Version / Revision: V1.0 / R1
For: Nethserver 7RC

Skill: Intermediate Users
Published: 2016-11-29
Review: 2016-00-00

Contact: Nethserver community forum, robb

SavaPage is a Libre Print Management Solution that uses Open Standards and Commodity Hardware for Secure Pull-Printing, Pay-Per-Print, Tracking and Tracing and PDF Creation that functions on top of CUPS.

SavaPage has all the functions of a regular Print Management System, and more. Including Pay-Per-Print, Secure Follow-Me Printing, Tracking & Tracing, PDF Creation, LDAP (Active Directory) Integration, NFC Authentication, On-line Payments (Credit Cards, Bank Accounts, Bitcoin), Point-of-Sale Payments, Prepaid Print Cards, etc…

SavaPage is a Print Server deployed on a central GNU/Linux system. Any workstation or device that supports the Internet Printing Protocol (IPP) or IP Printing (JetDirect), like Windows, Mac and GNU/Linux workstations, can use SavaPage printers. Mac OS X and iOS devices can use AirPrint® [2]. Android and Chrome OS devices can use Google Cloud Print to print to SavaPage. As a backdoor any device can use Web Print and Mail Print to print.

When a user prints to SavaPage the printed pages are immediately shown in the SavaPage Web Application that runs in any modern web browser. SavaPage accumulates print jobs per user in a single personal preview where it can be manipulated and pruned before storing or routing it as PDF document.

And yes, you can even route to a “real” printer. The SavaPage Web App offers a Common Printing Dialog for printing to printers installed at the server side (proxy printing). This makes SavaPage the only printer you need on your desktop.

The SavaPage Web App is optimized for desktop clients as well as mobile devices. This opens up useful scenario's. Like, a user walking up to the printer of his choice and releasing a print job by pushing a button on his smartphone. Administrators on the go can easily monitor the system on their tablet.

SavaPage turns printing into a user experience where soft copies are likely to be more attractive than hard copies, and where precious paper, trees and money is saved along the way. And, if printing is needed after all, SavaPage is the logical stopover where, on second thought, n-up, gray-scale and duplex proxy-printing can be applied to reduce the costs of printing to a minimum.

So, why print when you can SavaPage?

SavaPage is Libre Software licensed under the GNU Affero General Public License (AGPL) version 3 as published by the Free Software Foundation.

The key benefits of SavaPage are

    * Less administration. SavaPage is the one printer you need to print to any printer in your organization.
    * Zero install. A generic PostScript driver and web browser is all you need to print from Windows, Mac and GNU/Linux and preview the result.
    * Multi-platform. Corporate printers are sandboxed in the Web App Preview and thus available on all mobile and desktop platforms for pass-through (proxy) printing.
    * Easy follow-me printing. Several hold-release scenarios, optionally with NFC cards, are supported. Users can even use their own mobile device as print release terminal.
    * Mobile printing. Google Cloud Print, iOS AirPrint®, Web Print and Mail Print is supported out of the box.
    * Think before you print. SavaPage Web App shows a print preview that makes you think twice. Do you really need to print all these pages?
    * Eco-friendly. Create environmental awareness by drawing end-user attention to the cost of printing, and save precious paper, trees and money along the way.
    * Reduction of printing costs. Remove unnecessary pages and graphics. Save as PDF, or route to a "real" printer with n-up, gray-scale and duplex to reduce printing costs.
    * No pre-printed paper needed. Eliminate the cost of pre-printed paper. Create virtual letterheads and apply them to any print job.
    * Libre Software and Open Standards above Proprietary Software.
    * Commodity Hardware above expensive Proprietary Devices.
    * Peer-To-Peer Cooperation above Centralized Corporation. The SavaPage Community is there to help.

