This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring the Open-Banking.xml File for AU

Configure open-banking.xml files in both WSO2 Open Banking Key Manager (WSO2 OB KM) and WSO2 Open Banking API Manager (WSO2 OB APIM) components based on the configurations listed below.

The open-banking.xml files are in below locations:

  • <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml
  • <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml

Do the following configurations in both the Key Manager and API Manager components and restart the servers.


Configuration 1

Define the specification that you plan to deploy.

Possible values: UK, BERLIN, AU, STET

<DeployedSpecification>AU</DeployedSpecification> 
Configuration 2
  • Shareable accounts - accounts that are accessible online.

<SharableAccountsRetrieveEndpoint>: Configures the endpoint to retrieve the sharable accounts that are listed on the consent page.

<SharableAccountsRetrieveEndpoint>http://<WSO2_OB_APIM_HOST>:9763/open-banking/services/bankaccounts/bankaccountservice/sharable-accounts</SharableAccountsRetrieveEndpoint>

In the default WSO2 Open Banking solution, an API is exposed that returns the shareable accounts for the user_id passed to it. The endpoint must return a JSON response of the following form; the consent page then loads the account list from it automatically.

{
 "data": [
  {
   "account_id": "1234-2345-3456-4567",
   "display_name": "1234-2345-3456-4567"
  },
  {
   "account_id": "9999-4345-8456-4567",
   "display_name": "9999-4345-8456-4567"
  }
 ]
}

By default, the mock back end deployed in WSO2 OB APIM is configured. Required parameters can be passed as query parameters to those endpoints. An example of configuring the endpoint to retrieve sharable accounts:

http://<WSO2_OB_APIM_HOST>:9443/as400/sharable-accounts/{userId}
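As an added illustration (not part of the WSO2 documentation or product), the following Python mock back end serves the sharable-accounts response in exactly the shape shown above, and includes a shape check a Data Holder can run against its own back end before pointing the consent page at it. The user ids, account numbers, bind address and port 8081 are constructed values; the path /sharable-accounts/{userId} follows the example endpoint above, and all function and class names are hypothetical.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed sample data: which accounts each user is allowed to share online.
# A real deployment would query the core banking system instead.
SHARABLE_ACCOUNTS = {
    "psu1": ["1234-2345-3456-4567", "9999-4345-8456-4567"],
    "psu2": ["5555-1111-2222-3333"],
}


def sharable_accounts_response(user_id):
    """Build the JSON body the consent page expects for one user.

    An unknown user gets an empty list rather than an error, so the consent
    page never lists an account the user is not entitled to share.
    """
    accounts = SHARABLE_ACCOUNTS.get(user_id, [])
    return {"data": [{"account_id": a, "display_name": a} for a in accounts]}


def is_valid_sharable_accounts_response(body):
    """Check that a back-end response has exactly the shape shown on the page:
    a single "data" list whose entries carry non-empty account_id and
    display_name strings and nothing else."""
    if not isinstance(body, dict) or set(body) != {"data"}:
        return False
    if not isinstance(body["data"], list):
        return False
    for entry in body["data"]:
        if not isinstance(entry, dict) or set(entry) != {"account_id", "display_name"}:
            return False
        if not all(isinstance(entry[k], str) and entry[k] for k in entry):
            return False
    return True


class SharableAccountsHandler(BaseHTTPRequestHandler):
    """Serves GET /sharable-accounts/{userId}; every other path is a 404."""

    def do_GET(self):
        parts = urlparse(self.path).path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "sharable-accounts" or not parts[1]:
            self.send_error(404)
            return
        payload = json.dumps(sharable_accounts_response(parts[1])).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Hypothetical local port; point SharableAccountsRetrieveEndpoint at
    # http://127.0.0.1:8081/sharable-accounts/{userId} to try it.
    HTTPServer(("127.0.0.1", 8081), SharableAccountsHandler).serve_forever()
```

The shape check is deliberately strict (no extra keys, no empty strings) so that a back end drifting from the documented contract is caught in testing rather than by a consent page that silently shows nothing.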
Configuration 3

Metadata management: 

ACCC does not support this feature yet. To try out the feature before the ACCC endpoints are available, create a mock back end and invoke the hosted services.

Once ACCC creates its status discovery endpoints, the Data Holder should configure the following properties under <AU><MetaDataCache>:

  • <EnableMetaDataCache>: To enable metadata caching, set the value to true.
  • <MetaDataCacheUpdatePeriod>: Defines the interval, in minutes, at which the cache is periodically refreshed from the discovery endpoints.
  • <DefaultCacheTimeout>: The expiration time of the base cache, in minutes.
  • <DataRecipientsDiscoveryURL> :  The endpoint provided by ACCC for retrieving the statuses of Data Recipients.

     A sample response from a mock back end for the Data Recipients Discovery endpoint:
    {
       "dataRecipients":[
          {
             "dataRecipientId":"TPP1",
             "dataRecipientStatus":"Active"
          },
          {
             "dataRecipientId":"TPP2",
             "dataRecipientStatus":"Suspended"
          },
          {
             "dataRecipientId":"TPP3",
             "dataRecipientStatus":"Revoked"
          },
          {
             "dataRecipientId":"TPP4",
             "dataRecipientStatus":"Surrendered"
          },
          {
             "dataRecipientId":"TPP5",
             "dataRecipientStatus":"Active"
          },
          {
             "dataRecipientId":"TPP7",
             "dataRecipientStatus":"Suspended"
          },
          {
             "dataRecipientId":"OI1",
             "dataRecipientStatus":"Active"
          },
          {
             "dataRecipientId":"TPP8",
             "dataRecipientStatus":"Surrendered"
          },
          {
             "dataRecipientId":"TPP9",
             "dataRecipientStatus":"Active"
          },
          {
             "dataRecipientId":"TPP10",
             "dataRecipientStatus":"Suspended"
          },
          {
             "dataRecipientId":"TPP11",
             "dataRecipientStatus":"Revoked"
          },
          {
             "dataRecipientId":"TPP12",
             "dataRecipientStatus":"Surrendered"
          }
       ]
    }
  • <SoftwareProductsDiscoveryURL> :  The endpoint provided by ACCC for retrieving the statuses of software products.

     A sample response from a mock back end for the Software Products Discovery endpoint:
    {
       "softwareProducts":[
          {
             "softwareProductId":"SP1",
             "softwareProductStatus":"Active"
          },
          {
             "softwareProductId":"SP2",
             "softwareProductStatus":"Inactive"
          },
          {
             "softwareProductId":"SP3",
             "softwareProductStatus":"Removed"
          },
          {
             "softwareProductId":"SP4",
             "softwareProductStatus":"Active"
          },
          {
             "softwareProductId":"SP5",
             "softwareProductStatus":"Inactive"
          },
          {
             "softwareProductId":"SP6",
             "softwareProductStatus":"Removed"
          },
          {
             "softwareProductId":"SP7",
             "softwareProductStatus":"Active"
          },
          {
             "softwareProductId":"SI1",
             "softwareProductStatus":"Inactive"
          },
          {
             "softwareProductId":"SP9",
             "softwareProductStatus":"Removed"
          },
          {
             "softwareProductId":"SP10",
             "softwareProductStatus":"Active"
          },
          {
             "softwareProductId":"SP11",
             "softwareProductStatus":"Inactive"
          },
          {
             "softwareProductId":"SP12",
             "softwareProductStatus":"Removed"
          }
       ]
    }
  • <DCRInternalURL>: The API Manager internal URL for accessing Dynamic Client Registration.

<MetaDataCache>
	<EnableMetaDataCache>true</EnableMetaDataCache>
	<MetaDataCacheUpdatePeriod>5</MetaDataCacheUpdatePeriod>
	<DefaultCacheTimeout>1</DefaultCacheTimeout>
	<DataRecipientsDiscoveryURL><DR_DISCOVERY_MOCK_URL></DataRecipientsDiscoveryURL>
	<SoftwareProductsDiscoveryURL><SP_DISCOVERY_MOCK_URL></SoftwareProductsDiscoveryURL>
	<DCRInternalURL>https://<WSO2_OB_APIM_HOST>:9443/dynamic-client-registration/common/register/</DCRInternalURL>
</MetaDataCache>
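As an added example (not WSO2 code), this Python class models how the four settings above interact: the cache is filled from the two discovery endpoints, reused until DefaultCacheTimeout expires, refreshed on a MetaDataCacheUpdatePeriod schedule, and consulted so that only a Data Recipient and software product that are both Active get through. The fetch callables, the injectable clock and the trimmed sample responses are constructed for the example, and the class and method names are hypothetical.

```python
import json
import time

# Constructed samples with the same shape as the mock discovery responses
# shown on this page (a subset of the ids).
DATA_RECIPIENTS_JSON = json.dumps({"dataRecipients": [
    {"dataRecipientId": "TPP1", "dataRecipientStatus": "Active"},
    {"dataRecipientId": "TPP2", "dataRecipientStatus": "Suspended"},
    {"dataRecipientId": "TPP3", "dataRecipientStatus": "Revoked"},
    {"dataRecipientId": "TPP4", "dataRecipientStatus": "Surrendered"},
]})
SOFTWARE_PRODUCTS_JSON = json.dumps({"softwareProducts": [
    {"softwareProductId": "SP1", "softwareProductStatus": "Active"},
    {"softwareProductId": "SP2", "softwareProductStatus": "Inactive"},
    {"softwareProductId": "SP3", "softwareProductStatus": "Removed"},
]})


class MetaDataCache:
    """Hypothetical in-memory model of the <MetaDataCache> settings:
    enabled -> EnableMetaDataCache, update_period -> MetaDataCacheUpdatePeriod,
    default_timeout -> DefaultCacheTimeout (both in minutes, as on the page).
    fetch_recipients / fetch_products stand in for HTTP GETs to the
    DataRecipientsDiscoveryURL and SoftwareProductsDiscoveryURL."""

    def __init__(self, fetch_recipients, fetch_products, enabled=True,
                 update_period=5, default_timeout=1, clock=time.time):
        self.fetch_recipients = fetch_recipients
        self.fetch_products = fetch_products
        self.enabled = enabled
        self.update_period = update_period * 60
        self.default_timeout = default_timeout * 60
        self.clock = clock
        self.recipients = {}
        self.products = {}
        self.loaded_at = None

    def refresh(self):
        """Fetch both discovery endpoints and rebuild the id -> status maps.
        Returns False and keeps the previous data if a fetch fails; before the
        first successful load the maps are empty, so every check fails closed."""
        try:
            dr = json.loads(self.fetch_recipients())
            sp = json.loads(self.fetch_products())
            recipients = {e["dataRecipientId"]: e["dataRecipientStatus"]
                          for e in dr["dataRecipients"]}
            products = {e["softwareProductId"]: e["softwareProductStatus"]
                        for e in sp["softwareProducts"]}
        except (OSError, ValueError, KeyError, TypeError):
            return False
        self.recipients, self.products = recipients, products
        self.loaded_at = self.clock()
        return True

    def periodic_update(self):
        """Call from a scheduler; refreshes once the update period has elapsed."""
        if self.loaded_at is None or self.clock() - self.loaded_at >= self.update_period:
            self.refresh()

    def _ensure_loaded(self):
        # With caching disabled every lookup hits the discovery endpoints;
        # otherwise entries are reused until the default cache timeout expires.
        if (not self.enabled or self.loaded_at is None
                or self.clock() - self.loaded_at >= self.default_timeout):
            self.refresh()

    def is_data_recipient_active(self, recipient_id):
        self._ensure_loaded()
        return self.recipients.get(recipient_id) == "Active"

    def is_software_product_active(self, product_id):
        self._ensure_loaded()
        return self.products.get(product_id) == "Active"

    def is_request_allowed(self, recipient_id, product_id):
        """Fail closed: an unknown id or any non-Active status blocks the request."""
        return (self.is_data_recipient_active(recipient_id)
                and self.is_software_product_active(product_id))
```

Note the failure behaviour: a discovery endpoint that is unreachable keeps the last good statuses (bounded by the timeout) rather than emptying the cache, while a cache that has never loaded blocks everything, which is the safer default for a status list whose whole purpose is to stop Suspended, Revoked, Surrendered or Removed participants.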

Configuration 4

Support for extended endpoints and holder-specific version handling:

  • By default, the following resources are configured in the solution. To add additional resources to the Consumer Data Standards API, add an entry under <ResourcePaths> in WSO2 Open Banking Key Manager:

    <ResourcePaths>
    	/banking/accounts,
    	/banking/accounts/balances,
    	/banking/accounts/direct-debits,
    	/banking/accounts/{AccountId}/balance,
    	/banking/accounts/{AccountId},
    	/banking/accounts/{AccountId}/transactions,
    	/banking/accounts/{AccountId}/transactions/{transactionId},
    	/banking/accounts/{AccountId}/direct-debits,
    	/banking/accounts/{AccountId}/payments/scheduled,
    	/banking/payments/scheduled,
    	/banking/payees,
    	/banking/payees/{payeeId},
    	/banking/products,
    	/banking/products/{productId},
    	/common/customer,
    	/common/customer/detail,
    	/discovery/status,
    	/discovery/outages
    </ResourcePaths>
  • To define a Data Holder specific identifier for extended API endpoints, configure the following in WSO2 Open Banking API Manager. For example, if the Data Holder is ABC-Bank:

    <HolderIdentifier>
    	ABC-Bank
    </HolderIdentifier>
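An added Python example (not part of the WSO2 solution) of how a gateway can match an incoming request path against the ResourcePaths list above, with each {param} matching exactly one non-empty path segment, query strings ignored, dot segments rejected, and a literal path such as /banking/accounts/balances preferred over the templated /banking/accounts/{AccountId} that would also match it. The function names are hypothetical; the template list is the page's own default.

```python
import re
from urllib.parse import urlsplit

# The default ResourcePaths body from this page, comma separated as in the XML.
RESOURCE_PATHS_TEXT = """
/banking/accounts,
/banking/accounts/balances,
/banking/accounts/direct-debits,
/banking/accounts/{AccountId}/balance,
/banking/accounts/{AccountId},
/banking/accounts/{AccountId}/transactions,
/banking/accounts/{AccountId}/transactions/{transactionId},
/banking/accounts/{AccountId}/direct-debits,
/banking/accounts/{AccountId}/payments/scheduled,
/banking/payments/scheduled, /banking/payees,
/banking/payees/{payeeId}, /banking/products,
/banking/products/{productId},
/common/customer,
/common/customer/detail,
/discovery/status,
/discovery/outages
"""


def parse_resource_paths(text):
    """Split the comma-separated element body into a clean list of templates."""
    return [p.strip() for p in text.replace("\n", " ").split(",") if p.strip()]


def template_to_regex(template):
    """Compile /banking/accounts/{AccountId} into an anchored regex in which
    each {param} becomes a named group matching one non-empty segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("(?P<%s>[^/]+)" % seg[1:-1])
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def match_resource(request_path, templates):
    """Return (template, params) for the best matching resource, or None.

    Literal templates win over templated ones so that /banking/accounts/balances
    is not mistaken for an account id. Anything containing "." or ".." segments
    is refused outright rather than being matched as a parameter value.
    """
    path = urlsplit(request_path).path
    if any(seg in (".", "..") for seg in path.split("/")):
        return None
    best = None
    for template in templates:
        m = template_to_regex(template).match(path)
        if m is None:
            continue
        score = template.count("{")  # fewer parameters = more specific
        if best is None or score < best[0]:
            best = (score, template, m.groupdict())
    return None if best is None else (best[1], best[2])
```

The same matcher can drive an allow-list: a request whose path matches no configured template is not a Consumer Data Standards resource the solution knows about and can be rejected before any further processing.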

Configuration 5

To cache the responses received for the CDS API requests, update the following configurations in WSO2 Open Banking API Manager:

<Enforcement>
	<Cache>
		<CacheEnabled>true</CacheEnabled>
		<ModifiedExpiryMinutes>15</ModifiedExpiryMinutes>
		<AccessedExpiryMinutes>15</AccessedExpiryMinutes>
	</Cache>
</Enforcement>
Configuration 6

To configure Mutual Transport Layer Security (MTLS) certificate bound access tokens, update the open-banking.xml file in WSO2 Open Banking Key Manager:

  1. Set the <EnableMTLSTokenBinding> property under <APISecurity> as follows:

    <EnableMTLSTokenBinding>true</EnableMTLSTokenBinding>
  2. Configure the client certificate header name using the <CertificateManagement><ClientAuthenticationHeader> property:

    <ClientAuthenticationHeader>x-wso2-mutual-auth-cert</ClientAuthenticationHeader>

See MTLS certificate bound access token for more information.

Configuration 7

If MTLS is terminated before the request reaches the Gateway, retrieve the Data Recipient's certificate from the MTLS session and include it as a transport certificate header. By default, the gateway expects ssl.client.auth.cert.X509 as the transport header. Set the name of the transport certificate header in <TransportCertificateHeader> under the <CertificateManagement> element. See the sample configuration below.

<CertificateManagement>
	<!-- In order to enable the client certificate validation feature (Certificate Expiry, Signature and
	Revocation validation during MTLS), the following module needs to be engaged under the "Global Engaged
	Modules" section in the axis2.xml file.

	<module ref="mtlscertvalidator"/>
	-->

	<!-- Set the value of the transport certificate header sent in the request if MTLS is terminated before
	the gateway. The default value is ssl.client.auth.cert.X509 -->
	<TransportCertificateHeader>ssl.client.auth.cert.X509</TransportCertificateHeader>
</CertificateManagement>

The load balancer must not allow the Data Recipient to send its own certificate in the transport certificate header that is configured in open-banking.xml under the <TransportCertificateHeader> element.

If such a header is present in the Data Recipient's request, the load balancer must remove it before forwarding the request. This applies even when the MTLS session is not terminated at the load balancer.

When TLS is terminated before reaching the Gateway, to send the client certificate as a transport header, use the following configuration, which is placed just above the <TransportCertificateHeader> tag:

<ClientTransportCertAsHeaderEnabled>true</ClientTransportCertAsHeaderEnabled>

In order to enable certificate revocation validation for API security, configure the following:

<CertificateManagement>
	<!-- Expiry time for the cache (in seconds) for storing the validation result of the certificates-->
	<ClientCertificateCacheExpiry>3600</ClientCertificateCacheExpiry>
	<!-- Enable/Disable certificate OCSP and CRL validation. Default value has been set to true -->
	<CertificateRevocationValidationEnabled>true</CertificateRevocationValidationEnabled>
</CertificateManagement>
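The checks that the configuration above relies on can be illustrated in Python. This is an added example, not WSO2 code: the load-balancer step drops any ssl.client.auth.cert.X509 header that arrived from the Data Recipient and, only when TLS is terminated at the load balancer, replaces it with the certificate from the TLS session; the gateway step then compares the certificate presented on the request with the thumbprint bound into the access token. It assumes the binding is carried as an RFC 8705 cnf / x5t#S256 claim (the page does not state the binding format), and the certificate bytes are constructed stand-ins rather than real X.509 certificates. All function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Header name from this page's sample CertificateManagement configuration.
TRANSPORT_CERT_HEADER = "ssl.client.auth.cert.X509"

# Constructed stand-ins for DER-encoded certificates. A real deployment hashes
# the actual DER bytes of the Data Recipient's transport certificate.
CLIENT_CERT_DER = b"\x30\x82\x01\x04" + bytes(range(256))
OTHER_CERT_DER = b"\x30\x82\x01\x04" + bytes(reversed(range(256)))


def to_pem(der):
    """Wrap DER bytes as a PEM certificate block (how the header is carried)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Extract the DER bytes from a PEM block; raises ValueError if malformed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate in header value")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def x5t_s256(der):
    """RFC 8705 thumbprint: base64url(SHA-256(DER)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()


def _get_header(headers, name):
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def load_balancer_forward(headers, session_cert_der, tls_terminated_here):
    """Load balancer step. Any transport certificate header supplied by the
    client is discarded whether or not TLS terminates here; when it does
    terminate here, the header is set from the TLS session certificate
    (the ClientTransportCertAsHeaderEnabled case)."""
    clean = {k: v for k, v in headers.items() if k.lower() != TRANSPORT_CERT_HEADER.lower()}
    if tls_terminated_here and session_cert_der is not None:
        clean[TRANSPORT_CERT_HEADER] = to_pem(session_cert_der)
    return clean


def token_bound_to_request(token_claims, headers):
    """Gateway step: accept only if the certificate on this request matches
    the thumbprint the access token was bound to. A missing header, a missing
    cnf claim or an unparsable certificate all fail closed."""
    pem = _get_header(headers, TRANSPORT_CERT_HEADER)
    expected = token_claims.get("cnf", {}).get("x5t#S256")
    if not pem or not expected:
        return False
    try:
        actual = x5t_s256(pem_to_der(pem))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)
```

The point of the stripping step is visible in the pass-through case: if TLS is not terminated at the load balancer, the gateway sees the certificate from its own TLS session and the header must simply be absent, so a header the client injected can never be the value the binding check reads.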
Configuration 8

This configuration is for the Data Reporting feature. To enable data publishing, set the <Enabled> property to true so that WSO2 Open Banking Business Intelligence can capture and summarize data. Replace the <WSO2_OB_BI_HOST> placeholder with the hostname of the Open Banking Business Intelligence server.

<DataPublishing>
	<!-- Include all configurations related to Data publishing -->
	<!-- Enable data publishing in WSO2 Open Banking-->
	<Enabled>true</Enabled>
	<!-- Server URL of the remote BI server used to collect statistics. Must
	     be specified in protocol://hostname:port/ format. -->
	<ServerURL>{tcp://<WSO2_OB_BI_HOST>:7612}</ServerURL>
	<!-- Administrator username to login to the BI server for data publishing. -->
	<Username>admin@wso2.com@carbon.super</Username>
	<!-- Administrator password to login to the BI server for data publishing. -->
	<Password>wso2123</Password>
</DataPublishing>
Configuration 9

By default, the Consent Management APIs are secured with basic authentication. To access the Consent Management APIs, use the default user or create a new user using the Key Manager Management Console.

  1. Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file.
  2. Update the credentials under <APISecurity><Global> with the created user details.

    By default, this is set to the username and password of the super admin.

    <APISecurity>
    	<Global>
    		<Username>admin@wso2.com</Username>
    		<Password>wso2123</Password>
    	</Global>
    </APISecurity>

For more information, see configuring basic authentication for Consent Management APIs.

Configuration 10

Dynamic Client Registration configurations under <DCR>:

  1. The only supported authentication method for the token endpoint is private_key_jwt. Make sure the <DCR><TokenAuthentication> configuration is as follows:

    <TokenAuthentication>
    	<Method>private_key_jwt</Method>
    </TokenAuthentication>
  2. The connection and read timeout values used when retrieving the remote JWKS to validate the SSA and request JWT signatures during client registration:

    <ConnectionTimeout>0</ConnectionTimeout>
    <ReadTimeout>0</ReadTimeout>
  3. This property enables validation of the policy, client, terms of service and logo URIs. By default, it is set to false. To validate these URIs, set it to true.

    <EnableURIValidation>false</EnableURIValidation>
  4. This property enables validation of the hostnames of the policy, client, terms of service and logo URIs against the hostname of the redirect URIs. By default, it is set to false. To validate the hostnames, set it to true.

    <EnableHostNameValidation>false</EnableHostNameValidation>
  5. Set <UseSoftwareIdAsApplicationName> to true to use the SoftwareID in the SSA as the name of the application.

    <UseSoftwareIdAsApplicationName>true</UseSoftwareIdAsApplicationName>

  6. Configure the JWKS URLs used to validate the SSA:

     ACCC does not support this feature yet. To try out the feature before the ACCC endpoints are available, create a mock back end and invoke the hosted services.

    <JwksUrlSandbox><URL_FOR_SANDBOX></JwksUrlSandbox>
    <JwksUrlProduction><URL_FOR_PRODUCTION></JwksUrlProduction>
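The two validation switches in steps 3 and 4 above are illustrated by this added Python example (not WSO2 code): with EnableURIValidation the policy, client, terms of service and logo URIs must be well-formed https URIs, and with EnableHostNameValidation their hostnames must match a redirect URI hostname. The request metadata, the OAuth DCR field names assumed for those URIs (policy_uri, client_uri, tos_uri, logo_uri, redirect_uris) and the function name are constructed for the example.

```python
from urllib.parse import urlsplit

# Fields the page says the two switches cover, under their OAuth DCR names
# (assumed; the page names them only in prose).
URI_FIELDS = ("policy_uri", "client_uri", "tos_uri", "logo_uri")

# Constructed registration request: three URIs share the redirect host,
# the logo is served from a separate CDN hostname.
SAMPLE_REQUEST = {
    "redirect_uris": ["https://app.example-adr.com.au/callback"],
    "client_uri": "https://app.example-adr.com.au",
    "policy_uri": "https://app.example-adr.com.au/privacy",
    "tos_uri": "https://app.example-adr.com.au/terms",
    "logo_uri": "https://cdn.example-adr.com.au/logo.png",
}


def _host(uri):
    """Lower-cased hostname of a URI, or None if it cannot be parsed."""
    try:
        return urlsplit(uri).hostname
    except ValueError:
        return None


def is_well_formed_https(uri):
    """EnableURIValidation check: an absolute https URI with a hostname."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    return parts.scheme == "https" and bool(parts.hostname)


def validate_dcr_uris(request, enable_uri_validation=False, enable_hostname_validation=False):
    """Return a list of problems found in the request metadata; an empty list
    means it passes. With both switches false (the documented defaults)
    nothing is checked, which mirrors the configuration on the page."""
    problems = []
    redirect_hosts = {h for h in (_host(u) for u in request.get("redirect_uris", [])) if h}
    for field in URI_FIELDS:
        uri = request.get(field)
        if uri is None:
            continue
        if enable_uri_validation and not is_well_formed_https(uri):
            problems.append(f"{field}: not a well-formed https URI")
            continue
        if enable_hostname_validation and _host(uri) not in redirect_hosts:
            problems.append(f"{field}: hostname does not match any redirect_uri hostname")
    return problems
```

Turning on hostname validation is what catches the CDN-hosted logo in the sample; whether that should be allowed is a Data Holder policy decision, which is why the page leaves both switches off by default.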