Need Assistance?
Contact us 24/7 at 1-800-561-8880 or email support@dlpwireless.com.
Select the ATM manufacturer below for specific SSL/TLS configuration instructions.
Non-SSL/TLS IP Terminals
Click here for non-SSL/TLS IP configuration instructions.
Hyosung
Purpose
This guide instructs DPL customers on how to properly configure SSL/TLS on Hyosung ATMs using a Hercules wireless modem. This guide is based on the Hyosung MoneyMax MX2600SE – the required steps for your model may vary. The document will take you through:
- Installing the DPL rootcert.pem file
- Setting up address-based host setup
- Enabling SSL/TLS
- Enabling certificate validation
By the end of the document you will have a securely connected ATM that should be resilient to Man-in-the-Middle (MITM) attacks involving tampering with the internal link between the ATM and the Hercules modem installed in your unit.
NOTE: To download the non-DPL-specific Hyosung SSL/TLS configuration guide click here.
Prerequisites
To successfully complete the following steps you will need:
- To ensure your Hercules wireless modem and ATM have the latest firmware updates. If unsure, please contact DPL’s technical support department.
- The DPL rootcert.pem or a rootcert.pem provided by your payment processor
Examples of the required information will be provided in the steps below.
Steps
1. ATM TCP/IP Setup
Before setting up SSL/TLS, confirm you are on a TCP/IP ATM configured for DHCP or static IP as instructed below.
NOTE: DHCP will enable dynamic allocation of the IP address from the Hercules modem that the ATM is plugged into. This is preferred as it means changes to the ATM are not required if changes are made to the Hercules modem. Static IP can be more stable for some older ATMs but requires manual ATM reconfiguration if the Hercules modem is updated to new addresses (or many other network topology changes).
a) Use the ATM Operator Menu to navigate to the communication screen using the path listed below.
ATM Operator Menu > Customer Setup > Select Processor > Communication
NOTE: In order to use SSL/TLS the ATM will need to be capable of TCP/IP communication.
b) Enable either DHCP (preferred for newer installations) or a static IP (using information provided by the installation site or the Hercules modem being used) using the DHCP En/Disable button (and other buttons if using static).
ATM Operator Menu > System Setup > Terminal IP
c) Once your information has been input, press the Cancel key to save the changes.
NOTE: If you have switched from Static to DHCP or vice versa, you may need to reboot the ATM now or after completing the remaining steps. See how to reboot your ATM under "Testing SSL" below.
Alternative: Static IP Configuration
The Hercules can also be used with a static IP configuration. If that is required, use the information provided below and your ATM will be connected to the Hercules. Use the DHCP En/Disable button to switch to static configuration and enter the following:
- IP Address: 192.168.0.55
- Subnet Mask: 255.255.255.0
- Gateway: 192.168.0.1
- DNS: 192.168.0.1
2. Enabling SSL/TLS Properly
In this section we will enable TLS 1.2 to secure the ATM against man-in-the-middle attacks on the Ethernet line and enable certificate verification to make sure the ATM is verifying the certificate chain.
a) Open the TCP/IP Type screen using the path listed below, then match up the information to the image using the highlighted buttons.
ATM Operator Menu > Customer Setup > Select Processor > TCP/IP Type
NOTE: The Hercules modem can use Visa Framed or Standard for the Type.
3. Installation of Root Certificate Files (rootcert.pem)
The rootcert.pem file is used to supplement the list of certificates already installed on your Hyosung ATM. The supplemental certificates are trusted chains used by payment processors that are not always preinstalled on ATMs. These will allow certificate validation to be enabled on the ATM for enhanced protection against logical attacks.
a) Download the DPL rootcert.pem file (or the certificate chain indicated by your payment processor) and install it on a USB drive or SD card that is 2GB or less in size. It should appear as depicted below.
NOTE: The 2GB drive size is a requirement for GenMega ATMs. They can have trouble accessing drives larger than 2GB. WARNING: This is important. If you don't have one, purchase a 2GB drive.
Adding Rootcert.pem to Root of USB Drive/SD Card
b) Plug the USB drive (or SD card) into the appropriate port on your Hyosung's control board (the green USB drive in our example). The Hyosung MoneyMax MX2600SE ports are as seen below. USB is on the right when viewing the ATM from behind.
Hyosung MoneyMax MX2600SE USB Port/SD Card Slot
c) To install the new rootcert.pem navigate to the TCP/IP Type screen using the path listed below and press the Download Cert. From USB button.
NOTE: If you encounter an error at this stage, you either misnamed the rootcert.pem file or your USB drive or SD card is not 2GB or less and FAT formatted (see previous steps).
ATM Operator Menu > Customer Setup > Select Processor > TCP/IP Type
Once this is complete you should see an Operation Success displayed on screen.
4. SSL Host Configuration
In this section we will configure the host addresses for SSL/TLS. Configure the address fields to tls.dplwireless.com and the port fields to 8000. DPL manages the connection from the Hercules modem through our secure network to your payment processor. Please contact our technical support department to configure the payment processor information for your Hercules modem or log in to the Hercules Portal to configure it yourself (learn how).
a) Enable URL with the button on the left. Then configure the settings with the data listed above using the highlighted buttons.
ATM Operator Menu > Host Setup > Host Address
5. Testing SSL
Test that SSL is configured properly on your ATM by completing either of the steps below:
- Perform a dummy transaction on the ATM
- Use the Connect button on the TCP/IP screen of the Diagnostics to test the connection
For the purposes of this document the Connect option of the Diagnostics mode will be used:
- Navigate to the TCP/IP screen using the path listed below and press the Connect button. If everything is configured correctly a success message will be displayed. Ensure all the fields match the example below.
ATM Operator Menu > Diagnostics > Yes > TCP/IP
NOTE: If you encounter any issues use the Reboot Now button on the Reboot / Shutdown screen as seen below to reboot the ATM to ensure the TCP/IP information has taken effect.
ATM Operator Menu > System Setup > System Control > Reboot/Shutdown
If there is a failure at this point, go back and double check all the configuration options from the previous steps. If you see Operation Success then congratulations, the ATM is now configured correctly.
Conclusion
After completing all the above steps your Hyosung ATM will be set to use SSL (TLS 1.2) on all transactions with the Hercules modem. This ensures that no third parties can listen on the line, get any usable data, terminate the SSL connection and proxy it out (MITM attack), or commit any other nefarious logical attack against outgoing data from your ATMs.
Genmega
Purpose
This guide instructs DPL customers on how to properly configure SSL/TLS on GenMega ATMs using a Hercules wireless modem. This guide is based on the GenMega G2500 ATM – the required steps for your model may vary. The document will take you through:
- Installing the DPL rootcert.pem file
- Setting up address-based host setup
- Enabling certificate and hostname verification
- Enabling SSL/TLS
By the end of the document you will have a securely connected ATM that should be resilient to Man-in-the-Middle (MITM) attacks involving tampering with the internal link between the ATM and the Hercules modem installed in your unit.
NOTE: To download the non-DPL-specific GenMega SSL/TLS configuration guide click here.
Prerequisites
To successfully complete the following steps you will need:
- To ensure your Hercules wireless modem and ATM have the latest firmware updates. If unsure, please contact DPL’s technical support department.
- The DPL rootcert.pem or a rootcert.pem provided by your payment processor
Examples of the required information will be provided in the steps below.
Steps
1. ATM TCP/IP Setup
Before setting up SSL/TLS, confirm you are on a TCP/IP ATM configured for DHCP or static IP as instructed below.
NOTE: DHCP will enable dynamic allocation of the IP address from the Hercules modem that the ATM is plugged into. This is preferred as it means changes to the ATM are not required if changes are made to the settings of the Hercules modem. Static IP can be more stable for some older ATMs but requires manual ATM reconfiguration if the Hercules modem is updated to new addresses (or other network topology changes).
a) Use the ATM Operator Menu to navigate to the TCP/IP menu using the path listed below.
ATM Operator Menu > System Setup > Device Setup > ATM TCP/IP Settings
b) Enable either DHCP (preferred for newer installations) or a static IP (using information provided by the installation site or the Hercules modem being used) using the Change TCP/IP Mode button (and other buttons if using static).
c) Once your information has been input, press the Apply button to save the changes.
NOTE: If you have switched from Static to DHCP or vice versa, you may need to reboot the ATM now or after completing the remaining steps. See how to reboot your ATM under "Testing SSL" below.
Alternative: Static IP Configuration
The Hercules can also be used with a static IP configuration. If that is required, use the information provided below and your ATM will be connected to the Hercules. Use the Change TCP/IP Mode button to switch to static configuration and enter the following:
- IP Address: 192.168.0.55
- Subnet Mask: 255.255.255.0
- Gateway: 192.168.0.1
- DNS: 192.168.0.1
2. Enabling SSL/TLS Properly
In this section we will enable TLS 1.2 to secure the ATM against man-in-the-middle attacks on the Ethernet line, enable hostname verification to block certificate spoofing, and enable certificate verification to make sure the ATM is verifying the certificate chain.
a) Navigate to the Communication screen using the path listed below. Configure the Communication field to SSL Length Prefix w/o ETX or check with your payment processor for the setup you require.
ATM Operator Menu > Customer Setup > Change Processor
NOTE: For the Hercules you can use Standard 1 or Standard 3 Message Format.
b) Navigate to the SSL Configuration screen using the path listed below. Configure the options for secure communication by pressing the SSL button on the Change Processor screen.
ATM Operator Menu > Customer Setup > Change Processor > SSL
3. Installation of Root Certificate Files (rootcert.pem)
The rootcert.pem file is used to supplement the list of certificates already installed on your GenMega ATM. The supplemental certificates are trusted chains used by payment processors that are not always preinstalled on ATMs. These will allow validation to be enabled on the ATM for enhanced protection against logical attacks.
a) Download the DPL rootcert.pem file (or the certificate chain indicated by your payment processor) and install it on a USB drive or SD card that is 2GB or less in size. It should appear as depicted below.
NOTE: The 2GB drive size is a requirement for GenMega ATMs. They can have trouble accessing drives larger than 2GB. WARNING: This is important. If you don't have one, purchase a 2GB drive.
Adding rootcert.pem to Root of USB Drive/SD Card
b) Plug the USB drive (or SD card) into the appropriate port on your GenMega's control board (the green USB drive in our example). The GenMega G2500 ports are as seen below. USB is on the right when viewing the ATM from behind.
GenMega G2500 USB Port/SD Card Slot
c) To install the new rootcert.pem, navigate to the SSL Configuration screen using the path listed below and press Load Cert. From USB.
NOTE: If you encounter an error at this stage, you either misnamed the rootcert.pem file or your USB drive or SD card is not 2GB or less and FAT formatted (see previous steps).
ATM Operator Menu > Customer Setup > Change Processor > SSL
Once this is complete you should see an Operation Success displayed on screen.
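The note in step 3c of the Hyosung and GenMega guides names the usual causes of a failed certificate load: a misnamed file or an unsuitable drive. The following pre-flight check for the prepared drive is an added example, not part of DPL's or the ATM vendors' tooling. The function names, the 2 GiB reading of "2GB", and the extra checks for a truncated download or a stray private key are assumptions made for illustration; it does not check the FAT format.

```python
import base64
import re
import shutil
import tempfile
from pathlib import Path

MAX_DRIVE_BYTES = 2 * 1024**3  # assumption: the guide's "2GB or less" read as 2 GiB
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def der_is_complete(der: bytes) -> bool:
    """True if der is a single ASN.1 SEQUENCE whose declared length fits exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short form: the byte is the length
        return len(der) == 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_rootcert(drive_root, max_bytes=MAX_DRIVE_BYTES):
    """Return a list of problems; an empty list means the drive looks ready."""
    root, problems = Path(drive_root), []
    if max_bytes is not None and shutil.disk_usage(root).total > max_bytes:
        problems.append("drive capacity exceeds the size limit")
    files = [p for p in root.iterdir() if p.is_file()]
    found = [p for p in files if p.name.lower() == "rootcert.pem"]
    if not found:
        near = sorted(p.name for p in files if p.name.lower().startswith("rootcert"))
        return problems + [f"rootcert.pem not at drive root; similar names: {near}"]
    blocks = PEM_BLOCK.findall(found[0].read_text(errors="replace"))
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no complete CERTIFICATE block in rootcert.pem")
    for i, (label, body) in enumerate(blocks, 1):
        if "PRIVATE KEY" in label:
            problems.append(f"block {i} is a private key and does not belong here")
        elif label == "CERTIFICATE":
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append(f"block {i} is not valid base64")
                continue
            if not der_is_complete(der):
                problems.append(f"block {i} is truncated or not DER")
    return problems

def constructed_pem(der=b"\x30\x03\x02\x01\x01"):
    """Constructed stand-in for a certificate: a tiny well-formed DER SEQUENCE."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as usb:  # stands in for the USB drive
        Path(usb, "rootcert.pem").write_text(constructed_pem())
        print(check_rootcert(usb, max_bytes=None) or "drive looks ready")
```

Point `check_rootcert` at the mounted drive's root before walking to the ATM; a browser that saved `rootcert.pem.txt` or an HTML error page instead of the bundle shows up here rather than as an error on the operator screen.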
4. SSL Host Configuration
In this section we will configure the host addresses for SSL/TLS. Configure the address fields to tls.dplwireless.com and the port fields to 8000. DPL manages the connection from the Hercules modem through our secure network to your payment processor. Please contact our technical support department to configure the payment processor information for your Hercules modem or log in to the Hercules Portal to configure it yourself (learn how).
a) Configure the information using the data from your processor or Hercules modem using the highlighted buttons.
ATM Operator Menu > Host Setup > Host IP Address
NOTE: For the Hercules set the Configuration Schedule to Not Scheduled and enable Configuration At Boot Time.
5. Testing SSL
Test that SSL is configured properly on your ATM by completing either of the steps below:
- Perform a dummy transaction on the ATM
- Use the Download Key button on the Host IP Address screen to test the connection
For the purposes of this document the Download Key option will be demonstrated.
a) Navigate to the Host IP Address screen using the path listed below and press the Download Key button. If everything is configured correctly a success message will be displayed.
ATM Operator Menu > Host Setup > Host IP Address
NOTE: If you encounter any issues use the Reboot System button on the Set Reboot Time screen as seen below to reboot the ATM to ensure the TCP/IP information has taken effect.
ATM Operator Menu > System Setup > Set Reboot > Reboot System
Once this is complete go back and attempt to test the SSL connection again. If there is a failure at this point, go back and double check all the configuration options from the previous steps.
Conclusion
After completing all the above steps your GenMega ATM will be set to use SSL (TLS 1.2) on all transactions with the payment processor. This ensures that no third parties can listen on the line, get any usable data, terminate the SSL connection and proxy it out (MITM attack), or commit any other nefarious logical attack against outgoing data from your ATMs.
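The three options enabled in step 2 (TLS 1.2, certificate verification, hostname verification) can be checked independently of the ATM. The following is an added example, not DPL or GenMega code. It assumes a laptop on the Hercules modem's LAN that can reach tls.dplwireless.com on port 8000 and has the same rootcert.pem in the working directory; the function names are illustrative. It runs the handshake once with validation on and once with it off, so the difference shows what an ATM with validation disabled would silently accept.

```python
import socket
import ssl

HOST, PORT = "tls.dplwireless.com", 8000  # host and port given in the guide

def atm_like_context(cafile=None, verify=True):
    """Client context mirroring the ATM options: TLS 1.2 floor, with chain and
    hostname checks on (verify=True) or both off (the weak setting)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no system CAs are loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif cafile:
        ctx.load_verify_locations(cafile=cafile)  # trust only this bundle
    return ctx

def probe(ctx, host=HOST, port=PORT, timeout=10):
    """Attempt one handshake and report which stage failed, if any."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "stage": "done", "detail": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "stage": "certificate", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"ok": False, "stage": "handshake", "detail": str(exc)}
    except OSError as exc:
        return {"ok": False, "stage": "network", "detail": str(exc)}

def verdict(strict, weak):
    """Compare the validating and non-validating results."""
    if strict["ok"]:
        return "pass: chain and hostname validate over " + strict["detail"]
    if weak["ok"]:
        # TLS works, but only a client that skips validation would accept it.
        return "fail: endpoint rejected by validation: " + strict["detail"]
    return "inconclusive: no TLS session (" + weak["stage"] + ")"

if __name__ == "__main__":
    strict = probe(atm_like_context(cafile="rootcert.pem"))
    weak = probe(atm_like_context(verify=False))
    print(verdict(strict, weak))
```

A "fail" verdict means something on the path is answering TLS with a certificate that does not chain to rootcert.pem or does not match the host name, which is the condition certificate and hostname verification on the ATM are there to reject.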
Triton
Purpose
This guide instructs DPL customers on how to properly configure SSL/TLS on Triton ATMs using a Hercules wireless modem. This guide is based on the Triton Argo RL2413 – the required steps for your model may vary. The document will take you through:
- Setting up address-based host setup
- Enabling SSL/TLS
By the end of the document you will have a securely connected ATM that should be resilient to Man-in-the-Middle (MITM) attacks involving tampering with the Ethernet or modem.
NOTE: To download the non-DPL-specific Triton SSL/TLS configuration guide click here.
Prerequisites
To successfully complete the following steps ensure your Hercules wireless modem and ATM have the latest firmware updates. If unsure, please contact DPL’s technical support department. Examples of the required information will be provided in the steps below.
Steps
1. ATM TCP/IP Setup
Before setting up SSL/TLS, confirm you are on a TCP/IP ATM configured for DHCP or static IP as instructed below.
NOTE: DHCP will enable dynamic allocation of the IP address from the Hercules modem that the ATM is plugged into. This is preferred as it means changes to the ATM are not required if changes are made to the settings of the Hercules modem. Static IP can be more stable for some older ATMs but requires manual ATM reconfiguration if the Hercules modem is updated to new addresses (or other network topology changes).
a) Open the communication menu and use the ATM Operator Menu to navigate to the Communication screen as seen below. From this screen, enable TCP/IP by pressing the 1 key and choosing TCP/IP.
ATM Operator Menu > Terminal Configuration > Communication
b) Enable either DHCP (preferred for newer installations) or a static IP (using information provided by the Hercules modem) using the 6 key on the keypad to toggle DHCP, then save using the Save and Return button on screen.
ATM Operator Menu > Diagnostics > Modem / Ethernet > Configure Ethernet Settings
c) Once your information has been input press Save and Return on the screen to save the changes.
NOTE: If you have switched from Static to DHCP or vice versa, you may need to reboot the ATM now or after completing the remaining steps. See how to reboot your ATM under "Testing SSL" below.
Alternative: Static IP Configuration
The Hercules can also be used with a static IP configuration. If that is required, use the information provided below and your ATM will be connected to the Hercules. Use the Enable DHCP check box to switch to static configuration and enter the following:
- IP Address: 192.168.0.55
- Subnet Mask: 255.255.255.0
- Primary WINS: Leave Blank
- Gateway: 192.168.0.1
- Primary DNS: 192.168.0.1
2. Enabling SSL/TLS Properly
In this section we will enable TLS 1.2 to secure the ATM against man-in-the-middle attacks on the Ethernet line.
a) Navigate to the Communication screen using the path listed below, then check the Enable SSL box by pressing the 0 key on the keypad.
ATM Operator Menu > Terminal Configuration > Communication
3. SSL Host Configuration
In this section we will configure the host addresses for SSL/TLS. For the Hercules the address field is tls.dplwireless.com and the port field is 8000. Triton uses a URI instead of independent fields, so combine them as tls.dplwireless.com:8000 and enter this directly into the Primary and Backup Host Addresses. DPL manages the connection from the Hercules modem through our secure network to your payment processor. Please contact our technical support department to configure the payment processor information for your Hercules modem or log in to the Hercules Portal to configure it yourself (learn how).
a) Configure the information using the data listed above. Navigate to the Communication screen and enter the host information.
ATM Operator Menu > Terminal Configuration > Communication
4. Testing SSL
The easiest way to test your new SSL configuration is to perform a dummy transaction on your Triton Argo RL2413.
NOTE: If you encounter any issues use the 5 key to Restart The Terminal on the System Parameters screen as seen below to reboot the ATM to ensure the TCP/IP information has taken effect.
ATM Operator Menu > System Parameters > Restart The Terminal
If there is a failure at this point, go back and double check all the configuration options from the previous steps.
Conclusion
After completing all the above steps your Triton ATM will be set to use SSL (TLS 1.2) on all transactions with the payment processor. This ensures that no third parties can listen on the line, get any usable data, terminate the SSL connection and proxy it out (MITM attack), or commit any other nefarious logical attack against outgoing data from your ATMs.