HP JetAdvantage Security Manager User Manual

Technical white paper

HP JetAdvantage Security Manager

Release Notes v3.5

Table of contents

Overview 2 Key Features 2 What’s New in Security Manager 3.5? 3

Features and Usability Improvements 3 New Policy Items and policy changes 4 New Devices Supported 4

Fixes 4 Software Notes and Known Issues 5 Installation 7

Installation Notes 8 Supported Operating Systems and Databases9

Operating Systems 9 Hardware Requirements 10

Notes 10 VMware and Hypervisor Support 10

Requirements 10 Solutions 11 Network Port Assignments 11 Ports diagram 13 Appendix A 15

Release History 15 Appendix B 33

Links to HP Security Manager Whitepapers33

Overview

Announcing HP JetAdvantage Security Manager 3.5, the latest release of the industry’s first policybased solution that helps you increase security, strengthen compliance, and reduce risk across your imaging and printing fleet. With Security Manager, you can gain control of your fleet by enabling an effective, policy-based approach to securing HP imaging and printing devices. Through the intuitive and intelligent security policy editor, you can easily create a custom and comprehensive device security policy that is suited for your specific environment.

A Security Manager Base Policy template is provided as a great place to begin creation of a custom security policy or to use as is, if appropriate, as a baseline security policy for your environment. You can schedule the Assess and Remediate task to execute on a daily, weekly or monthly basis to monitor the print environment for settings that do not comply with the chosen security policy, and then automatically return those settings to the policy-specific state. In addition, the Security Manager Instant-On Security feature can place your HP imaging and printing device into the desired security state, as soon as it is attached to the network. The Instant-On Security feature is also invoked when the device is cold-reset or changes IP addresses.

Security Manager also offers a Fleet Certificate Management solution. This feature eliminates the manually deployed, singular device, network certificate implementation process and replaces it with an automatic, fleet based, security policy centered method of certificate management. By using this feature, you can easily replace the default device self-signed certificate with an authorized Certificate Authority (CA) signed certificate and manage it for validity, expiration, and revocation. Implemented as an extension of the Security Manager policy editor, this solution handles network certificate management as a background task like any other Security Manager assessment and remediation.

Key Features

• The Security Manager Instant-On Security feature allows supported devices to automatically locate

the Security Manager server and receive your company approved device security policy as soon as the device is attached to the network. Instant-On Security then maintains policy-based compliance during device resets and address changes.

• The Security Manager Policy Editor allows print administrators with minimal security knowledge, as

well as experienced security administrators, to build a valid, comprehensive security policy to deploy across the HP imaging and printing fleet. The Policy Editor provides security setting intelligence through basic definition, recommendations, validations and constraints to ensure creation of a valid policy. A Security Manager Base Policy template is provided as a great place to begin creation of a custom policy or to use as is, if appropriate, as a baseline policy for your environment.

• Security Manager can be scheduled to assess and remediate devices on a daily, weekly or monthly

occurrence. When configured in this fashion, Security Manager automatically assesses your fleet for its current setting and returns non-compliant settings to the desired state of the security policy used in the assessment. Unlike other management tools, Security Manager only fixes what is out of compliance, then it reports on exactly what was out of compliance that had to be remediated. This is valuable in understanding where vulnerabilities exist in your environment.

• The Security Manager Certificate Management solution replaces a manual, highly interactive network

certificate deployment process with an automated policy-based solution that deploys and manages network certificates like any other assessed and remediated Security Manager device security setting. Automated fleet deployment of Certificate Authority (CA) signed certificates to accommodate encrypted printing, 802.1x protected network authentication and other print environment related encryption/authentication needs is now possible with this solution.

What’s New in Security Manager 3.5?

Features and Usability Improvements

• 110979/109115 Migration to .net 4.8. The old .net 3.5 is no longer needed.

• 103558 Added account lockout due to invalid password. Account lockout is now configurable in the

web.config file (the already existing option AutoLogOut can be enabled in the same file).

