Kyocera - CPA 2.0

Complete the requirements and follow the steps below to install the second-generation Control Panel Application (CPA) on Kyocera printers. For a list of supported devices, see PrinterLogic CPA.

Installation Instructions

Ensure all of the universal requirements are completed and functional prior to CPA setup. In addition, Kyocera also requires the following.

  • The machine running the Service Client must running Windows OS.
  • Enable Transport Layer Security (TLS) 1.2 on the Multifunction Printer (MFP).
  • At a minimum, Java VM Version 1.8 Subset or newer must be running on the MFP device.
  • MFP must have an SD-Card or a hard drive. One will need to be added if it does not have one by default.
  • The Hostname field on the Service Client's General tab, must be set to the Fully Qualified Domain Name (FQDN) of the Service Client host.
  • In the printer's Device Settings then Energy Saver / Timer section, set the Sleep Timer to at least 10 minutes. This avoids a device timeout which impacts Secure Release Printing and Single Sign-On (SSO) configurations.
  • Set the MFP portal settings.

Additional Port Information

CPA installation and uninstallation occur from the Service Client object to the printer over TCP 8083, TCP 9091 and TCP 9090.

CPA operation requires two main communication paths:

  • From the printer to the Service Client object over TCP 31988.
  • From the printer to the Virtual Appliance instance (cpp-ui.FQDN_of_Virtual Appliance and cpa-api.FQDN_of_Virtual Appliance) over TCP 443.

Everyday printing communication occurs from the workstation to the printer over TCP 9100 (or TCP 515 for LPR queues).

By default, Certificate Revocation List (CRL) checks occur over TCP 80 from the Service Client.

Card Readers Information

  • A Card Authentication Kit (CAK) license is required on the MFP if you use badging.

Certificates

After the installation is complete, ensure the Amazon Root Certificate Authority (CA) and Virtual Appliance CA are installed on the printer.

MFP Portal Settings

Settings Configuration

  1. On the Multifunction Printer (MFP) Portal, under Network Settings then Protocol, in the Other Protocols section, set Enhanced WSD and Enhanced WSD over SSL to On.

    Kyocera printer's MFP Portal showing the Network Settings tab and Network Settings and Protocol side menu options, and in the middle of the page the Enhanced WSD, Available Network, and Enhanced WSD over SSL options are shown.

  2. In Security Settings then Network Security, set Enhanced WSD Security to Not Secure.

    Kyocera MFP Portal showing the Security Settings: Network Security page, showing the Security Settings and Network Security side menu option, and the Enhanced WSD Security option in the middle of the page.

General Authentication Options

What the CPA displays to the end user at the printer is determined by the authentication options on the TCP / IP printer. If you are using the same authentication options for all printers you can use the default settings. If you want to be able to set specific methods on a per-printer basis, you can choose which printer-specific options you want available to set up on individual printers.

Default Settings

Be aware that default authentication settings vary depending on the identity provider. The LDAP settings differ from settings available for an IdP such as Okta or Entra ID (Azure AD).

LDAP

  1. In the Identity Provider Settings section, ensure that LDAP is selected and that your LDAP credentials are configured correctly.

    Identity Provider Settings section of the Admin Console's General tab with the LDAP option selected.

  2. Scroll down to the CPA Specific Settings section and select the options that you want available on the Printer Apps tab.

    General tab's CPA Specific Settings section showing the different authentication methods that can be selected/enabled.

    Not all the options seen here may be available. The printer's Apps tab displays the manufacturer supported options.

  3. To set PIN Settings do the following:
    1. Set PINs to store in either the Virtual Appliance or Active Directory databases. Depending on your selection, enter the field names for the following:
    2. The field name containing User ID

    3. The field name containing PIN.

      If the Database option is selected, the end-user must set the PIN within the Self-service Portal. See User ID and Pin

  4. To set the Badge Settings do the following:
    1. Set badges to store in the Virtual Appliance or Active Directory databases.

    2. For Active Directory provide the field name that contains the badge ID attribute.

      The Database option makes badge registration mandatory. Administrators can manage badges individually through the badge management screen or in bulk by CSV. End-users also can set up their badge within the Self-service Portal. See Badge Self Registration Options.

  5. Scroll down to the Control Panel Application section. The configuration of these settings is optional.

    1. You can set a default Username and Password to access the printer's web interface on all printers where you're installing the CPA.

      General tab's Control Panel Application section showing the Default Single sign-on enable/disable setting.

