Enabling Transport Layer Security encryption for InfoPrint Manager servers for Linux

To enable TLS encryption for InfoPrint Manager servers, follow these steps:

  1. Copy the provided sample configuration file, ipmssl.cfg, from the /usr/lpp/pd/cfg-samples/ssl/server directory to the /var/pddir/default_cell/ssl directory.
  2. If you are using a custom CA, copy the CA certificate file (public part) to the InfoPrint Manager server.
  3. Copy the server certificate and key to the InfoPrint Manager server. Make sure that the certificate key is stored in a secure location and is readable only by the user that runs the InfoPrint Manager server.
  4. If you have a Certificate Revocation List (CRL), copy the CRL file to the InfoPrint Manager server.
  5. Edit the ipmssl.cfg file using a text editor. These keywords must be configured: EnableTLS, CertFile, KeyFile. If the server certificate key and the server certificate are combined in one file, only the CertFile keyword must be configured and KeyFile must be left commented out. If the certificate files and keys are in the same directory as the configuration file, the full path is optional. Otherwise, specify the full path.

    Uncomment the following keywords and change their values (where available):

    1. Uncomment and set EnableTLS to 1.
    2. Uncomment the CertFile keyword and specify the filename of the server certificate file.
    3. Uncomment the KeyFile keyword and specify the filename of the server certificate key.
    4. Optional: uncomment the CAFile keyword and specify the filename of the CA certificate if you are using a custom CA.
    5. Optional: uncomment the CrlFile keyword and specify the filename of the CRL file if you have one available.
    6. Optional: uncomment and set MutualAuthenticationRequired to 1 if you are planning to use Mutual Authentication.

      The last two optional keywords, CertValidationIgnoreHostName and IgnoreCertificateErrors, are usually used if errors occur during the TLS handshake:

      • CertValidationIgnoreHostName can help if the client host name from DNS differs from the value in the certificate presented by the client during the TLS handshake (Subject field and X509v3 Subject Alternative Name (SAN) field). Setting this keyword to 1 prevents validation of the host name.

        This table shows how validation is made if the Subject field from the certificate contains a wildcard:

        Host name                     Certificate Subject or certificate Subject Alternative Name    Validation
        host.example.com              host.example.com                                               OK
        host.example.com              *.example.com                                                  OK
        host.subdomain.example.com    *.subdomain.example.com                                        OK
        host.example.com              host.another-example.com                                       FAIL
        host.subdomain.example.com    host.another-subdomain.example.com                             FAIL
        host.example.com              host*.example.com                                              FAIL
        host.example.com              *host.example.com                                              FAIL
        host.subdomain.example.com    host*.subdomain.example.com                                    FAIL
        host.subdomain.example.com    *host.subdomain.example.com                                    FAIL

        Note: To be valid, a host name in a certificate must have at least 2 (two) dots.
      • IgnoreCertificateErrors ignores any errors related to the client certificate (an invalid value in the certificate Subject or SAN fields, an expired certificate, the client not sending a certificate, and so on).

  6. Reboot the computer or restart all InfoPrint Manager components that are running (Notification, SAP, LPD, DPF, IPP, LDAP, MVSD Download, Web Server) and all InfoPrint Manager servers.
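
The wildcard rules from the host name table in step 5, as an added shell example (not InfoPrint Manager code). It models only what the table and its note state; case-insensitive comparison and a wildcard that covers exactly one label are assumptions, and `cert_name_matches` and `table_mismatches` are hypothetical names.

```shell
#!/bin/sh
# Added example, not vendor code: a model of the table's wildcard rules.
# cert_name_matches HOST CERT_NAME -> exit status 0 (OK) or 1 (FAIL)
cert_name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # assumption: case-insensitive
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # Note from the page: a certificate name needs at least two dots.
    case $name in
        *.*.*) ;;
        *) return 1 ;;
    esac
    case $name in
        '*.'*)                                   # wildcard is the whole first label
            suffix=${name#?}                     # e.g. ".example.com"
            case $suffix in *'*'*) return 1 ;; esac
            case $host in
                *"$suffix") first=${host%"$suffix"} ;;
                *) return 1 ;;
            esac
            # Assumption: the wildcard stands for exactly one non-empty label.
            case $first in ''|*.*) return 1 ;; esac
            return 0 ;;
        *'*'*) return 1 ;;                       # host*.example.com, *host.example.com
        *) [ "$host" = "$name" ] ;;
    esac
}

# Replays the rows of the page's table; prints the number of disagreements.
table_mismatches() {
    bad=0
    while read -r h n want; do
        if cert_name_matches "$h" "$n"; then got=OK; else got=FAIL; fi
        [ "$got" = "$want" ] || { echo "mismatch: $h $n" >&2; bad=$((bad + 1)); }
    done <<'EOF'
host.example.com host.example.com OK
host.example.com *.example.com OK
host.subdomain.example.com *.subdomain.example.com OK
host.example.com host.another-example.com FAIL
host.subdomain.example.com host.another-subdomain.example.com FAIL
host.example.com host*.example.com FAIL
host.example.com *host.example.com FAIL
host.subdomain.example.com host*.subdomain.example.com FAIL
host.subdomain.example.com *host.subdomain.example.com FAIL
EOF
    echo "$bad"
}
echo "rows that disagree with the table: $(table_mismatches)"
```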

    Sample ipmssl.cfg configuration file:

    #
    # IPM SSL/TLS configuration file (server)
    #
    
    #############################################################################
    #
    # Empty lines and whitespace-only lines are ignored, as are lines whose
    # first non-whitespace character is a semicolon (;) or a hash (#).
    # This file uses hashes to denote commentary and semicolons for options
    # you may wish to configure.
    # Every comment applies to the following section or option. The defaults
    # refer to IPM's built-in values, not anything set in this file.
    #
    # Uncomment the lines where you want to do a change and enter the
    # desired value. Option names are case-sensitive.
    #
    # If a full path is required but only a file name is provided
    # (i.e., no '/' or '\' in file name), the lookup for the file is 
    # done only in the directory where this configuration file 
    # is located. Applies to: CAFile, CrlFile, CertFile, KeyFile.
    #
    # IMPORTANT: If you make changes to this file, make sure that 
    #                    you restart all the InfoPrint Manager processes. 
    #                    On Windows operating system, make sure that you 
    #                    also restart Print Spooler service.
    #
    #############################################################################
    
    #
    # Enable/disable encryption (0 = disabled, 1 = enabled).
    # Default: 0
    #
    ;EnableTLS = 0
    #
    # Path to a file containing one or more Certificate Authority (CA) certificates.
    # Required if mutual authentication is enabled and _client_ certificate is
    # not signed by a globally known CA. See also MutualAuthenticationRequired.
    # Default:  <empty>
    #
    ;CAFile =
    
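    #
    # Path to a file containing one or more Certificate Revocation Lists (CRL).
    # Default:  <empty>
    #
    ;CrlFile =

    #
    # Path to the server certificate file. If the private key is combined
    # with the certificate, only this keyword is needed (see KeyFile).
    #
    ;CertFile =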
    #
    # If the key is not combined with the certificate this directive will
    # specify the path to Certificate Private Key (KEY) file.
    # Default: <not set>, required.
    #
    ;KeyFile =
    #
    # Enable/Disable mutual authentication (0 = disabled, 1 = enabled).
    # Default: 0
    #
    # Note that you should NOT use a globally known CA when mutual authentication
    # is enabled. For example, using a Verisign certificate as a "known CA" means that
    # ANYONE who has a certificate signed by them will be authenticated.
    # This is most likely not what you want. Generate your own CA certificate,
    # client keys and certificates, etc.
    #
    ;MutualAuthenticationRequired = 0
    
    #
    # When enabled, prevents comparing the client name with the name in the
    # certificate subject. Also applies to Subject Alternative Name (SAN).
    # Ignored if MutualAuthenticationRequired is not enabled.
    # Ignored if IgnoreCertificateErrors is enabled.
    # (0 = disabled, 1 = enabled).
    # Default: 0
    #
    ;CertValidationIgnoreHostName = 0
    
    #
    # Ignore any errors related to certificate validation (0 = disabled,
    # 1 = enabled).
    # Default: 0
    #
    ;IgnoreCertificateErrors = 0
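
An added example, not part of the InfoPrint Manager sample file: a shell check of an edited ipmssl.cfg against the steps above (TLS enabled, certificate set, key file readable only by its owner, and the keywords that weaken client certificate validation). The function names, warning texts and the constructed sample configuration are assumptions.

```shell
# Added example, not vendor code: audit an ipmssl.cfg against this page's guidance.
# Value of an active KEY (case-sensitive); '#' and ';' lines never match.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# A bare file name is looked up only in the configuration file's directory.
cfg_path() {
    case $2 in
        */*|*\\*) printf '%s\n' "$2" ;;
        *) printf '%s/%s\n' "$(dirname "$1")" "$2" ;;
    esac
}
warn() { echo "WARN: $*"; findings=$((findings + 1)); }

# Prints one line per finding; the exit status is the number of findings.
audit_ipmssl() {
    cfg=$1; findings=0
    [ "$(cfg_get "$cfg" EnableTLS)" = 1 ] || warn "EnableTLS is not 1, TLS is off"
    cert=$(cfg_get "$cfg" CertFile); key=$(cfg_get "$cfg" KeyFile)
    [ -n "$cert" ] || warn "CertFile is not set"
    keyfile=${key:-$cert}                 # combined file: the key is in CertFile
    if [ -n "$keyfile" ]; then
        keyfile=$(cfg_path "$cfg" "$keyfile")
        if [ ! -f "$keyfile" ]; then
            warn "key file $keyfile not found"
        elif [ -n "$(find "$keyfile" \( -perm -040 -o -perm -004 \) -print)" ]; then
            warn "key file $keyfile is readable by group or others"
        fi
    fi
    if [ "$(cfg_get "$cfg" MutualAuthenticationRequired)" = 1 ]; then
        [ -n "$(cfg_get "$cfg" CAFile)" ] || warn "mutual authentication without CAFile"
        [ "$(cfg_get "$cfg" CertValidationIgnoreHostName)" != 1 ] || warn "client host name is not validated"
    fi
    [ "$(cfg_get "$cfg" IgnoreCertificateErrors)" != 1 ] || warn "client certificate errors are ignored"
    return "$findings"
}

# Constructed sample: world-readable key and certificate errors ignored.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'EnableTLS = 1' 'CertFile = server.crt' 'KeyFile = server.key' \
        ';CAFile = ca.pem' 'IgnoreCertificateErrors = 1' > "$d/ipmssl.cfg"
    : > "$d/server.key"; chmod 644 "$d/server.key"
    audit_ipmssl "$d/ipmssl.cfg"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "findings: $?"
```

CertValidationIgnoreHostName is reported only when MutualAuthenticationRequired is 1, because the sample file states the keyword is ignored otherwise.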