• 109620 Added Malay and Spanish localization

• 109219 SMB2 and SMB3 can now be disabled via the expanded policy item SMB/CIFS (Shared

Folder)

• 109711/110863 Additional Ciphers have been added to the policy item Web Encryption Settings or

Active Ciphers

• 109226\111922 Added support for Chromium based Microsoft Edge 79 or higher

• 110094 Added support for using System Name in the From Address for the Outgoing E-mail (SMTP)

policy item under Shared Items

• 110519 HPSM services can run as a local user

• 110991 Changed default timeouts and retries to EAPRetry = 1, snmpRequestTimeout = 5000 and

timeBetweenEapRetry= 1000

• 108681 Added support for licenses with different end-dates in UI.

• 10560/110010 Support for Device level assessment of remediation history and alerts on device

level and in dashboard.

• 109851 HPSM will be using the asset identifier from the pfirmware.glf to find the corresponding

firmware level for a device.

• 109827 Added Advanced option for the filter creation.

• 107944 Added CA Certificate support for Zebra devices

• 110675 Added ID Certificate support for Zebra devices

• 109211 Installer now contains SQL Express 2019

• 109706 HPSM installer now asks for credentials before creating/updating the Database

• 109461 Added option under Settings, General to automatic delete device which have status:

network connection error for x number of days.

• 109260 Added configuration options in the hpsm_service.exe.config to either add a device with

same IP address or hostname or to overwrite a device with the same IP address or

hostname

• 111029 EST (Enroll over secure transport) certificate management added. This is currently in beta

and based upon RFC 7030

• 108834 Qualys Service Integration (beta)

• 109615 The words “Use Default Credentials” have been changed into “Specify Credentials” for the

Email Server Settings

• 109667 InstallDBrmt.bat script has been renamed into:

InstallOrUpgradeRemoteDB.bat

The InstallSQLScripts.zip file now contains a Readme_InstallSqlScripts.txt

• 108834 Qualys Service Integration (beta)

• 110580 The term Alerts has been renamed into Alert Subscriptions

New Policy Items and policy changes

• 1009779 E-mail domain restriction

• 109207 The configuration option Digital Send has been renamed into Job Behavior

• 109514 Descriptions to prevent email spoofing have been improved in the policy item Outgoing

E-mail (SMTP)

• 110762 The configuration option System logging has been renamed into Syslog (System logging)

• 110802 All links to existing whitepapers have been added to the HPSM inbuild-help

• 110781 The Group filter option has been renamed into Group membership and all the filter options

are now working

• 111467 DAT log files are now using same time settings as other HPSM log files, thus local time

instead of UTC time

• 110826/109247 Added descriptive comments for configurable parameters in HPSM configuration

file and improved existing descriptions

• 109029 Renamed Jet Advantage Link into HP Workpath (HP Jetadvantage)

• 111342 The names of the configuration options for Stored Data PIN Protections options now in sync

with Futuresmart 4 and the word Temporary has been added to Retain Print Jobs After Reboot and Job Storage Limit.

• 111502 IRM Authentication has been added into HPSM and the descriptions for existing HPAC

authentications have been updated.

New Devices Supported

HP Color LaserJet Enterprise M554 HP Color LaserJet Enterprise M555 HP Color LaserJet Enterprise MFP M578 HP DesignJet T650 24-in

Managed devices: HP Color LaserJet Managed MFP E77428 HP LaserJet Managed MFP E72535 HP LaserJet Managed MFP E72430

Fixes

• 109070 Performance issues/DB growth is no longer occurring when policy change notification is

enabled.

• 109917 Web mail can now be configured in the HPSM UI for Automated report Settings as it’s no

longer required to fill in a Domain.

• 110353 Application Event Log is no longer showing ‘incorrect syntax near ‘)’ during

nightly maintenance when Remove historic data is set to x number of days.

• 109614 It’s now possible to Save Email server settings and unable to Send Test Email without user

credentials

• 109961 HPSM is no longer hanging on Export page when you enter a long or invalid email address

and CPU might go to 100%.

