10.2 Using SSL/TLS for Secure Printing

Secure printing uses SSL and requires users to authenticate with their eDirectory usernames and passwords. Users authenticate once per eDirectory tree per session. Between the client and the Print Manager, the print data is encrypted and all print communication uses port 443. Without secure printing, the printer is available to anyone on the network inside the firewall, and the print data is sent to the server unencrypted. Secure printing works in conjunction with the security level set for the printer. Print data between the server and the printer is never encrypted, because most printers do not support encrypted data. Likewise, when iPrint Direct is enabled, data is not encrypted between the client and the printer.

If you are using the latest iPrint Client and server software, iPrint automatically attempts to use TLS for printing on port 631. TLS printing supports both encrypted and non-encrypted print communication through port 631. Whether encryption is used depends on the secure printing setting of the Printer Agent. If secure printing is enabled on a printer, the user is required to authenticate and the print data is encrypted. If secure printing is not enabled, the user does not authenticate and the print data is not encrypted.

Beginning with Open Enterprise Server and the iPrint Client v4.05, both non-secure and secure printing URLs use ipp://.

Prior to Open Enterprise Server, printer URLs were based on http:// and https://. When a non-secure printer using an http:// URL changes to a secure printer, the URL changes to https:// or ipp:// and users must delete the printer and reinstall the new secure printer.

10.2.1 Enabling SSL/TLS

  1. In Novell iManager, click iPrint > Manage Printer.

  2. Browse to and select the Printer object you want to modify.

  3. Click Client Support > iPrint Support.

  4. Select the Enable Secure Printing check box.

  5. Click Apply or OK to update the printer settings.

10.2.2 Saving Passwords for Secure Printers

When users print to a secure printer, they are prompted for their eDirectory username and password. Users can choose to have their workstations remember the password for printing. For Windows NT/2000 users, passwords are saved on a per-user basis.

For more information, see Managing Passwords for Remote iPrint Servers.

10.2.3 Configuring TLS Printing with Proxies

To use a proxy with secure printing:

  1. Create a file in /etc/opt/novell/httpd/conf.d named mod_proxy.conf.

  2. Add the following lines to the file:

    LoadModule proxy_module /usr/lib/apache2-worker/mod_proxy.so
    LoadModule proxy_connect_module /usr/lib/apache2-worker/mod_proxy_connect.so
    LoadModule proxy_http_module /usr/lib/apache2-worker/mod_proxy_http.so
    # This is the port the proxy will listen on
    Listen 8080
    ProxyRequests On
    ProxyVia On
    # Any client may use the proxy; restrict this if the proxy is reachable beyond your clients
    <Proxy *>
        Order deny,allow
        Allow from All
    </Proxy>
    # CONNECT tunnels are limited to the TLS printing (631) and HTTPS (443) ports
    AllowCONNECT 631 443

  3. Set the proxy port on the client to 8080.

  4. Restart Apache.

To set up a Squid proxy:

IMPORTANT: Implementing the following changes lets your users print using TLS; however, there are security risks involved. Contact your Security Administrator before completing these steps.

  1. Rename the Squid configuration file by using the following command: mv /etc/squid/squid.conf /etc/squid/squid.conf.orig

  2. Create a new /etc/squid/squid.conf file.

  3. Add the following lines to the file:

    http_port 3128
    # The address arguments of the next three ACLs are missing from this copy of the file;
    # the values given here are assumed and are Squid's own defaults.
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 80 443 563 631
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443 563 631 # https, snews, ipp
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    acl ipp_access port 631
    # The first matching http_access line wins: this line admits every request,
    # including CONNECT to any port, which is the risk the IMPORTANT note refers to
    http_access allow all
    miss_access allow all
    http_access allow CONNECT ipp_access
    http_reply_access allow all
    icp_access allow all

  4. Set the proxy port on the client to 3128.

  5. Restart Squid.
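To see what the permissive http_access policy above actually permits, here is an added Python audit (not part of the iPrint documentation or of Squid) that evaluates Squid's first-match http_access semantics for CONNECT requests against two constructed configs: one shaped like the file above, and a tightened variant that admits CONNECT only to the TLS printing ports. It assumes the requesting client's source address is in scope and evaluates only src, method and port ACLs.

```python
# Constructed sample configs (not from the page): the permissive shape of the squid.conf above,
# and a tightened variant that limits CONNECT to the TLS printing ports.
PERMISSIVE = """
acl Safe_ports port 80 21 443 563 631 1025-65535
acl CONNECT method CONNECT
acl ipp_access port 631
http_access allow all
http_access allow CONNECT ipp_access
"""
HARDENED = """
acl SSL_ports port 443 631
acl Safe_ports port 80 21 443 631 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports
http_access deny all
"""

def parse_squid(text):
    """Return {acl name: (type, values)} and the ordered http_access rules, comments stripped."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) >= 2 and parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules

def acl_matches(acls, name, method, port):
    """Evaluate one ACL for a request; 'all' is Squid's builtin and src ACLs count as matching."""
    typ, vals = acls.get(name, (None, []))
    if name == "all" or typ == "src":
        return True
    if typ == "method":
        return method in vals
    if typ == "port":  # values are single ports or lo-hi ranges
        return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in (v.partition("-") for v in vals))
    return False  # proto, dst and other ACL types are not evaluated by this audit

def connect_allowed(text, port):
    """First matching http_access line wins; with no match Squid applies the opposite of the last line."""
    acls, rules = parse_squid(text)
    for action, terms in rules:
        if all(acl_matches(acls, name, "CONNECT", port) != neg for neg, name in terms):
            return action == "allow"
    return bool(rules) and rules[-1][0] != "allow"
```

Under PERMISSIVE the `allow CONNECT ipp_access` line never matters, because `allow all` already admits a CONNECT to any port; under HARDENED only 443 and 631 are reachable.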