Communication problems are encountered and error messages appear or not on the printer. The issue manifests itself differently, depending on which printers are involved and whether Lexmark Document Distributor (LDD) orMarkvision Enterprise (MVE) is being used. Here are some scenarios:
- LDD is unable to discover one of the affected printers. If the printer was already discovered, LDD is unable to perform a policy update to the printer.
- MVE is able to discover the affected printers, but other functions are dependent on whether the printer is secured. Even if the printer is not secured, functions in MVE could only partially work.
How to Confirm Issue:
When this communication problem occurs, the following message shows in the log. The part highlighted in yellow is the message that indicates you are experiencing the problem described in here. This log message appears in the lsas.log file for MVE and the cdcl_wrapper.log file for LDD.
For the MVE 3.0 and LDD 5.0 release, the Java version was upgraded to the latest Java 8 version. With the upgrade to Java 8 comes enhanced security standards regarding communicating with SSL/TLS, which affected some of the Lexmark printers.
Java has defined a list of signature algorithms on certificates that it does not allow to pass the SSL/TLS handshake. In Java 8 they have added to this list to include the md5 signature algorithm . The affected printers currently use the md5 with RSA encryption signature algorithm when generating self signed certificate, thus, after upgrading to Java 8 on these printers, communication over SSL/TLS is blocked.
New certificates must be signed using SHA256 to fix the issue. These steps below will guide you how to sign certificates:
Verify whether the printer accepted has a new certificate by following the How to determine signature algorithm section.
Should MVE/LDD still not work even after deploying the new certificate, please contact Lexmark support and provide the certificate and everything on the escalation checklist for MVE primary escalation requirements
Using Device Deployment Utility (DDU) tool:
To rectify this issue, a revised version of the DDU is now available with new features to update the device certificate with a stronger signature algorithm. This allows the affected devices to satisfy the enhanced security standards of Java 8.
Click here to download the tool.
To launch the DDU Product Page, where you can download the DDU and find other useful support resources. Open up the DDU tool by unzipping the DDU package and running the ddu.bat file in the bin directory, then proceed with the following steps:
Click Add New (A) on the DDU window.
Click Add Task (B) and then select Update Device Certificate (C). Click here to view image.
Add the printers by clicking the plus sign (D). You may add them manually or use a csv file. Make sure to check the Secured Device(E) box, if your printers are secured. Click here to view image.
Click Add Task (F) again and then select Reboot Device (G). Click here to view image.
Provide a name on the Deployment Name (H) field, and click Save (I) to submit the changes. Click here to view image.
Click the Run (J) button to execute the workflow.
If the issue persists, search for more information related to this issue or contact support for further assistance.
How to Determine Signature Algorithm:
In determining what signature is currently being used to sign a device’s certificate, you must access the printer's embedded webserver (EWS – typing printer IP on a browser) and then navigate through:
- For 2005 released printers: Configuration > Security > Certificate Management > View The Certificate Information.
- For 2008 released printers: Settings > Security > Certificate Management > Device Certificate Management
The following sample images show the certificate information when you perform the above steps. Study the boxed sections on these images, as it indicates the signature algorithm currently in use:
Certificate with a newly disallowed signature algorithm
Certificate with a good signature algorithm
LEGACY ID: SO8348