• 109907 HPSM is now accepting an email address which contains a plus sign (+)

• 110997 When SNMPv3 credentials are wrong HPSM will no longer attempt twice with the

wrong credentials during verify

• 110998 When SNMPv3 credentials are wrong HPSM will no longer try 6 times to attempt to

set 3 OID’s

• 111369 Parent Tasks marked as completed if there is any exception while getting data from

the DB

• 109860 The default setting for Delect Rule has been change from No Action to Cascade for

the foreignkeys such as FK984CDE507E9133 for RecToReasonsTable which prevents intermittent Stale database Errors

• 110549 Performance when remediating EWS password while device is set to snmp read-

only has been improved

• 111167 Instant on will now also use the global credentials if the device specific credentials are

not valid for the device

• 112394 HP Devices which have SNMPv3 configured and SNMPv1 disabled will no longer end

up in credentials error during discovery/verify/remediation.

• 110990 After manual importing devices into a group, the number of devices in the group does

now match the discovery list.

• 110918 HPSM can now install certificate on Z9 when CSR Source is set to HPSM

• 109215 HPSM can now remediate SNMP settings on a LJM404 with secure if SNMPv3

configuration is available in the policy.

• 111591 When Hostname Resolution is disabled, Manual discovery will no longer perform a

hostname resolution

• 109614 Email server settings can now be saved without specifying user credentials

• 109917 Webmail servers can now be used for Automated report settings as domain field is no longer

required

• 111180 HPSM can now configure SNMPv3 settings (username remains empty) on HP LaserJet 400

MFP M425

• 109274 When applying an SNMP v3 only policy HPSM no longer indicates unable to remediate with

SNMPv1 credential error when the device is only configured with SNMPv3 only.

• 111738 ID certificate installation using Venafi SCEP service is now downloading the certificate from

the Venafi SCEP server correctly.

• 111368 Syslog Server IP is now removed from a device during remediation of a policy with syslog

disabled.

Software Notes and Known Issues

• 111911 The groups pane on the left might show different number of devices for the same group

which is listed in the main window/pane. This can happen even after hitting the Refresh button for the groups section (left pane) and after hitting the Refresh button for devices screen (right pane). Workaround: run the following script on the HPSM database:

use HPIPSC

--Delete unused DeviceNodeIndentity entries Delete from dbo.DeviceToDeviceNodeIdenityTable where Device_ID not in (select ID from DeviceTable where state=2)

• 113300 The manual maintenance script and nightly maintenance are not making the

recommendations table smaller. This will be fixed in HPSM 3.6. Workaround: see 112833

• 112833 Nightly maintenance task is failing due to too many parameters (in HPSM_Service.log file: The

incoming request has too many parameters. The server supports a maximum of 2100 parameters). This will be fixed in HPSM 3.6. Workaround for 11300 and 112833: run the following script regularly (weekly/biweekly) on the HPSM database:

USE HPIPSC ; -- HPSM database name

DECLARE @X INT=1; DECLARE @DeleteOlderThan INT=10; -- Days. Records older than this day will be deleted

WAY:

SELECT TOP 10000 * into #NEWTABLE FROM (SELECT rec.ID AS recID, rToret.KEY_ID as rToretID, rt.ID AS rtID, rvt.ID as rvtID, rTorv.ID AS rTorvID, rTorat.KEY_ID AS rToratKEY_ID, rat.ID AS ratID, av.ID AS avID, raTop.ID AS raTopID FROM dbo.RecommendationTable rec LEFT OUTER JOIN dbo.RecToReasonsTable rToret ON rToret.KEY_ID = rec.ID LEFT OUTER JOIN dbo.ReasonTable rt ON rt.ID = rToret.Reason LEFT OUTER JOIN dbo.ReasonToReasonValuesTable rTorv ON rTorv.ID = rt.ID LEFT OUTER JOIN dbo.ReasonValueTable rvt ON rvt.ID = rTorv.ReasonValue_ID LEFT OUTER JOIN dbo.RecToRecommendationActionsTable rTorat ON rTorat.KEY_ID = rec.ID LEFT OUTER JOIN dbo.RecommendationActionTable rat ON rat.ID = rTorat.RecommendationAction LEFT OUTER JOIN dbo.AssessmentValueTable av ON av.ID = rat.ActionValue_REF LEFT OUTER JOIN dbo.RecActionsToParametersTable raTop ON raTop.ID = rat.ID

where rec.Date < getdate()- @DeleteOlderThan Or rec.AssessmentAndPolicyUniqueID NOT IN ( select distinct dal.assessmentAndPolicyUniqueID as uniqueID from dbo.DeviceAssessmentLogTable dal where dal.State = 2 )) as Sub1

--select count (*) from #NEWTABLE

DELETE a FROM dbo.RecToRecommendationActionsTable a INNER JOIN #NEWTABLE B ON a.KEY_ID= B.rToratKEY_ID DELETE a FROM dbo.RecToReasonsTable a inner join #NEWTABLE B on a.KEY_ID = B.rToretID DELETE a FROM dbo.RecommendationTable a inner join #NEWTABLE B on a.ID = B.recID

DELETE a FROM dbo.ReasonToReasonValuesTable a inner join #NEWTABLE B on a.ID = B.rTorvID DELETE a FROM dbo.ReasonTable a inner join #NEWTABLE B on a.ID = B.rtID

DELETE a FROM dbo.ReasonValueTable a inner join #NEWTABLE B on a.ID = B.rvtID DELETE a FROM dbo.RecActionsToParametersTable a inner join #NEWTABLE B on a.ID = B.raTopID DELETE a FROM dbo.RecommendationActionTable a inner join #NEWTABLE B on a.ID = B.ratID DELETE a FROM dbo.AssessmentValueTable a inner join #NEWTABLE B on a.ID = B.avID

SET @X = (select count (*) from #NEWTABLE)

drop table #NEWTABLE

IF @X=10000 GOTO WAY;

• 107960 An assessment or assessment and remediation task for HP Designjet Z3200ps 24in Photo,

HP DesignJet Z2600 PostScript , HP Designjet Z6600 and HP Designjet T7100 devices will fail even while the device is supported by HPSM. This issue is under investigation by HP.

• 112215 HPSM shows status as ERROR when remediating an HP Futuresmart printer with a policy

which includes disk encryption status after performing a partial clean on the device with USB drive inserted . This is under investigation.

• 112383 HPSM in-build help for Admin (EWS) password is not mentioning that Admin (EWS) password

is also supported for Zebra devices

• 112029 Some HPSM Configuration values are not updated after upgrade. HPSM 3.5 has the

following new default settings:

PolicyChangeNotification is now disabled

EAPRetry = 1

snmpRequestTimeout = 5000 timeBetweenEapRetry= 1000 During an upgrade the PolicyChangeNotification will always be disabled, regardless of it’s value in 3.4. If this doesn’t match the desired behavior, change the settings in the hpsm_service.exe.config file and restart the HPSM service.

• 112349 Unable to remediate SNMPv3 settings with a policy which disabled SNMPv1, enables

SNMPv3 with a non-complex passphrase, while the device was enforcing strong encryption for SNMPv3 before the policy was applied. After attempting this combination the device will end up in credentials error with SNMPv1 and SNMPv3 disabled. Workaround: always use a complex passphrase in the policy for SNMPv3. This issue will be fixed in a future release of HPSM.

• 112301 When user switch the language from non-English language to a different non-English

language the fonts and styles are not loading properly.

Resolution: Refresh the browser or open HPSM in a new browser tab.

• 109548 The HPSM installer is using powerscript files (CheckIISInstalled.ps1 and IISInstall.ps1) to

install HPSM. HPSM installation will fail to correctly install HPSM if local security policies do not allow to run unsigned powerscript files. Resolution: temporarily allow to run unsigned powerscript files during HPSM installation.

• 110914 Unable to install ID certificate on DesignJet T790 and Z6 when the device is set to a

non-English language. The following error message will be visible: " The certificate request returned from the printer was empty". This is caused by a firmware limitation. Resolution: Change the language of the device to English before installing the ID certificate with HPSM.

• 112568 HPSM will not send an email when after finishing a remediation task if one of the devices in

the group has network connection error. Instead the task details will show: Error while sending automated email. Invalid email address. This issue does not occur on new installations.

• 111092 HPSM can not install a ID certificate with HPSM on T790 and T1300 which have an HP

JetDirect 640N. This issue is under investigation.

• Older versions of Web Jetadmin may not have assigned rights for Network Service to use its self-

signed certificate. If so, Instant on Reflection will fail if attempting to add Instant On discovered devices to that Web Jetadmin installation. Manually assign rights for Network Service to use the selfsigned certificate to resolve.

• Email Summary Remediation report sent via email claims devices are remediating successfully when

they are powered down and cannot be remediating successfully.

• Upgrades from version 2.1.2 directly to version 3.1 or beyond are not supported and will result in

tasks being unable to run. Upgrade to version 2.1.4 or 2.1.5 first from version 2.1.2 before upgrading to version 3.1 or beyond.

• A locked policy automatically becomes unlocked after 2 hours.

• For better representation of pages, maximum recommended zoom is 150%.

• For the Web Encryption Strength individual ciphers, a device status can display as Network Connection

Error if the device is verified after applying a policy with RC4-SHA and RC4-MD5 ciphers enabled. In order to ensure communication between a server and client, both sides need to have the same set of supported ciphers. If a device is set to use RC4-SHA/RC4-MD5 as the active ciphers after remediation,

but the operating system doesn’t support these ciphers, a Network Connection Error will be displayed.

RC4-SHA and RC4-MD5 are considered weak ciphers and are not supported in the operating system.

• DesignJet devices do not allow device guest permission to be configured from Security Manager under

Role Based Access Control if the devices are not configured with an Admin password.

• If a Policy has Subject Alternate names (SANs) enabled with a Domain name entered to include the

Universal Printer name (UPN) as a SAN, the UPN is sent as ‘username@domainName’ to DNS. This is

not accepted by an OpenTrust CA.

• If browser security level is set to High, Security Manager will not be able to perform any file related

operations in IE until the security level is set to any other stage.

Installation

The Security Manager software is provided as a universal installation executable that is compatible with all supported operating systems. Installation options include a full local install or a full local install with a remote database option. For proper Security Manager installation and operation, specific Microsoft software must be present.

The requirements are listed below:

• Microsoft .NET Framework 4.8.

• Microsoft SQL Server Database

• Microsoft Internet Information Services (IIS) - (part of installation script)

If these are not present on the system, the installation process installs some of the required software. This includes the option to install the Microsoft SQL Server Express 2019 database which is bundled with the product.

Note: SQL Express 2019 is not supported on all operating systems. When using an operating system on which SQL 2019 is not supported, then you must install manually an older version of SQL (Express) before starting the HPSM installer.

Installation Notes

• The browser-based interface requires Internet Information Services (IIS) in order to operate. The installer

will verify that IIS is enabled with the proper settings enabled and will offer to enable the proper settings if desired. The Installation Guide specifies the proper IIS setting to be enabled if it is desired to perform manually. If the installer fails to set some of the IIS settings, it may be necessary to configure them manually. Since the installer is attempting to enable IIS, it may prompt for a machine restart.

• The browser-based interface is set to use port 7637 by default during installation. Security Manager is

launched in a browser as such: https://localhost:7637. If it is desired to change this port, it can be changed by editing the bindings for the HPSM web site under IIS Manager.

• The browser-based interface offers the ability to use an existing server certificate or to create a self-

signed certificate during installation. The self-signed certificate allows the data to be encrypted between client and server, while an existing server certificate not only encrypts data but also provides trust that the server is who it says it is. IIS will always search and bind for the server certificate in the personal store of

computer account. An identity certificate needs to be of the type “Server Authentication” in order to

provide trust.

• The browser-based interface supports Microsoft Internet Explorer, Google Chrome and Microsoft Edge

Chromium based. The following settings may need to be configured on certain machines or operating systems if Security Manager is having difficulty loading:

o Internet Explorer may require the “Display intranet sites in Compatibility View” box to be unchecked

under Compatibility View Settings if the login screen for Security Manager is not appearing.

o Internet Explorer may require the “Bypass proxy server for local addresses” box to be checked under

Internet Options, Connections, LAN Settings if the login screen for Security Manager is not appearing.

o Windows 10 may require HTTP2 to be disabled in the browser if Security Manager continually logs out

the user.

• Newer versions of Google Chrome may require the following technique to disable HTTP2:

Launch chrome by disable http/2 through RUN cmd.

Open RUN prompt and type "chrome.exe --disable-http-2"

Open registry and add two new parameters:

o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Cleartext DWORD 0 o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHttp2Tls DWORD 0

• Based on the system state, in some cases, installation/uninstallation prompts for a system restart. This is

caused by the MS Installer seeing a particular value present in the registry. A workaround rather than rebooting is to change an entry available in registry:

o HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\pendingFileRenameOperation

This entry needs to be deleted if it exists.

• Users need to be re-added to the HPIPSC group after software upgrade.

• Licenses need to be re-loaded if the operating system is upgraded.

• Licenses need to be re-added if the database is being restored from 2014 to 2016 SQL Express.

• The Security Manager service must have the proper permissions to access the Security Manager service

database. If the service and database are installed on the same computer, the installation process manages the assignment of database permissions. If the service and the database are installed on separate computers, you must configure the correct permissions for the remote database. For complete Security Manager installation information, see the Security Manager Installation and Setup Guide at www.hp.com/go/securitymanager. Also see the whitepaper titled “HP JetAdvantage Security Manager - Using Microsoft® SQL Server” for more information.

• If a firewall is installed on the computer on which the Security Manager service runs, and the service will be

accessed from the user interface on a remote computer, the firewall must be set to allow access to the service. The older Security Manager service listens on port 8002, which must be opened in the firewall to allow remote access to the service. The new browser-based interface listens on port 7637 be default. If you do not want to allow remote access to the Security Manager web service for either version, then you can block the respective ports with a firewall.

• For complete uninstallation, all the HPSM installation files/folders should be closed before uninstalling.

Supported Operating Systems and Databases

Operating Systems

Client and Server

• Windows 8

• Windows 8.1

• Windows 10

• Microsoft Server 2008 R2

• Microsoft Server 2012

• Microsoft Server 2012 R2

• Microsoft Server 2016

• Microsoft Server 2019

Note: Windows 7 SP1 is no longer tested. Therefore, it is no longer officially supported but can be

used at customer’s own risk. Also, only 64-bit operating systems are tested.

Tested Browsers

• Microsoft Internet Explorer 11 and greater

• Google Chrome v70.0 and greater

• Microsoft Edge, Chromium based, version 79 and greater

.NET Versions

Recommended: .NET 4.8

IIS Versions

Recommended: 7.5 or newer.

Tested Databases

• Microsoft SQL Server Express 2014

• Microsoft SQL Server 2016

• Microsoft SQL Server 2017

• Microsoft SQL Server Express 2019 (bundled with HPSM 3.5 installer)

HP Jet Advantage Security Manager requires a Microsoft SQL database to store data. For customers who do not have their own full SQL Server or do not want to use a SQL license, Security Manager bundles a recent version of SQL Server Express that can be installed and used if desired. Since organizations usually upgrade SQL Server less often than operating systems, older versions may be used for quite some time, especially if the applications accessing SQL don't use the features added to the new SQL versions. While Security Manager only tests the two most recent SQL versions at the time of release, there should be no issues using older or newer SQL versions as Security Manager uses basic calls into the SQL database that would be supported by virtually all SQL releases.

Backward and forward compatibility should be present, there just isn’t capacity to test the multitude of SQL

versions offered over the years.