      The credentials used MUST have administrative rights for the printer.

    2. Default Single Sign On settings — select from the following options:

      1. Enabled — the default option. This option requires users authenticate to gain access to the printer's control panel.

      2. Disabled — with this option selected, the users are only asked to authenticate when they select the PrinterLogic from the device's control panel.
  6. Scroll back to the top and select Save.

IdP

  1. In the Identity Provider Settings section, ensure that IdP is selected and that the credentials are configured correctly for your IdP.

    General tab's Identity Provider Settings section with the IdP option on the left enabled.

  2. Scroll down to the CPA Specific Settings section.

    General Tab's CPA specific settings section showing the IdP authentication methods, self-registration options, and badge management options.

    Not all the options seen here may be available. The printer's Apps tab displays the manufacturer supported options.

  3. Select the options you want available on the Printer Apps tab. 

    If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

    1. Enable PIN Authentication — use this option to enable the PIN authentication at the printer level. the PIN gets stored in the IdP database and mapping to a PIN attribute gets completed within the IdPs admin console. If you do not use your IdP to manage PINs, you can select the following option.

      1. Enable self registration of PIN for IdPs — enable this option to allow end users to register their PIN using the Self-service Portal. The PIN is stored in the Virtual Appliance database. See User ID and Pin for end user instructions.

        Do not enable Enable self registration of PIN for IdPs, if you have a PIN attribute mapped through your IdP.

    2. Enable Badge Scan Authentication — use this option to enable badge authentication at the printer level. The badge number and associated user ID get stored in the IdP database. In this case, mapping to a badge attribute and user ID attribute is completed within the IdPs admin console. If you do not use your IdP to manage PINs, you can select the following option.

      1. Enable managing of badges in Virtual Appliance instead of in IdP — enable this option to manage the badge numbers in the Virtual Appliance database. You can register each badge on the badge management page or in bulk by CSV. End users can also register their badge within the Self-service Portal. Reference Badge Self-Registration Options for steps.

        If you Enable managing of badges in PrinterLogic instead of in IdP,Virtual Appliance ignores any badge mapping configured in the IdP admin console.

  4. Scroll down to the Control Panel Application section. The configuration of these settings is optional.

    1. You can set a default Username and Password to access the printer's web interface on all printers where you're installing the CPA.

      General tab's Control Panel Application section showing the Default Single sign-on enable/disable setting.

      The credentials used MUST have administrative rights for the printer.

  5. Default Single Sign On settings — select from the following options:

    1. Enabled — selected by default, this option requires users authenticate to gain access to the printer's control panel.

    2. Disabled — with this option selected, the users are only asked to authenticate when they select the PrinterLogic from the device's control panel.
  6. Scroll back to the top and select Save.

Install the CPA

These steps are to install the CPA on a single printer using the printer's Apps tab. To install the CPA on multiple printers in bulk, reference CPA Manager for steps.

  1. In the Admin Console tree structure, select the printer where you want to install the CPA.
  2. Select the Apps tab.

  3. In the Manufacturer field, select the printer manufacturer.

  4. Select the Service Client you want to use to install the CPA.
  5. Check the box for Install Application.
  6. Check the boxes for any additional apps you wish to install.
    1. Copy/Scan Tracking.
    2. QR Code Display.

Printer object's Apps tab with the Manufacturer drop-down expanded to show the manufacturers that support the control panel application.

Authentication Options

The options presented in this section are based on what was selected in the identity provider settings above. Please note that authentication features may vary depending on the printer manufacturer.

Installation Credentials

  1. For the Credentials to use when installing PrinterLogic applications on this printer options select from the following:
    1. Use default printer administration credentials — with this option you can use the default name and password to access the printer's web interface for all printers See the identity provider instructions above for more details.

    2. Use printer-specific administrator credentials — with this option you can use the administrator credentials set on each printer.

      The credentials used MUST have administrative rights for the printer.

Credentials to use when installing application on this printer section of the Apps tab showing the bubbles where you select to use the default credentials or printer specific credentials.

End User Credentials

If you use an IdP, the Control Panel Application (CPA) only supports badge and PIN authentication.

  1. Single Sign On — use this option to lock down the printer so that end users must authenticate before accessing the device's control panel. Select from the following options:
    1. Disabled — the device does not require authentication.
    2. Enabled as a Provider — the device displays the default Virtual Appliance CPA screen requiring users to authenticate to use the device.
    3. Enabled as a Listener — the CPA runs in the background and when users authenticate using another device application, they can select the PrinterLogic option from the devices application panel.

