Manuals+

Xerox® Smart Card Installation Guide

Version 2.0, December 2012

Introduction

The Xerox Smart Card solution offers advanced security for sensitive information, allowing organizations to restrict access to Xerox device walk-up features like copy, scan, email, and fax. It utilizes a two-factor identification process: inserting an access card and entering a Personal Identification Number (PIN). This enhances security, especially if a card is lost or stolen. Once validated, users are logged into the Xerox device for all walk-up features, with actions tracked for added security. The Smart Card enablement kit integrates with Xerox multifunction printers and existing smart and personal identity verification cards and readers.

This guide details the installation and configuration of the Smart Card solution, outlining the necessary resources and equipment.

For further information, contact your Local Xerox Representative.

Compatibility

This solution is compatible with the following configuration:

Configuration Software Level CAC PIV .NET
ColorQube™ 8700 and ColorQube ™ 8900 071.160.222.26600 or lower Yes Yes Yes

Note: If your System Software Version is 071.160.222.26601 or higher, refer to the Xerox Smart Card Installation and Configuration Guide for Xerox ColorQube™ 8700/8900 with System Software Version 071.160.222.26601 or higher.

  • To identify the software level on your machine, press the Machine Status button on the control panel. The System Software Version number is displayed.

Card Readers and Card Types

Supported Card Readers

The customer is responsible for providing a compatible card reader for each Xerox device. Compatible readers include:

  • Gemplus GemPC USB SL
  • Gemplus GEMPC Twin
  • SCM Micro SCR3310
  • SCM Micro SCR3311
  • OmniKey Cardman 3021 USB
  • OmniKey Cardman 3121 USB
  • ActivCard USB Reader V2 with SCR-331 firmware
  • Cherry ST1044U

Other CCID compliant readers may function but have not been validated.

Supported Card Types

The customer is also responsible for purchasing and configuring access cards. Supported card types include:

  • CAC
  • PIV & PIV II
  • Gemalto.NET

Other card types may function but have not been validated.

Additional information from your System Administrator may be required to validate card reader compatibility within your environment.

Note: Information about CCID compliant card types can be found on various websites, such as www.pcsclite.alioth.debian.org/ccid. This site is not a Xerox website and is not endorsed by Xerox.

Documentation and Support

For information specific to your Xerox product, the following resources are available:

  • System Administrator Guide: Provides detailed instructions and information about connecting your device to the network and installing optional features. Intended for System/Machine Administrators.
  • User Guide: Provides detailed information about all features and functions on the device. Intended for general users.

Most questions can be answered by the support documentation supplied on disc with your product. Alternatively, contact the Xerox Support Center or visit the Xerox website at www.xerox.com.

Preparation

This section outlines the preparation and resources required to install the Smart Card Reader. Installation typically takes approximately one hour per device.

The following items are required for installation:

Item Supplier
Compatible Card Reader (refer to Supported Card Readers on page 6) Customer
Compatible Access Card (refer to Supported Card Types on page 6) Customer
Smart Card enablement kit 498K17546 (one for each Xerox device) Xerox
Feature Enable Key Xerox
TCP/IP enabled on the device Customer
DNS Host name or static IP address assigned Customer
Network Settings to be checked to ensure network is fully functional Customer
Domain Controller (DC) information:
  • Domain Controller authentication environment
  • IP address or Host Name
  • Domain information
  • Domain Controller Root and Intermediate certificates
  • Check that all certificates are in 64 bit X.509 format
  • Determine if the DC is registered with the OCSP at this site
 Customer
Online Certificate Status Protocol (OCSP) Server Information:
  • OCSP Server URL
  • OCSP - Root and Intermediate Certificates
  • Check that all certificates are in 64 bit X.509 format
 Customer
Proxy Server configuration details Customer

To set up Domain Controller (DC) validation, determine if your site validates the DC against the Online Certificate Status Protocol (OCSP) server. Many sites use OCSP for individual validation but do not register the DC with it. If the Xerox device is set up to validate the DC and it isn't registered, the procedure will fail.

If your site registers the DC with OCSP, decide whether:

  • To validate the DC against OCSP before user validation, or
  • To validate the DC after user validation

The first method involves installing the DC certificate as part of the procedure and is the more accepted method for validation. The second method retrieves the DC certificate automatically for each authentication, not requiring installation on the Xerox device. An optional method combines both, comparing the retrieved DC certificate with the one stored during installation for enhanced security against rogue DCs.

Note: Certificates are typically obtained from your organization's Information Technology professionals. If you cannot obtain the required certificates, refer to Appendix A. You can determine your registered domain using the process in Appendix B.

Server Specifications

Prior to installation, ensure your network infrastructure supports Smart Card or Personal Identification Verification (PIV). Server and domain names or IP addresses are required during setup.

Electrical Requirements

The USB port on the back of the Xerox device network controller provides power for the supported card readers.

Installation

This section provides instructions for installing and configuring the Smart Card solution. There are 4 main installation procedures to follow in sequence.

  • Enabling and Configuring the Smart Card: Use the Feature Enable Key to enable Smart Card configuration.
  • Configuring the Smart Card: Enable the Smart Card function and customize settings.
  • Hardware Installation: Unpack the Smart Card Enablement kit and install the card reader device.
  • Using Smart Card: Instructions on how to use the card reader device to access device functions.

Software Enablement

Before installing the Xerox Smart Card solution, the software must be enabled on your Xerox device using Internet Services. The Feature Enable Key is provided on the inside cover of the Enablement guide within the Xerox Smart Card kit.

Follow the instructions below to enable the device software.

Note: Some steps may require the System Administration password for your device.

  1. Access Internet Services
    1. Open a web browser on your Workstation.
    2. In the URL field, enter http://[IP Address of the device]. For example: http://192.168.100.100.
    3. Press Enter to view the Home page.
  2. Access Properties
    1. Select the Properties tab.
    2. If prompted, enter the Administrator User ID and Password. The default is admin and 1111.
    3. Select the Login button.
  3. Enable the Smart Card software
    1. Select the Security link.
    2. Select the Authentication link.
    3. Select Setup in the directory tree.
    4. In the Authentication, Authorization, and Personalization area, select Edit.
    5. Set the Authentication method on the machine's touch interface (Touch UI) to Smart Cards using the drop-down menu. If the device should use the E-mail address registered to the authenticated user, select the Personalize the machine's touch interface checkbox.
    6. Select Save.
    7. In the CAC/PIV Enablement area, enter the unique Feature Enable Key from the Smart Card Enablement Guide.
    8. Select Next.
    9. A confirmation message is displayed. Select Next. The Smart Card settings are now ready for configuring.

Note: No services will be restricted until Smart Card is fully configured using Internet Services.

Configuring the Smart Card

Once the Xerox Smart Card feature is enabled, it can be configured using Internet Services.

Follow the instructions below to enable and configure the Smart Card:

  1. Access Internet Services and select Properties. Refer to Access Internet Services on page 12 for instructions.
  2. Configure the Date & Time to update automatically
    1. Select the General Setup link, then Date & Time.
    2. Select Automatic Using NTP.
    3. Verify the Time Zone is set correctly for your region.
    4. Select Apply. The device will reboot to apply changes.

Notes:

  • The sign in front of the number is important. Europe is typically plus of Greenwich Mean Time, while North America is minus. Consider Daylight Savings Time implications when selecting the Offset of Local Time Zone.
  • If Network Time Protocol is unavailable, ensure the device time matches the Domain Controller Authentication Server time. Refer to the System Administrator guide for instructions. Do not change the time on the device if using Network Time Protocol (NTP).
  1. Access the Smart Card settings
    1. Select the Authentication link.
    2. Select Setup in the directory tree.
  2. Configure the Smart Card Inactivity Timer
    1. Select Smart Card Inactivity Timer Edit... from the Configuration Settings list.
    2. Enter the Smart Card Inactivity Timer minutes required (between 1 and 120). The default is 5 minutes. If the machine is inactive for the specified period, the session will end automatically.
    3. Select Save.
  3. Enter the Domain Controller details for the authentication server.
    1. Select Domain Controller(s) Edit... from the Configuration Settings list.
    2. Select Add Domain Controller.
    3. Ensure the Domain Controller Type is configured correctly for your authentication environment.
    4. Enter the IP Address or the Domain Controller Host Name (this must be the fully qualified Host Name).
    5. Ensure Port 88 is selected unless your Kerberos Port is different.
    6. Enter the Domain (this must be the fully qualified Domain Name).
    7. Select Save.
    8. Select Close.
  4. Configure Certificate Validation
    1. Select Certificate Validation Edit... from the Configuration Settings list.

Note: Ensure the Domain Controller is configured before the next step. The default setting for registering the DC with OCSP is No. Depending on your environment, details may be case sensitive.

  • If you wish to validate the DC against OCSP after user validation: Select Yes for "Validate the certificate returned from the domain controller server against the OCSP server." Select Next. Enter the OCSP Server Service URL details.
  • If you wish to validate the DC against OCSP before user validation: Select Yes for "Validate the domain controller certificate stored on the Xerox machine against the OCSP server." Select Next. Enter the OCSP Server Service URL details.
  • If you wish to validate the email encryption certificate on the smartcard for validity on an OCSP server: Load the required certificate and select Yes for "Validate the e-mail encryption certificate from the smart card against the OCSP server." Select Next. Enter the OCSP Server Service URL details.
  • If you wish to validate the DC certificate retrieved during user authentication against the one stored during installation: Select Yes for "Validate domain controller certificate returned by the domain controller server matches the domain controller certificate stored on the Xerox machine."

Note: To change the Domain Controller search order, select the controller and use the up/down arrows to promote or demote the controller order.

  1. Load the DC root and intermediate certificates and the OCSP root and intermediate certificates.
    1. Setup the SSL protocol before uploading certificates: Select Properties > Connectivity > Protocols from the menu. Select HTTP. Under Secure HTTPS, select Enabled.

Note: When Secure HTTP is enabled, all pages in CentreWare Internet Services will contain https:// in the URL.

  1. Load the DC root and intermediate certificates and the OCSP root and intermediate certificates.
    1. Setup the SSL protocol before uploading certificates: Select Properties > Connectivity > Protocols from the menu. Select HTTP. Under Secure HTTPS, select Enabled.
    2. Select Install Missing Certificates from the Domain Controller Certificates list. Alternatively, select Security > Certificates > Security Certificates from the menu.
    3. At the Security Certificates screen, select Download the Generic Xerox Trusted CA Certificate and Open to install the certificate.
    4. Select the Domain Controller Certificates tab and select Install Domain Controller Certificate.
    5. Select the required Domain Controller Certificate and select Next.
    6. Enter the Domain Controller Certificate Friendly Name and select Next.
    7. Repeat the process until all certificates are installed.
  2. Check the Proxy Server details are configured.
    1. If required by your network environment, ensure the Proxy Server details have been configured.
    2. Select the Properties tab, then Connectivity, then Protocols and Proxy Server and enter the details.
    3. Select Apply.

The Smart Card settings are now configured. You are ready to install the Smart Card hardware using the instructions on the next page.

Hardware Installation

Install the card reader device using the following instructions.

  1. Unpack the Smart Card Enablement Kit

    The kit contains:

    • Xerox Smart Card Enablement Guide (1)
    • Four Dual Lock Fastener pads (Velcro) (2)
    • Three Cable Ties (3)
    • One Ferrite Bead (4)

    Ensure you have read and agree to the license agreement terms and conditions before installation.

    Diagram showing the contents of the enablement kit: a guide, four fastener pads, three cable ties, and a ferrite bead.

  2. Locate the card reader device being installed

    There are four types of card reader available: one upright model and three slimline models. Locate the device and ensure it has been configured.

    Note: The System Administrator should configure the cards before the card reader is installed on the machine.

    Diagram showing four different types of card readers.

  3. Attach the ferrite bead to the reader cable.

    Note: The ferrite bead should be clipped onto the cable directly behind the connector.

    Diagram illustrating how to attach a ferrite bead to a cable.

  4. Attach the fasteners to the card reader device
    • Fasteners are provided to secure the card reader to the Xerox device.
    • Peel back the fastener backing strip.
    • Position the fastener on the underside of the card reader, as shown.
    • Repeat for each fastener.

    Diagram showing the process of attaching fasteners to a card reader.

  5. Remove the fastener backing strips

    After attaching all fasteners to the card reader, remove the backing strips.

    Diagram showing the removal of fastener backing strips.

  6. Place the card reader on the Xerox device
    • Gently place the card reader on the device (do not fix it yet).
    • Position the card reader in a suitable location, ensuring it does not obstruct access points or openings.
    • Check that the cable has sufficient length to connect to the rear of the network controller.
    • Once in a suitable location, press firmly to fix the card reader in place.

    Diagram showing placement of the card reader on a Xerox device.

  7. Connect the card reader to the Xerox device
    • Insert the USB connection into the slot on the rear of the network controller.
    • Use the provided cable ties to ensure neat cabling.

    Diagram showing USB connection and cable management.

    The hardware installation is now complete.

  8. Confirm the installation
    • When the card reader and software are installed and configured, the Card Reader Detected screen displays on the Xerox device local user interface.
    • Select OK.

Smart Card is now ready for use.

Note: If the card reader is not detected, refer to Troubleshooting Tips on page 29.

Using Smart Card

Once the Smart Card is enabled, each user must insert a valid card and enter their Personal Identification Number (PIN) on the touch screen. To end the session, the user must remove their card from the card reader. If a user forgets to remove their card, the machine will automatically end the session after a specified period of inactivity.

Follow the instructions below to use the Smart Card:

  1. The Authentication Required window may be displayed on the touch screen, depending on device configuration.
  2. Insert your card into the card reader.
  3. Use the touch screen and numeric keypad to enter your PIN and then select Enter.
  4. If the card and PIN are authenticated, access is granted.
  5. Complete the job.
  6. To end the session, remove your card from the card reader. The current session is terminated, and the Authentication Required window is displayed.

Note: If the access attempt fails, refer to Troubleshooting Tips on page 29.

Troubleshooting

For optimal performance from your card reader, follow these guidelines:

  • The Card Reader is only compatible with network-connected products.
  • Ensure the Card Reader is plugged into the Network Controller. Refer to Connect the card reader to the Xerox device on page 24 for instructions.
  • Do not position the Card Reader in direct sunlight or near a heat source like a radiator.
  • Ensure the Card Reader does not get contaminated with dust and debris.

Fault Clearance

When a fault occurs, a message displays on the User Interface with fault information. If a fault cannot be resolved using the provided instructions, refer to Troubleshooting Tips on page 29.

If the problem persists, identify whether it relates to the card reader device or the Xerox device.

  • For card reader device problems, contact the manufacturer for assistance.
  • For Xerox device problems, contact the Xerox Welcome and Support Center. Provide the nature of the problem, the Machine Serial number, any fault code, and your company's name and location.

Contact Xerox at 1-800-ASK-XEROX or 1-800-275-9376.

Locating the Serial Number

  • Press the Machine Status button on the control panel.
  • The Machine Information tab is displayed.
  • The Machine Serial Number is displayed on this screen.

Note: The serial number can also be found on a metal plate inside the front door.

Troubleshooting Tips

The table below lists problems, possible causes, and recommended solutions.

During Installation

Problem Possible Cause Solution
Card reader is installed but no message displays on the User Interface Card reader is faulty. Try a different card reader.
Contact the System Administrator.
Card reader connection is faulty. Check the cable is plugged in correctly. Refer to Connect the card reader to the Xerox device on page 24 for instructions.
Unplug the card reader cable then plug back in.
Plug the card reader into a different USB port.
Card reader is not compatible. Check that the card reader is on the list of compatible devices; refer to Supported Card Readers on page 6.
Smart Card access is not enabled on the machine. Enable CAC through the Properties set up screens using Internet Services; refer to Software Enablement on page 12.

After Installation

Problem Possible Cause Solution
Authentication failures Incorrect PIN has been entered. Retry entering the correct PIN. If the problem persists, contact the System Administrator for advice.
Card is locked due to too many failed PIN attempts. Contact Registration Authority to reload or get a new card.
Identity certificate has been revoked.
Authentication with Domain Controller Failed. Check network cable is firmly connected.
Contact the System Administrator.
Unable to validate server certificate. Contact the System Administrator.
Smart Card Authentication System Failed. Contact the System Administrator.
Authentication Failed. Contact the System Administrator.
System Administrator has not selected All Features or Scanning Service Only. Contact the System Administrator.

Time for date mismatch error

Problem Possible Cause Solution
Time for date mismatch error There is a mismatch between the time and date setting on the Xerox device and the authentication server time or date setting. Verify that Network Time Protocol is properly set up.
Verify that the date and time and GMT Offset (Time Zone) is correct; refer to Configure the Date & Time to update automatically on page 14 for instructions.
Verify that GMT offset is correct for Daylight Savings Time.
Contact your System Administrator.

