Understand Secure Connections

Recommended Practices for Secure TCP/IP Connections

It is advised to always use a secure connection for transmitting payment data. This ensures data protection and integrity during transmission.

Mutual Authentication and Secure Connection

Our terminals are equipped with a hardware security module that enhances secure connections through the following features:

  • Mutual authentication using SSL.

  • Mandatory use of TLSv1.2 protocol.

  • Storage of the terminal's private key within the hardware security module.

  • Trusted server certificates are also stored in the hardware security module.

  • Elimination of insecure algorithms in SSL connections, including MD5, SHA1, RC4, etc.

  • Limited session timeout duration for added security.

Trusted Store Management

Certificates in the trusted store must be authenticated either by the acquirer's root public key or the vendor's terminal root public key, which is embedded in the firmware of the security module. All trusted server certificates must be signed by the acquirer or vendor before being managed through the HSM management API.

Hardware SSL Configuration

  • Issuing Client Certificates: The application initializes by obtaining the terminal's CSR, generated by the internal RSA private key of the hardware security module. This CSR must be submitted to a CA to obtain the relevant certificate, which is then injected into the hardware security module with an appropriate alias.

  • Importing Server Certificates: Server certificates, signed by the terminal acquirer's private key, should be injected into the hardware security module as trusted certificates.

Quick SSL and HTTPS Demonstration Using Provider Method

This approach is recommended for new projects and affects only the current application's connections.

  • KeyManager and TrustManager Preparation: Customize these managers to select the appropriate terminal public key and to manage server certificate information.

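    // Imports required by the enclosing source file.
    import java.net.Socket;
    import java.security.KeyStore;
    import java.security.Principal;
    import java.security.PrivateKey;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.X509KeyManager;
    import javax.net.ssl.X509TrustManager;

    // Selects the terminal's client certificate by alias. The private key is held
    // in the HSM, so the key and chain getters return null.
    private class AliasKeyManager implements X509KeyManager {
        private final String mAlias;
        // ks and password are not used; only the alias is needed.
        private AliasKeyManager(KeyStore ks, String alias, String password) {
            this.mAlias = alias;
        }
        @Override
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            return this.mAlias;
        }
        @Override
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
            return null;
        }
        @Override
        public X509Certificate[] getCertificateChain(String alias) {
            return null;
        }
        @Override
        public String[] getClientAliases(String keyType, Principal[] issuers) {
            return null;
        }
        @Override
        public String[] getServerAliases(String keyType, Principal[] issuers) {
            return null;
        }
        @Override
        public PrivateKey getPrivateKey(String alias) {
            return null;
        }
    }

    private class TestTrustManager implements X509TrustManager {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // The X509TrustManager contract requires a non-null array.
            return new X509Certificate[0];
        }
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // The server certificates are already authenticated by HSM.
            // This method performs no validation of its own, so use this class only
            // with an SSLContext obtained from the "HSMTLS" provider.
            // You can do more business logic to the server certificates here.
            for (X509Certificate x509c : chain) {
                Logger.debug("checkServerTrusted chain,length=" + chain.length + ",content=\n" + x509c.toString());
            }
        }
    }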
  • Using SSL Socket and HTTPS: Ensure the use of the "HSMTLS" security provider and the correct public key alias, allowing the use of keys and certificates stored in the HSM.

Using SSL Socket

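            // "terminal_pub" is the alias of the terminal certificate stored in the HSM.
            KeyManager[] keyManagers = new KeyManager[]{new AliasKeyManager(null, "terminal_pub", null)};
            TrustManager[] trustManager = new TrustManager[]{new TestTrustManager()};
            // Request the context from the "HSMTLS" provider so that keys and certificates in the HSM are used.
            SSLContext context = SSLContext.getInstance("TLSv1.2", "HSMTLS");
            context.init(keyManagers, trustManager, null);

            // serverIP and port identify the host to connect to.
            SSLSocketFactory factory = context.getSocketFactory();
            SSLSocket socket = (SSLSocket) factory.createSocket(serverIP, port);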
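
The feature list above promises TLSv1.2 only and no MD5, SHA1 or RC4. The following added example (not vendor code) checks what the socket actually negotiated and fails closed otherwise; the class name `TlsSessionPolicy` and the suite-name matching rules are assumptions of this example.

```java
import java.io.IOException;
import java.util.Locale;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Added example (hypothetical helper): verify the negotiated TLS session before sending data. */
public final class TlsSessionPolicy {
    private static final String REQUIRED_PROTOCOL = "TLSv1.2";

    private TlsSessionPolicy() {
    }

    /** True when the suite name indicates RC4, an MD5 or SHA-1 MAC, no encryption, or no authentication. */
    static boolean isWeakSuite(String suite) {
        String s = suite.toUpperCase(Locale.ROOT);
        return s.contains("_RC4_") || s.endsWith("_MD5") || s.endsWith("_SHA")
                || s.contains("_NULL_") || s.contains("_ANON_");
    }

    /** Runs the handshake, then rejects the connection unless protocol, suite and peer are acceptable. */
    public static SSLSession handshakeAndVerify(SSLSocket socket) throws IOException {
        try {
            // Offer TLSv1.2 only, so a downgrade cannot be negotiated.
            socket.setEnabledProtocols(new String[]{REQUIRED_PROTOCOL});
            socket.startHandshake();
            SSLSession session = socket.getSession();
            if (!REQUIRED_PROTOCOL.equals(session.getProtocol())) {
                throw new SSLHandshakeException("Unexpected protocol: " + session.getProtocol());
            }
            if (isWeakSuite(session.getCipherSuite())) {
                throw new SSLHandshakeException("Weak cipher suite: " + session.getCipherSuite());
            }
            // Throws SSLPeerUnverifiedException if the server presented no certificate.
            session.getPeerCertificates();
            return session;
        } catch (IOException e) {
            socket.close(); // never leave a rejected session open for payment data
            throw e;
        }
    }
}
```

Call `TlsSessionPolicy.handshakeAndVerify(socket)` before opening the socket's streams.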

Using HTTPS

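            KeyManager[] keyManagers = new KeyManager[]{new AliasKeyManager(null, "terminal_pub", null)};
            TrustManager[] trustManager = new TrustManager[]{new TestTrustManager()};
            SSLContext context = SSLContext.getInstance("TLSv1.2", "HSMTLS");
            context.init(keyManagers, trustManager, null);

            URL sslURL = new URL(url);
            HttpsURLConnection con = (HttpsURLConnection) sslURL.openConnection();
            // Attach the HSM-backed socket factory; without this call the connection
            // uses the default SSLSocketFactory instead of the context created above.
            con.setSSLSocketFactory(context.getSocketFactory());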

The public key alias, such as "terminal_pub", should be authenticated by the server and may vary depending on the server.
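
The comment in `checkServerTrusted` above leaves room for further business logic on the server certificates. The following added example (not vendor code) shows one such check: it verifies the validity period and pins the host's public key. The class name `PinnedTrustManager` and the pin value supplied to its constructor are assumptions of this example, and it relies on the "HSMTLS" provider having authenticated the chain as the page describes.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

/** Added example (hypothetical class): extra checks on top of the HSM's chain authentication. */
public class PinnedTrustManager implements X509TrustManager {
    private final byte[] expectedSpkiSha256;

    /** @param expectedSpkiSha256 SHA-256 of the host certificate's public key, supplied by the integrator */
    public PinnedTrustManager(byte[] expectedSpkiSha256) {
        this.expectedSpkiSha256 = expectedSpkiSha256.clone();
    }

    /** SHA-256 over the DER-encoded SubjectPublicKeyInfo of the certificate. */
    static byte[] spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Empty server certificate chain");
        }
        X509Certificate leaf = chain[0]; // the host's own certificate comes first
        leaf.checkValidity();            // throws if expired or not yet valid
        // MessageDigest.isEqual compares the two digests in constant time.
        if (!MessageDigest.isEqual(expectedSpkiSha256, spkiSha256(leaf))) {
            throw new CertificateException("Server public key does not match the pinned value");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("Client-side trust manager only");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}
```

Pass an instance in place of `TestTrustManager` when building the `TrustManager[]` array, and update the pin whenever the host's key pair is replaced.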

Quick SSLSocket and HTTPS Demonstration Using Property Method

This older method impacts the global environment and is not recommended for new projects. It involves setting up system properties for SSL Socket and HTTPS connections.

Using SSL Socket

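        // These system properties apply to the whole process, not just one connection.
        System.setProperty("javax.net.ssl.keyStoreProvider", "SunPKCS11-wizarpos");
        String terminalPublicCertAlias = "terminal";
        System.setProperty("javax.net.ssl.certAlias", terminalPublicCertAlias);
        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            // Initialize sslContext and create the socket from its factory here.
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("TLS is not available", e);
        }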

Using HTTPS

        System.setProperty("javax.net.ssl.keyStoreProvider", "SunPKCS11-wizarpos");
        String terminalPublicCertAlias = "terminal";
        System.setProperty("javax.net.ssl.certAlias", terminalPublicCertAlias);
        HttpPost httpPost = new HttpPost(strURL);

Secure Configuration Details

  • Key Management: Secure connections utilize mutual authentication. The host verifies the terminal's certificate (related to certAlias) issued by the CA in the host's truststore. The terminal authenticates the host's certificate using the communication root certificate in the hardware security module. Both certificates are stored in X509 format.

  • Session Managemen


Last updated 1 year ago