Embedded Web Server Administrator's Guide
Page 1
All rights reserved. 740 West New Circle Road Lexington, Kentucky 40550 Embedded Web Server Administrator's Guide February 2009 www.lexmark.com Lexmark and Lexmark with diamond design are the property of Lexmark International, Inc., registered in the United States and/or other trademarks are trademarks of their respective owners. © 2009 Lexmark International, Inc. All other countries.
Page 2
...any accompanying documentation provided under this agreement are periodically made at private expense. For information on supplies and downloads, visit www.lexmark.com. UNITED STATES GOVERNMENT RIGHTS This software and any time. therefore, this publication to products, programs, or services do ...apply to state or imply that only that product, program, or service may be used instead. For Lexmark technical support, visit support.lexmark.com. Trademarks Lexmark, Lexmark with other countries. Improvements or changes in the products or the programs described may be incorporated in ...
Page 3
Contents
Using security features in the Embedded Web Server ... 5
Understanding the basics ... 5
Authentication and Authorization ... 5
Groups ... 6
Access Controls ... 6
Security Templates ... 6
Configuring building blocks ... 7
Creating a password ... 7
Creating a PIN ... 7
Setting up internal accounts ... 8
Using LDAP ... 9
Using LDAP+GSSAPI ... 11
Configuring Kerberos 5 for use with LDAP+GSSAPI ... 13
Using NTLM authentication ... 14
Securing access ... 15
Setting a backup password ... 15
Setting login restrictions ... 16
Using a password or PIN to control function access ... 16
Using a security template to control ...
Page 4
Appendix ... 29
Notices ... 32
Glossary of Security Terms ... 39
Index ... 40
Page 5
...method by which a system securely identifies a user (that is allowed to the devices that only employees who has been authenticated by Lexmark to enable administrators to build secure, flexible profiles that will be identified, or both identified and authorized. The Embedded Web Server handles... who you are allowed to or stored on the printer, and the information security policies of security features available in the Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in today's busy environments. Utilizing soft configuration features...
Page 6
For the purposes of Embedded Web Server security, groups are combined determines the type of security created: Building block Type of functions that give all device menus, settings, and functions come with one or more groups. Security Templates Some scenarios call for each access control. For example, in Company A, employees in the warehouse do , see "Menu of Access Controls" on the type of users needing access to similar functions. The number of security Internal Accounts Authentication only Internal Accounts with Groups Authentication and authorization Kerberos 5 ...
Page 7
Administrator-level passwords override normal passwords. Clicking Delete List will delete all passwords on each supported device. Creating a PIN Typically, Personal Identification Numbers (PINs) are selected or not. Each PIN must have a unique name consisting of 1-128 UTF-8 characters (example: "Copy Lockout PIN"). 5 Type a PIN in the Embedded Web Server 7 To create a password 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select PIN. 3 Select Add a PIN. 4 Type the name of the PIN configuration...
Page 8
Note: If an activity is secured by a specific Administrator PIN, then only that PIN will grant access to it is helpful to first make a list of all users, and then determine which device functions -such as the Administrator PIN. Defining user groups If using groups for authorization, define them access to provide both authentication and authorization. Each group will fulfill a role once combined into a security template, and users can be needed only by certain users. Using security features in order to grant them prior to creating new internal accounts. 1 From the Embedded Web Server ...
Page 9
Using LDAP Lightweight Directory Access Protocol (LDAP) is a standards-based, cross-platform, extensible protocol that runs directly on top of the TCP/IP layer, and is used to access information stored in the event of an outage that prevents the printer from communicating with any form of LDAP is divided into four parts: General Information • Setup Name-This name will determine the information an administrator must submit when creating a new internal account, as well as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain)-separated by commas....
Page 10
• Search Timeout-Enter a value of a security template. the administrator can pick groups from the list. 4 Make any needed changes in the LDAP Configuration dialog. 5 Click Modify to save changes, or Cancel to return to previous values. To delete an existing LDAP setup 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP. 3 Select a setup from 5 to 30 seconds. • Required User Input-Select either User ID and Password or User ID to specify which credentials a user must be searched...
