Using an SSL/TLS communication

About the certificate of this machine

Communication between this machine and the computer can be encrypted with SSL to enhance security.

A certificate for this machine is used for SSL communication between the machine and the computer. Because a certificate was registered on this machine upon shipment, you only need to enable SSL/TLS on the machine to start SSL-encrypted communication immediately after setup.

This machine can manage multiple certificates and use different certificates depending on the application (protocol). You can self-create a new certificate or install a certificate issued by the Certificate Authority (CA).

The following shows how to use the certificate on this machine.

Usage

Description

Using the certificate registered upon shipment

The certificate that was registered on this machine upon shipment can be used as it is.

Using a self-created certificate

Create a certificate with this machine.

The Certificate Authority (CA) is not required for a self-created certificate, and it can be used simply by entering the information required to create it.

Using a certificate issued by the Certificate Authority (CA)

Create certificate signing request data in this machine, and ask a trusted Certificate Authority (CA) to issue a certificate for the machine. When the data is returned from the Certificate Authority after its review, register the data with this machine.


Using the certificate registered upon shipment

Select a login mode to enable SSL communication. Also select the SSL encryption strength.

Select [Security] - [PKI Settings] - [SSL Setting] in administrator mode of Web Connection, and configure the following settings.

Setting

Description

[Mode using SSL/TLS]

Select a login mode to establish SSL communications (default: [None]).

  • [Admin. Mode]: Establishes SSL communications in the administrator mode only.

  • [Admin. Mode and User Mode]: Establishes SSL communications in both the administrator mode and user mode.

  • [None]: Does not establish SSL communications.

[Encryption Strength]

Select the SSL encryption strength (default: [AES-256, 3DES-168, RC4-128]).

[SSL/TLS Version Setting]

Select the SSL/TLS version to be used.

Self-creating a certificate

Create a certificate with this machine. The Certificate Authority (CA) is not required for a self-created certificate, and it can be used simply by entering the information required to create it.

  1. Select [Security] - [PKI Settings] - [Device Certificate Setting] - [New Registration] - [Create and install a self-signed Certificate.] in administrator mode of Web Connection, and enter information required for creating a certificate, then click [OK].

    The certificate is created and installed on this machine. It may take several minutes to create a certificate.

    Setting

    Description

    [Common Name]

    Displays the IP address of this machine.

    [Organization]

    Enter an organization or association name (using up to 63 ASCII characters).

    [Organizational Unit]

    Enter the organization unit name (using up to 63 ASCII characters).

    This field can also be left blank.

    [Locality]

    Enter the locality name (using up to 127 ASCII characters).

    [State/Province]

    Enter the state or province name (using up to 127 ASCII characters).

    [Country]

    Enter the country name. As the country name, specify a country code defined in ISO 3166 (using up to two ASCII characters).

    United States: US, Great Britain: GB, Italy: IT, Australia: AU, The Netherlands: NL, Canada: CA, Spain: ES, Czech Republic: CZ, China: CN, Denmark: DK, Germany: DE, Japan: JP, France: FR, Belgium: BE, Russia: RU

    [Admin. E-mail Address]

    Enter the E-mail address of the administrator of this machine (using up to 128 characters, excluding spaces).

    If the E-mail address of the administrator was already registered from [System Settings] - [Machine Setting], this field displays the registered E-mail address.

    [Validity Start Date]

    Displays the starting date of the certificate validity period, which is the date and time of this machine at the moment this screen is displayed.

    [Validity Period]

    Enter the validity period of the certificate as a number of days counted from the starting date.

    [Encryption Key Type]

    Select a type of encryption key.

  2. When the certificate has been installed, enable SSL communication (see [Using the certificate registered upon shipment]).

Requesting the Certificate Authority to issue a certificate

Create certificate signing request data in this machine, and ask a trusted Certificate Authority (CA) to issue a certificate for the machine. When the data is returned from the Certificate Authority after its review, register the data with this machine.

  1. Select [Security] - [PKI Settings] - [Device Certificate Setting] - [New Registration] - [Request a Certificate] in administrator mode of Web Connection, and enter information required for issuing a certificate, then click [OK].

    The certificate signing request data to be sent to the Certificate Authority is created.

    Setting

    Description

    [Common Name]

    Displays the IP address of this machine.

    [Organization]

    Enter an organization or association name (using up to 63 ASCII characters).

    [Organizational Unit]

    Enter the organization unit name (using up to 63 ASCII characters).

    This field can also be left blank.

    [Locality]

    Enter the locality name (using up to 127 ASCII characters).

    [State/Province]

    Enter the state or province name (using up to 127 ASCII characters).

    [Country]

    Enter the country name. As the country name, specify a country code defined in ISO 3166 (using up to two ASCII characters).

    United States: US, Great Britain: GB, Italy: IT, Australia: AU, The Netherlands: NL, Canada: CA, Spain: ES, Czech Republic: CZ, China: CN, Denmark: DK, Germany: DE, Japan: JP, France: FR, Belgium: BE, Russia: RU

    [Admin. E-mail Address]

    Enter the E-mail address of the administrator of this machine (using up to 128 characters, excluding spaces).

    If the E-mail address of the administrator was already registered from [System Settings] - [Machine Setting], this field displays the registered E-mail address.

    [Encryption Key Type]

    Select a type of encryption key.

  2. Click [Save].

    Supplementary explanation: Click this button to save the certificate signing request data on your computer as a file.

  3. Send the certificate signing request data to the Certificate Authority.

    When the data is returned from the Certificate Authority after its review, register the data with this machine.

  4. Select [Security] - [PKI Settings] - [Device Certificate Setting] - [Setting] - [Install a Certificate] in administrator mode of Web Connection, and paste the text data sent from the Certificate Authority (CA), and then click [Install].

  5. When the certificate has been installed, enable SSL communication (see [Using the certificate registered upon shipment]).
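The two certificate paths above (self-signed, and a CSR sent to a CA) can be reproduced on an administrator's workstation with the OpenSSL command line, which makes it easier to see what each form field ends up as, and to check the CA's reply before pasting it into [Install a Certificate]. The following is an added example, not code from the manual or the device; the addresses, names and file paths are constructed placeholders, and the field limits it enforces are the ones the forms above state.

```shell
#!/bin/sh
# Added example, not part of the manual: the device's two certificate paths
# ([Create and install a self-signed Certificate.] and [Request a Certificate])
# reproduced with OpenSSL so the subject fields, the CSR and the CA's reply
# can be inspected. Every address, name and path is a constructed placeholder.

# Build the OpenSSL subject string from the fields of the Web Connection form,
# applying the limits the form states: two-letter ISO 3166 country code,
# organization and unit up to 63 characters (unit may be empty), and an
# e-mail address without spaces.
# $1 country  $2 state/province  $3 locality  $4 organization
# $5 organizational unit  $6 common name (device IP)  $7 admin e-mail
subject_from_fields() {
    case "$1" in
        [A-Za-z][A-Za-z]) ;;
        *) echo "country must be a two-letter ISO 3166 code" >&2; return 1 ;;
    esac
    if [ "${#4}" -gt 63 ] || [ "${#5}" -gt 63 ]; then
        echo "organization and organizational unit are limited to 63 characters" >&2
        return 1
    fi
    case "$7" in
        *' '*) echo "e-mail address must not contain spaces" >&2; return 1 ;;
    esac
    subj="/C=$1/ST=$2/L=$3/O=$4"
    if [ -n "$5" ]; then
        subj="$subj/OU=$5"
    fi
    printf '%s/CN=%s/emailAddress=%s\n' "$subj" "$6" "$7"
}

# Self-signed path: key and certificate are produced together. The form puts
# the device IP in [Common Name]; clients also look for it in subjectAltName,
# so it is added there too (-addext needs OpenSSL 1.1.1 or later).
# $1 subject  $2 device IP  $3 validity in days  $4 output path prefix
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "$1" -addext "subjectAltName=IP:$2" -days "$3" \
        -keyout "$4.key" -out "$4.crt" 2>/dev/null
}

# CA path: only the CSR leaves the device; the private key stays in $3.key.
# $1 subject  $2 device IP  $3 output path prefix
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$1" -addext "subjectAltName=IP:$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
}

# Before installing the CA's reply, confirm that the returned certificate
# carries the public key belonging to our private key (compare DER digests).
# $1 private key file  $2 certificate file
cert_matches_key() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
              openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Which protocol versions the device's HTTPS port completes a handshake for;
# use it to confirm the effect of [SSL/TLS Version Setting]. Needs network access.
# $1 device IP or host name  $2 port (default 443)
probe_tls_versions() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$1:${2:-443}" "-$v" </dev/null >/dev/null 2>&1; then
            echo "$v: handshake succeeded"
        else
            echo "$v: handshake failed"
        fi
    done
}
```

Typical use is `subj=$(subject_from_fields US California "San Jose" "Example Corp" IT 192.0.2.10 admin@example.com)` followed by `make_csr "$subj" 192.0.2.10 ./mfp`; after the CA returns `mfp.crt`, `cert_matches_key ./mfp.key ./mfp.crt` must succeed before the certificate is installed. With the CA path the private key never leaves the device, which is the property that makes it preferable to a self-signed certificate for anything beyond initial setup.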

Using IPsec communication

Configure the setting if your environment requires IPsec.

IPsec uses encryption to prevent tampering with or leakage of data at the level of individual IP packets. Because IPsec encrypts data in the network layer, communication remains secure even when upper-layer protocols or applications that do not support encryption are used.

  1. Select [Network] - [TCP/IP Setting] - [IPsec] - [IPsec Setting] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and click [OK].

  2. Click [Edit] from [IKEv1] or [IKEv2] in [IPsec Setting], then configure the following settings.

    Setting

    Description

    [Encryption Algorithm]

    Select the encryption algorithm to create a common key used for communication.

    [Authentication Algorithm]

    Select the authentication algorithm to create a common key used for communication.

    [Encryption Key Validity Period]

    Specify the validity period of the common key used to encrypt communications (default: [28800] sec.).

    When this period has expired, a new key is created, which keeps the communication secure.

    [Diffie-Hellman Group]

    Select the Diffie-Hellman group (default: [Group 2]).

    [Negotiation Mode]

    Select the negotiation mode (default: [Main Mode]). This option is not available in [IKEv2].

  3. From [SA] in [IPsec Setting], click [Registration] and register the Security Association (SA).

    Supplementary explanation: Up to 10 groups can be registered for the SA.

    Setting

    Description

    [Name]

    Enter the SA name (using 1 to 10 characters, excluding ").

    [Encapsulation Mode]

    Select the IPsec operation mode (default: [Transport]).

    [Security Protocol]

    Select a security protocol.

    [Key Exchange Method]

    Select the key exchange method used to securely create the common key that encrypts communications (default: [IKEv1]).

    [Tunnel End Point]

    If [Tunnel] is selected in [Encapsulation Mode], enter the IP address of the IPsec gateway that is used as a peer.

    [Lifetime After Establishing SA]

    Enter the lifetime of a common key used to encrypt communications (default: [3600] sec.).

    [IKE Setting]

    Configure IKE settings used for this SA. This is required when [IKEv1] or [IKEv2] is selected in [Key Exchange Method].

    • [Authentication Method]: Select the authentication method.

    • [Local Authentication Method]: Select the authentication method of this machine when [IKEv2] is selected in [Key Exchange Method].

    • [Peer Authentication Method]: Select the peer authentication method when [IKEv2] is selected in [Key Exchange Method].

    • [ESN]: When applying the 64-bit extended sequence number, set this option to ON.

    • [Replay Detection]: When enabling replay defense, set this option to ON.

    • [ESP Encryption Algorithm]: If you select [ESP] for [Security Protocol], configure the ESP encryption algorithm.

    • [ESP Authentication Algorithm]: If you select [ESP] for [Security Protocol], configure the ESP authentication algorithm.

    • [AH Authentication Algorithm]: If you select [AH] for [Security Protocol], configure the AH authentication algorithm.

    • [Perfect Forward-Secrecy]: Set this option to ON to strengthen IKE security. Setting it to ON increases the time taken for communication.

  4. From [Peer] in [IPsec Setting], click [Registration] and register peers of this machine.

    Supplementary explanation: Up to 10 peers can be registered.

    Setting

    Description

    [Peer]

    When registering a peer, set this option to ON (default: OFF).

    [Name]

    Enter the peer name (using 1 to 10 characters, excluding ").

    [Set IP Address]

    Select the method to specify the peer address. Specify the IP address of the peer depending on the selected method.

    [Pre-Shared Key Text]

    Enter the Pre-Shared Key text to be shared with a peer using up to 128 ASCII characters or up to 256 hexadecimal characters.

    Specify the same text as that for the peer.

    [Key-ID String]

    Enter the Key-ID to be specified for the Pre-Shared Key (using up to 128 bytes).

  5. From [Protocol Setting] in [IPsec Setting], click [Registration] and specify the protocol used for IPsec communication.

    Supplementary explanation: Up to 10 protocols can be specified.

    Setting

    Description

    [Protocol Setting]

    When registering the protocol setting, set this option to ON (default: OFF).

    [Name]

    Enter a name for this protocol setting group (using 1 to 10 characters, excluding ").

    [Protocol Identification Setting]

    Select a protocol used for IPsec communication (default: [No Selection]).

    [Port No.]

    If [TCP] or [UDP] has been selected in [Protocol Identification Setting], specify the port number used for IPsec communication.

    [ICMP Message Type]

    Specify the ICMP message type when [ICMP] is selected in [Protocol Identification Setting].

    [ICMPv6 Message Type]

    Specify the ICMPv6 message type when [ICMPv6] is selected in [Protocol Identification Setting].

  6. Select [Network] - [TCP/IP Setting] - [IPsec] - [Enable IPsec] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and click [OK].

  7. In [Enable IPsec], configure the following settings.

    Setting

    Description

    [IPsec]

    When using IPsec, set this option to ON (default: OFF).

    [Dead Peer Detection]

    If no response can be confirmed from the peer within a certain period, the SA with the peer is deleted. Select the time that elapses before a liveness check is sent to a peer that has not responded (default: [15] sec.).

    [Cookies]

    Select whether to enable the defense using Cookies against denial-of-service attacks (default: [Disable]).

    [ICMP Pass]

    Select whether to apply IPsec to the Internet Control Message Protocol (ICMP) (default: [Disable]). Select [Enable] to allow the ICMP packets to pass without applying IPsec to the ICMP.

    [ICMPv6 Pass]

    Select whether to apply IPsec to the Internet Control Message Protocol for IPv6 (ICMPv6) (default: [Disable]). Select [Enable] to allow the ICMPv6 packets to pass without applying IPsec to the ICMPv6.

    [Default Action]

    Select an action to be taken if no settings meet the [IPsec Policy] while IPsec communication is enabled (default: [Allow]). Select [Deny] to discard IP packets that do not meet the [IPsec Policy] settings.

    [Certificate Verification Level Settings]

    To verify the certificate, select items to be verified.

    • [Expiration Date]: Confirm whether the certificate is within the validity period (default: ON).

    • [Key Usage]: Confirm whether the certificate is used according to the intended purpose approved by the certificate issuer (default: OFF).

    • [Chain]: Confirm whether there is a problem in the certificate chain (certificate path) (default: OFF). The chain is validated by referencing the external certificates managed on this machine.

    • [Expiration Date Confirmation]: Confirm whether the certificate has been invalidated (revoked) by its issuer before its expiration date (default: OFF). The status is checked first through an OCSP (Online Certificate Status Protocol) service and then against a CRL (Certificate Revocation List).

  8. From [IPsec Policy] in [Enable IPsec], click [Registration], then configure the following settings.

    Supplementary explanation: Conditions on IP packets can be specified so that each IP packet meeting a condition is protected, allowed or denied according to the selected [Action].

    Setting

    Description

    [IPsec Policy]

    Select whether to use the IPsec policy (default: [OFF]).

    [Name]

    Enter the IPsec policy name (using 1 to 10 characters, excluding ").

    [Peer]

    Select a peer setting. Select the setting from those registered in [Peer] in [IPsec Setting].

    [Protocol Setting]

    Select a protocol. Select the setting from those registered in [Protocol Setting] in [IPsec Setting].

    [IPsec Setting]

    Select an SA setting. Select the setting from those registered in [SA] in [IPsec Setting].

    [Communication Type]

    Select a direction of IPsec communication.

    [Action]

    Select the operation for the IP packet that matches the specified condition.

    • [Protected]: Protect the IP packets that meet the conditions.

    • [Allow]: Do not protect the IP packets that meet the conditions.

    • [Deny]: Discard the IP packets that meet the conditions.

    • [Cancel]: Refuse the IP packets that meet the conditions.

  9. Select [IPsec] - [Communication Check], then check that a connection with a peer can be established normally with the configured settings.

    Supplementary explanation: Enter the peer's IP address into [IP Address], then click [Check Connection].
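The [SA], [Peer], [Protocol Setting] and [IPsec Policy] forms above only configure the machine's side; the peer has to be configured with matching values or the [Communication Check] in step 9 fails. The following is an added example, not code from the manual or the device: it assumes the peer is a Linux host running strongSwan (swanctl), renders the peer's configuration from the same choices the forms ask for, enforces the form's length limits on the SA name and pre-shared key, and refuses the weaker algorithm choices the device offers as defaults ([Diffie-Hellman Group] [Group 2] is 1024-bit MODP; 3DES, MD5 and SHA-1 are legacy). The addresses (192.0.2.x), the SA name and the protected service (IPP on TCP port 631) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the manual: peer-side strongSwan (swanctl.conf)
# configuration matching the device's IPsec forms. Addresses, names, key and
# the protected service are constructed placeholders.

# Refuse proposals built from the device's weaker defaults.
# $1 = strongSwan proposal string, e.g. aes256-sha256-modp2048
check_proposal() {
    case "$1" in
        *modp768*|*modp1024*|*3des*|*md5*|*sha1*|*null*)
            echo "weak proposal: $1" >&2; return 1 ;;
    esac
    return 0
}

# [Name] fields: 1 to 10 characters, excluding the double quote.
check_name() {
    case "$1" in ''|*\"*) return 1 ;; esac
    [ "${#1}" -le 10 ]
}

# [Pre-Shared Key Text]: up to 128 ASCII characters, or 0x plus up to
# 256 hexadecimal digits (the 0x prefix is how swanctl marks a hex secret).
check_psk() {
    case "$1" in
        0x*) hex=${1#0x}
             case "$hex" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
             [ "${#hex}" -le 256 ] ;;
        '')  return 1 ;;
        *)   [ "${#1}" -le 128 ] ;;
    esac
}

# Print a swanctl.conf for the peer. The bracketed comments name the device
# form field each line corresponds to; timers use the form defaults.
# $1 peer (local) address  $2 device address  $3 SA name  $4 pre-shared key
# $5 IKE proposal  $6 ESP proposal
render_swanctl_conf() {
    check_name "$3" || { echo "SA name: 1-10 characters, no quotes" >&2; return 1; }
    check_psk "$4" || { echo "pre-shared key outside the allowed length" >&2; return 1; }
    check_proposal "$5" && check_proposal "$6" || return 1
    cat <<EOF
connections {
  $3 {
    local_addrs = $1
    remote_addrs = $2
    # [Key Exchange Method] IKEv2 (stronger than the IKEv1 default)
    version = 2
    # [Encryption Algorithm], [Authentication Algorithm], [Diffie-Hellman Group]
    proposals = $5
    # [Encryption Key Validity Period] 28800 sec
    rekey_time = 8h
    # [Dead Peer Detection] 15 sec
    dpd_delay = 15s
    # [Local Authentication Method] / [Peer Authentication Method]: pre-shared key
    local {
      auth = psk
      id = $1
    }
    remote {
      auth = psk
      id = $2
    }
    children {
      ${3}-ipp {
        # [Encapsulation Mode] Transport
        mode = transport
        # [ESP Encryption Algorithm], [ESP Authentication Algorithm]
        esp_proposals = $6
        # [Lifetime After Establishing SA] 3600 sec
        rekey_time = 1h
        # [ESN] ON, [Replay Detection] ON
        esn = yes
        replay_window = 32
        # [Protocol Setting] TCP, [Port No.] 631; [Action] Protected
        local_ts = $1[tcp]
        remote_ts = $2[tcp/631]
        start_action = trap
      }
    }
  }
}
secrets {
  ike-$3 {
    id-1 = $1
    id-2 = $2
    secret = $4
  }
}
EOF
}
```

Running `render_swanctl_conf 192.0.2.20 192.0.2.10 mfp-sa 0xdeadbeef aes256-sha256-modp2048 aes256-sha256 > /etc/swanctl/swanctl.conf` followed by `swanctl --load-all` prepares the peer; the device then needs the same SA name, IKEv2, AES-256 with SHA-256, DH group 14 (2048-bit), the same pre-shared key, and an [IPsec Policy] with [Action] set to [Protected] for TCP port 631. A request with the device's default `3des-sha1-modp1024` proposal is rejected by the script, which is the point: the form accepts it, so the check has to live somewhere.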