This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring the Open-Banking.xml File for UK

Owned by Former user (Deleted)
Last updated: Jun 11, 2021 by Former user (Deleted)
15 min read

Configure the repository/conf/finance/open-banking.xml file in both WSO2_OB_APIM and WSO2_OB_KM nodes based on the configurations listed below. 

Do the following configurations in both the wso2-obam and wso2-obkm nodes, and restart the servers.


Configuration
1

Define the specification that you plan to deploy.

Possible values: UK, BERLIN, STET

<DeployedSpecification>UK</DeployedSpecification>
2

If you want to enable the event notification feature, set the <isEnabled> to true, and define the following configurations:

  • <TokenIssuer>: The URL from where the token is issued.
  • <NotificationExpiryTime>: The expiry time of the notification, in seconds.
  • <NotificationAPIUrl>: The URL of the event-notification endpoint which is exposed from wso2-obam
<EventNotifications>
  <IsEnabled>false</IsEnabled>
  <TokenIssuer>www.openbank.com</TokenIssuer>
  <NotificationExpiryTime>180</NotificationExpiryTime>         
  <NotificationAPIUrl>https://OBAM_HOSTNAME:8243/open-banking/v3.1/event-notification</NotificationAPIUrl>
</EventNotifications>
3

<DaysToExpireRequest>: Defines the number of days after which the system considers the consent as expired if the required authorisation is not given.

<MultiAuthorization>
  <DaysToExpireRequest>3</DaysToExpireRequest>
</MultiAuthorization>
4
  • <PayableAccountsRetriveEndpoint>: Configures the endpoint to retrieve payable accounts that required to list on the consent page.
  • <SharableAccountsRetriveEndpoint>: Configures the endpoint to retrieve sharable accounts that required to list on the consent page.

Shareable accounts - accounts that are accessible online.

Payable accounts - accounts from which a PSU can make a payment.

<PayableAccountsRetriveEndpoint>http://OBAM_HOSTNAME:9763/open-banking/services/bankaccounts/bankaccountservice/payable-accounts</PayableAccountsRetriveEndpoint>

<SharableAccountsRetriveEndpoint>http://OBAM_HOSTNAME:9763/open-banking/services/bankaccounts/bankaccountservice/sharable-accounts</SharableAccountsRetriveEndpoint>

In some banks, some PSUs may have a certain number of accounts, but not all accounts have the ability to be shared externally or to make a payment online. In a bank, the shareable account list and the payable account list can either be the same or different.

In the default WSO2 Open Banking solution, at least two APIs are expected to return shareable and payable accounts when passing the user_id, and the given JSON response must be returned. Then it automatically loads the accounts list in the consent page.

{
 "data": [
  {
   "account_id": "1234-2345-3456-4567",
   "display_name": "1234-2345-3456-4567"
  },
  {
   "account_id": "9999-4345-8456-4567",
   "display_name": "9999-4345-8456-4567"
  }
 ]
}

By default, mock backend deployed in WSO2_OBAM is configured. Required parameters can be passed as query parameters to those endpoints. As an example:

http://OBAM_HOSTNAME:9763/open-banking/services/bankaccounts/bankaccountservice/payable-accounts?userId=john@gold.com&consentId=1234567890

If you plan to implement the multi-authorization feature for the PISP flow, the payable account retrieval endpoint should return the following JSON response.

{
 "data": [{
   "account_id": "30080098971337",
   "display_name": "30080098971337",
   "authorizationMethod": "multiple",
   "authorizationUsers": [{
     "customer_id": "123",
     "user_id": "psu1@wso2.com@carbon.super"
    },
    {
     "customer_id": "456",
     "user_id": "psu2@wso2.com@carbon.super"
    }
   ]
  }
 ]
}
5

Configure the role to identify the customer care officers, who are able to access the customer care portal, and revoke the consents on behalf of customers.

