Currently, only scenarios A and B are supported. More scenarios will be added in the future.
...
Scenario A (typical)
Terminals connect to the server via the CAS application's built-in OpenVPN client's secure channel.
This is the default implementation for Operators.
No dedicated VPN routers are required or deployed for network-attached BATMs.
The OpenVPN software is configured via batm-manage.
...
Scenario B (dedicated hardware)
Terminals connect to the server via a VPN provided by additional hardware, such as a router.
The VPN configuration is not distributed by CAS.
This scenario is considered more secure than Scenario A.
...
Scenario "B" Requirements
Set the variable batm.vpn-skip to true in the file /batm/config/gate.properties.
This change disables VPN distribution via the Gate service.
Delete the /batm/config/vpn file to prevent VPN implementation.
Connect your BATMs to the hardware VPN.
Connect your hardware VPN to your CAS server (or server-side VPN).
The BATMs must be able to communicate with
the Gate service on port 7741, and
the Master service on port 7741.
The Gate and Master services use their own specific IP addresses, and
the Gate service must be able to communicate with the Master service (via port 7747).
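As an added example (not General Bytes code), the following Python script audits a server's configuration against the Scenario B requirements above and the rule that the Master and Admin services are never exposed. It assumes the key=value formats of /batm/config/network and /batm/config/gate.properties shown later on this page, and takes file contents as strings so it runs offline; the sample inputs are constructed.

```python
"""Config-level audit of a CAS server's network layout (added example, not CAS code).

The check is limited to what the config files say: a private bind address can still
be reached through a NAT or firewall rule, so verify the firewall separately.
"""
import ipaddress

# Services and the TCP ports documented on the page.
SERVICES = {"master": 7741, "gate": 7741, "admin": 7777}

# Constructed sample inputs in the formats shown on the page.
NETWORK_OK = "public_ip=1.2.3.4\nmaster_bind_ip=10.1.1.1\nadmin_bind_ip=10.1.1.2\ngate_bind_ip=10.1.1.3\n"
GATE_PROPS_B = "batm.vpn-skip=true\nbatm.processing-slots=20\n"


def parse_kv(text):
    """Parse simple key=value lines; blank lines and # comments are ignored."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            out[key.strip()] = value.strip()
    return out


def audit(network_text, gate_props_text, vpn_file_exists, scenario="B"):
    """Return a list of findings; an empty list means the layout matches the page."""
    findings, binds = [], {}
    net = parse_kv(network_text)
    for svc in SERVICES:
        raw = net.get(f"{svc}_bind_ip")
        if raw is None:
            findings.append(f"{svc}_bind_ip missing from /batm/config/network")
            continue
        try:
            binds[svc] = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"{svc}_bind_ip is not a valid IP address: {raw!r}")
    # Gate and Master share port 7741, so they must bind different interfaces.
    if "gate" in binds and "master" in binds and binds["gate"] == binds["master"]:
        findings.append("gate and master bind the same IP but share port 7741")
    # Master and Admin must never be exposed: refuse public, wildcard or routable binds.
    public = net.get("public_ip")
    for svc in ("master", "admin"):
        ip = binds.get(svc)
        if ip is not None and (str(ip) in ("0.0.0.0", public) or ip.is_global):
            findings.append(f"{svc} service bound to an externally reachable address {ip}")
    if scenario == "B":
        if parse_kv(gate_props_text).get("batm.vpn-skip", "").lower() != "true":
            findings.append("batm.vpn-skip is not true: Gate would still distribute VPN config")
        if vpn_file_exists:
            findings.append("/batm/config/vpn still present: delete it for Scenario B")
    return findings
```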
...
Notes
Gate service
The Gate service listens for your terminals' pairing requests. After a successful pairing, the Gate service sends the terminal the VPN configuration, including information on how to connect to the Master service.
Prior to pairing, the terminal's VPN configuration must (normally) already have been generated.
The Gate service uses the batmgate unix user, which is a member of the batm group. The Gate service listens on port 7741. The Master service uses the same port, but on a different interface.
Info: The Gate service's TCP port 7741 should be temporarily accessible from the Internet only while performing a pairing. For security reasons, don't leave it open. Leaving it open will encourage attackers to focus on your server.
Note: The Gate service is only compatible with terminals running version 20230801 and newer!
Configuration of gate service
/batm/config/network
See the example below: every service has its own bind IP address on which the application runs, which enables the expected behavior. A basic setup is created during the first batm-manage start.
public_ip=1.2.3.4
master_bind_ip=10.1.1.1
admin_bind_ip=10.1.1.2
gate_bind_ip=10.1.1.3
/batm/config/gate.properties
A basic, fully functional set of properties is generated by the first run of batm-manage start gate (or batm-manage start all, which also starts the gate service).
However, the gate service can be further configured with the following properties:
batm.processing-slots (optional, default value: 20)
This property is used to throttle upgrade traffic so the server is not overloaded by too many terminals downloading upgrade packages at a time.
batm.download (optional, default value: /batm/app/shared/)
Location where the terminal upgrade package used to upgrade terminals to version 20230801 will be stored. The package is downloaded once and then reused for all terminals. Make sure the location has the correct permissions and is accessible to the batmgate user.
...
The Gate service configuration file is fully described here: https://generalbytes.atlassian.net/wiki/x/CYBtz
Master service
The Master service communicates with your BATMs. It replies only to requests coming from trusted (paired) terminals.
The Master service uses the batmmaster unix user, which is a member of the batm group. The Master service listens on port 7741. Please note that the Gate service uses the same port, but on a different interface.
Note: The Master service should never be exposed to the Internet.
Admin service
The Admin service listens for users' browser requests. It enables CAS users to configure ATMs remotely and inspect processed transactions.
The Admin service uses the batmadmin unix user, which is a member of the batm group. The Admin service listens on port 7777.
Note: The Admin service should never be exposed to the Internet.
Extensions
Extensions are a very powerful way to extend the existing functionality of the server.
More about extensions: