This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring Open Banking Key Manager
Follow the steps below to deploy the Open Banking Key Manager.
Do the following configurations in Key Manager and restart the server.
Go to the <WSO2_OB_KM_HOME>/bin
directory and execute the following command:
./wso2server.sh
Configuring datasources
Configure theÂ
<WSO2_OB_KM_HOME>/repository/conf/datasources/master-datasources.xml
 file with the following configurations.Update theÂ
URL
,Âusername
,Âpassword
, andÂdriverClassName
 with the database credentials, and relevant database driver name in theÂWSO2AM_DB
,ÂWSO2CONFIG_DB
,ÂWSO2REG_DB
, andÂWSO2UM_DB
 datasources. Given below is a sample of MySQL configurations.ÂIf you are using Oracle, update the
validationQuery
in each datasource with the value below.<validationQuery>SELECT 1 FROM DUAL</validationQuery>
<datasource> <name>WSO2AM_DB</name> <description>The datasource used for API Manager database</description> <jndiConfig> <name>jdbc/WSO2AM_DB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/openbank_apimgtdb?autoReconnect=true&useSSL=false</url> <username>root</username> <password>root</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>150</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> <defaultAutoCommit>false</defaultAutoCommit> </configuration> </definition> </datasource>
Update the
WSO2_CONSENT_DB
datasource in theÂ<WSO2_OBKM_HOME>/repository/conf/datasources/open-banking-datasources.xml
 file with the following configurations.<datasources> <datasource> <name>WSO2_CONSENT_DB</name> <description>The datasource used for registry and user manager</description> <jndiConfig> <name>jdbc/WSO2ConsentDB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/openbank_consentdb?autoReconnect=true&useSSL=false</url> <username>root</username> <password>root</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>150</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> <defaultAutoCommit>false</defaultAutoCommit> </configuration> </definition> </datasource> </datasources>
In theÂ
<WSO2_OBKM_HOME>/repository/conf/registry.xml
 file, update the properties given below.<dbConfig name="configRegistry"> <dataSource>jdbc/WSO2Config_DB</dataSource> </dbConfig> <remoteInstance url="https://<WSO2_OB_KM_HOST>:9443/registry"> <id>configInstance</id> <dbConfig>configRegistry</dbConfig> <readOnly>false</readOnly> <enableCache>true</enableCache> <registryRoot>/</registryRoot> </remoteInstance> <mount path="/_system/config" overwrite="true"> <instanceId>configInstance</instanceId> <targetPath>/_system/config</targetPath> </mount> <dbConfig name="governanceRegistry"> <dataSource>jdbc/WSO2REG_DB</dataSource> </dbConfig> <remoteInstance url="https://<WSO2_OB_KM_HOST>:9443/registry"> <id>governanceInstance</id> <dbConfig>governanceRegistry</dbConfig> <readOnly>false</readOnly> <enableCache>true</enableCache> <registryRoot>/</registryRoot> </remoteInstance> <mount path="/_system/governance" overwrite="true"> <instanceId>governanceInstance</instanceId> <targetPath>/_system/governance</targetPath> </mount>
In theÂ
<WSO2_OBKM_HOME>/repository/conf/user-mgt.xml
 file, update the datasource property to point to theÂWSO2UM_DB
.<Property name="dataSource">jdbc/WSO2UM_DB</Property>
Enable the internal JDBC user store in the
<WSO2_OBKM_HOME>/repository/conf/user-mgt.xml
 file. Update theUsernameJavaRegEx
,UsernameJavaScriptRegEx
,CaseInsensitiveUsername
, andÂUsernameWithEmailJavaScriptRegEx
properties. Follow the sample configuration given below:<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"> <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property> <Property name="ReadOnly">false</Property> <Property name="ReadGroups">true</Property> <Property name="WriteGroups">true</Property> <Property name="UsernameJavaRegEx">a-zA-Z0-9@._-{3,30}$</Property> <Property name="UsernameJavaScriptRegEx">^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property> <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property> <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property> <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property> <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property> <Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property> <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property> <Property name="CaseInsensitiveUsername">true</Property> <Property name="SCIMEnabled">false</Property> <Property name="IsBulkImportSupported">false</Property> <Property name="PasswordDigest">SHA-256</Property> <Property name="StoreSaltedPassword">true</Property> <Property name="MultiAttributeSeparator">,</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="MaxRoleNameListLength">100</Property> <Property name="UserRolesCacheEnabled">true</Property> <Property name="UserNameUniqueAcrossTenants">false</Property> <Property name="UsernameWithEmailJavaScriptRegEx">^[\S]{3,30}$</Property> </UserStoreManager>
Configuring the carbon.xml file
Apply the following changes in theÂ
<WSO2_OBKM_HOME>/repository/conf/carbon.xml
 file:Update the <
HostName>
 and <MgtHostName>
 with the IP addresses of the Key Manager server(s).- Update the <
KeyAlias>
 under<KeyStore>
 to match with the alias provided during the KeyStore creation for the Key Manager server.Â
Configuring the application-authentication.xml file
- Update theÂ
<WSO2_OBKM_HOME>/repository/conf/identity/application-authentication.xml
 file with the following configurations.ÂUpdate the <
AuthenticationEndpointURL>
 and <AuthenticationEndpointRetryURL>
 attributes with the URLs of the authentication web application, as shown below.<AuthenticationEndpointURL>https://<OBKM_HOSTNAME>/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>https://<OBKM_HOSTNAME>/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL>
Add theÂ
include
 action to the <AutheticationEndpointRedirectParams>
 request parameter in theÂ<WSO2_OBKM_HOME>/repository/conf/identity/application-authentication.xml
 file. When the action is set toÂinclude
, the defined parameters will be sent to theÂAuthenticationEndpoint
 as query parameters.<AuthenticationEndpointRedirectParams action="include" removeOnConsumeFromAPI="true"> <AuthenticationEndpointRedirectParam name="sessionDataKeyConsent"/> <AuthenticationEndpointRedirectParam name="relyingParty"/> <AuthenticationEndpointRedirectParam name="authenticators"/> </AuthenticationEndpointRedirectParams>
If you're using a customized authentication web app, you can access the hidden parameters using theÂ
sessionDataKeyConsent
 parameter. For more information, see Authentication Data API.
Configuring the identity.xml file
Update the <WSO2_OBKM_HOME>/repository/conf/identity/identity.xmlÂ
file with the following configurations.
Define the Open Banking specific Request Object Validator under the <
OpenIDConnect>
 as follows:<RequestObjectValidator>com.wso2.finance.request.object.validator.OBRequestObjectValidatorImpl</RequestObjectValidator>
Update the following configurations under theÂ
<OAuth>
 property with the URL of the Open Banking API Manager Gateway.<OAuth2AuthzEPUrl>${carbon.protocol}://<OBAM_HOSTNAME>:8243/authorize</OAuth2AuthzEPUrl> <OAuth2TokenEPUrl>${carbon.protocol}://<OBAM_HOSTNAME>:8243/token</OAuth2TokenEPUrl> <OAuth2UserInfoEPUrl>${carbon.protocol}://<OBAM_HOSTNAME>:8243/userinfo</OAuth2UserInfoEPUrl> <OAuth2DCREPUrl>${carbon.protocol}://<OBAM_HOSTNAME>:8243/register</OAuth2DCREPUrl>
Update the following configuration under the
<OpenIDConnect>
tag with the hostname of the Open Banking API Manager server.Â<IDTokenIssuerID>https://<WSO2_OB_APIM_HOST>:8243/token</IDTokenIssuerID>
Make sure the
RenewRefreshTokenForRefreshGrant
value set to false. With this configuration, the refresh token that is received by the refresh token grant type is not renewed. This is used to enforce consent re-authorization.<RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>
Add RenewTokenPerRequest and set the value to true. This configuration enforces a new token per each request, which will revoke any active tokens for the same application and user. This configuration is used to revoke previous tokens bound to the PSU during consent re-authentication.
<RenewTokenPerRequest>true</RenewTokenPerRequest>
Configure the Receiver URL of theÂ
<EventPublisher>
 underÂ<AdaptiveAuth>
 with the hostname of the Open Banking Business Intelligence Server. By default, the relevant Siddhi Apps are configured to listen to port 8006.<ReceiverURL>http://<WSO2_OB_BI_HOSTNAME>:8006/</ReceiverURL>
Add Open Banking specific response type handlers underÂ
<SupportedResponseTypes>
 as follows:<SupportedResponseType> <ResponseTypeName>code</ResponseTypeName> <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBCodeResponseTypeHandler</ResponseTypeHandlerImplClass> </SupportedResponseType> <SupportedResponseType> <ResponseTypeName>code id_token</ResponseTypeName> <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBHybridResponseTypeHandler</ResponseTypeHandlerImplClass> </SupportedResponseType>
Add the Open Banking specific grant types under <
SupportedGrantTypes>
 as follows:<SupportedGrantType> <GrantTypeName>authorization_code</GrantTypeName> <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass> </SupportedGrantType> <SupportedGrantType> <GrantTypeName>client_credentials</GrantTypeName> <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBClientCredentialsGrantHandler</GrantTypeHandlerImplClass> </SupportedGrantType>
The cache configurations are available in
<CacheConfig>
under<CacheManager>
element. You can update the configurations according to your requirements.The ID Token Builder and the algorithm that signs the ID Token Builder are configurable.
By default,Â
<IDTokenBuilder>Â
is set toÂorg.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder
. For example, to sign the <IDTokenBuilder>
 with theÂSHA256withPS
 algorithm the configurations are as follows:<OpenIDConnect> <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder> <SignatureAlgorithm>SHA256withPS</SignatureAlgorithm> </OpenIDConnect>
Disabling weak ciphers
A cipher is an algorithm for performing encryption or decryption. When you set the SSL protocol of your server to TLS, the TLS and the default ciphers get enabled without considering the strength of the ciphers. This is a security risk as weak ciphers, also known as EXPORT ciphers, can make your system vulnerable to attacks. To prevent these types of security attacks, it is encouraged to disable the weak ciphers.Â
Refer to Disabling weak ciphers in the WSO2 Administration Guide and disable weak ciphers.