Advanced Security
Security in print management is crucial as it involves managing sensitive documents and networked devices. Proper security measures help prevent unauthorized access to print jobs, ensuring confidentiality and compliance with privacy regulations.
Implementing secure print solutions, such as user authentication and encrypted communication channels, mitigates risks of data breaches through intercepted print jobs.
About Advanced Configuration
The config.ini file can be used for further configuration of the MyQ Print Server. It contains sections with parameters and values for multiple settings, including security.
It is highly recommended to always consult with MyQ Support before editing the file.
Config.ini is a text file, located by default in C:\ProgramData\MyQ, and you can edit it in Notepad or any other text editor.
After you edit and save the file, all services need to be restarted for the changes to take effect.
Security Section
In MyQ X, communication security can be adjusted in various ways, providing maximum flexibility to suit any environment.
Security settings of the majority of components can be set with the config.ini file. Those components are HTTP Router, HTTP Server, SMTP, IPP, LPR, and Messages (WebSockets).
About HTTP Components
For secure network communication, the HTTP Router is a key component.
The minimum SSL/TLS version configured in config.ini (see below) also applies to the HTTP Router, but the router can additionally be configured in more detail with a file called traefik.custom.rules.yaml. The options set in the traefik.custom.rules.yaml file take precedence over the config.ini settings.
Secondly, the HTTP Server uses settings from the httpd.conf file.
When editing the HTTP Router settings, make sure you work with the file traefik.custom.rules.yaml in
Common Security Settings
Minimum TLS version
To specify the minimum security protocol used for communication, go to C:\ProgramData\MyQ and open the config.ini file in a text editor.
Add a section called [Security] and in a new line under that, add the parameter sslProtocol with the value you want. The possible values are TLS1.0, TLS1.1, TLS1.2, and TLS1.3.
From MyQ Print Server 10.2, the default value is TLS1.2.
For example, you can add:
[Security]
sslProtocol=TLS1.3
This applies to all components mentioned above, including the HTTP Router, and thus improves the overall communication security of the entire system.
Save the file and restart all services for the change to take effect.
Supported Cipher Suite
You can also modify the set of supported ciphers alongside the TLS version.
You can do so with the following options:
Use strict secure defaults
You can use the config.ini flag sslCipherSuites to enable the strict secure mode. It uses the defaults of the HTTP Router component (and compared to the standard behavior, it deprecates ciphers considered weak).
The options for this flag are:
compatible – enforces support of selected weak ciphers; might be needed for communication with older devices.
strict – no weak ciphers allowed.
[Security]
sslCipherSuites=strict
Ciphers allowed in the compatible mode and not in the strict mode are:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
While it is recommended to always prefer the strict mode that disables weak ciphers, it is not currently MyQ X’s default mode.
By default, MyQ X operates in the compatible mode due to the nature of printing systems, device support, and general update availability. Many still-supported printing devices do not have (and might never have) available updates compatible with the strict mode.
Allow only selected ciphers
By editing traefik.custom.rules.yaml, you can specify what ciphers will be allowed by the HTTP Router during communication.
Example use:
tls:
  options: { default: { cipherSuites: [ TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_3DES_EDE_CBC_SHA ] } }
When sslProtocol is set to allow only TLS 1.3, no ciphers can be disabled or specifically enabled. The secure defaults of the HTTP Router are used.
Make sure that the connected devices support the required ciphers, and if not, look up available firmware upgrades that may bring security improvements.
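To review a server's settings against the rules described above, the following added example (not MyQ code) audits the [Security] section of a config.ini and an optional cipher list copied from traefik.custom.rules.yaml. It assumes MyQ Print Server 10.2 or later for the TLS1.2 default and treats parameter names as case-insensitive; the function name audit_security and the finding texts are hypothetical.

```python
import configparser

# Ciphers the page lists as allowed in compatible mode but not in strict mode.
COMPATIBLE_ONLY = {
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
PROTOCOLS = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]  # values the page documents


def audit_security(ini_text, router_ciphers=()):
    """Return a list of findings for the [Security] section of config.ini.

    router_ciphers: cipherSuites copied from traefik.custom.rules.yaml, if any;
    per the page they take precedence over the config.ini settings.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)
    sec = cp["Security"] if cp.has_section("Security") else {}
    # Defaults stated on the page: TLS1.2 (assumes 10.2+) and compatible mode.
    proto = sec.get("sslprotocol", "TLS1.2").strip()
    mode = sec.get("sslciphersuites", "compatible").strip().lower()
    if proto not in PROTOCOLS:
        return [f"unknown sslProtocol value: {proto!r}"]
    findings = []
    if PROTOCOLS.index(proto) < PROTOCOLS.index("TLS1.2"):
        findings.append(f"minimum TLS version is {proto}, below TLS1.2")
    if proto == "TLS1.3":
        # With TLS 1.3 only, ciphers cannot be enabled or disabled.
        if router_ciphers:
            findings.append("cipherSuites has no effect when only TLS1.3 is allowed")
        return findings
    if router_ciphers:
        # An explicit router list overrides the compatible/strict flag.
        weak = sorted(COMPATIBLE_ONLY.intersection(router_ciphers))
        if weak:
            findings.append("router rule allows weak ciphers: " + ", ".join(weak))
    elif mode != "strict":
        findings.append("sslCipherSuites is not strict: weak ciphers are accepted")
    return findings


if __name__ == "__main__":
    sample = "[Security]\nsslProtocol=TLS1.1\n"  # constructed sample, not a real file
    for finding in audit_security(sample):
        print("FINDING:", finding)
```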