Use Case – Secure Mobile Print for Visitors

1. User sends an e-mail to dedicated Dispatcher Paragon Mobile Print Server e-mail address with the the document to be printed attached.

2. Dispatcher Paragon Mobile Print Server downloads the e-mail via IMAP, extracts the attachment and verifies that the sender's e-mail address doesn't belong to any of existing Dispatcher Paragon users.

3. Dispatcher Paragon Mobile Print Server asks Dispatcher Paragon Site Server to create a new user account with username set to the e-mail sender.

4. Dispatcher Paragon Mobile Print Server converts the attached document into PDF and submits a print job to Dispatcher Paragon Site Server with job owner set to the e-mail sender and with a tag "mobile".

5. Dispatcher Paragon Site Server accepts the print job, holds the print job in secure queue and applies Rule-Based Engine rules to the print job's metadata.

6. One of the Rule-Based Engine rules matches and executes the custom script.

7. Custom script generates random and unique PIN code, assigns the PIN code to the job owner and sends an e-mail containing the generated PIN code to the user.

8. User walks to a device with terminal, authenticates using the PIN code obtained via e-mail, releases the job to the device and picks up the printed pages.

Implementation Details

Known Limitations

• Only the following options are supported for the Dispatcher Paragon conversionPIN setting: "MD5" (the default), "MD5WithoutPrefix", "PrefixPIN" and " Plain ".

  • Note: In the case of the "Plain" option, all PINs must have no more than X digits, and all card numbers must have more than X characters. This is because Credential Generator needs to know X (the threshold), to distinguish a PIN from a card number in the database.

• PIN history settings and puk-ignore-pin System Settings are ignored.

• Sending the e-mail notification about errors encountered to the administrator may fail (for example due to misconfigured e-mail settings), thus this option can not fully replace observing the log file.

• The e-mail message text is a global setting, common to all users.

• The configured cost center is a global setting, common to all users.

• Database failover is not supported.

• Batch credential generator supports only generation of PIN codes (not the CACs or passwords).

• Encrypted configuration option values other than DB password may be mentioned in the debugging messages and thus may leak to the logfile if log level is set to DEBUG.

• Performance of the batch credential generator depends on the speed of SMTP communication – the script itself was able to process 100k users (PostgreSQL on localhost) in less than 10 minutes when e-mail notifications were disabled.

• Client certificate for SSL/TLS connections is not supported.

Pre-requisites

• Dispatcher Paragon installed and configured

  • Both PostgreSQL and Microsoft SQL Server are supported

• Microsoft Visual C++ 2015 Redistributable (latest version)

• SMTP server

• Credential Generator MSI package

• Network access to SMTP server

• Network access to Dispatcher Paragon database

• Secure Mobile Print for visitors only:

  • Installed and enabled Mobile Print Server (enableMobilePrintServer = True)

  • Mailbox on IMAP server

  • Print Management Suite license (technically, at least the Mobile Print, Rule-Based Engine, Pull Printing and Accounting modules; in practice, this means the Print Management Suite)
    

Installation

• Install Credential Generator from MSI package (and optionally change the location of the installed files)

• Adjust Credential Generator's INI configuration file (located in the same folder as credential_generator.exe)

• Uncomment (i.e., delete the hash/pound ("#") character at the start of the line) the line db_schema = tenant_1 and, in the case of a multi-tenant installation, change the database schema name as relevant for the tenant.

• Make sure the log file location (specified in credential_generator.ini on the line log_file = ...) is correct.

• If you want to generate passwords, enable the allowMD5PasswordEncoder system property in Dispatcher Paragon.

• Batch credential generator only:

  • If desired, register a new task for Windows Task Scheduler using the command line ( make sure to replace "XXX" with the full path to the installation directory):

>

>

• Secure Mobile Print for visitors only:
  

  • Create two cost centers: one for users that do not have the credentials yet and one for users that already received the credentials (the procedure below uses names "Needs PIN" and "Has PIN" for these cost centers)

  • Create a user with username set to "template", belonging to the cost center "Needs PIN"

  • In System Settings:
    

    • enableAnonymousMobilePrint = True

    • templateUserLogin = template

  • Create RBE rule:

    • triggers on job reception

    • the print job must have a tag "Mobile"

    • optional: the print job must belong to a user from cost center "needs PIN"

      • Note: this condition is an optional optimization to avoid executing the Credential Generator for every single mobile print job for performance reasons. However, it is incompatible with pin_rewrite values other than Never.

    • executes "XXX\credential_generator\credential_generator.exe [USER_LOGIN]" (without the double-quotes, and make sure to replace "XXX" with the full path to the installation directory)

  • The default configuration is to avoid generating new credentials if the same user already had them generated less than two minutes ago. This is done to avoid sending multiple credentials in the case of an email with multiple attachments, which would only confuse users (they would have to use the credential that was generated last). You can change this using the configuration option min_seconds_between_runs.

• When running the Credential Generator on server(s) different from the database server, especially when the database is installed locally on a Dispatcher Paragon server:

  • Make sure that connections to the database are allowed from outside the database server (both on the firewall and in the database configuration). For PostgreSQL, add the following line to pg_hba.conf:

    • host all all <ip address>/<netmask> md5

INI file configuration

Please see the default credential_generator.ini file and comments within it, which are indicated by the hash/pound ("#") character.

• Options that need to be adjusted for particular environment:
  

  • Example for a PostgreSQL database:
    

    • db_type = PostgreSQL

    • db_connection_string = host=pgsql.domain.local port=5433 dbname=DBNAME user=postgres password=topsecret

  • Example for a Microsoft SQL Server database (SQL authentication):

  • db_type = MS SQL

  • db_connection_string = DRIVER={SQL Server};SERVER=safeq\SQLINSTANCE;DATABASE=DBNAME;UID=sa;PWD=topsecret

• Example for a Microsoft SQL Server database (domain authentication):
  

  • db_type = MS SQL

  • db_connection_string = DRIVER={SQL Server};SERVER=MyServer;DATABASE=MyDB;Trusted_Connection=True

  • In this case the SPOC service has to run under a domain account which has proper rights to the database.

• db_schema = tenant_1

• smtp_server = mailserver.domain.local

• smtp_port = 25

• # change smtp_port usually to 465 if using smtp_ssl

• smtp_ssl = False

• smtp_user = mailuser

• smtp_password = topsecret

• # STARTTLS uses the default SMTP port

• smtp_starttls = False

• # If you enable this, no validation will be done on the SSL/TLS server certificate. Totally insecure.

• smtp_insecure_dont_validate_certificate = False

• # path to a file of concatenated CA certificates in PEM format

• smtp_ca_certificates_pem_file =

• # path to a directory containing several CA certificates in PEM format, following an OpenSSL specific layout

• smtp_ca_certificates_pem_dir =

• email_from = credential.generator@domain.local

• admin_email = admin@domain.local

• email_subject = Dispatcher Paragon Visitor Print: Access granted, pick up your documents

• email_body = Your documents have been queued. To print the documents, please authenticate at any printer by typing your PIN code '{0}'.\nKeep the PIN code for future use.

• email_body_1 = Your documents have been queued. To print the documents, please authenticate at any printer by swiping your card. Use the code '{1}' to assign a card to yourself.

• email_body_2 = Your documents have been queued. To print the documents, please authenticate at any printer by typing your email address as the username and the following as password: '{2}'.

• email_body_is_html = False

• allowed_usernames = [^@]+@[^@]+\.[^@]+

• conversionPIN = MD5 or MD5WithoutPrefix or PrefixPIN or Plain_ X

  • In the case of the "Plain" option, all PINs must have no more than X digits, and all card numbers must have more than X characters. Credential Generator needs to know "X" (the threshold), to distinguish a PIN from a card number in the database. Therefore, if the conversionPIN property is configured to Plain in Dispatcher Paragon, then you must configure conversionPIN=Plain_ X here, where X is the maximum length of PINs. Example: conversionPIN=Plain_6 if PINs have up to 6 digits and all card numbers have at least 7 characters.

• Options specific for Credential generator:

  • move_to_cost_center = True

  • cost_center = Has PIN

  • email_recipient_from_username = True

  • db_retries = 3

  • db_seconds_before_retry = 10

  • pin_send_existing = False/True

  • generate_password = False/True

  • password_rewrite = Never/Always

  • generate_puk = False/True

  • min_seconds_between_runs = 120

• Options specific for Batch credential generator:

  • email_recipient_from_username = False

• Options where default values should be sufficient:

  • generate_pin = True

  • pin_length = 6

  • pin_rewrite = Always

  • max_generation_attempts = 100

  • email_notifications = True

  • email_encoding = UTF-8

  • email_errors = True

  • error_subject = SafeQ Credential Generator encountered an error

  • log_file = C:\\XXX\\logs\\credential_generator.log

  • max_log_size = 8388608

  • log_backups = 9

  • log_format = %(asctime)s %(levelname)9s %(process)d %(message)s

  • log_encoding = utf-8

  • log_level = INFO

• Options that are needed only for special use cases:

  • allowed_usernames = .*@(domain1.com|domain2.com)

  • allowed_emails = [^@]+@example\.com$

  • cost_center_from_username = .*@domain1.com -> Employees; .*@domain2.com -> Contractors; .* -> Guests

  • generate_puk = True

  • puk_length = 6

  • generate_password = True

  • password_length = 10

  • remove_role = True

  • role = Needs PIN

  • remote_logging = True

  • remote_logging_server = cml1.domain.local

  • remote_logging_port = 9020

Note: If allowed_usernames and allowed_emails properties have empty values (only whitespaces after the equal sign) or the value ".*" (period and asterisk), all users are processed (no users are skipped as not matching the criteria). The value is a Python regular expression – see https://docs.python.org/3/howto/regex.html

Note: generate_puk option generates CAC (card activation codes, formerly known as PUK codes).

Note: email_body option can use \n for continuing on another line.

Note: email_body can use placeholders for the actual value of the credentials: {0} for the PIN code, {1} for the CAC and {2} for the password.

Note: email_body can be used multiple times (email_body, email_body_0, email_body_1, email_body_2, etc.). Those that include a placeholder for a credential type that was not generated will be filtered out, and the remaining ones concatenated in order.

Note: Backslashes in paths must be doubled (the backslash itself is an escape character).

Note: True and False values are case-sensitive. None value (case sensitive) is interpreted the same way as empty value. Do not delete unused keys (names of the variables with equal sign). Lines starting with # are treated as a comment and ignored. Lines without equal sign are ignored.

Note: Any configuration option's value can contain an encrypted value (in format code,number,number...) which is automatically decrypted. Example of partially encrypted connection string:

db_connection_string = host=localhost port=5433 dbname=DBNAME user=postgres password=code,-3,5,98,45,18,-7,-125,-92

Note: cost_center_from_username option contains a list of mappings delimited by semicolons. Each mapping consists of two parts delimited by an arrow (minus and greater-than sign), first part is a regular expression applied to the username and second part is cost center name. Leading and trailing whitespaces in first and second part are ignored, whitespaces inside the first and second part are preserved.

Note: Denying unknown e-mail senders (=not generating/sending any credentials for them) can be done using the allowed_usernames option. Since the cost centers in cost_center_from_username are searched sequentially and first matching wins, "catch-all" cost center can be achieved by setting the last pattern to .* (dot and star). Users that do not match any pattern are not moved to any cost center (they retain the cost center of the templateUserLogin).

credential_generator.log sample for Success

>

>

Note: The 4104 number in the log output above indicates the Windows process ID of the script.

Note: Before reporting any issues to Konica Minolta, please set the log_level = DEBUG in the INI file, reproduce the incorrect behavior and include the relevant part of the credential_generator.log in the incident report.

credential_generator.log sample for Failure

>

>

Note: The last line shows the error message (ConnectionRefusedError) and the first line above it that doesn't contain "Python34" shows the part of the script's code that failed (with contextlib.closing(self.smtp_class(self.config["smtp_server"], self.config["smtp_port"])) as smtp:) which means that the connection was refused when trying to send an e-mail via SMTP. The "Rolled back" line indicates that the generated PIN was not committed to the database regardless of the line "PIN generated for user" above.

Note: Parts replaced by ellipsis (...) in the log output above may contain non-existing beginning of the filesystem path – this is caused by packaging the script into an EXE, please ignore it.