Post on 17-Mar-2022

11 views

Category:

Documents


0 download

TRANSCRIPT

HP Security Manager - Installation and Setup Guide

SUMMARY

This document describes how to install and set up Security Manager or upgrade an existing installation.

Legal information

Copyright and License

© Copyright 2022 HP Development Company, L.P.

Reproduction, adaptation, or translation without prior written permission is prohibited, except as allowed under the copyright laws.

The information contained herein is subject to change without notice.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Applicable product: J8023AA

Edition 19.0, 03/2022 (version 7.1)

Trademark Credits

Microsoft®, Windows®, and Windows Server® are U.S. registered trademarks of Microsoft Corporation.

Table of contents

1 Introduction
    System requirements
    Installation and upgrade overview
    Verify Administrator account requirements
    Install the prerequisite software

2 Install the Security Manager system
    What you must provide
    Install or use local SQL and create a new database
    Create a new database on an existing SQL server (local or remote)
    Point to an existing database on a remote SQL server (remote only)
    Install the database on another computer

3 Upgrade the Security Manager system
    Upgrade the web application and database on the same computer
    Upgrade the web application on one computer and update the database on another computer
        Upgrade HP Security Manager and the remote database using the installer with full access rights to the remote database
        Upgrade the HP Security Manager remote database and web application with no database access rights using SQL scripts

4 Configure Security Manager
    Configure Auto Logout and Account Lockout
    Configure Policy Change Notification
    Configure device replacement and hostname changes behavior
    Configure Database Maintenance
    Export reports to customized locations
    Configure remote access to the Security Manager web application
    Configure remote database security
    Configure database security for the existing Microsoft SQL Servers
    Configure Instant On requests
    Configure which policy will be used for Instant On requests
    Configure auto discovery to fix network communication errors
    Configure a SQL user account to access the database
    Configure autogrouping behavior
    Configure automatic retry of EWS credential verification
    Disable default credential verification for password protected devices
    Configure the max number of records to delete
    Pause scheduled tasks during nightly maintenance
    Configure or mask the IP address
    Firewall configuration for remote access

5 Uninstall the Security Manager system
    Uninstall the web application and database from one computer
    Uninstall the web application from one computer and uninstall the database from another computer

6 Solve problems
    Solve problems

7 Software license agreement
    End User License Agreement

A Manually install and configure IIS
    Install IIS on Windows Server
    Install IIS on a Windows (11, 10, or 8) operating system

B Run SQL install/upgrade scripts from SQL Management Studio

C Improve performance by running database cleanup scripts

D Network port assignments

E More information

1 Introduction

HP Security Manager (Security Manager) is a security compliance tool. Use Security Manager to create policies that assess the security of your imaging and printing devices, configure the devices to comply with the policy, and monitor the devices for continued compliance.

Use this guide to install and set up Security Manager or upgrade an existing installation.

NOTE: For general information and instructions on how to use the system, see the Security Manager Help.

System requirements

The following are the basic requirements for installing the newest version of Security Manager:

● Internet Information Services (IIS) 7.5 or newer versions.

● Microsoft .NET Framework 4.8 or newer version.

NOTE: If the HP Security Manager installer does not detect the .NET Framework 4.8 or newer versions, the installer provides the appropriate installation instructions and Microsoft URL to download the .NET Framework.

NOTE: Security Manager supports platforms that have Microsoft Windows and .NET Framework high-priority updates.

● Database: Security Manager installs Microsoft SQL Server 2019 Express.

For a full list of supported databases, see the Security Manager Release Notes at HP Security Manager product support page.

● A supported Microsoft Windows computer.

● Operating Systems: Supports the following Microsoft Windows 64-bit operating systems:

NOTE: HP no longer supports or tests Microsoft operating systems released for prior HP Security Manager installations. Support will only be provided for the latest Security Manager release versions.

– Windows Server 2022

– Windows Server 2019

– Windows Server 2016

– Windows Server 2012 R2

– Windows Server 2012

– Windows Server 2008 R2

– Windows 11

– Windows 10

– Windows 8.1

– Windows 8

● Server Hardware: HP recommends the following hardware configuration for the server:

– 4 or more processor cores

– 2.8 GHz or higher processor speed

– 12 GB or more of RAM

– 4 GB of available storage

● Supported browsers: Security Manager supports the following browsers:

– Internet Explorer 11 or newer

– Chrome version 60 or newer

– Microsoft Edge (Chromium-based) version 79 or newer

NOTE: HP Security Manager is supported in VMware and Hyper-V environments with the Windows versions listed previously. Hyperthreading is optional for VMware and Hyper-V. Reserve memory is required for Hyper-V.

NOTE: If installing Security Manager on a VMware instance, you must use the hardware (MAC) address of that virtual adapter during the ordering of the license file. Be aware that VMware dynamically generates the virtual adapter MAC address and does not guarantee it will remain static during session restarts or power toggling. If the MAC address changes, the print license service will fail to operate properly. Refer to VMware help documentation for instructions on how to configure a static MAC address or how to change the modified MAC address back to the original.

NOTE: Importing a license file might fail on VMware VMs. If this occurs, reboot the virtual machine.

NOTE: SQL 2017 or 2019 is recommended on VMware because testing with older versions and partially disabled TLS settings resulted in random database connectivity issues.

Installation and upgrade overview

The Security Manager installation program installs the Security Manager web application and database on a single computer or installs the database remotely.

Security Manager can use an existing installation of Microsoft SQL Server or install Microsoft SQL Server 2019 Express, if required.

NOTE: If you use a database that is not installed by the Security Manager installer, then the database permissions must be set up before installation. After Security Manager is installed, see Configure database security for the existing Microsoft SQL Servers on page 47 for instructions.

New Security Manager installations

The installation program provides the following options for a new installation of Security Manager:

● Database Only - Installs only the Security Manager database on a computer that contains an existing installation of Microsoft SQL Server. Use this option to install the Security Manager database separately from the Security Manager web application.

● Extract Database Installation Script - Exports the database scripts to the specified path before installation (used to create/upgrade the HPSM database tables).

● Full Install - Installs the Security Manager web application, creates and initializes a new database (DB) or connects and upgrades an existing DB, or configures remote database connection settings without upgrading/installing the remote database. Optionally, Microsoft SQL Server 2019 Express can be installed on a computer that does not contain an existing installation of Microsoft SQL Server. If required, the database can be installed remotely from the Security Manager web application.

Existing Security Manager installations (upgrade)

The Security Manager installation program determines whether an older version(v) is installed and can be upgraded.

NOTE: Security Manager supports a one step upgrade from versions 3.5, 3.6, and 3.6.1. Versions 3.2.1, 3.3, and 3.4 only must first be upgraded to version 3.5 before upgrading to version 3.7.

Earlier versions of Security Manager cannot be upgraded.

NOTE: Make sure to use the same version of the Security Manager user interface and Security Manager service.

The installation program provides the following options for an upgrade of Security Manager:

● Upgrade the web application and database on the same computer.

● Upgrade the web application on one computer and update the database on another computer.

NOTE: If requested to restart your workstation when installing or uninstalling the MS installer file due to changes in the registry, you can either restart or delete the “PendingFileRenameOperations” key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations) in the registry editor.

For more information, see Solve problems on page 60 (Issue: “A computer restart is required. You must restart this computer before continuing with installation.”)
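Deleting this entry discards every file rename or delete that any installer has queued for the next boot, so list and back up the queued operations first. The PowerShell below is an added example, not part of the HP guide; the function names and the backup path are assumptions. Windows stores PendingFileRenameOperations as a multi-string value under the Session Manager key.

```powershell
# Added example (not HP code): review what is queued before removing the entry.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName      = 'PendingFileRenameOperations'

function Get-PendingFileRename {
    # The data is a flat list of (source, destination) string pairs.
    # An empty destination means "delete the source at the next boot".
    $prop = Get-ItemProperty -Path $SessionManager -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $prop) { return }                      # nothing queued
    $data = @($prop.$ValueName)
    for ($i = 0; $i -lt $data.Count; $i += 2) {
        $source = $data[$i] -replace '^\\\?\?\\', ''            # strip the \??\ NT path prefix
        $dest   = if ($i + 1 -lt $data.Count) { $data[$i + 1] } else { '' }
        $dest   = $dest -replace '^!?\\\?\?\\', ''              # a leading "!" marks replace-existing
        [pscustomobject]@{
            Action      = if ($dest) { 'Rename' } else { 'Delete' }
            Source      = $source
            Destination = $dest
        }
    }
}

function Backup-SessionManagerKey {
    # Assumption: the backup goes to the current user's TEMP folder.
    param([string]$Path = "$env:TEMP\SessionManager-$(Get-Date -Format yyyyMMdd-HHmmss).reg")
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $Path
}

$pending = @(Get-PendingFileRename)
if ($pending.Count -eq 0) {
    'No pending file rename operations are queued.'
} else {
    $pending | Format-Table -AutoSize -Wrap
    "Backup written to $(Backup-SessionManagerKey)"
    # Only after reviewing the list, remove the entry from an elevated prompt:
    # Remove-ItemProperty -Path $SessionManager -Name $ValueName
}
```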

Verify Administrator account requirements

Review the following information before you begin the Security Manager installation.

● Log in as the Administrator, or use an account that is a member of the HPIPSC group, on the local computer.

NOTE: HP SM 3.4 or newer versions will enable only users added under HPIPSC group to access Security Manager.

● When logging into the HP Security Manager web application, make sure to use the correct Administrator credentials for the system where the Security Manager service is running, in the format <domain name>\<admin user> (AUTH\hpsmadmin, for example). If required, guest users can also be included.

● When installing the Security Manager web application and database on separate computers, verify that the account you use to install the Security Manager web application has the correct permissions to connect to the database. When installing the Security Manager web application and the database on the same computer, by default Microsoft SQL Server allows the Administrator to connect to the local database.

NOTE: Make sure that the Windows user installing Security Manager has at least the Create Database rights (sysadmin role preferred) on the MS SQL instance to create a new database. If desired, a different account can be used during the installation to create or upgrade Security Manager.

To upgrade the database, ensure that the Windows user installing the Security Manager has Database Owner (DBO) rights on the existing database to perform potential tasks using SQL commands on the database such as insert, update, alter, or create table.
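The rights described above can be checked before starting the installer. The PowerShell below is an added example, not HP code: it connects with Windows authentication as the current user and reports sysadmin membership, the server-level CREATE ANY DATABASE permission, and, for an upgrade, the effective database permissions for the operations the guide lists. The function names are assumptions, and the database name must be supplied by you because the guide does not state it.

```powershell
# Added example, not HP code. Run it as the Windows account that will run the installer.
function Get-SqlScalar {
    param([string]$ServerInstance, [string]$Database, [string]$Query, [hashtable]$Parameters = @{})
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source']         = $ServerInstance
    $builder['Initial Catalog']     = $Database
    $builder['Integrated Security'] = $true      # Windows authentication, no SQL login
    $builder['Connect Timeout']     = 10
    $connectionString = $builder.ToString()
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($name in $Parameters.Keys) {
            [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name])
        }
        return $cmd.ExecuteScalar()
    } finally {
        $conn.Dispose()
    }
}

function Test-InstallerSqlRights {
    param(
        [Parameter(Mandatory = $true)][string]$ServerInstance,   # <name of machine>\<name of database instance>
        [string]$DatabaseName                                    # existing database; leave empty for a new install
    )
    $result = [ordered]@{ ServerInstance = $ServerInstance }
    try {
        $result.Login      = Get-SqlScalar $ServerInstance 'master' 'SELECT SUSER_SNAME()'
        $result.IsSysadmin = (Get-SqlScalar $ServerInstance 'master' "SELECT IS_SRVROLEMEMBER('sysadmin')") -eq 1
        # Server-level permission needed to create a new database.
        $result.CanCreateDatabase = (Get-SqlScalar $ServerInstance 'master' `
            "SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE')") -eq 1

        if ($DatabaseName) {
            # Effective permissions are checked because sysadmin logins enter the
            # database as dbo rather than as a listed member of db_owner.
            $missing = foreach ($perm in 'INSERT', 'UPDATE', 'ALTER', 'CREATE TABLE') {
                $has = Get-SqlScalar $ServerInstance $DatabaseName `
                    "SELECT HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', @perm)" @{ '@perm' = $perm }
                if ($has -ne 1) { $perm }
            }
            $result.IsDbOwnerMember = (Get-SqlScalar $ServerInstance $DatabaseName `
                "SELECT IS_ROLEMEMBER('db_owner')") -eq 1
            $result.MissingDbRights = @($missing) -join ', '
        }
    } catch {
        # A failed login or unreachable instance is itself a finding.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# 'MyComputer\SQLExpress' is the guide's example instance name; replace it with your own.
Test-InstallerSqlRights -ServerInstance 'MyComputer\SQLExpress'
```

For a new installation, CanCreateDatabase should be True; for an upgrade, pass -DatabaseName and expect MissingDbRights to be empty.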

Install the prerequisite software

Before you install Security Manager, the following software will be installed on the computers where the Security Manager system will run:

NOTE: If required, the Security Manager installation program (HPSecurityManager_Setup.exe) will install these products during the installation, or on-screen prompts will display to install the software correctly.

● Microsoft .NET Framework 4.8 or newer versions

NOTE: After the installation of Security Manager is completed, run Microsoft Windows Update to ensure that the listed software is current.

Make sure to use Chrome 60, Microsoft Edge 79 (Chromium based), or Internet Explorer 11 or newer to run the Security Manager application.

2 Install the Security Manager system

Use one of the following methods to install Security Manager web application and database.

● Install the web application and the database on a local instance of an existing SQL server on a single computer.

NOTE: This method installs the Security Manager web application and the database on the same server.

● Install the web application on one server and install the database on another server by running the HPSM installer one time.

NOTE: This method installs the Security Manager database on a server that has an existing installation of Microsoft SQL (Server B), and installs the Security Manager web application on a separate server (Server A).

NOTE: In some cases, the rights to create and initialize the remote database might be missing and additional steps must be executed on the remote SQL server with the Security Manager database installed.

What you must provide

The following are the basic requirements to use Security Manager:

● A supported Microsoft Windows computer.

The following Microsoft Windows 64-bit operating systems are supported:

– Windows Server 2022, 2019, 2016, 2012, 2012 R2 and 2008 R2.

– Windows 11, 10, 8.1, and 8.

● Security Manager is supported in a VMware environment.

Requirements: Microsoft Windows Server 2012 R2 or later (64-bit versions) is a compatible guest operating system in VMware ESX and ESXi versions 4.0 Update 4 or later.

● A supported HP device (printer, MFP, digital sender, or a supported Zebra device).

For a current list of supported HP devices, go to the HP Security Manager product support page.

● Recommended: The latest HP device firmware version.

HP recommends that you install the latest firmware version to ensure that the devices contain the latest security updates and features. For firmware upgrade instructions, see the setup or user guides provided with the device.

● Recommended: The latest HP JetDirect firmware version.

HP JetDirect cards require firmware version 40.xx or newer. For firmware upgrade instructions, see the setup or user guides provided with the HP JetDirect. For products with embedded NICs, it is always recommended to use the latest firmware.

Install or use local SQL and create a new database

Use the following steps to install a local instance of SQL, to install Security Manager and create a new database on the SQL server on a single computer:

1. Log on to the computer where the Security Manager web application and database is or will be installed.

2. Launch the installer.

a. Copy the Security Manager installation program (HPSecurityManager_Setup.exe) to this computer.

b. Double-click the HPSecurityManager_Setup.exe file.

c. On the welcome window, click Next.

d. Review the license agreement, click I accept the terms of the license agreement, and then click Next.

3. On the Setup Type window, select Full install, and then click Next.

Figure 2-1 Full Install selected as Setup Type

4. Select the destination where you want to save the file(s).

● On the Choose Destination Location window, click Next to use the default folder.

OR

● Click Browse, locate and select a different folder, and then click Next.

The installer will now configure IIS and install the Flexera and HP Security Manager service. If the installer cannot configure IIS, then install and configure IIS manually (see Appendix A). After the IIS features have been configured manually, re-run the installer.

NOTE: If the warning 'A computer restart is required' is displayed even after restarting the computer, see the section Solve problems for a solution.

5. Select Install SQL Server Express 2019 and create and initialize a new database, click Next, and then wait for the installation to complete. A final verification will display when complete.

NOTE: Microsoft SQL Server 2019 supports Windows 10 and newer, and Windows Server 2016 and newer. If an installation is done on Windows 2012 or older, then an older version of SQL (Express) will have to be installed before HP Security Manager can be installed.

6. Select the Database Server.

a. In the Database Server field, use the default server listed or enter the database server instance using the format <name of machine>\<name of database instance>. For example, enter MyComputer\SQLExpress.

NOTE: It is recommended to NOT modify the Database Name field from the drop-down list when upgrading.

NOTE: The installer will automatically detect the database server instance and the selected database name while upgrading to the latest Security Manager version. If the installation program cannot connect to the database, it displays an error. Make sure that the account used to install the service has database connection privileges. For more information, see Verify Administrator account requirements on page 3.

b. If the Windows user who is running the installer does not have access permissions to the SQL database, select the check box Use the following Windows credentials instead of the current Windows user's credentials for SQL access, and then provide the Windows user as the Domain\User with the corresponding Password.

NOTE: The Domain\User and Password required on this screen are Windows authentication credentials for Windows and are not SQL credentials. The login fields are only enabled after selecting the check box which is intended to allow a Windows based account that has access to the SQL database to complete the database installation.

c. Click Next.

NOTE: HPSM can also use an SQL user account to access the database, but this must be configured after the HPSM installation. See the section Configure a SQL user account to access the database.

7. If Create and initialize a new database on an existing SQL Server, or upgrade an existing database is selected and an existing Security Manager database exists, the Database Already Exists window displays.

8. In the Database Already Exists window, select the Use existing database option.

NOTE: This window displays when upgrading a database that already exists on the local or remote SQL server. The database will be upgraded only if the Windows user upgrading the Security Manager installer has DBO rights on the database. If the database was not created previously on the remote SQL server and if the Windows user installing the Security Manager has permission rights to create a database on a remote SQL instance, then the Security Manager installer will proceed to create the remote database, or upgrade the database if it is an older version than the Security Manager version installed.

CAUTION: If the Re-initialize database option is selected, any existing data is permanently deleted.

9. Select Use an existing certificate for secure client communication, and then click Next.

NOTE: To create a new certificate, select Create a self-signed certificate. If installing a new certificate, make sure that the system where HP Security Manager is or will be installed is added to the domain and configured with the correct DNS. After installation, this new certificate is valid for 5 years. In case there are any certificate binding issues, access “Inetmgr” and manually perform the hpsm site binding. To view available certificates in mmc.exe, locate the Certificates (Local Computer), and then open the Personal folder.

10. Click Install to start the installation or upgrade.

Create a new database on an existing SQL server (local or remote)

Use the following steps to install the Security Manager web application and create a new database on a local instance of an existing SQL server on a single computer (can also be used to create a new database on a remote SQL server):

1. Log on to the computer where the Security Manager web application and database is or will be installed.

2. Launch the installer.

a. Copy the Security Manager installation program (HPSecurityManager_Setup.exe) to this computer.

b. Double-click the HPSecurityManager_Setup.exe file.

c. On the welcome window, click Next.

d. Review the license agreement, click I accept the terms of the license agreement, and then click Next.

3. On the Setup Type window, select Full install, and then click Next.

Figure 2-2 Full Install selected as Setup Type

4. Select the destination where you want to save the file(s).

● On the Choose Destination Location window, click Next to use the default folder.

OR

● Click Browse, locate and select a different folder, and then click Next.

The installer will now configure IIS and install the Flexera and HP Security Manager service. If the installer cannot configure IIS, then install and configure IIS manually (see Appendix A). After the IIS features have been configured manually, re-run the installer.

NOTE: If the warning 'A computer restart is required' is displayed even after restarting the computer, see the section Solve problems for a solution.

5. Select Create and initialize a new database on an existing SQL Server, or upgrade an existing database, click Next, and then wait for the process to complete.

NOTE: The Windows user must have proper permissions in the existing SQL Server instance to create a database.

NOTE: If the database was upgraded with the InstallSQLscripts.zip, you can also select Connect to an existing database on local or remote SQL server option.

NOTE: The Security Manager database does not support multiple service connections. Only one Security Manager service installation is set on the database.

6. Select the Database Server.

a. Select the Database Server from the drop-down list. If you need to change the default selection, click Browse and navigate to the correct server.

b. Select the Database Name from the drop-down list. If you changed the default server selection in the previous step, click Refresh to make the server name visible in the list, and then select it from the drop-down list.

NOTE: Security Manager will automatically detect the database server instance and the selected database name while upgrading to the latest Security Manager version. If the installation program cannot connect to the database, it displays an error. Make sure that the account used to install the service has database connection privileges. For more information, see Verify Administrator account requirements on page 3.

c. If the Windows user who is running the installer does not have access permissions to the SQL database, select the check box Use the following Windows credentials instead of the current Windows user's credentials for SQL access, and then provide the Windows user as the Domain\User with the corresponding Password.

NOTE: The Domain\User and Password required on this screen are Windows authentication credentials for Windows and are not SQL credentials. The login fields are only enabled after selecting the check box which is intended to allow a Windows based account that has access to the SQL database to complete the database installation.

d. When the Database Name displays, click Next.

7. Select Use an existing certificate for secure client communication, and then click Next.

NOTE: To create a new certificate, select Create a self-signed certificate. If installing a new certificate, make sure that the system where HP Security Manager is or will be installed is added to the domain and configured with the correct DNS. After installation, this new certificate is valid for 5 years. In case there are any certificate binding issues, access “Inetmgr” and manually perform the hpsm site binding. To view available certificates in mmc.exe, locate the Certificates (Local Computer), and then open the Personal folder.

8. Click Install to start the installation or upgrade.
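Before choosing Use an existing certificate for secure client communication in either of the two procedures above, it helps to know which certificates in the Personal store of Certificates (Local Computer) are actually suitable. The PowerShell below is an added example, not HP code; the function name, the 60-day warning window and the suitability criteria (private key present, not expired, Server Authentication usage, name matching this host) are assumptions about what a usable TLS server certificate needs, not requirements stated by the guide.

```powershell
# Added example (not HP code): review certificates in Cert:\LocalMachine\My,
# the store shown in mmc.exe as Certificates (Local Computer) > Personal.
function Get-ServerCertificateCandidate {
    param(
        # Assumption: clients reach the server by its DNS host name.
        [string]$HostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [int]$WarnDays = 60
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication enhanced key usage
    $now = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert  = $_
        $names = @($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode })
        $ekus  = @($cert.EnhancedKeyUsageList | Where-Object { $_ } | ForEach-Object { $_.ObjectId })

        # Exact match, or a wildcard that covers exactly one left-most label.
        $nameMatches = $false
        foreach ($name in $names) {
            if ($name -eq $HostName) {
                $nameMatches = $true
            } elseif ($name.StartsWith('*.') -and $HostName.Contains('.')) {
                if ($HostName.Substring($HostName.IndexOf('.')) -eq $name.Substring(1)) {
                    $nameMatches = $true
                }
            }
        }

        $expired    = $cert.NotAfter -lt $now -or $cert.NotBefore -gt $now
        # A certificate with no enhanced key usage extension is valid for all purposes.
        $serverAuth = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysLeft      = [int]($cert.NotAfter - $now).TotalDays
            ExpiresSoon   = (-not $expired) -and ($cert.NotAfter -lt $now.AddDays($WarnDays))
            SelfSigned    = $cert.Subject -eq $cert.Issuer
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = $serverAuth
            NameMatches   = $nameMatches
            Suitable      = $cert.HasPrivateKey -and $serverAuth -and $nameMatches -and (-not $expired)
        }
    }
}

Get-ServerCertificateCandidate |
    Sort-Object -Property Suitable, NotAfter -Descending |
    Format-Table Subject, NotAfter, DaysLeft, SelfSigned, HasPrivateKey, ServerAuth, NameMatches, Suitable -AutoSize
```

Running the same check periodically also catches the self-signed certificate created by the installer as it approaches the end of its 5-year validity.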

Point to an existing database on a remote SQL server (remote only)

Use the following steps to point to an existing database on a remote SQL server already installed Security Manager on a local instance of an SQL server on single computer. This method can be used if you do not have access to the SQL server with a current user account:

1. Log on to the computer where the Security Manager web application and database is or will be installed.

2. Launch the installer.

a. Copy the Security Manager installation program (HPSecurityManager_Setup.exe) to this computer.

b. Double-click the HPSecurityManager_Setup.exe file.

c. On the welcome window, click Next.

d. Review the license agreement, click I accept the terms of the license agreement, and then click Next.

3. On the Setup Type window, select Full install, and then click Next.

Figure 2-3 Full Install selected as Setup Type

4. Select the destination where you want to save the file(s).

● On the Choose Destination Location window, click Next to use the default folder.

OR

● Click Browse, locate and select a different folder, and then click Next.

The installer will now configure IIS and install the Flexera and HP Security Manager service. If the installer cannot configure IIS, then install and configure IIS manually (see Appendix A). After the IIS features have been configured manually, re-run the installer.

NOTE: If a warning is displayed 'A computer restart is required even after restarting the computer', see the section Solve Problems for a solution.

5. Select Connect to an Existing database on local or remote SQL server, click Next, and then wait for the process to complete.

NOTE: The existing database version must match the HP Security Manager installation version before starting the HP Security Manager as no attempt will be made to upgrade an older database. Only one Security Manager application instance is used on the database. The Security Manager database does not support multiple service connections.

6. If Create and initialize a new database on an existing SQL Server, or upgrade an existing database is selected and an existing Security Manager database exists, the Database Already Exists window displays.

7. Select the Database Server.

a. Select the Database Server from the drop-down list. If you need to change the default selection, click Browse and navigate to the correct server.

b. Select the Database Name from the drop-down list. If you changed the default server selection in the previous step, click Refresh to make the server name visible in the list, and then select it from the drop-down list.

NOTE: Security Manager will automatically detect the database server instance and the selected database name while upgrading to the latest Security Manager version. If the installation program cannot connect to the database, it displays an error. Make sure that the account used to install the service has database connection privileges. For more information, see Verify Administrator account requirements on page 3.

c. If the Windows user who is running the installer does not have access permissions to the SQL database, select the check box Use the following Windows credentials instead of the current Windows user's credentials for SQL access, and then provide the Windows user as the Domain\User with the corresponding Password.

NOTE: The Domain\User and Password required on this screen are Windows authentication credentials, not SQL credentials. The login fields are enabled only after the check box is selected; the option allows a Windows account that has access to the SQL database to complete the database installation.

d. When the Database Name displays, click Next.

8. Select Use an existing certificate for secure client communication, and then click Next.

NOTE: To create a new certificate, select Create a self-signed certificate. If installing a new certificate, make sure that the system where HP Security Manager is or will be installed is added to the domain and configured with the correct DNS. After installation, this new certificate is valid for 5 years. In case there are any certificate binding issues, access “Inetmgr” and manually perform the hpsm site binding. To view available certificates in mmc.exe, locate the Certificates (Local Computer), and then open the Personal folder.

9. Click Install to start the installation or upgrade.

10. When the HP Security Manager service starts, stop and exit the service and continue to section Install the database on another computer.

NOTE: After the installation is complete, HP Security Manager service will automatically start but it cannot start correctly because the SQL database has not yet been initialized. The database must be initialized before running HP Security Manager.

Install the database on another computer

Use the following steps to install Security Manager on two computers (the web application on one computer and the HP Security Manager on another computer).

If you want to use the install wizard on both computers without manually stopping and restarting the HP Security Manager service, then you should first install the Database on computer B, and then install HP Security Manager on computer A after the database has been installed.

If you want to install and initialize the Database on computer B with the InstallSQLscripts, select the Extract Database Installation Script option.

NOTE: When performing a clean install of HPSM, all three options display (shown below). When upgrading an existing installation, only the Database Only installation option displays.

After selecting the Extract Database Installation Script option, then extract the InstallSQLScripts.zip file on computer A. You can also use the extracted InstallSQLscripts.zip file on Computer B. The zip file contains a .txt file which explains the usage of the SQL scripts.

After the scripts have been executed and the database has been initialized on Computer B, you can continue installing HP Security Manager using the 'Full Install' on Computer A with Remote DB (Computer B) option.

When the SQL scripts are used to configure the remote database, then the HPSM installer does not need to be run on the remote server.

To initialize the database using the HPSM installer, follow these steps:

1. Install and configure Microsoft SQL Server on the same computer on which the Security Manager database will run, if required. For instructions, see the installation and configuration documentation for Microsoft SQL Server.

NOTE: By default, Microsoft SQL Server Express does not allow remote connections. If Microsoft SQL Server Express is used in this configuration, use the instructions on the Microsoft website (support.microsoft.com/kb/914277) to allow remote connections.

2. Log on to the computer where the Security Manager database is located.

3. Launch the installer.

a. Copy the Security Manager installation program (HPSecurityManager_Setup.exe) to this computer.

b. Double-click the HPSecurityManager_Setup.exe file.

c. On the welcome window, click Next.

d. Review the license agreement, click I accept the terms of the license agreement, and then click Next.

4. On the Setup Type window, select Database Only, and then click Next.

Figure 2-4 Database Only selected as Setup Type

5. On the Select Database Server window, click Browse, locate and select the Microsoft SQL server, and then click Next.

6. Use the instructions provided in Configure remote database security on page 46 to allow access by the Security Manager service.

NOTE: After the changes are completed, continue with the next step to install the Security Manager service and user interface on another server. See section Point to an existing database on a remote SQL server.

7. Log on to the computer where the Security Manager web application (service and user interface) is installed or will be run.

8. Launch the installer.

a. Copy the Security Manager installation program (HPSecurityManager_Setup.exe) to this computer.

b. Double-click the HPSecurityManager_Setup.exe file.

c. On the welcome window, click Next.

d. Review the license agreement, click I accept the terms of the license agreement, and then click Next.

9. On the Setup Type window, select Full install, and then click Next.

Figure 2-5 Full Install selected as Setup Type

10. Select the destination where you want to save the file(s).

● On the Choose Destination Location window, click Next to use the default folder.

OR

● Click Browse, locate and select a different folder, and then click Next.

The installer will now configure IIS and install the Flexera and HP Security Manager service. If the installer cannot configure IIS, then install and configure IIS manually (see Appendix A). After the IIS features have been configured manually, re-run the installer.

NOTE: If a warning is displayed 'A computer restart is required even after restarting the computer', see the section Solve Problems for a solution.

11. Select Create and initialize a new database on an existing SQL Server, or upgrade an existing database, click Next, and then wait for the process to complete.

NOTE: The Windows user must have proper permissions in the existing SQL Server instance to create a database.

NOTE: If the database was upgraded with the InstallSQLscripts.zip, you can also select Connect to an existing database on local or remote SQL server option.

NOTE: The Security Manager database does not support multiple service connections. Only one Security Manager service installation is set on the database.

12. Select the Database Server.

a. Select the Database Server from the drop-down list. If you need to change the default selection, click Browse and navigate to the correct server.

b. Select the Database Name from the drop-down list. If you changed the default server selection in the previous step, click Refresh to make the server name visible in the list, and then select it from the drop-down list.

NOTE: Security Manager will automatically detect the database server instance and the selected database name while upgrading to the latest Security Manager version. If the installation program cannot connect to the database, it displays an error. Make sure that the account used to install the service has database connection privileges. For more information, see Verify Administrator account requirements on page 3.

c. If the Windows user who is running the installer has full access to the HPSM database, then click Next. If you need to access the database with another Windows user account, select the check box Use the following Windows credentials instead of the current Windows user's credentials for SQL access.

NOTE: The Domain\User and Password required on this screen are Windows authentication credentials, not SQL credentials. The login fields are enabled only after the check box is selected; the option allows a Windows account that has access to the SQL database to complete the database installation.

d. When the Database Name displays, click Next.

13. In the Database Already Exists window, select the Use existing database option.

NOTE: This window displays when upgrading a database that already exists on the local or remote SQL server. The database will be upgraded only if the Windows user upgrading the Security Manager installer has DBO rights on the database. If the database was not created previously on the remote SQL server and if the Windows user installing the Security Manager has permission rights to create a database on a remote SQL instance, then the Security Manager installer will proceed to create the remote database, or upgrade the database if it is an older version than the Security Manager version installed.

CAUTION: If the Re-initialize database option is selected, any existing data is permanently deleted.

14. Select Use an existing certificate for secure client communication, and then click Next.

NOTE: To create a new certificate, select Create a self-signed certificate. If installing a new certificate, make sure that the system where HP Security Manager is or will be installed is added to the domain and configured with the correct DNS. After installation, this new certificate is valid for 5 years. In case there are any certificate binding issues, access “Inetmgr” and manually perform the hpsm site binding. To view available certificates in mmc.exe, locate the Certificates (Local Computer), and then open the Personal folder.

15. Click Install to start the installation or upgrade.

3 Upgrade the Security Manager system

Use one of the following methods to upgrade an existing installation of Security Manager, depending on how it is currently installed.

NOTE: The Security Manager (HPSM) installation program determines whether an earlier version is installed and can be upgraded. Make sure to use the same version of the Security Manager for both the web application and the database.

● Upgrade the web application and the database on a local instance of an existing SQL server on a single computer.

NOTE: This method upgrades the Security Manager service, the user interface, and the database at one time when they are installed on the same server.

● Upgrade the web application on one server and update the database on a separate server by running the HPSM installer one time.

NOTE: This method upgrades the Security Manager database on a server that contains an existing installation of Microsoft SQL Server (Server B), and then upgrades the Security Manager web application (service and user interface) that is installed on a separate server (Server A).

Upgrade the web application and database on the same computer

Use the following steps to upgrade Security Manager on a single computer:

NOTE: To perform an upgrade, the installation program uninstalls the current Security Manager version, installs the new version, and then upgrades the database. Before running the installation program, verify that you have done a complete backup of the entire Security Manager system.

1. Log on to the computer where the Security Manager web application and database is or will be installed.

2. Launch the installer.

a. Copy the Security Manager installation program (HPSecurityManager_Setup.exe) to this computer.

b. Double-click the HPSecurityManager_Setup.exe file.

3. Click Install to begin the installation.

4. Back up the database and then click Yes to continue the upgrade. A message displays indicating that the program is uninstalling an older version of Security Manager and upgrading to the newer version in the same location where it is already installed.

5. Select Create and initialize a new database on an existing SQL Server, or upgrade an existing database, click Next, and then wait for the process to complete.

NOTE: The Windows user must have proper permissions in the existing SQL Server instance to create a database.

NOTE: If the database was upgraded with the InstallSQLscripts.zip, you can also select Connect to an existing database on local or remote SQL server option.

NOTE: The Security Manager database does not support multiple service connections. Only one Security Manager service installation is set on the database.

6. Select the Database Server.

a. In the Database Server field, use the default server listed or enter the database server instance using the format <name of machine>\<name of database instance>. For example, enter MyComputer\SQLExpress.

NOTE: It is recommended to NOT modify the Database Name field from the drop-down list when upgrading.

NOTE: The installer will automatically detect the database server instance and the selected database name while upgrading to the latest Security Manager version. If the installation program cannot connect to the database, it displays an error. Make sure that the account used to install the service has database connection privileges. For more information, see Verify Administrator account requirements on page 3.

b. If the Windows user who is running the installer does not have access permissions to the SQL database, select the check box Use the following Windows credentials instead of the current Windows user's credentials for SQL access, and then provide the Windows user as the Domain\User with the corresponding Password.

NOTE: The Domain\User and Password required on this screen are Windows authentication credentials, not SQL credentials. The login fields are enabled only after the check box is selected; the option allows a Windows account that has access to the SQL database to complete the database installation.

c. Click Next.

NOTE: HPSM can also use an SQL user account to access the database, but this must be configured after the HPSM installation. See the section Configure a SQL user account to access the database.

7. In the Database Already Exists window, select the Use existing database option.

NOTE: This window displays when upgrading a database that already exists on the local or remote SQL server. The database will be upgraded only if the Windows user upgrading the Security Manager installer has DBO rights on the database. If the database was not created previously on the remote SQL server and if the Windows user installing the Security Manager has permission rights to create a database on a remote SQL instance, then the Security Manager installer will proceed to create the remote database, or upgrade the database if it is an older version than the Security Manager version installed.

CAUTION: If the Re-initialize database option is selected, any existing data is permanently deleted.

8. Select Use an existing certificate for secure client communication, and then click Next.

NOTE: To create a new certificate, select Create a self-signed certificate. If installing a new certificate, make sure that the system where HP Security Manager is or will be installed is added to the domain and configured with the correct DNS. After installation, this new certificate is valid for 5 years. In case there are any certificate binding issues, access “Inetmgr” and manually perform the hpsm site binding. To view available certificates in mmc.exe, locate the Certificates (Local Computer), and then open the Personal folder.

9. Select the certificate and then click Next.

10. To close the wizard click Finish, or to view the installation log file, select the check box Yes, I want to view the log file and then click Finish.

Upgrade the web application on one computer and update the database on another computer

Use this option to connect to a Security Manager database located on a remote Microsoft SQL Server installation.

Use the following steps to upgrade the Security Manager database. The steps vary depending on whether or not the user has access rights to remotely upgrade the database.

If the Windows user upgrading Security Manager does not have access rights to upgrade the database remotely, first upgrade the database on the remote system, and then upgrade the Security Manager web application.

If the Windows user does have access rights, then use the Security Manager installer to upgrade the remote database while upgrading the HP Security Manager web application, or use the InstallSQLscripts.zip file to upgrade the database on another computer.

NOTE: If you want to install and initialize the Database on computer B with the InstallSQLscripts, select the Extract Database Installation Script option and then extract the InstallSQLScripts.zip file on Computer B. The option Extract Database Installation will not be available when running the installer on a system where an older version of HPSM is already installed. In that case the installer will detect the older version and show the HPSM upgrade screens. The zip file contains a .txt file which explains the usage of the SQL scripts.

After the scripts have been executed and the database has been upgraded on Computer B, you can continue upgrading HP Security Manager on Computer A with Remote DB (Computer B).

If you first upgrade the HP Security Manager web application, then stop the HP Security Manager service after installation. After stopping the service, upgrade the DB on the remote server. Once the upgrade has been completed, restart the HP Security Manager service.

NOTE: The installation program uninstalls the current Security Manager version, installs the new version, and then upgrades the database.

Before running the installation program, verify that you have done a complete backup of the entire Security Manager system. Make sure that the Security Manager web application and database have the same version for the system to work.

Upgrade HP Security Manager and the remote database using the installer with full access rights to the remote database

Follow these steps to upgrade HP Security Manager and the remote database from the server where Security Manager is installed when you have full database access rights to the remote database available.

To upgrade the web application from the server on which HP Security Manager is installed using the InstallShield wizard:

1. Configure remote database security to allow the Security Manager service to access the database. See the instructions provided in Configure remote database security on page 46. After the changes are completed, continue with the next step.

2. Log on to the computer where the Security Manager web application (service and user interface) is installed or will be run.

3. Launch the installer.

a. Copy the Security Manager installation program (HPSecurityManager_Setup.exe) to this computer.

b. Double-click the HPSecurityManager_Setup.exe file.

c. On the welcome window, click Next.

d. Review the license agreement, click I accept the terms of the license agreement, and then click Next.

4. Select Create and initialize a new database on an existing SQL Server, or upgrade an existing database, click Next, and then wait for the process to complete.

NOTE: The Windows user must have proper permissions in the existing SQL Server instance to create a database.

NOTE: If the database was upgraded with the InstallSQLscripts.zip, you can also select Connect to an existing database on local or remote SQL server option.

NOTE: The Security Manager database does not support multiple service connections. Only one Security Manager service installation is set on the database.

5. Select the Database Server.

a. Select the Database Server from the drop-down list. If you need to change the default selection, click Browse and navigate to the correct server.

b. Select the Database Name from the drop-down list. If you changed the default server selection in the previous step, click Refresh to make the server name visible in the list, and then select it from the drop-down list.

NOTE: Security Manager will automatically detect the database server instance and the selected database name while upgrading to the latest Security Manager version. If the installation program cannot connect to the database, it displays an error. Make sure that the account used to install the service has database connection privileges. For more information, see Verify Administrator account requirements on page 3.

c. If the Windows user who is running the installer has full access to the HPSM database, then click Next. If you need to access the database with another Windows user account, select the check box Use the following Windows credentials instead of the current Windows user's credentials for SQL access.

NOTE: The Domain\User and Password required on this screen are Windows authentication credentials, not SQL credentials. The login fields are enabled only after the check box is selected; the option allows a Windows account that has access to the SQL database to complete the database installation.

d. When the Database Name displays, click Next.

6. In the Database Already Exists window, select the Use existing database option.

NOTE: This window displays when upgrading a database that already exists on the local or remote SQL server. The database will be upgraded only if the Windows user upgrading the Security Manager installer has DBO rights on the database. If the database was not created previously on the remote SQL server and if the Windows user installing the Security Manager has permission rights to create a database on a remote SQL instance, then the Security Manager installer will proceed to create the remote database, or upgrade the database if it is an older version than the Security Manager version installed.

CAUTION: If the Re-initialize database option is selected, any existing data is permanently deleted.

7. Select Use an existing certificate for secure client communication, and then click Next.

NOTE: To create a new certificate, select Create a self-signed certificate. If installing a new certificate, make sure that the system where HP Security Manager is or will be installed is added to the domain and configured with the correct DNS. After installation, this new certificate is valid for 5 years. In case there are any certificate binding issues, access “Inetmgr” and manually perform the hpsm site binding. To view available certificates in mmc.exe, locate the Certificates (Local Computer), and then open the Personal folder.

8. To close the wizard click Finish, or to view the installation log file, select the check box Yes, I want to view the log file and then click Finish.
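The notes in this procedure make the outcome depend on the rights of the installing Windows account: DBO rights to upgrade an existing database, or permission to create one. The following PowerShell script is an added example, not part of the HP guide, that checks both over Windows authentication before the installer is run. It assumes that "DBO rights" means membership in the db_owner role; the parameter and function names are the script's own.

```powershell
# Added example (not HP-supplied): check what the current Windows account may do
# on the SQL Server instance before starting the Security Manager installer.
param(
    [Parameter(Mandatory)][string]$ServerInstance,   # <name of machine>\<name of database instance>, e.g. MyComputer\SQLExpress
    [Parameter(Mandatory)][string]$Database          # the actual Security Manager database name
)

$ErrorActionPreference = 'Stop'

function New-ConnectionString([string]$Catalog) {
    # The builder escapes values, so unusual instance or database names cannot break the string.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']         = $ServerInstance
    $b['Initial Catalog']     = $Catalog
    $b['Integrated Security'] = $true     # Windows authentication, not a SQL login
    $b['Connect Timeout']     = 10
    $b.ToString()
}

function Invoke-SqlScalar([string]$Catalog, [string]$Query, [hashtable]$Parameters = @{}) {
    $conn = New-Object System.Data.SqlClient.SqlConnection (New-ConnectionString $Catalog)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($name in $Parameters.Keys) {
            [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name])
        }
        $result = $cmd.ExecuteScalar()
        if ($result -is [System.DBNull]) { return $null }   # SQL NULL -> $null
        $result
    }
    finally { $conn.Dispose() }
}

# Server-level facts, read from master.
$login     = Invoke-SqlScalar 'master' 'SELECT SUSER_SNAME()'
$canCreate = Invoke-SqlScalar 'master' "SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE')"
# HAS_DBACCESS: 1 = accessible, 0 = exists but not accessible, NULL = no such database.
$dbAccess  = Invoke-SqlScalar 'master' 'SELECT HAS_DBACCESS(@db)' @{ '@db' = $Database }

# Role membership is evaluated inside the target database, so connect to it.
$isOwner = $false
if ($dbAccess -eq 1) {
    $isOwner = (Invoke-SqlScalar $Database "SELECT IS_MEMBER('db_owner')") -eq 1
}

$verdict = if ($null -eq $dbAccess) {
    if ($canCreate -eq 1) {
        'Database not found; this account may create it, so the installer can create and initialize it.'
    } else {
        'Database not found and this account may not create one. Supply other Windows credentials in the installer or use the SQL scripts on the database server.'
    }
} elseif ($dbAccess -eq 0) {
    'Database exists but this account cannot open it. Supply other Windows credentials in the installer or use the SQL scripts on the database server.'
} elseif ($isOwner) {
    'Database exists and this account is in db_owner; the installer can upgrade it.'
} else {
    'Database is reachable but this account is not in db_owner; the installer will not upgrade it.'
}

[pscustomobject]@{
    Login             = $login
    ServerInstance    = $ServerInstance
    Database          = $Database
    DatabaseFound     = ($null -ne $dbAccess)
    CanOpenDatabase   = ($dbAccess -eq 1)
    IsDbOwner         = $isOwner
    CanCreateDatabase = ($canCreate -eq 1)
    Verdict           = $verdict
} | Format-List
```

Run it as the Windows user who will start the installer, because the result describes only the account that opens the connection.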

Upgrade the HP Security Manager remote database and web application with no database access rights using SQL scripts

If full database access rights are not available from the server, follow these steps to first upgrade the remote database and then upgrade the HP Security Manager web application.

To upgrade the web application on a remote database when you don't have access rights to the remote database, use SQL scripts.

The remote database needs to be upgraded first when the user running the installer on the Security Manager server does not have full access rights to the Security Manager database.

After the database has been upgraded using SQL scripts, the Security Manager web application can be upgraded using the installer.

1. Download and extract the SQL scripts.

NOTE: The SQL scripts can also be extracted from any client PC.

a. Launch the installer.

b. Copy the Security Manager installation program (HPSecurityManager_Setup.exe) to this computer.

c. Double-click the HPSecurityManager_Setup.exe file.

d. Click Install to begin the installation.

e. Select the Extract Database Installation Script option and click Next.

f. Click Browse to select a destination folder other than the C: drive, navigate to and select the installation folder from the directory, click OK, and then click Next.

g. After the database installation scripts are extracted successfully, a message prompt displays to continue the installation. Select No to cancel it.

h. When the InstallShield Wizard Completed screen displays, select Finish to close the installer.

The InstallSqlScripts.zip is downloaded to the selected destination.

i. Unzip the InstallSqlScripts.zip.

The extracted files include a ReadMe file with all details and instructions.

2. Stop and shut down the Security Manager service.

IMPORTANT: Do not skip this step. The service must be stopped before continuing to ensure a successful upgrade.

3. Back up the database.

4. Upgrade the database.

a. Run the update command from a command prompt using administrator rights. For more information, see the ReadMe file that corresponds with the script file.

InstallOrUpgradeRemoteDB .\Instancename HPIPSC_DB_name RemoteDB

Where Instancename is the name of the SQL instance

Where HPIPSC_DB should be replaced with the actual database name

When complete, a status prompt displays: Create/Upgrade Database successfully completed!!!

b. Log on to the computer where the Security Manager database is located.

NOTE: The initial steps are only needed to retrieve the InstallSQLScripts.zip and can be done from any PC without an HP Security Manager installation.

c. Run the batch file.

NOTE: If you do not want to run the batch file using steps below, see Appendix B for instructions on how to Run SQL install/upgrade scripts from SQL Management Studio.

The database upgrade is complete. Continue with the next step to update the HP Security Manager web application.

5. Go to the Security Manager server and start the installer (HPSecurityManager_Setup.exe) from this server, and wait for the wizard to prepare the files and extract the .msi.

6. Select Yes to continue the upgrade, and wait for the wizard to verify the IIS configuration.

A message displays indicating that the program is uninstalling an older version of Security Manager and upgrading to the newer version.

7. Select Connect to an Existing database on local or remote SQL server, and click Next.

NOTE: The existing database version must match the HP Security Manager installation version before starting the HP Security Manager as no attempt will be made to upgrade an older database. Only one Security Manager application instance is used on the database. The Security Manager database does not support multiple service connections.

8. Select the Database Server.

a. Select the Database Server from the drop-down list. If you need to change the default selection, click Browse and navigate to the correct server.

b. Select the Database Name from the drop-down list. If you changed the default server selection in the previous step, click Refresh to make the server name visible in the list, and then select it from the drop-down list.

NOTE: Security Manager will automatically detect the database server instance and the selected database name while upgrading to the latest Security Manager version. If the installation program cannot connect to the database, it displays an error. Make sure that the account used to install the service has database connection privileges. For more information, see Verify Administrator account requirements on page 3.

c. When the Database Name displays, click Next.

9. In the Database Already Exists window, select the Use existing database option.

NOTE: This window displays when upgrading a database that already exists on the local or remote SQL server. The database will be upgraded only if the Windows user upgrading the Security Manager installer has DBO rights on the database. If the database was not created previously on the remote SQL server and if the Windows user installing the Security Manager has permission rights to create a database on a remote SQL instance, then the Security Manager installer will proceed to create the remote database, or upgrade the database if it is an older version than the Security Manager version installed.

CAUTION: If the Re-initialize database option is selected, any existing data is permanently deleted.

10. Select Use an existing certificate for secure client communication, and then click Next.

NOTE: To create a new certificate, select Create a self-signed certificate. If installing a new certificate, make sure that the system where HP Security Manager is or will be installed is added to the domain and configured with the correct DNS. After installation, this new certificate is valid for 5 years. In case there are any certificate binding issues, access “Inetmgr” and manually perform the hpsm site binding. To view available certificates in mmc.exe, locate the Certificates (Local Computer), and then open the Personal folder.

11. Click Install to start the installation or upgrade.

12. When prompted, make sure the IPSC database has been upgraded and then click OK.

13. To close the wizard click Finish, or to view the installation log file, select the check box Yes, I want to view the log file and then click Finish.

4 Configure Security Manager

Use the following sections to configure Security Manager.

Configure Auto Logout and Account Lockout

After 5 failed login attempts, users are unable to log in for 30 minutes. This is the default Account Lockout setting. After logging in successfully, users remain logged in, even after hours of inactivity. This is the default Auto Logout setting.

This behavior can be changed in the Web.config file which is located in the installed directory:

For example, C:\Program Files (x86)\HP Security Manager\WebApp

The following options are available for this:

● <add key="MaximumInvalidLoginCount" value="5" />

● <!--UserAccountLockoutDurationInMins: Invalid attempt 5 times will suspend the user till 30 minutes -->

● <add key="UserAccountLockoutDurationInMins" value="30" />

● <!--AutoLogoutAfter: Autologout is disable -->

● <!--<add key="AutoLogoutAfter" value="20" />-->

● <!--AutoLogoutEnabled: Disable Autologout -->

● <add key="AutoLogoutEnabled" value="false" />

After making changes to this file, restart or recycle the HPSM application pool in IIS.

Configure Policy Change Notification

Security Manager can send policy change notifications when a task is running and is using a policy setting that has changed since the task last ran. These notifications can be registered as a Windows event, sent by e-mail, or both. The notification recipients can be configured under Settings, Automated Email.

Policy change notification can be enabled in the HPSM_service.exe.config file. When enabled, Windows events will be created. Once it is enabled, policy change notifications via e-mail can be enabled as well. It is not possible to enable only the e-mail notification.

The following settings are available for this:

● <add key="enablePolicyChangeNotification" value="false" />

● <!-- emailPolicyChangeNotification: Enable/Disable email Policy Change Notification-->

● <add key="emailPolicyChangeNotification" value="false" />

After making changes to this file, restart the HP Security Manager service.

Configure device replacement and hostname changes behavior

Over time, existing devices on the network might be replaced with newer devices or reconfigured (for example, with a new hostname). During the device replacement, the new device can obtain the same IP address or hostname as the original device. When the same IP address or hostname is used and found during a discovery, Security Manager needs to decide whether to overwrite the old device or to create new entries in the database with the same IP address or hostname.

This behavior is controlled with the following variables in the HPSM_service.exe.config file:

● <!-- OverwriteDeviceWhenIPsMatches: Overwrites all device details of an existing device if IP addresses of a discovered device matches IP address of an existing device in DB during discovery/verify/remediation. If set to false, a new device with same IP will be created in DB. Default value: true-->

● <add key="OverwriteDeviceDetailsWhenIPsMatches" value="true" />

● <!--OverwriteDeviceWhenHostNameMatches: Overwrites all device details of an existing device if hostname of a discovered device matches hostname of an existing device in DB during discovery/verify/remediation. When set to false a new device with the same hostname will be created in the DB. Default value: true-->

● <add key="OverwriteDeviceWhenHostNameMatches" value="true" />

After making changes to this file, restart the HP Security Manager service.

Configure Database Maintenance

Learn how to configure database maintenance for Security Manager.

By default, HPSM runs a nightly maintenance task starting at 01:00h. The start time is not configurable. The maintenance task will stop after the configured duration window even if it has not been completed and will continue the following night. This duration window is a configurable option (the default is 30 minutes).

During the nightly maintenance, a weekly index tuning is performed along with several other activities such as Database (DB) shrinking, Indexing, Cleaning up tables like Scheduled Tasks, Reports data, etc.

Follow these steps to configure database maintenance parameters and control the maintenance behavior:

NOTE: If the shrinkDB or IndexPerformanceTuning parameter is disabled, then the database must be manually monitored and cleaned up.

1. Open the HPSM_service.exe.config file.

2. Configure the maintenance duration window using the ClearOldRecommendationTasksMaxDuration parameter.

<!--Maximum duration to clear all old recommendation data (in minutes) at maintenance. Default is 30 minutes-->

<add key="ClearOldRecommendationTasksMaxDuration" value="30" />

3. Configure daily and weekly maintenance options using the manageDB, ShrinkDB, and IndexPerformanceTuning parameters.

NOTE: If the shrinkDB or IndexPerformanceTuning parameter is disabled, then the database must be manually monitored and cleaned up.

● manageDB - Use the value true/false for all maintenance tasks (daily and weekly) to enable or disable DB Shrinking, Indexing, Cleaning up tables like Scheduled Tasks, Reports data, etc. In order to prevent unnecessary database growth, it’s recommended to always keep this parameter set to true.

<!--manageDB: If set to false then Maintenance task will not perform clean up -->

<add key="manageDB" value="true" />

● shrinkDB - If this value is set to true when manageDB is also set to true, HPSM performs database shrink operations with the weekly maintenance task.

<!--shrinkDB: When the value for shrinkDB and manageDB is True, shrink the database logfile -->

<add key="shrinkDB" value="true" />

● IndexPerformanceTuning - If this value is set to true when manageDB is also set to true, HPSM re-indexes during the nightly or weekly maintenance. When set to true, HPSM changes the DB Recovery mode to SIMPLE before indexing and then restores the previous setting after the re-indexing operation has been completed.

<!--IndexPerformanceTuning: When value is true,Rebuild and Reorganize the indexes which are more fragmentation level in DB on daily or weekly or monthly based on IndexTuningFrequency and IndexTuningDayOrDate parameter from the app.config (night 1 am)-->

<add key="IndexPerformanceTuning" value="true" />

● SetRecoveryModeForMaintenance - When set to true, HPSM will set the recovery mode to "SIMPLE" before the maintenance task starts and HPSM will set back the recovery mode to its original configuration. If set to false, then HPSM will not change the recovery mode and will use the configured recovery mode during the maintenance task (which can be SIMPLE or FULL).

NOTE: Setting it to false will prevent the following error in the maintenance.log file: 2022-02-10 01:01:01,497 ERROR MaintenanceTask - Error - May be a DB access issue - calling SetRecoveryModeSystem.Data.SqlClient.SqlException (0x80131904): The operation cannot be performed on database "HPIPSC" because it is involved in a database mirroring session or an availability group. Some operations are not allowed on a database that is participating in a database mirroring session or in an availability group.

ALTER DATABASE statement failed.

4. Configure weekly maintenance of indexing using the IndexTuningFrequency and IndexTuningDayOrDate parameters.

<!--IndexTuningFrequency: Possible values: Daily, Weekly, Monthly-->

<add key="IndexTuningFrequency" value="Weekly" />

<!--IndexTuningDayOrDate: For Monthly run, Possible range: 1 to 31. For weekly run, possible value: Sunday to Saturday or 1 to 7 -->

<add key="IndexTuningDayOrDate" value="Sunday" />

5. After making changes to this file, restart the HP Security Manager service.

Export reports to customized locations

To export the reports of the Security Manager into customized locations, make changes to the following “Config files” in the Installation folder:

● HPSM_Service.exe.config file

● Web.config file

The “Config files” are located in the following installed path by default:

● For example, HPSM_Service.exe.config file: C:\Program Files (x86)\HP JetAdvantage Security Manager\HPSM_Service.exe.config

● For example, Web.Config file: C:\Program Files (x86)\HP JetAdvantage Security Manager\WebApp\Web.config

In the HPSM_Service.exe.config file and the Web.config file of WebApp, make sure to configure the file location as the following value for the key “exportReportsFileLocation”.

NOTE: If the SMTP server does not have the capacity to send large files over email, export the following file location in HPSM_Service.exe.config file as "sendOnlyExecutiveSummaryOverEmail" to send the Executive summary report over email.

Configure remote access to the Security Manager web application

The Security Manager web application must be configured to allow user access from a remote computer.

By default, the web application allows remote access to all users who are members of the local Administrators group on the machine on which the Security Manager web application runs. All other users who require remote access must be added to the local group named HP Security Manager, which the installation program creates, on the machine on which the Security Manager web application is installed.

NOTE: Use the following steps to add a user to the local group named HP Security Manager:

1. Click Start, right-click My Computer, and then select Manage.

2. From the System Tools item, select Local Users and Groups, and then select Groups.

3. From the group name list, right-click HP Security Manager, and then select Add to Group.

4. Click Add, and then enter the name of the account.

5. Click OK to save the changes.

For instructions on configuring the firewall for remote access to the Security Manager web application, see Firewall configuration for remote access on page 55.

Configure remote database security

If the database was installed remotely from the Security Manager service, the database must be configured to allow access by the service.

The Security Manager service runs as NT AUTHORITY/NETWORK SERVICE. When the service accesses the Security Manager database across the network, it uses the service computer’s credentials, which is an account named <Domain Name>\<Computer Name>$. The dollar symbol ($) must be appended to the computer name. For the Security Manager service to access the database, use Microsoft SQL Server Management Studio to add the computer account to the logins for this database instance, add this account as a user for the database, and make this account an owner of the database.

NOTE: Microsoft SQL Server Management Studio is a free tool available from Microsoft and can be obtained from the Microsoft download site.

In the following steps, the computer account is AUTH\hpsmserver$, where AUTH is the domain name, hpsmserver is the computer name, and the dollar symbol ($) is appended to the computer name.

1. Open the database in Microsoft SQL Server Management Studio.

a. Log on to the computer where the Microsoft SQL Server instance is installed.

b. To start Microsoft SQL Server Management Studio, click Start, and then select All Programs. Select Microsoft SQL Server, and then click SQL Server Management Studio.

c. Select the database instance where the Security Manager database is installed.

d. Expand the Security folder.

e. Right-click Logins, and then select New Login.

2. Enter the account name in the Login name field. In this example, the login name is AUTH\hpsmserver$.

3. Select the HPIPSC option.

a. From the Select a page panel, click User Mapping.

b. From the Users mapped to this login table, select the check box for HPIPSC.

c. From the Database role membership for: HPIPSC panel, select the check box for db_owner.

d. Click OK to save the changes and then exit.

Configure database security for the existing Microsoft SQL Servers

If you use Microsoft SQL Server 2014 or SQL Server 2014 Express locally or remotely, the database must be configured to allow access by the Security Manager service.

The Security Manager service runs as NT AUTHORITY/NETWORK SERVICE. When the service accesses the Security Manager database, it must have the correct credentials to access the Microsoft SQL Server 2014 or SQL Server 2014 Express database. Use Microsoft SQL Server Management Studio to add the service name and to connect to the database for users.

NOTE: Microsoft SQL Server Management Studio is a free tool available from Microsoft. The tool for Microsoft SQL Server 2014 or SQL Server 2014 Express can be obtained from the Microsoft download site.

1. Open the database in Microsoft SQL Server Management Studio.

a. Log on to the computer where the Microsoft SQL Server instance is installed.

b. To start Microsoft SQL Server Management Studio, click Start, and then select All Programs. Select Microsoft SQL Server, and then click SQL Server Management Studio.

c. Select the database instance where the Security Manager database is installed.

d. Expand the Security folder.

e. Right-click Logins, and then select New Login.

2. Enter the account name of NT AUTHORITY\NETWORK SERVICE in the Login name field.

3. Select the HPIPSC option.

a. From the Select a page panel, click User Mapping.

b. From the Users mapped to this login table, select the check box for HPIPSC.

c. From the Database role membership for: HPIPSC panel, select the check box for db_owner.

d. Click OK to save the changes and then exit.

4. Restart the Security Manager service to complete the permission change.

Configure Instant On requests

Learn how to configure Instant On requests to reduce the load impact on Security Manager.

Many HP devices support a feature called Device Announcement Agent whereby announcement packets such as Instant On are sent to Security Manager (HPSM). This occurs whenever any of the following conditions occur on the device:

● Initial boot

● Power cycle

● Network disconnect/reconnect

● IP address change

● Hostname change

● Cold reset

● Every 48 hours regardless of any other action triggering an announcement (in HP Futuresmart 4 and newer)

● Every 12 hours regardless of any other action triggering an announcement (in HP Futuresmart 5.2.0 and newer)

Processing Instant On packets, followed by Instant On remediation, generates a lot of load for HPSM. HPSM has three configuration options to regulate this. To configure the processing of Instant On packets, follow these steps:

1. Open the HPSM_service.exe.config file.

2. Configure the following options for Instant On processing:

● AssessOnlyNewDevice - To allow only new devices for Assessment and Remediation, set this variable to True. To allow all devices for Assessment and Remediation, set this value to False.

<!--if set to True, only newly added devices will be performed A&R, repeated announcement for same device will always be ignored.-->

<add key="AssessOnlyNewDevice" value="false" />

● AllowRepetitiveInstantOnPolicyAfter - If an already assessed device is announced again within a configured interval, that request will not be processed for Assessment and Remediation (it will be based on the last assessed time). If this threshold has elapsed since the last assessed time, it will be processed for A&R.

<!--This allows repetitive A&R for instant on announcements of the same device only after the lastAssessedTime plus the configured time period has elapsed. Instant on messages during this time interval will be ignored. Format = day.hour:min, 0.0:0 means: always assess&remediate if Allow Automatic Remediation for Accept Device Announcements is enabled-->

<add key="AllowRepetitiveInstantOnPolicyAfter" value="0.0:0" />

● IgnorePeriodAnnouncement - If the instant on announcement contains the Periodic Announcement flag, then HPSM can be configured to ignore those periodic announcements. To ignore periodic instant on announcements, set this value to True (default behavior). Only HP Futuresmart firmware 5.4 or 4.12 and newer will send out the instant on announcement with the periodic flag information.

<add key="IgnorePeriodAnnouncement" value="true"/>

3. After making changes to this file, restart the HP Security Manager service.
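To see how the three options change the number of assessment and remediation (A&R) runs, the following Python model applies them to one device that announces itself every 12 hours. It is an added example, not HPSM code: the function names, the order in which the options are checked, and the handling of a flagged periodic announcement from a new device are assumptions, while the key names, the day.hour:min format and the defaults are those shown above.

```python
import re
from datetime import datetime, timedelta


def parse_day_hour_min(text):
    """Parse the 'day.hour:min' value of AllowRepetitiveInstantOnPolicyAfter."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+):(\d+)\s*", text)
    if m is None:
        raise ValueError(f"expected day.hour:min, got {text!r}")
    days, hours, minutes = (int(g) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes)


def is_true(settings, key, default):
    """Read a true/false appSettings value, falling back to the guide's default."""
    return settings.get(key, default).strip().lower() == "true"


def decide(settings, periodic, last_assessed, now):
    """Return (process, reason) for one Instant On announcement.

    settings      -- dict of config keys to string values, as in the config file
    periodic      -- True if the announcement carries the periodic flag
    last_assessed -- datetime of the last A&R run, or None for a new device
    """
    if periodic and is_true(settings, "IgnorePeriodAnnouncement", "true"):
        return False, "periodic announcement ignored"
    if last_assessed is None:
        return True, "new device"
    if is_true(settings, "AssessOnlyNewDevice", "false"):
        return False, "repeat announcement, only new devices are assessed"
    interval = parse_day_hour_min(
        settings.get("AllowRepetitiveInstantOnPolicyAfter", "0.0:0"))
    if now < last_assessed + interval:
        return False, "inside the repeat interval"
    return True, "repeat interval elapsed"


def count_assessments(settings, hours_between=12, days=7):
    """Simulate one device: a boot announcement, then periodic ones.

    Returns how many announcements lead to an A&R run in the simulated period.
    """
    start = datetime(2022, 3, 1, 8, 0)  # constructed timestamp
    last_assessed, runs = None, 0
    for offset in range(0, days * 24, hours_between):
        now = start + timedelta(hours=offset)
        process, _reason = decide(settings, periodic=(offset > 0),
                                  last_assessed=last_assessed, now=now)
        if process:
            last_assessed, runs = now, runs + 1
    return runs


if __name__ == "__main__":
    scenarios = {
        "no throttling": {"IgnorePeriodAnnouncement": "false"},
        "repeat after 1 day": {"IgnorePeriodAnnouncement": "false",
                               "AllowRepetitiveInstantOnPolicyAfter": "1.0:0"},
        "only new devices": {"IgnorePeriodAnnouncement": "false",
                             "AssessOnlyNewDevice": "true"},
        "ignore periodic (default)": {},
    }
    for name, settings in scenarios.items():
        print(f"{name}: {count_assessments(settings)} A&R runs in 7 days")
```

A long repeat interval also lengthens the time a drifted device can stay unremediated between announcements, so the interval should be chosen together with the schedule of regular assessment tasks.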

Configure which policy will be used for Instant On requests

Learn how to configure a policy for Instant On requests.

When Allow Automatic Remediation for Instant On message is enabled, HPSM will use by default the Initial Assessment Policy for all Instant On requests.

Alternatively, the last applied policy can be used instead of the default configuration. To configure the policy for Instant On packets, follow these steps:

1. Open the HPSM_service.exe.config file.

2. Configure the following options for Instant On processing:

● Allow Automatic Remediation - To use the default Initial Assessment Policy for all Instant On requests, select the checkbox to enable this configuration for Instant On messages.

● alwaysUseLastAppliedPolicyForInstantOn - To re-apply the last applied policy instead of the Initial Assessment Policy, enable the configuration option by setting this option to TRUE in the HPSM_service.exe.config file.

<!-- alwaysUseLastAppliedPolicyForInstantOn: When true, the last applied policy on that specific device will be applied while processing incoming instant on requests-->

<!-- Please make sure that you must set SkipInstanOnPolicy to false when using true for this setting.-->

<add key="alwaysUseLastAppliedPolicyForInstantOn" value="false"/>

3. After making changes to this file, restart the HP Security Manager service.

Configure auto discovery to fix network communication errors

Learn how to configure HP Security Manager to automatically rediscover devices that are having network communication issues.

If there are devices having a network communication error, Security Manager will try to fix the communication issues by rediscovering those devices.

This broadcast discovery will only be performed for 4 hops. The discovery will be done every 24 hours at 2.15 a.m. The start time and frequency are not configurable, but the automatic discovery process for devices in a network communication error can be enabled or disabled.

1. Open the HPSM_service.exe.config file.

2. Configure auto discovery using the enableDeviceListRefreshTask option.

<!--enableDeviceListRefreshTask: Enable/Disable DeviceList Refresh Task which is meant to perform a discovery in subnet with specified number of hops and then check and update the IP addresses of devices in NCE if it has changed-->

<add key="enableDeviceListRefreshTask" value="true" />

3. Restart the HP Security Manager service.

Configure a SQL user account to access the database

Learn how to configure a SQL user account to access the database.

HPSM provides the option to access a remote database with a different Windows user account.

NOTE: HPSM can also use an SQL user account to access the database, but this must be configured after the HPSM installation.

1. Open the HPSM_service.exe.config file.

2. Configure account access using the Integrated Security=SSPI parameter.

● Default - To provide access to a local SQL database while HPSM is running as network service, use the default entry:

<add key="dbConnection" value="Server=(local)\SQLEXPRESS;initial catalog=HPIPSC;Integrated Security=SSPI" />

<add key="dbMasterConnection" value="Server=(local)\SQLExpress;initial catalog=master;Integrated Security=SSPI;Connection Timeout=15" />

● SQL database - To provide access to a remote SQL database while HPSM is running as a domain user:

<add key="dbConnection" value="Server=HPSM.mydomain.com;initial catalog=HPIPSC;Integrated Security=SSPI" />

<add key="dbMasterConnection" value="Server=HPSM.mydomain.com;initial catalog=master;Integrated Security=SSPI;Connection Timeout=15" />

● SQL user account - To have HPSM connect to the database with an SQL user account, replace the Integrated Security=SSPI parameter with:

User Id=sqlUserName;Password=sqlUserPassword

where sqlUserName is the name of the SQL account and sqlUserPassword is the password for the SQL account (in plain text).

The following example uses the SQL user HPSM_sql_user and the password 1234!#$:

<add key="dbConnection" value="Server=(local)\SQLExpress;initial catalog=HPIPSC;User Id=HPSM_sql_user;Password=1234!#$"/>

<add key="dbMasterConnection" value="Server=(local)\SQLExpress;initial catalog=HPIPSC;User Id=HPSM_sql_user;Password=1234!#$;Connection Timeout=15" />

3. Open the config files HPSM_service.exe.config and WebApp\Web.config from the installed location. For example, C:\Program Files (x86)\HP Security Manager\.

4. Change the values for the dbConnection and dbMasterConnection keys.

5. After making changes to this file, restart the HP Security Manager service.

NOTE: The SQL password is stored unencrypted in the configuration file.
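Because the SQL password sits in clear text in both config files, and the Web.config defaults described under Configure Auto Logout and Account Lockout leave idle sessions logged in, both are worth checking mechanically after every change. The following Python audit is an added example, not HP code; it assumes the settings appear as <add key="..." value="..." /> elements as shown in this guide, and the sample file content, function names and finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults stated in this guide; anything weaker is reported.
DEFAULT_MAX_INVALID_LOGINS = 5
DEFAULT_LOCKOUT_MINUTES = 30
DB_KEYS = ("dbConnection", "dbMasterConnection")
PASSWORD_KEYWORDS = ("password", "pwd")

# Constructed sample, modelled on the keys shown in this guide (not a real file).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="MaximumInvalidLoginCount" value="5" />
    <add key="UserAccountLockoutDurationInMins" value="30" />
    <!--<add key="AutoLogoutAfter" value="20" />-->
    <add key="AutoLogoutEnabled" value="false" />
    <add key="dbConnection" value="Server=(local)\\SQLExpress;initial catalog=HPIPSC;User Id=HPSM_sql_user;Password=example-only" />
    <add key="dbMasterConnection" value="Server=(local)\\SQLExpress;initial catalog=master;Integrated Security=SSPI;Connection Timeout=15" />
  </appSettings>
</configuration>"""


def read_app_settings(xml_text):
    """Return {key: value} for every active <add key="..." value="..."/> element.

    The XML parser drops comments, so commented-out settings count as absent.
    """
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value", "") for e in root.iter("add") if e.get("key")}


def parse_connection_string(value):
    """Split 'k1=v1;k2=v2' into a dict with lower-cased, trimmed keywords.

    Quoted values containing ';' are not handled; enough for a presence check.
    """
    parts = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            parts[name.strip().lower()] = val.strip()
    return parts


def check_session_settings(settings):
    """Web.config checks: auto logout and account lockout."""
    findings = []
    if settings.get("AutoLogoutEnabled", "false").strip().lower() != "true":
        findings.append(("AUTO_LOGOUT_OFF", "idle sessions stay logged in"))
    elif "AutoLogoutAfter" not in settings:
        findings.append(("AUTO_LOGOUT_NO_TIMEOUT",
                         "AutoLogoutAfter is missing or commented out"))
    rules = (
        ("MaximumInvalidLoginCount", "LOCKOUT_COUNT_WEAK",
         lambda n: n < 1 or n > DEFAULT_MAX_INVALID_LOGINS),
        ("UserAccountLockoutDurationInMins", "LOCKOUT_DURATION_WEAK",
         lambda n: n < DEFAULT_LOCKOUT_MINUTES),
    )
    for key, code, is_weaker in rules:
        if key not in settings:
            continue  # absent key: nothing to compare against
        try:
            bad = is_weaker(int(settings[key]))
        except ValueError:
            bad = True  # non-numeric value: report rather than guess
        if bad:
            findings.append(
                (code, f"{key}={settings[key]!r} is not as strict as the default"))
    return findings


def check_db_connections(settings):
    """Checks for both config files: SQL passwords stored in connection strings."""
    findings = []
    for key in DB_KEYS:
        parts = parse_connection_string(settings.get(key, ""))
        if any(word in parts for word in PASSWORD_KEYWORDS):
            # Report the key only; never echo the password itself.
            findings.append(("PLAINTEXT_SQL_PASSWORD", f"{key} embeds a SQL password"))
    return findings


def audit_config(xml_text, web_app=True):
    """Return (code, message) findings for the text of one config file."""
    settings = read_app_settings(xml_text)
    findings = check_session_settings(settings) if web_app else []
    return findings + check_db_connections(settings)


if __name__ == "__main__":
    for code, message in audit_config(SAMPLE_WEB_CONFIG):
        print(f"{code}: {message}")
```

Call audit_config with web_app=False for HPSM_service.exe.config, which carries the connection strings but not the login settings. Where a finding reports an embedded password, restrict read access on that file to administrators and the service account.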

Configure autogrouping behavior

Learn how to configure autogrouping behavior.

Autogroups can be used to move devices automatically into a group based upon configured filter criteria. It is also possible to automatically remediate devices which are entering an autogroup. Devices can be added to HPSM after a discovery or after receiving an instant-on request from the device.

NOTE: Flow diagrams for instant on and device discovery can be found in whitepaper Instant-On Security and Auto-Group Remediation.

1. Open the HPSM_service.exe.config file.

2. Configure autogrouping using the autoGroupDiscoveryAutoRemediationEnable option.

● To apply the policy to all New devices in the autogroup, set this value to TRUE. When the device is discovered (using manual or automatic discovery), then autogroup policy will be automatically applied.

<!-- autoGroupDiscoveryAutoRemediationEnable: Set this to true to enable Discovery Auto remediation task-->

● If you do not want the policy to be applied to all new devices in the autogroup, set this value to FALSE. When the device is discovered (using manual or automatic discovery), then the device autogroup policy will not be automatically applied.

<add key="autoGroupDiscoveryAutoRemediationEnable" value="false" />

3. Make the same change in the web.config file, and then restart the HPSM application pool.

NOTE: If only the HPSM_service.exe.config file was changed, then only a restart of the HP Security Manager service is required.

4. Restart the HP Security Manager service.

5. Restart the HP Security Manager service.

6. To add or remove devices to/from an autogroup, change the autoGroupEditOrDailyRefreshAutoRemediationEnable setting to TRUE in the HPSM_service.exe.config file.

<!--autoGroupEditOrDailyRefreshAutoRemediationEnable: Set this to true to enable Auto remediation task for Auto remediation nightly refresh-->

<add key="autoGroupEditOrDailyRefreshAutoRemediationEnable" value="false" />

7. To configure the refresh frequency for the autogroup membership, change the autoGroupFilterExecutionFrequency setting in the HPSM_service.exe.config file.

<!--To apply filters to devices at a scheduled frequency-->

<!--autoGroupFilterExecutionFrequency: To apply filters and re arrange the devices in auto group at scheduled interval Format = day:hour:min:second -->

<add key="autoGroupFilterExecutionFrequency" value="1:0:0:0" /> <!--Format = day:hour:min:second-->

8. Restart the HP Security Manager service.

Configure automatic retry of EWS credential verification

Learn how to configure HP Security Manager to automatically retry to validate Embedded Web Server (EWS) credentials in the event of a cipher mismatch.

Security Manager will only try a provided password one time. This is the default configuration for credentials verification for the EWS.

In the event of a cipher mismatch between Security Manager and the device due to network and/or device issues, the EWS password will not be validated and the device status will result in Credentials Not Validated or Incorrect with no reattempt to validate the credentials entered.

To prevent this scenario and configure Security Manager to retry the verification of the EWS credentials (with the same credentials), follow these steps:

1. Open the HPSM_service.exe.config file.

2. Change the eapAdminCredentialRetryDelay value.

NOTE: The default setting for eapAdminCredentialRetryDelay is -1 which means no retry is attempted.

● No retry attempted - Set the value to -1.

● Retry the same credentials - Set the value from 1 to 500 (or any other positive value).

NOTE: When given a positive value, Security Manager will retry the same credentials for devices in which the EWS password could not be validated, after the specified number of milliseconds (ms). Internal testing showed improvements while using a value of 500ms.

3. Change the CredentialRetryWhenInconclusive value.

● No retry attempted - Set the value to FALSE

● Retry the same credentials - Set the value to TRUE

4. Restart the HP Security Manager service.

Disable default credential verification for password protected devices

Learn how to disable default credential verification for devices that have been configured with a password.

If HP Security Manager does not have the credentials of a device, it will try to use the configured global credentials. If those also fail, then Security Manager will try to use the default credentials.

If Security Manager is only used with devices which have been configured with a password, it’s possible to skip the default credential verification.

To configure Security Manager to skip the verification of default credentials, follow these steps:

1. Open the HPSM_service.exe.config file.

2. Change the UseDefaultCredentials value.

● To use default credentials - Set the value to TRUE

NOTE: Use for devices with no EWS password set and with a public SNMP community name assigned.

● To disable default credentials - Set the value to FALSE

NOTE: Use for devices which have been configured with an EWS password.

3. Restart the HP Security Manager service.

Configure the max number of records to delete

Learn how to configure the max number of records to delete during nightly maintenance.

By default, HP Security Manager deletes up to 10,000 records in a single transaction during nightly maintenance. This number can be increased to improve performance.

To configure Security Manager to delete a higher number of records in one transaction during maintenance, follow these steps:

1. Open the HPSM_service.exe.config file.

2. Change the MaxOldRecommendationRecordsToDelete value.

3. Change the MaxDeviceRecordsToDelete value.

NOTE: Sometimes the MaintenanceTaskQueryTimeout value must be increased as well (to 1200, for example).

4. Restart the HP Security Manager service.

Pause scheduled tasks during nightly maintenance

Learn how to configure HP Security Manager to pause tasks when performing nightly maintenance.

The default setting allows Security Manager to run scheduled tasks at the same time as nightly maintenance.

In order to prevent a heavy load on the database and to improve the nightly maintenance performance, it’s possible to change this default behavior.

To configure Security Manager to pause any new assessment and remediation tasks and queue new instant on announcements during nightly maintenance, follow these steps:

1. Open the HPSM_service.exe.config file.

2. Change the AllowScheduledTasksDuringMaintenanceTaskRun value.

● Allow all tasks to be executed at the same time as maintenance - Set the value to TRUE

● Pause all tasks during nightly maintenance and resume all tasks after it completes - Set the value to FALSE

NOTE: When this value is set to FALSE, any new discovery, verification task, AR task, or instant on task with a policy will be queued and paused as long as the maintenance task is running.

3. Restart the HP Security Manager service.

Configure or mask the IP address

Learn how to configure HP Security Manager to use either the real IP address or a masked IP address.

When the KeepRequestedDeviceIPAddressForCommunication value is set to TRUE, HPSM will request the device's IP address directly from the device via SNMP. If this is different from the IP address which was used so far for communication, then HPSM will use the newly received IP address for further communication.

When set to FALSE, HPSM will not check the device's IP address over SNMP. Instead, it will always use the IP address which was used to discover the device. This setting is required when devices such as PS60 are connecting to the printer and masking the actual printer's IP address.

To configure Security Manager to show or hide the IP address, follow these steps:

1. Open the HPSM_service.exe.config file.

2. Change the KeepRequestedDeviceIPAddressForCommunication value.

● KeepRequestedDeviceIPAddressForCommunication - Set the value to TRUE to show the IP address.

● KeepRequestedDeviceIPAddressForCommunication - Set the value to FALSE to mask the IP address.

3. Restart the HP Security Manager service.

Firewall configuration for remote access

If a firewall is installed on the computer on which the Security Manager web application runs and Security Manager is accessed from the web browser on a remote computer, the firewall must be set to allow access to the web application.

The Security Manager web application configured during the installation listens on ports 8002 and 7637, which must be opened in the firewall to allow remote access to the web application.

5 Uninstall the Security Manager system

Use one of the following methods to uninstall the Security Manager system:

NOTE: It is not necessary to stop the Security Manager service before running the uninstall program. The service is stopped as part of the process.

● Uninstall the web application and the database from a local instance of an existing SQL server on a single computer.

NOTE: This method uninstalls the service, the user interface, and the database at one time when they are installed on the same server.

● Uninstall the web application from one server and uninstall the database from another server by running the HPSM installer one time.

NOTE: This method uninstalls the database on an existing Microsoft SQL Server (Server B), and then uninstalls the web application (service and user interface) that is installed on a separate server (Server A).

Uninstall the web application and database from one computer

Use the following steps to uninstall Security Manager when the web application and database are installed on the same computer.

1. Log on to the computer where the Security Manager web application and database is or will be installed.

2. Remove HP Security Manager using Programs and Features.

CAUTION: The uninstall program permanently removes the Security Manager information from the database. To save this information, verify that you have created a backup before continuing.

a. Click Start, and then click Control Panel.

b. Click Add or Remove Programs or Programs and Features, depending on the operating system.

c. Select the entry for HP Security Manager, and then click Remove or click Uninstall, depending on the operating system.

3. On the Would you like to delete the HP Security Manager Database? confirmation window, click Yes to permanently remove the Security Manager information from the database.

4. On the Do you want to remove the license file? confirmation window, indicate whether or not the license file should be removed.

Uninstall the web application from one computer and uninstall the database from another computer

Use the following steps to uninstall the Security Manager when the web application is installed on one computer and the database is installed on another computer.

1. Log on to the computer where the Security Manager web application (service and user interface) is installed or will be run.

2. Remove HP Security Manager using Programs and Features.

CAUTION: The uninstall program permanently removes the Security Manager information from the database. To save this information, verify that you have created a backup before continuing.

a. Click Start, and then click Control Panel.

b. Click Add or Remove Programs or Programs and Features, depending on the operating system.

c. Select the entry for HP Security Manager, and then click Remove or click Uninstall, depending on the operating system.

3. On the Do you want to remove the license file? confirmation window, indicate whether or not the license file should be removed.

4. Log on to the computer where the Security Manager database is located.

5. Remove HP Security Manager using Programs and Features.

CAUTION: The uninstall program permanently removes the Security Manager information from the database. To save this information, verify that you have created a backup before continuing.

a. Click Start, and then click Control Panel.

b. Click Add or Remove Programs or Programs and Features, depending on the operating system.

c. Select the entry for HP Security Manager, and then click Remove or click Uninstall, depending on the operating system.

6 Solve problems

Use this section to solve typical installation problems.

Solve problems

Use the following sections to identify and solve common installation issues.

“A computer restart is required. You must restart this computer before continuing with installation.” displays when installing or uninstalling the MS installer file.

This message appears when the MS installer detects in the registry that files that need to be replaced are in use.

Solution:

Restart the workstation.

OR

Follow these steps to delete the PendingFileRenameOperations key in the registry:

1. Go to the registry editor (regedit.exe).

2. In the left navigation pane, select the following keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.

3. In the right navigation pane, right-click the PendingFileRenameOperations key, and then select Delete.

4. Close the registry editor.
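
The same registry procedure with a backup and a review step before the deletion, since deleting the entry discards every file rename or delete that was queued for the next restart. This is an added example, not part of the HP guide; the function name and backup location are hypothetical, and PendingFileRenameOperations is handled as the multi-string value it is stored as under the Session Manager key.

```powershell
# Added example. Run in an elevated PowerShell session.
function Clear-PendingFileRename {      # hypothetical helper name
    param([switch] $Delete)             # without -Delete the function only reports

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $valueName = 'PendingFileRenameOperations'

    $key = Get-Item -LiteralPath $keyPath
    if ($key.GetValueNames() -notcontains $valueName) {
        Write-Host "$valueName is not present; nothing to clear."
        return
    }

    # 1. Back up the whole Session Manager key so the entry can be restored.
    #    ASSUMPTION: %TEMP% is an acceptable place for the backup file.
    $backup = Join-Path $env:TEMP ('SessionManager-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    Write-Host "Backup written to $backup"

    # 2. List what is queued. Entries are stored as source/destination pairs;
    #    an empty destination means the source file is deleted at restart.
    $entries = @($key.GetValue($valueName))
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        $source = $entries[$i] -replace '^\\\?\?\\', ''
        $target = if ($i + 1 -lt $entries.Count) { $entries[$i + 1] } else { '' }
        $target = $target -replace '^!?\\\?\?\\', ''
        [pscustomobject]@{
            Source = $source
            Action = if ($target) { "rename to $target" } else { 'delete at restart' }
        }
    }

    # 3. Delete only on request, after the listing has been reviewed.
    if ($Delete) {
        Remove-ItemProperty -LiteralPath $keyPath -Name $valueName
        Write-Host "$valueName removed. Restore from $backup if needed."
    }
}

Clear-PendingFileRename            # review only
# Clear-PendingFileRename -Delete  # run after reviewing the listing
```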

“Installation of Security Manager failed.” displays when attempting to uninstall.

The installation files might be corrupted.

Solution:

Run the Microsoft Windows Installer CleanUp Utility to try to correct the uninstall failure.

“Service Not Running.” displays when attempting to open the Security Manager web application.

Several issues might cause this symptom.

● The Security Manager service might not be running.

Solution:

1. Log on to the computer where the Security Manager web application runs.

2. Click Start, and then select Control Panel.

3. From the Administrative Tools folder, double-click Services.

4. Locate and select HP Security Manager in the list, and then click Start the service.

5. Try restarting Security Manager. If this fails, see the following solution.

● The Security Manager installation might be corrupt.

Solution:

1. Select Control Panel, and then open Add/Remove Programs.

2. Right-click the HP Security Manager entry, and then select Repair.

● The Security Manager web application might not be running.

Solution:

1. Log on to the computer where the Security Manager web application runs.

2. Click Start, and then select Control Panel.

3. Select System and Security, and then select Administrative Tools.

4. In the Administrative Tools window, double-click Internet Information Services (IIS) Manager.

5. Restart the Security Manager web application.

If the application fails to start, check the Security Manager installation log and IIS logs.

Attempts to uninstall Security Manager might fail if the policy editor is open to an unsaved policy.

A Files in Use window is typically displayed. However, clicking OK does not resolve the issue.

The file is in use.

Solution:

1. Exit the policy editor.

2. Exit the Security Manager system.

3. From the Files in Use window, click OK to continue with the uninstall.

7 Software license agreement

This section contains legal statements.

End User License Agreement

READ CAREFULLY BEFORE USING THIS SOFTWARE EQUIPMENT: This End-User license Agreement ("EULA") is a legal agreement between (a) you (either an individual or a single entity) and (b) HP Inc. ("HP") that governs your use of any Software Product, installed on or made available by HP for use with your HP product ("HP Product"), that is not otherwise subject to a separate license agreement between you and HP or its suppliers. Other software may contain a EULA in its online documentation. The term "Software Product" means computer software and may include associated media, printed materials and "online" or electronic documentation.

An amendment or addendum to this EULA may accompany the HP Product.

RIGHTS IN THE SOFTWARE PRODUCT ARE OFFERED ONLY ON THE CONDITION THAT YOU AGREE TO ALL TERMS AND CONDITIONS OF THIS EULA. BY INSTALLING, COPYING, DOWNLOADING, OR OTHERWISE USING THE SOFTWARE PRODUCT, YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA. IF YOU DO NOT ACCEPT THESE LICENSE TERMS, YOUR SOLE REMEDY IS TO RETURN THE ENTIRE UNUSED PRODUCT (HARDWARE AND SOFTWARE) WITHIN 14 DAYS FOR A REFUND SUBJECT TO THE REFUND POLICY OF YOUR PLACE OF PURCHASE.

1. GRANT OF LICENSE. HP grants you the following rights provided you comply with all terms and conditions of this EULA:

● Use. You may use the Software Product on a single computer ("Your Computer"). If the Software Product is provided to you via the internet and was originally licensed for use on more than one computer, you may install and use the Software Product only on those computers. You may not separate component parts of the Software Product for use on more than one computer. You do not have the right to distribute the Software Product. You may load the Software Product into Your Computer's temporary memory (RAM) for purposes of using the Software Product.

● Storage. You may copy the Software Product into the local memory or storage device of the HP Product.

● Copying. You may make archival or back-up copies of the Software Product, provided the copy contains all of the original Software Product's proprietary notices and that it is used only for back-up purposes.

● Reservation of Rights. HP and its suppliers reserve all rights not expressly granted to you in this EULA.

● Freeware. Notwithstanding the terms and conditions of this EULA, all or any portion of the Software Product which constitutes non-proprietary HP software or software provided under public license by third parties ("Freeware"), is licensed to you subject to the terms and conditions of the software license agreement accompanying such Freeware whether in the form of a discrete agreement, shrink wrap license or electronic license terms accepted at time of download. Use of the Freeware by you shall be governed entirely by the terms and conditions of such license.

● Recovery Solution. Any software recovery solution provided with/for your HP Product, whether in the form of a hard disk drive-based solution, an external media-based recovery solution (e.g. floppy disk, CD or DVD) or an equivalent solution delivered in any other form, may only be used for restoring the hard disk of the HP Product with/for which the recovery solution was originally purchased. The use of any Microsoft operating system software contained in such recovery solution shall be governed by the Microsoft License Agreement.

2. UPGRADES. To use a Software Product identified as an upgrade, you must first be licensed for the original Software Product identified by HP as eligible for the upgrade. After upgrading, you may no longer use the original Software Product that formed the basis for your upgrade eligibility. By using the Software Product, you also agree that HP may automatically access your HP Product when connected to the internet to check the version or status of certain Software Products and may automatically download and install upgrades or updates to such Software Products on to your HP Product to provide new versions or updates required to maintain the functionality, performance, or security of the HP Software and your HP Product and facilitate the provision of support or other services provided to you. In certain cases, and depending on the type of upgrade or update, notifications will be provided to you (via pop-up or other means), which may require you to initiate the upgrade or update.

3. ADDITIONAL SOFTWARE. This EULA applies to updates or supplements to the original Software Product provided by HP unless HP provides other terms along with the update or supplement. In case of a conflict between such terms, the other terms will prevail.

4. TRANSFER.

● Third Party. The initial user of the Software Product may make a one-time transfer of the Software Product to another end user. Any transfer must include all component parts, media, printed materials, this EULA, and if applicable, the Certificate of Authenticity. The transfer may not be an indirect transfer, such as a consignment. Prior to the transfer, the end user receiving the transferred product must agree to all the EULA terms. Upon transfer of the Software Product, your license is automatically terminated.

● Restrictions. You may not rent, lease or lend the Software Product or use the Software Product for commercial timesharing or bureau use. You may not sublicense, assign or transfer the license or Software Product except as expressly provided in this EULA.

5. PROPRIETARY RIGHTS. All intellectual property rights in the Software Product and user documentation are owned by HP or its suppliers and are protected by law, including but not limited to United States copyright, trade secret, and trademark law, as well as other applicable laws and international treaty provisions. You shall not remove any product identification, copyright notices or proprietary restrictions from the Software Product.

6. LIMITATION ON REVERSE ENGINEERING. You may not reverse engineer, decompile, or disassemble the Software Product, except and only to the extent that the right to do so is mandated under applicable law notwithstanding this limitation or it is expressly provided for in this EULA.

7. TERM. This EULA is effective unless terminated or rejected. This EULA will also terminate upon conditions set forth elsewhere in this EULA or if you fail to comply with any term or condition of this EULA.

8. CONSENT TO COLLECTION/USE OF DATA.

● HP will use cookies and other web technology tools to collect anonymous technical information related to HP Software and your HP Product. This data will be used to provide the upgrades and related support or other services described in Section 2. HP will also collect personal information including your Internet Protocol address or other unique identifier information associated with your HP Product and data provided by you on registration of your HP Product. As well as providing the upgrades and related support or other services, this data will be used for sending marketing communications to you (in each case with your express consent where required by applicable law).

To the extent permitted by applicable law, by accepting these terms and conditions you consent to the collection and use of anonymous and personal data by HP, its subsidiaries, and affiliates as described in this EULA and as further described in HP’s privacy policy: www.hp.com/go/privacy

● Collection/Use by Third Parties. Certain software programs included in your HP Product are provided and separately licensed to you by third party providers (“Third Party Software”). Third Party Software may be installed and operational on your HP Product even if you choose not to activate/purchase such software. Third Party Software may collect and transmit technical information about your system (i.e., IP address, unique device identifier, software version installed, etc.) and other system data. This information is used by the third party to identify technical system attributes and ensure that the most current version of the software has been installed on your system. If you do not want the Third Party Software to collect this technical information or automatically send you version updates, you should uninstall the software prior to connecting to the Internet.

9. DISCLAIMER OF WARRANTIES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HP AND ITS SUPPLIERS PROVIDE THE SOFTWARE PRODUCT “AS IS” AND WITH ALL FAULTS, AND HEREBY DISCLAIM ALL OTHER WARRANTIES, GUARANTEES, AND CONDITIONS, EITHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF TITLE AND NON-INFRINGEMENT, ANY IMPLIED WARRANTIES, DUTIES, GUARANTEES, OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE, AND OF LACK OF VIRUSES ALL WITH REGARD TO THE SOFTWARE PRODUCT. Some states/jurisdictions do not allow exclusion of implied warranties or limitations on the duration of implied warranties, so the above disclaimer may not apply to you in its entirety.

IN AUSTRALIA AND NEW ZEALAND, THE SOFTWARE COMES WITH GUARANTEES THAT CANNOT BE EXCLUDED UNDER AUSTRALIAN AND NEW ZEALAND CONSUMER LAWS. AUSTRALIAN CONSUMERS ARE ENTITLED TO A REPLACEMENT OR A REFUND FOR A MAJOR FAILURE AND COMPENSATION FOR OTHER REASONABLY FORESEEABLE LOSS OR DAMAGE. AUSTRALIAN CONSUMERS ARE ALSO ENTITLED TO HAVE THE SOFTWARE REPAIRED OR REPLACED IF IT FAILS TO BE OF ACCEPTABLE QUALITY AND THE FAILURE DOES NOT AMOUNT TO A MAJOR FAILURE. NEW ZEALAND CONSUMERS WHO ARE PURCHASING GOODS FOR PERSONAL, DOMESTIC OR HOUSEHOLD USE OR CONSUMPTION AND NOT FOR THE PURPOSE OF A BUSINESS (“NEW ZEALAND CONSUMERS”) ARE ENTITLED TO REPAIR, REPLACEMENT OR REFUND FOR A FAILURE AND COMPENSATION FOR OTHER REASONABLY FORESEEABLE LOSS OR DAMAGE.

10. LIMITATION OF LIABILITY. Subject to local law, notwithstanding any damages that you might incur, the entire liability of HP and any of its suppliers under any provision of this EULA and your exclusive remedy for all of the foregoing shall be limited to the greater of the amount actually paid by you separately for the Software Product or U.S. $5.00. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL HP OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, OR OTHERWISE IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IF HP OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF THE REMEDY FAILS OF ITS ESSENTIAL PURPOSE. Some states/jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation or exclusion may not apply to you.

11. U.S. GOVERNMENT CUSTOMERS. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under HP's standard commercial license.

12. COMPLIANCE WITH EXPORT LAWS. You shall comply with all laws and regulations of the United States and other countries ("Export Laws") to assure that the Software Product is not (1) exported, directly or indirectly, in violation of Export Laws, or (2) used for any purpose prohibited by Export Laws, including, without limitation, nuclear, chemical, or biological weapons proliferation.

13. CAPACITY AND AUTHORITY TO CONTRACT. You represent that you are of the legal age of majority in your state of residence and, if applicable, you are duly authorized by your employer to enter into this contract.

14. APPLICABLE LAW. This EULA is governed by the laws of the country in which the equipment was purchased.

15. ENTIRE AGREEMENT. This EULA (including any addendum or amendment to this EULA which is included with the HP Product) is the entire agreement between you and HP relating to the Software Product and it supersedes all prior or contemporaneous oral or written communications, proposals and representations with respect to the Software Product or any other subject matter covered by this EULA. To the extent the terms of any HP policies or programs for support services conflict with the terms of this EULA, the terms of this EULA shall control.

© Copyright 2020 HP Development Company, L.P.

The information contained herein is subject to change without notice. All other product names mentioned herein may be trademarks of their respective companies. To the extent permitted by applicable law, the only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. To the extent permitted by applicable law, HP shall not be liable for technical or editorial errors or omissions contained herein.

A Manually install and configure IIS

Manually install and configure Internet Information Services (IIS) and its features (2008 R2, 2012, 2012 R2, 2016, and 2019) on a Windows server or a Windows client operating system (Windows 8 and newer).

HP Security Manager supports Internet Information Services (IIS) versions 7.5 and newer.

Several IIS features need to be enabled before running HP Security Manager.

Normally, the installer can automatically enable those features. If one of the following installation failures is received, the Internet Information Services (IIS) features will need to be added and configured manually.

If an error is received, or if Security Manager is unable to install all the recommended features of IIS, then the Security Manager installation will be aborted and the features will need to be added manually.

NOTE: The order of the steps presented might vary slightly depending on the Windows operating system.

Install IIS on Windows Server

Use the following steps to install Internet Information Services (IIS) on a Windows server.

When you receive a prompt from the installer that some 'Information Service features must be enabled', make sure the features are enabled before continuing the installation.

NOTE: To install IIS on a Windows server or a Windows operating system, you must have an administrative account or administrative user rights.

1. Click Start, select Administrative Tools, and then click Server Manager.

2. On the left pane in Server Manager, select Roles. In the Roles Summary sub-section, click Add Roles.

3. Read the security warnings and then click Next.

4. On the Select Server Roles page, select the Web Server (IIS) check box role option, and then click Next.

5. After reading the introduction to IIS, click Next to continue.

6. On the Select Role Server page, make sure to select the following IIS component check boxes to enable the role services for IIS.

NOTE: If the Add Roles Wizard launches, select the Add Required Role Services button.

● Web Server

– Common HTTP Features

○ Default Document

○ Directory Browsing

○ HTTP Errors

○ Static Content

○ HTTP Redirection

– Health and Diagnostics

○ HTTP Logging

○ Logging Tools

○ Request Monitor

– Performance

○ Static Content Compression

– Security

○ Request Filtering

– Application Development

○ .NET Extensibility 4.8

○ ASP

○ ASP.NET 4.8

○ ISAPI Extensions

○ ISAPI Filters

● Management Tools

– IIS Management Console

– IIS 6 Management Compatibility

○ IIS 6 Metabase Compatibility

○ IIS 6 WMI Compatibility

– IIS Management Scripts and Tools

– Management Service

7. Click Next to continue.

8. Click Install to install IIS.

9. After the installation finishes, click Close.
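
A check of the role services from step 6 against what is already installed on the server, useful before retrying a Security Manager installation that stopped on missing IIS features. This is an added example, not part of the HP guide; it assumes Windows Server 2012 or later, where the .NET Extensibility 4.x and ASP.NET 4.x role services carry the feature names Web-Net-Ext45 and Web-Asp-Net45.

```powershell
# Added example. Run in an elevated PowerShell session on the server.
# ASSUMPTION: Windows Server 2012 or later (ServerManager feature names).
Import-Module ServerManager

# Label used in this guide -> Windows feature name.
$Required = [ordered]@{
    'Web Server (IIS)'                 = 'Web-Server'
    'Default Document'                 = 'Web-Default-Doc'
    'Directory Browsing'               = 'Web-Dir-Browsing'
    'HTTP Errors'                      = 'Web-Http-Errors'
    'Static Content'                   = 'Web-Static-Content'
    'HTTP Redirection'                 = 'Web-Http-Redirect'
    'HTTP Logging'                     = 'Web-Http-Logging'
    'Logging Tools'                    = 'Web-Log-Libraries'
    'Request Monitor'                  = 'Web-Request-Monitor'
    'Static Content Compression'       = 'Web-Stat-Compression'
    'Request Filtering'                = 'Web-Filtering'
    '.NET Extensibility 4.x'           = 'Web-Net-Ext45'
    'ASP'                              = 'Web-ASP'
    'ASP.NET 4.x'                      = 'Web-Asp-Net45'
    'ISAPI Extensions'                 = 'Web-ISAPI-Ext'
    'ISAPI Filters'                    = 'Web-ISAPI-Filter'
    'IIS Management Console'           = 'Web-Mgmt-Console'
    'IIS 6 Metabase Compatibility'     = 'Web-Metabase'
    'IIS 6 WMI Compatibility'          = 'Web-WMI'
    'IIS Management Scripts and Tools' = 'Web-Scripting-Tools'
    'Management Service'               = 'Web-Mgmt-Service'
}

# One query for all features; names unknown to this OS return nothing.
$found = @(Get-WindowsFeature -Name @($Required.Values) -ErrorAction SilentlyContinue)

$report = foreach ($label in $Required.Keys) {
    $name    = $Required[$label]
    $feature = $found | Where-Object Name -eq $name
    [pscustomobject]@{
        GuideLabel = $label
        Feature    = $name
        State      = if (-not $feature)          { 'Unknown on this OS' }
                     elseif ($feature.Installed) { 'Installed' }
                     else                        { 'Missing' }
    }
}
$report | Format-Table -AutoSize

# Preview the installation of whatever is missing. Remove -WhatIf to apply.
$missing = @($report | Where-Object State -eq 'Missing' | ForEach-Object Feature)
if ($missing.Count -gt 0) {
    Install-WindowsFeature -Name $missing -WhatIf
} else {
    Write-Host 'All listed role services are installed or not applicable.'
}
```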

Install IIS on a Windows (11, 10, or 8) operating system

Use the following steps:

1. Select Control Panel from the Windows start menu.

2. Select Programs, and then in the Programs and Features section, click Turn Windows Features on or off.

3. Expand Internet Information Services.

4. Select the following component check boxes to enable IIS.

● Web Management Tools

– IIS 6 Management Compatibility

○ IIS 6 Management Console

○ IIS 6 Scripting Tools

○ IIS 6 WMI Compatibility

○ IIS 6 Metabase and IIS 6 configuration compatibility

– IIS Management Console

– IIS Management Scripts and Tools

– Management Service

● World Wide Web Service

– Application Development Features

○ .NET Extensibility

○ ASP

○ ASP.NET

○ ISAPI Extensions

○ ISAPI Filters

● Common HTTP Features

– Default Document

– Directory Browsing

– HTTP Errors

– HTTP Redirection

– Static Content

● Health and Diagnostics

– HTTP Logging

– Logging Tools

– Request Monitor

5. Click OK.

B Run SQL install/upgrade scripts from SQL Management Studio

Learn about SQL install/upgrade scripts used with the SQL Management Studio.

The SQL commands are listed in the InstallOrUpgradeRemoteDb.bat file. All of them (except the command that adds rights for networkservice) are needed to run the install/upgrade scripts from SQL Management Studio. To run the scripts, replace $(DBNAME) in each SQL command with the actual database name in all of the SQL scripts, and then run the scripts with SQL Management Studio.

IMPORTANT: Access rights will also need to be given to the remote database manually. With a new DB, the upgrade scripts are not required as the DB is already up to date. If you try to install/upgrade on a new DB, a warning message will display: Exiting!! The current database schema version is not compatible with this upgrade script.

CreateHPIPSC.sql

Createtables.sql

AutoCloseOff.sql

SetDBSchemaVersion.sql

UpgradeDbSchemaVer1to2.sql

UpgradeDbSchemaVer2to3.sql

UpgradeDbSchemaVer3to4.sql

UpgradeDbSchemaVer5to6.sql

UpgradeDbSchemaVer6to7.sql

UpgradeDbSchemaVer7to8.sql

UpgradeDbSchemaVer8to9.sql

UpgradeDbSchemaVer9to10.sql

UpgradeDbSchemaVer10to11.sql

UpgradeDbSchemaVer11to12.sql

CreateRebuildIndex_StoredProcedure.sql

Recommendation_FK_DeleteCascade.sql

UpgradeDbSchemaVer12to13.sql

UpgradeDbSchemaVer13to14.sql

UpgradeDbSchemaVer14to15.sql

UpgradeDbSchemaVer15to16.sql

UpgradeDbSchemaVer16to17.sql

SMMetadataInsert.sql

CreateStoredProcedure_RebuildIndex.sql

Recommendation_FK_DeleteCascade.sql

CreateStoredProcedure_DeleteSingleTask.sql

CreateStoredProcedure_DeleteAllDeletedTasksAndReferencedRecords.sql

CreateOrUpdateIndexes.sql

CreateUserDefinedTableTypes.sql

CreateStoredProcedure_MaintenanceTasks.sql
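
The $(DBNAME) substitution described above, done on copies of the scripts so the originals stay untouched. This is an added example, not HP's tooling: the function name and folder arguments are hypothetical, and the database name is restricted to a plain identifier because it is pasted directly into SQL text.

```powershell
# Added example. Writes rendered copies; run them afterwards in SQL
# Management Studio in the order given in InstallOrUpgradeRemoteDb.bat.
function Convert-HpsmSqlScripts {       # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DbName,
        [Parameter(Mandatory)] [string] $ScriptDir,   # folder with the extracted .sql files
        [Parameter(Mandatory)] [string] $OutDir       # folder for the rendered copies
    )

    # The name becomes part of the SQL text, so accept only letters, digits
    # and underscore. Anything else (quotes, brackets, semicolons, spaces)
    # could change the meaning of the statements it is inserted into.
    if ($DbName -notmatch '^[A-Za-z_][A-Za-z0-9_]{0,127}$') {
        throw "Refusing database name '$DbName': use letters, digits and underscore only."
    }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    if ((Resolve-Path $ScriptDir).Path -eq (Resolve-Path $OutDir).Path) {
        throw 'OutDir must differ from ScriptDir so the original scripts are kept.'
    }

    foreach ($file in Get-ChildItem -Path $ScriptDir -Filter *.sql -File) {
        $sql  = [string](Get-Content -LiteralPath $file.FullName -Raw)
        $hits = [regex]::Matches($sql, '\$\(DBNAME\)', 'IgnoreCase').Count

        # -replace is case-insensitive; the validated name contains no
        # characters that are special in a replacement string.
        $rendered = $sql -replace '\$\(DBNAME\)', $DbName

        # Any other $(NAME) placeholder left in the text would not be
        # resolved outside the batch file, so report it per script.
        $leftover = [regex]::Matches($rendered, '\$\(\w+\)') |
            ForEach-Object Value | Sort-Object -Unique

        Set-Content -LiteralPath (Join-Path $OutDir $file.Name) `
            -Value $rendered -Encoding UTF8 -NoNewline

        [pscustomobject]@{
            Script     = $file.Name
            Replaced   = $hits
            Unresolved = ($leftover -join ', ')
        }
    }
}

# Example call with constructed values:
# Convert-HpsmSqlScripts -DbName 'ExampleDb' -ScriptDir 'C:\Temp\sql' -OutDir 'C:\Temp\sql-rendered' |
#     Format-Table -AutoSize
```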

C Improve performance by running database cleanup scripts

Learn about how to use database cleanup scripts to improve HP Security Manager performance.

The installSQLscripts.zip file in the Program Files (x86)\Security Manager directory contains two SQL scripts that improve performance:

● CreateStoredProcedure_ClearRecommendationData.sql

and

● CreateStoredProcedure_DeleteInActiveTasksAndItReferences.sql

Each script has a corresponding ReadMe that describes how and when these scripts should be used.

D Network port assignments

This section lists the ports that Security Manager uses.

Table D-1 Ports used from the Security Manager service to the printer or MFP

| Service | Port | IP Protocol | Notes |
| --- | --- | --- | --- |
| HTTP | 80 and 8080 | TCP | Used only when SSL is not supported on the device |
| HTTPS | 443 | TCP | HTTP Web over SSL |
| PING | N/A | ICMP | Echo ping |
| SNMP | 161 | UDP | Simple Network Management Protocol |
| SOAP-HTTP | 7627 | TCP | Web service port used to manage communications on FutureSmart devices. |

Table D-2 Ports used from the user interface to the Security Manager service

| Service | Port | IP Protocol | Notes |
| --- | --- | --- | --- |
| HTTPS | 7637 | TCP | Used during installation. Port used to secure data between the client and the HPSM server when using a browser. To change the port, edit the port bindings for HPSM website in Internet Information Services (IIS) Manager. |
| WCF NET.TCP | 8002 | TCP | WCF with message encryption |
| Service port and service .NET TCP | 8003 | TCP | HP Security Manager Windows Service port and service .net tcp |

Table D-3 Port used from the Security Manager service to the database

| Service | Port | IP Protocol | Notes |
| --- | --- | --- | --- |
| MS SQL | 1433 | TCP | Standard database connection. Used from the Security Manager service to a remote SQL database. |

Table D-4 Port used from the device to the Security Manager service

| Service | Port | IP Protocol | Notes |
| --- | --- | --- | --- |
| HP Instant-On Security or hp-device-disc (IANA name) | 3329 | TCP | Uses SSL |

Table D-5 Port used from the Security Manager service to Email

| Service | Port | IP Protocol | Notes |
| --- | --- | --- | --- |
| Simple Mail Transfer Protocol | 25 | SMTP | Used to communicate to mail server if Automated Email feature is enabled. |

Table D-6 Port used from the Security Manager service to Certificate Authority

| Service | Port | IP Protocol | Notes |
| --- | --- | --- | --- |
| DCOM/RPC | 135 | TCP | Used between Security Manager service and CA server. |

Table D-7 Local ports used by the Security Manager service and the HP Print License Flexera Service

| Service | Port | IP Protocol | Notes |
| --- | --- | --- | --- |
| Flexera service | 27000 | TCP | Used between the Flexera service and HP Print License service. |

E More information

Learn how to find more help with HP Security Manager.

For more information about how to set up, configure, and/or use HP Security Manager, go to http://www.hp.com/go/securitymanager and click the Manuals tab.
