
Version 19 (historical version of this page)

Currently, only scenarios A and B are supported; more scenarios will follow in the future.

Scenario A (typical)

Terminals connect to the server via the CAS application's built-in OpenVPN secure channel.

  • This is the default implementation for Operators.

  • No dedicated VPN routers need to be deployed for network-attached BATMs.

[Image: image-20240814-154805.png]

Scenario B (dedicated hardware)

Terminals connect to the server via a VPN provided by additional hardware, such as a router.

  • The VPN configuration is not distributed by CAS.

  • This scenario is considered more secure than Scenario A.

[Image: image-20240814-155346.png]

Notes

Gate service

The Gate service listens for your terminals' pairing requests. After a successful pairing, the Gate service sends the terminal its VPN configuration, including the information it needs to connect to the Master service.

The Gate service runs as the batmgate unix user, which is a member of the batm group. It listens on TCP port 7741; the Master service uses the same port number, but on a different interface.

The Gate service's TCP port 7741 should be reachable from the Internet only temporarily, while a pairing is being performed. For security reasons, do not leave it open: a permanently exposed port invites attackers to focus on your server.

The Gate service is only compatible with terminals running firmware version 20230801 or newer!

  • Terminals running older firmware will be upgraded automatically by the Gate service.

Gate service configuration

/batm/config/network

The example below shows that every individual service has its own bind IP address. During installation, a default configuration is created on the first execution of batm-manage start.

public_ip=1.2.3.4
master_bind_ip=10.3.2.1
gate_bind_ip=10.3.1.1
admin_bind_ip=10.3.2.2
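The bind addresses above, together with the rule that the Gate port is open only during a pairing and that the Master and Admin ports are never exposed, can be turned into a firewall ruleset. The script below is an added example, not General Bytes' code or part of batm-manage: it reads a file in the /batm/config/network format and prints an nftables ruleset for review before it is applied with nft -f. The name of the Internet-facing interface (eth0 by default, override with WAN_IF) and the "pairing" switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not General Bytes' code): turn the bind addresses in
# /batm/config/network into an nftables ruleset that keeps the Master (7741)
# and Admin (7777) ports closed on the Internet-facing interface and opens
# the Gate port (7741) there only while a pairing is being performed.
# Assumptions (not from the page): the Internet-facing interface is named in
# $WAN_IF (default eth0); the printed ruleset is reviewed, then loaded with nft -f.

# Read one key from a key=value file (first match wins).
cas_cfg_get() {            # usage: cas_cfg_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Print an nftables ruleset. Pass "pairing" as $2 to open the Gate port;
# anything else (or nothing) keeps it closed.
cas_ruleset() {            # usage: cas_ruleset FILE [pairing]
    file=$1; mode=${2:-closed}; wan=${WAN_IF:-eth0}
    master=$(cas_cfg_get "$file" master_bind_ip)
    gate=$(cas_cfg_get "$file" gate_bind_ip)
    admin=$(cas_cfg_get "$file" admin_bind_ip)
    for v in "$master" "$gate" "$admin"; do
        [ -n "$v" ] || { echo "missing bind address in $file" >&2; return 1; }
    done
    cat <<EOF
table inet cas {
    chain input {
        type filter hook input priority 0; policy accept;
        # Master and Admin services are never reachable from the Internet
        iifname "$wan" ip daddr $master tcp dport 7741 drop
        iifname "$wan" ip daddr $admin tcp dport 7777 drop
EOF
    if [ "$mode" = pairing ]; then
        echo "        # pairing window: Gate accepts terminal pairing requests"
        echo "        iifname \"$wan\" ip daddr $gate tcp dport 7741 accept"
    else
        echo "        # no pairing in progress: Gate port stays closed"
        echo "        iifname \"$wan\" ip daddr $gate tcp dport 7741 drop"
    fi
    printf '    }\n}\n'
}

# Constructed sample of /batm/config/network, using the values from the page.
CAS_SAMPLE_NET=${TMPDIR:-/tmp}/cas-network.sample
cat > "$CAS_SAMPLE_NET" <<'EOF'
public_ip=1.2.3.4
master_bind_ip=10.3.2.1
gate_bind_ip=10.3.1.1
admin_bind_ip=10.3.2.2
EOF

# Ruleset for normal operation (Gate port closed):
cas_ruleset "$CAS_SAMPLE_NET"
# Ruleset for the pairing window:
cas_ruleset "$CAS_SAMPLE_NET" pairing
```

Load the "pairing" variant only for the duration of the pairing and switch back to the closed variant afterwards; because the script only prints the rules, the change can be reviewed before anything touches the running firewall.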

/batm/config/gate.properties

A basic but fully functional set of properties is generated the first time batm-manage start gate (or batm-manage start all, as far as the Gate service is concerned) is run.

The Gate service can, however, be further configured with the following properties:

  • batm.processing-slots

    • optional, default value: 20

    • throttles upgrade traffic so that the server is not overloaded by too many terminals downloading upgrade packages at the same time

  • batm.download

    • optional, default value: /batm/app/shared/

    • directory where the terminal upgrade package (used to upgrade terminals to version 20230801) is stored; the package is downloaded once and then reused for all terminals

    • make sure the directory has the correct permissions and is accessible to the batmgate user

  • batm.master.hostname

    • optional. By default the Gate service sends terminals master_bind_ip as the address to use for the Master service; batm.master.hostname lets you set an FQDN that is sent to the terminal instead.

  • batm.vpn-skip

    • optional, default value: false

    • set to true to tell the Gate service that it is not going to distribute VPN configurations to the terminals (Deployment Scenario B); a VPN configuration missing from the disk is then not an error and the step is skipped.
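The properties above each have a documented type and default, so a quick sanity check before starting the service catches the common mistakes (a non-numeric slot count, a download directory the service cannot use, a misspelled boolean). The script below is an added example, not General Bytes' code or part of batm-manage; it reads a gate.properties-style file, applies the documented defaults and reports the effective settings. Run it as the batmgate user (for example through su or sudo) so that the directory checks reflect what the service itself can access. The exit-code contract and the sample values are this example's own.

```shell
#!/bin/sh
# Added example (not General Bytes' code): validate a /batm/config/gate.properties
# file against the keys and defaults documented on this page, before the Gate
# service is started. Run as the batmgate user so the directory tests reflect
# the service's own access. Exit-code contract is this script's convention.

# Read one key from a key=value file (first match wins).
gate_prop() {              # usage: gate_prop FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Print the effective value of a key, falling back to the documented default.
gate_effective() {         # usage: gate_effective FILE KEY DEFAULT
    v=$(gate_prop "$1" "$2"); printf '%s\n' "${v:-$3}"
}

# Validate the file; prints the effective settings, returns 1 on the first problem.
gate_check() {             # usage: gate_check FILE
    f=$1
    [ -f "$f" ] || { echo "ERROR: $f not found" >&2; return 1; }

    # batm.processing-slots: optional, default 20, must be a positive integer
    slots=$(gate_effective "$f" batm.processing-slots 20)
    case $slots in
        ''|*[!0-9]*|0*) echo "ERROR: batm.processing-slots must be a positive integer, got '$slots'" >&2; return 1 ;;
    esac

    # batm.download: optional, default /batm/app/shared/. The upgrade package is
    # downloaded once into it and then served to every terminal, so the running
    # user needs read, write and search access.
    dl=$(gate_effective "$f" batm.download /batm/app/shared/)
    if [ ! -d "$dl" ] || [ ! -r "$dl" ] || [ ! -w "$dl" ] || [ ! -x "$dl" ]; then
        echo "ERROR: batm.download directory '$dl' is missing or not accessible to $(id -un)" >&2
        return 1
    fi

    # batm.vpn-skip: optional, default false, true only for Scenario B
    skip=$(gate_effective "$f" batm.vpn-skip false)
    case $skip in
        true|false) ;;
        *) echo "ERROR: batm.vpn-skip must be true or false, got '$skip'" >&2; return 1 ;;
    esac

    # batm.master.hostname: optional; when set it should look like an FQDN
    host=$(gate_prop "$f" batm.master.hostname)
    if [ -n "$host" ]; then
        case $host in
            *[!A-Za-z0-9.-]*|.*|*.|*..*) echo "ERROR: batm.master.hostname '$host' is not a valid hostname" >&2; return 1 ;;
            *.*) ;;
            *) echo "ERROR: batm.master.hostname '$host' is not fully qualified" >&2; return 1 ;;
        esac
    fi

    printf 'processing-slots=%s\ndownload=%s\nvpn-skip=%s\nmaster.hostname=%s\n' \
        "$slots" "$dl" "$skip" "${host:-(master_bind_ip from /batm/config/network)}"
}

# Constructed sample gate.properties; the download directory is a temp dir so the
# access checks pass for whoever runs this example.
GATE_SAMPLE_DIR=$(mktemp -d)
GATE_SAMPLE=$GATE_SAMPLE_DIR/gate.properties
cat > "$GATE_SAMPLE" <<EOF
batm.processing-slots=10
batm.download=$GATE_SAMPLE_DIR
batm.vpn-skip=true
batm.master.hostname=cas.example.test
EOF
gate_check "$GATE_SAMPLE"
```

A file that sets nothing but batm.download passes with the defaults (20 slots, vpn-skip false, master_bind_ip as the Master address), which matches what batm-manage start gate generates; the checks on batm.download are the ones most worth running as batmgate, since a directory that is fine for root but not for the service user is exactly the case the page warns about.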

Master service

Listens for terminals' requests and answers only requests coming from trusted (paired) terminals.
The Master service runs as the batmmaster unix user, which is a member of the batm group.
The Master service listens on port 7741. Please note that the Gate service uses the same port number, but on a different interface.

Master service should never be exposed to the Internet.

Admin service

Listens for users' browser requests. Enables CAS users to configure ATMs remotely and to inspect processed transactions.
The Admin service runs as the batmadmin unix user, which is a member of the batm group.

The Admin service listens on port 7777.

Admin service should never be exposed to the Internet.

Extensions

Extensions are a very powerful way of extending the server's existing functionality. More can be read here.
