Currently, only Scenarios A and B are supported. There will be more scenarios in the future.

Scenario A (typical)

Terminals connect to the server via the CAS application's built-in OpenVPN client's secure channel.

  • This is the

...

...

Scenario B (dedicated hardware)

Terminals connect to the server via a VPN provided by additional hardware, such as a router.

  • The VPN configuration is not distributed by CAS.

  • This scenario is considered more secure than Scenario A

...

  • .

...

Scenario “B” Requirements

  1. Set the variable batm.vpn-skip to true in the file /batm/config/gate.properties

    1. This change disables VPN distribution via the Gate service.

    2. See: https://generalbytes.atlassian.net/wiki/x/CYBtz

  2. Delete the /batm/config/vpn file to prevent VPN implementation.

  3. Connect your BATMs to the hardware VPN.

  4. Connect your hardware VPN to your CAS server (or server-side VPN).

The BATMs must be able to communicate with

  • the Gate service on port 7741, and

  • the Master service on port 7741.

  • The Gate and Master services use their specific IP addresses, and

  • the Gate service must be able to communicate with the Master service (via port 7747).

...

Notes

Gate service

The Gate service listens for your terminals' pairing requests. After a successful pairing, the Gate service sends the terminal the VPN configuration, including information on how to connect to the Master service.

  • Prior to pairing, the terminal's VPN configuration must

...

The Gate service uses the batmgate unix user, which is a member of the batm group.
The Gate service listens on port 7741. The Master service uses the same port, but on a different interface.

Info

The Gate service's TCP port 7741 should be accessible from the Internet only temporarily when performing a pairing. For security reasons, don't leave it open. Leaving it open will encourage attackers to focus on your server.

Note

The Gate service is only compatible with terminals running on version 20230801 and newer!

  • Terminals using older firmware will automatically get upgraded by the Gate service.

Configuration of gate service

/batm/config/network

Each service has its own bind IP address, as in the example below; the services need these addresses to run as expected. A basic setup is created during the first batm-manage start.

public_ip=1.2.3.4
master_bind_ip=10.3.2.1
gate_bind_ip=10.3.1.1
admin_bind_ip=10.3.2.2

/batm/config/gate.properties

A fully functional set of basic properties is generated by the first batm-manage start gate (or all, as far as the Gate service is concerned).

However, the Gate service can be further configured with the following properties:

...

batm.processing-slots

  • optional, default value: 20

  • this property is used to throttle upgrade traffic so that the server won't be overloaded by too many terminals downloading upgrade packages at the same time

...

batm.download

  • optional, default value: /batm/app/shared/

  • location where the terminal upgrade package used to upgrade terminals to version 20230801 will be stored; the package is downloaded once and then reused for all terminals

  • make sure the location has the correct permissions and is accessible to the batmgate user

...

batm.master.hostname

  • optional. By default, the Gate service sends the terminal master_bind_ip as the target for connecting to the Master service. batm.master.hostname allows you to set an FQDN to be sent to the terminal.

batm.vpn-skip

...

optional, default value: false

this property tells the Gate service that it is not going to distribute VPN configurations to the terminals (Deployment Scenario B: value is true), so a VPN configuration missing from the drive is not a problem and this step can be skipped.
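A pre-deployment check for the Scenario B requirements and the /batm/config/network layout described above, as an added example that is not part of the original page or of the CAS software. It assumes plain key=value files, and it treats a bind address equal to public_ip, or a wildcard address, as Internet-facing; the function names are hypothetical.

```python
import ipaddress

def parse_props(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def is_exposed(ip, public_ip):
    """Assumption: a bind address equal to public_ip, or a wildcard, is Internet-facing."""
    try:
        return ip == public_ip or ipaddress.ip_address(ip).is_unspecified
    except ValueError:
        return True  # unparseable address: flag it rather than pass it

def audit_scenario_b(network_text, gate_text, vpn_file_exists):
    """Return a list of findings; an empty list means the checks passed."""
    net, gate = parse_props(network_text), parse_props(gate_text)
    findings = []
    # The page gives false as the default for batm.vpn-skip, so a missing key is a finding.
    if gate.get("batm.vpn-skip", "false").lower() != "true":
        findings.append("batm.vpn-skip is not true in gate.properties")
    if vpn_file_exists:
        findings.append("/batm/config/vpn still exists")
    # Gate and Master both listen on port 7741, so they need separate addresses.
    if net.get("gate_bind_ip") == net.get("master_bind_ip"):
        findings.append("gate_bind_ip and master_bind_ip are not distinct")
    # Master and Admin should never be exposed to the Internet.
    for key in ("master_bind_ip", "admin_bind_ip"):
        ip = net.get(key)
        if ip is None:
            findings.append(f"{key} is not set")
        elif is_exposed(ip, net.get("public_ip")):
            findings.append(f"{key}={ip} looks Internet-facing")
    return findings

# Constructed sample input, modelled on the page's /batm/config/network example.
NETWORK_OK = "public_ip=1.2.3.4\nmaster_bind_ip=10.3.2.1\ngate_bind_ip=10.3.1.1\nadmin_bind_ip=10.3.2.2\n"
NETWORK_BAD = "public_ip=1.2.3.4\nmaster_bind_ip=1.2.3.4\ngate_bind_ip=1.2.3.4\nadmin_bind_ip=0.0.0.0\n"

if __name__ == "__main__":
    print(audit_scenario_b(NETWORK_OK, "batm.vpn-skip=true\n", vpn_file_exists=False))
    for finding in audit_scenario_b(NETWORK_BAD, "# defaults only\n", vpn_file_exists=True):
        print("FINDING:", finding)
```

On a server, pass in the contents of /batm/config/network and /batm/config/gate.properties and the result of os.path.exists("/batm/config/vpn").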

Master service

...

  • be upgraded to version 20230801

The Gate service configuration file is fully described here: https://generalbytes.atlassian.net/wiki/x/CYBtz

Master service

The Master service communicates with your BATMs. It replies only to trusted (paired) BATMs/terminals.

  • The Master service uses the batmmaster unix user, which is a member of the batm group.

  • The Master service

...

  • listens on port 7741.

    • Please note that the same port uses

...

    • Gate service but on a different interface.

Note

The Master service should never be exposed to the Internet.

Admin service

The Admin service listens for users' browser requests. It enables CAS users to configure ATMs remotely and inspect processed transactions.

  • The Admin service uses the batmadmin unix user, which is a member of the batm group.

  • The Admin service

...

  • listens on port 7777.

Note

The Admin service should never be exposed to the Internet.

...

A very powerful way of extending the existing functionality of the server. More can be read here.

More about extensions: