This documentation is for WSO2 Open Banking version 1.4.0. View documentation for the latest release.

Preparing the servers

Start the server on each machine where an instance of WSO2 Open Banking runs. Follow the steps below to prepare and start the servers.

  1. Install JDK 1.8 or later in all nodes used for the setup.
  2. In the environment variables, update the JAVA_HOME and PATH variables. For instance, you can do this by adding the following to the ~/.bashrc file in Linux or Mac:

    export JAVA_HOME="<JDK_LOCATION>"
    
    export PATH=$PATH:$JAVA_HOME/bin
  3. Set up the WSO2 Update Manager (WUM). 

    • WUM is a simple command-line tool that connects to the WSO2 update service, determines which updates are new and relevant, and downloads them. You can get the latest version of the WSO2 Open Banking product packs through WUM.

      License

      WSO2 Open Banking is not distributed under the Apache Community License and is only available under the WSO2 Software License. You need a WSO2 subscription to install and update the WSO2 Open Banking solution via WUM. Contact us to find out how you can access a free evaluation copy...

    • Follow the guidelines provided on the Download WUM page to download, and install WUM in your environment. For more information on how to use WUM, see the WUM documentation.

        1. Add the necessary product packs using the commands given below:

          wum add wso2-obam-1.4.0
          wum add wso2-obkm-1.4.0
        2. Update the product packs using the commands given below:

          wum update wso2-obam-1.4.0
          wum update wso2-obkm-1.4.0
        3. Additionally, download and update the other products of the WSO2 Open Banking solution.

          wum add wso2ei-6.4.0
          wum update wso2ei-6.4.0
          
          wum add wso2am-analytics-2.6.0    
          wum update wso2am-analytics-2.6.0 
             
          wum add wso2-obbi-1.4.0
          wum update wso2-obbi-1.4.0

          WSO2 OB APIM Analytics (wso2am-analytics-2.6.0) provides the API analytics feature.

          WSO2 OB BI (wso2-obbi-1.4.0) provides the following features:

          • API Analytics

          • Transaction Risk Analysis

          • Fraud Detection

          • Data Reporting

    • The product packs reside in the <WUM_HOME>/products/<Product_Name>/<version>/full directory as <Product_name>-<version>+<timestamp>.full.zip. Copy the product packs to a preferred location in each node, and extract them.

    WSO2 Update Manager (WUM) is deprecated and will be unavailable from July 2021 onwards. WSO2 Updates is the new tool to include the solution and security improvements that are released by WSO2 Open Banking, on top of a released version. For more information, see WSO2 Updates.

    Updating the solution via the WSO2 Update tool:

    The WSO2 Update tool delivers hotfixes and updates seamlessly on top of products as WSO2 Updates. They include improvements that are released by WSO2. You need to update all the products using the relevant script.

    • Go to <PRODUCT_HOME>/bin and run the WSO2 Update tool: 

      ./wso2update_linux 
      ./wso2update_darwin
      ./wso2update_windows.exe
    • Repeat this step for all the products in the solution:
      • wso2-obkm-1.4.0 
      • wso2-obam-1.4.0 
      • wso2-obbi-1.4.0
      • wso2am-analytics-2.6.0

    This document refers to the file paths of the product packs for the Key Manager, API Manager, API Manager Analytics, Business Intelligence, and Enterprise Integrator as <WSO2_OB_KM_HOME>, <WSO2_OB_APIM_HOME>, <WSO2_AM_ANALYTICS_HOME>, <WSO2_OB_BI_HOME> and <WSO2_EI_HOME> respectively.

  4. Open the ports, as described below.
    WSO2 Open Banking consists of six instances that run on different machines/servers. It is mandatory to open the ports of each server to allow a successful data flow. The table below lists the ports that need to be opened for each instance.

    | Instance/Product    | Port | Usage                                                                                                        |
    |---------------------|------|--------------------------------------------------------------------------------------------------------------|
    | WSO2_OBAM           | 9443 | HTTPS servlet transport (the default URL of the management console is https://WSO2_OB_APIM_HOST:9443/carbon) |
    | WSO2_OBAM           | 8243 | NIO/PT transport HTTPS port                                                                                  |
    | WSO2_OBKM           | 9446 | HTTPS servlet transport (the default URL of the management console is https://WSO2_OB_KM_HOST:9446/carbon)   |
    | WSO2_AM_Analytics   | 9444 | HTTPS servlet transport                                                                                      |
    | WSO2_AM_Analytics   | 7612 | Thrift TCP port to receive events from clients                                                               |
    | WSO2_AM_Analytics   | 7712 | Thrift SSL port for secure transport where the client is authenticated                                       |
    | WSO2_EI_Integrator  | 9447 | HTTPS servlet transport                                                                                      |
    | WSO2_EI_Integrator  | 8247 | NIO/PT transport HTTPS port                                                                                  |
    | WSO2_EI_BPS         | 9445 | HTTPS servlet transport (the default URL of the management console is https://WSO2_BPS_HOST:9445/carbon)     |
    | WSO2_OBBI_Worker    | 9444 | HTTPS netty transport                                                                                        |
    | WSO2_OBBI_Worker    | 7612 | Thrift TCP port to receive events from clients                                                               |
    | WSO2_OBBI_Worker    | 7712 | Thrift SSL port for secure transport where the client is authenticated                                       |
    | WSO2_OBBI_Dashboard | 9449 | HTTPS netty transport                                                                                        |
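As an added example (not part of the WSO2 documentation or product), the following Python script probes every instance/port pair from the table above from the node it runs on, so a firewall gap shows up before the first TLS handshake fails, and it also flags ports that two instances would both claim if they were placed on the same host (the table assigns 9444, 7612 and 7712 to both APIM Analytics and the OBBI worker). The host names are constructed placeholders; substitute the real node addresses.

```python
"""Reachability check for the WSO2 Open Banking inter-node ports.

Added example, not WSO2 tooling. Host names below are constructed
placeholders; the port numbers are the ones from the "Open the ports" table.
"""
import socket

# instance -> (host, [ports]); hosts are placeholders for this example
REQUIRED_PORTS = {
    "WSO2_OBAM": ("obam.example.internal", [9443, 8243]),
    "WSO2_OBKM": ("obkm.example.internal", [9446]),
    "WSO2_AM_Analytics": ("analytics.example.internal", [9444, 7612, 7712]),
    "WSO2_EI_Integrator": ("ei.example.internal", [9447, 8247]),
    "WSO2_EI_BPS": ("bps.example.internal", [9445]),
    "WSO2_OBBI_Worker": ("obbi-worker.example.internal", [9444, 7612, 7712]),
    "WSO2_OBBI_Dashboard": ("obbi-dashboard.example.internal", [9449]),
}


def probe(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Only the TCP layer is tested: a port that is reachable but then fails the
    TLS handshake is a truststore problem (see "Exchanging the certificates"),
    not a firewall problem.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_all(port_map=REQUIRED_PORTS, timeout=2.0):
    """Probe every instance/port pair; return the unreachable ones as (instance, host, port)."""
    unreachable = []
    for instance, (host, ports) in port_map.items():
        for port in ports:
            if not probe(host, port, timeout):
                unreachable.append((instance, host, port))
    return unreachable


def colocation_conflicts(port_map=REQUIRED_PORTS):
    """Return {(host, port): [instances]} for ports claimed by more than one instance on one host.

    Analytics and the OBBI worker share 9444/7612/7712, which is only valid
    while they run on different machines, as the table assumes.
    """
    seen = {}
    for instance, (host, ports) in port_map.items():
        for port in ports:
            seen.setdefault((host, port), []).append(instance)
    return {key: owners for key, owners in seen.items() if len(owners) > 1}


if __name__ == "__main__":
    for instance, host, port in check_all():
        print(f"BLOCKED  {instance:<20} {host}:{port}")
    for (host, port), owners in colocation_conflicts().items():
        print(f"CONFLICT {host}:{port} claimed by {', '.join(owners)}")
```

Run it from each node in turn (only the ports that node actually needs to reach must be open); a `BLOCKED` line points at a firewall or security-group rule, a `CONFLICT` line at a placement mistake.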

Exchanging the certificates

Updating keystore:

If you are using the default keystores available in the solution, update them by removing any unnecessary or expired Root CA Certificates.

  • The keystores are available in <WSO2_OB_KM_HOME>/repository/resources/security/wso2carbon.jks and <WSO2_OB_APIM_HOME>/repository/resources/security/wso2carbon.jks.
  • List and identify problematic certificates:

    keytool -list -v -keystore wso2carbon.jks
  • Remove the certificates using the alias: 

    keytool -delete -alias <alias_to_remove> -keystore wso2carbon.jks
  • For Open Banking UK and Open Banking Berlin:
    • For the eIDAS regulation, remove all the existing Root CA Certificates as you only need the qualified certificates from the eIDAS Qualified Trusted Service Providers (QTSPs). See eIDAS Implementation for PSD2 Compliance, for more information.
  • For Open Banking Berlin:
    • An improvement that extends the certificate revocation validation is delivered via WUM. It is effective from September 3, 2019 (09-03-2019). Apply the following configurations in order to update the solution.

      • Add the following configurations under the <CertificateManagement> element in the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file.

        <ClientTransportCertAsHeaderEnabled>true</ClientTransportCertAsHeaderEnabled>

        <!-- Validate the issuer of the certificate when the client cert is received as a transport header -->
        <TransportCertIssuerValidationEnabled>true</TransportCertIssuerValidationEnabled>

        <!-- Manager class implementation responsible for verifying certificate revocation status -->
        <RevocationValidationManagerImplClass>com.wso2.finance.open.banking.mtlscert.validator.service.CertRevocationValidationManagerImpl</RevocationValidationManagerImplClass>

        <!-- Retry count for validating certificate OCSP and CRL revocation status -->
        <CertificateRevocationValidationRetryCount>3</CertificateRevocationValidationRetryCount>

        <!-- List of issuer DNs whose issued certificates need to be skipped from certificate revocation
             validation.
             e.g. <IssuerDN>CN=Test Pre-Production Issuing CA, O=Test, C=GB</IssuerDN> -->
        <RevocationValidationExcludedIssuers>
            <IssuerDN></IssuerDN>
        </RevocationValidationExcludedIssuers>

        <!-- Truststore dynamic loading interval (in seconds). Default value has been set to 86400 seconds -->
        <TrustStoreDynamicLoadingInterval>86400</TrustStoreDynamicLoadingInterval>
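The keystore clean-up described under "Updating keystore" relies on reading `keytool -list -v` output by eye. As an added example that is not part of the WSO2 solution, the Python script below parses that output, reports the aliases whose certificate has expired (or will expire within a grace period) and builds the matching `keytool -delete` command for each. The listing embedded in it is constructed sample data; `list_keystore()` and `delete_alias(dry_run=False)` assume `keytool` is on the PATH.

```python
"""Find expired or soon-expiring entries in a JKS keystore and remove them.

Added example; not part of the WSO2 Open Banking solution. It drives the same
keytool -list -v / keytool -delete commands used above and parses keytool's
text output. SAMPLE_LISTING is constructed data.
"""
import re
import subprocess
from datetime import datetime, timedelta

# keytool prints e.g. "Valid from: Fri Feb 02 12:00:00 UTC 2018 until: Mon Jan 31 12:00:00 UTC 2028".
# The weekday and the JVM's time-zone abbreviation are skipped so any zone name parses;
# expiry is therefore judged to the day, which is enough for a clean-up decision.
_VALID_RE = re.compile(
    r"Valid from: \w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})"
    r" until: \w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})"
)
_FMT = "%b %d %H:%M:%S %Y"

# Constructed sample of keytool -list -v output (three entries, one long expired).
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: wso2carbon
Creation date: Feb 02, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US
Issuer: CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US
Valid from: Fri Feb 02 12:00:00 UTC 2018 until: Mon Jan 31 12:00:00 UTC 2028


*******************************************


Alias name: oldrootca
Creation date: Jan 15, 2010
Entry type: trustedCertEntry

Owner: CN=Example Old Root CA, O=Example, C=GB
Issuer: CN=Example Old Root CA, O=Example, C=GB
Valid from: Fri Jan 15 00:00:00 UTC 2010 until: Mon Jan 14 23:59:59 UTC 2019


*******************************************


Alias name: qtsp-root
Creation date: Sep 03, 2019
Entry type: trustedCertEntry

Owner: CN=Example QTSP Root, O=Example QTSP, C=DE
Issuer: CN=Example QTSP Root, O=Example QTSP, C=DE
Valid from: Tue Sep 03 00:00:00 UTC 2019 until: Sat Sep 03 00:00:00 UTC 2039
"""


def parse_listing(text):
    """Parse keytool -list -v output into {alias: {"entry": type, "until": datetime}}.

    For a PrivateKeyEntry keytool prints the whole chain; only the first
    certificate (the server's own) is recorded.
    """
    entries, alias = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = {}
        elif alias and line.startswith("Entry type:"):
            entries[alias]["entry"] = line.split(":", 1)[1].strip()
        elif alias and "until" not in entries[alias]:
            m = _VALID_RE.match(line)
            if m:
                entries[alias]["until"] = datetime.strptime(f"{m.group(3)} {m.group(4)}", _FMT)
    return entries


def expired_aliases(entries, now=None, grace_days=0):
    """Aliases whose certificate expires on or before now + grace_days, soonest first."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):           # accept an ISO date such as "2021-07-01"
        now = datetime.fromisoformat(now)
    cutoff = now + timedelta(days=grace_days)
    due = [(info["until"], alias) for alias, info in entries.items()
           if "until" in info and info["until"] <= cutoff]
    return [alias for _, alias in sorted(due)]


def list_keystore(path, storepass):
    """Run keytool -list -v (assumes keytool on PATH) and parse its output."""
    out = subprocess.run(["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass],
                         check=True, capture_output=True, text=True).stdout
    return parse_listing(out)


def delete_alias(path, alias, storepass, dry_run=True):
    """Build (and, unless dry_run, execute) the keytool -delete command for one alias."""
    argv = ["keytool", "-delete", "-alias", alias, "-keystore", path, "-storepass", storepass]
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for alias in expired_aliases(entries, grace_days=30):
        print("expired/expiring:", alias, entries[alias]["until"].date())
        print("  would run:", " ".join(delete_alias("wso2carbon.jks", alias, "<storepass>")))
```

Keep `dry_run=True` until the list of aliases has been reviewed: the same loop removes a server's own `PrivateKeyEntry` if that certificate has lapsed, which is a renewal job rather than a deletion.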

In order to enable secure communication, we need to install the certificate of each component in the truststores of the others, so that the components can establish Secure Socket Layer (SSL) connections with each other. Follow the steps below to implement this.

  1. Generate a key pair in the keystore of a particular server, for example server A, using an alias and a common name (CN) equal to the server's hostname.

    keytool -genkey -alias <<keystore_alias>> -keyalg RSA -keysize 2048 -validity 3650 -keystore <<keystore_path>> -storepass <<keystore_password>> -keypass <<key_password>> -noprompt
  2. Export the public cert of the newly generated key pair.

    keytool -export -alias <<cert_alias>> -file <<certificate_path>> -keystore <<keystore_path>>
  3. Import the public cert of Server A to the client truststores of all the servers including Server A.

    keytool -import -trustcacerts -alias <<cert_alias>> -file <<certificate_path>> -keystore <<truststore_path>> -storepass <<keystore_password>> -noprompt
  4. Repeat the above steps for all the servers.

    • If there is an Active Directory/LDAP configured in your deployment, add the AD certificate to the client-truststore of all the servers.
    • If there is an Enterprise Integrator (EI) instance in your deployment, and it is connected to a backend, i.e., a core banking system (CBS), through a secure connection (e.g., SSL), add your backend's certificate to the client-truststore of the EI server.