Pharos Blueprint 5.4 - Update 2 Release Notes

Release Notes

This update should be applied to all machines hosting Blueprint components, i.e. the Analyst, Collector, Administrator.

The components included in this update are:

The Print Scout package should be distributed to all Workstations where Serverless Printing feature will be used.

What's new in Sentry Print 3.235.1

• Bugfix - Able to access a secured Ricoh device's web image monitor with a user name that does not exist.

• Bugfix - Cached copy of Device's Admin credentials is not immediately cleared when credentials are changed.

• Bugfix - Logging for Xerox devices leaks username and password.

What's new in 5.4 - Update 2 Release

• Support for users belonging to more than 100 Active Directory Groups.

• Blueprint Enterprise now detects if a later version of the Sentry Service is installed, and customers will be promptly warned about it.

• Analyst, Collector & Administrator Only are no longer supported on the following Windows versions:

  • Windows 8

  • Windows 8.1

  • Windows Server 2012 R2

• "Require authentication for all device functions" setting has been added to Sentry Print.

• Added the option to include a warning banner when logging in to the Blueprint Administrator.

• The Blueprint health check has been updated to include a timestamp

The following bugs have been fixed:

• Addressed the problem of missing meter data in reports.

• The issue where a user could access the Ricoh device's WIM (Web Image Monitor) using a non-existing username has been fixed.

• This update resolves a security vulnerability in the Site Service for Xerox printers, specifically in version 3.89.1.0, where user passwords may be accessible to administrators under certain conditions.

Security Update - Mandatory

Blueprint 5.4 Update 2 includes a security update to address a known security issue and must be applied to the Analyst and all Collectors. Please note:

• This update requires MobilePrint version 2.5.0 or later (if used). Refer to the MobilePrint section below for more information.

• Site Security Utility. A new utility is available to use with 5.5.1.12 or later Print Center/Pharos API. This optional but recommended tool adds further protection to credentials used by the Pharos API for communication between Pharos API instances and for MobilePrint communication with Pharos API. The tool and instructions are in the \Integrations\SiteSecurityUtility folder of this update.

What was new in 5.4 - Update 1 Release

• Device Admin Credential management has been improved to ensure rotation of credentials on a physical device is less likely to cause issues with existing secure devices. They can now be updated in the Print Center from the Secure Printers list as well as the dialog for securing a device. In addition they can be imported via the Administrator UI in bulk. Replication of these credentials to collectors has also been improved.

• Customers can download and import the latest models database. Models information now includes whether they are supported by Sentry Print.

• The Pharos API health test has been added to the System Monitor. The Pharos API is used by the Print Center and the Sentry Print Service to interface with the Blueprint services.

• If sentry Print has been manually uninstalled, the Update 1 Patcher can be used to install and configure it again by setting the <InstallSentryPrint> element in the file "Patcher.xml" to "true".
   Note, re-installing the Sentry Print Service will result in a new "Secure Print Trust Root" SSL certificate being created and installed for use by the Sentry Print Service.
  This will not match the SSL certificate installed on the iMFPs by the previously installed Sentry Print Service. To get the devices to work with the newly installed Sentry Print Service, you need to either:

  • Use the Blueprint Server Configuration Tool to rebind the old certificate to the new Sentry Print Service. Or

  • Re-secure the iMFPs with the new Sentry Print Service.

• Customers can specify the Active Directory attribute which holds the "display name" of a user. This is shown as the user's name in the Print Center.

The following bugs have been fixed:

• Server offline detection bugs resulted in servers being incorrectly marked as offline therefore preventing attempts to call those servers. This mainly affected calls from collectors.

• Health tests results were not able to be updated when the Print Spooler was stopped, which prevented collection of Print Spooler performance counters.

• When the "Tracker SSL Support" setting in the Server Configuration Tool was set to "Required" the Tracker Service health test would fail.

