Administrator Guide


HP Access Control Secure Printing
5: 02/2010
Legal notices
(c) Copyright 2010 Hewlett-Packard Development Company, L.P.
Microsoft, Windows, and Windows NT are U.S. registered trademarks of Microsoft Corporation.
February 2010
Confidential computer software. Valid license from HEWLETT-PACKARD required for possession, use or copying. Consistent
with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for
Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HEWLETT-PACKARD products
and services are set forth in the express warranty statements accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty. HEWLETT-PACKARD shall not be liable for technical or editorial
errors or omissions contained herein.
Figures and Tables
Figures
Tables
1-1 HP Access Control Secure Printing
1-2 Usage scenarios
1-2-1 Secure scan to e-mail
1-2-2 Secure printing and retrieval of documents
1-2-3 Secure printing for a department recipient
1-2-4 Secure printing for a remote third party
Secure printing architecture
2-1 Overview
2-1-1 Installation notes
Install HPAC Secure Printing
3-1 Recommended installation process
3-2 The authentication hardware
3-2-1 The installation kit
3-3 Printer network settings
3-4 Installation on printers and MFPs
3-4-1 Connect the reader to the printer/MFP
3-4-1-1 CM8050 Color MFP and CM8060 Color MFP devices
3-4-1-2 Color LaserJet 4730MFP and Color LaserJet CM4730MFP devices
3-4-1-3 Other devices
Install the HPAC Secure Printing Server
4-1 Installation on a non-cluster server
4-1-1 Create pull printer queues on non-cluster servers
4-2 Installation on a cluster server
4-2-1 Cluster environment
4-2-2 Cluster requirements
4-2-3 Recommendation
4-2-4 Cluster environment
4-2-4-1 Create a cluster printer
4-2-4-2 Create a pull printer queue in a cluster environment
4-2-5 Install and configure the HPAC Print Server in a cluster environment
4-2-6 Install the Quota Notification tool
4-2-6-1 Prerequisites
4-2-6-2 Installation procedure
4-2-7 HPAC Print Server upgrade for a cluster environment
4-3 Printer pull printing ports pooling
4-3-1 Configure the printer pull printing ports pooling
4-4 Configure job retention
4-5 Remote job storage
4-5-1 Prerequisites
4-5-2 Share the print job directory
4-5-3 Create the Authenticated Users group
4-5-4 Configure remote job storage
4-5-5 Quota notification
4-5-5-1 Advanced options
4-5-6 Print job purge
Install the HPAC Admin Software on a print server
5-1 Installation prerequisites
5-2 HPAC Admin Software installation
5-2-1 Save the configuration
Configure HP Access Control
6-1 The HPAC Admin Software interface
6-1-1 Navigate the interface
6-2 Firmware viewer
6-3 License management
6-4 License information summary
6-4-1 Upload license files
6-4-2 Delete license files
6-4-3 Remove all license files
6-4-4 View a summary of each license file
6-5 Printer management
6-5-1 All printers list
6-5-1-1 Printers information summary
6-5-2 All printers list actions
6-5-2-1 Add a printer to the list
6-5-2-2 Move a printer from one group to another
6-5-2-3 Delete one or more printers
6-5-2-4 Ungrouped printer list – View a summary
6-5-3 Ungrouped printers list actions
6-5-4 All groups list – View a summary for printer groups
6-5-4-1 Printer groups information summary
6-5-5 All groups list actions
6-5-5-1 Create a new printer group
6-5-5-2 Delete a printer group
6-5-5-3 Synchronize the printers with the configuration
6-6 Manage printer group details and configuration
6-6-1 Group details actions
6-6-1-1 Link printers to this group
6-6-1-2 Rename the group
6-6-1-3 Change the group language
6-6-1-4 Remove printers from the group
6-6-1-5 Synchronize the printers with the configuration
6-7 Configure printer groups
6-7-1 View detailed information about a configuration
6-7-2 Configure group parameters
6-7-2-1 The Authentication configuration tab
6-7-3 Secure Print parameters
6-7-4 Billing parameters
6-8 List management
6-8-1 ID lists
6-8-2 View a summary of ID lists
6-8-3 Local ID list actions
6-8-3-1 Create a new ID list
6-8-3-2 Delete an ID list
6-8-3-3 View the details for an ID list entry
6-8-4 Local ID list entry actions
6-8-4-1 Add entries to an ID list
6-8-4-2 Add ID list entries from CSV files
6-8-4-3 Edit the ID list entries
6-8-4-4 Delete ID list entries
6-8-4-5 Rename an ID list
6-8-4-6 Export ID lists in CSV format
6-8-4-7 Notify users
6-8-4-8 Autogenerate PIN list – Import from LDAP
6-9 LDAP list – Generate & Notify
6-9-1 SMTP settings
6-9-2 PIN List Autogeneration parameters
6-9-2-1 LDAP settings
6-10 Billing lists
6-10-1 Billing lists structure
6-10-2 View a summary of billing lists
6-10-3 Billing list actions
6-10-3-1 Create a new billing list
6-10-3-2 Delete a billing list
6-10-3-3 View the details for a billing list
6-10-4 Billing list details actions
6-10-4-1 Add details to a billing list
6-10-4-2 Import billing list codes from a CSV file
6-10-4-3 Delete billing list codes
6-10-4-4 Rename a billing list
6-11 LDAP profiles
6-12 View a summary for the LDAP profiles
6-12-1 LDAP profile actions
6-12-1-1 Create a new LDAP profile
6-12-1-2 Delete an LDAP profile
6-12-1-3 View the details for an LDAP profile
6-12-1-4 Edit the details for an LDAP profile
6-13 HPAC Print Server management list
6-13-1 View a summary of information
6-13-2 HPAC server management list actions
6-13-2-1 Create a new server
6-13-2-2 Delete a server
6-13-2-3 View the details for a server
6-13-2-4 Edit the details for a server
6-14 Smart Card profile
6-14-1 Smart Card authentication
6-14-2 Smart Card profile actions
6-14-2-1 Create a new Smart Card profile
6-14-2-2 Delete a Smart Card profile
6-15 HPAC corporate keys
6-15-1 View a summary of information
6-15-2 Corporate key list actions
6-15-2-1 Create a new HPAC corporate key
6-15-2-2 Delete an HPAC corporate key
6-15-2-3 View an HPAC corporate key
Direct live LDAP authentication
7-1 Introduction
7-2 Direct live authentication with AD/LDAP databases
7-3 Configuration
7-3-1 Configure alternate authentication for MFPs
7-4 LDAP profiles failover
Configure indirect live LDAP authentication
8-1 Introduction
8-2 Indirect live authentication with AD/LDAP databases
8-2-1 Support for multiple databases
8-2-2 Failover capability
8-2-3 Support for multiple user logins (the alias system)
8-3 Basic configuration sequence
8-3-1 Configure the authentication gateway
8-3-2 The Directory servers management tab
8-3-3 Create a profile
8-3-4 Configure the authentication settings
8-3-4-1 The Enrollment ID field name
8-3-5 Save the configuration
8-4 Process graphical description dialog box
8-4-1 View the chain of profiles
8-5 Get domain information
8-5-1 Configure the Domain field name
8-5-2 Customize domain field names in HPAC Print Server
8-5-3 Set the Domain field name to a constant value
User enrollment
9-1 Enrollment prerequisites
9-2 Define the enrollment mode
9-2-1 Enrollment
9-2-2 Enrollment with roaming
9-2-3 Enrollment to Active Directory
9-3 Manage enrolled users
9-3-1 Prerequisites
9-3-2 Browse the list of users
9-3-3 Select users
9-3-4 Edit a user
9-3-5 Delete users
10 Install the driver plug-in for Windows
10-1 Installation procedure
10-2 Deployment to a fleet of PCs
10-3 Deactivate the HPAC Secure Printing Driver Plug-In
10-4 Connect to a printer secured on the print server
10-5 Secure an MS-Windows printer port on a local PC
10-5-1 Section A – Define a queue
10-5-2 Section B – Secure the printer
10-6 Deactivate HPAC Secure Print on a printer
10-7 Uninstall the Windows driver plug-in
10-8 Windows clients with Netware print server
10-8-1 Installation – Print server
10-8-2 Installation – Client
10-8-3 Secure Printing through Novell Print Servers
10-9 Printing from UNIX through a Windows print server
10-10 Configure the secure print job parameters
10-11 Send a secure print job to the printer
10-12 Print for yourself under Windows
10-13 Send a document to other users under Windows
10-14 Send a document to a department under Windows
10-15 Release HPAC print jobs
10-15-1 Release the print job (multifunction printers)
10-15-2 Release the print job (single function printers)
11 Encryption schemes, corporate key
11-1 AES encryption
11-2 DES encryption
11-3 Raw Printing
12 Unencrypted secure printing for ERPs
12-1 Unencrypted secure print files format
13 Unencrypted secure printing for SAP R/3
13-1 Modify the device type
13-2 Replace the job header sequence
13-3 Replace the job trailer sequence
13-4 Activate the device type
14 HPAC Secure Printing Pull (roaming printing)
14-1-1 Prerequisites for roaming printing...................................................................................................... 96
14-1-2 Create a dedicated database login .................................................................................................... 97
14-1-3 Configuration of roaming ................................................................................................................... 97
14-1-4 Test the basic database connection .................................................................................................. 98
14-1-5 Create the tickets database ............................................................................................................... 98
14-1-6 Synchronize the roaming database ................................................................................................... 98
14-2 Job retention aliases – Single sign-on ....................................................................................................... 98
14-2-1 Configure the alias feature ................................................................................................................ 99
14-2-2 Syntax of search filters ...................................................................................................................... 99
14-2-3 Search across chained databases .................................................................................................. 100
15 Ports and communication
15-1 HPAC Secure Printing ports ..................................................................................................................... 102
16 Front panel messages and troubleshooting
16-1 HPAC Print Server logs ............................................................................................................................ 103
16-2 Information messages .............................................................................................................................. 104
16-3 Error messages ........................................................................................................................................ 104
16-3-1 Printer error messages .................................................................................................................... 104
16-3-2 MFP error messages ....................................................................................................................... 105
16-3-3 Smart Card error messages ............................................................................................................ 107
Appendix A
Supported functions per device model ............................................................................................................. 109
Appendix B
Backward compatibility ..................................................................................................................................... 111
Appendix C
Prerequisites for PCs and servers .................................................................................................................... 112
Appendix D
Prerequisites for printers and MFPs ................................................................................................................. 113
Figures and Tables
Figure 1 Direct IP printing option
Figure 2 Server-based printing option
Figure 3 Server-based printing option
Figure 4 Server-based pull printing option
Figure 5 Server-based pull printing option
Figure 6 Printer Ports
Figure 7 HP Access Control SecurePrint Server Port monitor
Figure 8 Cluster Administrator console
Figure 9 Run window with cluster name
Figure 10 Printers and Faxes
Figure 11 Printer Ports
Figure 12 Cluster Administrator – Move group
Figure 13 Cluster Administrator – Create a new resource
Figure 14 Printer ports pooling
Figure 15 Sharing Permissions
Figure 16 Permissions for Everyone
Figure 17 Add Authenticated Users
Figure 18 Full Control for Authenticated Users
Figure 19 Configure remote job storage
Figure 20 Quota Notification
Figure 21 HPAC Secure Print Admin Software
Figure 22 License Management
Figure 23 All printers list
Figure 24 Add a printer by hostname
Figure 25 Modify printer(s)
Figure 26 Users and ID list local to the printer/MFP
Figure 27 Users and ID information in AD/LDAP, direct live lookup
Figure 28 Users and ID information in AD/LDAP, indirect live lookup
Figure 29 Local ID list
Figure 30 Notify users
Figure 31 LDAP profile
Figure 32 Smart Card profile
Figure 33 Corporate Key List
Figure 34 Direct live LDAP authentication
Figure 35 Indirect live LDAP authentication
Figure 36 Directory servers management tab
Figure 37 Directory server main parameters
Figure 38 Directory server authentication parameters – Profile 1
Figure 39 Directory servers management tab – Select a profile
Figure 40 Directory server authentication parameters
Figure 41 Directory server main parameters
Figure 42 Netware print server installation
Figure 43 Netware client installation
Figure 44 Recipients settings
Figure 45 SQL Server managing console
Figure 46 Alias retrieval
Figure 47 Alias retrieval settings
Figure 48 Chained databases
Figure 49 Value to search replacement settings
Figure 50 HPAC Secure Printing logs
Table 1 HPAC Secure Printing Server configuration tool
Table 2 Advanced Quota Notification options
Table 3 License information summary
Table 4 Printers information summary
Table 5 Printer groups information summary
Table 6 Authentication parameters
Table 7 Secure Print parameters
Table 8 Billing parameters
Table 9 CSV file structure for ID lists
Table 10 ID lists summary
Table 11 ID list entry fields summary
Table 12 SMTP settings
Table 13 LDAP settings
Table 14 Billing list settings
Table 15 Billing list details
Table 16 LDAP profile settings
Table 17 LDAP profile fields
Table 18 HPAC Print server management list settings
Table 19 HPAC Print server details
Table 20 Smart Card profile settings
Table 21 HPAC corporate key list settings
Table 22 Direct live LDAP authentication data
Table 23 Indirect live LDAP authentication data
Table 24 Authentication parameters table
Table 25 Directory servers management parameters table
Table 26 Directory server main parameters table
Table 27 Directory server authentication parameters table
Table 28 Chain of profile symbols
Table 29 Enrolled user settings
Table 30 Secure printer port settings
Table 31 Secure print job parameters
Table 32 Sample unencrypted secure print file
Table 33 Directory server alias retrieval parameters
Table 34 HPAC Secure Printing ports
Table 35 Information messages
Table 36 Printer error messages
Table 37 MFP error messages
Table 38 Smart Card error messages
Table 39 Supported functions per device model
Table 40 Prerequisites for printers and MFPs
1-1 HP Access Control Secure Printing
HP Access Control Printing Solutions is a set of solutions for printers, MFPs, and Digital Senders
designed to help mitigate security and compliance risks, prevent fraud, protect data privacy, and
enhance fleet management.
This manual covers the following HP Access Control Printing Solutions:
HP Access Control Secure Print
This solution delivers enhanced print security through authentication and authorization. It offers a
range of authentication options, from PIN code login to card-based capabilities. It also helps
mitigate security and compliance risks and reduces paper waste by allowing print jobs to be encrypted
and stored on a server or printer, until users are ready to retrieve and print.
HP Access Control Secure Pull Printing
This solution helps increase productivity and ease printing by providing print mobility for enterprise-class
companies, through roaming printing and single sign-on.
1-2 Usage scenarios
By way of example, below are sequences of events for four fictional HP Access Control Secure Printing
1-2-1 Secure scan to e-mail
An administrative assistant needs to scan and e-mail a contract to a client. She walks up to a
multifunction printer and quickly identifies herself using her proximity badge.
She loads the contract in the document loader and touches the E-mail button. The system
automatically fills in her name and e-mail address as the e-mail sender. She enters the recipient e-mail address.
The scanned contract is immediately sent to the client. She touches a button to sign out of the
1-2-2 Secure printing and retrieval of documents
It is Tuesday morning. An engineer arrives at work knowing that he has a series of documents to
create and print that day.
At 9:00 a.m., he writes a letter and prints it through HP Access Control Secure Print.
At 9:45 a.m., he modifies a technical specification and prints it through HP Access Control Secure
At 11:00 a.m., he writes his latest meeting report and prints it through HP Access Control Secure
Print. All three of his documents are stored in a secure manner in the HP Access Control Secure
Printing server.
At noon, he leaves for lunch, coming back at 1 p.m. He walks up to the first available printer and
authenticates himself using his badge.
All of his morning print jobs are released, and he retrieves his printed documents. He logs out of
the HP Access Control system and goes back to his desk to resume his work.
1-2-3 Secure printing for a department recipient
A hospital is organized with pools of nurses. The hospital software is configured to print documents
for a nurse pool instead of individual nurses, because individual nurses may not be available to
retrieve a specific patient document when needed. Patient documents are encrypted for HIPAA
compliance and securely stored on the HP Access Control Secure Printing server.
A nurse belonging to a particular pool of nurses authenticates herself on an available printer/MFP
using her badge.
The nurse requests the printing of a document. If one nurse is too busy to release a document,
another nurse from the same pool can collect a document that was previously assigned to the
nurse pool.
The document is printed. After the document is decrypted and printed, the stored print job is
deleted so it is not processed twice.
1-2-4 Secure printing for a remote third party
A corporate attorney in London sends a confidential contract to be printed by his Chief Legal
Officer in New York.
The London attorney enters a billing code for this print job, allocating the cost of the print job to
Client A.
The print job is encrypted and stored on the European server.
The Chief Legal Officer in New York goes to his local HP MFP and authenticates. He displays his
pending print jobs and sees the print job sent by his London corporate attorney.
The Chief Legal Officer requests the release of the print job. He retrieves the confidential contract,
decrypted and printed in New York.
Secure printing architecture
HP Access Control (HPAC) Secure Printing provides the following independent features to protect
important information:
Print job encryption to ensure no one can see or alter print job data
Print job retention and controlled release, to ensure printed documents get in the hands of
authorized persons
It is possible to encrypt without controlling the job release, to control the job release without encrypting
the document, and to both encrypt and control job release.
HP Access Control provides two ways to perform print job retention: retention on the printer hard disk
drive (HDD) and retention on the print server HDD.
Retention on the printer/MFP HDD is convenient as it makes a powerful serverless secure printing
solution. On the other hand, hard disk drive capacity on printers is not as large as on servers—that
may be an issue if very large jobs need to be retained. Print jobs can also only be released on the
printer/MFP where they are stored.
NOTE: This system is only usable if the target printer features a HDD (not available on CM8050
and CM8060 Color MFPs).
Retention on print servers requires more configuration, but is fully scalable, since high-capacity
hard disk drives are widely available for servers.
The HP Access Control Driver plug-in software is installed where the encryption is required: on the
server or on the client Windows PCs.
The HP Access Control Secure Printing Server does not require the driver plug-in on the server to
encrypt and protect jobs.
Figure 1 Direct IP printing option (diagram labels: HPAC Secure Printing; Secure print jobs)
Direct IP printing to physical printer with HPAC Secure Printing Plug-in installed on client PCs, no
server involved.
Print jobs can be encrypted all the way from the client PCs to the printer formatter.
Print jobs can be stored on the printer/MFP hard disk drive for later release upon authentication.
Figure 2 Server-based printing option (diagram labels: HPAC Secure Printing Driver Plug-in; Secure print jobs; HPAC Secure Printing)
Server-based printing with HPAC Secure Printing Plug-in installed on client PCs, nothing installed
on the server.
Print jobs can be encrypted all the way from the client PCs to the printer formatter, flowing
encrypted through the print server print queues.
Print jobs can be stored on the printer/MFP hard disk drive for later release upon authentication.
Figure 3 Server-based printing option (diagram labels: Windows, UNIX, Linux, etc.; HPAC Secure Printing Driver Plug-in; HPAC Secure Printing)
Server-based printing with HPAC Secure Printing Plug-in installed on the print server.
Print jobs can be encrypted from the server print queue to the printer formatter.
Print jobs can be stored on the printer/MFP hard disk drive for later release upon authentication.
Figure 4 Server-based pull printing option (diagram labels: HPAC Secure Printing Driver Plug-in; HPAC Secure Print Server; HPAC Secure Printing)
Server-based pull printing with HPAC Secure Printing Plug-in installed on client PCs and HPAC
Secure Printing Server installed on the print server.
Print jobs can be encrypted all the way from the client PCs to the printer formatter.
Print jobs are retained on the print server hard disk drive for later release from any HPAC-enabled
printer upon user authentication.
Figure 5 Server-based pull printing option (diagram labels: Mac, UNIX, AS/400, etc.; Windows printing; HPAC Secure Print Server; HPAC Secure Printing)
Server-based pull printing with only HPAC Secure Printing Server installed on the print server.
Print jobs can be encrypted from the server print queue to the printer formatter.
Print jobs are retained on the print server hard disk drive for later release from any HPAC-enabled
printer upon user authentication.
2-1 Overview
Secure jobs may be encrypted or not, and they can be secured for the person printing the job as well as
for any other user. It is also possible to assign a secure job to a department; in which case, the first user
from that department claiming it is able to release that print job, which is then deleted and not available
to other users.
To secure print jobs, a special secure driver plug-in (a print processor) must be installed on the client
Windows PCs or on the Windows print server (in which case print jobs are not encrypted from the client
PC to the server).
The HPAC-equipped printer can be addressed using direct TCP/IP or through a server print queue.
The HP Access Control Print Server software already includes encryption and retention technology. The
plug-in does not need to be installed on clients except if encryption of print jobs end-to-end, starting at
the client PCs instead of just between the print server and the printer, is needed.
2-1-1 Installation notes
Jobs must be processed by the HP Access Control Secure Printing Plug-in to be accepted by HP
Access Control. This driver plug-in exists for:
Windows 2000 (32-bit and 64-bit)
Windows XP (32-bit and 64-bit)
Windows 2003 (32-bit and 64-bit)
Windows 2008 (32-bit and 64-bit)
Windows Vista (32-bit and 64-bit)
The HP Access Control Secure Printing Plug-in can be installed either on the client PCs or on the print
NOTE: The print server cannot be both on a client’s PC printer and on the server print server
queue attached to that same printer. Double encryption would occur.
NOTE: Up to 100 print jobs can be stored simultaneously for one user or department on the HP
LaserJet disk, within the limit of the HDD capacity. Be aware that some applications generate very
large print files, up to a few GB.
Install HPAC Secure Printing
This section provides an overview of the installation process, including the hardware components.
3-1 Recommended installation process
1. Install, configure, and test the printer/MFP.
2. If a reader needs to be connected, switch off the printer/MFP. Connect the HP Access Control
reader to the printer/MFP and reboot the device.
3. Copy the required HP Access Control firmware files (RFU files) for the printer/MFP models from
the HP Access Control Secure Printing software source files. Copy these files to a local PC or
4. Copy the HP Access Control Secure Printing Admin software from the HP Access Control Secure
Printing software source files. Copy these files to a local PC or server.
IMPORTANT: The firmware files are automatically loaded onto devices by the HPAC Secure
Printing Admin software. If the printer/MFP displays Chosen personality not available,
followed by Disk operation failed, do not click OK or reboot the device until the
printer/MFP completes the installation and automatically reboots.
5. Install HP Access Control Secure Printing Server if at least one of the following features is used. If
none of the following features are used (for example, only local device enrollment is used), the
Printing Server does not need to be installed.
○ User badge self enrollment
○ Authentication gateway (indirect live Lightweight Directory Access Protocol (LDAP) validation)
○ Secure Printing with print job retention on the print server hard disk drive
6. Configure the HPAC Secure Printing firmware installed on devices. See the Configure HP Access
Control chapter for details.
7. Use the HP Access Control Admin software to configure a group of printers/MFPs.
8. Configure the HP Access Control Secure Printing Server, if needed.
9. Install and configure the HP Access Control Secure Printing driver plug-in, if needed. This driver
plug-in is required for push printing.
10. Test the installed solution and verify its settings are acceptable.
3-2 The authentication hardware
This section applies to proximity badge or Smart Card authentication.
3-2-1 The installation kit
The HP Access Control Secure Printing hardware contains the following parts:
HP Access Control proximity card/badge reader (connects to the Host Universal Serial Bus (USB)
plug inside or outside the printer) or Smart Card reader. There is one reader per type of proximity
card. The cards compatible with the reader are indicated on the back of the reader.
An EIO slot plate with a hole to route the USB cable out of the device formatter.
Two adhesive cable brackets to route the reader cable from the back to the front of the device.
A double-sided adhesive label, applied to the back of the reader, to affix the reader to the device
To correctly apply the adhesive labels onto the readers:
Affix the adhesive label on either side of the reader. Do not affix the adhesive label over the bar
code on the back of the reader (that information is necessary for support).
NOTE: For detailed information on installing card readers, see the Card Reader Install Guide.
3-3 Printer network settings
Ensure that the Domain Name System (DNS) server configured on printers equipped with HP Access
Control is always active; otherwise, technical problems may occur. Verify that the DNS server is within
the network and is not the DNS server of an Internet service provider (ISP).
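One way to check the "within the network, not an ISP" requirement across a fleet is to audit an exported inventory of printer DNS settings. This is an added example, not part of the HP guide or the HPAC software. The CSV layout, printer names, and internal address ranges are constructed assumptions, and the script checks only where each DNS server sits, not whether it is active.

```python
import csv
import io
import ipaddress

# Assumption: the organization's own address space (constructed values).
# A private address outside these ranges (e.g. a rogue router) is still flagged.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/16", "fd00:20::/32")
]

# Constructed inventory export: one row per printer, DNS servers separated by ';'.
SAMPLE_INVENTORY = """printer,dns_servers
mfp-floor1,10.20.0.53;10.20.1.53
lj-lobby,198.51.100.53
mfp-legal,10.20.0.53;203.0.113.8
lj-warehouse,
mfp-lab,10.20.0.5x
mfp-hr,192.168.1.1
"""


def classify_dns(value, internal_networks=INTERNAL_NETWORKS):
    """Return 'internal', 'outside' or 'invalid' for one DNS server entry."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return "invalid"
    for net in internal_networks:
        # Compare only addresses and networks of the same IP version.
        if addr.version == net.version and addr in net:
            return "internal"
    return "outside"


def audit_inventory(csv_text, internal_networks=INTERNAL_NETWORKS):
    """Return {printer: [findings]} for printers whose DNS settings need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        servers = [s.strip() for s in (row["dns_servers"] or "").split(";") if s.strip()]
        problems = []
        if not servers:
            problems.append("no DNS server configured")
        for server in servers:
            status = classify_dns(server, internal_networks)
            if status == "invalid":
                problems.append(f"unparseable DNS entry: {server}")
            elif status == "outside":
                problems.append(f"DNS server outside internal ranges: {server}")
        if problems:
            findings[row["printer"]] = problems
    return findings


if __name__ == "__main__":
    for printer, problems in audit_inventory(SAMPLE_INVENTORY).items():
        for problem in problems:
            print(f"{printer}: {problem}")
```
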
3-4 Installation on printers and MFPs
Printers/MFPs feature a type A female USB slot that accepts special USB devices, such as the HP
Access Control Secure Printing readers.
3-4-1 Connect the reader to the printer/MFP
The reader must be connected to the printer/MFP before the device is started. The device will not
recognize the reader if it is plugged in after the device is switched on.
3-4-1-1 CM8050 Color MFP and CM8060 Color MFP devices
1. Open the lower left side cover of the device next to the back wheel, by removing the four screws.
2. Connect the reader to the USB port located next to the digital counter.
3-4-1-2 Color LaserJet 4730MFP and Color LaserJet CM4730MFP devices
These devices have no internal host USB connector.
1. Switch off the device and detach its power cable.
2. Locate the female Type A USB plug on the back of the formatter board. The plug may be hidden
behind a square gray sticker (this sticker can be removed).
3. Connect the reader to the USB port.
4. Switch on the device.
3-4-1-3 Other devices
1. Switch off the device and detach its power cable.
2. Open the device formatter.
3. Locate the dual USB slots connector.
4. Remove the EIO slot plate and replace it with the supplied EIO plate with cable protection and the
USB cable routed through it.
5. Plug the USB reader into the internal USB port.
6. Close the formatter, plug in the device, and switch it on.
NOTE: If the device has no free EIO slot available to route the cable out, connect the reader to
the USB connector located on the outside of the formatter. That plug may be hidden behind a
square gray sticker (this sticker can be removed).
Install the HPAC Secure Printing Server
HP Access Control Secure Printing Server is a service performing three primary functions:
Retention and encryption of print jobs on the server, to provide pull printing service with release
from any printer contacting that server.
Authentication gateway
The authentication gateway performs complex daisy-chained validations against multiple
LDAP/Active Directory (AD) directories and against MS SQL Server (converts and encrypts IDs).
The enrollment service allows end users to link their credentials with their user LDAP/AD record.
Enrollment is available on supported devices.
No management is required. Enrollment can be performed on a device or PC, and users can de-enroll themselves.
4-1 Installation on a non-cluster server
This section describes the standard HPAC Secure Printing Server installation procedure. In the case of
servers in a cluster environment, a different installation procedure must be performed as described in
the Installation on a cluster server section.
The HPAC Secure Printing Server file is available on the supplied software source files.
NOTE: Administrator rights on the server are required to install the HPAC Secure Printing Server.
1. Go to the Pre-requisite directory of the software source files.
2. Install the Microsoft libraries packs in the order of their titles (from 1 to 5). Some packs are not
necessary based on the operating system (OS) service pack.
3. In the HPAC-SecurePrintingServer-{version} directory, click the HPACSecurePrintingServer-x86.exe file to launch the installation.
4. If the HPAC Secure Printing Server is already installed on the server, the installation process asks
for it to be removed using the Add or Remove Programs tool available in the Windows control panel.
5. An install wizard guides users through the installation process. Read the license agreement and
accept it. Otherwise, the software installation will not proceed.
6. Click Next. A new screen prompts for the directory to install the files.
NOTE: This directory is not where print jobs are stored. That storage directory is defined in the
product configuration.
7. Click Next to continue the installation. After a few seconds, the wizard prompts you to click Close to finish.
4-1-1 Create pull printer queues on non-cluster servers
HP Access Control Secure Print Server receives print jobs from client PCs and servers using an input
queue configured to use the exclusive Print-PS multi-thread port monitor.
To create a pull printer queue:
1. Open the Printers and Faxes control panel.
2. Click the File menu and select Server Properties.
3. Click the Ports tab and select Add port. The following window displays:
Figure 6 Printer Ports
4. Select HP Access Control SecurePrint Server Port monitor and then click New Port.
5. Enter a port name and choose the temporary spool file directory (with enough free space).
Figure 7 HP Access Control SecurePrint Server Port monitor
6. Click OK.
7. Right-click a device and select Properties.
8. In the Ports tab of the Properties window, choose the previously created HP Access Control Port
as the port.
9. Click OK.
10. Re-open the Properties window of the device. The window has a new tab, HPAC Pull Printing.
Settings for secure print jobs can be defined in this tab.
4-2 Installation on a cluster server
This section provides information on a cluster environment and requirements, and describes how to
install the HPAC Print Server on a cluster server.
4-2-1 Cluster environment
A hardware cluster may be active-passive, in which case some redundant servers are reserved for
failover duty and do not run any applications of their own. It can also be active-active, in which case all
servers in the cluster run their own applications but also reserve resources to allow them to perform
failover duty for each other.
HPAC Print Server is compatible with active-passive cluster environments.
4-2-2 Cluster requirements
HPAC Print Server is compatible with Windows 2000 and 2003 Servers.
1. The cluster must be up and running properly without any critical errors or warnings in the event
2. The Physical Disk and Print Spooler resource must be present on the cluster and running properly.
If not, the system administrator must create it.
4-2-3 Recommendation
It is strongly recommended to always work on the passive node to avoid unexpected behavior during
the installation. HPAC Print Server restarts the spooler during the installation process, which could
affect the cluster failover.
4-2-4 Cluster environment
NOTE: All of the cluster environment recommendations and examples are based on a two-node
active-passive cluster. Three IP addresses are needed: node1, node2, and the cluster.
The Cluster Administrator console looks similar to the following example.
Figure 8 Cluster Administrator console
Multiple cluster groups are often used in a client environment.
It is useful to organize dependent resources by group. For example, the base resources are IP
Address and Network Name. These can be left in the same cluster group and another group created for
other resources (for example, printing).
Cluster group resources may be owned by different nodes, which is not correct for an active-passive
environment. Always verify that all resources from all groups are running on the same node. If not,
request more information from the Cluster Administrator.
4-2-4-1 Create a cluster printer
A special procedure is needed to create a cluster printer. Even when connected to the cluster IP address, a
cluster printer cannot be created from the Printers and Faxes control panel.
1. To access the “real” Printers and Faxes cluster, launch a Run window and enter the cluster
Figure 9 Run window with cluster name
NOTE: If the Print Spooler resource is not present, the printers and faxes icon will not display.
2. Click Printers and Faxes and add a cluster printer.
Figure 10 Printers and Faxes
4-2-4-2 Create a pull printer queue in a cluster environment
To create a pull printer queue in a cluster environment, perform the following additional steps.
1. Open the Printers and Faxes control panel.
2. Click the File menu and select Server Properties.
3. Click the Ports tab and select Add port. The Printer Ports window displays.
Figure 11 Printer Ports
4. Select HP Access Control SecurePrint Server Port monitor, and then click New Port.
5. Enter a port name and choose the temporary spool file directory (with enough free space).
6. Click OK.
7. Right-click a device and select Properties.
8. In the Ports tab of the Properties window, choose the previously created HP Access Control Port
as the port.
9. Click OK.
10. Re-open the Properties window of the device. The window has a new tab, HPAC Pull Printing.
Settings for secure print jobs can be defined in this tab.
4-2-5 Install and configure the HPAC Print Server in a cluster
Use the following steps to install and configure the HPAC Print Server in a cluster environment.
1. Verify which node is active and which is not, and connect to the passive node.
2. Run the HPAC Print Server install setup and follow the instructions for a non-cluster server.
IMPORTANT: Do not use the cluster disk for the installation folder.
3. Run the HPAC Print Server configuration and apply the following modification:
a. In the Job retention tab, change the Storage folder path to a new one pointing to the cluster
disk. Print jobs will be stored on the cluster disk and are available to the active node even after
a failover.
b. All of the other parameters do not relate to the cluster environment and can be configured as
4. Open the server services list and verify that the HPAC Print Server service is in manual startup
mode. If not, change it. Its name is HPAC SP Server or SecureJet Print-PS.
5. Open the Cluster Administrator console and right-click the cluster group. Select Move Group.
Figure 12 Cluster Administrator – Move group
NOTE: The active node is now the passive one and the passive node is the active one.
6. Run the HPAC Print Server install setup and follow the instructions for a non-cluster server.
IMPORTANT: Do not use the cluster disk for the installation folder.
7. Run the HPAC Print Server configuration and apply the following modification:
a. In the Job retention tab, change the Storage folder path to a new one pointing to the cluster
disk. Print jobs will be stored on the cluster disk and are available to the active node even after
a failover.
b. All of the other parameters do not relate to the cluster environment and can be configured as
8. Open the server services list and verify that the HPAC Print Server service is in manual startup
mode. If not, change it. Its name is HPAC SP Server or SJ Print-PS Server.
9. Open the Cluster Administrator console and select the cluster group to place the HPAC Print
Server resource.
NOTE: This resource is used to handle the HPAC Print Server service failover and the replication
of the registry related to the HPAC Print Server parameters.
For example, if the disk quota per user is not enough for all users, you connect to the cluster IP
address and modify this parameter in the HPAC Print Server configuration.
Without the shared resource, this modification is applied to the active node but not to the passive
node, unless you also connect to the passive node and make the same change there.
With the HPAC Print Server resource, when the HPAC Print Server configuration on the cluster (active
node) is changed, the resource copies the active node's HPAC Print Server registry parameters to the
passive node when it becomes active after a failover or a Move Group.
10. Right-click and create a new resource.
Figure 13 Cluster Administrator – Create a new resource
In the New Resource window, enter a name for the resource (for example, HP Access Control
Print Server). There is no need to enter a description.
11. The resource type is Generic Service. If there are multiple groups, select the correct one.
NOTE: If Run this resource in a separate Resource Monitor is checked, there will not be a
failover if this resource gets an error because the HPAC Secure Printing Server service has
12. Click Next.
13. Specify the possible owners for this resource (required).
NOTE: The possible Owners are nodes in the cluster on which the resource can be brought
14. Click Next.
15. Specify the dependencies for this resource (required).
NOTE: Dependencies are resources that must be brought online by the cluster service first.
The Print Spooler resource and Physical Disk cluster must be brought online before HP Access
Control, because without printer and user jobs, the HPAC Print Server cannot run properly and
answer print, release or authentication requests.
16. Click Next.
17. Enter the correct service name (required). For HP Access Control, the service name is HP AC SP
Server or SJ Print-PS Server.
18. Click Next.
19. Specify the registry key SOFTWARE\Jetmobile\SecureJet\Print Server\Settings that
should be replicated to all nodes in the cluster.
NOTE: The HPAC Secure Printing Server service stores parameters in the registry. Therefore, it
is important to have this data available on the node on which the service is running.
20. Click Finish and wait for the message indicating a successful operation.
21. The HPAC Print Server created resource is offline. Right-click the resource and select it to bring it
22. Open the Printers and Faxes cluster and select the printer created previously.
23. Open the Properties window and select the Port tab.
24. Click Add Port and add a new HPAC Print Server port.
25. Select this port as the printer port and click Apply.
26. Close the Properties window.
27. Open the Properties window again and select the Secure Print tab to change secure printing
queue parameters.
28. Print a job to verify that the job is correctly stored on the cluster disk folder path defined during the
HPAC Print Server configuration.
4-2-6 Install the Quota Notification tool
The Quota Notification tool is an optional tool that accompanies the HP Access Control Secure Printing
Server. It allows the administrator to set up a system that automatically sends e-mails to users when
they approach, reach, or breach their printing quotas.
4-2-6-1 Prerequisites
For a complete list of technical prerequisites, see Appendix C.
4-2-6-2 Installation procedure
1. Double-click the HPAC-SecurePrintingQuotaNotification_x86.msi or HPACSecurePrintingQuotaNotification_x86.exe.
2. The installation launches. Follow the steps of the wizard until the tool is fully installed.
4-2-7 HPAC Print Server upgrade for a cluster environment
TIP: It is strongly recommended to always work on the passive node.
The procedure to upgrade the HPAC Print Server is to first uninstall the old version, and then install the
new one.
1. Bring the HPAC Print Server resource offline (since the service name changed, it is possible to
encounter a problem and failover during the upgrade procedure).
2. Use the Add or Remove Programs console to remove the HPAC Secure Printing Server module.
4-3 Printer pull printing ports pooling
Printer ports pooling allows the HPAC Secure Printing Server to handle a large number of jobs flowing
to one unique print queue.
IMPORTANT: It is mandatory to define multiple ports. Otherwise, a bottleneck effect on incoming
jobs occurs, with jobs delayed for release due to other large pending jobs.
Figure 14 Printer ports pooling (the printer queue receives jobs from clients; multiple HP Access Control
Secure Printing Server ports; encryption and storage of print jobs on the server disk drive)
4-3-1 Configure the printer pull printing ports pooling
In the Ports tab of the print queue, activate the Enable printer pooling option.
Multiple ports can now be activated for this queue so incoming print jobs are dispatched as they come
in. In theory, there is no limit to the number of ports.
4-4 Configure job retention
HPAC Secure Printing retains print jobs on the server or in a remote directory on another machine. The
following parameters can be set in the HPAC Secure Printing server configuration tool to define where
and how those files are kept. Other parameters are described later in this manual as they relate to
authentication, alias, or enrollment.
IMPORTANT: A power outage results in the deletion of pending print jobs stored on the print
Run the HPAC Secure Printing server configuration software.
Table 1 HPAC Secure Printing Server configuration tool
Job Server Tab
Defines the communication settings for the retention server
Max Simultaneous Printings
HPAC Secure Printing features a sophisticated output load balancing
mechanism that provides parallel printing. This system allows for the
management of multiple simultaneous printing requests, while still
regulating it to not overflow the server.
The number of print jobs that can be concurrently sent to devices can
be tuned (value: from 10 to 100) based on LAN available bandwidth and
the server speed and performance.
A value between 10 and 20 is enough for most users.
NOTE: This feature does not split a single print job across multiple
TCP Port
Enter the TCP port used to communicate with printers equipped with
HPAC Secure Print. The value by default is 2000.
The port must be open if communication between HPAC Secure
Printing server and printers/MFPs is performed through a firewall.
Load configuration
This button allows a saved communication configuration to be loaded.
Save configuration
This button allows communication settings to be saved for future use.
Job Retention Tab
Defines the settings of print job retention
Storage Location
Defines in which directory retained user jobs are to be stored. Jobs are
owned by users, so ensure that the directory is accessible by all users (for
example: C:\Program Files\Hewlett-Packard\HP Access Control Secure Printing Server\Jobs).
The storage location can also be a remote directory provided that the
machine with the remote directory belongs to the same domain as the
HPAC Printing Server (for example, \\server1\shareduser\jobs).
For more details, see Remote job storage.
Disk quota per user/department
Enter the maximum number of MB authorized for each user and
department to store jobs. Be aware that color printing can result in very
large jobs, sometimes greater than 1GB based on the application and
the printer driver used.
Jobs quota per user/department
Enter the maximum number of simultaneously stored jobs for each user
and department.
NOTE: Up to 50 print jobs can be stored simultaneously for a single
user or department. To increase the number of print jobs, consult an HP
Retention limit (days)
Enter the maximum number of days of retention authorized for user
jobs. This value has priority over the settings defined by the users at
print time. Jobs are deleted automatically by the system when the first
expiration date is reached.
Windows Terminal Server
Check this option if the server is running Windows Terminal Server or
Citrix Metaframe. This ensures the pop-up window is sent to a specific
screen and not to all sessions.
Quota Notification
Use this button to configure the quota notification system (for example,
automatic e-mail sending when users approach, reach, or exceed their
print job quotas).
Other Tabs
Other tabs are for advanced authentication, enrollment, and alias features. They are described in the following
4-5 Remote job storage
The print job storage location can also be a remote directory provided that the machine with the remote
directory belongs to the same domain as the HPAC Printing Server (for example,
4-5-1 Prerequisites
The remote directory must be on a machine that belongs to the same domain as the HPAC
Printing Server.
Users must have complete access to the remote directory (for example, a shared directory for all
users with full rights).
The job storage folder must be configured to grant full rights to the Authenticated Users group.
4-5-2 Share the print job directory
Use the following steps to share the print job directory.
1. Browse to the location of the remote print job storage folder.
2. Right-click the folder and select Sharing and Security.
3. Click Permissions.
Figure 15 Sharing Permissions
4. Select the Everyone group and check the Full Control box.
Figure 16 Permissions for Everyone
5. Apply the changes by clicking OK in both windows.
4-5-3 Create the Authenticated Users group
Use the following steps to create the Authenticated Users group.
1. Browse to the location of the remote print job storage folder.
2. Right-click the folder and select Properties.
3. Click Security.
4. Click Add.
5. In the Select Users or Groups window, enter Authenticated Users, and then click OK.
Figure 17 Add Authenticated Users
6. In the Properties window, select Authenticated Users.
7. Check the Full Control box, and then click OK.
Figure 18 Full Control for Authenticated Users
4-5-4 Configure remote job storage
Use the following steps to configure remote job storage.
1. Open the HP Access Control Secure Printing Server configuration tool.
2. Click Job Retention and enter the remote directory path in the Storage Folder Path field. Make
sure to use the server name, and not the server IP address.
Figure 19 Configure remote job storage
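As an added example (not part of the HP guide or the HPAC software), the PowerShell script below checks a remote job storage path against the requirements above: a server name rather than an IP address in the path, and Full Control for Authenticated Users on the folder; it also lists every identity that holds Full Control so the grants can be reviewed. The path is the guide's example value, and the function names are hypothetical.

```powershell
# Added example: check a remote job storage folder against sections 4-5-1 and 4-5-4.
# Function names are hypothetical; the path is the guide's example value.
$StoragePath = '\\server1\shareduser\jobs'

# Well-known SIDs are used instead of names so the check works on localized systems.
$WellKnownSid = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Test-StoragePathUsesServerName {
    param([Parameter(Mandatory = $true)][string]$UncPath)
    # A UNC path has the form \\host\share[\folder...]; capture the host part.
    if ($UncPath -match '^\\\\([^\\]+)\\[^\\]+') {
        $parsed = $null
        # Section 4-5-4 requires the server name, so an IP literal fails the check.
        return -not [System.Net.IPAddress]::TryParse($Matches[1], [ref]$parsed)
    }
    throw "Not a UNC path: $UncPath"
}

function Get-FullControlEntry {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll = 0x10000000   # GENERIC_ALL, as stored in some inherit-only ACEs
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$rule.FileSystemRights
        if ((($rights -band $full) -eq $full) -or (($rights -band $genericAll) -ne 0)) {
            $sid  = $rule.IdentityReference.Value
            $name = $WellKnownSid[$sid]
            if (-not $name) { $name = $sid }
            [pscustomobject]@{ Identity = $name; Sid = $sid; Inherited = $rule.IsInherited }
        }
    }
}

if (-not (Test-StoragePathUsesServerName -UncPath $StoragePath)) {
    Write-Warning "Storage path uses an IP address; section 4-5-4 requires the server name."
}

if (Test-Path -LiteralPath $StoragePath) {
    $entries = @(Get-FullControlEntry -Path $StoragePath)
    if (-not ($entries | Where-Object { $_.Sid -eq 'S-1-5-11' })) {
        Write-Warning "Authenticated Users does not hold Full Control (prerequisite in 4-5-1)."
    }
    # Every identity listed here can read, replace, and delete retained print jobs.
    $entries | Sort-Object Identity | Format-Table -AutoSize
} else {
    Write-Warning "Storage path is not reachable from this machine: $StoragePath"
}
```

Run it from the HPAC Secure Printing Server under an account that can read the folder's security descriptor. It inspects NTFS permissions only; the share permission set in 4-5-2 is not read.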
4-5-5 Quota notification
A Quota Notification tool is available as an extension to the print job quota feature. This tool is not
automatically installed with HP Access Control Secure Printing Server—it has to be installed separately.
The quota notification system can be configured to send different types of warning e-mails to users.
There are three types of quota notifications:
Approaching quota notification: This warning e-mail is sent when a user nears the defined printing
Reached quota notification: This warning e-mail is sent when a user has reached the defined
printing quota.
Exceeded quota notification: This warning e-mail is sent when a user has exceeded the defined
printing quota.
Figure 20 Quota Notification
Use the following tools to configure the notification settings.
Enter the number of jobs before the print job quota is reached that serves as the trigger for the
notification. For example, if 5 is entered and the job quota is 50, the user receives an approaching
quota notification after the 45th print job.
Enter the number of megabytes before the disk space quota is reached that serves as the trigger
for the notification. For example, if 5 is entered and the disk space quota is 100, the user receives
an approaching quota notification after the 95th megabyte is used.
NOTE: These two notification thresholds can be combined so that a user receives the quota
notification e-mail when the first of these thresholds is reached.
4-5-5-1 Advanced options
The Advanced options link allows for the configuration of logs linked to the quota notification system.
The table below provides a description of the data displayed in the different columns.
Table 2 Advanced Quota Notification options
Internal Notification TCP Port
The TCP port used for the internal quota notification system.
Trace Level
Defines the trace level (i.e. the amount of information written in the
log files according to degrees of importance). Choose between:
Extra verbose
Trace Path
Defines where the log files are stored.
Configure SMTP settings
Server host name
IP address of SMTP server (for example,
Server TCP Port
Port of SMTP server (for example, 25)
Account name
Authorized login on SMTP server (for example, johnsmith)
The password associated to the login
Check this box to use SSL.
Configure e-mail settings
E-mail address of the sender (usually the administrator email address)
Approaching quota e-mail subject
Subject of the e-mail sent when a user is approaching the
quota. Variables are available for customization, as
explained below.
Reached quota e-mail subject
Subject of the e-mail sent when a user has reached the
quota. Variables are available for customization, as
explained below.
Exceeded quota e-mail subject
Subject of the e-mail sent when a user has exceeded the
quota. Variables are available for customization, as
explained below.
Approaching quota e-mail content
The e-mail text sent to users notifying them that they are
approaching the quota. Variables are available for
customization, as explained below.
Reached quota e-mail content
The e-mail text sent to users notifying them that they have
reached their quota. Variables are available for
customization as explained below.
Reset/Test links (at the bottom of the Quota Notification window)
Reset “E-mail Settings” to default values
This allows a reset of all values to the original values.
Test the configuration
This allows a test of whether the quota notification system is
correctly configured.
Variables can be used in some of the fields mentioned above. The available variables are the following:
○ {0} to indicate:
− The number of remaining jobs or disk space before reaching the quota limit. This value
must be above 0 and followed by ‘jobs’ or ‘MB’.
− The number of jobs or disk space above the limit. This value must be above 0 and followed
by ‘jobs’ or ‘MB’.
○ {1} to indicate the limit. This value must be followed by “jobs” or “MB.”
○ {2} to indicate the name of the job
○ {3} to indicate the name of the user
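As an added example (not HPAC code), the PowerShell functions below model how the two approaching-quota thresholds combine with the reached and exceeded states, and how the {0} to {3} variables fill a subject line. The function names, template wording, and sample values are assumptions; the variables are expanded with PowerShell's -f operator, which uses the same numbered-placeholder form.

```powershell
# Added example: models the three notification types and the {0}-{3} variables.
# Function names, template wording, and sample values are assumptions, not HPAC code.
$Severity = @{ None = 0; Approaching = 1; Reached = 2; Exceeded = 3 }

function Get-QuotaState {
    param([double]$Used, [double]$Limit, [double]$Threshold)
    if ($Used -gt $Limit) { return 'Exceeded' }
    if ($Used -eq $Limit) { return 'Reached' }
    # Guide example: threshold 5 with a quota of 50 triggers after the 45th job.
    if (($Limit - $Used) -le $Threshold) { return 'Approaching' }
    return 'None'
}

function Get-QuotaNotification {
    param(
        [double]$JobsStored, [double]$JobQuota, [double]$JobThreshold,
        [double]$MBStored,   [double]$MBQuota,  [double]$MBThreshold,
        [string]$JobName, [string]$UserName,
        [hashtable]$Templates
    )
    $jobs = [pscustomobject]@{
        Unit  = 'jobs'
        Used  = $JobsStored
        Limit = $JobQuota
        State = (Get-QuotaState $JobsStored $JobQuota $JobThreshold)
    }
    $disk = [pscustomobject]@{
        Unit  = 'MB'
        Used  = $MBStored
        Limit = $MBQuota
        State = (Get-QuotaState $MBStored $MBQuota $MBThreshold)
    }

    # The two thresholds combine: whichever quota is further along decides the e-mail.
    $worst = if ($Severity[$disk.State] -gt $Severity[$jobs.State]) { $disk } else { $jobs }
    if ($worst.State -eq 'None') { return $null }

    # {0}: amount remaining (approaching) or amount over the limit (exceeded), with its unit.
    # {1}: the limit, with its unit. {2}: job name. {3}: user name.
    $delta = [math]::Abs($worst.Limit - $worst.Used)
    $arg0  = "$delta $($worst.Unit)"
    $arg1  = "$($worst.Limit) $($worst.Unit)"
    [pscustomobject]@{
        Type    = $worst.State
        Subject = ($Templates[$worst.State] -f $arg0, $arg1, $JobName, $UserName)
    }
}

# Constructed subject templates. The Reached template omits {0} because that
# value must be above 0 and is zero when the quota is exactly reached.
$SubjectTemplates = @{
    Approaching = '{3}: {0} left before your limit of {1} (last job: {2})'
    Reached     = '{3}: you have reached your limit of {1} (last job: {2})'
    Exceeded    = '{3}: you are {0} over your limit of {1} (last job: {2})'
}

# Constructed sample 1: job threshold reached first (45 of 50 jobs, threshold 5).
Get-QuotaNotification -JobsStored 45 -JobQuota 50 -JobThreshold 5 `
    -MBStored 20 -MBQuota 100 -MBThreshold 5 `
    -JobName 'report.pdf' -UserName 'jsmith' -Templates $SubjectTemplates

# Constructed sample 2: disk quota exceeded while the job count is still low.
Get-QuotaNotification -JobsStored 10 -JobQuota 50 -JobThreshold 5 `
    -MBStored 104 -MBQuota 100 -MBThreshold 5 `
    -JobName 'poster.ps' -UserName 'jsmith' -Templates $SubjectTemplates
```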
4-5-6 Print job purge
Print jobs are purged from the server at regular intervals. The expiration frequency is set to hourly by
default. Use the following steps to modify the purge frequency:
1. In Windows, open the Control Panel, and then select Scheduled Tasks.
2. In the list of scheduled tasks, right-click Job Purge, and then select Properties.
3. Click the Schedule tab.
4. Click Advanced.
5. Configure the task frequency as desired.
Install the HPAC Admin Software on a print server
HP Access Control Secure Print Admin Software is web-based central administration software to
deploy, configure, license, and monitor the solution on a fleet of devices.
Figure 21 HPAC Secure Print Admin Software
NOTE: Administrator rights on the server are required to install HPAC Secure Print Server.
5-1 Installation prerequisites
NOTE: For information regarding the technical prerequisites, see Appendix C, Prerequisites for
PCs and servers.
The following are the prerequisite steps for installing the HPAC Secure Print Server.
1. Install .NET Framework 3.5.
2. Install the C++ Libraries. Make sure that the installed C++ Libraries match the server (32-bit or 64-bit).
3. Create a new web site using the following steps.
a. Install the Internet Information Services (IIS) Manager if it is not already installed. Make sure to
use the Add/Remove Windows Components option. For Windows Server 2008, IIS 7.0 must
have the IIS 6.0 Management Compatibility Components activated.
i. Open the Server Manager (click Start > Administrative Tools > Server Manager).
ii. In the left panel, expand Roles.
iii. Right-click Web Server (IIS) and click Add Role.
iv. In the Role Services panel, scroll to IIS 6 Management Compatibility.
v. Check the check box for IIS 6 Management Compatibility (this will automatically check the
check boxes of all elements contained in this category).
vi. Click Next, then select Install.
vii. Click Close to exit the Add Role Services wizard.
b. Open the Internet Information Services (IIS) Manager.
c. Right-click Web Sites and select New > Web Site on the menu.
d. Follow the wizard steps to create a new Web site.
i. Assign a name to the Web site.
ii. Enter a TCP port different from the one used by the Default Web Site, or stop the Default Web Site.
iii. Set the Web site directory (default: C:\Inetpub\wwwroot).
iv. Set the Web site access permission (Read permission is sufficient).
e. After completing the wizard, go back to the IIS Manager and right-click the previously created
Web site. Select Properties on the menu.
f. In the Properties window, click the ASP.NET tab and change the ASP.NET version to
g. Click the Directory Security tab. Edit the Anonymous access and authentication control by
checking the Integrated Windows authentication option.
The following steps only apply to Windows Server 2003:
h. In the IIS Manager, open the Web Service Extensions folder.
i. Select the ASP.NET Web service extension (the version should be 2.0.50727).
j. Click Allow.
4. Install the appropriate .NET Framework extension (32-bit or 64-bit).
Install the 32-bit .NET Framework extension:
a. Open a command prompt (click Start > Run and enter cmd in the Run window).
b. Enter the following command to disable the 32-bit mode:
cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
c. Enter the following command to install ASP.NET 2.0 and the script maps at the IIS root:
%SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i
d. In the IIS Manager, click the Web Service Extensions folder.
e. Select the ASP.NET Web service extension (version 2.0.50727) and click Allow.
Install the 64-bit .NET Framework extension:
a. Open a command prompt (click Start > Run and enter cmd in the Run window).
b. Enter the following command to install ASP.NET 2.0 and the script maps at the IIS root:
%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i
c. In the IIS Manager, click the Web Service Extensions folder.
d. Select the ASP.NET Web service extension (version 2.0.50727) and click Allow.
5. Install SQL Server Compact Edition 3.5 SP1. Make sure that the SQL Server Compact Edition
version installed matches the server (32-bit or 64-bit).
5-2 HPAC Admin Software installation
1. Run SETUP or the MSI file from the HPAC Admin Software source files to launch the installation.
2. Click Next in the first window.
3. In the second window, select the previously created Web site in the Site drop-down list.
4. Click Next.
5. Select HPAC manage all certificates and then click Next.
6. Enter the port for the SSL binding and click Next.
7. A window displays asking whether to load a previously saved configuration. Click Yes or No,
depending on what is preferred.
8. Click OK and restart the IIS or the server.
TIP: It is not recommended that HPAC Secure Print Admin Software be installed on the Default
Web Site. If it is installed there, make sure that both the parent node and the HPAC site have the
same configuration. Any modifications made require a restart of the IIS or the server. After HPAC
is installed, it is recommended that the HPAC node of the IIS not be modified.
5-2-1 Save the configuration
Should the HP Access Control Secure Print Admin Software need to be uninstalled, it is possible to
save the configuration for future use. To do so, choose to save the configuration when prompted during
the uninstallation process. Then load this saved configuration when installing the HP Access Control
Secure Print Admin Software. All settings and licenses will be restored.
If the software is being uninstalled, use the following steps to save the configuration for future use.
1. Click Start, Control Panel, and then Add or Remove Programs.
2. Select HP Access Control Secure Print Admin Software.
3. Click Remove.
4. When prompted by the uninstaller, choose to save the configuration and choose a directory (not in
the C:\Inetpub\wwwroot\Hpac directory) to save the file.
Configure HP Access Control
This chapter describes how to configure the HP Access Control Secure Print system.
The HP Access Control Admin Software contains four main sections:
Firmware Viewer: Displays the firmware used
License management: License devices
Printer management: List and group devices
Lists and profiles management: Define users in lists and parameters as profiles, apply them to
printer and printer groups
6-1 The HPAC Admin Software interface
The interface is divided into three main sections:
The main menu on the left (Main Menu)
The main content area in the center (HP Access Control)
Possible actions on the right (Related Actions)
6-1-1 Navigate the interface
On the left side of the screen, the Main Menu uses a hierarchical “open and close” tree structure.
1. Click the plus and minus signs to open or close menu sub-items.
2. To view the content related to a particular menu item, click directly on the desired menu item. Its
related content displays in the main content area.
Certain elements in the content area enable different actions to be performed. These actions display in
the right column, the Related Actions column.
6-2 Firmware viewer
The Firmware Viewer allows a user to obtain an overview of the RFUs used by the devices. It can also
identify problematic RFUs.
To only display the problematic RFUs, check the Incorrect firmware only box.
6-3 License management
The License management section provides an overview of the available and used licenses, and allows
license files to be uploaded and deleted.
NOTE: Following installation, printers and MFPs can run HP Access Control and Secure Printing
software for seven days without a license token.
6-4 License information summary
The table below provides a description of the data displayed in the different columns.
Table 3 License information summary
File name: Displays the name of the loaded license file.
License ID: Displays the unique license ID.
Displays the number of Authentication license tokens provided by the license file.
Secure Print: Displays the number of Secure Print license tokens provided by the license file.
Displays the number of Tracking license tokens provided by the license file.
Expiration Date: Displays the license expiration date.
A second table is provided to give an overall view of the available and used license tokens per module.
6-4-1 Upload license files
To upload a license file:
1. Click License management.
2. In the Related Actions section, click Upload a license file.
3. In the pop-up window, browse to the location of the license file and click Upload file.
4. The license file is loaded. It is added to the list of license files and the number of license tokens per
module is provided.
Figure 22 License Management
License tokens are automatically allocated to printers/MFPs after they are configured in the HP Access
Control Admin software (for example, after they are added to a group).
The devices obtain the tokens when they boot. A device can operate under HPAC for seven days
without a license token. After this evaluation period, the device contacts the HPAC Print Server Admin
Software server and requests a token. After it has the token, the device contacts the HPAC Print Server
Admin Software server every 24 hours to check its licensing status. If the device does not reach the
server, it enters into a grace period. During this grace period, the device attempts to contact the server
every six hours. If it does not reach the server five times consecutively, HPAC ceases to function and
the device attempts to reach the server every five minutes. Rebooting the device removes the token.
6-4-2 Delete license files
To delete a license file:
1. Click License management.
2. Check the box next to the license file to delete.
3. In the Related Actions section, click Delete.
4. Click Yes to confirm the deletion of the license file.
6-4-3 Remove all license files
To remove all license tokens from all printers/MFPs:
1. Click License management.
2. In the Related Actions section, click Remove all tokens.
3. Click Yes to confirm the removal of all tokens from the device.
6-4-4 View a summary of each license file
To view a summary of information for each license file:
1. Click License management.
2. Click the license file.
3. The license file details display in the content area of the screen.
6-5 Printer management
The Printer management section allows users to browse information related to the devices and to
manage this information. It contains the following sub-sections:
All printers list
All groups list
6-5-1 All printers list
To view a summary of information for all printers managed by the HPAC Secure Print Admin Software
and manage the licenses:
1. In the main menu, click Printer management.
2. Click All printers list.
Figure 23 All printers list
6-5-1-1 Printers information summary
The table below explains each of the items listed in the content area. Sort the printers in the list by
clicking the column titles.
Table 4 Printers information summary
The printer’s hostname
The printer’s IP (resolved dynamically)
The name of the group the printer belongs to. None designates a printer that does not belong to any group.
Sync. Status: The status for this printer:
• Pending Synchronization
• Awaiting response from printer/MFP
HPAC License status per module (Aut: authentication, SP: Secure Printing, T: Tracking):
• Module licensed
• Module using a trial license
• Grace period
• Module not licensed
6-5-2 All printers list actions
A series of actions are available to manage the printers in the All printers list:
○ By name
○ Create by CSV file
6-5-2-1 Add a printer to the list
To add a printer to the All printers list:
1. In the main menu, click Printer management, and then All printers list.
2. In the Related Actions section, click the desired option for adding the printer:
a. By name – In the empty field, enter the printer host name and click Add. Enter the login and
password for the printer as configured in its EWS. Activate Add even if offline, if appropriate
(otherwise the IP resolution is attempted immediately and the operation fails if the device is off).
Figure 24 Add a printer by hostname
b. Create by CSV file – Browse the disk, select the file to add, and then click Upload file. Ideally,
the CSV file with all devices listed comes from HP Web Jetadmin.
IMPORTANT: All printers/MFPs must have EWS logins and passwords configured to function
under HPAC.
6-5-2-2 Move a printer from one group to another
To modify the group of a printer in the All printers list:
1. In the main menu, click Printer management, and then All printers list.
2. The content area displays a list of all printers. Check the box next to the name of the printer to
move from one group to another.
3. In the Related Actions section, click Modify.
4. Select the new group in the list, and then click Ok.
Figure 25 Modify printer(s)
6-5-2-3 Delete one or more printers
To delete one or more printers from the All printers list:
1. In the main menu, click Printer management, and then All printers list.
2. The content area displays a list of all printers. Check the box next to the printers to delete.
3. In the Related Actions section, click Delete.
4. A list of the selected printers displays. Click Ok to confirm.
6-5-2-4 Ungrouped printer list – View a summary
To view a list of all printers that are not members of a group and might not be synchronized with
In the main menu, click Printer management, and then Ungrouped printers list.
The descriptions of the table elements are the same as for the All printers list. See the Printers
information summary section for full details.
6-5-3 Ungrouped printers list actions
A series of actions are available to manage the printers in the Ungrouped printers list:
Add printer
○ By name
○ Create by CSV
The instructions for using these actions are the same as for the All printers list. See the All printers list
actions section for full details.
6-5-4 All groups list – View a summary for printer groups
HPAC Secure Printing allows users to organize devices into groups; for example, a group of devices
with similar setups or located in a specific building.
In the main menu, click Printer management, and then All printers list.
6-5-4-1 Printer groups information summary
The table below explains each of the items listed in the content area.
Table 5 Printer groups information summary
The name of printer group. Click Name to toggle the listing from
descending to ascending order by printer group name.
Printers count
The total number of printers in this group
6-5-5 All groups list actions
A series of actions are available to manage the printer groups in the All group list:
○ By name
○ By copy
6-5-5-1 Create a new printer group
To add a new printer group to the All groups list:
1. In the main menu, click Printer management, and then All groups list.
2. In the Related Actions section, click the desired option for creating the printer group:
a. By name – In the empty field, enter the printer group name, choose the functions to activate
and configure (Billing, Authentication, Secure Printing), and then click Add.
b. By copy – Create a new group by copying an existing group. The drop-down list displays the
existing groups. Select the desired group to copy, and then click Add.
NOTE: It is recommended to have separate groups for single function printers and MFPs because
MFP configurations control functions that do not exist on single function printers (such as Send to
6-5-5-2 Delete a printer group
To delete one or more printer groups from the All groups list:
1. In the main menu, click Printer management, and then All groups list.
2. The content area displays a list of all printer groups. Check the box next to the printer groups to
3. In the Related Actions section, click Delete.
4. A list of the selected printer groups displays. Click Ok to confirm.
6-5-5-3 Synchronize the printers with the configuration
To deploy the configuration of the different groups to printers:
1. Check the boxes next to the groups to synchronize.
2. Click Synchronization.
3. Printers on which the HPAC Secure Print firmware is not yet installed are first loaded with the
software. The icon on the right side of the printer information reflects the synchronization status.
6-6 Manage printer group details and configuration
Click a printer group name to view and edit its details and configuration.
See the All printers list actions section for detailed information concerning the different actions for
editing printer parameters.
6-6-1 Group details actions
A series of actions are available to manage the printer groups in the All group list:
Link printers to this group
Change language
Remove selected printers
6-6-1-1 Link printers to this group
To add a new printer to the group:
1. Click Link printers to this group.
2. A list of ungrouped printers displays.
3. Select the printers to add and click Yes.
NOTE: A printer cannot be part of two groups.
NOTE: It is recommended to have separate groups for single function printers and MFPs because
MFP configurations control functions that do not exist on single function printers (such as Send to
6-6-1-2 Rename the group
To rename a printer group:
1. Click Rename.
2. Enter a new name and click Rename.
6-6-1-3 Change the group language
To change the language for the group of printers:
1. Click Change language.
2. Select a language on the drop-down menu.
3. Click Yes to apply.
6-6-1-4 Remove printers from the group
To remove a printer from the group:
1. Click Remove selected printers.
2. A list of printers displays.
3. Click Remove.
NOTE: Removing a printer from a group removes the HPAC SP solution from the printer.
6-6-1-5 Synchronize the printers with the configuration
To deploy the current configuration for the group to printers:
1. Select the printers and click Synchronization.
2. Printers on which the HPAC Secure Print firmware is not yet installed are first loaded with the
software. The icon on the right side of the printer information reflects the synchronization status.
IMPORTANT: HPAC Secure Print Admin Software takes the HPAC Secure Print firmware files
from the following directory of its website: App_Data\rfu.
Copy and decompress all updates and new versions of HPAC Secure Print in that directory.
6-7 Configure printer groups
Printer parameters for authentication, billing, secure printing, etc. are configured in the tabs displayed
below a group’s list of printers.
6-7-1 View detailed information about a configuration
To view detailed information about a configuration:
1. Display the summary of information for the desired configuration type (such as Billing or
Authentication) by clicking the appropriate tab under the group’s list of printers.
2. The content area displays the details and configurable parameters.
3. Click Apply to save any changes made to the settings.
For more information on all of the parameters that can be configured, see the respective section for
each type of configuration under Configure group parameters.
6-7-2 Configure group parameters
This section covers all of the parameters that can be configured for a group.
6-7-2-1 The Authentication configuration tab
To configure the parameters for Authentication:
1. Follow the steps in View detailed information about a configuration to display the details for the
group to configure.
2. Click Apply at the bottom of the screen to save any changes.
The table below explains each of the Authentication parameters.
Table 6 Authentication parameters
Authentication behavior
Reader type
Select the reader type from the drop-down list. Select None for PIN
codes identification or when performing badge lookup through the
HPAC Secure Print Server (acting as a gateway).
PX: Proximity readers
SW: Swipe cards readers
SC: Smart Card readers (see the Smart Card profile section to
configure Smart Card authentication)
When authenticating through the HPAC Secure Print Server, the
badge type and mask is defined in the Authentication tab.
HID Site code allowed
(only for HID Prox badges)
This code uses the site code to discriminate badges. Select 0
(zero) to disable discrimination.
Extraction mask
Enter the extraction mask.
Extraction Alignment
Align the extraction mask on the right or left of the read ID.
Custom extraction
(only for HID Prox badges, using the PX-Custom format)
Site Code – Enter the beginning and ending bit numbers for the
site code, followed by the beginning and ending bit numbers for the
badge number.
Allow manual authentication from panel
This option allows a user to log in by manually entering a badge
number or network credentials using the touchscreen printer panel.
Enter a maximum time (in seconds) to authenticate during
interactive authentication (authentication request on the front
Display ID
If this option is activated, the user ID displays on the printer/MFP
screen when the user authenticates.
Authentication process
WARNING! If the Instant release option is selected in Secure Printing, the badge reader is only usable to
release print jobs. It cannot authenticate for other activities. Enrollment is also not possible with this option.
Authentication method(s)
Select the primary authentication method (for example, Local ID
list, HPAC Print Server, LDAP ID Lookup or Local Smart Card).
In the field to the right, select the authentication method to use.
Click Apply at the bottom of the window to configure one or more
alternate authentication methods (the fields only display after
Apply is clicked).
When more than one authentication method is configured, an
additional field (Rank) displays on the right, allowing modifications
of the failover order.
The following can be combined:
1 Local ID list with 5 LDAP Credentials Lookup
5 HPAC Print Servers with 5 LDAP Credentials Lookup
5 LDAP ID Lookups with 5 LDAP Credentials Lookup
1 Local Smart Card with 1 LDAP Credentials Lookup
NOTE: It is not possible to configure alternate (failover)
authentication for single function printers.
Lock count
Maximum number of authorized consecutive wrong user IDs. This
is a numeric value between 1 and 9.
After this maximum number is reached, the printer authentication
enters into lock mode for the period specified in the Lock delay
Lock delay
Printer authentication lockout time in seconds after the maximum
number of wrong IDs is reached.
Failed over Login & Password LDAP
This check box is editable when the first LDAP Credentials
alternate authentication method is configured.
Unchecking it deactivates the LDAP Credentials alternate
authentication method(s). This allows the configuration to be saved
for future use, even though it was not selected for present use.
NOTE: It is not possible to configure alternate (failover)
authentication for single function printers.
Enable cache for LDAP process
If this option is set, after a user succeeds in his first authentication
procedure, the system stores the user’s ID information in RAM. The
next time this user identifies himself on that device, the system
searches the cache directly instead of searching the LDAP
database for the user information. There can be up to 200 users in
the circular cache list.
Stored information: User login, User department, User e-mail,
User HomeDirectory, User Fullname.
The list is cleared when the device is switched off.
Enable self enrollment
Controls whether the Enroll me button displays on the device’s
control panel. See the User enrollment chapter for details.
Select the authentication method for every activity.
Use HP Web Jetadmin to configure authentication for activities not
listed in HPAC Secure Print Admin software.
Activity - Agent
Set the Device Activity/Functions that require users to
successfully sign in before use. Each function can require a
different Sign In Method named Agent.
The activities correspond to the list of activities found on the device
EWS. See the printer/MFP documentation for further information.
Send to E-mail
HPAC Secure Printing Authentication can auto-complete the e-mail
fields with the user information (e-mail address, full name) upon
valid authentication.
The From field can be predefined to
• be blank
• use the default MFP settings, or contain the authenticated
user’s e-mail address.
The To, Cc, and Bcc fields can be predefined to:
• be blank or
• contain the authenticated user’s e-mail address.
Prevent the user from changing the information by checking the
Prevent Changes boxes.
NOTE: To use this function, the device web page’s Default From
Address section must be configured. (See the E-mail Settings
section on the Digital Sending tab.)
Group List
This field displays the names of all the groups that have this
Save changes by clicking Apply.
For Authentication modules that include a badge reader, this badge reader can read some specific
badge types. These types are indicated on the manufacturing label below the reader. Make sure that
type matches your corporate badges or the badges supplied with HP Access Control.
When HP Access Control starts, it verifies automatically what authentication hardware is connected to
the printer/MFP (for example, swipe card reader, keypad, proximity badge).
For Proximity badges, it detects what model is connected (for example, HID, Mifare, Hitag, Legic, EMMarin).
The following settings can be tuned:
• Mask applied on raw badge number (by default the mask is 111111111 applied from the right, to
give a 9-digit user ID).
• HID Prox 125KHz badge model (there are various HID Prox badge models).
• HID Prox badge site code: the Site code field can be different from 0 only if the badge holds a
site code to be used for authentication.
The mask extracts a smaller value from a raw badge value. It is made of the characters 1 and X: 1
keeps the digit, X drops it.
Indicate whether the mask applies from the right or the left of the number.
For example, for badge 123456789 the mask 1111X1 gives 12346 when applied to the left, and 45679
when applied to the right.
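The mask rule above can be checked before a configuration is deployed. The following Python sketch is an added example, not part of the HP guide or the HPAC software: apply_mask reproduces the guide's own 1111X1 example, and find_collisions reports distinct raw badge numbers that a mask would reduce to the same user ID. The function names and the sample badge numbers are constructed for illustration, and rejecting a badge shorter than the mask is an assumption, since the guide does not describe that case.

```python
from collections import defaultdict


def apply_mask(raw_badge: str, mask: str, align: str = "right") -> str:
    """Extract a user ID from a raw badge number with a 1/X mask.

    1 keeps the digit under it, X drops it. The mask is laid over the first
    len(mask) digits (align="left") or the last len(mask) digits ("right").
    """
    mask = mask.upper()
    if not mask or set(mask) - {"1", "X"}:
        raise ValueError("mask must be made of 1 and X only")
    if not (raw_badge.isascii() and raw_badge.isdigit()):
        raise ValueError("raw badge number must contain digits only")
    if align not in ("left", "right"):
        raise ValueError("align must be 'left' or 'right'")
    if len(raw_badge) < len(mask):
        # Assumption: the guide does not say what the device does here,
        # so this sketch refuses to guess.
        raise ValueError("badge number is shorter than the mask")
    window = raw_badge[:len(mask)] if align == "left" else raw_badge[-len(mask):]
    return "".join(digit for digit, m in zip(window, mask) if m == "1")


def find_collisions(raw_badges, mask, align="right"):
    """Map each extracted ID shared by two or more distinct badges to those badges."""
    by_id = defaultdict(set)
    for badge in raw_badges:
        by_id[apply_mask(badge, mask, align)].add(badge)
    return {uid: sorted(badges) for uid, badges in by_id.items() if len(badges) > 1}


# Constructed badge numbers; the first is the one used in the guide's example.
SAMPLE_BADGES = ["123456789", "123456799", "987654321"]

if __name__ == "__main__":
    print(apply_mask("123456789", "1111X1", "left"))
    print(apply_mask("123456789", "1111X1", "right"))
    print(find_collisions(SAMPLE_BADGES, "1111X1", "right"))
```

Any mask that drops digits, or that is shorter than the raw number, can map two different badges to one user ID, so run the collision check over the issued badge numbers before choosing a mask.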
6-7-3 Secure Print parameters
To configure the parameters for Secure Printing:
1. Follow the steps in View detailed information about a configuration to display the details for the
group to configure.
2. Click Apply at the bottom of the screen to save any changes.
The following table explains each of the Secure Print parameters.
Table 7 Secure Print parameters
HP AC Secure Print Servers
Host name
Select the host from the drop-down list.
Designates the priority ranking for an HPAC print server. Click the
arrow signs to increase or decrease the priority ranking of an
HPAC print server.
Secure Print corporate key
Select the desired Secure Print encryption corporate key from the
drop-down list. This is the private key associated with this
configuration, securely stored on every device.
Secure Print Jobs Release
Instant release (MFP only)
(with Proximity badges only)
When this option is checked, the HPAC proximity cards reader
permanently scans for badges. When a badge is within range, all of
the user’s jobs are released. This allows instantaneous release of
print jobs upon badge reading, without any front panel interaction.
NOTE: This setting only works with HPAC Secure Printing
This setting is not active until the next MFP reboot.
IMPORTANT: Due to the absence of any interaction, when this
setting is activated the HP Access Control authentication cannot be
used within the HP authentication manager to control other
functions such as e-mail or copy.
Print without confirmation
On printers, if this option is not checked, the printer requests print job release confirmation
and the reader beeps until the user confirms the job release using the printer front panel. If
there are no pending jobs, the user authenticates with their badge and no message about jobs in
the queue displays on the printer.
On single function printers, when this option is checked, jobs are
released and printed immediately when the user authenticates;
confirmation is not required.
For most cases, it is recommended to activate this option. With the
option off, no printing can happen until the user validates or
cancels the job release using the front panel (there is no time-out).
On MFPs, if this option is checked, all jobs are released when the
user presses the HPAC Secure Printing button (after being
authenticated); no job list is proposed. This option saves time when
users do not need to pick jobs to release in a list.
Jobs type – Stop
HP Access Control can stop some types of jobs from being processed, to help enforce security policies.
Check the box next to a job type to filter them.
Anonymous print jobs
These jobs do not contain the user information in the PJL header,
preventing audit and accounting.
Jobs linked to a user and machine either come from a PC equipped
with the HPAC Secure Print driver plug-in, or an HP printer driver
released after February 2002; and have a special PJL header
bearing the user login name.
Non-anonymous print jobs
These jobs contain the user information in the PJL header.
The HPAC Secure Print driver plug-in and HP printer drivers
released after February 2002 generate this information.
Secure Print Non-Encrypted jobs
These jobs are processed by HPAC Secure Print but are not
Secure Print Encrypted jobs
These jobs are processed by HPAC Secure Print and are
Save changes by clicking Apply.
6-7-4 Billing parameters
Users can optionally enter a billing code during authentication to allocate the cost of the action to a
project or a client. The billing configuration allows users to enable the billing allocation functionality and
to associate a billing list to this configuration.
A list of billing codes is a CSV file that can be defined using an Excel spreadsheet or any other software
capable of generating a CSV file.
See the Billing lists section for detailed information on creating and configuring billing lists.
To configure the parameters for Billing:
1. Follow the steps in View detailed information about a configuration to display the details for the
group to configure.
2. Click Apply at the bottom of the screen to save any changes.
The table below explains each of the Billing parameters.
Table 8 Billing parameters
Enable billing
Check this box to enable the billing functionality during
Enable billing validation
Check this box to validate entered billing codes against billing lists.
Secure Print corporate key
Select the desired Secure Print encryption corporate key from the
drop-down list. This is the private key associated with this
configuration, securely stored on every device.
Billing list
The name of the billing list file. See the Billing lists section for
detailed information on creating and configuring billing lists. Select
None to deactivate the billing code validation.
Save changes by clicking Apply.
6-8 List management
The List management section allows users to consult and manage information related to five different
list types. The list types are:
Local ID list – Lists of authorized users and ID codes (PIN, badge number) for local authentication
LDAP List Generate & Notify
Billing list – Lists of billing codes. Users can enter a billing code at copy, fax, e-mail or print time to
allocate the cost of the action to a project or a client
LDAP Profiles – LDAP lookup configuration
HPAC Print Server management – Lists for servers and their respective ports
Smart Card Profiles
Corporate Key Lists
The ID list, LDAP settings and HPAC Secure Print Server relate to authentication and determining the
user behind an ID (PIN code, badge).
HP Access Control can validate the user ID in three different ways, each having its benefits.
Figure 26 Users and ID list local to the printer/MFP (diagram labels: HPAC Admin Software, CSV file)
Figure 27 Users and ID information in AD/LDAP, direct live lookup
NOTE: HPAC direct live LDAP validation is only for MFPs, except the CM8050 and CM8060 MFPs
Figure 28 Users and ID information in AD/LDAP, indirect live lookup (diagram label: HPAC Secure Print Server)
6-8-1 ID lists
The list of users and PIN codes is a CSV file that can be defined in two ways:
Using the Excel spreadsheet or any other software capable of generating a CSV file (this software
is not supplied with HP Access Control)
Using the LDAP synchronization function of HPAC Secure Print Admin Software
A sample file is provided with the HPAC Secure Print Admin Software. Administrators can also build
custom applications to interface the file with assisted data entry or database lookup using Excel Visual
Basic scripts programming.
The CSV file must comply with the structure in the following table. Data between “quotes” must be
entered as shown. Data fields are separated by a semicolon ‘;’ or by a comma ‘,’.
NOTE: The list must include a minimum of two users.
Table 9 CSV file structure for ID lists
A-1 cell
B-1 cell
Users list version number. The string is alphanumeric with a
maximum of 10 characters.
C-1 cell
A-2 cell
B-2 cell
Maximum number of authorized consecutive wrong user IDs. This
is a numeric value between 1 and 9.
A-3 cell
B-3 cell
Printer authentication lockout time in seconds after the maximum
number of wrong IDs has been reached.
A-4 cell
B-4 cell
Set this parameter to 30.
A-5 cell
B-5 cell
Maximum delay in seconds to show/enter an authentication on
MFPs before the automatic cancellation of the process.
A-6 cell
B-6 cell
Maximum number of authorized consecutive wrong authentications
for remote update. This is a numeric value between 1 and 9.
A-7 cell
B-7 cell
Printer configuration update lockout time in minutes after the
maximum number of wrong admin PIN codes has been reached
during remote update attempts.
User information starts at line 8, column C
Column C (required for every user)
ID (PIN, badge number) Numeric from 4 to 9 digits.
Column D (required for every user)
Domain\Login name. Alphanumeric from 1 to 41 characters. If the
domain name is omitted the \ must also be omitted.
Column E (required for every user)
User department. Alphanumeric from 1 to 30 characters or
UNKNOWN for no department.
Column F (required for every user)
User e-mail address for automatic user information update
notification (up to 180 characters) or UNKNOWN for no e-mail
Column G
Date when the user was added to the list (format=YYYYMMDD).
Column H
User full name (up to 30 characters). If the name is omitted, the
system uses the login name as user name.
Columns I–Z
Do not use columns I to Z for other personal information as future
versions may use them.
In the line following the last entry of the
list, column A
After the file has been filled out, it must be exported to CSV Semi-Colon-Delimited Format (File > Save
As > Save-As-Type .csv) with semi-colon as delimiter to be loaded in the HPAC Admin Software.
IMPORTANT: The HPAC Admin software cannot open invalid files.
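Because an invalid file is rejected on load, it helps to check an ID list against the rules of Table 9 before uploading it. The following Python sketch is an added example, not a tool supplied with HP Access Control. It checks the column B values of rows 1 to 7 and the user rows from row 8, column C onward. The fixed strings expected in column A are not reproduced on this page, so they are not checked, and the sample uses placeholders for them. Treating the first row without a column C value as the end of the list, and flagging a repeated ID, are assumptions of this sketch.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample. Column A of rows 1-7 and of the closing row holds fixed
# strings that this page does not reproduce; A1..A7, C1 and END are placeholders.
SAMPLE = """\
A1;V1;C1
A2;3
A3;60
A4;30
A5;20
A6;3
A7;10
;;1234;CORP\\alice;Finance;alice@example.com;20100201;Alice Martin
;;56789;bob;UNKNOWN;UNKNOWN;20100203;
;;123;\\carol;Research;carol@example.com;2010-02-04;Carol Jones
;;1234;CORP\\dave;Sales;dave@example.com;;Dave Smith
END
"""


def _one_to_nine(value):
    return re.fullmatch(r"[1-9]", value) is not None


# Row number -> (rule for the column B cell, check). Column A is not checked.
HEADER_RULES = {
    1: ("list version must be alphanumeric, 10 characters at most",
        lambda v: v.isalnum() and len(v) <= 10),
    2: ("lock count must be 1 to 9", _one_to_nine),
    3: ("lock delay must be a number of seconds", str.isdigit),
    4: ("must be set to 30", lambda v: v == "30"),
    5: ("authentication delay must be a number of seconds", str.isdigit),
    6: ("remote update lock count must be 1 to 9", _one_to_nine),
    7: ("remote update lockout must be a number of minutes", str.isdigit),
}


def check_user(cells):
    """Return the problems found in one user row, given its cells from column C on."""
    cells = [c.strip() for c in cells] + [""] * 24
    uid, login, dept, mail, added, full = cells[:6]
    problems = []
    if not re.fullmatch(r"[0-9]{4,9}", uid):
        problems.append("C: ID must be 4 to 9 digits")
    if not 1 <= len(login) <= 41:
        problems.append("D: login must be 1 to 41 characters")
    elif login.startswith("\\"):
        problems.append("D: backslash given but domain omitted")
    if not 1 <= len(dept) <= 30:
        problems.append("E: department must be 1 to 30 characters or UNKNOWN")
    if not 1 <= len(mail) <= 180:
        problems.append("F: e-mail must be 1 to 180 characters or UNKNOWN")
    if added:
        try:
            if not re.fullmatch(r"[0-9]{8}", added):
                raise ValueError(added)
            datetime.strptime(added, "%Y%m%d")  # rejects impossible dates
        except ValueError:
            problems.append("G: date must be YYYYMMDD")
    if len(full) > 30:
        problems.append("H: full name must be 30 characters at most")
    if any(cells[6:24]):
        problems.append("I-Z: columns must stay empty")
    return problems


def validate_id_list(text):
    """Return (user_count, problems) for the text of an ID list CSV file."""
    first = text.splitlines()[0] if text.strip() else ""
    delimiter = ";" if first.count(";") >= first.count(",") else ","
    rows = list(csv.reader(io.StringIO(text), delimiter=delimiter))
    problems, first_row_for_id, users = [], {}, 0
    for n, (rule, ok) in HEADER_RULES.items():
        value = rows[n - 1][1].strip() if len(rows) >= n and len(rows[n - 1]) > 1 else ""
        if not ok(value):
            problems.append(f"row {n}: B-{n} {rule}")
    for n, row in enumerate(rows[7:], start=8):
        if len(row) < 3 or not row[2].strip():
            break  # assumption: the first row with no column C value ends the list
        users += 1
        problems += [f"row {n}: {p}" for p in check_user(row[2:])]
        uid = row[2].strip()
        if uid in first_row_for_id:  # added check, not a rule stated on this page
            problems.append(f"row {n}: C: ID already used on row {first_row_for_id[uid]}")
        first_row_for_id.setdefault(uid, n)
    if users < 2:
        problems.append("list must include a minimum of two users")
    return users, problems
```

Calling validate_id_list(SAMPLE) returns the user count and one "row N: ..." message per problem. The file holds every user's PIN or badge number in clear text, so run the check where the file is already stored rather than copying it elsewhere.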
6-8-2 View a summary of ID lists
To view a summary of information on ID lists:
In the main menu, open Lists management, and then click Local ID list.
The table below explains each of the items listed in the content area.
Table 10 ID lists summary
The name of the ID list
List number
The number of entries in each list
Total number of groups associated with this list
6-8-3 Local ID list actions
The following actions are available to manage the ID lists:
View the details
6-8-3-1 Create a new ID list
To add a new ID list:
1. In the main menu, open List management, and then click Local ID list.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new ID list name, and then click Ok.
4. After the list is created, select it to import data.
6-8-3-2 Delete an ID list
To delete an ID list:
1. In the main menu, open List management, and then click Local ID list.
2. The content area displays a list of all ID lists. Check the box next to the ID list to delete.
3. In the Related Actions section, click Delete.
4. A list of the selected ID lists displays. Click Ok to confirm.
6-8-3-3 View the details for an ID list entry
To view the details for an ID list entry:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list entry to view.
3. The content area displays detailed information for the chosen ID list entry.
6-8-4 Local ID list entry actions
The following actions are available to manage the ID lists:
○ By Name
○ Create by CSV
Export as CSV
Notify users
Autogenerate PIN list
6-8-4-1 Add entries to an ID list
To add entries to an ID list:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list name to add entries.
3. The content area displays detailed information for the chosen ID list.
4. In the Related Actions section, click Create.
5. Enter the information for each field.
6. When finished, click Add.
The table below explains each of the items listed in the content area.
Figure 29 Local ID list
NOTE: Only the ID code and Login fields are mandatory.
Table 11 ID list entry fields summary
Name (required)
Name of the ID list entry
ID code (required)
ID must be a numeric value, from 1000 to 999999999.
For HP Access Control PIN code authentication, the ID represents
the PIN code. For the HP Access Control Proximity reader, it
represents the badge number.
User domain
Login (required)
User login
User department
User e-mail
Creation date
The second table in the content area displays the groups associated to this list.
6-8-4-2 Add ID list entries from CSV files
To import ID list entries from a CSV file:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list name.
3. Click Create by CSV.
4. Browse to the location of the CSV file and click Upload file.
6-8-4-3 Edit the ID list entries
1. Display the details for an ID list entry by following the steps in the View the details for an ID list
entry section.
2. Edit the fields as desired.
3. Click Ok to save changes.
6-8-4-4 Delete ID list entries
1. In the main menu, open List management, and then click ID list.
2. The content area displays a list of all ID lists. Check the boxes next to the ID list entries to delete.
3. In the Related Actions section, click Delete.
4. A list of the selected ID list entries displays. Click Ok to confirm.
6-8-4-5 Rename an ID list
To rename an ID list:
1. In the main menu, open List management, and then click ID list.
2. The content area displays a list of all ID lists. Click the ID list to rename.
3. In the Related Actions section, click Rename.
4. Enter the new name for the ID list.
5. Click Ok to confirm.
6-8-4-6 Export ID lists in CSV format
To export ID list entries in CSV format:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list name.
3. Click Export as CSV.
4. Choose whether to open or save the CSV file. If the save option is selected, indicate where to save
the file.
6-8-4-7 Notify users
The Notify users option allows for the definition of which users should receive an e-mail containing the
identifiers. Select All users if the list is new, Users since for users freshly added to the list, or Only
users below if some users have forgotten their PIN code and request a new notification.
NOTE: To use this option, the LDAP list Generate & Notify parameters must first be configured.
To notify users of their identifiers:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list name.
3. Click Notify users.
4. Select All users, Users since (select the date from which the users were added), or create a list
of users to be notified.
5. Click Ok to confirm.
Figure 30 Notify users
Configure HP Access Control
6-8-4-8 Autogenerate PIN list – Import from LDAP
Badge numbers and user information can be automatically extracted from LDAP.
PIN codes and user information can be automatically generated for the users or extracted from LDAP
(for example, to use the employee number as a PIN code).
NOTE: To use this option, the LDAP list Generate & Notify parameters must first be configured.
To import user information from LDAP into an ID list:
1. In the main menu, open List management, and then click Local ID list.
2. Click the ID list name to import data from LDAP.
3. In the Related Actions section, click Autogenerate PIN list.
4. Select whether to replace the existing users (check the Replace existing user(s) box) or just add
the new users (leave the Replace existing user(s) box unchecked).
NOTE: If the Replace existing user(s) box is checked, the process takes longer as all existing
user entries are updated.
HPAC Secure Print Admin Software replaces the content of the ID list with the data extracted from the
LDAP server while extracting/creating the unique ID codes.
This system allows adding users to printers, MFPs or Digital Senders without having to change the ID
code of existing users.
6-9 LDAP list – Generate & Notify
If required, users can be automatically notified of their ID code (PIN code, badge number) by the HPAC
Secure Print Admin Software.
We recommend validating the LDAP parameters using any third party LDAP browser.
The following sections explain how to fill in the fields of this screen.
6-9-1 SMTP settings
The SMTP setting information is required to send e-mails from the software. Ask the network
administrator for all of the required information.
Table 12 SMTP settings
SMTP server IP address
IP address of SMTP server (for example,
SMTP server TCP/IP Port
Port of SMTP server (for example, 25)
Account name
Authorized login on SMTP server (for example, johnsmith)
The password associated to the login (for example,
User name
Check this box to use the account name and password for
identification on the SMTP server. Leave the box unchecked to
connect anonymously.
Check this box to use SSL.
E-mail message
E-mail address of the sender (usually the administrator e-mail
Subject of the e-mail
The Message field allows entering the e-mail text sent to all users
to notify them about their new or future valid PIN code. Variables
are available for customization: the %u is replaced by the user
name, and %c by the ID code given to that user.
NOTE: The e-mail text cannot exceed 900 characters.
6-9-2 PIN List Autogeneration parameters
6-9-2-1 LDAP settings
LDAP settings are fields that configure the access to the LDAP directory and its data.
Table 13 LDAP settings
LDAP profile
The LDAP profile that should be used to generate the PIN lists.
LDAP version
Specifies the protocol version that is used to perform the LDAP
connection. The version can be either 2 or 3.
Defines the rule of search to access specific records. The standard
LDAP search syntax must be used.
Department Filter
Can be used to extract users from a list of specific departments.
Multiple department names can be entered (up to 2500
characters), separated by semi-colons ‘;’.
NOTE: Department names cannot include the ‘;’ character as ‘;’ is
a separator. This Directory filter is not linked to the LDAP filter and
can replace it for department extractions.
Authentication Type
Define credential information to access the LDAP database.
Click Anonymous if no login is required.
ID Size
Defines how many digits the PIN codes must contain (from 4 to 9).
After all settings are defined, click Apply to save the parameters.
6-10 Billing lists
Users can enter a billing code at copy, fax, e-mail or print time to allocate the cost of the action to a
project or a client. This ensures all jobs can be allocated to a valid project/client.
Billing codes entered on the MFP front panel can be used to allocate the cost of an operation to a client,
a project, or a department. By default, any text can be entered. It is also possible to validate that billing
code against a predefined list of up to 1 million codes. Such validated billing codes can only be numeric,
with values from 1000 to 999999999 (nine digits).
The list of billing codes is a CSV file that can be defined using the Excel spreadsheet or any other
software capable of generating a CSV file (this software is not supplied with HP Access Control).
A sample file is provided with the admin software. Administrators can build custom applications to
interface the file with assisted data entry or database lookup using Excel Visual Basic scripts.
NOTE: The billing functionality is only available when local ID list authentication is used (for
example, it cannot be combined with live LDAP/Active Directory authentication).
6-10-1 Billing lists structure
The CSV file must comply with the following structure:
Billing code followed by a comma “,”
Billing codes information starts at line 1, column A
Column A: Billing code, from 1 to 9 digits
For example:
NOTE: There is no special command to end the list of billing codes.
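A pre-upload check for a billing list file, as an added example that is not part of HP Access Control. It applies the range this guide gives for validated codes (1000 to 999999999) and the 1 million code limit. Ignoring any text after the first comma and rejecting duplicate codes are assumptions of the example, and the sample lines are constructed.

```python
"""Pre-upload check for a billing list CSV (added example, not HP code)."""

MIN_CODE, MAX_CODE = 1000, 999_999_999   # range the guide gives for validated codes
MAX_CODES = 1_000_000                     # list size limit stated in the guide


def validate_billing_csv(text):
    """Return (codes, errors); errors are (line_number, reason) tuples."""
    codes, errors, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "," not in line:
            errors.append((lineno, "code is not followed by a comma"))
            continue
        field = line.split(",", 1)[0]      # column A; the rest is ignored (assumption)
        # Rejects spaces, signs, letters and a UTF-8 byte order mark left by an export.
        if not (field.isascii() and field.isdigit()):
            errors.append((lineno, "column A is not numeric"))
            continue
        value = int(field)
        if not MIN_CODE <= value <= MAX_CODE:
            errors.append((lineno, "code outside 1000..999999999"))
            continue
        if value in seen:                  # assumption: duplicates are unwanted
            errors.append((lineno, "duplicate code"))
            continue
        seen.add(value)
        codes.append(field)
    if len(codes) > MAX_CODES:
        errors.append((0, "more than 1 million codes"))
    return codes, errors


# Constructed sample: two valid lines followed by six defective ones.
SAMPLE = (
    "1000,\n"
    "204815,Project Atlas\n"
    "999,\n"
    "12A4,\n"
    "1000000000,\n"
    "204815,\n"
    " 3000,\n"
    "4000\n"
)

if __name__ == "__main__":
    good, bad = validate_billing_csv(SAMPLE)
    print("accepted:", good)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```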
6-10-2 View a summary of billing lists
To view a summary of information on billing lists:
In the main menu, open List management, and then click Billing list.
The table below explains each of the items listed in the content area.
Table 14 Billing list settings
The name of the billing list
List number
The number of billing codes assigned in each list
Group number
Total number of groups associated with this list
6-10-3 Billing list actions
The following actions are available to manage the billing lists:
View the details
6-10-3-1 Create a new billing list
To add a new billing list:
1. In the main menu, open List management, and then click Billing list.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new billing list name.
4. Click Add.
6-10-3-2 Delete a billing list
To delete a billing list:
1. In the main menu, open List management, and then click Billing list.
2. The content area displays all billing lists. Check the box next to the billing list to delete.
3. In the Related Actions section, click Delete.
4. A list of selected billing lists displays. Click Yes to confirm.
6-10-3-3 View the details for a billing list
To view the details for a billing list:
1. In the main menu, open List management, and then click Billing list.
2. Click the billing list name to view.
3. The content area displays the detailed information for the selected billing list.
The table below explains each of the billing list details listed in the content area.
Table 15 Billing list details
Users can enter a billing code at copy, fax, e-mail or print time to
allocate the cost of the action to a project or a client.
By default, the billing code can be any numeric value from 1 to 9
digits, but HP Access Control can also control the entry against a
list of authorized billing codes. This ensures all jobs can be
allocated to a valid project/client. See the Billing lists section for
more information.
The second table in the content area displays the groups associated with this list.
6-10-4 Billing list details actions
The following actions are available to manage a specific billing list:
○ By Name
○ Create by CSV
6-10-4-1 Add details to a billing list
To add details to a billing list:
1. In the main menu, open List management, and then click Billing list.
2. Click the billing list name to add the details.
3. The content area displays the detailed information for the selected billing lists.
4. In the Related Actions section, click By Name.
5. Enter the information for each field.
6. When finished, click Add.
6-10-4-2 Import billing list codes from a CSV file
To import a billing list:
1. In the main menu, open List management, and then click Billing list.
2. Click the list to import the data of the CSV file.
3. In the Related Actions section, click Create by CSV.
4. Browse to the location of the CSV file and click Upload file.
5. Click Yes to confirm.
6-10-4-3 Delete billing list codes
To delete billing list codes:
1. In the main menu, open List management, and then click Billing list.
2. Click the list to import the data of the CSV file.
3. Check the box next to the billing code to delete.
4. Click Delete.
6-10-4-4 Rename a billing list
To rename a billing list:
1. In the main menu, open List management, and then click Billing list.
2. The content area displays all billing lists. Click the billing list to rename.
3. In the Related Actions section, click Rename.
4. Enter the new name for the billing list.
5. Click Rename to confirm.
6-11 LDAP profiles
The LDAP profile section enables the management of two types of LDAP profiles:
LDAP Authentication – The lookup for the user behind an ID (badge or PIN code) is done directly
against the LDAP server, without going through the HPAC Secure Print Server gateway.
Alternate Authentication – Login and password authentication.
6-12 View a summary for the LDAP profiles
To view a summary of information about LDAP profiles:
1. In the main menu, open List management.
2. Click LDAP profiles.
The table below explains each of the details listed in the content area.
Table 16 LDAP profile settings
The profile name
The host domain
The host name of the LDAP server
Host port
The host port
The total number of groups associated with this profile
6-12-1 LDAP profile actions
The following actions are available to manage the LDAP profiles:
6-12-1-1 Create a new LDAP profile
To add a new LDAP profile:
1. In the main menu, open List management, and then click LDAP profiles.
2. Click LDAP profile.
3. In the Related Actions section, click Create.
4. Enter the name for the new LDAP profile.
5. Click Yes.
6. Click the newly created LDAP profile to configure it.
Figure 31 LDAP profile
The table below explains each of the LDAP profile fields.
Table 17 LDAP profile fields
The profile name
The host domain
The host name of the LDAP server
Host port
The host port
The login
The password
ID code field name
Active Directory field for the ID code
Login field name
Active Directory field for the login
Department field name
Active Directory field for the department
E-mail field name
Active Directory field for the e-mail
Full name field name
Active Directory field for the full name
Home directory field name
Active Directory field for the home directory
Search base
LDAP search path
Search timeout (in number of seconds)
6-12-1-2 Delete an LDAP profile
To delete one or more LDAP profiles:
1. In the main menu, open List management, and then click LDAP profiles.
2. The content area displays all LDAP profiles. Check the box next to the LDAP profile to delete.
3. In the Related Actions section, click Delete.
4. A list of selected LDAP profiles displays. Click Yes to confirm.
6-12-1-3 View the details for an LDAP profile
To view the details for an LDAP profile:
1. In the main menu, open List management, and then click LDAP profiles.
2. The content area displays all LDAP profiles. Click the LDAP profile to view.
The previous table explains each of the LDAP profile details listed in the content area.
The second table in the content area displays the groups associated with this LDAP profile.
6-12-1-4 Edit the details for an LDAP profile
To edit the details for an LDAP profile:
1. In the main menu, open List management, and then click LDAP profiles.
2. The content area displays all LDAP profiles. Click the LDAP profile to edit.
3. Edit the fields as desired.
4. Click Apply to save changes.
6-13 HPAC Print Server management list
6-13-1 View a summary of information
To view a summary of information for HP Access Control Print servers:
In the main menu, open List management, and then click HP Access Control Print server
management list.
The table below explains each of the items listed in the content area.
Table 18 HPAC Print server management list settings
HPAC Print Server
The server host name
The total number of groups associated with this server
6-13-2 HPAC server management list actions
The following actions are available to manage the HP Access Control Print server management lists:
6-13-2-1 Create a new server
To add a new HP Access Control Print server to the list:
1. In the main menu, open List management, and then click HP Access Control Print server
management list.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new HP Access Control Print server name.
4. Click Add.
6-13-2-2 Delete a server
To delete one or more HP Access Control Print servers from the list:
1. In the main menu, open List management, and then click HP Access Control Print server
management list.
2. The content area displays all HP Access Control Print servers. Check the box next to the HP
Access Control Print server to delete.
3. In the Related Actions section, click Delete.
4. A list of selected HP Access Control Print servers displays. Click Ok to confirm.
6-13-2-3 View the details for a server
To view the details for an HP Access Control Print server profile:
1. In the main menu, open List management, and then click HP Access Control Print server
management list.
2. The content area displays all HP Access Control Print servers. Check the box next to the HP
Access Control Print server to view.
3. The content area displays the detailed information for the selected HP Access Control Print server.
The table below explains each of the server details listed in the content area.
Table 19 HPAC Print server details
The server host name
The server port
The second table in the content area displays the groups associated with this list.
6-13-2-4 Edit the details for a server
To edit the details for an HP Access Control Print server:
1. In the main menu, open List management, and then click HP Access Control Print server
management list.
2. The content area displays all HP Access Control Print servers. Click the HP Access Control Print
server to edit.
3. Edit the fields as desired.
4. Click Apply to save changes.
6-14 Smart Card profile
6-14-1 Smart Card authentication
HP Access Control Secure Print provides contact Smart Card authentication capabilities. Contact Smart
Cards must not be confused with contactless Smart Cards. While contactless Smart Cards are mainly
proximity badges with advanced communication encryption and secure storage sectors, contact Smart
Cards consist of microchips embedded in a small plastic card with golden or silver contacts on the
surface. Such Smart Cards have advanced computing and encryption capabilities, being able to run
software in a proprietary OS, in Java, or even in .NET.
All Smart Cards are different and the communication protocol is proprietary, defined by the OS or the applet
loaded and called on the Smart Card. Verify the compatibility of HPAC Secure Print Smart Card
Authentication with both the Smart Card hardware platform and the OS or applet loaded on the Smart
Card platform by the Smart Card middleware.
HPAC Secure Print Smart Card Authentication supports the following Smart Card platforms: JCOP,
Siemens CardOS M4, Micardo, Oberthur, OpenPGP, FineID, US DOD CAC/PIV, Setec Setcos,
Giesecke & Devrient Starcos and Seccos, TCOS based NetKey E4, SignTrust, Smartkey and AKIS
Smart Cards.
HPAC Secure Print Smart Card Authentication is a middleware used to authenticate users with Smart
Cards. It runs directly on the printer.
1. If validation is needed, the Certificate Revocation List (CRL, .crl) and Certificate Authority (CA, .ca)
files have to be preloaded on the MFPs using the HPAC Admin software. This reduces traffic
and allows a large CRL to be used and updated according to the administrator’s wishes.
2. The user selects a function requiring Smart Card authentication (for example, e-mail).
3. The user inserts his/her Smart Card in the Smart Card reader located on the MFP.
4. The printer/MFP keyboard is used to enter the card PIN code (numeric or alphanumeric).
5. The first authentication certificate is extracted from the Smart Card public container.
6. The PKI proof-of-ownership verification of the certificate is performed on the card. It can be
deactivated, if needed.
7. The certificate signature is verified using the CA file. This can be deactivated, if needed.
8. The content of the SubjectAlternativeName extension of the X509 certificate is used directly
or indirectly:
○ Directly: It is used for the e-mail address. The user name is the text preceding the @ character.
○ Indirectly: It is supplied to the HPAC Secure Printing Server authentication service that uses it
to perform a lookup against one or more LDAP/SLDAP/AD servers. The user information (full
name, login name, e-mail address, domain, department, home directory) is returned by the
authentication service and injected in the printer authentication manager for usage by
applications, such as e-mail sending, secure printing, and scan to folder.
6-14-2 Smart Card profile actions
Two actions are available to manage the Smart Card profiles:
6-14-2-1 Create a new Smart Card profile
To add a new Smart Card profile:
1. In the main menu, select Smart Card profile.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new Smart Card profile name and click Ok.
4. After the profile is created, configure the validation method.
a. Click the newly created Smart Card profile (displayed on the left in the main section of the
b. Configure the Smart Card profile validation parameters as desired (see the table below for
further information).
5. Click Apply to save changes.
Figure 32 Smart Card profile
Table 20 Smart Card profile settings
Displays the Smart Card profile name. To rename it, enter a new
Use CA/CRL for validation
Check this box to use both the CA and the CRL to validate the
Smart Card.
Gives the name of the CA file used. To upload a CA file, click
Import file and browse to the desired file.
Gives the name of the CRL file used. To upload a CRL file, click
Import file and browse to the desired file.
A CRL file must only be loaded if the Use CA/CRL for validation
option is checked.
Use PS for lookup
Check this option to perform the lookup against the Print Server
user list.
Verify the PIN code
This option is currently unavailable.
Parse the X509 certificate for field(s)
This option is currently unavailable.
Perform proof of possession challenge
Check this option to verify that the certificate used belongs to the
Smart Card used.
Read the certificate
This option is currently unavailable.
6-14-2-2 Delete a Smart Card profile
To delete one or more Smart Card profiles:
1. In the main menu, select Smart Card profile.
2. Check the boxes next to the Smart Card profiles to delete, or check the top box to select all Smart
Card profiles.
3. In the Related Actions section, click Delete.
4. A list of all the selected Smart Card profiles displays.
5. Click Ok to confirm the deletion.
6-15 HPAC corporate keys
The HP Access Control system uses two encryption keys, a private and a public one. The public key is
distributed to all users who might use Advanced Encryption Standard (AES) encryption for their jobs.
The distribution is done through the Print-SMP Driver plug-in and it is configured by the system
The private key is sent by the system to all printers. When a user sends a job to print, the job is first
encrypted using the public key. When the user requests the release of this secure print job, the print job
is decrypted using the private key.
Generate a list of corporate keys and manage them in the Corporate Key list section.
After the key pair has been created, the private key is loaded securely on all devices by the HPAC
Admin Software.
For more information on the HPAC Secure Printing encryption, see the Encryption schemes, corporate
key chapter of this manual.
6-15-1 View a summary of information
To view a summary of information for HP Access Control corporate keys:
In the main menu, open List management, and then click Corporate Key list.
Figure 33 Corporate Key List
The table below explains each of the items listed in the content area.
Table 21 HPAC corporate key list settings
The name of corporate key
The total number of groups associated with this key
6-15-2 Corporate key list actions
The following actions are available to manage the HP Access Control corporate keys:
View key
6-15-2-1 Create a new HPAC corporate key
To add a new HP Access Control corporate key to the list:
1. In the main menu, open List management, and then click Corporate Key list.
2. In the Related Actions section, click Create.
3. In the empty field, enter the new HP Access Control corporate key.
4. Click Ok.
6-15-2-2 Delete an HPAC corporate key
To delete one or more HP Access Control corporate keys from the list:
1. In the main menu, open List management, and then click Corporate Key list.
2. The content area displays all HP Access Control corporate keys. Check the box next to the HP
Access Control corporate keys to delete.
3. In the Related Actions section, click Delete.
4. A list of selected HP Access Control corporate keys displays. Click Ok to confirm.
6-15-2-3 View an HPAC corporate key
To view an HP Access Control corporate key:
1. In the main menu, open List management, and then click Corporate Key list.
2. Check the boxes next to the HP Access Control corporate keys to view.
3. In the Related Actions section, click View key.
4. In the Related Actions section, click a key to view.
Direct live LDAP authentication
7-1 Introduction
HPAC Secure Print authentication modules installed on MFPs can directly validate a PIN code or
swipe/proximity badge number against one or more Active Directory or LDAP servers and retrieve the
user information.
Table 22 Direct live LDAP authentication data
Data Supplied to AD/LDAP
Data Returned (Example)
ID (1234)
Domain (marketing)
Login (jsmith)
Department (sales)
E-mail (
Full name (John Smith)
7-2 Direct live authentication with AD/LDAP
The HPAC Secure Print authentication module installed on the MFP can directly retrieve user
information from Active Directory/LDAP servers. The complete retrieval of the user login name,
department, e-mail address, and full name is carried out directly by the HPACSP firmware on the MFP.
NOTE: If CM8050/CM8060 Color MFPs or single function printers are used, use the indirect live
LDAP authentication procedure described in the next chapter, as direct LDAP lookup is not
available for those devices.
Figure 34 Direct live LDAP authentication [diagram: User ID (PIN, badge number) supplied to Active Directory or LDAP; complete user information returned]
When direct live authentication is activated, there is no need to load the user list on every MFP. On the
other hand, authentication is not possible if the communication with the LDAP server is not permanently
available and fast (in case of cable, router, switch, or server failure).
7-3 Configuration
The procedure for configuring Live LDAP authentication is described in the LDAP profiles section of this
7-3-1 Configure alternate authentication for MFPs
If users forget their badges, HP Access Control offers two optional alternate authentication methods that
can be used on MFPs:
Badge number: Users type their badge number instead of using their badge/card.
Network credentials: Users enter their LDAP login/password credentials instead of using their
To invoke alternate authentication:
1. Users need to press a function button (for example, Copy) instead of using their badge.
2. The screen requesting an alternate ID displays.
Alternate authentication is activated and configured using the Authentication parameters. For more
details, see The Authentication configuration tab.
NOTE: On CM8050 and CM8060 Color MFPs, alternate authentication is provided by the MFP
itself and not by HPAC Secure Printing.
1. Users press the function button of interest (for example, Copy).
2. The CM8050 or CM8060 Color MFP displays a screen requesting the badge,
together with an Advanced button.
3. Users can press the Advanced button to default to another authorized
authentication method for that function.
7-4 LDAP profiles failover
When multiple LDAP profiles are defined, the profiles are used one after the other in a failover mode.
This makes it possible to look for a user in multiple directories.
Configure indirect live LDAP authentication
8-1 Introduction
With the Directory Server authentication service, HP Access Control Authentication modules installed
on printers and MFPs supply the HPAC Secure Print server authentication service with a user ID and
receive in return all the user information, extracted from an Active Directory or from LDAP directories.
Table 23 Indirect live LDAP authentication data
Data Supplied to HPAC SP Server Data Returned (Example)
User ID from HPAC Authentication
Domain (marketing)
Login (jsmith)
Department (sales)
E-mail (
Full name (John Smith)
8-2 Indirect live authentication with AD/LDAP
The HP Access Control authentication module installed on the printer/MFP retrieves user information
from the AD/LDAP. The complete retrieval of the user login name, department, e-mail address, and full
name is carried out through the server hosting the HPAC Print Server.
Figure 35 Indirect live LDAP authentication [diagram labels: User ID (PIN, badge number); Complete user information; HPAC Print Server service on a server with Windows 2000, XP, 2003 or Vista; Active Directory or LDAP]
When indirect live authentication is activated, there is no need to load the user list on every printer/MFP.
On the other hand, authentication is not possible if the communication with the HPAC Print Server is not
available (in case of cable, router, switch or server failure).
8-2-1 Support for multiple databases
In some environments, multiple Active Directory and/or LDAP databases are used to store the badge
number and the user information. HP Access Control features a highly flexible system to gather data
from multiple databases, using common information to retrieve the correct record.
8-2-2 Failover capability
Up to five HPAC Print Server addresses can be entered in the Authentication Module configuration. If
the first address does not respond after a timeout, the second address is used, and so on. This makes it
possible to set up multiple HPAC Print servers for live authentication and provides complete failover
capability, should a server not respond in a timely manner.
8-2-3 Support for multiple user logins (the alias system)
In a corporate IT environment, a user usually has more than one login: one for Windows, one for the
mainframe, one for the UNIX system, one for Enterprise Resource Planning (ERP), and so on. This
means that print jobs from these various systems come with a different login name, while the job owner
is unique and has a unique ID (such as badge, PIN code). Furthermore, each login and user information
might be in a system-specific Active Directory or LDAP database.
HPAC Print Server allows defining an alias search in multiple AD and/or LDAP databases, using
common information, such as the employee number, to find the appropriate user record in these
different database systems. As a result, all print jobs pertaining to a single user, independently of the
login used, are allocated to one unique (main) login. The user can then authenticate their print jobs
using one unique ID.
8-3 Basic configuration sequence
The basic sequence for configuring live authentication is to create a profile for the database, configure
the parameters, and then save changes. Detailed instructions for these steps are in this section.
To execute the configuration:
1. Run HP Access Control Print Server configuration.
2. Configure the authentication gateway in the Authentication tab.
3. Configure the authentication settings in the Directory server management tab.
4. Save the configuration.
8-3-1 Configure the authentication gateway
To configure the authentication gateway:
1. In the HP Access Control Secure Printing Server window, click the Authentication tab.
2. Configure the authentication device settings.
3. Click Apply to validate and save the authentication settings.
Table 24 Authentication parameters table
Card Type
Select the reader type from the drop-down list. Select:
• FP for MFP front-panel PIN code identification or when
performing badge lookup through the HPAC Secure Printing
Server (acting as a gateway).
• PX for Proximity readers
• SW for Swipe cards readers
• None for PIN code
When authenticating through the HPAC Secure Printing Server, the
badge type and mask do not need to be defined at the device level.
Mask (decimal)
The mask allows for the extraction of a smaller value from a raw
badge value. It can be made of 1 and X. 1 keeps the digit, X drops
Enter the extraction mask to apply to the badge number string.
NOTE: Leading zeros are ignored in the string. 00140167 is
considered as 140167.
Mask alignment
Indicate if the mask applies to the right or left of the number string.
For example, for badge 123456789, the mask 1111X1 gives 12346
when applied to the left, and 45679 when applied to the right.
Most and least significant bits positions
Bit-wise extraction mask applied on the binary badge value
between two bits positions. Define the position of the most and
least significant bits for the extraction.
ID search filter
Customize the search filter to use. Can be left blank.
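The decimal mask, mask alignment and bit-position extraction described in Table 24, as an added example that is not HP code. It reproduces the 123456789 / 1111X1 case from the table and reports raw badges that a mask collapses to the same ID. Numbering bits from 0 at the least significant bit and rejecting badges shorter than the mask are assumptions, and the badge values are constructed.

```python
"""Badge mask extraction and collision check (added example, not HP code)."""
from collections import defaultdict


def normalise(raw_badge: str) -> str:
    """Strip leading zeros, as the NOTE in Table 24 describes."""
    if not (raw_badge.isascii() and raw_badge.isdigit()):
        raise ValueError(f"badge value is not decimal: {raw_badge!r}")
    return raw_badge.lstrip("0") or "0"


def apply_decimal_mask(raw_badge: str, mask: str, align: str = "left") -> str:
    """Keep each digit under a '1' and drop each digit under an 'X'."""
    mask = mask.upper()
    if not mask or set(mask) - {"1", "X"}:
        raise ValueError("mask may contain only 1 and X")
    if align not in ("left", "right"):
        raise ValueError("align must be 'left' or 'right'")
    digits = normalise(raw_badge)
    if len(digits) < len(mask):
        # Assumption: a badge shorter than the mask is rejected, not padded.
        raise ValueError("badge is shorter than the mask")
    window = digits[:len(mask)] if align == "left" else digits[-len(mask):]
    return "".join(d for d, m in zip(window, mask) if m == "1")


def extract_bits(raw_badge: int, msb: int, lsb: int) -> int:
    """Return bits msb..lsb (inclusive) of the binary badge value.

    Assumption: bit 0 is the least significant bit.
    """
    if lsb < 0 or msb < lsb:
        raise ValueError("need msb >= lsb >= 0")
    return (raw_badge >> lsb) & ((1 << (msb - lsb + 1)) - 1)


def find_collisions(raw_badges, mask, align):
    """Map each extracted ID to the distinct raw badges that produce it."""
    by_id = defaultdict(set)
    for badge in raw_badges:
        by_id[apply_decimal_mask(badge, mask, align)].add(normalise(badge))
    return {uid: sorted(b) for uid, b in by_id.items() if len(b) > 1}


# Constructed badge values; the first is the example used in Table 24.
SAMPLE_BADGES = ["123456789", "123476789", "00140167555", "987654321"]

if __name__ == "__main__":
    for side in ("left", "right"):
        ids = [apply_decimal_mask(b, "1111X1", side) for b in SAMPLE_BADGES]
        print(side, ids, "collisions:", find_collisions(SAMPLE_BADGES, "1111X1", side))
    print("bits 5..2 of 182:", extract_bits(182, 5, 2))
```

Every dropped digit or bit shrinks the ID space, so running the collision check over the full badge export before deploying a mask shows whether two users would authenticate as the same ID.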
8-3-2 The Directory servers management tab
The Directory servers management tab in the HPAC Print Server software enables the definition of how
user information is retrieved across one or more AD and/or LDAP databases (profiles).
Figure 36 Directory servers management tab
Table 25 Directory servers management parameters table
Directory servers actions
Authenticate, start with profile
Activate authentication alias (first create a profile).
Click Show steps to view if one or more authentication steps were
Click Test to simulate the authentication of a badge ID. To perform
a test, enter the desired badge ID.
Retrieve alias, start with profile
Activate alias (first create a profile).
Click Show steps to view if one or more authentication steps were
Click Test to simulate the authentication of a user login. To perform
a test, enter the desired user login.
Directory servers profiles management
Directory servers profiles management
Enter a new profile.
To save the profile, click Save current profile.
To save current profile with another name, click Save current
profile as.
To delete the current profile, click Delete current profile.
Current Directory server profile settings
Main parameters settings
See the Create a profile section.
Authentication settings
See the Configure the authentication gateway section.
Alias retrieval settings
See the Job retention aliases – Single sign-on section.
Value to search replacement settings
See the Search across chained databases section.
This profile is usable
The check box displays a check if the necessary fields for Main
parameters settings are entered. The displayed check only means
that data has been entered. There is no verification procedure to
check if the data is correct.
This profile can be used for
Same as above for Authentication settings.
This profile can be used for alias
Same as above for Alias retrieval settings.
This profile can replace the value to
Same as above for Value to search replacement settings.
8-3-3 Create a profile
To create a new profile:
1. In the Directory server management tab, keep <New profile> set in the Directory servers
profiles management box.
2. In the Current Directory server profile settings section, click Main parameters settings.
3. The following window displays. Enter specific data. For a detailed description of each parameter,
see the table below.
Figure 37 Directory server main parameters
4. After entering all the values and testing the binding, click OK to validate the settings.
IMPORTANT: Do not forget to save the profile to save the settings. They are not saved
Table 26 Directory server main parameters table
Directory server binding parameters
Enter the domain
Server name
Enter the server name
NOTE: It is recommended to enter the IP address instead of the
DNS name. Incorrectly configured DNS on MFPs or DNS lookup
failures may lead to errors.
Server port
Enter the server port (default: 389)
Other parameters
In case of failure, use profile
Enter the profile to use in case of failure. This parameter allows
multiple authentications to be daisy chained.
Use protocol
Select Active Directory or LDAP
Directory server binding credentials
User login
Login to access Active Directory information
User password
Password to access Active Directory information
Test Directory server binding
Test binding
8-3-4 Configure the authentication settings
To configure the authentication settings:
1. In the Directory server management tab, under the Current Directory server profile settings
section, click Authentication settings to define which data to use in the AD or LDAP database.
2. The following window displays:
Figure 38 Directory server authentication parameters – Profile 1
Table 27 Directory server authentication parameters table
ID conversion
Optional conversion to apply to the ID (PIN code, badge number)
received from the printer/MFP.
ID field name
Optionally enter the field name where the user ID can be stored in
AD/LDAP with the Direct AD/LDAP enrollment.
Enrollment ID field name
Enter the enrollment ID field name. For further information, see
The Enrollment ID field name.
ID search filter
Customize the search filter to use. Can be left blank.
AD/LDAP fields
Domain field name
AD/LDAP field where the user information is stored.
For the Domain field name enter the following string:
Login field name
AD/LDAP field where the user login information is stored.
Department field name
AD/LDAP field where the user department information is stored.
E-mail field name
AD/LDAP field where the user e-mail information is stored.
Full name field name
AD/LDAP field where the user full name information is stored.
Home directory
AD/LDAP field where the user information is stored.
Currently not used.
Test buttons
Test authentication with user
Test the authentication by manually entering an ID
Test authentication for enrollment with user
Test the authentication by manually entering the user login
NOTE: Each parameter must point to a different AD/LDAP field to be valid. If two parameters
point to the same AD/LDAP field, when the Test authentication with user button is pressed,
“UNKNOWN” returns for the second parameter. This is normal AD/LDAP behavior.
8-3-4-1 The Enrollment ID field name
When HPAC Print Server receives the information from the user’s badge, it queries Active Directory
for the data on that particular user. The Enrollment ID field name is the Active Directory field that is
searched to match the user login name and retrieve the user's information.
See the Configure the authentication gateway section for an example of where the user’s login name
(sAMAccountName) is entered.
8-3-5 Save the configuration
3. After entering all values and testing the binding, click OK to validate the settings.
4. Click Save current profile and enter a new profile name, reflecting the defined configuration
parameters. The profile is now saved.
Define a profile for each Active Directory and LDAP server that is accessed to retrieve information
about users.
NOTE: Multiple authentications can be daisy-chained by defining a profile in the field Other
parameters / In case of failure, use profile. This option is found under Main parameters
8-4 Process graphical description dialog box
Since profiles can lead to complex configurations, it can be difficult for administrators to visualize how
profiles are involved in a process (authentication or alias retrieval).
8-4-1 View the chain of profiles
To view the chain of profiles:
1. In the Directory servers management tab, click Show steps.
2. An Authentication process window opens in a tree view, displaying profiles in a chronological
order of use.
Profile chaining is represented as “father-son” relationships, meaning a chained profile is represented
as a sub-element of its caller.
The replacement and transmission of a value to another profile is represented as a “sibling” relationship,
meaning such profiles are at the same level. Since chaining takes priority over replacement and
transmission, these profiles are always at the top level in the tree.
The following symbols are used.
Table 28 Chain of profile symbols
Profile change (either by chaining or by replacement and transmission)
The process can be performed successfully
The process cannot be performed successfully
NOTE: Since no data is supplied to the dialog box, it shows whether the process may succeed,
but not whether the process has succeeded for a specific value. A process may succeed only
according to the search value it starts with.
NOTE: Remember that in chained profiles, not all the profiles of the chain are used. If the final
information is found in a profile that is not the last, all following profiles are skipped.
8-5 Get domain information
8-5-1 Configure the Domain field name
For tracking purposes, or to allow the maximum flexibility for the Active Directory domain name, the
HPAC Print Server provides a Domain field name.
Use the following steps to configure the Domain field name.
1. Run HP Access Control Print Server configuration.
2. Click the Directory servers management tab.
3. Choose a profile from the drop-down list under Directory servers profiles management.
Figure 39 Directory servers management tab – Select a profile
4. Click Authentication settings.
5. The following screen displays (standard field contents are shown).
Figure 40 Directory server authentication parameters
6. The Domain field name requests the information configured in the Domain field from the Directory
server main parameters.
Figure 41 Directory server main parameters
For example, a Domain configured as follows:
<domain> returns:
8-5-2 Customize domain field names in HPAC Print Server
Using the previous example, Domain is configured as follows:
For tracking purposes, or to report only partial information, the Domain field name can be configured as
follows, where <domain_hr(1)> only returns the content of the first dc field, or Idaho.
The number inside the parentheses specifies which dc field is returned.
Any of the dc fields can be returned. For example, setting the Domain field name to
<Domain_hr(1,3,4)> returns the first, third, and fourth dc field from domain. The result is:
8-5-3 Set the Domain field name to a constant value
To retrieve a completely different value from the actual domain value, replace <Domain_hr(1,3,4)>
with <domain_const(ABCD)>, where ABCD is the returned value.
For example, if the domain field name is set to <Domain_const(Texas)>, it returns Texas.
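The Domain field name forms described in sections 8-5-2 and 8-5-3, as an added example that is not HP's code: a small validator that predicts which dc fields a setting selects before it is entered in the Authentication settings window. It assumes the configured Domain is a DN-style string of dc= components and uses a constructed sample value; because this page does not show how several fields are joined, the selected fields are returned as a list.

```python
import re

# Constructed sample Domain value (assumption: DN-style dc= components).
# "Idaho" as the first dc field matches the example in the text.
SAMPLE_DOMAIN = "dc=Idaho,dc=sales,dc=example,dc=com"

# The two forms whose results the text states: <domain_hr(1,3,4)> and
# <domain_const(Texas)>. The text writes both "domain_" and "Domain_",
# so the name is matched case-insensitively.
_TOKEN = re.compile(r"^<domain_(hr|const)\((.*)\)>$", re.IGNORECASE)


def dc_fields(domain):
    """Return the values of the dc components of a DN-style string, in order."""
    fields = []
    for part in domain.split(","):
        name, sep, value = part.partition("=")
        if sep and name.strip().lower() == "dc" and value.strip():
            fields.append(value.strip())
    return fields


def evaluate_domain_field(token, domain):
    """Return the list of values a Domain field name setting would select.

    Raises ValueError for a malformed setting or an index that does not
    exist in the configured domain, so a typo is caught before deployment.
    """
    match = _TOKEN.match(token.strip())
    if not match:
        raise ValueError("unrecognized Domain field name: %r" % token)
    kind, arg = match.group(1).lower(), match.group(2)

    if kind == "const":
        # <domain_const(ABCD)> returns ABCD regardless of the real domain.
        if not arg:
            raise ValueError("domain_const needs a value")
        return [arg]

    # <domain_hr(n,...)>: n is the 1-based position of the dc field to return.
    fields = dc_fields(domain)
    picked = []
    for raw in arg.split(","):
        raw = raw.strip()
        if not (raw.isascii() and raw.isdigit()) or int(raw) == 0:
            raise ValueError("invalid dc index %r in %r" % (raw, token))
        index = int(raw)
        if index > len(fields):
            raise ValueError(
                "dc field %d requested but domain has only %d" % (index, len(fields))
            )
        picked.append(fields[index - 1])
    return picked


if __name__ == "__main__":
    for setting in ("<domain_hr(1)>", "<Domain_hr(1,3,4)>", "<Domain_const(Texas)>"):
        print(setting, "->", evaluate_domain_field(setting, SAMPLE_DOMAIN))
```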
9 User enrollment
On MFPs, the enrollment functionality allows users to directly enroll their badge IDs into the HPAC
Secure Printing authentication on the device. This feature is not available on single function printers due
to the lack of embedded LDAP/Kerberos pre-authentication capabilities.
1. The user touches the Enrollment button on the MFP front panel (placed last in the buttons list
because it is not used regularly).
2. This calls the authentication linked to the User enrollment agent in the MFP Authentication
Manager (typically LDAP or Kerberos).
3. The user enters his/her network credentials to identify himself/herself.
4. If there is already a badge enrolled for that user, he/she is given the option by the enrollment
system to de-enroll that badge.
5. Otherwise, the user is requested by the enrollment system to show his/her badge to the reader.
After the badge ID is read, it is stored together with the user information in a secure place.
HPAC Print Server offers three options related to the secure storage of the ID and user enrollment
information. Only one enrollment behavior can be active at a given time. Each system has its own
benefits; use the one that meets specific needs.
Enrollment
Immediate and easy, does not require any database setup. IDs are stored on the server HDD in a
proprietary format. They can be encrypted as a SHA256 hash for security purposes.
Enrollment data is only available on devices authenticating through that HPAC Secure Printing
This enrollment is usable for a maximum of 5,000 enrolled users.
Enrollment with roaming
User and ID information is stored in a local or remote Microsoft SQL Server or MSDE database.
Enrollment data is accessible through multiple HPAC Secure Printing Server authentication
gateways, therefore to all printers and MFPs.
Database can be backed-up, browsed, and edited by standard MS SQL Server tools.
Enrollment to Active Directory
User ID numbers are stored directly in the user Active Directory or LDAP record.
This allows for standardization on AD or LDAP for all user-related authorizations and credentials.
This enrollment mode requires a binding login/password that has write access to the field where
the ID is written.
9-1 Enrollment prerequisites
Enrollment is performed after the user pre-authenticates. The pre-authentication is not performed by HP
Access Control, but by one of the MFP built-in authentication agents, typically Kerberos or LDAP.
1. The authentication must be configured. See the HP MFP manual for more information.
2. Verify that authentication works as expected before applying it to enrollment pre-authentication.
3. In the HP Access Control Admin software, configure the Authentication with self enrollment.
The pre-authentication is called when the user touches the Enrollment button on the MFP front panel.
After a user is pre-authenticated, he/she is requested to show his/her badge. The information obtained
from the pre-authentication is merged with the user ID read from the badge. The global information is
stored either in the MS-SQL Server or on the server HDD, or the user ID is added to the AD or LDAP
user record.
9-2 Define the enrollment mode
9-2-1 Enrollment
Enrollment is done locally on the server HDD. No database is used to store user information.
1. User ID authentication must be performed through the HPAC Secure Printing server.
2. Activate remote authentication using the Authentication option of the HPAC Secure Print Admin
3. Open the HPAC Secure Printing Server software, and then click the Enrollment tab.
4. Check the Activate local Enrollment behavior box in the bottom left section of the window.
Enrollment with storage of user IDs on the Server HDD is now configured.
9-2-2 Enrollment with roaming
Enrollment with roaming uses a Microsoft SQL Server database to store the user and ID information.
The SQL Server must accept SQL authentications, not only Windows authentications.
1. User ID authentication must be performed through the HPAC Secure Printing server.
2. Activate remote authentication using the Authentication option of the HPAC Secure Print Admin
3. Open the HPAC Secure Printing Server software, and then click the Enrollment tab.
4. Check the Activate Database Enrollment behavior box in the bottom left section of the window.
5. Fill in the database information:
a. Enter sa in the User Name field.
b. Enter the database password in the Password field.
c. Enter the connection information in the Connection field.
For example:
Provider=SQLOLEDB;Data Source=;address=,1433
NOTE: above should be substituted with the IP address of the machine where the
SQL server is installed.
1433 is the default SQL TCP port number; change it if needed.
6. Test the connection by clicking Test Connection. A pop-up message displays, signaling the
connection is successful.
7. Create the database:
d. If the connection was successful, click Create Database to create the database.
e. If there is an existing database, it is deleted. The following prompt displays Delete existing
table, do you want to proceed?
f. Click Yes to proceed with the creation of the new database.
g. Upon the creation of the new database, the following message displays: Database upgrade
has succeeded!
h. Click OK. Enrollment with storage of user IDs in a MS SQL Server database is now configured.
9-2-3 Enrollment to Active Directory
Enrollment to Active Directory stores user IDs directly in the Active Directory.
1. Launch the HP Access Control Print Server configuration software.
2. Select the Directory Servers Management tab. The Configure the authentication gateway section
describes how to configure the AD/LDAP settings defined by the Authentication settings button.
3. Verify all parameters. The attribute/field name where the user ID is stored is defined in the ID field
name entry field.
4. Select the Enrollment tab.
5. Check the Activate Active directory Enrollment behavior box in the bottom left section of the
IMPORTANT: Be sure to click Apply, otherwise changes are not saved.
9-3 Manage enrolled users
HP Access Control Enrollment Manager allows users to be selected, edited, and deleted from the
enrollment database.
This management is performed by the HP Access Control Enrollment Manager software, which is
installed at the same time the HPAC Secure Printing server is installed.
9-3-1 Prerequisites
The user must be an administrator on the PC where the Enrollment Manager is run.
The Enrollment Manager must be run from the same server.
HPAC Secure Printing Server enrollment must have been correctly installed and configured.
Enrollment must have been successfully tested.
9-3-2 Browse the list of users
The screen displays the list of all users who are enrolled on HPAC Secure Print.
The screen displays the following fields and buttons:
Search for – Enter the string to look for in the list. Use the * as a wildcard. The search is not case
sensitive. For example, smi* finds Smith and *hn finds John.
In – Select the field where the string is to be found.
Search button – Click Search to launch the user search. The screen displays the list of users
matching the search query.
NOTE: When enrollment is set without roaming and without Active Directory, user information can
only be searched in two fields (ID and Login). The exact string must be entered—the wild card
character * cannot be used. As a result, only one user can be searched for at a time in the list.
For more advanced search capabilities, activate the enrollment with roaming capability.
9-3-3 Select users
Every user record is preceded by a check box. Check the box to select an individual user or click Select
All to select all the users displayed in the list.
9-3-4 Edit a user
The record for a user can be edited. Only one record can be selected at a time for modification. When
Modify is clicked, a new window displays where the user record can be edited.
Click Validate to save the record after it has been edited, or click Cancel to cancel the editing.
Table 29 Enrolled user settings
Badge number for the user
Login name for the user
Domain name for the user
Department name for the user
E-mail address of the user
Full name
Full name of the user
Home Directory
Windows home directory for the user
Double Factor
Reserved for future use
9-3-5 Delete users
User records can be deleted from the enrollment database. Deleted users have to re-enroll to gain
access to devices.
Select one or more users in the list and then click Delete. After confirmation, the users are permanently
deleted from the enrollment database.
10 Install the driver plug-in for Windows
The HPAC Secure Printing driver plug-in file is available in the supplied software source files.
The HPAC Secure Printing Plug-in encrypts and tags data in memory, right out of the printer driver.
To perform the HPAC Secure Printing Plug-in installation, the following are needed:
○ The HPAC Secure Printing Plug-in
○ Sufficient administrator rights to install printers, create ports, and install system DLLs on the
machine. The best profile is the ADMIN rights profile.
10-1 Installation procedure
1. The HPAC Secure Printing Plug-in installation can be copied from the supplied software source
files to a network drive and launched from there.
2. Click the setup.exe program to run it.
3. The installation procedure starts. This procedure installs the HPAC Secure Printing Plug-in and
encryption capability on the PC.
NOTE: Carefully read the license agreement for HPAC Secure Print. The driver plug-in can be
installed on an unlimited number of client PCs, as long as it is used exclusively to send secured
print jobs to a printer equipped with a valid license of HP Access Control, and as long as the
license terms are respected.
4. Click Yes to accept the license terms. Otherwise, click No and contact the distributor as per the
license preamble terms.
5. The Driver Plug-In installs itself and a confirmation window displays.
10-2 Deployment to a fleet of PCs
Network administrators can easily propagate the driver plug-in to remote PCs using the .msi and .reg
files. The propagation and remote execution must be performed by third-party software, such as
Microsoft SMS.
Create the master configuration on a freshly installed PC with no prior HPAC Secure Printing
installation on it.
1. Create the printer(s) with the same name(s) that users have displayed on their PCs.
2. Install the driver plug-in.
3. Configure the driver plug-in as needed for the printers to secure.
4. Open regedit and reach the following registry branch:
HP Access Control SecurePrint Port monitor
5. Save the registry branch in a .reg file. This is the list and settings of the HPAC Secure Printing
Driver Plug-in.
6. Open the printers registry branch:
7. Save the printer registry branch in a .reg file.
8. Use the software deployment system to:
a. Create the same printer(s) with the same name(s) on remote PCs.
b. Stop the spooler (net stop spooler).
c. Propagate the printer registry .reg file, to be injected in the remote PCs registry.
d. Propagate and run on those PCs the following files:
− The HPAC-SecurePrintingDriverPlugin.msi file (to be executed with the /quiet
parameter and admin rights)
− The printer port monitors .reg file, to be injected in the remote PCs registry
e. Start the spooler (net start spooler).
10-3 Deactivate the HPAC Secure Printing Driver
To deactivate the HPAC Secure Printing Driver Plug-In on a remote PC printer:
Use the software deployment system to:
1. Stop the spooler (net stop spooler).
2. Change the value of the Port registry key in the printer definition, containing the port used by the
printer. The HPAC Secure Printing port names start with lcl_ followed by the original port name
(for example: lcl_IP_156.29.78.41).
3. Change the Port key to the printer port original name (without the lcl_ prefix) to deactivate HPAC
Secure Printing for that printer (for example, IP_156.29.78.41).
4. Start the spooler (net start spooler).
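An added audit example for the procedure above (not part of the HP software): it reads a printer branch exported to a .reg file, as in section 10-2, and reports which printers still use an lcl_ port, so a printer on which HPAC Secure Printing has been deactivated stands out. The sample export, the printer names, the second port value, and the key path (the standard Windows location for printer definitions) are constructed assumptions.

```python
import re

HPAC_PREFIX = "lcl_"  # HPAC Secure Printing port names start with this (section 10-3)

# Constructed sample of an exported printer branch. The key path and the
# printer names are assumptions; only lcl_IP_156.29.78.41 comes from the text.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Finance-HPAC]
"Name"="Finance-HPAC"
"Port"="lcl_IP_156.29.78.41"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Finance-HPAC\DsSpooler]
"printerName"="Finance-HPAC"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\Lobby-HPAC]
"Name"="Lobby-HPAC"
"Port"="IP_156.29.78.42"
"""

_KEY = re.compile(r"^\[(.+)\]$")
# A string value line: "Name"="value", with \\ and \" escapes inside the quotes.
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def decode_reg(data):
    """Decode .reg bytes: version 5.00 exports are UTF-16 with a BOM, REGEDIT4 is ANSI."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


def _unescape(text):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", text)


def audit_printer_ports(reg_text):
    """Map each printer key that has a Port value to its port and secured state."""
    results = {}
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = _KEY.match(line)
        if key:
            path = key.group(1)
            # "[-HKEY...]" marks a key deletion in a .reg file; it defines no printer.
            current_key = None if path.startswith("-") else path
            continue
        value = _STRING_VALUE.match(line)
        if not (value and current_key):
            continue
        # Registry value names are case-insensitive.
        if _unescape(value.group(1)).lower() != "port":
            continue
        port = _unescape(value.group(2))
        secured = port.startswith(HPAC_PREFIX)
        printer = current_key.rsplit("\\", 1)[-1]
        results[printer] = {
            "port": port,
            "secured": secured,
            # Port name the printer has once the lcl_ prefix is removed.
            "original_port": port[len(HPAC_PREFIX):] if secured else port,
        }
    return results


def find_unsecured(results, expected_secured):
    """Printers that should be secured but are missing or lack an lcl_ port."""
    return sorted(
        name for name in expected_secured
        if not results.get(name, {}).get("secured", False)
    )


if __name__ == "__main__":
    report = audit_printer_ports(SAMPLE_REG)
    for name, info in sorted(report.items()):
        state = "secured" if info["secured"] else "NOT secured"
        print("%-14s %-22s %s" % (name, info["port"], state))
    print("needs attention:", find_unsecured(report, ["Finance-HPAC", "Lobby-HPAC"]))
```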
10-4 Connect to a printer secured on the print
If the HPAC Secure Printing Plug-in secures the printer directly on the print server, there is no need to
install anything.
1. Use Explorer to connect to the server.
2. Right-click the shared printer and select Connect.
10-5 Secure an MS-Windows printer port on a local
This case only applies to situations where the HPAC Secure Printing Plug-in is not installed on a print
server print queue.
10-5-1 Section A – Define a queue
If a queue to address the secure printer is already defined, skip to Section B – Secure the printer.
Otherwise, follow these steps:
1. Click Start > Settings > Printers and click Add printer.
2. Choose My computer. The secured driver must be local; otherwise unsecured data would
travel between the computer and a print server hosting the drivers. The list of all printer
ports available in the computer displays on the screen.
NOTE: It is possible to install the HPAC Secure Printing Plug-in on the Windows Print Server, but
data from print jobs are not encrypted from the PCs to the print server. Additionally, no window
displays on client PCs for setting the different printing options. If HP Access Secure Printing
server is used on the server, there is no need to also install the driver plug-in.
3. Click Create new port or Add port. In the list, choose the connection linking the computer to the
shared printer on the server. If the link is a queue name, select Local port and enter the queue
name in the following format: \\serverName\queueName.
4. Click Next.
5. Enter the connection information in the next windows.
6. Select the printer driver to install. HP Access Control works with any printer language. PCL5 and
PCL-XL drivers are recommended for the compactness of their output, resulting in faster
7. Finish the process by answering the last questions. Adding -HPAC at the end of the printer name is
recommended, so the computer user can easily find the device.
10-5-2 Section B – Secure the printer
1. Click Start > Settings > Printers.
2. Right-click the printer to secure, and click Properties.
3. An HP Access Control tab displays, together with the standard tabs. Select the HP Access
Control tab.
4. Check the Activate HP Access Control Secure Print box.
5. Click Apply to activate the tab options. The port linked to the printer is updated to a virtual port.
6. Configure the following settings: the encryption parameters, the print-time pop-up window option,
and the option to hide the pop-up window at print time and to use default values. See a detailed
description of each option in the table below.
7. Apply the modifications by clicking Apply in the driver configuration window. The HP Access
Control installation is now finished.
Table 30 Secure printer port settings
Activate HP Access Control Secure
Check this option and click Apply if the printer is equipped with
HPAC Secure Print functionality.
Encryption settings:
Jobs can be encrypted on their way to the printer and decrypted
only at print time. If None is selected, the job is not encrypted.
AES encryption
Default user recipient
AES is a sophisticated encryption scheme using the AES 128-bit
algorithm combined with RSA PKI encryption public/private keys. A
pair of PKI RSA keys unique to your organization can be generated
from the HPAC Secure Printing Admin Software. The private key is
securely propagated to the printers; the public key must be copied
in the Corporate key field of that tab. The public key cannot
decrypt the print job.
If this option is checked, the pop-up requests the login name of the
end user for the secure job.
NOTE: This option must be disabled if the HPAC Secure Printing
Plug-in is installed on a printer server with shared network printers.
Ask for department recipient
If this option is checked, the pop-up requests the name of the
department for the secure print job.
NOTE: This option must be disabled if the HPAC Secure Printing
Plug-in is installed on a printer server with shared network printers.
Default department recipient
Force all print jobs going to this printer to be secure for a specific
department. For example, a document can be sent to a pool of
nurses, and any nurse in the pool can release and print the
document. After it is printed, the document is deleted.
Confirm recipient name
If selected, the recipient name is asked twice, for confirmation. This
option is useful in highly sensitive environments.
NOTE: This option must be set to No if the HPAC Secure Printing
Plug-in is installed on a printer server with shared network printers.
Ask about retention
If selected, the pop-up window asks if the job should be retained
(see Default retention mode).
NOTE: This option must be disabled if the HPAC Secure Printing
Plug-in is installed on a printer server with shared network printers.
Default retention mode
This option is useful in PUSH printing mode, when print jobs are
sent directly to the target printer.
If set to Yes, print jobs are stored on the device HDD until their
owner authenticates and requests the job release. This should be
the setting in pull printing mode.
If set to No, print jobs are printed immediately (after being
decrypted if necessary).
Ask for billing code
If selected, the pop-up window prompts for the billing code for
every print job and refuses empty entries.
NOTE: This option must be disabled if the HPAC Secure Printing
Plug-in is installed on a printer server with shared network printers.
Default expiration time
Define the default expiration date/time for secure print jobs.
NOTE: The HP Access Control pop-up window does not display if
all of the Ask check boxes are deselected and Apply is clicked.
NOTE: This configuration is ideal if no user interaction is needed
and the driver plug-in is installed on a print server.
10-6 Deactivate HPAC Secure Print on a printer
To stop securing a printer, open its driver configuration page and clear the Activate HP Access
Control Secure Printing Driver Plug-in check box.
10-7 Uninstall the Windows driver plug-in
Should the driver plug-in files need to be removed, use the Add or Remove Programs option of the
Windows control panel to uninstall the driver plug-in.
10-8 Windows clients with Netware print server
HP Access Control Secure Pull Printing can be used in a Novell Netware network. Print jobs must be
secured on the client PC, flow through the Netware print server, and be stored on the printer/MFP hard
If the Novell print server redirects jobs to a Windows print server using LPR/LPD, the HPAC Print
Server can also be used to provide pull printing.
10-8-1 Installation – Print server
The printer is installed as a Novell Distributed Print Services (NDPS) printer agent with the Novell LPR
and prints by LPR on the network printer.
NOTE: The printer agent must be configured so that it enables LPR print jobs.
Figure 42 Netware print server installation
10-8-2 Installation – Client
The printer must be installed as a local printer, in standard TCP/IP.
The IP address is the address of the print server.
LPR queue is the printer agent object.
No NDPS-client components are needed.
The printer port configuration: Standard TCP/IP (for example, novellServer as the print server
Figure 43 Netware client installation
The HPAC Secure Printing Plug-in installed on the client has settings similar to direct IP printing.
10-8-3 Secure Printing through Novell Print Servers
After a user prints a job:
1. The print job is generated as PCL/PS by the driver, and then encrypted by the HPAC Secure
Printing Plug-in.
2. The print job is sent to the Novell print server by LPR through TCP/IP.
3. The print job is then sent to the printer or HPAC Print Server (with an LPR/LPD print queue) using
4. The printer receives the print job, and upon authentication decrypts and prints it; or the HPAC Print
server receives the print job and stores it.
10-9 Printing from UNIX through a Windows print
If printing from UNIX through a Windows Server, make sure to create/set LpdPrinterPassThrough to 1
in the registry. For more information, see
This option prevents the Windows driver from altering the data coming from the UNIX spooler.
10-10 Configure the secure print job parameters
The HP Access Control system can be configured to offer the user additional options when printing a
secure document.
To configure these options, see the Send a document to other users under Windows section.
10-11 Send a secure print job to the printer
1. To print a secure print job, proceed as normal to print the documents (from the application, select
Print, configure the printing job options, and click OK).
2. If all of the secure printing parameters have been automatically set, immediately proceed to the
retrieval of the print jobs.
3. If additional secure printing options for the user are set, the Secure print job parameters pop-up
window displays. One or more of the secure print job parameters can be set. See the following
4. Configure the secure print job parameters shown in the pop-up window.
5. Click OK to send the print job to the printer.
Table 31 Secure print job parameters
Print without retention
Select this option to cancel the authentication procedure for the print
job. This option is useful if the printer is located right next to a user,
therefore making authentication unnecessary to assure security
when releasing print jobs. Another possible scenario is if a user
forgets their badge at home and they do not have access to an
alternate authentication procedure.
Billing code
(may be required)
Enter a billing code for the job. This billing code is assigned to the
print job to charge back a client or project with the cost of the action.
Expiration date
(required - ranges from 1 hour to
48 days)
This option determines how long the system keeps the unclaimed
print job before deleting it.
Specify the recipient for the print job (user or department):
To assign the print job to a specific user:
1 Click the radio button next to User.
2 Type in or select from the drop-down list the login name of the
user that will release the print job.
3 If prompted, retype the username in the Confirm recipient field.
IMPORTANT: In case someone else is assigned as the print job
recipient, you are responsible for notifying them that they have a
secure print job pending.
Depending on how the system is configured, the user field may be
allowed to be left blank. The system then automatically inserts the
Windows login in the User field.
If a print job is assigned to a department, any user that belongs to
this department is able to release the print job. For security
purposes, documents are erased from the server or printer HDD
after they are released by one of the department users.
To assign a print job to a specific department:
1 Click the radio button next to Department.
2 Type in or select from the drop-down list the department name.
3 If prompted, retype the department name in the Confirm
recipient field.
10-12 Print for yourself under Windows
When printing from Windows, by default, the user login name displays in the User recipient field.
Click OK to secure the document.
If print jobs are always assigned to yourself (and never to other people), then the HPAC Secure Printing
Plug-in pop-up window can be disabled. Printing is as simple as clicking the Print icon of the
application. The driver plug-in can then be installed locally on the PC or on a remote server.
10-13 Send a document to other users under
The driver plug-in must be installed locally to type in a recipient addressee login name in the HPAC
Secure Printing Plug-in pop-up window. If the driver plug-in is on a network printer, the pop-up displays
on the server and not on the client (the server spooler runs as system and not with the credentials).
The HPAC Secure Printing Plug-in remembers the last 20 entries, unless the Remember recipients
option is unchecked in the driver plug-in configuration.
Figure 44 Recipients settings
A document can be sent to another user by forcing all print jobs of a queue to be secure for that specific
user. In the Windows printer configuration HP Access Control tab, enter the recipient login name in the
Default user recipient field.
NOTE: The driver plug-in can then be installed on the print server and multiple queues can be set
up, each securing jobs for a specific user.
10-14 Send a document to a department under
The driver plug-in must be installed locally to type in a department addressee name in the HPAC
Secure Printing Plug-in pop-up windows. If the HPAC Secure Printing Plug-in is on a network printer,
the pop-up displays on the server and not on the client (the server spooler runs as system and not with
the credentials).
HPAC Secure Printing Plug-in remembers the last 20 entries, unless the No history option is selected
in the driver plug-in configuration.
A document can be sent to a department by forcing all print jobs of a queue to be secure for that
specific department. In the Windows printer configuration HP Access Control tab, enter the department
login name in the Default department recipient field.
NOTE: The HPAC Secure Printing Plug-in can then be installed on the print server and multiple
queues can be set up, each securing jobs for a specific department.
NOTE: Department jobs are currently only supported on MFPs, as single function printers
currently do not provide a GUI to select user or department jobs.
10-15 Release HPAC print jobs
Print jobs are retained securely by HP Access Control on the printer hard disk or on remote HPAC
Secure Printing Servers until their release or deletion upon expiration. The procedure for releasing print
jobs for MFPs is slightly different than for single-function printers. See the HP Access Control User
Guide for details.
10-15-1 Release the print job (multifunction printers)
To release a secure print job, the user must first authenticate. This authentication is done directly on the
printer where the job will be released. See the HP Access Control User Guide for more information.
1. Ensure the printer is loaded with paper.
2. The user should authenticate using their PIN code or badge. When their name displays at the top
of the screen, press the HPAC Secure Printing button on the front touchscreen panel.
3. The system authenticates the ID, and then displays the print jobs list.
4. The following actions are available: Select all, Job info, Print, Delete and Back.
5. When finished using the MFP, log out of the system.
10-15-2 Release the print job (single function printers)
To release a secure print job, users first need to authenticate where the job will be released. Upon
authentication, pending print jobs are immediately decrypted and printed.
For detailed instructions, see the HP Access Control User Guide.
NOTE: If the device does not have the Release without confirmation option on, the reader
flashes and the printer is in “pause” mode as long as the user has not acknowledged the status.
NOTE: Department jobs cannot be released on non-MFP printers.
11 Encryption schemes, corporate key
HPAC Secure Printing can secure the print jobs’ content by encrypting its data and job ownership
information. There are two levels of encryption: Advanced Encryption Standard (AES) and Data
Encryption Standard (DES).
11-1 AES encryption
This encryption technology benefits from the latest technologies in encryption.
A random 128-bit AES key is generated for every single print job, and is used to encrypt the document.
The key is encrypted using an RSA public key, split, and injected into the print job. The printer decrypts the
key using an RSA private key and decrypts the print job using that decrypted key.
HPAC Secure Print features a default pair of RSA keys so that encryption can be performed easily and
quickly. For the best protection, generate a unique pair of corporate encryption keys using the HPAC
Admin software.
The public key needs to be propagated to clients (propagation together with the driver plug-in settings)
and/or to the HP Access Control Secure Print server tab of the print queue property. The private key
is propagated to devices equipped with HPAC Secure Print using the Print-SMP Driver plug-in.
11-2 DES encryption
This encryption technology is based on the widely used DES symmetrical encryption. A random key is
generated for every single job, and is used to encrypt the document. The key is encrypted and injected
in the print job. The printer decrypts the key using some decryption patterns and decrypts the print job
using that decrypted key.
11-3 Raw Printing
The Raw Printing option is for troubleshooting. Do not use it unless requested by support.
12 Unencrypted secure printing for ERPs
HPAC Secure Printing server can secure the release of unencrypted jobs sent directly to an HP Access
Control-enabled printer or to HPAC Print Server. These jobs are controlled and tracked as HPAC
non-encrypted jobs. The jobs themselves are not encrypted; only their release is secured, because only
the addressee can release them.
12-1 Unencrypted secure print files format
Job data must start with <Esc>%-12345X@PJL<LF> followed by header lines, as in the sample
below. <Esc> is ASCII 27 decimal, 1B hexadecimal.
Data in bold is sample text to be changed for the real values.
Text in italics is information about the data and should not be included in the header.
Dates have the following format: yyyymmddhhmmss00
Actual print spool data starts after @PJL EOSJ<LF>.
Spool data must end with the following sequence: <Esc><Esc><Esc>E<Esc>%-12345X
This open format secures the delivery of print jobs generated, for example, by DOS, UNIX, AS/400
(SCS) or Mainframe (SCS) applications.
Table 32 Sample unencrypted secure print file
@PJL SJOB NAME=This is a test job | Job name
@PJL SJOB ID=00982340 | unique random job #
@PJL SJOB DATE=2008070316300000 | job date & time
@PJL SJOB EXPIRYDATE=2008090110300000 | job expiration date & time
@PJL EOSJ | end of HP Access Control
 | Pre-existing PJL header is to be put here
Dear client,
If you have any questions please contact your support contact.
The security team
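The framing rules of section 12-1 can be checked before a job is handed to the printer or print server. The following Python sketch is an added example, not HP code: it builds and parses a job in the format above, and it refuses control characters in header values so that an application-supplied job name cannot introduce extra header lines. Treating the four keys of Table 32 as mandatory and encoding the header as Latin-1 are assumptions of the example.

```python
from datetime import datetime

ESC = b"\x1b"
UEL = ESC + b"%-12345X"            # <Esc>%-12345X
JOB_START = UEL + b"@PJL\n"        # first bytes of every job
JOB_END = ESC * 3 + b"E" + UEL     # last bytes of the spool data
HEADER_PREFIX = "@PJL SJOB "
# Assumption: the four keys shown in Table 32 are treated as mandatory.
REQUIRED_KEYS = ("NAME", "ID", "DATE", "EXPIRYDATE")


def format_date(moment):
    """datetime -> yyyymmddhhmmss00 (the final 00 is literal in the page's format)."""
    return moment.strftime("%Y%m%d%H%M%S") + "00"


def parse_date(text):
    """yyyymmddhhmmss00 -> datetime; raises ValueError on any other shape."""
    if len(text) != 16 or not (text.isascii() and text.isdigit()) or text[14:] != "00":
        raise ValueError("date is not yyyymmddhhmmss00: %r" % text)
    return datetime.strptime(text[:14], "%Y%m%d%H%M%S")


def check_value(value):
    """Refuse control characters, so a value cannot start a new header line or escape sequence."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in header value: %r" % value)
    return value


def build_secure_job(name, job_id, created, expires, spool):
    """Wrap spool bytes (including any pre-existing PJL header) in the secure-job framing."""
    if expires <= created:
        raise ValueError("expiry must be after the job date")
    lines = [
        HEADER_PREFIX + "NAME=" + check_value(name),
        HEADER_PREFIX + "ID=" + check_value(job_id),
        HEADER_PREFIX + "DATE=" + format_date(created),
        HEADER_PREFIX + "EXPIRYDATE=" + format_date(expires),
        "@PJL EOSJ",
    ]
    header = "".join(line + "\n" for line in lines).encode("latin-1")  # assumed encoding
    return JOB_START + header + spool + JOB_END


def parse_secure_job(data):
    """Validate the framing and return the header fields, both dates and the spool bytes."""
    if not data.startswith(JOB_START):
        raise ValueError("job does not start with <Esc>%-12345X@PJL<LF>")
    if not data.endswith(JOB_END):
        raise ValueError("spool data does not end with <Esc><Esc><Esc>E<Esc>%-12345X")
    fields = {}
    pos = len(JOB_START)
    while True:
        newline = data.find(b"\n", pos)
        if newline == -1:
            raise ValueError("no @PJL EOSJ line found")
        # A trailing CR is tolerated: the SAP header listing ends its lines with \r\n.
        line = data[pos:newline].rstrip(b"\r").decode("latin-1")
        pos = newline + 1
        if line == "@PJL EOSJ":
            break
        if not line.startswith(HEADER_PREFIX) or "=" not in line:
            raise ValueError("unexpected header line: %r" % line)
        key, value = line[len(HEADER_PREFIX):].split("=", 1)
        if key in fields:
            raise ValueError("duplicate header key: " + key)
        fields[key] = check_value(value)
    missing = [key for key in REQUIRED_KEYS if key not in fields]
    if missing:
        raise ValueError("missing header keys: " + ", ".join(missing))
    created = parse_date(fields["DATE"])
    expires = parse_date(fields["EXPIRYDATE"])
    if expires <= created:
        raise ValueError("EXPIRYDATE is not after DATE")
    spool = data[pos:len(data) - len(JOB_END)]
    return {"fields": fields, "created": created, "expires": expires, "spool": spool}


# Constructed sample, built from the values shown in Table 32.
SAMPLE_JOB = build_secure_job(
    "This is a test job", "00982340",
    datetime(2008, 7, 3, 16, 30), datetime(2008, 9, 1, 10, 30),
    b"Dear client,\nIf you have any questions please contact your support contact.\n",
)

if __name__ == "__main__":
    print(parse_secure_job(SAMPLE_JOB)["fields"])
```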
13 Unencrypted secure printing for SAP R/3
HP Access Control Pull Printing can secure the release of unencrypted Systems, Applications and
Products (SAP) SAPScript and SmartForms print jobs sent directly to an HP Access Control-enabled
printer or to an HPAC Print Server. These jobs are controlled and tracked as HP Access Control
non-encrypted jobs. The jobs themselves are not encrypted; only their release is secured, because only
the addressee can release them.
NOTE: Advanced Business Application Programming (ABAP) list printing is not supported as its
header cannot be modified.
13-1 Modify the device type
The device type needs to be modified to interface R/3 and HP Access Control. See the R/3 technical
guides on how to modify a device type.
13-2 Replace the job header sequence
The existing job header in the device type must be replaced with the sequences listed below.
NOTE: All lines shown should be appended one after the other without any carriage returns
between them. (Carriage returns were inserted in the listing below only for the purpose of
improved readability.)
@PJL SJOB EXPIRYDATE=2010030110300000\r\n
13-3 Replace the job trailer sequence
The following sequences must be used to replace the existing job trailer in the device type.
13-4 Activate the device type
After the device type is saved, activate it in the production environment and use it to produce
documents. To verify that the modification is active, print to a PCL5 file and verify its header/footer.
14 HPAC Secure Printing Pull (roaming printing)
The HP Access Control Print Server roaming printing functionality allows the release of documents
stored on any HPAC Print Server on the Intranet from a printer/MFP equipped with HPAC Secure Pull
This functionality offers many powerful workflow capabilities, such as:
• A user in China prints a document for his colleague in New York
• The job is securely stored on the server closest to the user in China
• The American addressee reaches an MFP in New York and authenticates
• The document output by his Chinese colleague is listed
• The American addressee requests the job release
• The document is sent directly from the Chinese server to the New York MFP
The HPAC Print Server architecture uses print job tickets stored on a shared Microsoft SQL Server
database (software not provided with HPAC Secure Printing). The tickets only include information about
print jobs—print job data remains on the servers where it is stored. Printers/MFPs get the list of print
jobs from their contact print server. The list includes local jobs as well as all tickets stored on the shared
database for that user.
Local print job storage print queues can display on client PCs based on the IP address of the PC. This
policy is defined in the Active Directory. A roaming user can then always have a local print pull printing
queue defined on his/her laptop. This architecture allows local print job storage to always be used,
ensuring no useless communication occurs between servers and MFPs.
14-1-1 Prerequisites for roaming printing
Roaming printing requires a database on one server (this server does not need to have HPAC Print
Server installed):
A functional Microsoft SQL Server 2000 or newer (with SQL or mixed Windows/SQL
A MSDE database (SP3A with SQL or mixed Windows/SQL authentication), and administrator
SQL/MSDE network configuration: TCP (default port 1433)
On each server equipped with HPAC Secure Printing Server, MDAC 2.8 needs to be installed if the
connection is not possible with the database server.
The firewall of every gateway and every server equipped with HPAC Secure Printing Server network
connection should be set up to accept communication through the MS SQL server port (1433 by
NOTE: Before starting, make sure that the HPAC Secure Printing Server can ping the SQL
database server.
14-1-2 Create a dedicated database login
NOTE: To use the default login supplied by MS SQL Server (named sa), if its password is known,
skip this chapter.
1. Open the SQL Server managing console (Start > Microsoft SQL Server > Enterprise Manager).
2. In the left side of the console, find the Logins object. It is located at Console Root > Microsoft
SQL Servers > SQL Server Group > <SQL Server to use> > Security.
Figure 45 SQL Server managing console
3. Create a new login (right-click the right part of the console, click the New Login entry of the pop-up
4. In the General tab, enter any name in the Name field.
5. Click the SQL Server Authentication radio button. Enter a password in the Password field.
IMPORTANT: This password is the one to be entered in the HPAC Print Server configuration.
6. In the Server Roles tab, check the Database Creators box.
IMPORTANT: Do not modify the settings of the Database Access tab if the database has not yet
been created by the HPAC Print Server configuration utility.
7. If the database already exists, select the Database Access tab. Check the SJPS box in the first
list, and the public and db_owner boxes in the second list.
NOTE: These rights have been determined as sufficient. To set an exact match for the rights of
the default user (sa), check all boxes in the first list.
14-1-3 Configuration of roaming
1. Launch the HP Access Control Secure Printing Server configuration software.
2. Select the Roam Printing tab.
3. Check the Activate Database support box.
4. Fill in the User Name and Password fields with the login and passwords chosen in the previous
5. In the Connection field, replace the default string after Data Source= with the IP address of the
database server. For example:
Provider=SQLOLEDB;Data Source=99.99.999.999; initial catalog=SJPS
14-1-4 Test the basic database connection
Click Test Connection to test the link with the database. If it succeeds, the Connection to the
database server has succeeded message displays. Otherwise, an error message displays.
NOTE: If the message This SQL server does not exist or access is denied
displays, a firewall (on the database server, on a gateway, or on the HPAC Secure Printing
Server) may be blocking the SQL communication.
14-1-5 Create the tickets database
Create the database on the MS SQL or MSDE server. This operation must be performed only once,
from any HPAC Print Server.
Click Create Database. If the database already exists, a confirmation is requested before a new
database erases the existing one.
14-1-6 Synchronize the roaming database
HPAC Secure Printing Server still works if the roaming database communication is failing, but the
roaming capability is disabled and only local jobs display.
If an HPAC Print Server database goes offline and print jobs are received by the related HPAC Print
Server, the roaming database server is not notified. The administrator can then resynchronize the
database from any HPAC Print Server, by clicking Synchronize All Servers. The database queries all
servers for their current jobs and updates itself.
14-2 Job retention aliases – Single sign-on
Using Active Directory and/or LDAP to retrieve a user’s single sign-on is one of the features of HPAC
Secure Pull Printing. The goal of this action is to allocate all jobs for a user to a single sign-on, even if
that user has multiple identifiers/logins.
To perform an alias retrieval, the program extracts the user login from the information related to the job,
searches for a match within the Active Directory, and changes it to the corresponding AD data (that
should be unique).
Figure 46 Alias retrieval
Diagram labels: Login (for example, jsmith); HPAC Print Server; Active Directory containing user
information (for example, JS435, TSCHOLL JS908, JSMITH); Alias (for example, JS908); Disk storage
14-2-1 Configure the alias feature
1. In the Current Directory server profile settings section, click Alias retrieval settings.
2. The following window displays. Enter the specific data. For a detailed description of each
parameter, see the following table.
Figure 47 Alias retrieval settings
The above dialog box enables the configuration of parameters to retrieve an alias for the job recipient
value during the HP Access Control job processing. The job owner name is searched in the Active
Directory field named in the first parameter of the dialog box (Search the login in field), using the
second parameter as a search filter (using the search filter). If a record is found, the field value of that
record is returned (named in the third parameter).
NOTE: The user login fields used in the alias function must not contain the following value:
3. The Test alias retrieval with login button enables a test of whether the alias retrieval using the
current profile works as expected. The user is first asked to provide a login to search, and then the
test is performed.
Table 33 Directory server alias retrieval parameters
Search the login in field | Look for the incoming job login in this field, using the supplied search filter.
using search filter | Use this search filter – see the Syntax of search filters section for instructions on search filter syntax.
and replace it with the value in field | Replace it with the content of this field, in the same
14-2-2 Syntax of search filters
Search filters should be written using the LDAP syntax. Since information is usually searched on user
records, two variables are supplied. The default search filter is as follows:
The <src_field_name> value is replaced during execution by the name of the field in which the
search must be done. The <src_value> is replaced during execution by the value used as the search
For example, with the value 1234 searched on the field customID, the dynamically generated filter
would be:
This filter can be modified to fit custom needs, as long as it contains both <src_field_name> and
<src_value> variables.
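The substitution of the two variables can be illustrated with a short Python sketch. This is an added example, not HP code, and the page does not state how the product performs the substitution. The filter template and the sample records are constructed, and rejecting an ambiguous match is a policy of the example. The value is escaped as RFC 4515 requires, so a job login containing filter metacharacters is matched literally instead of altering the structure of the filter.

```python
import re

FIELD_VAR = "<src_field_name>"
VALUE_VAR = "<src_value>"
# Attribute names: a letter followed by letters, digits or hyphens (RFC 4512).
ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


def expand_filter(template, field_name, value):
    """Replace both variables of a search filter template with checked, escaped data."""
    if FIELD_VAR not in template or VALUE_VAR not in template:
        raise ValueError("filter must contain both %s and %s" % (FIELD_VAR, VALUE_VAR))
    if template.count("(") != template.count(")"):
        raise ValueError("unbalanced parentheses in filter template")
    if not ATTRIBUTE_NAME.match(field_name):
        raise ValueError("not a valid attribute name: %r" % field_name)
    if not value:
        raise ValueError("empty search value")
    # The field name is validated above, so it cannot smuggle in the value variable.
    expanded = template.replace(FIELD_VAR, field_name)
    return expanded.replace(VALUE_VAR, escape_filter_value(value))


def pick_alias(records, result_field, login):
    """Return the alias for a login from the records a directory search returned.

    No match keeps the original login. More than one match is refused here,
    because the guide expects the alias to be unique (policy of this example).
    """
    if not records:
        return login
    if len(records) > 1:
        raise LookupError("login %r matches %d records" % (login, len(records)))
    alias = records[0].get(result_field)
    return alias if alias else login


# Constructed custom template; the product's default filter is not reproduced here.
CUSTOM_FILTER = "(&(objectClass=user)(<src_field_name>=<src_value>))"
# Constructed directory record, using the sample names from Figure 46.
SAMPLE_RECORDS = [{"sAMAccountName": "jsmith", "customID": "JS908"}]

if __name__ == "__main__":
    print(expand_filter(CUSTOM_FILTER, "customID", "1234"))
    print(expand_filter(CUSTOM_FILTER, "sAMAccountName", "js*"))
    print(pick_alias(SAMPLE_RECORDS, "customID", "jsmith"))
```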
NOTE: Leaving a search filter blank is equivalent to using the default search filter:
14-2-3 Search across chained databases
It is possible to find a record using the user ID, and then use the data contained in a field of this
retrieved record to look for another record in the same or another database.
This action is available for both authentication and alias retrieval purposes, and these database
searches can be daisy-chained.
This daisy-chain search action is used, for example, when there are multiple databases: one that
handles the badge numbers or PIN codes and links them to a global ID, and other databases that hold
information linked to global IDs.
Figure 48 Chained databases
PIN or badge number (for example, 1234)
→ Database 1 – search for PIN or badge number (1234) to find global ID
→ Global ID found (for example, U98E894)
→ Database 2 – search for global ID (for example, U98E894)
→ linked user information found. For example:
globalID: U98E894
sAMAccountName: jsmith
displayName: John Smith
department: Marketing
→ User information retrieved. For example: John Smith
NOTE: Connection to an AD server might take some time, so it is strongly advised to make the
number of AD servers involved in this action as small as possible.
To set up the search parameters:
1. Click Value to search replacement settings. The following screen displays.
Figure 49 Value to search replacement settings
2. Enter the data for the fields and click OK.
The incoming information (job owner or user ID) is searched in the field named Search the value in
field. If necessary (for IDs only - optional badge number), it can be converted using the data in the field
using source conversion. Enter the search filter in the field on search filter.
If a record matches the search data, the value in the field If found, replace it with the value in field
replaces the value that was searched, and it is transmitted to the profile named in the fifth field (and
transmit it to the profile), in a process of daisy-chained cross database searches.
15 Ports and communication
15-1 HPAC Secure Printing ports
HPAC Secure Printing uses the following ports.
Table 34 HPAC Secure Printing ports
Protocol Port
Sending of HPACSP firmware files to printers | Install the printer under Windows using its IP address and print a test page.
Configuration of HPACSP on printers | telnet <printer IP> 9400, a line with @PJL should display on the screen
Direct ID lookup from printer to LDAP | Replace the printer with a PC and use LDAP test software such as Softerra LDAP browser.
Communication between printer and HPAC Secure Printing Server | Replace the printer with a PC, telnet <server IP> 2000, multiple lines of text should display.
Communication between HPAC Secure Printing Server and LDAP | Use LDAP test software such as Softerra LDAP browser to test the LDAP settings and connection.
Communication between HPAC Secure Printing Server and SQL | In case of firewall issues:
Print job release from HPAC Secure Printing Server to printer | Install the printer under Windows using its IP address and print a test page.
IMPORTANT: For corporate firewall users, packets sent to HPAC Secure Printing Server on port
2000 are intercepted by some ASA firewalls, even when the firewall seems wide open. Traffic to
port 2000 is inspected and matched against the Skinny Client Control Protocol (SCCP), and packets
are dropped. If this issue occurs, allow SCCP in the firewall.
16 Front panel messages and troubleshooting
When using HP Access Control, information and/or error messages may display on the printer/MFP.
NOTE: These messages may display in the language selected on the configuration page.
16-1 HPAC Print Server logs
Activating the logging functionality can be helpful in detecting a problem and/or diagnosing if a simple
solution is available to solve a problem. The communication log is encrypted and logs the
communication between the printer and HPAC Print Server.
Figure 50 HPAC Secure Printing logs
Log tabs in the HPAC Print Server configuration software:
Configuration utility log
Job processing DLL log
Service log
CRL log for HP Access Control Auth-SC (Smart Cards)
If, after activating the logging functionality and analyzing the logs, a solution to a problem cannot be
found, contact technical support for further help in diagnosing and solving the problem.
For the HPAC Secure Printing Admin Software, a message displays when there is a problem. If a
critical problem develops, a tracking functionality is activated using a special procedure provided by
technical support.
16-2 Information messages
The following are information messages that may display on the device.
Table 35 Information messages
Retrieving from Printer. | HPAC Secure Printing is in the process of retrieving the user or department jobs from the printer hard disk.
Retrieving from your | HPAC Secure Printing is in the process of retrieving the user or department jobs from the HPAC Print Server hosting the
Releasing X jobs | HPAC Secure Printing is in the process of releasing X jobs on a single function
ID update in progress. Try Later. | A users local ID list is being uploaded to the printer. | Wait for the end of the list
16-3 Error messages
This section includes a list of the HP Access Control error messages. The listing also includes
troubleshooting tips and/or instructions for some of the messages.
If technical support needs to be contacted regarding an issue, make sure to note the error message
code displayed within brackets.
16-3-1 Printer error messages
Table 36 Printer error messages
[B4] HPACSP: ID update failed
• Check the HPAC Secure Printing Server IP
[B5] HPACSP: BILLING update failed
• Check the HPAC Secure Printing Server port
[B13] HPACSP: Invalid PS server
• Check the HPAC Secure Printing Server service
• Check the response time of the server. If > 20s,
the error message displays.
• Check the compatibility between the printer and
the HPAC Secure Printing Server version.
16-3-2 MFP error messages
Table 37 MFP error messages
[A10] HPACSP: No Hard
Disk, please contact
HPAC Secure Printing could not
release a stored job.
Retry the process or delete the job.
A hard disk read/write operation
The disk might need reformatting,
or might be defective.
[C15] HPACSP: System
error, please power cycle
[C16] HPACSP: Print
request failed.
[C17] HPACSP: Hard disk
operation failed.
IMPORTANT: This message is
normal during product installation
and must be ignored.
connection failed (SC). | HPAC Secure Printing could not establish an IP connection. | Verify if the LAN is alive at the printer, routers, and firewalls and if the printer’s internal configuration web page can be accessed (this is not the Jetdirect web page).
[C24] HPACSP: No server response, server: [display IP], please contact | The HPAC Secure Printing Server hosting the jobs does not answer | Verify the network, routers, firewalls, and the HPAC Print Server status.
[C25] HPACSP: No server response, server: [display IP], please contact | The HPAC Secure Printing Server hosting the jobs does not answer | Verify the network, routers, firewalls, and the HPAC Print Server status.
[C26] HPACSP: Out of memory, please power cycle | The system ran out of memory. | Reboot the device and notify support if this happens again.
[C28] Read error from server: [display IP], please contact | HPAC Secure Printing received corrupted data from the server. | Verify the network, routers, firewalls, and the version of HPAC Print Server.
[C30] HPACSP: Invalid PS server: [display IP]. | The HPAC Secure Printing Server hosting the jobs does not answer requests or sends incorrect data. | Verify the network, routers, firewalls, and the HPAC Print Server version and status.
• Check the HPAC Secure Printing Server IP address.
• Check the HPAC Secure Printing Server port number.
• Check the firewall status (read the special chapter on ports and firewalls)
• Check the HPAC Secure Printing Server service status.
• Check the response time of the server. If > 20s, the error message displays.
• Check compatibility between the printer and the HPAC Secure Printing Server version.
[C31] HPACSP: Write error from server: [display IP]. | The HPAC Secure Printing Server hosting received incorrect data. | Verify the network, routers, firewalls, and the HPAC Print Server version and status.
[C42] HPACSP: Device is not licensed, please contact Administrator. | The device does not have a valid license for HP Access Control. | Verify the license status and number of devices already served.
[C65] HPACSP: ID error (invalid badge). | The badge is not compatible with authentication parameters. | Verify the configuration:
• Check the reader settings.
• Check the ID validity.
• Check the Active Directory field containing the ID.
[C66] ID error (transmission failure). | Data received from the badge reader is corrupted. | Authenticate again, or contact support if the problem occurs
[D14] HPACSP: Server [display IP] is unreachable, please contact Administrator. | The HPAC Secure Printing Server hosting the jobs does not answer | Verify the network, routers, firewalls, and the HPAC Print Server status.
[D26] HPACSP: Failed to contact host | The HPAC Secure Printing Server hosting the jobs does not answer | Verify the network, routers, firewalls, and the HPAC Print Server status.
[D29] HPACSP: An error occurred during the login process, please authenticate again. | The function is not linked to any authentication agent in the authentication manager. | Verify the settings in the HP Authentication Manager.
The printer has not been initialized with a users list. | Use the HPAC SP Admin Software to send a valid list to the printer, or link to enrollment or live LDAP
Corrupted user list. Contact Admin | The list of users and IDs is corrupted on the printer. | Reload the users list to the device.
Chosen language not
HPAC Secure Pull Printing is not
active in the printer.
Print the printer configuration
pages and verify that the HP
Access Control application is
Server X does not respond. | The HPAC Secure Pull Printing server hosting the jobs does not answer requests. | Verify the network and the HPAC Secure Printing server status.
16-3-3 Smart Card error messages
Table 38 Smart Card error messages
[G2] HPACSP: Invalid
[G3] ACSP: Failed to upgrade reader settings. | The Smart Card reader could not get its parameters from the MFP. | Regenerate the Smart Card configuration and reboot the MFP.
[G4] HPACSP: Device is not licensed, please contact | The device does not have a valid license for HP Access Control. | Verify the license status and number of devices already served.
[G6] HPACSP: Internal error (ADK), please contact Administrator. | The Smart Card library encountered an internal error. | Reboot the MFP. Contact support if the problem happens again.
[G11] HPACSP: Invalid Print Server: [display IP], please contact | Identification process between an HPAC Secure Printing server and HPAC Secure Printing authentication failed. | Verify the HPAC Secure Printing server IP addresses and port, firewalls, antivirus, and compatibility between the versions of HPAC SPS Admin Software and HPAC Secure Printing.
• Check the HPAC Secure Printing Server IP address.
• Check the HPAC Secure Printing Server port number.
• Check the HPAC Secure Printing Server service status.
• Check the response time of the server. If > 20s, the error message displays.
• Check compatibility between the printer and the HPAC Secure Printing Server version.
[G12] ACSP: Invalid Card. | The Smart Card is not sending expected data.
• Check the reader settings.
• Check the Smart Card compliance with the
• Check the Active Directory lookup for Smart Cards.
[G19] ACSP: Initialization failed, please power cycle | The MFP cannot communicate with the Smart Cards reader. | Check if the reader is ON.
[G23] ACSP: LDAP Error – contact Administrator. | The LDAP Smart Card configuration is incorrect. | Verify the LDAP Smart Card
[G24] ACSP: LDAP Error – DATA, please contact | The LDAP Smart Card configuration is incorrect. | Verify the Smart Card LDAP
[G25] ACSP: LDAP Error – CONNECTION, please contact | The LDAP connection is not working. | Verify the LDAP Smart Card
[G29] ACSP: Invalid login and/or password. | The login/password entered for the alternate authentication are | Verify the network credentials.
[G30] ACSP: Failed to get user information. | The Smart Card LDAP configuration is incorrect. | Verify the LDAP Smart Card
Appendix A
Supported functions per device model
HPAC Secure Printing provides authentication and secure printing services. Some devices are not
supported by all functions, or will be supported in the future. See the table below and get updates on
support from
Table 39 Supported functions per device model
HP Device Model | Proximity Badges | Smart Card | PIN Code | Secure Printing
CLJ 3000
LJ P3005
LJ CP3505
LJ CP3525
CLJ 3800
LJ P4014
LJ P4015
LJ P4515
LJ CP4020
LJ CP4025
LJ CP4520
LJ CP4525
LJ M3035 MFP
LJ M4345 MFP
LJ CP6015
CM8050/8060 MFP
LJ M9040/M9050 MFP
LJ M9059 MFP
DS 9250c (no printing)
LJ 2410 1
LJ 4250
LJ 4350
CLJ 4650
CLJ 4700
LJ 4345 MFP
LJ 4730 MFP 2
LJ 2420
LJ 2430
LJ 5200/5200L
CLJ 5550
LJ 9040/9050
LJ 9040/9050 MFP
DS 9200c (no printing)
CLJ 9500
No HDD available for these devices.
One USB slot and one Compact Flash slot available only.
Appendix B
Backward compatibility
HPAC Print Server 6.2 is compatible with devices installed with 5.3.5, 6.0, and 6.1 RFU packages.
HPAC Admin 6.2 software is compatible with devices installed with 5.3.5, 6.0, and 6.1 RFU
HPAC Admin 6.2 software cannot license devices installed with 5.3.5 and 5.3 RFU packages.
Appendix C
Prerequisites for PCs and servers
Prerequisites for the Administration PC running HPAC Secure Printing Admin Software:
Windows 2003 or 2008 Server (32-bit and 64-bit)
512 MB of RAM
1 GB of free HDD capacity
.NET Framework 3.5
Internet Information Services (IIS) Manager 6.0 or 7.0
ASP.NET 2.0.50727
SQL Server Compact Edition 3.5 SP1
Microsoft Visual C++ 2008 Redistributable
Prerequisites for servers running the HPAC Secure Printing Server software:
Windows XP (32-bit) / 2003 or 2008 Server (32-bit) / Vista (32-bit)
512 MB of RAM
Enough HDD capacity to store user’s print jobs
.NET Framework 3.5
.NET Framework 2.0 and Dotnetfx
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable
Prerequisites for the optional Quota Notification tool:
Windows XP / 2003 Server / Vista (32-bit)
Windows Active Directory
.NET Framework 3.5
Prerequisites for the HPAC Secure Print driver plug-in:
Windows XP (32-bit and 64-bit) / 2003 or 2008 Server (32-bit and 64-bit) / Vista (32-bit and 64-bit)
512 MB of RAM
.NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable
Appendix D
Prerequisites for printers and MFPs
As support for new devices is constantly evolving, visit for the most current list of
supported printers, MFPs, and Digital Senders.
Printers must have a storage media (HDD, USB stick) with 50 MB free, an active TCP/IP LAN
connection, and one free host USB slot available when using a badge authentication solution.
All printers/MFPs must have EWS logins and passwords configured to function under HPAC.
NOTE: The printer/MFP must be connected to the LAN at boot time.
Table 40 Prerequisites for printers and MFPs
HP Device Model
Support Media
Minimum FW
Minimum Memory
CLJ 3000
192 MB
LJ P3005
80 MB
128 MB
LJ CP3505
256 MB
LJ CP3525
512 MB
512 MB
CLJ 3800
256 MB
LJ P4014/P4015
128 MB
LJ P4515
128 MB
LJ CP4020/CP4025
512 MB
LJ CP4520/CP4525
512 MB
384 MB
LJ M3035 MFP
256 MB
LJ M4345 MFP
256 MB
LJ M5035 MFP
256 MB
LJ CP6015
512 MB
512 MB
512 MB
512 MB
CM8050/CM8060 MFP 3
1024 MB
384 MB
LJ 2410/2420/2430         Compact Flash        128 MB
LJ 4250/4350/4240         Compact Flash        128 MB
CLJ 4650                  Compact Flash        128 MB
CLJ 4700                  Compact Flash/USB    128 MB
LJ 4345 MFP               Compact Flash        128 MB
LJ 4730MFP                Compact Flash/USB    256 MB
LJ 5200/5200L 4           Compact Flash        128 MB
CLJ 5550                  Compact Flash        256 MB
LJ 9040/9050              Compact Flash        128 MB
LJ 9040/9050 MFP          Compact Flash        256 MB
DS 9200c (no printing)    Compact Flash        256 MB
CLJ 9500 MFP              Compact Flash        256 MB
LJ M9040/M9050/M9059 MFP
DS 9250c (no printing)
IMPORTANT: The HP LaserJet CP6015 does not support firmware more recent than 04.043.2.
If printing documents with Asian characters (for example, Chinese, Japanese, Korean), be sure that the
MFP front panel supports those languages and has the appropriate base firmware. The EWS page for
the device displays the current firmware version.
No HDD available for these devices.
For technical reasons the device must be equipped with a hard disk drive.
Glossary term
Called “dot net,” this is a component of Microsoft Windows used to develop
Advanced Business Application Programming
Active Directory
A directory structure used on Microsoft Windows based computers and servers
to store information and data about networks and domains.
Advanced Encryption Standard
AES is a sophisticated encryption scheme using the AES 128-bit algorithm
combined with RSA PKI encryption public/private keys.
American Standard Code for Information Interchange
Character encoding based on the English alphabet.
The process of gathering identifying information from a user and validating this
information with a trusted source.
Comma Separated Values file format
Data Encryption Standard
An encryption technology based on DES symmetrical encryption.
Domain Name System
A data query service for translating hostnames into Internet addresses. Also, the
style of hostname used on the Internet, though such a name is properly called a
fully qualified domain name.
Extended Input/Output
Enterprise Resource Planning
Embedded Web Server
Web capabilities embedded in the device that allow a device to be managed
from any location using a browser.
File Transfer Protocol
Graphical User Interface
Hard Disk Drive
HP Access Control
Internet Information Services
Internet-based services for servers created by Microsoft for use with Microsoft
I/O Filter
SDK to allow applications to manipulate the print job stream (for example,
decryption, e-forms, job accounting).
In-Printer Agent
Lightweight Directory Access Protocol
LDAP is a relatively simple protocol for accessing online directory services, to
update and search directories running over TCP/IP.
Line Printer Remote protocol
Provides printer spooling and network print server functionality for Unix-like
Multi-Function Peripheral
A device consisting of printing, scanning, and copying; along with faxing and/or
digital sending (for example, e-mail or folder) capabilities.
Novell Distributed Print Services
Operating System
Personal Identification Number
A number that is used to gain access, similar to a password. A PIN is often not
shown when typed, such as replacing each character with an asterisk '*'.
Printer Job Language
Public Key Infrastructure
An arrangement with public and private keys to allow verification of identity. This
is used to “sign” trusted applications on the device.
Remote Firmware Upgrade
Upgrading printer/MFP firmware over the network, without using a parallel cable
to connect the printer/MFP directly to a computer.
Systems, Applications and Products
Secure Mobile Printing
Simple Mail Transfer Protocol
A protocol used to transfer electronic mail between computers, usually over
Ethernet. It is a server-to-server protocol, so other protocols are used to access
the messages.
Secure Sockets Layer
A protocol that provides encrypted communications on the Internet. SSL is
layered beneath application protocols such as HTTP, SMTP, Telnet, FTP,
Gopher, and NNTP; and is layered above the connection protocol TCP/IP. It is
used by the HTTPS access method.
Transmission Control Protocol over Internet Protocol
The standard Ethernet protocols. TCP/IP was developed for internetworking,
and encompasses both network layer and transport layer protocols. While TCP
and IP specify two protocols at specific protocol layers, TCP/IP is often used to
refer to the entire DoD protocol suite based upon these, including telnet, FTP,
UDP and RDP.
Universal Print Driver
One driver for office printing, with simple discovery of devices and features, and
centralized control and security—easy to use and manage.
Universal Serial Bus
Web Jetadmin
HP’s web-based network peripheral management software.
eXtensible Markup Language
A simple dialect of SGML suitable for use on the World Wide Web.