Lexmark Document Distributor (LDD)
Markvision Enterprise (MVE)
Communication problems are encountered and error messages may or may not popup on the printer. The issue manifests itself differently, depending on which printers are involved and whether Lexmark Document Distributor (LDD) or Markvision Enterprise (MVE) is being used. Here are some scenarios:
LDD is unable to discover one of the affected printers. If the printer was already discovered, LDD is unable to perform a policy update to the printer.
MVE is able to discover the affected printers, but other functions will be dependent on whether or not the printer is secured. Even if the printer is not secured, functions in MVE may only partially work.
How to Confirm Issue:
When this communication problem occurs, the following message will show in the log. The part highlighted in yellow is the message that indicates you are experiencing the problem described in here. This log message appears in the lsas.log file for MVE and the cdcl_wrapper.log file for LDD.
For the MVE 3.0 and LDD 5.0 release, the Java version was upgraded to the latest Java 8 version. With the upgrade to Java 8 comes enhanced security standards regarding communicating with SSL/TLS, which affected some of the Lexmark printers.
Java has defined a list of signature algorithms on certificates that it does not allow to pass the SSL/TLS handshake. In Java 8 they have added to this list to include the md5 signature algorithm . The affected printers currently use the md5WithRSAEncryption signature algorithm when generating self signed certificate, thus, after upgrading to Java 8 on these printers, communication over SSL/TLS is blocked.
New certificates must be signed using SHA256 to fix the issue. These steps below will guide you how to sign certificates:
For 2005 released printers (E Series, E45x, T64x, W84x, C52x, C53x, C77x, C78x, C92x, C93x, X64x,X85x, X94x)
Sign the certificate using SHA256 and then deploy it to the device using DDU or EWS and reboot.
For 2008 released printers (E46x, T65x, C73x, W85x, X46x, X65x, X73x, X86x)
Upgrade printer firmware to EC6, access embedded webserver (EWS – typing printer IP on a web browser), delete the printer device certificate and reboot the printer. The new device certificate will now use the SHA256 encryption.
You may use the Device Deployment Utility (DDU) tool to update the device certificates and refer to the Using Devicie Deployment Utility Tool section
for the instructions.
Verify whether the printer accepted has a new certificate by following theHow to determine signature algorithm
Should MVE/LDD still not work even after deploying the new certificate, please contact Lexmark Technical Support and provide the certificate and everything on the escalation checklist for Information Required to Escalate MVE Issues
/Information Required to Escalate Enterprise Solutions Issues
Using Device Deployment Utility (DDU) tool:
To rectify this issue, a revised version of the DDU is now available with new features to update the device certificate with a stronger signature algorithm. This will allow the affected devices to satisfy the enhanced security standards of Java 8.
to launch the DDU Product Page, where you can downloadthe DDU and find other useful support resources. Open up the DDU tool by unzipping the DDU package and running the ddu.bat file in the bin directory, then proceed with the following steps:
Click Add New
on the DDU window.
Click Add Task
and then select Update Device Certificate
Add the printers by clicking the plus sign
. You may add them manually or use a csv file.
Note:Make sure to check the Secured Device box
if your printers are secured.
Click Add Task
again and then select Reboot Device
Provide a name on the Deployment Name field
and click Save
to submit the changes.
Click the Run button
to execute the workflow.
Back to Recommended solution
How to Determine Signature Algorithm:
In determining what signature is currently being used to sign a device’s certificate, you will need to access the printer's embedded webserver (EWS – typing printer IP on a browser) and then navigate through:
For 2005 released printers: Configuration > Security > Certificate Management > View The Certificate Information
released printers: Settings
> Certificate Management
> Device Certificate Management
The following sample images show the certificate information when you perform the above steps. Study the boxed sections on these images, as it will indicate the signature algorithm currently in use:
|Certificate with a newly disallowed signature algorithm||Certificate with a good signature algorithm|
Back to Recommended solution
Still Need Help?
Have the following available when calling Lexmark Technical Support;
Printer serial number
Name and version of solution or app
LEGACY ID: SO8348