This document discusses how WSO2 Open Banking has implemented the Electronic Identification and Trust Services (eIDAS) Regulation for the NextGen PSD2 XS2A Framework.
Before you begin:
In order to try out the flows with the eIDAS approach, Third-Party Providers (TPPs) have to be registered in a Qualified Trust Service Provider (QTSP).
If you are testing the WSO2 Open Banking solution for UK compliance, you can use either of the following:
- Original eIDAS certificates:
  - Qualified Website Authentication Certificate (QWAC)
  - Qualified e-Seal Certificate (QSealC)
- Original eIDAS certificates:
In order to support eIDAS certificates in WSO2 Open Banking, you need to update the client trust stores.
TPP Validation Service

TPP validation service allows OBIE-registered Account Servicing Payment Service Providers (ASPSPs) to validate TPPs from the NCAs. This is done by validating QWAC or OBWAC. Follow the steps to enable this service:

This is available only as a WUM update effective from January 03, 2021 (01-03-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

Prerequisites:
- The OBWAC/QWAC is configured in <WSO2_OB_APIM_HOME>/repository/resources/security/wso2carbon.jks.
- Update <WSO2_OB_APIM_HOME>/repository/resources/security/client-truststore.jks with the OBIE root, issuer certificates as mentioned here.
- The signing keystore (wso2carbon-signing.jks) is placed in the <WSO2_OB_APIM_HOME>/repository/resources/security directory.

Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file and add the following configs under the <CertificateManagement> section. The SoftwareStatementId value needs to be configured according to the OBWAC/QWAC that has been configured in the <WSO2_OB_APIM_HOME>/repository/resources/security/wso2carbon.jks.

<TPPValidationService>
<CacheExpiry>3600</CacheExpiry>
<TPPValidationImplClass>com.wso2.finance.open.banking.gateway.service.obie.OBIECertValidationServiceImpl</TPPValidationImplClass>
<OBIE>
<SoftwareStatementId>ykNOgWd2RgnuoLRRyWBkaY</SoftwareStatementId>
<Scopes>
<Scope>ASPSPReadAccess</Scope>
<Scope>TPPReadAccess</Scope>
<Scope>AuthoritiesReadAccess</Scope>
</Scopes>
<TokenEndpoint>https://matls-sso.openbankingtest.org.uk/as/token.oauth2</TokenEndpoint>
<ValidationEndpoint>https://matls-dirapi.openbankingtest.org.uk/certificate/validate</ValidationEndpoint>
<RedirectEndpoint>https://matls-api.openbankingtest.org.uk/scim/v2/OBAccountPaymentServiceProviders</RedirectEndpoint>
<MemberState>GB</MemberState>
</OBIE>
<ScopeRegexPatterns>
<AISP>accounts+</AISP>
<PISP>payments+</PISP>
<CBPII>fundsconfirmations+</CBPII>
</ScopeRegexPatterns>
</TPPValidationService>

The OBIE service-related endpoints are for the OBIE sandbox environment.

Configure the <SigningKeystore> tag with the file path of the JKS file that contains the OBSealC. Configure the <SigningCertificateAlias> and the <SigningCertificateKid> tags with the alias and KID value of the signing certificate (OBSealC):

<Server>
<!-- alias the certificate is under -->
<SigningCertificateAlias>signing</SigningCertificateAlias>
<!-- KID value for primary signing certificate -->
<SigningCertificateKid>1pbTEt6v6_o0WpPFzmNXj6ediKw</SigningCertificateKid>
<SigningKeystore>
<Location>${carbon.home}/repository/resources/security/wso2carbon-signing.jks</Location>
<Password>wso2carbon</Password>
<KeyPassword>wso2carbon</KeyPassword>
</SigningKeystore>
</Server>

Add the following handler as the first handler in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file:

<handler class="com.wso2.finance.open.banking.gateway.common.APIPropertiesHandler">
<property name="xWso2ApiSpec" value='$apiObj.additionalProperties.get("ob-spec")'/>
<property name="xWso2ApiVersion" value='$apiObj.additionalProperties.get("ob-api-version")'/>
<property name="xWso2ApiType" value='$apiObj.additionalProperties.get("ob-api-type")'/>
</handler>

Add the TPP validation handler after the #if($apiObj.additionalProperties.get("ob-spec") == "berlin") configuration as follows:

#if($apiObj.additionalProperties.get("ob-spec") == "berlin")
## TPP validation service handler
<handler class="com.wso2.finance.open.banking.gateway.common.TPPValidationHandler"/>

The APIs have to be deployed with the ob-spec, ob-api-version, and ob-api-type properties. For more information, see Deploying APIs for Berlin.

Check the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api directory and make sure that both APIPropertiesHandler and TPPValidationHandler are available.

Integrating a Custom Certificate Validation Service

If you want to integrate a custom validation service rather than OBIE, you can configure as follows:

Implement the following interface for the required certificate validation service.

package com.wso2.finance.open.banking.gateway.service;

import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;

public interface TPPValidationService {

    /**
     * Validate the status of a TPP.
     *
     * @param peerCertificate   Certificate of the TPP
     * @param requiredPSD2Roles Roles that are required to be validated with the TPP validation service according to
     *                          the current flow
     * @param metadata          Metadata information
     * @return true if the TPP is valid for the required roles, false otherwise
     * @throws TPPValidationException if the validation cannot be completed
     */
    boolean validate(X509Certificate peerCertificate, List<PSD2RoleEnum> requiredPSD2Roles,
                     Map<String, Object> metadata) throws TPPValidationException;

    /**
     * Get the cache key used for caching the response. Implementation should return an appropriate ID that is
     * unique to the API flow.
     *
     * @param peerCertificate   Certificate of the TPP
     * @param requiredPSD2Roles Roles that are required to be validated with the TPP validation service according to
     *                          the current flow
     * @param metadata          Metadata information
     * @return the cache key for this certificate and flow
     * @throws TPPValidationException if the key cannot be derived
     */
    String getCacheKey(X509Certificate peerCertificate, List<PSD2RoleEnum> requiredPSD2Roles,
                       Map<String, Object> metadata) throws TPPValidationException;
}
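The following is an added example, not code from the page or from WSO2, showing the role check a custom implementation of the interface above has to perform on the TPP's QWAC. eIDAS PSD2 certificates carry the TPP's roles in the qcStatements extension (ETSI TS 119 495); the OIDs and the ASN.1 layout below are taken from that standard, not from the page, and the sample extension value is constructed inline. It is written in Python so that it runs stand-alone; a Java implementation would apply the same parsing to the bytes returned by peerCertificate.getExtensionValue("1.3.6.1.5.5.7.1.3") and map the result onto its PSD2RoleEnum values.

```python
"""Role check a custom TPP validation service has to perform on an eIDAS QWAC.
PSD2 certificates carry the TPP's roles in the qcStatements extension
(ETSI TS 119 495); this is a stdlib-only DER reader for exactly that structure,
plus a tiny DER writer used to build the constructed sample."""
from typing import List, Tuple

# OIDs from ETSI TS 119 495 (assumed from the standard, not from the page)
PSD2_QC_STATEMENT = "0.4.0.19495.2"
PSD2_ROLE_OIDS = {
    "0.4.0.19495.1.1": "ASPSP",   # PSP_AS
    "0.4.0.19495.1.2": "PISP",    # PSP_PI
    "0.4.0.19495.1.3": "AISP",    # PSP_AI
    "0.4.0.19495.1.4": "CBPII",   # PSP_IC
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a SEQUENCE into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def _decode_oid(content: bytes) -> str:
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:                # base-128, high bit = continuation
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def psd2_roles(qc_statements: bytes) -> List[str]:
    """Roles asserted in a QCStatements SEQUENCE.  Accepts either the raw extension
    content or the OCTET STRING wrapper that Java's getExtensionValue() returns."""
    tag, body, _ = _read_tlv(qc_statements, 0)
    if tag == 0x04:                         # unwrap OCTET STRING
        tag, body, _ = _read_tlv(body, 0)
    roles = []
    for _, statement in _children(body):    # QCStatement ::= SEQUENCE { id, info }
        fields = _children(statement)
        if len(fields) < 2 or _decode_oid(fields[0][1]) != PSD2_QC_STATEMENT:
            continue
        psd2_qc_type = _children(fields[1][1])   # { rolesOfPSP, nCAName, nCAId }
        for _, role in _children(psd2_qc_type[0][1]):  # RoleOfPSP ::= { oid, name }
            role_oid = _decode_oid(_children(role)[0][1])
            if role_oid in PSD2_ROLE_OIDS:
                roles.append(PSD2_ROLE_OIDS[role_oid])
    return roles


def validate_roles(qc_statements: bytes, required: List[str]) -> bool:
    """True only if every role the flow requires is asserted by the certificate."""
    return set(required) <= set(psd2_roles(qc_statements))


# --- minimal DER writer, only used to build the constructed sample below ------
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)                        # samples stay below 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_qc_statements(roles: List[str]) -> bytes:
    """Constructed qcStatements value with one PSD2 statement asserting `roles`,
    wrapped in an OCTET STRING like X509Certificate.getExtensionValue()."""
    oid_by_role = {name: oid for oid, name in PSD2_ROLE_OIDS.items()}
    utf8 = lambda s: _tlv(0x0C, s.encode())
    roles_of_psp = _tlv(0x30, b"".join(
        _tlv(0x30, _encode_oid(oid_by_role[r]) + utf8("PSP_" + r)) for r in roles))
    psd2_qc_type = _tlv(0x30, roles_of_psp + utf8("Example NCA") + utf8("XX-NCA"))
    statement = _tlv(0x30, _encode_oid(PSD2_QC_STATEMENT) + psd2_qc_type)
    return _tlv(0x04, _tlv(0x30, statement))
```

The role check is only one part of what validate() must establish: the gateway's trust store (client-truststore.jks above) covers the chain to the issuer, and an implementation should additionally confirm the validity period and revocation status of the certificate before returning true, because a role that was valid when the certificate was issued can have been withdrawn by the NCA since.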

Configure your TPP validation service using its Fully Qualified Name (FQN) as follows. Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file, find the [open_banking.cert_mgt.tpp_validation_service] tag and set tpp_validation_impl_class to the FQN of your implementation:

[open_banking.cert_mgt.tpp_validation_service]
cache_expiry=3600
tpp_validation_impl_class=""

Add the following tags below the [open_banking.cert_mgt.tpp_validation_service] configurations:

[open_banking.cert_mgt.tpp_validation_service.scope_regex_patterns]
aisp="accounts+"
pisp="payments+"
cbpii="fundsconfirmations+"

Make sure you have the following handler as the first handler under the <Handlers> section in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file. Otherwise add the handler.

<handler class="com.wso2.finance.open.banking.gateway.common.APIPropertiesHandler">
<property name="xWso2ApiSpec" value='$apiObj.additionalProperties.get("ob-spec")'/>
<property name="xWso2ApiVersion" value='$apiObj.additionalProperties.get("ob-api-version")'/>
<property name="xWso2ApiType" value='$apiObj.additionalProperties.get("ob-api-type")'/>
</handler>

Add the TPPValidationHandler handler right after the #if($apiObj.additionalProperties.get("ob-spec") == "berlin") configuration in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file.

#if($apiObj.additionalProperties.get("ob-spec") == "berlin")
## TPP validation service handler
<handler class="com.wso2.finance.open.banking.gateway.common.TPPValidationHandler"/>

The APIs have to be deployed with the ob-spec, ob-api-version and ob-api-type properties before republishing the APIs.

Check the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api directory and make sure that both APIPropertiesHandler and TPPValidationHandler are added under the <handlers> section.
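As an added example that is not part of the page or of WSO2's code, the following stdlib-only Python models the gateway-side step these settings drive: the scope of the API being invoked is mapped to the PSD2 roles the flow requires using the ScopeRegexPatterns / scope_regex_patterns values, a cache key unique to the certificate and the flow is derived (what getCacheKey() is meant to return), and the validator's answer is reused for CacheExpiry / cache_expiry seconds. The pattern values and the 3600-second expiry are copied from the configuration above; the use of re.fullmatch, the SHA-256-plus-roles key shape and the injected validator are my assumptions, not the gateway's implementation.

```python
"""Gateway-side model of the TPP validation step driven by the configuration
above: map the API scope to required PSD2 roles with ScopeRegexPatterns,
derive a cache key the way getCacheKey() is meant to, and honour CacheExpiry.
Stdlib only; the validation service itself is injected as a callable."""
import hashlib
import re
import time
from typing import Callable, Dict, List, Tuple

# Values copied from the page's configuration
CACHE_EXPIRY_SECONDS = 3600
SCOPE_REGEX_PATTERNS = {
    "AISP": "accounts+",
    "PISP": "payments+",
    "CBPII": "fundsconfirmations+",
}


def required_roles(scopes: List[str],
                   patterns: Dict[str, str] = SCOPE_REGEX_PATTERNS) -> List[str]:
    """Roles whose pattern matches at least one requested scope.
    Assumption: the pattern is applied to the whole scope (re.fullmatch);
    the page does not state how the gateway anchors it."""
    return sorted(role for role, pattern in patterns.items()
                  if any(re.fullmatch(pattern, scope) for scope in scopes))


def cache_key(peer_cert_der: bytes, roles: List[str]) -> str:
    """Assumed key shape: certificate fingerprint plus the sorted roles, so the
    entry is unique to the TPP and to the flow, as the interface requires."""
    fingerprint = hashlib.sha256(peer_cert_der).hexdigest()
    return fingerprint + ":" + ",".join(sorted(roles))


class TPPValidationCache:
    """Reuses a validator's answer for `expiry` seconds per cache key."""

    def __init__(self, validator: Callable[[bytes, List[str]], bool],
                 expiry: int = CACHE_EXPIRY_SECONDS,
                 clock: Callable[[], float] = time.time):
        self._validator = validator
        self._expiry = expiry
        self._clock = clock          # injectable so expiry can be tested
        self._entries: Dict[str, Tuple[bool, float]] = {}
        self.validator_calls = 0     # counts real (non-cached) validations

    def is_valid(self, peer_cert_der: bytes, scopes: List[str]) -> bool:
        roles = required_roles(scopes)
        key = cache_key(peer_cert_der, roles)
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and now - entry[1] < self._expiry:
            return entry[0]          # fresh enough: no call to the validation service
        self.validator_calls += 1
        result = self._validator(peer_cert_der, roles)
        self._entries[key] = (result, now)
        return result


if __name__ == "__main__":
    # Constructed stand-in for the peer certificate's DER bytes
    demo_cert = b"constructed DER bytes of a QWAC"
    demo = TPPValidationCache(lambda cert, roles: "AISP" in roles)
    print(required_roles(["accounts"]), demo.is_valid(demo_cert, ["accounts"]))
```

The expiry bounds how long an answer is reused: with cache_expiry=3600, a TPP whose certificate is revoked or whose role is withdrawn at the NCA keeps being accepted for up to an hour on the same certificate and flow, so shorten it if that window is larger than your risk appetite allows.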

Token generation

WSO2 Open Banking supports Private Key JSON Web Token (JWT) and MTLS as token authentication methods.

Authentication method and description:
- Private Key JWT: Sign JWT using QSealC. The signing certificate needs to be mentioned under software_jwks_endpoint of the SSA.
- MTLS: Initiate the access token request using the QWAC certificate as the certificate for mutual authentication. In the request header, mention the path to the public and private keys of the transport certificate. To find the sample request for the user-access token, see Accounts Information Service Provider Flow v1.3.6. Thereby, the public key of the transport certificate provided for the token endpoint will be verified against the software_jwks_endpoint in the SSA.

The following diagram describes how the token generation is implemented in WSO2 Open Banking in accordance with eIDAS:

For more information about the token authentication methods used in WSO2 Open Banking, see API Security for Berlin.

API invocation

Account Information Service Provider, Payment Initiation Service Provider, and Card-Based Payment Instrument Issuer are roles for a TPP. This role is validated so that only a particular TPP is allowed to invoke an API. APIs are protected using MTLS, which uses the QWAC as the transport certificate in each of the requests. To see how MTLS affects the API invocations, see API Security for Berlin.

Sources of Information