Setting secured communication with Spooler Controller
Communication with Spooler Controller is not secured by default. To start encrypted and authenticated communication, security needs to be enabled and certificates properly set on all of the following components (those that are used). All sides need to be configured with the same security settings: if one side is set to secure communication and the others are not, the communication does not work.
This guide covers security settings for all the following components:
To improve performance, the key agreement is not performed for each message, but once per configured period instead. This period can be set in the sessionLifeTimeMinutes system property in the Dispatcher Paragon web interface (Advanced option).
CA-signed certificate requirements for Spooler Controller and End User Interface
- The certificate must be signed by a certification authority trusted in your environment.
- The certificate (fields Common Name and Subject Alternative Name) must contain all network names (i.e. all hostnames, fully qualified domain names and IP addresses) used for connection to the respective server.
- For importing the certificate you need it in an appropriate format - a Java Keystore (.jks file) containing the private key and the whole certificate chain.
- Both the keystore and the key itself need to be protected by a password.
- You will also need a truststore, a file containing the certificate of the root certification authority, again in the Java Keystore (.jks) format.
In case your key/certificate is in a different format than Java Keystore, convert it following the guide in Conversions between different keystores and certificate types.
In case you do not have a key/certificate at all, follow the guide in the Generating key/certificate in Java Keystore format chapter in System communication hardening.
CA-signed certificate requirements for FlexiSpooler, Mobile Print Server, Workflow Processing System and Mobile Integration Gateway
- The certificate must be signed by a certification authority trusted in your environment.
- The certificate (fields Common Name and Subject Alternative Name) must contain all network names (i.e. all hostnames, fully qualified domain names and IP addresses) used for connection to the respective server.
- For importing the certificate you need it in an appropriate format - a Personal Information Exchange (.pfx file) containing the private key and the whole certificate chain.
- It must be created using the Microsoft Enhanced RSA and AES Cryptographic Provider.
In case your key/certificate is in a different format than Personal Information Exchange, you can convert it following the guide in Conversions between different keystores and certificate types.
In case you do not have a key/certificate at all, follow the guide in the Generating key/certificate in Personal Information Exchange format chapter in System communication hardening.
Spooler Controller settings
The following settings apply in both cases, whether Spooler Controller acts as a server or as a client. To enable security, follow the steps below.
- Stop the Dispatcher Paragon Spooler Controller service.
- Enable encrypted communication with Spooler Controller. In the Management web interface go to System Configuration and under Expert options find the parameter usePlainCommunicationForOrsSubsystems and set it to Disabled.
- Copy your key/certificate and the certificate of the root certification authority, both in the Java Keystore format, to the server where the Spooler Controller is installed.
- Set the following properties in the <spoc_folder>\conf\ymq_config.properties file (usually C:\DispatcherParagon\SPOC\conf\ymq_config.properties):
  keyStorePath=absolute/path/to/your/keystore.jks
  keyStorePassword=keystoreprotectingpassword
  keyStoreAlias=safeq
  keyStoreAliasPassword=keyprotectingpassword
  trustStorePath=absolute/path/to/your/truststore.jks
  trustStorePassword=truststoreprotectingpassword
  ellipticCurve=secp256r1
  certificateValidationMode=VALIDATE_CERTIFICATE
  The certificateValidationMode property is currently mandatory. The recommended value is VALIDATE_CERTIFICATE, which means everything is validated, including the server hostname. If you have problems with hostname verification (wrong or missing IP address in the SAN field of the server certificate), you may select the IGNORE_HOSTNAME value. This option is taken into account only if this Spooler Controller acts as a client (a server always ignores the client's hostname).
- If Spooler Controller groups are used for job roaming, add the following line in the Java Additional Parameters section of the <spoc_folder>\bin\wrapper.conf file (use the real number instead of N, based on the number of additional parameters already present, and the real path instead of <spoc_folder>):
  wrapper.java.additional.N = -Dymq_config.properties=<spoc_folder>\bin\ymq_config.properties
- Start the Dispatcher Paragon Spooler Controller service.
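A small check for the ymq_config.properties settings listed above, added here as an example (it is not part of Dispatcher Paragon). It uses the property names from this guide; the sample file content is constructed, and the parser is a deliberately minimal .properties reader.

```python
"""Check a Spooler Controller ymq_config.properties for the security settings
described in the guide. Example code, not part of the product; the sample file
content below is constructed."""

REQUIRED = (
    "keyStorePath", "keyStorePassword", "keyStoreAlias", "keyStoreAliasPassword",
    "trustStorePath", "trustStorePassword", "ellipticCurve", "certificateValidationMode",
)
VALID_MODES = ("VALIDATE_CERTIFICATE", "IGNORE_HOSTNAME")


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_ymq_config(text):
    """Return a list of findings; an empty list means the file matches the guide."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"missing or empty property: {key}")
    for key in ("keyStorePath", "trustStorePath"):
        if props.get(key) and not props[key].lower().endswith(".jks"):
            findings.append(f"{key} must point to a Java Keystore (.jks) file")
    mode = props.get("certificateValidationMode")
    if mode and mode not in VALID_MODES:
        findings.append(f"unknown certificateValidationMode: {mode}")
    elif mode == "IGNORE_HOSTNAME":
        findings.append("hostname verification is off (IGNORE_HOSTNAME); "
                        "fix the SAN of the server certificate instead")
    return findings


# Constructed sample mirroring the guide's property list (not a real deployment).
SAMPLE_OK = """\
keyStorePath=absolute/path/to/your/keystore.jks
keyStorePassword=keystoreprotectingpassword
keyStoreAlias=safeq
keyStoreAliasPassword=keyprotectingpassword
trustStorePath=absolute/path/to/your/truststore.jks
trustStorePassword=truststoreprotectingpassword
ellipticCurve=secp256r1
certificateValidationMode=VALIDATE_CERTIFICATE
"""

if __name__ == "__main__":
    for line in check_ymq_config(SAMPLE_OK) or ["OK: configuration matches the guide"]:
        print(line)
```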
End User Interface settings
Follow the steps below to set up a secure connection from the End User Interface to a Spooler Controller that is set to communicate securely.
- Stop the Dispatcher Paragon End User Interface service.
- Copy your key/certificate and the certificate of the root certification authority, both in the Java Keystore format, to the server where EUI is installed.
- Set the following properties in the <eui_folder>\ui-conf\environment-configuration.properties file (usually C:\DispatcherParagon\SPOC\EUI\ui-conf\environment-configuration.properties):
  messagingContext.secureMechanism=secured-messaging-context
  messagingContext.keyStorePath=absolute/path/to/your/keystore.jks
  messagingContext.keyStorePassword=keystoreprotectingpassword
  messagingContext.keyStoreAlias=safeq
  messagingContext.keyStoreAliasPassword=keyprotectingpassword
  messagingContext.trustStorePath=absolute/path/to/your/truststore.jks
  messagingContext.trustStorePassword=truststoreprotectingpassword
  messagingContext.ellipticCurve=secp256r1
  messagingContext.encryptionKeyLength=16
  There is one additional property which you can set:
  messagingContext.certificateValidationMode - the default value is IGNORE_HOSTNAME. You should select the VALIDATE_CERTIFICATE value unless you have problems with hostname verification (wrong or missing IP address in the SAN field of the SPOC certificate). The VALIDATE_CERTIFICATE value means that everything is validated, including the server hostname.
- Start the Dispatcher Paragon End User Interface service.
FlexiSpooler settings
- Stop the Dispatcher Paragon FlexiSpooler service.
- Copy your key/certificate in the Personal Information Exchange format to the server where the FlexiSpooler is installed.
- Import the key with the signed certificate into the Windows Certificate store.
  In Windows Server 2012 use the following command:
  certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "My" "dispatcherparagoncertificate.pfx"
  In Windows Server 2008 use the following command:
  certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "dispatcherparagoncertificate.pfx"
- If you have not installed your Root CA as a trusted authority yet, do it following the guide in the chapter Installing your Root CA to truststores of SafeQ machines - Windows Certificate Store in System communication hardening.
- Set the following properties in the <fsp_folder>\Service\spooler.config file (usually C:\DispatcherParagon\FSP\Service\spooler.config):
  "CertificateThumbprint":"000102030405060708090a0b0c0d0e0f10111213","encryption":"Aes128"
  The value is the thumbprint (SHA1 hash) of a certificate stored in the Windows certificate store, in the Local Computer \ Personal folder. You can obtain the thumbprint by opening the certificate (.cer or .crt) file in Windows; in the Details tab you can find the Thumbprint field. Remove the spaces and make sure there are no invisible characters when copying the value from the window (the dialog adds an invisible character at the beginning!).
  In case you have problems with hostname verification (wrong or missing IP address in the SAN field of the SPOC certificate), you may turn off hostname verification by using the value ValidateServerCertificateHost ("ValidateServerCertificateHost":"false") in the spooler.config file. This is, however, not recommended. If you do not specify it, the default value is true.
- Start the Dispatcher Paragon FlexiSpooler service.
Mobile Print Server settings
- Stop the Dispatcher Paragon Mobile Print Server service.
- Copy your key/certificate in the Personal Information Exchange format to the server where the Mobile Print Server is installed.
- Import the key with the signed certificate into the Windows Certificate store.
  In Windows Server 2012 use the following command:
  certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "My" "dispatcherparagoncertificate.pfx"
  In Windows Server 2008 use the following command:
  certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "dispatcherparagoncertificate.pfx"
- If you have not installed your Root CA as a trusted authority yet, do it following the guide in the chapter Installing your Root CA to truststores of SafeQ machines - Windows Certificate Store in System communication hardening.
- In the <mps_folder>\Service\conf\mps.config file (usually C:\DispatcherParagon\MPS\Service\conf\mps.config) edit the following tag so that it contains the certificate thumbprint (hash) and the encryption type:
  <communicator connectionLostTimeout="4000" controllerPort="5555" certificateThumbprint="000102030405060708090a0b0c0d0e0f10111213" encryption="Aes128" />
  The value is the thumbprint (SHA1 hash) of a certificate stored in the Windows certificate store, in the Local Computer \ Personal folder. You can obtain the thumbprint by opening the certificate (.cer or .crt) file in Windows; in the Details tab you can find the Thumbprint field. Remove the spaces and make sure there are no invisible characters when copying the value from the window (the dialog adds an invisible character at the beginning!).
  In case you have problems with hostname verification (wrong or missing IP address in the SAN field of the Spooler Controller certificate), you may turn off hostname verification by using the attribute ValidateServerCertificateHost (ValidateServerCertificateHost="false") in the communicator tag above. This is, however, not recommended. If you do not specify it, the default value is true.
- Start the Dispatcher Paragon Mobile Print Server service.
Workflow Processing System settings
- Stop the Dispatcher Paragon Workflow Processing System service.
- Copy your key/certificate in the Personal Information Exchange format to the server where the Workflow Processing System is installed.
- Import the key with the signed certificate into the Windows Certificate store.
  In Windows Server 2012 use the following command:
  certutil.exe -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "My" "dispatcherparagoncertificate.pfx"
  In Windows Server 2008 use the following command:
  certutil.exe -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "dispatcherparagoncertificate.pfx"
- If you have not installed your Root CA as a trusted authority yet, do it following the guide in the chapter Installing your Root CA to truststores of SafeQ machines - Windows Certificate Store in System communication hardening.
- In the <wps_folder>\WpsService.exe.config file (usually C:\DispatcherParagon\WPS\WpsService.exe.config) add the following keys, where the value of the certificateThumbprint key is set to the client certificate thumbprint (hash):
  <add key="certificateThumbprint" value="000102030405060708090a0b0c0d0e0f10111213" />
  <add key="ymqEncryption" value="Aes128" />
  The value is the thumbprint (SHA1 hash) of a certificate stored in the Windows certificate store, in the Local Computer \ Personal folder. You can obtain the thumbprint by opening the certificate (.cer or .crt) file in Windows; in the Details tab you can find the Thumbprint field. Remove the spaces and make sure there are no invisible characters when copying the value from the window (the dialog adds an invisible character at the beginning!).
  In case you have problems with hostname verification (wrong or missing IP address in the SAN field of the Spooler Controller certificate), you may turn off hostname verification by using the key validateServerCertificateHost (<add key="validateServerCertificateHost" value="false" />) in the WpsService.exe.config file. This is, however, not recommended. If you do not specify it, the default value is true. If the validation is enabled, Workflow Processing System checks that the CN specified in the certificate matches the Spooler Controller server address specified in the configuration file.
- Start the Dispatcher Paragon Workflow Processing System service.
Terminal Server settings
Once Workflow Processing System is set for secure communication, its endpoint is accessible only via an HTTPS address. You need to set this address in the Terminal Server configuration, together with a valid certificate.
In case you have problems with hostname verification (wrong or missing IP address in the SAN field of the Workflow Processing System certificate), you may turn off hostname verification by using the key validateServerCertificateHost (<add key="validateServerCertificateHost" value="false" />) in the <spoc_folder>\terminalserver\TerminalServer.exe.config file (usually C:\DispatcherParagon\SPOC\terminalserver\TerminalServer.exe.config). This is, however, not recommended. If you do not specify it, the default value is true. If the validation is enabled, Terminal Server checks that the CN specified in the certificate matches the Workflow Processing System server address specified in the configuration file.
Mobile Integration Gateway settings
- Stop the YSoft Mobile Integration Gateway service.
- Copy your key/certificate in the Personal Information Exchange format to the server where the Mobile Integration Gateway is installed.
- Import the key with the signed certificate into the Windows Certificate store.
  In Windows Server 2012 use the following command:
  certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "My" "dispatcherparagoncertificate.pfx"
  In Windows Server 2008 use the following command:
  certutil.exe -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importpfx "dispatcherparagoncertificate.pfx"
- If you have not installed your Root CA as a trusted authority yet, do it following the guide in the chapter Installing your Root CA to truststores of SafeQ machines - Windows Certificate Store in System communication hardening.
- In the <mig_folder>\bin\MigService.exe.config file (usually C:\DispatcherParagon\MIG\bin\MigService.exe.config) add the following key with its value set to the client certificate thumbprint (hash):
  <add key="certificate-hash" value="000102030405060708090a0b0c0d0e0f10111213" />
  The value is the thumbprint (SHA1 hash) of a certificate stored in the Windows certificate store, in the Local Computer \ Personal folder. You can obtain the thumbprint by opening the certificate (.cer or .crt) file in Windows; in the Details tab you can find the Thumbprint field. Remove the spaces and make sure there are no invisible characters when copying the value from the window (the dialog adds an invisible character at the beginning!).
- Start the YSoft Mobile Integration Gateway service.
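The thumbprint steps in the FlexiSpooler, Mobile Print Server, Workflow Processing System and Mobile Integration Gateway sections all warn about spaces and the invisible character that the Windows certificate dialog copies along with the value. The following is an added example (not part of Dispatcher Paragon) that normalises such a pasted value, rejects anything that is not a 40-hex-digit SHA-1 thumbprint, and shows how a thumbprint can be recomputed from a certificate's DER bytes for comparison; the pasted sample and the DER bytes are constructed.

```python
"""Normalise a certificate thumbprint pasted from the Windows certificate Details tab
and verify it is usable in the config files. Example code, not part of the product;
the sample values are constructed."""
import hashlib
import unicodedata


def sanitize_thumbprint(copied):
    """Drop spaces and invisible format characters (Unicode category Cf, e.g. the
    U+200E mark the dialog prepends) and return the 40 lowercase hex digits the config
    files expect. Raise if what remains is not a SHA-1 thumbprint."""
    value = "".join(
        ch.lower() for ch in copied
        if not ch.isspace() and unicodedata.category(ch) != "Cf"
    )
    if len(value) != 40 or any(ch not in "0123456789abcdef" for ch in value):
        raise ValueError(f"not a SHA-1 thumbprint (40 hex digits expected): {value!r}")
    return value


def thumbprint_of_der(der_bytes):
    """A thumbprint is the SHA-1 over the certificate's DER encoding, so the value in
    a .cer file can be recomputed and compared with what was pasted."""
    return hashlib.sha1(der_bytes).hexdigest()


def spooler_config_settings(copied):
    """Build the two FlexiSpooler spooler.config settings from a pasted thumbprint."""
    return {"CertificateThumbprint": sanitize_thumbprint(copied), "encryption": "Aes128"}


if __name__ == "__main__":
    # Constructed: a paste from the Details tab, with a leading invisible U+200E mark
    # and a space between each byte.
    pasted = "\u200e00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13"
    print(spooler_config_settings(pasted))
```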