Technical White Paper HP Security Manager

NumberFixHPSM -1351HPSM will now start a task immediately even when the browser is in a different timezone. When creating a task HPSM will now always be using the server time.HPSM-1356When a device is replaced and using the same IP address or hostname, the discoverydate will be updated during discovery of this new device while overwriting old deviceinformation.HPSM 799HPSM can now also handle public key length above 2048 bytes when using NDES andcan use now ECDSA certificates for device communication.HPSM 1355HPSM will now make a case insensitive comparison under the following conditions:1. there is no SAN selected in the policy2. the device has a hostname and domain configured under Network Identification3. the ID certificate on the device has two entriesNote: HPSM is already using a case insensitive SAN comparison when SANs areenabled in a policy.HPSM 1441A login problem for the work from home devices (flexworker devices) has been fixed.

Software Notes and Known Issues HPSM-1448 Unable to create a task with IE on Windows server 2019 with German OS (andpossible other localized versions). Microsoft has retired IE out of support.Solution: Use Edge or Chrome instead of IE.Note: the same issue can be seen with FirefoxHPSM-1449 Unable to re-run a task after upgrading to 3.8 or new task never finishing afterupgrading to 3.8.Check for NHibernate ERROR in the HPSM service.log file around invalid column name"LastSuccessfulAutoEWSPasswordResetOn". If this is present, then a database column ismissing.Solution: run the installSQLscripts (again) on the 3.8 database. See also HPSMTroubleshooting whitepaper.HPSM-1379 HPSM cannot min/max TLS 1.3 versions and cannot configure TLS-AESencryption. This functionality will be added in HP FutureSmart 5.5. This is planned forHPSM 3.9.HPSM-1128 Garbage emailed reports. This can happen when the HPSM delivered fonts arenot installed correctly.Solution: See the HPSM Troubleshooting Guide.HPSM-1359 HPSM is reporting medium risk for IPSEC/Firewall when it is part of a largerpolicy. This issue is under investigation.HPSM-1323 LDAP Server search root in policy, but not getting configured on the device.HPSM-1152 Unable to set email domain restriction on FS3 devicesHPSM-1404 Unable to set SNMPv3 password on HP FutureSmart 5.4 devices when thedevice does not have an EWS password and is configured with SNMPv1 set and getcommunity names. The error message mentions that the password in the policy is notcomplaint with the password policy on the device.Solution: Upgrade to HP FutureSmart 5.5Workaround: configure EWS password first, or put SNMPv1, V3 and EWS passwordconfiguration in one policy.HPSM-1311 Zebra devices with LinkOS 6.2 - SNMP SetCommunityNameare not gettingremediated. This is under investigation.HPSM-1410 HPSM is taking client time for report Schedule instead of server time in thereportsHPSM-1411 Identity certificate using SCEP does not include State value.HPSM-1196 After upgrading an HPSM 3.5 installation, which is installed on a E:\ or D:\ drive,to 3.7.1 when using an SQL 2012 or older database and with a user account which has itsdefault schema set to something different then dbo, the HPSM service will stop shortlyafter being started. The HPSM service.log will contain ERROR messages about invalidcolumn.Solution: Run the InstallOrUpgradeRemoteDB.bat from the HPSM 3.8 InstallSQLscripts.zip.After that restart the HPSM application pool and start the HPSM service. See also theHPSM troubleshooting guide for further details.

HPSM-1035 OZ (legacy LaserJet) devices will be showing with Credential Failed statusinstead of EWS Admin Credentials Failed due to different firmware behavior. HPSM-778 SNMPv3 password Complexity can only be configured for the followingflexworker devices with HP FutureSmart 5.3 or higher with the HP default flexworkerpolicy:o HP LaserJet Managed MFP E42540fo HP Color LaserJet Managed MFP E47528fo HP Color LaserJet Managed E45028dno HP LaserJet Managed E40040dn. HPSM-1035 OZ (legacy LaserJet) devices will be showing with Credential Failed statusinstead of EWS Admin Credentials Failed due to different firmware behavior.HPSM-1063 Device status of a new device is showing the assessment result of a deleteddevice when the new device is using the IP address of the deleted device.112029 Some HPSM Configuration values are not updated after upgrade. HPSM 3.5introduced the following new default settings:o PolicyChangeNotification is now disabledo EAPRetry 1o snmpRequestTimeout 5000o timeBetweenEapRetry 1000o During an upgrade, the PolicyChangeNotification will always be disabled regardless ofits value before the upgrade. If this does not match the desired behavior, change thesettings in the hpsm service.exe.config file, and then restart the HPSM service.112301 When user switch the language from non-English language to a different nonEnglish language the fonts and styles are not loading properly.Solution: Refresh the browser or open HPSM in a new browser tab.109548 The HPSM installer is using PowerScript files (CheckIISInstalled.ps1 andIISInstall.ps1) to install HPSM. HPSM installation will fail to correctly install HPSM if localsecurity policies do not allow to run unsigned PowerScript files.Solution: temporarily allow to run unsigned PowerScript files during HPSM installation.Older versions of Web Jetadmin may not have assigned rights for Network Service to useits self-signed certificate. If so, Instant on Reflection will fail if attempting to add Instant Ondiscovered devices to that Web Jetadmin installation. Manually assign rights for NetworkService to use the self-signed certificate to resolve.Email Summary Remediation report sent via email claims devices are remediatingsuccessfully when they are powered down and cannot be remediating successfully.Upgrades from version 2.1.2 directly to version 3.1 or beyond are not supported and willresult in tasks being unable to run. Upgrade to version 2.1.4 or 2.1.5 first from version 2.1.2before upgrading to version 3.1 or beyond.A locked policy automatically becomes unlocked after 2 hours.For better representation of pages, maximum recommended zoom is 150%.For the Web Encryption Strength individual ciphers, a device status can display asNetwork Connection Error if the device is verified after applying a policy with RC4-SHAand RC4-MD5 ciphers enabled. In order to ensure communication between a server andclient, both sides need to have the same set of supported ciphers. If a device is set to useRC4-SHA/RC4-MD5 as the active ciphers after remediation, but the operating systemdoes not support these ciphers, a Network Connection Error will be displayed. RC4-SHAand RC4-MD5 are considered weak ciphers and are not supported in the operatingsystem.

DesignJet devices do not allow device guest permission to be configured from SecurityManager under Role Based Access Control if the devices are not configured with an Adminpassword. If a Policy has Subject Alternate names (SANs) enabled with a Domain name entered toinclude the Universal Printer name (UPN) as a SAN, the UPN is sent asʻusername@domainName’ to DNS. This is not accepted by an OpenTrust CA. If browser security level is set to High, Security Manager will not be able to perform any filerelated operations in IE until the security level is set to any other stage.

