Enabling Transport Layer Security encryption for InfoPrint Manager clients for AIX

Normally, there is no need to configure anything on the client side if you use a server certificate from a globally known third-party CA.

If you are using a custom CA certificate, or if you use Mutual Authentication, you must configure the InfoPrint Manager clients so that they can communicate with the server. There are two places where the client configuration file can reside:

  • The user configuration directory:

    For AIX / Linux / MacOS: ~/.ipm

    For Windows: %APPDATA%\Ricoh\InfoPrint Manager\ssl

  • The administrator enforced configuration directory:

    For AIX / Linux / MacOS: /etc/ipm

    For Windows: %windir%\ipm

A configuration file enforced by an administrator must be readable by everyone, but not writable. Any directive found in the administrator version of the configuration file overrides the same directive in the user version, whether or not that directive is configured in the user file. At least one of the two client configuration files must exist in order to modify the default SSL encryption behavior. If the certificate files and keys are located in the same directory as the configuration file, the full path is optional. Otherwise, the full path must be specified.

To enable TLS encryption for InfoPrint Manager clients, you must complete these steps:

  1. Copy the provided sample configuration file ipmssl.cfg from the /usr/lpp/pd/cfg-samples/ssl/client directory to the desired location of the client configuration file (user or administrator).
  2. If you are using a custom CA, copy the CA certificate file (the public part) to the InfoPrint Manager client.
  3. If the server uses Mutual Authentication, copy the client certificate and key to the machine running the InfoPrint Manager client. Ensure that the certificate key is secured and readable only by the user running the InfoPrint Manager client.
  4. If you have a Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager client.
  5. Edit the ipmssl.cfg file using a text editor.

    If the client certificate key file and the server certificate are combined in one file, only the CertFile keyword must be configured and KeyFile must be commented out. If the certificate files and keys are located in the same directory as the configuration file, the full path is optional. Otherwise, the full path must be specified.

    Uncomment and change the values of the following keywords (where applicable):

    1. Optional: uncomment the CertFile keyword and specify the filename of the client certificate file if the InfoPrint Manager server is using Mutual Authentication.
    2. Optional: uncomment the KeyFile keyword and specify the filename of the client certificate key if the InfoPrint Manager server is using Mutual Authentication.
    3. Optional: uncomment the CAFile keyword and specify the filename of the CA certificate if you are using a custom CA.
    4. Optional: uncomment the CrlFile keyword and specify the filename of the CRL file if you have one available.

    The last two optional keywords are usually used if errors occur during the TLS handshake:

    • CertValidationIgnoreHostName can help if the server host name from the DNS differs from the value set in the certificate presented by the server during the TLS handshake (the Subject field and the X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 disables host name validation. This table shows how validation is performed when the Subject field of the certificate contains a wildcard:
      Host name                     Certificate Subject or Subject Alternative Name   Validation
      host.example.com              host.example.com                                   OK
      host.example.com              *.example.com                                      OK
      host.subdomain.example.com    *.subdomain.example.com                            OK
      host.example.com              host.another-example.com                           FAIL
      host.subdomain.example.com    host.another-subdomain.example.com                 FAIL
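    The following is an added example, not code from the InfoPrint Manager product or its documentation: a host name check that reproduces the validation table above and shows what CertValidationIgnoreHostName=1 switches off. It assumes, beyond what the table states, that a wildcard matches exactly one DNS label, that matching is case-insensitive, and that SAN dNSName entries are tried before the Subject CN.

```python
# Added example (not from the InfoPrint Manager documentation): host name validation
# as in the table above. Assumptions beyond the table: a wildcard matches exactly one
# DNS label (RFC 6125 style), matching is case-insensitive, SAN dNSName entries are
# tried first and the Subject CN only when no SAN exists, and
# CertValidationIgnoreHostName=1 makes every host name pass.

def _label_match(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name, honouring a leading '*.'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # '*' stands for exactly one label, so label counts must agree, and a wildcard
    # like '*.com' that would cover a whole registry suffix is rejected.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def host_name_valid(host: str, subject_cn: str, san_dns=(), ignore_host_name: int = 0) -> bool:
    """Return True when the certificate names are acceptable for `host`.

    `ignore_host_name` mirrors the CertValidationIgnoreHostName keyword: 1 skips the
    check entirely, which is why it is only suitable as a troubleshooting aid.
    """
    if ignore_host_name == 1:
        return True
    candidates = list(san_dns) if san_dns else [subject_cn]
    return any(_label_match(name, host) for name in candidates)

# Constructed rows reproducing the documentation table: (host, certificate name, expected)
TABLE = [
    ("host.example.com", "host.example.com", True),
    ("host.example.com", "*.example.com", True),
    ("host.subdomain.example.com", "*.subdomain.example.com", True),
    ("host.example.com", "host.another-example.com", False),
    ("host.subdomain.example.com", "host.another-subdomain.example.com", False),
]

def check_table() -> bool:
    """Run every row of TABLE through host_name_valid and report agreement."""
    return all(host_name_valid(h, cn) is ok for h, cn, ok in TABLE)

if __name__ == "__main__":
    for host, name, expected in TABLE:
        verdict = "OK" if host_name_valid(host, name) else "FAIL"
        print(f"{host:28} {name:36} {verdict}")
    print("table reproduced:", check_table())
```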