<UK>
...             
  <CustomerCareOfficerRole>Internal/CustomerCareOfficer</CustomerCareOfficerRole>
...
</UK>
6

The unique ID of the ASPSP to which the request is issued. The unique ID is issued by OBIE and corresponds to the Organization ID of the ASPSP in the Open Banking Directory. If the value does not match the expected value (based on the Client ID or network certificate of the caller), the ASPSP must reject the request with a 403 (Not Authorized) status code.

<UK>
...
  <XFAPIFinancialId>open-bank</XFAPIFinancialId>
...
</UK>
7

According to the openbanking.org.uk specification, the links to access the created resource must be returned, as follows.

"Links": {
   "Self": "https://api.alphabank.com/open-banking/v2.0/accounts/22289"
 },

In order to generate the self URL shown in the above JSON, configure the URLs of the exposed APIs, as shown in the below configuration.

<UK>
...
  <UK300AccountAPIURL>https://OBAM_HOSTNAME:8243/open-banking/v3.1/aisp/</UK300AccountAPIURL>
  <UK200AccountAPIURL>https://OBAM_HOSTNAME:8243/open-banking/v2.0/aisp/</UK200AccountAPIURL>
  <UK110PaymentAPIURL>https://OBAM_HOSTNAME:8243/open-banking/v1.1/pisp/</UK110PaymentAPIURL>
  <UK300PaymentAPIURL>https://OBAM_HOSTNAME:8243/open-banking/v3.1/pisp/</UK300PaymentAPIURL>
  <UK300FundsConfirmationAPIURL>https://OBAM_HOSTNAME:8243/open-banking/v3.1/cbpii</UK300FundsConfirmationAPIURL>
...
</UK>




8

In order to improve the performance of the API Gateway, the consent validation responses for account information retrieval calls are cached.

  • <EnableConsentValidationCache>: Determines whether or not the consent validation cache is enabled at the API Gateway.
  • <ConsentValidationCacheExpiry>: The expiry time for the consent validation info cache, in seconds.
  • <DefaultCacheTimeout>: The time in which the cache times out, in seconds.
<UK>
...
  <Cache>
    <EnableConsentValidationCache>true</EnableConsentValidationCache>
    <ConsentValidationCacheExpiry>900</ConsentValidationCacheExpiry>
    <DefaultCacheTimeout>120000</DefaultCacheTimeout>
  </Cache>
...
</UK>
9

In the AISP flow, when the TPP invokes the account retrieval APIs, they can either use the /accounts/{consentId} or /accounts/{accountId}.

If they want to use consentId, the UseConsentIdInPath must be changed to true. By default, it works with the accountId.

<UK>
...
  <UseConsentIdInPath>false</UseConsentIdInPath>
...
</UK>
10

The following configuration is used to handle release management of the deployed API specifications.

E.g. If the resource is created using the API specification version v2.0, that resource can only be accessible using API specifications v2.0 and above.
<UK200SupportedSpecsToRequest>UK200|UK300</UK200SupportedSpecsToRequest> 

<UK>
... 
  <UK110SupportedSpecsToRequest>UK110|UK200|UK300</UK110SupportedSpecsToRequest>
  <UK200SupportedSpecsToRequest>UK200|UK300</UK200SupportedSpecsToRequest>
  <UK300SupportedSpecsToRequest>UK300</UK300SupportedSpecsToRequest>
...
</UK>
11

Account permissions not supported by the ASPSP can be restricted for the TPP by specifying one or more permissions separated by a pipe (|). By default, no permissions are restricted.

