21
Sat, Dec
3 New Articles

Your Journey to Secure IPP Printing

Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Your journey to secure IPP printing begins with a digital certificate. Mine, on the other hand, began with a phone call. For almost nine years, I've worked as a printing specialist in the iSeries Support Center, and I've loved every minute of it. Educated to be an English teacher, I wound up at IBM supporting printers. And when a customer calls, the teacher in me kicks in. Guiding my students through to a resolution, I try to educate them along the way, often asking questions to make sure they follow the logic of what we are doing. In this way, we reach the solution to the problem together, and they go away better able to help themselves next time. The only part of my job that I dislike is saying "no." Whenever a customer runs up against a wall, I try to find a solution or alternate resolution to get them going. Usually, we can come up with something, but when I have to tell the customer something is impossible, I feel like I've failed.

Now, I have said "no" to secure printing for the last time. I met my match when I got a phone call from Gary Barnett at Arkansas Data Services (ADS).

ADS had recently purchased an IBM 1532 and wanted to print via Internet Printing Protocol (IPP). ADS has an ASP offering for its DOCS/400 medical practice management application. ADS customers use their personal computers and printers at their clinics, but they access the DOCS/400 application on the iSeries located at the ADS office. When ADS wanted to move its application to browser-based from green-screen, there was a need for secure remote printing. The HIPAA medical industry standards dictate that all data transmissions be encrypted because of confidential patient data. With the green-screen mode, secure printing can be accomplished with the SSL support in iSeries Access, but when ADS wanted to move to browser screens, they needed another simple way to send secure AS/400 print to the users' remote LAN printers, and Gary called me to find out about IPP.

In the wild world of iSeries print, IPP is its own animal. Typically, a laser printer is set up as a remote output queue or a PJL/SNMP device description. If the print job fails, a communications trace or joblog will show that it is either configured incorrectly or the printer doesn't support the desired protocol. There is almost always a way to get the printer working. But with an IPP device description, it's just not that easy. While the printer may support the initial IPP connection, it may not support the subsequent requests or the method in which the data is transmitted. But Gary was determined to get encrypted IPP working. In the end, I believe we did much more than get encrypted print data flowing to his printer. When we were done, we had transcended the defined IPP protocol and arrived at an elegant solution that can now be implemented by anyone with a need to print encrypted data and the luck to own the right printer.

The Dawn of iSeries IPP Support

When IPP was first announced at V5R1, Internet printing seemed very promising. The initial role of IPP on the iSeries was as a server, to allow clients to print to iSeries-attached printers through the Internet. Though I initially believed that many customers would call to get help implementing IPP, I was wrong. As with most products, the low call volumes could be attributed to ease of use or unpopularity. Though most likely the latter, the IPP server is easy to implement and could replace NetServer printing for many customers. (Perhaps that would be a good topic for another article.)

At V5R2, iSeries IPP support was enhanced to allow the iSeries to act as an IPP client and to print to IPP-capable printers. To do this, you need to make sure you have the latest IPP PTFs. These can be found in the Software Knowledge Base document 23383453: V5Rx PTF Listing for TCP/IP and LAN printing. After Gary said that he needed to set up an IPP printer, I made sure he had the latest PTFs applied and led him through the initial configuration, which failed. That didn't surprise me.

Chunking Leads to Clunking

While many customers with IPP-capable printers are able to get them to work, some fail to find a working solution. The reason for this is that many IPP-capable printers do not support IPP "chunking," even though RFC 2068: HTTP/1.1 states, "All HTTP/1.1 applications must be able to receive and decode the 'chunked' transfer-coding, and must ignore chunk-extension extensions they do not understand." Instead, many printers require that a byte-count of the expected data stream be sent in the initial IPP connection. This lack of chunking support may be due to the fact that most printers are made for the Microsoft Windows environment, which transforms print data completely before it is sent to the printer.

