Watermarking/Job Annotation

Watermarking is a feature that allows a small portion of text to be written to the bottom (or top) of every page. Watermarking is a powerful and flexible feature. Typical uses of watermarking include:

Watermark text is defined by the PaperCut administrator and can be applied to printers individually. Print scripting makes it possible to change watermarks dynamically (see Chapter 17, Advanced Scripting). Watermarks may contain substitution variables allowing the insertion of document metadata such as date/time, username, document name, etc.

A typical watermark is shown the picture immediately below. This watermark uses the %user%, %date% and %signature% substitution variables described in the Substitution Variables section.

An example watermark using variables

Figure 7.15. An example watermark using variables

Important

Watermarking is a new feature that uses advanced printer techniques that can be implemented differently by each device manufacturer. Please report any problems that you may experience to our support team for investigation.

Typical Uses

  1. Owner Identification. Add the username to each page so it is easy to find the owner (e.g. uncollected print jobs).

    Suggested Watermark: Printed by %user%

  2. Student Assignments. Add the username and time of printing to each page. This will help teachers match up student work and help students prove that assignments were delivered on time.

    Suggested Watermark: Printed by %user% at %date% on printer %printer%

  3. Tracking an Organization's Physical Documents. Add a sequentially allocated number to every document printed. This number is a document-level Bates number (http://en.wikipedia.org/wiki/Bates_numbering). It is recorded in the PaperCut NG database and is useful for organizing document trails.

    Suggested Watermark: Document No.: %bates% composed of %pages% pages

  4. Identification and Source Tracking. Add a unique and secure digital signature to each document. This can be used to verify the origin and generation details of a document. (Note: see Digital Signatures in Detail section below if security is required).

    Suggested Watermark: %signature%

  5. Protecting Value of Documents. The copy protection aspects of watermark signatures described above can be used to protect valuable documents where royalties apply.

    Suggested Watermark: Copyright ABC Corporation. All rights reserved. Document Signature: %signature%

  6. Behavioral Change. The cost of each print job is added to the bottom of each page. This gives the user immediate feedback on the cost of their printing.

    Suggested Watermark: The cost of this print job is: %cost%

Tip

To configure watermarking based on the user (e.g. a user's group membership) or job attributes, consider the Advanced Scripting feature. Advanced Scripting allows the watermarking to be enabled/disabled and the watermarking text to be adjusted to meet any need. See Chapter 17, Advanced Scripting for more details.

Requirements

Watermarking is currently available for printers using PostScript and PCL5 drivers. You should ensure that the printer driver uses the PostScript or PCL5 language rather than PCL6 or GDI languages. This can be verified by observing the word Postscript or PCL5 in the Job Log as shown in the screenshot below.

Print Job Log showing the PostScript metadata

Figure 7.16. Print Job Log showing the PostScript metadata

On Windows systems, if the language lists as EMF then you will need to turn off "Advanced Printing Features" as described in the section called “Troubleshooting”.

Enabling Watermarking

Watermarking is enabled in a printer’s Printer DetailsAdvanced Configurationsettings via the options Apply watermarks to all pages.

Enabling watermarking in the Admin Console

Figure 7.17. Enabling watermarking in the Admin Console

Options

Text is the text that will be printed on the watermark. It is possible to use macro substitution variables such as %user% and %date%. Substitution variables are described in the Substitution Variables/Macros section below.

Gray level determines how dark or light the text will appear. Medium is the default. Light should be just viewable.

Font size determines the watermark text size.

Position can be bottom left of page, top left of page, or custom. Custom is intended for advanced situations where some tweaking is required due to differences in page printable area. Custom positions are specified as the distance from the left of the page and distance from the bottom of the page in millimeters.

Substitution Variables/Macros

FieldDescription

%user%

The name (username) of the user that printed the document.

%user_id%

The user's ID code.

%user_full_name%

The full name of the user that printed the document.

%user_email%

The email address of the user that printed the document.

%date%

The date/time that the document was printed. The date is formatted in according the locale of the server. An example of a %date% is 12/12/2010 3:12:37 PM.

%document%

The name of the document that printed.

%server%

The server name that is hosting the printer that printed the print job.

%printer%

The name of the printer where the print job was printed.

%client_ip%

The IP address of the workstation the job was sent from.

