This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Using the Signup Workflow for Berlin

Third-Party Providers (TPPs) (/wiki/spaces/OB200/pages/48629460) can create third-party applications to facilitate banking services exposed via Bank APIs.

Before TPPs are connected with banks and onboarded, they are subjected to thorough verification. This verification includes a comprehensive sign-up process at the API Store, the developer portal of WSO2 Open Banking. For a TPP to start providing open banking services, it has to be registered under a Competent Authority, which is a regulatory body that authorizes and supervises the open banking services delivered by the TPP.

This page instructs you how to try out a sample TPP onboarding process.

Prerequisites

  1. Download WSO2 Enterprise Integrator (WSO2 EI) 6.6.0 and unzip the file.
  2. Set the path (WSO2EI_PATH) and hostname (EI_HOSTNAME) to WSO2 EI in the <WSO2_OB_APIM_HOME>/repository/resources/finance/script/startup.properties file.

    If you are using Microsoft SQL Server or Oracle, create the bpsdb and bps_configdb databases.

  3. Go to the <WSO2_OB_APIM_HOME>/repository/resources/finance/scripts/wso2ei-bps directory and give execution permissions to the configure-bps.sh file.

  4. Run configure-bps.sh

  5. Add the Business Process Execution Language (BPEL) and human task workflows using the web interface:
    1. Log into https://<<WSO2_EI_HOSTNAME>>:9445/carbon

      Sign in as a super admin. The default credentials are:
      • Username: admin@wso2.com
      • Password: wso2123

    2. Click Main → Manage → Processes → Add BPEL and select Upload to upload the BPEL workflows:
      1. ApplicationRegistrationWorkflowProcess_1.0.0.zip
      2. UserSignupApprovalProcess_1.0.0.zip 
    3. Click Main → Manage → Human Tasks → Add and select Upload to upload the human task workflows:
      1. UserApprovalTask-1.0.0.zip
      2. ApplicationRegistrationTask-1.0.0.zip
  6. Change the URL of WSO2CARBON_DB in <WSO2_EI_HOME>/wso2/business-process/conf/datasources/master-datasources.xml to an explicit relative path.

     A sample configuration:
    <url>jdbc:h2:./repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE;LOCK_TIMEOUT=60000</url>
  7. Add the jdbc drivers to <WSO2_EI_HOME>/lib.
  8. Navigate to the <WSO2_EI_HOME>/wso2/business-process/bin directory, and execute the following command:

    ./wso2server.sh -Dsetup
  9. Sign in to the API management console https://<WSO2_OB_APIM_HOST>:9443/carbon.

    Sign in as a super admin. The default credentials are:
    • Username: admin@wso2.com
    • Password: wso2123

  10. Click Main → Resources → Browse.

  11. Navigate to the /_system/governance/apimgt/applicationdata/workflow-extensions.xml registry file.

  12. In the workflow-extensions.xml registry file, navigate to Content and click Edit as text.

  13. Add the following configurations under ProductionApplicationRegistration and UserSignUp in the registry file:

    <ProductionApplicationRegistration executor="com.wso2.finance.tpp.prodaccess.impl.TPPProdAccessWorkFlow">
        <Property name="serviceEndpoint">http://localhost:9765/services/ApplicationRegistrationWorkFlowProcess/</Property>
        <Property name="username">admin@wso2.com@carbon.super</Property>
        <Property name="password">wso2123</Property>
        <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
    </ProductionApplicationRegistration>
    <UserSignUp executor="com.wso2.finance.tpp.signup.impl.TPPSignUpWorkFlow">
        <Property name="serviceEndpoint">http://localhost:9765/services/UserSignupProcess/</Property>
        <Property name="username">admin@wso2.com@carbon.super</Property>
        <Property name="password">wso2123</Property>
        <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
        <Property name="aispRole">internal/aispRole</Property>
        <Property name="pispRole">internal/pispRole</Property>
        <Property name="piispRole">internal/piispRole</Property>
    </UserSignUp>
  14. Click  Save Content.
  15. Add claim configurations:

    If you are starting the WSO2 OB IAM and WSO2 OB APIM servers for the first time or for a newly created tenant, follow the instructions given below. Otherwise, you need to add the claim configurations as external claims via the web interfaces, as instructed here.


    Add the following claim configurations to the <WSO2_OB_IAM_HOME>/repository/conf/claim-config.xml and <WSO2_OB_APIM_HOME>/repository/conf/claim-config.xml files:

    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicName</ClaimURI>
        <DisplayName>Legal entity name</DisplayName>
        <AttributeID>pspName</AttributeID>
        <Description>Payment Service Providers name</Description>
        <DisplayOrder>11</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicCountryRegistration</ClaimURI>
        <DisplayName>Country of registration</DisplayName>
        <AttributeID>pspCountry</AttributeID>
        <Description>Country of registration</Description>
        <DisplayOrder>12</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterAuthorizedNumber</ClaimURI>
        <DisplayName>Legal Entity Identifier (LEI) number</DisplayName>
        <AttributeID>pspAuthorizedNumber</AttributeID>
        <Description>Legal Entity Identifier (LEI) number</Description>
        <DisplayOrder>13</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterName</ClaimURI>
        <DisplayName>Company register</DisplayName>
        <AttributeID>pspRegisterCompany</AttributeID>
        <Description>Company register</Description>
        <Required />
        <DisplayOrder>14</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterNumber</ClaimURI>
        <DisplayName>Company registration number</DisplayName>
        <AttributeID>pspRegisterNumber</AttributeID>
        <Description>Company registration number</Description>
        <Required />
        <DisplayOrder>15</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterAddressLine1</ClaimURI>
        <DisplayName>Address line 1</DisplayName>
        <AttributeID>pspRegisterAddressLine1</AttributeID>
        <Description>Address line 1</Description>
        <DisplayOrder>16</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterAddressLine2</ClaimURI>
        <DisplayName>Address line 2</DisplayName>
        <AttributeID>pspRegisterAddressLine2</AttributeID>
        <Description>Address line 2</Description>
        <DisplayOrder>17</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterCity</ClaimURI>
        <DisplayName>City</DisplayName>
        <AttributeID>pspRegisterCity</AttributeID>
        <Description>City</Description>
        <DisplayOrder>18</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterPostalCode</ClaimURI>
        <DisplayName>Postal code</DisplayName>
        <AttributeID>pspRegisterPostalCode</AttributeID>
        <Description>Postal code</Description>
        <DisplayOrder>19</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspBasicRegisterCountry</ClaimURI>
        <DisplayName>Country</DisplayName>
        <AttributeID>pspRegisterCountry</AttributeID>
        <Description>Country</Description>
        <Required />
        <DisplayOrder>20</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityCountry</ClaimURI>
        <DisplayName>Competent authority country</DisplayName>
        <AttributeID>pspCompetentAuthorityCountry</AttributeID>
        <Description>Competent authority country</Description>
        <DisplayOrder>21</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthority</ClaimURI>
        <DisplayName>Competent authority</DisplayName>
        <AttributeID>pspCompetentAuthority</AttributeID>
        <Description>Competent authority</Description>
        <Required />
        <DisplayOrder>22</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityRegisistrationNumber</ClaimURI>
        <DisplayName>Competent authority registration number</DisplayName>
        <AttributeID>pspCompetentAuthorityRegistrationNumber</AttributeID>
        <Description>Competent authority registration number</Description>
        <Required />
        <DisplayOrder>23</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityUrl</ClaimURI>
        <DisplayName>URL of the competent authority register page showing the entity</DisplayName>
        <AttributeID>pspCompetentAuthorityUrl</AttributeID>
        <Description>Competent authority url</Description>
        <Required />
        <DisplayOrder>24</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityRole</ClaimURI>
        <DisplayName>Please select the Open Banking role(s) you wish to enrol for</DisplayName>
        <AttributeID>pspCompetentAuthorityRole</AttributeID>
        <Description>Please select the Open Banking role(s) you wish to enrol for</Description>
        <DisplayOrder>25</DisplayOrder>
        <Required />
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityRoleVerify</ClaimURI>
        <DisplayName>Are you registered to provide the services for all the role(s) you have selected?</DisplayName>
        <AttributeID>pspCompetentAuthorityRoleVerify</AttributeID>
        <Description>Are you registered to provide the services for all the role(s) you have selected?</Description>
        <Required />
        <DisplayOrder>26</DisplayOrder>
        <SupportedByDefault />
    </Claim>
    <Claim>
        <ClaimURI>http://wso2.org/claims/pspCompetentAuthorityRoleVerify2</ClaimURI>
        <DisplayName>Have you applied for registration to provide the services for the role(s) you have selected?</DisplayName>
        <AttributeID>pspCompetentAuthorityRoleVerify2</AttributeID>
        <Description>Have you applied for registration to provide the services for the role(s) you have selected?</Description>
        <DisplayOrder>27</DisplayOrder>
        <SupportedByDefault />
    </Claim>
  16. Configure the e-mail sending module:
    1. Add the following properties to the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml file:

      [output_adapter.email]
      from_address= "<mail address from which you want to send the notification>"
      username= "<username of the mail account you have provided in from_address>"
      password= "<password of the mail account you have provided in from_address>"
      hostname= "<hostname of the SMTP server to connect to>"
      port= <port of the SMTP server to connect to; if the connect() method does not explicitly specify one, the default is 25>
      enable_start_tls= <If true, enables the use of the STARTTLS command. The default is false>
      enable_authentication= <If true, attempts to authenticate the user using the AUTH command. The default is false>

      If you are using a Google mail account, note that Google has restricted third-party apps and less secure apps from sending emails by default. Therefore, you need to configure your account to disable this restriction when sending emails to confirm user registrations.

      1. Navigate to https://myaccount.google.com/security.
      2. Click Signing in to Google on the left menu and make sure that 2-Step Verification is disabled or off.
      3. Click Connected apps and sites on the left menu and enable Allow less secure apps.

Before you begin

Before you try out the signup workflow, make sure to create the following users and roles:

  • internal/aispRole
  • internal/pispRole
  • internal/piispRole
  • internal/approverRole

For instructions to create users and roles, see Configuring Users and Roles.


Step 01 - Sign up as a TPP

  1. Navigate to the WSO2 Open Banking Developer portal at https://<WSO2_OB_APIM_HOST>:9443/devportal.

  2. Go to the Applications tab in the Developer Portal.

  3. In the Sign-in form, click Create Account.
  4. Provide a username and click Proceed Self Register.
  5. Fill the Create New Account form to complete registration.
  6. Read terms and conditions. Click the checkbox to agree to the terms and conditions.

  7. Click Register.

If you have configured the workflows in WSO2 Open Banking as described under Prerequisites, a request to approve the user sign-up is sent to the admin users.


Step 02 - Approve the TPP user account

Follow the steps below to approve the newly created TPP user account:

It is not mandatory to include the approval step for the TPP user. In order to add this step, make sure you have configured the WSO2 OB EI, WSO2 OB IAM, and WSO2 OB APIM instances as explained under Prerequisites.

  1. Navigate to the Admin Portal at https://<WSO2_OB_APIM_HOST>:9443/admin.

  2. Locate the approval request and click Assign To Me.    

  3. Click Start to start the approval process.
  4. Select Approve and click Complete.

    The TPP user can now sign in to the API Store.

Step 03 - Sign in as a TPP user

  1. Sign in to the Developer portal as the TPP at https://<WSO2_OB_APIM_HOST>:9443/devportal.

  2. Enter the username and the password you entered when signing up as a TPP.  
  3. Click Continue.

The homepage of the Developer portal is now displayed along with the published APIs.


Step 04 - Create an application

  1. Go to the Applications tab in the Developer Portal.

  2. Click ADD NEW APPLICATION.


  3. Enter application details.

    • WSO2 Open Banking currently authenticates the TPP applications using the Reference (Opaque) method.
    • For the Application Certificate, you need to upload the QSealC certificate obtained from a Qualified Trust Service Provider (QTSP). For testing purposes, WSO2 Open Banking provides a sample eIDAS certificate. 

      To download the sample eIDAS certificate, click here.

      You can validate the Organization Identifier field against a custom regex that you provide:

      This is available only as a WSO2 Update and is effective from August 11, 2021 (08-11-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

      1. Open the <WSO2_OB_APIM_HOME>/repository/deployment/jaggeryapps/devportal/site/public/theme/settings.js file.
      2. Inside the openbanking element, add the orgIdRegex and maxAllowedInputLength tags as follows: 

        openbanking: {
            spec: 'BERLIN',
            grantTypes: {
                authorization_code: 'Code',
                implicit: 'Implicit',
                refresh_token: 'Refresh Token',
                client_credentials: 'Client Credentials',
            },
            orgIdRegex: '^OB:[A-Z]{2}-[A-Z]{3}-[a-zA-Z0-9]*$',
            maxAllowedInputLength: 20
        }
        
        1. orgIdRegex: Organization Identifier is validated against this regex value.
        2. maxAllowedInputLength: The maximum length allowed for an Organization Identifier.
      3. orgIdRegex and maxAllowedInputLength are optional configurations. If they are not configured, the default regex value is used without input length validation. The default regex value is as follows:

        ^PSD[A-Z]{2}-[A-Z]{2,8}-[[a-zA-Z0-9]*$
      4. You can customize the error message that is displayed when the above validation fails. 
        1. Open the <WSO2_OB_APIM_HOME>/repository/deployment/jaggeryapps/devportal/site/public/locales/en.js file.
        2. Update the following fields as required:
          • Shared.AppsAndKeys.OBConfiguration.org.id.content.helper
          • Shared.AppsAndKeys.OBConfiguration.org.id.content.helper.error

  4. Click SAVE.

    An application can be used to subscribe to multiple APIs. See Subscribe to an API for the instructions.
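As an added example (not WSO2 devportal code), the following stand-alone JavaScript applies the orgIdRegex and maxAllowedInputLength rules described above to sample Organization Identifiers, so an operator can check a custom regex before deploying it; the function names, the result shape and the sample identifiers are assumptions of this example.

```javascript
// Added example (not WSO2 devportal code): applies the Organization Identifier
// rules that settings.js configures (orgIdRegex, maxAllowedInputLength) to
// sample inputs, so an operator can check a custom regex before deploying it.

// Default pattern quoted on this page; used when orgIdRegex is not configured.
const DEFAULT_ORG_ID_REGEX = '^PSD[A-Z]{2}-[A-Z]{2,8}-[[a-zA-Z0-9]*$';

// Custom configuration from the page's settings.js sample.
const customConfig = {
  spec: 'BERLIN',
  orgIdRegex: '^OB:[A-Z]{2}-[A-Z]{3}-[a-zA-Z0-9]*$',
  maxAllowedInputLength: 20,
};

// Neither optional key set: the default regex applies and no length validation is done.
const defaultConfig = { spec: 'BERLIN' };

// A pattern that is not anchored at both ends matches any input that merely
// contains a valid identifier, so this check flags that misconfiguration.
function isFullyAnchored(pattern) {
  return pattern.startsWith('^') && pattern.endsWith('$');
}

// Returns { valid: true } or { valid: false, reason } where reason is
// 'config' (regex does not compile), 'length' or 'pattern'.
// Function name and result shape are assumptions of this example.
function validateOrgId(orgId, openbanking) {
  const pattern = openbanking.orgIdRegex || DEFAULT_ORG_ID_REGEX;
  let re;
  try {
    re = new RegExp(pattern);
  } catch (e) {
    // A broken operator-supplied regex must fail closed, not let input through.
    return { valid: false, reason: 'config' };
  }
  const max = openbanking.maxAllowedInputLength;
  if (Number.isInteger(max) && orgId.length > max) {
    return { valid: false, reason: 'length' };
  }
  if (!re.test(orgId)) {
    return { valid: false, reason: 'pattern' };
  }
  return { valid: true };
}

// Sample identifiers (constructed for this example).
const samples = ['OB:DE-BAF-12345', 'OB:DE-BAF-' + 'x'.repeat(15), 'OB:de-BAF-1'];
for (const id of samples) {
  console.log(id, '->', JSON.stringify(validateOrgId(id, customConfig)));
}
console.log('custom regex anchored:', isFullyAnchored(customConfig.orgIdRegex));
```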


Step 05 - Subscribe to an API

  1. Go to the APIs tab in the Developer portal.

  2. Select the NextGenPSD2XS2A Framework API. 
  3. Go to Subscriptions at the bottom of the API and select SUBSCRIBE.
  4. Select an Application from the drop-down list, set the Throttling Policy and click SUBSCRIBE.
  5. Once you subscribe, you can find the list of subscriptions at the bottom.

Now that you have subscribed to the API, generate access tokens and invoke the API.


Step 06 - Create and upload certificates

In order to use self-signed certificates as described in the steps below, disable certificate revocation validation in the <WSO2_OB_IAM_HOME>/repository/conf/deployment.toml and <WSO2_OB_APIM_HOME>/repository/conf/deployment.toml files as follows:

[open_banking.cert_mgt.cert_revocation_proxy]
enable = false


  1. A keystore file is used to store the trusted certificates of the TPP in the WSO2 Open Banking solution. Use the commands given below in a command-line interface to create a keystore file as a TPP.

    Make sure to update the following placeholders:

    <alias>: A preferred alias for the keystore file.
    <filename>: A preferred name for the keystore file.

    keytool -genkey -alias <alias> -keyalg RSA -keystore <filename>.jks

    During the command execution, the TPP user is required to:

    1. Set a password for the keystore.
    2. Provide the information acquired when registering with a governing entity.
    3. Set a password for the user-defined alias (<alias>).
  2. Convert the keystore from the .jks format to the PKCS12 format. Make sure to update the following placeholders:

    <keyStoreName>: This is the name of the <filename> given above.
    <PKCS12FileName>: This is the name of the keystore in the PKCS12 format.

    keytool -importkeystore -srckeystore <keyStoreName>.jks -destkeystore <PKCS12FileName>.p12 -deststoretype PKCS12

    During the command execution, the TPP user is required to:

    1. Set a password for the destination keystore.
    2. Enter the source keystore password, as defined in the above step.
  3. Create the application certificate (.pem) file from the keystore in the PKCS12 format, e.g. tpp.p12.

    Make sure to update the following placeholders:

    <PKCS12FileName>: This is the name of the keystore in the PKCS12 format, as mentioned above for <PKCS12FileName>.
    <PEMFileName>: This is the name of the application certificate that is created in the .pem format.

    openssl pkcs12 -in <PKCS12FileName>.p12 -nokeys -out <PEMFileName>.pem

    During the command execution, the TPP user is required to:

    1. Enter the password of the PKCS12 keystore when prompted for the import password, so that the .pem file can be extracted.

Once you create a self-signed root certificate, upload it to the client trust stores of WSO2 OB APIM and WSO2 OB IAM. 

  • Locate the client trust stores in WSO2 OB APIM and WSO2 OB KM in the following directory paths:
    • <WSO2_OB_APIM_HOME>/repository/resources/security/client-truststore.jks
    • <WSO2_OB_IAM_HOME>/repository/resources/security/client-truststore.jks
  • Use the following command to upload the self-signed certificate:

    keytool -import -alias <alias> -keystore client-truststore.jks -file <PEMFileName>.pem

Step 07 - Generate keys

  1. Sign in to WSO2 Open Banking Developer portal as a TPP user.

  2. Go to the Applications tab and select the application you used to subscribe to the Confirmation of Funds API.

  3. Scroll down and select either of the following types of keys:
    1. Production Keys: Generates access tokens in the production environment.

    2. Sandbox Keys: Generates access tokens in the sandbox environment.

  4. Click Manage at the bottom of the application.
  5. Provide the requested information as defined below:

    Field / Description

    Grant Types
      These determine the credentials that are used to generate the access token.
      • Code: This relates to the authorisation code grant type and is applicable when consuming the API as a user.
      • Implicit: This is similar to the code grant type, but instead of generating a code, it directly provides the access token.
      • Refresh Token: This is used to renew an expired access token.
      • Client Credentials: This relates to the client credentials grant type and is applicable when consuming the API as an application.

    Callback URL
      This is the URL used by the TPP to receive the authorisation code sent from the Account Servicing Payment Service Provider (ASPSP), e.g. the bank. The authorisation code can be used later to generate an OAuth2 access token.

    Application Certificate
      This is the content between the BEGIN CERTIFICATE and END CERTIFICATE strings of the application certificate (.PEM) that you created above.
      For testing purposes, you can click here to download a sample application certificate, if you have configured the OB certificates.

  6. Click GENERATE KEYS to generate production or sandbox keys. This generates a consumer key and a consumer secret.
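As an added example (not WSO2 Open Banking code) for the Application Certificate field, the following JavaScript takes the .pem produced by openssl pkcs12 -nokeys in Step 06, which prefixes the certificate with Bag Attributes lines, and returns only the content between the BEGIN CERTIFICATE and END CERTIFICATE markers, refusing any input that carries a private key; the function name, the result shape and the sample .pem text (a placeholder, not a real certificate) are assumptions of this example.

```javascript
// Added example (not WSO2 Open Banking code): prepares the Application Certificate
// field value from a .pem produced by "openssl pkcs12 -nokeys" (Step 06). That
// output prefixes each certificate with "Bag Attributes" lines that must not be pasted.

const BEGIN = '-----BEGIN CERTIFICATE-----';
const END = '-----END CERTIFICATE-----';

// Returns { body, count }: body is the base64 between the first BEGIN/END
// CERTIFICATE markers with whitespace and Bag Attributes stripped; count is the
// number of certificate blocks found (a PKCS12 export may hold a chain).
// Throws if the text carries a private key or no parsable certificate.
// Function name and result shape are assumptions of this example.
function extractCertificateBody(pemText) {
  // The portal field takes the public certificate only; never paste a key.
  if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(pemText)) {
    throw new Error('private key material found; only the certificate belongs in this field');
  }
  const blocks = [];
  const re = /-----BEGIN CERTIFICATE-----([\s\S]*?)-----END CERTIFICATE-----/g;
  let m;
  while ((m = re.exec(pemText)) !== null) {
    blocks.push(m[1].replace(/\s+/g, ''));
  }
  if (blocks.length === 0) throw new Error('no CERTIFICATE block found');
  const body = blocks[0];
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(body)) throw new Error('certificate body is not base64');
  // A DER certificate is an ASN.1 SEQUENCE, so the first decoded byte is 0x30.
  const der = Buffer.from(body, 'base64');
  if (der.length === 0 || der[0] !== 0x30) throw new Error('decoded body is not DER');
  return { body, count: blocks.length };
}

// Constructed sample in the shape openssl pkcs12 emits; the base64 is a tiny
// placeholder SEQUENCE, not a real certificate.
const samplePem = [
  'Bag Attributes',
  '    friendlyName: tpp',
  '    localKeyID: 54 69 6D 65 20 31',
  'subject=CN = tpp, O = Example TPP',
  'issuer=CN = tpp, O = Example TPP',
  BEGIN,
  'MAMC',
  'AQE=',
  END,
  '',
].join('\n');

const result = extractCertificateBody(samplePem);
console.log(`certificates: ${result.count}, field value: ${result.body}`);
```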

Step 08 - Approve key generation

Follow the steps below to approve the access key generation:

  1. Navigate to the Admin Portal.
  2. Click Tasks > Application Registration.
  3. Locate the approval request and click Assign To Me.
  4. Click Start to start the approval process.
  5. Select Approve and then click Complete.

Next, you can create an application access token to invoke the APIs. For more information, see: