Xerox® Smart Card Installation Guide

Introduction

The Xerox Smart Card solution provides an advanced level of security for sensitive information by restricting access to walk-up features of Xerox devices to authorized users only. This ensures that only authorized users can copy, scan, email, and fax information.

The primary benefit of this solution is its two-factor identification requirement, where users must insert their access card and enter a Personal Identification Number (PIN) at the device. This enhances security, especially if a card is lost or stolen. Once validated, a user is logged into the Xerox device for all walk-up features, and the system tracks these functions for added security.

The Xerox Smart Card enablement kit integrates with Xerox multifunction printers and existing smart and personal identity verification cards and readers. This guide details the installation and configuration of the Smart Card solution, including the necessary resources and equipment.

For further information, contact your Local Xerox Representative.

Compatibility

This solution is compatible with the following products and configurations:

To identify the software level on your machine, press the Machine Status button on the control panel. The System Software Version number is displayed.

Card Readers and Card Types

Supported Card Readers

Customers are responsible for providing a card reader compatible with the solution. The following card readers are supported:

• Gemplus GemPC USB SL
• Gemplus GEMPC Twin
• SCM Micro SCR3310
• SCM Micro SCR3311
• OmniKey Cardman 3021 USB
• OmniKey Cardman 3121 USB
• ActivCard USB Reader V2 with SCR-331 firmware
• Cherry ST1044U

Other CCID compliant readers may function with the solution, but have not been validated.

Supported Card Types

Customers are also responsible for purchasing and configuring access cards. The following card types are supported:

• CAC
• PIV & PIV II
• Gemalto.NET

Other card types may function with the solution, but have not been validated.

Additional information from your System Administrator may be required to validate which card reader works best in your environment.

Note: Information about CCID compliant card types can be obtained from various websites, for example www.pcsclite.alioth.debian.org/ccid. This site is not a Xerox website and is not endorsed by Xerox.

Documentation and Support

For information specific to your Xerox product, the following resources are available:

• System Administrator Guide: Provides detailed instructions and information about connecting your device to the network and installing optional features. This guide is intended for System/Machine Administrators.
• User Guide: Provides detailed information about all the features and functions on the device. This guide is intended for general users.

Most answers to your questions can be found in the support documentation supplied with your product. Alternatively, you can contact the Xerox Support Center or visit the Xerox website at www.xerox.com.

Preparation

This section outlines the preparation and resources required to install the Smart Card Reader. The installation process typically takes about one hour per device. The following items are necessary for a complete installation:

To set up Domain Controller (DC) validation, you must determine if your site validates the DC against the Online Certificate Status Protocol (OCSP) server. Many sites use OCSP to validate individuals but do not register the DC with it. If you configure the Xerox device to validate the DC and it is not registered, the procedure will fail.

If your site registers the DC with OCSP, you need to decide whether:

• to validate the DC against OCSP before user validation, or
• to validate the DC after user validation

The first method requires DC certificate installation as part of the procedure and is the more accepted method for validation. The second method automatically retrieves the DC certificate for each authentication and does not require installation of the DC certificate onto the Xerox device.

An optional method is to combine both options and compare the retrieved DC certificate with the one stored during installation. This offers the highest security by preventing rogue DCs from masquerading as the real DC.

Note: Certificates are often obtained from the Information Technology professionals supporting your organization. If you cannot obtain the required certificates, refer to the process outlined in Appendix A. You can determine your registered domain using the process outlined in Appendix B.

Server Specifications

Before installation, ensure your network infrastructure supports Smart Card or Personal Identification Verification (PIV). Server and domain names or IP addresses are required during setup.

Electrical Requirements

The USB port on the back of the Xerox device network controller provides power for all supported card readers.

Installation

This section provides instructions for installing and configuring the Smart Card solution. There are four main installation procedures to follow in sequence:

• Enabling and Configuring Smart Card: Use the Feature Enable Key to enable the Smart Card for configuration.
• Configuring Smart Card: Enable the Smart Card function and customize settings.
• Hardware Installation: Unpack the Smart Card Enablement kit and install the card reader device.
• Using Smart Card: Instructions on how to use the card reader device to access device functions.

Software Enablement

Before installing the Xerox Smart Card solution, the software must be enabled on your Xerox device using Internet Services. The Feature Enable Key is provided on the inside cover of the Enablement guide within the Xerox Smart Card kit.

Follow the instructions below to enable the device software.

Note: Some steps may require the System Administration password for your device.

1. Access Internet Services
   1. Open a web browser on your workstation.
   2. In the URL field, enter http://[IP Address of the device]. For example: http://192.168.100.100.
   3. Press Enter to view the Home page.
2. Access Properties
   1. Select the Properties tab.
   2. If prompted, enter the Administrator User ID and Password. The default is admin and 1111.
   3. Select the Login button.
3. Enable the Smart Card software
   1. Select the Security link.
   2. Select the Access Rights link.
   3. Select Setup in the directory tree.
   4. In the Authentication Configuration area, select Next.
   5. Set the Device User Interface Authentication option to Smart Card (CAC)/Personal Identity Verification (PIV) using the drop-down menu. If you need the device to use the E-mail address registered to the authenticated user, select Personalization.
   6. Select Next.
   7. Enter the unique Feature Enable Key provided on the inside cover of the Smart Card Enablement Guide.
   8. Select Next.
   9. A confirmation message is displayed. Select Next. The Smart Card settings are now ready for configuring.

   Note: No services will be restricted until Smart Card has been fully configured using Internet Services.

Configuring the Smart Card

Once the Xerox Smart Card feature is enabled on the device, it can be configured using Internet Services.

Follow the instructions below to enable and configure the Smart Card:

1. Access Internet Services and select Properties. Refer to Access Internet Services on page 12 for instructions.
2. Configure the Date & Time to update automatically
   1. Select the General Setup link, then Date & Time.
   2. Select Automatic Using NTP.
   3. Verify the Time Zone is set correctly for your region.
   4. Select Apply. The device will reboot to apply the changes.

   Notes:

   • The sign in front of the number is important. Most of Europe is plus of Greenwich Mean Time, while North America is minus. Consider the implications of Daylight Savings Time when selecting the Offset of Local Time Zone option.
   • If Network Time Protocol is not available, verify that the time set on the device matches the network time on the Domain Controller Authentication Server. Refer to the System Administrator guide for instructions. If using Network Time Protocol (NTP), do not change the time on the device.
3. Access the Smart Card settings
   1. Select the Security link.
   2. Select the Access Rights link.
   3. Select Setup in the directory tree.
   4. Select Configure from the Authentication Configuration window.
4. Enter the Smart Card Timeout required between 1 and 120 minutes. The default setting is 5 minutes. If the machine is inactive for the specified period, it will end the session automatically.
5. Configure Domain Controller Validation

If your site does not register the DC with OCSP:

• Uncheck all three Domain Controller OCSP Certificate Validation boxes and add the required Domain Controller.
• Select Save. Go back and add other Domain Controllers as needed.

If you wish to validate the DC against OCSP before user validation:

• Check the box for Validate before CAC/PIV Authentication.
• Enter the OCSP Server Service URL details.

Note: Depending on your environment, these details may be case sensitive.

If you wish to validate the DC against OCSP after user validation:

• Check the box for Validate after CAC/PIV User Authentication.
• Enter the OCSP Server Service URL details.

If you wish to validate the DC certificate retrieved as part of the user authentication process against the one stored during installation, check the box for Domain Controller Signature must match uploaded Domain Controller Certificate.

Enter the Domain Controller details for the authentication server:

• Determine how many Domain Controllers your environment requires for the device to access.
• Identify the order in which Domain Controllers should be interrogated when users present their card for authentication. The Domain Controller serving most users should be listed first, followed by less popular Domain Controllers.
• Enter the controllers in the preferred search order.

Note: The search order can be modified later.