E.g. ReadOffers|ReadPAN|ReadParty|ReadPartyPSU

<UK>
...
  <RestrictedPermissions></RestrictedPermissions>
...
</UK>
12
  • <TokenAuthentication>: The supported authentication methods for the token endpoint.
  • <ConnectionTimeout> and <ReadTimeout>: The time out values when connecting to the JWKS endpoint of the Open Banking directory to retrieve the JSON web keys related to the TPP.
  • <EndPointURL>: The endpoint URLs to access the REST APIs of the API Manager in order to create the application and service provider, and generate keys for the application.
  • <EnableURIValidation>: If true, validate the policy, client, terms of service, and logo URIs.
  • <EnableHostNameValidation>: True or false can be set as values to check the hostname of policy, client, terms of service, and logo uris against the hostname of redirect uri.
  • <APISubscriptions>: Specify the context of the APIs that need to subscribe when the TPP registers through DCR. 
<UK>
...
<DCR>
    <!--the supported authentication methods for the token endpoint -->
    <TokenAuthentication>
        <Method>private_key_jwt</Method>
        <Method>client_secret_basic</Method>
    </TokenAuthentication>
    <!--the connection and read time out values for retrieving the remote jwks to validate the ssa and
    request jwt signatures during tpp registration-->
    <ConnectionTimeout>0</ConnectionTimeout>
    <ReadTimeout>0</ReadTimeout>
    <!--The endpoint urls are to access the rest APIs of API manager in order to
    create the application, service provider and generate keys for the application.
     -->
    <EndPointURL>
        <ServiceProviderCreation>/client-registration/v0.14/register</ServiceProviderCreation>
        <Application>/api/am/store/v0.14/applications</Application>
        <Token>/token</Token>
        <KeyGeneration>/api/am/store/v0.14/applications/generate-keys</KeyGeneration>
        <ApiSearch>/api/am/store/v0.14/apis</ApiSearch>
        <ApiSubscribe>/api/am/store/v0.14/subscriptions/multiple</ApiSubscribe>
    </EndPointURL>
    <!--if true validate the policy,client,terms of service,logo uris -->
    <EnableURIValidation>false</EnableURIValidation>
    <APISubscriptions>
        <PISP>
            <APIContext>/open-banking/v3.1/pisp</APIContext>
            <APIContext>/open-banking/v3.0/pisp</APIContext>
            <APIContext>/open-banking/v2.0/pisp</APIContext>
        </PISP>
        <AISP>
            <APIContext>/open-banking/v3.1/aisp</APIContext>
            <APIContext>/open-banking/v3.0/aisp</APIContext>
            <APIContext>/open-banking/v2.0/aisp</APIContext>
        </AISP>
    </APISubscriptions>
	<!--if true validate the hostnames of policy,client,terms of service, logo uris match with the hostname of redirect uri-->
		<EnableHostNameValidation>false</EnableHostNameValidation>
</DCR>
...
</UK>
13

  • To validate the JTI claims in the DCR request JWT and the SSA, add the following configurations under the <UK><DCR> tags: 

    This is available only as a WUM update and is effective from March 03, 2019 (03-03-2019). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.


    • <EnableRequestJtiValidation>: Set this to true, to validate the JTI claim in request JWT.

    • <EnableSsaJtiValidation>: Set this to true, to validate the JTI claim in the SSA.

    • <JtiCacheExpiryTime>: Set the expiration time for JTI cache in minutes.

<UK>
	<DCR>
		<EnableRequestJtiValidation>true</EnableRequestJtiValidation>
		<EnableSsaJtiValidation>true</EnableSsaJtiValidation>
		<JtiCacheExpiryTime>60</JtiCacheExpiryTime>
14
  • <MaximumInstructedAmount>: The maximum instructed amount allowed.
  • <PermittedFrequencyPattern>: Frequency patterns that are supported by the ASPSP can be configured as a regex pattern separated by a pipe (|). By default, the ^(EvryDay)$|^(EvryWorkgDay)$|^(IntrvlWkDay:0[1-9]:0[1-7])$|^(WkInMnthDay:0[1-5]:0[1-7])$|^(IntrvlMnthDay:(0[1-6]|12|24):(-0[1-5]|0[1-9]|[12][0-9]|3[01]))$|^(QtrDay:(ENGLISH|SCOTTISH|RECEIVED))$ regex is supported. If you want to change the default pattern, configure the regex pattern.
  • <AllowedAmountPattern>: The allowed pattern for payment amount in domestic standing orders. Default pattern is ^\d{1,13}\.\d{1,5}$
  • <AllowedCurrencyPattern>: The allowed currency pattern for domestic standing orders. Default pattern is ^[A-Z]{3,3}$

  • <MaximumFuturePaymentDays>: The maximum future date of a scheduled payment.

