News, tips, partners, and perspectives for the Oracle Solaris operating system
-
Technologies / Oracle Solaris 11
May 19, 2020
Migrating to Latest Printing Software on Oracle Solaris 11.4 SRU 21 and Higher
Guest Author: Martin Rehak
Oracle Solaris 11.4-SRU 21 and newer delivers a major update of the printing software:
- cups-2.3.1
- cups-filters-1.25.11
- ghostscript-9.27
- hplip-3.19.5
- gutenprint-5.2.13
Older Oracle Solaris versions were based on outdated CUPS-1.4.5 software.
What's new?
The most important changes:
- TLS/SSL support; policy settings in client.conf
- IPP Everywhere conformance including TLS/SSL support
- PDF filters is now a separate project and package
- PDF has changed the main document processing from PostScript to PDF
- Driver based PPDs are still functional, but are deprecated
- Raw queues are still functional, but are deprecated
While the core CUPS is developed and maintained by Apple Inc, the CUPS filters are maintained and delivered as part of the OpenPrinting project. Due to this change from the earlier, CUPS software is now delivered through 2 separate packages - cups and cups-filters.
Earlier, typically, all documents submitted for printing were converted to PostScript and handed off to the printer driver which then would convert the PostScript to a language that the printer understands. However, there are 2 major disadvantages to this approach:
- There is dependency on the printer driver being available for a given platform
- Performance penalty due to multiple format conversions
Nowadays, as most printers can understand and handle PDF, there is no need for either the conversions or a driver being available for the platform. This makes Printing platform independent and print processing faster.
Further, if your printer understands PDF, PostScript or PDF Raster Format, no conversion of the input document is required. All other formats are first converted to PDF and processed. Also, please NOTE that while support for printer drivers still exists, they are deprecated and the support for PPDs will be removed in a future release of CUPS software. And, the printer driver would be replaced by the IPP backend.
Likewise, Raw printer queues are still supported but are deprecated and the support will be removed in a future CUPS release. The reasons are similar to the driver oriented printing. It should be replaced by IPP backend.
As for Network Printing, the everywhere driver is mostly used for almost all modern network printers sold since 2009. It does not require a PPD file.
All CUPS server changes should be done either in Browser User Interface (by default port 631) or Command Line Interface. Manual configuration files editing is strongly discouraged. Generic CUPS settings can be changed using BUI in Administration->Server->Edit Configuration File. Printer queue administration changes can be done using BUI in Printers->queue->Administration or CLI using lpadmin and lpoptions tools. Printer queue maintenance can be done using BUI in Printers->queue->Maintenance or CLI using lpq, lprm and cancel tools.
Regularly updated Oracle Solaris should be secure by default. In case there is a need to set minimal TLS version CUPS client is using for communication with server you must manually add or change SSLOptions keyword in client configuration file. See client.conf(5) manual page for details.
What to expect after update?
To get all the new features you must update to Oracle Solaris to 11.4-SRU 21 or newer.
Post the update to Oracle Solaris 11.4 SRU 21 or later, some of the printer queues could stop working. The most probable reason is the device-uri change between updates. In such situation reconfiguration of the printer is necessary.
If you have a network printer which can talk IPP network protocol, but you have it configured as a local printer using direct backend (usb, serial, parallel, scsi), it is strongly advised that you reconfigure it to use IPP protocol.
Before update
In all cases you should list the existing printer queue configurations and queue options. You should save the information for case something goes wrong.
To list configuration of existing printer queues, please issue the lpstat command:
# lpstat -t scheduler is running system default destination: <printer> device for <printer>: <printer-device> <printer> accepting requests since Wed Apr 8 09:17:32 2020 printer <printer> is idle. enabled since Wed Apr 8 09:17:32 2020 ...
And lpoptions to get the configured printer queue options:
# lpoptions ... device-uri=socket://ip-address:port/ ... printer-info=driver ...
In case you have Trusted Extensions deployed on the system you must read the dedicated section below. After that you are ready to update.
Printer reconfiguration after update
Following steps shows how to reconfigure existing printer from Command Line Interface. Preferred method is to use BUI if possible.
From configuration point of view a printer can be categorized into following cases:
- HP (configured by hp-setup)
- non-HP (configured by lpadmin)
HP printers
For HP printers it is recommended to use hp-setup tool to configure your printer. It has an interactive mode. Please run:
hp-setup -i
And you are done.
Refer to its man page for more details.
