This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

TPP Onboarding with WSO2 Open Banking

Third-Party Providers (TPPs) can create third-party applications to facilitate banking services exposed via Bank APIs. 

Before TPPs are connected with banks and onboarded, they are subjected to thorough verification. This verification includes a comprehensive sign-up process at the API Store, the developer portal of WSO2 Open Banking. For a TPP to start providing open banking services, it has to be registered under a Competent Authority, which is a regulatory body that authorizes and supervises the open banking services delivered by the TPP.

This tutorial lets you try out a sample TPP onboarding process by following the steps below: 

Before you begin

  1. Access the WSO2 Open Banking API Store using either of the following URLs:

    Protocol   URL
    HTTP       http://<HTTP_OB_HOST>:9763/store
    HTTPS      https://<HTTPS_OB_HOST>:9443/store
  2. Access the WSO2 Open Banking Admin Portal using either of the following URLs:

    Protocol   URL
    HTTP       http://<HTTP_OB_HOST>:9763/admin
    HTTPS      https://<HTTPS_OB_HOST>:9443/admin

    1. Click Sign In and navigate to the sign-in screen.
    2. Enter the username and the password and click Sign In.

Let's get started!



Step 01: Sign Up as a TPP User

Follow the steps below to sign up as a TPP user: 

  1. Navigate to the API Store.

  2. Click Sign Up and navigate to the sign-up screen.   

  3. Provide the requested details as defined below: 
    1. Generic Details 

      • Username/Email: This is the username/email the TPP user uses to sign in to the API Store. Sample value: tony@fincom.com
      • Password: This is the password the TPP user uses to sign in to the API Store.
      • Re-type Password: This is to prevent the TPP user from accidentally setting an incorrect password.
      • First Name: This is the first name of the TPP user. Sample value: Tony
      • Last Name: This is the last name of the TPP user. Sample value: Paige
    2. Company details 

      • Legal Entity Name: This is the official name of the TPP. Sample value: FinCom
      • Country of Registration: This is the country in which the TPP is registered. Sample value: United Kingdom
      • Legal Entity Identifier (LEI) Number: This identifies the TPP. Sample value: 123400WSGIIACXF1P520
      • Company Register: This is the organization that registered the TPP.
      • Company Registration Number: This is the identifier issued at the TPP registration.
      • Address Line 1: This is to provide the address of the TPP.
      • Address Line 2: This is to provide the address of the TPP.
      • City: This is the city in which the TPP is located.
      • Postal Code: This is the postal code of the geographical location of the TPP.
      • Country: This is the country in which the TPP is located.
    3. Competent Authority registration details 

      • Competent Authority: This is the regulatory body that authorizes and supervises the open banking services delivered by the TPP. Sample value: Financial Conduct Authority
      • Competent Authority Country: This is the country of the Competent Authority that authorized the TPP to provide open banking services.
      • Competent Authority Registration Number: This is the registration number issued by the Competent Authority to the TPP.
      • URL of the Competent Authority Register Page: This is the URL of the page that has the list of organizations authorized by the given Competent Authority.
      • Open Banking Roles: This captures the open banking roles the TPP is willing to take up:

        • Account Information Service Provider: An Account Information Service Provider (AISP) provides an aggregated view of all the accounts and past transactions that a customer has with different banks. To provide this view to the customer, the AISP must have authorization from the customer to view the corresponding transaction and balance information of all the payment accounts. AISPs can also provide the facility to analyze the customer's spending patterns, expenses, and financial needs. Unlike a PISP, an AISP cannot transfer funds from a payment account.
        • Payment Initiation Service Provider: A Payment Initiation Service Provider (PISP) initiates credit transfers on behalf of a bank's customer.
        • Payment Instrument Issuer Service Provider: A Payment Instrument Issuer Service Provider (PIISP) is a Payment Service Provider (PSP) that verifies whether a given payment amount is covered by the Payment Service User's (PSU's) account. Examples of PIISPs are the banks and credit card issuers that are obligated to verify, through APIs, whether the given payment amount can be covered by the PSU's account.

        After selecting the roles, indicate whether the TPP is authorized by a Competent Authority to provide the services of the selected roles or not.

        If the TPP has not yet registered to provide the services of the selected roles, indicate whether the TPP has applied for registration or not.


  4. Agree to terms and conditions by checking the check box.

  5. Click Sign Up. 

    A request to approve the user sign up is sent to the admin users. 


Step 02: Approve the TPP User Account

Follow the steps below to approve the newly created TPP user account:

  1. Navigate to the Admin Portal.  

  2. Locate the approval request and click Assign To Me.    

  3. Click Start to start the approval process.
  4. Select Approve and click Complete.

    The TPP user can now sign in to the API Store.

Step 03: Sign In as a TPP User

Follow the steps below to sign in to the API Store:

  1. Navigate to the API Store.
  2. Click Sign In and navigate to the sign in screen.
  3. Enter the username and the password you entered at the user sign up.
  4. Click Sign In.

    The API Store home screen with the APIs appears. Remain in the API Store to create an application.

Step 04: Create an Application

An application is an intermediary that sits between an API and its consumer. API consumers use applications to subscribe to APIs and consume them.

An API consumer can subscribe to multiple APIs using a single Application. Thus, it acts as a logical collection of API subscriptions and decouples the API consumer from the APIs. Each Application can be associated with different Service Level Agreement (SLA) levels. This is enabled by attaching an Application with throttling tiers that determine the maximum number of API calls allowed during a given duration.

Follow the steps below to create an application:

  1. Click Applications on the API Store.
  2. Click Add Application.
  3. Enter application details. 

    • Name: This is the application name. Sample value: FinComApp
    • Per Token Quota: This determines the maximum number of API requests accepted within a given duration. Sample value: Unlimited
    • Description: This describes the purpose of the application.

  4. Click Add to create the application.  

    Remain on the same page to generate application access tokens. 

Step 05: Create the Certificates

Follow the steps below to create a public key certificate and application certificate:

  1. Update the placeholders of the following command and run it in a command prompt to create a keystore, which is a repository of security certificates and their private keys.

    • alias: This is the alias under which the generated key pair is stored in the keystore.

    • filename: This is a preferred name for the keystore. You can also include the path to the location where you want the keystore to be generated.

    keytool -genkey -alias <<alias>> -keyalg RSA -keystore <<filename>>.jks

    Example:

    keytool -genkey -alias KeyStore -keyalg RSA -keystore tpp.jks

    Alternatively, the following single command creates the keystore and sets the certificate attributes of step 2 without prompting:

    keytool -genkey -alias <<alias>> -keyalg RSA -keysize 2048 -keystore <<filename>>.jks -dname "CN=<<Common Name>>,OU=<<Organizational Unit>>,O=<<Organization>>,L=<<Locality>>,S=<<State or Province Name>>,C=<<Country Name>>" -storepass <<password>> -keypass <<password>>
  2. Provide a password for the keystore and set up the hostname by providing the following certificate attributes for the newly created certificate when prompted:

    • Common Name (CN)
    • Organizational Unit (OU)
    • Organization (O)
    • Locality (L)
    • State or Province Name (S)
    • Country Name (C)

  3. Update the placeholders of the following command and run it in a command prompt to extract the public key certificate from the generated keystore.

    1. alias: This is the alias of the key pair in the keystore.

    2. fileName: This is the name of the file the certificate is exported to.
    3. keyStoreName: This is the name of the keystore.

    keytool -export -alias <<alias>> -file <<fileName>> -keystore <<keyStoreName>>.jks 

    Example:

    keytool -export -alias KeyStore -file cert -keystore tpp.jks
  4. Provide the password you used for the keystore.
    The public key certificate is extracted to the same location where you ran the command.    

  5. Update the placeholders of the following command and run it in a command prompt to convert the keystore from the JKS format to PKCS12.

    1. keyStoreName: This is the name of the keystore.

    2. PKCS12FileName: This is the name of the keystore in the PKCS12 format.

    keytool -importkeystore -srckeystore <<keyStoreName>>.jks -destkeystore <<PKCS12FileName>>.p12 -deststoretype PKCS12

    Example:

    keytool -importkeystore -srckeystore tpp.jks -destkeystore tpp.p12 -deststoretype PKCS12
  6. Update the placeholders of the following command and run it in a command prompt to create the application certificate (.pem) file using the keystore in PKCS12 format, e.g., tpp.p12. The -nokeys option ensures that only the certificate, and not the private key, is written to the .pem file.

    1. PKCS12FileName: This is the name of the keystore in the PKCS12 format. 
    2. PEMFileName: This is the name of the application certificate that is created in the .pem format. 

    openssl pkcs12 -in <<PKCS12FileName>>.p12 -nokeys -out <<PEMFileName>>.pem

    Example:

    openssl pkcs12 -in tpp.p12 -nokeys -out tpp.pem 
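The whole Step 05 procedure as one non-interactive script, followed by a helper that extracts only the text between the BEGIN CERTIFICATE and END CERTIFICATE markers, which is what the Application Certificate field in Step 06 asks for. This is an added example, not a script from the WSO2 documentation; it assumes keytool (from a JDK) and openssl are on the PATH, and every alias, file name, password and DN value in it is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the WSO2 Open Banking documentation.
# Assumes keytool and openssl are on the PATH; all values are constructed samples.
set -eu

# make_tpp_certs ALIAS BASENAME PASSWORD DN
# Produces BASENAME.jks (keystore), BASENAME.cer (exported public certificate),
# BASENAME.p12 (PKCS12 keystore) and BASENAME.pem (application certificate).
make_tpp_certs() {
  alias="$1"; base="$2"; pass="$3"; dn="$4"
  # Step 1: keystore and RSA key pair, with the certificate attributes of
  # step 2 supplied through -dname so that keytool does not prompt.
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 \
    -keystore "$base.jks" -dname "$dn" -storepass "$pass" -keypass "$pass"
  # Step 3: export the public key certificate from the keystore.
  keytool -export -alias "$alias" -file "$base.cer" \
    -keystore "$base.jks" -storepass "$pass"
  # Step 5: convert the JKS keystore to PKCS12.
  keytool -importkeystore -srckeystore "$base.jks" -destkeystore "$base.p12" \
    -deststoretype PKCS12 -srcstorepass "$pass" -deststorepass "$pass"
  # Step 6: write the application certificate without the private key.
  openssl pkcs12 -in "$base.p12" -nokeys -passin "pass:$pass" -out "$base.pem"
}

# cert_body FILE
# Prints only the base64 lines between the BEGIN/END CERTIFICATE markers of
# the first certificate in FILE. openssl pkcs12 prefixes the PEM with
# "Bag Attributes" lines, and those must not be pasted into the portal.
cert_body() {
  awk '/-----BEGIN CERTIFICATE-----/ { inside = 1; next }
       /-----END CERTIFICATE-----/   { exit }
       inside                        { print }' "$1"
}

# Run the full procedure only when invoked as: ./tpp-certs.sh run
if [ "${1:-}" = "run" ]; then
  make_tpp_certs KeyStore tpp changeit \
    "CN=tpp.fincom.example,OU=OpenBanking,O=FinCom,L=London,S=London,C=GB"
  cert_body tpp.pem
fi
```

The exported tpp.cer (DER) is what a bank-side administrator would import into a truststore; tpp.pem is only for the Application Certificate field.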

Step 06: Request Access Tokens

Follow the steps below to generate access keys, i.e., consumer key and consumer secret:

  1. Click Production Keys on the application details page.
  2. Provide the requested details as defined below: 

    • Grant Types: These determine the credentials that are used to generate the access token. There are six grant types available in WSO2 Open Banking:

      • Refresh Token: This is to renew an expired access token.
      • SAML2: This is to exchange a SAML2 assertion for an OAuth2 access token.
      • Password: This is to obtain an access token by providing the resource owner's username and password.
      • Client Credential: This relates to the client credentials grant type and is applicable when consuming the API as an application.
      • IWA-NTLM: This is useful to obtain an access token for an API in a WSO2 Open Banking instance running on Windows.
      • Code: This relates to the authorization code grant type and is applicable when consuming the API as a user.

      For more information on grant types, see Key Concepts.

    • Callback URL: This is the URL used by the AISP/PISP to receive the authorization code sent from the Account Servicing Payment Service Provider (ASPSP), e.g., the bank. The authorization code can later be exchanged for an OAuth2 access token. Sample URL: https://openbanking.wso2.com/authenticationendpoint/authorize_callback.do
    • Application Certificate: This is the content between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings of the Application Certificate (.pem) that you created above.

  3. Click Request Access.
    A request to approve the token generation is sent to the admin user.  

Step 07: Approve the Access Key Generation

Follow the steps below to approve the access key generation:

  1. Navigate to the Admin Portal.
  2. Click Tasks > Application Registration.
  3. Locate the approval request and click Assign To Me.
  4. Click Start to start the approval process.
  5. Select Approve and click Complete.
  6. Navigate back to the API Store and click Applications. 
  7. Click View on the application that you created in Step 04, e.g., FinComApp, to navigate to the application details page.
  8. Click the Production Keys tab.

    Observe the generated keys. 

    Next, you can subscribe to APIs available in the API Store and invoke them.