Cannot see the Internet Services web page after software upgrade

Problem Possible Cause Solution
Cannot see the Internet Services web page after software upgrade IP Address incorrect or has been reset. Check the IP Address printed on the configuration report. Ensure the DHCP settings match your site settings.
To print a configuration report at the Xerox device, select Machine Status, then Information Pages. Select the Configuration Report from the list and select Print.

Appendix A: Retrieving the Certificate from a Domain Controller or OCSP Server

  1. Access the Domain Controller using a web browser with the following syntax: https://[IP Address of the Domain Controller]:636. For example: https://111.222.33.44:636. A Security Alert warning window will be displayed, similar to the one shown.
  2. Click on View Certificate to proceed. If the window does not display, double-click the padlock icon in the lower-right corner of your browser window. The Certification Information window is displayed.
  3. Select the Details tab. Record the name of the Certificate Authority (CA) that issued this certificate (the "Issuer"). A certificate from this CA will be required during Smart Card setup.
  4. Select the Copy to File... button. The Certification Export Wizard is displayed.
  5. Select Next.
  6. Select Base-64 encoded X.509 (.CER).
  7. Select Next.
  8. Select Browse. Browse to a directory to save the Certificate.
  9. Enter a filename for the Certificate and select Save.
  10. Select Next.
  11. Select Finish. The Certificate is retrieved from the server and saved in the selected directory. A pop-up message will confirm that the Certificate has been successfully saved. Once saved, the Certificate can be loaded onto the device. This process can be repeated to retrieve Certificates from each required server.

Appendix B: Determining the Domain in which your Card is Registered

  1. From your PC, click the Start menu and right-click on My Computer.
  2. From the drop-down list, select Properties. When the System Properties window opens, click on the Computer Name tab. Beneath the Full Computer name is the Domain Name.
  3. Copy and paste the Domain Name directly into the CAC setup page on the Internet Services user interface. Refer to Configuring the Smart Card on page 14 for instructions.
  4. Select Cancel to close the System Properties window.

PDF preview unavailable. Download the PDF instead.

ColorQube 8700 8900 Smart Card Guide v2 Acrobat Distiller 8.0.0 (Windows)

Related Documents

Preview Xerox Smart Card Installation Guide
This guide provides instructions for installing and configuring the Xerox Smart Card solution for Xerox WorkCentre 7755/7765/7775 and Xerox ColorQube 9201/9202/9203/9301/9302/9303 devices.
Preview Secure Installation and Operation Guide for Xerox WorkCentre and ColorQube Devices
This guide provides essential information for the secure installation, setup, and operation of Xerox WorkCentre 5845, 5855, 5865, 5875, 5890, 7220, 7225, 7830, 7835, 7845, 7855, and ColorQube 9301, 9302, 9303 devices. Learn about security protocols, configuration settings, and best practices for maintaining a secure operating environment.
Preview Xerox Global Print Driver V3 Version 5.759.5.0 Product Enhancements
This document details the product enhancements for the Xerox Global Print Driver V3, version 5.759.5.0, released in December 2020. It includes software release details, new fixes and features, installation notes, archived changes, and additional documentation links.
Preview Xerox Product Security: Data Protection, Image Overwrite, Encryption, and Disk Removal Guide
Comprehensive guide from Xerox detailing product security features such as image overwrite, disk encryption, and disk removal procedures for various Xerox devices to protect sensitive data.
Preview Xerox Product Compatibility with macOS Sonoma
A comprehensive guide detailing the compatibility of various Xerox printers, multifunction printers, and digital front end products with Apple's macOS Sonoma operating system. Includes compatibility levels and links to download drivers.
Preview Xerox Smart Start User Guide
A user guide for Xerox Smart Start software, detailing its features, installation process, and troubleshooting for Xerox printers.
Preview Xerox Mobile Scanner User Guide - Portable Document Scanning
Your essential guide to the Xerox Mobile Scanner. Learn setup, scanning to USB/SD cards, mobile device connectivity, maintenance, and safety. Enhance your document management on the go.
Preview Xerox C310, C315, C410, VersaLink C415 Installation Guide
Detailed, step-by-step instructions and visual descriptions for installing components on Xerox C310, C315, C410, and VersaLink C415 printers. Includes guidance on paper trays and internal parts.