The key features of SavaPage are:

      - One SavaPage Printer Driver
      - Generic PostScript Driver print from Windows, Mac OS X and GNU/Linux.
      - Secure Internet Print.
    Mobile Print
      - Google Cloud Print from Android and Chrome OS.
      - AirPrint® from iOS (iPad, iPhone).
    Driverless Printing
      - Web Print and Mail Print to print from any device.
    Follow-me Printing
      - Release Terminals
      - NFC Authentication
    Web Apps for Desktops and Mobile Devices
        Easy authentication
           - Username/Password, ID/PIN and NFC Card authentication.
           - LDAP (Active Directory) Integration.
           - Raspberry Pi Network Card Reader.
        User Web App
           - Real-time print preview with Browse, Sort and Delete options.
           - Server-side Proxy Printing (no local drivers needed).
           - PDF Download or Email of accumulated print jobs.
           - Multi-page Letterheads.
           - Option to remove graphics from PDF and proxy print output.
           - Innovative Eco Print to reduce ink and toner cost.
           - Delegated Print for delegates to proxy print for other users and groups.
           - Job Ticket Print for voluminous proxy print jobs.
    Admin Web App
        - Comprehensive Web App to configure the SavaPage environment.
        - Multi-language support.
        - Customizable Web Interface.
        - SSL Encryption.
    SavaPage Financial
        - Pay-per-Print
        - Vouchers
        - Point-of-Sale Web App
        - Online Payments (credit cards, bank accounts, Bitcoin).
    Tooling and Tuning
        - Command-Line Interface to server methods.
        - Web Services API.
        - Third party Database support.
    Third Party Integration
        - External Print Suppliers (Smartschool).
        - Third Party Print Management Systems (PaperCut).
    Comprehensive Documentation
        - User Manual in PDF, EPUB and HTML format.

• NethServer7 base install
• Printserver module

This howto describes the procedure to install SavaPage on a NethServer7 server. There are still some loose ends that need discussion.

SavaPage needs several applications that are installed on most distributions by default.

• which

check by typing which in the terminal
output should be something like:
[root@NS7-sp ~]# which
Usage: /usr/bin/which [options] [--] COMMAND [...]
Write the full path of COMMAND(s) to standard output.
(+ all options)
If which is not installed add it to your server:
yum install which

• gzip

Check with: gzip --version.
Install with: yum install gzip

• strings

Strings is part of binutils package.
Check with rpm -qa | grep binutils.
Install with yum install binutils.

• perl

Check with: perl -v
Install with: yum install perl.

Savapage is a java application. It uses either JDK 7 or 8. Since Webtop 5 will be the default groupware solution which uses JDK 8, it makes sense to use OpenJDK 8:

Check with: java -version

If installed you get this return:

openjdk version "1.8.0_111"
OpenJDK Runtime Environment (build 1.8.0_111-b15)
OpenJDK 64-Bit Server VM (build 25.111-b15, mixed mode)

If not installed:

yum install java-1.8.0-openjdk-devel

SavaPage uses Poppler to convert documents to pdf. In order to do the pdf magic, SavaPage uses pdftoppm. Check if Poppler is installed:

pdftoppm -v

If the outcome is as below, poppler is already installed

[root@ns7 ~]# pdftoppm -v
pdftoppm version 0.26.5
Copyright 2005-2014 The Poppler Developers - http://poppler.freedesktop.org
Copyright 1996-2011 Glyph & Cog, LLC

Otherwise install poppler:

yum install poppler-utils

SavaPage needs the convert command of the ImageMagick software suite to manipulate images. Check by entering the following command:

convert –version

If imagemagic is not installed, install it with:

yum install ImageMagick (beware of the CapiTals)

Install Avahi. Avahi is needed if you want to print to SavaPage from iOS devices (iPad, iPod, iPhone). Check if Avahi is already installed:

[root@ns7 ~]# avahi-browse --version
-bash: avahi-browse: command not found

Install Avahi:

yum install avahi-tools

Check if avahi-browse is available:

[root@ns7 ~]# avahi-browse --version
avahi-browse 0.6.31

SavaPage runs and installs under a system user account called savapage. This account is fixed, you cannot choose another name. You are free though to pick a location for the application. However, GNU/Linux Filesystem Hierarchy Standard (FHS) dictates that the application is installed in the /opt/savapage directory.

useradd -r savapage

From the CentOS deployment guide:

