Lexmark E462

Lexmark Document Distributor: Failure to Communicate with the Device Over Secure Channels

Affected Products:

Solution:

  • Lexmark Document Distributor (LDD)

  • Markvision Enterprise (MVE)

Issue Description:

Overview:

Communication problems are encountered, and error messages may or may not pop up on the printer. The issue manifests itself differently depending on which printers are involved and whether Lexmark Document Distributor (LDD) or Markvision Enterprise (MVE) is being used. Here are some scenarios:

  • LDD is unable to discover one of the affected printers. If the printer was already discovered, LDD is unable to perform a policy update to the printer.

  • MVE is able to discover the affected printers, but other functions will be dependent on whether or not the printer is secured. Even if the printer is not secured, functions in MVE may only partially work.

How to Confirm Issue:

When this communication problem occurs, the following message will show in the log. The part highlighted in yellow is the message that indicates you are experiencing the problem described here. This log message appears in the lsas.log file for MVE and the cdcl_wrapper.log file for LDD.

What Happens:

For the MVE 3.0 and LDD 5.0 release, the Java version was upgraded to the latest Java 8 version. With the upgrade to Java 8 come enhanced security standards for SSL/TLS communication, which affected some of the Lexmark printers.

Java maintains a list of certificate signature algorithms that it does not allow to pass the SSL/TLS handshake. Java 8 added the MD5 signature algorithm to this list. The affected printers currently use the md5WithRSAEncryption signature algorithm when generating a self-signed certificate; thus, after the upgrade to Java 8, communication with these printers over SSL/TLS is blocked.

Solution:

  1. New certificates must be signed using SHA256 to fix the issue. The steps below describe how to sign the certificates:

    • For 2005 released printers (E Series, E45x, T64x, W84x, C52x, C53x, C77x, C78x, C92x, C93x, X64x, X85x, X94x)

      Sign the certificate using SHA256, deploy it to the device using DDU or EWS, and reboot.

    • For 2008 released printers (E46x, T65x, C73x, W85x, X46x, X65x, X73x, X86x)

      Upgrade the printer firmware to EC6, access the embedded web server (EWS; type the printer IP address into a web browser), delete the printer device certificate, and reboot the printer. The new device certificate will now be signed using SHA256.

      NOTE: You may use the Device Deployment Utility (DDU) tool to update the device certificates; refer to the Using Device Deployment Utility (DDU) tool section for the instructions.

  2. Verify that the printer has accepted the new certificate by following the How to Determine Signature Algorithm section.

  3. Should MVE/LDD still not work even after deploying the new certificate, please contact Lexmark Technical Support and provide the certificate and everything on the escalation checklist for xref_FA893_xref / xref_FA874_xref.


Using Device Deployment Utility (DDU) tool:

To rectify this issue, a revised version of the DDU is now available with new features to update the device certificate with a stronger signature algorithm. This will allow the affected devices to satisfy the enhanced security standards of Java 8.

Download the DDU from the DDU Product Page, where you can also find other useful support resources. Open the DDU tool by unzipping the DDU package and running the ddu.bat file in the bin directory, then proceed with the following steps:

  1. Click Add New (A) on the DDU window.

  2. Click Add Task (B) and then select Update Device Certificate (C).

  3. Add the printers by clicking the plus sign (D). You may add them manually or use a csv file.

    Note: Make sure to check the Secured Device box (E) if your printers are secured.

  4. Click Add Task (F) again and then select Reboot Device (G).

  5. Provide a name in the Deployment Name field (H) and click Save (I) to submit the changes.

  6. Click the Run button (J) to execute the workflow.


How to Determine Signature Algorithm:

To determine which signature algorithm is currently being used to sign a device's certificate, access the printer's embedded web server (EWS; type the printer IP address into a browser) and then navigate through:

  • For 2005 released printers: Configuration > Security > Certificate Management > View The Certificate Information

  • For 2008 released printers: Settings > Security > Certificate Management > Device Certificate Management

The following sample images show the certificate information when you perform the above steps. Study the boxed sections on these images, as they indicate the signature algorithm currently in use:

[Image: Certificate with a newly disallowed signature algorithm]

[Image: Certificate with a good signature algorithm]
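
The check described in this section can also be scripted. The following Python is an added example, not part of the original Lexmark article or of any Lexmark tool: it reads the outer signatureAlgorithm OID from a DER or PEM certificate and flags md5WithRSAEncryption, the algorithm the article says Java 8 no longer accepts. The function names and the two sample inputs (constructed DER skeletons, not real device certificates) are assumptions of the example.

```python
import base64
import re

# Signature-algorithm OIDs from PKCS #1; unknown OIDs are reported in dotted form.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos, expect):
    """Return (value_start, value_end) of the DER element at pos, checking its tag."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != expect or pos + length > len(buf):
        raise ValueError(f"bad or truncated DER element (tag {tag:#x})")
    return pos, pos + length

def decode_oid(data):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    arcs, value = [], 0
    for byte in data:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_algorithm(cert):
    """Return (name, uses_md5) for the certificate's outer signatureAlgorithm."""
    if b"-----BEGIN CERTIFICATE-----" in cert:  # PEM: strip armor, decode base64
        pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END", cert, re.S)
        cert = base64.b64decode(pem.group(1))
    start, _ = read_tlv(cert, 0, 0x30)            # Certificate SEQUENCE
    _, tbs_end = read_tlv(cert, start, 0x30)      # tbsCertificate, skipped
    alg_start, _ = read_tlv(cert, tbs_end, 0x30)  # signatureAlgorithm SEQUENCE
    oid = decode_oid(cert[slice(*read_tlv(cert, alg_start, 0x06))])
    name = SIG_OIDS.get(oid, oid)
    return name, name.startswith("md5")

def sample_cert(oid_hex):
    """Constructed DER skeleton, not a real certificate: empty TBS, algorithm, empty signature."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))

SAMPLE_MD5 = sample_cert("2a864886f70d010104")     # md5WithRSAEncryption
SAMPLE_SHA256 = sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Pass signature_algorithm() the bytes of a device certificate; a result of ('md5WithRSAEncryption', True) means the certificate still needs to be replaced as described in the Solution section.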


Still Need Help?

Have the following available when calling Lexmark Technical Support:

  • Printer model(s)

  • Printer serial number

  • Name and version of solution or app

LEGACY ID: SO8348
