8.3 Secure Printing Using SSL/TLS

Secure printing takes advantage of SSL, which requires users to authenticate using their eDirectory usernames and passwords. Users authenticate once per eDirectory tree per session. Between the client and the Print Manager, the print data is encrypted and all print communication uses port 443. Without secure printing, the printer is available to anyone inside the firewall on the network and the print data is not encrypted to the server. Secure printing works in conjunction with the security level set for the printer. Print data between the server and the printer is not encrypted because most printers do not support encrypted data. Also, when you enable iPrint Direct, data is not encrypted between the client and the printer.

If you are using the latest iPrint Client and server software, iPrint automatically attempts to use TLS for printing on port 631. TLS printing supports encrypted and nonencrypted print communication through port 631. Whether encryption is used depends on the secure printing setting of the Printer Agent. If secure printing is enabled on a printer, the user is required to authenticate and the print data is encrypted. If secure printing is not enabled, the user does not authenticate and the print data is not encrypted.

Beginning with Open Enterprise Server and the iPrint Client v4.05, both non-secure and secure printing URLs use ipp://.

Prior to Open Enterprise Server, printer URLs were based on http:// and https://. When a non-secure printer using an http:// URL changes to a secure printer, the URL changes to https:// or ipp:// and users must delete the printer and reinstall the new secure printer.

The following table shows how access is determined, depending on the level of printer security and whether secure printing is enabled or disabled.

Table 8-5 Printing Access for Printer Security and Secure Printing

| Printer Security Level | Secure Printing Disabled (No SSL/TLS) | Secure Printing Enabled (with SSL/TLS) |
|---|---|---|
| Low | Full access. | eDirectory authentication. |
| Medium (Default) | Users granted access as if they had been assigned the User role. | eDirectory authentication and check for user’s effective rights. |
| High | Users must use SSL and authenticate to eDirectory. Users might receive an error if SSL is not enabled. (See High Security Requires User Authentication.) | eDirectory authentication, check for user’s effective roles, and connection verification. |

SSL is automatically enabled when a printer’s security is changed to High when using Novell iManager.

For more information on printer security levels, see Section 8.2, Setting Printer Security Levels.

8.3.1 Considerations When Changing Printer Security

When changing printer security, you should consider the following:

High Security Requires User Authentication

If you change the printer agent’s security level to high, the Requires SSL/TLS and User Authentication check box (enabling SSL) on the IPP Support page of the printer’s Client Support Page in Novell® iManager is enabled automatically.

NOTE: When setting printer agent security at the server console, SSL is not enabled automatically, and users might receive the following error:

Error message: iPrint Client - "The request requires user authentication."

To avoid the error, ensure that the Requires Security check box is checked when a printer agent’s security is changed to High. For more information, see Enabling SSL/TLS.

Lowering Printer Security

Once a printer’s security is set to High and SSL is enabled with the Requires SSL and User Authentication check box, SSL remains enabled even if the security level is lowered.

8.3.2 Enabling SSL/TLS

  1. In Novell iManager, click iPrint > Manage Printer.

  2. Browse to and select the Printer object you want to modify.

  3. Click Client Support > iPrint Support.

  4. Select Enable Secure Printing.

  5. Click Apply or OK to update the printer settings.

8.3.3 Saving Passwords for Secure Printers

When users print to a secure printer, they are prompted for the eDirectory username and password. Users can choose to have their workstations remember their password for printing. For Windows NT/2000 users, passwords are saved on a per-user basis.

To disable this feature, see Section 4.7, Using iPrint Client Management.

For more information, see Managing Passwords for Remote iPrint Servers.

8.3.4 Configuring TLS Printing with Proxies

IMPORTANT: Implementing the following changes lets your users print using TLS; however, there are security risks involved. Contact your Security Administrator before completing these steps.

To use a proxy with secure printing:

  1. Modify sys:\apache2\conf\httpd.conf.

  2. Comment out the following lines:

    
    LoadModule proxy_module modules/proxy.nlm
    LoadModule proxy_connect_module modules/proxycon.nlm
    LoadModule proxy_http_module modules/proxyhtp.nlm
    
    
  3. Add the following lines to the end of the file:

    
    ProxyRequests On
    ProxyVia On
    <Proxy *>
        Order deny,allow
        Allow from All
    </Proxy>
    AllowCONNECT 443 563 631
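
Step 3 enables forward proxying (`ProxyRequests On`) and lets any client use it (`<Proxy *>` with `Allow from All`). The following check is an added example, not part of the original documentation or any Novell tool: it flags that combination in an httpd.conf and reports CONNECT ports other than the two this section names for printing (443 and 631). The function and constant names and the 10.10.0.0/16 subnet in `RESTRICTED_CONF` are assumptions made for illustration.

```python
import re

# Constructed sample: the directives from step 3, as they would appear in httpd.conf.
PAGE_CONF = """\
ProxyRequests On
ProxyVia On
<Proxy *>
    Order deny,allow
    Allow from All
</Proxy>
AllowCONNECT 443 563 631
"""

# Constructed variant: same proxy, limited to a hypothetical client subnet.
RESTRICTED_CONF = """\
ProxyRequests On
ProxyVia On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 10.10.0.0/16
</Proxy>
AllowCONNECT 443 631
"""

PRINT_PORTS = {443, 631}  # the ports this section names for secure/TLS printing


def audit_forward_proxy(conf_text):
    """Flag an unrestricted forward proxy and CONNECT ports beyond PRINT_PORTS."""
    forward_on = open_acl = in_proxy_all = False
    connect_ports = set()
    for raw in conf_text.splitlines():
        line = raw.strip().lower()  # Apache directive names are case-insensitive
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "proxyrequests":
            forward_on = words[1:2] == ["on"]
        elif re.fullmatch(r'<proxy\s+"?\*"?\s*>', line):
            in_proxy_all = True
        elif line.startswith("</proxy"):
            in_proxy_all = False
        elif in_proxy_all and words[:3] == ["allow", "from", "all"]:
            open_acl = True  # any client may use the proxy
        elif words[0] == "allowconnect":
            connect_ports.update(int(p) for p in words[1:] if p.isdigit())
    extra = sorted(connect_ports - PRINT_PORTS) if forward_on else []
    return {"open_forward_proxy": forward_on and open_acl, "extra_connect_ports": extra}
```

The check reads only the `Order`/`Allow` access syntax used on this page and single port numbers in `AllowCONNECT`.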