Difference between revisions of "AqBanking"

From GnuCash
Jump to: navigation, search
(little more about EBICS)
(HBCI Security Media: Start structural order and support level)
Line 8: Line 8:
 
[[GnuCash]] compiles with all available versions of AqBanking. There used to be some version restrictions, but since gnucash 2.2.7 all versions are supported, as noted on [[AqBanking3_Porting]].
 
[[GnuCash]] compiles with all available versions of AqBanking. There used to be some version restrictions, but since gnucash 2.2.7 all versions are supported, as noted on [[AqBanking3_Porting]].
  
== HBCI Security Media ==
+
== HBCI/FinTS Security Type ==
 
HBCI/AqBanking can use the following security Media
 
HBCI/AqBanking can use the following security Media
* PIN/TAN: supported on all OS
+
;Single step authentication:
* self-generated keyfile: supported on all OS
+
:;HBCI 1: self-generated asymetric keypair with
* Chipcards: Supported on Linux, but '''Chipcards are not supported on Windows'''. (They are supported on Windows by the latest libchipcard version 4 with gwenhywfar version 3, but gnucash does not compile with those versions yet.)
+
::* public part given to the bank
 +
::* private part stored on your floppy or USB stick
 +
::supported on all OS, but many banks dropped single step authentication.
 +
;Two step authentication:
 +
:;HBCI 2, FinTS 3: PIN/TAN pairs
 +
::You have always to log in with your fix Personal Identification number (PIN).
 +
::Then each transaction needs authentication with an own Transaction Authentification Number (TAN).
 +
::The way, the TAN is generated varies by method:
 +
::;PIN/TAN (classic): from simple paper list: supported on all OS
 +
::;iTAN: from indexed paper list: supported on all OS
 +
::;mTAN: TAN per ''mobile'': supported on all OS
 +
::;chipTAN: [same as below?]
 +
::;opticalTAN, aka Flicker code: GC does not generate the flickering image, but you can manually enter the displayed number in your ''TAN generator''
 +
;[more details required, not up to date]:
 +
:;Chipcards: Supported on Linux, but '''Chipcards are not supported on Windows'''. (They are supported on Windows by the latest libchipcard version 4 with gwenhywfar version 3, but gnucash does not compile with those versions yet.)
  
 
== Setting up a HBCI PIN/TAN account ==
 
== Setting up a HBCI PIN/TAN account ==

Revision as of 08:51, 18 March 2018

Aquamaniacs Banking is the successor of openhbci, a module which supported the open german online banking standard home banking common interface, which since 2003 is called FinTS. In between also

  • Electronic Banking Internet Communication Standard EBICS, used in CH, DE, FR and
  • OFX Direct Connect are supported.

Deutsche Version: De/HBCI (German version of this page)

Compatibility

GnuCash compiles with all available versions of AqBanking. There used to be some version restrictions, but since gnucash 2.2.7 all versions are supported, as noted on AqBanking3_Porting.

HBCI/FinTS Security Type

HBCI/AqBanking can use the following security Media

Single step authentication
HBCI 1
self-generated asymetric keypair with
  • public part given to the bank
  • private part stored on your floppy or USB stick
supported on all OS, but many banks dropped single step authentication.
Two step authentication
HBCI 2, FinTS 3
PIN/TAN pairs
You have always to log in with your fix Personal Identification number (PIN).
Then each transaction needs authentication with an own Transaction Authentification Number (TAN).
The way, the TAN is generated varies by method:
PIN/TAN (classic)
from simple paper list: supported on all OS
iTAN
from indexed paper list: supported on all OS
mTAN
TAN per mobile: supported on all OS
chipTAN
[same as below?]
opticalTAN, aka Flicker code
GC does not generate the flickering image, but you can manually enter the displayed number in your TAN generator
[more details required, not up to date]
Chipcards
Supported on Linux, but Chipcards are not supported on Windows. (They are supported on Windows by the latest libchipcard version 4 with gwenhywfar version 3, but gnucash does not compile with those versions yet.)

Setting up a HBCI PIN/TAN account

By Commandline

This instructions will explain how to set up a HBCI account with PIN/TAN authentification. The access data is from a test account that can be used by any gnucash developer; the instructions are also in src/import-export/hbci/HACKING-HBCITEST.txt.

Instructions are copied from http://linuxwiki.de/AqBanking/aqhbci-tool where they are in German. We have also a german page (deutsche Seite) and the content might be partial different.

We assume you have aqbanking and gnucash installed, and aqbanking's program aqhbci-tool is in your PATH.

