Requirements for Remote Services on Printers Using SHA-2 Authentication Directly at Printer -OR- Via a Device Manager App

Article Id: 1998206.html | Published: 21/01/2020

Product support for
  • Phaser 3610
  • Phaser 3635MFP
  • Phaser 4600/4620
  • Phaser 4620
  • Phaser 4622
  • Xerox Color 550/560/570 Printer
  • Phaser 6600
  • Phaser 7100
  • Phaser 7800
  • ColorQube 8700
  • ColorQube 8900
  • ColorQube 9301/9302/9303
  • Xerox ED95A/ED125 Copier/Printer
  • 3610 Family
  • 3635 Family
  • 4600 Family
  • 550_560_DCP Family
  • 6600 Family
  • 7100 Family
  • 7800 Family
  • C60_C70_DCP Family
  • CQ8700 Family
  • VERSANT_2100 Family
  • VERSANT_80 Family
  • WC3550 Family
  • WC3615 Family
  • WC4265 Family
  • WC5790 Family
  • WC6605 Family
  • WC7120_WC53XX Family
  • WC7556 Family
  • WC7755_WC7765_WC7775 Family
  • Xerox Versant 2100 Press
  • Xerox Versant 80 Press
  • WorkCentre 3550
  • WorkCentre 3615
  • WorkCentre 4250
  • WorkCentre 4260
  • WorkCentre 4265
  • WorkCentre 5325/5330/5335
  • WorkCentre 5735/5740/5745/5755
  • WorkCentre 5765/5775/5790
  • WorkCentre 6605
  • WorkCentre 7120/7125
  • WorkCentre 7525/7530/7535/7545/7556
  • WorkCentre 7755/7765/7775
  • Xerox Color C60/C70
  • Xerox D136 Copier/Printer and D136 Printer
  • Xerox D95/D110/D125 Copier/Printer

WARNING: It is highly recommended to consult with your Network or System Administrator before performing any software (firmware) update. Some updates may cause the machine to become non-compliant and cease to work as intended with the environment in which it is installed.

WARNING: If your printer uses a Print Server, be sure to download the software (firmware) version relative to the current version on your printer. There may be multiple versions available to download from Xerox.com. If the incorrect version is installed on your printer, the Print Server, also known as the DFE/RIP (Fiery or FreeFlow), may become unreliable.

BACKGROUND INFORMATION:

Xerox printers use security certificates to authenticate the direct transmission of meters, supplies data and diagnostic information to the Xerox gateway. This enables Automated Supplies Replenishment (ASR), Automated Meter Reads (AMR) and printer troubleshooting and diagnostic support.

Many Xerox devices currently use a SHA-1 (Secure Hash Algorithm) certificate for authentication, which ensures data transmissions remain secure. To comply with the latest data transmission security practices, the Xerox Communication Servers are being updated to authenticate only with devices that have the SHA-2 certificate installed.

Effective July 2017 for Xerox Color C60/C70 and Xerox Versant 80 Press and Xerox Versant 2100 Press, and May 2019 for many other products, this change will cause devices not using a SHA-2 certificate to stop communicating device-direct. Device manager communications already utilize SHA-2 and are not impacted by this change.

Many devices can be upgraded to the SHA-2 certificate level with a software upgrade. The software packages are downloadable and customer-installable. This will enable device-direct communication to continue.

Other older device models cannot be upgraded to a SHA-2 certificate level. These devices must utilize a device manager application (Xerox CentreWare Web, Xerox Device Agent, Xerox Device Agent Partner Edition, and Xerox Device Manager) to communicate meters, supply and device alert information to continue remote services. When installed on the network, the device manager uses Simple Network Management Protocol (SNMP) during discovery operations to retrieve the supplies, meter, and alert information from print devices found on the network. The device manager utilizes a Transport Layer Security (TLS) 1.2 secure encrypted connection to communicate the data externally to the remote Xerox Communication Servers.

Using a device manager application may be a preferable option for customers with a fleet of devices that are affected by the SHA-2 implementation. A single installation of the application will service all the devices on the network. Products that have a software option available to obtain SHA-2 can also be supported by a device manager solution.

Many machines can obtain the SHA-2 certificate with a software upgrade and continue device-direct communication. As an alternative, most devices can be supported by a device manager to securely transmit usage, meter reads, and alerts for remote services. Installing a device manager (Xerox CentreWare Web, Xerox Device Agent, Xerox Device Agent Partner Edition, or Xerox Device Manager) may be a preferable option for customers with a fleet of devices that are affected by the SHA-2 implementation. A single installation of the application will service all the devices on the network.

To ensure there is no interruption to Automated Supplies Replenishment, Automated Billing, and remote diagnostic support: 

  1. Review the security bulletin with the list of affected products. See the Related Content for additional information.
  2. Understand the options for your devices: whether software is available to continue device-direct communication, or if a device manager application must be used instead.
  3. Perform the software upgrade or install a device manager application, to continue remote services.

Either Method 1 or 2 can be used for communication with remote services. Review the Service Bulletin for your product for specific information. See the Related Content for additional information.

Method 1: Enable SHA-2 Authentication for Device Direct Communication With Remote Services

  1. The device must be at Software level xx.xxx.x.x or higher for device-direct communication, effective May 2019. The "xx.xxx.x.x" is purposely displayed as a variable here. You must refer to the latest XRX18-001 Security Bulletin for the version specific to your Xerox device. See the Related Content for additional information.
  2. If needed, upgrade the device to the required Software level to enable SHA-2 on the printer. Use the link on the XRX18-001 SHA Security Bulletin for your product. See the Related Content for additional information.

Method 2: Use a Device Manager Application for Communication With Remote Services

This product is supported by any of the following device manager apps:

  • Xerox CentreWare Web (CWW)
  • Xerox Device Agent (XDA)
  • Xerox Device Agent (XDA) Partner Edition
  • Xerox Device Manager

To use a Device Manager application for remote services including automated billing, supplies replenishment and diagnostic support:

  1. Validate that one of the following Xerox Device Managers is installed on the network and is transmitting data regularly:
    • Xerox CentreWare Web (CWW)
    • Xerox Device Agent (XDA)
    • Xerox Device Agent (XDA) Partner Edition
    • Xerox Device Manager
  2. Test and adjust the transmission time, or re-install, as required.
  3. If an existing Xerox Device Manager is not present on your network:
  4. Restart your search at the Xerox Product selection page and search Support & Drivers for "Xerox Remote Print Services".
  5. From the Xerox Remote Print Services support page, click on the Documentation link and download the Xerox Device Agent User Guide.
  6. From the Xerox Remote Print Services support page, click on the Software link to download the free device manager application, titled Xerox Device Agent.

    IMPORTANT: Make sure to download the correct version for your region.

  7. Follow the Installation Wizard's prompts. You will be asked to provide Administrator contact information.
  8. Ensure all of your Xerox devices are being discovered and data transmission is occurring.
  9. Adjust the configuration as needed. Refer to the user guide.

Related content