Installation
Wayne Nucleus™ Point-of-Sale (POS) System
Secure FTP Back-Office Interface Version 1.02 R1
READ THIS MANUAL BEFORE YOU BEGIN
Dispensers have both electricity and a hazardous, flammable and potentially explosive liquid.
Failure to follow the below precautions and the Warning and Caution instructions in this manual may
result in serious injury. Follow all rules, codes and laws that apply to your area and installation.
SAFETY PRECAUTIONS - INSTALLATION AND MAINTENANCE
Always make sure ALL power to the dispenser is turned OFF before you open the dispenser
cabinet for maintenance. Physically lock, restrict access to, or tag the circuit breakers you turn off
when servicing the dispenser. Be sure to trip (close) the emergency valve(s) under the dispenser
BEFORE beginning maintenance.
Make sure that you know how to turn OFF power to the dispenser and submersible pumps in an
emergency. Have all leaks or defects repaired immediately.
HOW TO CONTACT WAYNE
Problems with the installation of this kit should be referred to Wayne Technical Support
(1-800-926-3737).
INDICATORS AND NOTATIONS
Danger indicates a hazard or unsafe practice which, if not avoided, will result in severe injury or possibly death.
Warning indicates a hazard or unsafe practice which, if not avoided, may result in severe injury or possibly death.
Caution indicates a hazard or unsafe practice which, if not avoided, may result in minor injury.
NOTE: Important information to consider, otherwise, improper installation and/or damage to
components may occur.
Table of Contents
1 INTRODUCTION
2 SFTP BACK OFFICE SYSTEM (BOS) ENVIRONMENT OVERVIEW
3 SFTP INSTALLATION AND CONFIGURATION
3.1 Obtain a OneShot Password
3.2 Turn Off Whitelisting
3.3 Continuing SFTP Installation
3.4 Configure SFTP
4 ADJUST THE NUCLEUS POS SYSTEM BACK-OFFICE CONFIGURATION
5 USING WINSCP TO ACCESS THE BOS FILES ON THE NUCLEUS POS SYSTEM
5.1 Converting an OpenSSH private key to PuTTY key format
5.2 Connecting to BOS_SFTP Account on the Nucleus POS System with WinSCP
6 TROUBLESHOOTING
6.1 Issues during install of SFTP on the Nucleus POS System
6.2 Issues on BOS or other systems using SFTP
1 INTRODUCTION
In the past, File Transfer Protocol (FTP) has been one of the available methods for transferring information between the Wayne Nucleus™ Point-of-Sale (POS) system and Back-Office systems (BOS). However, due to a number of deficiencies in FTP from a security perspective, it is being replaced by more secure alternatives in Payment Card Industry (PCI) compliant versions of the Nucleus POS system software. Secure FTP (SFTP) is one of those alternative methods.
SFTP implements file transfer functionality on top of the Secure Shell (SSH) protocol. Two main advantages of SFTP/SSH over FTP from a security perspective are that SSH establishes an encrypted channel between the client and server for all data transfer and that it provides a public/private key authentication mechanism.
This document provides an overview of the SFTP BOS environment for the Nucleus POS system, as well as installation/setup procedures.
When SFTP is enabled, Blackpipe is typically disabled. There are, however, certain circumstances where SFTP and Blackpipe are both enabled, such as when there is a BOS and a fuel-monitoring application both trying to access the POS data. When both SFTP and Blackpipe are enabled, SFTP should only be used to download files.
NOTE:
SFTP is not a replacement or upgrade for Blackpipe. Wayne Sales/Technical staff should be consulted when considering installation of SFTP so that there is a complete understanding of what SFTP will and will not do. It is important to note that, unlike Blackpipe, SFTP does not automatically transfer files; a separate process needs to be implemented (usually on the BOS) to poll the Nucleus POS system and transfer files. Also, the BOS vendor should be consulted to see if their product supports SFTP.
2 SFTP BACK OFFICE SYSTEM (BOS) ENVIRONMENT OVERVIEW
The BOS SFTP environment provides remote access to the back-office interface folders that typically reside in
D:\BOS on the Nucleus POS system via OpenSSH under Cygwin.
Figure 2-1 BOS FTP Environment
This environment is implemented as a 'sandbox' (chroot) environment where the only files made available to an SFTP client are the BOS files; all other files are hidden from view.
8 P/N 000-W2940174 Rev. 05 September 2015
Figure 2-2 BOS Files
For security reasons, authentication via an SSH key pair is used to secure access to the BOS folder. This key is typically site-specific.
3 SFTP INSTALLATION AND CONFIGURATION
The SFTP BOS Interface Patch is distributed on a CD-ROM.
The recommended method of installation is by using the Nucleus POS system “Copy CD for Later” function (Section 3.3). A reboot of the system is required after an installation/update of the SFTP BOS interface files, but is not required for configuration changes, such as the installation of a new key pair.
3.1 Obtain a OneShot Password
To install and set up the SFTP BOS Interface on the Nucleus POS system, access to the Copy CD for Later function is necessary. If you don’t have access to the Copy CD for Later function, then obtain a OneShot password and try again.
1. From the Nucleus POS system Operations screen, press the Nucleus button and select One Shot from the menu; obtain a password from Wayne Technical Support and enter it.
Figure 3-1 OneShot Access
Figure 3-2 OneShot Access Granted
2. Go to Programming > System > Extensions and check if Whitelisting is installed on your machine. If you see Extended Security Control, then Whitelisting is installed on your machine and you should proceed with Section 3.2; otherwise, skip to Section 3.3.
Click the Nucleus button, then select OneShot. Provide the OneShot key to Wayne Technical Support, who will in turn provide the OneShot password.
OneShot access granted.
3.2 Turn Off Whitelisting
1. Go to Programming > System > Extensions > Extended Security Update Mode Control. The following window will be displayed indicating the current mode of the Enhanced Security feature. In the following example the Whitelisting function is enabled which indicates that updates are not allowed.
Figure 3-3 Enhanced Security Mode - Enabled
2. After selecting “Turn on Update Mode”, the following screen will be displayed, indicating that Update Mode is enabled. In this mode changes to the system are allowed.
Figure 3-4 Enhanced Security Mode - Disabled
3. Select the button on the window to change the mode of the Enhanced Security feature to turn on Update Mode as indicated by the button text. For example, if the button text is “Turn On Update Mode”, selecting the button will put the Enhanced Security feature into Update Mode. Selecting “Turn Off Update Mode” will turn off Update Mode.
4. If you selected the button by mistake and do not wish to change the mode of the Enhanced Security feature, select the button again to change the status back to its original setting.
5. Click the X in the upper right corner of the window to close it, and then select File > Close to close the Programming window.
NOTE:
After completing any necessary software installation or maintenance, return to the Extended Security Update Mode Control panel and turn off Update Mode.
3.3 Continuing SFTP Installation
NOTE: If you are installing at a Chevron site with 8.05A or better, you should skip to Section 3.4 since SFTP is already installed.
Figure 3-5 Insert CD Prompt
2. Place the SFTP CD into the CD/DVD drive, close the tray, and click the [OK] button. The Copy CD process will then apply the SFTP configuration update.
Figure 3-6 DispatchCD Copying Files
Figure 3-7 Copy Files Successful
3.4 Configure SFTP
1. Go to Start > All Programs > OpenSSH-Cygwin > cygwin.
2. Enter the following at the command line: /Install/Generate-bos-sftp-keys.sh and press <Enter>. If prompted to overwrite the existing file, select Y.
3. The system will prompt you for a passphrase. Choose a passphrase, enter it at the command line and press <Enter>. Enter the passphrase again to confirm. (Make a note of this passphrase as you will need it again later in this procedure.)
4. Enter the following at the command line: /Install/enable-sftp-for-bos.sh and press <Enter>.
5. Enter the following at the command line: /Install/test-bos-sftp.sh and press <Enter>.
6. The system will prompt you for a passphrase. Enter the passphrase from step 3 at the command line and press <Enter>. The system will prompt you with “Are you sure you want to continue connecting (yes/no)?” Select Yes and press <Enter>.
At the prompt type CD BOS and press <Enter> then type dir and press <Enter>. The folders NLINK, XMLEXPORT, and XMLIMPORT should be present.
NOTE:
To verify that SFTP was installed correctly, you can then use Explorer to navigate to the D:\BOS folder and check that the NLINK, XMLEXPORT, and XMLIMPORT folders are present.
7. Change the Nucleus White Listing setting to turn off Update Mode. See Section 3.2 on page 10.
8. Navigate to the D:\OpenSSH-CGWIN\install folder and copy the file called boskey and the file called boskey.pub to a folder on the USB drive called BosKey. This Security Key Pair will be needed later in Section 5.
IMPORTANT:
Secure FTP implementations should use a unique Security Key Pair per connection to ensure compliance with industry standards.
4 ADJUST THE NUCLEUS POS SYSTEM BACK-OFFICE CONFIGURATION
Some versions of the Nucleus POS system application impose additional controls on the SFTP service, requiring a change in the Nucleus POS system programming to enable access from a BackOffice computer. Access the Nucleus POS system programming utility via the Programming option on the main Nucleus POS system menu. (If the logged-in user does not have sufficient privilege to access the programming options, a One Shot will be required.)
Figure 4-1 Programming Access
1. Select System -> BackOffice Configuration.
Figure 4-2 Nucleus POS System Programming Screen
The following screen is then displayed.
Figure 4-3 Back Office Configuration Screen
2. If there is a Secure FTP Server Enabled option on the screen, check it [x] to enable access from the BackOffice computer.
3. If Secure FTP Server Enabled is checked, then be sure that FTP Server Enabled is unchecked.
4. Disable Blackpipe by un-checking Enable Blackpipe.
5. Click [OK] to confirm the programming change.
Figure 4-4 Enable Secure FTP Server
6. Select File -> Close from the programming menu then reboot the Nucleus POS system for the programming changes to take effect.
7. Shutdown and reboot the Nucleus POS system so that changes to the Windows account permissions are put into effect.
5 USING WINSCP TO ACCESS THE BOS FILES ON THE NUCLEUS POS SYSTEM
This section illustrates how the WinSCP client software and the PuTTY utility installed on a Windows back office machine may be used to access the Nucleus POS system BOS files. The actual methods at a specific
customer site will vary according to the Secure FTP and BackOffice packages that are installed.
NOTE:
WinSCP and puttygen.exe are required utilities and are located in the \tools folder of the SFTP
5.1 Converting an OpenSSH private key to PuTTY key format
WinSCP uses the PuTTY (.ppk) private key format, so the generated key for the BOS_SFTP account must be converted from OpenSSH format. This may be accomplished with the PuTTYgen tool.
1. First off, verify that you have PuTTYgen version 0.63 or later, otherwise you may get an error when trying to load the BOSKey.
Figure 5-1 Verify PuTTYgen Version
2. Copy the bos key file from the USB to the desktop of the BOS.
3. Start PuTTYgen by selecting Programs > PuTTY > PuTTYgen from the Windows [Start] menu.
Figure 5-2 Start PuTTYgen
4. The following window will be displayed. Verify Release 0.63 or later
Figure 5-3 PuTTY Key Generator Window
5. Select [Load] and navigate to the location where you copied the boskey file. From the “Files of Type” pull-down, select All Files so that the boskey file is visible then select it and click Open.
Figure 5-4 Load Private Key
Figure 5-5 Enter Passphrase Prompt
7. The following window will then be displayed.
Figure 5-6 Successful Import
Figure 5-7 Save Private Key
9. Specify the filename for the key, specify a file type of PuTTY Private Key Files (*.ppk) and click [Save].
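A check that supports the conversion above, as an added example that is not part of the Wayne manual: it fingerprints an OpenSSH public key line such as boskey.pub so the value can be compared with the key fingerprint PuTTYgen shows after loading boskey. Older PuTTY releases display the MD5 colon-hex form and current OpenSSH tools the SHA256 form, so both are produced; the function names are hypothetical and the sample keys are constructed, not real.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Return (key_type, blob) from '<type> <base64> [comment]', validating both."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the line prefix")
    return key_type, blob


def fingerprints(line: str) -> dict:
    """Fingerprint the key blob only, so the trailing comment never matters."""
    key_type, blob = parse_pubkey_line(line)
    md5_hex = hashlib.md5(blob).hexdigest()
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha_b64,
    }


def same_key(pub_a: str, pub_b: str) -> bool:
    return fingerprints(pub_a)["sha256"] == fingerprints(pub_b)["sha256"]


def make_sample_line(modulus: bytes, comment: str) -> str:
    """Constructed ssh-rsa line (e = 65537, made-up modulus); not a usable key."""
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


# Constructed samples: the same key with different comments, and a different key.
POS_PUB = make_sample_line(b"\x00" + b"\xc3" * 256, "boskey-on-pos")
BOS_PUB = make_sample_line(b"\x00" + b"\xc3" * 256, "boskey-from-usb")
WRONG_PUB = make_sample_line(b"\x00" + b"\xa7" * 256, "boskey-other-site")

if __name__ == "__main__":
    print(fingerprints(POS_PUB))
    print("BOS copy matches POS:", same_key(POS_PUB, BOS_PUB))
    print("other key matches POS:", same_key(POS_PUB, WRONG_PUB))
```

Only the public half is read, so the comparison can be made without moving the private key or its passphrase anywhere new.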
5.2 Connecting to BOS_SFTP Account on the Nucleus POS System with WinSCP
1. To use WinSCP to access files on the Nucleus POS system BOS_SFTP account, open the application from the [Start] Menu using link WinSCP3 -> WinSCP.
Figure 5-8 WinSCP Login
2. Enter the following:
• Host name or IP address of the Nucleus POS system
• User name BOS_SFTP
• The location of the Private key file in .ppk format. NOTE: an alternative method of accessing the private key is via the PuTTY Authentication agent (Pageant), but it will not be covered here.
• The BOS passphrase
3. Click Login to continue.
Figure 5-9 Key Passphrase
4. When prompted, enter the passphrase for the private key.
5. Select the BOS folder to access the BOS-related files on the Nucleus POS system.
From this point on, files may be uploaded or downloaded normally.
6 TROUBLESHOOTING
The following section contains troubleshooting tips for issues that may be encountered during installation.
6.1 Issues during install of SFTP on the Nucleus POS System
• Copy CD for later - When loading the SFTP CD, verify that the installation media is a CD and not a DVD. IBM x200, x205, and x206 machines are equipped with CD-ROM drives and not DVD drives.
• System Times out during install - During the install process you run an install test which validates that the Nucleus POS system is set up and calling out. If it fails, then you re-install the application. This could occur in older slower machines where things time out during the install.
If the issue is still present once the install test has completed successfully, then the issue must reside with the outside application.
6.2 Issues on BOS or other systems using SFTP
• Firewall - validate that Open SSH Server is enabled and Port 22 is enabled.
• BOSKEY Issues - The Back Office cannot connect to the Nucleus POS system: you can ping the Nucleus POS system from the Back Office System, but you get a timeout error when trying to connect with WinSCP or other tools. This has been found at times when users loaded the Back Office machine with an incorrect bosKey from their USB device.
Figure 6-1 Connection Timeout Error Message
Connection error even though the ping is successful.
To correct this, the user needs to remove the incorrect BosKey, then get the correct BosKey from the POS (D:\OpenSSH-Cygwin\install\BOSkey) and load it to their Back Office System.
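To separate the two causes listed in this section, the added example below (not part of the Wayne manual) probes the SSH port from the Back Office machine and classifies the answer: no reply points at the firewall, a refusal at the SSH service, and a valid SSH banner means the network path is fine and the key should be checked. The function names are hypothetical, and the loopback server is a constructed stand-in for the POS so the block runs offline.

```python
import socket
import threading


def probe_ssh(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Classify how an SSH endpoint answers a plain TCP connection attempt."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return {"state": "filtered", "hint": "no answer: check firewall rules for the port"}
    except ConnectionRefusedError:
        return {"state": "closed", "hint": "host answers but nothing listens: check the SSH service"}
    except OSError as exc:
        return {"state": "error", "hint": str(exc)}
    with sock:
        try:
            # An SSH server sends its identification line first, e.g. "SSH-2.0-...".
            raw = sock.recv(255)
        except OSError:
            raw = b""
    banner = raw.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if banner.startswith("SSH-"):
        return {"state": "ssh", "banner": banner,
                "hint": "network path and SSH server are fine: check the key"}
    return {"state": "not-ssh", "banner": banner,
            "hint": "port answers, but not with an SSH banner"}


def constructed_server(banner: bytes) -> int:
    """Constructed stand-in for the POS: one loopback listener that sends a banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = constructed_server(b"SSH-2.0-ConstructedExample\r\n")
    print(probe_ssh("127.0.0.1", port, timeout=2.0))
```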
6.3 If system fails after being installed and running
• Validate that recovery settings are enabled - On the POS go to My Computer > Manage > System Tools and look for errors in Application or System. If no errors are found, go to Services and Applications, open Services, then open CYGWIN SSHD. Ensure that Recovery settings are set to Restart the Service, and do the same for FranSvc.
© 2015 Wayne Fueling Systems. Printed in the United States of America.
This manual and any software described herein are furnished under the terms of sale or other applicable contract including any license, and may be used or copied only in accordance with those terms.
No part of this publication may be electronically or mechanically reproduced, stored in a retrieval system, or transmitted, in any form or by any means, except as permitted by such terms. Translation of this material to another language without express written permission from Wayne Fueling Systems is prohibited.
This publication is intended for informational purposes only and this material is subject to change without notice. Wayne Fueling Systems has not made, and does not make, any representations or warranties of any kind, expressed or implied, with respect to any information in the publication, including any warranty as to the accuracy, correctness, or completeness of any of the information. Wayne Fueling Systems shall not be responsible or liable for any damages or losses that occur as a result of the receipt and/or use of the information contained herein.
Wayne, the Wayne logo, iX Pay, Ovation, and combinations thereof are trademarks or registered trademarks of Wayne Fueling Systems, in the United States and other countries. EMV is a registered trademark of EMVCo, LLC. NAMOS is a trademark of Wincor Nixdorf. Other names are for informational purposes and may be trademarks of their respective owners.
This product complies with Part 15 of the FCC rules and regulations. Operation is subject to the following two conditions: (1) This product may not cause harmful interference, and (2) this product must accept any interference received, including interference that may cause undesired operation. Note: This equipment has been tested and found to comply with the limits for a Class A digital device as set forth in Part 15 of the FCC Rules. Those limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy, and if it is not installed and used in accordance with the instruction manual, it may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case you will be required to correct the interference at your own expense.
Modifications: Any modifications made to this product that are not approved by Wayne Fueling Systems could void your authority to operate this equipment.