Running the Functional Conformance Suite for UK

WSO2 Open Banking 1.5.0 supports Functional conformance suite v1.6.7.

The Open Banking Implementation Entity ( OBIE) Functional Conformance Certificate allows WSO2 Open Banking to demonstrate that the solution has successfully implemented all required functional elements of the OBIE Read/Write API specifications, passing all tests performed by the Functional Conformance Tool.

This document contains the following topics:

Before you begin:

Download and unzip the following:
- wso2-obam-1.5.0.zip (WSO2 Open Banking API Management)
- wso2-obiam-1.5.0.zip (WSO2 Open Banking Identity and Access Management)
Click here to see how to download the packs from WUM
Set up the WSO2 Update Manager (WUM).
- WUM is a simple command-line tool that connects to the WSO2 update service, determines which updates are new and relevant, and downloads them. You can get the latest version of the WSO2 Open Banking product packs through WUM.
  License
  
  WSO2 Open Banking is not distributed under the Apache Community License and is only available under the WSO2 Software License. You need a WSO2 subscription to install and update the WSO2 Open Banking solution via WUM. Contact us to find out how you can access a free evaluation copy...
- Follow the guidelines provided in the Download WUM page to download, and install WUM in your environment. For more information on how to use WUM, see the /wiki/spaces/updates/pages/16318500.
  1. Add the necessary product packs using the commands given below:
    
    wum add wso2-obam-1.5.0 wum add wso2-obkm-1.5.0
    
    Update the product packs using the commands given below:
    
    wum update wso2-obam-1.5.0 wum update wso2-obkm-1.5.0
    
    Additionally, download and update the other instances of WSO2 Open Banking product.
    
    wum add wso2ei-6.4.0 wum update wso2ei-6.4.0 wum add wso2am-analytics-2.6.0 wum update wso2am-analytics-2.6.0 wum add wso2-obbi-1.5.0 wum update wso2-obbi-1.5.0
    
    WSO2 OB APIM Analytics(wso2am-analytics-2.6.0) provides the API analytics feature.
    WSO2 OB BI(wso2-obbi-1.5.0) provides the following features:
    API Analytics
    Transaction Risk Analysis
    Fraud Detection
    Data Reporting
- The product packs reside in the <WUM_HOME>/products/<Product_Name>/<version>/full directory as <Product_name-<version>+<timestamp>.full.zip. Copy the product packs to a preferred location in each node, and extract them.
  WSO2 Updates Manager (WUM) is deprecated and will be unavailable from July 2021 onwards. WSO2 Updates is the new tool to include the solution and security improvements that are released by WSO2 Open Banking, on top of a released version. For more information, see WSO2 Updates.
  Click here to see how to update the solution via WSO2 Update tool...
  The WSO2 Update tool delivers hotfixes and updates seamlessly on top of products as WSO2 Updates. They include improvements that are released by WSO2. You need to update all the products using the relevant script.
  Go to <PRODUCT_HOME>/bin and run the WSO2 Update tool:
  
  Repeat this step for all the products in the solution:
  wso2-obkm-1.5.0
  wso2-obam-1.5.0
  wso2-obbi-1.5.0
  wso2am-analytics-2.6.0
This document refers to the file paths of the product packs for the Key Manager, API Manager, API Manager Analytics, and Enterprise Integrator as <WSO2_OB_KM_HOME>, <WSO2_OB_APIM_HOME>, <WSO2_AM_ANALYTICS_HOME>,<WSO2_OB_BI_HOME> and <WSO2_EI_HOME> respectively.
Configure the databases and set up the solution.
- To set up the solution locally, see Try Local Setup
- To set up a production deployment, follow the Deployment Guide

