Running the Security Conformance Suite for UK

WSO2 Open Banking 1.5.0 supports OpenID Conformance suite v4.1.10.

The conformance suite consists of security standards that are defined by the Open ID Foundation (OIDF). It maximises the security of the APIs, providing robust data flow in Open Banking. An advantage of using OIDF security standards is that the Account Servicing Payment Service Provider (ASPSP) can attest to the affiliated payment service providers through a self-certification process.

The WSO2 Open Banking solution supports users to comply with a conformance suite that can be configured by the ASPSP. The following configurations guide you to set up the WSO2 Open Banking solution to specification standards for conformance.

Self-certificate generation

Generate self-signed certificates for development purposes or when the Open Banking directory is not accessible.

This step is not necessary for Open Banking directory certificates.

Click here to see how it is done

Root certificate generation

Generate a root certificate by following the steps below. You can use a root certificate to sign client certificates instead of the Open Banking directory certificate.

Parameter Name	Description	Value
`<root_ca_name>`	Name for root Certification Authority (CA) certificate	`rootCA`

Generate a private key for the root certificate.

openssl genrsa -des3 -out <root_ca_name>.key 4096

Generate a public certificate for the root certificate.

openssl req -x509 -new -nodes -key <root_ca_name>.key -sha256 -days 1024 -out <root_ca_name>.crt

Client certificate generation

Follow the steps below to generate certificates for a client application, which are signed by the previously generated root certificate.

Parameter Name	Description	Value
`<client_name>`	Unique name for the client	`tpp.com`
`<root_ca_name>`	Name for root CA (generated in the prior step)	`rootCA`

Generate a private key for the client.

openssl genrsa -out <client_name>.key 2048

Create a Certificate Signing Request (CSR) for the client.

openssl req -new -key <client_name>.key -out <client_name>.csr

Generate a client certificate with a CSR.

openssl x509 -req -in <client_name>.csr -CA rootCA.crt -CAkey <root_ca_name>.key -CAcreateserial -out <client_signed_cert_name>.crt -days 50000 -sha256

This process can be repeated for any number of clients.

Open Banking API Manager configurations

Axis2 configurations

Open the <WSO2_OB_APIM_HOME>/repository/conf/axis2/axis2.xml file.

Add the following attributes under the <transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener"> property.

<parameter name="HttpsProtocols">TLSv1.2</parameter> 
<parameter name="PreferredCiphers">TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</parameter>

Refer to Disabling weak ciphers in the WSO2 Administration Guide and disable weak ciphers.

Restart the API Manager server in order to reflect the changes.

Mutual TLS configuration

Configure the Mutual Transport Layer Security (MTLS) validation handlers in the synapse configurations. It ensures that the authenticated client uses the pre-registered transport certificate to communicate with the API.

Import the root/issuer certificate to the Open Banking Key Manager (WSO2 OB KM) and Open Banking API Manager (WSO2 OB APIM) client trust stores.
- Go to the following directories and run the command per certificate.
  1. <WSO2_OB_APIM_HOST>/repository/resources/security
  2. <WSO2_OB_KM_HOST>/repository/resources/security
    keytool -import -alias <unique alias> -file <certificate file> -keystore client-truststore.jks -storepass wso2carbon
In the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api/_TokenAPI_.xml file, add the MTLS validation handler to the token API.
```
<handler class="com.wso2.finance.open.banking.mtls.validator.handler.MTLSValidationHandler"/>
```
When running the openbankinguk-private_key_jwt test plan, remove GatewayClientAuthenticationHandler from _TokenAPI_.xml.
Add MTLSClientTokenValidationHandler for each resource API (All read/write APIs) in the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api directory.
- Make sure to add MTLSClientTokenValidationHandler after APIAuthenticationHandler as follows:
```
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler">
<handler class="com.wso2.finance.open.banking.mtls.validator.handler.MTLSClientTokenValidationHandler"/>
```
  The above handlers can be added under the <handlers> property in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file. This automatically integrates the handlers into the APIs that are published afterwards.