Find device-uri
To find the printers available (visible) to CUPS use following command:
# lpinfo -v direct hal:///org/freedesktop/Hal/devices/pci_0_0/pci1458_5006_1d/hub_1/printer_5_printer_0 network dnssd://Hewlett-Packard%20PSC%20900%20Series._ipp._tcp.local/?uuid=848c9c3a-bc2a-39ef-52ba-485c08917fd7
URI returned is your device-uri.
If your network printer is not found by lpinfo you can form your device-uri manually.
In case your printer supports IPP protocol, your device-uri is:
ipp://hostname-or-ip:port/ipp/print ipp://hostname-or-ip:port/printers/name ipps://hostname-or-ip:port/ipp/print ipps://hostname-or-ip:port/printers/name
In case your printer supports AppSocket (JetDirect) protocol your device-uri is:
socket://hostname-or-ip
non-HP printers
The following command lists all drivers known to CUPS.
# lpinfo -m
You should find your model there. There could be more options. Start of the line in form <family>:/<ppd> is your <driver>.
Remove existing printer
# lpadmin -x <printer>
Add and configure new printer
# lpadmin -p <printer> -v <device-uri> -m <driver> -E -o <option1=value1> -o ...
Oracle Solaris with Trusted Extension enabled
To update a system with Solaris Trusted Extensions enabled, you would need to configure the Trusted system to have access to the pkg repository. Hence, you would need to add the Trusted IP and the port related to the pkg repository to your trusted configuration files. Trusted IPs are stored in the /etc/security/tsol/tnrhdb file and Trusted ports are configured in /etc/security/tsol/tnzonecfg file. Please refer to Oracle Solaris 11.4 Information Library and relevant Trusted Extensions entries for details.
Before the upgrade, you would also need to comment out the pam_dhkeys.so.1 entries in /etc/pam.d/other and /etc/pam.d/login files as they are no longer used, are part of the legacy code and thus, will not be installed. If you fail to comment out the entries, post the update, you would not be able to login to the system.
Time to pkg update.
Post the update, to allow ssh login to the trusted system, please re-enable allow_remote and allow_unlabeled options in the /etc/security/pam_policy/unix file as follows:
pam_config=/etc/security/pam_policy/unix perl -p -i.pretx -e 's/$/ allow_remote/ if(m/^(other\s+)?account\s+requisite\s+pam_roles\.so\.1\s*$/); s/$/ allow_unlabeled/ if(m/^(other\s+)?account\s+required\s+pam_tsol_account.so.1\s*$/)' $pam_config
Most of the printer configuration remains as-is and requires no change post the update. While the CUPS printer queues survive the upgrade, the job-sheets gets reset to none, and hence, requires you to set it to labeled value as follows:
lpoptions -p <printer_name> -o job-sheets=labeled,labeled
Once the above change is taken care of, your trusted system should print protected documents as expected.
Description of Trusted Printing changes
Due to the CUPS design changes, the original Trusted Printing had to be re-worked to deliver expected technology to the customer.
Trusted Printing does not leverage the new PDF based document processing in CUPS as that would imply PostScript banner/trailer page design change. New Trusted Printing delivers the functionality and preserves the design format. The files are at the same location as for older printing:
- /usr/share/cups/banners/labeled
- default banner description file
- /usr/lib/cups/filter/tsol_separator.ps
- main body of PostScript design
- /usr/lib/cups/filter/tsol_banner.ps
- PostScript to append when banner page is requested
- /usr/lib/cups/filter/tsol_trailer.ps
- PostScript to append when trailer page is requested
The mime type of the banner description file has been changed:
#LABELED-BANNER
In the rest of the file the following keywords are recognized:
- Template
- Its value is a path to the main body of PostScript design (tsol_separator.ps in cups-1.4.5).
- TemplateBanner (optional)
- Its value is a path to a file containing an additional PostScript appended to Template main body if the banner page (the first page) is requested.
- TemplateTrailer (optional)
- Same as for TemplateBanner, but for the trailer page (the last page).
Paths could be either absolute if they start with / character or relative to CUPS_DATADIR environment variable.
There is no Show keyword as all Trusted Printing recognized variables are available in the PostScript dictionary. Do not refer to them in case you don't need them. The job dictionary defines the following variables which can be referenced in the Template file:
Job_Printer Job_Host Job_User Job_JobID Job_Title Job_DoPageLabels Job_Date Job_Hash Job_Classification Job_Protect Job_Caveats Job_Channels Job_SL_Internal
Please refer to the commented Template design file (/usr/lib/cups/filter/tsol_separator.ps by default) for page layout and meaning of each variable.