{"type":"doc","content":[{"type":"paragraph","content":[{"text":"This document discusses how WSO2 Open Banking has implemented the Electronic Identification and Trust Services (eIDAS) Regulation.","type":"text"}]},{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"paragraph","content":[{"text":"Before you begin:","type":"text","marks":[{"type":"strong"}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"In order to try out the flows with the eIDAS approach, Third-Party Providers(TPPs) have to be registered in a Qualified Trust Service Provider (QTSP). ","type":"text"}]},{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"legacy-content","text":"","parameters":{"reason":"A note macro in a list item can't be created or edited in the new editor.","nestedContent":{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"If you are testing the WSO2 Open Banking solution for UK compliance, you can use either of the following:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Original eIDAS certificates:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Qualified Website Authentication Certificate (QWAC)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Qualified e-Seal Certificate (QSealC)","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open Banking (OB) certificates:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open Banking Web Authentication Certificate (OBWAC)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open Banking e-Seal Certificate (OBSealC)","type":"text"}]}]}]}]}]},{"type":"paragraph","content":[{"text":"OB certificates are issued by the Open Banking Directory upon ","type":"text"},{"text":"registering as a Third-Party Provider (TPP)","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.openbanking.org.uk/wp-content/uploads/Enrolling-Onto-Open-Banking-Guide.pdf"}}]},{"text":". Click ","type":"text"},{"text":"here","type":"text","marks":[{"type":"link","attrs":{"href":"https://openbanking.atlassian.net/wiki/spaces/DZ/pages/1176930046/Open+Banking+Directory+Usage+-+eIDAS+release+Directory+Sandbox+-+v1.2#OpenBankingDirectoryUsage-eIDASrelease(DirectorySandbox)-v1.2-9.GenerateandmanageTransportandSigningCertificatesforOpenBankingETSIcertificates(OBWACandOBSeal)"}}]},{"text":" to find instructions on generating OBWAC and OBSealC. ","type":"text"}]}]}],"version":1},"cxhtml":"

If you are testing the WSO2 Open Banking solution for UK compliance, you can use either of the following:

Original eIDAS certificates:
- Qualified Website Authentication Certificate (QWAC)
- Qualified e-Seal Certificate (QSealC)
Open Banking (OB) certificates:
- Open Banking Web Authentication Certificate (OBWAC)
- Open Banking e-Seal Certificate (OBSealC)

OB certificates are issued by the Open Banking Directory upon registering as a Third-Party Provider (TPP). Click here to find instructions on generating OBWAC and OBSealC.