Configuring the solution

Set the RenewTokenPerRequest property to false in <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml as follows:
```
<RenewTokenPerRequest>false</RenewTokenPerRequest>
```
In <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml, update the <WSO2_OB_APIM_HOST> placeholder with the hostname of the API Manager server for IDTokenIsuuerID:
```
<IDTokenIssuerID>https://<WSO2_OB_APIM_HOST>:8243/token</IDTokenIssuerID>
```
Change the MaximumFuturePaymentDays value to 365 in <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml as follows:
```
<PaymentRestrictions>
	<MaximumFuturePaymentDays>365</MaximumFuturePaymentDays>
</PaymentRestrictions>
```
Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml and <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml files and set the following configuration to false:
```
<ValidateAccountIdOnRetrieval>true</ValidateAccountIdOnRetrieval>
```
The Functional conformance suite invokes the endpoints exposed by the host machine. Therefore, you need to add a hostname to the Docker-bridge interface. Thereby, both WSO2 Open Banking Identity and Access Management (WSO2_OB_KM_HOST) and WSO2 Open Banking API Management (WSO2_OB_APIM_HOST) servers can be accessed via the server hostnames and Docker-bridge hostname (DOCKER_SEVER_HOST).
1. Create a new server key and a certificate including the following parameters:
  1. server hostname as Common Name (CN).
  2. DOCKER-BRIDGE_SEVER_HOST as Subject Alternative Name (SAN). See the sample given below:
    [req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = US ST = VA L = SomeCity O = MyCompany OU = MyDivision CN = <WSO2_OB_APIM_HOST> [v3_req] keyUsage = keyEncipherment, dataEncipherment, digitalSignature extendedKeyUsage = serverAuth, clientAuth subjectAltName = @alt_names [alt_names] DNS.1 = <DOCKER-BRIDGE_SEVER_HOST>
    openssl req -x509 -nodes -days 3560 -newkey rsa:4096 -keyout wso2carbon.key -out wso2carbon.crt -config req.conf -extensions 'v3_req'
2. Create a new keystore with the generated certificate. Please use the same keystore password (KEYSTORE_PASSWORD) that you have already configured for the existing keystore:
```
openssl pkcs12 -export -in wso2carbon.crt -inkey wso2carbon.key -name <KEYSTORE_PASSWORD> -out <WSO2_OB_APIM_HOST>.p12
```
3. Import the generated server certificate (step a) to client truststore of both WSO2_OB_KM_HOST and WSO2_OB_APIM_HOST servers:
```
 keytool -importcert -file wso2carbon.crt -keystore client-truststore.jks -alias "<WSO2_OB_APIM_HOST>"
```

Configuring JWS validation

Open the open-banking.xml files and do the following configurations:
- <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml
- <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml

Configure <SigningConfiguration> under the <UK> tag as follows:

<UK>
	<SigningConfiguration>
		<!-- Enable Signing -->
		<Enable>true</Enable>
		<OBIE>
			<!--
            Trusted Anchor Configuration
            openbanking.org.uk specific Trust Anchor definitions
            -->
			<TrustedAnchors>
				<!-- Trust Anchor used in signing JOSE -->
				<Signing>openbanking.org.uk</Signing>
				<!--
                Multiple values supported with `|` delimiter
                IE - trustanchor.org|trustanchor.org.uk
                -->
				<Validation>openbanking.org.uk</Validation>
			</TrustedAnchors>
			<!-- OBIE Organization Id -->
			<OrganizationId>{org_id in the SSA or Organizational Unit of the certificate Owner}</OrganizationId>
		</OBIE>
		<!-- Default Singing Algorithm is PS256, to support others uncomment line below -->
		<!--<Algorithm>RS256</Algorithm>-->
		<!-- The following specified APIs will be mandated for message signing. -->
		<MandatedAPIs>
			<APIContext>/open-banking/v3.0/event-notification/</APIContext>
			<APIContext>/open-banking/v3.0/pisp/</APIContext>
			<APIContext>/open-banking/v3.1/event-notification/</APIContext>
			<APIContext>/open-banking/v3.1/pisp/</APIContext>
		</MandatedAPIs>
	</SigningConfiguration>

Add the following configurations under the <SigningConfiguration> tag:

<!-- The following specified APIs will be associated with response signing. -->
<ResponseSignatureRequiredAPIs>
	<APIContext>/open-banking/v3.0/pisp/</APIContext>
	<APIContext>/open-banking/v3.1/pisp/</APIContext>
</ResponseSignatureRequiredAPIs>

Find the following tags and define the alias and kid values for the primary signing certificates:

<OBIdentityRetriever>
    <Server>
        <SigningCertificateAlias><production-key alias></SigningCertificateAlias>
        <SigningCertificateKid><production kid></SigningCertificateKid>
    </Server>
</OBIdentityRetriever>

Follow the API Security - JSON Web Signature (JWS) documentation and configure JWS validation support for Waiver 007.

Combine the signing certificate and key to a pk12 format file using the command below:

openssl pkcs12 -export -in <pem file> -inkey <key file> -name <alias> -out CertAndKey.p12

Create a new keystore file:

keytool -genkey -alias <keystore alias> -keyalg RSA -keystore <keystore name>.jks -keysize 2048

Import the p12 files to the new keystore.

keytool -importkeystore -deststorepass <keystore password> -destkeystore <keystore name>.jks -srckeystore CertAndKey.p12 -srcstoretype PKCS12

Add the new keystore to the client-truststore.
1. Go to the <WSO2_OB_KM_HOME>/repository⁩/⁨resources⁩/security directory.
2. Export the public certificate of the keystore to a .pem file.
```
keytool -export -alias <alias> -keystore <keystore_name>.jks -file <keystore_name>.pem
```
3. Import the .pem file to client-truststore.jks.
```
keytool -import -alias <alias> -file <keystore name>.pem -keystore client-truststore.jks -storepass wso2carbon
```
4. Go to the <WSO2_OB_APIM_HOME>/repository⁩/⁨resources⁩/security directory and repeat the above steps.
Duplicate and place the new keystore in the following locations:
- <WSO2_OB_KM_HOME>/repository⁩/⁨resources⁩/security
- <WSO2_OB_APIM_HOME>/repository⁩/⁨resources⁩/security

Configure the new keystore file in carbon.xml files:

<WSO2_OB_KM_HOME>/repository/conf/carbon.xml

<WSO2_OB_APIM_HOME>/repository/conf/carbon.xml

<KeyStore>
    <!-- Keystore file location-->
    <Location><<WSO2_OB_KM_HOME>/repository⁩/⁨resources⁩/security/<new_keystore.jks></Location>
    <!-- Keystore type (JKS/PKCS12 etc.)-->
    <Type>JKS</Type>
    <!-- Keystore password-->
    <Password><new keystore password></Password>
    <!-- Private Key alias-->
    <KeyAlias><new private key alias></KeyAlias>
    <!-- Private Key password-->
    <KeyPassword><new private key password></KeyPassword>
</KeyStore>

Organization JWKS URL configuration:
1. Open the <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml file.
2. Update <OAuth2JWKSPage> with the JWKS URL retrieved from the Open Banking directory:
```
<OAuth2JWKSPage><org_jwks_endpoint in the SSA></OAuth2JWKSPage>
```

Running the solution

Start WSO2 Open Banking API Manager and WSO2 Identity Access Management servers.
Deploy Account and Transaction API v3.1.2, Payment Initiation API v3.1.2, and Confirmation of Funds API v3.1.1.

If you’re using the Dynamic Client Registration v3.2 API, skip to Setting up the test suite.
Sign in to the API Developer Portal as a TPP at https://<WSO2_OB_APIM_HOST>:9443/store.
Change the redirect URL of the application to “https://< DOCKER-BRIDGE_SEVER_HOST>:8443/conformancesuite/callback”.

Setting up the test suite

If you encounter a test failure during the execution, restart the docker container and rerun the test suite from step 1.

To restart the docker container, use the below command:
```
docker start -a fsuite
```

Run the following command in a terminal to pull and run the image:

docker run --add-host=<DOCKER-BRIDGE_SEVER_HOST>:<docker0 ip> -it --name=fsuite -p 8443:8443 -e LOG_LEVEL=debug -e LOG_TRACER=true -e LOG_HTTP_TRACE=true -e DISABLE_JWS=FALSE "openbanking/conformance-suite:[TEST_SUITE_VERSION]"

To add the certificates to the container, go to < WSO2_OB_APIM_HOME>/repository/resources/security and execute the below command to generate the pem file for <WSO2_OB_APIM_HOST>.crt:
```
openssl x509 -inform DER -in wso2carbon.crt -out <WSO2_OB_APIM_HOST>.pem -outform PEM
```
Log in to the container:
```
docker exec -it fsuite /bin/bash
```
Add the <WSO2_OB_APIM_HOST>.pem certificate to the following locations using the below command:
1. /usr/local/share/ca-certificates/<WSO2_OB_APIM_HOST>.pem
```
docker cp <WSO2_OB_APIM_HOST>.pem fsuite:/usr/local/share/ca-certificates/<WSO2_OB_APIM_HOST>.pem
```
2. etc/ssl/certs/<WSO2_OB_APIM_HOST>.pem
```
docker cp <WSO2_OB_APIM_HOST>.pem fsuite:/etc/ssl/certs/<WSO2_OB_APIM_HOST>.pem
```
Copy wso2carbon.jks to the same locations as in step 4.
Run the following command:
```
update-ca-certificates
```
Stop the container using the following command:
```
docker stop fsuite
```
Restart the container:
```
docker start -a fsuite
```
Access the test suite at https://localhost:8443 .
Select Open Banking test suite and start the test.

In the Discovery step, update the following values in the JSON file separately for each time the conformance suite runs for Account and Transaction API, Payment Initiation API, and Confirmation of Funds API.

Account and Transaction API:

A sample endpoint configuration for the Account and Transaction API is available here.

discoveryItems

apiSpecification name Account and Transaction API Specification

openidConfigurationUri

The OpenID Connect discovery endpoint. For example:

https://<DOCKER_SEVER_HOST>:8243/.well-known/openid-configuration

resourceBaseUri

Production/Sandbox URL for the API. For example:

https://<DOCKER_SEVER_HOST>:8243/open-banking/v3.1/aisp

Payment Initiation API:

A sample endpoint configuration for the Payment Initiation API is available here.

discoveryItems

apiSpecification name Payment Initiation API

openidConfigurationUri

The OpenID Connect discovery endpoint. For example:

https://<DOCKER_SEVER_HOST>:8243/.well-known/openid-configuration

resourceBaseUri

Production/Sandbox URL for the API. For example:

https://<DOCKER_SEVER_HOST>:8243/open-banking/v3.1/pisp

Confirmation of Funds API:

A sample endpoint configuration for the Confirmation of Funds API is available here.

discoveryItems

apiSpecification name Confirmation of Funds API

openidConfigurationUri

The OpenID Connect discovery endpoint. For example:

https://<DOCKER_SEVER_HOST>:8243/.well-known/openid-configuration

resourceBaseUri

Production/Sandbox URL for the API. For example:

https://<DOCKER_SEVER_HOST>:8243/open-banking/v3.1/cbpii

Click Next and proceed to the Configuration stage.

Add the following mandatory configurations in the form/JSON file.

A sample TestData_Configure.json is available here.

Client
Private Signing Key (.key):	The Private Signing Key certificate of the client/application created in the section above .
Public Signing Certificate (.pem):	The Public Signing Certificate of the client/application created in the section above.
Private Transport Key (.key):	The Private Transport Key certificate of the client/application created in the section above.
Public Transport Certificate (.pem):	The Public Transport Certificate of the client/application created in the section above.
Account IDs	The Account IDs of the account resources that the customer (PSU) has consented to provide to the client/application.
Statement IDs	The Statement IDs of the statement resources that the customer (PSU) has consented to provide to the client/application.
Client ID	Consumer key of the client/application created in the section above.
Client Secret	Consumer secret of the client/application created in the section above.
tpp_signature_kid	The KID value of the signing certificate.
tpp_signature_issuer	Certificate Owner (Eg: CN=sgsMuc8ACBgBzinpr8oJ8B, OU=0015800001HQQrZAAX, O=OpenBanking, C=GB)
tpp_signature_tan	Trust Anchor used in signing JOSE (Eg: openbanking.org.uk)

Well-Known
OAuth 2.0 response_type	A JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values
Request object signing algorithm	The algorithm used to sign requests objects
Resource Base URL	The base URL of the WSO2 OB APIM server. For example: `https://<WSO2_OB_APIM_HOST>:8243`

Payments
Identification	Beneficiary account identification
Name	Name of the account, as assigned by the account servicing institution. Usage: The account name is the name or names of the account owner(s) represented at an account level. The account name is not the product name or the nickname of the account.
International Identification	The international beneficiary account identification
International Name	International name of the account, as assigned by the account servicing institution. Usage: The account name is the name or names of the account owner(s) represented at an account level. The account name is not the product name or the nickname of the account.

Confirmation of Funds

Schema Name

Name of the identification scheme.

Identification

Account identification, which is known by the account owner.

Name

The name of the account, as assigned by the account servicing institution.

Usage: The account name is the name or names of the account owner(s) represented at an account level. The account name is not the product name or the nickname of the account.

Click Next and run the suite.