• Calls to the Tracker Service would not work when IIS had multiple SSL certificates bound to the web port

• The Authentication method tester when given bad credentials threw an unhandled exception and prompted to be closed.

• Customized Sentry Print Theming on iMFPs revert to defaults when Collectors are unable to communicate with Analyst. Blueprint allows customers to customize the Sentry Print UI that appears on iMFPs. With Blueprint 5.4, the Theme settings for this customization were fetched from the Analyst when required. This meant that when a Collector was unable to contact the Analyst, the UI on iMFPs reverted to the default appearance. In 5.4 Update 1, the Sentry Print Theme settings are now replicated down to the Collectors. Now, when a Collector is unable to contact the Analyst, the iMFPs will continue to display the modified appearance. However, because the settings are replicated, it can take up to 12 hours for changes to be propagated from the Analyst to the Collector which means if you make a change to the Sentry Print Theme settings in the Print Center, it will take up to 12 hours for the changes to be automatically propagated to the Collectors. If you wish the changes to propagate more quickly, you will need to manually clear the "Sentry Print Theme Settings" on each Collector.

How to apply this Update

Warning: Blocked Files

Depending on how this update or its files were copied to the target machine, some of the files may have been 'blocked' by Windows. Trying to update a Blueprint component with a blocked file will most likely prevent that component from working correctly. To check whether a file is blocked and/or unblock it, right-click the file in Windows Explorer and select 'Properties'.

Warning: In use Files

Under some conditions, the upgrader may be unable to replace files because they are in use. If this happens,

1. Stop all the Application Pools in IIS.

2. Run the upgrade again.

3. Start all the Application Pools after the patcher succeeds.

Updating Analyst or Collector

Installation Steps

1. If updating Analyst, make sure you have an up to date backup of the psbprint database.

2. Close the Window's Printers window (if it is open). Close any Pharos applications (e.g. Troubleshooter, Blueprint Administrator) that are open.
    Note: you do not need to stop the Pharos Services. The update installer will do this automatically.

3. Open an elevated Windows command prompt and run Patcher.exefrom the command line. No additional parameters are necessary.

   • The update installer does not create a log file. It is recommended that you run DebugView (http://technet.microsoft.com/en-us/sysinternals/bb896647) to capture the output of the installer. This output will include error messages if the installer fails.

   • If the update installer fails, you can correct the cause of the error and run Patcher.exe again.

   • At completion, the Patcher may automatically force a restart. Follow the remaining instructions after the restart.

   • To log the installation of MSI files associated with the update, edit <MsiLogFileDirectory> in the Patcher.xml file with a folder path.

   • If Site Monitor with a lite license is installed and the logged on user does not have permissions to remove the Site Monitor database, the DbAdminUser and EncryptedDbAdminPasswordelements can be populated in the patcher.xml to allow full uninstallation of Site Monitor.

     1. Open an elevated command prompt and type in patcher /encrypt:MySecretPassword to retrieve the encrypted version of the Db Admin Password.

4. On Analyst, open the Blueprint Analyst, go to Reporting -> Publications and click on "Publish to Data Warehouse" on the toolbar.

Automated Server Deployment

Customers with a large number of Blueprint Servers may want to deploy this update using an automated software deployment tool (e.g. IBM's Tivoli).

To help with this process, the Patcher can be configured to send an e-mail at the end of the patching process indicating the patching attempt's success or failure. The configuration is held in the file Patcher.xml. Modify the file as follows:

1. Change the <automated> element from "false" to "true".

2. Set "to" to the e-mail address you want the notification sent to.

3. Set "from" to the e-mail address you want the notification to claim it was sent from.

4. Set smtpServerHost to the FQDN of the mail server.

5. Leave smtpServerPort alone, unless the mail server is using a non-standard port. Or you want the communication encrypted using SSL.

6. If the mail server and its Host are configured to support SSL, you can change useSSL to "true" and smtpServerPort to the SSL port (usually 465).

