Fiscal Devices
TSE Installation / Configuration
The EFR service supports various TSEs, hence there are different installations and configurations for each TSE. The EFR user-interface shows all TSEs which the EFR service already found in the tab "Steuerung". If a TSE is selected, you can click the button "Zuordnung setzen" to assign the TSE to be used. There is also the option to enter the configuration in the EFR profile.
The button "hinzufügen" can be used to enter access data for a new Cloud TSE. Also the information for various TSEs is shown on this page.
Assign PIN, PUK for Hardware-TSEs before Initialization
The EFR service automatically initializes Hardware TSEs. Therefore, the default values for PIN, PUK and default ClientID are used.
There is also an option to assign PIN and PUK with other values before the first usage. To achieve this you need to select the menu "Profile" on the EFR interface and insert the following attributes in the field "attributes": TSE_AdminPin, TSE_AdminPuk, TSE_TimePin, TSE_TimePuk, TSE_ClientId
This setting will then be used for all Hardware TSEs.
For some TSEs there is only one PUK, which has to be entered as AdminPuk.
If a TSE is already initialized before using the EFR for the first time, there is a chance for issues while using the TSE with the EFR. To set your own default values, go to "Steuerung" on the EFR interface, then select a TSE and click "konfigurieren" or use the method above.
Portscan for automatic network-TSE recognition
When the EFR service starts, a portscan is triggered which searches for TSE devices in the local network. During this process, the EFR service will try to communicate to all devices with familiar ports (8009 for Epson and 10001 for Diebold-Nixdorf). This scan can last a few minutes.
Network TSE are not used by default because there can be many network TSEs. A manual assignment POS to TSE has to be done on the EFR interface.
For the network-TSE, search the attribute TSE_PortScan can be used in the EFR profile. This attribute can be used to find network-TSEs faster and cross-networks. Network-TSEs which are found with this attribute will be assigned automatically.
Examples:
TSE_PortScan=192.168.0.5TSE_PortScan=192.168.0.5,192.168.0.18TSE_PortScan=192.168.0.10-20TSE_PortScan=192.168.0.5:10001TSE_PortScan=FALSE
Simulator
For software development and testing reasons, there is a cloud test-TSE available if you do not have an official TSE yet. To use the simulator, "Simulator (TSE_SIM)" has to be chosen for the TSE field in the profile.
Cryptovision TSE (local)
For the cryptovision TSE, no installation is necessary. The driver is delivered within the EFR service. If the TSE is connected to a PC, the EFR service automatically opens a connection and the TSE is shown on the EFR interface.
Deutsche Fiskal TSE (cloud)
Credentials over efsta Portal
Log in to portal.efsta.net and order in PURCHASE the articles required. Delivery is performed within a few seconds in tab FISCAL-UNITS. The TSE is automatically assigned to an EFR once a transaction is sent.
If the TSE is obtained directly from Deutsche Fiskal, you can copy the access data from the Deutsche Fiskal Portal. In EFR tab "Steuerung" click on "hinzufügen" and select the row "Deutsche Fiskal". Paste into TSE Details and save with "speichern".
By default the driver is then downloaded from cloud and installed at the path /ProgramData/EFR/drv/DF (it may take a few minutes), only it was already installed beforehand and is now running at localhost:20001, unless the attribute TSE_install=NO is set.
Multiple Driver Instances
If multiple instances of the DF driver are required, each FCC must run on a separate port (20001, 20002, ...). For each client (Mandant – drop down in head left) add "hinzufügen" as described, specify server:port (e.g. localhost:20001) in field Host:.
The DF driver requires a lot of RAM. Multiple instances can lead to a resource problem.
Networking requirements by the service provider
- The Fiskal Cloud connector needs access to the hostname fiskal.cloud on port 443 via https.
- The service is DNS based, so the IP address cannot be guaranteed and may change without notice.
- The TSS Fiskal Cloud Connector needs continuous connectivity for all signing, export and other operations.
Runtime Exceptions
The #HTTP_504 error indicates a networking fault. Please check proxy/firewall settings.
To force a retry of a failed EFR signature requests, set Fiscal_timeout=9000 (the maximum delay in milliseconds) in "Profil" "Attributes". Successful signatures always depend on a network operation, which cannot be guaranteed on software side.
