How to harden the communication with Ricoh terminal
In order to harden the communication between Terminal Server (TS) and Ricoh's terminal, terminal version 1.0.9 or higher is needed.
Enable the secure configuration on Terminal Server
In order to enable the secure configuration on Terminal Server, follow the steps specified in Configuring secured connection between terminals and Terminal Server.
If you want to keep the already supplied generated CA so that the default Terminal Server certificate can be used, export the CA certificate from the default keystore with the following command:
openssl pkcs12 -in .\SafeQTerminalServer.pfx -cacerts -nokeys -out ca.cer
The default keystore has no password.
Add the truststore to the app certificate store
Extract the truststore file from the 320400101.zip file of the Ricoh application (by default, it is stored in {TERMINAL_SERVER_FOLDER}\Apps\Ricoh).
Add the new CA into that truststore file using the keytool from Java 1.7. The Java 1.7 keytool is required because a newer version could write the truststore in a different format.
EXAMPLE: keytool -import -alias ca -file ca.cer -keystore truststore -storetype jks -storepass changeit
Extract the SafeQEmbeddedTerminalXlet.dalp file from the zip file.
Change the value of enableServerCertificateValidation to true in the <application-desc>...</application-desc> section of the SafeQEmbeddedTerminalXlet.dalp file, so that the argument reads as follows:
<argument>enableServerCertificateValidation=true</argument>
Add the SafeQEmbeddedTerminalXlet.dalp file back to the zip file.
Add the truststore file back to the zip file.
Install the Ricoh app into the MFD.
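The repackaging steps above (import the CA into the bundled truststore, flip the dalp argument, rebuild the zip), as an added script that is not YSoft's tooling. It assumes the truststore and SafeQEmbeddedTerminalXlet.dalp sit at the root of the zip and that keytool (from Java 1.7) is on PATH or passed in; the demo at the end uses a constructed stand-in zip with fake truststore bytes and skips the keytool step.

```python
import re
import subprocess
import tempfile
import zipfile
from pathlib import Path

DALP_NAME = "SafeQEmbeddedTerminalXlet.dalp"
TRUSTSTORE_NAME = "truststore"
FLAG_RE = re.compile(r"<argument>enableServerCertificateValidation=(true|false)</argument>")

def enable_cert_validation(dalp_text):
    """Set the flag to true; fail if it is missing or duplicated so an unvalidated build is never packaged."""
    new_text, count = FLAG_RE.subn("<argument>enableServerCertificateValidation=true</argument>", dalp_text)
    if count != 1:
        raise ValueError("expected one enableServerCertificateValidation argument, found %d" % count)
    return new_text

def import_ca(truststore, ca_cert, keytool="keytool", storepass="changeit"):
    """The keytool import from the page; keytool must come from Java 1.7 (JKS format)."""
    subprocess.run([keytool, "-import", "-noprompt", "-alias", "ca", "-file", str(ca_cert), "-keystore",
                    str(truststore), "-storetype", "jks", "-storepass", storepass], check=True)

def harden_app_zip(src_zip, dst_zip, ca_cert=None, keytool="keytool"):
    """Write dst_zip as src_zip with the dalp flag enabled and, if ca_cert is given, the CA imported."""
    with zipfile.ZipFile(src_zip) as zin:
        members = {i.filename: zin.read(i) for i in zin.infolist()}  # all members kept in memory
    if DALP_NAME not in members or TRUSTSTORE_NAME not in members:
        raise KeyError("%s must contain %s and %s at its root" % (src_zip, DALP_NAME, TRUSTSTORE_NAME))
    members[DALP_NAME] = enable_cert_validation(members[DALP_NAME].decode("utf-8")).encode("utf-8")
    if ca_cert is not None:  # keytool works on files, so round-trip the truststore through a temp dir
        with tempfile.TemporaryDirectory() as tmp:
            ts = Path(tmp) / TRUSTSTORE_NAME
            ts.write_bytes(members[TRUSTSTORE_NAME])
            import_ca(ts, ca_cert, keytool)
            members[TRUSTSTORE_NAME] = ts.read_bytes()
    with zipfile.ZipFile(dst_zip, "w", zipfile.ZIP_DEFLATED) as zout:
        for name, data in members.items():  # other members (jar, etc.) are copied unchanged
            zout.writestr(name, data)
    return sorted(members)

def demo_without_keytool():
    """Constructed stand-in for 320400101.zip (fake truststore bytes); every step but the keytool import."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "320400101.zip", Path(tmp) / "320400101-hardened.zip"
        with zipfile.ZipFile(src, "w") as z:
            z.writestr(DALP_NAME, "<application-desc>\n <argument>enableServerCertificateValidation=false</argument>\n</application-desc>\n")
            z.writestr(TRUSTSTORE_NAME, b"\xfe\xed\xfe\xed\x00\x00\x00\x02")  # not a real JKS
            z.writestr("SafeQEmbeddedTerminalXlet.jar", b"PK")  # untouched member
        names = harden_app_zip(src, dst)
        with zipfile.ZipFile(dst) as z:
            return names, z.read(DALP_NAME).decode("utf-8"), z.read(TRUSTSTORE_NAME)
```

For the real package, call harden_app_zip("320400101.zip", "320400101-hardened.zip", ca_cert="ca.cer", keytool=r"C:\path\to\jdk1.7\bin\keytool.exe") and install the output on the MFD.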
Additional security information
The SRET application uses the default TLS version configured in the JVM.
Troubleshooting
Logging has been enhanced, so if there is an issue while configuring the communication, it should be visible in the device logs, which can be accessed through the SRET configuration servlet: "http://{device_ip}:8080/sqet/Login"