Enabling Transport Layer Security encryption for InfoPrint Manager clients for AIX

Normally, there is no need to configure anything on the client side if you use a server certificate from a globally known third-party CA.

If you are using a custom CA certificate, or if you use Mutual Authentication, you must configure the InfoPrint Manager clients to be able to communicate with the server. There are two places where the client configuration file can reside:

  • The user configuration directory:

    For AIX/ Linux: ~/.ipm

    For Windows: %APPDATA%\Ricoh\InfoPrint Manager\ssl

  • The administrator-enforced configuration directory:

    For AIX / Linux: /etc/ipm

    For Windows: %windir%\ipm

A configuration file enforced by an administrator must be readable for everyone, but not writable. Any directive present in the administrator version of the configuration file overwrites the same directive in the user version of the configuration file, regardless of its configuration in the latter file. At least one of the two client configuration files must exist in order to modify the default SSL encryption behavior. If the certificate files and keys are found in the same directory as the configuration file, the full path is optional. Otherwise, the full path should be specified.

To enable TLS encryption for InfoPrint Manager clients, follow these steps:

  1. Copy the provided sample configuration file ipmssl.cfg from /usr/lpp/pd/cfg-samples/ssl/client directory to the desired location of the client configuration file (user or administrator).
  2. If you are using a custom CA, copy the CA certificate file (the public part) to the InfoPrint Manager client.
  3. If the server uses Mutual Authentication, copy the client certificate and key to the machine running the InfoPrint Manager client. Ensure that the certificate key is secured and only available for reading to the user running the InfoPrint Manager client.
  4. If you have Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager client.
  5. Edit the ipmssl.cfg file using a text editor.

    If the client certificate key file and the server certificate are combined in one file, only the CertFile keyword must be configured and KeyFile must be commented. If the certificate files and keys are found in the same directory as the configuration file, the full path is optional. Otherwise, the full path should be specified.

    Uncomment and change the following keywords values (where available):

    1. Optional: uncomment the CertFile keyword and specify the file name for the client certificate file if the InfoPrint Manager server is using Mutual Authentication.
    2. Optional: uncomment the KeyFile keyword and specify the file name for the client certificate key if the InfoPrint Manager server is using Mutual Authentication.
    3. Optional: uncomment the CAFile keyword and specify the file name for the CA certificate if you are using a custom CA.
    4. Optional: uncomment the CrlFile keyword and specify the file name for the CRL certificate if you have one available.

    The last two optional keywords are commonly used if errors occur during TLS handshake:

    • CertValidationIgnoreHostName can help if the server host name from the DNS is different from the value set in the certificate presented by the server during TLS handshake (Subject field and X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 prevents the validation of the host name. This table shows how the validation is made in case the Subject field from the certificate contains a wildcard:
      Host name Certificate Subject or Certificate Subject Alternative Name Validation
      host.example.com host.example.com OK
      host.example.com *.example.com OK
      host.subdomain.example.com *.subdomain.example.com OK
      host.example.com host.another-example.com FAIL
      host.subdomain.example.com host.another-subdomain.example.com FAIL
      host.example.com host*.example.com FAIL
      host.example.com *host.example.com FAIL
      host.subdomain.example.com host*.subdomain.example.com FAIL
      host.subdomain.example.com *host.subdomain.example.com FAIL
      Note: To be valid, a host name in the certificate must have at least 2 (two) dots.
    • IgnoreCertificateErrors ignores any errors related to the server certificate (invalid value presented in the certificate Subject or SAN fields, certificate expired, and so on.)

  6. Reboot the computer.

Sample ipmssl.cfg configuration file:

#
# IPM SSL/TLS configuration file (client)
#

#############################################################################
#
# Empty lines and whitespace-only lines are ignored, as are lines whose
# first non-whitespace character is a semicolon (;) or a hash (#). This
# file uses hashes to denote commentary and semicolons for options you
# might want to configure.
# Every comment applies to the following section or option. The defaults
# refer to IPM's built-in values, not anything set in this file.
#
# Uncomment the lines where you want to do a change and enter the desired
# value. Option names are case-sensitive.
#
# Any directive found in administrator version of the configuration file
# overwrites the same directive in user version of the configuration file
# regardless of what is configured in the later file or not.
#
# If a full path is required but only a file name is provided
# (i.e., no '/' or '\' in file name), the lookup for the file is 
# done only in the directory where this configuration file 
# is located. Apply to: CAFile, CrlFile, CertFile, KeyFile.
#
# IMPORTANT: If you make changes to this file, make sure that 
#                    you restart all the InfoPrint Manager processes. 
#                    On Windows operating system, make sure that you 
#                    also restart Print Spooler service.
#
#############################################################################

#
# Path to a file containing one or more Certificate Authority (CA).
# Required if _server_ certificate is not signed by a globally known CA.
# Default: <empty>
#
;CAFile =

#
# Path to a file containing one or more Certificate Revocation List (CRL).
# Default: <empty>
#
;CrlFile =

#
# Path to unencrypted PEM Certificate (CRT) file.
# Default: <not set>, required only if the remote server require mutual
# authentication.
#
;CertFile =

#
# If the key is not combined with the certificate, this directive
# specifies the path to Certificate Private Key (KEY) file.
# Default: <not set>, required only if the remote server requires mutual
# authentication.
#
;KeyFile =

#
# When enabled, it prevents comparing _server_ name with the name in
# certificate subject. It also applies to Subject Alternative Name (SAN).
# Ignored if IgnoreCertificateErrors is enabled.
# (0 = disabled, 1 = enabled).
# Default: 0
#
;CertValidationIgnoreHostName = 0

#
# Ignore any errors related to certificate validation (0 = disabled, 1 =
# enabled).
# Default: 0
#
;IgnoreCertificateErrors = 0

Parent topic: Enabling Transport Layer Security encryption for InfoPrint Manager servers for AIX