Configuring HP for YSoft SafeQ Embedded Terminal
Note: YSoft SafeQ Embedded Terminal has to be reinstalled after any change of MFD configuration (e.g. changing the UI default language, adding a new application to the home screen, etc.).
Configuration of MFD
Secure HTTPS communication
HTTPS communication with HP MFDs does not work by default in YSoft SafeQ. Terminal Server uses a pre-installed certificate distributed with YSoft SafeQ, and this pre-generated certificate cannot fulfill all of the conditions that a security certificate must meet. The conditions are:
The subject has a valid name matching the name of the page to be viewed, in this case the IP address of the machine with Terminal Server installed.
The date is valid; the certificate has not expired.
It is issued by a trusted certification authority.
In order to enable secure communication between HP MFDs and YSoft SafeQ, proper security certificates must exist and YSoft SafeQ must be configured according to the Selecting certificate of Terminal Server guide.
In case you have problems with SSL/TLS communication, it can be switched off entirely. This is, however, not recommended in a production environment.
To switch off SSL/TLS, change the YSoft SafeQ configuration property dsSslEnabled to false.
Note: YSoft SafeQ Embedded Terminal has to be reinstalled after this change.
Note: Other YSoft SafeQ Embedded Terminals may stop working properly.
1. Matching the name
The HP MFD checks whether the IP address of the server it is connecting to matches the IP address written in the server's certificate. To achieve this match, you have to create a certificate for each of the Terminal Servers in your environment, each with the correct IP address in its Common Name field (described below).
2. Certificate validity
HP MFDs also check that the certificate is within its validity period. The expiration date is set by the signer of the certificate, so for a self-signed certificate or a certificate signed by your own Certification Authority, it is up to you how long it will be valid. If you want certificates signed by a trusted third-party CA, the CA sets this value according to its policy.
3. Trusted certification authority
The certificate must be signed by a Certification Authority trusted by the MFD.
Generating key/certificate in the proper format
In case you do not have your certificates yet, the following steps will guide you through generating a certificate that satisfies all of the properties mentioned above, using the OpenSSL tool (binaries can be obtained e.g. from http://slproweb.com/products/Win32OpenSSL.html; both the full and the light version will work) and keytool (provided with any standard Java distribution in <JAVA_HOME>/bin).
It is expected that the folders containing openssl.exe and keytool.exe are listed in the PATH environment variable (e.g. C:\OpenSSL-Win32\bin or <SAFEQ_HOME>/Management/java/bin). Otherwise, it is necessary to specify the full path to openssl.exe (or keytool.exe respectively) to run the following commands.
Some of the commands need the path to the file containing configuration options (openssl.cfg or openssl.cnf). An example file is distributed together with the binaries. You can either add this path to each such command in the -config argument, or set the following system variable:
OPENSSL_CONF = c:\OpenSSL-Win32\bin\openssl.cfg (path has to lead to the folder where OpenSSL was installed)
Generate keys and a Certificate Signing Request to be sent to the requested Certification Authority:
openssl req -new -newkey rsa:2048 -sha256 -keyout server.key -out server.csr
Choose a password to protect your new key and answer all the questions about your organization, especially the required Common Name field, which should be the IP address of the machine running Terminal Server.
Do not fill the optional 'extra' attributes.
a) Send the request to the Certification Authority. You will receive your signed certificate (server.crt), along with the certificate of this CA, most probably concatenated in one file.
b) Or sign it using your own CA. In case you do not have a CA yet, you can create one using the following keytool command:
keytool -genkeypair -keyalg RSA -keysize 4096 -sigalg SHA256WithRSA -alias root -keystore ca.jks -validity 3650 -ext BC=ca:true,pathlen:1
Enter a password for key protection and answer the questions about your organization when you are prompted for them.
Export the public certificate of your Root CA from the ca.jks keystore to the ca.crt file:
keytool -exportcert -rfc -keystore ca.jks -alias root -file ca.crt
Now you can sign your Certificate Signing Request:
keytool -gencert -rfc -keystore ca.jks -alias root -storepass CAprotectingpassword -validity 365 -sigalg SHA256WithRSA -outfile server.crt -infile server.csr -ext BC=ca:false
Join your generated private key with the obtained certificates into one Personal Information Exchange (.pfx or .p12) file:
openssl pkcs12 -export -in server.crt -inkey server.key -out serverCert.pfx -chain -CAfile ca.crt -caname root
If you want to configure your Terminal Servers to use certificates stored in the filesystem (and not in the Windows Certificate Store), you must not protect this file with a password (leave the "Export Password" field empty). However, it is highly recommended to use the Windows Certificate Store instead.
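A check of server.crt against the three conditions above (name, validity, trusted CA) before the certificate is installed on a Terminal Server. This is an added example, not part of the YSoft SafeQ documentation: check_cert and make_samples are hypothetical helper names, the sample CA and the address 10.0.0.5 are constructed, and the script assumes a POSIX shell (the openssl commands inside are the same on Windows).

```shell
#!/bin/sh
# Added example. check_cert and make_samples are hypothetical helper names.

# check_cert <server.crt> <ca.crt> <terminal-server-ip>
# Prints one line per condition and returns 0 only when all three hold.
check_cert() {
    crt=$1; ca=$2; ip=$3; rc=0

    # 1. The Common Name must equal the Terminal Server IP address.
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" = "$ip" ]; then echo "name: ok ($cn)"
    else echo "name: FAIL (CN=$cn, expected $ip)"; rc=1; fi

    # 2. The certificate must not be expired (-checkend 0 tests "right now").
    if openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "validity: ok ($(openssl x509 -in "$crt" -noout -enddate))"
    else echo "validity: FAIL (expired)"; rc=1; fi

    # 3. The certificate must chain to the CA the MFD will be given.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "issuer: ok"
    else echo "issuer: FAIL (not issued by $ca)"; rc=1; fi
    return $rc
}

# Constructed sample data: a throwaway CA, a certificate it signs for
# 10.0.0.5, and a self-signed certificate for the same address.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=10.0.0.5" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=10.0.0.5" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_cert "$tmp/server.crt" "$tmp/ca.crt" 10.0.0.5
check_cert "$tmp/self.crt" "$tmp/ca.crt" 10.0.0.5 || echo "rejected as expected"
rm -rf "$tmp"
```

The openssl verify step also rejects a certificate whose validity period has not started yet, which -checkend does not test.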
Terminal Server and MFD configuration
Configure all the Terminal Servers in your environment to use the appropriate certificate, following the guide in chapter Selecting certificate of Terminal Server.
The Certification Authority must be known to the MFD. In order to upload it to the HP MFD, just reinstall the YSoft SafeQ Embedded Terminal on this device after you correctly configure certificates on all your Terminal Servers.
The certification authority is uploaded to the MFD during YSoft SafeQ Embedded Terminal installation.
Note: When the server certificate is in the Windows store, the certification authority must be placed in the Trusted Root Certification Authorities or the Intermediate Certification Authorities.
Note: When the server certificate is in the filesystem, the certification authority must be included.
You can check the Certification Authorities trusted by your MFD in the MFD's administration web page in the tab Security -> Certificate Management.

Time Configuration
Time settings have to be configured for proper accounting of jobs and assignment of billing codes to these jobs.
Go to Web Administration > General > Date and Time, and configure Device time Settings and Time Zone Settings to match the configuration of the server where Terminal Server is running.
Next, there are two options, based on the availability of an NTS (time) server in your network. Change NTS Settings accordingly.

Inactivity Timeout
To configure timeout after which the user is logged out due to inactivity, from Home screen go to Web Administration > General > Control Panel Administration menu > Display Settings > Inactivity Timeout and set up the timeout as required. The value is in seconds.
NOTE: The timeout set in YSoft SafeQ web administration is applied only to screens of the YSoft SafeQ Terminal Application. For more information see Adding and configuring users.

USB Print
Print from USB drive needs to be enabled in the device's Web Administration. To do that, go to Copy/Print -> Retrieve from USB setup -> Enable Retrieve from USB and click Apply.

To add "Retrieve from USB" application to home screen, in device's Web Administration go to General -> Control Panel Customization and drag and drop the application icon from the Available Applications into the Home Screen.

Cancel print jobs after unattended error
To configure Cancel print jobs after unattended error after inactivity timeout, from Home screen go to Web Administration > Security > Printing and check a checkbox.

Position of the YSoft SafeQ application on the home screen
When the YSoft SafeQ Embedded Terminal is installed for the first time, the YSoft SafeQ application is always in the 1st position on the home screen.
To change the position of the application, go to the Web Administration. In the tab General -> menu item Control Panel Customization, drag and drop the items to reorder them.
NOTE: It is possible to disable some of the native applications. To ensure that the position of the YSoft SafeQ application won't change after the Embedded Terminal reinstallation, do not place any disabled applications in positions before the position of the YSoft SafeQ application.
Configuration of YSoft SafeQ
Scan with different paper format and orientation
By default, all documents are scanned in A4 format and portrait orientation. To allow a user to scan in a different paper format and orientation, user parameters must be set; see Managing scan workflows.
To change the page orientation to landscape, set the user parameter named 'Landscape'.
To change the paper format, select the format that matches your needs from the list: A3, A4, A5, B4, B5, B6, BusinessCard, Exec, Inch8Point5x13, Inch12x18, JB4, JB5, JB6, K8, K16, Ledger, Legal, Letter, PK8, PK16, Statement