Attention developers: If you call these programs and/or gnucash from the MSYS command line, you must change your HOME env variable to be the value of the USERPROFILE variable. This is because MSYS sets a new HOME that isn't know to any other (normal) windows program that is started outside MSYS. In particular, if you start gnucash outside of msys, it will look for the configuration and also for aqbanking's configuration in $USERPROFILE, but in msys, it will look in HOME. So you always have to gnucash as HOME="$USERPROFILE" gnucash

Create/register a new security medium in AqBanking

aqhbci-tool addmedium -t pintan

Find out the index number of the newly created security medium

aqhbci-tool listmedia

The output will be something like

Medium 0: "PINTAN-20070216-214030" (pintan)

and the important part is the first number, here: 0.

Create a HBCI user

aqhbci-tool adduser -m N -s SERVERURL -b BANKCODE -u USERID

where N is the medium number (0), SERVERURL is the full URL of the server application, BANKCODE is the bank code, and USERID is the identification string of the user that is allowed to access this account. For the test account, we have the following:

aqhbci-tool adduser -m 0 -s www.hora-obscura.de/pintan/PinTanServlet -b 80007777 -u gnucash

There is an optional argument of the CUSTOMERID, but this concerns you only if your bank explicitly said you have to use some extra customer id that is different from the user id.

Connect HBCI user to account

To assign an account to a hbci user you might have problems using the AQBanking Assistant from GnuCash. For manual change you have to change the variable in the File

/home/computer/.aqbanking/settings/accounts/uid%234a%234a00000001.conf
int  user="XXX"

In XXX the UserID has to be inserted.

Retrieve a system identification number

This system identification is necessary for the HBCI protocol to identify you and your software; if this step is forgotten or fails, nothing else will work.

aqhbci-tool getsysid -b BANKCODE

This command will ask you several questions. First it retrieves the server certificate and asks you whether you accept it. Then it asks whether you want to accept the certificate only this session or forever. Eventually, you have to enter the PIN number (password) of your online banking account. (For the gnucash test account, this is 12345.) The full output looks e.g. like this:

aqhbci-tool getsysid -b 80007777
===== Certificate Received =====
The following certificate has been received:
Name        : www.hora-obscura.de
Organisation: www.hora-obscura.de
Department  : GT90185227
Country     : DE
City        : unknown
State       : unknown
Valid after : 2007/02/15 14:28:06
Valid until : 2008/05/17 14:28:06
Hash        : 69:CF:A0:D9:EA:1F:4B:DA:5F:FA:7D:EE:75:87:C9:FF
Status      : Certificate is valid
Do you wish to accept this certificate?
(1) Yes  (2) No
Please enter your choice: 1
===== Certificate =====
Do you want to accept this certificate permanently?
(1) Permanently  (2) This session only  (3) Abort
Please enter your choice: 1
===== Enter Password =====
Please enter the password for 
PINTAN-20070216-215639
Input: *****

Any additional (error) messages can be ignored for now; just continue to work.

List the resulting accounts

aqhbci-tool listaccounts

The bank server should have sent a list of accounts in the last step already. If this is the case, you can view the list of accessible accounts now. The output for the gnucash test should look like this:

Account 0: Bank: 80007777 Account Number: 2501111538
Account 1: Bank: 80007777 Account Number: 2501111539
Account 2: Bank: 80007777 Account Number: 2501111540

If you've come this far, then congratulations: Your online access works!

Match the HBCI accounts in gnucash

In order to access the accounts from gnucash, you need to match a HBCI account to one of your gnucash accounts each. The next time you start gnucash, press "Tools -> Online Banking Setup" to use the online banking setup wizard. Press "Next" there. Ignore the text that says you should start the external program "AqBanking setup wizard", because you've already set up aqbanking by the command line. Because of this, press "Next" again.

You will now arrive at the "Match HBCI accounts with GnuCash accounts" window. You should see the three accounts mentioned above in the left column of the wizard window.

Click on an account name on the left (the account defined in the AqBanking setup wizard configuration), and select the GnuCash account that should be associated with it.

Click the Forward button.

In the next window, click the Apply button.

Using HBCI accounts in GnuCash

You're now ready to use the HBCI accounts from the respective GnuCash register windows. See Setting_up_OFXDirectConnect_in_GnuCash_2#Using_Gnucash_to_download_transactions_directly_to_an_account_register on how to do this.

Using the test account

As mentioned above, the gnucash developers can use a test account to test some of the aqbanking/HBCI features. Here's a step-by-step instruction of what you can do:

  • Setup the accounts as described above.
  • In gnucash, match one of your gnucash accounts with the first test account (bank code 80007777, account number 2501111538); press "Next" and "Finish" in the wizard.

Testing "Get Balance"

  • Open the gnucash register of the account that you've matched with hbci above
  • Press "Actions -> Online actions -> Get balance"
  • When asked for the password/PIN, enter 12345
  • If things run successfully, you are being told a balance and asked whether you want to reconcile your account. The balance value changes by the other test users anyway, so you don't have to care about the actual balance.

Testing "Get Transactions"

  • Open the gnucash register of the account that you've matched with hbci above
  • Press "Actions -> Online actions -> Get transactions"
  • When asked for the date, enter "From: 2007-02-15", but the To-date can be left at "now".
  • When asked for the password/PIN, enter 12345
  • If things run successfully, you see the "transaction matcher window" with the downloaded transactions. You can select "New" for all of them. At subsequent downloads, those transactions that are downloaded again should automatically be marked as "Reconcile" instead.

Testing "Issue Transaction"

  • Open the gnucash register of the account that you've matched with hbci above
  • Press "Actions -> Online actions -> Issue transaction"
  • Enter the following values:
    • Recipient account number 2501111539 , recipient bank code 80007777
    • All other fields can contain whatever values you like; if they are not allowed to be empty, you will be told so when clicking "Ok".
  • Click "Ok". Now select a destination account in gnucash, then click "Ok".
  • When asked for the password/PIN, enter 12345
  • When asked for a TAN and specifically for TAN number 1 (or another number of 2 through 9), enter 11111111 (or 22222222...), i.e. exactly eight times the number in the question.
    • It seems like the test account does not give out any TANs anymore. The server asks for TAN number 'no_more_free_user_tans'.
  • If things run successfully, you only see the transaction in the gnucash register now. If the transmission didn't work, the transaction in the register should have been deleted again. If things worked ok, your next statement download should download that transaction that you've just sent to the bank, and the next balance download should have changed by that amount as well.

Debugging

If there are any problems during the HBCI or OFX connection, here are further options for debugging:

  • Keep in mind that there are many many many different bank servers on this world, and every one of them might behave slightly differently. Hence, if you report a bug, please also state which bank server you are using (IP address and bank name).
  • If there is a crash, it would be good to provide a stack trace of the crash, see Stack Trace and Windows#Debugging with gdb.
  • To see much more log messages of aqbanking, you can set several environment variables either before starting gnucash or in the shell script gnucash or gnucash.bat. For example, in a Unix shell you would type
export GWEN_LOGLEVEL=info
export AQBANKING_LOGLEVEL=info
export AQOFXCONNECT_LOGLEVEL=info
export AQHBCI_LOGLEVEL=info
Other possible values to all of these variables are
  • debug (more verbose) or
  • warn (less verbose) or
  • error (even less verbose, default value).

However, these log messages are all sent to stdout or stderr, which on Windows by default isn't available. To make these available on Windows, you need to change the exetype of gnucash-bin.exe from "Windows" to "Console", see Windows#Console output and exetype.

From the german mailing list in 2011: AqBanking stores log files for HBCI in ~/.aqbanking/backends/aqhbci/data/banks/<country code>/<Bank ID>/logs/*

To enable logging of the OFX communication to /tmp/ofx.log (with warnings about revealing passwords), see Setting up OFXDirectConnect in GnuCash 2#Enabling the OFX Log.

Known Issues

  • from 2.1.1 until before 2.2.5: http://bugzilla.gnome.org/show_bug.cgi?id=439654 AqBanking on Windows cannot download balance/transactions via HBCI - there is a "Unable to send (network error)" instead. The bugreport contains a patch for the gwenhywfar DLL which must be recompiled. If someone confirms that this patch fixes the problem, the patch will be included in a new gwenhywfar release, but currently the gwenhywfar maintainers are waiting for such feedback.

References

Git Repositories

AqBanking Git repositories of source code can be found here (mirrored at ):

git clone https://git.aquamaniac.de/git/aqbanking   # the library
git clone https://git.aquamaniac.de/git/gwenhywfar  # a dependency
git clone https://git.aquamaniac.de/git/libchipcard # optional for the use of chipcard readers

There are also gitweb browser interfaces at http://git.aqbanking.de/gitweb/?p=gwenhywfar.git , http://git.aqbanking.de/gitweb/?p=aqbanking.git

(unofficial) github mirrors

Some community members set up (unofficial) github mirrors:

Christian Stimmig

There is also a continuous integration build test of gwenhywfar here: https://travis-ci.org/cstim/gwenhywfar


Felix Schwarz, Lukas Matt

A bot script updates the "github.com/aqbanking" mirror on a daily basis so it should always be up-to-date.