Diebold-Nixdorf TSE (local)
For the Diebold-Nixdorf TSE, an additional driver must be installed which is delivered with the TSE. If a special linux system is used, please contact Diebold-Nixdorf directly.
The Diebold-Nixdorf driver starts its own service, which runs on default port 10001. After the installation, it may be required to start the Diebold-Nixdorf service once. In Windows systems, this process should initiate automatically after a reboot. To check whether the service is running, you can click on the following link: http://localhost:10001.
Afterwards, the EFR service should automatically detect the Diebold-Nixdorf TSE if the appropriate TSE stick is connected. Should another port be used, the host configuration can be entered in the profile at the field TSE Cfg (e.g.: Host=localhost:10001).
Diebold-Nixdorf TSE Connectbox
For the Diebold-Nixdorf Connectbox, no additional driver is needed as it will automatically find the TSEs in the network. However, the username and password (admin, beetle) of the Connectbox must NOT be changed, because the EFR service uses them to get the serial numbers of the TSEs.
If the username/password from the Connectbox is changed, you have to add this information to the EFR service. Therefore the attribute Device_Auth (e.g.: Device_Auth=admin:password) has to be added in the profile of the EFR.
If the Connectbox is not found, you can manually set the TSE "Diebold-Nixdorf" in the profile and the host (eg. Host=192.168.0.189) in the TSE Cfg field.
Once the TSEs of the Connectbox are found, every EFR service has to select one TSE on the EFR user-interface and assign it by pressing the button "Zuordnung setzen".
Epson TSE Printer/Server (network)
For the Epson Printer/Server TSE, no further installation is required. The Epson server/printer must be connected to the local network via LAN. If an Epson printer is used, the setting "ePOS-Device Use" has to be enabled. If the EFR interface is open, the EFR service automatically scans the network to find Epson devices. This can last up to one minute.
If the server/printer is connected to another IP-range, or it is not found, the configuration must be added manually in the EFR profile. In this case, select the TSE "Epson (TSE_Epson, network)" and enter the host configuration in the field TSE Cfg (e.g.: Host=192.168.0.156:8009). The Epson devices communicate on port 8009 by default. If you want to configure an Epson server, the serial number must be entered as well, e.g.: Host=192.168.0.156:8009 Serial=B1C6F5C523238046D07DB0A0ED02547F3DE14D808CBFFBBF642CFC97E81F0CC3.
Afterwards, either the Epson TSE should be displayed on the EFR interface or an error, in case the connection is not possible. If the TSE was found automatically then the assignment for the EFR is necessary. This can be done by clicking the button "Zuordnung setzen".
The Epson server can also be configured in the browser on Port 80. Please consider that the EFR needs the standard configuration of the server, since changes could possibly cause communication errors. Especially the default username and password (admin, admin) must NOT be changed, as the EFR service uses them to get the serials of the TSEs.
If the username/password from the epson server is changed, you have to add this information to the EFR service. Therefore the attribute Device_Auth (e.g.: Device_Auth=admin:password) has to be added in the profile of the EFR.
It is also useful to assign a static IP address to the EPSON server/printer, because changing the IP address can lead to problems with the EFR finding the server/printer.
Epson TSE (local)
For the local Epson TSE, no further installation is required. Afterwards, when the TSE is connected to a PC, the EFR service automatically opens a connection and the TSE is shown on the EFR interface.
Fiskaly TSE (cloud)
No installation is needed for the fiskaly TSE. To use this cloud TSE, you have to login to the efsta Portal and order a Fiskaly cloud TSE. The TSE is automatically assigned to an EFR once a transaction is sent.
If the TSE is obtained directly from Fiskaly, you can copy the access data from the Fiskaly Portal (https://dashboard.fiskaly.com/) . In EFR tab "Steuerung" click on "hinzufügen" and select the row "Fiskaly". Paste into TSE Details and save with "speichern".
Now you can select the TSE and assign it by pressing the button "Zuordnung setzen".
Swissbit TSE (local)
For the swissbit TSE there is no installation necessary. The driver is delivered within the EFR service. If the TSE is connected to a PC, the EFR service automatically opens a connection and the TSE is shown on the EFR interface.
SignServer / SignClient
The EFR service offers the opportunity to sign via another EFR, which has one or more local TSEs connected.
SignServer
First the SignServer must configure a TSE as described above. Afterwards, the checkbox "SignServer" must be checked and saved. Then, broadcast messages are sent to other EFRs in the local network, informing that this EFR can be used for signing.
SignClient
If a SignServer exists, it is displayed on the EFR interface of the Client as "SignClient"-TSE. With the button "Zuordnung setzen" the SignServer will be used for signing. Alternatively, the configuration can be entered manually in the EFR profile. The TSE "SignClient (Network)" must be selected first, and the host configuration has to be entered in the Sign Cfg field (e.g.: Host=192.168.0.155:5618). With the initial signature, the SignServer chooses a TSE for the one client with the least clients. This TSE is then used all the time, until the SignServer does not find this TSE anymore.
TSE Management
Registration of the TSE
The registration of a TSE must be reported to the financial authority. Because of that, you need the manufacturer and serial number of the TSE. Registration of a TSE is not yet required, but is expected to be in 2025
TSE Assignment
A local TSE or a (pre)defined cloud TSE can be used without further configuration. The ruleset used for SignServer or network TSEs is described in the document "TSE Assignment".
TSE Export
All signatures created are persistent on TSE storage and remain there for the whole lifetime of the TSE. All offered models have sufficient storage capacity. In case of a tax audit, the auditor may request an export of the audit file named TSE TAR file. The file download can be started via browser http://localhost:5618/control (Export TSE) or via the appropriate function of your frontend application. The TSE has to be connected or accessible via network.
TSE Backup
Upon transaction, signatures are registered immediately in the EFR journal and archived in the efsta cloud (Online EFR).
During operation, additional signatures are created for internal processes ('sysLog'), which have to be included in the TSE export to prove the recording is complete. Therefore, the EFR automatically performs a periodic TSE backup and saves these in an audit-proof manner under record type "_":"audit".
With online EFR systems, a TSE export from the efsta cloud can be performed at any time (within a 10 years retention period). For details, see the document "TSE Backup".
Offline Handling
In the case of a TSE failure, or if the EFR cannot reach the TSE, all receipts will be marked appropriately, showing that the fiscal device is broken.
Please note that a failure must be recorded in the process documentation (Verfahrensdokumentation (status June 2024)).
Offline while starting a transaction
If the TSE cannot be reached while starting a transaction (TraS), the EFR will return RC="OK". The transaction ID (TID) is 0, because this is assigned by the TSE. When the transaction is finished (Tra), the TID=0 will be sent to the EFR.
<TraS>
<ESR TL="1" TT="1"/>
</TraS>
Response:
<TraC SQ="2344">
<Result RC="OK">
<ErrorCode>#TSE_NF</ErrorCode>
<Warning>w-#TSE_NF device not available</Warning>
</Result>
<Fis TID="0" StartD="2020-04-21 15:25:11"/>
</TraC>
If the TSE is reachable while sending the final request, a new start transaction is done automatically and a successful signature with a new TID will be sent back.
Offline while finishing a transaction
If the TSE is not reachable while sending the final request, there will also be a response with RC="OK", because the bon can still be printed. But there is also a Fis Tag Sicherheitsmodul ausgefallen, which must be printed on the bon.
<Tra>
<ESR D="2018-04-01T17:36:27" TL="1" TT="1" TID="2264" T="12.35">
...
Response:
<TraC SQ="2345">
<Result RC="OK">
<ErrorCode>#TSE_NF</ErrorCode>
<UserMessage>Sicherheitsmodul ausgefallen</UserMessage>
<Warning>w-#TSE_NF device not available</Warning>
</Result>
<Fis TID="0">
<Tag Label="Beg.:" Value="2020-04-21 15:25:11" Name="StartD"/>
<Tag Label="Ende:" Value="2020-04-21 15:26:20" Name="FinishD"/>
<Tag Label="" Value="Sicherheitsmodul ausgefallen" Name="Info"/>
</Fis>
</TraC>
TSE Status
GET /control/tse
Request Header
| Name | Value |
|---|---|
| Accept | application/json or application/xml |
Response Header
| Name | Value |
|---|---|
| Content-type | application/json or application/xml |
| Content-disposition | Attachment;filename=jou.zip |
Request Example
http://localhost:5618/control/tse