Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 21 Current »

Currently, only A and B scenarios are supported. There will be more scenarios in the future.

Scenario A (typical)

Terminals connect to the server via the CAS application's built-in OpenVPN secure channel.

image-20240814-154805.png

Scenario B (dedicated hardware)

Terminals connect to the server via a VPN provided by additional hardware, such as a router.

  • The VPN configuration is not distributed by CAS.

  • This scenario is considered more secure than Scenario A.

image-20240814-155346.png

Scenario “B” Requirements

  1. Set the variable batm.vpn-skip to true in the file /batm/config/gate.properties

    1. This change disables VPN distribution via the Gate service.

    2. See: https://generalbytes.atlassian.net/wiki/x/CYBtz

  2. Connect your BATMs to the hardware VPN.

  3. Connect your hardware VPN to your CAS server (or server-side VPN).

The BATMs must be able to communicate with

  • the Gate service on the port 7741, and

  • the Master service on the port 7741.

  • The Gate and Master services use their specific IP addresses, and

  • the Gate service must be able to communicate with the Master service (via port 7747).

Notes

Gate service

The Gate service listens for your terminals' pairing requests. After a successful pairing, the Gate service sends the terminal the VPN configuration, including information on how to connect to the Master service.

The Gate service uses the batmgate unix user, which is a member of the batm group. The Gate service listens on port 7741. The Master service uses the same port - but on a different interface.

The Gate service’s TCP port 7741 should be temporarily accessible from the Internet only when performing a pairing. For security reasons - don’t leave it open. Leaving it open will encourage attackers to focus on your server.

The Gate service is only compatible with terminals running on version 20230801 and newer!

  • Terminals using older firmware will automatically be upgraded to version 20230801

The Gate service configuration file is fully described here: https://generalbytes.atlassian.net/wiki/x/CYBtz

Master service

The Master service communicates with your BATMs. It replies only to BATMs/terminals that are coming from trusted ( paired ) terminals.

  • The Master service uses batmmaster unix user, which is a member of the batm group.

  • The Master service listens on port 7741.

    • Please note that the same port uses Gate service but on a different interface.

The Master service should never be exposed to the Internet.

Admin service

The Admin service listens for users' browser requests. It enables CAS users to configure ATMs remotely and inspect processed transactions.

  • The Admin service uses batmadmin unix user, which is a member of the batm group.

  • The Admin service listens on port 7777.

The Admin service should never be exposed to the Internet.

Extensions

A very powerful way for extending the existing functionality of the server.

More about extensions:

  • No labels

Copyright © 2020-2024 General Bytes USA LLC