%client_machine%

The name of the workstation that sent the print job.

%job_id%

The PaperCut NG job id of the job.

%copies%

The number of copies of the document that was printed.

%cost%

The cost of the print job.

%pages%

The total number of pages in the print job.

%bates%

A sequentially incrementing number based on a Bates Numbering (http://en.wikipedia.org/wiki/Bates_numbering) scheme. All pages in the document are stamped with the same number. The number is recorded as a signature in the print log.

%signature%

A unique secure digital signature (in text form) generated via an MD5 HMAC. The signature is recorded in the print log. See Digital Signatures in Detail (Advanced) below for technical details.

%digest%

A unique digital signature (in text form) generated using an MD5 of various document attributes.

%sig_md5%

Same as %signature%.

%digest_md5%

Same as %digest%.

%sig_sha1%

Same as %signature% but based on the SHA1 message digest algorithm.

%digest_sha1%

Same as %digest% but based on the SHA1 message digest algorithm.

Table 7.3. Substitution Variables/Macros

Restrictions and Limitations

To ensure a document that has a unique single signature, only one digital signature macro should be used in a watermark. The digital signature macros are:

  • %bates%

  • %signature%

  • %sig_md5%

  • %sig_sha1%

Digital Signatures in Detail (Advanced)

Signature Algorithm

PaperCut NG document digital signatures are generated using a cryptographic technique called an HMAC (http://en.wikipedia.org/wiki/HMAC). This works by taking various print job attributes such as print time, username, printer name and document name and combining them with a secret key. The result is then passed through a digest algorithm such as MD5. The resulting signature is unique to the document. The secret key portioning ensures that it is not possible to predict a signature. Two message digest algorithms are available: MD5 And SHA1. In our opinion MD5 will be secure enough for print job signature applications, however for cryptographic completeness SHA1 is provided as an option. Using MD5 makes it easier to enter keys to find matching print jobs because the signatures are shorter.

Note

The algorithm used is:

  • Digest = Hash(date time || username || server name || printer name || document name || event id)

  • Signature = Hash(Digest || Key)

where

  • key is a random string generated on first use and stored in the config key "print.signature.hmac-key" and hash is either MD5 or SHA1.

  • date time is formatted in ISO 8601 basic format from year to second ("yyyyMMddTHHmmss"). The time is local time (not UTC). E.g. "20100130T141059"

Verifying a Signature

If a document is located, say due to an information leak, the signature can be used to track down the print event details such as the originating user, time of print, and other details. This is done as follows:

  1. Printers -> Job Log

  2. Expand the filter section

  3. Enter the signature in the signature signature field.

  4. Press Apply. The matching job should list.

For example, the following screenshot shows how to search for the print job with signature b608c7a39f08643768051217f2f5315a in the job log.

Searching job log for signature b608c7a39f08643768051217f2f5315a

Figure 7.18. Searching job log for signature b608c7a39f08643768051217f2f5315a

Troubleshooting

Watermarking requires print jobs to be printed in PostScript or PCL5 format. If your document is printing in EMF you may be able to print in PostScript or PCL5 by following the procedure listed in the EMF section below. For all other drivers please see the section called “PCL6 and Other Printer Languages”.

EMF

On Windows systems, if the printer language for a job lists as EMF then you will need to turn off "Advanced Printing Features". Disabling this option will cause print jobs to be rendered into their printer language on the client side. Enabling it can result in rendering on the server side, which is usually unwanted.

Job Log showing an EMF job

Figure 7.19. Job Log showing an EMF job

You can do this by following these steps:

  1. On the print server, navigate to: StartControl PanelPrinters[right-click printer]PropertiesAdvanced

  2. Turn off (disable) the option Enable advanced printing features.

  3. Test printing and check the printer language to ensure that it is now PostScript or PCL5.

You can read more about this setting on the Microsoft website at: http://support.microsoft.com/?kbid=268093.

PCL6 and Other Printer Languages

If the printer language for a job is listed as a language other than PostScript or PCL5, such as PCL6, then the printer may also support PostScript or PCL5. Please check the printer manufacturer's website download page for details.

Job Log showing a PCL6 job

Figure 7.20. Job Log showing a PCL6 job

Updating Printer Drivers

When updating printer drivers, it is important to update the printer drivers on both the client and the server.