Installing and UpgradingThe Security Manager software is provided as a universal installation executable that iscompatible with all supported operating systems. Installation options include a full local install ora full local install with a remote database option. For proper Security Manager installation andoperation, specific Microsoft software must be present.The detailed requirements are listed in the install and setup guide. Required: Microsoft .NET Framework 4.8.Microsoft SQL Server DatabaseMicrosoft Internet Information Services (IIS) - (part of installation script)If these are not present on the system, the installation process installs some of the requiredsoftware. This includes the option to install the Microsoft SQL Server Express 2019 databasewhich is bundled with the product.NOTE: SQL Express 2019 is not supported on all operating systems. When using an operatingsystem on which SQL 2019 is not supported, then you must install manually an older version ofSQL (Express) before starting the HPSM installer.Installation Notes The browser-based interface requires Internet Information Services (IIS) in order to operate.The installer will verify that IIS is enabled with the proper settings enabled and will offer toenable the proper settings if desired. The Installation Guide specifies the proper IIS setting tobe enabled if it is desired to perform manually. If the installer fails to set some of the IISsettings, it may be necessary to configure them manually. Since the installer is attempting toenable IIS, it may prompt for a machine restart. The browser-based interface is set to use port 7637 by default during installation. SecurityManager is launched in a browser as such: https://localhost:7637. If it is desired to changethis port, it can be changed by editing the bindings for the HPSM web site under IIS Manager. The browser-based interface offers the ability to use an existing server certificate or tocreate a self-signed certificate during installation. The self-signed certificate allows the datato be encrypted between client and server, while an existing server certificate not onlyencrypts data but also provides trust that the server is who it says it is. IIS will always searchand bind for the server certificate in the personal store of computer account. An identitycertificate needs to be of the type “Server Authentication” in order to provide trust. The browser-based interface supports Microsoft Internet Explorer, Google Chrome andMicrosoft Edge Chromium based. The following settings may need to be configured oncertain machines or operating systems if Security Manager is having difficulty loading:oooInternet Explorer may require the “Display intranet sites in Compatibility View” box to beunchecked under Compatibility View Settings if the login screen for Security Manager isnot appearing.Internet Explorer may require the “Bypass proxy server for local addresses” box to bechecked under Internet Options, Connections, LAN Settings if the login screen for SecurityManager is not appearing.Windows 10 may require HTTP2 to be disabled in the browser if Security Managercontinually logs out the user.

Newer versions of Google Chrome may require the following steps to disable HTTP2:1. Launch chrome by disabling http/2 using a RUN cmd.2. Open RUN prompt and type "chrome.exe --disable-http-2"3. Open registry and add two new parameters:o HKEY LOCAL ameters\EnableHttp2Cleartext DWORD 0o HKEY LOCAL ameters\EnableHttp2Tls DWORD 0 Depending on the system state, installation/uninstallation might prompt for a system restart.This is caused by the MS Installer seeing a particular value present in the registry. Aworkaround rather than rebooting is to change an entry available in registry:o er\pendingFileRenameOperationIf it exists, this entry needs to be deleted:o Users need to be re-added to the HPIPSC group after software upgrade.o Licenses need to be re-loaded if the operating system is upgraded.o Licenses need to be re-added if the database is being restored from 2014 to 2016SQL Express. The Security Manager service must have the proper permissions to access the SecurityManager service database. If the service and database are installed on the same computer,the installation process manages the assignment of database permissions. If the service andthe database are installed on separate computers, you must configure the correctpermissions for the remote database. For complete Security Manager installationinformation, see the Security Manager Installation and Setup Guide atwww.hp.com/go/securitymanager. See also the whitepaper HP Security Manager - UsingMicrosoft SQL Server for more information. If a firewall is installed on the computer on which the Security Manager service runs, and theservice will be accessed from the user interface on a remote computer, the firewall must beset to allow access to the service. The older Security Manager service listens on port 8002,which must be opened in the firewall to allow remote access to the service. The new browserbased interface listens on port 7637 be default. If you do not want to allow remote access tothe Security Manager web service for either version, then you can block the respective portswith a firewall. For complete uninstallation, all the HPSM installation files/folders should be closed beforeuninstalling.

