Using SSL Packet Inspection (Man-in-the-Middle) with PaperCut NG/MF

Some network infrastructure can interfere with the SSL/TLS handshake processes used by PaperCut products. Examples include security appliances such as firewalls, proxy servers, corporate VPNs or content filters doing SSL/TLS packet inspection (also known as Man-in-the-Middle).

When using these types of packet inspection, encrypted SSL traffic is opened, inspected, and re-encrypted using whatever certificate is installed on the network appliance. Customers might see SSL handshake errors if the PaperCut Application Server doesn’t trust the certificate.

Some examples of issues seen are with:

  • Integrated scanning - where scans to cloud storage may fail with an error in the server logs:
    • Delivering scan images for scan job jobId@xxxxxxx:scanAction@xxxx:task@xxx failed with an error: unable to find valid certification path to requested target.
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • Connections to the Global Entitlements Service used in PaperCut NG/MF version 24.0.1 and later - where the license upgrade may fail, or subsequent updates to the entitlements on the Application Server may fail.

    Errors include:
    • Unable to submit activation key. Contact your Accredited Reseller for support
    • Last background entitlement sync failed
    • Unable to contact PaperCut Gateway Service to register license file
    • ERROR CloudNoticeFetcher - Fetch cloud messages from https://mf.cloud.papercut.com. Will return empty list [http-43] javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
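To separate certificate trust failures from the bare symptoms listed above, the following added example (not PaperCut code) triages log lines by the exception text quoted on this page. The timestamps and layout of the sample lines are constructed assumptions about the log format.

```python
import re
from collections import Counter

# Exception text quoted on this page; either string marks a certificate trust failure.
PKIX_MARKERS = (
    "PKIX path building failed",
    "unable to find valid certification path to requested target",
)
# User-facing symptoms listed on this page, mapped to the affected feature.
# On their own they do not identify the cause.
SYMPTOMS = {
    "Delivering scan images for scan job": "integrated scanning",
    "Unable to submit activation key": "entitlements",
    "Last background entitlement sync failed": "entitlements",
    "Unable to contact PaperCut Gateway Service": "entitlements",
}
HOST_RE = re.compile(r"https://([A-Za-z0-9.-]+)")


def classify(line):
    """Return (kind, subject) for a log line, or None if it is unrelated."""
    trust = any(marker in line for marker in PKIX_MARKERS)
    feature = next((f for text, f in SYMPTOMS.items() if text in line), None)
    host = HOST_RE.search(line)
    if trust:
        # Prefer the destination host (minus sentence punctuation), else the feature.
        return ("trust-failure", host.group(1).rstrip(".") if host else feature or "unknown")
    if feature:
        return ("symptom-only", feature)
    return None


def triage(lines):
    """Count classified lines so trust failures stand apart from bare symptoms."""
    return Counter(c for c in map(classify, lines) if c is not None)


# Constructed sample lines: the messages come from this page, the timestamps
# and levels are assumptions.
SAMPLE_LOG = [
    "2024-07-31 09:00:01 ERROR Delivering scan images for scan job jobId@xxxxxxx:scanAction@xxxx:task@xxx failed with an error: unable to find valid certification path to requested target.",
    "2024-07-31 09:00:01 Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed",
    "2024-07-31 09:05:12 ERROR CloudNoticeFetcher - Fetch cloud messages from https://mf.cloud.papercut.com. Will return empty list [http-43] javax.net.ssl.SSLHandshakeException: PKIX path building failed",
    "2024-07-31 09:10:30 WARN Last background entitlement sync failed",
    "2024-07-31 09:11:00 INFO Scheduled task finished",
]
```

Lines counted as `symptom-only` need the surrounding log checked for a PKIX exception before concluding that packet inspection is the cause.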

Another clue pointing to this issue is seeing the certificate for PaperCut cloud services issued by your own organisation or by the organisation behind your security appliance. For example, the certificate for https://scan.cloud.papercut.com or https://mf.cloud.papercut.com may show an issuer common name different from the one you see on a public network (one not using a network appliance or SSL packet inspection).

Screenshot showing the certificate information (including Common name) for scan.cloud.papercut.com and mf.cloud.papercut.com

The screenshot above shows the unaltered certificate information for scan.cloud.papercut.com and mf.cloud.papercut.com. You can view this in most browsers by clicking on a padlock or ‘info’ icon in the URL bar and viewing the certificate details. If you see that the certificates have been issued by a different entity—e.g., your security or networking company, or if it shows your organization name as the Issuer—this points to the network using SSL packet inspection.
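The same issuer comparison can be run from the Application Server host itself, which matters because a browser on another machine may take a different network path. This is an added example, not PaperCut code; the baseline and sample certificates are constructed placeholders, so replace the baseline with the issuer you record on a public network. It assumes direct outbound access on port 443.

```python
import socket
import ssl


def issuer_fields(cert):
    """Flatten the 'issuer' entry of a getpeercert() dict into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def fetch_cert(host, port=443, timeout=10):
    """Return the validated peer certificate, or None if the operating
    system's trust store rejects the chain presented on this network."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


def verdict(baseline_issuer, cert):
    """Compare an observed certificate with the issuer recorded off-network."""
    if cert is None:
        return "untrusted chain"
    seen = issuer_fields(cert)
    same = all(seen.get(k) == v for k, v in baseline_issuer.items())
    return "issuer matches baseline" if same else "issuer differs: " + seen.get("commonName", "?")


# Constructed placeholders, not the real issuer of the PaperCut certificates.
BASELINE = {"organizationName": "Example Public CA"}
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Example Public CA"),),
                            (("commonName", "Example Public CA R1"),))}
SAMPLE_INSPECTED = {"issuer": ((("organizationName", "Example Corp"),),
                               (("commonName", "Example Corp Inspection CA"),))}

if __name__ == "__main__":
    for host in ("scan.cloud.papercut.com", "mf.cloud.papercut.com"):
        print(host, "->", verdict(BASELINE, fetch_cert(host)))
```

Python validates against the operating system's trust store, not the cacerts file in the PaperCut runtime, so a differing issuer here confirms inspection on the path even when the operating system already trusts the appliance.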

Step 1 - Rule out a Proxy

Sometimes the issue is that a proxy server has been configured on the network, but the PaperCut Application Server hasn’t been configured with the proxy config information.

To configure PaperCut to use the proxy server, see Configuring PaperCut NG/MF to use a proxy.

Step 2 - Configure the NG/MF Application Server to trust the Proxy / Firewall / Content Filter

If you have ensured that the correct firewall ports are open and configured your proxy as detailed in Configuring PaperCut NG/MF to use a proxy, but you’re still seeing connection errors, you will need to configure the Application Server to trust the network device/appliance by importing its certificate into the Application Server’s keystore.

The other confirmed solution is to download the certificate from the security appliance and add it to the Java keystore under the runtime.

These steps are borrowed from a Securly Knowledge Base Article about getting Google Cloud Print to work, where PaperCut cannot establish a secure connection because a MiTM is modifying the packets.

  1. Download the certificate from your security appliance doing the SSL packet inspection.

    If you are having issues with the Global Entitlements Service used in PaperCut NG/MF version 24.0.1 and later, this would be https://mf.cloud.papercut.com/

  2. Download KeyStore Explorer and install it for your applicable Operating System.

  3. Run KeyStore Explorer, and then navigate to File -> Open.


  4. In the Open Keystore window, navigate to the keystore in your installation ([Installation Directory]\runtime\win64\jre\lib\security\cacerts; in your case the folder may be C:\Program Files\PaperCut MF\runtime\win64\jre\lib\security), select cacerts as the keystore to open, and click OK.


  5. The password to unlock the keystore is: changeit

     

  6. Please click on the red ribbon icon from the toolbar, titled Import Trusted Certificate.

    Keystore explorer application screenshot showing the ‘Import Trusted Certificate’ button in the toolbar (a red ribbon)

  7. Select the certificate that you downloaded in the first step and click OK. Then click OK on the alert letting you know this was successful.


  8. Click on the floppy disk icon for Save.

    Keystore explorer application screenshot showing the ‘Save’ button in the toolbar (a floppy disk icon)

  9. Restart the PaperCut Primary Application Server service. (See Stopping and starting PaperCut Services for more information.)
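A scripted equivalent of steps 3 to 8 using the JDK's keytool, added here as an example and not PaperCut's documented procedure. It backs up cacerts first and prints the certificate before importing it. The keytool.exe location, certificate file name and alias are assumptions; the cacerts path and password are the ones given in the steps above.

```python
import shutil
import subprocess
from pathlib import Path

STOREPASS = "changeit"  # keystore password given in step 5 of this page


def keytool_commands(keytool, cacerts, cert_file, alias):
    """Build the keytool calls that mirror steps 3-8: show, import, confirm."""
    store = ["-keystore", str(cacerts), "-storepass", STOREPASS]
    return [
        # Print subject, issuer and fingerprints so the file can be reviewed.
        [str(keytool), "-printcert", "-file", str(cert_file)],
        # Add the appliance certificate as a trusted entry under the alias.
        [str(keytool), "-importcert", "-noprompt", "-alias", alias,
         "-file", str(cert_file)] + store,
        # List the new entry to confirm it was written.
        [str(keytool), "-list", "-alias", alias] + store,
    ]


def import_appliance_cert(keytool, cacerts, cert_file, alias):
    """Back up cacerts, then run each command and stop on the first failure."""
    backup = Path(str(cacerts) + ".bak")
    shutil.copy2(cacerts, backup)  # keep a copy so the change can be reverted
    for cmd in keytool_commands(keytool, cacerts, cert_file, alias):
        subprocess.run(cmd, check=True)
    return backup


if __name__ == "__main__":
    # Assumptions: the JRE folder is the example path from step 4, keytool.exe
    # is assumed to sit in its bin folder, and the certificate file name and
    # alias are hypothetical.
    jre = Path(r"C:\Program Files\PaperCut MF\runtime\win64\jre")
    import_appliance_cert(jre / "bin" / "keytool.exe",
                          jre / "lib" / "security" / "cacerts",
                          Path(r"C:\Temp\inspection-ca.cer"),
                          "tls-inspection-ca")
```

Run it from an elevated prompt, then restart the service as in step 9.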



Last updated July 31, 2024