• Select Add.
• Ensure the Domain Controller Type is configured correctly for your authentication environment.
• Enter the IP Address or the Domain Controller Host Name (this must be the fully qualified Host Name).
• Ensure Port 88 is selected unless your Kerberos Port is different.
• Enter the Domain Name (this must be the fully qualified Domain Name).
• Select Save. If you selected the option that the Domain Controller Signature must match the uploaded Domain Controller Certificate, a field will appear to enter that certificate. This field will be missing if it is not required to upload the Domain Controller Certificate.
• At the Domain Controller Certificate option, select Add and browse to the Domain Controller Certificate.

Note: If you are unable to obtain the required certificates, refer to Retrieving the Certificate from a Domain Controller or OCSP Server on page 33 of Appendix A.

• Select the Certificate, then select Upload Domain Controller Certificate. If the Domain Controller certificate is not available, the certificate used to issue the Domain Controller certificate can be uploaded instead.
• The Domain Controller certificate, or its issuing certificate, is needed by the device to validate interactions between the device and the domain controller.
• Select Save.
• Repeat the process to enter details for all Domain Controllers. If an error is made, select the Domain Controller from the list, make corrections, select Edit, make changes, then select Save.

Note: To change the Domain Controller search order, select the controller and use the up and down arrows on the right side of the screen to promote or demote the controller order.

Load the DC root and intermediate certificates and the OCSP root and intermediate certificates.

Note: This step is only required if using any of the OCSP Certificate Validation options.

• Select Security, then Trusted Certificate Authorities Page or select Trusted Certificate Authorities from the menu.
• At the Trusted Certificates Authorities screen, select Add.
• Browse to the previously retrieved certificates and add them one at a time.
• Select the certificate, then select the Upload Certificate Authority button to add each one.
• Repeat the process until all certificates are installed.
• Select Close.

Check the Proxy Server details are configured

• If required by your network environment, ensure the Proxy Server details have been configured.
• Select the Properties tab, then Connectivity, Protocols and Proxy Server and enter the details.
• Select Apply.

The Smart Card settings are now configured. You are ready to install the Smart Card hardware using the instructions on the next page.

Hardware Installation

Install the card reader device using the following instructions.

1. Unpack the Smart Card Enablement Kit

   The kit contains the following items:

   • Xerox Smart Card Enablement Guide (1)
   • Four Dual Lock Fastener pads (Velcro) (2)
   • Three Cable Ties (3)
   • One Ferrite Bead (4)

   Ensure you have read the license agreement and agree to the terms and conditions specified prior to installation.

2. Locate the card reader device being installed
   • There are four types of card reader available: one upright model or three slimline models.
   • Locate the device being installed and ensure it has been configured.

   Note: The System Administrator should configure the cards prior to the card reader being installed on the machine.

3. Attach the ferrite bead to the reader cable.

   Note: The ferrite bead should be clipped onto the cable directly behind the connector.

4. Attach the fasteners to the card reader device
   • Fasteners have been provided to secure the card reader to the Xerox device.
   • Peel back the fastener backing strip.
   • Position the fastener on the underside of the card reader, as shown.
   • Repeat for each of the fasteners supplied.
5. Remove the fastener backing strips

   When all fasteners have been attached to the card reader, remove the backing strips on each of the fasteners.

6. Place the card reader on the Xerox device
   • Gently place the card reader on the device (do not fix in place at this point).
   • Position the card reader in a suitable location, ensuring it does not obstruct the opening of the document handler side cover.
   • Check the cable has sufficient length to connect to the rear of the network controller.
   • Once in a suitable location, press firmly on the card reader to fix it in place.
7. Connect the card reader to the Xerox device
   • Insert the USB connection into the slot provided on the rear of the network controller.
   • Use the cable ties provided to ensure the cabling is neat and tidy.

   The hardware installation is now complete.

8. Confirm the installation
   • When the card reader and software have been installed and configured, the Card Reader Detected screen displays on the Xerox device local user interface.
   • Select OK.

   The Smart Card is now ready for use.

   Note: If the card reader is not detected, refer to Troubleshooting Tips on page 29 for information.

Using Smart Card

Once the Smart Card has been enabled, each user must insert a valid card and enter their Personal Identification Number (PIN) on the touch screen. When a user finishes using the Xerox device, they must remove their card from the card reader to end the session. If a user forgets to remove their card, the machine will automatically end the session after a specified period of inactivity.

Follow the instructions below to use the Smart Card:

1. The Authentication Required window may be displayed on the touch screen, depending on your device configuration.
2. Insert your card into the card reader.
3. Use the touch screen and numeric keypad to enter your PIN and then select Enter.
4. If the card and PIN are authenticated, access is granted.
5. Note: If the access attempt fails, refer to Troubleshooting Tips on page 29.
6. Complete the job.
7. To end the session, remove your card from the card reader. The current session is terminated and the Authentication Required window is displayed.

Troubleshooting

For optimal performance from your card reader, ensure the following guidelines are followed:

• The Card Reader is only compatible with network-connected products.
• Ensure the Card Reader is plugged into the Network Controller. Refer to Connect the card reader to the Xerox device on page 23 for instructions.
• Do not position the Card Reader in direct sunlight or near a heat source such as a radiator.
• Ensure the Card Reader does not get contaminated with dust and debris.

Fault Clearance

When a fault occurs, a message displays on the User Interface providing information about the fault. If a fault cannot be resolved by following the provided instructions, refer to Troubleshooting Tips on page 29.

If the problem persists, identify whether it relates to the card reader device or the Xerox device.

• For problems with the card reader device, contact the manufacturer for further assistance.
• For problems relating to the Xerox device, contact the Xerox Welcome and Support Center. The Welcome and Support Center will need to know the nature of the problem, the Machine Serial number, the fault code (if any), and the name and location of your company.

Contact Xerox using the numbers 1-800-ASK-XEROX or 1-800-275-9376.

Locating the Serial Number

• Press the Machine Status button on the control panel.
• The Machine Information tab is displayed.
• The Machine Serial Number is displayed on this screen.

Note: The serial number can also be found on a metal plate inside the front door.

Troubleshooting Tips

The table below provides a list of problems, possible causes, and recommended solutions.

If you experience a problem during the installation process, refer to the During Installation problem-solving table below. If you have successfully installed the Smart Card solution but are experiencing problems, refer to After Installation on page 30.

During Installation

After Installation

Appendix A: Retrieving the Certificate from a Domain Controller or OCSP Server

1. Access the Domain Controller using a web browser with the following syntax: https://IP Address of the Domain Controller:636. For example: https://111.222.33.44:636 where 111.222.33.44 is the IP address of the appropriate server. A Security Alert warning window will be displayed, similar to the one shown.

2. Click on View Certificate to proceed. If the window does not display, double-click the padlock icon in the lower right-hand corner of your browser window.

The Certification Information window is displayed.

3. Select the Details tab. Record the name of the Certificate Authority (CA) that issued this certificate, the "Issuer". A certificate from this CA will be required during Smart Card setup.

4. Select the Copy to File button.

The Certification Export Wizard is displayed.

5. Select Next.

6. Select Base-64 encoded X.509 (.CER).

7. Select Next.

8. Select Browse. Browse to a directory to save the Certificate.

9. Enter a filename for the Certificate and select Save.

10. Select Next.

11. Select Finish.

The Certificate is retrieved from the server and saved in the selected directory. A pop-up message will confirm that the Certificate has been successfully saved. Once saved, the Certificate can be loaded onto the device. This process can be repeated to retrieve Certificates from each of the required servers.

Appendix B: Determining the Domain in which your Card is Registered

1. From your PC, click the Start menu and right-click on My Computer.

2. From the drop-down list, select Properties. When the System Properties window opens, click on the Computer Name tab. Beneath the Full Computer name is the Domain Name.

3. Copy and paste the Domain Name directly into the CAC setup page on the Internet Services user interface. Refer to Configuring the Smart Card on page 14 for instructions.

4. Select Cancel to close the System Properties window.