7. Set smtpUserName and smtpPassword to the user and password needed to use the mail server.

8. If you do not want to put an unencrypted password in the Patcher.xml file, you can put the password as encrypted text into smtpEncryptedPassword. You can encrypt the password by calling Patcher.exe from the command line with the flag "/encrypt:". e.g. Assume your mail server's password is "MySecretPassword".

   1. Open an elevated command prompt and type in patcher /encrypt:MySecretPassword

   2. Patcher.exe will return EncryptedPassword:L9EMZX9r1CkvI8rNybP/dikf09zwBPLMfl6OMk7/nXOCgZQpaePQDoGDULN3eAbe"

   3. Set smtpEncryptedPassword="L9EMZX9r1CkvI8rNybP/dikf09zwBPLMfl6OMk7/nXOCgZQpaePQDoGDULN3eAbe"

9. If your deployment tool will run the patcher under an account that has permission to send e-mails, then you can set useDefaultCredentials to "true" and leave smtpUserName, smtpEncryptedPassword and smtpPassword blank.

Updating standalone installations of the Blueprint Administrator

If Workstation Tracker is installed along with the Blueprint Administrator, applying the update will NOT update the Tracker.

1. Close the Window's Printers window (if it is open).

2. Open an elevated Windows command prompt and run Patcher.exe from the command line. No additional parameters are necessary.
   Note: The update installer does not create a log file. It is recommended that you run DebugView (http://technet.microsoft.com/en-us/sysinternals/bb896647) to capture the output of the installer. This output will include error messages if the installer fails.

3. A reboot might be required after the update is run. This is done automatically so make sure you save any open files prior to applying the update.

4. If the update installer fails, you can correct the cause of the error and run Patcher.exe again. Alternatively, you can contact Pharos for manual upgrade instructions.

Updating Tracker on Print Servers

On all the Windows Print Servers where tracking is required, use the Blueprint Print Scout package contained in the Tracker directory to install or upgrade the Tracker.

Updating Tracker on Windows Workstations

Print Scout packages should be distributed to all workstations hosting the Blueprint Tracker, so you can take advantage of the new features and improvements.

The patcher does not uninstall Site Monitor when database cannot be contacted

Applying Update 5 to Blueprint removes any existing Pharos Site Monitor Lite install on the Analyst. However, the Site Monitor is not removed when the database cannot be contacted by the patcher.

Site Monitor can be uninstalled after running the Patcher.

1. Go to "Add or Remove Programs" and select "Pharos Systems Site Monitor".

2. Select "Uninstall", and when prompted, supply credentials for a MSSQL server administrator account.

Integrations

MobilePrint

The MobilePrint application has been updated to work with the updated security measures implemented in the Print Center. Ensure that your MobilePrint is updated to version 2.5.0 (if used).

MobilePrint won't be able to retreive changes to its configuration until it is updated because it won't be able to establish communication with the Pharos API. Failing to update to the latest version might also lead to a situation where multiple logon requests are generated by MobilePrint. These logon requests do not present a substantial risk. Standard MobilePrint operations, such as file uploads and print release will continue to work.

Other

Updated versions of the following integrations are included in this update.

• Apple Airprint

• MobilePrint

• Pharos Print Center

• VPSX

VPSX, HP ePrint, and Apple UTF-8 Integration

• Any previously installed version of these Integrations will stop working once the update is applied.

• After applying this update, you will need to re-install the integration using the version included with this Update. i.e. replace the deployed DLLs with the new versions.

• If TLS 1.2 is the ONLY cipher suite enabled the VPSX SRH integration will not work.

Limitations

• If "Integrated Security" is used to connect to MS SQL, the Print Center won't work after applying this release. To fix, set the Pharos ASP.NET v4.0 App Pool in IIS to use an account that has MS SQL permissions. Refer to the "New Features" document in the Pharos Community for more information.