
TPP Validation Service

The TPP validation service allows OBIE-registered Account Servicing Payment Service Providers (ASPSPs) to validate TPPs against the National Competent Authorities (NCAs). This is done by validating the TPP's QWAC or OBWAC. Follow the steps below to enable this service:

This is available only as a WUM update effective from January 03, 2021 (01-03-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

Prerequisites:
  1. Make sure you have uploaded the QWAC or OBWAC as the transport certificate in <WSO2_OB_APIM_HOME>/repository/resources/security/wso2carbon.jks.
  2. Update <WSO2_OB_APIM_HOME>/repository/resources/security/client-truststore.jks with the OBIE root and issuer certificates, as mentioned.
  1. Add the QSealC key pair corresponding to the QWAC, or the OBSealC key pair corresponding to the OBWAC, into a new JKS, for example wso2carbon-signing.jks.
  2. Place the JKS file in the <WSO2_OB_APIM_HOME>/repository/resources/security directory.
  3. Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file:

    1. Add the following configs under the <CertificateManagement> section:

      • The SoftwareStatementId value must match the OBWAC/QWAC that is configured in <WSO2_OB_APIM_HOME>/repository/resources/security/wso2carbon.jks.
      • The OBIE service-related endpoints are for the OBIE sandbox environment.

        xml
    2. Configure the <SigningKeystore> tag with the file path of the JKS file that contains the OBSealC.

    3. Configure the <SigningCertificateAlias> and <SigningCertificateKid> tags with the alias and the KID value of the signing certificate (OBSealC):

      xml
  4. Open the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file:
    1. Add the following handler as the first handler:

      xml
    2. Add the TPP validation handler after the #if($apiObj.additionalProperties.get("ob-spec") == "berlin") configuration as follows:

      xml
  5. Republish your Accounts, Payments, and CoF APIs with the ob-spec, ob-api-version, and ob-api-type properties. For more information, see Deploying APIs for Berlin.
  6. Open each API XML file (Accounts, Payments, and CoF APIs) in <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api and make sure that both the APIPropertiesHandler and the TPPValidationHandler are present.
Integrating a Custom Certificate Validation Service

If you want to integrate a custom validation service rather than the OBIE one, configure it as follows:

  1. Implement the following interface for the required certificate validation service.

    java
  2. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file and find the [open_banking.cert_mgt.tpp_validation_service] section.
  3. Configure your TPP validation service using the Fully Qualified Name (FQN) of the class that implements the interface, as follows:

    xml
  4. Add the following tags below the [open_banking.cert_mgt.tpp_validation_service] configurations:

    xml
  5. Make sure the following handler is the first handler under the <Handlers> section in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file. If it is not there, add it.

    xml
  6. Add the TPPValidationHandler handler right after the #if($apiObj.additionalProperties.get("ob-spec") == "berlin") configuration in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file.

    xml
  7. Republish your Accounts, Payments, and CoF APIs using the Publisher. Make sure that you have added the ob-spec, ob-api-version, and ob-api-type properties before republishing the APIs.
  8. Open each API XML file (Accounts, Payments, and CoF APIs) in the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api directory and make sure that both the APIPropertiesHandler and the TPPValidationHandler are present under the <handlers> section.

Token generation

WSO2 Open Banking supports Private Key JSON Web Token (JWT) and MTLS as token authentication methods. 

Authentication method | Description
--------------------- | -----------
Private Key JWT       | Sign the JWT using the QSealC. The signing certificate needs to be listed under the software_jwks_endpoint of the SSA.
MTLS                  | Initiate the access token request using the QWAC as the certificate for mutual authentication. In the request header, mention the paths to the public and private keys of the transport certificate. For a sample user access token request, see Accounts Information Service Provider Flow v1.3.6.

The public key of the transport certificate presented to the token endpoint is thereby verified against the software_jwks_endpoint in the SSA.

[Diagram: how token generation is implemented in WSO2 Open Banking in accordance with eIDAS]

For more information about the token authentication methods used in WSO2 Open Banking, see API Security for Berlin.
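The two checks the table and the preceding paragraph describe, written out as a runnable added example (this is not WSO2 Open Banking's own code and does not use its APIs): a TPP signs a private_key_jwt client assertion with the key that plays the part of its QSealC, the authorization server resolves the assertion's kid through the JWKS the TPP publishes at its software_jwks_endpoint and verifies the signature and claims, and for the MTLS method the public key taken from the presented transport certificate is checked against the same JWKS. The key pairs, the kid "qsealc-1", the client id, the token endpoint URL and the in-memory JWKS are all constructed for the example; a real deployment loads the keys from the JKS files described earlier and fetches the JWKS over HTTPS, and it would additionally track jti values to reject replayed assertions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of an RFC 7517 RSA public-key entry the checks below need; a slice
// of them stands in for the document a TPP serves at its software_jwks_endpoint.
type jwk struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

var enc = base64.RawURLEncoding

// newStandInKey returns a throwaway RSA key pair playing the role of the QSealC (signing)
// or QWAC (transport) key pair; a real deployment loads these from the JKS instead.
func newStandInKey() *rsa.PrivateKey {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key, never a real QSealC/QWAC
	return priv
}

// publicKeyToJWK renders an RSA public key the way a JWKS endpoint publishes it.
func publicKeyToJWK(kid string, pub *rsa.PublicKey) jwk {
	e := big.NewInt(int64(pub.E)).Bytes()
	return jwk{Kid: kid, N: enc.EncodeToString(pub.N.Bytes()), E: enc.EncodeToString(e)}
}

// lookupKey resolves a kid to an RSA public key, failing when the JWKS does not list it.
func lookupKey(keys []jwk, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kid != kid || errN != nil || errE != nil {
			continue
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("kid %q not published in JWKS", kid)
}

// SignClientAssertion builds the RS256 private_key_jwt client assertion (RFC 7523) that a
// TPP sends to the token endpoint; priv plays the part of the QSealC private key.
func SignClientAssertion(priv *rsa.PrivateKey, kid, clientID, tokenEndpoint string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": fmt.Sprintf("%x", now.UnixNano()), "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix()})
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyClientAssertion is the authorization-server side: resolve kid through the JWKS,
// verify the signature, then check audience, client identity and expiry.
func VerifyClientAssertion(assertion string, keys []jwk, tokenEndpoint string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	hdrJSON, errH := enc.DecodeString(parts[0])
	claimsJSON, errC := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	var claims struct {
		Iss, Sub, Aud string
		Exp           int64
	}
	if errH != nil || errC != nil || errS != nil ||
		json.Unmarshal(hdrJSON, &hdr) != nil || json.Unmarshal(claimsJSON, &claims) != nil {
		return "", fmt.Errorf("malformed JWT segments")
	}
	if hdr.Alg != "RS256" { // pin the algorithm rather than trusting whatever the token names
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, err := lookupKey(keys, hdr.Kid)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	if claims.Aud != tokenEndpoint || claims.Iss != claims.Sub || claims.Sub == "" {
		return "", fmt.Errorf("aud/iss/sub do not match this token endpoint and client")
	}
	if now.Unix() >= claims.Exp {
		return "", fmt.Errorf("assertion expired")
	}
	return claims.Sub, nil
}

// TransportKeyInJWKS is the MTLS-side check: the public key taken from the presented
// transport certificate (cert.PublicKey) must be one of the keys published in the JWKS.
func TransportKeyInJWKS(pub *rsa.PublicKey, keys []jwk) bool {
	want := publicKeyToJWK("", pub)
	for _, k := range keys {
		if k.N == want.N && k.E == want.E {
			return true
		}
	}
	return false
}

func main() {
	priv := newStandInKey()
	keys := []jwk{publicKeyToJWK("qsealc-1", &priv.PublicKey)}
	assertion, _ := SignClientAssertion(priv, "qsealc-1", "tpp-client-id", "https://as.example/token", time.Now())
	clientID, err := VerifyClientAssertion(assertion, keys, "https://as.example/token", time.Now())
	fmt.Println(clientID, err, TransportKeyInJWKS(&priv.PublicKey, keys))
}
```

The verifier side fails closed on every step that matters operationally: an unknown kid, a signature made with a key the TPP never published, an assertion aimed at a different token endpoint, and an expired assertion are all rejected before any client identity is returned, and the alg is pinned so the token cannot choose its own verification algorithm.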

API invocation

Account Information Service Provider, Payment Initiation Service Provider, and Card-Based Payment Instrument Issuer are the roles a TPP can hold. The role is validated so that only a TPP holding the relevant role is allowed to invoke an API. APIs are protected using MTLS, with the QWAC used as the transport certificate in every request. To see how MTLS affects API invocations, see API Security for Berlin.


Sources of Information