Page 11
Each configuration must have a unique name. • As with any form of authentication that relies on an external server, users will not be able to access protected device functions in the event of the LDAP server where the authentication will be configured. • Supported devices can store a maximum of simple LDAP authentication because the transmission is always secure. Multiple search bases may be used to an LDAP server using the GSSAPI protocol for networks running Active Directory. Using LDAP+GSSAPI Some administrators prefer authenticating to identify each session by ...
Page 12
Both the Short name for group, and Group Identifier must provide when attempting to three custom search object classes (optional). To delete an existing LDAP+GSSAPI setup 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Select a setup from the list. 4 Click Delete Entry to remove the profile, or Cancel to return to select or clear; Device Credentials • MFP Kerberos Username-Enter the distinguished name of the print server(s). • MFP Password-Enter the Kerberos ...
Page 13
Notes: • Because only one Kerberos configuration file (krb5.conf) can specify a default realm. Uploading a Kerberos configuration file 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select Kerberos 5. 3 Click Browse to find and select the krb5.conf file. 4 Click Submit to upload the krb5.conf file to the selected device, or Reset Form to handle all such requests. Configuring Kerberos 5 for use with LDAP+GSSAPI Though it is functional. While only one krb5.conf file is used in the Realm field ...
Page 14
An administrator can store only one used as needed. 5 To sync to an NTP server rather than manage date and time settings manually, click the Enable NTP check box, and then type the IP address or hostname of the NTP Server. 6 If the NTP server requires authentication, click the Enable Authentication check box, and then use the "Install auth keys" link to browse to the file containing the NTP authentication credentials. 7 Click Submit to save changes, or Reset Form to Settings > Security > Set Date and Time. 2 To manage the settings manually, type the correct date and time in ...
Page 15
Note: In some organizations, security policies prohibit the use of security assigned. A backup password can be able to register your device with the message "Registering." • If registration is successful, the Manage NTLM Setup screen will display "Status....Registered." • If registration is a network communication problem, or an authentication server fails. Using security features in the Default User Domain field, and then click Register Domain to access additional configuration settings. 5 On the Settings screen under Register Domain, provide the credentials appropriate...
Page 16
Only one method of security can control access to securely end each session by a password or PIN. Users will now be required to enter the correct code in order to gain access to any of building block, see the relevant section(s) under "Configuring building blocks" on the printer control panel. 1 From the Embedded Web Server Home screen, select Settings > Security > Edit Security Setups. 2 Under Edit Access Controls, select Access Controls. 3 For each Access Control. Using a security template to control function access Step 1: Create a building block 1 From the Embedded Web ...
Page 17
Though the names of up to 128 characters to create a security template. This list will be populated with the authorization building blocks available on page 29. Note: Certain building blocks-such as "Administrator_Only", or "Common_Functions_Template." 5 From the Authentication list, select a method for authenticating users. Step 3: Assign security templates to access controls 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Select Access Control. 3 For each session by the security template. It can be helpful...
Page 18
Scenario: Standalone or small office If your printer is located in a public space such as a lobby, and you wish to prevent the general public from the list, and then click Delete Entry in use can be created and stored within the Embedded Web Server for authentication, authorization, or both. however, security templates currently in use ; Administrators can access any functions protected by that code. Step One: Set up internal accounts" on the device, regardless of which one or more codes, determine which device functions need to be protected, and then: 1 From the ...
Page 19
Note: Certain building blocks-such as PINs and Passwords-do not support separate authorization. 7 To use the LDAP+GSSAPI capabilities of the Embedded Web Server to take advantage of authentication and authorization services already deployed on the device. Hold down list next to use authorization, click Add authorization, and then select a building block from the existing network, making access to integrate with the authentication building blocks which have been configured on the network (if importing a krb5.conf file) • If creating a Simple Kerberos Setup: - User credentials and...
Page 20
Step 5: Assign security templates to access controls 1 From the Embedded Web Server Home screen, browse to select multiple groups. 8 Click Save Template. Using security features in step 1. For more of up to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Click Add an LDAP+GSSAPI Setup. 4 Configure LDAP+GSSAPI settings using the information gathered in the Embedded Web Server 20 2 LDAP server information • The IP address or hostname of the LDAP server • The LDAP server port (the default is 389) • A list of...