HP Customer Support - Knowledge Base

HP Web Jetadmin - Enable FIPS on the HP Web Jetadmin Server

Enable FIPS on the HP Web Jetadmin Server

Federal Information Processing Standard (FIPS) can be enabled only after you upgrade to HP Web Jetadmin 10.4 or later. This topic provides instructions for upgrading HP Web Jetadmin, making the required changes to the settings in HP Web Jetadmin, and then enabling FIPS. These instructions must be followed in the order provided.
The MD5 and DES protocols are blocked after FIPS is enabled. Communication over SNMPv1/SNMPv2 is still possible after FIPS is enabled.
Upgrade to HP Web Jetadmin 10.4 or later
  1. On the HP Web Jetadmin server, go to www.hp.com/go/webjetadmin, and then download the HP Web Jetadmin software.
  2. Double-click the EXE file.
  3. Follow the instructions in the wizard.
  4. If the installation stops with a warning that a reboot is required, reboot the HP Web Jetadmin server. Launch the installer again to continue the installation.
  5. When the installation is complete, click the Finish button.
Make the required changes to the settings in HP Web Jetadmin and on the devices
If you omit the following steps, HP Web Jetadmin might not be able to communicate with the devices after FIPS is enabled. HP Web Jetadmin displays a status of Device Communication Error for these devices.
  1. If HP Web Jetadmin has already discovered devices by using an SNMPv3 credential that specifies the MD5 and DES protocols, SNMP communication with those devices will not work after FIPS is enabled. The SNMPv3 credential for these devices must be changed to the SHA-1 and AES-128 protocols. However, you cannot use HP Web Jetadmin to determine if the SNMPv3 credential for the devices uses the MD5 and DES protocols.
    Use the following steps to update the SNMPv3 credential on all of the devices that use SNMPv3:
    1. In the Device Management navigation pane, right-click Configuration, and then select Create configuration template. The Create Device Configuration Template wizard starts.
    2. On the Select Template Models page, select the device models to configure, and then click the right arrow button.
    3. Select the network cards to configure, and then click the right arrow button.
    4. Click the Next button.
    5. On the Specify template options page, enter a name for the template in the Name box (up to 48 characters).
    6. In the Device settings navigation pane, go to Security > SNMP Version Access Control.
    7. Select the Modify SNMPv3 option.
    8. In the Current SNMPv3 Credential section, enter the user name, authentication protocol, authentication passphrase, privacy protocol, and privacy passphrase that are currently configured for SNMPv3. The current SNMPv3 credentials are required.
    9. In the New SNMPv3 Credential section, select SHA-1 from the Authentication Protocol list, and select AES-128 from the Privacy Protocol list.
    10. If required, enter the new values for the user name, authentication passphrase, and privacy passphrase.
        Caution: To change the authentication and privacy passphrases, the current passphrases must be specified in the device configuration template even if global SNMPv3 credentials are stored in HP Web Jetadmin. If the current passphrases are not specified, the configuration fails.
    11. Click the Next button.
    12. On the Confirm page, verify that the information is correct, and then click the Create Template button.
    13. On the Results page, click the Done button.
    14. In the Device Management navigation pane, right-click Configuration, and then select Apply configuration template. The Apply Device Configuration Template wizard starts.
    15. Select the device configuration template that you just created from the list, and then click the Next button.
    16. On the Select devices page, select the devices to configure from the Available devices list, and then click the > button.
    17. Click the Next button.
    18. On the Confirm page, verify that the information is correct, and then click the Apply Template button.
    19. On the Results page, click the Done button.
  2. Use the following steps to delete the SNMPv3 global credentials that use the MD5 and DES protocols:
    1. Go to Tools > Options > Shared > Credentials > Device > SNMPv3.
    2. Select the SNMPv3 credential that uses the MD5 and DES protocols from the list, and then click the Remove button.
    3. On the Confirm Delete window, click the Yes button.
    4. Repeat substeps 2 through 3 for each SNMPv3 credential that uses the MD5 and DES protocols.
  3. Run a discovery to rediscover all of the SNMPv3-configured devices.
  4. Trap forwarding that is configured to use SNMPv3 credentials with the MD5 and DES protocols does not work after FIPS is enabled. Use one of the following procedures to update the alert subscriptions that are configured to forward SNMP traps to a server using SNMPv3 credentials with the SHA-1 and AES-128 protocols.
    Note: Alert subscriptions that are configured to only write alerts to the alert history log or to send email notifications when alerts occur do not need to be updated.
    Update the alert subscriptions that were created by using an alert subscription template that is configured to forward SNMP traps
    1. In the Device Management navigation pane, go to Alerts > All Subscriptions.
    2. At the top of the All Subscriptions pane, click the Expand all button to display the details for each alert subscription.
    3. To identify the alert subscription templates that must be updated, look for alerts that have SNMPv3 Trap Forwarding in the Notification Type column and have Linked in the Linked to Template column. The name of the alert subscription template is shown in the Subscription Name column.
    4. In the Device Management navigation pane, go to Alerts > Templates.
    5. In the Alerts - Subscription Templates pane, select the alert subscription template from the list, and then click the Edit button. The Edit Subscription Template wizard starts.
    6. Click the Next button until the Specify notification settings page appears.
    7. In the SNMPv3 credential section, select SHA-1 from the Authentication protocol list, and select AES-128 from the Privacy protocol list.
    8. If required, enter the new values for the user name, authentication passphrase, and privacy passphrase.
    9. Click the Next button until the Confirm page appears.
    10. On the Confirm page, verify that the information is correct, and then click the Save Template button.
    11. On the Results page, click the Done button.
      All of the alert subscriptions that are linked to this alert subscription template are automatically updated with the new SNMPv3 credentials.
    12. Repeat substeps 3 through 11 for each of the alert subscription templates.
    Update the alert subscriptions that were created without using an alert subscription template and are configured to forward SNMP traps
    1. In the Device Management navigation pane, go to Alerts > All Subscriptions.
    2. In the All Subscriptions pane, select the alert subscription from the list, and then click the Edit Subscription button. The Edit Subscription wizard starts.
    3. Click the Next button until the Specify notification settings page appears.
    4. In the SNMPv3 credential section, select SHA-1 from the Authentication protocol list, and select AES-128 from the Privacy protocol list.
    5. If required, enter the new values for the user name, authentication passphrase, and privacy passphrase.
    6. Click the Next button until the Confirm page appears.
    7. On the Confirm page, verify that the information is correct, and then click the Edit Subscription button.
    8. On the Results page, click the Done button.
    9. Repeat substeps 2 through 8 for each alert subscription that was created without using an alert subscription template.
    -or-
    If any future changes are made to the alert subscriptions, all of the alert subscriptions must be changed. To prevent this in the future, HP recommends that you use the following steps to create new alert subscriptions that are linked to alert subscription templates:
    1. In the Device Management navigation pane, go to Alerts > All Subscriptions.
    2. In the All Subscriptions pane, select the alert subscription from the list, and then click the Unsubscribe button. The Delete Alert Subscriptions wizard starts.
    3. On the Confirm page, click the Unsubscribe button.
    4. On the Results page, click the Done button.
    5. In the Device Management navigation pane, go to Alerts > Templates.
    6. In the Alerts - Subscription Templates pane, select the alert subscription template from the list, and then click the Apply button. The Apply Alert Subscription Template wizard starts.
      Note: If an alert subscription template is not available, create an alert subscription template that meets your specific needs.
    7. On the Select devices page, select the devices from the Available devices list, and then click the > button.
    8. Click the Next button.
    9. To link the selected alert subscription template to this alert subscription, select the Link template to subscription option. Changes that are made to the selected alert subscription template are automatically applied to the devices that are associated with this alert subscription.
      -or-
      To create an alert subscription that is not linked to the selected alert subscription template, select the Do NOT link template to subscription option, and then enter a name for this alert subscription in the Subscription name box. Changes that are made to the alert subscription template are not applied to the devices that were previously configured with this alert subscription template.
    10. Click the Next button.
    11. On the Confirm page, verify that the information is correct, and then click the Apply Template button.
    12. On the Results page, click the Done button.
    13. Repeat substeps 2 through 12 for each of the alert subscriptions that were created without using an alert subscription template.
  5. On the client machines where the HP Web Jetadmin client is launched, use the following steps to enable the TLS protocol:
    1. Open an Internet Explorer browser.
    2. Go to Tools > Internet options, and then click the Advanced tab.
    3. Scroll down to the Security section, and then select the checkboxes for one or more of the TLS versions (TLS 1.0, TLS 1.1, and TLS 1.2).
  6. Use the following steps to verify that the devices are configured to communicate with the TLS protocol:
    1. Select the device from any device list.
    2. On the Config tab, go to Network > Mgmt Protocol.
    3. Verify that at least one version of TLS (TLS 1.0, TLS 1.1, or TLS 1.2) is enabled.
    4. Repeat substeps 1 through 3 for each device.
  7. Use the following steps to enable FIPS-140 mode on the devices. Enabling FIPS-140 mode affects only the following device configuration options:
    • SNMP Version Access Control configuration option: The SHA-1 authentication protocol and AES-128 privacy protocol must be configured.
    • Mgmt Protocol configuration option: The TLS 1.0, TLS 1.1, or TLS 1.2 protocol must be enabled.
    Note: The following steps are not required. However, you can use these steps to troubleshoot any FIPS-related problems.
    1. Select the device from any device list.
    2. On the Config tab, go to Security > FIPS-140 Mode.
    3. Select the Enabled option.
    4. Click the Apply button.
    5. Repeat substeps 1 through 4 for each device.
    If any of the following device configuration options are configured on a device, enabling FIPS-140 mode fails for that device:
    • SNMP Version Access Control configuration option: The MD5 authentication and DES privacy protocols must not be specified.
    • IPsec/Firewall Policy configuration option: The DES-CBC-MD5 algorithm must not be specified for the Kerberos setting.
    • Upload Jetdirect Certificate configuration option: Certificates must not be signed by using MD5 or earlier (MD2 or MD4).
    • Upload CA Certificate configuration option: Certificates must not be signed by using MD5 or earlier (MD2 or MD4).
    • Mgmt Protocol configuration option: The SSL 3.0 or earlier protocol must not be enabled.
    HP Web Jetadmin does not report the exact reason for the failure. However, if you enable FIPS-140 mode by using the device HP Embedded Web Server (EWS), the EWS does report the exact reason for the failure. The FIPS-140 mode setting is available in the EWS from the Networking tab > Security link > Settings page.
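
The certificate and management-protocol conditions listed above can be pre-checked from the HP Web Jetadmin server before FIPS-140 mode is enabled. The following PowerShell is an added example, not HP tooling; the device host names are constructed placeholders, and port 443 for the device EWS is an assumption.

```powershell
# Added example: inspect the certificate and TLS version each device presents over HTTPS.
# Host names are constructed placeholders; port 443 for the device EWS is an assumption.
$Devices = @('printer01.example.internal', 'printer02.example.internal')
$WeakHash = 'md2|md4|md5'   # signature hashes that make enabling FIPS-140 mode fail

function Test-DeviceTls {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: self-signed device certificates are inspected, not trusted.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $ssl.RemoteCertificate
            $sigAlg = $cert.SignatureAlgorithm.FriendlyName   # for example sha256RSA or md5RSA
            [pscustomobject]@{
                Device       = $HostName
                Negotiated   = "$($ssl.SslProtocol)"
                SignatureAlg = $sigAlg
                WeakCertHash = [bool]($sigAlg -match $WeakHash)
                Error        = $null
            }
        } finally { $ssl.Dispose() }
    } catch {
        # Unreachable device or failed handshake: record the reason instead of stopping.
        [pscustomobject]@{
            Device = $HostName; Negotiated = $null; SignatureAlg = $null
            WeakCertHash = $null; Error = $_.Exception.Message
        }
    } finally { $client.Dispose() }
}

$Devices | ForEach-Object { Test-DeviceTls -HostName $_ } | Format-Table -AutoSize
```

The Negotiated column shows only the version that this client and the device agreed on, so it does not prove that SSL 3.0 is disabled on the device, and uploaded CA certificates are not visible over this connection; check both in the EWS.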
Enable FIPS on the HP Web Jetadmin server
  1. Stop the following services. These services must be stopped in the specified order.
    1. HPWSProAdapter
    2. HPWJAService
    3. mssql$HPWJA
  2. Use the following steps to enable FIPS on the HP Web Jetadmin server as a local security policy:
    Note: For more information about the System cryptography setting, see the Microsoft document "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows. This document is available from the Microsoft support page.
    1. Go to Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options.
    2. Right-click System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing, and then select Properties.
    3. On the Local Security Setting tab, select the Enabled option, and then click the OK button.
  3. Start the following services. These services must be started in the specified order.
    1. mssql$HPWJA
    2. HPWJAService
    3. HPWSProAdapter
  4. Use the following steps to verify that HP Web Jetadmin can communicate with all of the devices:
    1. In the All Devices list, look for any devices that have Device Communication Error in the Status column.
    2. Verify that you can configure a device by using HP Web Jetadmin.
    3. In the All Devices list, right-click a device, and then select Refresh Selection (Full). Verify that the refresh completed.
    If there are any devices that have a status of Device Communication Error or you cannot complete substep 2 or 3, access the device EWS, and then verify the following settings:
    • Click the Networking tab, and then click the Network Settings link. If SNMPv3 is enabled, verify that the authentication protocol is SHA x and the privacy protocol is AES.
    • Click the Security tab, and then click the Certificate Management link. Select a certificate, and then click the View Details button. Verify that the self-signed certificate uses a signature algorithm other than MD5. Repeat this step for each self-signed certificate.
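
The server-side sequence above (stop the services in order, enable the policy, start the services in reverse order) can be scripted so the ordering is not left to memory. This is an added example, not HP's own script; it assumes an elevated PowerShell session on the HP Web Jetadmin server and sets the registry value that backs the local security policy on Windows Vista / Server 2008 and later instead of using the Local Security Policy console.

```powershell
#Requires -RunAsAdministrator
# Added example. Service names and their order come from the procedure above.
# Single quotes stop PowerShell from expanding $HPWJA as a variable.
$StopOrder = @('HPWSProAdapter', 'HPWJAService', 'mssql$HPWJA')
# Registry value behind "System cryptography: Use FIPS compliant algorithms ..."
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$Timeout = [TimeSpan]::FromMinutes(2)

function Get-FipsPolicyEnabled {
    $item = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.Enabled -eq 1)
}

try {
    # 1. Stop the services in the documented order, confirming each one has stopped.
    foreach ($name in $StopOrder) {
        Stop-Service -Name $name -ErrorAction Stop
        (Get-Service -Name $name).WaitForStatus('Stopped', $Timeout)
    }
    # 2. Enable the FIPS policy only if it is not already set.
    if (-not (Get-FipsPolicyEnabled)) {
        Set-ItemProperty -Path $FipsKey -Name Enabled -Value 1 -Type DWord
    }
}
finally {
    # 3. Start the services in the reverse order, even if a step above failed.
    $StartOrder = $StopOrder.Clone()
    [array]::Reverse($StartOrder)
    foreach ($name in $StartOrder) {
        Start-Service -Name $name -ErrorAction Continue
        (Get-Service -Name $name).WaitForStatus('Running', $Timeout)
    }
}

# 4. Report the resulting policy state and service status.
"FIPS policy enabled: $(Get-FipsPolicyEnabled)"
Get-Service -Name $StopOrder | Select-Object Name, Status | Format-Table -AutoSize
```

If the setting is delivered by a domain Group Policy Object, that GPO overrides the local value at the next policy refresh, so change it there instead.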
