Richie Thomas, Jenny (CW-Beyondsoft)

c04222990ENW, Rev. 10, Mar 2021
Technical white paper
HP JetAdvantage Security Manager
Instant-On Security and Auto-Group Remediation
Table of Contents
Overview
  What is Instant-On Security?
  What is Instant-On Secure at Install?
  What is Instant-On Stay Secure?
  How do I implement Instant-On Security?
Instant-On Security, Part 1 - Device Announcement Agent (DAA)
  Introduction to Device Announcement Agent (DAA)
  Instant-on workflow
    DAA Workflow Diagram
  Explanation of the DAA workflow
    Device and DNS configuration
    Network Activity
    Initial Device Announcement Use Cases
      Use Case 1 - Auto Discovery and Policy Conformance
      Use Case 2 - Semi-Auto Discovery and Policy Conformance
      Use Case 3 - Pre-staged Device Discovery and Policy Conformance
      Use Case 4 - Filtered Discovery and Policy Conformance
    When are Device Announcement Messages Created?
    Post-Install Device Announcement Use Cases
      Use Case 1 - Device Cold Reset
      Use Case 2 - Device Formatter or JetDirect Interface Replacement
      Use Case 3 - Device Acquires New IP address
    Security and Mutual Authentication
Instant-On Security, Part 2 - Security Manager Instant-On Security Settings
  Introduction
  Enabling Instant-on Discovery
  Enabling Instant-On Security
    Configuring Instant On Forwarding to WJA
    Configuring Instant On Mutual Authentication
      Mutual Authentication Configuration
      Announcement Message Summary
    Configuring Instant On with Device Serial List filtering
    Instant-On Assessment Policy with HPSM 3.3 and older
    Instant-On Assessment Policy from HPSM 3.4 onwards
Part 3 - Autogrouping and autogroup remediation
  A. Autogroup remediation for devices discovered via instant-on
  B. Autogroup remediation for devices discovered via manual or automatic discovery
  C. Autogroup remediation at configured time intervals
  D. Autogroup remediation after editing an autogroup or autogroup policy
Part 4 - Performance Implications
Part 4 - Summary
Appendix A
  Links to other HP Security Manager Whitepapers

Overview
What is Instant-On Security?
HP JetAdvantage Security Manager (HPSM) is the industry's first policy-based security compliance solution for HP printing and imaging devices. Unique to Security Manager, the Instant-On Security feature provides automatic device discovery and security compliance configuration when an HP supported device is first connected to the network. Afterwards, Instant-On Security maintains security compliance when the usual "after installation" scenarios place the device into a non-compliant state.
What is Instant-On Secure at Install?
Instant-On Security is a dual component solution consisting of dedicated communication between a supported device and appropriately configured Security Manager software. When enabled at the device, a special device announcement agent locates the Security Manager server and requests secure communication. After the agent source is authenticated, the Security Manager server responds by adding the device to the database and applying a pre-configured corporate security policy. This activity will be referred to as Secure at Install throughout the document.
What is Instant-On Stay Secure?
After being registered with Security Manager, a device generates an announcement when power cycled, cold reset, assigned a different IP address and for other device specific conditions while on the network. Upon receiving an announcement, Security Manager assesses the device and immediately remediates any setting found to be out of compliance with the last security policy applied to that device. This activity will be referred to as Stay Secure throughout the document. Instant-On security does not rely on periodic database refreshing or special device group configuration. The process is simple; any time a device announces, Security Manager will assess the device and remediate any setting found to be out of compliance with the established corporate security policy.

How do I implement Instant-On Security?
The remainder of this document includes a general and detailed understanding of the Instant-On Security feature, organized into two primary sections. Part 1 covers the device side component, referred to as the Device Announcement Agent. Part 2 covers the Security Manager Instant-On Security configuration server component. Familiarization with both components will explain Instant-On Security as a complete solution and provide assistance for proper implementation.
Instant-On Security, Part 1 - Device Announcement Agent (DAA)
Introduction to Device Announcement Agent (DAA)
This section provides a general understanding of the Device Announcement Agent, why it was developed, and the value it provides.
The Device Announcement Agent (DAA) serves as the device-side component of the Instant-On Security solution and can be found as embedded functionality in most Security Manager supported printers. The DAA can also be found in recently released HP JetDirect network interface cards to provide Instant-On compatibility with legacy HP printers missing the embedded DAA functionality. Please refer to the HP JetAdvantage Security Manager Supported Devices document found at www.hp.com/go/securitymanager for the most current list of Instant-On Security supported devices.
Note: Security Manager Instant-On Security supported devices are a subset of Security Manager overall supported devices.
Developed strictly for use with the Security Manager Instant-On feature, the DAA combined with Security Manager addresses three primary customer desires:
1. An automatic printing device discovery solution that doesn't require additional network configuration, additional protocol enabling, exhaustive searches or chatty broadcasts
2. A solution that provides a true out-of-the-box device security compliance experience or what is referred to as Secure at Install
3. A solution that can maintain security settings when the installed device is cold reset or changes IP addresses or hostname, referred to as the Stay Secure experience
Due to limitations in fully automatic discovery methods, networked printer discovery is generally a manual process requiring device or network specific input. For example, automatic device discovery methods such as SLP (Service Location Protocol) and Bonjour (mDNS) can provide some automation to the discovery process. Both methods commonly possess limitations that prevent them from being a complete solution in most corporate environments. SLP adoption typically faces packet filtering restrictions, and Bonjour is limited to a single broadcast domain without special DNS configuration. In addition, automatic discovery methods such as exhaustive subnet scanning are not feasible for IPv6 networks due to the size of the address space. These and other automatic methods typically involve some manual intervention, lack efficiency, and do not scale well for large enterprises.
To overcome such limitations, the innovative Device Announcement Agent (DAA) was developed and provides a supported HP printing device the capability of "announcing" its presence directly to the Security Manager server. This announcement process is handled through common DNS address resolve and dedicated TCP port communication (port 3329). The DAA model alleviates the need for manual intervention, is not chatty, and serves as a more efficient device discovery mechanism. After the initial device discovery process is complete, Security Manager applies the established security policy to the device over a secure TCP connection. A device Secure at Install experience is the result of this two-step process.
After the Secure at Install process is complete, Instant-On continues with the Stay Secure process via the DAA announcements that occur for device cold resets, IP address changes and other device specific conditions. The Stay Secure process ensures the device is remediated in accordance with the last security policy applied. With Security Manager, only the settings found to be out of compliance with the established security policy are targeted for remediation.
To quickly identify DAA functionality presence on a specific device, you may print a configuration page. A configuration page example of DAA presence is provided below. You may also browse to the device's embedded web server "Networking" page to verify DAA presence.

HP Web Jetadmin provides fleet configuration of the Device Announcement Agent. You can set up a device layout in HP Web Jetadmin to include the Device Announcement Agent column. DAA presence is represented by an Enabled, Disabled or Not Supported status in this column.
The device DAA functionality is enabled by default but can be manually disabled via the control panel, Embedded Web Server or HP Web Jetadmin.

An enabled Device Announcement Agent will announce when the device is powered up on the network for the first time. Announcements also occur during a device power cycle, cold reset, IP address change and link down/link up scenario.
Instant-on workflow
The Device Announcement Agent is enabled by default. The device is capable of displaying four different DAA states: Disabled, In Progress, Success or Failed. Success indicates the device was able to discover a Security Manager server and establish communication. Failed indicates the device wasn't able to discover a Security Manager server or wasn't able to establish a connection with a discovered Security Manager server. Use the following DAA workflow description and the diagram below to understand the device announcement experience:
1. A supported device is powered up on network with a pre-configured IP address or automatically acquires an IP address after network installation. The DAA is enabled by default on the device, but can easily be disabled if Instant-On Security is not desired. In the disabled scenario, the device will show a disabled status for the announcement agent.
2. If the DAA is enabled, and the Security Manager server IP address is configured on the device, the device will target the provided Security Manager server IP address to begin Instant-On communication. If the Security Manager server IP address is not configured on the device, the device will attempt DNS IP resolution of the following hostname or DNS alias (CNAME): hp-print-mgmt. Note: This hostname or alias must be administratively assigned to the Security Manager server for successful default Instant-On functionality.
3. The Security Manager server Instant-On feature must be enabled and configured to allow DAA communication to proceed without failure. The Instant-On feature can be configured to discover only or discover, assess and remediate.
4. With the Security Manager server IP address known (either through direct configuration or DNS resolve), TCP port 3329 communication is attempted with the Security Manager server. The device announces itself using SSL and its self-signed identity certificate.
5. Upon receiving the announcement, the Security Manager configuration server authenticates the device, retrieves the device's identity details, and adds the device to the database. Security Manager then continues with an assessment of the device based upon the designated Security Manager security policy and remediates the device's non-compliant security settings.

DAA Workflow Diagram
Explanation of the DAA workflow
This section presents the Device Announcement Agent workflow in greater detail, including network configuration for default functionality, network activity, primary use cases, communication specifics, and authentication.
Device and DNS configuration
DAA communication occurs via a protocol that will be referred to in this document as HDAP (HP Device Announcement Protocol). When a DAA enabled printer comes online in a networked environment, it follows a process of contacting the default Security Manager server to request discovery and compliance with a configured corporate security policy. All use cases follow the same basic workflow, but differ in the way that the device is authenticated to the Security Manager server and in whether some manual intervention in the workflow is required. In order to leverage the default functionality provided by a DAA enabled printer, the network administrator must make a minimal DNS configuration change to the networked environment. Once the configuration change is complete, any Instant-On supported device coming online will be automatically discovered and configured to a secure setting. The required steps are as follows:
1. The DNS administrator configures a DNS entry for the default Security Manager server hostname hp-print-mgmt on the network where a new HP print device is to be placed. The hp-print-mgmt reference can be the actual Security Manager server hostname or a DNS alias (CNAME) of that specific server. If the administrator is unable or unwilling to configure this DNS entry, the DAA must be manually configured to include the IP address of the Security Manager server. HP Web Jetadmin can assist with the DAA configuration from a fleet management perspective. Pre-configuring the Security Manager server IP address in the DAA eliminates the need for DNS, but adds a manual step to the default Instant-On process.
Note: The DAA DNS resolve occurs on the local domain only unless the device is configured to query additional domains or the DNS environment is configured to refer to other domains. The device can be automatically configured with a specific DHCP server option (option 119) that assigns additional domain suffixes or manually configured with the additional domain information via the device's embedded web server. The Microsoft DHCP domain search options differ by server operating system. To understand more about specific server operating system DHCP capabilities and automatic domain search options, please refer to the Microsoft Support Knowledge Base. A network trace example is shown below of DAA behavior when the hp-print-mgmt hostname or DNS alias cannot be found on the local domain and the device searches on other domains for which the network interface may be configured.
Note: When IPv6 is enabled on the device, you will notice at least one IPv6 (AAAA) and one IPv4 (A) DNS request per domain.
2. TCP Port 3329 is registered with the IANA (Internet Assigned Numbers Authority) and specifically assigned to HP Security Manager. This port is dedicated to Instant-On communication between the HP supported device and Security Manager. Port 3329 is also referred to as the hp-device-disc port. If the Security Manager server Windows firewall is in use, ensure the firewall allows TCP Port 3329 communication in both directions.
3. At the Security Manager server, create a security policy that best describes the conformance requirements for devices on this network. This policy should be the most encompassing policy relative to the mix of device models found in your corporate printing environment.
4. At the Security Manager server, configure authentication requirements for communicating with devices. Devices will attempt the highest level of authentication available. Choices are "No Authentication" (true out-of-the-box conditions) or "Mutual Authentication", which leverages installed certificates.
5. Place a device which supports the DAA, and on which it is enabled, on the network.
Network Activity
Instant-On security operates with very little impact to the network. As mentioned earlier in this document, the Device Announcement process consists of resolving the Security Manager server hostname or alias of hp-print-mgmt to an IP address. Once the address is resolved, a dedicated TCP port (3329) is opened for direct communication between the device and Security Manager. For a detailed flow of what to expect to see on the network, please see the DNS flow diagram below.
Note: If the Security Manager IP address is pre-configured in the DAA, the DNS resolve step in the Instant-On Security process is eliminated.
Resolving the hp-print-mgmt hostname or alias:
Successful DNS resolution of the hp-print-mgmt hostname or alias (IPv6 Enabled)
The trace below is an example of a successful DNS resolution of the default hostname hp-print-mgmt.domain.company.net. After an unsuccessful attempt at DNS resolve over IPv6, the device retried over IPv4. Once the hostname resolved to an IP address, the device then opened a TCP connection on port 3329. This connection then serves as secure communication between Security Manager and the device.

Note: IPv6 is enabled by default on the device
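The announcement sequence described in this Network Activity section, as an added example that is not part of the HP document: a small Python parser over constructed trace lines (the line format, the device and server addresses, and the domain names are assumptions, not a real capture) that reconstructs, per device, which domains it searched for hp-print-mgmt, whether resolution succeeded, whether it opened a connection to TCP 3329, and which domains from the expected DHCP option 119 search list it never queried. expected_queries() also produces the AAAA/A query list the note above says to expect per domain, for comparison against a real trace.

```python
"""Reconstruct Instant-On announcement attempts from DNS and TCP trace lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_HOSTNAME = "hp-print-mgmt"   # default hostname/alias the DAA resolves
HDAP_PORT = 3329                     # IANA-registered hp-device-disc port

# Constructed sample trace (not a real capture). The line shapes are an assumption:
#   <device ip> DNS query <AAAA|A> <name>
#   <device ip> DNS response <AAAA|A> <name> <address|NXDOMAIN|NODATA>
#   <device ip> TCP SYN <server ip>:<port>
SAMPLE_TRACE = """\
10.1.2.50 DNS query AAAA hp-print-mgmt.branch.example.net
10.1.2.50 DNS query A hp-print-mgmt.branch.example.net
10.1.2.50 DNS response A hp-print-mgmt.branch.example.net NXDOMAIN
10.1.2.50 DNS query AAAA hp-print-mgmt.corp.example.net
10.1.2.50 DNS response AAAA hp-print-mgmt.corp.example.net NODATA
10.1.2.50 DNS query A hp-print-mgmt.corp.example.net
10.1.2.50 DNS response A hp-print-mgmt.corp.example.net 10.9.0.10
10.1.2.50 TCP SYN 10.9.0.10:3329
10.1.2.77 DNS query AAAA hp-print-mgmt.branch.example.net
10.1.2.77 DNS query A hp-print-mgmt.branch.example.net
10.1.2.77 DNS response A hp-print-mgmt.branch.example.net NXDOMAIN
"""

QUERY_RE = re.compile(r"^(\S+) DNS query (AAAA|A) (\S+)$")
RESPONSE_RE = re.compile(r"^(\S+) DNS response (AAAA|A) (\S+) (\S+)$")
SYN_RE = re.compile(r"^(\S+) TCP SYN (\S+):(\d+)$")
NEGATIVE = {"NXDOMAIN", "NODATA"}


@dataclass
class Announcement:
    device: str
    domains_tried: List[str] = field(default_factory=list)
    resolved_to: Optional[str] = None
    contacted_server: bool = False

    def status(self) -> str:
        """Map what was seen on the wire to the DAA states named in the document."""
        if self.contacted_server:
            return "Success"      # hostname resolved and a TCP 3329 connection was opened
        if self.resolved_to is None:
            return "Failed"       # hp-print-mgmt not found on any domain the device searched
        return "In Progress"      # resolved, but no connection to port 3329 seen yet


def expected_queries(search_domains: List[str], ipv6_enabled: bool = True,
                     hostname: str = DEFAULT_HOSTNAME) -> List[Tuple[str, str]]:
    """DNS queries the DAA is expected to send: one AAAA (if IPv6 is on) and one A per domain."""
    queries = []
    for domain in search_domains:
        fqdn = f"{hostname}.{domain}"
        if ipv6_enabled:
            queries.append(("AAAA", fqdn))
        queries.append(("A", fqdn))
    return queries


def parse_trace(text: str, hostname: str = DEFAULT_HOSTNAME,
                port: int = HDAP_PORT) -> Dict[str, Announcement]:
    """Group trace lines per device and record resolution and connection progress."""
    prefix = hostname + "."
    devices: Dict[str, Announcement] = {}
    for line in text.splitlines():
        line = line.strip()
        if (m := QUERY_RE.match(line)) and m.group(3).startswith(prefix):
            ip, _, name = m.groups()
            dev = devices.setdefault(ip, Announcement(ip))
            domain = name[len(prefix):]
            if domain not in dev.domains_tried:
                dev.domains_tried.append(domain)
        elif (m := RESPONSE_RE.match(line)) and m.group(3).startswith(prefix):
            ip, _, _, result = m.groups()
            if result not in NEGATIVE:
                devices.setdefault(ip, Announcement(ip)).resolved_to = result
        elif m := SYN_RE.match(line):
            ip, dst, dport = m.groups()
            dev = devices.get(ip)
            # Count the connection only if it goes to the resolved server on the HDAP port
            if dev and int(dport) == port and dev.resolved_to == dst:
                dev.contacted_server = True
    return devices


def summarize(text: str, search_domains: List[str]) -> Dict[str, dict]:
    """Per device: DAA status, where it resolved, and search-list domains it never queried."""
    report = {}
    for ip, dev in parse_trace(text).items():
        report[ip] = {
            "status": dev.status(),
            "resolved_to": dev.resolved_to,
            "domains_tried": dev.domains_tried,
            "domains_not_queried": [d for d in search_domains if d not in dev.domains_tried],
        }
    return report
```

Calling summarize(SAMPLE_TRACE, ["branch.example.net", "corp.example.net"]) reports 10.1.2.50 as Success and 10.1.2.77 as Failed; the second device never queried corp.example.net, which is the symptom to expect when the domain search list (DHCP option 119 or the EWS setting) has not reached the device.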

Initial Device Announcement Use Cases
Setting up the network as explained above will allow for an initial default out-of-the-box device security configuration experience. Below is a list of the most common Secure at Install use cases.
Use Case 1 - Auto Discovery and Policy Conformance
A DAA enabled Security Manager supported device is placed on the network for the first time without any staged configuration. The Security Manager server Instant-On feature is configured to "Accept Device Announcements" and "Allow Automatic Remediation". The device acquires a DHCP address and attempts to resolve the DNS hostname or alias of hp-print-mgmt. Once hp-print-mgmt is resolved to the HP Security Manager server IP address, the device is authenticated and Security Manager communication is established. Security Manager places the newly discovered device in the database, assigns a license, and remediates the device in accordance with the established security policy. In this popular use case, a new device when added to the network will be automatically discovered, licensed, assessed, remediated and verified by Security Manager.
Use Case 2 - Semi-Auto Discovery and Policy Conformance
A DAA enabled Security Manager supported device is placed on the network and manually configured with the IP address of the designated Security Manager server. The Security Manager server Instant-On feature is configured to "Accept Device Announcements" and "Allow Automatic Remediation". The device acquires a DHCP address and establishes direct communication with the Security Manager server. Once authenticated, Security Manager places the newly discovered device in the database, assigns a license, and remediates the device in accordance with the established security policy. This use case allows Instant-On functionality without DNS resolve. The trade-off: IT DNS configuration is not required, but device pre-configuration is.
Use Case 3 - Pre-staged Device Discovery and Policy Conformance
A DAA enabled Security Manager supported device is staged and placed on the network in a pre-configured state. This pre-configured state may include an installed mutual authentication certificate and applied security settings. The device is manually configured with the IP address of the designated Security Manager server. The Security Manager server Instant-On feature is configured to "Accept Device Announcements" and "Allow Automatic Remediation". After communication is established and authentication complete, the newly discovered device is placed in the database. A license is assigned, and remediation occurs for any security setting not in compliance with the applied security policy. This use case ensures all the pre-configured new devices are discovered, mutually authenticated through certificates and match security settings with the established security policy.
Use Case 4 - Filtered Discovery and Policy Conformance
A DAA enabled Security Manager supported device is placed on the network without any staged configuration. The Security Manager server Instant-On feature is configured to "Accept Device Announcements", "Allow Automatic Remediation" and utilize device serial numbers as a method of filtering Instant-On activity. The device acquires a DHCP address and attempts to resolve the DNS hostname or alias of hp-print-mgmt. Once hp-print-mgmt is resolved to the Security Manager server IP address and Security Manager communication is established, Security Manager continues the Instant-On process only if the device matches a serial number entry in the Security Manager Instant-On serial number list. If so, Security Manager places the newly discovered device in the database, assigns a license, and remediates the device in accordance with the established security policy. Upon successful interaction, the serial number is then removed from the UI list, but the database entry remains in order to continue the serial number filtering process for Instant-On. This use case provides a filtering option for selective Instant-On processing.
When are Device Announcement Messages Created?
Many HP devices support a feature called a Device Announcement Agent whereby announcement packets are sent to Security Manager whenever any of the following conditions exist on the device:
· Initial boot
· Power cycle
· Network disconnect/reconnect
· IP Address change
· Hostname change
· Cold Reset
· Every 47~48 hours regardless of any other action triggering an announcement. This is not configurable and only available from FutureSmart 4 onwards.
Post-Install Device Announcement Use Cases
After the Secure at Install process is complete, Instant-On security continues with the Stay Secure process via the DAA announcements that occur for device cold resets, IP address changes and other device specific conditions that might place the device in a non-compliant state. After receiving an announcement, Instant-On ensures the device is assessed and remediated in accordance with the last security policy applied. Below, is a list of the most common Stay Secure use cases.
Use Case 1 - Device Cold Reset
A Security Manager managed device has experienced a condition where a return to a default configuration (cold reset) is required. As a result of the cold reset, many of the security settings applied through the original Security Manager policy remediation are cleared. The cold reset action produces a DAA announcement, thus prompting communication with Security Manager. The Security Manager server processes the announcement, matches device identity with the existing database entry, and applies the last policy the device was assessed with. The device database entry is reconciled with any device identity attributes that might have changed during the cold reset. Through this process, the device is immediately placed back into its secure state.
Use Case 2 - Device Formatter or JetDirect Interface Replacement
A Security Manager managed device has experienced a hardware failure, requiring a Formatter or JetDirect interface replacement. After completing the repair, the service technician reloads the original serial number into the device. Applying power to the device after placing the unit back on the network generates a DAA announcement. The Security Manager server processes this announcement, reconciles the device identity based on the serial number match and applies the last policy the device was assessed with. Through this process, the device is immediately placed back into its secure state.
Use Case 3 - Device Acquires New IP address
The device has moved physical locations and acquired a new IP address. The IP address change produces a DAA announcement, thus prompting communication with Security Manager. The Security Manager server processes the announcement, matches device identity with the existing database entry, and applies the last policy the device was assessed with. The device database entry is reconciled with any device identity attributes that might have changed as a result of the IP address change.
Security and Mutual Authentication
Once the Security Manager server IP address has been acquired, the DAA attempts to open up communication using the most secure authentication method configured on the device. No authentication is the default state. Require Mutual Authentication via Certificates will provide the most secure configuration method, since certificates must be installed and trusted on this device as well as on the Security Manager server.

When Require Mutual Authentication via Certificates is enabled, announcements are sent using trusted SSL/TLS authentication. If certificate authentication is enabled, but fails authentication for any reason, Instant-On communication ceases and an announcement agent failure is posted. If certificates are configured on the device, but Require Mutual Authentication via Certificates is disabled, trusted SSL/TLS authentication is still attempted. However, the DAA allows the SSL/TLS connection to proceed after authentication fails. Security Manager may close the SSL/TLS connection as a result of failing to validate the device certificate. This decision is determined by the device announcement security policy on the Security Manager server. For more information on use of certificates with the Instant-On Security feature, please refer to Mutual Authentication in Part 2 of this document.

Instant-On Security, Part 2 - Security Manager Instant-On Security Settings
Introduction
As mentioned in Part 1, Security Manager Instant-On Security is a dual component solution. The first component is the Device Announcement Agent (DAA), explained in Part 1. The second component is the Security Manager server itself, configured for Instant-On functionality. This host component will be referred to as the Instant-On Configuration Server throughout the remainder of this document. When Security Manager is enabled as the Instant-On Configuration Server, it becomes the discovery and configuration server for the supported devices that are able to announce themselves through the Device Announcement Agent. Unlike the Device Announcement Agent, the Instant-On Configuration Server is not enabled by default, and the Allow Automatic Remediation option is not checked by default.
The configuration options under Instant-On Security offer two modes: discovery of devices via Instant-On only, or full Instant-On Security.
Enabling Instant-on Discovery
Option 1 is discovery only of DAA supported devices by selecting Accept Device Announcements without selecting Allow Automatic Remediation. Upon receiving the device announcement, Security Manager will establish communication with the device, place the device in the database and assign it a license. It will not attempt to apply the configured security policy. This option does not provide Instant-On Security, only discovery through the device announcement agent.

Enabling Instant-On Security
Option 2 is the selection of Accept Device Announcements and Allow Automatic Remediation with an Initial Assessment Policy. This combined selection will discover the DAA enabled device and apply the security policy that appears in the Initial Assessment Policy field. This combination provides Instant-On Security. To enable listening to device announcements the Accept Device Announcements box must be selected. After selecting Accept Device Announcements, a pop-up notification provides a reminder to ensure TCP port 3329 is not blocked at the firewall.

An Instant-On discovered device appears in the device list as Auto Discovered under the Instant On Auto Discovered column, and the Last Policy Used column indicates which policy was used for automatic remediation if enabled.
The default Instant-On Security configuration will accept and process discovery and policy requests from every device capable of announcing itself through the device announcement agent. This default configuration does not include the selection of trusted certificate based mutual authentication or serial number filtering of devices and is configured as such to accommodate a true out-of-the-box device security experience.
Configuring Instant On Forwarding to WJA
Devices discovered via Instant On can be shared with other Security Manager installations or Web Jetadmin installations by adding them as Secondary Listeners. Click New under the Secondary Listeners section and add the hostnames or IP addresses of all Security Manager and Web Jetadmin installations with which the Instant On discovered devices should be shared. Check the box Validate Identity Certificate before sending Device Announcements to this Secondary Listener if it is desired to enforce trust through identity certificates, so that the secondary listener is certain to be who it says it is.
In order for Web Jetadmin to receive the Instant On discovered devices sent to it from a primary Security Manager listener server, check the box Accept Device Announcements from HP JetAdvantage Security Manager under Tools, Options, Instant On Listen in HP Web Jetadmin. Web Jetadmin listens by default on port 3329 for device announcements sent to it from a primary Security Manager listener server and adds those devices to its device list. If you select a custom port in WJA (see screenshot below), you must also configure that port in HPSM. This is done in HPSM_Service.exe.config: search for the Secondary Listeners section and make changes similar to the following example:

    <SecondaryListeners>
      <InstantOnPortMapping>
        <Mapping ipOrHostname="WJASERVER" port="3033"/>
      </InstantOnPortMapping>
    </SecondaryListeners>

After making the changes, restart the HP JetAdvantage Security Manager service. The transaction between the primary listener (HPSM) and the secondary listener (WJA) is encrypted using the self-signed certificate in Web Jetadmin. If it is desired to enforce trust so Security Manager can ensure the Web Jetadmin server is truly who it says it is via a certificate authority, check the box Validate using the WJA Identity Certificate.
If it is desired to allow a second Security Manager to receive Instant On discovered devices from a primary Security Manager listener server, check the box named From Primary Listeners. Choose whether only encryption will be used for the transaction (via a self-signed certificate) or whether trust should also be enforced via a CA-signed identity certificate.
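The port-mapping change above is easy to get wrong by hand: a malformed HPSM_Service.exe.config can keep the service from starting, and a port blocked between the two servers fails silently. The following PowerShell script is an added example and not HP code. It adds or updates the <Mapping> entry for a secondary listener, restarts the service and probes the port. The install path is the default quoted in this document; the service display-name pattern and any element names beyond those shown above are assumptions, so check them against your installation.

```powershell
# Added example (not HP code): register a Web Jetadmin secondary listener that uses a
# custom Instant On Listen port. Edits <SecondaryListeners><InstantOnPortMapping> in
# HPSM_Service.exe.config, restarts the Security Manager service and probes the port.
# Assumptions: default install path as quoted in this document; the Windows service is
# located by display name, so adjust $ServiceDisplayName if yours differs.
param(
    [Parameter(Mandatory)][string]$ListenerHost,          # e.g. WJASERVER
    [Parameter(Mandatory)][int]$Port,                     # custom port configured in WJA
    [string]$ConfigPath = 'C:\Program Files (x86)\HP JetAdvantage Security Manager\HPSM_Service.exe.config',
    [string]$ServiceDisplayName = 'HP JetAdvantage Security Manager*'
)

function Set-InstantOnPortMapping {
    param([string]$Path, [string]$HostName, [int]$PortNumber)

    # Keep a timestamped backup; a malformed config stops the service from starting.
    Copy-Item -Path $Path -Destination ("{0}.{1:yyyyMMddHHmmss}.bak" -f $Path, (Get-Date))

    $cfg = New-Object System.Xml.XmlDocument
    $cfg.PreserveWhitespace = $true          # keep the file's existing layout on save
    $cfg.Load($Path)

    $listeners = $cfg.SelectSingleNode('//SecondaryListeners')
    if (-not $listeners) { throw "No <SecondaryListeners> element in $Path" }

    $mappings = $listeners.SelectSingleNode('InstantOnPortMapping')
    if (-not $mappings) {
        $mappings = $listeners.AppendChild($cfg.CreateElement('InstantOnPortMapping'))
    }

    # One <Mapping> per host: update an existing entry rather than adding a duplicate.
    $existing = $mappings.SelectNodes('Mapping') |
        Where-Object { $_.GetAttribute('ipOrHostname') -ieq $HostName }
    if ($existing) {
        $existing | ForEach-Object { $_.SetAttribute('port', "$PortNumber") }
    } else {
        $m = $cfg.CreateElement('Mapping')
        $m.SetAttribute('ipOrHostname', $HostName)
        $m.SetAttribute('port', "$PortNumber")
        [void]$mappings.AppendChild($m)
    }
    $cfg.Save($Path)
}

Set-InstantOnPortMapping -Path $ConfigPath -HostName $ListenerHost -PortNumber $Port

# The service reads HPSM_Service.exe.config only at start-up.
$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
Restart-Service -InputObject $svc -Force

# Forwarding fails silently if the listener port is blocked between the two servers.
$probe = Test-NetConnection -ComputerName $ListenerHost -Port $Port -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "TCP $Port on $ListenerHost is not reachable from this server; check the firewalls on both sides."
}
```

Run it from an elevated PowerShell session on the Security Manager server, for example .\Set-SecondaryListenerPort.ps1 -ListenerHost WJASERVER -Port 3033. The same port probe, pointed at the Security Manager server on port 3329, is a quick way to confirm the firewall reminder shown when Accept Device Announcements is selected.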
Configuring Instant On Mutual Authentication
Instant-On Security configuration options are available to filter device "Instant-On" participation. Selecting Mutual Authentication leverages installed trusted certificates to establish a higher level of Instant-On connection and communication security. When selected and configured, only the devices that complete device identity certificate validation can participate in the Instant-On process.
As mentioned in Part 1, HP supported devices now have the capability of announcing their presence on the network. This device capability is enabled by default. The Device Announcement Agent sends an Announcement Message request directly to the Instant-On Configuration Server to announce its presence. This is not a broadcasted message. The device automatically receives the Security Manager server IP address through resolving the DNS hostname of hp-print-mgmt or through manual configuration of the Device Announcement Agent IP address field. The Announcement Acknowledge reply from the Instant-On Configuration Server acknowledges receipt of the message and returns the status of the attempted authentication method.
Instant-On Security can be configured for mutual authentication, an announcement option that relies upon device and Security Manager identity assurance through a combination of client-to-server and server-to-client SSL/TLS (Secure Sockets Layer/Transport Layer Security) authentication. Mutual authentication is also informally referred to as 2-way SSL/TLS authentication.
Deploying trusted certificates for mutual authentication provides the most secure method of Instant-On Security. Since certificates persist across a cold reset, this method of Instant-On Security protects the device even if it is cold reset. Successful mutual authentication requires the configuration and installation of a valid identity (ID) certificate on the device and in Security Manager. On the device, the unique identity certificate must be signed by a CA (Certificate Authority) and installed as a replacement of the default self-signed device certificate. On the Security Manager server, a unique identity certificate signed by a CA and placed in the local computer Personal store is also required. The corresponding CA certificate must also be installed on the device (see Figure 26) and in the Security Manager server's local computer Trusted Root Certification Authorities store. Using a single CA to sign both identity certificates is not required, but can simplify the process by reducing the number of necessary components. Certificates can be configured manually, or a certificate manager can be used.

Handshake

When mutual authentication is configured for Instant-On communication, appropriate handshaking occurs to establish an encrypted channel prior to any message exchanges. The handshake includes dialogue to establish the identities of the device and Security Manager via the mutual presentation of signed digital certificates. The dialogue is similar to the example below:
· Client sends a message proposing the SSL/TLS options
· Server responds with SSL/TLS option selection
· Server presents its identity certificate
· Server requests client's certificate
· Server negotiation is complete
· Client presents its identity certificate
· Client sends key (encrypted with server's public key)
· Client notifies server that it owns the sent certificate
· Client sends message activating the negotiated options
· Client sends "finished" message, asking server to check negotiated options
· Server sends message activating the negotiated options
· Server sends "finished" message, asking client to check negotiated options
Authentication

Authenticating the server consists of checks that include:

· Has the server certificate expired or been revoked?
· Can the CA (Certificate Authority) that issued the certificate be trusted?
· Does the CA's public key validate the digital signature?
· Does the domain name in the certificate match the domain name of the server?

Authenticating the client consists of checks that include:

· Does the client public key validate the client digital signature?
· Has the client certificate expired or been revoked?
· Can the CA (Certificate Authority) that issued the certificate be trusted?
· Does the CA's public key validate the digital signature?
Certificate Selection

The figure below provides the Security Manager example of how to invoke Mutual Authentication and select the appropriate certificate. The figure below also provides the device embedded web server example of where and how to install a JetDirect and CA certificate.
Note: During the Instant-On mutual authentication process, the device and Security Manager toggle between roles of client and server. When creating (ID) certificates for the printer and Security Manager, ensure the certificates are configured for Server and Client Authentication under Enhanced Key Usage.
To participate in a Mutual Authentication announcement, each device must be set to Require Mutual Authentication via Certificates. From Security Manager, select Mutual Authentication and choose the Certificate to use from the list of security certificates found on the server. The Security Manager list of available certificates is derived from entries found in the Local Computer Personal store.
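The following PowerShell script is an added example, not part of this document or of HP's software. It lists the certificates in the Local Computer Personal store that Security Manager would offer in this list and applies the server-side checks from the Authentication section above (expiry, revocation, trusted CA, signature and name match) together with the Enhanced Key Usage requirement from the note above, so that an unsuitable certificate is spotted before it is selected. It assumes the name the devices use for the server is either the server's FQDN or the hp-print-mgmt DNS alias; adjust $ExpectedNames if your deployment uses a different name.

```powershell
# Added example (not HP code): list certificates in the Local Computer Personal store that
# satisfy the Instant-On mutual authentication requirements described above, and run the
# server-side checks (expiry, revocation, trusted CA, signature, name match) against each.
# Assumption: devices reach the server by its FQDN or the DNS alias hp-print-mgmt.
param(
    [string[]]$ExpectedNames = @(
        [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName,
        'hp-print-mgmt'
    )
)

$OidServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$OidClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (roles toggle during Instant-On)

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name (OID 2.5.29.17); Format() yields "DNS Name=a, DNS Name=b"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $Matches[1] } }
    }
    return $names | Select-Object -Unique
}

function Test-HpsmIdentityCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$Names
    )
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # Chain build covers "CA trusted", "signature valid" and, with online checking, "revoked".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk  = $chain.Build($Cert)
    $dnsNames = Get-CertDnsNames -Cert $Cert
    $now      = Get-Date

    [pscustomobject]@{
        FriendlyName  = $Cert.FriendlyName
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEKU = ($ekus -contains $OidServerAuth)
        ClientAuthEKU = ($ekus -contains $OidClientAuth)
        NotExpired    = ($Cert.NotBefore -le $now -and $Cert.NotAfter -gt $now)
        ChainTrusted  = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        NameMatches   = [bool]($dnsNames | Where-Object { $Names -contains $_ })
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)   # the default JetDirect-style cert
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-HpsmIdentityCertificate -Cert $_ -Names $ExpectedNames } |
    Format-Table FriendlyName, HasPrivateKey, ServerAuthEKU, ClientAuthEKU, NotExpired,
                 ChainTrusted, NameMatches, SelfSigned, ChainStatus -AutoSize
```

A certificate suitable for the Certificate field shows True in every column except SelfSigned and an empty ChainStatus; a non-empty ChainStatus (for example UntrustedRoot or RevocationStatusUnknown) names the check the device will also fail when it validates the server.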
Note: When generating the identity certificate for Security Manager, it is a best practice to assign a friendly name to the certificate for easy identification in the Security Manager certificate list. In the example above, "ipsctestcert" was used.

Mutual Authentication Configuration

To assist with certificate deployment, a basic understanding of mutual authentication and a simplified deployment process is presented in the following figures. Figure 30 begins by showing the usual out-of-the-box configuration and the expected behavior.
By default, only a JetDirect self-signed certificate is installed. This certificate is not unique and does not represent the true identity of the printer. Because of this, a user (client) browsing to the printer's embedded web page (server) is presented with a warning that the website cannot be trusted. Microsoft Internet Explorer gives the warning "There is a problem with this website's security certificate"; see the next figure. Other browsers present a similar warning.
A JetDirect certificate request has been generated and provided to the Certificate Authority (CA) for signing. The CA generates a signed identity certificate based upon this request. The newly signed JetDirect certificate is installed, replacing the default self-signed certificate. However, the connection remains untrusted because the client has no knowledge of the CA that generated the JetDirect certificate.
The client is made aware of the CA that generated the JetDirect's signed certificate: the CA's identity certificate is exported and installed in the client's Trusted Root Certification Authorities store. Trusted communication now exists, but only in one direction, from client to server. Mutual authentication between the PC and the printer does not exist at this point.
For Instant-On mutual authentication, the figure below shows the required role reversal between the printer and the pc. With Security Manager installed and the Instant-On Security feature enabled, the printer becomes the client looking to establish secure communication with Security Manager, the server.
Figure: Security Manager now installed on PC; Mutual Authentication selected in DAA.
With the printer now in the role of client, it requires knowledge of the CA that will be generating the identity certificate for the PC, now the server. The CA certificate is exported and installed on the printer; the figure below shows where to install the CA certificate on the device.
At this point, the only missing component needed to achieve mutual authentication is the identity certificate of the server. As was the case when the printer was the server, a certificate request is generated from the Security Manager server and submitted to the CA server for signing. Once signed and installed in the Local Computer Personal Store, trusted client-to-server communication and thus mutual authentication now exists.
If trusted certificates are not installed or leveraged on either the device or the server, the device uses its self-signed certificate for identification purposes and the server handles authentication in an anonymous fashion. If trusted certificates are installed and leveraged on both the device and the server, mutual authentication can be selected to provide a higher level of communication security. Mutual authentication can serve as a form of Instant-On Security device filtering as well; the authentication checks involved are described earlier in this section. The announcement and acknowledge message communication occurs directly over registered TCP port 3329 (named port hp-device-disc).
Announcement Message Summary
The device Announcement Message is always sent using the most secure authentication method the device is configured for. When the Device Announcement Agent is set for Require Mutual Authentication via Certificates, only trusted SSL/TLS authentication is allowed. When set, the Announcement Message requires valid identity and CA certificates be installed on the device. If this requirement is not met, the announcement is not sent. In addition, if the Instant-On Configuration Server certificate is determined to be invalid, the device will cease to contact the server, until the next announcement scenario presents itself. In either case, mutual authentication is denied and DAA status will show Fail.
Configuring Instant On with Device Serial List filtering
Selecting No Authentication and Use Device Serial-Number List configures the Instant-On Configuration Server to work only with the devices whose serial numbers are provided in the list, for example to manage the group of devices included in a Managed Print Services contract or for some other specific device scenario. Along with the product name, MAC address and IP address, the device serial number is included in the announcement message.
The device's Announcement Message request includes device identity information, such as; the MAC address, the IP address, model and the serial number. Upon initial authenticated communication between the device and server, Security Manager inserts this gathered identity information into the database. This identity information, specifically the serial number, can now be used if the serial number filtering option is chosen. Every announcement scenario is handled in identical fashion to the initial device discovery scenario. However, once the device has been discovered, no further database entry will occur to eliminate the possibility of duplicate device entries.
Device Table
Instant-On Security includes the ability to utilize serial numbers as a means of filtering the devices that participate in the Instant-On process. Serial numbers can be singularly added or imported via a text file. With serial number filtering enabled, only the devices whose serial numbers match a database entry in the Serial Number List table are granted Instant-On processing. The image below shows how the Serial Numbers can be added to HPSM.
The image below shows the two tables that require a serial number match.
As devices announce, are discovered and placed into the Device Table, the serial number entry is removed from the UI serial number list. On the Devices tab, the status shows the device as Auto Discovered. As long as Use Device Serial Number List remains selected in the Instant-On settings window, only the serial numbers in the Serial Numbers Filter Table will participate in the Instant-On Security process.
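Building the serial-number list by hand is error-prone for a contract covering hundreds of devices. The following PowerShell script is an added example and not HP code: it turns an inventory export into the import file, normalising case and whitespace and dropping blanks and duplicates. It assumes the inventory is a CSV with a SerialNumber column and that the import file takes one serial number per line; the serial-number pattern it enforces is an assumption as well. Neither format is specified in this document, so confirm both against the Instant-On settings window before importing.

```powershell
# Added example (not HP code): build the serial-number import file for the Instant-On
# filter from a managed print services inventory export.
# Assumptions: the inventory CSV has a SerialNumber column; the import file takes one
# serial number per line; serials are 8-20 alphanumeric characters. Confirm the file
# format against the Instant-On settings window before importing.
param(
    [string]$InventoryCsv = '.\mps-inventory.csv',
    [string]$OutFile      = '.\instant-on-serials.txt'
)

function ConvertTo-SerialList {
    param([object[]]$Rows)
    $seen     = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $accepted = New-Object System.Collections.Generic.List[string]
    $rejected = New-Object System.Collections.Generic.List[string]

    foreach ($row in $Rows) {
        $serial = ("$($row.SerialNumber)").Trim().ToUpperInvariant()
        if (-not $serial) { continue }                      # blank cell
        if ($serial -notmatch '^[A-Z0-9]{8,20}$') {         # embedded spaces, punctuation, truncated values
            $rejected.Add($serial); continue
        }
        if ($seen.Add($serial)) { $accepted.Add($serial) }  # drop duplicates, keep the first occurrence
    }
    [pscustomobject]@{ Accepted = $accepted; Rejected = $rejected }
}

# Constructed sample rows standing in for the CSV when no file is present (not real devices).
$sample = @(
    [pscustomobject]@{ Site='HQ-3F'; Model='HP LaserJet M507';         SerialNumber=' CNB1234567 ' },
    [pscustomobject]@{ Site='HQ-3F'; Model='HP LaserJet M507';         SerialNumber='CNB1234567' },
    [pscustomobject]@{ Site='DC-1';  Model='HP Color LaserJet E55040'; SerialNumber='VNC 000001' },
    [pscustomobject]@{ Site='DC-1';  Model='HP Color LaserJet E55040'; SerialNumber='' },
    [pscustomobject]@{ Site='LAB';   Model='HP PageWide E58650';       SerialNumber='jpb7654321' }
)
$rows = if (Test-Path $InventoryCsv) { Import-Csv -Path $InventoryCsv } else { $sample }

$result = ConvertTo-SerialList -Rows $rows
$result.Accepted | Set-Content -Path $OutFile -Encoding ASCII
"{0} serial(s) written to {1}; {2} rejected: {3}" -f $result.Accepted.Count, $OutFile,
    $result.Rejected.Count, ($result.Rejected -join ', ')
```

With the sample rows the file contains CNB1234567 and JPB7654321, and "VNC 000001" is reported as rejected so the inventory can be corrected rather than silently excluding that device from Instant-On.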
Instant-On Assessment Policy with HPSM 3.3 and older
The policy used in the Instant-On Security feature is labeled as the Initial Assessment Policy and as a best practice should always reflect the minimum device security required for all devices participating in Instant-On. Devices participating in Instant-On for the first time will always receive this initial policy. The device will continue to receive the initial policy during Instant-On unless that device was later assessed with a policy other than the Initial Assessment Policy. In this case, that particular policy will be applied the next time the device enters into an Instant-On scenario. Security Manager keeps track of the policy the device was last assessed with and will always apply that policy during Instant-On.
Instant-On Assessment Policy from HPSM 3.4 onwards
Due to the introduction of autogroup remediation policies HPSM 3.4 will always use the selected Initial Assessment Policy for instant-on remediation when Allow Automatic Remediation is enabled under Instant-On Security.
This change was made because more choices are now possible with autogrouping and autogroup policies. This is explained in the next part.
Part 3 - Autogrouping and autogroup remediation
HPSM 3.4 introduced the option to configure autogroups with autogroup remediation policies. Autogrouping now includes the ability to have one policy automatically remediated when a device is added to the group. Remediation occurs if the autogroup has a policy assigned to it, in the following situations:
A. Device discovered via Instant-on (only remediate the devices which are added to an autogroup via instant on)
B. Device discovered via manual or automatic discovery method (only remediate the devices which are now added to an autogroup)
C. Every x days:hours:minutes:seconds after starting HPSM service (remediate all devices in the autogroup)
D. An auto group or auto group policy has been changed/edited (remediate all devices in the autogroup)
The actual behavior for the above situations is controlled by configuration settings in the HPSM_Service.exe.config file and in the Web.config file. The HPSM_Service.exe.config file (in C:\Program Files (x86)\HP JetAdvantage Security Manager) contains the following configuration settings that define the behavior:

    <add key="autoGroupDiscoveryAutoRemediationEnable" value="false" />
    <add key="autoGroupEditOrDailyRefreshAutoRemediationEnable" value="false" />
    <add key="autoGroupFilterExecutionFrequency" value="1:0:0:0" />
The Web.config (in C:\Program Files (x86)\HP JetAdvantage Security Manager\WebApp) contains the following configuration settings to control this:
<add key="autoGroupEditOrDailyRefreshAutoRemediationEnable" value="false" />
A. Autogroup remediation for devices discovered via instant-on
When a device must receive an autogroup policy after HPSM has received the Instant-On message, Allow Automatic Remediation must be enabled with an Initial Assessment Policy. After receiving an Instant-On message, HPSM first sends the Initial Assessment Policy and after that the autogroup policy. It is possible to send only the autogroup policy after receiving an Instant-On message by setting skipInstantOnPolicy to true in the HPSM_Service.exe.config file. The next picture shows the Instant-On flow diagram for HPSM.
The same information, but in a different format, can be seen in the following table:

SkipInstantOnPolicy | Device membership                                                                                   | Apply Instant-On Policy (Initial Assessment Policy) | Apply Autogroup Policy
--------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------|-------------------------------------------------------------------------------
TRUE                | Device is a member of an autogroup with a policy                                                    | No                                                  | Yes
TRUE                | Device is a member of an autogroup without a policy, of a manual group only, or of All Devices only | Yes                                                 | No (N/A: device is not a member of an autogroup with an autogroup policy)
FALSE               | Device is a member of an autogroup with a policy                                                    | Yes (1st policy)                                    | Yes (2nd policy)
FALSE               | Device is a member of an autogroup without a policy, of a manual group only, or of All Devices only | Yes                                                 | No (N/A: device is not a member of an autogroup with an autogroup policy)

This way at least one policy will always be applied when an Initial Assessment Policy has been configured.

B. Autogroup remediation for devices discovered via manual or automatic discovery
By default, when a device is discovered or re-discovered it is not remediated with the autogroup policy at the time of discovery, even though a device may be added to or removed from autogroups during discovery. It is possible to enforce an immediate remediation when a device is discovered via manual or automatic discovery and is new in the autogroup. This is done by setting autoGroupDiscoveryAutoRemediationEnable to true in the HPSM_Service.exe.config file.
The next picture shows the manual/automatic discovery flowchart for HPSM.

C. Autogroup remediation at configured time intervals
Devices that are newly added to an autogroup can be remediated at specified time intervals with the configured autogroup policy. By default this is disabled. To enable it, set autoGroupEditOrDailyRefreshAutoRemediationEnable to true in HPSM_Service.exe.config (in C:\Program Files (x86)\HP JetAdvantage Security Manager). After making this change, the HP JetAdvantage Security Manager service must be restarted. The actual frequency is controlled by the value of autoGroupFilterExecutionFrequency (also located in HPSM_Service.exe.config). By default it is set to "1:0:0:0" (days:hours:minutes:seconds), which means once a day, i.e. 24 hours after starting the HPSM service. This timed refresh remediates only the devices that are new in the autogroup; if a policy must be applied to all devices in an autogroup, schedule a (daily/weekly/monthly) task instead. The next picture shows the flowchart for autogroup remediation.
D. Autogroup remediation after editing an autogroup or autogroup policy
It is possible to apply an autogroup policy immediately to all devices in the autogroup after editing the autogroup or the autogroup policy. This is done by changing the default value of autoGroupEditOrDailyRefreshAutoRemediationEnable from false to true in the Web.config file (note that the key of the same name in HPSM_Service.exe.config controls the timed refresh described in section C). The following picture shows the flow diagram for editing an autogroup or editing an autogroup filter.
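Because the same key name appears in both files with different effects, the following PowerShell script (an added example, not HP code) reads all the switches from sections A to D in one place and, when run with -Apply, changes them with a backup and a service restart. It assumes the default install path quoted above, that the keys sit in the standard <appSettings> section of each file, and that skipInstantOnPolicy (which this document names but does not show) lives there as well; the frequency check mirrors the days:hours:minutes:seconds form of the default value.

```powershell
# Added example (not HP code): inspect and set the autogroup remediation switches from
# sections A to D in HPSM_Service.exe.config and Web.config.
# Assumptions: default install path as quoted in this document; keys live in the standard
# <appSettings> section; skipInstantOnPolicy is assumed to be an appSettings key too;
# the service is located by display name.
param(
    [string]$InstallDir = 'C:\Program Files (x86)\HP JetAdvantage Security Manager',
    [string]$ServiceDisplayName = 'HP JetAdvantage Security Manager*',
    [switch]$Apply
)

$ServiceConfig = Join-Path $InstallDir 'HPSM_Service.exe.config'
$WebConfig     = Join-Path $InstallDir 'WebApp\Web.config'

function Get-AppSetting {
    param([string]$Path, [string]$Key)
    $cfg = New-Object System.Xml.XmlDocument
    $cfg.Load($Path)
    $node = $cfg.SelectSingleNode("//appSettings/add[@key='$Key']")
    if ($node) { $node.GetAttribute('value') } else { $null }
}

function Set-AppSetting {
    param([string]$Path, [string]$Key, [string]$Value)
    Copy-Item -Path $Path -Destination ("{0}.{1:yyyyMMddHHmmss}.bak" -f $Path, (Get-Date))
    $cfg = New-Object System.Xml.XmlDocument
    $cfg.PreserveWhitespace = $true
    $cfg.Load($Path)
    $node = $cfg.SelectSingleNode("//appSettings/add[@key='$Key']")
    if (-not $node) { throw "Key '$Key' not found in $Path; refusing to add an unknown key" }
    $node.SetAttribute('value', $Value)
    $cfg.Save($Path)
}

# autoGroupFilterExecutionFrequency uses days:hours:minutes:seconds; reject values the
# service would not parse instead of finding out after the restart.
function Test-FrequencyValue {
    param([string]$Value)
    if ($Value -notmatch '^\d+:\d+:\d+:\d+$') { return $false }
    $ts = [TimeSpan]::Zero
    if (-not [TimeSpan]::TryParse($Value, [ref]$ts)) { return $false }
    return $ts -gt [TimeSpan]::Zero
}

# Report the current state of every switch.
$settings = @(
    @{ File=$ServiceConfig; Key='autoGroupDiscoveryAutoRemediationEnable';          Effect='B: remediate new members on manual/automatic discovery' },
    @{ File=$ServiceConfig; Key='autoGroupEditOrDailyRefreshAutoRemediationEnable'; Effect='C: remediate new members on the timed refresh' },
    @{ File=$ServiceConfig; Key='autoGroupFilterExecutionFrequency';                Effect='C: refresh interval (d:h:m:s)' },
    @{ File=$ServiceConfig; Key='skipInstantOnPolicy';                              Effect='A: send only the autogroup policy on Instant-On' },
    @{ File=$WebConfig;     Key='autoGroupEditOrDailyRefreshAutoRemediationEnable'; Effect='D: remediate all members after an autogroup/policy edit' }
)
$settings | ForEach-Object {
    [pscustomobject]@{
        File   = (Split-Path $_.File -Leaf)
        Key    = $_.Key
        Value  = (Get-AppSetting -Path $_.File -Key $_.Key)
        Effect = $_.Effect
    }
} | Format-Table -AutoSize

if ($Apply) {
    # Example change: remediate new autogroup members on discovery and refresh every 6 hours.
    Set-AppSetting -Path $ServiceConfig -Key 'autoGroupDiscoveryAutoRemediationEnable' -Value 'true'
    $freq = '0:6:0:0'
    if (-not (Test-FrequencyValue $freq)) { throw "Invalid frequency '$freq'" }
    Set-AppSetting -Path $ServiceConfig -Key 'autoGroupFilterExecutionFrequency' -Value $freq
    # HPSM_Service.exe.config is read only at service start-up.
    Restart-Service -InputObject (Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop) -Force
}
```

A Value of blank for skipInstantOnPolicy in the report means the key is not present in appSettings on that installation, in which case the assumption in the lead-in does not hold and the key's location must be confirmed with HP's documentation before it is added.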
Part 4 - Performance Implications
Performance on the Security Manager server can suffer when large numbers of device announcements are received and automatic assessments/remediations are performed. Comparing the threading models, it is easy to see why it takes much longer to assess 1000 devices discovered through Instant On announcements than 1000 devices assessed as a scheduled task.
Instant On assessment tasks are processed at one device per task because they are received one at a time, and Security Manager processes a maximum of 10 tasks at a time by default. This maximum can be controlled using a configuration item in the HPSM_Service.exe.config file found under \Program Files (x86)\HP JetAdvantage Security Manager:

    <add key="maxNumberTasks" value="10" />
For scheduled assessment tasks, since the number of devices is predefined, a parent task is broken into child tasks of 25 devices each. Child tasks are run at up to 10 simultaneous tasks, just like Instant On tasks; the difference is that each threaded task assesses 25 devices rather than one. Any remediations or credential failures requiring additional credential retries are performed as one individual task each, at the same maximum of 10 simultaneous tasks.

A high volume of Instant On device announcements occurring in the background will affect performance. If Instant On is being enabled for the first time, expect delays while the fleet is processed; scheduled tasks will likely go into a waiting state until the Instant On devices have been processed. It is also possible that a few devices cause a high volume of announcements even after Instant On has been enabled. If many of the messages come from one device, a faulty device may be dropping off the network and coming back, or devices may be constantly rebooting for some reason. Try eliminating such devices if there is a suspicion that they are responsible for the bulk of Instant On tasks. The Tasks tab contains a button to view all active Instant On tasks:
This can help to determine whether Instant On tasks are constantly bombarding the Security Manager server. If the fleet is exceptionally large and Instant On is consuming the bulk of the processing capacity, a separate server may be required to process just the Instant On tasks. This preserves the "instant" remediation benefit of Instant On (for example, when a device is cold reset) without compromising the ability of the scheduled tasks on the other server to keep the entire fleet in compliance. A second Security Manager server can be set up as a secondary Instant On listener so that the primary server receiving the device announcements forwards those devices to the secondary server, thus preserving the discovery portion of Instant On.
Part 5 - Summary
Instant-On Security is a high value feature of HP JetAdvantage Security Manager. Enabling this feature allows supported devices to be automatically discovered, assessed and remediated with the configured security policy when first placed on the network. When security configuration loss scenarios are experienced by the device after placement on the network, Instant-On Security automatically keeps the device secure by remediating the settings out of compliance with the security policy. Used in conjunction with frequently scheduled assessment and remediation tasks, the supported fleet can be kept security policy compliant with minimal to no manual intervention. Instant-On supported devices announce themselves directly to the Security Manager server (mutual authentication is an option) and do not require special network configuration for successful operation. Instant-On supported devices are a subset of Security Manager supported devices. The following figure contains a summarized representation of the Instant-On process.
Appendix A
Links to other HP Security Manager Whitepapers
There are many white papers and manuals available for HP JetAdvantage Security Manager. The overview on the web can be found at http://www.hp.com/go/securitymanager; click the link Whitepapers and Support Documents. This shows the following list:
HP JetAdvantage Security Manager - Policy Editor Settings (white paper)
HP JetAdvantage Security Manager - Reporting, Email Alert Subscriptions & Remediation Summary, Auditing & Syslog Functionality (white paper)
HP JetAdvantage Security Manager - Using licenses and troubleshooting licensing issues (white paper)
HP JetAdvantage Security Manager - Securing the HP JetAdvantage Security Manager (white paper)
HP JetAdvantage Security Manager - User Guide
HP JetAdvantage Security Manager - Supported devices and features table
HP JetAdvantage Security Manager - Installation and Setup Guide
HP JetAdvantage Security Manager - Credential Management (white paper)
HP JetAdvantage Security Manager - Release Notes with Ports (white paper)
HP JetAdvantage Security Manager - Tracking Device Identity (white paper)
HP JetAdvantage Security Manager - Instant-On Security (white paper)
HP JetAdvantage Security Manager - Automation Output Feature (white paper)
HP JetAdvantage Security Manager - Sizing and Performance (white paper)
HP JetAdvantage Security Manager - Supported Devices (white paper)
HP JetAdvantage Security Manager - Certificate Management (white paper)
HP JetAdvantage Security Manager - Manage devices with FutureSmart 4.5 Firmware
HP JetAdvantage Security Manager - Using Microsoft® SQL Server (white paper)
HP JetAdvantage Security Manager - Troubleshooting Issues (white paper)
© Copyright 2020 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
c04222990ENW, Rev. 10, Mar 2021