  2. In the CPA Authentication section, select from the following:

    1. Enable User ID with PIN Authentication — with this option enabled, users enter their User Id and PIN.

    2. Enable Badge Scan Authentication — with this option enabled, users must scan their badge, card, or dongle.

      The user is prompted for their network credentials upon first scan to validate the badge.

      1. Require PIN (beta) — with this option enabled, end users are prompted to enter their PIN after scanning a badge.

        This feature is incompatible if the SSO option enabled.

  3. Extended debug — this is an optional setting. When enabled, the following options become available:

    1. Certificates — link to download the Virtual Appliance certificate for CA.
    2. PrinterLogic Control Panel Application manual install URL

  4. Select Save to start the installation.

    During the installation process, it is normal for the printer to undergo multiple reboots. Rebooting is an expected behavior as part of the installation procedure.

CPA authentication section of the printer object's Apps tab with the Single Sign-on options, and the authentication options for user ID with pin and enable badge scan authentication showing.

If you use Single Sign-On (SSO) as a Listener, configure the following in the printer's Web Portal:

  1. Navigate to Management Settings then Authentication thenAuthentication Settings.
  2. Select Network Authentication.
  3. Scroll down further to the Network User Settings section and select Server Settings.
  4. In the Acquisition of User Information section, in the Name 1 field, enter msDS-PrincipalName.

If you don't use SSO, ensure you have permitted Unknown ID Jobs.

  1. Navigate to Management Settings then Authentication then Authentication Settings.
  2. Scroll to the Action Settings section, if Unknown ID Job is not set to Permit, select the Authentication Settings option on that screen and set it to Permit.

Check Certificates

If the Amazon Root CA and Virtual Appliance CA are not installed on the printer, see the following steps:

Amazon Root CA

Export the Certificate

The instructions below are for the Chrome browser. To see the steps for other browsers, see Amazon Root CA 1 Cert.

  1. In the web browser, open the Virtual ApplianceAdmin Console, then select the Site Information icon Chrome site information icon to the left of the URL.

    Browser bar for a Virtual Appliance instance showing the site information icon next to the URL.

  2. Select Connection is secure.

  3. Select Certificate is valid.

  4. In the Certificate Viewer modal, select the Details tab.
  5. Select the Amazon Root CA 1, then select Export.

Windows OS

  1. open the certificate with the Crypto Shell Extensions wizard.
  2. Select the Details tab and ensure that <All> is selected in the Show field.
  3. Select Copy to File and select Next.
  4. Select the Base-64 encoded X.509 (.CER) option and select Next.
  5. Browse to the location where you want the certificate and give it a name, the select Next.
  6. Select Finish to complete the wizard.

Mac / Linux

  1. Open a terminal and navigate to the location of the downloaded certificate.

  2. Run the following command replacing <infile> with the certificate name as it was downloaded, and <outfile> with the name you want.

    Copy Code 
    $ openssl base64 -in <infile> -out <outfile>

Virtual Appliance Certificate
  1. On the printer's Apps tab, scroll down to the Extended Debug section.
  2. Select Enable extended debug.
  3. Under Certificates, select the Download the PrinterLogic certificate for CA link.

Install the Amazon Root CA Certificate
  1. Open a browser and sign in to the printer's web portal.
  2. Select Security Settings from the side navigation.
  3. Select Certificates.
  4. Scroll down to the Root Certificate section.
  5. On the first empty root certificate option, select Settings.
  6. Select the Import button.
  7. Select Choose File and locate the certificate, then select Open.
  8. Select Submit on the bottom-right.
  9. Use the Restart/Reset link at the bottom of the page.

Web portal security settings, certificates opptions

Install the Device Certificate
  1. Open a browser and sign in to the printer's web portal.
  2. Select Security Settings from the side navigation.
  3. Select Certificates.
  4. On the first empty root certificate option, select Settings.
  5. Select the Import button.

  6. Select Choose File and locate the certificate, then select Open.

    Web portal, import device certiicate option

  7. Enter password.
  8. Select Submit on the bottom-right.
  9. Use the Restart/Reset link at the bottom of the page.

Web portal security settings certificates screen

Uninstall the CPA

  1. Open the Apps tab for the printer where you want to uninstall the CPA.

  2. Uncheck the features you want to uninstall from the printer.

  3. Select Save.

Troubleshooting Help