This documentation is for WSO2 Open Banking version 1.5.0.
Comment: dcr uri host validation false

...


Configuration
1

Define the specification that you plan to deploy.

Possible values: UK, BERLIN, AU, STET

Code Block
languagexml
<DeployedSpecification>AU</DeployedSpecification> 
2
  • Shareable accounts - accounts that are accessible online.

<SharableAccountsRetreiveEndpoint>: Configures the endpoint to retrieve sharable accounts that are required to list on the consent page.

Code Block
languagexml
<SharableAccountsRetreiveEndpoint>http://<WSO2_OB_APIM_HOST>:9763/open-banking/services/bankaccounts/bankaccountservice/sharable-accounts</SharableAccountsRetreiveEndpoint>

In the default WSO2 Open Banking solution, an API is exposed that returns the shareable accounts when the user_id is passed. The endpoint must return the JSON response shown below; the accounts list is then loaded automatically in the consent page.

Code Block
{
 "data": [
  {
   "account_id": "1234-2345-3456-4567",
   "display_name": "1234-2345-3456-4567"
  },
  {
   "account_id": "9999-4345-8456-4567",
   "display_name": "9999-4345-8456-4567"
  }
 ]
}

By default, the mock back end deployed in WSO2_OB_APIM is configured. Required parameters can be passed as query parameters to these endpoints. An example of configuring the endpoint to retrieve sharable accounts:

Code Block
http://<WSO2_OB_APIM_HOST>:9443/as400/sharable-accounts/{userId}
3

Metadata management: 

Note

ACCC does not support this feature yet. To try out the feature before the ACCC endpoints are available, create a mock back end and invoke the hosted services.

Once ACCC creates its status discovery endpoints, the Data Holder should configure the following properties under <AU><MetaDataCache>:

  • <EnableMetaDataCache>: To enable metadata caching, set the value to true.
  • <MetaDataCacheUpdatePeriod>: Defines the fetch time for the periodical cache update, in minutes.
  • <DefaultCacheTimeout>: The expiration time of the base cache, in minutes.
  • <DataRecipientsDiscoveryURL>: The endpoint provided by ACCC for retrieving the statuses of Data Recipients.

    Sample mock back end response for the Data Recipients Discovery endpoint:

    Code Block
    {
       "dataRecipients":[
          {
             "dataRecipientId":"TPP1",
             "dataRecipientStatus":"Active"
          },
          {
             "dataRecipientId":"TPP2",
             "dataRecipientStatus":"Suspended"
          },
          {
             "dataRecipientId":"TPP3",
             "dataRecipientStatus":"Revoked"
          },
          {
             "dataRecipientId":"TPP4",
             "dataRecipientStatus":"Surrendered"
          },
          {
             "dataRecipientId":"TPP5",
             "dataRecipientStatus":"Active"
          },
          {
             "dataRecipientId":"TPP7",
             "dataRecipientStatus":"Suspended"
          },
          {
             "dataRecipientId":"OI1",
             "dataRecipientStatus":"Active"
          },
          {
             "dataRecipientId":"TPP8",
             "dataRecipientStatus":"Surrendered"
          },
          {
             "dataRecipientId":"TPP9",
             "dataRecipientStatus":"Active"
          },
          {
             "dataRecipientId":"TPP10",
             "dataRecipientStatus":"Suspended"
          },
          {
             "dataRecipientId":"TPP11",
             "dataRecipientStatus":"Revoked"
          },
          {
             "dataRecipientId":"TPP12",
             "dataRecipientStatus":"Surrendered"
          }
       ]
    }
  • <SoftwareProductsDiscoveryURL>: The endpoint provided by ACCC for retrieving the statuses of software products.

    Sample mock back end response for the Software Products Discovery endpoint:

    Code Block
    {
       "softwareProducts":[
          {
             "softwareProductId":"SP1",
             "softwareProductStatus":"Active"
          },
          {
             "softwareProductId":"SP2",
             "softwareProductStatus":"Inactive"
          },
          {
             "softwareProductId":"SP3",
             "softwareProductStatus":"Removed"
          },
          {
             "softwareProductId":"SP4",
             "softwareProductStatus":"Active"
          },
          {
             "softwareProductId":"SP5",
             "softwareProductStatus":"Inactive"
          },
          {
             "softwareProductId":"SP6",
             "softwareProductStatus":"Removed"
          },
          {
             "softwareProductId":"SP7",
             "softwareProductStatus":"Active"
          },
          {
             "softwareProductId":"SI1",
             "softwareProductStatus":"Inactive"
          },
          {
             "softwareProductId":"SP9",
             "softwareProductStatus":"Removed"
          },
          {
             "softwareProductId":"SP10",
             "softwareProductStatus":"Active"
          },
          {
             "softwareProductId":"SP11",
             "softwareProductStatus":"Inactive"
          },
          {
             "softwareProductId":"SP12",
             "softwareProductStatus":"Removed"
          }
       ]
    }
  • <DCRInternalURL>: The API Manager internal URL for accessing Dynamic Client Registration.
Code Block
languagexml
<MetaDataCache>
	<EnableMetaDataCache>true</EnableMetaDataCache>
	<MetaDataCacheUpdatePeriod>5</MetaDataCacheUpdatePeriod>
	<DefaultCacheTimeout>1</DefaultCacheTimeout>
	<DataRecipientsDiscoveryURL><DR_DISCOVERY_MOCK_URL></DataRecipientsDiscoveryURL>
	<SoftwareProductsDiscoveryURL><SP_DISCOVERY_MOCK_URL></SoftwareProductsDiscoveryURL>
	<DCRInternalURL>https://<WSO2_OB_APIM_HOST>:9443/dynamic-client-registration/common/register/</DCRInternalURL>
</MetaDataCache>
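The Data Holder consumes the two discovery documents above to decide whether a Data Recipient may still call its APIs. The following added example (not WSO2 code) shows one way to apply the cache settings from this step: a snapshot is re-fetched every MetaDataCacheUpdatePeriod minutes, a failed re-fetch keeps serving the old snapshot for at most DefaultCacheTimeout further minutes, after which lookups fail closed. The sample JSON is constructed in the shape of the mock responses; the grace-period interpretation of DefaultCacheTimeout is an assumption.

```python
import json
import time

# Constructed samples in the shape of the mock discovery responses above
DATA_RECIPIENTS_JSON = ('{"dataRecipients":[{"dataRecipientId":"TPP1","dataRecipientStatus":"Active"},'
                        '{"dataRecipientId":"TPP2","dataRecipientStatus":"Suspended"}]}')
SOFTWARE_PRODUCTS_JSON = ('{"softwareProducts":[{"softwareProductId":"SP1","softwareProductStatus":"Active"},'
                          '{"softwareProductId":"SP2","softwareProductStatus":"Inactive"}]}')


class MetaDataCache:
    """Caches ACCC status maps. update_period = <MetaDataCacheUpdatePeriod> (minutes),
    default_timeout = <DefaultCacheTimeout> (minutes, treated here as a grace period after a failed refresh)."""

    def __init__(self, fetch_recipients, fetch_products, update_period=5, default_timeout=1, clock=time.time):
        self.fetch_recipients, self.fetch_products = fetch_recipients, fetch_products
        self.update_period, self.default_timeout = update_period * 60, default_timeout * 60
        self.clock = clock
        self.recipients, self.products, self.fetched_at = {}, {}, None

    def refresh(self):
        # Both fetchers return the raw JSON body of the discovery endpoint
        dr = json.loads(self.fetch_recipients())
        sp = json.loads(self.fetch_products())
        self.recipients = {d["dataRecipientId"]: d["dataRecipientStatus"] for d in dr["dataRecipients"]}
        self.products = {p["softwareProductId"]: p["softwareProductStatus"] for p in sp["softwareProducts"]}
        self.fetched_at = self.clock()

    def _ensure_fresh(self):
        age = None if self.fetched_at is None else self.clock() - self.fetched_at
        if age is not None and age < self.update_period:
            return True
        try:
            self.refresh()
            return True
        except Exception:
            # Refresh failed: serve the old snapshot only inside the grace window, otherwise fail closed
            return age is not None and age < self.update_period + self.default_timeout

    def is_allowed(self, data_recipient_id, software_product_id):
        """True only when both the Data Recipient and its software product are currently Active."""
        if not self._ensure_fresh():
            return False
        return (self.recipients.get(data_recipient_id) == "Active"
                and self.products.get(software_product_id) == "Active")
```

Any status other than Active (Suspended, Revoked, Surrendered, Inactive, Removed) and any unknown identifier is denied, as is every lookup once the cache cannot be refreshed within the grace window.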
4

Support for extended endpoints and holder specific version handling:

  • By default, the following resources are configured in the solution. To add additional resources to the Consumer Data Standards API, add an entry under <ResourcePaths> in WSO2 Open Banking Key Manager:

    Code Block
    languagexml
    <ResourcePaths>
    	/banking/accounts, 
    	/banking/accounts/balances, 
    	/banking/accounts/direct-debits, 
    	/banking/accounts/{AccountId}/balance, 
    	/banking/accounts/{AccountId}, 	
    	/banking/accounts/{AccountId}/transactions, 
    	/banking/accounts/{AccountId}/transactions/{transactionId}, 
    	/banking/accounts/{AccountId}/direct-debits, 
    	/banking/accounts/{AccountId}/payments/scheduled, 
    	/banking/payments/scheduled, /banking/payees, 
    	/banking/payees/{payeeId}, /banking/products, 
    	/banking/products/{productId}, 
    	/common/customer, 	
    	/common/customer/detail, 
    	/discovery/status, 
    	/discovery/outages
    </ResourcePaths>
  • To define a Data Holder specific identifier for extended API endpoints, configure the following in WSO2 Open Banking API Manager. For example, if the Data Holder is ABC-Bank:

    Code Block
    languagexml
    <HolderIdentifier>
    	ABC-Bank
    </HolderIdentifier>
5

To cache the responses received for the CDS API requests, update the following configurations in WSO2 Open Banking API Manager:

Code Block
languagexml
<Enforcement>
	<Cache>
		<CacheEnabled>true</CacheEnabled>
		<ModifiedExpiryMinutes>15</ModifiedExpiryMinutes>
		<AccessedExpiryMinutes>15</AccessedExpiryMinutes>
	</Cache>
</Enforcement>
6

To configure Mutual Transport Layer Security (MTLS) certificate-bound access tokens, update the open-banking.xml file in WSO2 Open Banking Key Manager:

  1. Set <EnableMTLSTokenBinding> under <APISecurity> to true:

    Code Block
    languagexml
    <EnableMTLSTokenBinding>true</EnableMTLSTokenBinding>
  2. Configure the client certificate header name using the <CertificateManagement><ClientAuthenticationHeader> property:

    Code Block
    languagexml
    <ClientAuthenticationHeader>x-wso2-mutual-auth-cert</ClientAuthenticationHeader>

For more information, see MTLS certificate bound access token.

7

If MTLS is terminated before the request reaches the Gateway, retrieve the Data Recipient's certificate from the MTLS session and include it as a transport certificate header. By default, the Gateway expects ssl.client.auth.cert.X509 as the transport header. Set the name of the transport certificate header in <TransportCertificateHeader> under the <CertificateManagement> element. See the sample configuration below.

Code Block
languagexml
 <CertificateManagement>
        <!-- In order to enable the client certificate validation feature (Certificate Expiry, Signature and
        Revocation validation during MTLS), the following module needs to be engaged under the "Global Engaged
        Modules" section in the axis2.xml file.

        <module ref="mtlscertvalidator"/>
        -->

        <!--Set the value of the transport certificate header sent in the request if MTLS is terminated before the
        gateway default value is ssl.client.auth.cert.X509-->
        <TransportCertificateHeader>ssl.client.auth.cert.X509</TransportCertificateHeader>
</CertificateManagement>
Warning

The load balancer must not allow the Data Recipient to send its own certificate in the transport certificate header configured in open-banking.xml under the <TransportCertificateHeader> element.

If such a header is found in the Data Recipient's request, it is mandatory to remove it from the request before forwarding. This applies even when the MTLS session is not terminated at the load balancer.
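The header-stripping rule in the warning above, as an added example that is not part of this documentation or the WSO2 product: a terminating proxy drops every client-supplied copy of the transport certificate header (matched case-insensitively, since HTTP header names are case-insensitive) and sets it only from the certificate taken from its own MTLS session. The sample PEM is a constructed placeholder, and collapsing the PEM to a single-line base64 body is an assumption about the value format the Gateway expects.

```python
# Header name configured in <TransportCertificateHeader>
TRANSPORT_CERT_HEADER = "ssl.client.auth.cert.X509"

# Constructed placeholder, not a real certificate
SAMPLE_SESSION_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                           "MIIBexampleLine1\nMIIBexampleLine2\n"
                           "-----END CERTIFICATE-----\n")


def pem_to_header_value(pem):
    """Collapse a PEM certificate to its single-line base64 body (assumed header value format)."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))


def forward_headers(inbound_headers, session_client_cert_pem=None, header_name=TRANSPORT_CERT_HEADER):
    """Build the header set the load balancer forwards to the Gateway.

    Every copy of the transport certificate header present in the Data Recipient's request is
    dropped, whether or not MTLS terminates here, so a client can never assert a certificate it
    did not present on the TLS session. The header is then set only from the certificate this
    proxy obtained from its own MTLS session. Returns (headers, dropped_count) so that spoofing
    attempts can be logged or alerted on.
    """
    dropped = 0
    forwarded = {}
    for name, value in inbound_headers.items():
        if name.lower() == header_name.lower():
            dropped += 1
            continue
        forwarded[name] = value
    if session_client_cert_pem is not None:
        forwarded[header_name] = pem_to_header_value(session_client_cert_pem)
    return forwarded, dropped
```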

To enable certificate revocation validation for API security, configure the following:

Code Block
languagexml
<CertificateManagement>
	<!-- Expiry time for the cache (in seconds) for storing the validation result of the certificates-->
	<ClientCertificateCacheExpiry>3600</ClientCertificateCacheExpiry>
	<!-- Enable/Disable certificate OCSP and CRL validation. Default value has been set to true -->
	<CertificateRevocationValidationEnabled>true</CertificateRevocationValidationEnabled>
</CertificateManagement>
8

This section is for the Data Reporting feature. To enable data publishing, set the <Enabled> property to true so that WSO2 Open Banking Business Intelligence can capture and summarize data. Replace the <WSO2_OB_BI_HOST> placeholder with the hostname of the Open Banking Business Intelligence server.

Code Block
languagexml
<DataPublishing>
	<!-- Include all configurations related to Data publishing -->
	<!-- Enable data publishing in WSO2 Open Banking-->
	<Enabled>true</Enabled>
	<!-- Server URL of the remote BI server used to collect statistics. Must
            be specified in protocol://hostname:port/ format. -->
	<ServerURL>{tcp://<WSO2_OB_BI_HOST>:7612}</ServerURL>
	<!-- Administrator username to login to the BI server for data publishing. -->
	<Username>admin@wso2.com@carbon.super</Username>
	<!-- Administrator password to login to the BI server for data publishing. -->
	<Password>wso2123</Password>
</DataPublishing>
9

By default, the Consent Management APIs are secured with basic authentication. To access the Consent Management APIs, use the default user or create a new user using the Key Manager Management Console.

  1. Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file.
  2. Update the credentials under <APISecurity><Global> with the created user details.

    By default, this is set to the username and password of the super admin.

    Code Block
    languagexml
    <APISecurity>
    	<Global>
    		<Username>admin@wso2.com</Username>
    		<Password>wso2123</Password>
    	</Global>
    </APISecurity>

For more information, see configuring basic authentication for Consent Management APIs.

10

Dynamic Client Registration configurations under <DCR>

  1. The only supported authentication method for the token endpoint is private_key_jwt. Make sure the <DCR><TokenAuthentication> configurations are as follows:

    Code Block
    languagexml
    <TokenAuthentication>
    	<Method>private_key_jwt</Method>
    </TokenAuthentication>
  2. The connection and read timeout values used when retrieving the remote JWKS to validate the SSA and request JWT signatures during client registration:

    Code Block
    languagexml
    <ConnectionTimeout>0</ConnectionTimeout>
    <ReadTimeout>0</ReadTimeout>
  3. This property validates the policy, client, terms of service, and logo URIs. By default, this is set to false. To validate them, set this configuration to true.

    Code Block
    languagexml
    <EnableURIValidation>false</EnableURIValidation>
  4. This property validates the hostnames of the policy, client, terms of service, and logo URIs against the hostnames of the redirect URIs. By default, this is set to false. To validate them, set this configuration to true.

    Code Block
    languagexml
    <EnableHostNameValidation>false</EnableHostNameValidation>
  5. Set the <UseSoftwareIdAsApplicationName> to true, to use SoftwareID in SSA as the name of the application.

    Code Block
    languagexml
    <UseSoftwareIdAsApplicationName>true</UseSoftwareIdAsApplicationName>

    Configure the JWKS URLs to validate the SSA: 

    Note

    ACCC does not support this feature yet. To try out the feature before the ACCC endpoints are available, create a mock back end and invoke the hosted services.

    Code Block
    languagexml
    <JwksUrlSandbox><URL_FOR_SANDBOX></JwksUrlSandbox>
    <JwksUrlProduction><URL_FOR_PRODUCTION></JwksUrlProduction>
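The two checks controlled by <EnableURIValidation> and <EnableHostNameValidation> (steps 3 and 4), as an added example that is not WSO2's implementation: the field names policy_uri, client_uri, tos_uri, logo_uri and redirect_uris are the RFC 7591 registration names, the sample registration is constructed, and treating "valid" as "absolute https URL" is an assumption about what URI validation checks. With both flags false, only redirect_uris is checked, mirroring the defaults in the configuration above.

```python
from urllib.parse import urlparse

# RFC 7591 metadata fields the two flags apply to (assumed field names)
URI_FIELDS = ("policy_uri", "client_uri", "tos_uri", "logo_uri")

# Constructed sample registration request
SAMPLE_REGISTRATION = {
    "redirect_uris": ["https://app.adr.example/cb"],
    "client_uri": "https://app.adr.example",
    "logo_uri": "https://cdn.other.example/logo.png",
}


def validate_dcr_uris(registration, enable_uri_validation=False, enable_hostname_validation=False):
    """Return (ok, reason).

    enable_uri_validation   -> each present URI field must be an absolute https URL (assumption)
    enable_hostname_validation -> each present URI's hostname must equal a redirect_uris hostname
    redirect_uris is always required and must itself be absolute https, since it anchors the check.
    """
    redirect_hosts = set()
    for uri in registration.get("redirect_uris", []):
        parts = urlparse(uri)
        if parts.scheme != "https" or not parts.hostname:
            return False, "invalid redirect_uri: %s" % uri
        redirect_hosts.add(parts.hostname.lower())
    if not redirect_hosts:
        return False, "redirect_uris is required"

    for field in URI_FIELDS:
        value = registration.get(field)
        if value is None:
            continue
        parts = urlparse(value)
        if enable_uri_validation and (parts.scheme != "https" or not parts.hostname):
            return False, "%s must be an absolute https URL" % field
        if enable_hostname_validation and (parts.hostname or "").lower() not in redirect_hosts:
            return False, "%s host does not match any redirect_uri host" % field
    return True, "ok"
```

Hostname validation rejects the sample because logo_uri is served from a different host than the redirect URI, which is exactly the case the flag exists to catch.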

...