How to harden the communication with the Ricoh terminal

Hardening the communication between the Terminal Server (TS) and the Ricoh terminal requires terminal version 1.0.9 or later.

Enable the secure configuration on Terminal Server

To enable the secure configuration on Terminal Server, follow the steps in Configuring secured connection between terminals and Terminal Server.
If you want to keep the default Terminal Server certificate (issued by the supplied, generated CA), export the CA certificate from the server keystore with the following command:

openssl pkcs12 -in .\SafeQTerminalServer.pfx -cacerts -nokeys -out ca.cer

The default keystore has no password, so leave the import password empty when openssl prompts for it.

Add the CA certificate to the application truststore

  1. Extract the truststore file from the 320400101.zip zipfile of the Ricoh application (by default, it is stored in {TERMINAL_SERVER_FOLDER}\Apps\Ricoh).

  2. Add the new CA to that truststore file using the keytool from Java 1.7. The Java 1.7 keytool is required because a newer version could change the format of the truststore. Example:

     keytool -import -alias ca -file ca.cer -keystore truststore -storetype jks -storepass changeit

  3. Extract the SafeQEmbeddedTerminalXlet.dalp file from the zipfile.

  4. In the <application-desc>...</application-desc> section of the SafeQEmbeddedTerminalXlet.dalp file, change the value of enableServerCertificateValidation to true, so that the argument reads:

     <argument>enableServerCertificateValidation=true</argument>

  5. Add the SafeQEmbeddedTerminalXlet.dalp file back to the zipfile.

  6. Add the truststore file back to the zipfile.

  7. Install the Ricoh app into the MFD.
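The CA export above and steps 1 to 6 of the repackaging procedure, collected into one script as an added example; this is not code from the article or from the SafeQ/Ricoh product. It assumes that openssl, unzip, zip, sed and a Java 1.7 keytool are on PATH, that the archive keeps the truststore and SafeQEmbeddedTerminalXlet.dalp at its top level under the names used in the article, and it adds `-passin pass:` (empty keystore password) and `-noprompt` to the page's openssl and keytool commands so the script can run unattended. The sample .dalp file written by write_sample_dalp is constructed for offline testing and is not a real Ricoh file.

```shell
#!/bin/sh
# Added example (not from the original article): exports the CA from the default
# Terminal Server keystore and repackages the Ricoh application archive with the
# CA in its truststore and server certificate validation enabled.
# Assumptions: openssl, unzip, zip, sed and a Java 1.7 keytool are available, and
# the archive stores "truststore" and the .dalp file at its top level.
set -eu

DALP=SafeQEmbeddedTerminalXlet.dalp
ARG='<argument>enableServerCertificateValidation=true</argument>'

# Export the CA certificate(s) from the server keystore. The default keystore has
# no password, so an empty one is supplied instead of answering the prompt.
export_ca() { # $1 = SafeQTerminalServer.pfx, $2 = output ca.cer
  openssl pkcs12 -in "$1" -cacerts -nokeys -out "$2" -passin pass:
}

# Import the CA into the application truststore. $3 must point at the Java 1.7
# keytool, because a newer keytool could change the truststore format.
import_ca() { # $1 = truststore, $2 = ca.cer, $3 = path to keytool
  "$3" -import -noprompt -alias ca -file "$2" -keystore "$1" -storetype jks -storepass changeit
}

# Set enableServerCertificateValidation=true in a .dalp file: replace the value if
# the argument exists, otherwise add it at the end of <application-desc>.
enable_cert_validation() { # $1 = path to the .dalp file
  if grep -q 'enableServerCertificateValidation=' "$1"; then
    sed -i.bak "s#<argument>enableServerCertificateValidation=[^<]*</argument>#$ARG#" "$1"
  else
    sed -i.bak "s#</application-desc>#$ARG</application-desc>#" "$1"
  fi
  rm -f "$1.bak"
}

# Succeeds only when the file carries exactly one validation argument, set to true.
cert_validation_enabled() { # $1 = path to the .dalp file
  [ "$(grep -c 'enableServerCertificateValidation=' "$1")" -eq 1 ] && grep -q "$ARG" "$1"
}

# Steps 1 to 6: extract the two files, update them and put them back into the archive.
harden_app_zip() { # $1 = 320400101.zip, $2 = ca.cer, $3 = path to keytool
  zip_abs=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
  work=$(mktemp -d)
  unzip -q "$zip_abs" truststore "$DALP" -d "$work"
  import_ca "$work/truststore" "$2" "$3"
  enable_cert_validation "$work/$DALP"
  cert_validation_enabled "$work/$DALP"
  (cd "$work" && zip -q "$zip_abs" truststore "$DALP")  # replaces both entries in the archive
  rm -rf "$work"
  echo "updated $zip_abs; install it on the MFD (step 7)"
}

# Constructed sample .dalp (not a real Ricoh file) used to exercise the edit offline.
write_sample_dalp() { # $1 = output path, $2 = "with" or "without" the validation argument
  {
    echo '<?xml version="1.0" encoding="UTF-8"?>'
    echo '<dalp>'
    echo '  <application-desc>'
    if [ "$2" = with ]; then
      echo '    <argument>enableServerCertificateValidation=false</argument>'
    fi
    echo '  </application-desc>'
    echo '</dalp>'
  } > "$1"
}

# Usage: ./harden_ricoh.sh SafeQTerminalServer.pfx 320400101.zip /path/to/jdk1.7/bin/keytool
if [ $# -eq 3 ]; then
  export_ca "$1" ca.cer
  harden_app_zip "$2" ca.cer "$3"
fi
```

The truststore is only ever modified through keytool, so the JKS format stays whatever the Java 1.7 tool writes; the .dalp edit is a plain text substitution, and cert_validation_enabled is run before the archive is rebuilt so a file that does not contain the expected argument stops the script instead of producing an app that silently skips validation.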

Additional security information

The SRET application uses the TLS version that is configured as the default in the JVM.

Troubleshooting

Logging has been enhanced: if a problem occurs while configuring the communication, it should be visible in the device logs, which can be accessed through the SRET configuration servlet at "http://{device_ip}:8080/sqet/Login".