"}}}]},{"type":"listItem","content":[{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"legacy-content","text":"","parameters":{"nestedContent":{"type":"doc","content":[{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"multiexcerpt","parameters":{"macroParams":{"MultiExcerptName":{"value":"instructions_to_add_certs_to_the_client_trust_stores"},"atlassian-macro-output-type":{"value":"INLINE"}},"macroMetadata":{"macroId":{"value":"2350ca13-5f4e-41f3-94a3-40c163d9e77c"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://raw.githubusercontent.com/fuegokit/appfire-design-systems-brand-svg/main/single-color-brand-icons/af-logo-multi-excerpt-24.svg"}}],"title":"MultiExcerpt (legacy)"}}},"content":[{"type":"paragraph","content":[{"text":"In order to support eIDAS or OB certificates in WSO2 Open Banking, you need to update the client trust stores. ","type":"text"}]},{"type":"expand","attrs":{"title":"Click here to see how it is done..."},"content":[{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"multiexcerpt","parameters":{"macroParams":{"MultiExcerptName":{"value":"ConfiguringCerts"},"atlassian-macro-output-type":{"value":"INLINE"}},"macroMetadata":{"macroId":{"value":"f11890a6-3534-48ed-8e4b-94b187f7380f"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://raw.githubusercontent.com/fuegokit/appfire-design-systems-brand-svg/main/single-color-brand-icons/af-logo-multi-excerpt-24.svg"}}],"title":"MultiExcerpt (legacy)"}}},"content":[{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"localtabgroup","parameters":{"macroParams":{},"macroMetadata":{"macroId":{"value":"4e4ff488-b832-4f40-809f-908a54afc224"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://us.navitabs-static-assets.aws.bitvoodoo.cloud/static/4.0.7/images/macro-icon.png"}}],"title":"Tab Group"}}},"content":[{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"localtab","parameters":{"macroParams":{"title":{"value":"OB certificates"}},"macroMetadata":{"macroId":{"value":"1e71e1a2-7a55-4849-8a1f-d075a7963240"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://us.navitabs-static-assets.aws.bitvoodoo.cloud/static/4.0.7/images/macro-icon.png"}}],"title":"Tab (Deprecated)"}}},"content":[{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"bgcolor","parameters":{"macroParams":{"color":{"value":"#fdfdfd"},"atlassian-macro-output-type":{"value":"INLINE"}},"macroMetadata":{"macroId":{"value":"63a6e294-dc32-44e8-a071-54ced5e0e512"},"schemaVersion":{"value":"1"},"title":"Background Color"}}},"content":[{"type":"paragraph","content":[{"text":"In order to support OB certificates in WSO2 Open Banking, upload the OB root and issuer certificates to the client trust stores as follows:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The client trust stores for the ","type":"text"},{"text":"WSO2 Open Banking API Management ","type":"text"},{"text":"(WSO2_OB_APIM)","type":"text","marks":[{"type":"code"}]},{"text":" and Identity and Access Management ","type":"text"},{"text":"(WSO2_OB_IAM)","type":"text","marks":[{"type":"code"}]},{"text":" modules are","type":"text"},{"text":" located in the following locations:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"/repository/resources/security/client-truststore.jks","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"/repository/resources/security/client-truststore.jks","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Use the following commands to add the certificate to the client trust store:","type":"text"}]},{"type":"paragraph","content":[{"text":"Add root certificate ","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"keytool -import -alias obroot -file -keystore client-truststore.jks -storepass wso2carbon","type":"text"}]},{"type":"paragraph","content":[{"text":"Add issuer certificate","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"shell"},"content":[{"text":"keytool -import -alias obissuer -file -keystore client-truststore.jks -storepass wso2carbon","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Restart the API Management and Identity and Access Management servers.","type":"text"}]}]}]}]}]},{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"localtab","parameters":{"macroParams":{"title":{"value":"eIDAS certificates"}},"macroMetadata":{"macroId":{"value":"1ed5d01b-fce5-4e42-8400-4f8ba23ee4d9"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://us.navitabs-static-assets.aws.bitvoodoo.cloud/static/4.0.7/images/macro-icon.png"}}],"title":"Tab (Deprecated)"}}},"content":[{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"bgcolor","parameters":{"macroParams":{"color":{"value":"#fdfdfd"},"atlassian-macro-output-type":{"value":"INLINE"}},"macroMetadata":{"macroId":{"value":"b59426d5-9e79-4d8b-9b60-635f83356597"},"schemaVersion":{"value":"1"},"title":"Background Color"}}},"content":[{"type":"paragraph","content":[{"text":"In order to support QWAC and QSealC in WSO2 Open Banking, the client trust store must contain all the root certificates of the QTSPs in the UK and the EU region.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"National Competent Authorities (NCAs) of each region maintains a list of QTSPs and QTSP certificates in their regions. The QTSP list and links to their QTSP certificates are aggregated to a single list named as List of Trust Lists (LoTL). ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"You need to download all the QTSP certificates from LoTL and update the client trust store of WSO2 OB APIM. WSO2 Open Banking provides LoTL integrator, which is a separate tool to achieve this task. To get the LoTL integrator, you can contact the WSO2 Open Banking Support team via your support account or through the ","type":"text"},{"text":"contact us form.","type":"text","marks":[{"type":"link","attrs":{"href":"https://wso2.com/contact/"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Once downloaded, follow the steps given below to run LoTL integrator:","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"LoTL integrator requires a connection to each of the national trust lists hosted by NCAs in the EU region. Please make sure that the environment that you are running the tool has the required network-level access for each of the trust lists in the EU region.","type":"text"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Create a copy of the client trust store in ","type":"text"},{"text":"/repository/resources/security/client-truststore.jks","type":"text","marks":[{"type":"code"}]},{"text":". When the tool asks for the path of the client trust store, provide the location to the copied client trust store.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Extract the LoTL integrator and run the below command inside the directory of the LoTL integrator:","type":"text"}]},{"type":"codeBlock","content":[{"text":"java -jar custom-lotl-integrator-jar-with-dependencies.jar","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Provide the correct information when the tool asks for the path and password to the client trust store.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Once you set up the client trust store successfully, replace the copy with the original client trust store. We encourage you to backup the original client trust store before the replacement.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Restart the ","type":"text"},{"text":"WSO2 OB APIM","type":"text","marks":[{"type":"code"}]},{"text":" server.","type":"text"}]}]}]}]}]}]}]}]}]}]}]}],"version":1},"cxhtml":"instructions_to_add_certs_to_the_client_trust_storesINLINE

In order to support eIDAS or OB certificates in WSO2 Open Banking, you need to update the client trust stores.

Click here to see how it is done...

ConfiguringCertsINLINE

OB certificates

#fdfdfdINLINE

In order to support OB certificates in WSO2 Open Banking, upload the OB root and issuer certificates to the client trust stores as follows:

The client trust stores for the WSO2 Open Banking API Management (WSO2_OB_APIM) and Identity and Access Management (WSO2_OB_IAM) modules are located in the following locations:
- <WSO2_OB_APIM_HOME>/repository/resources/security/client-truststore.jks
- <WSO2_OB_IAM_HOME>/repository/resources/security/client-truststore.jks
Use the following commands to add the certificate to the client trust store:
bashAdd root certificate -keystore client-truststore.jks -storepass wso2carbon]]>bashAdd issuer certificate -keystore client-truststore.jks -storepass wso2carbon]]>
Restart the API Management and Identity and Access Management servers.

eIDAS certificates

#fdfdfdINLINE

In order to support QWAC and QSealC in WSO2 Open Banking, the client trust store must contain all the root certificates of the QTSPs in the UK and the EU region.

National Competent Authorities (NCAs) of each region maintains a list of QTSPs and QTSP certificates in their regions. The QTSP list and links to their QTSP certificates are aggregated to a single list named as List of Trust Lists (LoTL).
You need to download all the QTSP certificates from LoTL and update the client trust store of WSO2 OB APIM. WSO2 Open Banking provides LoTL integrator, which is a separate tool to achieve this task. To get the LoTL integrator, you can contact the WSO2 Open Banking Support team via your support account or through the contact us form.
Once downloaded, follow the steps given below to run LoTL integrator:
LoTL integrator requires a connection to each of the national trust lists hosted by NCAs in the EU region. Please make sure that the environment that you are running the tool has the required network-level access for each of the trust lists in the EU region.
1. Create a copy of the client trust store in <WSO2_OB_APIM_HOME>/repository/resources/security/client-truststore.jks. When the tool asks for the path of the client trust store, provide the location to the copied client trust store.
2. Extract the LoTL integrator and run the below command inside the directory of the LoTL integrator:
3. Provide the correct information when the tool asks for the path and password to the client trust store.
4. Once you set up the client trust store successfully, replace the copy with the original client trust store. We encourage you to backup the original client trust store before the replacement.
5. Restart the WSO2 OB APIM server.

"}}}]}]}]},{"type":"paragraph","content":[{"text":"In WSO2 Open Banking, eIDAS approach can be categorised into 3 flows:","type":"text"}]},{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc-zone","parameters":{"macroParams":{"location":{"value":"top"}},"macroMetadata":{"macroId":{"value":"b5c57901-3ae9-4f5e-9dee-dc8c5f742463"},"schemaVersion":{"value":"1"},"title":"Table of Content Zone"}}},"content":[{"type":"heading","attrs":{"level":3},"content":[{"text":"Client registration","type":"text"}]},{"type":"paragraph","content":[{"text":"WSO2 Open Banking provides eIDAS support for Dynamic Client Registration (DCR) and Manual Client Registration (MCR). For client registration, the following certificates must be used:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A website authentication certificate to secure the transport layer (QWAC or OBWAC)","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"An e-seal certificate to secure the application layer (QSealC or OBSealC)","type":"text"}]}]}]},{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"legacy-content","text":"","parameters":{"nestedContent":{"type":"doc","content":[{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"multiexcerpt","parameters":{"macroParams":{"MultiExcerptName":{"value":"TPP_Validation"},"atlassian-macro-output-type":{"value":"INLINE"}},"macroMetadata":{"macroId":{"value":"096d1801-39e1-47ea-aee8-9bc27e4b2e5d"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://raw.githubusercontent.com/fuegokit/appfire-design-systems-brand-svg/main/single-color-brand-icons/af-logo-multi-excerpt-24.svg"}}],"title":"MultiExcerpt (legacy)"}}},"content":[{"type":"heading","attrs":{"level":4},"content":[{"text":"TPP Validation Service","type":"text"}]},{"type":"paragraph","content":[{"text":"TPP validation service allows OBIE-registered Account Servicing Payment Service Providers (ASPSPs) to validate TPPs from the NCAs. This is done by validating QWAC or OBWAC. Follow the steps to enable this service:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This is available only as a WUM update effective from January 03, 2021 (01-03-2021). For more information on updating WSO2 Open Banking, see ","type":"text"},{"text":"Updating WSO2 Products","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.wso2.com/display/updates/Using+WSO2+Update+Manager"}}]},{"text":".","type":"text","marks":[{"type":"textColor","attrs":{"color":"#333333"}}]}]}]},{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"multiexcerpt","parameters":{"macroParams":{"MultiExcerptName":{"value":"TPP_Validation_Support"},"atlassian-macro-output-type":{"value":"INLINE"}},"macroMetadata":{"macroId":{"value":"4f956de4-cfdb-415f-b742-beb5b29bc865"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://raw.githubusercontent.com/fuegokit/appfire-design-systems-brand-svg/main/single-color-brand-icons/af-logo-multi-excerpt-24.svg"}}],"title":"MultiExcerpt (legacy)"}}},"content":[{"type":"panel","attrs":{"panelType":"success"},"content":[{"type":"paragraph","content":[{"text":"Prerequisites:","type":"text","marks":[{"type":"strong"}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Make sure you have uploaded QWAC or OBWAC as the transport certificate in ","type":"text"},{"text":"/repository/resources/security/wso2carbon.jks. ","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Update ","type":"text"},{"text":"/repository/resources/security/client-truststore.jks","type":"text","marks":[{"type":"code"}]},{"text":" with the OBIE root, issuer certificates as mentioned ","type":"text"},{"text":"here","type":"text","marks":[{"type":"link","attrs":{"href":"https://wso2docs.atlassian.net/wiki/spaces/OB140/pages/29395093/Dynamic+Client+Registration+v3.2#DynamicClientRegistrationv3.2-DynamicClientRegistrationv3.2-Uploadingcertificatetotheclienttruststore"}}]},{"text":".","type":"text"}]}]}]}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the QSealC keypair corresponding to QWAC or OBSealC keypair corresponding to OBWAC into a new JKS. For example, ","type":"text"},{"text":"wso2carbon-signing.jks. ","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Place the JKS file in the ","type":"text"},{"text":"/repository/resources/security","type":"text","marks":[{"type":"code"}]},{"text":" directory.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open the ","type":"text"},{"text":"/repository/conf/finance/open-banking.xml","type":"text","marks":[{"type":"code"}]},{"text":" file:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the following configs under the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" section:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"SoftwareStatementId","type":"text","marks":[{"type":"code"}]},{"text":" value needs to be configured according to the OBWAC/QWAC that has been configured in the ","type":"text"},{"text":"/repository/resources/security/wso2carbon.jks","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The OBIE service-related endpoints are for the OBIE sandbox environment.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t3600\n\tcom.wso2.finance.open.banking.gateway.service.obie.OBIECertValidationServiceImpl\n\t\n\t\tykNOgWd2RgnuoLRRyWBkaY\n\t\t\n\t\t\tASPSPReadAccess\n\t\t\tTPPReadAccess\n\t\t\tAuthoritiesReadAccess\n\t\t\n\t\thttps://matls-sso.openbankingtest.org.uk/as/token.oauth2\n\t\thttps://matls-dirapi.openbankingtest.org.uk/certificate/validate\n\t\thttps://matls-api.openbankingtest.org.uk/scim/v2/OBAccountPaymentServiceProviders\n\t\tGB\n\t\n\t\n\t\taccounts+\n\t\tpayments+\n\t\tfundsconfirmations+\n\t\n","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure the ","type":"text"},{"text":"<","type":"text","marks":[{"type":"code"}]},{"text":"SigningKeystore","type":"text","marks":[{"type":"code"}]},{"text":">","type":"text","marks":[{"type":"code"}]},{"text":" tag with the file path of the JKS file that contains the OBSealC.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" and the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" tags with the alias and KID value of the signing certificate (OBSealC):","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\n\tsigning\n\t\n\t1pbTEt6v6_o0WpPFzmNXj6ediKw\n\t\n\t\t${carbon.home}/repository/resources/security/wso2carbon-signing.jks\n\t\twso2carbon\n\t\twso2carbon\n\t\n","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open the ","type":"text"},{"text":"/repository/resources/api_templates/velocity_template.xml","type":"text","marks":[{"type":"code"}]},{"text":" file:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the following handler as the first handler:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\n\t\n\t\n","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the TPP validation handler after the ","type":"text"},{"text":"#if($apiObj.additionalProperties.get(\"ob-spec\") == \"uk\")","type":"text","marks":[{"type":"code"}]},{"text":" configuration as follows:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"#if($apiObj.additionalProperties.get(\"ob-spec\") == \"uk\")\n ## TPP validation service handler\n ","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Republish your Accounts, Payments, CoF, and DCR APIs with the ","type":"text"},{"text":"ob-spec, ob-api-version,","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"ob-api-type","type":"text","marks":[{"type":"code"}]},{"text":" properties. For more information see, ","type":"text"},{"text":"Deploying APIs for UK","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.wso2.com/display/OB200/Deploying+APIs+for+UK#DeployingAPIsforUK-CreateandpublishanAPI"}}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open each API xml file(Accounts, Payments, CoF, and DCR APIs) in ","type":"text"},{"text":"/repository/deployment/server/synapse-configs/default/api","type":"text","marks":[{"type":"code"}]},{"text":" and make sure that both ","type":"text"},{"text":"APIPropertiesHandler","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"TPPValidationHandler","type":"text","marks":[{"type":"code"}]},{"text":" are available.","type":"text"}]}]}]}]},{"type":"bodiedExtension","attrs":{"extensionType":"com.atlassian.confluence.macro.core","extensionKey":"multiexcerpt","parameters":{"macroParams":{"MultiExcerptName":{"value":"Custom_Certificate_Validation"},"atlassian-macro-output-type":{"value":"INLINE"}},"macroMetadata":{"macroId":{"value":"1c7d7a0f-1bf1-4b8b-a07a-e533621a4770"},"schemaVersion":{"value":"1"},"placeholder":[{"type":"icon","data":{"url":"https://raw.githubusercontent.com/fuegokit/appfire-design-systems-brand-svg/main/single-color-brand-icons/af-logo-multi-excerpt-24.svg"}}],"title":"MultiExcerpt (legacy)"}}},"content":[{"type":"heading","attrs":{"level":5},"content":[{"text":"Integrating a Custom Certificate Validation Service","type":"text"}]},{"type":"paragraph","content":[{"text":"If you want to integrate a custom validation service rather than OBIE, you can configure as follows:","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Implement the following interface for the required certificate validation service.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"java"},"content":[{"text":"package com.wso2.finance.open.banking.gateway.service;\npublic interface TPPValidationService {\n /**\n * Validate the status of a TPP\n *\n * @param peerCertificate Certificate of the TPP\n * @param requiredPSD2Roles Roles that are required to be validated with the TPP validation service according to\n * the current flow\n * @param metadata Metadata information\n * @return\n * @throws TPPValidationException\n */\n boolean validate(X509Certificate peerCertificate, List < PSD2RoleEnum > requiredPSD2Roles, Map < String, Object > metadata) throws TPPValidationException;\n\n /**\n * Get the cache key used for the caching the response. Implementation should return an appropriate ID that is\n * unique to the API flow.\n *\n * @param peerCertificate Certificate of the TPP\n * @param requiredPSD2Roles Roles that are required to be validated with the TPP validation service according to\n * the current flow\n * @param metadata Metadata information\n * @return\n * @throws TPPValidationException\n */\n String getCacheKey(X509Certificate peerCertificate, List < PSD2RoleEnum > requiredPSD2Roles, Map < String, Object > metadata) throws TPPValidationException;\n\n}","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Once implemented, build a JAR file for your custom certificate validation service.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Place the above-created JAR file in the ","type":"text"},{"text":"/repository/components/dropins","type":"text","marks":[{"type":"code"}]},{"text":" directory.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open the ","type":"text"},{"text":"/repository/conf/deployment.toml","type":"text","marks":[{"type":"code"}]},{"text":" file and find the ","type":"text"},{"text":"[open_banking.cert_mgt.tpp_validation_service] tag","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configure your TPP validation service using its ","type":"text"},{"text":"Fully Qualified Name (FQN)","type":"text"},{"text":" as follows:","type":"text"}]},{"type":"paragraph","content":[{"type":"hardBreak"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"[open_banking.cert_mgt.tpp_validation_service]\ncache_expiry=3600\ntpp_validation_impl_class=\"\"","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the following tags below the ","type":"text"},{"text":"[open_banking.cert_mgt.tpp_validation_service]","type":"text","marks":[{"type":"code"}]},{"text":" configurations:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"[open_banking.cert_mgt.tpp_validation_service.scope_regex_patterns]\naisp=\"accounts+\"\npisp=\"payments+\"\ncbpii=\"fundsconfirmations+\"","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Make sure you have the following handler as the first handler under the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" section in the ","type":"text"},{"text":"/repository/resources/api_templates/velocity_template.xml","type":"text","marks":[{"type":"code"}]},{"text":" file. Otherwise add the handler.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\t\n\t\n\t\n","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Add the ","type":"text"},{"text":"TPPValidationHandler","type":"text","marks":[{"type":"code"}]},{"text":" handler right after the ","type":"text"},{"text":"#if($apiObj.additionalProperties.get(\"ob-spec\") == \"uk\")","type":"text","marks":[{"type":"code"}]},{"text":" configuration in the ","type":"text"},{"text":"/repository/resources/api_templates/velocity_template.xml","type":"text","marks":[{"type":"code"}]},{"text":" file.","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"#if($apiObj.additionalProperties.get(\"ob-spec\") == \"uk\")\n ## TPP validation service handler\n ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Republish your Accounts, Payments, CoF and DCR APIs using publisher. Make sure that you have added the ","type":"text"},{"text":"ob-spec, ob-api-version","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"ob-api-type","type":"text","marks":[{"type":"code"}]},{"text":" properties before republishing the APIs.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Open each API xml file (Accounts, Payments, CoF and DCR APIs) in ","type":"text"},{"text":"/repository/deployment/server/synapse-configs/default/api","type":"text","marks":[{"type":"code"}]},{"text":" directory and make sure that both ","type":"text"},{"text":"APIPropertiesHandler","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"TPPValidationHandler","type":"text","marks":[{"type":"code"}]},{"text":" are added under the ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" section.","type":"text"}]}]}]}]}]}],"version":1},"cxhtml":"TPP_ValidationINLINE

