News, tips, partners, and perspectives for the Oracle Solaris operating system

Migrating to Latest Printing Software on Oracle Solaris 11.4 SRU 21 and Higher

Guest Author: Martin Rehak

Oracle Solaris 11.4 SRU 21 and newer deliver a major update of the printing software:

  • cups-2.3.1
  • cups-filters-1.25.11
  • ghostscript-9.27
  • hplip-3.19.5
  • gutenprint-5.2.13

Older Oracle Solaris versions were based on outdated CUPS-1.4.5 software.

What's new?

The most important changes:

  1. TLS/SSL support; policy settings in client.conf
  2. IPP Everywhere conformance including TLS/SSL support
  3. CUPS filters are now a separate project and package
  4. The main document processing format has changed from PostScript to PDF
  5. Driver based PPDs are still functional, but are deprecated
  6. Raw queues are still functional, but are deprecated

While the core CUPS is developed and maintained by Apple Inc, the CUPS filters are maintained and delivered as part of the OpenPrinting project. Because of this change, CUPS software is now delivered as 2 separate packages: cups and cups-filters.

Previously, all documents submitted for printing were typically converted to PostScript and handed off to the printer driver, which then converted the PostScript to a language that the printer understands. There are 2 major disadvantages to this approach:

  1. There is dependency on the printer driver being available for a given platform
  2. Performance penalty due to multiple format conversions

Nowadays, as most printers can understand and handle PDF, there is no need for the conversions or for a driver to be available for the platform. This makes printing platform-independent and print processing faster.

Further, if your printer understands PDF, PostScript or PDF Raster Format, no conversion of the input document is required. All other formats are first converted to PDF and then processed. Please note that while printer drivers are still supported, they are deprecated, and support for PPDs will be removed in a future release of the CUPS software. The printer driver will be replaced by the IPP backend.

Likewise, raw printer queues are still supported but are deprecated, and support for them will be removed in a future CUPS release. The reasons are similar to those for driver-oriented printing. They should be replaced by the IPP backend.

As for network printing, the everywhere driver is used for almost all modern network printers sold since 2009. It does not require a PPD file.

All CUPS server changes should be made through either the Browser User Interface (BUI, port 631 by default) or the Command Line Interface (CLI). Editing configuration files by hand is strongly discouraged. Generic CUPS settings can be changed in the BUI under Administration->Server->Edit Configuration File. Printer queue administration can be done in the BUI under Printers->queue->Administration or from the CLI using the lpadmin and lpoptions tools. Printer queue maintenance can be done in the BUI under Printers->queue->Maintenance or from the CLI using the lpq, lprm and cancel tools.

A regularly updated Oracle Solaris should be secure by default. If you need to set the minimum TLS version that the CUPS client uses to communicate with the server, you must manually add or change the SSLOptions keyword in the client configuration file. See the client.conf(5) manual page for details.
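One way to check an existing client configuration file against a required minimum TLS version. This is an added example, not part of the original post or of CUPS; the keyword names (MinTLS1.x, MaxTLS1.x, AllowRC4, AllowSSL3) are taken from client.conf(5) for CUPS 2.3, and the file path and required version are passed in by the caller.

```shell
#!/bin/sh
# Added example: audit SSLOptions lines in a CUPS client.conf.
# Keyword names follow client.conf(5) for CUPS 2.3; confirm on your system.

# audit_client_conf FILE MIN_MINOR
#   FILE       client.conf to inspect (location is the caller's choice)
#   MIN_MINOR  required TLS 1.x minor version, e.g. 2 for TLS 1.2
# Prints one finding per line, or "ok" when nothing is flagged.
audit_client_conf() {
    awk -v need="$2" '
        BEGIN { need += 0 }
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) != "ssloptions" { next }    # directive names ignore case
        {
            seen = 1; min = -1
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt == "allowrc4" || opt == "allowssl3") {
                    print NR ": legacy option " $i; bad = 1
                } else if (opt ~ /^mintls1\.[0-9]$/) {
                    min = substr(opt, 9) + 0
                } else if (opt ~ /^maxtls1\.[0-9]$/ && substr(opt, 9) + 0 < need) {
                    print NR ": " $i " caps TLS below 1." need; bad = 1
                }
            }
            if (min < 0) {
                print NR ": no MinTLS keyword, built-in minimum applies"; bad = 1
            } else if (min < need) {
                print NR ": minimum TLS 1." min " is below 1." need; bad = 1
            }
        }
        END {
            if (!seen) print "no SSLOptions line, built-in minimum applies"
            else if (!bad) print "ok"
        }
    ' "$1"
}

# Stand-alone use: sh audit.sh /path/to/client.conf [minor]
if [ $# -ge 1 ]; then
    audit_client_conf "$1" "${2:-2}"
fi
```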

What to expect after update?

To get all the new features you must update Oracle Solaris to 11.4 SRU 21 or newer.

After the update to Oracle Solaris 11.4 SRU 21 or later, some of the printer queues could stop working. The most probable reason is a device-uri change between updates. In that situation the printer must be reconfigured.

If you have a network printer that can talk the IPP network protocol, but you have it configured as a local printer using a direct backend (usb, serial, parallel, scsi), it is strongly advised that you reconfigure it to use the IPP protocol.

Before update

In all cases you should list the existing printer queue configurations and queue options, and save this information in case something goes wrong.

To list the configuration of existing printer queues, issue the lpstat command:

# lpstat -t
scheduler is running
system default destination: <printer>
device for <printer>: <printer-device>
<printer> accepting requests since Wed Apr  8 09:17:32 2020
printer <printer> is idle.  enabled since Wed Apr  8 09:17:32 2020
...

Use lpoptions to get the configured printer queue options:

# lpoptions
... device-uri=socket://ip-address:port/ ... printer-info=driver ...
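The saved lpstat text can be turned into a migration worklist and compared with the same listing taken after the update. The following is an added example, not part of the original post; the function names and the class labels (direct, no-tls, tls, other) are hypothetical, and it reads only the "device for <queue>: <uri>" lines of saved `lpstat -t` or `lpstat -v` output.

```shell
#!/bin/sh
# Added example: work from saved `lpstat -t` / `lpstat -v` text. Only lines of
# the form "device for <queue>: <uri>" are read.

# queue_uris FILE -> "<queue> <uri>", sorted by queue name
queue_uris() {
    awk '$1 == "device" && $2 == "for" {
        q = $3; sub(/:$/, "", q); print q, $4
    }' "$1" | sort
}

# classify_queues FILE -> "<queue> <scheme> <class>"
#   direct  usb/serial/parallel/scsi, the backends the article singles out
#   no-tls  ipp:// and socket://, which do not require TLS
#   tls     ipps://
classify_queues() {
    queue_uris "$1" | awk '{
        scheme = $2; sub(/:.*/, "", scheme)
        if (scheme ~ /^(usb|serial|parallel|scsi)$/) class = "direct"
        else if (scheme == "ipps") class = "tls"
        else if (scheme == "ipp" || scheme == "socket") class = "no-tls"
        else class = "other"
        print $1, scheme, class
    }'
}

# changed_queues BEFORE AFTER -> queues whose device-uri changed or vanished
changed_queues() {
    { queue_uris "$1" | sed 's/^/B /'; queue_uris "$2" | sed 's/^/A /'; } | awk '
        $1 == "B" { old[$2] = $3; next }
        { cur[$2] = $3 }
        END {
            for (q in old)
                if (!(q in cur)) print q, "missing"
                else if (old[q] != cur[q]) print q, "changed", old[q], "->", cur[q]
        }' | sort
}

# Stand-alone use: one file classifies, two files compare.
if [ $# -eq 1 ]; then classify_queues "$1"
elif [ $# -eq 2 ]; then changed_queues "$1" "$2"
fi
```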

If you have Trusted Extensions deployed on the system, you must read the dedicated section below. After that you are ready to update.

Printer reconfiguration after update

The following steps show how to reconfigure an existing printer from the Command Line Interface. The preferred method is to use the BUI if possible.

From a configuration point of view, printers fall into the following cases:

  • HP (configured by hp-setup)
  • non-HP (configured by lpadmin)

HP printers

For HP printers it is recommended to use the hp-setup tool to configure your printer. It has an interactive mode. Please run:

hp-setup -i

And you are done.

Refer to its man page for more details.

Find device-uri

To find the printers available (visible) to CUPS, use the following command:

# lpinfo -v
direct hal:///org/freedesktop/Hal/devices/pci_0_0/pci1458_5006_1d/hub_1/printer_5_printer_0
network dnssd://Hewlett-Packard%20PSC%20900%20Series._ipp._tcp.local/?uuid=848c9c3a-bc2a-39ef-52ba-485c08917fd7

The URI returned is your device-uri.

If your network printer is not found by lpinfo, you can form your device-uri manually.

If your printer supports the IPP protocol, your device-uri is one of:

ipp://hostname-or-ip:port/ipp/print
ipp://hostname-or-ip:port/printers/name
ipps://hostname-or-ip:port/ipp/print
ipps://hostname-or-ip:port/printers/name

If your printer supports the AppSocket (JetDirect) protocol, your device-uri is:

socket://hostname-or-ip

non-HP printers

The following command lists all drivers known to CUPS.

# lpinfo -m

Your model should be listed there, possibly more than once. The start of the matching line, in the form <family>:/<ppd>, is your <driver>.

Remove existing printer
# lpadmin -x <printer>
Add and configure new printer
# lpadmin -p <printer> -v <device-uri> -m <driver> -E -o <option1=value1> -o ...

Oracle Solaris with Trusted Extension enabled

To update a system with Solaris Trusted Extensions enabled, you need to configure the Trusted system to have access to the pkg repository. To do so, add the Trusted IP and the port of the pkg repository to your trusted configuration files. Trusted IPs are stored in the /etc/security/tsol/tnrhdb file and Trusted ports are configured in the /etc/security/tsol/tnzonecfg file. Please refer to the Oracle Solaris 11.4 Information Library and the relevant Trusted Extensions entries for details.

Before the upgrade, you also need to comment out the pam_dhkeys.so.1 entries in the /etc/pam.d/other and /etc/pam.d/login files. They are no longer used, are part of the legacy code, and will therefore not be installed. If you fail to comment out the entries, you will not be able to log in to the system after the update.
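One way to find and comment out the active entries while keeping a backup of each file. This is an added example, not part of the original post; the function names and the .pre-update backup suffix are hypothetical, and the functions act only on the files passed as arguments.

```shell
#!/bin/sh
# Added example: operates only on the files named on the command line.

# active_dhkeys FILE... -> uncommented pam_dhkeys.so.1 lines as "file:line:text"
# (/dev/null is added so grep always prints the file name)
active_dhkeys() {
    grep -n '^[^#]*pam_dhkeys\.so\.1' "$@" /dev/null
}

# comment_out_dhkeys FILE...
#   Keeps FILE.pre-update as a backup, rewrites FILE in place (same inode and
#   permissions), and returns non-zero if an active entry is still present.
comment_out_dhkeys() {
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip: $f not found" >&2; continue; }
        cp -p "$f" "$f.pre-update" || return 1
        sed 's/^\([^#]*pam_dhkeys\.so\.1\)/#\1/' "$f.pre-update" > "$f" || return 1
    done
    if active_dhkeys "$@" >/dev/null 2>&1; then return 1; fi
    return 0
}

# Stand-alone use only lists active entries; nothing is modified:
#   sh dhkeys.sh /etc/pam.d/other /etc/pam.d/login
if [ $# -ge 1 ]; then
    active_dhkeys "$@"
fi
```

Run the listing again after the edit and before starting pkg update; it should print nothing.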

Time to pkg update.

After the update, to allow ssh login to the trusted system, re-enable the allow_remote and allow_unlabeled options in the /etc/security/pam_policy/unix file as follows:

pam_config=/etc/security/pam_policy/unix
perl -p -i.pretx -e 's/$/ allow_remote/ if(m/^(other\s+)?account\s+requisite\s+pam_roles\.so\.1\s*$/); s/$/ allow_unlabeled/ if(m/^(other\s+)?account\s+required\s+pam_tsol_account\.so\.1\s*$/)' "$pam_config"

Most of the printer configuration remains as-is and requires no change after the update. While the CUPS printer queues survive the upgrade, the job-sheets option is reset to none, so you must set it back to the labeled value as follows:

lpoptions -p <printer_name> -o job-sheets=labeled,labeled

Once the above change is taken care of, your trusted system should print protected documents as expected.

Description of Trusted Printing changes

Because of the CUPS design changes, the original Trusted Printing had to be reworked to deliver the expected technology to the customer.

Trusted Printing does not leverage the new PDF-based document processing in CUPS, as that would require a change to the PostScript banner/trailer page design. The new Trusted Printing delivers the functionality and preserves the design format. The files are in the same locations as in the older printing software:

/usr/share/cups/banners/labeled
  default banner description file
/usr/lib/cups/filter/tsol_separator.ps
  main body of PostScript design
/usr/lib/cups/filter/tsol_banner.ps
  PostScript to append when banner page is requested
/usr/lib/cups/filter/tsol_trailer.ps
  PostScript to append when trailer page is requested

The mime type of the banner description file has been changed:

#LABELED-BANNER

In the rest of the file the following keywords are recognized:

Template
  Its value is a path to the main body of PostScript design (tsol_separator.ps in cups-1.4.5).
TemplateBanner (optional)
  Its value is a path to a file containing additional PostScript that is appended to the Template main body if the banner page (the first page) is requested.
TemplateTrailer (optional)
  Same as for TemplateBanner, but for the trailer page (the last page).

Paths are either absolute, if they start with the / character, or relative to the CUPS_DATADIR environment variable.

There is no Show keyword, as all variables recognized by Trusted Printing are available in the PostScript dictionary; simply do not reference the ones you do not need. The job dictionary defines the following variables, which can be referenced in the Template file:

Job_Printer
Job_Host
Job_User
Job_JobID
Job_Title
Job_DoPageLabels
Job_Date
Job_Hash
Job_Classification
Job_Protect
Job_Caveats
Job_Channels
Job_SL_Internal

Please refer to the commented Template design file (/usr/lib/cups/filter/tsol_separator.ps by default) for page layout and meaning of each variable.