To improve speed and efficiency on the iSeries, as Host Print Transform converts a spooled file into the printer's required data stream, transformed portions are sent to the printer as they become available to the writer. Because we do not know how large the fully transformed spooled file will be, IPP servers (in this case, actual printers) that do not support chunking will fail to work on the iSeries. Usually, a printer that does not support the chunking transfer-coding will fail with the message CPD6F83 ("Could not establish Internet Print Protocol (IPP) communications with device") with a reason code of 2. This reason code means that the device didn't understand the IPP request.

If your printer does not provide chunking support, you need to contact the printer vendor and seek a firmware or microcode fix. Gary was able to get a microcode fix from IBM Boulder for his Infoprint 1532, and we were advised that the same patch could be applied to my 1552, as well as any other monochrome printer in the Infoprint 15xx series.

Once we had Gary's printer patched to enable IPP chunking, the configuration worked flawlessly, and I thought we were done. That was when he told me that he wanted to use the secure IPP connection provided by the SECURECNN parameter on the device configuration. I told him that we knew of no known printer that supported that option but that a couple of servers did: the iSeries IPP server and the UNIX Common UNIX Printing Solution (CUPS) server. My idea was that he could place a Linux server in each location and print through CUPS to his printers, but Gary didn't share my enthusiasm for that solution. It was cost-prohibitive and bulky. I agreed, but I didn't know what else to do. Here's why:

When the IPP driver was programmed, the iSeries developers chose to follow the guidelines of RFC 2910 - Internet Printing Protocol/1.1: Encoding and Transport, which describes the recommended method of secure IPP printing via an upgrade to TLS/SSL:

8.1.2 Transport Layer Security (TLS) IPP Printers should support Transport Layer Security (TLS) [RFC2246] for Server Authentication and Operation Privacy. IPP Printers may also support TLS for Client Authentication. If an IPP Printer supports TLS, it must support the TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA cipher suite as mandated by RFC 2246 [RFC2246]. All other cipher suites are optional. An IPP Printer may support Basic Authentication (described in HTTP/1.1 [RFC2617]) for Client Authentication if the channel is secure. TLS with the above mandated cipher suite can provide such a secure channel.

The iSeries IPP developers decided to follow the suggested secure upgrade method (TLS), as it seemed to be the one that the printer vendors would standardize on. In reality, we know of no printer vendors that did, and we were left with a secure connection that worked to other iSeries machines and CUPS, whose developers also chose to implement TLS, but not directly to a real printer. Traces taken to IPP-configured printers with the SECURECNN parameter set to *YES would inevitably fail with the message CPD6F84: "Could not establish secure connection with device." Up until now, each customer that had contacted me about secure IPP printing received the same answer: "It won't work."

In all honesty, if IBM's developers did choose to program to a non-standard IPP implementation—say, one favored by Hewlett-Packard or Microsoft—it could look like favoritism. And programming to a non-standard protocol means that we would have to adapt to any changes in that protocol and be subject to the whims of other programmers. It also would go against the ways we have chosen to support other printing protocols, such as LPR and PJL, where we stick to the standards and expect printer vendors to do the same.

Still, Gary was dissatisfied with my response, and he made a good point to back up his case. He pointed out that the help text for the SECURECNN parameter in the CRTDEVPRT command says, "Specifies whether a secure connection is established with the printer" and asked why the word "printer" was used if it had never actually worked to a real printer. He had us there. I contacted my developers and relayed Gary's concerns. They gave me the well-known story about lack of printer support for the recommended TLS/SSL upgrade method, which I knew already. Lucky for us, that developer shared the problem with a co-worker over lunch. That ingenious fellow suggested that, even though the IPP specification refers only to port 631, perhaps the printer manufacturers allowed secure IPP traffic over port 443, the default HTTPS port.

