PrinterOn KB Powered By ePRINTit USA

How to force all traffic to use HTTPS, and disable http in PrinterOn Enterprise - c06620957

Using the steps below, the administrator of the PrinterOn Enterprise solution can force all traffic to use HTTPS while disabling HTTP traffic. Each component of the solution will need to be verified. There may be two areas to review for each component: the component's communication with CPS to validate licensing and serial numbers, and incoming requests to the component.

Service URL & Internal Service URL

See Article 'How to update your Service URL' for details on how to update your Service URL to reflect HTTPS. The same steps can be used to update your Internal Service URL.

See Article 'Internal Service URL' for details on the correct syntax for your Internal Service URL. The Internal Service URL is http by default.

Central Print Services (CPS)

By changing the Service URL and Internal Service URL, user communication to CPS will be done using https. Apache Tomcat must be updated to utilize a trusted certificate. A Java keystore or a PFX file is the best format to use. See Article 'How to define a PFX SSL certificate file within the PrinterOn Enterprise server.xml file' for details on how to configure Apache Tomcat for use with a PFX certificate, or Article 'Detailed steps to get CA-signed SSL cert into Apache' for details on how to configure Apache Tomcat for use with a Java keystore.

In addition, the communication from CPS to PrintAnywhere can be secured further, and an http -> https redirect can be put in place for the web print page.

  1. Open the PrinterOn Configuration Manager and navigate to Advanced -> Components
  2. Select Configure on the Central Print Services, then click on the Advanced tab
  3. Copy the PrintAnywhere Server URI, typically this is http://localhost/PasServlet/PasServlet
  4. Paste that URL into a browser, changing the address to HTTPS instead of HTTP, and validate that an XML error is displayed when connecting
    NOTE:
    This error is good. If visiting this URL does not display the XML error, that issue needs to be resolved before continuing. If you get a certificate error, that's fine as well.
  5. If the XML error is seen, update the PrintAnywhere Server URI on the Central Print Service's Advanced tab to be https://localhost/PasServlet/PasServlet (https)
  6. Navigate to Home -> Services then select to stop the Central Print Services
  7. Open Windows Explorer and navigate to C:\Program Files (x86)\PrinterOn Corporation\Apache Tomcat\Conf
  8. Edit the web.xml file with Notepad in administrator mode
  9. Scroll all the way to the very bottom of the file just before the paste the information below
  10. Save the web.xml file (you might need to save this file to the desktop first before you can copy it back to this same directory)
  11. Once the changes have been saved, navigate back in the Configuration Manager, then the Services tab
  12. Select start on the Central Print Service, wait about 5 minutes, then try going to the http URL and validate that it routes properly to https.
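
Step 9 refers to a snippet that is not reproduced on this page. As an added example (not PrinterOn's own text), the standard Servlet-specification way to make Tomcat redirect HTTP requests to HTTPS is a security constraint with a CONFIDENTIAL transport guarantee, placed just before the closing </web-app> tag of web.xml; the web-resource-name value is a label chosen for this example.

```xml
<!-- Added example, not from the PrinterOn article: standard Servlet-spec
     constraint that makes Tomcat redirect plain-HTTP requests to HTTPS. -->
<security-constraint>
    <web-resource-collection>
        <!-- Free-form label (chosen for this example) -->
        <web-resource-name>All web applications</web-resource-name>
        <!-- Apply the constraint to every path served by this Tomcat instance -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL: the request must arrive over TLS; otherwise Tomcat
             redirects it to the redirectPort set on the HTTP connector in server.xml -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

The redirect target is the redirectPort attribute of the HTTP connector in server.xml, so that value must match the port of the HTTPS connector. The initial HTTP request still reaches the server in cleartext before it is redirected, which is why the Service URL and Internal Service URL themselves should already point to https.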

PrintAnywhere (PAS)

PrintAnywhere can only utilize https to communicate with CPS. No changes will be required within this component.

Note that the 2 services within this component (PrintAnywhere Status Server & PrintAnywhere Processing Server) communicate over TCP socket based ports 5200 & 5400 which cannot be secured with SSL/TLS. These ports should be secured by blocking incoming requests to these ports. When clustering, precaution must be taken to ensure direct access to the server on these ports is not available except from the - this may require deploying an internal Load Balancer behind a public Load Balancer.

Print Delivery Gateway (PDG)

PDG uses https to communicate with CPS by default.

Proper syntax of the Service URI shown on the Print Delivery Gateway Networking tab is https://IP-or-DNS/cps, e.g. https://acme.printanywhere.com/cps

To verify PDG is using https to communicate with CPS:

  1. Open the PrinterOn Configuration Manager and navigate to Advanced -> Components
  2. Select Configure on the Print Delivery Gateway, then click on the Networking tab
  3. Review the Service URI field and confirm it begins with https and ends with /cps

PDG listens on port 6310 https by default using a self-signed certificate. To update this certificate you'll need a keystore which contains your root and intermediate certificates. See Article 'How to configure Print Delivery Gateway to utilize a signed/trusted certificate' for details on how to configure PDG to utilize a trusted keystore to receive jobs.

Print Delivery Hub (PDH)

PDH uses http by default to communicate with CPS.

Proper syntax of the Service URI shown on the Print Delivery Hub Networking tab is https://IP-or-DNS/cps/rest, e.g. https://acme.printanywhere.com/cps/rest

To update PDH to communicate with CPS on https:

  1. Open the PrinterOn Configuration Manager and navigate to Advanced -> Components
  2. Review the Services Manager URL field and confirm it begins with https and ends with /cps/rest

PDH listens on port 631 http by default. To update this component to use a trusted/signed certificate you'll need a keystore which contains your root and intermediate certificates. See Article 'How to configure Print Delivery Hub to utilize a signed/trusted certificate' for details on how to configure PDH to utilize a trusted keystore to receive jobs.

Print Delivery Station (PDS)

PDS uses http by default to communicate with CPS.

Proper syntax of the Service URI shown on the Print Delivery Station Networking tab is https://IP-or-DNS/cps/rest, e.g. https://acme.printanywhere.com/cps/rest

To update PDS to communicate with CPS on https:

  1. Open the PrinterOn Configuration Manager and navigate to Advanced -> Components
  2. Select Configure on the Print Delivery Station, then click on the Networking tab
  3. Review the Services Manager URL field and confirm it begins with https and ends with /cps/rest

PDS listens on port 631 http by default. To update this component to use a trusted/signed certificate you'll need a keystore which contains your root and intermediate certificates. See Article 'How to configure Print Delivery Station to utilize a signed/trusted certificate' for details on how to configure PDS to utilize a trusted keystore to receive jobs.

NOTE:

Applies to PrinterOn Enterprise 3.x and later.