Open Banking Key Manager configurations

identity.xml configurations

IDTokenBuilder configuration:
Open the <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml file and make sure the following ID token builder is configured:
```
<OpenIDConnect>
	<IDTokenBuilder>com.wso2.finance.open.banking.idtoken.builder.OBIDTokenBuilder</IDTokenBuilder>
</OpenIDConnect>
```
ID Token Signing Algorithm Configuration:
You can change the signing algorithm of the ID Token in the well-known configuration (id_token_signing_alg_values_supported).
Open the <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml file and update the <OpenIDConnect> <SignatureAlgorithm> element. The <SignatureAlgorithm> element value is an algorithm name. For example, SHA256withPS.
```
<OpenIDConnect>
	<SignatureAlgorithm>SHA256withPS</SignatureAlgorithm>
</OpenIDConnect>
```
IDTokenIssuerID configuration:
Open the <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml file and update the <OpenIDConnect> <IDTokenIssuerID> element with the issuer in .well-known config.
```
<OpenIDConnect>
	<IDTokenIssuerID><issuer in .well-known config></IDTokenIssuerID>
</OpenIDConnect>
```

SupportedGrantType configuration:

Add the refresh_token grant type with the following configurations under <SupportedGrantTypes> <SupportedGrantType> elements.

<SupportedGrantTypes>
	<SupportedGrantType>
		<GrantTypeName>refresh_token</GrantTypeName>
		<GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBRefreshGrantHandler</GrantTypeHandlerImplClass>
	</SupportedGrantType>
</SupportedGrantTypes>

Organization JWKS URL configuration:

This step is not necessary if you are not integrating with an external trust anchor.
In the <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml file, change the JWKS URL retrieved from the Open Banking directory.
```
<OAuth2JWKSPage><org JWKS URL></OAuth2JWKSPage>
```

SupportedResponseType configuration:

Remove the SupportedResponseType code from <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml.

<SupportedResponseTypes>
	<SupportedResponseType>
		<ResponseTypeName>code</ResponseTypeName>
		<ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBCodeResponseTypeHandler</ResponseTypeHandlerImplClass>
		<ResponseTypeValidatorImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.validators.OBCodeTokenResponseValidator</ResponseTypeValidatorImplClass>
	</SupportedResponseType>
</SupportedResponseTypes>

Add the following configurations to <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml, under the <JWKSEndpoint> tag.

<JWKSEndpoint>
	<UseInvalidClientErrorOnSignatureFailure>true</UseInvalidClientErrorOnSignatureFailure>
</JWKSEndpoint>

In <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml, enable the OBMutualTLSClientAuthenticator event listener configuration:

<!-- Open Banking Mutual TLS Authenticator -->
<EventListener enable="true" name="com.wso2.finance.open.banking.mtls.authenticator.OBMutualTLSClientAuthenticator" orderId="26" type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"/>

well-known endpoint configuration

Download and extract the well-known-config-resources.zip.
Copy servlet-1.0-SNAPSHOT.jar in to <WSO2_OB_KM_HOME>/repository/components/lib directory.
Copy openid-configuration.json file to <WSO2_OB_KM_HOME>/repository/conf/identity directory. Update the values in openid-configuration.json file according to your requirement.

A sample openid-configuration.json is available here .

Register the servlet in <WSO2_OB_KM_HOME>/repository/conf/tomcat/web.xml file. Add the following elements before the </webapp> tag.

<servlet>
  <servlet-name>Discovery</servlet-name>
  <servlet-class>myPackage.Discovery</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>Discovery</servlet-name>
  <url-pattern>/oidcdiscovery/.well-known/openid-configuration</url-pattern>
</servlet-mapping>

Open the <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api/_OIDCDiscoveryAPI.xml file and update the context value as follows:
```
<api xmlns="http://ws.apache.org/ns/synapse" name="_OIDC_Discovery_API_" context="/token/.well-known/openid-configuration">
```
Restart the Key Manager and API Manager servers.

Go to the following link and see the changes:

https://<WSO2_OB_APIM_HOST>:8243/.well-known/openid-configuration

Claim configurations

If you want the well-known configuration to reflect the claims_supported property with your claims, you should follow the steps below and configure the claims.

Claim configuration exposes the correct Open ID Connect (OIDC) claims and scopes. For more information on claim management, see Claim Management in the WSO2 Identity Server documentation.

Log in to the Key Manager Management Console at https://<WSO2_OB_KM_HOST>/carbon.
In the Main menu, click Claims > Add > Add Local Claim.
Create the following local claims:

Claim URL Display Name
http://wso2.org/claims/open_banking_intent_id Open Banking Intent ID
http://wso2.org/claims/accounts Accounts
http://wso2.org/claims/payments Payments

The Mapped Attributes in the local claim configuration should be the Display Name in the camel case.

Display Name Open Banking Intent ID
Mapped Attribute OpenBankingIntentID
Click Claims > Add > Add External Claim to add an external OIDC claim.
Create the following external local claims.

State the dialect URI as http://wso2.org/oidc/claim

External Claim URL Mapped Local Claim
http://wso2.org/claims/open_banking_intent_id openbanking_intent_id
http://wso2.org/claims/accounts accounts
http://wso2.org/claims/payments payments
Click Home > Manage > OIDC Scopes > Add.
Add the following OIDC scopes:

Scope Name OIDC Claims
accounts accounts
payments payments

open-banking.xml configurations

To run the Security Conformance Suite, you need 2 different signing/transport certificates and corresponding SSAs.
- Combine the signing certificate and key to pk12 format using the command below. Repeat this step for both the certificate sets.
```
openssl pkcs12 -export -in <pem file> -inkey <key file> -name <alias> -out CertAndKey.p12
```

Create a new keystore file:

keytool -genkey -alias <keystore alias> -keyalg RSA -keystore <keystore name>.jks -keysize 2048

Import the p12 files to the new keystore. Repeat this step for both the p12 files.

keytool -importkeystore -deststorepass <keystore password> -destkeystore <keystore name>.jks -srckeystore CertAndKey.p12 -srcstoretype PKCS12

Duplicate and place the new keystore in the following locations:
- <WSO2_OB_KM_HOME>/repository⁩/⁨resources⁩/security
- <WSO2_OB_APIM_HOME>/repository⁩/⁨resources⁩/security
Add the new keystores to the client-truststores.
1. Go to the <WSO2_OB_IAM_HOME>/repository⁩/⁨resources⁩/security directory.
2. Export the public certificate of the keystore to a .pem file.
```
keytool -export -alias <alias> -keystore <keystore_name>.jks -file <keystore_name>.pem
```
3. Import the .pem file to client-truststore.jks.
```
keytool -import -alias <alias> -file <keystore name>.pem -keystore client-truststore.jks -storepass wso2carbon
```
4. Go to the <WSO2_OB_APIM_HOME>/repository⁩/⁨resources⁩/security directory and repeat the above steps.

Configure the new keystore file.

Open the <WSO2_OB_KM_HOME>/repository/conf/carbon.xml file and configure the new keystore file as follows:

<KeyStore>
	<!-- Keystore file location-->
	<Location><<WSO2_OB_KM_HOME>/repository⁩/⁨resources⁩/security/new_keystore.jks></Location>
	<!-- Keystore type (JKS/PKCS12 etc.)-->
	<Type>JKS</Type>
	<!-- Keystore password-->
	<Password><new keystore password</Password>
	<!-- Private Key alias-->
	<KeyAlias><new private key alias</KeyAlias>
	<!-- Private Key password-->
	<KeyPassword><new private key password</KeyPassword>
</KeyStore>

Open the <WSO2_OB_APIM_HOME> /repository/conf/carbon.xml file and configure the new keystore by following the step above.

Define the alias and kid values for the primary signing certificates in the following files:

<WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml
<WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml

<OBIdentityRetriever>
	<Server>
		<SigningCertificateAlias><production-key alias></SigningCertificateAlias> 
		<SigningCertificateKid><production kid></SigningCertificateKid> 
	</Server>
</OBIdentityRetriever>

Running the conformance suite

The test suite requires configuration in the form of a JSON document with two application details; resource and certificate files.

