HP Web Jetadmin - Enable FIPS on the HP Web Jetadmin Server
You can enable Federal Information Processing Standard (FIPS) only after you upgrade to HP Web Jetadmin 10.4 or later and then make some required changes to the settings in HP Web Jetadmin. You must follow the instructions provided in this topic in the order specified.
The MD5 and DES protocols are blocked after FIPS is enabled. Communication over SNMPv1/SNMPv2 is still possible after FIPS is enabled.
Upgrade to HP Web Jetadmin 10.4 or later
Use the following steps to upgrade HP Web Jetadmin:
- On the HP Web Jetadmin server, go to the HP Software Depot for HP Web Jetadmin website.
- Click the Request button. The HP account login page opens.
- Choose one of the following options:
  - If you already have an HP account, log in with your credentials.
  - If you do not have an HP account, click the Sign up link at the bottom of the page. Follow the instructions to create an HP account, and then log in.
- On the HP Web Jetadmin page, follow the instructions to download the current software.
- Double-click the EXE file.
- Follow the instructions in the wizard.
- If the installation stops with a warning that a restart is required, restart the HP Web Jetadmin server. Launch the installer again to continue the installation.
- When the installation is complete, click the Finish button.
Make the required changes to the settings in HP Web Jetadmin and on the devices
If you omit the following steps, HP Web Jetadmin might not be able to communicate with the devices after FIPS is enabled. HP Web Jetadmin displays a status of Device Communication Error for these devices.
- If HP Web Jetadmin has already discovered devices by using an SNMPv3 credential that specifies the MD5 and DES protocols, SNMP communication with those devices will not work after FIPS is enabled. The SNMPv3 credential for these devices must be changed to the SHA-1 and AES-128 protocols. However, you cannot use HP Web Jetadmin to determine if the SNMPv3 credential for the devices uses the MD5 and DES protocols.
  Use the following steps to update the SNMPv3 credential on all of the devices that use SNMPv3:
  - In the Device Management navigation pane, right-click Configuration, and then select Create configuration template. The Create Device Configuration Template wizard starts.
  - Select the device models to configure, and then click the right arrow button.
  - Select the network cards to configure, and then click the right arrow button.
  - Click the Next button. The Specify template options page opens.
  - In the Name field, enter a name for the template (up to 48 characters).
  - In the Device settings navigation pane, go to Security > SNMP Version Access Control.
  - Select the Modify SNMPv3 option.
  - In the Current SNMPv3 Credential section, enter the user name, authentication protocol and passphrase, and privacy protocol and passphrase that are currently configured for SNMPv3. The current SNMPv3 credentials are required.
  - In the New SNMPv3 Credential section, select SHA-1 from the Authentication Protocol list, and select AES-128 from the Privacy Protocol list.
  - If required, enter the new values for the user name, authentication passphrase, and privacy passphrase.
    CAUTION: To change the authentication and privacy passphrases, the current passphrases must be specified in the device configuration template even if global SNMPv3 credentials are stored in HP Web Jetadmin. If the current passphrases are not specified, the configuration fails.
  - Click the Next button. The Confirm page opens.
  - Verify that the information is correct, and then click the Create Template button. The Results page opens.
  - Click the Done button.
  - In the Device Management navigation pane, right-click Configuration, and then select Apply configuration template. The Apply Device Configuration Template wizard starts.
  - Select the device configuration template that you just created from the list, and then click the Next button. The Select devices page opens.
  - From the Available devices list, select the devices to configure, and then click the > button.
  - Click the Next button. The Confirm page opens.
  - Verify that the information is correct, and then click the Apply Template button. The Results page opens.
  - Click the Done button.
- Use the following steps to delete the SNMPv3 global credentials that use the MD5 and DES protocols:
  - From the top menu bar, go to Tools > Options > Shared > Credentials > Device > SNMPv3.
  - Select the SNMPv3 credential that uses the MD5 and DES protocols from the list, and then click the Remove button. The Confirm Delete window opens.
  - Click the Yes button.
  - Repeat these steps for each SNMPv3 credential that uses the MD5 and DES protocols.
- Run a discovery to rediscover all of the SNMPv3-configured devices.
- Trap forwarding that is configured to use SNMPv3 credentials with the MD5 and DES protocols does not work after FIPS is enabled. Use one of the following procedures to update the alert subscriptions that are configured to forward SNMP traps to a server using SNMPv3 credentials with the SHA-1 and AES-128 protocols.
  Note: Alert subscriptions that are configured to only write alerts to the alert history log or to send email notifications when alerts occur do not need to be updated.
  Option 1: Update the alert subscriptions that were created by using an alert subscription template that is configured to forward SNMP traps
  - In the Device Management navigation pane, go to Alerts > All Subscriptions.
  - In the All Subscriptions pane, click the Expand all button to display the details for each alert subscription.
  - To identify the alert subscription templates that must be updated, look for alerts that have SNMPv3 Trap Forwarding in the Notification Type column and have Linked in the Linked to Template column. The name of the alert subscription template is shown in the Subscription Name column.
  - In the Device Management navigation pane, go to Alerts > Templates.
  - In the Alerts - Subscription Templates pane, select the alert subscription template from the list, and then click the Edit button. The Edit Subscription Template wizard starts.
  - Click the Next button until the Specify notification settings page opens.
  - In the SNMPv3 credential section, select SHA-1 from the Authentication protocol list, and select AES-128 from the Privacy protocol list.
  - If required, enter the new values for the user name, authentication passphrase, and privacy passphrase.
  - Click the Next button until the Confirm page opens.
  - Verify that the information is correct, and then click the Save Template button. The Results page opens.
  - Click the Done button.
    All of the alert subscriptions that are linked to this alert subscription template are automatically updated with the new SNMPv3 credentials.
  - Repeat these steps for each alert subscription template.
  Option 2: Update the alert subscriptions that were created without using an alert subscription template and are configured to forward SNMP traps
  - In the Device Management navigation pane, go to Alerts > All Subscriptions.
  - In the All Subscriptions pane, select the alert subscription from the list, and then click the Edit Subscription button. The Edit Subscription wizard starts.
  - Click the Next button until the Specify notification settings page opens.
  - In the SNMPv3 credential section, select SHA-1 from the Authentication protocol list, and select AES-128 from the Privacy protocol list.
  - If required, enter the new values for the user name, authentication passphrase, and privacy passphrase.
  - Click the Next button until the Confirm page opens.
  - Verify that the information is correct, and then click the Edit Subscription button. The Results page opens.
  - Click the Done button.
  - Repeat these steps for each alert subscription that was created without using an alert subscription template.
  -or-
  If any future changes are made to the alert subscriptions, all of the alert subscriptions must be changed. To prevent this in the future, HP recommends that you use the following steps to create new alert subscriptions that are linked to alert subscription templates:
  - In the Device Management navigation pane, go to Alerts > All Subscriptions.
  - In the All Subscriptions pane, select the alert subscription from the list, and then click the Unsubscribe button. The Delete Alert Subscriptions wizard starts.
  - Click the Unsubscribe button. The Results page opens.
  - Click the Done button.
  - In the Device Management navigation pane, go to Alerts > Templates.
  - In the Alerts - Subscription Templates pane, select the alert subscription template from the list, and then click the Apply button. The Apply Alert Subscription Template wizard starts.
    Note: If an alert subscription template is not available, create an alert subscription template that meets your specific needs.
  - From the Available devices list, select the devices, and then click the > button.
  - Click the Next button.
  - Choose one of the following options:
    - To link the selected alert subscription template to this alert subscription, select the Link template to subscription option. Changes that are made to the selected alert subscription template are automatically applied to the devices that are associated with this alert subscription.
    - To create an alert subscription that is not linked to the selected alert subscription template, select the Do NOT link template to subscription option, and then enter a name for this alert subscription in the Subscription name field. Changes that are made to the alert subscription template are not applied to the devices that were previously configured with this alert subscription template.
  - Click the Next button. The Confirm page opens.
  - Verify that the information is correct, and then click the Apply Template button. The Results page opens.
  - Click the Done button.
  - Repeat these steps for each alert subscription that was created without using an alert subscription template.
- On the client machines where the HP Web Jetadmin client is launched, use the following steps to enable the TLS protocol:
  - Open a supported web browser.
  - Go to Tools > Internet options, and then click the Advanced tab.
  - Scroll down to the Security section, and then select the check boxes for one or more of the TLS versions (TLS 1.0, TLS 1.1, and TLS 1.2).
- Use the following steps to verify that the devices are configured to communicate with the TLS protocol:
  - Select the device from any device list.
  - On the Config tab, go to Network > Mgmt Protocol.
  - Verify that any version of TLS (TLS 1.0, TLS 1.1, and TLS 1.2) is enabled.
  - Repeat these steps for each device.
- Use the following steps to enable FIPS-140 mode on the devices. Enabling FIPS-140 mode affects only the following device configuration options:
  - SNMP Version Access Control configuration option: The SHA-1 authentication protocol and AES-128 privacy protocol must be configured.
  - Mgmt Protocol configuration option: The TLS 1.0, TLS 1.1, or TLS 1.2 protocol must be enabled.
  Tip: The following steps are not required. However, you can use these steps to troubleshoot any FIPS-related problems.
  - Select the device from any device list.
  - On the Config tab, go to Security > FIPS-140 Mode.
  - Select the Enabled option.
  - Click the Apply button.
  - Repeat these steps for each device.
  If any of the following device configuration options are configured on a device, enabling FIPS-140 mode fails for that device:
  - SNMP Version Access Control configuration option: The MD5 authentication and DES privacy protocols must not be specified.
  - IPsec/Firewall Policy configuration option: The DES-CBC-MD5 algorithm must not be specified for the Kerberos setting.
  - Upload Jetdirect Certificate configuration option: Certificates must not be signed by using MD5 or earlier (MD2 or MD4).
  - Upload CA Certificate configuration option: Certificates must not be signed by using MD5 or earlier (MD2 or MD4).
  - Mgmt Protocol configuration option: The SSL 3.0 or earlier protocol must not be enabled.
  HP Web Jetadmin does not report the exact reason for the failure. However, if you use the device HP Embedded Web Server to enable FIPS-140 mode, the HP Embedded Web Server does report the exact reason for the failure. The FIPS-140 mode setting is available in the HP Embedded Web Server from the Networking tab > Security link > Settings page.
Enable FIPS on the HP Web Jetadmin server
Use the following steps to enable FIPS on the HP Web Jetadmin server:
- Stop the following services. These services must be stopped in the specified order.
  - HPWSProAdapter
  - HPWJAService
  - mssql$HPWJA
- Use the following steps to enable FIPS on the HP Web Jetadmin server as a local security policy:
  Tip: For more information about the System cryptography setting, see the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing document. This document is available from the Microsoft Documentation website.
  - Go to Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options.
  - Right-click System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing, and then select Properties.
  - On the Local Security Setting tab, select the Enabled option, and then click the OK button.
- Start the following services. These services must be started in the specified order.
  - mssql$HPWJA
  - HPWJAService
  - HPWSProAdapter
- Use the following steps to verify that HP Web Jetadmin can communicate with all of the devices:
  - In the All Devices list, look for any devices that have Device Communication Error in the Status column.
  - Verify that you can use HP Web Jetadmin to configure a device.
  - In the All Devices list, right-click a device, and then select Refresh Selection (Full). Verify that the refresh completes.
  If any devices have a status of Device Communication Error, you cannot use HP Web Jetadmin to configure a device, or the Refresh Selection (Full) fails, access the device HP Embedded Web Server, and then verify the following settings:
  - Click the Networking tab, and then click the Network Settings link. If SNMPv3 is enabled, verify that the authentication protocol is SHA n and the privacy protocol is AES.
  - Click the Security tab, and then click the Certificate Management link. Select a certificate, and then click the View Details button. Verify that the self-signed certificate uses a signature algorithm other than MD5. Repeat this step for each self-signed certificate.
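The stop, enable, and start sequence from the server steps above, as an added PowerShell example (not HP's code). It assumes an elevated session on the HP Web Jetadmin server and that the local security policy is backed by the `FipsAlgorithmPolicy\Enabled` registry value; a domain Group Policy can override that value.

```powershell
# Added example, not HP's code. Run in an elevated PowerShell session on the
# HP Web Jetadmin server. Service names are the ones listed on this page.
$ErrorActionPreference = 'Stop'

# Single quotes matter: in double quotes PowerShell would expand $HPWJA as a variable.
$stopOrder = @('HPWSProAdapter', 'HPWJAService', 'mssql$HPWJA')

# Assumption: registry value behind the "System cryptography: Use FIPS compliant
# algorithms for encryption, hashing, and signing" local security policy.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Set-ServiceStateInOrder {
    param(
        [string[]]$Names,
        [ValidateSet('Running', 'Stopped')][string]$Target
    )
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name
        if ($svc.Status -ne $Target) {
            if ($Target -eq 'Stopped') { Stop-Service -InputObject $svc -Force }
            else { Start-Service -InputObject $svc }
        }
        # Do not touch the next service until this one has settled.
        $svc.WaitForStatus($Target, [TimeSpan]::FromSeconds(120))
        Write-Host "$name -> $Target"
    }
}

Set-ServiceStateInOrder -Names $stopOrder -Target 'Stopped'

Set-ItemProperty -Path $fipsKey -Name 'Enabled' -Value 1 -Type DWord
$enabled = (Get-ItemProperty -Path $fipsKey -Name 'Enabled').Enabled
if ($enabled -ne 1) { throw 'FIPS policy value was not applied; services left stopped.' }

# Start in the reverse of the stop order: mssql$HPWJA, HPWJAService, HPWSProAdapter.
$startOrder = $stopOrder.Clone()
[array]::Reverse($startOrder)
Set-ServiceStateInOrder -Names $startOrder -Target 'Running'
```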
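The certificate conditions above (a Jetdirect certificate signed with MD5, MD2 or MD4 makes FIPS-140 mode fail, and the troubleshooting step checks each self-signed certificate for MD5) can be checked from the server before and after the change. This is an added PowerShell example, not HP's code; it assumes each device presents its identity certificate over HTTPS on TCP 443, the addresses are constructed placeholders, and it does not cover uploaded CA certificates or the IPsec setting.

```powershell
# Added example, not HP's code. Addresses below are constructed placeholders.
# Assumption: each device serves its identity certificate over HTTPS on TCP 443.
$devices = @('192.0.2.10', '192.0.2.11')

function Get-DeviceCertReport {
    param([Parameter(Mandatory)][string]$Address, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Address, $Port)
        # Accept whatever certificate is presented: it is being inspected, not trusted.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Address)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sig = $cert.SignatureAlgorithm.FriendlyName   # for example sha256RSA or md5RSA
        [pscustomobject]@{
            Device     = $Address
            Protocol   = $ssl.SslProtocol              # negotiated SSL/TLS version
            Signature  = $sig
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            # MD2, MD4 and MD5 signatures are the ones the page lists as blocking FIPS-140 mode.
            Blocking   = ($sig -match '^md[245]')
            Error      = $null
        }
    }
    catch {
        # Unreachable device or failed handshake: report it instead of stopping the run.
        [pscustomobject]@{
            Device = $Address; Protocol = $null; Signature = $null
            SelfSigned = $null; Blocking = $null; Error = $_.Exception.Message
        }
    }
    finally {
        $tcp.Close()
    }
}

$report = $devices | ForEach-Object { Get-DeviceCertReport -Address $_ }
$report | Format-Table Device, Protocol, Signature, SelfSigned, Blocking, Error -AutoSize
```

Rows with Blocking set to True need a replacement certificate before FIPS-140 mode is enabled on that device.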