AQBanking with a Deutsche Bank WebSign Card

AQBanking with a Deutsche Bank WebSign Card

When I opened an account with the Deutsche Bank I requested a WebSign card. This card has been mostly unused until yesterday when I decided it is time to try it. In theory AQBanking should support this card and everything should work flawlessly but in practice I had to spent several hours in the setup.

Basics

The biggest issue is that most of the available documentation is for older aqbanking versions and I couldn’t find a changelog describing how to do the old thing with the new software. So whenever you see a guide using aqhbci-tool you can stop reading as this is for an old version and the commands do not exist in the new one. I understand that the 3rd party documentation is outside of the control of the developer of aqbanking but it would be nice if he could just provide the documentation himself.
I am doing this on Debian Unstable as of the 2.3.2013 and the aqbanking libraries are of version 5.0.24-3 and the libchipcard is version 5.0.3beta-2. I am getting to the exact plugins in a second.

The other part is that the WebSign card is fully configured. There is no requirement for you to download a key into the card or such.

IniLetter

The Deutsche Bank might send you a Ini-Letter, I have done this almost two years ago so I do not remember the details. The AQBanking manual appears to have well described in chapter 6.3.2. I think I followed these instructions back then.

Installation 

The WebSign card is a starcoscard token for AQBanking. To be able to use it you will need to install the libchipcard library. If you only do this you will be greeted with a meaningless error message in the UI asking you to install the libchipcard library. What you actually need are the plugins. In Debian Unstable the package is called libchipcard-libgwenhywfar60-plugins. I have also installed the libchipcard-tools and you should do so too.
The next thing you should do is to check that you have the right card and that you installed everything. I am using a OmniKey card reader and I issued the following command:

$ pcsc_scan
PC/SC device scanner
V 1.4.21 (c) 2001-2011, Ludovic Rousseau
Compiled with PC/SC lite version: 1.8.7
Using reader plug’n play mechanism
Scanning present readers…
0: OMNIKEY AG CardMan 3021 00 00
Sat Mar  2 10:27:23 2013
Reader 0: OMNIKEY AG CardMan 3021 00 00
  Card state: Card inserted,
  ATR: 3B B7 94 00 81 31 FE 65 53 50 4B 32 33 90 00 D1

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B B7 94 00 81 31 FE 65 53 50 4B 32 33 90 00 D1
Giesecke & Devrient Starcos 2.3
Deutsche Bank WebSign (RSA-Card)
G&D StarSign Token

The output shows that the card reader and the card were detected. This means we can continue and check if the libchipcard installation is complete. I am using the gct-tool to show me my user credentials. These include the User-Id and the IP address to use for the Deutsche Bank. I used the following command:

$ gct-tool showuser -t starcoscard
===== Enter Password =====
Please enter the access password for
CARD_ID
You must only enter numbers, not letters.
Input: ENTER_PIN
————————————————-
Context 1
Service        : BLZ
User Id        : USER_ID
Peer Id        : PEER_ID
Address        : IP
Port           : 3000
System Id      :
Sign Key Id    : A
Verify Key Id  : B
Encipher Key Id: C
Decipher Key Id: D
….

In case you enter the wrong PIN code you have 7 more attempts to enter the right one before the card will be blocked. You will need to use the –forcepin to enter it again. Some other utilities of aqhbci-tool4 appear to become unusable once you have entered the wrong pin. If you do not get the above you are most likely missing the starcoscard plugin.

Configuration

Now that the card is known to work one needs to configure the AQBanking. With the qbankmanager and gnucash I had the issue that no dialogue was presented. So we are going to do this from the console. With the information from above and some knowledge about your bank account (other banking software is capable to take everything from the card) you can use the aqhbci-tool4 to add your user.

$ aqhbci-tool4 adduser -t starcoscard –context=1 -b BLZ  -c ACCOUNT_NR -N YOUR_NAME –hbciversion=300

This will add a new user that will use context #1 of a starcoscard. By default aqhbci-tool4 would select a lower version of HBCI and would use the USER_ID for the customer name. You can verify that the setup is working by importing the accounts and getting the sysid.

$ aqhbci-tool4 getsysid
Locking users
Locking user USER
Executing HBCI jobs
AqHBCI started
Connecting to bank…
Connecting to “IP”
Connected to “IP”
Connected.
There are no tan method descriptions (yet), trying One-Step TAN.
Encoding queue
===== Enter Password =====
Please enter the access password for
CARD_NR
You must only enter numbers, not letters.
Input: ENTER_PIN
Sending queue
Waiting for response
Response received
HBCI: 0010 – Nachricht entgegengenommen. (M)
HBCI: 0020 – Dialogintialisierung erfolgreich. (M)
HBCI: 0020 – Auftrag ausgeführt. (S)
HBCI: 1050 – UPD nicht mehr aktuell. Aktuelle Version folgt. (S)
HBCI: 0020 – Information fehlerfrei entgegengenommen. (S)
Encoding queue
Sending queue
Waiting for response
Response received
HBCI: 0010 – Nachricht entgegengenommen. (M)
HBCI: 0100 – Dialog beendet. (S)
Disconnecting from bank…
Disconnected.
AqHBCI finished.

 If the above fails something is still wrong with your setup. But if it looks like the above you can use the qbankmanager to initiate bank transfers. I hope the above saves someone else the time I had to spent reading the outdated information. In the end it is quite easy to setup.

Comments are closed.