After hearing this, I quickly reconfigured my own printer device to use that port and address (https://9.10.11.12:443/) and traced the driver. It failed again, but this time I got a new message, CPD6F84: "Secure connection failed-6000-Certificate is not signed by a trusted certificate authority." It did not complain that the upgrade to TLS/SSL had failed, as I had bypassed that requirement. This was the first time I had seen a digital certificate error on the iSeries. I knew what they were but hadn't thought of them as having anything to do with print.

My Infoprint 1552 was IPP-capable, so I accessed the printer via its secure HTTPS URL. It prompted me to accept a digital certificate, which I did. Then, I could see the online configuration. The Links and Index>Certificate Management menu showed the available options, including Generate a New Private Key and Update The Certificate Signing Request. After talking to a digital certificate expert in our support center, I decided to download a trial certificate from Verisign and load it into the printer. Then, I exported the certificate from the printer and loaded it into the iSeries Digital Certificate Manager (DCM). The next time I sent a spooled file to the printer, it printed. That was the first successful test of secure IPP.

I decided to test out the printer's capability to generate its own self-signed certificate. After a cold reset and a reload of the microcode, I tried to export the digital certificate and load it into the iSeries. The process worked, but the printer writer failed because the shipped digital certificate had expired in 1972. I set the correct date and time on the printer and clicked Generate a New Private Key, followed by Update the Certificate Signing Request. This time, the certificate I imported into DCM worked fine, and my spooled file printed successfully. That proved that we could offer a complete solution to customers, without having to recommend third-party digital certificate providers. This is important because, although some customers may choose to purchase certificates from a third party, self-signed ones are free and equally secure.

I contacted Gary and led him though the steps to create and export a self-signed certificate into DCM and reconfigure his printer device description. It worked the first time, and Gary had a solution.

Making Secure IPP Work for You

System i customers that need to comply with regulations from HIPAA, Sarbanes-Oxley, or the Gramm-Leach-Bliley Act may find secure IPP printing to be a useful and important tool for data transmission. If you want to take advantage of secure IPP, follow these simple steps:

Make sure you are at V5R2 or higher and have the latest IPP PTFs applied.

Ensure that the printer you choose is IPP-capable, supports chunking, and can export its digital certificate. On my 1532 and Gary's 1352, the certificate was exported as SystemCert.pem and then FTPed in ASCII mode to the IFS. The certificate, when displayed, will resemble the following:

-----BEGIN CERTIFICATE-----
A large, incomprehensible chunk of data
A large, incomprehensible chunk of data
A large, incomprehensible chunk of data
-----END CERTIFICATE-----

Import the certificate into DCM. This will be done via the System i Tasks page located at http://systemname:2001. You will open the DCM, click on Select a Certificate Store, and choose the *SYSTEM store. If you are prompted for a password, type default. Troubleshooting information for these types of problems is on the iSeries Information Center. Once you are in the Certificate Store, find the option to Work with CA Certificates and click on the Import button. Enter the IFS location of the certificate and provide a certificate label. The successfully imported certificate will appear at the top of the list of installed certificates.

Configure your IPP device description. Set the port number to 443 and the remote location name to https://printeraddress:443/. Interestingly enough, our testing showed that the SECURECNN parameter is ignored when the well-known HTTPS port 443 is specified. Vary the device on and start the writer.

Troubleshooting

If the configuration fails, troubleshoot it. Change the User Defined Options (USRDFTOPT) parameter on the device description to *IBMDEBUG *IBMHEX and recreate the problem. This will generate a trace that shows the IPP driver messages. You should also take a concurrent communications trace and gather the joblog for complete problem diagnosis. Finally, it is worth noting that any problem with printer output cannot be diagnosed over a secure connection, because the data sent to the printer is encrypted, making it unreadable!

Kurt Schroeder works as a System i printing specialist at IBM in Rochester, Minnesota, but the views expressed in this article are his own, not necessarily those of IBM. He can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it. and would appreciate feedback on this article, which can be provided directly via email or through the forums discussion associated with this article.

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: