This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Try Local Setup

Owned by Former user (Deleted)
Last updated: Sept 05, 2022 by Former user (Deleted)
11 min read

This document provides you with instructions on how to configure and try out WSO2 Open Banking in your local environment.

The scripts for the below local setup in the Quick Start Guide are configured for a Linux and MySQL/MSSQL environment. Notice that WSO2 Open Banking solution is applicable to Windows/Linux and MySQL/MSSQL and Oracle environments.

Prerequisites

  1. Download OpenJDK 8 in all the nodes of the setup.

    • In the environment variables, update the JAVA_HOME and PATH variables. For instance, you can do this on a Mac/Linux server by adding the following to the ~/.bashrc file:

      export JAVA_HOME="<JDK_LOCATION>"

export PATH=$PATH:$JAVA_HOME/bin

  2. Download and unzip the following files:

    • wso2-obam-1.5.0.zip (WSO2 Open Banking API Manager) 

    • wso2-obkm-1.5.0.zip (WSO2 Open Banking Key Manager)

       Click here to see how to download the packs from WUM

      Set up the WSO2 Update Manager (WUM). 

      • WUM is a simple command-line tool that connects to the WSO2 update service, determines which updates are new and relevant, and downloads them. You can get the latest version of the WSO2 Open Banking product packs through WUM.

        License

        WSO2 Open Banking is not distributed under the Apache Community License and is only available under the WSO2 Software License. You need a WSO2 subscription to install and update the WSO2 Open Banking solution via WUM. Contact us to find out how you can access a free evaluation copy...

      • Follow the guidelines provided in the Download WUM page to download, and install WUM in your environment. For more information on how to use WUM, see the /wiki/spaces/updates/pages/16318500.

          1. Add the necessary product packs using the commands given below:

            wum add wso2-obam-1.5.0              		 	                	     
wum add wso2-obkm-1.5.0

          2. Update the product packs using the commands given below:

            wum update wso2-obam-1.5.0	                	     
wum update wso2-obkm-1.5.0

          3. Additionally, download and update the other instances of WSO2 Open Banking product.

            wum add wso2ei-6.4.0
wum update wso2ei-6.4.0

wum add wso2am-analytics-2.6.0    
wum update wso2am-analytics-2.6.0 
   
wum add wso2-obbi-1.5.0
wum update wso2-obbi-1.5.0

            WSO2 OB APIM Analytics(wso2am-analytics-2.6.0) provides the API analytics feature.

            WSO2 OB BI(wso2-obbi-1.5.0) provides the following features:

            • API Analytics

            • Transaction Risk Analysis

            • Fraud Detection

            • Data Reporting

      • The product packs reside in the <WUM_HOME>/products/<Product_Name>/<version>/full directory as <Product_name-<version>+<timestamp>.full.zip. Copy the product packs to a preferred location in each node, and extract them.


        WSO2 Updates Manager (WUM) is deprecated and will be unavailable from July 2021 onwards. WSO2 Updates is the new tool to include the solution and security improvements that are released by WSO2 Open Banking, on top of a released version. For more information, see WSO2 Updates.

         Click here to see how to update the solution via WSO2 Update tool...

        The WSO2 Update tool delivers hotfixes and updates seamlessly on top of products as WSO2 Updates. They include improvements that are released by WSO2. You need to update all the products using the relevant script.

        • Go to <PRODUCT_HOME>/bin and run the WSO2 Update tool: 

        • Repeat this step for all the products in the solution:
          • wso2-obkm-1.5.0 
          • wso2-obam-1.5.0 
          • wso2-obbi-1.5.0
          • wso2am-analytics-2.6.0

      This document refers to the file paths of the product packs for the Key Manager, API Manager, API Manager Analytics, and Enterprise Integrator as <WSO2_OB_KM_HOME>, <WSO2_OB_APIM_HOME>, <WSO2_AM_ANALYTICS_HOME>,<WSO2_OB_BI_HOME> and <WSO2_EI_HOME> respectively.



      WSO2 Updates Manager (WUM) is deprecated and will be unavailable from July 2021 onwards. WSO2 Updates is the new tool to include the solution and security improvements that are released by WSO2 Open Banking, on top of a released version. For more information, see WSO2 Updates.

       Click here to see how to update the solution via WSO2 Update tool...

      The WSO2 Update tool delivers hotfixes and updates seamlessly on top of products as WSO2 Updates. They include improvements that are released by WSO2. You need to update all the products using the relevant script.

      • Go to <PRODUCT_HOME>/bin and run the WSO2 Update tool: 

      • Repeat this step for both the wso2-obkm-1.5.0 and wso2-obam-1.5.0 products.

  3. Setup a database server using MySQL 5.7, Microsoft SQL Server 2016 or, Oracle 12c.

Setting up the databases and starting the servers

In order to start the servers, configure the databases in both the API Manager (APIM) and the Key Manager (KM) according to the open banking specification, as follows:

  1. Open the <WSO2_OB_KM_HOME>/repository/resources/finance/scripts/startup.properties  file and configure the following:

    • Specify the hostnames for the API Manager and Key Manager servers.

      # Specify the hostname you want to configure
APIM_HOSTNAME=localhost
IAM_HOSTNAME=localhost

    • Configure the databases related properties.

      Database PropertyDescription
      DB_TYPE

      Type of the database you installed

      DB_USER Database user
      DB_PASS Password set for the database connection
      DB_HOST Name of the database server
      DB_DRIVER

      Configure DB_DRIVER according to the database installed:

      - Mysql JDBC Driver = com.mysql.jdbc.Driver 
      - MSSQL JDBC Driver = com.microsoft.sqlserver.jdbc.SQLServerDriver
      - Oracle JDBC Driver = oracle.jdbc.driver.OracleDriver

      If you are using an MS SQL, Oracle, or a PostgreSQL database, see the following topics and configure the databases.

      If you're setting up Open Banking for Berlin and using an Oracle database, update the data type of the given field:  

       Click here to see the field to be updated...
      Databaseopenbank_apimgtdb
      TableAM_APPLICATION_REGISTRATION
      FieldINPUTS
      Data typeCLOB

  2. Run the <WSO2_OB_KM_HOME>/repository/resources/finance/scripts/configure-km.sh file according to your specification:

  3. Go to the <WSO2_OB_APIM_HOME>/repository/resources/finance/scripts directory and configure the database properties in the startup.properties file, similar to Step 1.

  4. Run the <WSO2_OB_APIM_HOME>/repository/resources/finance/scripts/configure-am.sh file.

    You have configured databases in step 1. By running the configure.sh files, you set the database credentials with reference to the configuration files.  

     Click here for more information

    The configure.sh scripts configure the solution according to the given specification:

    By default, values are set for the UK specification. Other supported specifications include:

    The <DeployedSpecification> value in the following files are updated according to your specification at runtime. Possible values for the DeployedSpecification tag are UK, BERLIN, AU, and STET

    • <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml 
    • <WSO2_OB_APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json
    • <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml
    • <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/ccportal/configs/conf.json
    • <WSO2_OB_KM_HOME>/repository/deployment/server/jaggeryapps/consentmgt/configs/conf.json
  5. This step is required only if you're setting up Open Banking for AU:

    1. According to Consumer Data Standards , an access token must expire between 2 minutes to 10 minutes after issuing it.  To configure the validity period of the access token in seconds, update the following configurations in the  <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml file. 

      <UserAccessTokenDefaultValidityPeriod>120</UserAccessTokenDefaultValidityPeriod>

    2. To enable Request-URI validation during the account retrieval process; validate the account ID against the account ID in the consent, open the <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml file and set <ValidateAccountIdOnRetrieval> to true: 

      <ValidateAccountIdOnRetrieval>true</ValidateAccountIdOnRetrieval>

    3. To revoke the consent with the access token, open <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml and add the following under the <EventListener> tag:

      <EventListener enable="true" name="com.wso2.finance.open.banking.identity.extensions.listeners.TokenRevocationListener" orderId="100" type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"/>

    4. To obtain a Mutual Transport Layer Security (MTLS) certificate bound access token, open the <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml file and configure the following: 

      1. Open the <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml file and do the following:

        1. Update the following configuration under <APISecurity><EnableMTLSTokenBinding> to enable this feature.

          <EnableMTLSTokenBinding>true</EnableMTLSTokenBinding>

        2. Configure the client certificate header name using the <CertificateManagement><ClientAuthenticationHeader> property as follows: 

          <ClientAuthenticationHeader>x-wso2-mutual-auth-cert</ClientAuthenticationHeader>

      2. Add the following handler to the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml file. 

        <handler class="com.wso2.finance.open.banking.mtls.validator.handler.GatewayClientAuthenticationHandler"/>

    5. To use Identifier-first as the primary authenticator:

      1. Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file and add the following under the <Server> <SCA> tags: 

        <!--Configure the primary authenticator / 1st step authenticator-->
<PrimaryAuthenticator>
	<Name>IdentifierExecutor</Name>
	<DisplayName>identifier-first</DisplayName>
</PrimaryAuthenticator>

      2. To configure SMS OTP as an identity provider for Identifier-first, update the <WSO2_OB_KM_HOME>/repository/conf/identity/application-authentication.xml file by adding the following. 

        <AuthenticatorConfig name="SMSOTP" enabled="true">
    <Parameter name="usecase">subjectUri</Parameter>
    <Parameter name="secondaryUserstore">primary</Parameter>

      3. Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file. Update the value of the <IdpName> parameter with the name of your identity provider. See Configuring consumer authentication, for more information. 

        <SCA>
    <IdpName>SMSAuthentication</IdpName>

  6. You are now ready to start the servers. In the command line, navigate to the <WSO2_OB_KM_HOME>/bin directory, and run the following command to start the Key Manager server:

    ./wso2server.sh -Dsetup

  7. Run the following command from the <WSO2_OB_APIM_HOME>/bin directory to start the API Manager server:

    ./wso2server.sh -Dsetup

If you're setting up Open Banking for AU:

Configuring consumer authentication

By default, WSO2 Open Banking comes with basic authentication configured. For CX guideline aligned experience, you can configure Identifier-first authentication paired with a secondary identity provider. In the section above, we configured SMS OTP as the secondary identity provider.

 Click here to see how it is done

Configuring Identifier-first authentication

The Identifier-first login enables identifying the individuals prior to authenticating them. It retrieves the identity of the user without using authentication information and uses that identity to control the authentication flow. For more information, see Identifier-first Flow Handler.

The Identifier-first is a handler that can be configured at any step in the authentication flow. However, it is not an authenticator by itself and needs to be configured along with another authenticator for the authentication process to be successful.

Configuring SMS OTP Authenticator

Follow the steps below to configure SMS OTP Authenticator.
  1. Start the WSO2 Open Banking Key Manager (WSO2 OB KM) server. Sign in to the Management Console (https://localhost:9446/carbon) as an administrator.
  2. Navigate to the Main menu to access the Identity menu. Click Add under Identity Providers.
  3. Fill the Basic Information section and name this identity provider SMSAuthentication.
  4. Expand the Federated Authenticators > SMS OTP Configuration section.

  5. Select both the Enable and Default checkboxes. This is to enable and make the SMSAuthentication authenticator the default one.

    Based on your SMS provider, fill out the SMS OTP configurations.

    If Twilio is used as the SMS provider,

    • Go to https://www.twilio.com/try-twilio and create an account.

    • While registering the account, verify your mobile number and click on console home https://www.twilio.com/console to get free credits (Account SID and Auth Token).

    • Twilio uses a POST method with headers and the text message and phone number are sent as the payload. So the fields would be as follows.

      SMS URLhttps://api.twilio.com/2010-04-01/Accounts/{AccountSID}/SMS/Messages.json
      HTTP MethodPOST
      HTTP HeadersAuthorization: Basic base64{AccountSID:AuthToken}
      HTTP PayloadBody=$ctx.msg&To=$ctx.num&From=urlencode{TrialNumber}

      If you pass the text message and the phone number in any field, you have to replace them with $ctx.num and $ctx.msg respectively.
      E.g., Body=$ctx.msg&To=$ctx.num&From=+12345678

    Currently, the WSO2 OB KM supports only the following SMS providers.

  6. Click Register to add the Identity Provider. 

  7. Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file.  Update the value of the <IdpName> parameter under the <SCA> element with the identity provider name.

    <SCA>
	<IdpName>SMSAuthentication</IdpName>
</SCA>

To verify the SMSAuthentication authenticator:

Now that you have enabled SMS OTP authentication for identifier-first authentication, let's verify whether the second-factor authentication is properly configured.

  1. Log in to the Management Console ( https://localhost:9446/carbon ) using the following credentials:
  2. In the Main menu under the Identity section, click List under Service Providers. You can find a list of service providers that were created for the applications in the API store.
  3. Select the service provider with the application name you created in step A. The service provider name is in the following format:

    <WSO2_OB_APIM_ USERNAME>_<APPLICATION_NAME>_<ENVIRONMENT>

  4. Click on the corresponding Edit link.

  5. Expand Local & Outbound Authentication Configuration. Select Advanced Configuration. You can configure additional authentication steps and additional authentication options.

    1. If you have successfully configured the above, you will see how the identifier-first and SMSAuthentication are configured under Authentication Step Configuration > Step 1 and Step 2 .

Restart the Key Manager and API Manager servers after the configuration changes.


You have started the servers. Next, configure users, roles, and APIs.

Configuring users and roles

Configuring APIs

You can configure APIs through the API Publisher by signing in as a user whose role includes Internal/publisher.  Follow the steps given below:

  1. Sign in to the API Publisher (https:// localhost:9443/publisher) with the credentials for mark@gold.com.

  2. Click ADD NEW API > I have an existing API

  3. Select the Swagger definition from <WSO2_OB_APIM_HOME>/repository/resources/finance/apis and configure the properties according to the open-banking specification. Find more information from the table given below.


    Click Start Creating.
  4. Click Next: Implement to navigate to the next level.
  5. Expand Managed API, and use the table below to select the relevant Endpoint Type from the drop-down list.
  6. Check Select a message mediation policy to be executed in the message flow under Message Mediation Policies.

  7. Click Upload In Flow and select the corresponding In sequence file from <WSO2_OB_APIM_HOME>/repository/resources/finance/apis.

  8. Click Next: Manage to navigate to the next level.

  9. Expand Throttling Settings. Under Subscription Tiers, check the option as Unlimited : Allows unlimited requests unless you want to limit the requests.

  10. Expand API Properties and add the Additional properties according to the API you're publishing. For more information, see the summarized information table.

  11. Click the + button to save the properties.

  12. Click Save & Publish.

Summarized information for configuring APIs



Configuring a consent management application

A consent management application is configured in order to manage consents granted to an application.

  1. Go to the Identity and Access Management Console at https://localhost:9446/carbon.
  2. On the Main tab, click Home > Identity > Service Providers> Add.
  3. Enter consentmgt as the Service Provider’s name. 
  4. Click Register.
  5. Click Inbound Authentication configuration > OAuth/OpenID Connect configuration > Configure.

  6. Set the values for the following parameters and keep the default value for the other parameters.

    ParameterValue
    OAuth Version2.0
    Allowed Grant Type

    code

    Callback URL

    regexp=(https://localhost:9446/consentmgt|https://localhost:9446/consentmgt)

    The first and second URLs are respectively; redirect and logout URLs.

    Regex-based consumer URLs are supported when defining the callback URL. This enables you to configure multiple callback URLs for one application by entering a regex pattern as the value for the callback URL field.

    You must have the prefix regexp= before your regex pattern. To define a normal URL, you can specify the callback URL without this prefix.

  7. Click Add.

    The OAuth client key/client ID and OAuth client secret are generated. Those are used in Configuring consent management jaggery application.

  8. Open the < WSO2_OB_KM_HOME> /repository/deployment/server/jaggeryapps/consentmgt/configs/conf.json file. Modify the apimHostapplicationIdauthCredentialredirectUrl, and logoutUrl parameters as follows. 

    In authCredential, be sure to encode the CLIENT_ID:CLIENT_SECRET with BASE64ENCODE encoding. 

    {
	"app" : "consentmgt",
	"applicationType" : "oauth2",
	"tenantDomain": "carbon.super",
	"apimHost":"http://localhost",
	"apimNioPort":"8280",
	"apimHttpPort":"9763",
	"kmHost" : "https://localhost",
	"kmPort" : "9446",
	"kmTokenAPI" : "oauth2/token",
	"kmAuthorizeAPI" : "oauth2/authorize",
	"applicationId":"<CLIENT_ID>",
	"authCredential":"<BASE64ENCODED CLIENT CREDENTIALS>",
	"redirectUrl":"https://localhost:9446/consentmgt",
	"logoutUrl": "https://localhost:9446/consentmgt",
	"tokenApiName" : "token",
	"tokenApiVersion" : "",
	"authorizeApiName" : "authorize",
	"authorizeApiVersion" : "",
	"pagination" : {
		"limit" : 11,
		"actualLimit" : 10,
		"offset": 0
	},
	"DeployedSpecification" : "UK"
}

    Important

    Update the specification under DeployedSpecification parameter appropriately. Possible values are UK, BERLIN, AU, and STET. By default, the value is set to UK.

Try out the Customer Care Portal at  https://localhost:9446/ccportal. Sign in to the Customer Care Portal with the credentials for ann@gold.com Internal/CustomerCareOfficer.

Try out the consent revocation apps in WSO2 Open Banking.

What's Next

Now that you have created the APIs that allow you to initiate payments and access account information, let's try out the flows in WSO2 Open Banking: