Original instructions that are in British English. Trademarks Océ, Océ ColorWave, Océ PlotWave are registered trademarks of Océ-Technologies B.V. Océ is a Canon company. Adobe, PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Contents
Chapter 1 Océ Security policy .......... 9
The Océ Security policy .......... 10
Downloads and support for your product .......... 12
Overview of the security features available per Océ System .......... 13
Chapter 2 Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300 ..........
System and Network security .......... 99
Ports - Protocols .......... 99
Applications, protocols and ports .......... 99
Security Patches .......... 102
Install the Océ Remote patch .......... 102
Protocol protection .......... 104
Network protocols protection .......... 104
Prevent any outgoing connection to the Internet .......... 106
Security of the USB connection .......... 107
The USB connection on the printer user interface ..........
Authentication by Smart card .......... 176
Authentication by Contactless card .......... 182
Authentication by user name and password .......... 187
Log out .......... 192
Troubleshooting .......... 195
Hard disk encryption .......... 198
E-Shredding .......... 200
E-shredding presentation .......... 200
Enable the e-shredding in Océ Express WebTools .......... 201
E-shredding process and system behaviour .......... 203
IPsec ..........
Data security .......... 283
E-Shredding .......... 283
IPsec .......... 284
HTTPS (on Océ ColorWave 650 R3.x) .......... 290
How to prevent 'Print from USB' on Océ ColorWave 550/650 (and PP) .......... 297
Smart Inbox management and job management .......... 298
Chapter 6 Security on Océ ColorWave 500 and Océ ColorWave 700 .......... 299
Overview ..........
System and Network security .......... 385
Ports - Protocols .......... 385
Applications, protocols and ports .......... 385
Security Patches .......... 387
Install the Océ Remote patch .......... 387
Protocol protection .......... 389
Network protocols protection .......... 389
Prevent any outgoing connection to the Internet .......... 391
Security of the USB connection .......... 392
The USB connection on the printer user interface ..........
The Océ Security policy
Definition
At Océ, security is an integral part of system development, and the company takes a proactive approach to the improvement of security-related issues. Océ is working to address security requirements across all of its digital document systems. For its printing systems connected to the network, Océ...
• The HTTPS (HTTP over SSL) protocol to encrypt the configuration management data, submitted print data and saved scan data.
• The disk encryption capability with 2 modes: Normal for the encryption of the used space, or Full for the full disk encryption. Because Normal mode encrypts only the used space, remnants of data deleted before encryption was switched on can remain in the clear; choose Full where that matters.
For support information please contact your Canon local representative. Find your local contact for support from: "http://www.canon.com/support/" From the Canon support page, you can also download the printer drivers for the Canon printers, their related user guides and other resources. Chapter 1 - Océ Security policy...
Overview of the security features available per Océ System
Introduction
Find below an overview of the security features for all Océ PlotWave and ColorWave systems.
Security features in all Océ PlotWave systems and in the Océ ColorWave 300, Océ ColorWave 500 and Océ...
User authentication
- By smart card or user name / password for: Océ PlotWave 345, Océ PlotWave 365, Océ PlotWave 450, Océ PlotWave 550, Océ ColorWave 500, Océ ColorWave 700
- By contactless card for: Océ...
Océ Publisher Express access: Access restriction (same in both columns of the table)
Control over actions on jobs: Remote action restriction (same in both columns of the table)
Control over Service operations: Operations made by Service under the control of the System Administrator on: Océ...
IPv6: Yes (IPv6 only, or IPv6 and IPv4 combination), same in both columns of the table
SMB authentication: NTLMv1 (first column); NTLMv2 or NTLMv1 (second column); NTLMv2 or NTLMv1 only for:
- Océ ColorWave 550 R2.2.3 and higher
- Océ...
NTLMv1 is cryptographically weak (its challenge responses can be cracked offline or relayed), so where a system offers NTLMv2, configure the file server to refuse NTLMv1.
Firewall / Network protocols protection: Yes (per protocol, through firewall)
MS security patches: Océ released patches
Security logging: Auditing of security related events
Data encryption on the network: HTTPS for administration (Océ Express WebTools) and for job submission through Océ...
Security on Océ PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300
Overview
Security overview for the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and the Océ ColorWave 300 systems
Introduction
The Océ...
System and Network security
Ports - Protocols
Applications, protocols and ports used in the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and Océ ColorWave 300 systems
Printing applications: security levels, ports and protocols used by the Océ systems
Application / Functionality...
Application / Functionality | System | Supported security levels (x) and open port | Port used on the controller: protocol
Océ...
Scanning / copying applications: security levels, ports and protocols used by the Océ systems
Application / Functionality | System | Supported security levels...
Application / Functionality | System | Supported security levels (x) and open port | Port used on the controller: protocol
SNMP based applications | Océ...
Application / Functionality | System | Supported security levels (x) and open port | Port used on the controller: protocol
Océ...
Security Patches
Install the Océ Remote patch (on Océ PlotWave 300/350, PlotWave 900 R1.x and Océ ColorWave 300)
Introduction
You can install the Océ Remote patches (Security patches) in the following versions of the systems:
• Océ PlotWave 300 1.2.1 and higher
• ...
4. Log in as the System administrator or Power user. All the patches successfully applied (if any) are displayed.
5. Click on the 'Update' icon (top right corner) to open the wizard
6.
Security levels
Security levels presentation
Introduction
Océ defined 3 levels of security according to the customer needs. The presentation below can help you to select the most suitable level.
High security level
The High level is the most secure mode for printing and scanning. The compliant applications are based on:
• ...
Protect the security level with a password
Before you begin
The System Administrator or a Power User can protect the security settings with a password. When the protection is activated, you must type the password on the printer user panel before you can change the security level.
Result
You must type the password on the printer user panel when you want to change the security level.
Set the security level in Océ PlotWave 900 R1.1 and higher R1.x versions
Introduction
The security user interface is available through the Océ...
Prevent any outgoing connection to the Internet
Introduction
Some features of the following systems allow or request a connection over the Internet to work properly:
• Océ PlotWave 300 R1.5 and higher
• Océ PlotWave 350 R1.5 and higher
• ...
Security of the USB connection (Océ PlotWave 300/350, Océ ColorWave 300)
The USB connection on the Local user interface
Introduction
A USB connection is available on the Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300 Local user interface.
NOTE Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers. Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300...
The Power user has both the rights of the Key operator and the System administrator.
• Service: this role is used exclusively by the Canon Service technician.
Passwords policy and behaviour in the Océ PlotWave 300/350 and Océ ColorWave 300...
Passwords used on the Océ printer user panel (Océ PlotWave 300/350 and Océ ColorWave 300)
Important: These passwords can only be made of numbers. A numeric-only code has a small keyspace, so use the longest code the panel accepts.
NOTE Keep these passwords. The loss of these passwords may require the intervention of Canon Service.
Printer panel passwords modification table for Océ PlotWave 300/350 and Océ ColorWave 300...
Passwords policy and behaviour in the Océ PlotWave 900 R1.x
Table columns: Password / pincode for | Backup with 'Save set'? | Restore with 'Open set'?
Rows: Key operator; System administrator; Power user
- When a password is configured as 'No password', the information 'Auto' (meaning 'No password') is stored in the backup file.
Data Security
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature that overwrites any user data (print/copy/scan) when it is deleted from the system. This feature prevents the recovery of any deleted user data (files' content and attributes). A deleted job is a job that cannot be retrieved from any user interface.
Enable/disable the e-shredding (Océ Express WebTools)
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools (use https://<hostname> where HTTPS is configured, so that the administrator login is not sent in clear)
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click Edit
4.
E-shredding process and system behaviour
When you enable the e-shredding
When you enable the e-shredding, the system starts the e-shredding process for all print/scan jobs that will be deleted. The e-shredding process runs as a background task. All processed jobs will be e-shredded as soon as they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of the print and scan jobs by the system (timeout, disabled Smart...
IPsec (on Océ PlotWave 300/350, Océ PlotWave 900 1.2 and higher 1.x, Océ ColorWave 300)
IPsec presentation
Introduction
IPsec is a protocol suite that provides authentication, data confidentiality and integrity in the network communication between devices.
Illustration
IPsec parameters in the Océ Express WebTools (EWT)
The following IPsec parameters are available in the Océ Express WebTools:
IPsec Generic section:
IPsec: General setting to enable or disable IPsec (Enabled/Disabled). Once enabled, only the network traffic defined by the IPsec configuration rules is authorised.
Enable and configure the parameters for each required station. The parameters can be different for each workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one). The generic default key is not specific to your installation, so it does not prove that a peer is yours: set a custom key for every station.
Configure the IPsec settings in the Océ...
6. Keep the other parameters as they are.
7. In the 'IPsec stations' section, click 'Edit'
8. Select 'IPsec station 1: Enable'
9. Enter the 'IPsec station 1: IP address' of the workstation
10.
Configure the IPsec settings on a workstation or a print server
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with administrator rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation.
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
4. Keep 'Local computer' checked and click 'Finish'. The security snap-in is added; click 'OK'
Create the security policy
Procedure
1.
3. Enter the name for the policy and click 'Next'
4. Uncheck 'Activate the default response rule'
5. Uncheck 'Edit properties' and click 'Finish'
Create the filter list
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter lists and filter actions…'
2. In the 'Manage IP filter lists' tab click 'Add'
3. Enter a filter name and a description and click 'Add'
4. Click 'Next' to open the wizard
5. Check the 'Mirrored' checkbox and click 'Next'
6.
8. Select 'Any' as the 'IP Protocol Type' and click 'Next'
9. Click 'Finish'
10. In the 'IP filter list' window, click OK. The filter list is set.
Define the filter actions and security negotiation
Procedure
1.
4. Select 'Negotiate security' and click 'Next'
5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the Operating System) and click 'Next'. This option lets traffic pass in clear when IPsec negotiation fails; like the controller's 'Failsafe mode', keep it only while you test the connection.
6. Select 'Custom' and click on the 'Settings...' button
7.
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
5. Select the filter previously created, then click 'Next'
6. Select the filter action previously created, then click 'Next'
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange (preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings on the Océ controller on page 42), then click 'Next'
9.
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec station to the printer/scanner controller. When the test works properly, it is recommended to disable the 'Failsafe mode' on the printer/scanner controller. A successful ping while 'Failsafe mode' is still on does not prove that IPsec is in use, because the reply may have travelled in clear: check that a security association with the controller exists (IP Security Monitor snap-in, or 'netsh advfirewall monitor show qmsa' on Windows Vista and later) before you disable 'Failsafe mode'.
The impact of IPsec when you print using Océ WPD through a print server
Troubleshooting: emergency procedure to disable IPsec
Introduction
In the following case:
• IPsec is enabled and activated on the printer/scanner controller
• The 'Failsafe mode' is disabled
• The communication between the controller and the IPsec stations fails
You cannot remotely open Océ...
5. Select 'Disabled' to deactivate IPsec
6. Click 'Next' to the end of the procedure
7. Restart the controller
Result
IPsec is disabled. After the restart, you can open Océ Express WebTools remotely from a workstation (HTTP).
5. Change the IPsec setting from 'Enabled' to 'Disabled'.
Result
IPsec is disabled. You can open Océ Express WebTools remotely from a workstation (HTTP).
Prevent USB Direct Print and Scan to USB (Océ PlotWave 300/350, Océ ColorWave 300)
How to prevent 'Print from USB'
Introduction
You can disable any access to the USB device by preventing printing from / scanning to the USB device.
2- Remove the USB destination from all Scan templates
Purpose
Prevent any user from scanning to a USB device.
Illustration
[2] Disable the 'Scan to USB'
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools
2.
HTTPS with Océ PlotWave 900 R1.x
Encrypt print data using HTTPS with the Océ self-signed certificate
Introduction
On Océ PlotWave 900 you can use the HTTPS protocol with the default Océ self-signed certificate:
- to send encrypted print data to the printer controller via Océ Publisher Express
- to securely manage the configuration of the system through Océ...
3. Click on 'Certificate error'
4. Click 'View certificates'
5. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools'. Because it is self-signed, the browser cannot distinguish it from a certificate forged by someone intercepting the connection: compare its thumbprint with a value obtained directly from the controller before you install it.
6. Click 'Install Certificate...'
7. Follow the Wizard's instructions to import the certificate into your web browser:
1.
8. Open the Tools menu\Internet options\Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch". This setting is browser-wide and also silences mismatch warnings for every other site; if you can always reach the controller by the name that matches the certificate's Common Name, leave the warning on.
9. Close ALL instances of Internet Explorer
10. Restart the browser and type the URL of your printer in Internet Explorer (https://[common Name or PrinterHostname or PrinterIPaddress]).
• The certificate is not trusted because it is self-signed
2. In order to view and check the self-signed certificate, continue to add an exception.
3. Click 'I Understand the Risks' and 'Add Exception...'
4.
Smart Inbox management
Configure the Smart Inboxes to manage the access to job data
Use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data. Depending on your system capabilities, go to 'Preferences'/'System settings' to disable or restrict, for example:
•...
Security on Océ PlotWave 750 and Océ PlotWave 900 R2.x
Overview
Security overview for the Océ PlotWave 750 and the Océ PlotWave 900 R2.x systems
Introduction
The Océ PlotWave 750 and the Océ PlotWave 900 R2.x are equipped with the following security features:
Security overview
Operating System...
System and Network security
Ports - Protocols
Applications, protocols and ports used on the Océ PlotWave 750 and the Océ PlotWave 900 R2.x systems
Printing applications: security levels, ports and protocols used by the Océ systems
Application / Functionality...
Application / Functionality | System | Supported security levels (x) and open port (M-H*, ...) | Port used on the controller: protocol
Océ Publisher Mobile | Océ PlotWave 750 / PlotWave 900 R2.x | TCP 21 | TCP 21: FTP...
Scanning / copying applications: security levels, ports and protocols used by the Océ systems
Application / Functionality | System | Supported security levels (x) and open port | Port used on the controller: protocol...
Application / Functionality | System | Supported security levels (x) and open port (M-H*, ...) | Port used on the controller: protocol
SNMP based applications | Océ PlotWave 750 / PlotWave 900 R2.x | UDP 161: SNMP...
Application / Functionality | System | Supported security levels (x) and open port (M-H*, ...) | Port used on the controller: protocol
IPsec | Océ PlotWave 750 / PlotWave 900 R2.x | UDP 500, UDP 4500...
Security Patches
Install the Océ Remote patch on Océ PlotWave 750 and Océ PlotWave 900 R2.x
Introduction
You can install the Océ Remote patches (Security patches) in the following versions of the systems:
• Océ PlotWave 750
• Océ PlotWave 900 R2.x
Before you begin
Océ Downloads website: http://downloads.oce.com
Find the Océ...
4. Log in as the System administrator or Power user. The latest patch successfully applied (if any) is displayed.
5. Click on the 'Update' icon (top right corner) to open the wizard
6.
8. Click OK to confirm the update
Security levels
Security levels presentation
Introduction
On Océ PlotWave 750 and Océ PlotWave 900 R2.x, Océ defined 4 levels of security according to the customer needs. The presentation below can help you to select the most suitable level.
High and Medium-High security levels
The High and Medium-High levels are the most secure modes for printing and scanning.
Set the security level on Océ PlotWave 750 or Océ PlotWave 900 R2.x
Refer to Set the security level on Océ PlotWave 900 R1.1 and higher on page
Prevent any outgoing connection to the Internet
Introduction
Some features of the following systems allow or request a connection over the Internet to work properly:
• Océ PlotWave 750
• Océ PlotWave 900 R2.x
When the Security Policy in a company prevents any outgoing network traffic over the Internet, perform all the following actions in Express WebTools:
In the Express WebT...
NOTE Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.
The Power user has both the rights of the Key operator and the System administrator.
• Service: this role is used exclusively by the Canon Service technician.
Passwords policy and behaviour for Océ PlotWave 750 and Océ PlotWave 900 R2.x
Introduction
In Océ...
Printer panel protection
Password for | Can be changed by | Stored in the back-up set*
Remote Service Proxy authentication user | System administrator or Power user | Yes, stored encrypted.
* When you make a back-up set of your system settings using the 'Save Set' feature in Océ Express WebTools ('Preferences' tab).
Audit log
Introduction
All changes related to security settings are logged in the Audit log. The log can be downloaded and/or cleared. Download and archive the log before you clear it; once cleared, the record of earlier changes is gone from the controller.
The operations stored in the Audit log
In Océ Express WebTools, open the Support - Audit log tab to download the Audit log, which contains information on any change made to settings.
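Reviewing a downloaded Audit log for changes that lower the security posture, as an added example (not Océ code). The guide does not document the export format: the CSV columns used here (timestamp, user, setting, old, new), the setting names and the sample lines are constructed assumptions for illustration, so map them to the fields of the file your controller actually produces.

```python
from __future__ import annotations

import csv
import io

# Security levels as defined in this guide, ranked from weakest to strongest
# (the 4-level systems add Medium-High between Medium and High).
SECURITY_LEVEL_RANK = {"low": 0, "medium": 1, "medium-high": 2, "high": 3}

# Settings whose change from Enabled to Disabled removes a protection.
PROTECTIONS = {"ipsec", "e-shredding", "disk encryption", "https"}
# Settings whose change from Disabled to Enabled widens exposure
# (IPsec failsafe mode lets traffic pass in clear when negotiation fails).
EXPOSURES = {"print from usb", "scan to usb", "ipsec failsafe mode"}


def is_weakening(setting: str, old: str, new: str) -> bool:
    """True when the change from old to new lowers the security posture."""
    s, o, n = setting.strip().lower(), old.strip().lower(), new.strip().lower()
    if s == "security level":
        return SECURITY_LEVEL_RANK.get(n, 0) < SECURITY_LEVEL_RANK.get(o, 0)
    if s in PROTECTIONS:
        return o == "enabled" and n == "disabled"
    if s in EXPOSURES:
        return o == "disabled" and n == "enabled"
    if s.endswith("password"):
        # 'No password' (stored as 'Auto' in a backup set) removes the check.
        return n in {"no password", "auto"}
    return False


def review_audit_log(text: str) -> list[dict]:
    """Return the rows of a CSV audit export that weaken security, in order.
    The column names are an assumed layout, not the documented export."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if is_weakening(row["setting"], row["old"], row["new"]):
            findings.append(row)
    return findings


# Constructed sample export (assumed layout, not a real controller log).
SAMPLE_LOG = """\
timestamp,user,setting,old,new
2024-03-01T08:02:11,System administrator,Security level,Medium,High
2024-03-01T08:05:40,System administrator,IPsec,Disabled,Enabled
2024-03-02T17:45:03,Power user,Security level,High,Low
2024-03-02T17:46:12,Power user,E-shredding,Enabled,Disabled
2024-03-02T17:47:30,Power user,Key operator password,Set,No password
2024-03-02T17:48:02,Power user,IPsec failsafe mode,Disabled,Enabled
2024-03-03T09:00:00,Key operator,Key operator password,No password,Set
"""

if __name__ == "__main__":
    for row in review_audit_log(SAMPLE_LOG):
        print(f"{row['timestamp']} {row['user']!r} changed {row['setting']}: "
              f"{row['old']} -> {row['new']}")
```

Run it against each export you download before clearing the log; a cluster of weakening changes by one account in a short window, as in the constructed sample, is what you want surfaced rather than buried among routine edits.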
Data Security
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature that overwrites any user data (print/copy/scan) when it is deleted from the system. This feature prevents the recovery of any deleted user data (files' content and attributes). A deleted job is a job that cannot be retrieved from any user interface.
Enable/disable the e-shredding (Océ Express WebTools)
Procedure
1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click Edit
4.
Example: E-shredding and the 'Save received job data for Service' feature
On Océ PlotWave 750 and PlotWave 900 R2.x, enabling the e-shredding function doesn't affect the feature 'Save received job data for Service': job data saved for Service is not covered by the e-shredding. If 'Save received job data for Service' is activated, it is recommended to clean up the system and delete all job data previously saved for Service:
1.
IPsec
IPsec presentation
Introduction
IPsec is a protocol suite that provides authentication, data confidentiality and integrity in the network communication between devices. Encryption protects the confidentiality of the user print and scan data on the network. IPsec is particularly suitable in a configuration where you need to create a dedicated secure link between the printer/copier system and a workstation that can be dedicated as a Print Server (or a Scan Server).
Illustration
IPsec parameters in the Océ Express WebTools (EWT)
The following IPsec parameters are available in the Océ Express WebTools:
IPsec Generic section:
IPsec: General setting to enable or disable IPsec (Enabled/Disabled). Once enabled, only the network traffic defined by the IPsec configuration rules is authorised.
The parameters can be different for each workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one)
Configure the IPsec settings in the Océ controller
Before you begin
You must be logged in as a System Administrator or a Power user.
6. Keep the other parameters as they are.
7. In the 'IPsec stations' section, click 'Edit'
8. Select 'IPsec station 1: Enable'
9. Enter the 'IPsec station 1: IP address' of the workstation
10.
Result
The IPsec settings are configured on the controller for a connection to a workstation (which can be a print server).
Configure the IPsec settings on a workstation or a print server
When to do
After the IPsec configuration on the controller.
Consequences of the IPsec configuration on the client workstation:
The back-channel information (printer status, feed data) is not retrieved from the printer. It is not displayed in the driver interface.
On the workstation, when the job is sent with Océ WPD:
•...
HTTPS (on Océ PlotWave 750 and PlotWave 900 R2.x)
Encrypt print data and manage the system configuration using HTTPS
Introduction
On the Océ PlotWave 750 and Océ PlotWave 900 R2.x systems, you can use the HTTPS protocol
- to send encrypted print data to the printer controller via Océ...
Configure the browser for a self-signed certificate
The first time you use a self-signed certificate, your web browser will generate security error messages. In order to easily and securely use the self-signed certificate in your web browser, you must:
- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate
Use the Océ...
1. Place the certificate in the 'Trusted Root Certification Authorities' folder
2. Accept the warning
3. Finish the installation
When the import is successful, the 'Océ Express WebTools' Certificate is recognised and its status is OK. A certificate in that store is trusted as a root for the whole browser, so import only the controller's own certificate, after checking its thumbprint, and remove it once you replace it with a CA-signed certificate.
8. Open the Tools menu\Internet options\Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch". Note that this disables the mismatch warning for all sites, not only the controller.
9. Close ALL instances of Internet Explorer
10. Restart the browser and type the URL of your printer in Internet Explorer (https://[common Name or PrinterHostname or PrinterIPaddress]).
2. In order to view and check the self-signed certificate, continue to add an exception.
3. Click 'I Understand the Risks' and 'Add Exception...'
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server.
Request and import a CA-signed certificate
The CA-signed certificate you receive also contains the public key. This public key belongs to the private key already stored in the controller: the certificate request sent to the CA carried the public key, and the private key never leaves the controller. In the controller, the private key and the public key must match to enable a secure HTTPS protocol.
Step | Description
B4- Import the Root certificate into the web browsers of the workstations | The Root certificate identifies the Certification Authority. By default, the web browsers contain a list of well-known and trusted Root certificates.
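For scripted access to Océ Express WebTools or Océ Publisher Express over HTTPS (the self-signed certificate sections above, and this CA-signed section), the check that replaces the browser's trust-store steps is to pin the controller certificate's SHA-256 fingerprint. This is an added example, not Océ code; the hostname in the comment is hypothetical and the DER bytes below are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def fingerprint_der(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted like the thumbprint a browser
    shows (upper-case hex pairs separated by colons)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_pem(pem: str) -> str:
    """Same fingerprint for a certificate exported from the browser as PEM."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def matches_pin(observed: str, pinned: str) -> bool:
    """Constant-time comparison, tolerant of case and separator differences."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(norm(observed), norm(pinned))


def connect_pinned(host: str, port: int, pinned: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection to the controller and keep it only if the
    presented certificate matches the pinned fingerprint.

    Chain validation and hostname checking are switched off on purpose: a
    self-signed controller certificate has no chain, and the guide allows the
    URL to be the Common Name, the hostname or the IP address. The pin is then
    the only thing authenticating the peer, which is why it is mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(fingerprint_der(der), pinned):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"{host}:{port} presented a certificate that does not match the pin")
    return tls


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour used by browser exports."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed placeholder standing in for the controller certificate's DER
# bytes; it is not a real certificate, only enough to exercise the helpers.
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PEM = pem_from_der(SAMPLE_DER)

if __name__ == "__main__":
    pin = fingerprint_pem(SAMPLE_PEM)  # record the real value once, out of band
    print("pinned:", pin)
    # Real use, with the controller's actual pin (hostname is hypothetical):
    # with connect_pinned("plotwave.example.net", 443, pin) as s:
    #     s.sendall(b"GET / HTTP/1.0\r\nHost: plotwave.example.net\r\n\r\n")
```

Record the pin from a certificate you have checked on the controller itself, and update it when the certificate is replaced (the CA-signed one gets a new fingerprint); a pin that stops matching is a signal to investigate, not to bypass.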
Smart Inbox management and job management
Configure the Smart Inboxes and the job management settings
You can use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data. Configure the job management settings to manage the visibility of jobs and their availability through Océ...
Chapter 3 Security on Océ PlotWave 500 and PlotWave 340/360...
Overview
Security overview for the Océ PlotWave 500 and PlotWave 340/360 systems
Introduction
The Océ PlotWave 500 and PlotWave 340/360 systems are equipped with the following security features:
Security overview
Operating System: Windows Embedded Standard 7 SP1 (Microsoft's extended support for this OS ended in October 2020; keep the controller on an isolated network segment and apply the Océ released patches)
Firewall / Network protocols protection: Yes (per protocol, through firewall)
MS security patches: Océ...
System and Network security
Ports - Protocols
Applications, protocols and ports
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system
Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol
Océ...
Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol
Print from Cloud: WebDAV | OUTBOUND: TCP 80: HTTP; TCP 443: HTTPS; TCP web proxy port; TCP WebDAV port
Notes:
* Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol
nslookup | UDP local port: any | UDP remote port: 53
SNMP based applications | UDP 161: SNMP |
Name resolution, outgoing connection: remote port (on DNS server): UDP(/TCP) 53; local port (on controller): ...
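A check a practitioner can run against the port tables above: compare a scan of the controller with the listeners the guide documents for the configuration you chose, and derive the egress allow-list that remains when outgoing Internet traffic is forbidden. This is an added example, not Océ code. The port dictionaries are assembled from the rows legible in this guide's tables (across chapters) and must be verified against the full table for your model and release; the scan text is constructed sample input in nmap normal-output layout, not a real capture.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Inbound listeners documented in this guide's port tables, as (protocol, port).
# Assembled from the rows legible in the text; check the table for your model.
DOCUMENTED_INBOUND = {
    ("tcp", 21): "FTP: Océ Publisher Mobile job submission",
    ("tcp", 80): "HTTP: Océ Express WebTools and job submission",
    ("tcp", 443): "HTTPS: Océ Express WebTools and job submission (cannot be disabled)",
    ("udp", 161): "SNMP based applications",
    ("udp", 500): "IPsec: IKE",
    ("udp", 4500): "IPsec: NAT traversal",
}

# Outbound connections documented in the same tables.
DOCUMENTED_OUTBOUND = {
    ("udp", 53): "Name resolution (remote port on the DNS server)",
    ("tcp", 53): "Name resolution (TCP fallback)",
    ("tcp", 80): "Print from Cloud: WebDAV over HTTP (or via the web proxy port)",
    ("tcp", 443): "Print from Cloud: WebDAV over HTTPS",
}
# Internet-dependent features the guide tells you to switch off when company
# policy forbids outgoing Internet traffic.
INTERNET_FEATURES = {("tcp", 80), ("tcp", 443)}

_SCAN_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def parse_scan(text: str) -> set[tuple[str, int]]:
    """Parse 'PORT STATE SERVICE' lines (nmap normal output) into the set of
    open (protocol, port) pairs. UDP 'open|filtered' counts as open: a silent
    UDP port cannot be told apart from a listening service."""
    opened: set[tuple[str, int]] = set()
    for line in text.splitlines():
        m = _SCAN_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state = int(m.group(1)), m.group(2), m.group(3)
        if state == "open" or (proto == "udp" and state == "open|filtered"):
            opened.add((proto, port))
    return opened


def expected_inbound(*, ipsec: bool, ftp: bool, http: bool) -> set[tuple[str, int]]:
    """Listeners that should exist for a given configuration: HTTPS and SNMP
    stay as documented, FTP/HTTP/IPsec follow the settings you chose."""
    expected = {("tcp", 443), ("udp", 161)}
    if ftp:
        expected.add(("tcp", 21))
    if http:
        expected.add(("tcp", 80))
    if ipsec:
        expected |= {("udp", 500), ("udp", 4500)}
    return expected


@dataclass
class AuditResult:
    unexpected: dict[tuple[str, int], str]  # open but not expected -> label
    missing: set[tuple[str, int]]           # expected but not observed


def audit_inbound(scan_text: str, *, ipsec: bool, ftp: bool, http: bool) -> AuditResult:
    """Compare a scan of the controller with the documented/expected listeners."""
    observed = parse_scan(scan_text)
    expected = expected_inbound(ipsec=ipsec, ftp=ftp, http=http)
    unexpected = {
        p: DOCUMENTED_INBOUND.get(p, "not in the documented port table")
        for p in sorted(observed - expected)
    }
    return AuditResult(unexpected=unexpected, missing=expected - observed)


def egress_allowlist(*, allow_internet: bool) -> dict[tuple[str, int], str]:
    """Outbound (protocol, port) pairs a perimeter firewall should still permit
    from the controller. With allow_internet=False only name resolution stays,
    matching the guide's instruction to disable the Internet-dependent features."""
    allowed = dict(DOCUMENTED_OUTBOUND)
    if not allow_internet:
        for key in INTERNET_FEATURES:
            allowed.pop(key, None)
    return allowed


# Constructed sample scan (not a real capture) of a controller where FTP and
# IPsec are meant to be off, but FTP is still listening and RDP is reachable.
SAMPLE_SCAN = """\
PORT      STATE         SERVICE
21/tcp    open          ftp
80/tcp    open          http
443/tcp   open          https
3389/tcp  open          ms-wbt-server
161/udp   open|filtered snmp
500/udp   closed        isakmp
"""

if __name__ == "__main__":
    result = audit_inbound(SAMPLE_SCAN, ipsec=False, ftp=False, http=True)
    for (proto, port), label in result.unexpected.items():
        print(f"UNEXPECTED {port}/{proto}: {label}")
    for proto, port in sorted(result.missing):
        print(f"MISSING    {port}/{proto}")
    for (proto, port), label in sorted(egress_allowlist(allow_internet=False).items()):
        print(f"EGRESS     {port}/{proto}: {label}")
```

An 'unexpected' port that is in the documented table (FTP in the sample) means a feature you believed disabled is still on; one that is not in the table at all (RDP in the sample) is outside what the guide describes and should be raised with Canon Service rather than assumed harmless.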
Security Patches
Install the Océ Remote patch
Introduction
You can install the Océ Remote patches (Security patches) in your Océ system.
Before you begin
Find the Océ Security patch on the Océ Downloads website, http://downloads.oce.com: open the product page and go to the Security tab to download the available security patches.
Install a patch
Procedure
1.
Install the Océ Remote patch
6. Click OK
7. Browse to the Océ Remote patch and click OK to install it
8. Click OK to confirm the update
Chapter 3 - Security on Océ PlotWave 500 and PlotWave 340/360...
Protocol protection
Network protocols protection
Introduction: In these systems, you can completely disable some protocols in order to protect the system against attacks that use them. HTTPS (inbound), ICMP (ping) and DNS cannot be completely disabled.
List of network protocols: Protocols or Network Protocol ba‐...
Network protocols protection (Protocols or Network services | Protocol ba‐ | Available protection | Remarks)
HTTP (inbound) | HTTP | There is no specific setting to disable the HTTP protocol. Inbound HTTP is enabled as long as at least one of the following services is enabled: - 'Océ...
Prevent any outgoing connection to the Internet
Introduction: Some system features allow or require a connection over the Internet to work properly. When your company's Security Policy prevents any outgoing network traffic over the Internet, perform all the following actions, step by step, in Express WebTools: In the Express WebT‐...
Security of the USB connection
The USB connection on the printer user interface
Introduction: A USB connection is available on the touch panel. This USB connection is used to:
• Install / upgrade the controller software
•...
Contact your Canon representative to find out which antivirus version to install on your Océ systems and to obtain the installation procedure.
NOTE Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.
Roles and Passwords
Roles and profiles
Roles description: Four different roles exist in the product. Each of them has the ability to configure or modify some system settings. The roles are:
• Key operator: The Key operator can manage the jobs and the device settings.
•...
Passwords policy and behaviour in the Océ PlotWave 500 and PlotWave 340/360 systems
Introduction: There are 2 groups of passwords:
• The passwords used in Océ Express WebTools
•...
The 'Import templates' operation restores the passwords.
Temporary password for the installation of a third-party application: To install a third-party application in the controller system, a Canon representative generates a temporary administrative password for the Windows Administrator account. This password is valid for 4 hours.
Access control
Introduction: Access control lets you limit access to the Océ system by IP filtering. Use the access restriction to limit access to the printer.
NOTE Important: ALWAYS define the hosts before enabling Access control. If Access control is enabled without any host configured, communication is blocked.
Audit log
Introduction: All changes related to security settings are logged in the Audit log. The log can be downloaded and/or cleared.
The operations stored in the Audit log: In Océ Express WebTools, open the Support - Audit log tab to download the Audit log, which contains information on any change made in settings.
Data security
E-Shredding in Océ PlotWave 500 and PlotWave 340/360 systems
E-shredding presentation
Introduction: The e-shredding feature is a security feature that overwrites any user print/copy/scan data when it is deleted from the system. This feature prevents the recovery of any deleted user data (file content and attributes).
Enable the e-shredding in Océ Express WebTools
Before you begin: You must be logged in as a System Administrator or a Power user.
Perform the following actions:
1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools
2.
Enable the e-shredding in Océ Express WebTools
Each time data (file content or attributes) is deleted from the system, the e-shredding process occurs. For a while, the E-shredding feedback returns 'busy'. In the Océ Express WebTools window, hover the mouse over the e-shredding icon to display the 'E-shredding busy' status. Once the e-shredding process is complete, the status returns to 'E-shredding ready' in the Océ...
E-shredding process and system behaviour
When you enable the e-shredding: When you enable the e-shredding feature, the system starts the e-shredding process for all scan/copy/print jobs that will be deleted. The e-shredding process runs as a background task. All processed jobs are e-shredded after they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of the print or scan jobs by the system (time-out, disabled Smart...
IPsec
IPsec presentation
Introduction: IPsec is a protocol that provides authentication, data confidentiality and integrity for the network communication between devices. A strong encryption mechanism guarantees the confidentiality of the user print and scan data on the network. You can connect up to 5 IPsec stations to the print/scan system.
IPsec presentation (table: IPsec enabled | IPsec disabled)
Access control disabled: IPsec enabled: Encryption between the print/scan system and the IPsec stations is activated. All stations can communicate with the system. The system can communicate with all stations. The communication is encrypted ONLY with the stations configured as IPsec stations. IPsec disabled: No filtering. No encryption.
Configure the IPsec settings in the Océ controller
Before you begin: You must be logged in as a System Administrator or a Power user. To benefit from the full IPsec mechanism, the DHCP protocol must not be used. On the Configuration - Connectivity page, disable all the network settings that require DHCP.
Configure the IPsec settings in the Océ controller
Result: The IPsec settings are configured on the controller for a connection to a workstation.
Configure the IPsec settings on a workstation or a print server
When to do: After the IPsec configuration on the controller.
Pre-requisites: Log on to the workstation with administrator rights.
Purpose: Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation.
Create the security policy
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
4. Keep 'Local computer' checked and click 'Finish'. The security snap-in is added; click 'OK'
Create the security policy. Procedure 1.
Create the filter list
3. Enter the name for the policy and click 'Next'
4. Uncheck 'Activate the default response rule'
5. Uncheck 'Edit properties' and click 'Finish'
Create the filter list. Procedure
1. In the console, right-click 'IP Security Policies on local Computer' and select 'Manage IP filter lists and filter actions…'
Create the filter list
2. In the 'Manage IP filter lists' tab click 'Add'
3. Enter a filter name and a description and click 'Add'
4. Click 'Next' to open the wizard
5. Check the 'Mirrored' checkbox and click 'Next'
6.
Define the filter actions and security negotiation
8. Select 'Any' as the 'IP Protocol Type' and click 'Next'
9. Click 'Finish'
10. In the 'IP filter list' window, click OK. The filter list is set.
Define the filter actions and security negotiation. Procedure 1.
Define the security rule
4. Select 'Negotiate security' and click 'Next'
5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the Operating System) and click 'Next'
6. Select 'Custom' and click on the 'Settings...' button
7.
Define the security rule
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
5. Select the filter previously created then click 'Next'
6.
Assign the security policy
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange (preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the Océ controller on page 120), then click 'Next'
9.
Customize the IPsec settings
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec station to the printer/scanner controller
Customize the IPsec settings. Procedure
1. In the Control panel select 'Windows Firewall' - 'Advanced settings' to open the 'Windows Firewall with Advanced Security' window
2.
Customize the IPsec settings
5. In 'Data protection (Quick Mode)' select 'Advanced' and click on 'Customize...'
6. Check the 'Require encryption for all connection security rules that use these settings.' box
7. Click 'OK' on all open windows to validate and close them.
After you finish: For Océ...
Troubleshooting: Disable 'Access control' and IPsec (Océ PlotWave 500 and PlotWave 340/360 systems)
Introduction: In the following cases:
• Access control and IPsec have been enabled without any station defined
•...
Troubleshooting: Disable 'Access control' and IPsec (Océ PlotWave 500 and PlotWave 340/360 systems)
4. A wizard is displayed. Follow the instructions
5. Confirm to disable access control
6. Press 'Finish'
7. Restart the controller
Result: Access control and IPsec functions are disabled. After the restart, you will be able to remotely open Océ...
HTTPS
Encrypt print data and manage the system configuration using HTTPS
Introduction: In the Océ systems, you can use the HTTPS protocol to:
- send encrypted print data to the printer controller via Océ Publisher Express
- save encrypted scan jobs from the printer controller (Scans Inbox)
- securely manage the configuration of the system through Océ...
Use the Océ self-signed certificate with Internet Explorer
- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate
Use the Océ self-signed certificate with Internet Explorer. Procedure
1. On a workstation, type the URL address of your printer in Internet Explorer: https://[common Name or PrinterHostname or PrinterIPaddress]. A warning window opens.
Use the Océ self-signed certificate with Internet Explorer
1. Place the certificate in the 'Trusted Root Certification Authorities' folder
2. Accept the warning
3. Finish the installation
When the import is successful, the 'Océ Express WebTools' certificate is recognised and its status is OK.
Use the Océ self-signed certificate with Mozilla Firefox
8. Open the Tools menu\Internet options\Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch"
9. Close ALL instances of Internet Explorer
10. Restart the browser and type the URL of your printer in Internet Explorer (https://[common Name or PrinterHostname or PrinterIPaddress]).
Use the Océ self-signed certificate with Mozilla Firefox
2. In order to view and check the self-signed certificate, continue to add an exception.
3. Click 'I Understand the Risks' and 'Add Exception...'
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server.
Request and import a CA-signed certificate
Description of the overall procedure to request and import a CA-signed certificate
Introduction: By default, the first certificate delivered for the use of HTTPS is an Océ self-signed certificate. To ensure fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).
Back up a certificate and a private key (Step | Description)
A5 - Back up the private key | Save a backup of the private key associated with the certificate you will receive. See 'Back up a certificate and a private key' on page 140.
Generate a CA-signed certificate request
Description of the overall procedure:
• BEFORE the generation of a certificate request (step A1 of the procedure to request and import a CA-signed certificate on page 92): To save your current certificate and private key.
•...
Save and send the request
Result: The web server generates a certificate request. The content of the request is displayed (plain text). Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvDCCASQAwfDELMAkGA1UEBMCRlIxDDAKBgNVBAgTA0lERjEQMA4GA1UEBxMHQ1JFVEV
TDEBEGA1UEChMKT2NlIFBMVCBTQTEMMAoGA1UECxMDU05TMSowKAYDVQQDEyF0ZHM3M
DAtNzQw
LnNucy5vY2VjcmV0WlsLm9jZS5uZwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2NKQM
HjiDZ1khzTJTORxHqjKl3AtE3PXqRsiHouTH5JTceYtaBjCnxCJ4pGKY5iKN8KJiJuZG8PHxY7o
W/+zpvxN2VtX7TcyTAvyCThUwL+cqo75tvODo5HMCUa2sLdl8GO9WMLpgZkxH5KzIiO+LcI4
yQbqhENynywS0C2ObXCq3yksF74+XIO0swhoA2yfDp4T+LuF3wxys8lUH3ZhhkOYg=
-----END NEW CERTIFICATE REQUEST-----
Save and send the request. When to do: NOTE...
Import the [Intermediate certificate]. Procedure
1. In a web browser, open Océ Express WebTools (https://[IP address or hostname])
2. On the Configuration - Remote Security page, select 'Import CA-signed certificate'
3. Select [Root certificate]
4. Browse to the Root certificate file and click [Import]
NOTE The Root certificate may already exist in the web server certificates list.
Restore a certificate and a private key
When to do: You can restore the certificate and the private key at any moment, in case of need.
Restore the certificate and private key. Procedure 1.
Prevent 'Print from USB' and/or 'Scan to USB'
How to prevent 'Print from USB' and/or 'Scan to USB'
Introduction: You can disable any access to the USB device by preventing printing from / scanning to the USB device.
Smart Inbox management and job management
Configure the Smart Inboxes and the job management settings: You can use the Smart Inbox management features of your system to limit and restrict access to the print and scan job data. Configure the job management settings to manage the visibility of jobs and their availability through Océ...
Overview: Security overview for the Océ PlotWave 345, Océ PlotWave 365, Océ PlotWave 450 and Océ PlotWave 550
Introduction: The Océ PlotWave 345, Océ PlotWave 365, Océ PlotWave 450 and Océ PlotWave 550 systems are equipped with the following security features.
Security overview:
Operating System: Microsoft Windows Embedded Standard 8 64 bit...
Security overview for the Océ PlotWave 345, Océ PlotWave 365, Océ PlotWave 450 and Océ PlotWave 550
Control over Service operations: Operations made by Service under the control of the System Administrator
Chapter 4 - Security on Océ PlotWave 345/365 and Océ PlotWave 450/550...
System and Network security
Ports - Protocols
Applications, protocols and ports
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system.
Table columns: Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol
Océ...
Applications, protocols and ports (Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol)
Print from Cloud: WebDAV | TCP 80: HTTP, TCP 443: HTTPS, TCP web proxy port, TCP WebDAV port
Notes: * Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
Applications, protocols and ports
Control management: INBOUND and OUTBOUND ports and protocols used by the system (Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol)
PING IPv4 | ICMPv4
PING IPv6 | ICMPv6
nslookup | UDP local port: any | UDP remote port: 53
SNMP based applications | UDP 161: SNMP...
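The port tables in this chapter and in Chapter 3 are the allowlist a firewall administrator should verify against the controller. The following added example (not Océ/Canon code) compares a constructed 'netstat -an' listing, as the Windows controller would print it, against the inbound ports named on the page (TCP 80 HTTP, TCP 443 HTTPS, UDP 161 SNMP) and reports anything listening that the documentation does not account for. The TCP 8080 listener in the sample is invented to trigger a finding; the mapping should be extended from the full tables before use.

```python
"""Compare a controller's observed listening ports with the inbound ports
documented in the manual.  Added example, not Océ/Canon code."""
import re

# Inbound ports the page documents for the controller (descriptions are
# paraphrased from the tables; extend this from the complete tables).
DOCUMENTED_INBOUND = {
    ("tcp", 80): "HTTP (inbound; see 'Network protocols protection')",
    ("tcp", 443): "HTTPS (inbound; cannot be completely disabled)",
    ("udp", 161): "SNMP (SNMP based applications)",
}

# Constructed sample in the format of 'netstat -an' on a Windows host.
# The TCP 8080 listener is invented so that the check has something to flag.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:443         198.51.100.7:52114     ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    [::]:161               *:*
"""

# proto, local address, foreign address, optional state (UDP has none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_text):
    """Return {(proto, port)} for sockets that accept inbound traffic:
    TCP sockets in LISTENING state and every bound UDP socket."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, _remote, state = m.groups()
        proto = proto.lower()
        # Local address is '0.0.0.0:80' or '[::]:80'; port follows the last colon.
        port = int(local.rsplit(":", 1)[1])
        if proto == "tcp" and state != "LISTENING":
            continue
        found.add((proto, port))
    return found


def unexpected_ports(observed, documented=DOCUMENTED_INBOUND):
    """Sorted (proto, port) pairs that are open but not documented."""
    return sorted(p for p in observed if p not in documented)


def report(netstat_text):
    """Three lists an auditor wants: documented and open, open but
    undocumented, and documented but not currently listening."""
    obs = listening_ports(netstat_text)
    return {
        "documented_open": sorted(p for p in obs if p in DOCUMENTED_INBOUND),
        "unexpected_open": unexpected_ports(obs),
        "documented_closed": sorted(p for p in DOCUMENTED_INBOUND if p not in obs),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

A port that appears under "unexpected_open" is either a service the tables omit or something that should be disabled under 'Network protocols protection'; a port under "documented_closed" may simply be a service that is switched off on that controller.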
Security Patches
Install the Océ Remote patch
Introduction: You can install the Océ Remote patches (Security patches) in your Océ system.
Before you begin: Find the Océ Security patch on the Océ Downloads website at http://downloads.oce.com. Open the product page and go to the Security tab to download the available security patches.
Install a patch. Procedure 1.
Install the Océ Remote patch
6. Click OK
7. Browse to the Océ Remote patch and click OK to install it
8. Click OK to confirm the update
Protocol protection
Network protocols protection
Introduction: In these systems, you can completely disable some protocols in order to protect the system against attacks that use them. HTTPS (inbound), ICMP (ping) and DNS cannot be completely disabled.
List of network protocols: Protocols or Network Protocol ba‐...
Network protocols protection (Protocols or Network services | Protocol ba‐ | Available protection | Remarks)
HTTP (inbound) | HTTP | There is no specific setting to disable the HTTP protocol. Inbound HTTP is enabled as long as at least one of the following services is enabled: - 'Océ...
Prevent any outgoing connection to the Internet
Introduction: Some system features allow or require a connection over the Internet to work properly. When your company's Security Policy prevents any outgoing network traffic over the Internet, perform all the following actions, step by step, in Express WebTools: In the Express WebT‐...
Security of the USB connection
The USB connection on the printer user interface
Introduction: A USB connection is available on the touch panel. This USB connection is used to:
• Install / upgrade the controller software
•...
Contact your Canon representative to find out which antivirus version to install on your Océ systems and to obtain the installation procedure.
NOTE Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.
Roles and Passwords
Roles and profiles
Roles description: Four different roles exist in the product. Each of them has the ability to configure or modify some system settings. The roles are:
• Key operator: The Key operator can manage the jobs and the device settings.
•...
Passwords policy and behaviour in the Océ PlotWave 345/365 and Océ PlotWave 450/550
Introduction: There are 2 groups of passwords:
• The passwords used in Océ Express WebTools
•...
The 'Import templates' operation restores the passwords.
Temporary password for the installation of a third-party application: To install a third-party application in the controller system, a Canon representative generates a temporary administrative password for the Windows Administrator account. This password is valid for 4 hours.
Access control
Introduction: Access control lets you limit access to the Océ system by IP filtering. In Océ Express WebTools, find the 'Access control' settings on the Security - Configuration page.
Pre-requisites:
• The configuration of the 'Access control' settings is only available to the 'System administrator' and 'Power user'.
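Both this section and the Chapter 3 'Access control' section warn that enabling IP filtering with no host defined blocks all communication and can only be undone from the local panel. The added example below (not Océ/Canon code) models that setting as an allowlist and makes the lock-out impossible by refusing to enable filtering with an empty host list. Whether the controller accepts address prefixes in addition to single hosts is not stated on the page; the CIDR support here is an assumption of the model.

```python
"""Model of the 'Access control' (IP filtering) setting and the lock-out
the manual warns about.  Added example, not Océ/Canon code."""
import ipaddress


class AccessControlError(ValueError):
    """Raised when a configuration would lock every host out."""


def parse_hosts(hosts):
    """Accept single addresses ('192.0.2.10') or, as an assumption of this
    model, prefixes ('198.51.100.0/24'). Invalid entries raise ValueError
    rather than being dropped silently, which would shrink the allowlist."""
    return [ipaddress.ip_network(h, strict=False) for h in hosts]


def enable_access_control(hosts, enabled=True):
    """Build the access-control state. Enabling with no host is refused,
    because that is exactly the state in which communication is blocked
    and the controller has to be recovered from the local panel."""
    networks = parse_hosts(hosts)
    if enabled and not networks:
        raise AccessControlError(
            "define at least one host before enabling Access control")
    return {"enabled": enabled, "hosts": networks}


def is_allowed(state, source_ip):
    """True if a packet from source_ip would be accepted by the filter.
    Address-family mismatches (IPv4 address vs IPv6 prefix) never match."""
    if not state["enabled"]:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in state["hosts"])


if __name__ == "__main__":
    # Constructed allowlist: one management workstation and one print-server subnet.
    state = enable_access_control(["192.0.2.10", "198.51.100.0/24"])
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "allowed" if is_allowed(state, ip) else "blocked")
```

The same pre-check belongs in any change-management script that drives Express WebTools: validate the host list first, then enable the filter, and keep the host running the script in the list.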
Audit log
Introduction: All changes related to security settings are logged in the Audit log. The log can be downloaded and/or cleared.
The operations stored in the Audit log: In Océ Express WebTools, open the 'Security' - 'Audit log' tab to download the Audit log, which contains information on any change made in settings.
Data security
User authentication
Secure printing, copying and scanning operations with the User authentication
Introduction: To increase document confidentiality, users can secure printing/copying/scanning operations with user authentication. The 'User authentication' feature is an option. When the 'User authentication' feature is enabled:
•...
Secure printing, copying and scanning operations with the User authentication
Functional description: The system shown in this example is the Océ ColorWave 700.
The print workflow:
1- The user logs in on a workstation to prepare the job.
2- The user uses a job submission tool to submit the job to the printer. The submitted job contains the job owner identity.
Impact of the user authentication on the system features and Océ WebTools
The Scan and Copy features are accessible only after the user authenticates on the user panel.
Impact of the user authentication on the system features and Océ WebTools
Introduction: When the user authentication is activated, in order to guarantee data confidentiality:
•...
Impact of the user authentication on the system features and Océ WebTools
Disabled feature on the system user panel: The 'Move to top' feature on the system user panel is disabled.
Additional information: To secure the job data and job ownership on the network during job submission or scanning to external locations, the use of a secured network (IPsec for instance) is recommended.
User authentication: the standard workflows
Introduction: Find below the standard workflow for printing and the standard workflow for scanning/copying when the user authentication is activated and configured on the Océ system.
Standard workflow for print (Step | Action)
1- Logging on a work-...
User authentication: the standard workflows (Step | Action)
5- Job print | The user prints the jobs by clicking the green button.
6- Print queue | The user can open the print queue and follow the progress of the jobs.
NOTE All the jobs in 'Ready to print' state are printed, even when the user logs out in the meantime.
The user authentication in the main job submission workflows (Step | Action)
2- Workflow selection | The user selects Copy or Scan in the menu.
NOTE For scan operations, it is recommended to scan to an external location (not locally on the controller). When the user logs in to an external location, the login name in the top menu is replaced by the login name for the external location.
The user authentication in the main job submission workflows (Steps | Recommendations / Remarks)
2- Open Océ Publisher Select | Select and connect to a printer
3- Create a print job | The user account name that the Océ Publisher Select application will attach to the print job is:
•...
Other submission workflows
Job submission with Océ PS3 (Steps | Recommendations / Remarks)
1- Log in on a workstation | Log in on the workstation with the same credentials as the ones you will use to authenticate on the printer panel later on. Example: 'user1' on domain 'domain.com'.
Other submission workflows
If there is no ticket or no 'Username' in the ticket, then the content of the 'Job owner' field in Publisher Express is used. The user name entered in this field must not be blank. The name must be the same as the one that will be used to log in on the system (example: 'user@domain.com').
Additional information
- Contact your Canon representative if you want to use a smart card or a smart card reader that is not listed in the lists above.
- Plug the smart card reader into the USB port (contact your local Canon representative).
Configure the Smart card authentication
Introduction: Perform the following steps to activate the user authentication and configure the smart card authentication.
Before you begin: The smart card and the smart card reader must be compliant with the requirements.
Activate the smart card authentication 1.
Validate the smart card configuration
3. Browse for one root or intermediate certificate. When the URL of the revocation server is embedded in the smart cards, leave the 'Forced URL of OCSP responder' field empty. Enter the URL of the revocation server only if this URL is not already embedded in the smart cards.
Authentication on the user panel
2. Below the 'User access mode' section, click 'Validate the configuration'.
3. Leave the 'User name' field empty and enter the PIN if it is required in the user access settings.
4. Click 'OK'. A report is generated:
5.
Troubleshooting of authentication by smart card
After authentication, the name of the user is displayed in the top menu.
Troubleshooting of authentication by smart card
Introduction: When an error occurs during the configuration of the authentication by smart card, go to the 'Security' - 'Configuration' page and start the validation tool (see topic 'Validate the smart card configuration').
Troubleshooting of authentication by smart card (Error message attached to the red cross | Possible cause(s) | Actions)
List certificates: Chain status not trusted | At least one root or intermediate certificate is missing or in... | Create all the necessary (root and intermediate) certificate(s) in Océ...
- Security - Configuration - User access configuration' has no influence in this case)
Additional information
- Contact your Canon representative if you want to use a contactless card or a contactless card reader that is not listed in the lists above.
Configure the Contactless card authentication
4. The restart is required. Select 'Restart now'. When 'User access mode' is set to a setting other than 'Disabled', the system must be restarted to guarantee the data confidentiality of future incoming jobs. Do not select 'Restart later'.
Validate the contactless card configuration
• The 'User session time-out', in minutes. This is the duration of a user session before automatic log-out on the system user panel. Note: It is recommended to increase this duration for big jobs or heavy print files.
•...
Authentication by contactless card on the user panel
4. Check that there is no red cross icon in the report. If there is a red cross, solve the issue or check the solutions in the troubleshooting section, see Troubleshooting of authentication by contactless card on page 185.
Troubleshooting of authentication by contactless card (Error message attached to the red cross | Possible cause(s) | Actions)
Detect search base: Failed to bind to rootDSE: The user... | The authenticated user has no access to the LDAP lookup account. | In Océ Express WebTools check the LDAP lookup account in 'Security' - 'Domains'...
Authentication by user name and password
Configure the user authentication by user name and password
Introduction: Perform the following steps to activate and configure the user authentication by user name and password.
Before you begin: A domain containing users with Microsoft Active Directory credentials.
Configure the user authentication by user name and password
2. Click 'Create new' to create a domain:
3. Enter a name for the domain. This name will appear on the user panel as the domain name, so it is recommended to give it a clear name.
4.
Validate the configuration
Example: 'user1@mydomain.com' is logged in on the printer. This user will see only the jobs that have been submitted by 'user1@mydomain.com', so the user must make sure that the submission process embeds this information. When this setting is not activated, only the user name (without the suffix) is used for the job filtering.
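The filtering rule above is what decides whether a submitted job is visible after authentication, and a mismatch between the job owner and the logged-in name is the first cause listed in the Troubleshooting section. The added example below (not Océ/Canon code) implements that rule over a constructed Smart Inbox: with the domain-suffix setting on, user and domain must both match; with it off, only the part before '@' is compared. The case-insensitive comparison is an assumption of this example (Active Directory names are case-insensitive, but the page does not state how the controller compares them), as is treating a blank owner as matching nobody.

```python
"""Job visibility after user authentication: match the job owner carried
in the job against the authenticated user.  Added example, not Océ code."""


def split_identity(name):
    """Return (user, domain), domain '' when there is no suffix.
    Lower-casing is an assumption: AD names are compared case-insensitively."""
    user, _sep, domain = name.strip().partition("@")
    return user.lower(), domain.lower()


def owner_matches(job_owner, logged_in_user, use_domain_suffix):
    """True when the job is visible to the logged-in user.
    use_domain_suffix=True  -> 'user1@mydomain.com' must match exactly.
    use_domain_suffix=False -> only the user part ('user1') is compared."""
    ju, jd = split_identity(job_owner)
    lu, ld = split_identity(logged_in_user)
    if not ju or not lu:
        return False          # a blank 'Job owner' never matches anyone
    if use_domain_suffix:
        return (ju, jd) == (lu, ld)
    return ju == lu


def visible_jobs(jobs, logged_in_user, use_domain_suffix):
    """Filter [(job_id, owner), ...] down to the ids the user may see."""
    return [jid for jid, owner in jobs
            if owner_matches(owner, logged_in_user, use_domain_suffix)]


# Constructed Smart Inbox content covering the cases the page describes.
SAMPLE_JOBS = [
    ("job-1", "user1@mydomain.com"),     # submitted with the full suffix
    ("job-2", "user1"),                  # driver sent the bare user name
    ("job-3", "user1@otherdomain.com"),  # same user name, other domain
    ("job-4", "USER2@mydomain.com"),     # different user, upper-cased
    ("job-5", ""),                       # blank 'Job owner' field
]

if __name__ == "__main__":
    for suffix in (True, False):
        print("domain suffix", "on " if suffix else "off",
              visible_jobs(SAMPLE_JOBS, "user1@mydomain.com", suffix))
```

Run against a real inbox export, the same function explains the "authentication is successful but I cannot see the job" case: job-2 and job-3 are hidden from 'user1@mydomain.com' as soon as the suffix setting is on, which is the intended confidentiality behaviour, not a fault.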
Authentication on the system user panel
5. Check that there is no red cross icon in the report. If there is a red cross, solve the issue or check the solutions in the troubleshooting section below.
Authentication on the system user panel
Introduction: On the system user panel, tap the 'log in' icon to display the window.
Troubleshooting
Authentication by user name / password: errors in the validation report. A red cross in the report indicates an error (Error message attached to the red cross | Possible cause(s) | Actions):
Domain not correctly configured | No domain defined | Define at least one domain in Océ Express WebTools.
Log out
Introduction: A session can be interrupted manually by a log out, or automatically by the session time-out, under any conditions (normal working condition or an error status). A warning message announces the session time-out 10 seconds before the session closes. When the session time-out expires the user session is automatically closed, even when a smart card is inserted.
Special cases: a time-out, pause, or error occurs (Case | Status of the jobs | When the session time-out or log out occurs)
'User A' has submitted a job. | There is at least one job in... | The job in 'printing' and in 'Ready to...
Special cases: a time-out, pause, or error occurs
An error occurs (Case | Status of the jobs | Then)
An error occurs on a job | The job is put on hold. It will not be printed until the problem is solved. | When the issue is fixed before the time-out occurs, the job restarts and...
Troubleshooting
Troubleshooting after a successful authentication: The authentication is successful but I cannot see the job I submitted to the system.
Possible cause: The owner of the job (the user name sent within the job) does not match the user name of the user authenticated on the system.
Disable the user authentication
Possible cause: The time for the processing of the jobs exceeds the user session time-out. Not all the jobs have reached the 'Ready to print' or 'Printing' status.
Action: Increase the 'User session time-out' (in Océ Express WebTools - Security - 'Configuration' - 'User access configuration').
Disable the user authentication
7. Restart the system.
Result: The user authentication is disabled.
Pre-requisite
• The hard disk encryption licence. Contact your Canon representative.
• A TPM (Trusted Platform Module) board installed in the controller. A Service technician installs the licence and the TPM board. Make sure the System Administrator grants the technician permission by setting 'Allow Service to access licenses information' (in Express WebTools, in 'Security' - 'Configuration', 'Permissions for Service').
Hard disk encryption
2. In the 'Current Security Configuration' window, check the encryption mode. The disk encryption status can be:
• 'No encryption'
• 'Full disk encrypted' (Full mode) - AES-128 method
• 'Used space encrypted' (Normal mode) - AES-128 method
How to change the encryption mode: Contact your Service representative to change the encryption mode.
E-Shredding
E-shredding presentation
Introduction: The e-shredding feature is a security feature that overwrites any user print/copy/scan data when it is deleted from the system. This feature prevents the recovery of any deleted user data (file content and attributes). A deleted job is a job that cannot be retrieved from any user interface.
Enable the e-shredding in Océ Express WebTools
Before you begin: You must be logged in as a System Administrator or a Power user.
Perform the following actions:
1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools
2.
Enable the e-shredding in Océ Express WebTools
• On the printer user panel, an indication is displayed in the System menu: 'E-shredding enabled':
Each time data (file content or attributes) is deleted from the system, the e-shredding process occurs. For a while, the E-shredding feedback returns 'busy'. In the Océ...
E-shredding process and system behaviour When you enable the e-shredding When you enable the e-shredding feature, the system starts the e-shredding process for all scan/copy/print jobs that will be deleted. The e-shredding process runs as a background task. All processed jobs are e-shredded after they are deleted: - After a manual deletion from the Smart Inbox - After an automatic deletion of the print or scan jobs by the system (time-out, disabled Smart...
IPsec IPsec presentation Introduction IPsec is a protocol that provides authentication, data confidentiality and integrity in the network communication between devices. A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network. You can connect up to 5 IPsec stations to the print/scan system.
IPsec presentation
Access control disabled:
- IPsec enabled: Encryption between the print/scan system and IPsec stations is activated. The communication is encrypted ONLY with the stations configured as IPsec stations.
- IPsec disabled: No filtering. No encryption. All stations can communicate with the system. The system can communicate with all stations.
Configure the IPsec settings in the Océ controller Before you begin You must be logged in as a System Administrator or a Power user. To benefit from the full IPsec mechanism, the DHCP protocol must not be used. On the Configuration - Connectivity page, disable all the network settings that require DHCP.
Configure the IPsec settings in the Océ controller 8. Restart the controller Result The IPsec settings are configured on the controller for a connection to a workstation.
Configure the IPsec settings on a workstation or a print server When to do After the IPsec configuration on the controller. Pre-requisites Log on to the workstation with Administrator rights. Purpose Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation.
Create the security policy 3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console 4. Keep 'Local computer' checked and click 'Finish' The security snap-in is added, click 'OK' Create the security policy Procedure 1.
Create the filter list 3. Enter the name for the policy and click 'Next' 4. Uncheck 'Activate the default response rule' 5. Uncheck 'Edit properties' and click 'Finish' Create the filter list Procedure 1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter lists and filter actions…'
Create the filter list 2. In the 'Manage IP filter lists' tab click 'Add' 3. Enter a filter name and a description and click 'Add' 4. Click 'Next' to open the wizard 5. Check the 'Mirrored' checkbox and click 'Next' 6.
Define the filter actions and security negotiation 8. Select 'Any' as the 'IP Protocol Type' and click 'Next' 9. Click 'Finish' 10. In the 'IP filter list' window, click OK The filter list is set Define the filter actions and security negotiation Procedure 1.
Define the security rule 4. Select 'Negotiate security' and click 'Next' 5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the Operating System) and click 'Next' 6. Select 'Custom' and click on the 'Settings...' button 7.
Define the security rule 2. Click 'Next' 3. Select 'This rule does not specify a tunnel', and click 'Next' 4. As the Network type, select 'All network connections' and click 'Next' 5. Select the filter previously created then click 'Next' 6.
Assign the security policy 7. In the 'Authentication method' window, check 'Use this string to protect the key exchange (preshared key)' 8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the Océ controller on page 120), then click 'Next' 9.
Customize the IPsec settings 2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec station to the printer/scanner controller Customize the IPsec settings Procedure 1. In the Control panel select 'Windows Firewall' - 'Advanced settings' to open the 'Windows Firewall with Advanced Security' window 2.
Customize the IPsec settings 5. In the 'Data protection (Quick Mode)' select 'Advanced' and click on 'Customize...' 6. Check the 'Require encryption for all connection security rules that use these settings.' box 7. Click 'OK' on all open windows to validate and close them. After you finish For Océ...
Troubleshooting: Disable 'Access control' and IPsec Introduction In the following case: • Access control and IPsec have been enabled without any station defined • The communication between the controller and the host stations fails Any remote connection to Océ...
Troubleshooting: Disable 'Access control' and IPsec 6. Press 'Finish' 7. Restart the controller Result Access control and IPsec functions are disabled. After the restart, you will be able to remotely open Océ Express WebTools from any workstation (HTTP).
HTTPS Encrypt print data and manage the system configuration using HTTPS Introduction In the Océ systems, you can use the HTTPS protocol to: - send encrypted print data to the printer controller via Océ Publisher Express - save encrypted scan jobs from the printer controller (Scans Inbox) - securely manage the configuration of the system through Océ...
- Configure your web browser to trust the self-signed certificate Use the Océ self-signed certificate with Internet Explorer Procedure 1. On a workstation, type the URL address of your printer in Internet Explorer: https://[common Name or PrinterHostname or PrinterIPaddress] A warning window opens.
Use the Océ self-signed certificate with Internet Explorer 1. Place the certificate in the 'Trusted Root Certification Authorities' folder 2. Accept the warning 3. Finish the installation When the import is successful, the 'Océ Express WebTools' Certificate is recognised and its status is OK.
Use the Océ self-signed certificate with Mozilla Firefox 8. Open the Tools menu\Internet options\Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch" 9. Close ALL instances of Internet Explorer 10. Restart the browser and type the URL of your printer in Internet Explorer (https://[common Name or PrinterHostname or PrinterIPaddress]).
Use the Océ self-signed certificate with Mozilla Firefox 2. In order to view and check the self-signed certificate, continue to add an exception. 3. Click 'I Understand the Risks' and 'Add Exception...' 4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server.
Request and import a CA-signed certificate Description of the overall procedure to request and import a CA-signed certificate Introduction By default the first certificate delivered for the use of HTTPS is an Océ self-signed certificate. To ensure a fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).
Back up a certificate and a private key Step Description A5- Back up the private key: save a backup of the private key associated with the certificate you will receive. Back up a certificate and private key on page 226.
Generate a CA-signed certificate request • AFTER the generation of the certificate request: To save the private key linked to the certificate request. • AFTER the import of the new certificate (step B5): To save your new certificate and private key, in order to be able to restore them if needed. Back up the current certificate and private key Procedure 1.
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
[Base64 body of the fake request omitted]
-----END NEW CERTIFICATE REQUEST-----
Save and send the request When to do NOTE: Step A3 of the HTTPS Description of the overall procedure on page 225.
Import the [Intermediate certificate] 4. Browse to the Root certificate file and click [Import]. NOTE The Root certificate may already exist in the web server certificates list. 5. Validate to confirm the import. 6. When the message [Certificate successfully imported.] pops up, go on to import the [Intermediate certificate].
Reset the current certificate Restore the certificate and private key Procedure 1. In a web browser, open Océ Express WebTools (http(s)://[IP address or hostname]) 2. On the 'Security' - 'HTTPS' page, select [Restore certificate and private key] 3. Browse to the backup file 4.
Scan to Home folder / Print from Home folder Introduction Home folders are private network locations where the Active Directory users can store their files. With the 'Scan to Home folder' feature, an authenticated user can send scanned files from the system directly to his/her Microsoft Active Directory Home folder.
Troubleshooting Result Both methods send the scanned files to the users' private Home folder (root directory). Print from the Home folder An authenticated user can also print from his/her private Home folder: 1. At the system panel, select the 'Print' tile to turn it into 'Print from...'. 2.
Prevent 'Print from USB' and/or 'Scan to USB' How to prevent 'Print from USB' and/or 'Scan to USB' Introduction You can disable any access to the USB device by preventing printing from / scanning to the USB device.
Smart Inbox management and job management Configure the Smart Inboxes and the job management settings You can use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data. Configure the job management settings to manage the visibility of jobs and their availability through Océ...
Security on Océ ColorWave 550, ColorWave 600 (Poster Printer), ColorWave 650 R2.x (Poster Printer) Overview Security overview for the Océ ColorWave 600/650 (Poster Printer) and the Océ...
Security overview for the Océ ColorWave 600/650 (Poster Printer) and the Océ ColorWave 550 systems Password protection Yes for: - User settings - Administration settings - Settings on the printer user panel Access control Access restriction to the printer for: - Océ...
System and Network security Ports - Protocols Applications, protocols and ports used in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 systems Printing applications: ports and protocols used by the system Application /Functionality Port used on the controller: Remarks...
Applications, protocols and ports used in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 systems Back-channel for Océ ColorWave 600 R1.6.1 and higher, Océ ColorWave 650 2.3.1 and higher, Océ ColorWave 550 2.3.1 and higher. For Océ...
Applications, protocols and ports used in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 systems Notes: TCP/IP port 443 must be opened and must allow response back on the IT infrastructure firewall. Chapter 5 - Security on Océ...
Security Patches Install the Océ Remote patch Introduction You can install the Océ Remote patches (Security patches) in the following (versions of the) systems: • Océ ColorWave 650 multifunctional (printer and scanner) • Océ ColorWave 550 multifunctional (printer and scanner) Before you begin http://downloads.oce.com Find the Océ...
Install the Océ Remote patch 5. Click on the 'Install' icon (top right corner of the 'Operating system patches' section) to open the wizard 6. Click OK 7. Browse to the Océ Remote patch and click OK to install it 8.
Protocol protection Network protocols protection Introduction In the Océ ColorWave 600 (Poster Printer), Océ ColorWave 650 (Poster Printer) and Océ ColorWave 550 systems, you can completely disable some protocols in order to protect them against attacks. List of network protocols Protocols Available Protection Yes.
Prevent any outgoing connection to the Internet Introduction Some features of the following systems allow or request a connection over the Internet to work properly: • Océ ColorWave 550 R2.3 and higher • Océ ColorWave 600 R1.6 and higher •...
Security of the USB connection The USB connection on the printer user interface Introduction A USB connection is available on the Océ ColorWave 650/550 printer panel. This USB connection is used to print from the USB storage device. Security on the USB port General USB port protection: •...
Operating System and software protection Linux OS and software protection In the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) and Océ ColorWave 550 systems the Linux operating system and associated software are stored on 'read only' partitions to guarantee the Operating System and software integrity at each reboot.
The Power User has both the rights of the Key operator and the System administrator • Océ service This role is used exclusively by the Canon Service technician Passwords policy and behaviour in the Océ ColorWave 600 (Poster Printer) / Océ...
Passwords policy and behaviour in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 systems Password backup/restore policy with the 'Save Set'/'Open Set' features The 'Password to change network settings' is stored encrypted into the backup set made with the 'Save Set' feature of Océ...
Access control Introduction The 'Access control' feature is available on the following printers and versions: - Océ ColorWave 550 v2.3.1 and higher - Océ ColorWave 650 v2.3.1 and higher - Océ ColorWave 650 PP v2.3.1 and higher Use the access restriction to limit the access to the printer Enable 'Access control' and set the list of IP addresses of the computers (hosts) that will be able to communicate with the printer controller, for printing only.
Data Security E-Shredding on Océ ColorWave 600 and Océ ColorWave 650 (PP) and Océ ColorWave 550 E-shredding presentation Introduction The e-shredding feature is a security feature that overwrites any user print data (for Océ ColorWave 600 / 650 PP) and any user print/copy/scan data (for Océ ColorWave 650 / 550) when it is deleted from the system.
Enable the e-shredding in Océ Express WebTools Before you begin You must be logged in as a System Administrator or a Power user. Recommendation: in the Océ Express Webtools ('Preferences'), make sure you: - Disable 'Keep completed jobs in the Smart Inbox' in the Job management settings (so that all the print jobs will be automatically deleted after successful printing) before enabling the e-shredding.
E-shredding process and system behaviour Each time data (file's content or attributes) is deleted from the system, the e-shredding process occurs. For a while, the E-shredding feedback returns 'busy'. In the Océ Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-shredding busy' status. Once the e-shredding data process is complete, the status comes back to 'E-shredding ready' in the Océ...
IPsec on Océ ColorWave 550 v2.3.1 and higher and Océ ColorWave 650 (PP) v2.3.1 and higher IPsec presentation Introduction IPsec is a protocol that provides authentication, data confidentiality and integrity in the network communication between devices.
Configure the IPsec settings in the Océ controller Illustration IPsec parameters in the Océ Express WebTools (EWT) The following IPsec parameters are available in the Océ Express WebTools: Network security section: The generic 'Access control' must be enabled. The 'Access control station X' must be enabled. Enable and configure the parameters for each required station.
Configure the IPsec settings on a workstation or a print server 3. In 'Network security' section, click on the general Edit 4. Enable Access control 5. Enable Access control station 1 6. Enter IP address of the station 1 7. Enable IPsec control station 1 8.
Add the security snap-in Purpose Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation. On the workstation, perform the 6 following actions: Add the security snap-in on page 256 Create the security policy on page 257 Create the filter list on page 258 Define the filter actions and security negotiation on page 260 Define the security rule on page 261...
Create the security policy Procedure 1. In the console, right click on 'IP Security Policies on local Computer' and select 'Create IP Security Policy' 2. Click 'Next' to open the wizard 3. Enter the name for the policy and click 'Next'
4. Uncheck 'Activate the default response rule' 5. Uncheck 'Edit properties' and click 'Finish' Create the filter list Procedure 1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter lists and filter actions…' 2.
Create the filter list 3. Enter a filter name and a description and click 'Add' 4. Click 'Next' to open the wizard 5. Check the 'Mirrored' checkbox and click 'Next' 6. Select 'My IP address' as the 'Source address' and click 'Next' 7.
Define the filter actions and security negotiation Procedure 1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard. 2. Click 'Next' 3. Give a name to the filter actions and click 'Next'
Define the security rule 4. Select 'Negotiate security' and click 'Next' 5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the Operating System) and click 'Next' 6. Select 'Custom' and click on the 'Settings...' button 7.
Define the security rule 3. Select 'This rule does not specify a tunnel', and click 'Next' 4. As the Network type, select 'All network connections' and click 'Next' 5. Select the filter previously created then click 'Next' 6. Select the filter action previously created then click 'Next'
Assign the security policy 7. In the 'Authentication method' window, check 'Use this string to protect the key exchange (preshared key)' 8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings on the Océ controller on page 42), then click 'Next' 9.
Troubleshooting: Disable 'Access control' and IPsec (Océ ColorWave 650/550 systems) 2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec station to the printer/scanner controller When the test works properly it is recommended to disable the 'Failsafe mode' on the printer/scanner controller.
Troubleshooting: Disable 'Access control' and IPsec (Océ ColorWave 650/550 systems) 4. Confirm to disable access control 5. Press 'Finish' 6. Restart the controller Result Access control is disabled. If IPsec was also activated on the controller, it is also disabled with this operation. After the restart, you will be able to open Océ...
How to prevent 'Print from USB' on Océ ColorWave 550/650 (and PP) Introduction You can disable any access to the USB device by preventing printing from the USB device. Illustration [6] USB direct print: Disabled How to disable the 'USB direct print' feature...
Smart Inbox management and job management Configure the Smart Inboxes to manage the access to job data Use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data.
Security on Océ ColorWave 650 R3.x Overview Security overview for the Océ ColorWave 650 R3.x system Introduction The Océ ColorWave 650 R3.x systems are equipped with the following security features: Security overview Operating System Windows Embedded Standard 7 SP1 Firewall Network protocols protection...
System and Network security Ports - Protocols Applications, protocols and ports used in the Océ ColorWave 650 R3.x system Printing applications with Océ ColorWave 650 R3.x: INBOUND and OUTBOUND ports and protocols used by the system Application /Functionality INBOUND ports on the con‐...
Applications, protocols and ports used in the Océ ColorWave 650 R3.x system * Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver. FTP passive mode only (FTP active mode not supported). Scanning applications with Océ...
Applications, protocols and ports used in the Océ ColorWave 650 R3.x system Application /Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol Océ Remote Service TCP 443: HTTPS TCP web proxy port NetBios over TCP/IP UDP 137 TCP 139, 445 UDP 138...
Security Patches Install the Océ Remote patch Introduction You can install the Océ Remote patches (Security patches) in your Océ system. Before you begin Find the Océ Security patch from the Océ Downloads website on http://downloads.oce.com. Open the product page and go to the Security tab to download the available security patches. Install a patch Procedure 1.
Install the Océ Remote patch 6. Click OK 7. Browse to the Océ Remote patch and click OK to install it 8. Click OK to confirm the update
Protocol protection Network protocols protection Introduction In the Océ ColorWave 650 R3.x system, you can completely disable some protocols in order to protect them against attacks. HTTPS, ICMP (ping), DNS protocols cannot be completely disabled. List of network protocols Protocols or Network Protocol ba‐...
Network protocols protection Protocols or Network services | Protocol ba‐ | Available protection | Remarks HTTP HTTP There is no specific setting to enable/disable the HTTP protocol. Inbound HTTP is enabled as long as at least one of the following services is enabled: - 'Océ...
Prevent any outgoing connection to the Internet Introduction Some features of the following systems allow or request a connection over the Internet to work properly: • Océ ColorWave 550 R2.3 and higher • Océ ColorWave 600 R1.6 and higher •...
Security of the USB connection The USB connection on the printer user interface Introduction A USB connection is available on the Océ ColorWave 650/550 printer panel. This USB connection is used to print from the USB storage device. Security on the USB port General USB port protection: •...
Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure. NOTE Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.
Roles and Passwords Roles and profiles Roles description 4 different roles exist in the product. Each of them has the ability to configure or modify some system settings. The roles are: • Key operator: The Key operator can manage the jobs and the device settings. •...
This password is used on the printer user panel to protect: • the network settings • the security settings NOTE Keep this password. The reset of this password may require the intervention of a Canon Service technician. Passwords modification Password modification table for Océ ColorWave 650 R3.x...
Access control Introduction Access control limits the access to the Océ system using an IP filtering method. Use the access restriction to limit the access to the printer NOTE Important: ALWAYS define the hosts before enabling Access control. In case Access control is enabled without any host configured, communication is blocked.
Audit log Introduction All changes related to security settings are logged in the Audit log. They can be downloaded and/or cleared. The operations stored in the Audit log In Océ Express WebTools, open the Support - Audit log tab to download the Audit log that contains information on any change made in settings.
Data security E-Shredding E-shredding presentation Introduction The e-shredding feature is a security feature that overwrites any user print data and any user print/copy/scan data when it is deleted from the system. This feature prevents the recovery of any deleted user data (files' content and attributes). A deleted job is a job that cannot be retrieved from any user interface.
IPsec IPsec presentation Introduction IPsec is a protocol that provides authentication, data confidentiality and integrity in the network communication between devices. A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network. You can connect up to 5 IPsec stations to the print/scan system.
Configure the IPsec settings on the Océ controller
Access control disabled:
- IPsec enabled: Encryption between the print/scan system and IPsec stations is activated.
- IPsec disabled: No filtering. No encryption. All stations can communicate with the system. The system can communicate with all stations.
Configure the IPsec settings on a workstation or a print server 3. In the 'Access control' section, click on the general 'Edit' 4. Check the 'Enable/Disable IPsec' box to enable 'IPsec' You can also activate the Access control 5. Enable 'IPsec control station 1' Tip: When you enable Access control, it is recommended to declare the workstation from which you remotely configure the system, at least during the configuration time (IPsec not needed).
Troubleshooting: Disable 'Access control' and IPsec (Océ ColorWave 650/550 systems) Purpose Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation. On the workstation, perform the 7 following actions: Add the security snap-in on page 122 Create the security policy on page 123 Create the filter list on page 124 Define the filter actions and security negotiation on page 126...
Troubleshooting: Disable 'Access control' and IPsec (Océ ColorWave 650/550 systems) 2. Select 'Setup' 3. Roll down to 'Disable access control' Enter the password if requested (Password to change the network settings). 4. Confirm to disable access control 5. Press 'Finish' 6.
Troubleshooting: Disable 'Access control' and IPsec (Océ ColorWave 650/550 systems) After the restart, you will be able to open Océ Express WebTools remotely from a workstation (HTTP).
HTTPS (on Océ ColorWave 650 R3.x) Encrypt print data and manage the system configuration using HTTPS (on Océ ColorWave 650 R3.x) Introduction On the Océ ColorWave 650 R3.x systems, you can use the HTTPS protocol to: - send encrypted print data to the printer controller via Océ...
- View and check the self-signed certificate in your web browser - Configure your web browser to trust the self-signed certificate Use the Océ self-signed certificate with Internet Explorer Procedure 1. On a workstation, type the URL address of your printer in Internet Explorer: https://[common Name or PrinterHostname or PrinterIPaddress] A warning window opens.
Use the Océ self-signed certificate with Internet Explorer 1. Place the certificate in the 'Trusted Root Certification Authorities' folder 2. Accept the warning 3. Finish the installation When the import is successful, the 'Océ Express WebTools' Certificate is recognised and its status is OK.
Use the Océ self-signed certificate with Mozilla Firefox 8. Open the Tools menu\Internet options\Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch" 9. Close ALL instances of Internet Explorer 10. Restart the browser and type the URL of your printer in Internet Explorer (https://[common Name or PrinterHostname or PrinterIPaddress]).
Request and import a CA-signed certificate 2. In order to view and check the self-signed certificate, continue to add an exception. 3. Click 'I Understand the Risks' and 'Add Exception...' 4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server.
Description of the overall procedure to request and import a CA-signed certificate The CA-signed certificate you will receive also contains the public key. This public key is linked to the private key already stored in the controller. In the controller, the private key and the public key must match to enable a secure HTTPS protocol.
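The key-matching requirement described above, as an added example that is not part of this manual: a POSIX shell script using the openssl command-line tool (assumed installed) that compares the public key inside the received certificate with the public key derived from the private key you backed up after generating the request, so a wrong backup is caught before the import step. The file names, the self-signed stand-in for the CA and the unrelated 'other.key' are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Océ manual: before importing a CA-signed
# certificate into the controller, confirm that the private key you backed
# up after generating the request is the one the certificate's public key
# belongs to. Assumes the openssl tool; all file names are constructed.
set -eu

# SHA-256 fingerprint of the public key carried inside a PEM certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a PEM private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the private key matches the certificate, 1 otherwise.
key_matches_cert() {
    [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Constructed sample material in a scratch directory (path printed on stdout):
#   controller.key  private key generated with the request (the backup)
#   controller.csr  the certificate request that would be sent to the CA
#   controller.crt  the certificate "returned by the CA" (self-signed stand-in)
#   other.key       an unrelated key, e.g. a backup taken from an older request
make_sample() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/controller.key" 2>/dev/null
    openssl req -new -key "$dir/controller.key" \
        -subj "/CN=printer.example.invalid" -out "$dir/controller.csr" 2>/dev/null
    openssl x509 -req -in "$dir/controller.csr" -signkey "$dir/controller.key" \
        -days 1 -out "$dir/controller.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
    echo "$dir"
}

# Stand-alone run: show both outcomes on the constructed material.
demo() {
    d=$(make_sample)
    if key_matches_cert "$d/controller.key" "$d/controller.crt"; then
        echo "controller.key matches controller.crt: safe to import"
    fi
    if ! key_matches_cert "$d/other.key" "$d/controller.crt"; then
        echo "other.key does NOT match controller.crt: restore the right backup first"
    fi
}
demo
```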
Description of the overall procedure to request and import a CA-signed certificate Step B4 - Import the Root certificate into the web browsers of the workstations. Description: The Root certificate identifies the Certification Authority. By default, the web browsers contain a list of well-known and trusted Root certificates.
How to prevent 'Print from USB' on Océ ColorWave 550/650 (and PP) Introduction You can disable any access to the USB device by preventing printing from the USB device. Illustration [7] USB direct print: Disabled How to disable the 'USB direct print' feature...
Smart Inbox management and job management Configure the Smart Inboxes and the job management settings You can use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data. Configure the job management settings to manage the visibility of jobs and their availability through Océ...
Overview Security overview for the Océ ColorWave 500 and ColorWave 700 systems Introduction The Océ ColorWave 500 and ColorWave 700 systems are equipped with the following security features: Security overview Operating System Microsoft Windows Embedded Standard 8 64 bit Firewall Network protocols protection Yes (per protocol, through firewall)
Security overview for the Océ ColorWave 500 and ColorWave 700 systems
Océ Publisher Express access: Access restriction
Control over actions on jobs: Remote action restriction
Control over Service operations: Operations made by Service under the control of the System Administrator on: - Océ...
System and Network security
Ports - Protocols
Applications, protocols and ports
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system
Columns: Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol
Océ...
Applications, protocols and ports
Columns: Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol
Print from Cloud: WebDAV | TCP 80: HTTP, TCP 443: HTTPS | TCP web proxy port, TCP WebDAV port
Notes: * Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
Applications, protocols and ports
Control management: INBOUND and OUTBOUND ports and protocols used by the system
Columns: Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol
PING IPv4: ICMPv4
PING IPv6: ICMPv6
nslookup: UDP local port: any, UDP remote port: 53
SNMP based applications: UDP 161: SNMP...
Security Patches
Install the Océ Remote patch
Introduction
You can install the Océ Remote patches (Security patches) in your Océ system.
Before you begin
Find the Océ Security patch on the Océ Downloads website at http://downloads.oce.com. Open the product page and go to the Security tab to download the available security patches.
Install a patch
Procedure
1.
Install the Océ Remote patch
6. Click OK
7. Browse to the Océ Remote patch and click OK to install it
8. Click OK to confirm the update
Chapter 6 - Security on Océ ColorWave 500 and Océ ColorWave 700...
Protocol protection Protocol protection Network protocols protection Introduction In these systems, you can completely disable some protocols in order to protect them against attacks. HTTPS (inbound), ICMP (ping), DNS protocols cannot be completely disabled. List of network protocols Protocols or Network Protocol ba‐...
Network protocols protection
Columns: Protocols or Network services | Protocol base | Available protection | Remarks
HTTP (inbound) | HTTP | There is no specific setting to disable the HTTP protocol. | Inbound HTTP is enabled as long as at least one of the following services is enabled: - 'Océ...
Prevent any outgoing connection to the Internet Prevent any outgoing connection to the Internet Introduction Some system features allow or request a connection over the Internet to work properly. When the Security Policy in a company prevents any outgoing network traffic over the Internet, perform all the following actions, step by step, in Express WebTools: In the Express WebT‐...
Security of the USB connection Security of the USB connection The USB connection on the printer user interface Introduction A USB connection is available on the touch panel. This USB connection is used to: • Install / upgrade the controller software •...
Contact your Canon representative to know which antivirus version to install on your Océ systems and get the installation procedure.
NOTE: Canon/Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.
Roles and Passwords Roles and Passwords Roles and profiles Roles description 4 different roles exist in the product. Each of them has the ability to configure or modify some system settings. The roles are: • Key operator: The Key operator can manage the jobs and the device settings. •...
Passwords policy and behaviour in the Océ ColorWave 500 and ColorWave 700 systems Passwords policy and behaviour in the Océ ColorWave 500 and ColorWave 700 systems Introduction There are 2 groups of passwords: • The passwords used in Océ Express WebTools •...
The 'Import templates' operation restores the passwords. Temporary password for the installation of 3rd party application To install a 3rd party application in the controller system, a Canon representative generates a temporary administrative password for the Windows Administrative account. This password is valid for 4 hours.
Access control
Introduction
Access control limits the access to the Océ system by IP filtering. In Océ Express WebTools, find the 'Access control' settings on the Security - Configuration page.
Pre-requisites
• The configuration of the 'Access control' settings is only available to the 'System administrator' and 'Power user'.
Audit log Audit log Introduction All changes related to security settings are logged in the Audit log. They can be downloaded and/or cleared. The operations stored in the Audit log In Océ Express WebTools, open the 'Security' - 'Audit log' tab to download the Audit log that contains information on any change made in settings.
Data security Data security User authentication Secure printing, copying and scanning operations with the User authentication Introduction In order to increase document confidentiality, the users can secure printing/copying/scanning operations with the user authentication. The 'User authentication' feature is an option. When the 'User authentication' feature is enabled: •...
Secure printing, copying and scanning operations with the User authentication Functional description The print workflow 1- The user logs in on a workstation to prepare the job. 2- The user uses a job submission tool to submit the job to the printer. The submitted job contains the job owner identity.
Impact of the user authentication on the system features and Océ WebTools Impact of the user authentication on the system features and Océ WebTools Introduction When the user authentication is activated, and in order to guarantee the data confidentiality: • Some features of the system are disabled (see below). •...
Impact of the user authentication on the system features and Océ WebTools Disabled feature on the system user panel The 'Move to top' feature on the system user panel is disabled. Additional information To secure the job data and job ownership on the network, during the job submission / the job scanning to external locations, the use of a secured network (IPsec for instance) is recommended.
User authentication: the standard workflows User authentication: the standard workflows Introduction Find below the standard workflow for printing and the standard workflow for scanning/copying when the user authentication is activated and configured on the Océ system. Standard workflow for print Step Action 1- Logging on a work-...
User authentication: the standard workflows
Step | Action
5- Job print | The user prints the jobs by clicking the green button.
6- Print queue | The user can open the print queue and follow the progress of the jobs.
NOTE: All the jobs in 'Ready to print' state are printed, even when the user logs out in the meantime.
The user authentication in the main job submission workflows
Step | Action
2- Workflow selection | The user selects Copy or Scan in the menu.
NOTE: For scan operations, it is recommended to scan to an external location (not locally on the controller). When the user logs in to an external location, the login name in the top menu is replaced by the login name to the external location.
The user authentication in the main job submission workflows
Columns: Steps | Recommendations / Remarks
2- Open Océ Publisher Select | Select and connect to a printer
3- Create a print job | The user account name that the Océ Publisher Select application will attach to the print job is: •...
Other submission workflows
Job submission with Océ PS3
Columns: Steps | Recommendations / Remarks
1- Log in on a workstation | Log in on the workstation with the same credentials as the ones you will use to authenticate on the printer panel later on. Example: 'user1' on domain 'domain.com'.
Other submission workflows If there is no ticket or no 'Username' in the ticket, then the content of the 'Job owner' field in Publisher Express is used. The user name entered in this field must not be blank. The name must be the same as the one that will be used to log in on the system (example: 'user@domain.com').
Additional information - Contact your Canon representative in case you want to use a smart card or a smart card reader which is not recorded in the above lists. - Plug the smart card reader into the USB port (contact your local Canon representative).
Configure the Smart card authentication Configure the Smart card authentication Introduction Perform the following steps to activate the user authentication and configure the smart card authentication. Before you begin The smart card and the smart card reader are compliant with the requirements. Activate the smart card authentication 1.
Validate the smart card configuration 3. Browse for one root or intermediate certificate. When the URL of the revocation server is embedded into the smart cards, leave the 'Forced URL of OCSP responder' field empty. Enter the URL of the revocation server only if this URL is not already embedded into the smart cards.
Authentication on the user panel 2. Below the 'User access mode' section, click 'Validate the configuration'. 3. Leave the 'User name' field empty and enter the PIN if it is required in the user access settings. 4. Click 'OK'. A report is generated: 5.
Troubleshooting of authentication by smart card After authentication, the name of the user is displayed in the top menu. Troubleshooting of authentication by smart card Introduction When an error occurs during the configuration of the authentication by smart card, go to the 'Security' - 'Configuration' page and start the validation tool (See topic 'Validate the smart card configuration').
Troubleshooting of authentication by smart card
Columns: Error message attached to the red cross | Possible cause(s) | Actions
List certificates: Chain status not trusted | At least one root or intermediate certificate is missing or in | Create all the necessary (root and intermediate) certificate(s) in Océ...
Authentication by user name and password
Configure the user authentication by user name and password
Introduction
Perform the following steps to activate and configure the user authentication by user name and password.
Before you begin
A domain containing users with Microsoft Active Directory credentials.
Configure the user authentication by user name and password 2. Click 'Create new' to create a domain: 3. Enter a name for the domain. This name will appear on the user panel as the domain name, so it is recommended to give it a clear name. 4.
Validate the configuration Example: 'user1@mydomain.com' is logged in on the printer. This user will see only the jobs that have been submitted by 'user1@mydomain.com'. So the user must make sure that the submission process embedded this information. When this setting is not activated, only the user name (without the suffix) is used for the job filtering.
Authentication on the system user panel 5. Check there is no red cross icon in the report. If there is a red cross, solve the issue or check the solutions in the troubleshooting section below. Authentication on the system user panel Introduction On the system user panel, tap the 'log in' icon to display the window.
Troubleshooting
Columns: Error message attached to the red cross | Possible cause(s) | Actions
Domain not correctly configured | No domain defined | Define at least one domain in Océ Express WebTools (go to the 'Security' - 'Domains' page)
Error in DNS lookup: | The domain entered is not correct.
Log out
Introduction
A session can be manually interrupted by a manual log out, or automatically interrupted by the session time-out, under any conditions (normal working condition or in an error status). A warning message announces the session time-out 10 seconds before the session closes. When the session time-out expires, the user session is automatically closed, even when a smart card is inserted.
Special cases: a time-out, pause, or error occurs
Columns: Case | Status of the jobs | When the session time-out or log out occurs
'User A' has submitted a job. | There is at least one job in | The job in 'printing' and in 'Ready to
Special cases: a time-out, pause, or error occurs
An error occurs
Columns: Case | Status of the jobs | Then
An error occurs on a job | The job is put on hold. It will not be printed until the problem is solved. | When the issue is fixed before the time-out occurs, the job restarts and
Troubleshooting Troubleshooting Troubleshooting after a successful authentication The authentication is successful but I cannot see the job I submitted to the system. Possible cause: The owner of the job (the user name sent within the job) does not match the user name of the user authenticated on the system.
Disable the user authentication
Possible cause: The time for the processing of the jobs exceeds the user session time-out. Not all the jobs have reached the 'Ready to print' or 'Printing' status.
Action: Increase the 'User session time-out' (in Océ Express WebTools - Security - 'Configuration' - 'User access configuration').
Disable the user authentication
7. Restart the system.
Result
The user authentication is disabled.
• The release of the Océ ColorWave 500 or Océ ColorWave 700 system is R4.1 or higher.
• The hard disk encryption licence. Contact your Canon representative.
• A TPM (Trusted Platform Module) board installed in the controller.
A Service technician installs the license and the TPM board. Make sure the System Administrator grants him the permission by setting 'Allow Service to access licenses information' (in Express WebTools, in 'Security' - 'Configuration', 'Permissions for Service').
Hard disk encryption 2. In the 'Current Security Configuration' window, check the encryption mode. The disk encryption status can be: • 'No encryption' • 'Full disk encrypted' (Full mode) - AES-128 method • 'Used space encrypted' (Normal mode) - AES-128 method How to change the encryption mode Contact your Service representative to change the encryption mode.
E-Shredding
E-shredding presentation
Introduction
The e-shredding feature is a security feature which overwrites any user print data and any user print/copy/scan data when it is deleted from the system. This feature prevents the recovery of any deleted user data (file's content and attributes). A deleted job is a job that cannot be retrieved from any user interface.
Enable the e-shredding in Océ Express WebTools
Before you begin
You must be logged in as a System Administrator or a Power user.
Perform the following actions:
1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools
2.
Enable the e-shredding in Océ Express WebTools • On the printer user panel, an indication is displayed in the System menu: 'E-shredding enabled': Each time data (file's content or attributes) is deleted from the system, the e-shredding process occurs. For a while, the E-shredding feedback returns 'busy'. In the Océ...
E-shredding process and system behaviour
When you enable the e-shredding
When you enable the e-shredding feature, the system starts the e-shredding process for all scan/copy/print jobs that will be deleted. The e-shredding process runs as a background task. All processed jobs will be e-shredded after they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of the print or scan jobs by the system (time-out, disabled Smart...
IPsec IPsec IPsec presentation Introduction IPsec is a protocol that provides authentication, data confidentiality and integrity in the network communication between devices. A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network. You can connect up to 5 IPsec stations to the print/scan system.
IPsec presentation
Columns: | IPsec enabled | IPsec disabled
Access control disabled | Encryption between the print/scan system and IPsec stations is activated. All stations can communicate with the system. The system can communicate with all stations. The communication is encrypted ONLY with the stations configured as IPsec stations. | No filtering. No encryption.
Configure the IPsec settings in the Océ controller
Before you begin
You must be logged in as a System Administrator or a Power user.
To benefit from the full IPsec mechanism, the DHCP protocol must not be used. On the Configuration - Connectivity page, disable all the network settings that require DHCP.
Configure the IPsec settings in the Océ controller
8. Restart the controller
Result
The IPsec settings are configured on the controller for a connection to a workstation.
Configure the IPsec settings on a workstation or a print server
When to do
After the IPsec configuration on the controller.
Pre-requisites
Log on to the workstation with administration rights.
Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation.
Create the security policy
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
4. Keep 'Local computer' checked and click 'Finish'
The security snap-in is added, click 'OK'
Create the security policy
Procedure
1.
Create the filter list
3. Enter the name for the policy and click 'Next'
4. Uncheck 'Activate the default response rule'
5. Uncheck 'Edit properties' and click 'Finish'
Create the filter list
Procedure
1. In the console, right click on 'IP Security Policies on local Computer' and select 'Manage IP filter lists and filter actions…'
Chapter 6 - Security on Océ...
Create the filter list
2. In the 'Manage IP filter lists' tab click 'Add'
3. Enter a filter name and a description and click 'Add'
4. Click 'Next' to open the wizard
5. Check the 'Mirrored' checkbox and click 'Next'
6.
Define the filter actions and security negotiation
8. Select 'Any' as the 'IP Protocol Type' and click 'Next'
9. Click 'Finish'
10. In the 'IP filter list' window, click OK
The filter list is set
Define the filter actions and security negotiation
Procedure
1.
Define the security rule
4. Select 'Negotiate security' and click 'Next'
5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the Operating System) and click 'Next'
6. Select 'Custom' and click on the 'Settings...' button
7.
Define the security rule
2. Click 'Next'
3. Select 'This rule does not specify a tunnel', and click 'Next'
4. As the Network type, select 'All network connections' and click 'Next'
5. Select the filter previously created then click 'Next'
6.
Assign the security policy
7. In the 'Authentication method' window, check 'Use this string to protect the key exchange (preshared key)'
8. Enter the preshared key you set in Express WebTools (see Configure the IPsec settings in the Océ controller on page 120), then click 'Next'
9.
Customize the IPsec settings
2. To test the configuration, open a 'command' window and issue a 'ping' command from this IPsec station to the printer/scanner controller
Customize the IPsec settings
Procedure
1. In the Control panel select 'Windows Firewall' - 'Advanced settings' to open the 'Windows Firewall with Advanced Security' window
2.
Customize the IPsec settings
5. In the 'Data protection (Quick Mode)' select 'Advanced' and click on 'Customize...'
6. Check the 'Require encryption for all connection security rules that use these settings.' box
7. Click 'OK' on all open windows to validate and close them.
After you finish
For Océ...
Troubleshooting: Disable 'Access control' and IPsec Troubleshooting: Disable 'Access control' and IPsec Introduction In the following case: • Access control and IPsec have been enabled without any station defined • The communication between the controller and the host stations fails Any remote connection to Océ...
Troubleshooting: Disable 'Access control' and IPsec
6. Press 'Finish'
7. Restart the controller
Result
Access control and IPsec functions are disabled. After the restart, you will be able to remotely open Océ Express WebTools from any workstation (HTTP).
HTTPS HTTPS Encrypt print data and manage the system configuration using HTTPS Introduction In the Océ systems, you can use the HTTPS protocol to: - send encrypted print data to the printer controller via Océ Publisher Express - save encrypted scan jobs from the printer controller (Scans Inbox) - securely manage the configuration of the system through Océ...
Use the Océ self-signed certificate with Internet Explorer - Configure your web browser to trust the self-signed certificate Use the Océ self-signed certificate with Internet Explorer Procedure 1. On a workstation, type the URL address of your printer in Internet Explorer: https://[common Name or PrinterHostname or PrinterIPaddress] A warning window opens.
Use the Océ self-signed certificate with Internet Explorer
1. Place the certificate in the 'Trusted Root Certification Authorities' folder
2. Accept the warning
3. Finish the installation
When the import is successful, the 'Océ Express WebTools' Certificate is recognised and its status is OK.
Use the Océ self-signed certificate with Mozilla Firefox
8. Open the Tools menu\Internet options\Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch"
9. Close ALL instances of Internet Explorer
10. Restart the browser and type the URL of your printer in Internet Explorer (https://[common Name or PrinterHostname or PrinterIPaddress]).
Use the Océ self-signed certificate with Mozilla Firefox
2. In order to view and check the self-signed certificate, continue to add an exception.
3. Click 'I Understand the Risks' and 'Add Exception...'
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server.
Request and import a CA-signed certificate Request and import a CA-signed certificate Description of the overall procedure to request and import a CA-signed certificate Introduction By default the first certificate delivered for the use of HTTPS is an Océ self-signed certificate. To ensure a fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).
Back up a certificate and a private key
Step A5 - Back up the private key
Description: Save a back up of the private key associated with the certificate you will receive. See 'Back up a certificate and private key' on page 226.
Generate a CA-signed certificate request • AFTER the generation of the certificate request: To save the private key linked to the certificate request. • AFTER the import of the new certificate (step B5): To save your new certificate and private key, in order to be able to restore them if needed. Back up the current certificate and private key Procedure 1.
Save and send the request
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvDCCASQAwfDELMAkGA1UEBMCRlIxDDAKBgNVBAgTA0lERjEQMA4GA1UEBxMHQ1JFVEV
TDEBEGA1UEChMKT2NlIFBMVCBTQTEMMAoGA1UECxMDU05TMSowKAYDVQQDEyF0ZHM3MDAtNzQw
LnNucy5vY2VjcmV0WlsLm9jZS5uZwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2NKQM
HjiDZ1khzTJTORxHqjKl3AtE3PXqRsiHouTH5JTceYtaBjCnxCJ4pGKY5iKN8KJiJuZG8PHxY7o
W/+zpvxN2VtX7TcyTAvyCThUwL+cqo75tvODo5HMCUa2sLdl8GO9WMLpgZkxH5KzIiO+LcI4
yQbqhENynywS0C2ObXCq3yksF74+XIO0swhoA2yfDp4T+LuF3wxys8lUH3ZhhkOYg=
-----END NEW CERTIFICATE REQUEST-----
Save and send the request
When to do
NOTE: Step A3 of the HTTPS 'Description of the overall procedure' on page 225.
Import the [Intermediate certificate]
4. Browse to the Root certificate file and click [Import].
NOTE: The Root certificate may already exist in the web server certificates list.
5. Validate to confirm the import.
6. When the message [Certificate successfully imported.] pops up, go on to import the [Intermediate certificate].
Reset the current certificate
Restore the certificate and private key
Procedure
1. In a web browser, open Océ Express WebTools (http(s)://[IP address or hostname])
2. On the 'Security' - 'HTTPS' page, select [Restore certificate and private key]
3. Browse to the back up file
4.
Scan to Home folder / Print from Home folder Scan to Home folder / Print from Home folder Introduction Home folders are private network locations where the Active Directory users can store their files. With the 'Scan to Home folder' feature, an authenticated user can send scanned files from the system directly to his/her Microsoft Active Directory Home folder.
Troubleshooting Result Both methods send the scanned files to the users' private Home folder (root directory). Print from the Home folder An authenticated user can also print from his/her private Home folder: 1. At the system panel, select the 'Print' tile to turn it into 'Print from...'. 2.
Prevent 'Print from USB' and/or 'Scan to USB' Prevent 'Print from USB' and/or 'Scan to USB' How to prevent 'Print from USB' and/or 'Scan to USB' Introduction You can disable any access to the USB device by preventing printing from / scanning to the USB device.
Smart Inbox management and job management Smart Inbox management and job management Configure the Smart Inboxes and the job management settings You can use the Smart Inbox management features of your system to limit and restrict the access to the print and scan job data. Configure the job management settings to manage the visibility of jobs and their availability through Océ...
Overview
Security overview for the Océ ColorWave 810, Océ ColorWave 900 and Océ ColorWave 910 systems
Introduction
The Océ ColorWave 810, Océ ColorWave 900 and Océ ColorWave 910 systems are equipped with the following security features:
Security overview
Operating System: Microsoft Windows Embedded Standard 8 64 bits
Firewall - Network protocols protection...
System and Network security
Ports - Protocols
Applications, protocols and ports
Printing applications: INBOUND and OUTBOUND ports and protocols used by the system
Columns: Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol
Océ...
Applications, protocols and ports
Columns: Application / Functionality | INBOUND ports on the controller: protocol | OUTBOUND ports from the controller: protocol
Océ Express WebTools: TCP 80: HTTP, TCP 443: HTTPS
Océ Account Center: TCP 80: HTTP
Accounting information retrieval: TCP 80: HTTP
Océ...
Security Patches
Install the Océ Remote patch
Introduction
You can install the Océ Remote patches (Security patches) in your Océ system.
Before you begin
Find the Océ Security patch on the Océ Downloads website at http://downloads.oce.com. Open the product page and go to the Security tab to download the available security patches.
Important: When the Service technician installs the patches, make sure the System Administrator allows him to do it (in 'Security' - 'Configuration').
Install the Océ Remote patch
6. Click OK
7. Browse to the Océ Remote patch and click OK to install it
8. Click OK to confirm the update
Chapter 7 - Security on Océ ColorWave 810, Océ ColorWave 900 and Océ ColorWave 910...
Protocol protection Protocol protection Network protocols protection Introduction In these systems, you can completely disable some protocols in order to protect them against attacks. HTTPS (inbound), ICMP (ping), DNS, LPR protocols cannot be disabled. List of network protocols Protocols or Network Protocol ba‐...
Network protocols protection Note: To disable a network protocol or network service, go to the Preferences / Connectivity section of the Océ Express WebTools and uncheck the protocol or service. To disable the connection to Remote Service, go to Preferences / System defaults / Service related information.
Prevent any outgoing connection to the Internet Prevent any outgoing connection to the Internet Introduction Some system features allow or request a connection over the Internet to work properly. When the Security Policy in a company prevents any outgoing network traffic over the Internet, perform all the following actions, step by step, in Express WebTools: In the Express WebT‐...
Security of the USB connection Security of the USB connection The USB connection on the printer user interface Introduction A USB connection is available on the touch panel. This USB connection is used to: • Install / upgrade the controller software •...
Roles and Passwords Roles and Passwords Roles and profiles Roles description 4 different roles exist in the product. Each of them has the ability to configure or modify some system settings. The roles are: • Key operator: The Key operator can manage the jobs and the device settings. •...
Passwords policy in the Océ ColorWave 810 and ColorWave 910 systems
Columns: Password for | Can be changed by
Proxy authentication (for Remote Service) | System administrator or Power user
Audit log Audit log Introduction All changes related to security settings are logged in the Audit log. They can be downloaded and/or cleared. The operations stored in the Audit log In Océ Express WebTools, open the 'Security' - 'Audit log' tab to download the Audit events log that contains information on any change made in settings.
Data security Data security HTTPS Encrypt print data and manage the system configuration using HTTPS Introduction In the Océ systems, you can use the HTTPS protocol to: - send encrypted print data to the printer controller via Océ Publisher Express - securely manage the configuration of the system through Océ...
Use the Océ self-signed certificate with Internet Explorer - View and check the self-signed certificate in your web browser - Configure your web browser to trust the self-signed certificate Use the Océ self-signed certificate with Internet Explorer Procedure 1. On a workstation, type the URL address of your printer in Internet Explorer: https://[common Name or PrinterHostname or PrinterIPaddress] A warning window opens.
Use the Océ self-signed certificate with Internet Explorer
1. Place the certificate in the 'Trusted Root Certification Authorities' folder
2. Accept the warning
3. Finish the installation
When the import is successful, the 'Océ Express WebTools' Certificate is recognised and its status is OK.
Use the Océ self-signed certificate with Mozilla Firefox
8. Open the Tools menu\Internet options\Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch"
9. Close ALL instances of Internet Explorer
10. Restart the browser and type the URL of your printer in Internet Explorer (https://[common Name or PrinterHostname or PrinterIPaddress]).
Use the Océ self-signed certificate with Mozilla Firefox
2. In order to view and check the self-signed certificate, continue to add an exception.
3. Click 'I Understand the Risks' and 'Add Exception...'
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server.
Request and import a CA-signed certificate
Description of the overall procedure to request and import a CA-signed certificate
Introduction
By default, the first certificate delivered for the use of HTTPS is an Océ self-signed certificate. To have the printer's identity verified against a trust anchor that browsers already trust, instead of each user installing the self-signed certificate, you can request and import a certificate issued by a Certification Authority (CA-signed certificate).
Back up a certificate and a private key
Step A5 - Back up the private key: save a backup of the private key associated with the certificate you will receive. See 'Back up a certificate and private key' on page 226.
Generate a CA-signed certificate request
• AFTER the generation of the certificate request: to save the private key linked to the certificate request.
• AFTER the import of the new certificate (step B5): to save your new certificate and private key, so that you can restore them if needed.
Back up the current certificate and private key
Procedure
1.
Save and send the request
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvDCCASQAwfDELMAkGA1UEBMCRlIxDDAKBgNVBAgTA0lERjEQMA4GA1UEBxMHQ1JFVEV
TDEBEGA1UEChMKT2NlIFBMVCBTQTEMMAoGA1UECxMDU05TMSowKAYDVQQDEyF0ZHM3MDAtNzQw
LnNucy5vY2VjcmV0WlsLm9jZS5uZwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2NKQM
HjiDZ1khzTJTORxHqjKl3AtE3PXqRsiHouTH5JTceYtaBjCnxCJ4pGKY5iKN8KJiJuZG8PHxY7o
W/+zpvxN2VtX7TcyTAvyCThUwL+cqo75tvODo5HMCUa2sLdl8GO9WMLpgZkxH5KzIiO+LcI4
yQbqhENynywS0C2ObXCq3yksF74+XIO0swhoA2yfDp4T+LuF3wxys8lUH3ZhhkOYg=
-----END NEW CERTIFICATE REQUEST-----
Save and send the request
When to do: at step A3 of the 'Description of the overall procedure' (HTTPS) on page 225.
Import the [Intermediate certificate]
4. Browse to the Root certificate file and click [Import].
NOTE: The Root certificate may already exist in the web server certificates list.
5. Validate to confirm the import.
6. When the message [Certificate successfully imported.] pops up, go on to import the [Intermediate certificate].
Reset the current certificate
Restore the certificate and private key
Procedure
1. In a web browser, open Océ Express WebTools (http(s)://[IP address or hostname]).
2. On the 'Security' - 'HTTPS' page, select [Restore certificate and private key].
3. Browse to the backup file.
4.
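As an added worked example, not part of the Océ manual or of Océ Express WebTools, the following script shows the openssl checks a workstation administrator can run before trusting the self-signed certificate from the browser procedures above and before importing the Root, Intermediate and CA-signed certificates into the controller: compare the certificate's SHA-256 fingerprint with a value obtained out of band, confirm that the Common Name in the certificate request is exactly the name that will be typed into the browser (so the address-mismatch warning never needs to be disabled), and verify that the CA-signed certificate chains to the root through the intermediate and is valid for the printer's host name. The host name printer.example.test, the file names and the throwaway demo CA are assumptions; the script constructs its own keys and certificates so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the Océ manual or of Océ Express WebTools.
# openssl checks to run on a workstation before trusting a self-signed
# certificate or importing a CA-signed chain. The host name
# printer.example.test and all file names below are assumptions.

# SHA-256 fingerprint (colon-separated hex) of a PEM certificate. Compare it
# with a value obtained out of band before placing the certificate in a
# trust store or adding a browser exception.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 when the Common Name in the CSR is exactly the name you will type
# into the browser, so the issued certificate will match the address.
csr_cn_matches() {
    cn=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Returns 0 when the leaf chains to the root through the intermediate (the
# three files imported, in that order, into the controller). An optional
# fourth argument also checks that the leaf is valid for that host name.
check_chain() {
    if [ $# -ge 4 ]; then
        openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    fi
}

# Constructed demo material: throwaway P-256 keys and one-day certificates in
# a temporary directory. Sets ROOT, OTHER_ROOT, INT, CSR and LEAF.
demo_setup() {
    D=$(mktemp -d) || return 1
    KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    # Two self-signed roots: the one that issues our chain and an unrelated one.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$D/ca.ext"
    for name in root other; do
        openssl req -new $KEY -keyout "$D/$name.key" -out "$D/$name.csr" \
            -subj "/CN=Demo $name CA" 2>/dev/null || return 1
        openssl x509 -req -in "$D/$name.csr" -signkey "$D/$name.key" -days 1 \
            -extfile "$D/ca.ext" -out "$D/$name.pem" 2>/dev/null || return 1
    done
    # Intermediate CA signed by the demo root.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$D/int.ext"
    openssl req -new $KEY -keyout "$D/int.key" -out "$D/int.csr" \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null || return 1
    openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
        -CAcreateserial -days 1 -extfile "$D/int.ext" -out "$D/int.pem" 2>/dev/null || return 1
    # Printer CSR (what the controller would generate) and the CA-signed leaf.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:printer.example.test' > "$D/leaf.ext"
    openssl req -new $KEY -keyout "$D/leaf.key" -out "$D/leaf.csr" \
        -subj "/CN=printer.example.test" 2>/dev/null || return 1
    openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.pem" -CAkey "$D/int.key" \
        -CAcreateserial -days 1 -extfile "$D/leaf.ext" -out "$D/leaf.pem" 2>/dev/null || return 1
    ROOT=$D/root.pem; OTHER_ROOT=$D/other.pem; INT=$D/int.pem
    CSR=$D/leaf.csr; LEAF=$D/leaf.pem
}

demo_cleanup() { rm -rf "$D"; }

main() {
    demo_setup || { echo "demo setup failed (is openssl installed?)"; return 1; }
    echo "root fingerprint: $(cert_fingerprint "$ROOT")"
    csr_cn_matches "$CSR" printer.example.test && echo "CSR CN matches printer.example.test"
    check_chain "$ROOT" "$INT" "$LEAF" printer.example.test && echo "chain verifies and is valid for printer.example.test"
    check_chain "$OTHER_ROOT" "$INT" "$LEAF" || echo "chain rejected with the unrelated root (expected)"
    demo_cleanup
}
main
```

In real use, replace the constructed files with the request downloaded from the controller (step A3) and the Root, Intermediate and CA-signed certificate files returned by the CA; if `check_chain` fails with the files you were given, the import order or the intermediate is wrong and the browsers will not trust the printer after the import either.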