WSO2 Open Banking for Australia currently supports only evaluation purposes. This is available only as a WUM update and is effective from December 02, 2019 (12-02-2019). For more information on updating WSO2 Open Banking, see /wiki/spaces/updates/pages/16318500.
WSO2 Open Banking now supports the Consumer Data Standard (CDS). This document guides you through the configurations and troubleshooting that you need to set up the solution in your local environment.
The scripts for the below local setup in the Quick Start Guide are configured for a Linux and MySQL/MSSQL environment. Notice that WSO2 Open Banking solution is applicable to Windows/Linux and MySQL/MSSQL and Oracle environments.
Prerequisites
- Download Oracle JDK 1.8 in all the nodes of the setup.
In the environment variables, update the
JAVA_HOME
andPATH
variables. For instance, you can do this on a Mac/Linux server by adding the following to the~/.bashrc file:
export JAVA_HOME="<JDK_LOCATION>" export PATH=$PATH:$JAVA_HOME/bin
Download and unzip the following files:
wso2-obam-1.4.0.zip (WSO2 Open Banking API Manager)
wso2-obkm-1.4.0.zip (WSO2 Open Banking Key Manager)
"WSO2 Updates Manager (WUM) is deprecated and will be unavailable from August 2021 onwards. WSO2 Updates is the new tool to include the solution and security improvements that are released by WSO2 Open Banking, on top of a released version. For more information, see WSO2 Updates."
Setup a database server using MySQL 5.7+, Microsoft SQL Server 2016+ or, Oracle 12c.
Setting up the databases
To start the servers, configure the databases in both the API Manager (WSO2 OB APIM) and the Key Manager (WSO2 OB KM) according to the open banking specification, as follows:
Open the
<WSO2_OB_KM_HOME>/repository/resources/finance/scripts/
file and configure the following:startup.properties
Specify the hostnames for the APIM and KM servers.
# Specify the hostname you want to configure APIM_HOSTNAME=localhost IAM_HOSTNAME=localhost
Configure the databases related properties.
Database Property Description DB_TYPE
Type of the database you installed
DB_TYPE=mysql
DB_USER
Database user DB_PASS
Password set for the database connection DB_HOST
Name of the database server DB_DRIVER
Configure
DB_DRIVER
according to the database installed:- Mysql JDBC Driver :
com.mysql.jdbc.Driver
- MSSQL JDBC Driver :
com.microsoft.sqlserver.jdbc.SQLServerDriver
- Oracle JDBC Driver :
oracle.jdbc.driver.OracleDriver
If you are using MSSQL or Oracle, create the following databases before executing the
configure-km.sh
file.openbank_am_configdb
openbank_apimgt_statsdb
openbank_apimgtdb
openbank_openbankingdb
openbank_govdb
openbank_iskm_configdb
openbank_mbstoredb
openbank_userdb
- Mysql JDBC Driver :
Go to the
<WSO2_OB_KM_HOME>/repository/resources/finance/scripts
directory and execute the following command:./configure-km.sh
Go to the
<WSO2_OB_APIM_HOME>/repository/resources/finance/scripts
directory and configure the database properties in thestartup.properties
file, similar to Step 1.Go to the
<WSO2_OB_APIM_HOME>/repository/resources/finance/scripts
directory and execute the following command:./configure-am.sh
You have configured the databases in step 1. By running the
configure.sh
files, you set the database credentials with reference to the configuration files.
Setting up the servers
Configure the open-banking specification to deploy the solution according to the AU specification.
The
<DeployedSpecification>
configuration is used to define the deployed specification at runtime. In the following files, update the<DeployedSpecification>
value asAU
.<WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml
<WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml
Configure the authentication web app.
Update the
<WSO2_OB_KM_HOME>/repository/conf/identity/application-authentication.xml
file with the following configurations:<AuthenticationEndpointURL>https://localhost:9446/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>https://localhost:9446/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL> <AuthenticationEndpointMissingClaimsURL>/authenticationendpoint/claims.do</AuthenticationEndpointMissingClaimsURL>
<AuthenticatorConfig name="FIDOAuthenticator" enabled="true"> <Parameter name="FidoAuth">/authenticationendpoint/fido-auth.jsp</Parameter> <!--Please uncomment the following property and define AppID if you are using proxy configurations--> <!--<Parameter name="AppID">https://localhost</Parameter>--> </AuthenticatorConfig>
Update the
<WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml
file with the following configurations:<OpenID> <OpenIDLoginUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/openid_login.do </OpenIDLoginUrl> </OpenID>
<OAuth> <OAuth2ConsentPage>${carbon.protocol}://localhost:${carbon.management.port}/ob/authenticationendpoint/oauth2_authz.do</OAuth2ConsentPage> <OAuth2ErrorPage>${carbon.protocol}://localhost:${carbon.management.port}/authenticationendpoint/oauth2_error.do</OAuth2ErrorPage> <OIDCConsentPage>${carbon.protocol}://localhost:${carbon.management.port}/ob/authenticationendpoint/oauth2_consent.do</OIDCConsentPage> <OIDCLogoutConsentPage>${carbon.protocol}://localhost:${carbon.management.port}/authenticationendpoint/oauth2_logout_consent.do</OIDCLogoutConsentPage> <OIDCLogoutPage>${carbon.protocol}://localhost:${carbon.management.port}/authenticationendpoint/oauth2_logout.do</OIDCLogoutPage> </OAuth>
<SSOService> <DefaultLogoutEndpoint>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/samlsso_logout.do</DefaultLogoutEndpoint> <NotificationEndpoint>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/samlsso_notification.do</NotificationEndpoint> </SSOService>
<PassiveSTS> <RetryURL>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/retry.do</RetryURL> </PassiveSTS>
Configure the
IDTokenBuilder
in the<WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml
file as follows:<OpenIDConnect> <IDTokenBuilder>com.wso2.finance.open.banking.idtoken.builder.AUIDTokeBuilder</IDTokenBuilder> </OpenIDConnect>
According to CDS, an Access Token must expire between 2 minutes to 10 minutes after the Data Holder issues it. To configure the validity period of the Access Token in seconds, update the following configurations in the
<WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml
file.<OAuth> <UserAccessTokenDefaultValidityPeriod>120</UserAccessTokenDefaultValidityPeriod> </OAuth>
To enable Request-URI validation, open the
<WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml
file and add the following configurations under the<UK>
tag:<!-- Validate AccountID with consented accountID in account retrieval --> <ValidateAccountIdOnRetrieval>true</ValidateAccountIdOnRetrieval>
By default,
Enforcement
caching is enabled in the solution. To customize them, open the<WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml
file and add the following under the<Server>
tag:<AU> <Enforcement> <Cache> <CacheEnabled>true</CacheEnabled> <ModifiedExpiryMinutes>15</ModifiedExpiryMinutes> <AccessedExpiryMinutes>15</AccessedExpiryMinutes> </Cache> </Enforcement> </AU>
Add the following
Consent
Enforcement
handler configurations to the<WSO2_OB_APIM_HOME>/repository/resources/api_templates/velocity_template.xml
file, below the#if($handler.className == "org.wso2.carbon.apimgt.gateway.handlers.ext.APIManagerExtensionHandler")
line.## ## Start of AU Specification Handlers ## #if($apiObj.additionalProperties.get("ob-spec") == "au") <handler class="com.wso2.finance.open.banking.gateway.api.schema.validation.RequestSchemaValidationHandler"/> <handler class="com.wso2.finance.open.banking.au.consent.enforcement.AUConsentEnforcementHandler"> <property name="validationBaseUrl" value="https://localhost:9446/consent/au100"/> </handler> #end ## ## End of AU Specific Handlers ##
You are now ready to start the Key Manager and API Manager servers. To start the WSO2 OB KM server, go to the
<WSO2_OB_KM_HOME>/bin
directory and execute the following command:./wso2server.sh -Dsetup
Run the following command from the
<WSO2_OB_APIM_HOME>/bin
directory to start the WSO2 OB APIM server:./wso2server.sh -Dsetup
Execute the following command against the
openbank_openbankingdb
database:ALTER TABLE OB_CONSENT_METADATA DROP FOREIGN KEY FK_CONSENT_ID_UK_INITIATION;
Configuring consumer authentication
By default, WSO2 Open Banking comes with basic authentication configured. For CX guideline aligned experience, you can configure Identifier-first authentication paired with a secondary identity provider. In this section, we configure SMS OTP as the secondary identity provider.
Configuring Identifier-first authentication
The Identifier-first login enables identifying the individuals prior to authenticating them. It retrieves the identity of the user without using authentication information and uses that identity to control the authentication flow. For more information, see Identifier-first Flow Handler.
