| Note |
|---|
WSO2 Open Banking 1.3.0 supports OpenID Functional Conformance suite v1.1.19. |
...
- Open the
open-banking.xmlfiles and do the following configurations:<WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml<WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml
Configure <
SigningConfiguration>under the<UK>tag as follows:Code Block language xml <UK> <SigningConfiguration> <!-- Enable Signing --> <Enable>true</Enable> <OBIE> <!-- Trusted Anchor Configuration openbanking.org.uk specific Trust Anchor definitions --> <TrustedAnchors> <!-- Trust Anchor used in signing JOSE --> <Signing>openbanking.org.uk</Signing> <!-- Multiple values supported with `|` delimiter IE - trustanchor.org|trustanchor.org.uk --> <Validation>openbanking.org.uk</Validation> </TrustedAnchors> <!-- OBIE Organization Id --> <OrganizationId>{org_id in the SSA or Organizational Unit of the certificate Owner}</OrganizationId> </OBIE> <!-- Default Singing Algorithm is PS256, to support others uncomment line below --> <!--<Algorithm>RS256</Algorithm>--> <!-- The following specified APIs will be mandated for message signing. --> <MandatedAPIs> <APIContext>/open-banking/v3.0/event-notification/</APIContext> <APIContext>/open-banking/v3.0/pisp/</APIContext> <APIContext>/open-banking/v3.1/event-notification/</APIContext> <APIContext>/open-banking/v3.1/pisp/</APIContext> </MandatedAPIs> </SigningConfiguration>Add the following configurations under the
<SigningConfiguration>tag:Code Block language xml <!-- The following specified APIs will be associated with response signing. --> <ResponseSignatureRequiredAPIs> <APIContext>/open-banking/v3.0/pisp/</APIContext> <APIContext>/open-banking/v3.1/pisp/</APIContext> </ResponseSignatureRequiredAPIs>
Find the following tags and define the alias and kid values for the primary signing certificates:
Code Block language xml <OBIdentityRetriever> <Server> <SigningCertificateAlias><production-key alias></SigningCertificateAlias> <SigningCertificateKid><production kid></SigningCertificateKid> </Server> </OBIdentityRetriever>- Follow the API Security - JSON Web Signature (JWS) documentation and configure JWS validation support for Waiver 007.
Combine the signing certificate and key to a pk12 format file using the command below:
Code Block language bash openssl pkcs12 -export -in <pem file> -inkey <key file> -name <alias> -out CertAndKey.p12
Create a new keystore file:
Code Block language bash keytool -genkey -alias <keystore alias> -keyalg RSA -keystore <keystore name>.jks -keysize 2048
Import the p12 files to the new keystore.
Code Block language bash keytool -importkeystore -deststorepass <keystore password> -destkeystore <keystore name>.jks -srckeystore CertAndKey.p12 -srcstoretype PKCS12
- Add the new keystore to the client-truststore.
- Go to the
<WSO2_OB_KM_HOME>/repository/resources/securitydirectory. Export the public certificate of the keystore to a
.pemfile.Code Block language bash keytool -export -alias <alias> -keystore <keystore_name>.jks -file <keystore_name>.pem
Import the
.pemfile toclient-truststore.jks.Code Block language bash keytool -import -alias <alias> -file <keystore name>.pem -keystore client-truststore.jks -storepass wso2carbon
- Go to the
<WSO2_OB_APIM_HOME>/repository/resources/securitydirectory and repeat the above steps.
- Go to the
- Duplicate and place the new keystore in the following locations:
<WSO2_OB_KM_HOME>/repository/resources/security<WSO2_OB_APIM_HOME>/repository/resources/security
- Configure the new keystore file in
carbon.xmlfiles:<WSO2_OB_KM_HOME>/repository/conf/carbon.xml<WSO2_OB_APIM_HOME>/repository/conf/carbon.xmlCode Block language xml <KeyStore> <!-- Keystore file location--> <Location><<WSO2_OB_KM_HOME>/repository/resources/security/<new_keystore.jks></Location> <!-- Keystore type (JKS/PKCS12 etc.)--> <Type>JKS</Type> <!-- Keystore password--> <Password><new keystore password></Password> <!-- Private Key alias--> <KeyAlias><new private key alias></KeyAlias> <!-- Private Key password--> <KeyPassword><new private key password></KeyPassword> </KeyStore>
- Organization JWKS URL configuration:
- Open the
<WSO2_OB_KM_HOME>/repository/conf/identity/identity.xmlfile. Update
<OAuth2JWKSPage>with the JWKS URL retrieved from the Open Banking directory:Code Block language xml <OAuth2JWKSPage><org_jwks_endpoint in the SSA></OAuth2JWKSPage>
- Open the
...
- Start WSO2 Open Banking Key Manager and API Manager servers.
Deploy Account API v3.1.0 and Payment API v3.1.0.
Anchor createAnApp createAnApp Tip If you’re using the Dynamic Client Registration v3.2 API, you may skip Setting up the test suite.
Sign in to the API Store as the TPP at
https://<WSO2_OB_APIM_HOST>:9443/storeSubscribe to the APIs deployed in step 4.
Create the public certificate of the signing certificate and generate keys.
Setting up the test suite
Execute the following command in a terminal to pull and run the image.
Code Block docker run --add-host=<DOCKER-BRIDGE_SEVER_HOST>:<docker0 ip> -it --name=fsuite -p 8443:8443 -e LOG_LEVEL=debug -e LOG_TRACER=true -e LOG_HTTP_TRACE=true -e DISABLE_JWS=FALSE "openbanking/conformance-suite:[TEST_SUITE_VERSION]"
- Add the certificates to the container.
Go to <
WSO2_OB_APIM_HOME>/repository/resources/securityand execute the command below to generate thepemfile for<WSO2_OB_APIM_HOST>.crtCode Block openssl x509 -inform der -in <WSO2_OB_APIM_HOST>.crt -out <WSO2_OB_APIM_HOST>.pem
Log in to the container
Code Block docker exec -it fsuite /bin/bash
Add the
<WSO2_OB_APIM_HOST>.pemcertificate to the following locations:- /usr/local/share/ca-certificates/<WSO2_OB_APIM_HOST>.pem- /etc/ssl/certs/<WSO2_OB_APIM_HOST>.pemRun the following command.
Code Block update-ca-certificates
Stop the container.
Code Block docker stop fsuite
Restart the container
Code Block docker start -a fsuite
- Access the test suite at
https://<WSO2_OB_APIM_HOST>:8443 - Select Open Banking test suite and start the test.
In the Discovery step, update the following values in the JSON file.
Tip A sample configure.json is available here.
discoveryItems apiSpecification name Account and Transaction API Specification openidConfigurationUri
The OpenID Connect discovery endpoint. For example:
https://10.100.0.3:8243/.well-known/openid-configurationresourceBaseUri Production/Sandbox URL for the API. For example:
https://10.100.0.3:8243/open-banking/v3.1/aispdiscoveryItems apiSpecification name Payment Initiation API openidConfigurationUri
The OpenID Connect discovery endpoint. For example:
https://10.100.0.3:8243/.well-known/openid-configurationresourceBaseUri Production/Sandbox URL for the API. For example:
https://10.100.0.3:8243/open-banking/v3.1/pispClick Next and proceed to the Configuration stage.
Add the following mandatory configurations in the form/JSON file.
Payments
Identification
Beneficiary account identification
Name
Tip A sample configure.json is available here.
Client
Private Signing Key (.key):
The Private Signing Key certificate of the client/application created in the section above . Public Signing Certificate (.pem):
The Public Signing Certificate of the client/application created in the section above. Private Transport Key (.key):
The Private Transport Key certificate of the client/application created in the section above. Public Transport Certificate (.pem):
The Public Transport Certificate of the client/application created in the section above. Account IDs
The Account IDs of the account resources that the customer (PSU) has consented to provide to the client/application. Statement IDs
The Statement IDs of the statement resources that the customer (PSU) has consented to provide to the client/application. Client ID
Consumer key of the client/application created in the section above. Client Secret
Consumer secret of the client/application created in the section above. x-fapi-financial-id
The unique id of the ASPSP to which the request is issued. The unique id will be issued by OB.
For example:
open-bankWell-Known
OAuth 2.0 response_type
A JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values
Request object signing algorithm
The algorithm used to sign requests objects
Resource Base URL
The base URL of the WSO2 OB APIM server. For example: https://<WSO2_OB_APIM_HOST>:8243tpp_signature_kid
The KID value of the signing certificate.
tpp_signature_issuer
Certificate Owner (Eg: CN=sgsMuc8ACBgBzinpr8oJ8B, OU=0015800001HQQrZAAX, O=OpenBanking, C=GB)
tpp_signature_tan
Trust Anchor used in signing JOSE (Eg: openbanking.org.uk)
Well-Known
OAuth 2.0 response_type
A JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values
Request object signing algorithm
The algorithm used to sign requests objects
Resource Base URL
The base URL of the WSO2 OB APIM server. For example: https://<WSO2_OB_APIM_HOST>:8243Payments
Identification
Beneficiary account identification
Name
Name of the account, as assigned by the account servicing institution.
Usage: The account name is the name or names of the account owner(s) represented at an account level. The account name is not the product name or the nickname of the account.
International Identification
The international beneficiary account identification
International Name
International name of the account, as assigned by the account servicing institution.
Usage: The account name is the name or names of the account owner(s) represented at an account level. The account name is not the product name or the nickname of the account.
tpp_signature_kid
The KID value of the signing certificate.
tpp_signature_issuer
Certificate Owner (Eg: CN=sgsMuc8ACBgBzinpr8oJ8B, OU=0015800001HQQrZAAX, O=OpenBanking, C=GB)
tpp_signature_tan
uk).
Click Next and run the suite.
