Setting server spooler authentication for job transfer

This communication link is encrypted by default. However, the pre-installed certificate cannot carry the correct IP address/domain name of the machine where FlexiSpooler is installed, so the clients (FlexiSpooler in client mode, Mobile Print Server, Mobile Integration Gateway) ignore it by default. To ensure a secure connection, you need to use a certificate trusted in your environment.

This guide will help you with the configuration of the secured connection (HTTPS) to the FlexiSpooler in the server mode, using a CA-signed certificate.

The certificate of your root CA must be installed on all subsystems you use for sending job data to FlexiSpooler (client Spooler, Mobile Print Server, Mobile Integration Gateway); otherwise, once certificate validation is enabled, the client will reject this communication.

CA-signed certificate requirements

  • The certificate must be signed by a certification authority trusted in your environment.

  • The certificate (Common Name and Subject Alternative Name fields) must contain all network names (i.e. all hostnames, fully qualified domain names and IP addresses) used for connecting to the FlexiSpooler in server mode.

  • For import, the certificate must be in the Personal Information Exchange format (.pfx file) containing the private key and the whole certificate chain.

If your key/certificate is in a different format than Personal Information Exchange, you can convert it by following the guide in Conversions between different keystores and certificate types.

If you do not have a key/certificate at all, follow the guide in the Generating key/certificate in Java Keystore format chapter in System communication hardening.
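The following PowerShell script is an added example and not part of the YSoft SafeQ documentation. It loads a .pfx file and checks it against the three requirements above: the private key is present, the chain builds up to a CA trusted on the machine where the script runs, and every name clients use to reach the server appears in the Common Name or Subject Alternative Name. The file path and the list of expected names are assumptions; replace them with your own values.

```powershell
# Added example (not from the YSoft SafeQ documentation).
# Checks a PFX against the certificate requirements listed above.
# The path and the expected names are placeholders; adjust them to your environment.
$PfxPath       = 'C:\Certificates\fsp.pfx'
$ExpectedNames = @('fsp01', 'fsp01.example.local', '10.0.0.25')

# Get-PfxCertificate prompts for the PFX password and returns the end-entity certificate.
$cert = Get-PfxCertificate -FilePath $PfxPath

# Requirement 1: the PFX must carry the private key, not only the public certificate.
$hasKey = $cert.HasPrivateKey

# Requirement 2: the chain must build up to a CA trusted on this machine.
# Revocation checking is disabled so the check also works offline; an untrusted root,
# an expired certificate or a missing intermediate still makes Build() return $false.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk     = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

# Requirement 3: every hostname, FQDN and IP address used by clients must appear in the
# Common Name or in the Subject Alternative Name extension (OID 2.5.29.17).
$names = New-Object System.Collections.Generic.List[string]
if ($cert.Subject -match 'CN=([^,]+)') { $names.Add($Matches[1].Trim()) }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($false) renders the extension as "DNS Name=a, DNS Name=b, IP Address=c".
    foreach ($entry in ($san.Format($false) -split ',\s*')) {
        $names.Add((($entry -split '=', 2)[1]).Trim())
    }
}
$missing = $ExpectedNames | Where-Object { $names -notcontains $_ }

[PSCustomObject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $hasKey
    ChainTrusted  = $chainOk
    ChainStatus   = $chainStatus
    NamesInCert   = ($names -join ', ')
    MissingNames  = ($missing -join ', ')
} | Format-List
```

Run it on the server where FlexiSpooler is installed, since the chain check uses that machine's trusted root store. An empty MissingNames and ChainTrusted set to True means the certificate satisfies the list above; any name in MissingNames would later surface as a name-mismatch error on the clients.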

Configuring Server FlexiSpooler to use secure communication channel

In the <fsp_folder>\Service\spooler.config (usually C:\SafeQ6\FSP\Service\spooler.config) configuration file, specify the certificate source by adding or modifying the configuration option dsCertificateSource. This option has three possible values (all case-insensitive):

  • Default - default certificate provided with YSoft SafeQ

  • WindowsCertStore - finds certificate in Windows Certificate Store

  • FileSystem - tries to find certificate on local or network storage

Windows Certificate Store

  1. Stop the YSoft SafeQ FlexiSpooler service.

  2. Copy your key/certificate in the Personal Information Exchange format to the server where the FlexiSpooler is installed.

  3. Import the key with signed certificate to Windows Certificate store.
    In Windows Server 2012 use the following command:

    certutil.exe -importpfx "My" "safeqcertificate.pfx"

    In Windows Server 2008 use the following command:

    certutil.exe -importpfx "safeqcertificate.pfx"

  4. In the <fsp_folder>\Service\spooler.config (usually C:\SafeQ6\FSP\Service\spooler.config) configuration file add or modify the following configuration options:

    "dsCertificateSource":"windowscertstore",
    "dsCertificateStore":"my",
    "dsCertificateStoreIdentifier":"000102030405060708090a0b0c0d0e0f10111213"

    The configuration option dsCertificateStoreIdentifier specifies the certificate within the selected certificate store. The certificate can be specified either by its name (the value entered in the Common Name (CN) field when generating the certificate signing request) or by its unique thumbprint, which can be obtained by double-clicking the certificate and browsing the Details tab for the Thumbprint field. If you copy the thumbprint from that window, remove the spaces and make sure there are no invisible characters (the dialog adds an invisible character at the beginning!).

  5. Start the YSoft SafeQ FlexiSpooler service.
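The PowerShell below is an added example, not part of the YSoft SafeQ documentation. It reads thumbprints directly from the machine store, which avoids the copy-from-dialog problem described in step 4, and provides a helper that cleans a pasted thumbprint (spaces and the invisible leading character) before it is used as dsCertificateStoreIdentifier. The store path assumes the certificate was imported with certutil without the -user switch, i.e. into the LocalMachine "My" store; the sample pasted value is constructed from the thumbprint shown in step 4.

```powershell
# Added example (not from the YSoft SafeQ documentation).
# Lists the candidate certificates and cleans a thumbprint copied from the certificate dialog.

# certutil -importpfx without -user places the certificate in the machine "My" store.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object Subject, NotAfter, HasPrivateKey, Thumbprint

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Value)
    # Keep hexadecimal digits only. This drops the spaces between byte pairs as well as the
    # invisible formatting character the certificate dialog prepends to a copied thumbprint.
    $clean = ($Value -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($clean.Length -ne 40) {
        throw "A SHA-1 thumbprint has 40 hex characters; got $($clean.Length) after cleaning '$Value'"
    }
    return $clean
}

# Constructed sample: the thumbprint from step 4 as it looks when pasted from the dialog,
# with spaces and a leading invisible U+200E character.
$pasted     = "$([char]0x200E)00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13"
$identifier = ConvertTo-CleanThumbprint -Value $pasted
"dsCertificateStoreIdentifier value: $identifier"

# Confirm the identifier resolves to a certificate in the store and that it carries a private key;
# FlexiSpooler cannot terminate TLS with a certificate that has no key.
$match = Get-ChildItem -Path "Cert:\LocalMachine\My\$identifier" -ErrorAction SilentlyContinue
if (-not $match) {
    Write-Warning "No certificate with thumbprint $identifier in LocalMachine\My"
}
elseif (-not $match.HasPrivateKey) {
    Write-Warning "Certificate found but its private key is missing"
}
else {
    "OK: $($match.Subject) expires $($match.NotAfter)"
}
```

Paste the cleaned value into dsCertificateStoreIdentifier exactly as printed; the store lookup at the end is the same lookup the service has to perform at start-up, so a warning here means the service would not find its certificate either.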

File system

  1. Stop the YSoft SafeQ FlexiSpooler service.

  2. Copy your key/certificate in the Personal Information Exchange format to the server where the FlexiSpooler is installed.

  3. In the <fsp_folder>\Service\spooler.config (usually C:\SafeQ6\FSP\Service\spooler.config) configuration file add or modify the following configuration options:

    "dsCertificateSource":"filesystem",
    "dsCertificateFileSource":"absolute\path\to\your\certificate.pfx"

    FlexiSpooler loads the certificate from the file system. This certificate is automatically installed into the Windows Certificate Store specified by the configuration option dsCertificateStore.

    To specify the location of the file on a local disk or network storage, the configuration option dsCertificateFileSource must be provided. The path to the certificate can be specified as follows:

    • Full path to the certificate file - e.g. C:\Certificates\fsp.pfx

    • Directory containing the certificate - e.g. C:\Certificates; the first .pfx file found in this directory is used

  4. Start the YSoft SafeQ FlexiSpooler service.

Client FlexiSpooler settings

In the <fsp_folder>\Service\spooler.config (usually C:\SafeQ6\FSP\Service\spooler.config) configuration file set the following property to validate the server certificate:

"IgnoreCertificateChainError":"false"

Mobile Print Server settings

In the <mps_folder>\Service\conf\mps.config (usually C:\SafeQ6\MPS\Service\conf\mps.config) configuration file set the following property to validate the server certificate:

<mps>
<http ignoreCertificateChainErrors="false" />
...
</mps>

Mobile Integration Gateway settings

In the <mig_folder>\bin\MigService.exe.config file (usually C:\SafeQ6\MIG\bin\MigService.exe.config) edit the following key to enable certificate validation:

<add key="validate-spooler-certificate" value="T" />
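The following PowerShell function is an added example and not part of the YSoft SafeQ documentation. It performs a TLS handshake with the server FlexiSpooler and reports the validation outcome a client would see once chain errors are no longer ignored, without yet changing any client setting. The host names and the port are placeholders; use the names your clients are configured with and the HTTPS port your server FlexiSpooler listens on.

```powershell
# Added example (not from the YSoft SafeQ documentation).
# Connects to the server FlexiSpooler over TLS and reports how its certificate validates
# on this machine, i.e. what a client will enforce after IgnoreCertificateChainError is false.
function Test-SpoolerCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port
    )
    $script:sslPolicyErrors = $null
    # Record the validation result instead of failing the handshake, so the presented
    # certificate can still be inspected even when it would be rejected.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslErrors)
        $script:sslPolicyErrors = $sslErrors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is what the name check compares against the CN/SAN,
        # exactly like the name a client has in its configuration.
        $ssl.AuthenticateAsClient($HostName)
        $remote  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san     = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '(none)' }
        [PSCustomObject]@{
            Server          = "$HostName`:$Port"
            Subject         = $remote.Subject
            Issuer          = $remote.Issuer
            Thumbprint      = $remote.Thumbprint
            NotAfter        = $remote.NotAfter
            SubjectAltNames = $sanText
            # None: the client-side validation would pass.
            # RemoteCertificateNameMismatch: the name used is not in the CN/SAN.
            # RemoteCertificateChainErrors: the issuing CA is not trusted here (root CA not installed).
            PolicyErrors    = $script:sslPolicyErrors
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Placeholders: the names clients use to reach the server and the server's HTTPS port.
$SpoolerPort = 443
foreach ($name in @('fsp01', 'fsp01.example.local', '10.0.0.25')) {
    Test-SpoolerCertificate -HostName $name -Port $SpoolerPort
}
```

Run it from each client machine (client FlexiSpooler, Mobile Print Server, Mobile Integration Gateway host), once per name that client uses. PolicyErrors must be None for every name before you switch the client settings above; a chain error points at a missing root CA on that client, a name mismatch at a name missing from the server certificate.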

Notes

This setting provides server verification only. Without verification of the client, anyone on the internal network is able to call and use the FlexiSpooler web API. Find more in YSoft SafeQ FlexiSpooler Security considerations v6.0.38.