<UK>
...
<PaymentRestrictions>
    <MaximumInstructedAmount>1000.00</MaximumInstructedAmount>

    <!--Frequency patterns that are supported by the ASPSP can be configured as a regex pattern separated by
    a pipe (|). By default, ^(EvryDay)$|^(EvryWorkgDay)$|^(IntrvlWkDay:0[1-9]:0[1-7])$|^(WkInMnthDay:0[1-5]:0[1-7])$|^(IntrvlMnthDay:(0[1-6]|12|24):(-0[1-5]|0[1-9]|[12][0-9]|3[01]))$|^(QtrDay:(ENGLISH|SCOTTISH|RECEIVED))$
    regex is supported. If you want to change the default pattern uncomment the following configuration
    and configure the regex pattern
    <PermittedFrequencyPattern></PermittedFrequencyPattern>
    before v1.3.0, there was a configuration to configure restricted frequency pattern.
    But it is now deprecated <RestrictedFrequencyPattern></RestrictedFrequencyPattern> -->

    <!--The allowed pattern for configuring the amount for domestic standing orders-->
   <!-- <AllowedAmountPattern></AllowedAmountPattern>-->

    <!--The allowed pattern for configuring the currency for domestic scheduled payments-->
    <!--<AllowedCurrencyPattern></AllowedCurrencyPattern>-->

    <MaximumFuturePaymentDays>90</MaximumFuturePaymentDays>
    ...
</PaymentRestrictions>
...
</UK>
15

<CutOffDateTime>.<Enabled>: Set to true if the bank wants to enforce the CutOffDateTime behaviour for the payments.

<CutOffDateTime>.<CutOffDateTimePolicy>: Specify the preferred approach to handle the CutOffDateTime behaviour

<CutOffDateTime>.<DailyCutOffTime>: The daily request cut off time.

<CutOffDateTime>.<ExpectedExecutionTime>: If the SelectedPolicy is set to ACCEPT, the expected execution time for the next day.

<CutOffDateTime>.<ExpectedSettlementTime>: If the SelectedPolicy is set to ACCEPT, the expected settlement time for the next day.

<UK>

...

<PaymentRestrictions>
...

    <!--
    Configurations regarding the handling of Payment requests after a cut off DateTime
    -->
    <CutOffDateTime>
        <!--IsEnabled denotes whether a CutOffDateTime is to be enforced by the ASPSP -->
        <Enabled>false</Enabled>
        <!--SelectedPolicy denotes the preferred Approach to handling requests past the CutOffDateTime.
         Allowed values are:
         1. REJECT - Reject all requests arriving past the DateTime value
         2. ACCEPT - Accept all requests arriving past the DateTime value and return ExpectedExecutionDateTime
         and ExpectedSettlementDateTime.
         -->
        <CutOffDateTimePolicy>REJECT</CutOffDateTimePolicy>
        <!--Expected format for all dates - hh:mm:ss.ffffff+|-hh:mm -->
        <!--The Daily time requests are to be cut off at -->
        <DailyCutOffTime>17:30:00+00:00</DailyCutOffTime>
        <!--Need to be set if the SelectedPolicy is set to ACCEPT.
            The ExpectedExecutionTime and the ExpectedSettlementTime for the next day -->
        <ExpectedExecutionTime>10:00:00+00:00</ExpectedExecutionTime>
        <ExpectedSettlementTime>11:00:00+00:00</ExpectedSettlementTime>
    </CutOffDateTime>
...

</PaymentRestrictions>
...

<UK>
16

The expiry time for the issuer certificate and the subject Domain Name of the sent transport certificate stored in the cache.

<UK>
...
  <CertificateValidationCacheExpiry>3600</CertificateValidationCacheExpiry>
...
</UK>
17

In consent re-authentication of the accounts flow, during authorisation, the PSU is allowed to change the selected account. If the <EnableAccountUpdateByPSU> property is set to true, the account bound to the consent is updated during re-authentication. If set to false, the account is not updated.