Configuring the Adaptive Authentication script

Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/common.auth.script.js file.

Remove the existing content and add the following:

var psuChannel = 'Online Banking';

function onLoginRequest(context) {
    reportingData(context, "AuthenticationAttempted", false, psuChannel);

    executeStep(1, {
        onSuccess: function (context) {
            var supportedAcrValues = ['urn:openbanking:psd2:sca', 'urn:openbanking:psd2:ca'];
            var selectedAcr = selectAcrFrom(context, supportedAcrValues);
		    context.selectedAcr = selectedAcr;
        },
        onFail: function (context) { //basic auth fail
            //retry
        }
    });
}

Restart the API Manager server.

Configuring the applications

The test suite has to run from the perspective of two clients. Therefore, two applications are required. Follow the steps and create applications:

Log in to the Open Banking API Manager Store (https://<WSO2_OB_APIM_HOME>9443/store).

Create two applications under the same Third Party Provider (TPP). Use the following configurations:

Field	Value
Callback URL	Application 1	`https://<TEST_SUITE_HOST>:<TEST_SUITE_PORT>/test/a/<ALIAS>/callback`
	Application 2	`https://<TEST_SUITE_HOST>:<TEST_SUITE_PORT>/test/a/<ALIAS>/callback?dummy1=lorem&dummy2=ipsum` For Application 2, avoid using regular expressions in the Callback URL.
Application Certificate	Client certificates (public key) that are signed by the root CA/Issuer CA (prior acquired or generated). For example, `tpp.com.crt`.

If you have integrated with OBIE, use the Dynamic Client Registration v3.2 API. If you're using Manual Client Registration, follow the given steps and create an application.

Generate production keys.
Take note of the generated consumer key and secret.

Configuring the test suite

This section describes how to build the test suite to identify the configuration and application settings of the solution.

Get the Skeleton JSON configuration from Open Banking Developer Zone.

A sample JSON configuration file is available here.
- The kid value should be the specific kid value of the corresponding signing certificate in the JWKS.
In the Server section, fill in the following values.

Key Value
discoveryURL https://<WSO2_OB_APIM_GATEWAY_HOST>:<WSO2_OB_APIM_GATEWAY_PORT>/.well-known/openid-configuration
Set the alias parameter as previously configured in the unique instance value.

Configure the resource section, with the following parameters.

Key	Value
`resourceUrl`	AccountsInfoAPI resource URL as shown in the API store
`institution_id`	`<XFAPIFinancialId>` specified in the `open-banking.xml` file (default value is `open-bank`)

Configure the client and MTLS by following the steps below:

Client and MTLS correspond to the first application, and client2 and mtls2 correspond to the second application.

Fill in the client and client2 sections with the following parameters:

Key	Value
`client_id`	The client ID for the application, as shown in the API Store.
`client_secret`	The client secret for the application, as shown in the API Store.
`scope`	OpenID accounts.
`jwks.keys`	The respective signing JWK set. This can be generated online using this tool.

Fill in the MTLS and MTLS2 sections with the following parameters:

For live environments with open banking transport certificates, the pre-filled CA should suffice.

An online tool is available for converting the transport certificate files to the required line breaks to literal \n format. Click here to try out the tool

Key	Value
key	Content of .key file of the transport certificate with line breaks replaced with literal \n
cert	Content of .crt file of the transport certificate with line breaks replaced with literal \n
ca	Content of rootCA .crt file of the transport certificate with line breaks replaced with literal \n

Starting the suite

Starting the suite locally

For more information on starting the suite locally, go to OpenID Foundation conformance-suite build and run.

Clone the repo https://gitlab.com/openid/conformance-suite, using the command below and build the latest version.
If you encounter a permission denied error during cloning, use HTTP cloning instead of ssh.
```
git clone https://gitlab.com/openid/conformance-suite.git
```
Stop all the running docker containers and ensure a clean state. The following command shows the container status.
```
docker ps
```
Execute the following commands to remove any local files.
```
git clean -x -f -d 
git reset --hard HEAD
```
If you are using a Linux environment:
- Add the hostname mapping using the extra_hosts: tag to the docker-compose.yml file in conformance-suite. Replace the given placeholders with the hostname and the IP address of the Docker bridge.
```
httpd:
  build:
    context: ./httpd
  ports:
   - "8443:8443"
  extra_hosts:
   - "<DOCKERBRIDGE_HOST>:<DOCKERBRIDGE_IP>"
  depends_on:
   - server
```
Run without installing JDK and Maven.
```
MAVEN_CACHE=./m2 docker-compose -f builder-compose.yml run builder
```
If you have a local Java development environment:
mvn clean package
Execute the following commands to build the docker image.
```
docker-compose build
```
Start the docker container.
```
docker-compose up
```
The test suite is now available locally at https://localhost:8443/

When running both the solution and the test suite locally, make sure to use the host machine's IP for Docker.
For an example: docker.for.mac.localhost

If you get these errors:

docker-compose: command not found error, execute the following commands.

sudo curl -L "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

sudo mv /usr/local/bin/docker-compose /usr/bin/docker-compose

sudo chmod +x /usr/bin/docker-compose

ERROR: Couldn't connect to Docker daemon at http+docker://localhost - is it running? If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.
Execute the command with superuser privileges.
```
sudo docker-compose up
```

Starting the suite online

If you're running WSO2 Open Banking in a local setup you are not able to use the online suite.

Go to https://www.certification.openid.net/ and start the conformance suite online.

Running the tests

Copy the sample JSON configurations here to a text editor.

A sample JSON file is available here .
Update the values according to the application you created in the step above. For example: the clientID, clientSecret, API URI, discoveryUrl etc.
Copy and paste the content of the private key (tpp.com.key) in https://kaveenr.github.io/cert-utils/ .
Copy the obtained JSON object. Update the value of the keys array element in the JSON configurations with the copied JSON object.
Navigate and log in to the test suite.
Select an appropriate Open Banking test plan and a client authentication type.
Copy the content in the modified JSON configuration file and paste the configuration into the JSON tab.
Click Start Test Plan.
Run each given test in sequence.
Follow the instructions and the suite will prompt if manual intervention is needed.

Troubleshooting

Use the suggested solutions below to solve these errors.

Error: The RSA JWK doesn't contain a private part
Solution: Use https://kaveenr.github.io/cert-utils/ to create keys, or if JWKS URI is used, make sure the tls key is included in the URI.

Error: HazelcastSerializationException
Solution: Disable the clustering deployment.

Error: {"error_description":"A valid OAuth client could not be found for client_id: qX1tXeIuYB5k4ixIVEtqiaL3DcY","error":"invalid_client"}
Solution: Make sure you use the correct clientID in configurations.

Error: getBoolean called on something that is not boolean
Solution: Update the string values in well-known endpoint by replacing them with boolean values. For example true not “true”.

Error: “The ExpirationDateTime value has to be a future date”
Solution: Change the timezone of the machine to UK timezone

Error: Redirect URL does not match with the provided one.
Solution: Change the hostname of the fintechlabs.base_url to the hostname of the Docker bridge in docker-compose.yml. For example:
```
java
-jar /server/fapi-test-suite.jar
--fintechlabs.base_url=https://<DOCKERBRIDGE_HOST>:8443
```

References

https://openid.net/certification/instructions/

Claim URL	Display Name
http://wso2.org/claims/open_banking_intent_id	Open Banking Intent ID
http://wso2.org/claims/accounts	Accounts
http://wso2.org/claims/payments	Payments

Display Name	Open Banking Intent ID
Mapped Attribute	OpenBankingIntentID

External Claim URL	Mapped Local Claim
http://wso2.org/claims/open_banking_intent_id	openbanking_intent_id
http://wso2.org/claims/accounts	accounts
http://wso2.org/claims/payments	payments