Version 6.
©2012 Xerox Corporation. All Rights Reserved. Unpublished rights reserved under the copyright laws of the United States. Contents of this publication may not be reproduced in any form without permission of Xerox Corporation. XEROX® and XEROX and Design® are trademarks of Xerox Corporation in the United States and/or other countries. Changes are periodically made to this document. Changes, technical inaccuracies, and typographic errors will be corrected in subsequent editions. Document version 6.
Table of Contents
1 Introduction
  Compatibility
  Card Readers and Card Types
    Supported Card Types
Xerox® Smart Card Installation Guide
1 Introduction
The Xerox Smart Card solution brings an advanced level of security to sensitive information. Organizations can restrict access to the walk-up features of a Xerox device. This ensures only authorized users are able to copy, scan, e-mail and fax information. The key benefit of this solution is its two-factor identification requirement. Users must insert their access card and enter a unique Personal Identification Number (PIN) at the device.
Compatibility
This solution is compatible with the following products and configurations:

Configuration                     Software Level       CAC   PIV   .NET
ColorQube™ 9201/9202/9203         06x.050.222.23301    Yes   Yes   No
                                  06x.080.222.22600    Yes   Yes   No
ColorQube™ 9301/9302/9303         06x.180.222.21202    Yes   Yes   Yes
Xerox WorkCentre 7755/7765/7775   06x.090.xxx.xxxxx    Yes   Yes   Yes

Note: If your System Software Version is 071.xxx.xxx.
Card Readers and Card Types
Supported Card Readers
The customer is responsible for providing a card reader for each Xerox device. The following card readers are compatible with the solution:
• Gemplus GemPC USB SL
• Gemplus GEMPC Twin
• SCM Micro SCR3310
• SCM Micro SCR3311
• OmniKey Cardman 3021 USB
• OmniKey Cardman 3121 USB
• ActivCard USB Reader V2 with SCR-331 firmware1
• Cherry ST1044U
Other CCID compliant readers may function with the solution, but have not been validated.
Documentation and Support
For information specifically about your Xerox product, the following resources are available:
• System Administrator Guide provides detailed instructions and information about connecting your device to the network and installing optional features. This guide is intended for System/Machine Administrators.
• User Guide provides detailed information about all the features and functions on the device. This guide is intended for general users.
2 Preparation
This section explains the preparation and resources required to install the Smart Card Reader. The installation will take approximately one hour for each device.
The first method requires installation of the DC certificate as part of this procedure and is the more accepted method for validation. The second method retrieves the DC certificate automatically for each authentication and doesn't require installation of the DC certificate onto the Xerox device. An additional option is to combine the first and second options and compare the retrieved DC certificate to the one stored at installation.
3 Installation
This section provides instructions for installing and configuring the Smart Card solution. There are 4 main installation procedures to follow in sequence.
• Enabling and Configuring Smart Card
  Use the Feature Enable Key to enable the Smart Card to be configured.
• Configuring Smart Card
  Enabling the Smart Card function and customizing the settings.
• Hardware Installation
  Unpacking the Smart Card Enablement kit and installing the card reader device.
Software Enablement
Prior to installing the Xerox Smart Card solution, the software requires enabling on your Xerox device using the Internet Services. The Feature Enable Key is printed on the inside cover of the Enablement guide provided within the Xerox Smart Card kit. Follow the instructions below to enable the device software.
Note: Some of the steps shown may require the System Administration password for your device to be entered.
1. 2. 3. Access Internet Services a.
g. Enter the unique Feature Enable Key provided on the inside cover of the Smart Card Enablement Guide.
h. Select Next. A confirmation message is displayed.
i. Select Next. The Smart Card settings are now ready for configuring.
Note: No services will be restricted until Smart Card has been fully configured using Internet Services.
Configuring the Smart Card
Once the Xerox Smart Card feature has been enabled on the device it can be configured using Internet Services. Follow the instructions below to enable and configure the Smart Card:
1. Access Internet Services and select Properties. Refer to Access Internet Services on page 12 for instructions.
2. Configure the Date & Time to update automatically
   a. Select the General Setup link, then Date & Time.
   b. Select Automatic Using NTP.
   c.
If your site does not register the DC with OCSP:
   a. Uncheck all three Domain Controller OCSP Certificate Validation boxes and add the required Domain Controller.
   b. Select Save. Go back and add other Domain Controllers as required.
If you wish to validate the DC against OCSP before validation of the user:
   a. Check the box for Validate before CAC/PIV Authentication.
   b. Enter the OCSP Server Service URL details.
Note: Depending on your environment, these details may be case sensitive.
6.
g. Ensure Port 88 is selected unless your Kerberos Port is different.
h. Enter the Domain Name (this must be the fully qualified Domain Name).
i. Select Save.
j. If you selected the option that the Domain Controller Signature must match the uploaded Domain Controller Certificate, then a field will be presented to enter that certificate. This field will be missing if it is not required to upload the Domain Controller Certificate.
Hardware Installation
Install the card reader device using the following instructions.
1. Unpack the Smart Card Enablement Kit
The kit contains the following items:
• Xerox Smart Card Enablement Guide (1)
• Four Dual Lock Fastener pads (Velcro) (2)
• Three Cable Ties (3)
• One Ferrite Bead (4)
Ensure you have read the licence agreement and agree to the terms and conditions specified prior to installation.
2. Locate the card reader device being installed
• There are four types of card reader available, one upright model or three slimline models.
• Locate the device being installed and ensure it has been configured.
Note: The System Administrator should configure the cards prior to the card reader being installed on the machine.
3. Attach the ferrite bead to the reader cable.
Note: The ferrite bead should be clipped onto the cable directly behind the connector.
4. Attach the fasteners to the card reader device
• Fasteners have been provided to secure the card reader to the Xerox device.
• Peel back the fastener backing strip.
• Position the fastener on the under-side of the card reader, as shown.
• Repeat for each of the fasteners supplied.
5. Remove the fastener backing strips
When all the fasteners have been attached to the card reader, remove the backing strips on each of the fasteners.
6. Place the card reader on the Xerox device
• Gently place the card reader on the device (do not fix in place at this point).
• Position the card reader in a suitable location and ensure it does not obstruct the opening of the document handler side cover.
• Check the cable has sufficient length to connect to the rear of the network controller.
• Once it is in a suitable location, press firmly on the card reader to fix it in place.
7. Connect the card reader to the Xerox device
• Insert the USB connection into the slot provided on the rear of the network controller.
• Use the cable ties provided to ensure the cabling is neat and tidy.
The hardware installation is now complete.
8. Confirm the installation
• When the card reader and the software have been installed and configured, the Card Reader Detected screen displays on the Xerox device local user interface.
• Select OK. Smart Card is now ready for use.
Note: If the card reader is not detected, refer to Troubleshooting Tips on page 29 for information.
Using Smart Card
Once the Smart Card has been enabled, each user must insert a valid card and enter their Personal Identification Number (PIN) on the touch screen. When a user has finished using the Xerox device, they are then required to remove their card from the card reader to end the session. For instances where a user forgets to remove their card, the machine will end the session automatically after a specified period of inactivity. Follow the instructions below to use the Smart Card:
1.
4 Troubleshooting
For optimal performance from your card reader, ensure the following guidelines are followed:
• The Card Reader is only compatible with network connected products.
• Ensure the Card Reader is plugged into the Network Controller. Refer to Connect the card reader to the Xerox device on page 23 for instructions.
• Do not position the Card Reader in direct sunlight or near a heat source such as a radiator.
• Ensure the Card Reader does not get contaminated with dust and debris.
Fault Clearance
When a fault occurs, a message displays on the User Interface which provides information relating to the fault. If a fault cannot be resolved by following the instructions provided, refer to Troubleshooting Tips on page 29. If the problem persists, identify whether it is related to the card reader device or the Xerox device.
• For problems with the card reader device, contact the manufacturer for further assistance.
Troubleshooting Tips
The table below lists problems with their possible causes and recommended solutions. If you experience a problem during the installation process please refer to the During Installation problem solving table below. If you have successfully installed the Smart Card solution but are now experiencing problems, refer to After Installation on page 30.
After Installation

Problem: Authentication failures

Possible Cause: Incorrect PIN has been entered.
Solution:
• Retry entering the correct PIN. If problem persists, contact the System Administrator for advice.

Possible Cause: Card is locked due to too many failed PIN attempts.
Solution:
• Contact Registration Authority to reload or to get a new card.

Unable to find identity certificate.
Identity certificate has been revoked.
Authentication with Domain Controller Failed.
Unable to validate server certificate.
Problem: Time for date mismatch error

Possible Cause: There is a mismatch between the time and date setting on the Xerox device and the authentication server time or date setting.
Solution:
• Verify that Network Time Protocol is properly set up.
• Verify that the date and time and GMT Offset (Time Zone) is correct, refer to Configure the Date & Time to update automatically on page 14 for instructions.
• Verify that GMT offset is correct for Daylight Savings Time.
A Retrieving the Certificate from a Domain Controller or OCSP Server
1. Access the Domain Controller with a web browser, using the following syntax: https://IP Address of the Domain Controller:636
   For example: https://111.222.33.44:636 where 111.222.33.44 is the IP address of the appropriate server.
2. A Security Alert warning window is displayed, similar to the one shown. Click on View Certificate to proceed.
3. Select the Details tab. Record the name of the Certificate Authority (CA) that issued this certificate, the "Issuer". A certificate from this CA will be required during Smart Card setup.
4. Select the Copy to File button.
5. The Certification Export Wizard is displayed. Select Next.
6. Select Base-64 encoded X.509 (.CER).
7. Select Next.
8. Select Browse. Browse to a directory to save the Certificate.
9. Enter a filename for the Certificate and select Save.
10. Select Next.
11. Select Finish. The Certificate is retrieved from the server and saved in the selected directory. A pop-up message will confirm that the Certificate has been successfully saved. Once saved the Certificate can be loaded onto the device.
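The retrieval described in this appendix, and the option in Preparation of comparing a retrieved DC certificate to the one stored at installation, can also be checked with a script. The Python below is an added example, not part of the Xerox guide or device software; its function names and sample data are assumptions constructed for illustration, and it compares certificates by the SHA-256 fingerprint of their DER bytes so that line-wrapping differences between exports do not matter.

```python
import base64
import hashlib
import hmac
import re
import ssl

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Decode the first certificate in a Base-64 X.509 (.CER) file to DER."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no Base-64 encoded X.509 certificate found")
    # Line endings and wrap width vary by export tool, so strip all whitespace.
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(pem_text):
    """SHA-256 over the DER bytes, as lowercase hex."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()

def fetch_dc_certificate(host, port=636):
    """Return the certificate presented on the LDAPS port as Base-64 text.
    No chain validation happens here (as when clicking through the browser's
    Security Alert), so check the fingerprint against a trusted record."""
    return ssl.get_server_certificate((host, port))

def same_certificate(stored_pem, retrieved_pem):
    """True only when both files encode the identical certificate."""
    return hmac.compare_digest(fingerprint(stored_pem),
                               fingerprint(retrieved_pem))

def _armor(der, width, newline):
    """Wrap DER bytes as a .CER file (used only to build the samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *rows,
                         "-----END CERTIFICATE-----", ""])

# Constructed sample data: placeholder bytes, not a real certificate.
SAMPLE_DER = bytes(range(200))
STORED_CER = _armor(SAMPLE_DER, 64, "\r\n")      # file uploaded at install
RETRIEVED_CER = _armor(SAMPLE_DER, 76, "\n")     # same bytes, other wrapping
OTHER_CER = _armor(SAMPLE_DER[:-1] + b"\x00", 64, "\n")  # last byte differs

if __name__ == "__main__":
    print(same_certificate(STORED_CER, RETRIEVED_CER))  # True
    print(same_certificate(STORED_CER, OTHER_CER))      # False
```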
B Determining the Domain in which your Card is Registered
1. From your PC, click the Start menu and right click on My Computer.
2. From the drop down list, select Properties.
3. When the System Properties window opens, click on the Computer Name tab.
4. Beneath the Full Computer name is the Domain Name. Copy and paste the Domain Name directly into the CAC setup page on the Internet Services user interface. Refer to Configuring the Smart Card on page 14 for instructions.