4.10. Options

A tap on the Options button in the main menu shows a panel of options organized in sections. A tap on one of the sections expands (or collapses) the underlying details. Please see the sections below for a detailed description:

4.10.1. User Source

This section is about the configuration of external and internal user sources.

Figure 4.52. Admin Web App: Options - User Source


  • Tap the - button if you do not want to import users from an external source. Remember to enable the Internal Users feature if you want to acquire any user into the system.

  • Tap the Unix button if you want to import Unix user accounts defined on the SavaPage host.

  • Tap the LDAP button to import users from an existing LDAP domain. This includes OpenLDAP, Apple Open Directory, Novell eDirectory and Microsoft Active Directory. When this option is selected the LDAP connection data are shown.

  • Press the Apply button to commit the changes.

4.10.1.1. Unix

This option imports user accounts that are set up and defined on the local system as standard Unix accounts or mapped into the system from a central directory service such as LDAP via nsswitch.conf and PAM. Most large established Unix networks will support this option.

4.10.1.2. LDAP

LDAP (Lightweight Directory Access Protocol) directories usually store information about users and groups in an organization. One of the most common uses of LDAP is to provide single sign-on on a network that comprises multiple platforms and applications. When a network consists of Windows computers only, then an Active Directory domain can be used. But when there is a mix of Windows, Apple and GNU/Linux machines then LDAP can provide the single source of user, group and authentication information. (It is worth noting that both Active Directory and Novell eDirectory implement the LDAP protocol.)

SavaPage can use an LDAP directory for user authentication and as a source of user and group information. LDAP can either be enabled at installation time, or by changing the user source at this point. When enabling LDAP, a number of configuration settings must be specified to allow the application to connect to the LDAP server. Please ask your LDAP administrator what values to use for the various options.

Figure 4.53. Admin Web App: Options - User Source - LDAP


  • The Server Type determines which LDAP fields are used to get user and group information. Select one of the following server types that SavaPage supports out-of-the-box:

    However, it is easy to support other server types by adjusting the fields SavaPage uses for LDAP searches. This is discussed in Appendix I, Advanced LDAP Configuration.

  • Enter the hostname or IP address of the LDAP server at the Host prompt.

  • Enter the IP port of the LDAP server at the Port prompt. The value defaults to 389.

  • Tick the Use SSL checkbox to use an encrypted SSL connection to the LDAP server. The LDAP server requires SSL support to be enabled and should accept connections on the standard LDAPS port 636.

  • Enter the Base DN of the LDAP server at the Base DN prompt. This is the equivalent of the suffix config setting of the OpenLDAP server. For example, if the domain hosted by the LDAP server is domain.com then the Base DN might be: DC=domain,DC=com

    The format of the Base DN can differ significantly depending on the configuration. Some older Novell eDirectory installations may require a blank Base DN to operate. Some examples:

    DC=myorganization,DC=com
    DC=mycompany,DC=co,DC=uk
    OU=OrgUnit,DC=domain,DC=com
    DC=local

  • The Admin DN is the DN of the user who has permission to connect to and query the LDAP server. This is typically an administrative user, although it can be a user that only has read-only access to the LDAP server. An example of the DN of the Administrator user on a Windows AD domain "domain.com", would be CN=Administrator,CN=Users,DC=domain,DC=com. The exact format of the DN depends on the LDAP server. Some examples:

    • Microsoft Active Directory (in organizational unit)

      CN=administrator,OU=OrgUnit,DC=domain,DC=com
    • Apple Open Directory

      uid=diradmin,CN=users,DC=domain,DC=com
    • OpenLDAP

      uid=root,DC=domain,DC=com
      uid=ldapadmin,DC=domain,DC=com
    • Microsoft Active Directory

      CN=Administrator,CN=Users,DC=domain,DC=com
    • Novell eDirectory

      CN=root,DC=domain,DC=com
      CN=ldapadmin,OU=users,DC=domain,DC=com

  • The Admin password is the password for the administrator specified in the Admin DN above.

Tip

Some LDAP servers are configured to allow anonymous LDAP query access. In these situations, the Admin DN and Admin password may be left blank.

Figure 4.54. Admin Web App: Options - User Source - LDAP


In the LDAP fields for alternative authentication section, LDAP field names can be entered for the two alternative user authentication methods ID Number and Card Number, as described in Section 4.10.3, “User Authentication”. Field names are optional and can be left empty. The Card Format is relevant when the Card Number is specified. See Section B.1, “Card Number Format”.

Important

The ID and Card Number must each uniquely identify a user, so make sure that no two users have the same number. This means that the numbers defined in LDAP should be unique. If SavaPage encounters a non-unique ID or Card Number, that user will not be updated.

4.10.1.3. Internal Users

With the internal users feature you can directly manage users inside SavaPage. Enabling this feature removes the obligation to define an external User Source to create and manage Users. Of course you can enable this feature as an addition to an external source.

Figure 4.55. Admin Web App: Options - Internal Users


When Internal Users is selected an extra option appears where you can allow internal users to change their password. See Section 3.9, “User Details”.

Tip

Use the Server Command Tool to batch import internal users. See Section C.1.2, “addInternalUser”

4.10.1.4. Internal Groups

SavaPage has the ability to define internal user groups. Just like internal users these groups are internal to the SavaPage system. Internal groups are created in addition to groups already provided by the external user source and are useful in the following situations:

  • You have configured the system to import users from a source that does not support groups.

  • You do not have permission to create new groups in the user source.

  • You'd like to create small groups just for use within SavaPage and it's not appropriate to create a new group in the user source.

Internal Groups are defined in a plain text file and composed of members who are either synchronized from the external user source or who were created as internal users. A fully annotated template text file is present here:

/opt/savapage/server/data/conf/internal-groups.txt.tmpl

... copy this file to ...

/opt/savapage/server/data/conf/internal-groups.txt

... and start defining your groups.

Internal Groups are on an equal footing with their external counterparts and can be moved in and out of scope. See Section 4.5.3, “Add & Remove Groups”.

Warning

Internal Groups should have a name distinct from any groups defined in your external user source. In case of a name clash, the internal group takes precedence.

4.10.2. User Creation

This section is about the creation and synchronization of external users. Internal Users are created in the User Web App or with the Server Command Tool. See Section 4.4.3, “Create Internal User” and Section C.1.2, “addInternalUser”.

Figure 4.56. Admin Web App: Options - User Creation - Import


The Import users from group section holds an option to import a subset of users from the source by selecting a group. This option is relevant if you want to restrict access to SavaPage for a subset of external users.

Figure 4.57. Admin Web App: Options - User Creation - From Group


Caution

In Active Directory, user group membership comes in two flavors. It can either explicitly be assigned, or be implied by the user's Primary Group ID, i.e. the RID of the primary group the user is a member of. Because primary group membership is implicit, the Active Directory API will return an empty member attribute for this group. When users are explicitly assigned as members of groups the API will return group members as expected.

For example, because Active Directory sets the Primary Group ID of all users to the built-in Domain Users group, the Active Directory API will not report any members for the Domain Users group.

This issue is discussed in the following Microsoft Knowledge Base article: https://support.microsoft.com/kb/275523

Note

Active Directory supports an advanced feature called Nested Groups. This allows a group to have other groups as members. Since a sub-group can again have sub-group members, nesting can be several levels deep. When importing users from a group, SavaPage traverses the nested group tree to collect all contained users.
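The Caution and Note above can be checked against a directory export before choosing an import group. The following is an added example, not SavaPage code: it walks nested groups through the member attribute (surviving circular nesting) and then lists users who belong to those groups only through primaryGroupID. The directory content, DNs, SIDs and function names are constructed for illustration.

```python
# Added example with constructed data: which users does a walk over the
# "member" attribute miss because they belong to a group only through
# primaryGroupID?

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
BASE = "DC=domain,DC=com"

DOMAIN_USERS = f"CN=Domain Users,CN=Users,{BASE}"
PRINT_USERS = f"CN=Print Users,OU=Groups,{BASE}"
STAFF = f"CN=Staff,OU=Groups,{BASE}"
ALICE = f"CN=alice,CN=Users,{BASE}"
BOB = f"CN=bob,CN=Users,{BASE}"
CAROL = f"CN=carol,CN=Users,{BASE}"

# Constructed groups. "member" holds DNs of users or of nested groups.
GROUPS = {
    # Everyone's default primary group: "member" is empty.
    DOMAIN_USERS: {"objectSid": f"{DOMAIN_SID}-513", "member": []},
    PRINT_USERS: {"objectSid": f"{DOMAIN_SID}-1601", "member": [ALICE, STAFF]},
    # Staff nests Print Users again: a cycle the walk must survive.
    STAFF: {"objectSid": f"{DOMAIN_SID}-1602", "member": [BOB, PRINT_USERS]},
}

# Constructed users. carol's primary group was changed to Staff (RID 1602)
# and she has no explicit membership anywhere.
USERS = {
    ALICE: {"primaryGroupID": 513},
    BOB: {"primaryGroupID": 513},
    CAROL: {"primaryGroupID": 1602},
}


def rid_of(sid):
    """Return the relative identifier, the last component of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def nested_groups(group_dn, groups):
    """The group itself plus every group nested below it (cycle-safe)."""
    seen, stack = set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen or dn not in groups:
            continue
        seen.add(dn)
        stack.extend(m for m in groups[dn]["member"] if m in groups)
    return seen


def members_by_attribute(group_dn, groups, users):
    """Users reachable through explicit "member" values only."""
    return {
        m
        for g in nested_groups(group_dn, groups)
        for m in groups[g]["member"]
        if m in users
    }


def members_by_primary_group(group_dn, groups, users):
    """Users whose primaryGroupID equals the RID of the group or a nested group."""
    rids = {rid_of(groups[g]["objectSid"]) for g in nested_groups(group_dn, groups)}
    return {dn for dn, user in users.items() if user["primaryGroupID"] in rids}


def import_gap(group_dn, groups, users):
    """Users a member-attribute walk would not return for this group."""
    return members_by_primary_group(group_dn, groups, users) - members_by_attribute(
        group_dn, groups, users
    )


if __name__ == "__main__":
    for dn in (DOMAIN_USERS, PRINT_USERS):
        print(dn)
        print("  via member attribute :", sorted(members_by_attribute(dn, GROUPS, USERS)))
        print("  only via primary group:", sorted(import_gap(dn, GROUPS, USERS)))
```

A non-empty gap for the chosen import group means those accounts need an explicit membership, or a different import group, before they show up in a member-based listing.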

Figure 4.58. Admin Web App: Options - User Creation - Synchronize


The Synchronization section holds options for the external user synchronization process.

  • Tick the Update user details checkbox if you want to overwrite user details in the database with details from the source.

    Caution

    An external User will overwrite an internal User with the same user id: as a result the User will become external.

  • Select Import new users overnight to automatically synchronize daily at 10 minutes past midnight[13].

  • Press the Apply button to commit the changes.

Press the Synchronize now button to manually start a synchronization.

  • Tick the Delete users that do not exist in the selected source checkbox to (logically) delete users in the database that were removed from the source. Note that this checkbox is deselected again after each synchronization.

  • Feedback messages from the synchronization process are displayed in real time in the Messages section. Press the Clear button to remove them.

  • Use the Test button to check the effect of the synchronization without updating the database. Messages are shown with a "test" prefix.

Note

Disabled Active Directory users will not be imported by default. If you want to change this behavior you can set the value of configuration key ldap.disabled-users.allow to Y. See Section 4.10.15.10, “Config Editor” on how to change this value.

Tip

To delete all external users, select - as User Source and use Synchronize now with the Delete users option.

Caution

The SafePages of external users not present in the source are deleted.

Figure 4.59. Admin Web App: Options - User Creation - On Demand


On demand user creation specifies which events, apart from regular user synchronization, will ad-hoc create new external users in the database.

  • If the user associated with these events is not in the database, SavaPage will check if the user is part of the User Source and thereby a sure Synchronized User candidate. If so, it will ad-hoc synchronize the user into the database.

  • Select At first login to ad-hoc create a user when he successfully passes the SavaPage Login for the first time.

  • Select At first print to ad-hoc create a user when he prints to a SavaPage queue for the first time.

  • Press the Apply button to commit the selection.

4.10.3. User Authentication

This section describes the global defaults for User Authentication.

Figure 4.60. Admin Web App: Options - User Authentication


The Persistence section holds an option to persist authentication in Browser Local Storage. When enabled, a successful login to the SavaPage Web App will store an authentication token in the Local Storage[14] of the browser. When the user closes the browser after a successful login and opens it again, login will be automatic, without the need to authenticate again. Separate authentication tokens are held for the User and Admin Web App context. See Section 13.1.3, “Authentication Tokens”.

Note

The presence of an authentication token is essential for the iOS Web Clip to function, and is pure convenience in other environments.

When Browser Local Storage is disabled, authentication persistence is implemented with Web Sessions.

The PIN section holds the defaults for PIN usage.

When Trust User Client is enabled User Web App authentication is automatic when:

The NFC Card section holds the defaults for card swipe logins using a Local Card Reader or Network Card Reader.

  • With Require PIN enabled the user must also provide their associated PIN. This provides additional security for swipe card logins.

  • When the Self Association option is selected, users are allowed to swipe cards previously not used or registered. When swiping such an unregistered card, SavaPage will ask the user if he wants to associate the new card to his account. When the user agrees SavaPage will switch to User Name authentication. After successful authentication the new card will be registered, thereby replacing any previously associated card. This feature is available for User Web App Login only. See Section 3.1.5, “Card Self Association Dialog”.

Figure 4.61. Admin Web App: Options - User Authentication - Login Methods


In the Login Methods section several login methods can be activated. When a method is activated a detailed section is shown. Detailed sections are explained in:

Note

The globally active Login Methods can be overridden for a specific Terminal by defining Custom User Login settings.

Note

ID Numbers and NFC Card Numbers can be synchronized with an external source like LDAP, or imported from file.

4.10.3.1. Username Login

The Username login method allows a Person to use his regular username and password to login.

Figure 4.62. Admin Web App: Options - User Authentication - Username Login


If the Show in Dialog option is selected, the Username login method is part of the Login dialog. When this option is disabled this login can only be achieved by use of the login URL parameter. See Appendix E, URL Cheat Sheet.

4.10.3.2. ID Number Login

The ID Number login method allows a Person to use his identity number. Identity numbers are convenient when usernames are too long or cumbersome to enter. For example, rather than entering a username like steven.brown-002, it is more convenient to enter the employee or student ID Number 3624.

Figure 4.63. Admin Web App: Options - User Authentication - ID Number Login


If the Show in Dialog option is selected, the ID Number login method is part of the Login dialog. When this option is disabled this login can only be achieved by use of the login URL parameter. See Appendix E, URL Cheat Sheet.

When Mask input is set the ID Number will be masked when entered (like a password).

With Require PIN set the user must also provide their associated PIN. This provides additional security for ID Number logins.

4.10.3.3. Local NFC Card Login

The Local NFC Card login method allows a Person to login by swiping an NFC Card across a Local Card Reader.

Figure 4.64. Admin Web App: Options - User Authentication - Local NFC Card Login


If the Show in Dialog option is selected, the Local NFC Card login method is part of the Login dialog. When this option is disabled this login can only be achieved by use of the login URL parameter. See Appendix E, URL Cheat Sheet.

The Format of the card number must be specified. See Section B.1, “Card Number Format”.

Warning

This setting applies to any Local Card Reader hooked up to any device. If a card reader is used that produces a different format a Terminal definition with a Custom User Login needs to be created for the device the reader is hooked up to.

4.10.3.4. YubiKey Login

The YubiKey login method allows a Person to login with a YubiKey Token.

Figure 4.65. Admin Web App: Options - User Authentication - YubiKey Login


If the Show in Dialog option is selected, the YubiKey login method is part of the Login dialog. When this option is disabled this login can only be achieved by use of the login URL parameter. See Appendix E, URL Cheat Sheet.

Get the YubiKey API credentials from yubico.com, and enter them as configuration items.

Configuration Item                 Description
auth-mode.yubikey.api.client-id    The YubiKey API client ID.
auth-mode.yubikey.api.secret-key   The YubiKey API secret key.

Table 4.2. YubiKey Configuration Items


See Section 4.10.15.10, “Config Editor” on how to set these items.

4.10.3.5. Google Sign-In

With Google Sign-In for Websites users can log into SavaPage quickly and securely with their Google account.

Figure 4.66. Admin Web App: Options - User Authentication - Google Sign-In


The Hosted Domain is the G Suite hosted domain to which users must belong to sign in. When left empty, any valid Google account can log in. The following extra configuration items must be set:

Configuration Item           Description
auth-mode.google.client-id   Your Google Sign-In Client ID formatted as: YOUR_CLIENT_ID.apps.googleusercontent.com

Table 4.3. Google Sign-In Configuration Items


See Section 4.10.15.10, “Config Editor” on how to set these items.

4.10.3.6. Default Login

Figure 4.67. Admin Web App: Options - User Authentication - Default Login


Select the Login method that is displayed as default in the Login dialog.

Note

When Google Sign-In is activated, it makes no sense to select it as default, since doing so would have no impact on the appearance of the Login dialog.

4.10.4. Mail

This section holds the settings for outgoing mail.

Figure 4.68. Admin Web App: Options - Mail - SMTP


Enter the SMTP connection parameters:

  • The host name or IP address of the Host.

  • The IP port at Port. The standard SMTP ports are: 25 (insecure), 465 (SSL/TLS) and 587 (STARTTLS). The value defaults to 465 (SSL/TLS).

  • Select the connection security: - for an insecure connection, and STARTTLS[15] or SSL/TLS[16] for a secure connection.

  • Enter the User Name and Password if authentication is required.

Figure 4.69. Admin Web App: Options - Mail - Messages


The Messages section holds the sender and reply parameters used for email messages sent by the system:

  • Sender address : enter a valid email address representing the sender of the message.

  • Sender name : the name defaults to SavaPage.

  • Reply address : enter a valid email address the recipient can reply to.

  • Reply to name : the name to reply to.

Press the Apply button to commit the changes.

Figure 4.70. Admin Web App: Options - Mail - Test


Check if all mail parameters are valid by sending a test email.

  • Enter a valid email address to send a message To and press Test. Check the mailbox of the recipient to see if the message arrived.

4.10.5. PaperCut Integration

PaperCut is a popular print and copy management software product developed by PaperCut Software based in Melbourne, Australia. Some functions not present in PaperCut can be implemented with SavaPage as pre-processor and integrator. See Appendix M, PaperCut Integration.

When PaperCut Integration is enabled, connectivity parameters for the PaperCut Server (XML-RPC API) and PaperCut Database (JDBC) can be entered. Press the Apply button to commit the changes. Press the Test button to test the PaperCut connectivity: a message confirming the connection status is displayed.

Figure 4.71. Admin Web App: Options - PaperCut Integration


Figure 4.72. Admin Web App: Options - PaperCut Server


Figure 4.73. Admin Web App: Options - PaperCut Database


4.10.6. Smartschool Print

This section is shown when the Smartschool Print Module (deprecated) is enabled. The options are discussed in Section N.2, “Smartschool Print Options”.

4.10.7. Google Cloud Printer

Google Cloud Print™ (GCP) is a Google service by which any Cloud Print aware application (web, desktop, mobile), on any device connected to the cloud, can print to any remote printer connected to that cloud.

The service is agnostic about the abundant combinations of client devices and target printers, and clients do not need to install device drivers to get things going. However, documents need to be fully transmitted to the Google cloud first, before they can be printed.

GCP is part of Android and Chrome OS and is, apart from that, available on all mobile devices and desktops via Google Cloud Print enabled Web Apps[17].

Several hardware vendors have already integrated their solution with Google Cloud Print services so their printers can receive jobs from the Google cloud.

SavaPage joins their ranks with its own GCP integration, so it truly qualifies as a Google Cloud Ready Printer.

Note

Google Cloud Print maps to the reserved Queue /gcp.

4.10.7.1. Google Cloud Printer Registration

This section describes how to register the Google Cloud Printer just after you installed SavaPage.

Tip

During registration additional browser tabs and windows are opened. Therefore, it is more convenient to use a desktop browser during registration.

Figure 4.74. Admin Web App: Options - Google Cloud Print - Status


The top panel in this section shows the printer status with the following items:

  • Enable. A check-box indicating whether the Cloud Printer is enabled or not.

  • Printer. The name of the Cloud Printer.

  • Owner. The Google User acting as owner of the printer.

  • State. The state of the printer.

Initially the Printer name defaults to SavaPage, the Owner is unspecified and the State is Disabled.

Tap the name SavaPage to set the authenticated Google account.

A new browser tab opens with the Google Cloud Print home page for the authenticated Google User of the current browser session.

Make sure you are authenticated with the Google account meant for the Owner of the SavaPage Cloud Printer.

When not authenticated, Google invites you to Sign in to continue to Google Cloud Print. When already authenticated, log out from an existing Google account different from the intended owner, and tap the SavaPage name again.

Note

Although any Google account can be used as owner, we recommend creating a dedicated account to administer the Google Cloud Printer. A personal account is not convenient since it may be deleted or become out-of-date.

Go back to the SavaPage Admin Web App and press the Enable check-box to enable Google Cloud Printing.

A panel is shown for entering the Google OAuth credentials and Printer name. The credentials are needed by SavaPage to create and monitor the printer belonging to the owner. Although credentials from any Google account other than the one from the printer owner could be used, it is advised to use one and the same account. This track will assume this is the case.

Note

Cloud Ready Printer manufacturers normally use their own OAuth credentials for all printer registrations. For reasons of security and independence SavaPage lets you use your own credentials.

Press the Apply button to save the Enable setting.

Tap the link called Web Application Credentials to get the OAuth credentials.

This opens a new browser tab with the Google Developers Console of the Google account acting as printer owner (as authenticated in the previous step).

If this is a brand new account, follow Google's instructions to get started. When no API project is present, which will be the case for a new account, follow Google's suggestion to create a project.

Warning

Google's web site is subject to change, so instructions below might not exactly fit the labels you encounter. Just follow the logic and hook into the offered dialog.

At the newly created project:

  • Select the APIs & auth → Credentials option from the (left hand side) menu.

  • Select Create new Client ID in the OAuth section.

  • Select Web application as Application type (the other entry fields are irrelevant).

  • Press the Configure consent screen button.

Figure 4.75. Admin Web App: Options - Google Cloud Print - OAuth


Now that the Client ID for web application is created, copy the Client ID and Client secret from the Google console to the corresponding fields in the SavaPage panel.

Press the Register button.

A Google Cloud Printer confirmation window will pop-up.

Press the Finish printer registration button in the pop-up.

Registration is now complete, and you can close the pop-up window.

Press the Refresh button in the SavaPage status panel.

Notice that the Printer name and Owner have changed according to your registration, and that a new Online button has appeared. Press this button to make the printer available for printing (pressing the Offline button makes the printer unavailable again).

This finishes the registration of the Google Cloud Ready Printer.

Important

The Google Cloud Print Service parameters are stored in the file /opt/savapage/server/gcp.properties. Make a backup of this file now, and store it in a secure place, so you can restore it in case of a server crash or when you need to migrate to a new server.

4.10.7.2. Edit Google Cloud Printer

The Cloud Printer can be edited and consulted in the Google Cloud Print page, which can simply be accessed by tapping the Printer name in the Status panel. Several actions can be performed here like sharing, renaming or deleting the printer.

After a Rename of the Cloud Printer, you need to press the Offline and Online button if you want to see the new name in the Status panel.

A Delete of the printer will result in State Not found in the Status panel (press Refresh to update the panel if it does not show). At this point you need to Register again if you want to use Google Cloud Print.

You can Share the printer by inviting other Google users to use it.

4.10.7.3. Google Cloud Print User Registration

For a Person to use Google Cloud Print he must have a Google account. This account may be acquired privately, or provided via the Google Apps environment already present in your organization.

The Owner of the Cloud Printer must share the printer by inviting Google users. See Section 4.10.7.2, “Edit Google Cloud Printer”.

Tip

You may share the Cloud Printer with individual users by entering a list of Google email addresses. But you may also share printers with a Google Group. For example, you could set up a dedicated Google Group and share the printer to this group. A Google Group can be set up for users to self-register, but you may choose to moderate these registrations. Google provides mechanisms for users to request membership to a Google Group and for a moderator to accept or reject those requests.

A SavaPage Administrator must associate the Google account with the right SavaPage User. This is done in the User Edit dialog by making sure that the Google account is present as primary or secondary address. For example, John Brown may be known by his primary email address john.brown@example.com while one of his other email addresses matches his Google account john.brown@gmail.com.

Note that the primary email address of external users is synchronized from the User Source, and can be overwritten. So, be careful about using the primary email for a Google account, unless you know for sure that the Google account is part of the user source.

Tip

User email addresses can also be edited with the Server Command Tool. See Section C.1.16, “setUserProperties”.

4.10.7.4. User Notifications

In case the associated Google account (email address) of a Google Print Job cannot be matched with a SavaPage user, the job is canceled. You can opt to send an email to the user explaining the situation with instructions on how to proceed.

Figure 4.76. Admin Web App: Options - Google Cloud Print - Notifications


4.10.8. Mail Print

Mail Print is an implementation of Driverless Printing which allows users to print documents by mailing them to SavaPage. The email address from the sender is used to find the corresponding Person. See Section 11.1.14, “Mail Print Authentication”.

Note

Mail Print maps to the reserved Queue /mailprint.

Figure 4.77. Admin Web App: Options - Mail Print (IMAP)


Check the Allow user to mail documents to enable the Mail Print function. Then enter the IMAP connection parameters:

  • The host name or IP address of the Host.

  • The IP port at Port. The standard IMAP ports are: 143 (insecure), 993 (SSL/TLS) and 143 (STARTTLS). The value defaults to 993 (SSL/TLS).

  • Select the connection security: - for an insecure connection, and STARTTLS or SSL/TLS for a secure connection.

  • Enter the User Name and Password for the required authentication.

Important

The IMAP host must support the IDLE Command, which is a widely implemented standard extension to the core IMAP protocol. See RFC 2177.

Print jobs are read from the Inbox and moved to the Trash folder after processing. Enter the name of both folders:

  • Inbox : the name of the Inbox folder.

  • Trash : the name of the Trash folder.

Figure 4.78. Admin Web App: Options - Mail Print (Attachments)


Limit the print job size per email message by setting the Maximum attachment size (MB) and Maximum attachments. Use integers as value. Leave empty to allow unlimited size.

  • Press the Apply button to commit the changes.

  • Press the Test button to test the connection. A feedback message will be displayed with the result.

  • Use the flip-switch to turn the Mail Print service On and Off. Note that after disabling the service it is automatically turned Off.

Note

Because Mail Print is an open channel SavaPage does not reply to unknown users. This is unlike Google Cloud Print notifications, since incoming GCP jobs are from authorized users whose Gmail address is not yet known in SavaPage.

For uploaded file types that do not have a page size defined (HTML, TXT) the default paper size is used.

The Report Font is used for plain text files (TXT).

4.10.9. Web Print

Web Print is an implementation of Driverless Printing which allows users to print documents to SavaPage by simply uploading them from their User Web App. See Section 3.10, “Upload”.

Note

Web Print maps to the default Queue /webprint.

Figure 4.79. Admin Web App: Options - Web Print


Check the Allow user to upload documents to enable the Web Print function. Then enter the restriction parameters:

  • Limit the print job size by setting the Maximum document size (MB). Use an integer as value. Leave empty to allow unlimited size.

  • Enter IPv4 address ranges as a CIDR Set at IP addresses allowed to restrict upload based on the requesting IP address. If the field is empty all requesting IP addresses are allowed to upload.

4.10.10. Internet Print

Secure Driver Printing to SavaPage over public Internet is activated when port 443 of a public IP address is forwarded to port 8632 of the private intranet IP address of the SavaPage server. To authenticate the requesting user a special Printer URI format is used:

ipps://[host]/printers/internet/user/[number]/uuid/[uuid]

… where [host] is the public DNS name or IP address, and [number] and [uuid] are the ID Number and UUID of the user. See Section 4.4.2.4, “Card and ID”, Section 4.4.2.5, “UUID” and Appendix E, URL Cheat Sheet.
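A parser for the Printer URI format above, added here as an illustration and not taken from SavaPage. Because the URI carries the values that authenticate the user, it also masks the UUID before the URI is written to a log or ticket. The host, ID number and UUID in the sample are constructed; accepting any single path segment as ID number and only the canonical hyphenated UUID form are assumptions.

```python
import re
import uuid
from urllib.parse import urlsplit

# Path layout from the manual: /printers/internet/user/[number]/uuid/[uuid]
INTERNET_PRINT_PATH = re.compile(
    r"^/printers/internet/user/(?P<number>[^/]+)/uuid/(?P<uuid>[^/]+)$"
)


def parse_internet_printer_uri(uri):
    """Return (authority, number, uuid.UUID); raise ValueError if off-format."""
    parts = urlsplit(uri)
    if parts.scheme != "ipps":
        raise ValueError("scheme must be ipps")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.query or parts.fragment:
        raise ValueError("query and fragment are not part of the format")
    match = INTERNET_PRINT_PATH.match(parts.path)
    if match is None:
        raise ValueError("path does not match the Internet Print layout")
    raw_uuid = match.group("uuid")
    parsed = uuid.UUID(raw_uuid)  # raises ValueError on malformed input
    # uuid.UUID also accepts braces, 'urn:uuid:' and unhyphenated hex.
    # Assumption: only the canonical 8-4-4-4-12 form is expected here.
    if str(parsed) != raw_uuid.lower():
        raise ValueError("UUID is not in canonical form")
    return parts.netloc, match.group("number"), parsed


def redact(uri):
    """Keep the first UUID group for correlation and mask the rest."""
    authority, number, parsed = parse_internet_printer_uri(uri)
    masked = str(parsed)[:8] + "-****-****-****-************"
    return f"ipps://{authority}/printers/internet/user/{number}/uuid/{masked}"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = ("ipps://print.example.org/printers/internet/user/1234"
              "/uuid/2f1c9d2e-6a4b-4c3d-9e8f-0a1b2c3d4e5f")
    print(parse_internet_printer_uri(sample))
    print(redact(sample))
```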

Admin Web App: Options - Internet Print

Figure 4.80. Admin Web App: Options - Internet Print


Enter the protocol://authority of the Internet Printer Device URI as shown to users and press the Apply button to commit. When the value is left blank users won't be able to see their private Internet Printer Device URI. See Section 3.9.1, “Internet Printer”.

Important

Internet Print maps to the default Queue /internet. All print requests over public Internet will have the same remote IP address. To exclusively accept prints from Internet you should set the IP addresses allowed to this remote address. See Section 4.7.3, “Edit Queue”.

Caution

Beware that by enabling Internet Print the SavaPage Web Apps are also accessible over public Internet, so take extra care to protect access to these Apps. See Section 13.2, “Access over Internet”.
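A pre-check for an IP addresses allowed value, as used for Web Print uploads and for the /internet Queue, added here as an illustration and not SavaPage code. It reports the documented empty-field case, entries that do not parse and ranges broader than intended, and it refuses to evaluate a set with invalid entries so that a typo cannot silently become "allow all". The comma or whitespace separator, the rejection of host bits and all addresses used are assumptions or constructed values.

```python
import ipaddress


def parse_cidr_set(text):
    """Split a CIDR Set into IPv4 networks; return (networks, errors).

    Assumption: entries are separated by commas and/or whitespace.
    """
    networks, errors = [], []
    for token in text.replace(",", " ").split():
        try:
            # strict=True rejects entries with host bits set, e.g. x.x.x.35/24
            networks.append(ipaddress.IPv4Network(token, strict=True))
        except ValueError as exc:
            errors.append(f"{token}: {exc}")
    return networks, errors


def is_allowed(remote_ip, text):
    """Apply the documented rule: an empty field allows every address."""
    networks, errors = parse_cidr_set(text)
    if errors:
        # Fail closed instead of dropping bad entries and widening access.
        raise ValueError("invalid CIDR Set: " + "; ".join(errors))
    if not networks:
        return True
    addr = ipaddress.IPv4Address(remote_ip)
    return any(addr in net for net in networks)


def review(text, max_addresses=256):
    """Return findings to check before pressing Apply."""
    networks, errors = parse_cidr_set(text)
    findings = [f"invalid entry: {e}" for e in errors]
    if not networks and not errors:
        findings.append("empty field: every requesting IP address is allowed")
    for net in networks:
        if net.num_addresses > max_addresses:
            findings.append(
                f"broad range: {net} spans {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    # Constructed values: 192.168.1.1 stands for the single remote address
    # from which all forwarded Internet Print requests arrive.
    internet_queue = "192.168.1.1/32"
    print(is_allowed("192.168.1.1", internet_queue))   # forwarding address
    print(is_allowed("192.168.1.77", internet_queue))  # intranet client
    for value in ("", "192.168.1.35/24", "10.0.0.0/8"):
        print(repr(value), review(value))
```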

4.10.11. Proxy Print

Admin Web App: Options - Proxy Print General

Figure 4.81. Admin Web App: Options - Proxy Print General


The Maximum number of copies per job restricts the number of copies a user can select in the Print Job Settings. Enter a positive number.

The Maximum number of pages per job restricts the number of pages for proxy print jobs. A proxy print job that exceeds this maximum will be denied. Leave empty to allow unrestricted printing.

To enforce that input documents or pages are deleted after a proxy print, enable Delete pages after printing, and select one of the options below. Also see Section 3.4.4, “Print Job Settings”.

  • All documents: all input documents are deleted.

  • Selected documents: documents for which pages were printed are deleted.

  • Selected pages: all pages selected for printing are deleted.

Check the Allow Non-Secure Proxy Print option if you want to allow users to print to any enabled Proxy Printer from any device. You can optionally restrict non-secure printer access by entering a Proxy Printer Group.

Non-Secure means that users are able to initiate print jobs from locations (desktop, mobile device) remote from the actual printer. This implies that jobs will sit uncollected at the printer, at least for a while. In the meantime, prints containing sensitive information may be read by unauthorized eyes. Or jobs may be forgotten altogether, adding up to paper and toner waste.

Any printer that falls outside the non-secure printer pool must be secured by Terminal or Network Card Reader Devices that have a fixed position at the target printer. See Section 4.9.1.2, “Proxy Print Authentication” and Section 4.9.2.1, “Custom Proxy Print”.

Tip for further reading:

4.10.11.1. Proxy Print Modes

Admin Web App: Options - Proxy Print Modes

Figure 4.82. Admin Web App: Options - Proxy Print Modes


The expiration period for each Print Mode can be entered. See:

4.10.11.2. Proxy Print Delegation

Admin Web App: Options - Proxy Print Delegation

Figure 4.83. Admin Web App: Options - Proxy Print Delegation


In this section you can:

The Delegator Invoicing from PaperCut subsection offers an export of printing cost totals for delegators from selected Accounts within a time period. The result is a CSV file with a line for each delegator. Lines are ordered by user id and specify the cost total within the period and extra data like account and number of transactions per job type, like duplex/simplex, color/grayscale, page format A4, A3, etc. See PaperCut User Prints.

Tip for further reading:

4.10.12. Eco Print

Eco Print is a filter that converts PDF pages to images for eco-friendly proxy printing. The result, including ink and toner savings, is comparable to Ecofont. There is a difference though. While Ecofont uses True Type Font technology at the start of the print chain (document editing), SavaPage Eco Print uses bitmap technology at the end of the chain. Eco Print intelligently punches holes in all non-white areas of the PDF version of a document, just before proxy printing, downloading or emailing it.

Since Eco Print processes bitmap patterns it is font agnostic and therefore can handle all font types. And, as an extra, it punches graphics along the way. Contrary to Ecofont, which is a non-free Windows only solution, Eco Print is a Libre solution that works for all client platforms since filtering is performed server side.

Warning

The downside of ad-hoc filtering is performance. Eco Print takes about 3 seconds per page (i5 processor, 300 DPI), but is done unobtrusively in the background and need only be done once per PDF document, since the result is cached. Anyhow, Eco Print is not suitable for very large documents.

4.10.12.1. Eco Print Examples

A few Eco Print examples are depicted below.

Plain Print:

Eco Print:

Eco Print magnified:

Eco Print Graphics:

4.10.12.2. Eco Print Settings

Admin Web App: Options - Eco Print

Figure 4.84. Admin Web App: Options - Eco Print


Check the Allow users to Eco Print to enable the Eco Print function. Then specify:

  • A Proxy Printing Discount Percentage (integer) to be applied to proxy printing costs as specified for any Proxy Printer. See Section 4.8.2, “Edit Proxy Printer”.

  • The Maximum document size (pages) for automatic filtering. In this example the value of 1 means that any document printed to SavaPage with 1 page is automatically filtered in the background. A value of 3 will automatically filter incoming documents of 3 pages or less. A value of 0 disables this automatism.

  • The Resolution DPI of the Eco Print page image.

4.10.13. Financial

This section holds the options for SavaPage Financial.

4.10.13.1. Currency Code

Admin Web App: Options - Financial - Currency

Figure 4.85. Admin Web App: Options - Financial - Currency


The ISO 4217 currency code of the financial subsystem can be entered here during installation. When the application status is ready-to-use the code can only be changed by using a Server Command. See Section C.1.4, “changeBaseCurrency”.

4.10.13.2. General Financial Options

Admin Web App: Options - Financial - General

Figure 4.86. Admin Web App: Options - Financial - General


General options are:

Note

SavaPage stores financial amounts with a precision of 6 decimals.

4.10.13.3. Point-of-Sale

Admin Web App: Options - Financial - POS

Figure 4.87. Admin Web App: Options - Financial - POS


These are the options for the Point-of-Sale:

  • Payment methods: see Section 6.1, “Deposit”.

  • Receipt header text: this typically contains a legal text placed in the Receipt header.

4.10.13.4. Vouchers

Admin Web App: Options - Financial - Vouchers

Figure 4.88. Admin Web App: Options - Financial - Vouchers


These are the options for the Voucher System:

  • Header: the header text of the voucher card.

  • Footer: the footer text of the voucher card.

  • Font: the font used for the PDF Document with vouchers. See Section 14.2, “Internal Fonts”.

  • You need to explicitly Allow users to redeem vouchers.

4.10.13.5. Transfer Funds

Admin Web App: Options - Financial - Transfer funds

Figure 4.89. Admin Web App: Options - Financial - Transfer funds


These settings apply to the Transfer Credit dialog in the User Web App. Check the options to Allow users to transfer funds to other users and to Allow users to add comments to manual transfers.

The minimum and maximum amount to transfer are held in the configuration items financial.user.transfers.amount-min and financial.user.transfers.amount-max. They can be changed with the Configuration Editor.

4.10.14. Backups

The Backups section shows the backup location and time of the last backup.

Admin Web App: Options - Backups

Figure 4.90. Admin Web App: Options - Backups


  • Press the Backup now button to launch the backup process in the background. The progress and result of the process are not echoed in real time in this section, but can be monitored in the Real-time Activity section of the Dashboard.

Admin Web App: Options - Automatic Backups

Figure 4.91. Admin Web App: Options - Automatic Backups


The Automatic Backups section holds options for creating weekly snapshots of the database.

  • Tick the Enable automatic weekly backups checkbox to enable the process[18].

  • The number of days a backup should be kept must be entered at Keep backups for.

  • A purge of old log data, executed after the backup, can be activated by selecting the Delete older than checkboxes for Application Logs, Document Logs and Transaction Logs. Please enter the number of days the logs should be held.

  • Press the Apply button to commit the changes.

4.10.15. Advanced

4.10.15.1. User Client Authentication

The User Client uses the system account name of the user to identify itself to the SavaPage server. In a strict Single Sign-On (SSO) environment, where a user is already logged in and authenticated as domain user, the system account name can be trusted by default. In environments where non-domain systems are allowed, local accounts are not authenticated by domain services, and therefore cannot be trusted.

Admin Web App: Options - Advanced - User Client

Figure 4.92. Admin Web App: Options - Advanced - User Client


User Client uses the system account name as user identification (unless overridden by a command line option).

  • When Trust system user is enabled the User Client will trust the system account name.

  • When Trust system user is disabled the User Client will pop-up a login dialog to authenticate the user, unless the following trust sources are available:

    • When Trust User Web App is enabled and the user is already authenticated in a User Web App on the same IP address, User Client will trust the Web App user as user identification.

    • When an administrator uses the secret Admin passkey in the start-up script it will enforce trust of the offered user identification. See Chapter 7, User Client.

  • Press the Apply button to commit the change.

4.10.15.2. Admin Password

The Reset internal admin password section is the place to change the master password for the built-in admin account.

Admin Web App: Options - Advanced - Reset Admin Password

Figure 4.93. Admin Web App: Options - Advanced - Reset Admin Password


  • Enter the new password twice at New password and Confirm password.

  • The password must contain the same minimum number of characters as defined for Internal Users. See Section 4.4.3, “Create Internal User”.

  • Press the Apply button to commit the change.

Caution

Keep the new password in a secure place, since it is the master key to your system.

4.10.15.3. JMX Agent

SavaPage runs in a Java Virtual Machine, which has built-in instrumentation that enables client applications to monitor and manage it with the help of Java Management Extensions (JMX). SavaPage configures the built-in JMX agent for remote monitoring, so it can be securely accessed by remote client management applications, such as Java VisualVM or JConsole.

This section shows the JMX remote process connection string, and enables you to reset the admin connection password.

Admin Web App: Options - Advanced - JMX Agent

Figure 4.94. Admin Web App: Options - Advanced - JMX Agent


Java VisualVM is the standard Java JMX client that was first bundled with the Java Development Kit (JDK) version 6, update 7. It can be found in JDK_HOME/bin, where JDK_HOME is the directory where the JDK is installed.

If JDK_HOME/bin is in your system path, you can start Java VisualVM by simply typing jvisualvm in a command (shell) prompt. Otherwise, you have to type the full path to the executable file.

Since SavaPage enforces SSL for remote JMX communication, jvisualvm needs to be started with two special parameters referring to the Java truststore, holding the trusted SSL certificate, and the truststore password.

The shared client directory /opt/savapage/client/jmx contains the JMX server certificate jmxremote.crt, a ready to use jmxremote.ts truststore, and a sample GNU/Linux and Mac shell script jmxremote.sh and Windows command file jmxremote.cmd to start jvisualvm with the right parameters.

Note

The password of the provided jmxremote.ts truststore is: savapage. Of course you are free to import jmxremote.crt into your own truststore and use it with your own password.

Add JMX Connection with Java VisualVM

Figure 4.95. Add JMX Connection with Java VisualVM


Add a new JMX Connection and enter the IP address and port number of the Connection as shown in the JMX Agent section. In our case this would be 192.168.1.35:8639.

Enter the Username admin and the Password as set in the JMX Agent section above. Press the OK button to save the connection and start it from the Java VisualVM Applications pane.

Older JDK versions have JConsole as standard JMX client. If you want to use JConsole, copy and edit the scripts in /opt/savapage/client/jmx so jconsole is used instead of the default jvisualvm.

Connecting to Remote Process with JConsole

Figure 4.96. Connecting to Remote Process with JConsole


When starting JConsole it prompts you to enter the parameters for the New Connection. Select the Remote Process option and enter the IP address and port number as shown in the JMX Agent section, in our case this would be 192.168.1.35:8639.

Enter the Username admin and the Password as set in the JMX Agent section above. Press the Connect button to open the connection.

More information about the JMX configuration can be found in Section 13.5, “Secured JMX Connection”.

4.10.15.4. Locale

Enter the System Locale string at the Locale section.

Admin Web App: Options - Advanced - Locale

Figure 4.97. Admin Web App: Options - Advanced - Locale


  • The format of the locale conforms to IETF BCP 47.

  • Some examples are: en, en-GB, en-US, nl, nl-NL, nl-BE.

  • You can leave the locale empty to accept the system default.

  • The locale is applied to all system messages which are logged in the system log or sent by email.

  • Press the Apply button to commit the change.

Note

This system locale is not used for the language and country default used in the Web App. The Web App default is picked up from the locale settings of the Web browser, optionally overruled by the language and country URL parameters. See Appendix E, URL Cheat Sheet.

4.10.15.5. Default Paper Size

The Default Paper Size is used as the paper size for the printed document of a Printable File Type which itself does not have a document structure with a clearly defined page size. These types typically include HTML, TXT and images offered via Web Print and Mail Print. Choose Letter or A4, or accept the system default.

Admin Web App: Options - Default Paper Size

Figure 4.98. Admin Web App: Options - Default Paper Size


See Section 2.4.1, “Set Default Paper Size” on how to set the system default.

4.10.15.6. Report Font

The Report Font is used as default font for all PDF reports.

Admin Web App: Options - Default Paper Size

Figure 4.99. Admin Web App: Options - Default Paper Size


See Section 14.2, “Internal Fonts”.

4.10.15.7. Converters

Converters are used to convert files offered for printing via Web Print or Mail Print to PDF. This is the place to enable the converters. For installation see:

Admin Web App: Options - Converters

Figure 4.100. Admin Web App: Options - Converters


When Enable multiple services is checked, the LibreOffice converter acts as multi-threaded load-balancing service for easy upscaling of conversion throughput. The configuration items that determine the behavior of this service are summarized in the table below. The defaults will work fine in most situations. By adding extra soffice.connection.ports you can enhance conversion throughput, as long as hardware resources permit.

Warning

Tuning LibreOffice configuration values is an advanced task. Please consult your SavaPage Community Representative about which values give the best performance in your situation. Then use the Configuration Editor to change the defaults.

| Configuration item | Description |
|---|---|
| soffice.home | The LibreOffice home location. When empty, a probe to likely candidates is performed to retrieve the location. Default: empty. |
| soffice.profile.template-dir | When empty, a temporary profile directory is created for each UNO connection process with its own default settings. Otherwise, this configuration item must provide a profile directory containing customized settings. This template directory will be copied to the temporary profile. Default: empty. |
| soffice.connection.ports | A comma/space separated list of TCP/IP ports to localhost LibreOffice (UNO) connection instances to be launched by SavaPage. Default: 2002,2003 |
| soffice.connection.restart-task-count | The number of executed tasks after which a UNO connection is restarted. When 0 (zero) the connection is never restarted. Default: 200 |
| soffice.task.queue-timeout-msec | Wait time (milliseconds) for a UNO connection to become available for task execution. Default: 10000 |
| soffice.task.exec-timeout-msec | Wait time (milliseconds) for a conversion task to complete. Default: 20000 |
| soffice.respond.retry-msec | Retry interval (milliseconds) for host process to respond. Default: 250 |
| soffice.respond.timeout-msec | Wait time (milliseconds) for host process to respond (after retries). Default: 30000 |
| soffice.start.retry-msec | Retry interval (milliseconds) for host process to start. Default: 1000 |
| soffice.start.timeout-msec | Wait time (milliseconds) for host process to start (after retries). Default: 120000 |

Table 4.4. LibreOffice Configuration items


4.10.15.8. SafePages

This section contains advanced options regarding encrypted PDF and the expiration of SafePages input documents.

Admin Web App: Options - Advanced - Proxy Printing

Figure 4.101. Admin Web App: Options - Advanced - Proxy Printing


  • Allow Encrypted PDF for Proxy Printing holds the policy as described in Section 10.7, “Printing Encrypted PDF”. The option is enabled by default. Disable it if you do not endorse the policy: this will ignore every SavaPage print job request holding an encrypted PDF document.

  • When Delete documents at Web App logout is checked all print-in documents are deleted when the user logs out.

  • Document expiration time manages the input document life cycle. Any document older than the number of entered minutes is considered expired and will be automatically deleted. For instance, a value of 1440 will delete the SafePages document 24 hours after it was printed. The expiration time is shown in the Document Details dialog. The user is notified by pop-up after an expired document is auto-deleted. User action is required to close the pop-up. This way we are sure the user noticed the delete and his expectation is set right. When a user logs out and logs in again after some time, expired documents will be auto-deleted to begin with, but the user will not be notified of this event.

  • Use the Expiration time signal value to signal the user when expiration is due. For instance, a value of 15 will mark the document thumbnails with a clock icon in a colored (orange) footer, 15 minutes before expiration. This will alert the user, so he can do some last minute actions on old documents.

  • Press the Apply button to commit the changes.

4.10.15.9. Pagometers

In analogy with the term Odometer, the term Pagometer is coined as an instrument to count the number of processed pages of SavaPage input and output documents. Pagometers are used to display usage statistics and Printing Impact from a global viewpoint as in the Dashboard, or in specialized views for User and Users, Queues and Proxy Printers. The counters can be reset in the Reset Pagometers section.

Admin Web App: Options - Advanced - Pagometers

Figure 4.102. Admin Web App: Options - Advanced - Pagometers


  • Tick the checkboxes of the pagometers to reset.

  • Press the Apply button to execute the action.

4.10.15.10. Config Editor

Most of the SavaPage configuration settings can be edited in dedicated sections of the Admin Web App. However, many extra settings are present without an editing interface. Luckily a generic Configuration Editor is available for editing individual configuration items, so the defaults of "hidden" settings can be changed when needed.

Warning

If you use the Config Editor incorrectly, you may cause serious problems which can only be fixed by re-installation of the application. Use the Config Editor at your own risk.

Tap the Configuration Editor (advanced) button to start the editor. See Figure 4.103, “Admin Web App: Configuration Editor - List” for a detailed description.

Admin Web App: Configuration Editor - List

Figure 4.103. Admin Web App: Configuration Editor - List


  • All configuration items are listed alphabetically by default with their name and value. Secret values are encrypted and shown as ******** in the list, see Section 13.6, “Encrypted Secrets”.

  • Push the Select and Sort button to expand (collapse) the section.

  • The list can be traversed by tapping one of the buttons at the pager at the top or bottom of the page.

  • Select items by entering the containing text (fragment) of their name. So, entering "ldap" will select "auth.ldap.port" and "ldap.schema.group-member-field".

  • The list can be sorted Ascending or Descending on name.

  • Tap the Apply button to (re)display the list.

  • A tap on the Default button resets the selection and sort field to their default values.

  • Tap the Edit button to edit the item. See Figure 4.104, “Admin Web App: Configuration Editor - Edit”.

Admin Web App: Configuration Editor - Edit

Figure 4.104. Admin Web App: Configuration Editor - Edit


  • The value of the item is shown in the entry field and can be edited. Secret values are shown decrypted.

  • Press the OK button to commit the change and return to the list.

  • The Cancel button brings you back to List without changing anything.



[13] Overnight user synchronization takes place according to the default CRON expression "0 10 0 * * ?" contained in configuration key schedule.daily. See Section 4.10.15.10, “Config Editor” on how to change this value.

[14] Local Storage is a W3C standard and stores data in the browser with no expiration date. The data will not be deleted when the browser is closed, and will be available the next day, week, or year.

[15] STARTTLS is a way to take an existing insecure connection, and upgrade it to a secure connection using SSL/TLS.

[16] SSL and TLS both provide a way to encrypt the communication between a client and a server computer. TLS is the successor to SSL and the terms SSL and TLS are used interchangeably.

[17] A list of Web Apps that work with Google Cloud Print can be found at https://www.google.com/cloudprint/learn/apps.html.

[18] Default weekly backups take place at 20 minutes past midnight on Sunday morning, as in the CRON expression "0 20 0 ? * 1" contained in configuration key schedule.weekly. See Section 4.10.15.10, “Config Editor” on how to change this value.