-r Create a system account with a UID less than 500 and without a home directory 

Next, create the install directory and set the ownership to the savapage account:

mkdir /opt/savapage

Set ownership to savapage directory:

chown savapage:savapage /opt/savapage

Give SavaPage enough room to open files:

Edit /etc/security/limits.conf

add the following lines at the end of the file:

savapage    hard    nofile    65535
savapage    soft    nofile    65535

CUPS: change /etc/cups/cupsd.conf

replace everything between

Maxlogsize 0

and

Set the default printer/job policies…

with

# Allow remote access
Port 631
# Show shared printers on the local network.
Browsing Off
BrowseOrder allow,deny
BrowseAllow all
BrowseLocalProtocols CUPS dnssd
WebInterface Yes
Listen /var/run/cups/cups.sock
Listen localhost:631
#
MaxJobs 0
PreserveJobHistory Yes
PreserveJobFiles No
SystemGroup admin
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Restrict access to the server...
<Location />
# Allow shared printing...
  Order allow,deny
  Allow @LOCAL
</Location>
# Restrict access to the admin pages...
<Location /admin>
  Order allow,deny
  Allow @LOCAL
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
  AuthType Default
  Require user @SYSTEM
  Order allow,deny
  Allow @LOCAL
</Location>

Samba:

For Samba, just edit the /etc/samba/smb.conf file and disable the [printers] share definition.

SavaPage uses several ports. They must be opened in Shorewall.

config set savapage service status enabled TCPPorts 8631,8632,8639,5353,5222 UDPPorts 8631,8632,8639,5353,5222 access green
signal-event firewall-adjust

In terminal type:

sudo su -c 'echo a4 > /etc/papersize'

Change to the savapage user

sudo su savapage 
cd /opt/savapage

Download the latest savapage-setup-version-linux-x64.bin file from the savapage.org website (where version is the latest version)

wget https://www.savapage.org/download/installer/savapage-setup-version-linux-x64.bin

Install with

sh ./savapage-setup-version-linux-x64.bin (where version is the latest version of savapage)

During install you will be prompted for accepting the AGPL license. Type yes and press <enter>

Some parts of the installation require root privileges. If the savapage user has these privileges, you can let them be done by the savapage user, otherwise you will be prompted for root credentials.

After install you can access the savapage admin webinterface at https://yourserver:8632/admin Log in with user: admin and passwd admin. Change this immediately after logging in.

Configuring SavaPage is highly depending on how you want to use the software. Read the admin manual for more information on this. There are a LOT of options, so don’t skip reading the admin manual part! (you have been warned)

BEWARE: savapage overwrites the systemd cups.service

See the /opt/savapage/server/providers/cups/linux/roottasks script, and https://issues.savapage.org/view.php?id=692 why this is done.

Later in the install process you need to configure an external (PostgGreSQL) database. In order to populate this databse properly, you need a backup of your default internal database.

Creating a backup can be done through the webinterface of the admin or through the commandline.

Via admin webinterface:

on the left side: click options
then on the right side: click backups and the backup now button.

Via commandline:

Stop the SavaPage service: sudo systemctl savapage.service stop.
Then as user savapage: savapage-db --db-export

By default SavaPage uses an internal database. For production this must change in order to prevent a hanging and unresponsive system. Your whole server can hang if you have too many concurrent printjobs using the internal server.

SavaPage currently supports PosgreSQL as external database.

Steps to install and configure SavaPage using PostgreSQL are as follows:

Exit the savapage user from the commandline:

exit

Install PostgreSQL as root or sudoer:

sudo yum install postgresql-server postgresql-contrib

Initialize postgresql:

sudo postgresql-setup initdb

By initializing postgresql the postgresql.conf and pg_hba.conf (amongst others) are created. These are the main configuration files we need to tweak postgresql.

By default, PostgreSQL does not allow password authentication. We will change that by editing its host-based authentication (HBA) configuration.

