Xerox WorkCentre 5755 Manual

    							User Data Encryption
    WorkCentre™ 5735/5740/5745/5755/5765/5775/5790
    System Administrator Guide181
    • Ensure the system time configured on the device is accurate. This is used to set the start time for 
    self signed certificates.
    Enable Secure HTTP (SSL)
    Security certificates cannot be configured until the secure HTTP Protocol (SSL) is enabled:
    1. From the Properties tab, click on the [Connectivity] link.
    2. Click on the [Protocols] link.
    3. Select [HTTP] in the directory tree.
    4. In the Configuration area:
    a. Under Secure HTTP (SSL), select [Enabled].
    b. Enter the [Secure HTTP Port Number] if required.
    5. Click on the [Apply] button.
    • Close your web browser and then access the Internet Services screen again. The Security warning 
    appears. Self-signed certificates usually cause browsers to display messages which question the 
    trust of the certificate. Click on the [OK] button to continue.
    To Create a Digital Certificate
    Note: To configure this feature or these settings, access the Properties tab as a System 
    Administrator. For details, refer to Access Internet Services as System Administrator on page 24.
    1. From the Properties tab, click on the [Security] link.
    2. Select [Security Certificates] in the directory tree. The Security Certificates page displays.
    3. To create a Self Signed certificate:
    a. Select the [Xerox Device Certificate] tab.
    b. Click on the [Create New Xerox Device Certificate] button.
    c. Complete the Self Signed Certificate form with details for:
    • 2 Letter Country Code
    • State/Province Name
    • Locality Name
    • Organization Name
    • Organization Unit
    • Subject Alternative Name (if required)
    • E-mail Address
    • Days of Validity
    Note: Common Name on the form is generated by the device and cannot be changed.
    d. Click on the [Finish] button to continue. Values from the form will be used to establish a self-
    signed certificate, and you will be returned to the Security Certificates page.
    Note: A Xerox Device Certificate is inherently less secure than installing a certificate signed by a 
    trusted, third party Certificate Authority (CA). However, specifying a self-signed certificate is the 
    easiest way to start using SSL. A self-signed certificate is also the only option if your company 
    does not have a Server functioning as a Certificate Authority (Windows 2000 running Certificate 
    Services, for example), or does not wish to use a third party CA. 
    						
    4. To create a Certificate Signing Request:
    a. Select the CA-Signed Device Certificate(s) tab.
    b. Click the [Create Certificate Signing Request (CSR)] button.
    c. Complete the Certificate Signing Request (CSR) form with details for:
    • 2 Letter Country Code
    • State/Province Name
    • Locality Name
    • Organization Name
    • Organization Unit
    • Subject Alternative Name (if required)
    • E-mail Address
    Note: Common Name on the form is generated by the device and cannot be changed.
    d. Click on the [Finish] button to continue. Values from the form will be used to generate a 
    Certificate Signing Request.
    e. When the process is complete, you will be prompted to save the Certificate Signing Request. 
    Right-click on the [Right-click to save this certificate for submission to a trusted certificate 
    authority] link and select [Save Target As].
    f. Save the Certificate to your hard drive and send it to a Trusted Certificate Authority.
    g. Select [Logout] in the upper right corner of your screen if you are still logged in as 
    Administrator, and click on the [Logout] button.
    To Upload a Signed Certificate
    When a signed certificate is received from the Trusted Certificate Authority, upload the certificate to 
    the device.
    Note: To configure this feature or these settings, access the Properties tab as a System 
    Administrator. For details, refer to Access Internet Services as System Administrator on page 24.
    1. From the Properties tab, click on the [Security] link.
    2. Select [Security Certificates] in the directory tree.
    3. Select the CA-Signed Device Certificate(s) tab.
    4. Click the [Install CA-signed Device Certificate] button.
    5. Click the [Browse] button to locate the signed certificate. Click on the [Open] button.
    6. Click on the [Next] button. The details of the Certificate are displayed. Change the friendly name 
    of the Certificate if required and click [Next].
    7. The digital certificate will appear in the installed certificates list.
    Note: For the upload to be successful, the signed certificate must match the CSR created by the 
    device and must be in a format that the device supports.
    Note: The device only supports certificates of type “Base64”.
    8. To view installed certificates: 
    a. Select [Security Certificates] in the directory tree for [Security].
    b. Click on the checkbox for the required certificate in the list. 
    						
    c. Click [View/Save]. The certificate details are displayed.
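A pre-upload check for the Base64 requirement in the notes above, as an added example that is not part of the Xerox guide: it accepts a file in Base64 (PEM) or binary DER encoding, rejects a CSR or any other non-certificate block, and returns Base64 text. The function names and the constructed sample bytes are assumptions for illustration; the check covers encoding only and does not verify that the certificate matches the device's CSR.

```python
import base64
import binascii
import re

# One PEM block: captures the label and the Base64 body between the markers.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed stand-in: a well-formed DER SEQUENCE (long-form length),
# not a real certificate. Use the file received from the CA instead.
CONSTRUCTED_DER = bytes([0x30, 0x81, 0x83, 0x04, 0x81, 0x80]) + bytes(128)


def _check_der_sequence(der: bytes) -> None:
    """A DER certificate is one SEQUENCE whose declared length spans the file."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not DER: file does not start with a SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("not DER: malformed length field")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not match file size (truncated or trailing data)")


def to_base64_certificate(blob: bytes) -> str:
    """Return the certificate as Base64 (PEM) text, converting from DER if needed.

    Raises ValueError when the file is not a single X.509 certificate, for
    example when the saved CSR or a certificate bundle was selected by mistake.
    """
    blocks = PEM_BLOCK.findall(blob)
    if blocks:
        if len(blocks) != 1:
            raise ValueError(f"expected 1 PEM block, found {len(blocks)}")
        label, body = blocks[0]
        if label != b"CERTIFICATE":
            raise ValueError(f"PEM block is {label.decode()!r}, not a certificate")
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"corrupt Base64 body: {exc}") from None
    else:
        der = blob                        # no PEM markers: treat as binary DER
    _check_der_sequence(der)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----", ""])


if __name__ == "__main__":
    print(to_base64_certificate(CONSTRUCTED_DER))
```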
    IP Sec
    IP Sec (IP Security) consists of the IP Authentication Header and IP Encapsulating Security Payload 
    protocols, which secure IP communications at the network layer of the group of protocols using both 
    authentication and data encryption techniques. The ability to send IP Sec encrypted data to the 
    printer is provided by the use of a public cryptographic key, following a network negotiating session 
    between the initiator (client workstation) and the responder (printer or server). To send encrypted data 
    to the printer, the workstation and the printer have to establish a Security Association with each other 
    by verifying a matching password (shared secret) to each other. If this authentication is successful, a 
    session public key will be used to send IP Sec encrypted data over the TCP/IP network to the printer. 
    Providing additional security in the negotiating process, SSL (Secure Sockets Layer protocols) are used 
    to assure the identities of the communicating parties with digital signatures (individualized checksums 
    verifying data integrity), precluding password guessing by network sniffers.
    IP Sec security settings are the means by which an administrator can configure multiple groups of 
    hosts and groups of protocols. This feature is also used to set up the IPsec and IKE (Internet Key 
    Exchange) protocols on the printer.
    The IP Sec implementation is a ‘full’ implementation: the device can initiate a connection for print, 
    scan and administration, and fully work with other industry IPsec nodes. IPsec is necessary for securing 
    many protocols including:
    • LPR and Port9100 printing
    • FTP Filing
    • Scan to E-mail
    • LDAP
    • Internet Fax
    Security Policies: To Enable IP Sec
    Note: IP Sec cannot be enabled until SSL (Secure Sockets Layer) is enabled on the device. To 
    enable SSL on a device, the device needs to have a Server Certificate. For instructions to set up a 
    Server Certificate, refer to Security Certificate Management on page 179.
    Note: To configure this feature or these settings, access the Properties tab as a System 
    Administrator. For details, refer to Access Internet Services as System Administrator on page 24.
    1. From the Properties tab, click on the [Security] link.
    2. Select [IP Sec] in the directory tree.
    3. Ensure [Security Policies] tab is highlighted under the IPsec heading.
    4. In the Settings area, check the [Enabled] checkbox for Enablement to enable IP Sec.
    5. Click on the [Apply] button.
    Note: It is recommended that IP Sec is enabled after the Host Groups, Protocol Groups and Action 
    have been configured and defined.
    Define Policy 
    						
    An IPsec Policy is a set of conditions, configuration options and security settings which allows two 
    systems to agree on how to secure traffic between them. Multiple policies can be simultaneously 
    active; however, the scope and policy list order may alter the overall policy behavior.
    Note: Before creating Policies, configure Host Groups, Protocol Groups and Actions.
    6. In the Define Policy area, there are three policy options:
    • Hosts Groups
    • Protocol Groups
    • Action
    This area allows you to select settings for allowing or disallowing Hosts and Protocols and what 
    action is to be taken.
    7. For each individual option select settings from each drop-down menu.
    8. Click on the [Add Policy] button.
    Saved Policies
    9. In the Saved Policies area, there will be a list of all the policies saved.
    10. To delete a policy, highlight the policy and click on the [Delete] button.
    11. You can also prioritise an individual policy by clicking the [Promote] and [Demote] buttons.
    Disable IP Sec at the device
    Note: To configure this feature or these settings, access the Tools pathway as a System 
    Administrator. For details, refer to Access Tools Pathway as a System Administrator on page 18.
    1. From the Tools pathway, touch [Network Settings].
    2. Touch [IP Sec].
    3. Touch [Disable], then touch [Save].
    4. Press the  button.
    5. Touch [Logout] to exit the Tools pathway.
    Host Groups
    The Host Groups page allows you to view and manage host groups. A host group is a logical grouping of 
    hosts based on their specific IP Address or subnet address range. This option displays all the Host 
    Groups saved and the details of each Host Group.
    At your Workstation:
    Note: To configure this feature or these settings, access the Properties tab as a System 
    Administrator. For details, refer to Access Internet Services as System Administrator on page 24.
    1. From the Properties tab, click on the [Security] link.
    2. Select [IP Sec] in the directory tree.
    3. Ensure [Host Groups] tab is highlighted under the IPsec heading.
    4. Host Groups can be deleted by highlighting a Host Group in the IP Host Group area, and clicking 
    on the [Delete] button. If the Host Group selected is not being used by a security policy, then click 
    on the [OK] button. 
    						
    5. To add or edit a Host Group in the IP Host Group area, either click on the [Add New Host Group] 
    button or highlight a Host Group and click on the [Edit] button.
    Note: If you change the name of the Host Group that is being used in the Security policy, then 
    the updated host group name will also be reflected in the security policy details.
    6. In the IP Host Group Details area:
    a. To define or modify a Host Group enter the name of the Host Group in the [Name] field.
    b. Enter a description or purpose of this Host Group in the [Description] fields.
    7. In the Address List area select at least one set of network information.
    a. Select either [IPv4] or [IPv6].
    b. From the Address Type drop-down menu, select one of the following:
    • Specific - to specify a single IP Address.
    • All - if all addresses of the IP type are to be included.
    • Subnet - to specify a range of IP Addresses.
    c. For the [IP Address] field, enter the Specific or Subnet address range. For a Subnet range, 
    enter the lowest IP Address in the fields provided, then the final IP lower octet (for IPv4) or 
    range (for IPv6) in the final field.
    d. Click on the [Add] button, to add the address range to the host group.
    8. Click on the [Save] button to return to the IPsec page.
    9. Click on the [OK] button when you see the message “Properties have been successfully 
    modified” to save changes and return to the IP Sec page.
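How policy list order and Host Group scope interact, as an added model (not Xerox code) covering the Define Policy and Host Groups sections above. It assumes first-match evaluation from the top of the Saved Policies list, which the guide does not state; it is IPv4 only, reduces a Protocol Group to (protocol, port) pairs, and the policy names, action names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class AddressEntry:
    """One Address List row of a Host Group (IPv4 only in this model)."""
    kind: str                  # "Specific", "All" or "Subnet"
    low: str = "0.0.0.0"       # Specific address, or lowest address of a Subnet
    last_octet: int = 0        # Subnet only: final lower octet of the range

    def bounds(self):
        if self.kind == "All":
            return 0, 2**32 - 1
        lo = int(IPv4Address(self.low))
        if self.kind == "Specific":
            return lo, lo
        hi = (lo & ~0xFF) | self.last_octet
        if hi < lo:
            raise ValueError(f"range end .{self.last_octet} is below {self.low}")
        return lo, hi


@dataclass(frozen=True)
class Policy:
    name: str
    hosts: tuple               # AddressEntry rows of the Host Group
    services: frozenset        # Protocol Group as (protocol, port) pairs
    action: str                # hypothetical action name

    def matches(self, ip, proto, port):
        addr = int(IPv4Address(ip))
        in_hosts = any(lo <= addr <= hi for lo, hi in (e.bounds() for e in self.hosts))
        return in_hosts and (proto, port) in self.services


def evaluate(policies, ip, proto, port):
    """Assumed first-match semantics: the highest matching policy decides."""
    for p in policies:
        if p.matches(ip, proto, port):
            return p.action
    return None


def find_shadowed(policies):
    """Return (policy, earlier_policy) pairs where the earlier one covers it fully."""
    out = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            q_ranges = [e.bounds() for e in q.hosts]
            covered = all(any(ql <= lo and hi <= qh for ql, qh in q_ranges)
                          for lo, hi in (e.bounds() for e in p.hosts))
            if covered and p.services <= q.services:
                out.append((p.name, q.name))
                break
    return out


def promote(policies, name):
    """Mirror of the [Promote] button: move the named policy up one place."""
    order = list(policies)
    i = next(k for k, p in enumerate(order) if p.name == name)
    if i > 0:
        order[i - 1], order[i] = order[i], order[i - 1]
    return order


# Constructed sample data (documentation address ranges, hypothetical names).
PRINTING = frozenset({("tcp", 9100), ("tcp", 515)})   # Port9100 and LPR
SAVED = [
    Policy("everyone-block", (AddressEntry("All"),), PRINTING, "block"),
    Policy("admins-ipsec", (AddressEntry("Subnet", "192.0.2.10", 20),), PRINTING, "ipsec-ike"),
]

if __name__ == "__main__":
    print(evaluate(SAVED, "192.0.2.15", "tcp", 9100), find_shadowed(SAVED))
    fixed = promote(SAVED, "admins-ipsec")
    print(evaluate(fixed, "192.0.2.15", "tcp", 9100), find_shadowed(fixed))
```

Under the first-match assumption, a narrow policy listed below a broader one for the same protocols never takes effect, so it is worth checking the Saved Policies order after every [Add Policy].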
    Protocol Groups
    This option displays all the Protocol Groups saved and the details of each Protocol Group. 
    1. From the IP Sec page, click on the [Protocol Groups] tab under IPsec heading.
    2. Protocol Groups can be deleted by highlighting a Protocol Group in the IP Protocol Groups area 
    and clicking on the [Delete] button. If the Protocol Group selected is not being used by a security 
    policy, then click on the [OK] button.
    3. To add or edit a Protocol Group in the IP Protocol Groups area click on either the [Add New 
    Protocol Group] button or highlight a Protocol Group and click on the [Edit] button.
    Note: If you change the name of a Protocol Group that is being used in Security policy, then the 
    updated protocol group name will also be reflected in the security policy entry.
    a. In the IP Protocol Group Details area, enter the name of the protocol group in the [Group 
    Name] field.
    b. Enter description for this protocol group in the [Description] field.
    c. Check the required services checkboxes for this protocol group under [Service Name].
    4. In the Custom Protocol area:
    a. Check the corresponding checkboxes to select or deselect a custom protocol. Enter details in 
    the [Service Name] field.
    b. From the [Protocol] drop-down menu select the protocol type.
    c. Enter the port number in the [Port] field. 
    						
    d. From the [Device is] drop-down menu, select either [Server] or [Client].
    Note: The [Service Name], [Protocol], [Port] and [Device is] fields for a Custom Protocol 
    will be disabled when its associated checkbox is unchecked.
    5. Click on the [Save] button to return to the IPSec page.
    Actions
    This option displays the list of actions associated with the IPsec security policies. You can view and 
    manage IP actions that can be used in the security policies.
    1. From the IP Sec page, click on the [Actions] tab under IPsec heading.
    2. To delete an Action, highlight an Action in the IP Actions area and click on the [Delete] button. If 
    the Action selected is not being used by a security policy, then click on the [OK] button.
    3. To add or edit an Action, in the IP Protocol Group area:
    a. Click either on the [Add New Action] button to add a new Action or highlight an Action and 
    click on the [Edit] button to edit details of an Action.
    Note: If you change the name of an Action that is being used in Security policy, then the updated 
    action name will also change in the security policy entry.
    4. The Step 1 of 2 page displays. In the IP Action Details area:
    a. Enter a name for this IP Action in the [Action Name] field.
    b. Enter a description for this IP Action in the [Description] field.
    5. In the Keying Method area:
    a. Select a Keying Method. This will specify the type of authentication used in an IP Sec policy. 
    Select one of the following:
    • Manual Keying - this method is used if client devices are not configured for, or do not 
    support, IKE.
    • Internet Key Exchange (IKE) - this is a keying protocol that works on top of IPsec. IKE 
    offers a number of benefits including: automatic negotiation and authentication; 
    anti-replay services; certification authority (CA) support; and the ability to change encryption 
    keys during an IPsec session. Generally, IKE is used as part of virtual private networking.
    • X.509 Certificate (Local Certificate) - this is a public key certificate.
    • Trusted Root Certificate.
    • Pre-shared Key Passphrase - the use of pre-shared key authentication is not 
    recommended because it is a relatively weak authentication method.
    b. If you select [Internet Key Exchange (IKE)], enter the pre-shared key passphrase in the 
    [Pre-shared Key Passphrase] field.
    Note: Only one Action may be created when selecting Internet Key Exchange (IKE) Keying 
    Method.
    6. Click on the [Next] button to display the Step 2 of 2 screen.
    If you Selected Manual Keying as the Keying Method:
    1. In the Mode Selections area, select one of the [IPsec Mode] options from the drop-down menu:
    • Transport Mode - this is the default Mode for IP Sec. This only encrypts the IP payload.
    						
    • Tunnel Mode - this mode encrypts the IP header and the payload. It provides protection on 
    an entire IP packet by treating it as an AH (Authentication Header) or ESP (Encapsulating 
    Security Payload) payload.
    When this mode is selected, you have the option of specifying a host IP Address.
    2. In the Security Selections area select preferred option and enter the required information.
    3. Click on the [Save] button to return to the IP Sec - Action page.
    If you Selected Internet Key Exchange (IKE) as the Keying Method:
    IKE Phase 1 authenticates the IPSec peers and sets up a secure channel between the peers to enable 
    IKE exchanges.
    IKE Phase 2 negotiates IP Sec Security Associations (SAs) to set up the IP Sec tunnel.
    1. In the IKE Phase 1 area:
    a. For [Key Lifetime] enter the length of time that this key will live, either in seconds, minutes or 
    hours.
    b. Select the required option from the [DH Group] drop-down menu. Choose one of the following:
    • DH Group 2 - which provides a 1024 bit Modular Exponential (MODP) keying strength.
    • DH Group 14 - which provides a 2048 bit MODP keying strength.
    Diffie-Hellman (DH) is a public-key cryptography scheme that allows two parties to establish a 
    shared secret over an insecure communications channel. It is also used within IKE to establish 
    session keys.
    c. For Hash - Encryption, check the required checkboxes:
    • SHA1 (Secure Hash Algorithm 1) and MD5 (Message Digest 5) are one-way hashing 
    algorithms used to authenticate packet data. Both produce a 128-bit hash. The SHA1 
    algorithm is generally considered stronger but slower than MD5. Select MD5 for better 
    encryption speed, and SHA1 for better security.
    • 3DES (Triple-Data Encryption Standard) is a variation on DES that uses a 168-bit key. As 
    a result, 3DES is more secure than DES. It also requires more processing power, resulting 
    in increased latency and decreased throughput.
    • AES (Advanced Encryption Standard) is a more secure method compared to 3DES.
    2. In the IKE Phase 2 area:
    a. Select from the [IPSec Mode] drop-down menu one of the following:
    • Transport Mode - this provides a secure connection between two endpoints as it 
    encapsulates the IP payload, while Tunnel Mode encapsulates the entire IP packet.
    • Tunnel Mode - this provides a virtual ‘secure hop’ between two gateways. It is used to 
    form a traditional VPN, where the tunnel generally creates a secure tunnel across an 
    untrusted Internet.
    b. If you select [Tunnel Mode], then select either [Disabled], [IPv4 Address] or [IPv6 Address].
    c. If you select IPv4 Address or IPv6 Address, enter IP Address details.
    d. From the [IPsec Security] drop-down menu, select either Both, ESP or AH.
    AH (Authentication Header) and ESP (Encapsulating Security Payload) are the two main 
    wire-level protocols used by IPsec, and they authenticate (AH) and encrypt and authenticate 
    (ESP) the data flowing over that connection. They can be used independently or together.
    e. For [Key Lifetime] enter the length of time that this key will be valid for, either in seconds, 
    minutes or hours.
    						
    f. Select the preferred option from the [Perfect Forward Secrecy] drop-down menu. Default is 
    ‘None’.
    g. Check the required checkboxes for [Hash] and [Encryption].
    Hash refers to the authentication mode, which calculates an Integrity Check Value (ICV) over 
    the packet's contents. This is built on top of a cryptographic hash (MD5 or SHA1).
    Encryption uses a secret key to encrypt the data before transmission. This hides the contents 
    of the packet from eavesdroppers. Algorithm choices are AES and 3DES.
    Note: Encryption will not be shown if [IPsec Security] is set to AH.
    3. Click on the [Save] button to return to the IPSec - Action page. 
    						
    Security Certificates
    A Trusted Certificate Authority is a Certificate Authority (CA) that is trusted to authenticate digital 
    certificates. This page allows trusted root certificates to be uploaded to a server so that the server will 
    ‘trust’ any certificates that have been signed by that CA.
    Digital certificates and the enablement of SSL provide encryption for all workflows where the device is 
    used as an HTTPS server.
    Workflows include:
    • Administration of the device via Internet Services
    • Printing via Internet Services
    • Printing via IPP
    • Scan Template Management
    • Workflow Scanning via HTTPS
    • Administration of Network Accounting
    To Access the Security Certificates Screen
    The device exports the signed certificate to the client to establish an SSL/HTTPS connection.
    Note: To configure this feature or these settings, access the Properties tab as a System 
    Administrator. For details, refer to Access Internet Services as System Administrator on page 24.
    1. From the Properties tab, click on the [Security] link.
    2. Select [Security Certificates] in the directory tree.
    The Security Certificates page shows any currently installed trusted root certificates in the 
    Root/Intermediate Trusted Certificate(s) tab.
    To Install a Machine Root Certificate
    To complete this procedure you must have a digital certificate available. For instructions to configure a 
    digital certificate, refer to Security Certificate Management on page 179.
    1. At the Security Certificates screen, select the [Root/Intermediate Trusted Certificate(s)] tab 
    and click on the [Install external Root/Intermediate trusted certificates] button.
    2. Click the [Choose File] button to locate the signed certificate from the Trusted Certificate 
    Authority. This file has an extension “CER” or “CRT”. Click on the [Open] button.
    3. Click on the [Next] button. The details of the Certificate are displayed. Change the friendly name 
    of the Certificate if required and click [Next].
    4. The digital certificate will appear in the installed certificates list in the Root/Intermediate Trusted 
    Certificate(s) area.
    To Delete a Certificate
    1. At the Security Certificates screen, select a certificate from the list in the Installed Certificate 
    area. 
    						
    2. Click on the [Delete] button.
    3. Click on the [OK] button when the acknowledgement message appears.
    To Request a Machine Root Certificate
    If the device does not have a trusted root certificate, or if it is using a self-signed certificate, users may 
    see an error message related to the certificate when attempting to connect to the device’s Internet 
    Services server. To resolve this, install the generic Xerox Root CA Certificate in users' Web browsers.
    1. At the Security Certificates screen, right-click on the [Download the Generic Xerox Device CA] 
    link which appears at the bottom of the screen, under the installed Certificates list.
    2. Select [Save Target As].
    3. Browse to the location where you want to save the cacert.crt file and click on [Save].
    The cacert.crt file is now ready to be uploaded to any device needing a Machine Root Certificate. 
    						