The TPP validation service allows OBIE-registered Account Servicing Payment Service Providers (ASPSPs) to validate that a TPP is registered with its National Competent Authority (NCA). This is done by validating the TPP's QWAC or OBWAC. Follow the steps below to enable this service:
This is available only as a WUM update effective from January 03, 2021 (01-03-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.
Prerequisites:
Make sure you have uploaded QWAC or OBWAC as the transport certificate in <WSO2_OB_APIM_HOME>/repository/resources/security/wso2carbon.jks.
Update <WSO2_OB_APIM_HOME>/repository/resources/security/client-truststore.jks with the OBIE root and issuer certificates.
Add the QSealC keypair corresponding to QWAC or OBSealC keypair corresponding to OBWAC into a new JKS. For example, wso2carbon-signing.jks.
Place the JKS file in the <WSO2_OB_APIM_HOME>/repository/resources/security directory.
Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file:
Add the following configs under the <CertificateManagement> section:
The SoftwareStatementId value needs to be configured according to the OBWAC/QWAC that has been configured in the <WSO2_OB_APIM_HOME>/repository/resources/security/wso2carbon.jks.
The OBIE service-related endpoints are for the OBIE sandbox environment.
Configure the <SigningKeystore> tag with the file path of the JKS file that contains the OBSealC.
Configure the <SigningCertificateAlias> and the <SigningCertificateKid> tags with the alias and KID value of the signing certificate (OBSealC):
Open the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file:
Add the following handler as the first handler:
Add the TPP validation handler after the #if($apiObj.additionalProperties.get("ob-spec") == "berlin") configuration as follows:
Republish your Accounts, Payments, and CoF APIs with the ob-spec, ob-api-version, and ob-api-type properties. For more information, see Deploying APIs for Berlin.
Open each API XML file (Accounts, Payments, and CoF APIs) in <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api and make sure that both APIPropertiesHandler and TPPValidationHandler are present.
Integrating a Custom Certificate Validation Service
If you want to integrate a custom validation service rather than OBIE, you can configure as follows:
Implement the following interface for the certificate validation service you want to use.
Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file and find the [open_banking.cert_mgt.tpp_validation_service] tag.
Configure your TPP validation service by setting tpp_validation_impl_class to the Fully Qualified Name (FQN) of the class that implements the interface, as follows:
Add the following tags below the [open_banking.cert_mgt.tpp_validation_service.scope_regex_patterns] configurations:
Make sure you have the following handler as the first handler under the <Handlers> section in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file. Otherwise, add the handler.
Add the TPPValidationHandler handler right after the #if($apiObj.additionalProperties.get("ob-spec") == "berlin") configuration in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file.
Republish your Accounts, Payments, CoF, and DCR APIs using the Publisher. Make sure that you have added the ob-spec, ob-api-version, and ob-api-type properties before republishing the APIs.
Open each API XML file (Accounts, Payments, CoF, and DCR APIs) in the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api directory and make sure that both APIPropertiesHandler and TPPValidationHandler are added under the <handlers> section.
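The core check a custom validation service performs is building a certificate path from the QWAC or OBWAC the TPP presented on the mutual-TLS connection to the OBIE root and issuer certificates in client-truststore.jks. The class below is an added illustration of that check, not WSO2 Open Banking code and not the interface referred to above; the class name, constructor arguments and logging are assumptions, and the implemented interface's method would delegate to isValid.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.Arrays;

// Hypothetical helper (not part of WSO2 Open Banking): validates a TPP's QWAC/OBWAC chain
// against the trusted-certificate entries of a JKS truststore such as client-truststore.jks.
public final class TransportCertificateValidator {

    private final KeyStore trustStore;

    public TransportCertificateValidator(String trustStorePath, char[] password) throws Exception {
        trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
    }

    /**
     * @param chain the leaf QWAC/OBWAC first, followed by any intermediates the TPP sent
     * @return true only if a PKIX path to a truststore anchor exists and no certificate
     *         in it is expired or revoked; the rejection reason is logged otherwise
     */
    public boolean isValid(X509Certificate... chain) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
            // Every trusted-certificate entry in the JKS becomes a trust anchor.
            PKIXParameters params = new PKIXParameters(trustStore);
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            // Keep revocation checking on: a revoked QWAC/OBWAC must not pass as a valid TPP.
            // The JDK checker tries OCSP first and falls back to CRLs by default.
            PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
            params.addCertPathChecker(revocation);
            validator.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("TPP certificate rejected: " + e.getReason() + " (chain index " + e.getIndex() + ")");
            return false;
        } catch (Exception e) {
            System.err.println("TPP certificate validation failed: " + e);
            return false;
        }
    }
}
```

Because PKIXParameters treats every trusted entry as an anchor, a leaf issued directly by an OBIE issuing CA that is stored in the truststore validates even when the TPP sends no intermediates.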