Xerox WorkCentre 5755 Manual
WorkCentre™ 5735/5740/5745/5755/5765/5775/5790 System Administrator Guide

Email Encryption and Signing

Email Encryption and Signing allow users to ensure that Emails sent from the device are signed and/or encrypted. Signed e-mails can be sent to any address the user specifies and encrypted email can be sent to any recipient with a valid security certificate.

To enable and configure Email encryption

Note: To configure this feature or these settings access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click the [Authentication] link and select [Setup] in the directory tree.
   Note: Smart Card authentication must be set as the primary authentication method before Email encryption and signing are made available.
3. In the table of associated services at the bottom of the screen, click the [Edit...] button next to E-mail Encryption and signing.
4. In the Email Encryption Enablement area, select one of the following settings:
   • Off - Email encryption is disabled and cannot be activated by a user at the device.
   • Always On: Not Editable By User - Email encryption is enabled and cannot be deactivated by a user at the device.
   • Editable by User - Email encryption is enabled but can be activated or deactivated by a user at the device. The default state can be set by selecting one of the following:
     • Off - Email encryption is deactivated by default but can be activated by the user.
     • On - Email encryption is activated by default but can be deactivated by the user.
5. Select the required Encryption Algorithm to be used.
6. In the Email Signing Enablement area, select one of the following settings:
   • Off - Email signing is disabled and cannot be activated by a user at the device.
   • Always On: Not Editable By User - Email signing is enabled and cannot be deactivated by a user at the device.
   • On: Editable by User - Email signing is enabled but can be activated or deactivated by a user at the device. The default state can be set by selecting one of the following:
     • Off - Email signing is deactivated by default but can be activated by the user.
     • On - Email signing is activated by default but can be deactivated by the user.
7. Select the required Signing Hash Key to be used.
8. Click the [Save] button.

FIPS 140-2 Encryption

The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptography modules. Your device supports FIPS 140-2 Level 1 only.

To Enable FIPS 140-2 Encryption

Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click [Encryption] and select [FIPS 140-2] in the directory tree.
3. Select the Enabled radio button and click the [Run Configuration Check & Apply] button.
4. The system runs a configuration check to ensure that all services are FIPS 140-2 compliant. If all services are compliant, a confirmation page is displayed.
5. Click [Reboot the Machine]. The machine will restart with FIPS 140-2 enabled.

To Disable FIPS 140-2 Encryption

Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click [Encryption] and select [FIPS 140-2] in the directory tree.
3. Select the Disable radio button and click the [Apply] button.
4. The machine will automatically restart with FIPS 140-2 disabled.

User Data Encryption

User Data Encryption ensures all data or job-sensitive data on the device’s hard drive is protected. User Data Encryption is automatically enabled on the device and no further configuration is required by the administrator. When enabled, the data on the hard drive will not be meaningful when the hard drive has been separated from the device it was originally installed on. If the hard disk is removed from the device then the encrypted data remains protected because the encryption key is not stored on the hard drive.

To Disable User Data Encryption

Note: To configure this feature or these settings access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click on the [Encryption] link and then select [User Data Encryption] in the directory tree.
3. In the [User Data Encryption Enablement] area, select [Disabled].
4. Click on the [Apply] button.
   Note: Changing the User Data Encryption setting will reboot the Network Controller. This may result in a loss of user data and will interrupt or delete current jobs on the device.

User Information Database

User Information Database is a local database that contains user data for access by Authentication and basic Authorization. The User Information Database allows you to add new users to the database. User information can be edited and deleted from the database. Password Settings allow you to change password rules.

Note: If the Password rules are changed, old passwords are NOT AFFECTED by the new rules.

If users are created locally on the device using the User Information Database, those users will be authenticated only if the Authentication Configuration method is set to “Locally on the Device”. If the authentication method is switched to “Remotely on the Network”, those users will not be authenticated unless their credentials are also accessible remotely. For further information on Authentication Configuration, refer to Authentication on page 155.

To Add a New User to the Database

Note: To configure this feature or these settings access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click on the [User Information Database] link.
3. Select [Setup] in the directory tree.
4. On the User Information Database page, click on the [Add New User] button.
5. On the Add New User page, in the User Identification area:
   a. Enter a login name that the user will enter to gain access to the device or the Internet Services in the [User Name] field.
      Note: The login name is case-sensitive.
   b. Enter a name that will be associated with the login name in the [Friendly Name] field.
   c. Enter a password in the [Password] field, and retype the password in the [Retype Password] field to confirm that it is correct.
6. In the User Role area, select one of the following roles for the new user:
   • System Administrator: This will appear in the Role column as “SA”. This role has access to all pathways, services and features on the device.
   • Accounting Administrator: This will appear in the Role column as “AA”. The accounting administrator can access all pathways, services, and features on the device, as well as accounting tools and any non-secured tools features. The accounting administrator can neither edit nor create any new users for the device.
   • User: This will appear in the Role column as “USER”.
7. Click on the [Add New User] button to save the new user settings.

To Edit a User on the Database

As a System Administrator

Note: Accounting Administrator cannot access this page.
Note: Any user on the database can log into the Internet Services and edit their own password.
Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click on the [User Information Database] link.
3. Select [Setup] in the directory tree.
4. On the User Information Database page, click on the [Edit] link next to the user you want to edit.
5. On the Edit User page:
   a. In the User Identification area, edit any relevant field.
      Note: The [User Name] field is not editable.
   b. In the [User Role] area, select the type of role for the user.
6. Click on the [Edit User] button to save the changes.

As an Individual User

Note: To configure this feature or these settings, you will have to access the Properties tab. This will require you to log in using your individual User ID and Password.

1. At your Workstation, open the web browser, enter the IP Address of the device in the Address bar.
2. Press .
3. Click on the [Properties] tab.
4. If prompted, enter details in the [User ID] and [Password] fields.
5. Click on the [Login] button.
6. From the Properties tab, click on the [User Information Database] link.
7. Select [Setup] in the directory tree.
8. On the Edit User page:
   a. In the User Identification area, edit any relevant field.
      Note: The [User Name] field is not editable.
   b. In the [User Role] area, select to change the role of the user.
9. Click on the [Edit User] button to save the changes.

To Delete a User

Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click on the [User Information Database] link.
3. Select [Setup] in the directory tree.
4. On the User Information Database page, under the User Name column, check the user checkbox you want to delete and click on the [Delete] button to delete the user.
5. A pop-up window will state “All associated data will be lost. Delete Selected User Account?”. Click on the [OK] button to confirm selection.

Password Settings

Use this page to set or change the password rules. This page is only available to users who are System Administrators.

Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Click on the [User Information Database] link.
3. Select [Password Settings] in the directory tree.
4. On the Password Settings page, in the Password Rules area:
   a. Enter the minimum number of characters that will be accepted as a password in the [Minimum Length] and [Maximum Length] field.
   b. Optionally, you can also check to select either or all options:
      • Cannot contain “Friendly Name”.
      • Cannot contain “User Name”.
      • Must contain “at least 1 number”.
5. Click on the [Apply] button to save your changes and return to the User Information Database page.

IP Filtering

The IP Filtering security feature provides the ability to prevent unauthorized network access based on IP Address and/or port number filtering rules set by the System Administrator using Internet Services. Authorized users will be able to create IP Address filtering rules. Authorized users can enter a list of addresses that are allowed access to the device, and/or a list of addresses that are not allowed access to the device.

Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Select [IP Filtering] in the directory tree.

In the IP Filter Rule List area, the following information is displayed:
• Rule Number - displays the rule order. Rule ordering is important in IP Filtering, because rules can negate each other if placed in an incorrect order.
• Action - displays how IP Filtering handles incoming packets.
• Source IP/Mask - displays which IP or IP range and network mask the rule has been created to handle.
• Source Port - displays the originating port (if applicable) that the rule has been created to handle. If the incoming packet did not originate from this source port, the rule is not applied.
• Destination Port - displays the port to which the packet was sent. If the incoming packet was not sent to this port, the rule is not applied.
• ICMP Message - displays the ICMP Message the rule was created to handle. ICMP Messages are only shown when the protocol is set to ICMP.
• Protocol - displays which protocols the rule handles.

To Add IP Filter Rule

1. On the IP Filtering page, click on the [Add] button to display the Add IP Filter Rule page.
2. In the Define IP Filter Rule area:
   a. From the [Protocol] drop-down list, select the protocol (All, TCP, UDP or ICMP) that the rule will apply to.
   b. From the [Action] drop-down list, select how you wish IP Filtering to handle the incoming packets. The options are Accept, Drop, or Reject.
   c. From the [Move This Rule To] drop-down list, select either End of List or Beginning of List for the location of this rule. The order of the rules should be determined by the expected traffic to the device. Note that rule order is important in IP Filtering because rules can negate each other if placed in an incorrect order. For example, specific rules should be added to the top of the list, whereas blanket policies should be added to the bottom of the list.
   d. Enter the [Source IP Address] to which this rule will apply.
   e. Enter a number for the [Source IP Mask] to which this rule will apply. The allowable range of 0 to 32 corresponds to the 32 bit binary number comprising IP Addresses. A number of 8, for example, represents a Class A address (mask of 255.0.0.0). The number 16 represents a Class B address (mask of 255.255.0.0). The number 24 represents a Class C address (mask of 255.255.255.0).
3. Click on the [Apply] button to accept the changes or on the [Cancel] button to exit the window without saving changes.

Audit Log

Audit Log is a log that tracks access and attempted access to the server. With TCP/IP and HTTP-based processes running on the server, exposure to access attacks, eavesdropping, file tampering, service disruption, and identity (password) theft is significantly increased. The Audit Log, regularly reviewed by the System Administrator, often with the aid of third party analyzing tools, helps to assess attempted server security breaches, identify actual breaches, and prevent future breaches. Access to the log’s data is protected by enabling SSL (Secure Sockets Layer) protocols. The Audit Log, and its associated data protected by strong SSL encryption, helps to meet the Controlled Access Protection (Class C2) criteria, set by the United States Department of Defense.

To enable this feature, perform the following steps.

IMPORTANT: Audit Log cannot be enabled until SSL (Secure Sockets Layer) is enabled on the device. To enable SSL on a device, the device needs a Server Certificate. For instructions on how to set up a Server Certificate, refer to Security Certificate Management on page 179.

Note: To configure this feature or these settings, access the Properties tab as a System Administrator. For details, refer to Access Internet Services as System Administrator on page 24.

1. From the Properties tab, click on the [Security] link.
2. Select [Audit Log] in the directory tree.
   Note: You must enable SSL before enabling Audit Log.
3. In the Enabling Audit Log on machine area, check the [Enabled] checkbox for Audit Log.
4. Click on the [Apply] button, then click on the [OK] button when you see the message “Properties have been successfully modified”.
5. Click on the [Save] button to save the Audit Log as a text file.
6. In the Audit Log Download Form page:
   a. Right-click on the [Download Log] link and select [Save Target As] to download file.
   b. Specify the location for the Audit Log to be saved in. The Audit Log is saved as [Auditfile.txt.gz]. This is a text file compressed as a GZIP file. Click on [Save].
   c. Open the [Auditfile.txt.gz] compressed file.
   d. The Auditfile.txt is a raw text file. To view the Audit Log as tab-delimited text, open the Auditfile.txt document in an application that can import text as a tab-delimited document, such as Microsoft® Excel.
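
A first-pass review of a downloaded Auditfile.txt.gz, as an added example that is not part of the Xerox guide: it unpacks the tab-delimited log and flags entries an administrator would want to look at first. The event names come from the Event ID table in this Audit Log section; the column order, the sample rows and the choice of which event IDs to flag are assumptions of the example.

```python
import csv
import gzip
import io

# Event IDs and names from the Event ID table in this guide.
EVENT_NAMES = {
    1: "System start-up", 2: "System shut down",
    3: "On Demand Image Overwrite started", 4: "On Demand Image Overwrite complete",
    5: "Print job", 6: "Network Scan Job", 7: "Server Fax job", 8: "IFAX",
    9: "E-mail job", 10: "Audit Log Disabled", 11: "Audit Log Enabled",
    12: "Print/Fax driver LAN Fax job", 13: "Data Encryption",
    14: "Scheduled ODIO Standard started", 15: "Scheduled ODIO Standard complete",
    16: "Scheduled ODIO Full started", 17: "Scheduled ODIO Full complete",
    18: "Scan to Mailbox job", 19: "Delete File/Dir (CPSR)", 20: "USB",
    21: "Scan to Home", 23: "System Configuration Data Changes",
}
# Events flagged on sight: logging switched off, encryption and configuration
# changes. This selection is the example's own, not a list from the guide.
REVIEW_IDS = {10, 13, 23}
# ASSUMED column order: the guide names these columns but not their position.
COLUMNS = ["event_id", "description", "user", "status", "entry_data"]


def parse_audit_log(gz_bytes):
    """Decompress Auditfile.txt.gz content and return one dict per log entry."""
    text = gzip.decompress(gz_bytes).decode("utf-8", errors="replace")
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    rows = []
    for lineno, fields in enumerate(reader, start=1):
        if len(fields) < len(COLUMNS) or not fields[0].strip().isdecimal():
            continue  # blank, header or truncated line
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        row["event_id"] = int(row["event_id"])
        row["line"] = lineno
        rows.append(row)
    return rows


def review(rows):
    """Return (line, reason) pairs for entries that need a closer look."""
    findings = []
    for row in rows:
        eid = row["event_id"]
        if eid not in EVENT_NAMES:
            findings.append((row["line"], f"unknown event ID {eid}"))
        elif eid in REVIEW_IDS:
            findings.append((row["line"], EVENT_NAMES[eid]))
        if row["user"] == "Local User":
            # With Guest Access enabled, jobs are logged under this generic identity.
            findings.append((row["line"], "job not attributable to a named user"))
        if row["status"] in ("comp-deleted", "comp-terminated"):
            findings.append((row["line"], f"job ended {row['status']}"))
    return findings


# Constructed sample log, gzip-compressed like the downloaded file.
SAMPLE_GZ = gzip.compress("\n".join([
    "1\tSystem start-up\t\tcomp-normal\tprinter-01",
    "5\tPrint job\tjsmith\tcomp-normal\tquarterly.pdf",
    "9\tE-mail job\tLocal User\tcomp-normal\tscan0001",
    "23\tSystem Configuration Data Changes\tadmin\tcomp-normal\tIP Filtering",
    "6\tNetwork Scan Job\tjsmith\tcomp-terminated\tscan0002",
    "10\tAudit Log Disabled\tadmin\tcomp-normal\t",
]).encode("utf-8"))

if __name__ == "__main__":
    for line, reason in review(parse_audit_log(SAMPLE_GZ)):
        print(f"line {line}: {reason}")
```

Adjust COLUMNS to the layout of the file your device produces before relying on the output.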

To View the Audit Log

Note: Copy jobs and Embedded Fax jobs are not recorded in the Audit Log. The completion status of both types of jobs can be checked by viewing the applicable Completed Job Log entries.
Note: For a LAN Fax job, the event in the Audit Log will be recorded under the title of “print/driver fax”.
Note: To record the user’s name in the Audit Log, Network Authentication must be configured and enabled. If “Guest Access” is enabled, job entries in the Audit Log will be associated with the generic identity “Local User”. Therefore ‘Guest Access’ is not recommended for secure configurations.
Note: There may not be an entry made in the Audit Log for a scan-to-mailbox job, although the job completion status will be reported in the Completed Job Log. If a scan-to-mailbox job is deleted from its scan-to-mailbox folder, there will be no entry created in either the Completed Jobs Log or the Audit Log for the job deletion.

Event ID

A unique value that identifies the entry. The following list shows the ID number allocated to each type of activity displayed in the Audit Log:

ID   Activity
1    System start-up
2    System shut down
3    On Demand Image Overwrite started
4    On Demand Image Overwrite complete
5    Print job
6    Network Scan Job
7    Server Fax job
8    IFAX
9    E-mail job
10   Audit Log Disabled
11   Audit Log Enabled
12   Print/Fax driver LAN Fax job
13   Data Encryption
14   Scheduled ODIO Standard started
15   Scheduled ODIO Standard complete
16   Scheduled ODIO Full started
17   Scheduled ODIO Full complete
18   Scan to Mailbox job
19   Delete File/Dir (CPSR)
20   USB
21   Scan to Home
23   System Configuration Data Changes

Event Description

The Audit Log contains a maximum list of the last 15,000 activities on the device. The activities that are displayed include:
• System start-up and shutdowns.
• On demand image overwrites completed.
• Jobs completed.
• Embedded Fax jobs.
• Store Files jobs.
• Accounting information.
• Workflow Scanning jobs - one scan to file audit log entry is recorded for each network destination within the scan job.
• Server Fax jobs - one audit log entry is recorded for each job.
• E-mail jobs - one audit log entry is recorded for each SMTP recipient within the job.

Completion Status

The Completion Status column shows the status of jobs and has the following values:
• comp-normal - the job completed correctly.
• comp-deleted - the job was deleted.
• comp-terminated - the job was cancelled.

Identify the PC or User

To record the user's name in the Audit Log, Network Authentication must be configured on the Xerox device.

IIO Status

If IIO (Immediate Image Overwrite) is enabled, this column will show the status of overwrites completed on each job.

Entry Data

This column contains any additional data that is recorded for an Audit Log entry, for example:
• Machine name
• Job name
• Username
• Accounting Account ID (when Network Accounting is enabled)

Security Certificate Management

A Machine Digital Certificate provides keys for encryption/decryption of data. It ensures the data is not tampered with and validates the source of data. A Digital Certificate is like an ‘Electronic Driver’s License’. It contains the following:
• Name of whom the Certificate is issued to
• Serial Number
• Expiration Date
• Name of the Certificate Authority that issued the Certificate
• A Public Key
• A Digital Signature of the Key from a Certificate Authority
• Country Code

Other information it contains:
• State/Province Name
• Locality Name
• Organization Name
• Organization Unit
• E-mail Address

The device can be configured for secure access with the SSL (Secure Socket Layer) protocol via Digital Certificates. The enablement of SSL provides encryption for all workflows where the device is used as a HTTPS server. Workflows include:
• Administration of the device via Internet Services
• Printing via Internet Services
• Printing via IPP
• Scan Template Management
• Workflow Scanning via HTTPS
• Administration of Network Accounting

The device exports the signed certificate to the client to establish an SSL/HTTPS connection.

There are two options available to obtain a server certificate for the device:
• Have the device create a Self Signed Certificate.
• Create a request to have a Certificate Authority sign a certificate that can be uploaded to the device.

A self-signed certificate means that the device signs its own certificate as trusted and creates the public key for the certificate to be used in SSL encryption. A certificate from a Certificate Authority or a server functioning as a Certificate Authority, for example Windows 2000 running Certificate Services, can be uploaded to the device.

Note: A separate request is required for each Xerox device.

With SSL enabled (from the Connectivity/Protocols/HTTP selections of the Properties tab of Internet Services), and a digital certificate installed, remote users accessing the system over an HTTP-based interface are assured of having their network communications protected against eavesdropping and tampering, using strong encryption. The only action required by the workstation user is to type https:// followed by the IP Address (or fully qualified domain name) of the system into the Address or URL box of the web browser. The subsequent acceptance of a Digital Certificate completes the exchange of the Public Key enabling the encryption process to proceed.

Information Checklist

Before starting the procedure, ensure the following items are available or tasks have been performed:
• An IP Address or Host Name must be configured on the device.
• DNS must be enabled and configured on the device.
• HTTP must be enabled so that Internet Services can be accessed.
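
The rule-order warning in the IP Filtering section above, as an added example that is not part of the Xerox guide: it evaluates a rule list top to bottom and reports rules that an earlier, broader rule negates. It assumes the device applies the first matching rule and accepts traffic that no rule matches; the addresses, ports and rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # Accept, Drop or Reject
    source: str                      # Source IP Address / Source IP Mask (0 to 32)
    protocol: str = "All"            # All, TCP, UDP or ICMP
    dest_port: Optional[int] = None  # None means any destination port

    @property
    def network(self):
        return ipaddress.ip_network(self.source, strict=False)

    def matches(self, src_ip, protocol, dest_port):
        return (self.protocol in ("All", protocol)
                and self.dest_port in (None, dest_port)
                and ipaddress.ip_address(src_ip) in self.network)

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        return (self.protocol in ("All", other.protocol)
                and self.dest_port in (None, other.dest_port)
                and other.network.subnet_of(self.network))


def evaluate(rules, src_ip, protocol, dest_port=None, default="Accept"):
    """Return (rule_number, action) for a packet.

    ASSUMPTIONS: the first matching rule wins, and a packet that matches
    no rule gets `default`.
    """
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src_ip, protocol, dest_port):
            return number, rule.action
    return None, default


def negated_rules(rules):
    """Return (later, earlier) rule numbers where the earlier rule covers the
    later one with a different action, so the later rule never takes effect."""
    pairs = []
    for j, later in enumerate(rules, start=1):
        for i, earlier in enumerate(rules[:j - 1], start=1):
            if earlier.covers(later) and earlier.action != later.action:
                pairs.append((j, i))
                break
    return pairs


# Constructed policy: one admin workstation may reach HTTPS, the office subnet
# may print over IPP, everything else is dropped.
ADMIN = Rule("Accept", "192.0.2.10/32", "TCP", 443)
PRINT = Rule("Accept", "192.0.2.0/24", "TCP", 631)
BLANKET = Rule("Drop", "0.0.0.0/0")

BLANKET_FIRST = [BLANKET, ADMIN, PRINT]   # blanket policy at the top: wrong
SPECIFIC_FIRST = [ADMIN, PRINT, BLANKET]  # specific rules first, as the guide advises

if __name__ == "__main__":
    for name, rules in (("blanket first", BLANKET_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, evaluate(rules, "192.0.2.10", "TCP", 443), negated_rules(rules))
```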