smart Card feature.
Configuration Checklist
The following items are required to complete the installation:
Summary | Status
1. Obtain the IP address or Host Name for each applicable Windows Domain Controller
2. If Domain Controller certificate validation is required, obtain the DC certificate for each applicable controller, including all intermediate certificates up to the root certificate.
3 Installation
This section provides instructions for installing and configuring the Smart Card solution. There are four main installation procedures to follow in sequence.
• Hardware Installation: Unpacking the Smart Card Enablement kit and installing the card reader device.
• Enabling the Smart Card: Use the Feature Enable Key to enable the Smart Card to be configured.
• Configuring the Smart Card: Enabling the Smart Card function and customizing the settings.
Hardware Installation
Connect the USB Smart Card Reader to the MFD
Install the card reader device using the following instructions.
1. Unpack the Smart Card Enablement Kit
The kit contains the following items:
• Smart Card Enablement Guide (1)
• Four Dual Lock Fastener pads (Velcro) (2)
• Three Cable Ties (3)
• One Ferrite Bead (4)
Ensure you have read the licence agreement and agree to the terms and conditions specified prior to installation.
2. Locate the card reader device being installed
There are four types of card reader available, one upright model or three slimline models. Locate the device being installed and ensure it has been configured.
Note: The System Administrator should configure the cards prior to the card reader being installed on the machine.
3. Attach the ferrite bead to the reader cable.
Note: The ferrite bead should be clipped onto the cable directly behind the connector.
4. Attach the fasteners to the card reader device
Fasteners have been provided to secure the card reader to the Xerox® device. Peel back the fastener backing strip. Position the fastener on the underside of the card reader, as shown. Repeat for each of the fasteners supplied.
5. Remove the fastener backing strips
When all the fasteners have been attached to the card reader, remove the backing strips on each of the fasteners.
6. Place the card reader on the Xerox® device
Gently place the card reader on the device (do not fix in place at this point). Position the card reader in a suitable location and ensure it does not obstruct any access points or the opening of doors or covers. Check the cable has sufficient length to connect to the rear of the network controller. Once it is in a suitable location, press firmly on the card reader to fix it in place.
7.
Software Configuration
Enter the Smart Card Enablement Key
Before you configure the Smart Card solution, you need to enable the Smart Card feature on your Xerox® device using Internet Services. The Feature Enablement Key is printed on the inside cover of the Enablement guide provided within the Smart Card kit.
Follow the instructions below to enable the device software.
1. Access Internet Services
a. b. c.
2. Access Properties
a. b. c.
3. Select the Properties tab.
e. From the Touch UI Method drop-down menu, select Smart Cards.
f. If you require users to have an alternative method of authentication, select User Name/Password from the Alternate Touch UI Method drop-down menu.
g. If you require the device to use the e-mail address registered to the authenticated user, select the Personalize Touch UI checkbox.
h. Select Save.
i. j.
Configuring the Smart Card
Once the Smart Card feature has been enabled on the device, it can be configured using Internet Services.
Configure Smart Card Authentication
Follow the instructions below to enable and configure the Smart Card:
1. In the Internet Services Login/Permissions/Accounting menu, ensure you have the Login Methods link selected.
2. Enter the Domain Controller details for the authentication server.
a.
Enable NTP Service
3. Configure the Date & Time to update automatically
a. Select the Network Time Protocol Edit link.
b. Select the Enabled box to enable NTP.
c. Enter the IP address or Host Name of the Primary and Alternate Time Server. Often this can be the same address as the Domain Controller.
d. Select Save.
e. View the summary screen and ensure all settings are correct.
f. Select Close.
Configure Alternate Authentication
If Alternate Authentication is not required, go to Configure a Security Certificate on page 22.
4. If Alternate Authentication is enabled, select the Authentication Servers / Touch UI (Alternate) - Edit link in the Configuration Settings list to configure the server.
a. Select the Authentication Type from the drop-down menu.
b. Select Add New.
c. Enter the required Domain or Realm.
d. e. f.
Create a Device Certificate
The device automatically creates a self-signed certificate. Complete this section if you want to create a new device certificate.
5. To create a new device certificate:
a. In the Properties tab select the Security link.
b. Select Certificates > Security Certificates.
c. Select the Xerox Device Certificate tab.
d. Select Create New Xerox Device Certificate.
e. Complete the Self Signed Certificate fields.
f. Select Finish.
g.
Install a Domain Controller Certificate
7. Complete these steps if you want to install a domain controller certificate.
a. In the Properties tab select the Security link.
b. Select Certificates > Security Certificates.
c. Select the Domain Controller Certificates tab.
d. Click Install Domain Controller Certificate.
e. Click the Browse button and navigate to the location of your Domain Controller certificates.
f. Click Next.
g.
Configure Certificate Validation
9. If you do not require certificate validation, proceed to Configure Smart Card Inactivity Timer on page 26.
a. In the Properties tab, select the Login/Permissions/Accounting link.
b. Select Login Methods.
c. Select Certificate Validation - Edit in the Configuration Settings menu.
d. Select the required Validation Options.
e. If you have selected one or more options, click Next to configure further settings.
f. g. h. i.
Configure Smart Card Inactivity Timer
10. If you do not require inactivity timeout settings for Smart Card authentication, proceed to Configure Acquiring Logged-In User’s E-mail Address on page 26.
a. In the Properties tab, select the Login/Permissions/Accounting link.
b. Select Login Methods.
c. Select Smart Card Inactivity Timer - Edit.
d. Enter the required number of minutes for Timer.
e. Click Save.
Configure Acquiring Logged-In User’s E-mail Address
11.
g. k. l. m.
At the LDAP Server screen, enter a Friendly Name.
Enter the IP address or Host Name of the Primary and Alternate LDAP server.
Select the required LDAP Server from the drop-down list.
Enter the LDAP Search Directory Root. This is typically related to the server’s domain name. For example, if the server’s Fully Qualified Domain Name is ‘Hostname.Example.Search.Root’, the search directory root is “dc=Example,dc=Search,dc=Root”.
b. Select Use DNS (to identify SMTP Server) to configure the server address using DNS, or select IP Address or Host Name and enter the SMTP server address.
c. Enter the required Device E-mail Address.
d. Select Save.
Configure SMTP Authentication
13. Select SMTP - Edit.
a. Select the SMTP Authentication tab.
b. For the required method of authentication for SMTP Login credentials applied to e-mail jobs sent from the machine’s touch interface, select Logged-in User.
Test Configuration
16. Select SMTP - Edit.
a. Select the Test Configuration tab.
Note: This screen allows you to send a test e-mail to confirm that all e-mail settings are correct.
b. Enter a valid e-mail address in the To Address field.
c. Select Send E-mail.
Note: If the SMTP settings are correct, the screen will display a success message and an e-mail will be received at the address
d. Select the Required Information tab.
e. f.
Configure Address Books
18. Select the Address Books tab.
a. b.
LDAP was configured in a previous step. If you require the Device Address Book, select the Device Address Book - Edit link.
Configure the Device Address Book. Instructions are available in the System Administration Guide.
Configure E-mail Defaults
19. Select the Defaults tab.
a. Select the required options for e-mail default settings.
b. Save your changes.
Configure E-mail Compression
20.
22. If you want to configure e-mail domain restrictions, click Edit in the Network Policies area.
a. Select the required restrictions.
• Domain Filtering enables you to configure a list of domains to allow or block e-mails.
• E-mail Filtering allows you to send internal e-mail without the need to add @ corporate name. This option requires your e-mail server to be configured to allow this.
b. Select Save.
23.
Printing Features
The Hold All Jobs and Secure Print features can be configured to ensure jobs are held securely at the MFD until the user authenticates at the Control Panel.
Configure Hold All Jobs
Hold All Jobs allows you to configure the MFD to require users to release print jobs manually at the Control Panel. If you want to configure Hold All Jobs, follow these instructions.
1. Access Internet Services and select Properties.
Configure Secure Print Driver Defaults
The Secure Print feature allows you to send a job to the MFD with a unique passcode. Jobs are stored at the MFD until the user enters the same passcode to release them. Further information about how to use Secure Print is available in your User Guide.
You can configure the Secure Print Driver Default settings to require the user to enter a User ID to release secure print jobs at the Control Panel, instead of a passcode.
Confirm the Installation
When the card reader and the software have been installed and configured, the Card Reader Detected screen displays on the Xerox® device local user interface. Smart Card is now ready for use.
Note: If the card reader is not detected, refer to Troubleshooting Tips on page 39 for information.
Using Smart Card
Once the Smart Card has been enabled, each user must insert a valid card and enter their Personal Identification Number (PIN) on the touch screen. When a user has finished using the Xerox® device, they are then required to remove their card from the card reader to end the session. For instances where a user forgets to remove their card, the machine will end the session automatically after a specified period of inactivity.
4 Troubleshooting
For optimal performance from your card reader, ensure the following guidelines are followed:
• The Card Reader is only compatible with network connected products.
• Ensure the Card Reader is plugged into the Network Controller. Refer to Connect the card reader to the Xerox® device on page 17 for instructions.
• Do not position the Card Reader in direct sunlight or near a heat source such as a radiator.
• Ensure the Card Reader does not get contaminated with dust and debris.
Fault Clearance
When a fault occurs, a message displays on the User Interface which provides information relating to the fault. If a fault cannot be resolved by following the instructions provided, refer to Troubleshooting Tips on page 39. If the problem persists, identify whether it is related to the card reader device or the Xerox® device.
• For problems with the card reader device, contact the manufacturer for further assistance.
Troubleshooting Tips
The table below provides a list of problems and the possible cause and a recommended solution. If you experience a problem during the installation process, please refer to the During Installation problem solving table below. If you have successfully installed the Smart Card solution but are now experiencing problems, refer to After Installation on page 40.
After Installation
Problem | Possible Cause | Solution
The login was successful, however you do not have the appropriate access to the operation you requested | LDAP not configured properly or local user permission roles not configured properly. | • Check the authorization method.
The passcode entered was incorrect | Incorrect PIN has been entered. | • Carefully re-enter the PIN. Caution: Consecutive incorrect entries may lead to your card being locked.
Authentication failed.
Problem | Possible Cause | Solution
Invalid Timestamp. Authentication failed due to a time or date difference between the device and the remote server (Domain Controller) | NTP not enabled or properly configured. | • Verify that Network Time Protocol is correctly set up; refer to Enable NTP Service on page 21.
 | GMT offset is not set correctly. | • If you are not using DHCP, verify the date and time and GMT Offset (Time Zone) are correct.
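The Invalid Timestamp rows above come down to the device and the Domain Controller disagreeing about UTC. The following Python is an added example, not part of the Xerox guide: it parses an SNTP reply and shows that a correct displayed time combined with a wrong GMT Offset still produces a failing skew. The 5-minute limit is the Active Directory default Kerberos tolerance; the wall-clock-plus-offset model of the device, the function names and the sample reply are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_EPOCH_DELTA = 2208988800      # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = timedelta(minutes=5)   # assumption: Active Directory default Kerberos tolerance


def ntp_transmit_time(reply: bytes) -> datetime:
    """Return the server's transmit timestamp (UTC) from a 48-byte SNTP reply."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x07, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("time server is not synchronised")
    seconds, fraction = struct.unpack("!II", reply[40:48])
    unix = seconds - NTP_EPOCH_DELTA + fraction / 2**32
    return datetime.fromtimestamp(unix, tz=timezone.utc)


def device_utc(wall_clock: datetime, gmt_offset_hours: float) -> datetime:
    """UTC instant implied by the device's displayed time and its GMT Offset setting."""
    return (wall_clock - timedelta(hours=gmt_offset_hours)).replace(tzinfo=timezone.utc)


def check_skew(wall_clock: datetime, gmt_offset_hours: float, reply: bytes):
    """Return (within_tolerance, skew) for the device against the time server."""
    skew = device_utc(wall_clock, gmt_offset_hours) - ntp_transmit_time(reply)
    return abs(skew) <= MAX_SKEW, skew


def build_sample_reply(when: datetime) -> bytes:
    """Constructed SNTP reply (LI=0, VN=4, mode=4, stratum 2) stamped with `when`."""
    seconds = int(when.timestamp()) + NTP_EPOCH_DELTA
    return bytes([0x24, 2, 6, 0xEC]) + bytes(36) + struct.pack("!II", seconds, 0)


# Constructed sample: the time server answers at 14:00:00 UTC on 1 October 2014.
SAMPLE_REPLY = build_sample_reply(datetime(2014, 10, 1, 14, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    shown = datetime(2014, 10, 1, 9, 0)   # time displayed on the device
    for offset in (-5.0, -6.0):           # correct vs. mis-set GMT Offset
        ok, skew = check_skew(shown, offset, SAMPLE_REPLY)
        print(f"GMT offset {offset:+.1f}: skew {skew}, {'OK' if ok else 'Invalid Timestamp risk'}")
```

With the displayed time unchanged, moving the GMT Offset from -5 to -6 shifts the device's idea of UTC by a full hour, which is why the table lists the offset as a separate cause from NTP.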