This folder contains the tool "aqhbci-tool". It can be used to setup and
manage HBCI users/customers/accounts.
Content
1. Command Overview
2. Setup Scenarios
2.1. Setup using a blank RSA card
2.2. Setup using a new RSA keyfile
2.3. Setup using a DDV card
2.4. Setup using Pin/Tan
2.5. Setup using an existing RSA keyfile
2.6. Setup using a pre-personalized RSA card
1. Command Overview
===================
The following commands are implemented:
mkpinlist
---------
Creates an empty PIN file to be used by "aqbanking-tool".
addmedium
---------
Makes a new crypttoken available to AqHBCI.
listmedia
---------
Shows a list containing the currently known media.
adduser
-------
Creates a HBCI user. Currently only importing of existing security media is
supported.
getkeys
-------
Retrieve the servers keys and store them in the crypttoken of the given
user.
createkeys
----------
Create new keys for the given user. These must be sent to the server.
resetkeys
---------
Use this function to overwrite keys which already exist on your crypttoken.
Only use this for keys you haven't already sent to the bank !
sendkeys
--------
Send the users keys to the bank server. After this you will have to print
the ini letter and sent this via mail to your bank. A few days later your
account will be activated and you can use the next commands.
getaccounts
-----------
Retrieves a list of accounts from the bank. However, some banks don't return
such a list.
getsysid
--------
Retrieves a system id for this application. This is needed for PIN/TAN and
RDH modes.
activate
--------
Activates AqHBCI so that it can be used with AqBanking programs.
deactivate
----------
Deactivates AqHBCI.
2. Setup Scenarios
==================
Please note that after successfully setting up an HBCI account you must
use the command
"aqhbci-tool activate"
to activate the AqHBCI backend of AqBanking.
2.1. Setup using a blank RSA card
---------------------------------
1) gct-tool create -t starcoscard
This is only needed if the card does not already have a pin !!!
This is the case with completely new and empty cards. In this case
the pin must be changed from the preset value (the serial number of
the card in bcd encoding) in order to make the card available for use.
2) aqhbci-tool addmedium -t card
3) aqhbci-tool listmedia
4) aqhbci-tool adduser -m 0 [-s SERVER-ADDRESS]
5) aqhbci-tool getkeys [-c CUSTOMER_ID]
You will be asked three times to enter a pin:
a) normal cardholder pin
b) normal cardholder pin
c) gateway pin
Normally this pin is left to the initial value, so in this case you
must hit the ENTER key without entering any data !
You will then be asked whether you want to use the default value
which is ok in this case.
However, some banks set this pin to a secret value. In such a case you
can not change public or private keys on the card.
6) aqhbci-tool iniletter -B [-c CUSTOMER_ID]
This prints the iniletter of your bank. Please compare the data to the
one on the letter from your bank.
7) aqhbci-tool createkeys [-c CUSTOMER_ID]
You will be asked twice to enter a pin:
a) normal cardholder pin
b) gateway pin
Normally this pin is left to the initial value, so in this case you
must hit the ENTER key without entering any data !
You will then be asked whether you want to use the default value
which is ok in this case.
However, some banks set this pin to a secret value. In such a case you
can not change public or private keys on the card.
8) aqhbci-tool sendkeys [-c CUSTOMER_ID]
9) aqhbci-tool iniletter [-c CUSTOMER_ID]
This prints your iniletter to stdout.
If you just created and sent your keys you will have to create the
INI-Letter and send it via mail to your bank.
A few days later the bank will approve your application and enable your
HBCI account. Only then you can continue with the following steps.
10) aqhbci-tool getsysid [-c CUSTOMER_ID]
11) aqhbci-tool getaccounts [-c CUSTOMER_ID]
11) aqhbci-tool listaccounts
2.2. Setup using a new RSA keyfile
----------------------------------
1) gct-tool create -t ohbci -n ABSOLUTE_PATH_TO_NEW_FILE
This creates an empty keyfile. This file can not be used with older
version of AqHBCI/AqBanking or OpenHBCI!
2) aqhbci-tool addmedium -t file -m ABSOLUTE_PATH_TO_FILE
3) aqhbci-tool listmedia
4) aqhbci-tool adduser -m 0 [-s SERVER-ADDRESS]
5) aqhbci-tool getkeys [-c CUSTOMER_ID]
6) aqhbci-tool iniletter -B [-c CUSTOMER_ID]
This prints the iniletter of your bank. Please compare the data to the
one on the letter from your bank.
7) aqhbci-tool createkeys [-c CUSTOMER_ID]
8) aqhbci-tool sendkeys [-c CUSTOMER_ID]
9) aqhbci-tool iniletter [-c CUSTOMER_ID]
This prints your iniletter to stdout.
If you just created and sent your keys you will have to create the
INI-Letter and send it via mail to your bank.
A few days later the bank will approve your application and enable your
HBCI account. Only then you can continue with the following steps.
10) aqhbci-tool getsysid [-c CUSTOMER_ID]
11) aqhbci-tool getaccounts [-c CUSTOMER_ID]
11) aqhbci-tool listaccounts
2.3. Setup using a DDV card
---------------------------
1) aqhbci-tool addmedium -t card
2) aqhbci-tool listmedia
3) aqhbci-tool adduser -m 0 [-s SERVER-ADDRESS]
4) aqhbci-tool getaccounts [-c CUSTOMER_ID]
5) aqhbci-tool listaccounts
2.4. Setup using Pin/Tan
------------------------
1) aqhbci-tool addmedium -t pintan
2) aqhbci-tool listmedia
3) aqhbci-tool adduser -m 0
-u USER_ID [-c CUSTOMER_ID]
-b BANKLEITZAHL
[-s SERVER-ADDRESS]
4) aqhbci-tool getsysid [-c CUSTOMER_ID]
This is the first contact with the bank server, so you will most
probably be presented a dialog which contains the servers SSL
certificate. Please check the line "Status : xyz".
If this line looks suspect to you or the given finger print does not
match a known fingerprint of the servers SSL certificate you should
abort the connection and contact your bank.
5) aqhbci-tool getaccounts [-c CUSTOMER_ID]
6) aqhbci-tool listaccounts
2.5. Setup using an existing RSA keyfile
----------------------------------------
You can only import keyfiles created by programs based on OpenHBCI or
AqHBCI/AqBanking.
Proprietary keyfiles (StarMoney, MoneyPlex) can not be used since the
manufacturers of these programs do not publish the format of their files.
1) aqhbci-tool addmedium -t file -m ABSOLUTE_PATH_TO_FILE
2) aqhbci-tool listmedia
3) aqhbci-tool adduser -m 0 [-s SERVER-ADDRESS]
4) aqhbci-tool getsysid [-c CUSTOMER_ID]
5) aqhbci-tool getaccounts [-c CUSTOMER_ID]
6) aqhbci-tool listaccounts
2.6. Setup using a pre-personalized RSA card
--------------------------------------------
You can simply import RSA cards which have been used with other
programs (like MoneyPlex, or OpenHBCI-/AqHBCI-based programs).
1) aqhbci-tool addmedium -t card
2) aqhbci-tool listmedia
3) aqhbci-tool adduser -m 0 [-s SERVER-ADDRESS]
4) aqhbci-tool getsysid [-c CUSTOMER_ID]
5) aqhbci-tool getaccounts [-c CUSTOMER_ID]
6) aqhbci-tool listaccounts