Hardware Requirements

Server minimum hardware

• CPU: Dual-core processor or greater – 2.33 GHz or greater

• RAM: 64-bit systems – Minimum 8 GB

• STORAGE: Minimum of 4 GB

Client minimum hardware

• CPU: PC with 1.8 GHz or greater processor

• RAM: 64-bit systems – 4 GB or greater

The following hardware requirements are recommended, especially with the inclusion of IIS for the web-based interface. Microsoft recommends quad core processors and 10 GB RAM for IIS.

Recommended Server Hardware

• CPU: 4 or more processor cores – 2.8GHz or higher processor speed

• RAM: 64-bit systems – 12 GB or greater

• STORAGE – 4 GB or greater

Notes

• Connecting to a remote database is made possible through the install process. See whitepaper titled

“HP JetAdvantage Security Manager - Using Microsoft® SQL Server” for more information.

• After upgrading to Security Manager 3.1 and beyond from earlier versions, existing policies must be

opened in the policy editor and saved to be compatible with Security Manager 3.1.

• Before any upgrade or machine restart, it is required that no tasks are in running state. Otherwise, the

tasks will remain in the database in a running state.

• For better performance, it is recommended to start new tasks only after the completion of the current

task. For example, launch verification task only after the discovery task is complete.

VMware and Hypervisor Support

Security Manager is supported in a VMware and Hyper-V with windows versions listed previously.

Requirements

The Supported Operating Systems and Databases listed above, are also supported in VMware and Hyper-V environments. Hyperthreading is optional for VMware and Hyper-V. Reserve memory is required for Hyper-V.

Note 1

If installing Security Manager on a VMware instance, you must use the hardware (MAC) address of that virtual adapter during the ordering of the license file. Be aware that VMware dynamically generates the virtual adapter MAC address and does not guarantee it will remain static during session restarts or power toggling. If the MAC address changes, the print license service will fail to operate properly. Refer to VMware help documentation for instructions on how to configure a static MAC address or how to change the modified MAC address back to original.

Note 2:

Importing a license file might fail on VMware VM’s. Resolution: reboot the virtual machine.

Note 3:

SQL 2017 or 2019 is recommended on VMware as testing with older versions and partially disabled TLS settings did show random database connectivity issues.

Solutions

When used with third party solutions or any print or management solution requiring access to the device, the Security Manager Base Policy template, or any template defined to meet the security standards for a company, might require changes to the security settings. See the solution documentation to determine whether policy changes are required to accommodate specific functionality. Care should be taken when creating policies as to not disrupt the operation of any solutions that may be installed on devices.

NOTE: Testing a small number of devices in a sandbox or test environment when solutions are present on

devices is highly recommended before applying settings to a fleet as undesired behavior may occur with certain settings on certain solutions. Solutions may fail to install/operate, or potentially even worse behavior can occur on devices, when some settings are applied to devices with solutions present.

Security settings that have been known to affect either the installation or operation of solutions include:

• DNS server configured

• SNMP GET Community Name (Read Community Name) required for installation and configuration

• EWS password required for installation and configuration

• Command Load & Execute enabled

• PJL Access Commands enabled

• Remote Firmware Updates enabled

• Allow PJL Access enabled

• PJL Password not set

• Legacy Firmware Upgrades enabled (Current versions of firmware are signed with the SHA-256

hashing algorithm. Enabling this option allows installation of legacy firmware signed with the less secure SHA-1 algorithm)

• Control Panel Timeout

Please see the whitepaper titled “HP JetAdvantage Security Manager - Policy Editor Settings” for more detailed information regarding settings for solutions.

Network Port Assignments

This section lists the ports used by Security Manager.

Port

Protocol

Service

Notes

Client to Server

7637 (version 3.0+)

TCP

HTTPS

Port set during installation to be used to secure data between client and HPSM server via browser. This port may be changed to something else by editing bindings for the HPSM web site under IIS Manager. HPSM versions 3.0 and beyond.

+ 23 hidden pages