Enabling Transport Layer Security encryption for InfoPrint Manager clients for Linux

Normally, there is no need to configure anything on the client side if you use a server certificate issued by a globally known third-party CA.

If you are using a custom CA certificate, or if you use Mutual Authentication, you must configure the InfoPrint Manager clients to be able to communicate with the server. There are two places where the client configuration file can reside:

  • The user configuration directory:

    For AIX / Linux / MacOS: ~/.ipm

    For Windows: %APPDATA%\Ricoh\InfoPrint Manager\ssl

  • The administrator-enforced configuration directory:

    For AIX / Linux / MacOS: /etc/ipm

    For Windows: %windir%\ipm

A configuration file enforced by an administrator must be readable by everyone, but not writable by them. Any directive present in the administrator version of the configuration file overrides the same directive in the user version, regardless of the value set there. At least one of the two client configuration files must exist for the default SSL encryption behavior to be modified. If the certificate files and keys are located in the same directory as the configuration file, the full path is optional; otherwise, the full path should be specified.

To enable TLS encryption for InfoPrint Manager clients, follow these steps:

  1. Copy the provided sample configuration file ipmssl.cfg from the /usr/lpp/pd/cfg-samples/ssl/client directory to the desired location of the client configuration file (user or administrator).
  2. If you are using a custom CA, copy the CA certificate file (the public part) to the InfoPrint Manager client.
  3. If the server uses Mutual Authentication, copy the client certificate and key to the machine running the InfoPrint Manager client. Ensure that the certificate key is secured and only available for reading to the user running the InfoPrint Manager client.
  4. If you have a Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager client.
  5. Edit the ipmssl.cfg file using a text editor.

    If the client certificate key file and the server certificate are combined in one file, only the CertFile keyword must be configured and KeyFile must be commented out. If the certificate files and keys are located in the same directory as the configuration file, the full path is optional; otherwise, the full path should be specified.

    Uncomment and change the following keyword values (where applicable):

    1. Optional: uncomment the CertFile keyword and specify the file name for the client certificate file if the InfoPrint Manager server is using Mutual Authentication.
    2. Optional: uncomment the KeyFile keyword and specify the file name for the client certificate key if the InfoPrint Manager server is using Mutual Authentication.
    3. Optional: uncomment the CAFile keyword and specify the file name for the CA certificate if you are using a custom CA.
    4. Optional: uncomment the CrlFile keyword and specify the file name for the CRL file if you have one available.
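    The following shell script is an added example, not part of the InfoPrint Manager documentation or product: a pre-flight check to run on the Linux client after editing ipmssl.cfg. It reads the CertFile, KeyFile, CAFile and CrlFile keywords, resolves relative names against the directory that holds the configuration file, verifies that each referenced file exists, and confirms that the key file is readable only by the user running the client and that an administrator-enforced copy under /etc/ipm is world-readable but not writable by group or others. Two details are assumptions rather than documented facts: that a keyword line has the form "Keyword value" or "Keyword = value" with a leading "#" marking a commented-out keyword, and that relative names are resolved beside the configuration file. The function names, the sample configuration and the placeholder certificate contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the InfoPrint Manager documentation or product):
# pre-flight check of a client ipmssl.cfg before enabling TLS.
#
# Assumptions not taken from the documentation:
#   - a keyword line looks like "CertFile client.crt" or "CertFile = client.crt";
#     a leading "#" means the keyword is commented out;
#   - relative file names are resolved against the directory holding ipmssl.cfg,
#     matching the "full path is optional" rule for files next to the config.

# Print the value of an active (uncommented) keyword, or nothing if it is absent.
ipm_cfg_value() {
    cfg=$1; key=$2
    sed -n "s/^[[:space:]]*${key}[[:space:]=][[:space:]=]*//p" "$cfg" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Turn a keyword value into an absolute path (relative names live beside the config).
ipm_resolve_path() {
    cfgdir=$1; value=$2
    case "$value" in
        /*) printf '%s\n' "$value" ;;
        *)  printf '%s/%s\n' "$cfgdir" "$value" ;;
    esac
}

# Group/other permission bits of a file as a six-character string, e.g. "------" for 0600.
ipm_go_bits() {
    ls -ld "$1" | cut -c5-10
}

# Owner (user name) of a file.
ipm_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Check one client config file. Returns 0 when every configured file exists and
# the key file is readable only by the user running the client.
ipm_check_client_cfg() {
    cfg=$1
    cfgdir=$(dirname "$cfg")
    rc=0
    [ -r "$cfg" ] || { echo "FAIL: $cfg is not readable"; return 1; }

    # An administrator-enforced copy must be world-readable but not group/other-writable.
    case "$cfg" in
        /etc/ipm/*)
            case "$(ipm_go_bits "$cfg")" in
                ?-?r-?) ;;
                *) echo "FAIL: $cfg must be readable by everyone and writable by nobody else"; rc=1 ;;
            esac ;;
    esac

    for key in CertFile KeyFile CAFile CrlFile; do
        value=$(ipm_cfg_value "$cfg" "$key")
        [ -n "$value" ] || continue          # keyword commented out or absent
        path=$(ipm_resolve_path "$cfgdir" "$value")
        if [ ! -f "$path" ]; then
            echo "FAIL: $key points to missing file $path"; rc=1; continue
        fi
        echo "OK:   $key -> $path"
        if [ "$key" = KeyFile ]; then
            # Private key: owner-only access, owned by the account running the client.
            [ "$(ipm_go_bits "$path")" = "------" ] \
                || { echo "FAIL: $path is readable or writable by group/other"; rc=1; }
            [ "$(ipm_owner "$path")" = "$(id -un)" ] \
                || { echo "FAIL: $path is not owned by $(id -un)"; rc=1; }
        fi
    done
    return $rc
}

# Demonstration on a constructed user-style configuration in a temporary directory.
ipm_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ipmssl.cfg" <<'EOF'
# constructed sample, not the shipped ipmssl.cfg
CertFile client.crt
KeyFile client.key
CAFile custom-ca.crt
#CrlFile revoked.crl
EOF
    echo "-----BEGIN CERTIFICATE-----" > "$dir/client.crt"     # placeholder content
    echo "-----BEGIN CERTIFICATE-----" > "$dir/custom-ca.crt"  # placeholder content
    echo "-----BEGIN PRIVATE KEY-----" > "$dir/client.key"     # placeholder content
    chmod 600 "$dir/client.key"
    ipm_check_client_cfg "$dir/ipmssl.cfg"; result=$?
    rm -rf "$dir"
    return $result
}

ipm_demo
```

    To check a real client, call ipm_check_client_cfg with the path of the configuration file actually in use (~/.ipm/ipmssl.cfg or /etc/ipm/ipmssl.cfg); a non-zero exit status means at least one referenced file is missing or the key file is exposed to other accounts, which is worth fixing before the first TLS connection rather than after a failed handshake.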

    The last two optional keywords are commonly used when errors occur during the TLS handshake:

    • CertValidationIgnoreHostName can help if the server host name obtained from DNS differs from the value in the certificate presented by the server during the TLS handshake (the Subject field and the X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 disables validation of the host name. The following table shows how validation is performed when the Subject field of the certificate contains a wildcard:
      Host name          Certificate Subject or Certificate Subject Alternative Name   Validation
      host.example.com   host.example.com                                              OK