i. Only local authorization is allowed in the evaluated configuration. Establish local authorization at the device by
following the "Configuring Local Authorization Settings" instructions in Section 4 of the SAG. Note that local
user accounts on the device should be set up before user permissions are set up.
Set up user roles and user permissions to access device services and features based on the roles users are
assigned by following the instructions for "User Permissions" under "Configuring Authentication Settings" in
Section 4 of the SAG.
ii. Set the permission for all Non-Logged In Users Roles (see "User Roles" in Section 4 of the SAG) to be Not
Allowed, Not Allowed & Hidden or Never, as appropriate, for the following: (1) all print permission categories
(by following the "Editing Print Permissions for the Non-Logged In Users Role" under "Configuring Authorization
Settings" in Section 4 of the SAG) and (2) all services and tools (by following the "Editing Services and Tools
Permissions for the Non-Logged In Users Role" under "Configuring Authorization Settings" in Section 4 of the
SAG). Also set the
4. Personalization: Enable personalization by following the instructions for "Specifying the Method the Printer Uses to
Acquire Email Address of Users" under "Configuring Smart Card Authentication Settings" under "Configuring
Authentication Settings" in Section 4 of the SAG. Configure personalization by following the instructions for
"Configuring User Mappings" under "LDAP" in Section 3 of the SAG.
5. Immediate Image Overwrite: Follow the instructions under 'Enabling Immediate Image Overwrite at the Control
Panel' or 'Enabling Immediate Image Overwrite' in Section 4 of the SAG to enable Immediate Image Overwrite from
the Control Panel or the Web UI, respectively.
Both Immediate Image Overwrite and On Demand Image Overwrite are enabled by default at the factory when the
device is first delivered.
6. Security Certificates: Install a digital certificate on the device before enabling SSL by following the appropriate
instructions under "Security Certificates" in Section 4 of the SAG for installing any one of the digital
certificates (Device Certificate, CA Certificate or Trusted Certificate) the device supports.
Note that a Xerox self-signed certificate is installed by default on the device. If a CA certificate is desired, a
Certificate Signing Request (CSR) will have to be sent to a Certificate Authority to obtain the CA Certificate before it
can be installed on the device; follow the instructions for "Creating a Certificate Signing Request" under "Security
Certificates" in Section 4 of the SAG to create the CSR.
7. Secure Sockets Layer (SSL):
i. Follow the instructions under 'Enabling DND/DDNS Settings the Control Panel' or "DNS" (under "Configuring IP
Settings in CentreWare Internet Services") in Section 3 of the SAG for entering the host and domain names, to
assign the machine a valid, fully qualified machine name and domain from the Control Panel or the Web UI,
respectively (required for SSL to work properly).
ii. If a self-signed certificate is to be used, download the generic Xerox root CA certificate from the device by
following the instructions for saving the certificate file under "Viewing, Saving or Deleting a Certificate" in
Section 4 of the SAG and then installing the saved certificate in the certificate store of the System
iii. Enable HTTPS by following the instructions for "Enabling HTTPS (SSL)" under "Secure HTTP (SSL)" in Section 4
of the SAG. Set the 'Force Traffic over SSL' option to be Yes (all HTTP requests will be switched to HTTPS).
8. FIPS 140-2 Mode: Encryption of transmitted and stored data by the device must meet the FIPS 140-2 Standard.
Enable the use of encryption in "FIPS 140 mode" and check for compliance of certificates stored on the device to
the FIPS 140-2 Standard by following the instructions for "Enabling FIPS 140 Mode and Checking for Compliance" in
Section 4 of the SAG.
9. Data Encryption: Enable data encryption by following the instructions under "Enabling Encryption of Stored Data"
in Section 4 of the SAG; data encryption is enabled by default at the factory when the device is first delivered.
Before enabling disk encryption make sure that the WorkCentre 5845/5855/5865/5875/5890, WorkCentre
7220/7225, WorkCentre 7830/7835/7845/7855 or ColorQube 9301/9302/9303 is not in diagnostics mode and that
there are no active or pending scan jobs.
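One way to confirm the outcome of item 7 after configuration is to check that plain HTTP is redirected to HTTPS on the device's fully qualified name and that the installed certificate names that FQDN. The following is an added example, not taken from the SAG or from Xerox. It assumes 'Force Traffic over SSL' is observable as an HTTP redirect, and the host name, certificate contents and the probe() helper are constructed placeholders.

```python
# Added example: audit checks for item 7 (FQDN, certificate, Force Traffic over SSL).
# Host names and sample values are constructed placeholders, not from the guide.
import http.client
import socket
import ssl
from urllib.parse import urlsplit


def redirect_forces_https(status, location, fqdn):
    """True if a plain-HTTP response redirects to https:// on the same FQDN."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or "").lower() == fqdn.lower()


def cert_covers_fqdn(cert, fqdn):
    """True if a getpeercert()-style dict names fqdn in a DNS subjectAltName or the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to CN only when no SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return fqdn.lower() in (n.lower() for n in names)  # exact match, no wildcards


def probe(fqdn, ca_file, timeout=5):
    """Live check of a device; ca_file is the root certificate saved in item 7.ii."""
    conn = http.client.HTTPConnection(fqdn, 80, timeout=timeout)
    conn.request("GET", "/")
    resp = conn.getresponse()
    forced = redirect_forces_https(resp.status, resp.getheader("Location"), fqdn)
    conn.close()
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain and host name
    with socket.create_connection((fqdn, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            named = cert_covers_fqdn(tls.getpeercert(), fqdn)
    return {"force_ssl": forced, "cert_names_fqdn": named}


# Constructed sample data so the two checks can be exercised offline.
SAMPLE_FQDN = "mfp01.example.test"
SAMPLE_CERT = {"subject": ((("commonName", "mfp01.example.test"),),),
               "subjectAltName": (("DNS", "mfp01.example.test"),)}
```

A redirect to an IP address, or a certificate whose names do not include the FQDN entered in item 7.i, is reported as a failure.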
Smart Card Installation and Operation Guide (CAC/PIV/.Net/Access Client & Rijkspas) Xerox
WorkCentre 7220/7225 Xerox
9301/9302/9303, Version 1.1, April 2013.
WorkCentre 7830/7835/7845/7855 Xerox