This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

Running the Security Conformance Suite for Australia

WSO2 Open Banking 2.0 supports the OpenID Conformance Suite v4.1.1.

The conformance suite tests the security standards defined by the OpenID Foundation (OIDF). Following them maximises the security of the APIs and provides a robust data flow in Open Banking. An advantage of using the OIDF security standards is that the Data Holder can attest the affiliated payment service providers through a self-certification process.

The WSO2 Open Banking solution lets you comply with a conformance suite that the Data Holder configures. The following configurations set up the WSO2 Open Banking solution to the specification standards required for conformance.

Prerequisites

  1. Set up the WSO2 Open Banking solution for Australia following the instructions given in Try Local Setup.
  2. Once you register the application, enable ID token encryption as follows:
    1. Log in to the Management Console of WSO2 Open Banking Identity and Access Management at https://<WSO2_OB_IAM_HOST>:9446/carbon.
    2. Navigate to Service Providers → List on the left pane menu and open the service provider that was created for your application.
    3. Expand Inbound Authentication Configuration → OAuth/OpenID Connect Configuration and click Configure.
    4. Select Enable ID Token Encryption.

      Once you enable ID token encryption, two select boxes appear for choosing the encryption algorithm and the encryption method. Both follow JWE (RFC 7516): the ID token is issued as a JWE whose protected header carries them as alg and enc.

      • Encryption Algorithm (alg): the asymmetric algorithm used to encrypt the Content Encryption Key (CEK) with the service provider's public key. The service provider's public key or certificate must therefore be registered with the solution, and only the holder of the matching private key can read the ID token.

      • Encryption Method (enc): the symmetric, authenticated algorithm used to encrypt the JWT claims set with the CEK. Its authentication tag also covers the protected header, so a recipient detects any change to alg, enc or the ciphertext.
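As an added illustration (not code from the WSO2 product or from this page), the following Go program shows what the two settings mean on the wire: it builds a compact JWE of an ID token claims set with alg RSA-OAEP-256 wrapping a fresh CEK and enc A256GCM encrypting the claims, then decrypts it as the service provider would. The key pair is generated on the spot as a stand-in for the service provider's registered key, and the claim values are constructed sample data. A production ID token is a nested JWT (the signed JWS is what gets encrypted, with cty "JWT" in the header); that nesting is omitted here to keep the focus on alg and enc. The receiver pins the expected alg and enc before using its private key, and any change to the header, IV, ciphertext or tag fails the GCM check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Encryption Algorithm (alg): RSA-OAEP-256 wraps a random CEK under the service provider's public key.
// Encryption Method (enc): A256GCM encrypts the claims set under that CEK and authenticates the header.
const jweAlg, jweEnc = "RSA-OAEP-256", "A256GCM"

var b64 = base64.RawURLEncoding

func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptClaims returns a compact JWE (header.wrappedKey.iv.ciphertext.tag) of the claims set.
func EncryptClaims(claims map[string]interface{}, spPub *rsa.PublicKey) (string, error) {
	plaintext, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": jweAlg, "enc": jweEnc})
	protected := b64.EncodeToString(hdr) // also the AEAD's additional authenticated data
	rnd := make([]byte, 44)              // 256-bit CEK followed by a 96-bit IV, both fresh per token
	if _, err := rand.Read(rnd); err != nil {
		return "", err
	}
	cek, iv := rnd[:32], rnd[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, cek, nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	tagAt := len(sealed) - gcm.Overhead() // Go appends the 128-bit tag; JWE carries it as its own segment
	return strings.Join([]string{protected, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:tagAt]), b64.EncodeToString(sealed[tagAt:])}, "."), nil
}

// DecryptClaims is the service provider side: it pins the expected alg/enc before touching the
// private key, and any change to header, IV, ciphertext or tag fails the GCM authentication.
func DecryptClaims(jwe string, spPriv *rsa.PrivateKey) (map[string]interface{}, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("expected 5 JWE segments, got %d", len(parts))
	}
	seg := make([][]byte, 5)
	for i, p := range parts {
		var err error
		if seg[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr struct{ Alg, Enc string } // encoding/json matches "alg"/"enc" case-insensitively
	if err := json.Unmarshal(seg[0], &hdr); err != nil || hdr.Alg != jweAlg || hdr.Enc != jweEnc {
		return nil, fmt.Errorf("rejected header %s", seg[0])
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, spPriv, seg[1], nil)
	if err != nil {
		return nil, fmt.Errorf("CEK unwrap failed: %w", err)
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	if len(seg[2]) != gcm.NonceSize() {
		return nil, fmt.Errorf("bad IV length %d", len(seg[2]))
	}
	plaintext, err := gcm.Open(nil, seg[2], append(seg[3], seg[4]...), []byte(parts[0]))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(plaintext, &claims)
}

func main() {
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key the service provider registered
	jwe, _ := EncryptClaims(map[string]interface{}{"sub": "user@example.test", "nonce": "n-0S6_WzA2Mj"}, &spKey.PublicKey)
	fmt.Println(DecryptClaims(jwe, spKey))
}
```

The two select boxes in the console choose exactly the two identifiers written into the protected header here; whichever pair you pick, the service provider must support it, since the receiver in this example refuses anything else.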

Running the conformance suite

To run the conformance suite, follow the instructions under the following topics:

Configuring the applications

The test suite runs from the perspective of two different clients, so two applications are required. Create them as follows:

  1. Log in to the Open Banking API Manager Store (https://<WSO2_OB_APIM_HOST>:9443/store).
  2. Create two applications under the same Data Recipient. Use the following configurations:

    Field                    Value
    Callback URL             Application 1:
                             https://<TEST_SUITE_HOST>:<TEST_SUITE_PORT>/test/a/<ALIAS>/callback

                             Application 2:
                             https://<TEST_SUITE_HOST>:<TEST_SUITE_PORT>/test/a/<ALIAS>/callback?dummy1=lorem&dummy2=ipsum

                             Note: <ALIAS> can have any preferred value, but use the same value for both applications; the suite configuration refers to it as alias.

    Application Certificate  Client certificate (public key) signed by the root issuer (prior-acquired or generated). Keep its .key and .crt files and the root CA certificate; the suite presents them over MTLS and they are entered in the mtls section of the suite configuration.
  3. Generate production keys.
  4. Take note of the generated consumer key and secret of each application.

Configuring the test suite

This section describes how to build the test suite configuration so that it identifies the configuration and application settings of the solution.

  1. Get the skeleton JSON configuration, which is available here.

  2. In the server section, fill in the following value.

    Key            Value
    discoveryUrl   https://<WSO2_OB_APIM_GATEWAY_HOST>:<WSO2_OB_APIM_GATEWAY_PORT>/.well-known/openid-configuration
  3. Set the alias parameter to the <ALIAS> value you used in the callback URLs of both applications. If the two differ, the suite's redirect URI never matches the registered callback and every authorization request fails.

  4. Configure the client and mtls sections by following the steps below:

    client and mtls correspond to the first application; client2 and mtls2 correspond to the second application.

    1. Fill in the client and client2 sections with the following parameters:

      Key            Value
      client_id      The consumer key of the application, as shown in the API Store.
      client_secret  The consumer secret of the application, as shown in the API Store.
      scope          openid accounts (scope values are case-sensitive)
      jwks.keys      The signing JWK set generated from the application's private signing key. It can be generated online using the utility https://kaveenr.github.io/cert-utils/ (use it with test keys only).
    2. Fill in the mtls and mtls2 sections with the following parameters:

      For live environments with the open banking transport certificates, the pre-filled client assertion should suffice.

      The same online tool, https://kaveenr.github.io/cert-utils/, converts the transport certificate files into the required form, with each line break replaced by the two literal characters \n so that the file fits into one JSON string.

      Key    Value
      key    Content of the transport certificate's .key file, with line breaks replaced by literal \n
      cert   Content of the transport certificate's .crt file, with line breaks replaced by literal \n
      ca     Content of the root CA .crt file that issued the transport certificate, with line breaks replaced by literal \n

Starting the suite

Starting the suite locally

For more information on starting the suite locally, go to OpenID Foundation conformance-suite build and run.

  1. Clone the repository https://gitlab.com/openid/conformance-suite with the command below and build the latest version.

    If you encounter a permission denied error during cloning, clone over HTTPS instead of SSH.

    git clone https://gitlab.com/openid/conformance-suite.git
  2. Stop all running Docker containers so that you start from a clean state. The following command shows the container status.

    docker ps
  3. Execute the following commands to remove untracked local files and uncommitted changes from the checkout (both are discarded, so do not run this in a working copy you have edited).

    git clean -x -f -d
    git reset --hard HEAD
  4. Build without installing a JDK and Maven locally:

    MAVEN_CACHE=./m2 docker-compose -f builder-compose.yml run builder

    If you have a local Java development environment, build with Maven instead:

    mvn clean package
  5. Build the Docker image.

    docker-compose build
  6. Start the containers.

    docker-compose up
  7. The test suite is now available locally at https://localhost:8443/

    When both the solution and the test suite run on the same machine, remember that localhost inside the suite's container refers to the container itself, not to your host. In discoveryUrl and the other endpoint values, use a name that resolves to the host machine from inside Docker.

    For example: docker.for.mac.localhost on older Docker Desktop for Mac releases (current releases use host.docker.internal).


If you get these errors:

  • docker-compose: command not found. Execute the following commands to install Docker Compose.

    sudo curl -L "https://github.com/docker/compose/releases/download/1.22.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    sudo mv /usr/local/bin/docker-compose /usr/bin/docker-compose
    sudo chmod +x /usr/bin/docker-compose
  • ERROR: Couldn't connect to Docker daemon at http+docker://localhost - is it running? If it's at a non-standard location, specify the URL with the DOCKER_HOST environment variable.

    Execute the command with superuser privileges. (Adding your user to the docker group also avoids the error, but membership of that group is equivalent to root access on the host, so treat it accordingly.)

    sudo docker-compose up

Starting the suite online

If you are running WSO2 Open Banking in a local setup, you cannot use the online suite: the hosted suite must reach your deployment's discovery, authorization and token endpoints over the internet, and your browser must be able to reach the suite's callback URL.

Go to https://www.certification.openid.net/ and start the conformance suite online.

Running the tests

  1. Copy the sample JSON configuration in https://gist.github.com/kaveenr/7e0e50b2cbd30f2fd7a592e0d992b86e to a text editor. A sample JSON file is also available here.

    Update the values according to the applications you created above, for example client_id, client_secret, the API URI and discoveryUrl.

  2. Paste the content of the signing private key into https://kaveenr.github.io/cert-utils/ to obtain its JWK. This is a third-party browser tool, so use it only with keys generated for conformance testing; never paste a production private key into it.
  3. Copy the resulting JSON object and use it as the element of the jwks.keys array in the JSON configuration.
  4. Navigate to the test suite and log in.
  5. Select the appropriate Open Banking test plan and client authentication type.
  6. Copy the content of the modified JSON configuration file and paste it into the JSON tab.

  7. Click Start Test Plan.

  8. Run each test in sequence. Follow the on-screen instructions; the suite prompts you when manual intervention is needed.
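The configuration work described under Configuring the test suite and in steps 1 to 3 above can be scripted locally instead of going through the online tool, which keeps the private key on your machine. The following Go program is an added example, not part of this page or of the conformance suite: it converts PEM files into the literal-\n form the mtls fields expect, renders an RSA private signing key as a JWK for jwks.keys, and assembles the alias, server, client, client2, mtls and mtls2 sections into the JSON you paste into the suite. The type and function names (App, TransportCreds, BuildSuiteConfig), the kid values, the alg PS256 in the JWK, the scope string taken from the table above, and the placeholder client IDs, secrets and transport PEM text are assumptions or constructed test data; the signing key in main is generated on the fly so that the program runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

// TransportCreds holds the PEM text of the MTLS transport .key, .crt and rootCA .crt files.
type TransportCreds struct{ KeyPEM, CertPEM, CAPEM string }

// App is one API Store application: app1 fills client/mtls, app2 fills client2/mtls2.
type App struct {
	ClientID, ClientSecret, SigningKeyPEM, KeyID string
	Transport                                    TransportCreds
}

// PEMToLiteral collapses a PEM file to one line with literal "\n", the form the mtls fields expect.
func PEMToLiteral(pemText string) string {
	return strings.ReplaceAll(strings.TrimRight(pemText, "\n"), "\n", `\n`)
}

// ParseRSAPrivateKeyPEM accepts PKCS#1 ("RSA PRIVATE KEY") or PKCS#8 ("PRIVATE KEY") PEM.
func ParseRSAPrivateKeyPEM(pemText string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if k, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return k, nil
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if rk, ok := k.(*rsa.PrivateKey); ok && err == nil {
		return rk, nil
	}
	return nil, fmt.Errorf("not an RSA private key: %v", err)
}

func b64u(n *big.Int) string { return base64.RawURLEncoding.EncodeToString(n.Bytes()) }

// RSAPrivateJWK renders the signing key as a private RSA JWK (RFC 7518 section 6.3) for jwks.keys.
// alg PS256 is an assumption: FAPI permits PS256 or ES256 for request objects and client assertions.
func RSAPrivateJWK(priv *rsa.PrivateKey, kid string) map[string]string {
	priv.Precompute() // ensures Dp/Dq/Qinv are populated however the key was loaded
	return map[string]string{
		"kty": "RSA", "use": "sig", "alg": "PS256", "kid": kid,
		"n": b64u(priv.N), "e": b64u(big.NewInt(int64(priv.E))), "d": b64u(priv.D),
		"p": b64u(priv.Primes[0]), "q": b64u(priv.Primes[1]),
		"dp": b64u(priv.Precomputed.Dp), "dq": b64u(priv.Precomputed.Dq), "qi": b64u(priv.Precomputed.Qinv),
	}
}

func clientSection(app App) (map[string]interface{}, error) {
	key, err := ParseRSAPrivateKeyPEM(app.SigningKeyPEM)
	if err != nil {
		return nil, fmt.Errorf("client %s: %w", app.ClientID, err)
	}
	return map[string]interface{}{
		"client_id": app.ClientID, "client_secret": app.ClientSecret,
		"scope": "openid accounts", // scope values are case-sensitive (RFC 6749 section 3.3)
		"jwks":  map[string]interface{}{"keys": []interface{}{RSAPrivateJWK(key, app.KeyID)}},
	}, nil
}

func mtlsSection(t TransportCreds) map[string]string {
	return map[string]string{"key": PEMToLiteral(t.KeyPEM), "cert": PEMToLiteral(t.CertPEM), "ca": PEMToLiteral(t.CAPEM)}
}

// BuildSuiteConfig assembles the JSON for the suite's JSON tab; alias must equal the <ALIAS> in both callback URLs.
func BuildSuiteConfig(discoveryURL, alias string, app1, app2 App) ([]byte, error) {
	c1, err := clientSection(app1)
	if err != nil {
		return nil, err
	}
	c2, err := clientSection(app2)
	if err != nil {
		return nil, err
	}
	return json.MarshalIndent(map[string]interface{}{
		"alias": alias, "server": map[string]string{"discoveryUrl": discoveryURL},
		"client": c1, "client2": c2, "mtls": mtlsSection(app1.Transport), "mtls2": mtlsSection(app2.Transport),
	}, "", "  ")
}

func main() {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway signing key so the example runs offline; never reuse it
	keyPEM := string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}))
	// Constructed placeholder transport PEM text; a real run reads the actual .key/.crt/rootCA files from disk.
	tc := TransportCreds{KeyPEM: "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
		CertPEM: "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n", CAPEM: "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"}
	app1 := App{ClientID: "consumer-key-1", ClientSecret: "consumer-secret-1", SigningKeyPEM: keyPEM, KeyID: "sig-1", Transport: tc}
	app2 := App{ClientID: "consumer-key-2", ClientSecret: "consumer-secret-2", SigningKeyPEM: keyPEM, KeyID: "sig-2", Transport: tc}
	out, err := BuildSuiteConfig("https://<WSO2_OB_APIM_GATEWAY_HOST>:<WSO2_OB_APIM_GATEWAY_PORT>/.well-known/openid-configuration", "wso2-ob-au", app1, app2)
	fmt.Println(string(out), err)
}
```

Run it with the real consumer keys and secrets from the API Store and the transport files read from disk, then paste the output into the suite's JSON tab. The JWK contains the private key material (d, p, q and the CRT values), so treat the generated file with the same care as the key file itself and do not commit it to the repository.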
