Need Assistance?
Contact us 24/7 at 1-800-561-8880 for support.
Purpose
This guide instructs DPL customers on how to properly configure SSL/TLS on Hyosung ATMs using a Hercules wireless modem. This guide is based on the Hyosung MoneyMax MX2600SE – the required steps for your model may vary. The document will take you through:
- Installing the DPL rootcert.pem file
- Setting up address-based host setup
- Enabling SSL/TLS
- Enabling certificate validation
By the end of the document you will have a securely connected ATM that should be resilient to Man-in-the-Middle (MITM) attacks involving tampering with the internal link between the ATM and the Hercules modem installed in your unit.
NOTE: To download the non-DPL-specific Hyosung SSL/TLS configuration guide, click here.
Prerequisites
To successfully complete the following steps you will need:
- A Hercules wireless modem and ATM with the latest firmware updates. If unsure, please contact DPL’s technical support department.
- The DPL rootcert.pem or a rootcert.pem provided by your payment processor
Examples of the required information will be provided in the steps below.
Steps
1. ATM TCP/IP Setup
Before setting up SSL/TLS, confirm you are on a TCP/IP ATM configured for DHCP or static IP as instructed below.
NOTE: DHCP enables dynamic allocation of the ATM's IP address by the Hercules modem that the ATM is plugged into. This is preferred because the ATM does not need to be changed when the Hercules modem is changed. Static IP can be more stable for some older ATMs but requires manual ATM reconfiguration if the Hercules modem is updated to new addresses (or after many other network topology changes).
a) Use the ATM Operator Menu to navigate to the communication screen using the path listed below.
ATM Operator Menu > Customer Setup > Select Processor > Communication
NOTE: In order to use SSL/TLS the ATM will need to be capable of TCP/IP communication.
b) Enable either DHCP (preferred for newer installations) or a static IP (using information provided by the installation site or the Hercules modem being used) using the DHCP En/Disable button (and other buttons if using static).
ATM Operator Menu > System Setup > Terminal IP
c) Once your information has been input, press the Cancel key to save the changes.
NOTE: If you have switched from Static to DHCP or vice versa, you may need to reboot the ATM now or after completing the remaining steps. See how to reboot your ATM under "Testing SSL" below.
Alternative: Static IP Configuration
The Hercules can also be used with a static IP configuration. If that is required, use the information provided below and your ATM will be connected to the Hercules. Use the DHCP En/Disable button to switch to static configuration and enter the following:
- IP Address: 192.168.0.55
- Subnet Mask: 255.255.255.0
- Gateway: 192.168.0.1
- DNS: 192.168.0.1
2. Enabling SSL/TLS Properly
In this section we will enable TLS 1.2 to secure the ATM against man-in-the-middle attacks on the Ethernet line and enable certificate verification to make sure the ATM is verifying the certificate chain.
a) Open the TCP/IP Type screen using the path listed below, then match up the information to the image using the highlighted buttons.
ATM Operator Menu > Customer Setup > Select Processor > TCP/IP Type
NOTE: The Hercules modem can use Visa Framed or Standard for the Type.
3. Installation of Root Certificate Files (rootcert.pem)
The rootcert.pem file is used to supplement the list of certificates already installed on your Hyosung ATM. The supplemental certificates are trusted chains used by payment processors that are not always preinstalled on ATMs. These will allow certificate validation to be enabled on the ATM for enhanced protection against logical attacks.
a) Download the DPL rootcert.pem file (or the certificate chain indicated by your payment processor) and install it on a USB drive or SD card that is 2GB or less in size. It should appear as depicted below.
NOTE: The 2GB drive size is a requirement for GenMega ATMs. They can have trouble accessing drives larger than 2GB.
WARNING: This is important. If you don't have one, purchase a 2GB drive.
Adding Rootcert.pem to Root of USB Drive/SD Card
b) Plug the USB drive (or SD card) into the appropriate port on your Hyosung's control board (the green USB drive in our example). The Hyosung MoneyMax MX2600SE ports are as seen below. USB is on the right when viewing the ATM from behind.
Hyosung MoneyMax MX2600SE USB Port/SD Card Slot
c) To install the new rootcert.pem navigate to the TCP/IP Type screen using the path listed below and press the Download Cert. From USB button.
NOTE: If you encounter an error at this stage, you either misnamed the rootcert.pem file or your USB drive or SD card is not 2GB or less and FAT formatted (see previous steps).
ATM Operator Menu > Customer Setup > Select Processor > TCP/IP Type
Once this is complete you should see an Operation Success displayed on screen.
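The error note in step c) names the usual causes of a failed certificate download: a misnamed file or an unsuitable drive. The following pre-flight check can be run on a laptop against the mounted drive before visiting the ATM. It is an added example, not DPL or Hyosung code. It assumes the ATM expects the exact lowercase name rootcert.pem and that "2GB" means 2 GiB, it checks PEM structure only (not chain validity), and it does not check FAT formatting.

```python
# Added example (not DPL or Hyosung code): pre-flight check of the cert drive.
import base64
import re
import shutil
import sys
from pathlib import Path

CERT_NAME = "rootcert.pem"      # file name the guide requires
MAX_DRIVE_BYTES = 2 * 1024**3   # assumption: "2GB" read as 2 GiB
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_pem_text(text):
    """Return a list of problems found in the PEM bundle text."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block (DER file or saved web page?)")
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("bundle contains a private key; remove it")
    for i, body in enumerate(certs, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {i}: invalid base64")
            continue
        if not der.startswith(b"\x30"):  # X.509 DER begins with SEQUENCE
            problems.append(f"certificate {i}: not DER-encoded X.509")
    return problems


def check_drive(root, max_bytes=MAX_DRIVE_BYTES):
    """Check a mounted drive root against the guide's error note."""
    root = Path(root)
    problems = []
    if shutil.disk_usage(root).total > max_bytes:
        problems.append("drive is larger than 2GB")
    names = [p.name for p in root.iterdir() if p.is_file()]
    if CERT_NAME not in names:
        near = [n for n in names if "rootcert" in n.lower()]
        return problems + [f"{CERT_NAME} not in drive root; found {near}"]
    text = (root / CERT_NAME).read_text(errors="replace")
    return problems + check_pem_text(text)


if __name__ == "__main__":
    print(check_drive(sys.argv[1]) or "drive looks ready")
```

Run it with the drive's mount point as the only argument; an empty problem list means the file name, drive size and PEM structure match what the guide requires.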
4. SSL Host Configuration
In this section we will configure the host addresses for SSL/TLS. Configure the address fields to tls.dplwireless.com and the port fields to 8000. DPL manages the connection from the Hercules modem through our secure network to your payment processor. Please contact our technical support department to configure the payment processor information for your Hercules modem or log in to the Hercules Portal to configure it yourself (learn how).
a) Enable URL with the button on the left. Then configure the settings with the data listed above using the highlighted buttons.
ATM Operator Menu > Host Setup > Host Address
5. Testing SSL
Test that SSL is configured properly on your ATM by completing either of the steps below:
- Perform a dummy transaction on the ATM
- Use the Connect button on the TCP/IP screen of the Diagnostics to test the connection
For the purposes of this document the Connect option of the Diagnostics mode will be used:
- Navigate to the TCP/IP screen using the path listed below and press the Connect button. If everything is configured correctly a success message will be displayed. Ensure all the fields match the example below.
ATM Operator Menu > Diagnostics > Yes > TCP/IP
NOTE: If you encounter any issues use the Reboot Now button on the Reboot / Shutdown screen as seen below to reboot the ATM to ensure the TCP/IP information has taken effect.
ATM Operator Menu > System Setup > System Control > Reboot/Shutdown
If there is a failure at this point, go back and double check all the configuration options from the previous steps. If you see Operation Success then congratulations, the ATM is now configured correctly.
Conclusion
After completing all the above steps your Hyosung ATM will be set to use SSL (TLS 1.2) on all transactions with the Hercules modem. This ensures that no third parties can listen on the line, get any usable data, terminate the SSL connection and proxy it out (MITM attack), or commit any other nefarious logical attack against outgoing data from your ATMs.