<UK>
...
  <ConsentReAuthentication>
    <EnableAccountUpdateByPSU>false</EnableAccountUpdateByPSU>
  </ConsentReAuthentication>
...
</UK>
18


If Mutual Transport Layer Security (MTLS) is terminated before the request reaches the Gateway, retrieve the TPP's certificate from the MTLS session and include as a transport certificate header. By default, the gateway expects ssl.client.auth.cert.X509 as the transport certificate header. Include the value for the transport certificate header in TransportCertificateHeader UK element. See the sample configuration below. 
<TransportCertificateHeader>ssl.client.auth.cert.X509</TransportCertificateHeader>

The load balancer should not allow the TPP to send its certificate as a transport certificate header that is configured in the open-banking.xml under <TransportCertificateHeader> element. 

If such header was found in the TPP’s request, it is mandatory to remove that header from the TPP’s request. This is applicable even when the MTLS session is not terminated at the load balancer.


When TLS is terminated before reaching the Gateway, to send the client certificate as a transport header, add the following configuration just above the <TransportCertificateHeader> tag:

<ClientTransportCertAsHeaderEnabled>true</ClientTransportCertAsHeaderEnabled>
19
  • <SigningConfiguration>: This configuration applies to request signing for x-jws-signature.
  • <Enable>: Determines whether or not to enable signing.
  • <TrustedAnchors>: The trusted anchor configuration. OBIE-specific trust anchor definitions.
  • <TrustedAnchors>.<Signing>: The trust anchor used in signing JOSE.
  • <TrustedAnchors>.<Validation>: Multiple values supported with the | delimiter. For example, trustanchor.org|trustanchor.org.uk
  • <OrganizationId>: The OBIE organization ID.
  • <Algorithm>: The default signing algorithm is RS256. To support other algorithms, uncomment this property and specify the value.
  • <MandatedAPIs> : Define the API contexts that require x-jws-signature verification
<UK>
...
<SigningConfiguration>
    <!-- Enable Signing -->
    <Enable>true</Enable>
    <OBIE>
        <!--
            Trusted Anchor Configuration
            openbanking.org.uk specific Trust Anchor definitions
        -->
        <TrustedAnchors>
            <!-- Trust Anchor used in signing JOSE -->
            <Signing>openbanking.org.uk</Signing>
            <!--
                Multiple values supported with `|` delimiter
                IE - trustanchor.org|trustanchor.org.uk
            -->
            <Validation>openbanking.org.uk</Validation>
        </TrustedAnchors>
        <!-- OBIE Organization Id -->
        <OrganizationId>ABC1234</OrganizationId>
    </OBIE>
    <!-- Default Singing Algorithm is PS256, to support others uncomment line below -->
    <!--<Algorithm>RS256</Algorithm>-->

    <!-- The following specified APIs will be mandated for message signing. -->
    <MandatedAPIs>
        <APIContext>/open-banking/v3.0/event-notification/</APIContext>
        <APIContext>/open-banking/v3.0/pisp/</APIContext>
        <APIContext>/open-banking/v3.1/event-notification/</APIContext>
        <APIContext>/open-banking/v3.1/pisp/</APIContext>
    </MandatedAPIs>
</SigningConfiguration>
...
<UK>
  • <SigningConfiguration>: This configuration applies to request signing for x-jws-signature.
  • <Enable>: Determines whether or not to enable signing.
  • <TrustedAnchors>: The trusted anchor configuration. OBIE-specific trust anchor definitions.
  • <TrustedAnchors>.<Signing>: The trust anchor used in signing JOSE.
  • <TrustedAnchors>.<Validation>: Multiple values supported with the | delimiter. For example, trustanchor.org|trustanchor.org.uk
  • <OrganizationId>: The OBIE organization ID.
  • <Algorithm>: The default signing algorithm is RS256. To support other algorithms, uncomment this property and specify the value.
  • <MandatedAPIs> : Define the API contexts that require x-jws-signature verification
<UK>
<SigningConfiguration>
    <!-- Enable Signing -->
    <Enable>true</Enable>
    <OBIE>
        <!--
            Trusted Anchor Configuration
            openbanking.org.uk specific Trust Anchor definitions
        -->
        <TrustedAnchors>
            <!-- Trust Anchor used in signing JOSE -->
            <Signing>openbanking.org.uk</Signing>
            <!--
                Multiple values supported with `|` delimiter
                IE - trustanchor.org|trustanchor.org.uk
            -->
            <Validation>openbanking.org.uk</Validation>
        </TrustedAnchors>
        <!-- OBIE Organization Id -->
        <OrganizationId>ABC1234</OrganizationId>
    </OBIE>
    <!-- Default Singing Algorithm is PS256, to support others uncomment line below -->
    <!--<Algorithm>RS256</Algorithm>-->

    <!-- The following specified APIs will be mandated for message signing. -->
    <MandatedAPIs>
        <APIContext>/open-banking/v3.0/event-notification/</APIContext>
        <APIContext>/open-banking/v3.0/pisp/</APIContext>
        <APIContext>/open-banking/v3.1/event-notification/</APIContext>
        <APIContext>/open-banking/v3.1/pisp/</APIContext>
    </MandatedAPIs>
</SigningConfiguration>
<UK>

This is available only as a WUM update and is effective from June 20, 2020 (06-20-2020). For more information on updating WSO2 Open Banking, see  Updating WSO2 Products .

  • Add the following configurations under the  <SigningConfiguration>  tag.  

    <!-- The following specified APIs will be associated with response signing. -->
<ResponseSignatureRequiredAPIs>
    <APIContext>/open-banking/v3.0/pisp/</APIContext>
    <APIContext>/open-banking/v3.1/pisp/</APIContext>
</ResponseSignatureRequiredAPIs>

  • Add the following configurations right below the </SigningConfiguration> tag and configure them.

    <OBIdentityRetriever>
    <!--
           Server Key configuration
           used for singing purposes IE - message signing
       -->
    <Server>
        <!-- alias the certificate used for signing (in repository/resources/security/wso2carbon.jks)-->
        <SigningCertificateAlias>wso2carbon</SigningCertificateAlias>
        <!-- KID value for primary signing certificate that is exposed by the JWKS endpoint under OIDC well-known endpoint (by default https://localhost:8243/.well-known/openid-configuration) -->
        <SigningCertificateKid></SigningCertificateKid>
    </Server>
</OBIdentityRetriever>
  • See JSON Web Signature (JWS) to configure JWS validation support for Waiver 007.
20

Add the following configurations that specify the allowed signature algorithms in TPP requests. With this configuration, WSO2 Open Banking rejects the JWTs signed in algorithms that are not in the following list. If the configuration is not added, no validation occurs and any algorithm is passed through. Allowed value is PS256.

This is available only as a WUM update and is effective from March 26, 2019 (03-26-2020). For more information on updating WSO2 Open Banking, see  Updating WSO2 Products .

  <UK>
  <AllowedInboundSignatureAlgorithms>
  <Algorithm>PS256</Algorithm>
  </AllowedInboundSignatureAlgorithms>
  </UK>
21

By default, two factors (basic and SMS OTP) are configured to engage when a TPP creates an application and generates keys. If you want to configure a different authentication factor as the second authentication factor, configure that authenticator as a federated authentication in WSO2_OBKM and configure the name here.

<SCA>
  <IdpName>SMSAuthentication</IdpName>
</SCA>
22

Determines whether or not ACR is enabled.

<ACREnabled>false</ACREnabled>
23
  • <Server>: The server key configuration used for message signing purposes.

  • <Server>.<SigningCertificateAlias>: The certificate is under this alias.

  • <Server>.<SigningCertificateKid>: The KID value for signing the certificate.

  • <JWKS-Retriever>.<SizeLimit>: Maximum size limit for remote JWKSet retrieval.

  • <JWKS-Retriever>.<ConnectionTimeout>: Connection timeout for remote JWKSet retrieval.

  • <JWKS-Retriever>.<ReadTimeout>: Content read timeout for remote JWKSet retrieval.

  • <Cache>.<ModifiedExpiryMinutes>: JWKSet/Certificate cache after modification expiry time, in minutes.

  • <Cache>.<AccessedExpiryMinutes>: JWKSet/Certificate cache after accessed expiry time, in minutes.

<OBIdentityRetriever>
    <!--
        Server Key configuration
        used for singing purposes IE - message signing
    -->
    <Server>
        <!-- alias the certificate is under -->
        <SigningCertificateAlias>wso2carbon</SigningCertificateAlias>
        <!-- KID value for signing certificate -->
        <SigningCertificateKid>1234</SigningCertificateKid>
    </Server>
    <JWKS-Retriever>
        <SizeLimit>51200</SizeLimit>
        <ConnectionTimeout>2000</ConnectionTimeout>
        <ReadTimeout>2000</ReadTimeout>
    </JWKS-Retriever>
    <!-- Cache Configuration for Identity Retriever Cache -->
    <Cache>
        <ModifiedExpiryMinutes>15</ModifiedExpiryMinutes>
        <AccessedExpiryMinutes>15</AccessedExpiryMinutes>
    </Cache>
</OBIdentityRetriever>
24

Debator account validation checks the debtor account for the PSU in the initiation request.

ParameterDescription
trueDisables the debtor account validation to check if the debtor account for the PSU that is  sent in the initiation request   is valid.
falseThe bank back end checks if a valid account is sent as the debtor account when initiating the consent. Returns only valid account when calling payable accounts endpoint during authentication to retrieve the endpoints.
<!-- Configuration to disable debtor account validation in payments -->
        <ValidateDebtorAccount>true</ValidateDebtorAccount>
25

ASPSP supports payment data permissions that give access to the TPP by specifying one or more permissions to access payment information, separated by a pipe(l).

By default, create permission is granted.

<DataPermission>Create</DataPermission>
26

In order to enable certificate revocation validation for API security, make sure that the following configurations are added under the server root element.

This is available only as a WUM update and is effective from February 06, 2020 (02-06-2020). For more information on updating WSO2 Open Banking, see  Updating WSO2 Products .

<CertificateManagement>
    <!-- Expiry time for the cache (in seconds) for storing the validation result of the certificates-->
    <ClientCertificateCacheExpiry>3600</ClientCertificateCacheExpiry>
    <!-- Enable certificate OCSP and CRL validation -->
    <CertificateRevocationValidationEnabled>true</CertificateRevocationValidationEnabled>
 
        <!-- Proxy server configuration to do TPP certificate revocation checks -->
        <CertificateRevocationProxy>
            <Enabled>false</Enabled>
            <ProxyHost>PROXY_HOSTNAME</ProxyHost>
            <ProxyPort>8080</ProxyPort>
        </CertificateRevocationProxy>
 
    <!--Manager class implementation responsible for verifying certificate revocation status-->
        <RevocationValidationManagerImplClass>com.wso2.finance.open.banking.gateway.common.mtls.cert.validation.service.CertRevocationValidationManagerImpl</RevocationValidationManagerImplClass>
 
        <!-- Retry count for validating certificate OCSP and CRL revocation status -->
    <CertificateRevocationValidationRetryCount>3</CertificateRevocationValidationRetryCount>
 
        <!-- List of issuer DNs whose issued certificates needs to be skipped from certificate revocation
        validation.
        e.g. <IssuerDN>CN=Test Pre-Production Issuing CA, O=Test, C=GB</IssuerDN>
        -->
        <RevocationValidationExcludedIssuers>
            <IssuerDN></IssuerDN>
        </RevocationValidationExcludedIssuers>
</CertificateManagement>
27

To enforce regulatory certificates for API invocations, add the following configuration under the <CertificateManagement> tag: 

This is available only as a WUM update and is effective from December 23, 2020 (12-23-2020). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

<EnforceRegulatoryCertificates>true</EnforceRegulatoryCertificates>

Once you add the configuration, you can add the eIDAS certificates to the client trust stores as described in eIDAS Implementation for PSD2 Compliance.