Océ Large Format systems Security...


Page 1: Océ Large Format systems Security Informationfiles.oceusa.com/media/Assets/PDFs/TSS/external/WFPS/Documentatio… · Troubleshooting: emergency procedure to deactivate IPsec ...

Optimizing Security

Large Format Systems

Administrator guide
Security information

Océ


Copyright

© 2012, Océ
All rights reserved. No part of this work may be reproduced, copied, adapted, or transmitted in any form or by any means without written permission from Océ.

Océ makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Further, Océ reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation to notify any person of such revision or changes.

Edition 2012-07 GB


Trademarks

Océ, and its wide-format printing systems are registered trademarks of Océ.

Microsoft®, Windows®, Windows XP®, Windows XP® embedded, Windows Server® 2003, Windows® Vista™, Windows Server® 2008, Windows ® 7, Windows Embedded Standard® 2009 are either registered trademarks or trademarks of Microsoft® Corporation in the United States and/or other countries.

Linux® is a registered trademark of Linus Torvalds.

McAfee is a registered trademark or trademark of McAfee, Inc. or its subsidiaries in the United States and other countries.

Symantec and Norton are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Products in this publication are referred to by their general trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks of their respective companies.


Contents

Chapter 1 Océ Security policy ... 5
  The Océ Security policy ... 6
  Océ online resources ... 8
  Overview of the security features available per Océ System ... 9

Chapter 2 Security on Océ TDS / TCS / TC4 systems ... 11
  Overview ... 12
    Overview of the security features for the Océ TDS/TCS/TC4 systems ... 12
  System and Network security ... 13
    Ports - Protocols ... 13
      Applications, protocols and ports used on the Océ TDS/TCS/TC systems ... 13
    Security Patches ... 16
      Policy about Microsoft flaws and vulnerabilities ... 16
      Install the Océ Remote Patch™ - Remotely install an Océ patch ... 16
    Security levels ... 17
      Security levels presentation ... 17
      Security levels - Printers and scanner versions compatibility ... 18
      Set the Security level - Manage the security levels ... 19
      Systems with no screen ... 21
    Antivirus ... 21
      Antivirus installation: Compatibility and recommendations ... 21
    Roles and Passwords ... 21
      Roles and Passwords for the Océ TDS/TCS/TC4 systems (except Océ TCS300) ... 22
      Roles and Passwords for the Océ TCS300 ... 22
  Data security ... 24
    HTTPS through PEWG ... 24
      Print data encryption through HTTPS with Océ Print Exec Workgroup ... 24
      Administration ... 25
      Request and import a CA-signed certificate ... 28
      HTTPS and certificates error messages ... 33
    E-Shredding (Océ TDS750 1.2.2 and higher, Océ TC4 1.8.2 and higher) ... 33
      E-shredding presentation ... 33
      Enable the e-shredding on Océ TDS750 1.2.2 and higher and Océ TC4 1.8.2 and higher - Enable/disable the e-shredding (Océ Power Logic Controller) ... 34
      E-shredding process and system behaviour in Océ TDS750 1.2.2 and higher and Océ TC4 1.8.2 and higher ... 35

Chapter 3 Security on Océ PlotWave 300/350, PlotWave 900 and ColorWave 300 ... 37
  Overview ... 38
    Security overview for the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 and the Océ ColorWave 300 systems ... 38
  System and Network security ... 39
    Ports - Protocols ... 39
      Applications, protocols and ports used on the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 and Océ ColorWave 300 systems ... 39

Contents

1


    Security Patches ... 41
      Install the Océ Remote patch (on Océ PlotWave 300/350, PlotWave 900 and Océ ColorWave 300) - Install the Océ Remote patch ... 41
    Security levels ... 43
      Security levels presentation ... 43
      Set the security level on Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300 - Manage the security level ... 44
      Set the security level on Océ PlotWave 900 R1.1 - Manage the security level ... 45
    Security of the USB connection (Océ PlotWave 300/350, Océ ColorWave 300) ... 45
      The USB connection on the Local user interface ... 45
    Antivirus ... 46
      Antivirus installation on the Océ PlotWave 300/350, Océ PlotWave 900 and Océ ColorWave 300: Compatibility and recommendations ... 46
    Roles and Passwords ... 46
      Roles and profiles in the Océ PlotWave 300/350, Océ PlotWave 900 and Océ ColorWave 300 ... 46
      Passwords policy and behaviour in the Océ PlotWave 300/350 and Océ ColorWave 300 ... 47
      Passwords policy and behaviour in the Océ PlotWave 900 ... 48
  Data Security ... 50
    E-Shredding ... 50
      E-shredding presentation ... 50
      Enable the e-shredding - Enable/disable the e-shredding (Océ Express WebTools) ... 50
      E-shredding process and system behaviour ... 51
    IPsec (Océ PlotWave 300/350, Océ ColorWave 300) ... 52
      IPsec presentation ... 52
      Configure the IPsec settings on the Océ controller - Activate and configure IPsec on the printer/scanner controller ... 54
      Configure the IPsec settings on a workstation or a print server - 1- Add the security snap-in ... 56
      When you use Océ WPD on the print server ... 66
      Troubleshooting: emergency procedure to deactivate IPsec ... 67
    Prevent USB Direct Print and Scan to USB (Océ PlotWave 300/350, Océ ColorWave 300) ... 69
      How to prevent 'Print from USB' - How to disable the 'USB direct print' feature ... 69
      How to prevent 'Scan to USB' ... 69
    HTTPS (Océ PlotWave 900) ... 70
      Encrypt print data using HTTPS with the Océ self-signed certificate (Océ PlotWave 900) ... 70

Chapter 4 Security on Océ ColorWave 550/600/650 (and Poster Printer) ... 75
  Overview ... 76
    Security overview for the Océ ColorWave 600/650 (Poster Printer) and the Océ ColorWave 550 systems ... 76
  System and Network security ... 77
    Ports - Protocols ... 77
      Applications, protocols and ports used on the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 ... 77
    Security Patches ... 78
      Install the Océ Remote patch ... 78
    Protocol protection ... 80
      Network protocols protection ... 80
    Operating system and software protection ... 80
      Operating System and software protection ... 80
    Roles and Passwords ... 81
      Roles and profiles in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 ... 81
      Passwords policy and behaviour in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550 ... 81
  Data Security ... 83


    E-Shredding on Océ ColorWave 600 and Océ ColorWave 650 (PP) and Océ ColorWave 550 ... 83
      E-shredding presentation ... 83
      Enable the e-shredding in Océ Express WebTools ... 83
      E-shredding process and system behaviour ... 84


Chapter 1 Océ Security policy


The Océ Security policy

Definition

At Océ, security is an integral part of system development, and the company takes a proactive approach to the improvement of security-related issues. Océ works to address security requirements across all of its digital document systems.

For its printing systems connected to the network, Océ strives to ensure the:
- Security of the system on the network
- Security of the data sent to the printers, with a focus on protecting sensitive documents from being captured by unauthorised persons
- Security of the configuration and data on the controller

Note: See the "Table of the security features" on page 9 to get an overview of the security features available per Océ system.

System security and security on the network

Faced with system vulnerabilities, viruses and worms, and in order to maximise the protection of the Océ print systems against hackers and network attacks, Océ has reinforced the security of the Océ systems by:
• Introducing the Océ Security levels to offer network protection against virus / worm attacks or system vulnerabilities (on Windows operating systems). Once the Security Interface is activated, you can define the level of security according to your system needs. Note that the higher the security level you set, the fewer printing and scanning functionalities you get.
• Protecting the system roles and passwords. The main network and system settings are protected against change. Only authorised users can configure or change these settings.
• Regularly checking the relevance of Microsoft flaws and delivering security patches whenever necessary.
• Providing an OS and software protection mechanism. The internal system software is protected against alteration.
• Making the USB connection secure (on systems with a USB slot).
• Implementing network protocol protection features (by use of the Océ Security levels filtering or by configuring each network protocol for firewall filtering).
• Allowing the installation of antivirus software on the Océ system controller.
• Being compliant with IPv6 and thus benefiting from the IPv6 security assets.

Note: The availability of the security features depends on the products. See the "Overview of the security features available per Océ System" on page 9.

Data security on the network

To ensure the security of the print data sent on the network, Océ has implemented:
• The HTTPS (HTTP over SSL) protocol to encrypt the submitted print data:
  - With Océ Print Exec Workgroup v2.6 and higher for Océ TDS/TCS series

The Océ Security policy

6 Chapter 1 - Océ Security policy


    Find all information about "Print data encryption through HTTPS with Océ Print Exec Workgroup" on page 24.
  - With Océ Publisher Express for Océ PlotWave 900
    Find all information about "Use the Océ self-signed certificate with Internet Explorer" on page 71.
• The e-shredding feature to overwrite any user data (print/copy/scan) when it is deleted from the system. This feature prevents the recovery of deleted user data.
• The IPsec configuration, which provides authentication, data confidentiality and integrity for the network communication between devices. Encryption of the traffic protects the confidentiality of the user print and scan data on the network.


Océ online resources

We advise that you visit our website regularly in order to take full advantage of all the available resources:
• Find the latest supplies in our Media Guide.
• Get support on your product and answers to your questions in the Océ Knowledgebase.
• Keep up to date with the latest information on security, and the downloads for your drivers, software, printers and related documentation.

Get the latest information on Security

Connect to the International Corporate Website: www.global.oce.com
Open the security page: http://global.oce.com/support/security/default.aspx

Océ Online Knowledgebase

Océ permanently develops a base of knowledge for its products. You can access this knowledgebase through the Support section of our website. Describe your question or problem in the search field. Then find the answer in the list of solutions or documents, ordered by relevance.


Overview of the security features available per Océ System

The three product groups compared in this table:
- Group A: Océ TDS / TCS / TC systems
- Group B: Océ PlotWave 300, Océ PlotWave 350, Océ PlotWave 900, Océ ColorWave 300
- Group C: Océ ColorWave 600 (PP), Océ ColorWave 650 (PP), Océ ColorWave 550

Operating System
- Group A: Windows XP embedded
- Group B: Windows XP embedded
- Group C: Linux and WES 2009 for Océ ColorWave 650 and Océ ColorWave 550; Linux for Océ ColorWave 600 (PP) and Océ ColorWave 650 PP

Firewall
- Group A: Yes
- Group B: Yes
- Group C: Yes

MS Security flaws / Security patches
- Group A: Yes
- Group B: Yes
- Group C: Yes for Océ ColorWave 650 / 550; N/A for Océ ColorWave 600 (PP) and ColorWave 650 PP

Network protocols protection
- Group A: Océ Security levels - 3 levels
- Group B: Océ Security levels - 3 levels
- Group C: Protection configurable per protocol

OS and software integrity mechanism
- Group A: -
- Group B: -
- Group C: Yes

Antivirus
- Group A: Compatible with 2 antivirus brands
- Group B: Compatible with 2 antivirus brands
- Group C: -

IPv6
- Group A: Yes for Océ TCS300 1.6 and higher, Océ TCS500 1.6 and higher, Océ TDS450 1.6 and higher, Océ TDS700 1.6 and higher, Océ TDS750, Océ TC4 1.6 and higher
- Group B: Yes
- Group C: Yes

Feature to encrypt data on the network
- Group A: HTTPS
- Group B: IPsec for Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300; HTTPS for Océ PlotWave 900
- Group C: -

Password protection
- Group A: Yes, for user settings and administration settings
- Group B: Yes, for user settings and administration settings
- Group C: Yes, for user settings and administration settings

Data overwrite
- Group A: E-shredding for Océ TDS750 1.2.2 and higher, Océ TC4 1.8.2 and higher
- Group B: E-shredding
- Group C: E-shredding for Océ ColorWave 650 2.0.1 and higher, Océ ColorWave 650 PP 2.1 and higher, Océ ColorWave 600 1.5 and higher, Océ ColorWave 550 2.2 and higher

Chapter 2 Security on Océ TDS / TCS / TC4 systems

Overview

Overview of the security features for the Océ TDS/TCS/TC4 systems

The following Océ TDS/TCS/TC4 systems are equipped with security features:
• Océ TDS300
• Océ TDS320
• Océ TDS400
• Océ TDS450
• Océ TDS600 and TDS600 Premia class
• Océ TDS700
• Océ TDS750
• Océ TDS800
• Océ TDS860 (TDS800 Pro Series)
• Océ TCS300
• Océ TCS400
• Océ TCS500
• Océ TC4 scanner

Security features overview

- Operating System: Windows XP Service Pack 2 or Windows XP Service Pack 3 (see below)
- MS Security patches: Océ released patches (on http://global.oce.com)
- Network protocols protection: 3 Océ Security Levels
- Firewall: Yes
- Antivirus: Compatible with 2 Antivirus brands
- IPv6: Yes for Océ TCS300 1.6 and higher, Océ TCS500 1.6 and higher, Océ TDS450 1.6 and higher, Océ TDS700 1.6 and higher, Océ TDS750, Océ TC4 1.6 and higher
- Data encryption: Yes - HTTPS protocol for printing available with Océ Print Exec Workgroup
- Data overwrite: E-shredding (Océ TDS750 1.2.2 and higher and Océ TC4 1.8.2 and higher)
- Password protection: Yes for configuration settings (in the Océ Settings Editor or Océ Express WebTools)

Operating System embedded in the Océ TDS/TCS/TC systems

Océ TDS/TCS/TC releases installed with Windows XP SP3:
- Océ TDS300 1.1.10 and higher
- Océ TDS320 1.0.10 and higher
- Océ TDS400 2.1.10 and higher
- Océ TDS450 3.6 and higher
- Océ TDS600 4.1.10 and higher
- Océ TDS700 1.6 and higher
- Océ TDS750
- Océ TDS800 2.1.10 and higher
- Océ TDS860 1.0.10 and higher
- Océ TCS300 1.6 and higher
- Océ TCS400 2.2.10 and higher
- Océ TCS500 1.6 and higher
- Océ TC4 1.6 and higher

Océ TDS/TCS/TC releases installed with Windows XP SP2:
- Océ TDS300 1.1.9 and lower
- Océ TDS320 1.0.9 and lower
- Océ TDS400 2.1.9 and lower
- Océ TDS450 3.4 and lower
- Océ TDS600 4.1.9 and lower
- Océ TDS700 1.3 and lower
- Océ TDS800 2.1.9 and lower
- Océ TDS860 1.0.9 and lower
- Océ TCS300 1.3 and lower
- Océ TCS400 2.2.9 and lower
- Océ TCS500 1.5 and lower
- Océ TC4 1.0.3 and lower

Overview

12 Chapter 2 - Security on Océ TDS / TCS / TC4 systems


System and Network security

Ports - Protocols

Applications, protocols and ports used on the Océ TDS/TCS/TC systems

Printing applications: security levels, ports and protocols used by the Océ systems

For each application the table gives: the systems concerned, the security levels (N*, M*, H*) at which the application is supported together with the ports then open on the controller, and the protocol behind each controller port.

Océ Windows Printer Driver (WPD)
  System: all Océ TDS and TCS systems (except Océ TC4)
  N: TCP 515, TCP 65200, TCP 80, TCP 139
  M (1): TCP 515, TCP 65200, TCP 80
  H (2): TCP 515
  Controller ports: TCP 515: LPR; TCP 65200: Océ back-channel (*); TCP 139: SMB; TCP 80: HTTP (for advanced accounting)
  Starting from Océ TDS450 3.8.2, Océ TCS300 1.8.2, Océ TCS500 1.8.2, Océ TDS700 1.8.2 and Océ TDS750 1.2.2: UDP 515 at N, M and H (UDP 515: Océ protocol, for printer discovery)

Océ Adobe® PostScript® 3™ driver
  System: all Océ TDS and TCS systems (except Océ TC4)
  N: TCP 515, TCP 139
  M (3): TCP 515, TCP 139
  H (3): TCP 515
  Controller ports: TCP 515: LPR; TCP 139: SMB

Océ Print Exec Workgroup
  System: Océ TCS400/TCS500; Océ TDS400/TDS450/TDS600/TDS700/TDS750/TDS800/TDS860
  N: TCP 80
  M: TCP 80
  Controller ports: TCP 80: HTTP

Océ Print Exec Workgroup over SSL (HTTPS)
  System: Océ TDS400/TDS450/TDS600/TDS700/TDS750/TDS800/TDS860, Océ TCS400/TCS500
  N: TCP 443
  Controller ports: TCP 443: HTTPS
  Starting from Océ TDS450 3.8.2, Océ TCS500 1.8.2, Océ TDS700 1.8.2 and Océ TDS750 1.2.2: TCP 443 also at M and H

Océ Publisher Select (v1.8 and higher)
  System: Océ TDS750
  N: TCP 515, TCP 65200, TCP 80, UDP 515
  M: TCP 515, TCP 65200, TCP 80
  Controller ports: TCP 80: HTTP; TCP 65200: Océ back-channel (*); TCP 515: LPR; UDP 515: Océ protocol (for printer discovery)

Océ ReproDesk
  System: all Océ TDS and TCS systems (except Océ TC4)
  N: TCP 515, TCP 65200
  M: TCP 515, TCP 65200
  Controller ports: TCP 515: LPR; TCP 65200: Océ back-channel

Océ PELT Windows
  System: all Océ TDS and TCS systems (except Océ TC4 and Océ TDS750)
  N: TCP 515, TCP 65200
  M: TCP 515, TCP 65200
  H (4): TCP 515
  Controller ports: TCP 515: LPR; TCP 65200: Océ back-channel

Océ Print Exec Light Web
  System: Océ TDS400 1.X, Océ TDS600 2.X, Océ TDS800 1.X, Océ TCS400 <= 2.1
  N: TCP 80
  M: TCP 80
  Controller ports: TCP 80: HTTP

Océ Print Exec Basic
  System: all Océ TDS and TCS systems (except Océ TDS300, Océ TDS320, Océ TCS300 and Océ TC4)
  N: TCP 80
  M: TCP 80
  Controller ports: TCP 80: HTTP


Novell NDPS printing
  System: all Océ TDS and TCS systems (except Océ TC4)
  N: TCP 515
  M: TCP 515
  H: TCP 515
  Controller ports: TCP 515: LPR

LPR printing (command line)
  System: all Océ TDS and TCS systems (except Océ TC4)
  N: TCP 515
  M: TCP 515
  H: TCP 515
  Controller ports: TCP 515: LPR

FTP printing
  System: all Océ TDS and TCS systems (except Océ TC4)
  N: TCP 21, TCP 4242
  M (5): TCP 21
  Controller ports: TCP 21: FTP; TCP 4242: FTP passive mode (6)

SMB printing
  System: Océ TDS300/TDS320/TDS400/TDS600/TDS800/TDS860; Océ TCS400
  N: TCP 139
  Controller ports: TCP 139: SMB

Notes:
• * Levels: N: Normal - M: Medium - H: High
• (*) Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
• (1) LPR printing with back-channel and advanced accounting. No SMB printing
• (2) LPR printing. No back-channel. No SMB printing. No advanced accounting
• (3) LPR printing only. No SMB printing
• (4) LPR printing. No back-channel
• (5) FTP active mode only: the controller opens the data connection back to the client, so the client-side firewall must allow it
• (6) For the data communication channel: in passive mode the client opens the data connection to TCP 4242 on the controller

Scanning applications: security levels, ports and protocols used by the Océ systems

Scan to File Remote SMB
  System: all Océ TDS, TCS and TC4 systems except Océ TCS300 and Océ TDS300
  N: SMB (no incoming port required on the controller)

Scan to File Remote FTP
  System: all Océ TDS, TCS and TC4 systems except Océ TCS300 and Océ TDS300
  N: FTP
  M (1): FTP
  H (1): FTP

Scan data retrieval by FTP
  System: all Océ TDS, TCS and TC4 systems
  N: TCP 21, TCP 4242
  M (2): TCP 21
  Controller ports: TCP 21: FTP; TCP 4242: FTP passive mode (3)

Notes:
• * Levels: N: Normal - M: Medium - H: High
• (1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive mode
• (2) FTP active mode only
• (3) For the data communication channel


Control management: security levels, ports and protocols used by the Océ systems

PING
  System: all Océ TDS, TCS and TC4 systems
  N, M, H: ICMP

SNMP based applications
  System: Océ TDS450 v3.1 and higher
  N: UDP 161
  Controller ports: UDP 161: SNMP

Océ Remote Logic
  System: all Océ TDS and TCS systems except Océ TDS700, Océ TDS750, Océ TCS300 and Océ TC4
  N: TCP 1099, TCP 9999, TCP 16440 to TCP 16460
  Controller ports: TCP 1099, TCP 9999, TCP 16440 to TCP 16460: Océ specific protocol

Océ Power Logic Remote
  System: Océ TDS700, Océ TDS750 and Océ TC4
  N: TCP 1099, TCP 9999, TCP 16440
  Controller ports: TCP 1099, TCP 9999, TCP 16440: Océ specific protocol

Océ Settings Editor Web application
  System: Océ TCS300
  N: TCP 80
  M: TCP 80
  Controller ports: TCP 80: HTTP

Name resolution (**)
  System: all Océ TDS, TCS and TC4 systems
  N: outgoing connection - local port (on controller): UDP(/TCP) <dynamic value>; remote port (on DNS server): UDP(/TCP) 53

DHCP
  System: all Océ TDS, TCS and TC4 systems
  N, M, H: outgoing connection - local port (on controller): UDP 68; remote port (on DHCP server): UDP 67

Océ Account Center / Advanced accounting (WPD)
  System: all Océ TDS, TCS and TC4 systems except Océ TCS300, Océ TDS300 and Océ TDS320
  N: TCP 80
  M: TCP 80
  Controller ports: TCP 80: HTTP

Accounting information retrieval by FTP
  System: all Océ TDS, TCS and TC4 systems except Océ TCS300, Océ TDS300 and Océ TDS320
  N: TCP 21, TCP 4242
  M (1): TCP 21
  Controller ports: TCP 21: FTP; TCP 4242: FTP passive mode (4)

Browse Océ systems on the network with Windows network neighbourhood
  System: Océ TDS450/TDS700/TDS750/TC4, Océ TCS300/TCS500
  N: UDP 137
  Controller ports: UDP 137: NetBIOS over TCP/IP

Browse Océ systems on the network with Windows network neighbourhood
  System: Océ TDS300/TDS320/TDS400/TDS600/TDS800/TDS860, Océ TCS400
  N: UDP 137
  Controller ports: UDP 137: SMB

Océ License Logic
  System: all Océ TDS, TCS and TC4 systems
  N: TCP 80
  M: TCP 80
  Controller ports: TCP 80: HTTP

Océ Remote Patch
  System: all Océ TDS, TCS and TC4 systems except Océ TCS300
  N: TCP 80
  M: TCP 80
  Controller ports: TCP 80: HTTP

Océ Remote Security settings
  System: all Océ TDS and TCS systems except Océ TCS300, Océ TDS300, Océ TDS320 and Océ TC4
  N: TCP 80, TCP 443
  M: TCP 80
  Controller ports: TCP 80: HTTP (3); TCP 443: HTTPS
  Starting from Océ TDS450 3.8.2, Océ TCS500 1.8.2, Océ TDS700 1.8.2 and Océ TDS750 1.2.2: TCP 80 and TCP 443 at M and H

Océ Service Logic
  System: all Océ TDS, TCS and TC4 systems
  N: TCP 21, TCP 4242
  M (1): TCP 21
  Controller ports: TCP 21: FTP; TCP 4242: FTP passive mode (4)


System and Network security

Chapter 2 - Security on Océ TDS / TCS / TC4 systems 15


Table continued: Application / Functionality | System | Supported security levels (x) and open port (N* / M* / H*) | Port used on the controller: protocol

Océ Meter Manager | Océ TDS450 1.7.1 / TDS700 1.7.1 and higher versions, Océ TDS750, Océ TCS300 1.7.1 / TCS500 1.7.1 and higher versions | N: x, UDP 161 | UDP 161: SNMP

Notes:
• * Levels: N: Normal - M: Medium - H: High
• (**) The name resolution is mainly used to determine the IP address of the scan destination during Scan to File operation
• (1) FTP active mode only
• (3) HTTP traffic is automatically redirected to HTTPS
• (4) For data communication channel
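As an added example (not part of the Océ guide), the Python script below turns the table above into a port audit: it encodes the control-management ports an Océ TDS450 at version 3.8.2 or higher may expose at each level, parses the port lines of an nmap scan of the controller, and reports open ports that should be closed at the configured level, ports that belong to another level, and ports the table does not cover at all. The scan text is a constructed sample, the choice of model and the nmap output shape are assumptions, and printing and scanning ports (covered by the per-application table on page 13) are deliberately not classified here.

```python
"""Audit the listening ports of an Océ controller against its security level.

Added example, not from the Océ guide. ALLOWED transcribes the control
management table for an Océ TDS450 at version 3.8.2 or higher (so Medium
includes TCP 443). Printing/scanning ports belong to the per-application
table on page 13 and are only reported here as 'not in this table'.
"""
import re

# (protocol, port) -> application, per level. DNS and DHCP are outgoing
# connections from the controller and open no listening port, so they
# are left out; ICMP (ping) is allowed at every level.
NORMAL = {
    ("udp", 161): "SNMP based applications / Océ Meter Manager",
    ("tcp", 1099): "Océ Remote Logic",
    ("tcp", 9999): "Océ Remote Logic",
    **{("tcp", p): "Océ Remote Logic" for p in range(16440, 16461)},
    ("tcp", 80): "Account Center / License Logic / Remote Patch / Remote Security (HTTP)",
    ("tcp", 443): "Océ Remote Security settings (HTTPS)",
    ("tcp", 21): "Accounting retrieval by FTP / Océ Service Logic",
    ("tcp", 4242): "FTP passive mode, data channel",
    ("udp", 137): "Windows network neighbourhood (NetBIOS over TCP/IP)",
}
MEDIUM = {
    ("tcp", 80): "Account Center / License Logic / Remote Patch / Remote Security (HTTP)",
    ("tcp", 443): "Océ Remote Security settings (HTTPS, from TDS450 3.8.2)",
    ("tcp", 21): "Accounting retrieval by FTP / Océ Service Logic (active mode only)",
}
HIGH = {}  # nothing listens for control management; ping still answers
ALLOWED = {"N": NORMAL, "M": MEDIUM, "H": HIGH}

# Constructed sample in the shape of nmap's normal output (not a real scan).
SAMPLE_SCAN = """\
PORT      STATE         SERVICE
21/tcp    open          ftp
80/tcp    open          http
443/tcp   open          https
515/tcp   open          printer
1099/tcp  open          rmiregistry
161/udp   open|filtered snmp
"""

_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open")


def parse_nmap(text):
    """Set of (protocol, port) that nmap reported as open (or open|filtered)."""
    found = set()
    for line in text.splitlines():
        m = _PORT_LINE.match(line.strip())
        if m:
            found.add((m.group(2), int(m.group(1))))
    return found


def expected_ports(level):
    """Listening ports the table allows at level 'N', 'M' or 'H'."""
    return set(ALLOWED[level])


def audit(level, observed):
    """Classify observed ports against the table for `level`.

    unexpected: open ports the table does not allow at this level, with the
                level(s) they belong to, or a note that they are outside the
                control-management table altogether.
    missing:    table ports the scan did not see (service down or filtered).
    """
    allowed = ALLOWED[level]
    unexpected = {}
    for key in sorted(observed):
        if key in allowed:
            continue
        levels = [lvl for lvl, table in ALLOWED.items() if key in table]
        if levels:
            unexpected[key] = f"{ALLOWED[levels[0]][key]}: allowed at level {'/'.join(levels)} only"
        else:
            unexpected[key] = "not in the control-management table: check it against the printing/scanning table"
    missing = {key: app for key, app in allowed.items() if key not in observed}
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    result = audit("M", parse_nmap(SAMPLE_SCAN))
    for (proto, port), why in result["unexpected"].items():
        print(f"UNEXPECTED {port}/{proto}: {why}")
    for (proto, port), app in result["missing"].items():
        print(f"missing    {port}/{proto}: {app}")
```

Run it against the output of `nmap -sU -sT -p- <controller>` after each security level change: at High the table expects no listening control-management port at all, so anything reported open there is either a printing/scanning service to check against page 13 or a service that should not be running.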

Security Patches

Policy about Microsoft flaws and vulnerabilities

Policy
Océ regularly checks whether vulnerabilities (mainly those described in the Microsoft security bulletins) affect the Océ Power Logic Controller. Océ then informs users whether their systems are vulnerable and, where they are, publishes a corresponding Océ patch.

Patch procedure
Download the patches to apply to your printer from the http://global.oce.com website: select your print system and open the Downloads/Security page (example: http://global.oce.com/products/tds700/Downloads.aspx#tab3) to get the latest patches and to check whether a Microsoft flaw impacts the Océ controller. On this page you find:
• The latest information about security (MS flaws...)
• The Océ security patches
• The instructions to apply the patches on the Océ controller
• The procedure to identify the Océ patches installed on your system

Note:
The patches provided by Microsoft on the Microsoft website cannot be installed directly on the controllers. Use the appropriate Océ patches. Until the Océ patch is available and applied, a Microsoft vulnerability that affects the controller remains open; the HIGH security level is the interim mitigation (see "Security levels").

Consult also the Océ Security Web page - http://global.oce.com/support/security/ for general security information.

Depending on the version of your system controller, you must download the Océ Remote Patch and install it on the controller (see "Install the Océ Remote Patch™ - Remotely install an Océ patch" on page 16).

Install the Océ Remote Patch™ - Remotely install an Océ patch

Purpose
The Océ Remote Patch™ functionality allows you to:
• load and remotely apply security and software patches onto the controller
• check the last patch successfully applied
• check the execution status of the latest patch applied ('Success' or 'Failure')


It is available for the following product versions:
• Océ TDS300 1.1.9 and higher
• Océ TDS320 1.0.9 and higher
• Océ TDS400 2.1.9 and higher
• Océ TDS450 3.3.1 and higher
• Océ TDS600 4.1.9 and higher
• Océ TDS700 1.2.1 and higher
• Océ TDS750
• Océ TDS800 2.1.9 and higher
• Océ TDS860 1.0.9 and higher
• Océ TCS400 2.2.9 and higher
• Océ TCS500 1.4.1 and higher
• Océ TC4 scanner 1.0.2 and higher

Each time a security patch needs to be remotely installed on the controller:
- Download the security patch from the Océ website (Downloads/Security page of your product on http://global.oce.com).
- Open the Océ Remote Patch page, either:
  - in the web browser of a workstation: enter the URL http://[controller hostname or IP address]/OceRemotePatch.html
  - or, in Océ Print Exec Workgroup v2.6 and higher: from the Administration menu, click Océ Remote Patch™
- Log on to the Océ Remote Patch™ page as the controller system administrator.

Opened by its direct URL, the Remote Patch page is served over plain HTTP (TCP 80, see the port table above), so the administrator logon and the patch file cross the network unencrypted: apply patches from a trusted network segment.

1. Browse to the location of the patch file (*.oce)

Note:
Click 'Reset' to clear the field when needed.

2. Click 'Apply Patch'
3. Confirm
The installation starts. At the end of the process, the controller reboots.
4. After the restart:
- in the web browser of a workstation, enter the following URL: http://[controller hostname or IP address]/OceRemotePatch.html
- or, from the Administration menu of Océ Print Exec Workgroup, click 'Océ Remote Patch™'
5. Log on as the controller system administrator
6. Check that the 'Last execution status' of the patch is 'Success': the installation was successful.

Note:
When the status is 'Failure', apply the patch again. If the installation fails again, contact your Océ representative.

Security levels

Security levels presentation
Océ defined 3 levels of security according to customer needs. The presentation below can help you to select the most suitable level.

HIGH security level
The HIGH level is the most secure mode for printing and scanning. The compliant applications are based on the LPR protocol for printing and on the FTP protocol for scanning. Note that both LPR and FTP carry the job data in clear: the HIGH level reduces the exposed services (see the port table), it does not encrypt print or scan data, and HTTPS with Print Exec Workgroup is only available at the Normal level.
Target:


• This level provides the most secure mode while keeping the basic printing and scanning features. Only some Océ applications are available. See the "security levels supported per application/functionality" on page 13.

• This security level may also be used as an interim protection when a vulnerability has been discovered and the corresponding patch cannot yet be installed. As soon as the patch can be installed, you can go back to the original security level.

MEDIUM security level
The MEDIUM level is compliant with all the Océ applications available for printing and scanning which do not present a high risk (as reported by most popular network scanners).
Target:
This level is recommended if you need to be secured while still using the Océ applications for printing and/or scanning (more functions are available than with the HIGH security level).

Normal security level
This mode offers all the functionalities.
Target:
• You can select this level if you want to use some features not covered by the MEDIUM security level.
• This level is intended for small network infrastructures where features matter more than security.

Security levels - Printers and scanner versions compatibility
The security levels are implemented on the following versions of the printer/scanner controllers:

Printer versions
• Océ TDS300 v1.1.1 and higher
• Océ TDS320: all versions
• Océ TDS400 v2.1.1 and higher
• Océ TDS450: all versions
• Océ TDS600 v4.1.1 and higher
• Océ TDS700: all versions
• Océ TDS750: all versions
• Océ TDS800 v2.1.1 and higher
• Océ TDS860 v1.0 and higher
• Océ TCS300: all versions
• Océ TCS400 v2.2 and higher
• Océ TCS500: all versions
• Océ TC4 scanner: all versions

To check whether your Océ system with no screen is equipped with the security levels, check the firmware version number on the control panel during the reboot of the printer.
For the Océ TDS300, the version number must be 1.1 or higher.
For the Océ TDS400, the version number must be 2.1 or higher.
For the Océ TCS400, the version number must be 2.2 or higher (you can access it when the printer is off-line, in the 'Configure system' menu).


Set the Security level - Manage the security levels
The security user interface is available locally on the controller only, from the Océ Settings Editor (no remote access).

Note:
You need to be logged on as the System Administrator to access the security level interface and change the security levels.

[1] Log on

From the Edit menu, select Security... to open the Security level window.

[2] Access Security window

It displays the current Security level and the available options. According to the security level selected, the settings are available (in black) or not (in grey). The controller is delivered with the Normal security level by default; according to your needs, you can switch by selecting the required level.


Illustration

[3] Security level interfaces: High / Medium / Normal

1. In the Security level window, check the level required (Normal, Medium or High).
2. Click OK once, then Cancel. A warning message is displayed:

[4] Security warning message

3. Click OK.
4. After processing, a message displays the security level confirmation. Click OK to reboot the controller:

[5] reboot

When the security level is changed from Normal to Medium or High, the level selected is also displayed on the Océ System Control Panel (click on the Security button):

[6] Océ System Control Panel - Security level information


Systems with no screen

For systems delivered without screen, keyboard or mouse, it is possible to switch between security levels using diskettes/CDs. There is one diskette/CD per security level:
• 1 diskette/CD to switch to the HIGH security level.
• 1 diskette/CD to switch to the MEDIUM security level.
• 1 diskette/CD to switch to the STANDARD / Normal security level.
Océ delivers 3 deliverables to build the diskettes/CDs. Please contact your local Océ representative. Store these media as carefully as the administrator passwords: with them, anyone with physical access to the controller can change its security level.

Antivirus

Antivirus installation: Compatibility and recommendations
To install the Symantec or McAfee antivirus programmes, contact your Océ representative.

Note:
Océ shall not be liable for damages of any kind attributable to the use of an antivirus on the Océ systems controllers.

Compatibility
Océ tested the installation of the 3 following antivirus programmes on the Océ systems controller:

Antivirus | Installable on the controller of:

Symantec AntiVirus Endpoint Protection 11; McAfee VirusScan Enterprise Edition 8.7i (ePolicy Orchestrator for AntiVirus update) |
• Océ TDS300 1.1.8.1 and upper
• Océ TDS320 1.0.8.1 and upper
• Océ TDS400 2.1.8.1 and upper
• Océ TDS450 3.3.1 and upper
• Océ TDS600 4.1.8.1 and upper
• Océ TDS700 1.2.1 and upper
• Océ TDS750
• Océ TDS800 2.1.8.1 and upper
• Océ TDS860 1.0.8.1 and upper
• Océ TCS300 1.2.1 and upper
• Océ TCS400 2.2.6 and upper
• Océ TCS500 1.4.1 and upper
• Océ TC4 scanner 1.0.2 and upper

Symantec AntiVirus Corporate Edition 10 (Norton) |
• Océ TDS300 1.1.3 to 1.1.5
• Océ TDS320
• Océ TDS400 2.1.3 and upper
• Océ TDS450
• Océ TDS600 4.1.3 and upper
• Océ TDS700
• Océ TDS750
• Océ TDS800 2.1.3 and upper
• Océ TDS860 1.0.1 and upper
• Océ TCS300
• Océ TCS400 2.2.2 and upper
• Océ TCS500
• Océ TC4 scanner

Roles and Passwords


Roles and Passwords for the Océ TDS/TCS/TC4 systems (except Océ TCS300)

Roles
In all Océ TDS/TCS/TC4 systems (except the Océ TCS300), the main network and system settings are protected against change. Only authorised users can configure or change these settings. 4 roles are available:
• Key operator: the Key Operator can manage the jobs and the device settings
• Repro operator: the Repro operator can manage jobs (print and scan)
• System administrator: the System Administrator can manage the configuration settings (such as the network settings, scan destination settings...) and print jobs
• Océ service: this role is used exclusively by the Océ Service Technician

Note:
Refer to your Océ TDS/TCS/TC4 user manual for information on the authorised users and the settings access rights.

Passwords used
The passwords protect:
• The roles
• The Scan To File remote user name

Password modification table for Océ TDS/TCS/TC4 systems

Password for | Can be changed by
Key operator | Key operator
Repro operator | Repro operator
System administrator | System administrator
ScanToFile remote user name | Anyone (no login requested)

Note:
Keep these passwords. The loss of these passwords may require the intervention of Océ Service.
Because the Scan To File remote user name password can be changed without logging on, control who can reach the controller's local user interface.

Passwords storage on the controller
All passwords are stored encrypted on the controller. There is no open access to the system to change them. You can change them only through the standard user interface on the controller.

Passwords export policy
No password is exported to the backup files, except the passwords for the Scan To File remote user names, which are stored encrypted in the *.sm file. Protect the backup set accordingly: it carries the credentials the controller uses on the scan destinations.

Roles and Passwords for the Océ TCS300


Roles description
In the system, the main network and system settings are protected against change. Only authorised users can configure/change these settings. 4 roles are available:
• Key operator: the Key Operator can manage the jobs and the device settings
• System administrator: the System Administrator can manage the configuration settings such as the network settings and the scan destination settings
• Power user: the Power User has both the rights of the Key Operator and the System Administrator
• Océ service: this role is used exclusively by the Océ Service Technician

Passwords used in Océ Settings Editor Web application
In the Océ Settings Editor Web application, the passwords protect the roles.

Password modification table for Océ TCS300

Password for | Can be changed by
Key operator | Key operator or Power user
System administrator | System administrator or Power user
Power user | Power user

Password policy
• 256 characters maximum
• Any number [0-9]
• Any letter, lowercase/uppercase [a-z][A-Z]
• The following special characters: _ - ~ ! @ # $ % ^ * ? { } ( ) = + , . ; : [ ] / | \
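As an added example (not from the guide), this Python snippet checks a candidate password against the character set and length above and generates role passwords that comply with it. The minimum length it enforces is the example's own choice, since the policy only states a maximum.

```python
"""Validate and generate Océ TCS300 role passwords under the printed policy.

Added example, not from the Océ guide. The alphabet and the 256-character
maximum are the policy as printed; the minimum length and the requirement
that a generated password contain every character class are this
example's choices.
"""
import secrets
import string

# Exactly the special characters the policy lists (no space, no & < > " ').
SPECIALS = "_-~!@#$%^*?{}()=+,.;:[]/|\\"
ALPHABET = string.digits + string.ascii_letters + SPECIALS
ALLOWED = set(ALPHABET)
MAX_LEN = 256
MIN_GENERATED = 8  # example's choice, not part of the policy


def check_password(password):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if not password:
        problems.append("empty password")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        problems.append("characters not allowed by the policy: " + " ".join(repr(c) for c in bad))
    return problems


def generate_password(length=24):
    """Random password from the policy alphabet, containing every character class."""
    if not MIN_GENERATED <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_GENERATED} and {MAX_LEN}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isdigit() for c in candidate)
                and any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c in SPECIALS for c in candidate)):
            return candidate


if __name__ == "__main__":
    for pw in ("Oce-TCS300_admin!", "pass word", "a&b", generate_password(32)):
        print(repr(pw), check_password(pw) or "accepted")
```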

Passwords storage on the controller
All passwords are stored encrypted on the controller. There is no open access to the system to change them. You can change them only through the standard user interface on the controller.

Passwords export policy
The roles passwords are not stored in the backup set.


Data security

HTTPS through PEWG

Print data encryption through HTTPS with Océ Print Exec Workgroup
To protect the privacy of your print data on the network, use the HTTPS protocol (HTTP over SSL) with Océ Print Exec Workgroup (v2.6 and higher). You can then send encrypted print data to Print Exec Workgroup using the following URL:
https://[Common Name or PrinterHostname or PrinterIPaddress]
Example: https://TCS500.oce.com

Definition
Océ proposes 2 services when printing with Print Exec Workgroup by means of HTTPS instead of HTTP:
• the print data encryption, to ensure the print data confidentiality
• the use of certificates: the client station which submits the print can check the identity of the controller.

Compatible versions of Océ Print Exec Workgroup
The HTTPS feature is embedded in Océ Print Exec Workgroup v2.6 and higher, recommended for:
• Océ TDS400
• Océ TDS400 Prémia Class
• Océ TDS450
• Océ TDS600
• Océ TDS600 Premia Class
• Océ TDS700
• Océ TDS750
• Océ TDS800
• Océ TDS800 Pro series
• Océ TCS400
• Océ TCS500

The self-signed certificate and the CA-signed certificate
• By default, Océ delivers an Océ self-signed certificate. This certificate provides encryption of the print data between the client and the controller and can be used easily. It has not been signed by a Certification Authority, so the web browser displays a 'Certificate Error' message the first time you use the HTTPS protocol. It may be used with a few limitations (see "Use the Océ self-signed certificate - Use the Océ self-signed certificate with Internet Explorer" on page 25), or while you are waiting for a trusted certificate to be delivered by a Certification Authority. A self-signed certificate authenticates the controller only to the extent that you verified it out of band before trusting it: the encryption protects the data from eavesdropping, not from a controller impersonated with another self-signed certificate.
• When your security policy recommends it, the administrator can request and import a certificate delivered by a Certification Authority (CA-signed certificate). See the "overall procedure to request and import a CA-signed certificate" on page 28.

HTTPS protocol and the Security levels
The HTTPS protocol in Océ Print Exec Workgroup is available only in the Normal security level. The HTTPS protocol uses TCP port 443.


Administration
Configure the use of HTTPS - Configure the use of HTTPS

You can configure the use of HTTPS through the job submission tool for Océ TDS and TCS systems, Océ Print Exec Workgroup v2.6 and higher. On the Remote Security™ page, set the use of the secured protocol to:
- Required, to allow only the HTTPS protocol
- Optional, to allow both the HTTP and HTTPS protocols
Leave 'Optional' only while clients are being migrated: with it, print data submitted over http:// still crosses the network unencrypted.

Note:
When you set HTTPS to 'Required' in PEWG v2.6 or higher, only the Océ Account Center communication protocol remains in HTTP mode.

1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (enter the printer IP address or hostname)
2. From the Administration menu, select Océ Remote Security
3. Log on as the printer system administrator
4. On the Océ Remote Security™ page, select Set the HTTPS mode
5. Set the HTTPS mode to Required or keep Optional (default)
6. Reboot the controller to apply the change

Use the Océ self-signed certificate - Use the Océ self-signed certificate with Internet Explorer
You can use the HTTPS protocol with the default Océ self-signed certificate to send encrypted print data to the printer controller. The first time you use a self-signed certificate, your web browser generates security error messages. In order to use the self-signed certificate in your web browser easily and securely, you must:
- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate
The procedures depend on the web browser you use to open Océ Print Exec Workgroup. See below the use with:
- Internet Explorer
- Mozilla Firefox

1. On a workstation, type the URL address of your printer in Internet Explorer (https://[hostname]).
A warning window opens. It displays 2 errors:
• The certificate is not issued by a trusted certificate authority.
• The Common Name in the certificate does not match the printer hostname (or IP address) you typed in the address bar.


2. In order to view and check the self-signed certificate, continue to the website.

Note:
A 'Warning - Security' message may open to ask whether you trust the applet distributed by Océ. This message concerns only the Java applets used in Print Exec Workgroup; it is not related to the self-signed certificate. You can check the certificate and click 'Yes'.

3. Océ Print Exec Workgroup opens, but the address bar displays a certificate error. Click on the error: the certificate is reported as invalid.
4. View the certificate.
5. The certificate is issued to 'Océ PE WG xxxxxxxx' by 'Océ PE WG xxxxxxxx' (where 'xxxxxxxx' is the controller MAC address). Check the Details and the Certification Path. In Details, check the following values:
Common Name (CN) = Océ PE WG
Organization Unit (OU) = PE WG
Organization (O) = Océ
Before going further, compare the MAC address in the Common Name with the MAC address of your controller (shown in its network settings): this comparison is the only thing that ties the self-signed certificate to your printer rather than to another device answering on the same address.
6. Click 'Install Certificate...'
7. Follow the Wizard's instructions to import the certificate into your web browser. Validate.
When the import is successful, the 'Océ PE WG' certificate is recognised and its status is OK.


8. Open the Tools menu \ Internet options \ Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch".
This option is browser-wide: unchecking it also silences the address-mismatch warning for every other HTTPS site visited from this workstation. If that is not acceptable under your policy, keep the option checked and use a CA-signed certificate whose Common Name is the printer hostname instead (see "Request and import a CA-signed certificate" on page 28).
9. Restart the browser and type the URL of your printer in Internet Explorer (https://[hostname]). The padlock is displayed in the address bar; the Océ self-signed certificate then provides:
• The identity of the remote computer (controller)
• The encryption of the print data on the network.

Use the Océ self-signed certificate - Use the Océ self-signed certificate with Mozilla Firefox
1. On a workstation, type the URL address of your printer in Mozilla Firefox (https://[hostname]).
A warning window opens. It displays 2 errors:
• The certificate is not trusted because it is self-signed
• The certificate is only valid for 'Océ PE WG xxxxxxxx'


2. In order to view and check the self-signed certificate, continue to add an exception.
3. Click 'Add Exception...'
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server. The 'Wrong site' and 'Unknown Identity' errors are displayed.
5. Click 'View...' to see the content of the certificate. Check the following values:
Common Name (CN) = Océ PE WG xxxxxxxx
Organization Unit (OU) = PE WG
Organization (O) = Océ
6. The certificate is issued to 'Océ PE WG xxxxxxxx' by 'Océ PE WG xxxxxxxx', so you can confirm the security exception (permanent or temporary exception).
7. A security warning window may pop up. Click 'Yes' to continue.
The Océ Print Exec Workgroup software opens. You can check in the status bar (at the bottom of the window) that the padlock is displayed. In the navigation bar, the Océ certificate is registered as an exception. The identity of the remote controller and the encryption of the data on the network are secured.
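As an added example (not from the guide or from Océ), the Python below does from a script what the two browser procedures above do by hand: it checks that a certificate carries the documented Océ PE WG subject, that it is self-signed (issuer equal to subject), optionally that the Common Name suffix is the controller's MAC address, and it pins the certificate by SHA-256 fingerprint so that later connections refuse anything else, instead of relaxing a browser-wide warning. The certificate dictionaries are constructed in the shape Python's ssl.getpeercert() returns; the host name, the MAC address and the PEM file name are placeholders.

```python
"""Verify and pin the Océ PE WG self-signed certificate from a script.

Added example, not from the Océ guide. Expected subject values (CN
'Océ PE WG <MAC>', OU 'PE WG', O 'Océ') and the self-signed property come
from the browser procedures; everything else is this example's design.
"""
import hashlib
import socket
import ssl

CN_PREFIX = "Océ PE WG"
EXPECTED = {"organizationalUnitName": "PE WG", "organizationName": "Océ"}

# Constructed sample in ssl.getpeercert() shape; '0010ABCDEF12' stands in
# for a controller MAC address. Not a real certificate.
SAMPLE_SUBJECT = (
    (("organizationName", "Océ"),),
    (("organizationalUnitName", "PE WG"),),
    (("commonName", "Océ PE WG 0010ABCDEF12"),),
)
SAMPLE_CERT = {"subject": SAMPLE_SUBJECT, "issuer": SAMPLE_SUBJECT}


def rdns_to_dict(rdns):
    """Flatten getpeercert()'s subject/issuer tuple-of-tuples into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def _normalise_mac(mac):
    return mac.replace(":", "").replace("-", "").lower()


def check_oce_self_signed(cert, expected_mac=None):
    """Return a list of problems; empty means the certificate is the Océ
    self-signed certificate of the controller with `expected_mac`."""
    subject = rdns_to_dict(cert.get("subject", ()))
    issuer = rdns_to_dict(cert.get("issuer", ()))
    problems = []
    cn = subject.get("commonName", "")
    if not cn.startswith(CN_PREFIX):
        problems.append(f"unexpected Common Name {cn!r}")
    for field, value in EXPECTED.items():
        if subject.get(field) != value:
            problems.append(f"unexpected {field} {subject.get(field)!r}")
    if subject != issuer:
        problems.append("issuer differs from subject: not the Océ self-signed certificate")
    if expected_mac is not None:
        suffix = _normalise_mac(cn[len(CN_PREFIX):].strip())
        if suffix != _normalise_mac(expected_mac):
            problems.append(f"Common Name suffix {suffix!r} is not the controller MAC address")
    return problems


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint of a DER certificate, as browsers show it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def fetch_controller_cert(host, port=443, trusted_pem=None, timeout=10):
    """Return (parsed_cert, der_bytes) from the controller's HTTPS port.

    With trusted_pem (the exported self-signed certificate) the handshake is
    verified against it and the parsed dict is populated. Without it this is
    first contact: only the DER bytes are returned for pinning, and the
    fingerprint must be compared with the controller's own display out of band.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # CN is 'Océ PE WG <MAC>', never the hostname
    if trusted_pem:
        ctx.load_verify_locations(cafile=trusted_pem)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def verify_pinned(host, pinned_fingerprint, port=443):
    """True only if the controller presents exactly the pinned certificate."""
    _, der = fetch_controller_cert(host, port)
    return sha256_fingerprint(der) == pinned_fingerprint.upper()


if __name__ == "__main__":
    print(check_oce_self_signed(SAMPLE_CERT, expected_mac="00:10:AB:CD:EF:12") or "subject OK")
    # Live use (placeholders): first contact records the pin, later runs enforce it.
    # _, der = fetch_controller_cert("tcs500.example.com")
    # pin = sha256_fingerprint(der); print(verify_pinned("tcs500.example.com", pin))
```

The pin replaces the browser's permanent exception: once recorded, a changed fingerprint (a re-imaged controller, or another machine answering on the printer's address) fails closed instead of producing a warning that users click through.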

Request and import a CA-signed certificate
Description of the overall procedure to request and import a CA-signed certificate

By default the first certificate delivered for the use of HTTPS with Océ Print Exec Workgroup is an Océ self-signed certificate.To ensure a fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).


Information about certificates
When you generate a CA-signed certificate request on a controller:
• A new private key is created: this key stays in the controller
• The certificate request containing the public key is created. Send it to the Certification Authority.
The CA-signed certificate you will receive also contains the public key. This public key is linked to the private key already stored in the controller.

In the controller, the private key and the public key must match to enable a secure HTTPS protocol. Because every new request creates a new private key, a certificate returned for an earlier request no longer matches once a second request has been generated: back up the current certificate and key first (step A1), and do not generate another request while a reply from the Certification Authority is pending.

To request and then import a CA-signed certificate while you are still using HTTPS with Océ Print Exec Workgroup 2.6 and higher, follow these 2 procedures, step by step:

Overall procedure to prepare and generate the CA-signed certificate request (Océ Print Exec Workgroup 2.6 and higher)

Step | Description
A1 - Back up the current certificate and private key | The current certificate can be:
• the original Océ self-signed certificate embedded with Océ Print Exec Workgroup
• a CA-signed certificate (delivered by a Certification Authority) you previously installed
See "Back up a certificate and a private key - Back up the current certificate and private key" on page 29.
A2 - Generate the certificate request | Make this step when you want to request and install a CA-signed certificate. During the creation of the request, a new private key is created. See "Generate a CA-signed certificate request - Generate a certificate request" on page 30.
A3 - Save the content of the certificate request | Send this content to the Certification Authority to request a (CA-signed) certificate. The Certification Authority will check the request and reply.
- If the request is valid, go to step A4
- If the request is not valid, make a new request (A2) according to the remarks/corrections suggested by the CA request feedback
A4 - Restart the controller |

Overall procedure to import the new CA-signed certificate

Step | Description
B1 - Save and store the new CA-signed certificate | Save the CA-signed certificate you received from the Certification Authority.
B2 - Import the new CA-signed certificate into the controller | Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates). See "Import a CA-signed certificate (into the controller and workstations) - Import the Root certificate into the controller" on page 31.
B3 - Restart the controller |
B4 - Import the Root certificate into the web browsers of the workstations | The Root certificate identifies the Certification Authority. By default, the web browsers contain a list of well-known and trusted Root certificates. In case the Root certificate of the Certification Authority is not in this list, install the CA Root certificate in the 'Trusted Root certificates' list of the web browser, on each workstation. See "Import a CA-signed certificate (into the controller and workstations) - Check and import the Root certificate into the workstations browser" on page 32.
B5 - Back up the certificate and private key | Back up and store the certificate and the private key in order to be able to restore them if needed. See "Back up a certificate and a private key - Back up the current certificate and private key" on page 29.

Back up a certificate and a private key - Back up the current certificate and private key
You must back up the certificate and private key:


• BEFORE you generate a certificate request (step A1 of the "overall procedure" on page 28): to save your current certificate and private key.
• AFTER you import the new certificate (step B5): to save your new certificate and private key, in order to be able to restore them if needed.

1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[IP address or hostname])
2. From the Administration menu, select Océ Remote Security
A new HTTPS browser page opens.

Note:
A warning message can occur: validate and continue.

3. Log on as the printer system administrator
4. In the Océ Remote Security™ page, select Backup certificate and private key
5. To save the server certificate and private key, enter a password made of 6 characters at least (password used to encrypt the private key)
6. Confirm the password
7. Click 'Save'
8. Download and store the backup file (.jks).
The .jks file contains the controller's private key, protected only by the password entered in step 5: choose a long password, keep it separately from the file, and store the file with the same care as any other private key.

Generate a CA-signed certificate request - Generate a certificate request

Purpose
Create a certificate request in Océ Print Exec Workgroup 2.6 and higher. Use this function only when you want to request a new CA-certificate.
Install the latest version of Print Exec WorkGroup for your printer (v2.6 or higher, see http://global.oce.com/products/print-exec-workgroup/).
Back up the current Certificate and Private key already installed on the controller (see "Back up a certificate and a private key - Back up the current certificate and private key" on page 29).

Note:
Step A2 of the "overall procedure" on page 28.

1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[IP address or hostname])
2. From the Administration menu, select Océ Remote Security
A new HTTPS browser page opens.

Note:
A warning message can occur: validate and continue.

3. Log on as the printer system administrator
4. In the Océ Remote Security™ page, select Generate a certificate request
5. Fill out the form with the requested information

Note:
In the certificate request the Common Name MUST be the hostname or the Fully Qualified Domain Name (FQDN) of the printer (e.g. 'TDS800' or 'TDS800.mycompany.com'). This Common Name will be used in the URL when you open Océ Print Exec WorkGroup through HTTPS (e.g. 'https://[CommonName]').

6. Click 'Generate'.
The web server generates a certificate request. The content of the request is displayed (plain text).
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBvDCCASQAwfDELMAkGA1UEBMCRlIxDDAKBgNVBAgTA0lERjEQMA4GA1UEBxMHQ1JFVEVJTDEBEGA1UEChMKT2NlIFBMVCBTQTEMMAoGA1UECxMDU05TMSowKAYDVQQDEyF0ZHM3MDAtNzQwLnNucy5vY2VjcmV0WlsLm9jZS5uZwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ2NKQMd


HjiDZ1khzTJTORxHqjKl3AtE3PXqRsiHouTH5JTceYtaBjCnxCJ4pGKY5iKN8KJiJuZG8PHxY7oW/+zpvxN2VtX7TcyTAvyCThUwL+cqo75tvODo5HMCUa2sLdl8GO9WMLpgZkxH5KzIiO+LcI4yQbqhENynywS0C2ObXCq3yksF74+XIO0swhoA2yfDp4T+LuF3wxys8lUH3ZhhkOYg==
-----END NEW CERTIFICATE REQUEST-----

Generate a CA-signed certificate request - Save and send the request

Note:
Step A3 of the "overall procedure" on page 28.

1. Click 'Save' to save the content of the request in a .csr file (named 'certificate_request.csr' by default)
2. Restart the controller
3. Send the content of this request to the Certification Authority.
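As an added example (not from the guide), the Python script below checks a certificate returned by the Certification Authority before it is imported (step B1). It confirms that the public key in the certificate is the one from the saved certificate_request.csr (the private key never leaves the controller, so comparing public keys is the only way to check the "private key and public key must match" condition from a workstation), that the Common Name is the printer's FQDN as required above, and that the certificate chains to the Root (and Intermediate) certificates the CA delivered. It calls the openssl command line tool, which must be installed on the workstation; self_test() builds a throw-away request, a demo CA and two certificates in a temporary directory so the checks can be exercised offline. File names and 'tds800.mycompany.com' are placeholders.

```python
"""Check a CA-signed certificate against the saved CSR before importing it.

Added example, not from the Océ guide. Uses the openssl command line tool
(it must be installed on the workstation). The controller keeps its private
key, so the workstation can only compare public keys: the one in the
request the controller produced and the one in the certificate the CA
returned. self_test() builds throw-away keys, a demo CA and two
certificates in a temporary directory to exercise the checks offline;
'tds800.mycompany.com' and the file names are placeholders.
"""
import os
import re
import shutil
import subprocess
import tempfile


def openssl_available():
    return shutil.which("openssl") is not None


def _openssl(*args):
    """Run an openssl subcommand and return its stdout, raising on failure."""
    proc = subprocess.run(["openssl", *args], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"openssl {' '.join(args)} failed: {proc.stderr.strip()}")
    return proc.stdout


def csr_common_name(csr_path):
    """Common Name of the request's subject, e.g. 'tds800.mycompany.com'."""
    out = _openssl("req", "-in", csr_path, "-noout", "-subject", "-nameopt", "RFC2253")
    m = re.search(r"(?:^|,)CN=([^,]+)", out.split("=", 1)[1].strip())
    if not m:
        raise ValueError(f"no Common Name in {csr_path}")
    return m.group(1)


def public_key_pem(path, kind):
    """PEM public key of a request (kind='req') or a certificate (kind='x509')."""
    return _openssl(kind, "-in", path, "-noout", "-pubkey").strip()


def public_key_matches(csr_path, cert_path):
    """True if the CA signed the key the controller generated for this request."""
    return public_key_pem(csr_path, "req") == public_key_pem(cert_path, "x509")


def chain_verifies(cert_path, root_path, intermediate_path=None):
    """True if the certificate chains to the delivered Root (via the Intermediate, if any)."""
    args = ["openssl", "verify", "-CAfile", root_path]
    if intermediate_path:
        args += ["-untrusted", intermediate_path]
    return subprocess.run(args + [cert_path], capture_output=True, text=True).returncode == 0


def check_received_certificate(csr_path, cert_path, root_path, expected_fqdn, intermediate_path=None):
    """All three must be True before the certificate is imported into the controller."""
    return {
        "common_name_ok": csr_common_name(csr_path).lower() == expected_fqdn.lower(),
        "public_key_ok": public_key_matches(csr_path, cert_path),
        "chain_ok": chain_verifies(cert_path, root_path, intermediate_path),
    }


def self_test():
    """Offline demonstration on generated material (nothing here comes from a real controller)."""
    fqdn = "tds800.mycompany.com"
    with tempfile.TemporaryDirectory() as d:
        def p(name):
            return os.path.join(d, name)
        # What the controller does in step A2: a new key and a request with CN = FQDN.
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", p("controller.key"),
                 "-out", p("certificate_request.csr"), "-subj", f"/O=Oce Demo/CN={fqdn}")
        # A throw-away CA standing in for the Certification Authority.
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                 "-keyout", p("root.key"), "-out", p("root.pem"), "-subj", "/CN=Demo Root CA")
        _openssl("x509", "-req", "-days", "1", "-in", p("certificate_request.csr"), "-CA", p("root.pem"),
                 "-CAkey", p("root.key"), "-CAcreateserial", "-out", p("controller.pem"))
        # Same name, different key: what a mix-up between two requests looks like.
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", p("other.key"),
                 "-out", p("other.csr"), "-subj", f"/O=Oce Demo/CN={fqdn}")
        _openssl("x509", "-req", "-days", "1", "-in", p("other.csr"), "-CA", p("root.pem"),
                 "-CAkey", p("root.key"), "-CAcreateserial", "-out", p("other.pem"))
        return {
            "good": check_received_certificate(p("certificate_request.csr"), p("controller.pem"), p("root.pem"), fqdn),
            "wrong_key": check_received_certificate(p("certificate_request.csr"), p("other.pem"), p("root.pem"), fqdn),
        }


if __name__ == "__main__":
    print(self_test() if openssl_available() else "openssl not found")
```

In real use, call check_received_certificate() with the .csr saved in step A3, the certificate file from the CA and the Root (and Intermediate) files the CA delivered; a public key mismatch means the request was regenerated after this one was sent (step A2 creates a new key each time), and the request must be made again.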

Import a CA-signed certificate (into the controller and workstations) - Import the Root certificate into the controller

1. Import the CA-signed certificate into the controller:
• Import the 'Root certificate'
• Import the 'Intermediate certificate'
• Import the CA-certificate
2. Import the Root certificate into the workstations web browser

Note:
Step B2 of the "overall procedure" on page 28

Note:
Save locally or on the network all the CA-signed certificate files the Certification Authority sent you.

1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[IP address or hostname])
2. From the Administration menu, select Océ Remote Security
A new HTTPS browser page opens.

Note:
A warning message can occur: validate and continue.

3. Log on as the printer system administrator
4. In the Océ Remote Security™ page, select Import CA-signed certificate
5. Select Root certificate
6. Browse to the Root certificate file and click Import

Note:
The Root certificate may already exist in the web server certificates list.

7. Validate to confirm the import
8. When the message "Certificate successfully imported." pops up, go on to import the Intermediate certificate

Note:
When an error message is displayed, see its meaning in "Security through PEWG 2.6 and higher: Error messages" on page 33.

Import a CA-signed certificate (into the controller and workstations) - Import the Intermediate certificate

1. Select Intermediate certificate
2. Browse to the Intermediate certificate file and click Import
3. When the message "Certificate successfully imported." pops up, go back to the main page to import the CA-signed certificate

Import a CA-signed certificate (into the controller and workstations) - Import the CA-signed certificate

1. Select CA-signed certificate
2. Browse to the certificate file
3. Select 'Yes' to validate the certificate against the Java root certificates and click 'Import'
4. When the message "Certificate successfully imported." pops up, restart the controller.

The certificate is now installed on the server. Check and import (if needed) the CA Root certificate also into the workstations' web browser. That secures the complete data workflow between the workstations and the server.

Import a CA-signed certificate (into the controller and workstations) - Check and import the Root certificate into the workstations' browser

Note: Step B4 of the "overall procedure" on page 28.

1. On each workstation, open the web browser
2. In the Tools - Internet Options - Content window, open 'Certificates'
3. Check if the CA Root certificate is already displayed in the 'Trusted Root Certification Authorities' list
4. If it is not in the list, import the CA Root certificate.

Restore a certificate and a private key - Restore the certificate and private key

You can restore the certificate and the private key at any moment, in case of need.

1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[IP address or hostname])
2. From the Administration menu, select Océ Remote Security. A new HTTPS browser page opens.
   Note: A warning message can occur: validate and continue.
3. Log on as the printer system administrator
4. In the Océ Remote Security™ page, select Restore certificate and private key
5. Browse to the back up file
6. Enter the password of the back up file
7. Click 'Restore'
8. A dialog box opens: "This action will overwrite the current certificate. Continue?" Click 'OK'
9. When the key and the certificate are successfully restored, restart the controller.

Reset the current certificate - Reset the certificate

Purpose
This procedure creates a new Océ self-signed certificate. You can reset the certificate after a certificate request, or at any moment when you want to go back to a self-signed certificate.

Note: Prefer restoring the original self-signed certificate (which requires that you backed it up beforehand). Each 'Reset certificate' action generates a new self-signed certificate with a new private and public key. So each time you reset the certificate you must import the new certificate into the web browser, and any pending CA-signed certificate request no longer matches the controller's key.

1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[IP address or hostname])
2. From the Administration menu, select Océ Remote Security. A new HTTPS browser page opens.
   Note: A warning message can occur: validate and continue.
3. Log on as the printer system administrator
4. In the Océ Remote Security™ page, select Reset certificate
5. Click the 'Reset' button
6. When the reset is successful (Certificate successfully reset), reboot the controller

A new self-signed certificate has been generated on the controller. Configure your web browser to use it (see "Use the Océ self-signed certificate - Use the Océ self-signed certificate with Internet Explorer" on page 25).

HTTPS and certificates error messages

Security through PEWG 2.6 and higher: Error messages

Find below the description of the error messages you can encounter when you manage security through Print Exec Workgroup 2.6 and higher:

Error message: 'Incorrect Login' / 'Administrator's session has expired'
Meaning: Type in the correct login/password to open the Océ Remote Security page. The session expires after 5 minutes.

Error message: Incorrect password
Meaning: Type the password used to back up the certificate.

Error message: An internal server error occurred while processing the request. Repeat the operation / An internal error occurred during the generation of the certificate request / An internal error occurred during the reset of the certificate / An internal error occurred during the restoration of the back up file
Meaning: Repeat the operation. If the operation fails again, contact your system administrator or your Océ local representative.

Error message: Certificate import failed. Check the validity of the certificate file.
Meaning: The file you try to import is not a valid certificate file.

Error message: Error: This CA-signed certificate does not match the latest CA-signed certificate request.
Meaning: The certificate you try to import does not match the certificate request (private key). Possible causes: the imported certificate does not match the certificate request; the certificate has been reset (to a self-signed one) since the request was generated, so the controller now holds a different private key.

Error message: The certificate chain cannot be established. Import Root and/or Intermediate certificates first.
Meaning: The controller does not recognise the Root or Intermediate certificate provided by the Certification Authority. Import the Root and/or the Intermediate certificate into the controller before you import the CA-signed certificate (see the Root and Intermediate certificate import procedures above).

Error message: Certificate already imported
Meaning: The certificate has already been imported.

Error message: Error when saving file. Operation aborted.
Meaning: The back up process failed due to an internal error. Repeat the operation.

E-Shredding (Océ TDS750 1.2.2 and higher, Océ TC4 1.8.2 and higher)

E-shredding presentation
The e-shredding feature is a security feature which overwrites any user data (print/copy/scan) when it is deleted from the system. This prevents the recovery of any deleted user data (files' content and attributes). A deleted job is a job that cannot be retrieved from any user interface.

When is a job deleted?
A job is deleted either:
• When it is manually deleted from a Smart Inbox
• After it was successfully printed and was not saved in a Smart Inbox ('Save printed jobs in a Smart Inbox' system setting is disabled in the Océ Express Webtools)
• After a 'ScanToFile to remote destination' has been successfully performed
• When it is automatically deleted after a timeout:
  - When the end of the job lifetime in the Smart Inbox is reached ('Save printed jobs in a Smart Inbox' system setting is enabled in the Océ Express Webtools and 'Printed jobs in Smart Inbox: job lifetime' is set)
  - When the time for the cleanup of the 'Scans in Smart Inbox' is reached
• When a 'Clear system Remove all jobs' is performed on the printer local interface

E-shredding algorithms
Select one of the three e-shredding behaviours:
• DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35.

Note: The e-shredding feature has been designed to minimise the impact on global system performance. However, the more passes you select, the more impact it has on general performance. It is recommended to minimise the number of passes when document production is required.

Enable the e-shredding on Océ TDS750 1.2.2 and higher and Océ TC4 1.8.2 and higher - Enable/disable the e-shredding (Océ Power Logic Controller)

You must be logged on as a System Administrator.

Note: When you enable the e-shredding, the system automatically disables the 'Save printed jobs in a Smart Inbox' setting. The jobs previously printed and stored in the Smart Inbox are deleted. They are not e-shredded.

1. Open the Océ Power Logic Controller
2. Open the 'Configuration' - 'Security' tab and go to the 'E-shredding' section
3. Log on as a System Administrator
4. Click Edit
5. Select 'Enabled'
6. Select the algorithm. When you select 'Custom', set the number of passes.

When the E-shredding feature is enabled, a new icon is added to the list of icons (bottom right) in the Océ Power Logic Controller interface.

Each time data (a file's content or attributes) is deleted from the system, the e-shredding process occurs. For a while, the E-shredding feedback returns 'busy'. In the Océ Power Logic Controller interface, roll the mouse over the e-shredding icon to display the 'E-shredding busy' status.

Once the e-shredding process is complete, the status comes back to 'E-shredding ready' in the Océ Power Logic Controller interface (roll over the icon).

Note: Scanned files whose 'Scan destination file name' is longer than 256 characters, on the controller or on the remote destination, are deleted but not e-shredded (file name too long).
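The overwrite behaviour described in the E-shredding algorithms section and the long-file-name exception in the note above, as an added example: this is illustration code, not the controller's own implementation. It assumes the DOD 5220.22-M passes are a 0x00 fill, a 0xFF fill and a random pass, takes Gutmann as 35 random-data passes as the page describes it, treats the 256-character limit as applying to the file name component, and constructs its own sample job file.

```python
"""Multi-pass overwrite ("e-shredding") of a job file before it is deleted.

Added example, not the controller's own code. It mirrors the three choices
listed above (DOD 5220.22-M, Gutmann, Custom) and the note that files with
a name longer than 256 characters are deleted but not e-shredded.
Assumptions: the DOD 5220.22-M passes are taken as 0x00, 0xFF, random and
Gutmann as 35 random-data passes, as the page describes them; the sample
job file at the bottom is constructed.
"""
import os
import secrets

# None stands for a pass of random data; bytes is a fixed fill pattern.
ALGORITHMS = {
    "DOD 5220.22-M": (b"\x00", b"\xff", None),  # 3 passes
    "Gutmann": (None,) * 35,                      # 35 passes of random data
}
NAME_LIMIT = 256          # scan file names above this are deleted, not shredded
CHUNK = 64 * 1024         # bytes handed to each write() call


def passes_for(algorithm, custom_passes=None):
    """Pass patterns for an algorithm name; 'Custom' takes 1..35 random passes."""
    if algorithm == "Custom":
        if custom_passes is None or not 1 <= custom_passes <= 35:
            raise ValueError("Custom allows 1 to 35 passes")
        return (None,) * custom_passes
    return ALGORITHMS[algorithm]


def name_exceeds_limit(path):
    """True when the file name component is longer than NAME_LIMIT."""
    return len(os.path.basename(path)) > NAME_LIMIT


def overwrite_file(path, patterns):
    """Overwrite the whole file once per pattern, syncing each pass to disk.

    Returns the number of passes performed.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                while block:                       # unbuffered write may be partial
                    written = fh.write(block)
                    block = block[written:]
                remaining -= n
            os.fsync(fh.fileno())                   # this pass must reach the device
    return len(patterns)


def e_shred(path, algorithm="DOD 5220.22-M", custom_passes=None, delete=True):
    """Shred a file's content and name, then unlink it. Returns a status dict."""
    if name_exceeds_limit(path):
        # Mirrors the page: the file is removed but its content is not overwritten.
        if delete:
            os.remove(path)
        return {"path": path, "passes": 0, "shredded": False, "deleted": delete}
    passes = overwrite_file(path, passes_for(algorithm, custom_passes))
    if delete:
        # The name is an attribute too: best-effort rename to a random name
        # before unlinking so the job name does not survive as a directory entry.
        anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
        os.replace(path, anon)
        os.remove(anon)
    return {"path": path, "passes": passes, "shredded": True, "deleted": delete}


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()
    job = os.path.join(workdir, "job-0001.pdf")      # constructed sample job file
    with open(job, "wb") as fh:
        fh.write(b"%PDF-1.4 confidential drawing data\n" * 2000)
    print(e_shred(job))                               # 3 passes, then the file is gone
    print(e_shred(os.path.join(workdir, "x" * 300), delete=False))  # too long: not shredded
```

In-place overwriting only destroys data where the new writes land on the blocks that held the old ones. On flash media with wear levelling, on copy-on-write or journaling file systems, and wherever snapshots exist, older copies can survive every pass, which is why the page's own procedure finishes with a 'Clear System' and a wait for the 'Ready' status rather than trusting a single deletion.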

E-shredding process and system behaviour in Océ TDS750 1.2.2 and higher and Océ TC4 1.8.2 and higher

When you enable the e-shredding
When you enable the e-shredding, the system starts the e-shredding process for all scan/copy/print jobs that will be deleted. The e-shredding process runs as a background task. All processed jobs are e-shredded after they are deleted:
- After a manual deletion from the 'Waiting jobs'
- After an automatic deletion of the print and scan jobs by the system

Note: On TC4 systems, jobs processed by Océ Publisher Copy are not e-shredded after deletion.

When you disable the e-shredding
When you disable the e-shredding, the system:
• Terminates the e-shredding process for files which are being e-shredded
• Does not e-shred newly deleted files

Make sure all the scan/copy/print jobs are completely e-shredded
Once a batch of scan/copy/print jobs has been processed, perform the following actions to make sure all the files are e-shredded:
1. Unplug the system from the network
2. Check that 'Enable Printed jobs' is set to 'Off' (Océ TDS750 only)
3. Delete any print jobs from the 'Waiting Jobs' (TDS750), and any scan jobs from the controller
4. In the top menu, open 'System'
5. Select 'Clear System'
6. Wait until the e-shredder status comes back to 'Ready'
7. Restart the system
8. Wait until the e-shredder status displays 'Ready'


Chapter 3 Security on Océ PlotWave 300/350, PlotWave 900 and ColorWave 300


Overview

Security overview for the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 and the Océ ColorWave 300 systems

The Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 and the Océ ColorWave 300 are equipped with the following security features:

Security overview
Operating System: Windows XP Service Pack 3
Firewall: Yes
Network protocols protection: 3 Océ Security Levels
MS Security patches: Océ released patches
Antivirus: Compatible with 2 Antivirus brands
IPv6: Yes
Data encryption on the network: IPsec for Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300; HTTPS for Océ PlotWave 900
Data overwrite: E-shredding
Password protection: Yes, for administration settings


System and Network security

Ports - Protocols

Applications, protocols and ports used on the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 and Océ ColorWave 300 systems

Printing applications: security levels, ports and protocols used by the Océ systems

Levels: N = Normal, M = Medium, H = High. For each application, the ports listed under a level are the ports open on the controller when that level is set; "-" means the application is not supported at that level.

Océ Windows Printer Driver (WPD)
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 515, TCP 65200, TCP 80, UDP 515
  M (1): TCP 515, TCP 65200, TCP 80
  H (2): TCP 515
  Port used on the controller: TCP 515: LPR; TCP 65200: Océ back-channel (**); TCP 80: HTTP (for advanced accounting); UDP 515: Océ protocol (for printer discovery)

Océ Adobe® PostScript® 3™ driver
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 515
  M: TCP 515
  H: TCP 515
  Port used on the controller: TCP 515: LPR

Océ Publisher Express
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900
  N: TCP 80
  M: TCP 80
  H: -
  Port used on the controller: TCP 80: HTTP

Océ Publisher Express over SSL
  Systems: Océ PlotWave 900
  N: TCP 443
  M: TCP 443
  H: TCP 443
  Port used on the controller: TCP 443: HTTPS

Océ Mobile WebTools
  Systems: Océ PlotWave 350
  N: TCP 80
  M: TCP 80
  H: -
  Port used on the controller: TCP 80: HTTP

Océ Publisher Select
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 515, TCP 65200, TCP 80
  M: TCP 515, TCP 65200, TCP 80
  H: -
  Port used on the controller: TCP 80: HTTP; TCP 65200: Océ back-channel (**); TCP 515: LPR

Océ ReproDesk Studio
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 515, TCP 65200
  M: TCP 515, TCP 65200
  H: -
  Port used on the controller: TCP 515: LPR; TCP 65200: Océ back-channel (**)

Novell NDPS printing
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 515
  M: TCP 515
  H: TCP 515
  Port used on the controller: TCP 515: LPR

LPR printing (command line)
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 515
  M: TCP 515
  H: TCP 515
  Port used on the controller: TCP 515: LPR

FTP printing
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 21, TCP 4242
  M (3): TCP 21
  H: -
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (4)

Notes:
• (**) Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
• (1) LPR printing with back-channel and advanced accounting
• (2) LPR printing. No back-channel. No advanced accounting
• (3) FTP active mode only
• (4) Data channel for FTP passive mode


Scanning applications: security levels, ports and protocols used by the Océ systems

Levels: N = Normal, M = Medium, H = High. "Supported" means the function works at that level without opening a port on the controller (the connection is outgoing); "-" means not supported at that level.

Scan to File Remote SMB
  Océ PlotWave 300 / PlotWave 350, Océ ColorWave 300: N: supported; M: -; H: -
  Océ PlotWave 900: N, M, H: supported
  Port used on the controller: -

Scan to File Remote FTP
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: supported; M (1): supported; H (1): supported
  Port used on the controller: -

Scan data retrieval by FTP
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 21, TCP 4242
  M (2): TCP 21
  H: -
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (3)

Scan data retrieval from Smart Inbox (Scans)
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 80
  M: TCP 80
  H: -
  Port used on the controller: TCP 80: HTTP

Scan data retrieval from Smart Inbox (Scans) over SSL
  Systems: Océ PlotWave 900
  N: TCP 443
  M: TCP 443
  H: TCP 443
  Port used on the controller: TCP 443: HTTPS

Notes:
• (1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive mode
• (2) FTP active mode only
• (3) Data channel for FTP passive mode

Control management: security levels, ports and protocols used by the Océ systems

Levels: N = Normal, M = Medium, H = High. "-" means not supported at that level.

PING
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N, M, H: supported
  Protocol: ICMP

SNMP based applications
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: UDP 161
  M: -
  H: -
  Port used on the controller: UDP 161: SNMP

Océ Express WebTools
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 80
  M: TCP 80
  H: -
  Port used on the controller: TCP 80: HTTP

Océ Express WebTools over SSL
  Systems: Océ PlotWave 900
  N: TCP 443
  M: TCP 443
  H: TCP 443
  Port used on the controller: TCP 443: HTTPS

Name resolution (**)
  Océ PlotWave 300 / PlotWave 350, Océ ColorWave 300: N: supported; M: -; H: -
  Océ PlotWave 900: N, M, H: supported
  Outgoing connection: local port (on controller): UDP(/TCP) <dynamic value>; remote port (on DNS server): UDP(/TCP) 53

DHCP
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N, M, H: supported
  Outgoing connection: local port (on controller): UDP 68; remote port (on DHCP server): UDP 67

Océ Account Center / Advanced accounting (WPD)
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 80
  M: TCP 80
  H: -
  Port used on the controller: TCP 80: HTTP

Accounting information retrieval by FTP
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 21, TCP 4242
  M (1): TCP 21
  H: -
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (2)

Browse Océ systems on the network with Windows network neighbourhood
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: UDP 137
  M: -
  H: -
  Port used on the controller: UDP 137: NetBIOS over TCP/IP

Océ Service Logic
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: TCP 21, TCP 4242
  M (1): TCP 21
  H: -
  Port used on the controller: TCP 21: FTP; TCP 4242: FTP (2)

IPsec
  Systems: Océ PlotWave 300 / PlotWave 350, Océ ColorWave 300
  N: UDP 500, UDP 4500
  Port used on the controller: UDP 500 (IKE), UDP 4500 (IPsec NAT traversal)

Océ Remote Meter Reading Manager
  Systems: Océ PlotWave 300 / PlotWave 350 / PlotWave 900, Océ ColorWave 300
  N: UDP 161
  M: -
  H: -
  Port used on the controller: UDP 161: SNMP

Océ Remote Service
  Systems: Océ PlotWave 900
  N, M, H: supported
  HTTPS outgoing connection required: TCP port 443 (3)

Notes:
• (**) The name resolution is mainly used to determine the IP address of the scan destination during a Scan to File operation
• (1) FTP active mode only
• (2) Data channel for FTP passive mode
• (3) TCP port 443 must be opened and must allow the response back on the IT infrastructure firewall. Please consult 'Océ Remote Service - IT Whitepaper & Data Security Policy' for additional information.
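A security level is only as good as what the controller actually exposes. As an added example (not Océ software), the following audits a port scan of a controller against the three tables above. The expected-port sets are transcribed from those tables and cover only ports the controller listens on (ICMP and the outgoing DNS, DHCP and Océ Remote Service connections are not listening ports); the profile names are labels chosen for this example; the scan line is a constructed sample in nmap grepable (-oG) output format using the documentation address 192.0.2.10.

```python
"""Audit a controller's open ports against its configured security level.

Added example, not Océ software. The expected sets are transcribed from the
three "Ports - Protocols" tables above and cover only ports the controller
listens on. The scan line below is a constructed sample in nmap grepable
(-oG) format; 192.0.2.10 is a documentation address.
"""
import re

# Profile labels are this example's own. PlotWave 300/350 and ColorWave 300
# share one row set in the tables; PlotWave 900 adds HTTPS (443) and has no
# IPsec (UDP 500/4500) row.
EXPECTED = {
    "PlotWave 300/350, ColorWave 300": {
        "N": {("tcp", 21), ("tcp", 80), ("tcp", 515), ("tcp", 4242), ("tcp", 65200),
              ("udp", 137), ("udp", 161), ("udp", 500), ("udp", 515), ("udp", 4500)},
        "M": {("tcp", 21), ("tcp", 80), ("tcp", 515), ("tcp", 65200)},
        "H": {("tcp", 515)},
    },
    "PlotWave 900": {
        "N": {("tcp", 21), ("tcp", 80), ("tcp", 443), ("tcp", 515), ("tcp", 4242),
              ("tcp", 65200), ("udp", 137), ("udp", 161), ("udp", 515)},
        "M": {("tcp", 21), ("tcp", 80), ("tcp", 443), ("tcp", 515), ("tcp", 65200)},
        "H": {("tcp", 443), ("tcp", 515)},
    },
}

# One entry of the -oG "Ports:" field: port/state/proto/owner/service/rpc/version/
_PORT = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)/")

SAMPLE_SCAN = (  # constructed: what a scan of one controller might report
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, "
    "515/open/tcp//printer///, 161/open|filtered/udp//snmp///"
    "\tIgnored State: closed (996)"
)


def parse_nmap_grepable(line):
    """Return the set of (proto, port) reported open on one -oG 'Host:' line."""
    _, _, rest = line.partition("Ports:")
    return {(proto, int(port)) for port, _state, proto in _PORT.findall(rest)}


def audit(system, level, observed):
    """Compare observed open ports with what the tables allow at this level.

    'unexpected' ports mean the level is not really in force (or an extra
    service changed the exposure); 'missing' ones mean a function the level
    should offer is not reachable from the scanner's position.
    """
    expected = EXPECTED[system][level]
    return {"unexpected": sorted(observed - expected),
            "missing": sorted(expected - observed)}


if __name__ == "__main__":
    seen = parse_nmap_grepable(SAMPLE_SCAN)
    for level in "NMH":
        print(level, audit("PlotWave 300/350, ColorWave 300", level, seen))
```

Run against the sample, a controller believed to be at High still answers on TCP 21, TCP 80 and UDP 161, which is exactly the case the HIGH level description warns about: the level was never applied, or something reopened the ports. Scan with UDP enabled (nmap -sU) as well, since SNMP, NetBIOS and IKE are UDP-only rows in the tables.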

Security Patches

Install the Océ Remote patch (on Océ PlotWave 300/350, PlotWave 900 and Océ ColorWave 300) - Install the Océ Remote patch

You can install the Océ Remote patches (Security patches) on the following versions of the systems:
• Océ PlotWave 300 1.2.1 and higher
• Océ PlotWave 350 1.0 and higher
• Océ PlotWave 900
• Océ ColorWave 300 1.2.1 and higher

Download the Océ Security patch from the Océ website on http://global.oce.com: open the product page and go to the Downloads/Security page to find the available security patches.

1. Open the Océ Express Webtools
2. Open the 'Support' tab
3. Select 'Update'. The Authentication window opens.
4. Log in as the System administrator or Power user. The latest patch successfully applied (if any) is displayed.
5. Click on the 'Update' icon (top right corner) to open the wizard
6. Click OK
7. Browse to the Océ Remote patch and click OK to install it
8. Click OK to confirm the update

Security levels

Security levels presentation
Océ defines 3 levels of security to match customer needs. The presentation below helps you select the most suitable level.

HIGH security level
The HIGH level is the most secure mode for printing and scanning. The compliant applications are based on:
• the LPR protocol or the HTTPS protocol (Océ PlotWave 900 only) for printing
• the FTP protocol for scanning (Scan to File to a remote FTP server).
Target:
• This level provides the most secure mode while you use the basic printing and scanning features. Only some Océ applications are available. See the "security levels supported per application/functionality" on page 39.
• This security level may also be used when you want to be protected after a vulnerability has been discovered and the corresponding patch cannot yet be installed. As soon as the patch can be installed, you can go back to the original security level.

MEDIUM security level
The MEDIUM level is compatible with all the Océ applications available for printing and scanning that do not present a high risk (as reported by most popular network scanners).
Target: This level is recommended if you need to be secured while you use the Océ applications for printing and/or scanning (the system offers more functions than with the HIGH security level).

NORMAL security level
This mode offers all the functionalities.
Target:
• Select this level if you want to use features not covered by the MEDIUM security level.
• This level is intended for small network infrastructures where features matter more than security.

Set the security level on Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300 - Manage the security level

The Security wizard on the printer user panel gives the option to check or change the security level of the system. The System Administrator or a Power User can protect the security settings with a password. When the protection is activated, you must type the password in the printer user panel before you can change the security level.

1. From the HOME screen, select the System tab.
2. Select the Setup tab.
3. Use the scroll wheel to go to the Security (Configure settings) wizard.
4. Open this section with the confirmation button.
5. The screen displays the security level and the active network access options.
6. Two options are possible:
   • Press the Back key if you only want to check the security settings.
   • Press the Next > key if you want to adapt the security level.
   Enter the password if requested and follow the wizard to adapt the security level.

Set the security level on Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300 - Protect the security level by a password

1. Open the Océ Express Webtools in a web browser (http://Printer IP address or hostname)
2. In the 'Preferences' tab, select 'System settings'
3. In 'Printer Properties', go to 'Password to change security level'
4. Click on the value to edit it
5. Log in as the System Administrator or as a Power User
6. Select 'New'
7. Type and re-type a numeric password
8. Confirm to activate the password.

You must type the password in the printer user panel when you want to change the security level.

Set the security level on Océ PlotWave 900 R1.1 - Manage the security level

The security user interface is available through the Océ Express WebTools application.

Note: You need to be logged on as the System Administrator to access the security level interface and change the security level.

1. Open the Océ Express Webtools in a web browser (http://Printer IP address or hostname)
2. On the Configuration tab, select Connectivity
3. Go to the Security section
4. Click on 'Edit' or double-click on the value to open the Security level window
5. Set the security level and click 'OK'
6. Restart the printer when prompted

After you set the Security level to 'High', you must open Océ Express WebTools by means of the HTTPS protocol: type https://Printer IP address or hostname in the web browser.

Security of the USB connection (Océ PlotWave 300/350, Océ ColorWave 300)

The USB connection on the Local user interface
A USB connection is available on the Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300 Local user interface. This USB connection is used to:
• Install and upgrade the controller software
• Back up and restore the controller configuration
• Scan to the USB storage device
• Print from the USB storage device

Security on the USB port
General USB port protection:
• Booting from the USB device is not possible.
• Executing any programme present on the USB device is not possible: Autorun is disabled and no operation on the controller can execute a programme on the USB device.
• Propagating any infected file present on the USB device to the network is not possible.

Read from / write to USB device protection
• Protection of the USB READ operation:
  - when restoring a controller configuration from the Local User Interface: any file infected by a virus appears as an invalid backup file; the controller software detects it and rejects the restore operation.
  - when printing from the USB device: a print file infected by a virus cannot compromise the integrity of the controller software.
• Protection of the USB WRITE operation:
  - during the backup of the controller configuration from the Local User Interface: the backup is performed by the internal controller software, which cannot contaminate the USB device.
  - when making a Scan To File to the USB device: the operation is performed by the internal controller software, which cannot contaminate the USB device.

Disable the USB features
You can disable:
• The direct printing operation from USB. See "How to prevent 'Print from USB' - How to disable the 'USB direct print' feature" on page 69
• The scanning operation to USB. See "1- Disable any 'USB stick' scan destination" on page 69

Antivirus

Antivirus installation on the Océ PlotWave 300/350, Océ PlotWave 900 and Océ ColorWave 300: Compatibility and recommendations

Océ PlotWave 300/350, Océ PlotWave 900 and Océ ColorWave 300 compatibility with an antivirus
The following 2 antivirus programmes:
• Symantec AntiVirus Endpoint Protection 11
• McAfee VirusScan Enterprise Edition 8.7i / ePolicy Orchestrator for AntiVirus update
can be installed on the following controller versions:
• Océ PlotWave 300 v1.2 and higher
• Océ PlotWave 350 v1.0 and higher
• Océ PlotWave 900 v1.1 and higher
• Océ ColorWave 300 v1.1.1 and higher

Installation
To install the Symantec or McAfee antivirus programmes, contact your Océ representative. Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.

Roles and Passwords

Roles and profiles in the Océ PlotWave 300/350, Océ Plotwave 900 and Océ ColorWave 300

Roles description
In the system, the main network and system settings are protected against change. Only authorised users can configure/change these settings. 4 roles are available:
• Key operator: The Key Operator can manage the jobs and the device settings
• System administrator: The System Administrator can manage the Configuration settings such as the Network settings, scan destination settings, security settings (e-shredding, IPsec), and the hardware/software configuration settings
• Power user: The Power User has both the rights of the Key Operator and the System Administrator
• Océ service: This role is used exclusively by the Océ Service Technician

Passwords policy and behaviour in the Océ PlotWave 300/350 and Océ ColorWave 300
There are 2 groups of passwords:
• The passwords used in Océ Express WebTools
• The passwords used in the printer Local User Interface

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect:
• The roles
• The Scan to File remote user name
• The security settings (preshared key for IPsec)

Password modification table for Océ PlotWave 300/350 and Océ ColorWave 300
Password for                     | Can be changed by
Key operator                     | Key operator or Power user
System administrator             | System administrator or Power user
Power user                       | Power user
Any ScanToFile remote user name  | System administrator or Power user
Any preshared key for IPsec      | System administrator or Power user

Password policy
A password can be made of 256 characters maximum. For Océ PlotWave 300 v1.2.1 and higher, Océ PlotWave 350 and Océ ColorWave 300 1.2.1 and higher, all MS Windows characters are allowed in a password. For previous versions of Océ PlotWave 300 and Océ ColorWave 300 the passwords can be made of:
• Any number [0-9]
• Any letter lowercase/uppercase [a-z][A-Z]
• the following special characters: _ - ~ ! @ # $ % ^ * ? { } ( ) = + , . ; : [ ] / | \

Passwords used on the Océ Local User Interface (Océ PlotWave 300/350 and Océ ColorWave 300)
• Password to change the Network Settings
• Password to change the security level
• Password to clear the system
• Password to print demo and test prints
• Password to change the hardware/software configuration
• Password to start the scanner calibration

Note: Keep these passwords. The loss of these passwords may require the intervention of Océ Service.

LUI Passwords modification table for Océ PlotWave 300/350 and Océ ColorWave 300
LUI Password for                              | Can be changed by
Change of the Network Settings                | System administrator or Power user
Change of the security level                  | System administrator or Power user
Clear of the system                           | System administrator or Power user
Print of demo and test prints                 | System administrator or Power user
Change of the hardware/software configuration | System administrator or Power user
Start of the scanner calibration              | System administrator or Power user

Password backup/restore policy with the 'Save Set'/'Open Set' features
Some passwords are stored in the backup set made with the 'Save Set' feature of Océ Express WebTools.

Password backup table for Océ PlotWave 300/350 and Océ ColorWave 300
Password / pincode for                        | Backup with 'Save set'? | Restore with 'Open set'?
Change of the Network Settings                | Yes, encrypted (1)      | Yes (2)
Change of the security level                  | Yes, encrypted (1)      | Yes (2)
Clear of the system                           | Yes, encrypted (1)      | Yes (2)
Print of demo and test prints                 | Yes, encrypted (1)      | Yes (2)
Change of the hardware/software configuration | Yes, encrypted (1)      | Yes (2)
Start of the scanner calibration              | Yes, encrypted (1)      | Yes (2)
Any preshared key for IPsec                   | No                      | -
Any ScanToFile remote user name               | No                      | -
Key operator                                  | No                      | -
System administrator                          | No                      | -
Power user                                    | No                      | -

(1) When a password is configured as 'No password', the value 'Auto' (meaning 'No password') is stored in the backup file; it is not encrypted. The passwords are stored in the backup file whatever the login used when making the 'Save Set' operation (System administrator, Key operator or Power user). Treat the saved set as sensitive: any of the three roles can produce it and it carries the LUI passwords, even if encrypted.
(2) The passwords are restored only when the System administrator or the Power user makes the 'Open Set' operation. When a password has been stored with the 'Auto' value, it is restored with the 'No password' value.

Passwords policy and behaviour in the Océ PlotWave 900

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect:
• The roles
• The Scan to File remote user name

Password modification table for Océ PlotWave 900

Password for                     | Can be changed by
Key operator                     | Key operator or Power user
System administrator             | System administrator or Power user
Power user                       | Power user
Any ScanToFile remote user name  | System administrator or Power user


Password policy
• 256 characters maximum
• Any 'Microsoft Windows' characters

Password backup/restore policy with the 'Save Set'/'Open Set' features
None of the passwords for Power user, System administrator, Key operator and ScanToFile remote user is stored in the backup file made with the 'Save Set' feature.


Data Security

E-Shredding

E-shredding presentation
The e-shredding feature is a security feature that overwrites any user data (print/copy/scan) when it is deleted from the system. It prevents the recovery of deleted user data (file contents and attributes).
A deleted job is a job that can no longer be retrieved from any user interface.

When is a job deleted?
A job is deleted either:
• When it is manually deleted from a Smart Inbox
• After it was successfully printed and was not saved in a Smart Inbox (the 'Save printed jobs in a Smart Inbox' system setting is disabled in the Océ Express WebTools)
• After a 'ScanToFile to remote destination' has been successfully performed
• After a 'ScanToFile to USB stick' has been performed, successfully or not (only on Océ PlotWave 300/350 and Océ ColorWave 300)
• When it is automatically deleted after a timeout:
  - When the end of the job lifetime in the Smart Inbox is reached (the 'Save printed jobs in a Smart Inbox' system setting is enabled in the Océ Express WebTools and 'Printed jobs in Smart Inbox: job lifetime' is set)
  - When the time for the cleanup of the 'Scans in Smart Inbox' is reached
• When a 'Clear system - Remove all jobs' is performed on the printer local interface

E-shredding algorithms
Select one of the three e-shredding behaviours:
• DoD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35

Note: The e-shredding feature has been designed to minimise the impact on global system performance. However, the more passes selected, the more impact it has on general performance. It is recommended to minimise the number of passes when document production is required. E-shredding acts on the controller's own storage only: a scan that has already been delivered to a remote destination or written to a USB stick is not affected by it.
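Added example, not Océ code (the controller's own e-shredding implementation is not published), showing what the three behaviours above amount to at file level: each pass rewrites every byte of the file and is forced to the media before the next pass starts, and the size and name are destroyed before the unlink so that the file attributes do not survive in the directory either. The DoD pattern (zeros, ones, random) is the usual reading of the 3-pass scheme; the Gutmann behaviour is modelled as 35 random passes, as the page describes it. The sample file in the main block is constructed for the demonstration.

```python
"""Multi-pass overwrite ("e-shredding") of a file before it is unlinked.

Added example, not Océ code.  The three behaviours named on the page are
modelled as a list of passes: a fixed byte value, or None for CSPRNG data.
"""
import os
import secrets

CHUNK = 64 * 1024


def pass_patterns(algorithm: str, passes: int = 3) -> list:
    """One entry per pass: a byte value to write, or None for random data."""
    if algorithm == "dod":         # DoD 5220.22-M as commonly implemented:
        return [0x00, 0xFF, None]  # zeros, ones (complement), random
    if algorithm == "gutmann":     # 35 passes; the page says random data
        return [None] * 35
    if algorithm == "custom":      # 1..35 passes, as the controller allows
        if not 1 <= passes <= 35:
            raise ValueError("custom passes must be between 1 and 35")
        return [None] * passes
    raise ValueError(f"unknown algorithm {algorithm!r}")


def overwrite_once(path: str, size: int, pattern) -> None:
    """Rewrite the first `size` bytes of `path` in place, then fsync so the
    pass reaches the media before the next one starts."""
    with open(path, "r+b", buffering=0) as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            block = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
            written = f.write(block)
            if not written:
                raise OSError(f"short write while overwriting {path}")
            remaining -= written
        f.flush()
        os.fsync(f.fileno())


def shred(path: str, algorithm: str = "dod", passes: int = 3) -> int:
    """Overwrite every byte of `path` once per pass, hide its size and name,
    then unlink it.  Returns the number of passes performed."""
    patterns = pass_patterns(algorithm, passes)
    size = os.path.getsize(path)
    for pattern in patterns:
        overwrite_once(path, size, pattern)
    # Attributes too: truncate so the size is gone, rename so the name is gone.
    with open(path, "r+b") as f:
        f.truncate(0)
    hidden = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, hidden)
    os.unlink(hidden)
    return len(patterns)


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throw-away file standing in for a deleted print job.
    workdir = tempfile.mkdtemp()
    job = os.path.join(workdir, "job-0001.pdf")
    with open(job, "wb") as f:
        f.write(b"%PDF-1.4 confidential drawing\n" * 2000)
    print("passes:", shred(job, "dod"), "still exists:", os.path.exists(job))
```

Overwriting reaches only the blocks currently mapped to the file. On journaling or copy-on-write file systems, and on flash media with wear levelling (USB sticks included), earlier copies of the data can survive a rewrite, which is why the 'Clear System' and restart sequence later in this section, not a script like this, remains the reference procedure on the controller.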

Enable the e-shredding - Enable/disable the e-shredding (Océ Express WebTools)
You must be logged in as a System administrator or a Power user.

Note: When you enable the e-shredding, the system automatically disables the 'Save printed jobs in a Smart Inbox' setting. The jobs previously printed and stored in the Smart Inbox are deleted. They are not e-shredded.

1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click 'Edit'
4. Check the 'E-shredding' feature to enable it


5. Select the algorithm. When you select 'Custom', set the number of passes

When the e-shredding feature is enabled, an indication is displayed at 2 locations in the system:
• On the printer (Océ PlotWave 300/350 and Océ ColorWave 300), on the Local User Interface, an indication is displayed in the System menu: 'E-shredding enabled'
• In the Océ Express WebTools window, a new icon is added to the list of icons (bottom right)

Each time data (file contents or attributes) is deleted from the system, the e-shredding process occurs. For a while, the e-shredding feedback is 'busy':
• On the printer (Océ PlotWave 300/350 and Océ ColorWave 300), on the Local User Interface, an indication is displayed in the System menu: 'E-shredding busy'
• In the Océ Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-shredding busy' status

Once the e-shredding of the data is complete, the status comes back to:
• 'E-shredding enabled' in the Local User Interface (Océ PlotWave 300/350 and Océ ColorWave 300)
• 'E-shredding ready' in the Océ Express WebTools (roll over the icon)

Note: Scanned files whose 'Scan destination file name' is longer than 256 characters, on the controller or on the remote destination, are deleted but not e-shredded (the name is too long).

E-shredding process and system behaviour

When you enable the e-shredding
When you enable the e-shredding, the system starts the e-shredding process for all print/scan jobs that will be deleted. The e-shredding process runs as a background task. All processed jobs are e-shredded as soon as they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of the print and scan jobs by the system (timeout, disabled Smart Inbox, cleanup)

When you disable the e-shredding
When you disable the e-shredding, the system:
• Terminates the e-shredding process for files that are being e-shredded
• Will not e-shred newly deleted files

Make sure all the scan/copy/print jobs are completely e-shredded
Once a batch of scan/copy/print jobs has been processed, perform the following actions to make sure all the files are e-shredded:
1- Unplug the system from the network
2- Check that 'Save printed jobs in a Smart Inbox' is disabled
3- Delete any job from the 'Scans' Smart Inbox
4- Make a 'Clear System' on the printer user interface
5- Wait until the e-shredder status comes back to 'Ready' (in Océ Express WebTools)
6- Restart the system
7- Wait until the e-shredder status displays 'Ready' (in Océ Express WebTools)

IPsec (Océ PlotWave 300/350, Océ ColorWave 300)

IPsec presentation
IPsec provides authentication, data confidentiality and integrity for the network communication between devices. A strong encryption mechanism guarantees the confidentiality of the user print and scan data on the network.
IPsec is particularly suitable in a configuration where you need to create a dedicated secure link between the printer/copier system and a workstation that is dedicated as a Print Server (or a Scan Server). You can connect up to 5 IPsec stations to the printer/copier system.
In the configuration below:
• The printer/copier system is physically connected to the network but communicates only with a dedicated station (a Print Server or Scan Server, for example)
• The Print Server receives the print requests from the workstations via IP on the network
• The Print Server sends the print requests to the printer/copier system via IPsec
• The workstations cannot communicate directly with the printer/copier system

Note: In this configuration, the back-channel communication between a workstation and the printer is unavailable (the back-channel information is not displayed in the Océ WPD driver).


Note: IPsec is compatible with IPv4 only. Make sure IPv6 is 'Disabled' before you configure IPsec on the controller.


IPsec parameters in the Océ Express WebTools (EWT)
The following IPsec parameters are available in the Océ Express WebTools:

IPsec generic section:

IPsec: Enabled/Disabled
General setting to enable or disable IPsec. Once enabled, only the network traffic defined by the IPsec configuration rules is authorised.

Failsafe option: Enabled/Disabled
Keep this option enabled during the IPsec configuration, until the IPsec communication between the printer/copier system and the configured station is complete and successful.
- When the option is Enabled (with IPsec enabled), only the network traffic defined by the IPsec configuration rules is authorised. All other network traffic is denied except HTTP traffic to the Océ Express WebTools from any workstation: this allows the IPsec settings to be changed via the Océ Express WebTools from any workstation.
- When the option is Disabled (with IPsec enabled), only the network traffic defined by the IPsec configuration rules is authorised. All other network traffic is denied.
While the failsafe option is enabled, the management interface therefore stays reachable in clear from any host and is protected only by the Océ Express WebTools passwords; disable the option as soon as the IPsec link has been verified.


Default preshared key
You can define a default preshared key that will be used for all the stations connected by IPsec to the printer/scanner system.

Other settings
You can display the other IPsec generic settings ('See all'). Keep them unchanged.

IPsec stations section:
You can configure a maximum of 5 IPsec communications between the printer/copier system and 5 workstations. Enable and configure the parameters for each required station. The parameters can be different for each workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one)

Configure the IPsec settings on the Océ controller - Activate and configure IPsec on the printer/scanner controller

You must be logged in as a System administrator or a Power user.
1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the IPsec section
3. In the 'IPsec generic' section, click 'Edit'
4. Check 'IPsec'
5. Keep the 'Failsafe option' checked while you configure IPsec. If needed, this allows you to connect to the Océ Express WebTools from any workstation in order to change parameters.
6. Keep the other parameters as they are.


7. In the 'IPsec stations' section, click 'Edit'
8. Select 'IPsec station 1: Enable'
9. Enter the 'IPsec station 1: IP address' of the workstation
10. Create and enter the 'IPsec station 1: Preshared key' using the following policy:
• 256 characters maximum
• Any number [0-9]
• Any letter, lowercase or uppercase [a-z][A-Z]
• The following special characters:

_ - ~ ! @ # $ % ^ * ? { } ( ) = + , . ; : [ ] / | \

Note: Write it down; this preshared key will be required during the IPsec configuration on the workstation. The key is the only thing that authenticates the station to the controller, so use a long random value rather than a word, and handle the note as a credential.

Note: In the 'TCP/IP: IPv6' section, make sure TCP/IP (IPv6) is disabled.

The IPsec settings are configured on the controller for a connection to a workstation (which can be a print server).
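Added example, not from the original page, serving both the password policy earlier in this chapter and the preshared key policy above: it generates a key from the operating system's random source using exactly the character set the page allows, and checks a key typed by hand against the same set and the 256-character limit before it is entered on the controller and in the Windows policy. The alphabet is the page's; the function names and the default length are this example's own.

```python
"""Generate and validate an IPsec preshared key (or a legacy LUI password)
against the character policy stated in this chapter.

Added example, not Océ code.  ALLOWED is the set the page lists; the
controller's own validation is not published, so treat this as a pre-check
before typing the key into Océ Express WebTools and the Windows IPsec policy.
"""
import secrets
import string

SPECIALS = "_-~!@#$%^*?{}()=+,.;:[]/|\\"          # the 26 specials the page lists
ALLOWED = frozenset(string.ascii_letters + string.digits + SPECIALS)
MAX_LEN = 256


def check_key(key: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(key) == 0:
        problems.append("empty key")
    if len(key) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Anything outside the page's alphabet (space, quotes, '&', accented
    # letters, ...) would be rejected or mangled on one side of the link.
    bad = sorted({c for c in key if c not in ALLOWED})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


def generate_key(length: int = 64) -> str:
    """Uniformly random key over ALLOWED, drawn from the OS CSPRNG.
    88 symbols give about 6.5 bits per character, so 64 characters is
    roughly 410 bits: far beyond any offline guess at the PSK."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError(f"length must be between 1 and {MAX_LEN}")
    alphabet = sorted(ALLOWED)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    key = generate_key()
    print(key)
    print("policy check:", check_key(key) or "ok")
    # A hand-typed key with characters the page does not allow:
    print("policy check:", check_key('not "this one" & friends'))
```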


Configure the IPsec settings on a workstation or a print server - 1- Add the security snap-in

Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation.
Follow the 6 steps below:
1- Add the security snap-in
2- Create the security policy
3- Create the filter list
4- Define the filter actions and security negotiation
5- Define the security rule
6- Assign the security policy
Do this after the IPsec configuration on the controller. Log on to the workstation with Administrator rights.


Note: The procedure below shows the configuration steps on Windows Server 2008. The procedure is similar on other operating systems (Windows Server 2003, Windows XP, Windows Vista, Windows 7).

1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
2. In the top menu, select 'File' - 'Add/Remove Snap-in'
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console


4. Keep 'Local computer' checked and click 'Finish'
The security snap-in is added; click 'OK'

Configure the IPsec settings on a workstation or a print server - 2- Create the security policy
1. In the console, right-click 'IP Security Policies on Local Computer' and select 'Create IP Security Policy'


2. Click 'Next' to open the wizard
3. Enter the name for the policy and click 'Next'
4. Uncheck 'Activate the default response rule'


5. Uncheck 'Edit properties' and click 'Finish'

Configure the IPsec settings on a workstation or a print server - 3- Create the filter list
1. In the console, right-click 'IP Security Policies on Local Computer' and select 'Manage IP filter lists and filter actions...'
2. In the 'Manage IP filter lists' tab, click 'Add'
3. Enter a filter name and a description and click 'Add'


4. Click 'Next' to open the wizard
5. Check the 'Mirrored' checkbox and click 'Next'
6. Select 'My IP address' as the 'Source address' and click 'Next'
7. Select 'A specific IP address or subnet' as the 'Destination address' and enter the IP address of the controller
8. Select 'Any' as the 'IP Protocol Type' and click 'Next'
9. Click 'Finish'
10. In the 'IP filter list' window, click 'OK'

The filter list is set


Configure the IPsec settings on a workstation or a print server - 4- Define the filter actions and security negotiation

1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard.

2. Click 'Next'
3. Give a name to the filter action and click 'Next'


4. Select 'Negotiate security' and click 'Next'
5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the operating system) and click 'Next'
Note: with this choice the workstation talks in clear to any peer that does not answer the IKE negotiation. Towards the controller this is harmless once the 'Failsafe option' is disabled, because the controller then drops all non-IPsec traffic, but do not rely on the workstation side alone to enforce encryption.
6. Select 'Custom' and click the 'Settings...' button
7. Configure the settings as below


8. Click 'OK' and 'Next', then 'Finish'

Configure the IPsec settings on a workstation or a print server - 5- Define the security rule
1. In the console, right-click the IP security policy just created and select 'Properties' to open the wizard
2. Click 'Next'
3. Select 'This rule does not specify a tunnel' and click 'Next'
4. As the network type, select 'All network connections' and click 'Next'


5. Select the filter previously created then click 'Next'

6. Select the filter action previously created then click 'Next'

7. In the 'Authentication method' window, check 'Use this string to protect the key exchange (preshared key)'


8. Enter the preshared key you set in the Océ Express WebTools (see "Configure the IPsec settings on the Océ controller" above), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the security rule

Configure the IPsec settings on a workstation or a print server - 6- Assign the security policy
1. In the console, right-click the security policy just created and select 'Assign'


The configuration is activated on the workstation.

2. To test the configuration, open a command window and issue a 'ping' command from the workstation to the printer/scanner controller. With the 'Failsafe option' still enabled, a plain ping is dropped by the controller, so a reply shows that IPsec was negotiated; the 'IP Security Monitor' snap-in on the workstation also lists the active security association.
When the test works properly, it is recommended to disable the 'Failsafe mode' on the printer/scanner controller, so that only the workstation is allowed to communicate with the printer/scanner system.

Note: In case you use the WPD driver, see "When you use Océ WPD on the print server" below.

When you use Océ WPD on the print server
It can happen that a user on a workstation not configured with IPsec sends a job to the printer via a print server (configured with IPsec) through a shared driver (WPD) installed on the print server. In this case, when the 'Failsafe mode' is disabled, the communication between the workstation (not configured as an IPsec destination) and the printer controller is blocked (the HTTP communication is stopped).

Illustration: Use of the WPD driver on the workstation configured as a print server, when the 'Failsafe mode' is disabled

Consequences:
- The back-channel information from the printer is not displayed on the driver interface
- The jobs sent with the driver are not printed when basic or advanced accounting is activated. The jobs are stored in the Smart Inbox on the controller. An error message is displayed when opening the 'Accounting' settings in the driver (see the illustration). You must go to the printer user interface to enter the accounting information and print the jobs.

When the 'Failsafe mode' is enabled
When you enable the 'Failsafe mode':
- The back-channel information is not displayed in the driver
- But the accounting communication and process are maintained

Troubleshooting: emergency procedure to deactivate IPsec
In the following case:
• IPsec is enabled and activated on the printer/scanner controller
• The 'Failsafe mode' is disabled
• The communication between the controller and the station fails
You cannot open the Océ Express WebTools remotely to change the settings: the system is locked. You can then use the emergency procedure to disable IPsec via the Local User Interface on the printer/scanner system.

Purpose
Disable IPsec

1. On the Local User Interface, click 'System'
2. Select 'Setup'
3. Scroll down to the Security item and open the Security menu
The status is 'IPsec is enabled'


4. Click 'Next' several times to open the IPsec window

Note: Enter the password if required (depending on the configuration of the access to the Security menu). Because this procedure switches IPsec off from the panel, set the LUI password for the security level (see the LUI passwords table earlier in this chapter); otherwise anyone with physical access to the printer can remove the protection.

5. Select 'Disabled' to deactivate IPsec

6. Click 'Next' to the end of the procedure7. Restart the controller

IPsec is disabled.


After the restart, you will be able to open the Océ Express WebTools remotely from a workstation (HTTP).

Prevent USB Direct Print and Scan to USB (Océ PlotWave 300/350, Océ ColorWave 300)

How to prevent 'Print from USB' - How to disable the 'USB direct print' featureYou can disable any access to the USB device by preventing printing from / scanning to the USB device.

[7] USB direct print: Disabled

1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools
2. Open the 'Preferences' - 'System settings' page and select the 'Printer properties' section
3. Go to the 'USB direct print' setting
4. Click on the value to open the 'USB direct print' window
5. Log in
6. Select 'Disabled' and 'Ok'

How to prevent 'Scan to USB'
You can neutralise the 'Scan to File to USB storage device' capability.
To prevent scanning to a USB destination you must:
1. Disable any 'USB stick' scan destination
2. Remove the USB destination from all scan templates

1- Disable any 'USB stick' scan destination

Purpose
Prevent any user from scanning to a USB device.


[8] Disable the 'Scan to USB'

1. Open a web browser and enter the system URL: http://<hostname>, to open the Océ Express WebTools
2. Open the 'Configuration' - 'Scan destinations' page
3. Edit the 'Scan destination 2: Local to USB storage device'
4. Uncheck the setting 'Scan destination 2 enabled' and click 'Ok'
5. For each scan destination from 'Scan destination 3' to 'Scan destination 10', make sure that the scan destination type is NOT 'Local to USB storage device'

2- Remove the USB destination from all scan templates
1. In Océ Express WebTools, open the 'Preferences' - 'Scan job defaults' page
2. In each 'Scan template: File' section, check that the 'Destination' is not 'USB stick'
3. When the destination is 'USB stick', edit the setting to change it

HTTPS (Océ PlotWave 900)

Encrypt print data using HTTPS with the Océ self-signed certificate (Océ PlotWave 900)
On Océ PlotWave 900, you can use the HTTPS protocol with the default Océ self-signed certificate:


- to send encrypted print data to the printer controller via Océ Publisher Express
- to securely manage the configuration of the system through the Océ Express WebTools
The HTTPS protocol is available with all security levels. All settings and options available through HTTP are also available through HTTPS.

Note: Only the Océ self-signed certificate is supported (this excludes Certificate Authority signed certificates).

Before you begin
The first time you use a self-signed certificate, your web browser will generate security error messages. In order to use the self-signed certificate easily and securely in your web browser, you must:
- View and check the self-signed certificate in your web browser
- Configure your web browser to trust the self-signed certificate
Since no Certificate Authority vouches for this certificate, its fingerprint is the only thing that distinguishes your controller's certificate from one presented by an impostor: note the fingerprint when you first view the certificate and compare it whenever the browser warns again later.

Use the Océ self-signed certificate with Internet Explorer
1. On a workstation, type the URL address of your printer in Internet Explorer: https://[common Name or PrinterHostname or PrinterIPaddress]
A warning window opens. It displays 2 errors:
• The certificate is not issued by a trusted certificate authority.
• The Common Name in the certificate does not match the printer hostname (or IP address) you typed in the address bar.
2. In order to view and check the self-signed certificate, continue to the website
3. Click on 'Certificate error'
4. Click 'View certificates'


5. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools'
6. Click 'Install Certificate...'
7. Follow the wizard's instructions to import the certificate into your web browser, then click 'OK'
When the import is successful, the 'Océ Express WebTools' certificate is recognised and its status is OK.
8. Open the 'Tools' menu, 'Internet options', 'Advanced' tab. In the 'Security' section, uncheck the option 'Warn about certificate address mismatch'
Note: this option is global. Unchecking it also silences name-mismatch warnings for every other HTTPS site you visit with this browser. The mismatch is unavoidable here because the certificate's Common Name is 'Océ Express WebTools' and not the printer's hostname; if your environment allows it, leave the option checked and accept the warning for the printer only.
9. Restart the browser and type the URL of your printer in Internet Explorer (https://[common Name or PrinterHostname or PrinterIPaddress]).
The padlock is displayed in the address bar. Provided you checked the certificate before importing it, the Océ self-signed certificate guarantees:
• The identity of the remote computer (controller)
• The encryption of the print data on the network


Use the Océ self-signed certificate with Mozilla Firefox
1. On a workstation, type the URL address of your printer in Mozilla Firefox (https://[common Name or PrinterHostname or PrinterIPaddress]).
A warning window opens. It reports that:
• The certificate is not trusted because it is self-signed
2. In order to view and check the self-signed certificate, continue to add an exception.
3. Click 'I Understand the Risks' and 'Add Exception...'
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server. The 'Wrong site' and 'Unknown Identity' errors are displayed.
5. Click 'View...' to see the content of the certificate. Check the following values:
Common Name (CN) = Océ Express WebTools
Organization (O) = Océ
Organization Unit (OU) = WFPS
These subject fields are the same on every controller, so they do not identify your printer in particular; also note the certificate's fingerprint shown in the same window and compare it with the one you recorded when the printer was installed.


6. The certificate is issued to 'Océ Express WebTools' by 'Océ Express WebTools', so you can confirm the security exception (permanent or temporary exception).
7. A security warning window may pop up. Click 'Yes' to continue.
The Océ Express WebTools software opens. You can check in the status bar (at the bottom of the window) that the padlock is displayed. In the navigation bar, the Océ certificate is registered as an exception. The identity of the remote controller and the encryption of the data on the network are secured.
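Both browser procedures end with the user deciding to trust a certificate whose subject fields are identical on every controller. As an added example (not Océ software; the hostname, port and pin file name are assumptions for the demonstration), the script below does what a practitioner would do instead of silencing browser warnings: fetch the DER certificate the controller presents, compute its SHA-256 fingerprint and pin it on first use, so that a different certificate on a later connection (a swapped controller, or a man-in-the-middle on the network) is refused rather than waved through.

```python
"""Pin the controller's self-signed certificate by fingerprint.

Added example, not Océ software.  Instead of importing the certificate and
silencing browser warnings, record its SHA-256 fingerprint the first time
(trust on first use) and refuse any later connection that presents a
different certificate.
"""
import hashlib
import hmac
import json
import os
import socket
import ssl


class PinMismatch(Exception):
    """The controller presented a certificate other than the pinned one."""


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, colon separated as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the server presents, in DER form.
    Chain verification is off only because a self-signed certificate cannot
    chain to a CA; verify_pin() is what authenticates the peer instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_pin(host: str, der: bytes, pin_file: str) -> str:
    """Trust on first use.  Returns 'pinned' when `host` is seen for the first
    time and its fingerprint is recorded, 'ok' when it matches the record,
    and raises PinMismatch when it does not."""
    pins = {}
    if os.path.exists(pin_file):
        with open(pin_file) as f:
            pins = json.load(f)
    fp = fingerprint(der)
    if host not in pins:
        pins[host] = fp
        with open(pin_file, "w") as f:
            json.dump(pins, f, indent=2)
        return "pinned"
    if not hmac.compare_digest(pins[host], fp):
        raise PinMismatch(f"{host}: expected {pins[host]}, got {fp}")
    return "ok"


if __name__ == "__main__":
    # Assumed values for the example: the printer's hostname and a pin file
    # kept next to the script.  Run it once when the printer is installed,
    # then before every session; a PinMismatch means: stop and investigate.
    host = "plotwave900.example.org"
    print(host, verify_pin(host, fetch_der(host), "ewt-pins.json"))
```

The first run records the fingerprint, so it must happen on a network path you trust (for instance a direct cable to the controller at installation time); every later run only confirms that nothing has changed. Record the same fingerprint on paper with the other printer credentials so that a firmware replacement or a controller swap can be told apart from an attack.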


Chapter 4 Security on Océ ColorWave 550/600/650 (and Poster Printer)


Overview

Security overview for the Océ ColorWave 600/650 (Poster Printer) and the Océ ColorWave 550 systems

The Océ ColorWave 550 and Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) have been designed around a secured Linux operating system, and each new release of the controller software embeds the latest Linux security fixes.
The Océ ColorWave 650 uses the Windows Embedded Standard 2009 (WES 2009) operating system for scanning operations. This operating system is not accessible from the network.
Moreover, the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 offer the following security features:

Security overview

Operating System               | Linux for Océ ColorWave 600 (Poster Printer) and Océ ColorWave 650 Poster Printer; Linux and WES 2009 for Océ ColorWave 650 and Océ ColorWave 550
Firewall                       | Yes
Network protocols protection   | Yes (per protocol, through firewall)
MS security patches            | Océ released patches
OS and software integrity      | Yes
Antivirus                      | No
IPv6                           | Yes
Data overwrite                 | E-shredding (for Océ ColorWave 600 R1.5 and higher / Océ ColorWave 650 (PP) and Océ ColorWave 550)
Password protection            | Yes: configuration settings password; local user interface pincode


System and Network security

Ports - Protocols

Applications, protocols and ports used on the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550

Printing applications: ports and protocols used by the system

Application / Functionality | Port used on the controller: protocol | Remarks
Océ Windows Printer Driver (WPD) | TCP 515: LPR; TCP 65200: Océ back-channel (*); TCP 80: HTTP (for advanced accounting); UDP 515: Océ protocol for Printer Discovery | Printer Discovery: Océ ColorWave 600 R1.3.1 and higher / Océ ColorWave 600 Poster Printer R1.4 and higher / Océ ColorWave 650 (PP) / Océ ColorWave 550
Océ PostScript 3 driver | TCP 515: LPR |
Océ Publisher Express | TCP 80: HTTP |
Publisher Select | TCP 80: HTTP |
Océ Reprodesk Studio | TCP 515: LPR; TCP 65200: Océ back-channel (*) |
Novell NDPS printing | TCP 515: LPR |
LPR printing | TCP 515: LPR |
FTP printing | TCP 21: FTP; TCP 4242 (data channel in FTP passive mode) |
Océ Publisher Copy | TCP 80: HTTP |

(*) Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded, ...) and to display it in the application or driver. IPv4 only.

Scanning applications in Océ ColorWave 650 and Océ ColorWave 550 only: ports and protocols used by the system

Application / Functionality | Port used on the controller: protocol | Remarks
Scan to File Remote SMB | Outgoing connection: SMB |
Scan to File Remote FTP | Outgoing connection; local port (on controller): UDP(/TCP) <dynamic value> | FTP passive mode only (1)
Scan data retrieval from Smart Inbox (Scans) | TCP 80: HTTP |

Notes:
(1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive mode.

Control management: ports and protocols used by the system

Application / Functionality | Port used on the controller: protocol | Remarks
PING | ICMP (incoming echo request only) |
SNMP based applications | UDP 161: SNMP |
Name resolution | Outgoing connection; local port (on controller): UDP(/TCP) <dynamic value>; remote port (on DNS server): UDP(/TCP) 53 |
Océ Express WebTools | TCP 80: HTTP |
Océ Account Center / Advanced accounting (WPD) | TCP 80: HTTP |
Accounting information retrieval | TCP 80: HTTP |
Océ Service Logic | TCP 21: FTP; TCP 4242: FTP passive mode |
Océ Meter Manager | UDP 161: SNMP | Océ ColorWave 600 R1.3.1 and higher / Océ ColorWave 600 PP R1.4 and higher / Océ ColorWave 650 (PP) / Océ ColorWave 550
Océ Remote Service | Outgoing connection | HTTPS outgoing connection required: TCP port 443 (1)

Notes:
(1) TCP port 443 must be open outbound on the IT infrastructure firewall, and the response traffic must be allowed back in. Consult the Océ Remote Service - IT Whitepaper & Data Security Policy for additional information.

Because the table lists only HTTP (TCP 80) for Océ Express WebTools on these systems, the role passwords entered in the browser cross the network unencrypted. Restrict network access to the controller to the segment the administrators work from.

Security Patches

Install the Océ Remote patch
You can install the Océ Remote patches (security patches) on the following systems:
• Océ ColorWave 650
• Océ ColorWave 550
Download the security patch from the Océ website at http://global.oce.com: open the product page and go to the Downloads/Security page to find the available security patches.

1. Open Océ Express WebTools.
2. Open the 'Support' tab.
3. Select 'Update'. The Authentication window opens.
4. Log in as the System administrator or Power user. The latest patch successfully applied (if any) is displayed. Note this version so that you can confirm afterwards that the new patch has been applied.
5. Click the 'Update' icon (top right corner) to open the wizard.
6. Click OK.
7. Browse to the Océ Remote patch and click OK to install it.
8. Click OK to confirm the update.

Protocol protection

Network protocols protection
On the Océ ColorWave 600 (Poster Printer), Océ ColorWave 650 (Poster Printer) and Océ ColorWave 550 systems you can completely disable some network protocols, which removes their listening ports from the attack surface.

List of network protocols

Protocol | Protection available
FTP | Yes. Can be disabled*
SNMP | Yes. Can be disabled*
LPD | Yes. Can be disabled*
Backchannel | No, always enabled (Océ proprietary protocol)
HTTP | No, always enabled
ICMP | No, always enabled
DNS | No, always enabled

* To disable a network protocol, go to the Configuration / Connectivity section of Océ Express WebTools and uncheck the protocol. Disabling FTP also removes FTP printing and the Océ Service Logic FTP connection, and disabling LPD removes LPR printing for every driver listed in the ports table, so check first which applications your users rely on.
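The ports tables and the protocol list together define exactly which TCP ports a ColorWave 550/600/650 controller should answer on, and which of them go away when FTP, SNMP or LPD is unchecked. The script below is an added example, not part of the Océ documentation or firmware: it encodes that documented set, runs a plain TCP connect scan against the controller, and reports ports that answer although they are undocumented, ports that still answer although their protocol was disabled, and documented ports that do not answer. The controller address 192.0.2.10, the extra probe list and the protocol-to-port mapping for FTP and LPD are this example's assumptions; UDP 161 and UDP 515 cannot be verified by a TCP connect, so they are reported as 'not checked' rather than guessed.

```python
"""Audit a ColorWave 550/600/650 controller's TCP ports against the documented
port table. Added example; not part of the Océ documentation or firmware."""
import socket
from dataclasses import dataclass, field

# Listening TCP ports taken from the ports/protocols tables.
# Value: (service, can the admin switch it off in Configuration / Connectivity?)
DOCUMENTED_TCP = {
    21:    ("FTP control: FTP printing, Océ Service Logic", True),
    4242:  ("FTP passive-mode data channel", True),
    80:    ("HTTP: Express WebTools, Publisher, accounting, Smart Inbox", False),
    515:   ("LPR/LPD printing", True),
    65200: ("Océ back-channel (proprietary, IPv4 only)", False),
}
# UDP services from the table; a TCP connect scan cannot verify these.
DOCUMENTED_UDP = {161: "SNMP", 515: "Océ Printer Discovery"}

# Ports that disappear when the named protocol is unchecked (assumption:
# derived from the ports table, not stated by Océ as an explicit mapping).
PROTOCOL_PORTS = {"FTP": {21, 4242}, "LPD": {515}}

# Extra ports worth probing that should never answer on a printer controller.
# This list is this example's choice, not from the documentation.
EXTRA_PROBES = {22, 23, 25, 139, 443, 445, 631, 8080, 9100}


def ports_for_disabled(protocols):
    """Translate protocol names unchecked in Express WebTools into TCP ports."""
    ports = set()
    for name in protocols:
        ports |= PROTOCOL_PORTS[name]
    return frozenset(ports)


def tcp_connect_scan(host, ports, timeout=1.0):
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    open_ports = set()
    for port in sorted(ports):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


@dataclass
class AuditResult:
    unexpected: set            # answering, but not in the documented table
    disabled_still_open: set   # protocol unchecked in WebTools, port still answers
    closed_expected: set       # documented and enabled, but not answering
    not_checked: dict = field(default_factory=lambda: dict(DOCUMENTED_UDP))


def audit(open_tcp, disabled_ports=frozenset()):
    """Compare observed open TCP ports with the documented table."""
    documented = set(DOCUMENTED_TCP)
    return AuditResult(
        unexpected=set(open_tcp) - documented,
        disabled_still_open=set(open_tcp) & set(disabled_ports),
        closed_expected=(documented - set(disabled_ports)) - set(open_tcp),
    )


def report(result):
    """Human-readable findings, returned as lines so callers can log or assert on them."""
    lines = []
    for port in sorted(result.unexpected):
        lines.append(f"UNEXPECTED    TCP {port}: not in the documented table")
    for port in sorted(result.disabled_still_open):
        lines.append(f"STILL OPEN    TCP {port}: {DOCUMENTED_TCP[port][0]} (protocol was disabled)")
    for port in sorted(result.closed_expected):
        lines.append(f"NOT ANSWERING TCP {port}: {DOCUMENTED_TCP[port][0]}")
    for port, name in sorted(result.not_checked.items()):
        lines.append(f"NOT CHECKED   UDP {port}: {name} (needs a UDP/SNMP probe)")
    return lines


if __name__ == "__main__":
    host = "192.0.2.10"                            # assumed controller address
    disabled = ports_for_disabled({"FTP", "LPD"})  # what the admin unchecked
    observed = tcp_connect_scan(host, set(DOCUMENTED_TCP) | EXTRA_PROBES)
    print("\n".join(report(audit(observed, disabled))) or "controller matches the table")
```

Run it once before and once after unchecking the protocols in Configuration / Connectivity; the 'STILL OPEN' lines should disappear and nothing should ever appear under 'UNEXPECTED'. The connect scan only probes the listed ports; for a full sweep use nmap and feed its open-port list into audit().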

Operating system and software protection

Operating System and software protection

Linux OS and software protection
On the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) and Océ ColorWave 550, the Linux operating system and the associated software are stored on read-only partitions, which guarantees the integrity of the operating system and software at each reboot. At power on, the original Linux system software is loaded. This original system software cannot be modified, except through the Océ update procedures. An exploit of a security vulnerability can therefore only affect temporary files, and a reboot brings the system back to its original, genuine state. Note that this protects integrity across reboots only: until the system is rebooted, a process compromised at run time keeps the access it gained, and the job data held in temporary files is not covered by the read-only partitions.

Windows Embedded Standard 2009 OS and software protection
An additional operating system, Windows Embedded Standard 2009, is used for scanning on the Océ ColorWave 650 and Océ ColorWave 550. It sits behind the Linux operating system, so it is not accessible from the network.

Roles and Passwords

Roles and profiles in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550

Roles description
Four different roles exist in the product. Each of them can configure or modify some system settings. The roles are:
• Key operator: can manage the jobs and the device settings
• System administrator: can manage the configuration settings, such as the network settings
• Power user: has both the rights of the Key operator and of the System administrator
• Océ service: used exclusively by the Océ Service Technician

Passwords policy and behaviour in the Océ ColorWave 600 (Poster Printer) / Océ ColorWave 650 (Poster Printer) / Océ ColorWave 550

There are 2 groups of passwords:
• the passwords used in Océ Express WebTools
• the passwords used on the Printer Operator Panel

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect the roles.

Password modification table for Océ ColorWave 600, Océ ColorWave 650 and Océ ColorWave 550

Password for | Can be changed by
Key operator | Key operator or Power user
System administrator | System administrator or Power user
Power user | Power user
Any ScanToFile remote user name (Océ ColorWave 550 / 650 only) | Key operator or System administrator or Power user

Password policy
• 256 characters maximum
• any digit [0-9]
• any lowercase or uppercase letter [a-z][A-Z]
• the following special characters:
  _ - ~ ! @ # $ % ^ * ? { } ( ) = + , . ; : [ ] / | \
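The allowed character set above is easy to get wrong in a script, because several of its characters (`-`, `]`, `^`, `\`) change meaning inside a regular-expression character class. The following Python is an added example, not part of the Océ documentation: it checks a candidate password against the stated policy both with a set comparison and with an equivalent regular expression built through re.escape(), and it generates a random password from exactly that alphabet with the secrets module, so that role passwords set in Océ Express WebTools are both compliant and unpredictable. The policy states no minimum length; the 16-character default and the sample candidates are this example's choices.

```python
"""Check and generate Océ Express WebTools role passwords against the stated
policy. Added example; not part of the Océ documentation."""
import re
import secrets
import string

# The special characters listed in the policy, verbatim.
SPECIALS = "_-~!@#$%^*?{}()=+,.;:[]/|\\"
ALPHABET = string.ascii_letters + string.digits + SPECIALS
ALLOWED = frozenset(ALPHABET)
MAX_LEN = 256

# Equivalent regular expression. re.escape() backslash-escapes '-', ']', '^'
# and '\', which would otherwise alter the meaning of the character class.
POLICY_RE = re.compile("^[" + re.escape(ALPHABET) + "]{1," + str(MAX_LEN) + "}$")


def check_password(pw):
    """Return (ok, reason); ok is True when pw satisfies the policy."""
    if pw == "":
        return False, "empty"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    bad = sorted(set(pw) - ALLOWED)
    if bad:
        return False, "disallowed characters: " + " ".join(repr(c) for c in bad)
    return True, "ok"


def matches_policy_re(pw):
    """Same decision as check_password, taken via the regular expression."""
    return POLICY_RE.fullmatch(pw) is not None


def generate_password(length=16):
    """Password drawn uniformly from the policy alphabet with the OS CSPRNG.
    The policy sets no minimum length; 16 is this example's default."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError(f"length must be between 1 and {MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed candidates: one compliant, one with a space, one with a
    # non-ASCII letter, one too long.
    for candidate in ("Plot-Wave_2012!", "has a space", "caf\u00e9", "a" * 300):
        print(repr(candidate)[:24], check_password(candidate))
    print("suggested:", generate_password(20))
```

Space, quotes, `&`, `<`, `>` and accented letters are not in the list and are rejected; a password that the browser accepts but the controller rejects usually contains one of those.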

Password used on the Océ Printer Operator Panel (local user interface)
On the Printer Operator Panel, the System administrator or Power user can redefine the 'Password to change Network Settings'.


Password backup/restore policy with the 'Save Set'/'Open Set' features
The 'Password to change network settings' is stored encrypted in the backup set made with the 'Save Set' feature of Océ Express WebTools. The role passwords are not stored in the backup set.

Note:
- When a password is configured as 'No password', the value 'Auto' (meaning 'No password') is stored in the backup file. It is not encrypted, so the backup file reveals which passwords are unset.
- The passwords are stored in the backup file whatever the login used when making the 'Save Set' operation (System administrator, Key operator, or Power user).
- The passwords are restored only when the System administrator or the Power user performs the 'Open Set' operation.
- When a password has been stored with the 'Auto' value, it is restored with the 'No password' value.

Password backup/restore policy with the 'Export templates'/'Import templates' features
During the 'Export templates' operation, the passwords of all ScanToFile remote user names are stored encrypted in the file 'remotedestinationTemplates.xml' (included in the file 'exportTemplates.zip'). The 'Import templates' operation restores the passwords. Treat both the backup set and 'exportTemplates.zip' as credential material: importing them into a controller restores working Scan-to-File credentials.


Data Security

E-Shredding on Océ ColorWave 600 and Océ ColorWave 650 (PP) and Océ ColorWave 550

E-shredding presentation
The e-shredding feature is a security feature that overwrites any user print data (Océ ColorWave 600 / 650 PP) and any user print/copy/scan data (Océ ColorWave 650 / 550) when it is deleted from the system. This prevents the recovery of deleted user data (file content and attributes). A deleted job is a job that can no longer be retrieved from any user interface.
The e-shredding functionality is available on:
- Océ ColorWave 600 R1.5 and higher
- Océ ColorWave 650
- Océ ColorWave 650 Poster Printer
- Océ ColorWave 550

When is a job deleted?
A job is deleted:
• when it is manually deleted from a Smart Inbox
• after it was successfully printed and was not saved in a Smart Inbox (the 'Keep completed jobs in the Smart Inbox' system setting is disabled in Océ Express WebTools)
• after a 'ScanToFile to remote destination' has been successfully performed
• when it is automatically deleted after a timeout, i.e. when the end of the job lifetime in the Smart Inbox is reached ('Keep completed jobs in the Smart Inbox' is enabled, with 'Expiration time-out for Smart Inbox' set in the job management settings of Océ Express WebTools)
• when a 'Clear system - Remove all jobs' is performed on the printer local interface

E-shredding algorithms
Select one of the three e-shredding behaviours:
• DoD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
• Gutmann: 35-pass overwriting algorithm with random data
• Custom: set the number of passes, from 1 to 35

Note:
The e-shredding feature has been designed to minimise its impact on overall system performance. However, the more passes you select, the greater the impact on general performance. Keep the number of passes low when document production throughput matters.
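To make the three choices concrete, the following Python is an added example, not the Océ firmware's implementation: it applies the same kind of multi-pass overwrite to an ordinary file. The 'dod' schedule follows the DoD 5220.22-M idea (a fixed byte, its complement, then random data, with a read-back check of the final pass); 'gutmann' is 35 random passes, as the page describes it, although Gutmann's original method prescribes specific bit patterns for most of those passes; 'custom' takes 1 to 35 passes. After the passes the file is truncated, renamed to a random name and unlinked, so that the name and length attributes are destroyed as well as the content. The sample job file and its content are constructed for the example. The caveat behind the performance note applies to any such tool: overwriting in place only destroys the data if the storage writes back to the same physical blocks, which journaling filesystems and SSD wear levelling do not guarantee.

```python
"""Multi-pass file overwrite in the style of the e-shredding schedules.
Added example; not the Océ firmware's implementation."""
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB write buffer


def passes_for(scheme, custom_passes=None):
    """Overwrite schedule: a byte value means a fixed pattern, None means random data."""
    if scheme == "dod":
        return [0x00, 0xFF, None]      # pattern, complement, random (DoD 5220.22-M style)
    if scheme == "gutmann":
        return [None] * 35             # 35 random passes, as the page describes it
    if scheme == "custom":
        if custom_passes is None or not 1 <= custom_passes <= 35:
            raise ValueError("custom number of passes must be between 1 and 35")
        return [None] * custom_passes
    raise ValueError(f"unknown scheme {scheme!r}")


def _overwrite_pass(fd, size, pattern):
    """Write one full pass over the first `size` bytes; return a digest of what was written."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        buf = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
        view = memoryview(buf)
        while view:                            # os.write may write less than asked
            view = view[os.write(fd, view):]
        digest.update(buf)
        remaining -= n
    os.fsync(fd)                               # flush this pass before the next one
    return digest.digest()


def _readback_digest(fd, size):
    """Digest of the first `size` bytes as the file reads back now."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    remaining = size
    while remaining > 0:
        data = os.read(fd, min(CHUNK, remaining))
        if not data:
            break
        digest.update(data)
        remaining -= len(data)
    return digest.digest()


def shred_file(path, scheme="dod", custom_passes=None, unlink=True):
    """Overwrite `path` per `scheme`, verify the final pass, then (by default)
    truncate, rename to a random name and unlink. Returns (passes, bytes_written)."""
    patterns = passes_for(scheme, custom_passes)
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for pattern in patterns:
            digest = _overwrite_pass(fd, size, pattern)
        if hasattr(os, "posix_fadvise"):       # best effort: re-read from the device, not the cache
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        if _readback_digest(fd, size) != digest:
            raise IOError("verification of the final pass failed")
        if unlink:
            os.ftruncate(fd, 0)                # the size attribute goes too
    finally:
        os.close(fd)
    if unlink:
        anonymous = os.path.join(os.path.dirname(path), secrets.token_hex(8))
        os.rename(path, anonymous)             # and the original name
        os.unlink(anonymous)
    return len(patterns), len(patterns) * size


def make_sample_file(content=b"CONFIDENTIAL DRAWING " * 5000):
    """Constructed sample job file in a fresh temporary directory; returns (path, content)."""
    directory = tempfile.mkdtemp(prefix="eshred-")
    path = os.path.join(directory, "job.pdf")
    with open(path, "wb") as f:
        f.write(content)
    return path, content


def read_back(path):
    """Current bytes of `path`, or None once it no longer exists."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    sample, original = make_sample_file()
    print("DoD 3-pass:", shred_file(sample, "dod", unlink=False))
    print("original text gone:", original[:12] not in read_back(sample))
    print("custom 2-pass + unlink:", shred_file(sample, "custom", custom_passes=2), read_back(sample))
```

The read-back check is what makes a pass count as done rather than merely issued; on the printer the equivalent is the 'E-shredding busy' / 'E-shredding ready' status described below, which is why the procedure that follows tells you to wait for it before shutting the system down.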

Enable the e-shredding in Océ Express WebTools
You must be logged in as System administrator or Power user.
Recommendation: in Océ Express WebTools ('Preferences'), before enabling e-shredding make sure you:
- disable 'Keep completed jobs in the Smart Inbox' in the Job management settings, so that all print jobs are automatically deleted after successful printing;
- disable 'Save received jobdata for service' in the 'In case of errors' settings, so that no copy of received job data is kept for service purposes.

1. Open a web browser and enter the system URL http://<hostname> to open Océ Express WebTools.
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section.
3. Click Edit.
4. Check 'E-shredding' to enable the feature.
5. Select the algorithm. When you select 'Custom', you must set the number of passes: on Océ ColorWave 650 (PP) / 550, click the value of 'E-shredding custom number of passes' to set the number of passes.

[9] Figure: Set the number of passes for Océ ColorWave 650

When the e-shredding feature is enabled, a new icon is added to the list of icons (bottom right) in the Océ Express WebTools window.

Each time data (file content or attributes) is deleted from the system, the e-shredding process runs. While it runs, the e-shredding feedback reports 'busy': in the Océ Express WebTools window, hover the mouse over the e-shredding icon to display the 'E-shredding busy' status. Once the e-shredding process is complete, the status returns to 'E-shredding ready' (hover over the icon).

E-shredding process and system behaviour


When you enable the e-shredding
When you enable e-shredding, the system starts the e-shredding process for all scan/copy/print jobs that are deleted from then on. The e-shredding process runs as a background task. All processed jobs are e-shredded after they are deleted:
- after a manual deletion from the Smart Inbox
- after an automatic deletion of print or scan jobs by the system (timeout, disabled Smart Inbox, cleanup)
Data deleted before the feature was enabled was not overwritten and is not shredded retroactively.

When you disable the e-shredding
When you disable e-shredding, the system:
• terminates the e-shredding process for files that are currently being e-shredded
• does not e-shred newly deleted files

Make sure a file is completely e-shredded (e-shredding enabled)
Perform the following actions to make sure a file is e-shredded:
1. Check that the 'Save received jobdata for service' setting is 'off' (in Océ Express WebTools / Preferences / System properties / In case of errors).
2. Send the print file, make a copy or make a scan.
3. Once the job has been printed/copied/scanned, make sure it has been deleted from the Smart Inbox (in Océ Express WebTools / Jobs).
4. Shut down the system (e-shredding completes the system clean-up before the shutdown).




© 2012 Océ. Illustrations and specifications do not necessarily apply to products and services offered in each local market. Technical specifications are subject to change without prior notice. Trademarks mentioned in this document are the property of their respective owners.

GB2012-07