Enforce HTTPS communication
You can connect to PaperCut NG/MF using either HTTP or HTTPS. However, you can enforce the use of HTTPS in one of the following ways:
- Redirect to HTTPS/SSL if available—Redirect HTTP connections to HTTPS. The redirect is performed every time a user attempts to access PaperCut via HTTP, which can allow some vulnerability around man-in-the-middle attacks.
- Use HTTP Strict Transport Security (HSTS)—HSTS instructs the browser to only connect via HTTPS and not HTTP for a configured timeout period. The redirect is performed only once in the timeout period when the user first logs in rather than every time the interface is accessed. This minimizes the chance of man-in-the-middle attacks.

- You must use a signed SSL certificate to enforce HTTPS, otherwise users will not be able to access PaperCut NG/MF. For more information, see Generate SSL/HTTPS keys.
- HSTS instructs the browser to connect on port 443 only. Before enabling HSTS, test the connection to PaperCut on port 443.

To enforce HTTPS communication:
- Test the connection to PaperCut NG/MF on port 443:
  - In a browser, connect to https://<Application Server address>.
  - Check that the URL does not include “:9192” at the end.
- Select Options > Advanced. The Advanced page is displayed.
- In the Security area:
  - Select the Redirect to HTTPS/SSL if available check box.
  - If you want to connect using HSTS, select the Use HTTP Strict Transport Security check box.
    IMPORTANT: If you select this option, you must use port 443. For more information about changing the port, see Enable ports 80 (HTTP) and 443 (HTTPS).
- Click Apply.
- Restart the Application Server (see Stop and start the Application Server).
- Perform a test print job to test all MFDs/printers to ensure they can still submit information to the Application Server.

NOTE: If you cannot connect to the Application Server after enabling HSTS, it is likely due to either:
- an invalid SSL certificate
- the Application Server is running on a port other than 443

You should roll back your changes:
- Log in to the server running the PaperCut NG/MF Application Server.
- Connect to the PaperCut NG/MF Application Server web interface using localhost, for example, http://localhost:9191. Non-secure HTTP connections are allowed when connecting from localhost.
- Clear the Redirect to HTTPS/SSL and Use HTTP Strict Transport Security check boxes.
- Restart the Application Server.
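
The port 443 test and the two failure causes named in the note can also be checked from a script. The Python below is an added example, not part of the PaperCut documentation: check_tls tests the certificate and the connection on port 443, and review inspects captured HTTP and HTTPS replies for the redirect and the HSTS header. The host print.example.com, the sample replies and all function names are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

def check_tls(host, port=443, timeout=5):
    """Return None if host:port presents a certificate that validates, else a reason."""
    ctx = ssl.create_default_context()  # checks chain, expiry and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return f"invalid certificate: {exc.verify_message}"
    except OSError as exc:
        return f"cannot connect on port {port}: {exc}"

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name.strip().lower() == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def review(http_status, http_location, https_headers):
    """List problems in captured replies: plain-HTTP status/Location, HTTPS headers."""
    problems = []
    target = urlsplit(http_location or "")
    if http_status not in (301, 302, 303, 307, 308) or target.scheme != "https":
        problems.append("HTTP is not redirected to HTTPS")
    elif target.port not in (None, 443):
        problems.append(f"redirect targets port {target.port}, this page requires 443 for HSTS")
    headers = {k.lower(): v for k, v in https_headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        problems.append("no Strict-Transport-Security header")
    elif not parse_hsts(hsts)["max_age"]:
        problems.append("HSTS max-age is missing or 0, so browsers keep no policy")
    return problems

# Constructed sample replies (hypothetical host print.example.com).
SAMPLE_BAD = (302, "https://print.example.com:9192/user", {"Server": "example"})
SAMPLE_GOOD = (302, "https://print.example.com/user",
               {"Strict-Transport-Security": "max-age=31536000"})
```

check_tls needs network access to the Application Server; review works on replies captured with any HTTP client.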