Skip to content

Remote Printing

Introduction

As of version 6.0.0, PLOSSYS Output Engine can be used to print jobs at remote sites.

Advantages:

  • central printer configuration at the main site
  • central logging
  • simple installation at remote sites
  • no IT infrastructure needed at remote sites
  • no separate PLOSSYS Output Engine at the remote site
  • no changes to the firewall at remote sites
  • no VPN needed
  • secure (authentication via API keys per default or client certificates)

The following picture shows part of the PLOSSYS infrastructure with the new remote site connection: Remote printing overview

Logging and PLOSSYS Administrator

When a job is printed on a remote site, the remote site's name appears in every log entry of this job, for example "remoteSite": "Inari".

Remote printers are marked with an R in PLOSSYS Administrator. Printer icon with an R next to it

Requirements

  • PLOSSYS Output Engine as of version 6.0.0
  • easyPRIMA
  • custom API keys or client certificates for each remote site

Main Site Configuration

Given the fact that the remote site is outside the companies firewall (on premise installation) or not in the cloud (cloud installation) a secure way of authenticating the remote site at the main site is crucial.

There are two alternatives for authentication. You can either use API key authentication (default) or client certificates authentication.

API Key Creation

You will get the custom API keys for the remote sites from your Project Engineer at SEAL Systems or you can create the API keys with PLOSSYS CLI.

The API key file will contain two sets of secrets per island (aka remote site): one for the island and one for the mainland. The file will also contain a general decryption secret used to decrypt API keys during authentication.

Example of an API key file

{
    "Inari": {
        "island": {
            "REMOTE_SITE": "Inari",
            "DECRYPTION_SECRET": "5063e3561b76ec1a545cfe957288e254276d37b7c66720ebbd65f519a0134fe3", 
            "IV": "c22c5c805241262da6bd9e451230e867",
            "ENCRYPTED_API_KEY": "25c80bd41288e2e4512a654275063e371b76ec1a5695545cfe60134fe326230edd37b7c667c22867220ebbd65f519ac5"
        },
        "mainland": {
            "IV": "86cca6b2020e8651234552412c2d7d9e",
            "ENCRYPTED_API_KEY": "4ebb519ac51063e371b288d65febd2a60427576ec1a5634545cfe60004fe326530edd37b7c667c628611282e45125c10"
        }
    },
    "Hoppu": {
        "island": {
            "REMOTE_SITE": "Hoppu",
            "DECRYPTION_SECRET": "76ec3e3661b76e672045cfe957286720276d7b7c678acebbd65fb49a01d4b28",
            "IV": "9e4512a65c80bd4126230edc5c228672",
            "ENCRYPTED_API_KEY": "15056bd65f51288e2e45519ac37b7c6612a6542554563e371b76ec1995c80bd4acfe4c1e326230edd7c22867220eb34f"
        },
        "mainland": {
            "IV": "a1cc5e8651234652a6b102412c9d7d0a",
            "ENCRYPTED_API_KEY": "3e34ebb519ac510671b288d6a60427576ec1a567c667c62834545cfe61204fe326530edd37b711282e45125c105febd2"
        }
    },
    "general": {
        "DECRYPTION_SECRET": "dbda0985b2e08a3c687a9b20f80bd837fe3650da1393508462ab0b8cae5ef4d"
    }
}

API Key Configuration

Using Consul

The following example describes the API key configuration via SEAL PLOSSYS CLI. Due to the complex nature of the AUTH_CLIENTS key, it might be better to use Consul instead.

Do not use a pipe | when entering data for AUTH_CLIENTS via Consul!

  1. Open a Command Prompt or PowerShell.

  2. Export the complete configuration of PLOSSYS Output Engine from Consul to a YAML file with the following command. So you're making sure, current configuration settings are being used.

    plossys config export <filename>.yml --insecure

  3. Edit the exported file .yml.

  4. In the env section, specify the following mandatory keys for the mainland-checkout service:

    • AUTH_CLIENTS: JSON. Array of remote sites. Each site has these subkeys:

      • REMOTE_SITE: name of the remote site as used for the API key generation
      • ENCRYPTED_API_KEY: mainland API key for the remote site
      • IV: mainland IV for the remote site

    • DECRYPTION_SECRET: general decryption secret

    ...
env:
  service:
    mainland-checkout:
      tag:
        any:
          AUTH_CLIENTS: |
            [
                {
                    "REMOTE_SITE": "Inari",
                    "ENCRYPTED_API_KEY": <mainland_encrypted_api_key_for_Inari>,
                    "IV": <mainland_IV_for_Inari>
                },
                {
                    "REMOTE_SITE": "Hoppu",
                    "ENCRYPTED_API_KEY": <mainland_encrypted_api_key_for_Hoppu>,
                    "IV": <mainland_IV_for_Hoppu>
                },
            ]
          DECRYPTION_SECRET: "dbda0985b2e08a3c687a9b20f80bd837fe3650da1393508462ab0b8cae5ef4d"
...

  5. Add optional keys as needed:

  6. Save the <filename>.yml file.

  7. Re-import it to Consul.

    plossys config import <filename>.yml --insecure

Client Certificates (Main Site)

As an alternative to Api Keys the remote sites can authenticate themselves against the main site with client certificates.

When issuing a client certificate for a remote site, the name of the remote site has to be used as the CN.

  1. Open a Command Prompt or PowerShell.

  2. Export the complete configuration of PLOSSYS Output Engine from Consul to a YAML file with the following command. So you're making sure current configuration settings are being used.

    plossys config export <filename>.yml --insecure

  3. Edit the exported file .yml.

  4. In the env section, specify the following mandatory keys for the mainland-checkout service:

    • AUTH_TYPE: cert, default: apiKey

    • CACERT: File name with full path of the certificate of the certification authority (CA) that issued the client certificates or the certificate content

  5. Save the <filename>.yml file.

  6. Re-import it to Consul.

    plossys config import <filename>.yml --insecure

  7. Continue with Printer Configuration

Printer Configuration

Creating a remote site printer is basically the same as creating a main site printer. The only difference is an additional key remoteSite.

  1. Create a queue for the remote printer in easyPRIMA.

  2. Set the IP address of the remote printer as Output Destination, for example 192.168.178.39.

  3. Move the queue parameter REMOTESITE from the HIDDEN to the PLOSSYS tab.Enter the name of the remote site.

    Remote site configuration

    No typos

    The name of the remote site has to be exactly the same as used to create the API keys and as specified in the mainland configuration.

    EasyPRIMA documentation

    As of version 1.10.1, easyPRIMA comes with a preconfigured REMOTESITE parameter for queues as described above. If you use an older version of easyPRIMA, add the parameter manually. For more information, refer to easyPRIMA, System Description, Chapter 12 Queue Data, Add Customer-Specific Parameters.

  4. Confirm with Apply.

  5. Export the data to PLOSSYS Output Engine.

  6. Continue with Remote Site Installation.

Remote Site Installation

The remote site installer provides the seal-island-checkout service and writes the connection details to the registry.

API Keys

  1. Download the installation file for the seal-island-checkout from the SEAL Systems delivery platform.

  2. Start the client installation.

    • Linux: If you have a YAML configuration file, save it as /opt/seal/etc/seal-island-checkout.yml. Execute the installer.

      Example of seal-island-checkout.yml

      env:
    SERVICE_URL: "http://localhost:3002"
    LOG_LEVEL: "debug"
    REMOTE_SITE: "Inari"
    MAINLAND_URLS: [MAINLAND_URLS]
    SERVICE_DISCOVERY: "cloud"
    TLS_UNPROTECTED: "world"
    DECRYPTION_SECRET: xxx
    ENCRYPTED_API_KEY: xxx
    IV: xxx

    • Windows: If you have a preconfigured *.mst file for the remote site, open a command line and execute the following command to start the installer:

      /i seal-island-checkout seal-island-checkout-x.x.x.x.msi TRANSFORMS=<island_configuration>.mst

      Otherwise start the installer by double-clicking it.

  3. Enter the connection data:

    • API Key: API key for the remote site (leave blank in case of client certificate authentication)
    • IV: IV for the remote site (leave blank in case of client certificate authentication)
    • Secret: decryption secret for the remote site (leave blank in case of client certificate authentication)
    • Urls: URL of the Output Engine system, accessible from the outside
    • Remote Site: name of the remote site

    If you used a configuration file, you only have to enter the Secret.

    No typos

    The name of the remote site has to be exactly the same as used to create the API keys and as specified in the mainland configuration.

    Remote site installation example

  4. Confirm with Next and start the installation with Install.

    Registry

    The installer stores the connection data in the registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\SEAL Systems\seal-island-checkout

    Registry entries for the seal-island-checkout service

  5. After the installation is finished, test the connection by clicking Open Monitor or calling https:\\localhost:3002 in your browser.

    Open monitor

Modifying the installation

When changing the seal-island-checkout on a Windows client using the Repair option, default values will be written into the registry instead of the changed data. To prevent that issue, uninstall the current client first, then install anew.

Repair or remove installation

Client Certificates (Remote Site)

  1. If authentication via client certificates is configured at the main site, the remote site needs a client certificate. When issuing a client certificate for a remote site, the name of the remote site has to be used as the CN.

  2. On the remote site the client certificate and the private key have to be provided via environment variables:

    • CLIENT_CERT: File name with full path of the client certificate or the certificate content
    • CLIENT_KEY: File name with full path of the private key belonging to the client certificate or the key content

  3. Download the installation file for the seal-island-checkout from the SEAL Systems delivery platform:

  4. Start the client installation. The fields API Key, IV and Secret can be left blank.

    No typos

    The name of the remote site has to be exactly the same as used to create the API keys and as specified in the mainland configuration.

  5. After the installation is finished, test the connection by clicking Open Monitor or calling https:\\localhost:3002 in your browser.

    Open monitor

Hint

SEAL Systems does not provide any support for distribution or management of these client certificates.

Modifying the installation

When changing the seal-island-checkout on a Windows client using the Repair option, default values will be written into the registry instead of the changed data. To prevent that issue, uninstall the current client first, then install anew.

Repair or remove installation

Update

... With No Changes

Normal updates can be done by the customer themselves:

  1. Download the installation file for the seal-island-checkout from the SEAL Systems delivery platform.

  2. Execute the installation file. The required fields are prefilled with the existing configuration.

... With Configuration Changes

If a remote site or parts of the security configuration have changed, the complete installation process has to be repeated:

  1. Main Site Configuration

  2. Printer Configuration

  3. Remote Site Installation

Modifying the installation

When changing the seal-island-checkout on a Windows client using the Repair option, default values will be written into the registry instead of the changed data. To prevent that issue, uninstall the current client first, then install anew.

Repair or remove installation

Back to top