How It Works

Note: This page is intended as a brief overview of Link for Android Mobile. Please refer to the documentation and example apps in the SDK package (available on the Download page) for more details. When implemented as shown in the SDK example apps, Link Services will handle all of the complex interactions with devices on your network, including device discovery and selection, device reservation, and secure communications.

 

 

This page covers the following topics:

 

The HP JetAdvantage Link Services Package

The HP JetAdvantage Link Services package (Link Services) lets you integrate secure scanning (with metadata) and printing over the local network into your existing Android mobile app (a.k.a. a remote app). Your remote app uses the Link library to access the scanning and printing functions of a device through the HP JetAdvantage Link Services package.

SDK Installation and Setup

Developing JetAdvantage Link applications requires installation of the following prerequisites:

To use the Link API, you must import the JetAdvantage Link library (the JetAdvantageLinkLib-<target>.aar located in the Libs folder of the SDK) and compile the project.

After downloading the SDK from the Downloads page and unzipping the SDK to your hard drive:

  1. Select the File drop-down menu, then select New Module from the New menu to open the New Module.
  2. Select Import .JAR/.AAR Package and press Next.
  3. Click the browsing button, and select JetAdvantageLinkLib.aar from the JetAdvantage Link SDK Libs folder.
  4. Press Finish, and wait for Gradle Sync completion.

 

 

Method of Operations

Device Discovery and Selection

When requested by your app, Link Services will search for compatible devices on the local WiFi network and/or WiFi Direct. It will list the discovered devices and prompt the user to choose the device they want to use.

Note: WiFi Direct searches will list all HP devices, even those that may not actually support Link for Mobile. WiFi network searches will list only HP devices that actually support Link for Mobile.

Device Reservation

When your app wants to scan/print using the selected device, it uses Link Services to get a UIContext. Link Services will attempt to reserve that device for exclusive use by your app. 

Link Services will verify that the device is idle. If the device is in use by another app or walkup user, the reservation will fail and your app must retry later. (Note: If the device is currently printing jobs from the network, the current jobs will be allowed to finish.)

The Link Services will also verify that your app is trusted to be used with the device (see the Configuring a Device to Trust Your App section below). If your app is not trusted by the device, retrying will not help.

If the device is configured to control user access (see the Configuring a Device to Control User Access section below), Link Services will facilitate user authentication through your app (your app must prompt the user for a PIN or username & password) and verify that the user is allowed to use the device with your app.

If all checks succeed, your app will be given a Context Object and the device will be reserved for exclusive use by your app. Your app will use its Context Object to scan and print using the reserved device.

When reserved, a screen will be displayed on the device's front panel to alert any walkup users: 

 

 

Note that a walkup user always has the option to cancel your app's reservation. You must handle this possibility in your app.

Secure Communications

Link Services uses HTTPS for all communications from the phone/tablet to the device. To protect data in transit from man-in-the-middle attacks, it is recommended that apps turn on server (device identity) certificate validation. However, most devices ship from the factory with self-signed identity certificates, so this may not be possible in all cases. Therefore, apps should allow users to choose. (Note: HP JetAdvantage Security Manager can be used to issue and install CA rooted device identity certificates to devices.)

For printing, Link Services uses the internet printing protocol (IPP) over HTTPS. So please follow the recommendation above regarding server (device identity) certificate validation.

For scanning, Link Services will facilitate the custom encryption (using your app's public and private keys) and transfer (over plain HTTP) of the scan and metadata files from the device to your app. This way, no other app or network-based entity will be able to decrypt them.

 

Installing Link Services on your Android Mobile Phone/Tablet

Install HP JetAdvantage Link Services from the Google Play Store here.

 

The Remote App Security Model

Link for Android Mobile uses PKI technologies to enable the following remote app security features:

  • Enable device administrators to choose the remote apps allowed to be used with their devices
  • Enable device administrators to choose which remote users to allow to use their devices with those apps
  • Enable the remote app and the device to securely exchange scan and print data across the local network

This will require you to generate a PKI private key and a public certificate.

The private key will be held by your application, and the same key needs to be shared by all installations of your application. Due to its sensitive nature, you must ensure it is kept secret. The links below may provide some suggestions, but you are ultimately responsible for maintaining the secrecy of your app's private key.

You must distribute the public key to your customers (device administrators) in the form of a public certificate. Please follow your internal IT/Security policies for the creation and distribution of certificates to your customers.

 

Generating Your App's Private Key and Public Certificate

Your public certificate will hold not only your app's public key, but also its name (used for user interfaces on the device) and its GUID (used to uniquely identify your app on every device). You can generate a GUID using any tool you wish. (Note: For comparison purposes, devices will handle GUIDs as case-sensitive strings, meaning "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" != "AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA".)

This section describes how to generate a private key and self-signed public certificate using OpenSSL. Note that other tools can be used.

Please refer to http://www.openssl.org/ for additional information on how to install, set up, and use OpenSSL. (Please note that the openssl version used in this example is above 0.9.8.)

Generate a private key and self-signed certificate as follows:

A: Create a directory called “RemoteAppCertificate” under your home folder.

B: Change to the “RemoteAppCertificate” directory in your command prompt.

C: Edit the “[ req_distinguished_name ]” section of the openssl configuration file (openssl.cnf) as follows:

Ensure that it has “title” and “pseudonym” fields. By default, they may not be present, so you may need to add them as shown here:

Note: You will be prompted for the actual values for your app in step F below.

D: To make sure that openssl refers to the correct openssl.cnf file, you can set the config file path in the Windows command prompt as shown below. (A similar option should be available on Linux.)

>set OPENSSL_CONF=[path-to-OpenSSL-config-file]\openssl.cnf

E: Create a 2048-bit key to be used when creating your certificate

>openssl genrsa -des3 -out certificate.key 2048

You will be asked to supply a pass phrase for certificate.key. The pass phrase will be requested whenever you use this key, so make sure you remember it.

This will create a file called “certificate.key”, containing your app's private key.

F: Create a self-signed certificate as shown below

>openssl req -new -x509 -sha256 -days 4000 -key certificate.key -out certificate.cer

You will be asked to enter a pass phrase. Make sure you enter the pass phrase used in Step E.

You will then be asked to provide the Common Name (your app's GUID), Title (your app's name), and Package Name.

For example:

The output certificate will be generated in “certificate.cer”.

Note: The self-signed public certificate obtained above will be imported into the device so that the device can trust your app.

G: Generate a .PFX file / PKCS#12 certificate

>openssl.exe pkcs12 -export -in certificate.cer -inkey certificate.key -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -out certificate.pfx

You will be asked to enter a pass phrase. Make sure you enter the pass phrase used in Step E.

You will also be asked to supply an export password. Provide accordingly.

This will create your app's “certificate.pfx” private certificate file containing the private key.

Note: This private key has to be shipped/bundled along with the app as part of the PKI infrastructure.
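
Steps C through F can also be run without prompts and the result checked before the certificate goes to a device administrator. The following is an added example, not part of the HP SDK or its documentation: a POSIX shell script that generates the key and certificate from a private config file, then confirms the subject fields and that the key belongs to the certificate. It assumes OpenSSL is on the PATH and that the “pseudonym” field carries the package name; the GUID, names and pass phrase are constructed sample values, and -aes256 is used in place of -des3.

```shell
#!/bin/sh
# Added example (not from the SDK). GUID, names and pass phrase are constructed.
# The pass phrase is read from $KEY_PASS so it never appears on a command line.

# make_app_cert <dir> <guid> <app-name> <package-name>
make_app_cert() (
    umask 077    # key and config are created readable by the owner only
    cd "$1" || exit 1
    # Steps C-D: a private config, so the system openssl.cnf stays untouched.
    # Assumption: pseudonym is the field that holds the package name.
    cat > openssl.cnf <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
commonName = $2
title = $3
pseudonym = $4
EOF
    # Step E, with AES-256 swapped in for the page's -des3.
    openssl genrsa -aes256 -passout env:KEY_PASS -out certificate.key 2048 \
        2>/dev/null || exit 1
    # Step F: self-signed certificate carrying the three subject fields.
    openssl req -new -x509 -sha256 -days 4000 -config openssl.cnf \
        -key certificate.key -passin env:KEY_PASS -out certificate.cer
)

# cert_field <cert> <long-field-name>: print the value of one subject field.
cert_field() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n "s/^ *$2 *= *//p"
}

# key_matches_cert <key> <cert>: succeed only if both hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run in a throwaway directory.
KEY_PASS='constructed-demo-passphrase'; export KEY_PASS
demo=$(mktemp -d)
make_app_cert "$demo" 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa' \
    'Sample Scan App' 'com.example.scanapp'
echo "CN (GUID): $(cert_field "$demo/certificate.cer" commonName)"
echo "title:     $(cert_field "$demo/certificate.cer" title)"
echo "pseudonym: $(cert_field "$demo/certificate.cer" pseudonym)"
key_matches_cert "$demo/certificate.key" "$demo/certificate.cer" &&
    echo "key matches certificate"
```

Because devices compare GUIDs as case-sensitive strings, compare the printed Common Name byte for byte with the GUID your app uses.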

Configuring a Device to Trust Your App

To configure a device to trust your remote app, follow these steps:

A. Check the list of compatible devices to be sure your device supports the Link platform
B. Upgrade the device to the latest firmware
C. Install your app's public certificate using the device's EWS as follows:

  1. Sign in
  2. Navigate to the Security Tab
  3. Navigate to the Manage Remote Apps page
  4. Click on the Choose File button in the Add Remote App Certificates section of the page
  5. Select your app's public certificate
  6. Click the Import button
  7. View your app's information in the Registered Remote App Certificates section of the page

 

Configuring a Device Web Proxy Exception

As described above, scan data is sent securely from the device to the mobile/tablet using HTTP.

If your device is configured to use a Web Proxy, you may need to configure it with an exception to ensure that local network HTTP connections do not go through the Web Proxy. For example, if your local network IP addresses start with 192.168, you will need to add 192.168.* to the Web Proxy Exception List.

You can find instructions for configuring the Web Proxy here.

 

Configuring a Device to Control User Access

To configure a device to control remote access by users of your app, follow these steps using the EWS:

  1. Sign in
  2. Navigate to the Security Tab
  3. Navigate to the Access Control page
  4. Scroll down to view your app's information in the Remote Apps section of the page and configure the desired access control settings, including the sign-in method

Note: Only Local Device (PIN), LDAP (username and password), and Windows (username and password) sign-in methods can be used to authenticate remote users.