The Identifier-first is a handler that can be configured at any step in the authentication flow. However, it is not an authenticator by itself and needs to be configured along with another authenticator in order for the authentication process to be successful.
To enable the Identifier-first authenticator in WSO2 OB KM, add the following configurations to the
<WSO2_OB_KM>/repository/conf/identity/application-authentication.xml
file under the<AuthenticatorConfigs>
tag.<AuthenticatorConfig name="IdentifierExecutor" enabled="true"> <Parameter name="ValidateUsername">false</Parameter> </AuthenticatorConfig>
Configure the Key Manager Extension to use Identifier-first as the primary authenticator.
Open the<WSO2_OB_APIM>/repository/conf/finance/open-banking.xml
file and add the following under the<SCA>
configurations.<SCA> <!--Configure the primary authenticator / 1st step authenticator--> <PrimaryAuthenticator> <Name>IdentifierExecutor</Name> <DisplayName>identifier-first</DisplayName> </PrimaryAuthenticator> </SCA>
Configuring SMS OTP as an identity provider for Identifier-first
The standard SMS OTP endpoint provided by WSO2 OB KM should NOT be used in a production environment with the Identifier-first authentication as it may cause an OTP collision, therefore this is only for testing purposes. In a production environment, you can use a custom authenticator or follow the Authenticators and Connectors documentation and use a connector.
<WSO2_OB_KM>/repository/conf/identity/application-authentication.xml
as follows:<AuthenticatorConfig name="SMSOTP" enabled="true"> <Parameter name="usecase">subjectUri</Parameter> <Parameter name="secondaryUserstore">primary</Parameter> </AuthenticatorConfig>
Configuring users
Sign in to the Identity and Access Management console (
https://localhost:9446/carbon
). Use the default super admin credentials as follows:Username: admin@wso2.com
Password: wso2123
The above mentioned username and password credentials are used for demo purposes only. It is recommended to change the credentials in a production environment.
Create the necessary user accounts as follows:
On the Main tab, click Identity > Users and Roles > Add > Add New User.
Create the following user:
User Roles mark@gold.com Internal/creator
,Internal/publisher
Click Next > and assign roles.
Click Finish.
Now that you’ve added some users to the system, you can log in as one of them to see how a typical user might work with the WSO2 Open Banking solution.
Configuring APIs
You can configure APIs through the API Publisher by signing in as a user whose role includes Internal/publisher
. Follow the steps given below:
Sign in to the API Publisher (
https://
) with the credentials for mark@gold.com.localhost
:9443/publisherClick ADD NEW API > I have an existing API.
Select the Swagger definition in the
<WSO2_OB_APIM_HOME>/repository/resources/finance/apis/consumerdatastandards.org.au/1.0.0/consumer-data-standards.yaml
file and configure the properties according to the open-banking specification.
Click Start Creating.- Click Next: Implement to navigate to the next level.
- Expand Managed API, and use the table below to select the relevant Endpoint Type from the drop down list.
- Check Select a message mediation policy to be executed in the message flow under Message Mediation Policies.
Click Upload In Flow and select the
<WSO2_OB_APIM_HOME>/repository/resources/finance/apis/consumerdatastandards.org.au/1.0.0/cds-dynamic-endpoint-insequence-1.0.0.xml
file.Click Next: Manage to navigate to the next level.
- Expand Throttling Settings. Under Subscription Tiers, check the option as Unlimited : Allows unlimited requests unless you want to limit the requests.
Expand API Properties and add the following values as Additional properties:
Property Name
ob-spec Property Value
au Click the + button to save the above values as follows:
- To publish the API click Save & Publish.
Summarized information for configuring APIs
API | Implement tab | Manage tab | ||||
---|---|---|---|---|---|---|
Endpoint type | Endpoint | Enable Message mediation | In flow | API property name | API property value | |
Consumer Data Standards API v1.0.0 | Dynamic | N/A | Mark as checked | <WSO2_OB_APIM_HOME>/repository/resources/finance/apis/consumerdatastandards.org.au/1.0.0/cds-dynamic-endpoint-insequence-1.0.0.xml | ob-spec | au |
What's Next
Now that you have created the APIs that allow you to initiate payments and access account information, let's try out the flows in WSO2 Open Banking: