Versions Compared

Old Version 5

changes.mady.by.user Former user

Saved on

compared with

New Version 6

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The WSO2 Open Banking validates roles of TPP (Third Party Providers) according to the PSD2. During an API call, this validation restricts TPPs accessing APIs if the roles are not mentioned in eiDAS QWAC (Transport layer certificate). The validation checks following aspects of the eiDAS QWAC.

1. If the certificate is technically correct and has not expired.

2. If the certificate is qualified. 

3. If the certificate contains the required PSD2 information. (i.e., PSD roles, Authorization Number, NCA etc.)

4. If the certificate has not been revoked since it was issued by using CRL or OCSP checks.

Steps below describes how to enable the eiDAS QWAC validations during API calls.

Step 1

Download the latest wum product for the WSO2 Open Banking API Manager instance. For WUM instructions, see /wiki/spaces/updates/pages/16318500.

Table of Content Zone
locationtop

PSP Certificate registration

An authorization of PSP has to be approved /rejected by National Competent Authority (NCA) that is responsible for payment services in their country. Following are the steps of PSP certificate registration.

  1. Anchor
    FirstStep
    FirstStep
    PSP submits a certificate that needs to be registered to Trusted Service Provider (TSP) with required documentation including the PSD2 specific attributes. For more information on the attributes that WSO2 Open Banking solution validates, refer PSD2 certificate specific attributes validation.

  2. The TSP performs an identity validation as required by its certificate policy.

  3. The TSP validates PSD2 specific attributes using information provided by NCA.

  4. The TSP issues the qualified certificate in compliance with the profile requirements given by the PSU.

  5. PSP receives the certificate that is now approved by NCA.

Certificate validation and revocation

WSO2 Open Banking solution uses two types of certificates. Namely, Certificates for Website Authentication (QWAC) and Certificates for Electronic Seals (QsealC) that are trusted certificates by ensuring the validity against certificate status services. Certificate status services are Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) provided by the TSP. Arevocation can happen through a qualified TSP or a revocation request can originate from the NCA, which has authorized or registered the payment service provider.

Below diagram shows how the TSP revokes certificate.


Certificates for Website Authentication (QWAC)

QWAC is used to secure communication by identifying and authenticating the communicating parties. Parties involved in the communication who are identified and authenticated by QWAC:

  • Payment initiation service providers
  • Account information service providers
  • Payment service providers issuing card-based payment instruments
  • Account servicing payment service providers

QWAC must be used to establish a secure TLS channel and protect the communication (in the transport layer) from potential attackers on the network. QWAC ensures the person or the system connecting to the website. But it cannot prove the legally assumed evidence of a transaction to the third party.

Anchor
wum_updatewum_update
Tip

This update is effective for the WSO2 Open Banking API Manager instance from 2.6.0 and onwards. To utilise for 1.2.0 version, download wso2ob-am-2.6.0.

Step 2

Add the following configurations to the velocity-template.xml file in <WSO2_OBAM_HOME>/repository/resources/api_templates/velocity_template.xml in order to enable ClientCertValidationHandler.

Code Block
<handler class="com.wso2.finance.open.banking.gateway.berlin.ClientCertValidationHandler">
         <property name="certificateAsHeader" value="true"/>
         <property name="psd2Role" value="$apiObj.additionalProperties.get('psd2Role')"/>
</handler>

Step 3

Go to the API Publisher at https://<WSO2_OBAM_HOST>:9443/publisher.

  • Click Edit on the existing API.

  • Go to the Manage tab.

  • Select API Propeties and enter values under property: psd2Role. See the table below to find the TPP roles for the respective APIs.

APIpsd2Role parameter value
Accounts and Transactions APIAISP
Payments Initiation APIPISP
Funds Confirmation APIPIISP

Step 4

Restart the WSO2 Open Banking API Manager instance and try API calls with the certificates.

Note

If you want to enable certificate revocation check, add the following configuration in the <WSO2_OBAM_HOME>/repository/conf/axis2/axis2.xml.

Code Block
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
...
  <parameter name="CertificateRevocationVerifier">true</parameter>
</transportReceiver>


Certificates for Electronic Seals (QsealC)

QsealCs is used to provide evidence with legal assumption of authenticity (including identification and authentication of the source) and integrity of a transaction. QsealC ensures the application layer security to protect the data or messages from potential attackers during or after the communication. The receiver of the sealed data can determine who sealed the data. This can also be proven to a third party even after the communication has ended. The evidence of the transaction can be provided by QsealC with legal assumption and can protect the authenticity and integrity of data when relayed through third parties.

A certificate can be either for website authentication or electronic seals, but not both. Therefore, these two types of certificates are not interchangeable. The following diagram elaborates on the flow followed by WSO2 on extracting the certificate through the request header and invoking the URLs provided in the certificate extension for CRL and OCSP. Confirm the validity of a certificateby analyzing the response status. The information about OCSP and CRL are included in the certificate as extensions.

...