PSS 5000

Application Note

TLS interface using Dynamic Password

Date May 26, 2011

Document number PSS5000/APNO/805055/00

Doms A/S Formervangen 28 Tel. +45 4329 9400 info@doms.dk

DK-2600 Glostrup Fax +45 4343 1012 www.doms.com
 PSS 5000, Application Note
TLS interface using Dynamic Password

Table of Contents
1 Scope ....................................................................................................................................................... 3
2 References................................................................................................................................................ 3
3 Functionality ............................................................................................................................................ 4
3.1 System overview ............................................................................................................................ 4
3.2 Veeder Root TLS ........................................................................................................................... 5
3.3 PSS dynamic password in the TLS communication ...................................................................... 5
3.4 PSS dynamic password in serial server.......................................................................................... 6
3.5 PSS dynamic password with Inform .............................................................................................. 6
4 Activation procedure for secured serial interface to TLS ........................................................................ 7
4.1 PSS and Site Info update sequence ................................................................................................ 7
4.2 PSS installation procedure ............................................................................................................. 7
4.2.1 Setup a secure TLS with unsealed DIP-switch ..................................................................... 7
4.2.2 Setup a secure TLS with sealed DIP-switch ......................................................................... 8
5 History ..................................................................................................................................................... 9

PSS5000/APNO/805055/00 Page 2 of 9
 PSS 5000, Application Note
TLS interface using Dynamic Password

1 Scope
In the communication to a Veeder-Root Tank Level System (TLS) via a serial interface, it is possible to
use a security code to protect the TLS against unauthorized access. The security code used is normally a
fixed password, but to increase security a dynamic password has now been introduced.

The scope of this document is to describe the use of a dynamic password in the communication protocol
towards the Veeder-Root TLS and the activation procedure.

2 References
1. PSS Dynamic Password, Application Note, Algorithm and example - PSS5000/APNO/804401/--
2. TLS User Guide, Veeder Root Doc. Ref. : VEEDER – ROOT SERIAL INTERFACE MANUAL
for TLS-300 and TLS-350 UST Monitoring Systems and TLS-350R Environmental & Inventory
Management System through Software Versions 020/127/327/427/520 Manual Number
576013-635 Revision S
3. TLS-3XX Series Consoles – System Setup Manual Ref.: 576013-623
4. DOMS POS Protocol, Application Level Specification, Control Functions –
PROTOCOL/SPEC/804706/--

PSS5000/APNO/805055/00 Page 3 of 9
 PSS 5000, Application Note
TLS interface using Dynamic Password

3 Functionality
3.1 System overview

Wetstock information is needed for a Back Office System (BOS) and a head office application such as
Site Info. The collection of wetstock information from the BOS is achieved through the PSS wetstock
controller, which means that the PSS handles the communication to the TLS. A head office application
can use a serial server in the PSS to communicate directly to the TLS.

Inserting a dynamic password in the communication between the PSS and the TLS will not affect the
BOS to PSS communication because the communication to the TLS is handled by PSS wetstock
controller. But a secure TLS communication will affect the accessibility for a Head office application
because of the direct communication. Therefore, the Head office application must also be able to
generate these dynamic passwords. The dynamic password used by the Head office application will be
validated by the PSS serial server before it is retransmitted to the TLS.

Head office Head office

application application

Security code
Security code
protected
protected

BOS
Network
BOS Network

Router
PSS 5000
TCP/IP
Doms POS Doms Host Serial
Protocol Protocol Server
PSS 5000

Wetstock
Controller

Router
Security code Serial
protected Driver
Security code
protected

PSS5000/APNO/805055/00 Page 4 of 9
 PSS 5000, Application Note
TLS interface using Dynamic Password

3.2 Veeder Root TLS

The Veeder-Root TLS has an option that enables protection of the communication protocol with a 6
character “security code”. If the security option is activated (see TLS User Guide), the TLS will only
reply when the correct “security code” is provided in all the protocol messages. The security option is
activated by the DIP switch settings on the TLS CPU board.

Since the security code can be set using the TLS front panel, it is important to protect the TLS front
panel with a password. This front panel password is enabled by another DIP-switch on the TLS CPU
board. For the security code protected communication to make sense, these DIP switches should be
sealed.

3.3 PSS dynamic password in the TLS communication

When “Secure Veeder-Root Protocol” is selected in the PSS Protocol to Port assignment, the PSS will
automatically start using a Security Code based on PSS Dynamic Password in the TLS communication.

Please be aware that in order to activate changes in protocol-to-port assignment, the PSS needs a
“Master Reset” and must be configured / reconfigured afterwards.

The PSS has a dynamic password concept that consists of a 4 hex digit password, which is dependent on
the date and site. This makes it possible to issue passwords that provide access to a specific site on a
specific day.

The 6 character security code in the TLS will, therefore, have 2 leading characters set to „0‟ and the four
subsequent characters as the dynamic password of the day.

For example:

Protocol security code = “00XXXX”

Where XXXX is dynamic password of the day1

At the End Of Day (EOD), when the date changes, or when the “site number” is changed there will be a
new dynamic password and the PSS will:

set a new security code in the TLS using the old security code
use the new security code in subsequent commands sent to the TLS

last security code = “00YYYY” , the last used security code

new security code = “00XXXX” , XXXX is dynamic password of the day

The PSS will remember the last security code used, even if the TLS has been offline for several days.
However, if a Super Master Reset occurs, this stored security code is lost.

When the “site number” is changed, it can take up to 60 seconds before the new security code is
updated.

1
for this purpose the ”user” parameter in the algorithm will be ”host”.

PSS5000/APNO/805055/00 Page 5 of 9
 PSS 5000, Application Note
TLS interface using Dynamic Password

3.4 PSS dynamic password in serial server

A head office application (e.g. Site Info) can use the serial server interface (Doms POS Protocol) to
communicate to the TLS, so when the PSS is configured to use secure communication with the TLS, the
head office application must use the security code as well. The security code must be “DD” + “PSS
Dynamic Password”, where DD is day in month (range 01-31)

Used security code = “DDXXXX”, XXXX todays security code, DD monthly day

It could happen that the EOD at host level and site level are out of synchronization, resulting in the host
application and the PSS having different dynamic passwords. By providing the day in month, the PSS
knows for which day the host password is calculated; this should be either the same as in the PSS, one
day earlier or one day later.

Around EOD both yesterday‟s, today‟s and tomorrow‟s dynamic security code will be valid within the
time interval of ±2 hours from midnight (00:00)

To calculate the dynamic password the Head office application needs the date and site number. This
information can be retrieved from the non-password protected pss_info.xml file via the PSS.

Site number and date example from pss_info.xml:

<general site_no="51991016" date_time="2011-03-24T09:20:30"/>

Furthermore, the pss_info.xml file will also show the status of the installed secure Veeder-Root serial
server; here it is possible to retrieve the following information about the serial server:

TCP/IP port number (6000 + PSS port number)

Protocol in use with the serial server (e.g. Secure Veeder-Root)
If a secure protocol between the PSS and TLS is used
If the TLS is online

Example of a secure Veeder-Root serial server:

<serial_server tcp_port="6015">
<device protocol="veeder-root_TLS" secure="yes" online="yes"/>
</serial_server>

3.5 PSS dynamic password with Inform

When using Inform to communicate with the Veeder-Root TLS, it is necessary to know the current
dynamic password.

Inform can either use a serial server interface or a serial interface to communicate with the TLS. When
Inform uses a serial interface, the password described in section 3.3 is required. However, when using
the serial server interface, the password described in section 3.4 is required.

PSS5000/APNO/805055/00 Page 6 of 9
 PSS 5000, Application Note
TLS interface using Dynamic Password

4 Activation procedure for secured serial interface to TLS

4.1 PSS and Site Info update sequence

As the use of dynamic passwords has an impact on the transparent interface used by Site Info, it cannot
be activated on the sites until both the PSS applications on the sites and Site Info installed in the HQ
have been updated to support this. The following describes the update sequence for both Site Info and
the PSS

Update Site Info to support Secure Veeder-Root protocol and disable the use of dynamic
password
Update PSS on site to support the “Secure Veeder-Root protocol”

4.2 PSS installation procedure

On site, the PSS Protocol to Port assignment “Secure Veeder-Root Protocol” must be selected. The PSS
will automatically start using a Security Code based on the PSS Dynamic Password in the TLS
communication.

Please be aware that in order to activate changes in protocol-to-port assignment, the PSS must be
“Master Reset” and configured / reconfigured afterwards.

When the TLS is connected to the PSS, there are two ways to initialize the TLS with a secure
connection. In both cases the PSS will automatically set the correct security code after it has detected the
TLS online.

Connecting the TLS to the PSS with the security DIP-switch OFF and afterwards enable
security option when a connection is established.
Set the “default security code” (000000) in the TLS with the security DIP-switch ON, and
afterwards connecting the TLS to the PSS.

4.2.1 Setup a secure TLS with unsealed DIP-switch

To get the TLS online in this situation, the security DIP-switch must be set to the “OFF” position until
the connection has been established.

When the “Secure Veeder-Root Protocol” is selected via Protocol to Port Assignment in the PSS, the
following must be done:

1. Connect the TLS to the assigned port

2. Wait for the Tank Gauge id #1 to come online in the PSS web online list. Note: This does not
indicate that the Tank Gauge is functional and running, but only that the PSS has set a security
code in the TLS
3. Power down the TLS and wait for the Tank Gauge id #1 to go offline in the PSS web online list
4. Set the security DIP-switch in the “ON” position
5. Power up the TLS and wait for all the connected Tank Gauges to come online in the PSS web
online list
6. Seal the security DIP-switch

PSS5000/APNO/805055/00 Page 7 of 9
 PSS 5000, Application Note
TLS interface using Dynamic Password

4.2.2 Setup a secure TLS with sealed DIP-switch

To get the TLS online in this situation, the security DIP-switch must set in the “ON” position.

When the “Secure Veeder-Root Protocol” is selected via Protocol to Port Assignment in the PSS, the
following must be done:

1. Connect the TLS to the assigned port

2. Using the TLS front panel, set the used security code to the default (000000). The procedure for
setting the security code in the TLS can found in the Veeder-Root setup manual.
3. Wait for all the connected Tank Gauges to come online in the PSS web online list

PSS5000/APNO/805055/00 Page 8 of 9
 PSS 5000, Application Note
TLS interface using Dynamic Password

5 History
Date Rev. Init. Comments
2011-05-26 00 MKR First release

PSS5000/APNO/805055/00 Page 9 of 9