Encrypted Printing via Internet Printing Protocol

IBM* System i* customers who must comply with government regulations from HIPAA, Sarbanes-Oxley or the Gramm-Leach-Bliley Act may face a chink in their System i armor. Spooled files, unless sent over a secure VPN connection, travel in clear text that anyone using a sniffer or other packet-analysis software can read. Recent discoveries have led to a working Internet Printing Protocol (IPP) solution, and with the right hardware and configuration, it can work for you.

IBM OS/400* V5R2 introduced the IPP driver that allows for a direct connection to an IPP-capable printer. Make sure you're on R520 or later and have applied the latest IPP PTFs. You can find these in Software Knowledge Base document 23383453: "V5Rx PTF Listing for TCP/IP and LAN printing" (www-912.ibm.com/s_dir/slkbase.nsf/slkbase).

Get the Right Printer

The printer you choose is important. As with non-secure IPP communications, your printer must support chunking. The HTTP/1.1 protocol that governs IPP requires chunking, but many printers made for Microsoft* Windows* don't support it. OS/400 chunks transform data as soon as it becomes available, so this support is critical. Your hardware vendor may offer microcode updates to enable chunking support. For example, IBM printing systems offer such an update for the IBM 15xx series of printers.

Additionally, the printer must be able to import or create a digital certificate, because certificates play a key role in secure IPP printing. Currently, no printers are known to support the recommended method of secure connection - via an upgrade to transport-layer security - described in "RFC2910: Internet Printing Protocol/1.1: Encoding and Transport" (www.apps.ietf.org/rfc/rfc2910.html). The only known print servers to support this method are the iSeries* IPP Server and the Common UNIX* Printing System. The method described in this article uses digital certificates instead.

Find Digital Certificates on the Printer

Your printer must support the import of a signed digital certificate from a third party, or the creation and export of its own, self-signed digital certificate. Both are equally secure, and both methods have been tested to work on System i architecture. The certificate installed on the printer must be exported and imported into the System i platform, so the server (the printer) and the client (the System i platform) have matching certificates.

The following instructions match the screens you'll likely find on the Infoprint 15xx series of printers, but may differ greatly from your printer. Any questions regarding how a given printer manages digital certificates should be directed to its manufacturer.

  1. Connect to the printer via your Web browser.
  2. Set the correct time and date on the printer.
  3. Navigate to the certificate-management function. On the Infoprint 1552, this is listed under Links and Index>Certificate Management.
  4. Install a new self-signed certificate. I did this by clicking "Generate a New Private Key" and after that had processed, clicking on "Update the Certificate Signing Request." I had to create a new certificate because the default certificate expired in 1972.
  5. Export the certificate. My printer's certificate-management interface had an option to download the current certificate, and it was saved to my PC as SystemCert.pem. When displayed, the file will look something like Figure 1.
  6. FTP the certificate in ASCII mode to an IFS file location. I chose to send it to my home directory of /home/kschroe/SystemCert.pem.
