This documentation is for WSO2 Open Banking version 1.5.0. View documentation for the latest release.

Third-Party Providers (TPPs) can create third-party applications to facilitate banking services exposed via banking APIs. A TPP can play the role of a PISP/AISP/CBPII or a combination of those roles.

TPPs are subject to thorough verification before they are connected with the banks/ASPSPs. This verification includes a comprehensive sign-up process at the API Store, the developer portal of WSO2 Open Banking. For a TPP to start providing open banking services, it has to be registered under a Competent Authority, which is a regulatory body that authorizes and supervises the open banking services delivered by the TPP.

This tutorial lets you try out a sample TPP onboarding process.

Prerequisites

  1. Download WSO2 EI 6.4.0 and unzip the file.
  2. Set the path and hostname to EI in the <WSO2_OB_APIM_HOME>/repository/resources/finance/script/startup.properties file.

    If you are using Microsoft SQL Server or Oracle, create the bpsdb and bps_configdb databases.

  3. Go to the <WSO2_OB_APIM_HOME>/repository/resources/finance/scripts/wso2ei-bps directory and give execution permissions to the configure-bps.sh file.

  4. Run configure-bps.sh.

  5. Add the following artifacts to the given locations:
    1. Download the ApplicationRegistrationWorkflowProcess_1.0.0.zip and UserSignupApprovalProcess_1.0.0.zip BPEL artifacts and place them in the <WSO2_EI_HOME>/repository/deployment/server/bpel directory.
    2. Download the UserApprovalTask-1.0.0.zip and ApplicationRegistrationTask-1.0.0.zip human task artifacts and place them in the <WSO2_EI_HOME>/repository/deployment/server/humantask directory.
  6. Navigate to the wso2ei-6.4.0/wso2/business-process/bin directory, and execute the following command:

    ./wso2server.sh -Dsetup
  7. Sign in to the API management console at https://<WSO2_OB_APIM_HOST>:9443/carbon.

    Sign in as a super admin. The default credentials are:

    • Username: admin@wso2.com
    • Password: wso2123

  8. On the Main tab, click Resources > Browse.

  9. Navigate to the /_system/governance/apimgt/applicationdata/workflow-extensions.xml registry file.

  10. In the workflow-extensions.xml registry file, navigate to Content and click Edit as text.

  11. Add the following configurations under ProductionApplicationRegistration and UserSignUp in the registry file:

    <ProductionApplicationRegistration executor="com.wso2.finance.tpp.prodaccess.impl.TPPProdAccessWorkFlow">
        <Property name="serviceEndpoint">http://localhost:9765/services/ApplicationRegistrationWorkFlowProcess/</Property>
        <Property name="username">admin@wso2.com@carbon.super</Property>
        <Property name="password">wso2123</Property>
        <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
    </ProductionApplicationRegistration>
    <UserSignUp executor="com.wso2.finance.tpp.signup.impl.TPPSignUpWorkFlow">
        <Property name="serviceEndpoint">http://localhost:9765/services/UserSignupProcess/</Property>
        <Property name="username">admin@wso2.com@carbon.super</Property>
        <Property name="password">wso2123</Property>
        <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
        <Property name="aispRole">internal/aispRole</Property>
        <Property name="pispRole">internal/pispRole</Property>
        <Property name="piispRole">internal/piispRole</Property>
    </UserSignUp>
  12. Click  Save Content.
  1. Access the WSO2 Open Banking API Store using either of the following URLs:

    | Protocol | URL |
    |---|---|
    | HTTP | http://<HTTP_OB_HOST>:9763/store |
    | HTTPS | https://<HTTPS_OB_HOST>:9443/store |
  2. Access the WSO2 Open Banking Admin Portal using either of the following URLs:


    | Protocol | URL |
    |---|---|
    | HTTP | http://<HTTP_OB_HOST>:9763/admin |
    | HTTPS | https://<HTTPS_OB_HOST>:9443/admin |


    1. Click Sign In and navigate to the sign-in screen.
    2. Enter the username and the password and click Sign In.
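
The workflow-extensions.xml entries added in step 11 hold the super-admin password and the endpoints it is used with, so they are worth checking before the setup leaves a test machine. The following check is an added example, not part of the WSO2 documentation: audit_workflow_extensions, the sample XML, its wrapper root element and the bank.example hosts are constructed for illustration, and it assumes the executor presents the configured username and password to serviceEndpoint.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Default super-admin password shown on this page; extend with local defaults.
DOCUMENTED_DEFAULT_PASSWORDS = {"wso2123"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_workflow_extensions(xml_text):
    """Return (executor_element, finding) tuples for risky executor settings."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        props = {p.get("name"): (p.text or "").strip()
                 for p in elem.findall("Property")}
        if not props:
            continue  # not a workflow executor entry
        if props.get("password") in DOCUMENTED_DEFAULT_PASSWORDS:
            findings.append((elem.tag, "documented default password in use"))
        endpoint = urlsplit(props.get("serviceEndpoint", ""))
        # Assumption: the executor sends username/password to serviceEndpoint,
        # so plain HTTP is tolerable only when the hop never leaves the host.
        if endpoint.scheme == "http" and endpoint.hostname not in LOOPBACK_HOSTS:
            findings.append((elem.tag, "credentials sent over plain HTTP"))
        if "callbackURL" in props and urlsplit(props["callbackURL"]).scheme != "https":
            findings.append((elem.tag, "callbackURL is not HTTPS"))
    return findings

# Constructed sample: the first entry mirrors the tutorial values, the second
# is a hypothetical deployment with the BPS service on another host.
SAMPLE = """<WorkFlowExtensions>
  <ProductionApplicationRegistration executor="com.wso2.finance.tpp.prodaccess.impl.TPPProdAccessWorkFlow">
    <Property name="serviceEndpoint">http://localhost:9765/services/ApplicationRegistrationWorkFlowProcess/</Property>
    <Property name="username">admin@wso2.com@carbon.super</Property>
    <Property name="password">wso2123</Property>
    <Property name="callbackURL">https://localhost:8243/services/WorkflowCallbackService</Property>
  </ProductionApplicationRegistration>
  <UserSignUp executor="com.wso2.finance.tpp.signup.impl.TPPSignUpWorkFlow">
    <Property name="serviceEndpoint">http://bps.bank.example:9765/services/UserSignupProcess/</Property>
    <Property name="username">workflow-svc@carbon.super</Property>
    <Property name="password">constructed-non-default-value</Property>
    <Property name="callbackURL">http://apim.bank.example:8280/services/WorkflowCallbackService</Property>
  </UserSignUp>
</WorkFlowExtensions>"""

if __name__ == "__main__":
    for tag, finding in audit_workflow_extensions(SAMPLE):
        print(f"{tag}: {finding}")
```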

Let's get started!



Step 01 Sign up as a TPP user

Follow the steps below to sign up as a TPP user:

  1. Navigate to the API Store.

  2. Click Sign Up and navigate to the sign-up screen.   

  3. Provide the requested details as defined below: 
    1. Generic Details 

      | Field | Description | Sample Value |
      |---|---|---|
      | Username/Email | The username/email the TPP user uses to sign in to the API Store. | tony@fincom.com |
      | Password | The password the TPP user uses to sign in to the API Store. | |
      | Re-type Password | Re-type the password to prevent an incorrect password being set accidentally. | |
      | First Name | The first name of the TPP user. | Tony |
      | Last Name | The last name of the TPP user. | Paige |
    2. Company details 

      | Field | Description | Sample Value |
      |---|---|---|
      | Legal Entity Name | The official name of the TPP. | FinCom |
      | Country of Registration | The country in which the TPP is registered. | United Kingdom |
      | Legal Entity Identifier (LEI) Number | The legal entity number that identifies the TPP. | 123400WSGIIACXF1P520 |
      | Company Register | The organization that registered the TPP. | |
      | Company Registration Number | The identifier issued at the TPP registration. | |
      | Address Line 1 | The address of the TPP. | |
      | Address Line 2 | The address of the TPP. | |
      | City | The city in which the TPP is located. | |
      | Postal Code | The postal code of the geographical location of the TPP. | |
      | Country | The country in which the TPP is located. | |
    3. Competent Authority registration details 

      | Field | Description | Sample Value |
      |---|---|---|
      | Competent Authority | The regulatory body that authorizes and supervises the open banking services delivered by the TPP. | Financial Conduct Authority |
      | Competent Authority Country | The country of the Competent Authority that authorized the TPP to provide open banking services. | |
      | Competent Authority Registration Number | The registration number issued by the Competent Authority to the TPP. | |
      | URL of the Competent Authority Register Page | The URL of the page that has the list of organizations authorized by the given competent authority. | |

      Open Banking Roles

      The open banking roles the TPP is willing to take up:

      • Account Information Service Provider: An Account Information Service Provider (AISP) provides an aggregated view of all the accounts and past transactions that a customer has with different banks. To provide this view to the customer, the AISP should have authorization from the customer to view the corresponding transaction and balance information of all the payment accounts. The AISPs can also provide the facility to analyze the customer's spending patterns, expenses, and financial needs. Unlike a PISP, an AISP cannot transfer funds from a payment account.
      • Payment Initiation Service Provider: A Payment Initiation Service Provider (PISP) initiates credit transfers on behalf of a bank's customer.
      • Payment Instrument Issuer Service Provider: A Payment Instrument Issuer Service Provider (PIISP) is a PSP that verifies the coverage of a given payment amount of the PSU's account. Examples of PIISPs are the banks and credit card issuers that are obligated to verify whether the given payment amount can be covered by the PSU's account through APIs.


      After selecting the roles, indicate whether or not the TPP is authorized by a competent authority to provide the services of the selected roles.

      If the TPP has not yet registered to provide the services of the selected roles, indicate whether or not the TPP has applied for registration.


  4. Agree to the terms and conditions by selecting the check box.

  5. Click Sign Up.

    A request to approve the user sign-up is sent to the admin users.


Step 02 Approve the TPP user account

Follow the steps below to approve the newly created TPP user account:

It is not mandatory to include the approval step for the TPP user to become PSD2-compliant. In order to add this step, you need to configure workflows in the WSO2 Open Banking solution. For more information on configuring workflows, see here.

  1. Navigate to the Admin Portal.  

  2. Locate the approval request and click Assign To Me.    

  3. Click Start to start the approval process.
  4. Select Approve and click Complete.

    The TPP user can now sign in to the API Store.

Step 03 Sign in as a TPP user

Follow the steps below to sign in to the API Store:

  1. Navigate to the API Store.
  2. Click Sign In and navigate to the sign in screen.
  3. Enter the username and the password you entered at the user sign up.
  4. Click Sign In.

    The API Store home screen with the APIs appears. Remain in the API Store to create an application.

Step 04 Create an application

An application is an intermediary that sits between an API and its consumer. API consumers use applications to subscribe to APIs and consume them.

An API consumer can subscribe to multiple APIs using a single application. Thus, it acts as a logical collection of API subscriptions and decouples the API consumer from the APIs. Each application can be associated with different Service Level Agreement (SLA) levels. This is enabled by attaching an application with throttling tiers that determine the maximum number of API calls allowed during a given duration.

Follow the steps below to create an application:

  1. In the API Store, click Applications.
  2. Click Add Application.
  3. Enter the application details. 

    | Field | Description | Sample Value |
    |---|---|---|
    | Name | The application name. | FinComApp |
    | Per Token Quota | Determines the maximum number of API requests accepted within a given duration. | Unlimited |
    | Description | Describes the purpose of the application. | |

  4. Click Add to create the application.  

    Remain on the same page to generate application access tokens. 

Step 05 Create and upload certificates

The TPP user needs to obtain an eIDAS certificate from a Qualified Trust Service Provider (QTSP) that validates whether the TPP is registered in a governing entity. It is verified in the TPP Onboarding process. For more information on how WSO2 Open Banking supports the eIDAS implementation, see eIDAS Implementation for PSD2 Compliance.

For testing purposes, WSO2 Open Banking provides a sample eIDAS certificate. To download the sample eIDAS certificate, click here.

Upload the downloaded sample eIDAS certificate to the client trust stores of WSO2 OB APIM and WSO2 OB KM.

  • Locate the client trust stores in WSO2 OB APIM and WSO2 OB KM in the following directory paths:
    • <WSO2_OB_APIM>/repository/resources/security/client-truststore.jks
    • <WSO2_OB_KM>/repository/resources/security/client-truststore.jks
  • Use the following command to upload the certificate:

    keytool -import -trustcacerts -alias <<alias>> -file <<path_to_sample_eIDAS_cert>> -keystore <<path_to_truststore>> -storepass wso2carbon -noprompt

Step 06 Request access tokens

Follow the steps below to generate access keys, i.e., consumer key and consumer secret:

  1. Click Production Keys on the application details page.
  2. Provide the requested details, as defined below: 

    Grant Types:

    Determines the credentials used to generate the access token. There are six different grant types available in WSO2 Open Banking:

    • Refresh Token: Renews an expired access token.
    • SAML2: Used to exchange a SAML access token with an OAuth access token.
    • Password: Used to obtain an access token by providing the resource owner's username and password.
    • Client Credential: Relates to the client credentials grant type, and is applicable when consuming the API as an application.
    • IWA-NTLM: Used to obtain an access token for an API in a WSO2 Open Banking instance running on Windows.
    • Code: Relates to the authorization code grant type and is applicable when consuming the API as a user.

    For more information on grant types, see Key Concepts.

    Callback URL: The URL used by the AISP/PISP to receive the authorization code sent from the Account Servicing Payment Service Provider (ASPSP), e.g., bank. The authorization code can be used later to generate an OAuth2 access token. Sample URL: https://openbanking.wso2.com/authenticationendpoint/authorize_callback.do

    Application Certificate: The content between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings of the Application Certificate (.PEM) that you created above.

  3. Click Request Access.
    A request to approve the token generation is sent to the admin user.

Sandbox keys can be used to proceed without admin approval.

Follow the steps below to generate a sandbox key:

  1. Click Production Keys on the application details page.
  2. Provide the requested details as defined below: 

    Grant Types:

    Determines the credentials used to generate the access token. There are six different grant types available in WSO2 Open Banking:

    • Refresh Token: Renews an expired access token.
    • SAML2: Used to exchange a SAML access token with an OAuth access token.
    • Password: Used to obtain an access token by providing the resource owner's username and password.
    • Client Credential: Relates to the client credentials grant type, and is applicable when consuming the API as an application.
    • IWA-NTLM: Used to obtain an access token for an API in a WSO2 Open Banking instance running on Windows.
    • Code: Relates to the authorization code grant type and is applicable when consuming the API as a user.

    For more information on grant types, see Key Concepts.

    Callback URL: This is the URL used by the AISP/PISP to receive the authorization code sent from the Account Servicing Payment Service Provider (ASPSP), e.g., bank. The authorization code can be used to generate an OAuth2 access token later. Sample URL: https://openbanking.wso2.com/authenticationendpoint/authorize_callback.do

    Application Certificate: This is the content between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- strings of the Application Certificate (.PEM) that you created above.

  3. Click Request Access.
    A request to approve the token generation is sent to the admin user.  
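
The Application Certificate field above and the trust store import in Step 05 should both refer to the same certificate. The following helper is an added example, not part of the WSO2 documentation: it extracts the text between the BEGIN/END strings of a single-certificate PEM, rejects a truncated or non-DER body, and returns the SHA-256 fingerprint in the colon-separated form that keytool -list -v prints for the imported alias. The function names and the placeholder input are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def der_header_ok(der):
    """True if der is one outer SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def application_certificate_field(pem_text):
    """Return (field_value, sha256_fingerprint) for a PEM holding one certificate."""
    bodies = PEM_RE.findall(pem_text)
    if len(bodies) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(bodies)}")
    field_value = bodies[0].strip()         # text between the BEGIN/END lines
    try:
        der = base64.b64decode("".join(field_value.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    if not der_header_ok(der):
        raise ValueError("body is truncated or not a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return field_value, fingerprint

def to_pem(der):
    """Wrap DER bytes in PEM armour with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed input: a DER-shaped placeholder, not a real eIDAS certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    value, fp = application_certificate_field(to_pem(SAMPLE_DER))
    print(fp)
```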

Step 07 Approve the access key generation

Follow the steps below to approve the access key generation:

  1. Navigate to the Admin Portal.
  2. Click Tasks > Application Registration.
  3. Locate the approval request and click Assign To Me.
  4. Click Start to start the approval process.
  5. Select Approve and then click Complete.
  6. Navigate back to the API Store and click Applications.
  7. Click View for the application that you created in Step 04, e.g., FinComApp, to navigate to the application details page.
  8. Click the Production Keys tab.

    Observe the generated keys. 

    Next, you can subscribe to APIs available in the API Store and invoke them. 