Supported Operating Systems and DatabasesSee setup and install guide. As SQL databases are missing in the install and setup guide, they aretemporarily listed here:Tested Databases Microsoft SQL Server 2012 Microsoft SQL Server 2014 Microsoft SQL Server 2016 Microsoft SQL Server 2017 Microsoft SQL Server 2019 Microsoft SQL Server Express 2019 (bundled with HPSM installer)HP Security Manager requires a Microsoft SQL database to store data. For customers who donot have their own full SQL Server or do not want to use a SQL license, Security Manager bundlesa recent version of SQL Server Express that can be installed and used if desired. Sinceorganizations usually upgrade SQL Server less often than operating systems, older versions maybe used for quite some time, especially if the applications accessing SQL do not use the featuresadded to the new SQL versions. While Security Manager only tests the two most recent SQLversions at the time of release, there should be no issues using older or newer SQL versions asSecurity Manager uses basic calls into the SQL database that would be supported by virtually allSQL releases.Backward and forward compatibility should be present, there just is not capacity to test themultitude of SQL versions offered over the years.Hardware RequirementsSee setup and install guide.VMware and Hypervisor SupportSee setup and install guide.SolutionsWhen used with third party solutions or any print or management solution requiring access to thedevice, the Security Manager Base Policy template, or any template defined to meet the securitystandards for a company, might require changes to the security settings. See the solutiondocumentation to determine whether policy changes are required to accommodate specificfunctionality. Care should be taken when creating policies as to not disrupt the operation of anysolutions that may be installed on devices.NOTE: Testing a small number of devices in a sandbox or test environment when solutions arepresent on devices is highly recommended before applying settings to a fleet as undesiredbehavior may occur with certain settings on certain solutions. Solutions may fail toinstall/operate, or potentially even worse behavior can occur on devices, when some settings areapplied to devices with solutions present.Security settings that have been known to affect either the installation or operation of solutionsinclude: DNS server configured

SNMP GET Community Name (Read Community Name) required for installation andconfigurationEWS password required for installation and configurationCommand Load & Execute enabledPJL Access Commands enabledRemote Firmware Updates enabledAllow PJL Access enabledPJL Password not setLegacy Firmware Upgrades enabled (Current versions of firmware are signed with the SHA256 hashing algorithm. Enabling this option allows installation of legacy firmware signed withthe less secure SHA-1 algorithm)Control Panel TimeoutFor more detailed information regarding settings for solutions, see the whitepaper titled HPSecurity Manager - Policy Editor Settings.

Network Port AssignmentsProtocol ServicePortClient to ServerNotes7637(version 3.0 )TCPHTTPSPort set during installation to be used to secure databetween client and HPSM server via browser. This port maybe changed to something else by editing bindings for theHPSM web site under IIS Manager. HPSM versions 3.0 andbeyond.8002(version 2.1.5-)TCPWCF-NET.TCPWCF with message encryption - port used from a remoteclient interface to the Security Center service. HPSMversions 2.1.5 and prior.Server to Devices and cloud80 and SOAP-HTTPPort used for HTTP communication to devices only whenSSL is not supported on the device. Also used to gather thelatest firmware versions from the web if firmwareassessments are enabled and configured to dynamicallyretrieve from web.Port used for secure HTTP communication to devices, HTTPWeb over SSL and to connect to the HP Cloud1)Internet Control Message Protocol - port used to check ifnode is active.Simple Network Management Protocol - port used for manyconfiguration items on devices as well as discovery ofdevices.Web service port used to manage communications on HPFutureSmart devices.Devices to Server3329TCPHP Instant-OnSecuritySecure port (uses SSL) used from the device to the SecurityManager service for Instant-On discovered devices.Server to SQL database1433TCPMS SQL1434UDPMS SQL BrowserservicedynamicTCPMS SQLStandard DB Connection - port used from the SecurityManager service to a remote SQL database with a defaultinstance. Can be customized in a configuration file.Standard connection to SQL browser service to retrieve theTCP port for the named SQL instanceStandard DB connection to a named SQL instance usingdynamic portsServer to Email25SMTPSimple MailTransfer ProtocolTypical port used for communication to mail server ifAutomated Output feature is enabled. Port can becustomized under File, Settings, Automated Output.Server to Certificate Authority135TCPDCOM/RPCCertificate management - port used between SecurityManager service and CA server.Randomallocated highTCP portsabove 1024TCPDCOM/RPCCertificate manage

Security Manager also offers a Fleet Certificate Management solution. This feature eliminates the manually deployed, singular device, network certificate implementation process and replaces it . locate the Security Manager server and receive your company approved device security . HPSM 1373 Symantec plugin name has changed into DigiCert .