Enabling Transport Layer Security encryption for InfoPrint Manager servers for AIX
To enable TLS encryption for InfoPrint Manager servers, follow these steps:
- Copy the provided sample configuration file,
ipmssl.cfg, from the/usr/lpp/pd/cfg-samples/ssl/serverdirectory to the/var/pddir/default_cell/ssldirectory. - If you are using a custom CA, copy the CA certificate file (public part) to the InfoPrint Manager server.
- Copy the server certificate and key to the InfoPrint Manager server. Make sure that the certificate key is stored in a secure location and only available for reading to the user that runs the InfoPrint Manager server.
- If you have Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager server.
- Edit the
ipmssl.cfgfile using a text editor. These keywords must be configured: EnableTLS, CertFile, and KeyFile. If the server certificate key file and the server certificate are combined in one file, only theCertFilekeyword must be configured andKeyFilemust be left commented. If the certificate files and keys are found in the same directory as the configuration file, the full path is optional. Otherwise, the full path should be specified.Uncomment and change the following keyword values (where available):
- Uncomment and set
EnableTLSto 1. - Uncomment the
CertFilekeyword and specify the file name for the server certificate file. - Uncomment the
KeyFilekeyword and specify the file name for the server certificate key. - Optional: uncomment the
CAFilekeyword and specify the file name for the CA certificate if you are using a custom CA. - Optional: uncomment the
CrlFilekeyword and specify the file name for the CRL certificate if you have one available. - ) Optional: uncomment and set
MutualAuthenticationRequiredto 1 if you are planning to use Mutual Authentication.The last two optional keywords are commonly used if errors occur during the TLS handshake:
CertValidationIgnoreHostNamecan help if the client host name from the DNS is different from the value set in the certificate presented by the client during the TLS handshake (Subject field and X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 prevents the validation of the host name.This table shows how validation is made if the Subject field from the certificate contains a wildcard:
Host name Certificate Subject or Certificate Subject Alternative Name Validation host.example.com host.example.com OK host.example.com *.example.com OK host.subdomain.example.com *.subdomain.example.com OK host.example.com host.another-example.com FAIL host.subdomain.example.com host.another-subdomain.example.com FAIL host.example.com host*.example.com FAIL host.example.com *host.example.com FAIL host.subdomain.example.com host*.subdomain.example.com FAIL host.subdomain.example.com *host.subdomain.example.com FAIL Note: To be valid, a host name in certificate must have at least 2 (two) dots.IgnoreCertificateErrorsignores any errors related to the client certificate (invalid value presented in the certificate Subject or SAN fields, certificate expired, client not sending a certificate, and so on.)
- Uncomment and set
- Reboot the computer or restart all InfoPrint Manager components that run (Notification, SAP, LPD, DPF, IPP, LDAP, MVSD Download, Web Server)
and all InfoPrint Manager servers.
Sample ipmssl.cfg configuration file:
# # IPM SSL/TLS configuration file (server) # ############################################################################# # # Empty lines and whitespace-only lines are ignored, as are lines whose # first non-whitespace character is a semicolon (;) or a hash (#). # This file use hashes to denote commentary and semicolons for options # you may wish to configure. # Every comment applies to the following section or option. The defaults # refer to IPM's built-in values, not anything set in this file. # # Uncomment the lines where you want to do a change and enter the # desired value. Option names are case-sensitive. # # If a full path is required but only a file name is provided # (i.e., no '/' or '\' in file name), the lookup for the file is # done only in the directory where this configuration file # is located. Apply to: CAFile, CrlFile, CertFile, KeyFile. # # IMPORTANT: If you make changes to this file, make sure that # you restart all the InfoPrint Manager processes. # On Windows operating system, make sure that you # also restart Print Spooler service. # ############################################################################# # # Enable/disable encryption (0 = disabled, 1 = enabled). # Default: 0 # ;EnableTLS = 0 # # Path to a file containing one or more Certificate Authority (CA). # Required if mutual authentication is enabled and _client_ certificate is # not signed by a globally known CA. See also MutualAuthenticationRequired. # Default: <empty> # ;CAFile = # # Path to a file containing one or more Certificate Revocation List (CRL). # Default: <empty> # ;CertFile = # # If the key is not combined with the certificate this directive will # specify the path to Certificate Private Key (KEY) file. # Default: <not set>, required. # ;KeyFile = # # Enable/Disable mutual authentication (0 = disabled, 1 = enabled). # Default: 0 # # Note that you should NOT use a globally known CA when mutual authentication # is enabled. i.e., using a Verisign certificate as a "known CA" means that # ANYONE who has a certificate signed by them will be authenticated. # This is most likely not what you want. Generate your own CA certificate, # client keys and certificates, etc. # ;MutualAuthenticationRequired = 0 # # When enabled will prevent comparing client name with the name in # certificate subject. Also apply to Subject Alternative Name (SAN). # Ignored if MutualAuthenticationRequired is not enabled. # Ignored if IgnoreCertificateErrors is enabled. # (0 = disabled, 1 = enabled). # Default: 0 # ;CertValidationIgnoreHostName = 0 # # Ignore any errors related to certificate validation (0 = disabled, # 1 = enabled). # Default: 0 # ;IgnoreCertificateErrors = 0