Xerox WorkCentre 5740 User Manual
User Data Encryption
WorkCentre™ 5735/5740/5745/5755/5765/5775/5790 System Administrator Guide 181

• Ensure the system time configured on the device is accurate. This is used to set the start time for self signed certificates.

Enable Secure HTTP (SSL)

Security certificates cannot be configured until the secure HTTP Protocol (SSL) is enabled:

1. From the Properties tab, click on the [Connectivity] link.
2. Click on the [Protocols] link.
3. Select [HTTP] in the directory tree.
4. In the Configuration area:
   a. Under Secure HTTP (SSL), select [Enabled].
   b. Enter the [Secure HTTP Port Number] if required.
5. Click on the [Apply] button.

• Close your web browser and then access Internet Services screen again. The Security warning appears. Self-signed certificates usually cause browsers to display messages which question the trust of the certificate. Click on the [OK] button to continue.

To Create a Digital Certificate

Note: To configure this feature or these settings access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Select [Security Certificates] in the directory tree, the Security Certificates page displays.
3. To create a Self Signed certificate:
   a. Select the [Xerox Device Certificate] tab.
   b. Click on the [Create New Xerox Device Certificate] button.
   c. Complete the Self Signed Certificate form with details for:
      • 2 Letter Country Code
      • State/Province Name
      • Locality Name
      • Organization Name
      • Organization Unit
      • Subject Alternative Name (if required)
      • E-mail Address
      • Days of Validity
      Note: Common Name on the form is generated by the device and cannot be changed.
   d. Click on the [Finish] button to continue. Values from the form will be used to establish a self-signed certificate, and you will be returned to the Security Certificates page.

Note: A Xerox Device Certificate is inherently less secure than installing a certificate signed by a trusted, third party Certificate Authority (CA). However, specifying a self-signed certificate is the easiest way to start using SSL. A self-signed certificate is also the only option if your company does not have a Server functioning as a Certificate Authority (Windows 2000 running Certificate Services, for example), or does not wish to use a third party CA.
4. To create a Certificate Signing Request:
   a. Select the CA-Signed Device Certificate(s) tab.
   b. Click the [Create Certificate Signing Request (CSR)] button.
   c. Complete the Certificate Signing Request (CSR) form with details for:
      • 2 Letter Country Code
      • State/Province Name
      • Locality Name
      • Organization Name
      • Organization Unit
      • Subject Alternative Name (if required)
      • E-mail Address
      Note: Common Name on the form is generated by the device and cannot be changed.
   d. Click on the [Finish] button to continue. Values from the form will be used to generate a Certificate Signing Request.
   e. When the process is complete, you will be prompted to save the Certificate Signing Request. Right-click on the [Right-click to save this certificate for submission to a trusted certificate authority] link and select [Save Target As].
   f. Save the Certificate to your hard drive and send it to a Trusted Certificate Authority.
   g. Select [Logout] in the upper right corner of your screen if you are still logged in as Administrator, and click on the [Logout] button.

To Upload a Signed Certificate

When a signed certificate is received from the Trusted Certificate Authority, upload the certificate to the device.

Note: To configure this feature or these settings access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Select [Security Certificates] in the directory tree.
3. Select the CA-Signed Device Certificate(s) tab.
4. Click the [Install CA-signed Device Certificate] button.
5. Click the [Browse] button to locate the signed certificate. Click on the [Open] button.
6. Click on the [Next] button. The details of the Certificate are displayed. Change the friendly name of the Certificate if required and click [Next].
7. The digital certificate will appear in the installed certificates list.

   Note: For the upload to be successful, the signed certificate must match the CSR created by the device and must be in a format that the device supports.
   Note: The device only supports certificates of type “Base64”.

8. To view installed certificates:
   a. Select [Security Certificates] in the directory tree for [Security].
   b. Click on the checkbox for the required certificate in the list.
   c. Click [View/Save]. The certificate details are displayed.

IP Sec

IP Sec (IP Security) consists of the IP Authentication Header and IP Encapsulating Security Payload protocols, which secure IP communications at the network layer of the group of protocols, using both authentication and data encryption techniques. The ability to send IP Sec encrypted data to the printer is provided by the use of a public cryptographic key, following a network negotiating session between the initiator (client workstation) and the responder (printer or server).

To send encrypted data to the printer, the workstation and the printer have to establish a Security Association with each other by verifying a matching password (shared secret) to each other. If this authentication is successful, a session public key will be used to send IP Sec encrypted data over the TCP/IP network to the printer. Providing additional security in the negotiating process, SSL (Secure Sockets Layer protocols) are used to assure the identities of the communicating parties with digital signatures (individualized checksums verifying data integrity), precluding password guessing by network sniffers.

IP Sec security settings are the means by which an administrator can configure multiple groups of hosts and groups of protocols. This feature is also used to set up IPsec and IKE (Internet Key Exchange) protocols on the printer. The IP Sec implementation is a ‘full’ implementation: the device can initiate a connection for print, scan and administration, and fully work with other industry IPsec nodes.

IPsec is necessary for securing many protocols including:
• LPR and Port9100 printing
• FTP Filing
• Scan to E-mail
• LDAP
• Internet Fax

Security Policies:

To Enable IP Sec

Note: IP Sec cannot be enabled until SSL (Secure Sockets Layer) is enabled on the device. To enable SSL on a device, the device needs to have a Server Certificate. For instructions to set up a Server Certificate, refer to Security Certificate Management on page 179.

Note: To configure this feature or these settings access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Select [IP Sec] in the directory tree.
3. Ensure [Security Policies] tab is highlighted under the IPsec heading.
4. In the Settings area, check the [Enabled] checkbox for Enablement to enable IP Sec.
5. Click on the [Apply] button.

Note: It is recommended that IP Sec is enabled after the Host Groups, Protocol Groups and Action have been configured and defined.

Define Policy
An IPsec Policy is a set of conditions, configuration options and security settings which allows two systems to agree on how to secure traffic between them. Multiple policies can be simultaneously active, however the scope and policy list order may alter the overall policy behavior.

Note: Before creating Policies, configure Host Groups, Protocol Groups and Actions.

6. In the Define Policy area, there are three policy options:
   • Hosts Groups
   • Protocol Groups
   • Action
   This area allows you to select settings for allowing or disallowing Hosts and Protocols and what action to be taken.
7. For each individual option select settings from each drop-down menu.
8. Click on the [Add Policy] button.

Saved Policies

9. In the Saved Policies area, there will be a list of all the policies saved.
10. To delete a policy, highlight the policy and click on the [Delete] button.
11. Also you can prioritise an individual policy by clicking the [Promote] and [Demote] buttons.

Disable IP Sec at the device

Note: To configure this feature or these settings access the Tools pathway as a System Administrator. For details, refer to Access Tools Pathway as a System Administrator on page 18.

1. From the Tools pathway, touch [Network Settings].
2. Touch [IP Sec].
3. Touch [Disable], then touch [Save].
4. Press the button.
5. Touch [Logout] to exit the Tools pathway.

Host Groups

Host Group page allows you to view and manage host groups. A host group is a logical grouping of hosts based on their specific IP Address or subnet address range. This option displays all the Host Groups saved and the details of each Host Group.

At your Workstation:

Note: To configure this feature or these settings access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Select [IP Sec] in the directory tree.
3. Ensure [Host Groups] tab is highlighted under the IPsec heading.
4. Host Groups can be deleted by highlighting a Host Group in the IP Host Group area, and clicking on the [Delete] button. If the Host Group selected is not being used by a security policy, then click on the [OK] button.
5. To add or edit a Host Group in the IP Host Group area, either click on the [Add New Host Group] button or highlight a Host Group and click on the [Edit] button.

   Note: If you change the name of the Host Group that is being used in the Security policy, then the updated host group name will also be reflected in the security policy details.

6. In the IP Host Group Details area:
   a. To define or modify a Host Group enter the name of the Host Group in the [Name] field.
   b. Enter a description or purpose of this Host Group in the [Description] fields.
7. In the Address List area select at least one set of network information.
   a. Select either [IPv4] or [IPv6].
   b. From the Address Type drop-down menu, select one of the following:
      • Specific - to specify a single IP Address.
      • All - if all addresses of the IP type are to be included.
      • Subnet - to specify a range of IP Addresses.
   c. For the [IP Address] field, enter the Specific or Subnet address range. For a Subnet range, enter the lowest IP Address in the fields provided, then the final IP lower octet (for IPv4) or range (for IPv6) in the final field.
   d. Click on the [Add] button, to add the address range to the host group.
8. Click on the [Save] button to return to the IPsec page.
9. Click on the [OK] button when you see the message “Properties have been successfully modified” to save changes and return to the IP Sec page.

Protocol Groups

This option displays all the Protocol Groups saved and the details of each Protocol Group.

1. From the IP Sec page, click on the [Protocol Groups] tab under IPsec heading.
2. Protocol Groups can be deleted by highlighting a Protocol Group in the IP Protocol Groups area and clicking on the [Delete] button. If the Protocol Group selected is not being used by a security policy, then click on the [OK] button.
3. To add or edit a Protocol Group in the IP Protocol Groups area click on either the [Add New Protocol Group] button or highlight a Protocol Group and click on the [Edit] button.

   Note: If you change the name of a Protocol Group that is being used in Security policy, then the updated protocol group name will also be reflected in the security policy entry.

   a. In the IP Protocol Group Details area, enter the name of the protocol group in the [Group Name] field.
   b. Enter description for this protocol group in the [Description] field.
   c. Check the required services checkboxes for this protocol group under [Service Name].
4. In the Custom Protocol area:
   a. Check the corresponding checkboxes to select or deselect a custom protocol. Enter details in the [Service Name] field.
   b. From the [Protocol] drop-down menu select the protocol type.
   c. Enter the port number in the [Port] field.
   d. From the [Device is] drop-down menu, select either [Server] or [Client].

   Note: The Service Name, Protocol Type, Port Number and Device is fields for a Custom Protocol will be disabled when its associated checkbox is unchecked.

5. Click on the [Save] button to return to the IPSec page.

Actions

This option displays the list of actions associated with the IPsec security policies. You can view and manage IP actions that can be used in the security policies.

1. From the IP Sec page, click on the [Actions] tab under IPsec heading.
2. To delete an Action, highlight an Action in the IP Actions area and click on the [Delete] button. If the Action selected is not being used by a security policy, then click on the [OK] button.
3. To add or edit an Action, in the IP Protocol Group area:
   a. Click either on the [Add New Action] button to add a new Action or highlight an Action and click on the [Edit] button to edit details of an Action.

   Note: If you change the name of an Action that is being used in Security policy, then the updated action name will also change in the security policy entry.

4. Step 1 of 2 page displays, in the IP Action Details area:
   a. Enter a name for this IP Action in the [Action Name] field.
   b. Enter description for this IP Action in the [Description] field.
5. In the Keying Method area:
   a. Select a Keying Method. This will specify the type of authentication used in an IP Sec policy. Select one of the following:
      • Manual Keying - this method is used if client devices are not configured for, or do not support, IKE.
      • Internet Key Exchange (IKE) - this is a keying protocol that works on top of IPsec. IKE offers a number of benefits including: automatic negotiation and authentication; anti-replay services; certification authority (CA) support; and the ability to change encryption keys during an IPsec session. Generally, IKE is used as part of virtual private networking.
      • X.509 Certificate (Local Certificate) - this is a public key certificate.
      • Trusted Root Certificate.
      • Pre-shared Key Passphrase - the use of pre-shared key authentication is not recommended because it is a relatively weak authentication method.
   b. If you select [Internet Key Exchange (IKE)], enter the pre-shared key passphrase in the [Pre-shared Key Passphrase] field.

   Note: Only one Action may be created when selecting Internet Key Exchange (IKE) Keying Method.

6. Click on the [Next] button to display the Step 2 of 2 screen.

If you Selected Manual Keying as the Keying Method:

1. In the Mode Selections area, select one of the [IPsec Mode] options from the drop-down menu:
   • Transport Mode - this is the default Mode for IP Sec. This only encrypts the IP payload.
   • Tunnel Mode - this mode encrypts the IP header and the payload. It provides protection on an entire IP packet by treating it as an AH (Authentication Header) or ESP (Encapsulating Security Payload) payload. When this mode is selected, you have the option of specifying a host IP Address.
2. In the Security Selections area select preferred option and enter the required information.
3. Click on the [Save] button to return to the IP Sec - Action page.

If you Selected Internet Key Exchange (IKE) as the Keying Method:

IKE Phase 1 authenticates the IPSec peers and sets up a secure channel between the peers to enable IKE exchanges. IKE Phase 2 negotiates IPSec Security Associations (SAs) to set up the IP Sec tunnel.

1. In the IKE Phase 1 area:
   a. For [Key Lifetime] enter length of time that this key will live, either in seconds, minutes or hours.
   b. Select required option from the [DH Group] drop-down menu. Choose one of following:
      • DH Group 2 - which provides a 1024 bit Modular Exponential (MODP) keying strength.
      • DH Group 14 - which provides a 2048 bit MODP keying strength.
      Diffie-Hellman (DH) is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys.
   c. For Hash - Encryption, check the required checkboxes:
      • SHA1 (Secure Hash Algorithm 1) and MD5 (Message Digest 5) are one-way hashing algorithms used to authenticate packet data. Both produce a 128-bit hash. The SHA1 algorithm is generally considered stronger but slower than MD5. Select MD5 for better encryption speed, and SHA1 for better security.
      • 3DES (Triple-Data Encryption Standard) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput.
      • AES (Advanced Encryption Standard) is a more secure method compared to 3DES.
2. In the IKE Phase 2 area:
   a. Select from the [IPSec Mode] drop-down menu one of the following:
      • Transport Mode - this provides a secure connection between two endpoints as it encapsulates the IP payload, while Tunnel Mode encapsulates the entire IP packet.
      • Tunnel Mode - this provides a virtual ‘secure hop’ between two gateways. It is used to form a traditional VPN, where the tunnel generally creates a secure tunnel across an untrusted Internet.
   b. If you select [Tunnel Mode], then select either [Disabled], [IPv4 Address] or [IPv6 Address].
   c. If you select IPv4 Address or IPv6 Address, enter IP Address details.
   d. From the [IPsec Security] drop-down menu, select either Both, ESP or AH. AH (Authentication Header) and ESP (Encapsulating Security Payload) are the two main wire-level protocols used by IPsec, and they authenticate (AH) and encrypt and authenticate (ESP) the data flowing over that connection. They can be used independently or together.
   e. For [Key Lifetime] enter length of time that this key will be valid for, either in seconds, minutes or hours.
   f. Select the preferred option from the [Perfect Forward Secrecy] drop-down menu. Default is ‘None’.
   g. Check the required checkboxes for [Hash] and [Encryption]. Hash refers to the authentication mode, which calculates an Integrity Check Value (ICV) over the packet's contents. This is built on top of a cryptographic hash (MD5 or SHA1). Encryption uses a secret key to encrypt the data before transmission. This hides the contents of the packet from eavesdroppers. Algorithm choices are AES and 3DES.

   Note: Encryption will not be shown if [IPsec Security] is set to AH.

3. Click on the [Save] button to return to the IPSec - Action page.
Security Certificates

A Trusted Certificate Authority is a Certificate Authority (CA) that is trusted to authenticate digital certificates. This page allows trusted root certificates to be uploaded to a server so that the server will ‘trust’ any certificates that have been signed by that CA.

Digital certificates and the enablement of SSL provide encryption for all workflows where the device is used as a HTTPS server. Workflows include:
• Administration of the device via Internet Services
• Printing via Internet Services
• Printing via IPP
• Scan Template Management
• Workflow Scanning via HTTPS
• Administration of Network Accounting

To Access the Security Certificates Screen

The device exports the signed certificate to the client to establish an SSL/HTTPS connection.

Note: To configure this feature or these settings access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Select [Security Certificates] in the directory tree. The Security Certificates page shows any currently installed trusted root certificates in the Root/Intermediate Trusted Certificate(s) tab.

To Install a Machine Root Certificate

To complete this procedure you must have a digital certificate available. For instructions to configure a digital certificate, refer to Security Certificate Management on page 179.

1. At the Security Certificates screen, select the [Root/Intermediate Trusted Certificate(s)] tab and click on the [Install external Root/Intermediate trusted certificates] button.
2. Click the [Choose File] button to locate the signed certificate from the Trusted Certificate Authority. This file has an extension “CER” or “CRT”. Click on the [Open] button.
3. Click on the [Next] button. The details of the Certificate are displayed. Change the friendly name of the Certificate if required and click [Next].
4. The digital certificate will appear in the installed certificates list in the Root/Intermediate Trusted Certificate(s) area.

To Delete a Certificate

1. At the Security Certificates screen, select a certificate from the list in the Installed Certificate area.
2. Click on the [Delete] button.
3. Click on the [OK] button when the acknowledgement message appears.

To Request a Machine Root Certificate

If the device does not have a trusted root certificate, or if it is using a self-signed certificate, users may see an error message related to the certificate when attempting to connect to the device’s Internet Services server. To resolve this, install the generic Xerox Root CA Certificate in users' Web browsers.

1. At the Security Certificates screen, right-click on the [Download the Generic Xerox Device CA] link which appears at the bottom of the screen, under the installed Certificates list.
2. Select [Save Target As].
3. Browse to the location where you want to save the cacert.crt file and click on [Save]. The cacert.crt file is now ready to be uploaded to any device needing a Machine Root Certificate.
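
The two upload conditions stated under To Upload a Signed Certificate (the certificate must match the CSR created by the device and must be “Base64”) and the root certificate used in To Install a Machine Root Certificate can be checked on the workstation before anything is uploaded. The script below is an added example and is not part of the Xerox guide; it assumes the openssl command-line tool is installed, takes “Base64” to mean PEM encoding, and uses placeholder file names and throwaway sample keys constructed for the demonstration.

```shell
#!/bin/sh
# Pre-upload checks for a CA-signed device certificate (added example).
# Uses only standard openssl subcommands; all file names are placeholders.

# True if the file is a Base64 (PEM) encoded X.509 certificate.
is_base64_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

# Convert a binary (DER) certificate, as some CAs deliver it, to Base64 (PEM).
der_to_base64() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2" 2>/dev/null
}

# True if the certificate carries the public key from the device's CSR,
# i.e. the CA signed the request that this device generated.
cert_matches_csr() {
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# True if the certificate verifies against the CA's root certificate
# (the root file must itself be PEM for openssl verify to read it).
chains_to_root() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check; print the first problem found and return non-zero.
check_upload() {   # args: signed-cert device-csr [root-ca-cert]
    is_base64_cert "$1" || { echo "FAIL: $1 is not Base64 (PEM)"; return 1; }
    cert_matches_csr "$1" "$2" || { echo "FAIL: $1 does not match $2"; return 1; }
    if [ -n "${3:-}" ]; then
        chains_to_root "$1" "$3" || { echo "FAIL: $1 not issued by $3"; return 1; }
    fi
    echo "OK: $1 is ready to upload"
}

# Constructed sample data: a throwaway CA, a stand-in for the device CSR,
# the CA's reply in PEM and DER form, and an unrelated CSR.
make_sample() {   # arg: empty working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-device" \
        -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=other-device" \
        -keyout "$1/other.key" -out "$1/other.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/dev.crt" 2>/dev/null &&
    openssl x509 -in "$1/dev.crt" -outform DER -out "$1/dev.der"
}

# Usage: sh precheck.sh signed.crt device.csr [root-ca.crt]
if [ "$#" -ge 2 ]; then
    check_upload "$@"
fi
```

A certificate that fails the first check can be converted with der_to_base64 and checked again; a failure of the second check means the CA reply belongs to a different request and the device will reject it.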