Edit pg_hba.conf

Open the HBA configuration file with your favorite text editor:

$ sudo nano /var/lib/pgsql/data/pg_hba.conf

Find the lines that looks like this, near the bottom of the file:

pg_hba.conf excerpt (original)
	host    all             all             127.0.0.1/32        ident
	host    all             all             ::1/128             ident

Then replace “ident” with “md5”, so they look like this:

pg_hba.conf excerpt (updated)
	host    all             all             127.0.0.1/32        md5
	host    all             all             ::1/128             md5

Configure PostgreSQL TCP connections

NOTE: if PostgreSQL is installed on the same server as SavaPage, you can leave it as it is, and accept the defaults, i.e. access from localhost only.

P.S. in that case, you might consider setting the “password_encryption = on” anyhow.

If SavaPage is installed on another server, change the location to allow access to pgsql: # Access from another host, in this case: x.x.x.x (for ip6 enter the ip6 address)

host    all             all             x.x.x.x/32     	md5
host    all             all             ::1/128               md5

Save and exit

Edit postgresql.conf

By default TCP/IP connections are disabled from remote computers. To enable access from remote computers uncomment listen_address. If PostgreSQL is on the same server as SavaPage, you can keep listenaddress as localhost.

$ sudo nano /var/lib/pgsql/data/postgresql.conf

Change:

#listen_addresses = localhost
to:
Listen_addresses = 'x.x.x.x'

This allows remote access from ip address x.x.x.x only. If you want remote access from multiple computers in your network use a comma separated list of addresses:

Listen_addresses='addres1,addres2,localhost'

Uncomment:

#password_encryption = on

to:

password_encryption = on

Save and exit the editor

Restart the PostgreSQL service

systemctl restart postgresql

By default the postgres user has no password. Set a (strong) password for this user:

sudo -u postgres psql postgres

You are now in psql, the command interface for postgresql, and in the database “postgres”. In your terminal it looks like this at the moment:

$ postgres=#

To change your password:

$ \password postgres

and type your new password when asked for it.

Type ‘\q’ and hit enter to quit.

Create a psql user and database for SavaPage

sudo -u postgres createuser -P savapage
sudo -u postgres createdb -O savapage savapage

SSL: SavaPage installs with a self-signed certificate. This can be changed with a letsencrypt certificate. If necessary, scripts are available. You can also use your own SSL certificate. In the SavaPage manual you can find how: https://www.savapage.org/docs/manual/app-tools-ssl-key.html#app-tools-ssl-key-import

For easy access add the path to the savapage commands in profile.d

echo 'pathmunge /opt/savapage/server/bin/linux-x64/' > /etc/profile.d/savapage.sh

Make the script executable:

chmod +x /etc/profile.d/savapage.sh

Stop SavaPage service:

systemctl stop savapage.service

Edit the savapage server settings

nano /opt/savapage/server/server.properties

Scroll all the the way down and find the database settings. Comment the internal database entry by adding a # in front of the line:

#database.type=Internal

Remove the # in front of the parameters for PostGreSQL use:

 # PostgreSQL connection example
database.type=PostgreSQL
database.driver=org.postgresql.Driver
database.url=jdbc:postgresql://localhost/databasename
database.user=databaseuser
database.password=databaseuser password

Save and exit the editor

Change to the SavaPage user:

sudo su savapage

Initialize the database for SavaPage. If you already have printers and users in the local database, do a backup of the internal database first.

savapage-db --db-init

Restore the backup of the internal database:

In step 12 you created a backup of the default database. 
As user savapage restore the database: savapage-db --db-import /path/to/backup/savapage-backup (default path is /opt/savapage/server/data/backups/savapage-export-timestamp.zip)

Start the SavaPage service as root or sudo user.

Type exit to return to root user.
sudo systemctl start savapage.service

Now head over to https://yourNS7server:8632/admin You will be able to log in with the admin account. Default password is admin, if you didn’t already change this, now is a good time to do so.

When you log in the admin interface for the first time you will see the dashboard. On the right there is an overview of your SavaPage install. You will notice a “Setup is needed” in red. This means that the initial configuration for SavaPage has not been done yet.

There are a few steps you need to take to configure SavaPage for use:

(If not already done) Change the admin password As a first security measure change the master password for the built-in admin account. This account is independent and not related to the operating system or domain. The password needs to meet minimum strength requirements, and must contain at least six characters. Select Options → Advanced → Reset internal admin password Enter and confirm the new password and press the Apply button.

Set Locale Set the system's locale; ensure that these are correct before proceeding. Select Options → Advanced → Locale, and enter the locale string. Some examples are: en, en-GB, en-US, nl, nl-NL, nl-BE. You can leave the locale empty to accept the system default. The locale is applied to all system messages which are logged in the system log or send by email.

Set Currency Code Set the system's currency code; ensure that these are correct before proceeding. Select Options → Financial, and enter the ISO 4217 Currency code. Some examples are: USD, EUR, GBP. The currency symbol is determined in the context of the user or system locale.

Set User Source SavaPage optionally imports user information from a Unix (PAM, NIS, etc.) or LDAP source. Select Options → User Source. Select Unix if the user accounts are setup and defined on the local system as standard Unix accounts or mapped into the system from a central directory service such as LDAP via nsswitch.conf and PAM. Most large established networks will use this option. Note: For administrators wishing to customize the PAM authentication method at the application level, SavaPage reports itself as “savapage”. The LDAP option is appropriate for large networks with existing LDAP domains. This includes networks running OpenLDAP, Apple Open Directory, Novell eDirectory and Microsoft Active Directory. More information on LDAP is available in Section 4.10.1.2, “LDAP”. After selecting the source, enter the necessary parameters (LDAP only) and press the Apply button.

For NethServer specific configuration, you need to configure LDAP as follows:

Adjust the settings to what you have chosen for Samba4 AD information on your NethServer7 instance.

User Synchronization Skip this step if you did not set an external User Source in the previous step. Otherwise, select Options → User Creation → Synchronization → Synchronize now to import users. Important An option exists to import a subset of users from the source by selecting a group. This option is relevant if only a subset of users will ever use SavaPage. Select Options → User Creation → Change Group to select the group.

Tip Test the import first by pushing the Test button. A simulated import will start, with each step echoed below the button, so you can verify the effect of your action.

Set Mail Options Select Options → Mail, enter the SMTP and Message options and press the Apply button. Data from the Messages section is used for system generated mail messages. You can send a test mail message to a recipient of your choice by pressing the Test button after you applied the changes.

Driverless Printing Mail Print and Web Print are disabled by default. You can enable and configure these options at Options → Mail Print and Options → Web Print. If you enabled one of the driverless printing options, decide which PDF converters you want to enable at Options → Advanced → Converters. Beware that you might need to install the converter software on the SavaPage host.

Share SavaPage Client Files SavaPage client files are located in directory /opt/savapage/client. This includes the SavaPage Printer Driver and JMX related files. It is useful to share this directory over the network so users can use, copy or install the files they need on their workstation. Common sharing methods include: • Samba - used to share files to Windows based workstations. GUI tools are available on GNU/Linux to help you with sharing the client directory via Samba. However, some system administrators may be more comfortable creating the share by hand-editing the /etc/samba/smb.conf file. The following configuration will share the directory in read-only form: [savapage-client] path = /opt/savapage/client comment = SavaPage Client public = yes only guest = yes read only = yes • NFS - a popular sharing method used for GNU/Linux and Unix based workstations. Note The /opt/savapage/client directory is standard shared via the client/ URL.

Testing Now the installation is complete, it is time to do a basic test to check if the system is ready-to-use.

• Pick a workstation and login as a user that is part of the user source as configured in “Set User Source”.
• Install the SavaPage Printer Driver. See the instructions at Section 10.1 of the SavaPage user manual: https://www.savapage.org/docs/manual/ch-printer.html#ch-printer-driver, “Printing with a Driver”.
• Open a Web Browser and go to the User Web App at https://server.domain.tld:8632/user
• Login to the Web App with the same credentials as used in the workstation login.
• Print a test document such as a web page or basic document to the SavaPage printer.
• Thumbnail images of the printed pages should appear in the Web App.

Add a balance to allow loggin in If the user has no credit to print, he can not log in the userinterface. In order to add credit to the user balance,

Savapage website: https://www.savapage.org

Savapage Download location: https://www.savapage.org/download

Savapage wiki: https://wiki.savapage.org

Savapage manual: https://www.savapage.org/docs/manual/