Fiscal Devices
According to the Austrian Cash Register Ordinance (Registrierkassenverordnung RKSV), the use of a signature unit is mandatory.
Signature Generation and Expression
Signatures can be created as follows:
- Locally via Smartcard
- At facility via Sign-Server (eg. Smartcard via LAN on Raspberry PI)
- At central Sign-Server with Smartcard(s)
- Via HSM
Smartcard signature
If the signature is supposed to be created locally (i.e. on the same machine EFR is running on), it has to be ensured that a smartcard reader and an appropriate smartcard containing a hardware certificate (as required by RKSV) is installed. Appropriate drivers for the intended system architecture have to be installed and functional as well. Special care has to be taken that all drivers are compliant with the intended system architecture. The smartcard driver has to support the internal operating system (OS), as well as the OS version of the smartcard used.
If these parameters are not met, the EFR may be operational but will be unable to fulfill its intended function.
Smartcards supported:
- A-Trust (CARDOS53 and ACOS04 [old])
- Global-Trust (CARDOS53 and 50 [old])
- Prime-Sign
Activate Smartcard
Connect the smartcard device to the computer/cash register (attach smartcard reader and respectively put in the smartcard or plug in USB smartcard).
EFR settings are checked via a browser-window by opening http://localhost:5618/config or http://localhost:5618/smartcard directly.
Windows 7 64bit may show unexpected behaviour at this point by trying to install a separate driver for the smartcard. Specification-compliant smartcards however do not require such a driver. Consequently, the driver installation fails and an error is displayed. Preliminary testing shows that the card will usually function normally and the display of the false installation error can be disabled by deactivating the smartcard in the device manager. This should have no impact on the functionality of the card itself, even if disabled in this way. This erroneous behaviour is a specific Win7.64bit problem.
Enter PIN and test connection. If ok [save] the configuration.
HSM signature
Every cash register in Austria must have a signature creation unit (Signaturerstellungseinheit SEE) that handles the digital signing process. This unit works either as a:
- Hardware component (e.g. in the form of a signature module in the cash register or as a smart card),
- Software-based solutions or
- Cloud-based solution that offers signature services via the Internet.
The values for Sign_require and Sign_Cfg must be entered in the EFR profile. If the HSM was ordered in the efsta portal, these values are automatically set by the efsta system.
| Sign_require | Sign_Cfg example | Description |
|---|---|---|
| A-Trust | username=u123456789 password=123456789 | External HSM "a.sign RK ONLINE" (A-Trust) |
| A-Trust | host=hs-abnahme.a-trust.at keylabel=testkeylabel | Internal HSM "a.sign RK HSM" (http) In production environment attribute host will refer to an inhouse server |
| Prime-Sign | username=user123 password=a4cfdc96-d083-4236-befc-64fa4cd9e6bb host=rs-2759ffb9.ps.prime-sign.com [taxid=ATU…] | External HSM Values to used for “username” is “userID”, for “password” it is “shared Secret”, for “host” it is “Host”. |
| SignClient | host=192.168.0.1:5618 | Remote signature over another EFR within LAN. This is used if no local smartcard is accessible (backup). Set also Attributes: UdpServer_disable to avoid random usage of local EFR instances for signature. |
Sign_Cfg example attributes can be used for HSM test access. These are used by default, if Sign_Cfg is left empty.
Be sure to allow access to the host address from the computer running EFR (firewall, router, …) or to configure approprioate Proxy settings in profile.