TPP Validation Service

TPP validation service allows OBIE-registered Account Servicing Payment Service Providers (ASPSPs) to validate TPPs from the NCAs. This is done by validating QWAC or OBWAC. Follow the steps to enable this service:

This is available only as a WUM update effective from January 03, 2021 (01-03-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

TPP_Validation_SupportINLINE

Prerequisites:

Make sure you have uploaded QWAC or OBWAC as the transport certificate in <WSO2_OB_APIM_HOME>/repository/resources/security/wso2carbon.jks.
Update <WSO2_OB_APIM_HOME>/repository/resources/security/client-truststore.jks with the OBIE root, issuer certificates as mentioned .

Add the QSealC keypair corresponding to QWAC or OBSealC keypair corresponding to OBWAC into a new JKS. For example, wso2carbon-signing.jks.
Place the JKS file in the <WSO2_OB_APIM_HOME>/repository/resources/security directory.
Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file:
1. Add the following configs under the <CertificateManagement> section:
  - The SoftwareStatementId value needs to be configured according to the OBWAC/QWAC that has been configured in the <WSO2_OB_APIM_HOME>/repository/resources/security/wso2carbon.jks.
  - The OBIE service-related endpoints are for the OBIE sandbox environment.
    xml\n\t3600\n\tcom.wso2.finance.open.banking.gateway.service.obie.OBIECertValidationServiceImpl\n\t\n\t\tykNOgWd2RgnuoLRRyWBkaY\n\t\t\n\t\t\tASPSPReadAccess\n\t\t\tTPPReadAccess\n\t\t\tAuthoritiesReadAccess\n\t\t\n\t\thttps://matls-sso.openbankingtest.org.uk/as/token.oauth2\n\t\thttps://matls-dirapi.openbankingtest.org.uk/certificate/validate\n\t\thttps://matls-api.openbankingtest.org.uk/scim/v2/OBAccountPaymentServiceProviders\n\t\tGB\n\t\n\t\n\t\taccounts+\n\t\tpayments+\n\t\tfundsconfirmations+\n\t\n]]>
2. Configure the <SigningKeystore> tag with the file path of the JKS file that contains the OBSealC.
3. Configure the <SigningCertificateAlias> and the <SigningCertificateKid> tags with the alias and KID value of the signing certificate (OBSealC):
  xml\n\t\n\tsigning\n\t\n\t1pbTEt6v6_o0WpPFzmNXj6ediKw\n\t\n\t\t${carbon.home}/repository/resources/security/wso2carbon-signing.jks\n\t\twso2carbon\n\t\twso2carbon\n\t\n]]>
Open the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file:
1. Add the following handler as the first handler:
  xml\n\t\n\t\n\t\n]]>
2. Add the TPP validation handler after the #if($apiObj.additionalProperties.get("ob-spec") == "uk") configuration as follows:
  xml]]>
Republish your Accounts, Payments, CoF, and DCR APIs with the ob-spec, ob-api-version, and ob-api-type properties. For more information see, Deploying APIs for UK.
Open each API xml file(Accounts, Payments, CoF, and DCR APIs) in <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api and make sure that both APIPropertiesHandler and TPPValidationHandler are available.

