Managing certificates and other settings

Using certificates, devices can identify themselves on a network. Using public-key cryptography, certificates allow devices to establish secure and encrypted connections with printing hosts and authentication servers.

Devices are shipped with default certificates designed to suit all purposes. However, an organization's security policies may require that new certificates be installed, especially if devices are communicating with hosts on external networks.

Managing certificates

MVP allows administrators to create, update, and manage the certificates on a supported device.

Creating a new certificate

  1. From the MarkVision Professional Home screen, select Security - Certificate Management from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Click New.

  4. Enter values in the appropriate fields:

    • Friendly Name—Type a name for the certificate (64-character maximum).

    • Common Name—Type a name for the device (128-character maximum).

      Note: Leave this field blank to use the domain name for the device.
    • Organization Name—Type the name of the company or organization issuing the certificate (128-character maximum).

    • Unit Name—Type the name of the unit within the company or organization issuing the certificate (128-character maximum).

    • Country Name—Type the country location for the company or organization issuing the certificate (2-character maximum).

    • Province Name—Type the name of the province where the company or organization issuing the certificate is located (128-character maximum).

    • City Name—Type the name of the city where the company or organization issuing the certificate is located (128-character maximum).

    • Subject Alternate Name—Type the alternate name and prefix that conforms to RFC 2459. For example, enter an IP address using the format IP:1.2.3.4, or a DNS address using the format DNS:ldap.company.com. Leave this field blank to use the IPv4 address (128-character maximum).

Viewing a certificate

  1. From the MarkVision Professional Home screen, select Security - Certificate Management from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Select a certificate from the list.

  4. The details of the certificate are displayed in the Certificate Details window.

Deleting a certificate

  1. From the MarkVision Professional Home screen, select Security - Certificate Management from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Select a certificate from the list.

  4. Click Delete.

  5. Click Yes.

Installing CA Certificates for multiple devices

The CA (or certificate authority) certificates on a device help it to identify the authenticity of other hosts. When a signed certificate is presented to a device, the device checks whether the signing authority for the certificate—its CA certificate—is installed.

  1. From the MarkVision Professional Home screen, select Install CA Certificate from the All Tasks list.

  2. Select the device(s).

  3. Browse to the CA Certificate location.

  4. Click Apply.

    Notes:

    • If more than one device is selected for this task, the CA Certificate is applied to all selected devices and overwrites any existing certificates.
    • Only one CA certificate at a time can be installed on Basic- and Intermediate-level devices. Installing new CA certificates on these devices overwrites any existing certificates. Advanced-level devices support multiple CA certificates. See Overview for more information about the three types of devices supported by MVP.

Setting certificate defaults

MarkVision Professional allows administrators to set default values for certificates generated for a supported device. The values entered here will be present in all new certificates generated in the Security - Certificate Management task, even though those fields will remain blank on-screen.

  1. From the MarkVision Professional Home screen, select Security - Certificate Defaults from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Enter values in the appropriate fields:

    • Common Name—Type a name for the device (128-character maximum).

      Note: Leave this field blank to use the domain name for the device.
    • Organization Name—Type the name of the company or organization issuing the certificate.

    • Unit Name—Type the name of the unit within the company or organization issuing the certificate.

    • Country Name—Type the country location for the company or organization issuing the certificate (2-character maximum).

    • Province Name—Type the name of the province where the company or organization issuing the certificate is located.

    • City Name—Type the name of the city where the company or organization issuing the certificate is located.

    • Subject Alternate Name—Type the alternate name and prefix that conforms to RFC 2459. For example, enter an IP address using the format IP:1.2.3.4, or a DNS address using the format DNS:ldap.company.com. Leave this field blank to use the IPv4 address.

      Note: All fields accept a maximum of 128 characters, except where noted.
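
The field rules listed under Creating a new certificate and Setting certificate defaults can be checked before the values are typed into MVP. The following is an added example, not part of MarkVision Professional; the function names, the dict-based input, and the restriction to a single IP: or DNS: entry are assumptions made for illustration.

```python
import ipaddress
import re

# Length limits (in characters) taken from the field list on this page.
MAX_LEN = {
    "Friendly Name": 64,
    "Common Name": 128,
    "Organization Name": 128,
    "Unit Name": 128,
    "Country Name": 2,
    "Province Name": 128,
    "City Name": 128,
    "Subject Alternate Name": 128,
}

# One DNS label: letters, digits, hyphens, 1-63 chars, no hyphen at either end.
DNS_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_san(entry):
    """Return problems found in one prefixed entry such as 'IP:1.2.3.4'."""
    prefix, sep, value = entry.partition(":")
    if not sep or not value:
        return [f"{entry!r}: expected PREFIX:value"]
    if prefix == "IP":
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        except ValueError:
            return [f"{entry!r}: not a valid IP address"]
    elif prefix == "DNS":
        labels = value.split(".")
        if len(value) > 253 or not all(DNS_LABEL.fullmatch(lab) for lab in labels):
            return [f"{entry!r}: not a valid DNS name"]
    else:
        # Assumption: only the two prefixes shown on this page are accepted here.
        return [f"{entry!r}: prefix must be IP or DNS"]
    return []


def validate_certificate_fields(fields):
    """Check a dict of field name -> value; blank values are allowed."""
    problems = []
    for name, value in fields.items():
        if name not in MAX_LEN:
            problems.append(f"{name}: unknown field")
        elif len(value) > MAX_LEN[name]:
            problems.append(f"{name}: longer than {MAX_LEN[name]} characters")
    country = fields.get("Country Name", "")
    # X.509 countryName holds a two-letter ISO 3166 code, so "U1" or "U" fails.
    if country and not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append("Country Name: expected a two-letter country code")
    san = fields.get("Subject Alternate Name", "")
    if san:
        problems.extend(check_san(san))
    return problems


if __name__ == "__main__":
    # Constructed sample values; the SAN is missing its IP: prefix.
    sample = {"Friendly Name": "Lobby printer", "Country Name": "US",
              "Subject Alternate Name": "1.2.3.4"}
    for problem in validate_certificate_fields(sample):
        print(problem)
```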

Viewing basic certificate information

To view basic information about the certificates stored on a device or group of devices:

  1. From the MarkVision Professional Home screen, select Security - Certificate Management from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. The Device Certificates table displays basic certificate information for the selected device(s):

    • Friendly Name—This is a user-defined name for the certificate.

    • Common Name—This is a user-defined name for the printer.

    • Issuer Common Name—If a certificate is signed, this field will display the CA information for the certificate; if it is not signed, this field will display the Common Name.

    • Device Name—This is the name of the device as displayed in the MVP device list.

      Note: MVP displays the Device Name field because the same certificate could be stored on multiple devices. Because it manages settings for only one device, the Embedded Web Server does not display the Device Name field.

Signing certificates

If a device is required to communicate securely across different domains, the security provided by normal (unsigned) certificates may not be adequate. Unsigned certificates may thus need to be signed by a certificate authority (CA). CA-signed certificates are considered genuine and are required while communicating securely with unknown hosts.

  1. From the MarkVision Professional Home screen, select Security - Certificate Management from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Select a certificate from the list, and then click Download Signing Request.

  4. Browse to find a location to save the .csr file, and then click Save.

    Note: The .csr file contains the device certificate information in hashed form, minus the private key. This file must be submitted to a CA, which will generate a signature of the file by encrypting the information contained in the file. The CA also appends its public key to the signature, and may include other information such as the CA name, a unique serial number, issue date, and validity period. The signature file must be in PEM format.
  5. Once you have received a valid PEM file from the CA, repeat steps 1 and 2 to return to the Security - Certificate Management task.

  6. Select the same certificate from step 3 above, and then click Install new signature.

  7. Browse to find the new PEM file, and then click Add.

    Note: If the public key of the signed certificate does not match the private key of the selected device certificate, an error message will be displayed and the signature will not be installed.
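
Before step 6, the PEM file returned by the CA can be compared against the saved .csr to confirm that it carries the same public key, which is the condition the note above describes. This is an added example using only the Python standard library, not MarkVision Professional code; it compares SubjectPublicKeyInfo bytes only and does not verify the CA's signature, and the sample CSR and certificate are constructed with dummy key and signature bytes.

```python
import base64

def pem_to_der(pem_text):
    """Drop the BEGIN/END armor lines and decode the base64 body."""
    body = [ln for ln in pem_text.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def read_tlv(buf, pos):
    """Parse the DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(element):
    """Return (tag, full_encoding) for each element nested inside `element`."""
    _, pos, end = read_tlv(element, 0)
    out = []
    while pos < end:
        tag, _, nxt = read_tlv(element, pos)
        out.append((tag, element[pos:nxt]))
        pos = nxt
    return out

def spki_from_csr(der):
    # CertificationRequest -> CertificationRequestInfo -> [version, subject, SPKI, attrs]
    info = children(der)[0][1]
    return children(info)[2][1]

def spki_from_cert(der):
    # Certificate -> TBSCertificate; v2/v3 certificates start with an [0] version tag
    fields = children(children(der)[0][1])
    first = 1 if fields[0][0] == 0xA0 else 0
    # serial, signature algorithm, issuer, validity, subject, then SubjectPublicKeyInfo
    return fields[first + 5][1]

def signature_matches_request(csr_pem, cert_pem):
    """True when the CA-issued certificate carries the key the CSR asked for."""
    return spki_from_csr(pem_to_der(csr_pem)) == spki_from_cert(pem_to_der(cert_pem))

# --- constructed sample data: structurally valid DER, dummy key and signature ---
def enc(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

SIG_ALG = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")), enc(0x05))
DUMMY_SIG = enc(0x03, b"\x00" + b"\xaa" * 32)

def name(cn):
    return enc(0x30, enc(0x31, enc(0x30, enc(0x06, bytes.fromhex("550403")), enc(0x0C, cn.encode()))))

def spki(key):
    alg = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010101")), enc(0x05))
    return enc(0x30, alg, enc(0x03, b"\x00" + key))

def make_csr(cn, key):
    info = enc(0x30, enc(0x02, b"\x00"), name(cn), spki(key), enc(0xA0))
    return to_pem("CERTIFICATE REQUEST", enc(0x30, info, SIG_ALG, DUMMY_SIG))

def make_cert(cn, issuer, key):
    validity = enc(0x30, enc(0x17, b"250101000000Z"), enc(0x17, b"260101000000Z"))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), SIG_ALG,
              name(issuer), validity, name(cn), spki(key))
    return to_pem("CERTIFICATE", enc(0x30, tbs, SIG_ALG, DUMMY_SIG))

if __name__ == "__main__":
    csr = make_csr("printer01.example.com", b"\x11" * 64)
    for key in (b"\x11" * 64, b"\x22" * 64):   # matching key, then a different key
        cert = make_cert("printer01.example.com", "Example CA", key)
        print(signature_matches_request(csr, cert))
```

On real files, pass the text of the saved .csr and of the CA's PEM file to signature_matches_request.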

Importing certificate stores (SSL)

For communication to occur via SSL (Secure Sockets Layer), a print server must first have a certificate registered for each socket using SSL. A socket is the combination of an IP address and a port.

To upload a new SSL certificate store to a device:

  1. From the MarkVision Professional Home screen, select Security - SSL Setup from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Click Browse to find the appropriate certificate store, then click Import.

  4. Click Apply to upload the certificate store to the device.

    Notes:

    • Clicking List Certificates will display a list of certificates available on a device.
    • Clicking Delete Certificates will delete all SSL certificates from a device.

Entering a password to access a secured device

For older-generation devices, you can enter the device password to gain access to the device in MarkVision by using the procedure described below. For more sophisticated devices, you will need to update the MarkVision Server authentication settings to match those on the device.

  1. From the MarkVision Professional Home screen, select Security - Enter Device Password from the All Tasks list.

  2. Select a device.

  3. Type the device password.

  4. Click Apply.

Creating, editing, or deleting a device password (basic)

  1. From the MarkVision Professional Home screen, select Security - Set Device Password from the All Tasks list.

  2. Select a device using the Quick Find or Folders tabs.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Edit the Current Password box accordingly.

    • To create a new device password, delete any text from the Current Password text box, and then proceed to the next step.

    • To change an existing device password, type the device password.

  4. Type the new password in the New Password box.

  5. Confirm the password by typing it again.

    The indicator light to the right of the text box turns green when the two passwords match.

    Note: To delete an existing device password, simply remove any text from the New Password and Confirm New Password text boxes.
  6. Click Apply.

Adding a password to the device password list

MVP will attempt to use the passwords stored in the device password list to authenticate password-protected devices until it finds a match. It will enable access to the device if a match is found; otherwise, the name of the device will be displayed in red.

  1. From the MarkVision Professional Home screen, select Security - Basic Credentials from the All Tasks list.

  2. Click Add.

  3. Type a new password.

  4. Click OK.

Editing a password from the device password list

  1. From the MarkVision Professional Home screen, select Security - Basic Credentials from the All Tasks list.

  2. Select a device using the Quick Find or Folders tabs.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Click Edit.

  4. Type a new password.

  5. Confirm the changed password.

  6. Click OK.

Deleting a password from the device password list

  1. From the MarkVision Professional Home screen, select Security - Basic Credentials from the All Tasks list.

  2. Select a device using the Quick Find or Folders tabs.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Select the password(s) to delete.

  4. Click Remove.

  5. Click Yes.

    Note: Click Remove All to delete all passwords from the list.

Using a device policy to set device passwords

  1. From the MarkVision Professional Home screen, select Device Policies - Create/Manage from the All Tasks list.

  2. Click New.

  3. Select For Any Print Server, and then click Continue.

  4. Enter a name for the policy.

  5. Expand the Security folder.

  6. Select the Password check box.

  7. Enter the current password, followed by a colon and the new password. (For example: veronica:betty.)

    Notes:

    • To set a password for devices with no current password, enter a colon followed by the new password.
    • To clear a current password, enter the current password followed by a colon.
    • Because MVP uses the colon as a delimiter, device passwords must not contain colons.
  8. Click Apply, and then click Close.

    The new device policy can now be applied to devices using the Device Policies - Apply task.

    Note: The password will not be changed for any device with a current password that does not match the current password entered.

Configuring advanced credentials

MarkVision Professional allows users to store multiple security credentials on the MVP Server to be used later when authenticating to supported devices. The Security - Advanced Credentials task allows users to store authentication credentials on the MarkVision Server. These credentials allow the MarkVision Server to create and assign a security template to the RemoteManagement access control, thereby securely authenticating to sophisticated next-generation devices that have protected remote management. Only one set of authentication credentials can be stored per MarkVision Server.

  1. From the MarkVision Professional Home screen, select Security - Advanced Credentials from the All Tasks list.

  2. Enter the User ID, Password, PIN, and Kerberos Realm to be stored on the MVP Server.

    Note: The indicator light changes to green when the two passwords are identical. When the passwords do not match, the indicator light remains red.
  3. Click Apply.

Setting a communication password

A communication password helps establish a secure connection between a device and the MarkVision server. It is possible to communicate securely even if the device does not use a password; however, if a password is set for a device, it must match the server password in order to establish a secure channel.

  1. From the MarkVision Professional Home screen, select Security - Communication Password from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Click Synchronize with Server.

  4. Click Yes.

    Note: Click the check box if you want to change the server communication password before synchronizing.
  5. Click OK.

    Note: Click Remove password to cancel the device password.

Changing on-board security for a device

This function allows MVP administrators to make changes to select security settings on supported devices. This will override any previous changes made to the settings on the device itself.

  1. From the MarkVision Professional Home screen, select Security - On-Board Security from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Select an authentication method. The choices include Internal, Kerberos 5, LDAP, LDAP + GSSAPI, and NTLM.

  4. Set the delay in seconds (between 1 and 900) before a user is automatically logged out of a device.

  5. Enter a value for the Scan to PC Port Range. This is a setting for MVP administrators who have a port-blocking firewall between an MFP and its users. A valid entry consists of two port numbers separated by a colon.

  6. Click Apply to save changes, or click Undo to clear all fields and start over.

Configuring menu lockout

Administrators can use MVP to PIN-protect the Paper, Reports, Settings, and Network menus on supported devices.

  1. From the MarkVision Professional Home screen, select Security - Menu Lockout Setup from the All Tasks list.

  2. Select a device using the Quick Find or Folders tabs.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Select or deselect menus to protect in the Password Protect section.

  4. Type a PIN number in the Enter PIN text box, and then re-type it in the Re-enter PIN text box.

    Notes:

    • PINs should use only the digits 0-9 and should be four characters long.
    • The indicator light will change to green when the two PINs match; it will remain red if the PINs do not match.
  5. Click Apply to save changes, or click Undo to cancel changes and start over.

Configuring confidential printing

Users printing confidential or sensitive information may opt to use the confidential print option, which allows print jobs to be PIN-protected so that they remain in the print queue until the user enters a PIN on the operator panel of the device. MarkVision Professional enables administrators to configure the settings for the confidential print option.

  1. From the MarkVision Professional Home screen, select Security - Confidential Print Setup from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Select an option for Max Invalid PIN:

    • Select Off to allow users to enter an incorrect PIN as many times as they choose.

    • Select a value of between 2 and 10 to specify the number of times users can enter an incorrect PIN before being locked out.

  4. Select an option for Job Expiration:

    • Select Off to allow unprinted confidential print jobs to remain in the print queue indefinitely.

    • Select a value of 1 hour, 4 hours, 24 hours, or 1 week to specify the amount of time that an unprinted confidential print job will remain in the print queue before being automatically deleted.

  5. Click Apply to save changes, or click Undo to reset both fields.

Configuring security audit log settings

The security audit log allows administrators to monitor security-related events on a device including, among others, user authorization failures, successful administrator authentication, or Kerberos files being uploaded to a device. This is an especially important feature for environments where highly confidential or sensitive information is handled.

  1. From the MarkVision Professional Home screen, select Security Audit Log from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Enter or adjust values in the appropriate fields.

  4. Click Apply to save changes to the security audit log settings, or click Undo to reset the fields and start over.

Note: The security audit log for a device can be viewed and deleted on the Embedded Web Server (EWS) page for each device. You can launch the EWS page for a device using the Web Page (Print Server) task in the All Tasks list.

Configuring 802.1x authentication

Though normally associated with wireless network connections, 802.1x authentication is also used on wired networks to create port-based connections.

Note: If using digital certificates to establish a secure connection to the authentication server, you must configure them on the printer before changing 802.1x authentication settings. For more information on configuring digital certificates, see Managing certificates.
  1. From the MarkVision Professional Home screen, select 802.1x from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Adjust the settings as necessary:

    • Select the Active check box to enable 802.1x authentication.

    • Type the login name and password the printer will use to log in to the authentication server.

    • Select the Validate Server Certificate check box to require verification of the security certificate on the authenticating server.

      Note: Server certificate validation is integral to TLS (Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), and TTLS (Tunneled Transport Layer Security).
    • From the 802.1x Device Certificate list, choose the digital certificate you want to use. If only one certificate has been installed, Default will be the only choice listed.

  4. Under Allowable Authentication Mechanisms, choose which authentication protocols the printer will recognize by clicking the check box next to each applicable protocol.

  5. From the TTLS Authentication Method list, choose which authentication method will be accepted through the secure tunnel created between the authentication server and the printer.

  6. Click Apply to save the changes, or Undo to restore the default settings.

    Note: Changes to these settings will cause the print server to reset.

Setting up SNMP

Simple Network Management Protocol (SNMP) is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. The Embedded Web Server allows administrators to configure settings for SNMP versions 1 through 3.

SNMP Version 1, 2c

  1. From the MarkVision Professional Home screen, select Security - SNMP from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. In the SNMP V1/V2c Enabled field, select Yes.

  4. Type a name to be used for the SNMP Community identifier (the default community name is public).

  5. To facilitate the automatic installation of device drivers and other printing applications, select Yes in the Enable PPM Mib (Printer Port Monitor MIB) field.

  6. Click Apply to finalize changes, or Undo to restore default values.

SNMP Version 3

  1. From the MarkVision Professional Home screen, select Security - SNMP from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

  3. In the SNMP Version 3 field, select the Yes check box.

  4. To allow remote installation and configuration changes as well as device monitoring, type an SNMPv3 Read/Write (R/W) User name and Password in the appropriate fields.

  5. To allow device monitoring only, type an SNMPv3 Read Only (R/O) User name and Password in the appropriate fields.

  6. From the SNMPv3 Minimum Authentication Level list, select Authentication, No Privacy; Authentication, Privacy; or No Authentication, No Privacy.

  7. From the SNMPv3 Authentication Hash list, select MD5 or SHA1.

  8. From the SNMPv3 Privacy Algorithm list, select DES, AES-128, AES-192, or AES-256.

  9. Click Apply to save changes, or Undo to restore default values.
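
The choices offered in the SNMP Version 1, 2c and SNMP Version 3 tasks differ in strength, so a recorded inventory of each device's values can be reviewed for the weaker ones. The following is an added example, not MarkVision Professional code; the dict-per-device inventory (keyed by the field names used on this page) and the severity labels are assumptions, and the sample fleet is constructed.

```python
SEVERITY_ORDER = {"high": 0, "medium": 1}


def audit(settings):
    """Return (severity, message) findings for one device's SNMP field values."""
    findings = []
    if settings.get("SNMP V1/V2c Enabled") == "Yes":
        # v1/v2c rely on the community name alone, and it is not encrypted.
        findings.append(("high", "v1/v2c enabled: community name crosses the network in cleartext"))
        # Per this page, the default community name is public.
        if settings.get("SNMP Community", "public") == "public":
            findings.append(("high", "community name is still the default 'public'"))
    if settings.get("SNMP Version 3") == "Yes":
        level = settings.get("SNMPv3 Minimum Authentication Level")
        if level == "No Authentication, No Privacy":
            findings.append(("high", "SNMPv3 accepts unauthenticated, unencrypted requests"))
        elif level == "Authentication, No Privacy":
            findings.append(("medium", "SNMPv3 requests may be sent without encryption"))
        if settings.get("SNMPv3 Authentication Hash") == "MD5":
            findings.append(("medium", "authentication hash is MD5; SHA1 is the stronger option offered"))
        if settings.get("SNMPv3 Privacy Algorithm") == "DES":
            findings.append(("medium", "privacy algorithm is DES; choose one of the AES options"))
    # sorted() is stable, so findings of equal severity keep their insertion order.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def audit_fleet(inventory):
    """Map device name -> findings, leaving out devices with nothing to report."""
    results = {device: audit(settings) for device, settings in inventory.items()}
    return {device: found for device, found in results.items() if found}


# Constructed sample inventory (hypothetical device names and values).
SAMPLE_FLEET = {
    "prn-a": {"SNMP V1/V2c Enabled": "Yes", "SNMP Community": "public"},
    "prn-b": {"SNMP Version 3": "Yes",
              "SNMPv3 Minimum Authentication Level": "Authentication, Privacy",
              "SNMPv3 Authentication Hash": "SHA1",
              "SNMPv3 Privacy Algorithm": "AES-256"},
    "prn-c": {"SNMP Version 3": "Yes",
              "SNMPv3 Minimum Authentication Level": "Authentication, No Privacy",
              "SNMPv3 Authentication Hash": "MD5",
              "SNMPv3 Privacy Algorithm": "DES"},
    "prn-d": {"SNMP Version 3": "Yes",
              "SNMPv3 Minimum Authentication Level": "No Authentication, No Privacy",
              "SNMPv3 Authentication Hash": "SHA1",
              "SNMPv3 Privacy Algorithm": "AES-128"},
}

if __name__ == "__main__":
    for device, found in audit_fleet(SAMPLE_FLEET).items():
        for severity, message in found:
            print(f"{device}: [{severity}] {message}")
```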

Setting SNMP Traps

After configuring SNMP Version 1, 2c or SNMP Version 3, you can further customize which alerts are sent to the network management system by designating SNMP “traps”, or events that trigger an alert message.

  1. From the MarkVision Professional Home screen, select SNMP Traps from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

  3. Click Add.

  4. From the IP Address list, click one of the blank IP address entries (shown as 0.0.0.0).

  5. Click the check box next to each condition that should generate an alert.

  6. Click Apply to save changes, or Cancel to clear all fields.