ControlSuite ClientsUnified ClientsUnified Clients OverviewKofax Unified Client for LexmarkPrepare to deploy the Unified Client for LexmarkEquitrac configurationDCE pinning

DCE pinning

DCE pinning services are used to reduce a man-in-the-middle attack (MITM) and provide additional security by pinning your client to a specific DCE that belongs to your configuration for the duration of that configuration.

This additional security is achieved through certificate pinning where you are bound to the DCE using the certificate that the DCE provides upon connection and use it to validate the trust of subsequent communications with that server.

When the DCE certificate pinning setting is set to True, if you point the device to a new DCE, you must run the Uninstall, then Install and Configure actions in DRS.

Possible failures

You may receive connection failures if the following occurs:

  • Failure to create JavaKeystore (JKS) for any reason (example: HDD issues).
  • Failure to write to the JKS for any reason (example: corrupt file, HDD issues).
  • Invalid certificate is provided by the DCE (MITM server, DCE has changed its certificate sometime after).

  • The device time and server time are not synchronized.

Recovery

Validate if the DCE you are unable to connect to has the same certificate (since your initial client application configuration) to eliminate a possible MITM attack.

To recover from connection issues related to DCE pinning that are not related to hardware failures (HDD):

  • Perform an Update Configuration action for a new configuration using the DRS, or
  • Perform an Install and Configure action.
    A new configuration means that either a DCE endpoint has changed (IP, FQDN) or DCE endpoints have been added or removed from the list.

To reset DCE pinning, if the certificate is expired, updated, or regenerated, use the Uninstall and Install and Configure actions in DRS.