Custom_Certificate_ValidationINLINE

Integrating a Custom Certificate Validation Service

If you want to integrate a custom validation service rather than OBIE, you can configure as follows:

Implement the following interface for the required certificate validation service.
java requiredPSD2Roles, Map < String, Object > metadata) throws TPPValidationException;\n\n /**\n * Get the cache key used for the caching the response. Implementation should return an appropriate ID that is\n * unique to the API flow.\n *\n * @param peerCertificate Certificate of the TPP\n * @param requiredPSD2Roles Roles that are required to be validated with the TPP validation service according to\n * the current flow\n * @param metadata Metadata information\n * @return\n * @throws TPPValidationException\n */\n String getCacheKey(X509Certificate peerCertificate, List < PSD2RoleEnum > requiredPSD2Roles, Map < String, Object > metadata) throws TPPValidationException;\n\n}]]>
Once implemented, build a JAR file for your custom certificate validation service.
Place the above-created JAR file in the <WSO2_OB_APIM_HOME>/repository/components/dropins directory.
Open the <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml file and find the [open_banking.cert_mgt.tpp_validation_service] tag.
Configure your TPP validation service using its Fully Qualified Name (FQN) as follows:

xml
Add the following tags below the [open_banking.cert_mgt.tpp_validation_service] configurations:
xml
Make sure you have the following handler as the first handler under the <Handlers> section in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file. Otherwise add the handler.
xml\n\t\n\t\n\t\n]]>
Add the TPPValidationHandler handler right after the #if($apiObj.additionalProperties.get("ob-spec") == "uk") configuration in the <WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml file.
xml]]>
Republish your Accounts, Payments, CoF and DCR APIs using publisher. Make sure that you have added the ob-spec, ob-api-version and ob-api-type properties before republishing the APIs.
Open each API xml file (Accounts, Payments, CoF and DCR APIs) in <WSO2_OB_APIM_HOME>/repository/deployment/server/synapse-configs/default/api directory and make sure that both APIPropertiesHandler and TPPValidationHandler are added under the <handlers> section.

"}}},{"type":"heading","attrs":{"level":4},"content":[{"text":"Dynamic Client Registration (DCR)","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The TPP must generate a Software Statement Assertion (SSA) in the OB Directory.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The TPP must associate transport and application layer certificates with the Software Statement.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Once associated, the certificates are available in the SSA under the","type":"text"},{"text":" ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#24292e"}}]},{"text":"software_jwks_endpoint","type":"text","marks":[{"type":"code"}]},{"text":" parameter.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#24292e"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Invoke the DCR endpoint using the QWAC/OBWAC as the transport certificate in the request header. ","type":"text"},{"text":"To find sample request and response for the API invocation, see ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#24292e"}}]},{"text":"Registering an application","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.wso2.com/display/OB140/Dynamic+Client+Registration+v3.2#DynamicClientRegistrationv3.2-Registeringanapplication"}},{"type":"textColor","attrs":{"color":"#24292e"}}]},{"text":".","type":"text","marks":[{"type":"textColor","attrs":{"color":"#24292e"}}]}]},{"type":"extension","attrs":{"extensionType":"com.atlassian.confluence.migration","extensionKey":"legacy-content","text":"","parameters":{"reason":"An info macro in a list item can't be created or edited in the new editor.","nestedContent":{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The application registration request relies on Mutual Transport Layer Security (MTLS) authentication for TPP authentication to validate the TPP. Thereby, the Account Servicing Payment Service Provider (ASPSP) extracts:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":" ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"software_jwks_endpoint","type":"text","marks":[{"type":"code"}]},{"text":" from the SSA and validates whether the transport certificate that is used to initiate the MTLS connection contains in the ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"software_jwks_endpoint","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":" ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"software_jwks_endpoint","type":"text","marks":[{"type":"code"}]},{"text":" from the SSA and stores in the application for future validations during token generation and API invocations.","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]}]}]}]}],"version":1},"cxhtml":"

The application registration request relies on Mutual Transport Layer Security (MTLS) authentication for TPP authentication to validate the TPP. Thereby, the Account Servicing Payment Service Provider (ASPSP) extracts:

software_jwks_endpoint from the SSA and validates whether the transport certificate that is used to initiate the MTLS connection contains in the software_jwks_endpoint.
software_jwks_endpoint from the SSA and stores in the application for future validations during token generation and API invocations.

"}}},{"type":"paragraph","content":[{"text":"The following diagram describes how the ASPSP validates the TPP in the DCR flow:","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"align-start","width":500,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":1078,"id":"e6599a31-d8ca-4bc7-9135-8d277d8bf48d","collection":"contentId-48629571","type":"file","height":507}}]}]}]},{"type":"paragraph","content":[{"text":"Following document explains how to configure DCR in WSO2 Open Banking:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Dynamic Client Registration v3.2","type":"text","marks":[{"type":"link","attrs":{"href":"https://wso2docs.atlassian.net/wiki/spaces/OB200/pages/48629830"}}]}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Token generation","type":"text"}]},{"type":"paragraph","content":[{"text":"WSO2 Open Banking supports Private Key JSON Web Token (JWT) and MTLS as token authentication methods. ","type":"text"}]},{"type":"table","attrs":{"layout":"align-start"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Authentication method","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text","marks":[{"type":"strong"}]}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Private Key JWT","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Sign JWT using QSealC or OBSealC.","type":"text"}]},{"type":"paragraph","content":[{"text":"The signing certificate needs to be mentioned under ","type":"text"},{"text":"software_jwks_endpoint","type":"text","marks":[{"type":"code"}]},{"text":" of the SSA. ","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"MTLS","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1},"content":[{"type":"paragraph","content":[{"text":"Initiate the access token request using the QWAC or OBWAC certificate as the certificate for mutual authentication. In the request header, mention the path to the public and private keys of the transport certificate. To find the sample request for the user-access token, see ","type":"text"},{"text":"Account and Transaction API","type":"text","marks":[{"type":"link","attrs":{"href":"https://wso2docs.atlassian.net/wiki/spaces/OB200/pages/48630778/Account+and+Transaction+API+v3.1.5#AccountandTransactionAPIv3.1.5-Step12-Generateuseraccesstoken"}}]},{"text":".","type":"text"}]},{"type":"paragraph","content":[{"text":"Thereby, the public key of the transport certificate provided for the token endpoint will be verified against the ","type":"text"},{"text":"software_jwks_endpoint","type":"text","marks":[{"type":"code"}]},{"text":" in the SSA.","type":"text"}]}]}]}]},{"type":"paragraph","content":[{"text":"The following diagram describes how the token generation is implemented in WSO2 Open Banking with accordance to eIDAS:","type":"text"}]},{"type":"mediaSingle","attrs":{"layout":"align-start","width":800,"widthType":"pixel"},"content":[{"type":"media","attrs":{"width":1280,"id":"7718a4b1-5a5b-44b8-a6a6-9a02c2be0904","collection":"contentId-48629571","type":"file","height":879}}]},{"type":"paragraph","content":[{"text":"For more information about the token authentication methods used in WSO2 Open Banking, see ","type":"text"},{"text":"API Security","type":"text","marks":[{"type":"link","attrs":{"href":"https://wso2docs.atlassian.net/wiki/spaces/OB200/pages/48629558/API+Security+for+UK#APISecurityforUK-Tokenendpointsecurity"}}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"API invocation","type":"text"}]},{"type":"paragraph","content":[{"text":"Account Information Service Provider, Payment Initiation Service Provider, and Card-Based Payment Instrument Issuer are roles for a TPP. This role is validated so that only a particular TPP is allowed to invoke an API. APIs are protected using MTLS, which uses the QWAC as the transport certificate in each of the requests. To see how MTLS affects in the API invocations, see","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":" ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"API Security for Berlin","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.wso2.com/display/OB200/API+Security+for+Berlin#APISecurityforBerlin-MutualTransportLayerSecurity(MTLS)"}}]},{"text":".","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]},{"text":"APIs are protected using MTLS, which uses the QWAC or OBWAC as the transport certificate in each of the requests. To enable to MTLS in the API invocations, see ","type":"text"},{"text":"Mutual Transport Layer Security","type":"text","marks":[{"type":"link","attrs":{"href":"https://wso2docs.atlassian.net/wiki/spaces/OB200/pages/48629558/API+Security+for+UK#APISecurityforUK-MutualTransportLayerSecurity(MTLS)"}}]},{"text":".","type":"text"}]},{"type":"paragraph"}]}],"version":1}

eIDAS Implementation for UK