This documentation is for WSO2 Open Banking version 1.4.0. View documentation for the latest release.

Follow the steps below to deploy the Open Banking Key Manager.

Tip

Do the following configurations in the Key Manager and restart the server.

Go to the <WSO2_OB_KM_HOME>/bin directory and execute the following command:

```bash
./wso2server.sh
```

Configuring datasources

  1. Configure the <WSO2_OB_KM_HOME>/repository/conf/datasources/master-datasources.xml file with the following configurations.

    1. Update the url, username, password, and driverClassName with the database credentials and the relevant database driver name in the WSO2AM_DB, WSO2CONFIG_DB, WSO2REG_DB, and WSO2UM_DB datasources. Given below is a sample of MySQL configurations.

      Note

      If you are using Oracle, update the validationQuery in each datasource with the value below.

      ```xml
      <validationQuery>SELECT 1 FROM DUAL</validationQuery>
      ```

      ```xml
      <datasource>
         <name>WSO2AM_DB</name>
         <description>The datasource used for API Manager database</description>
         <jndiConfig>
            <name>jdbc/WSO2AM_DB</name>
         </jndiConfig>
         <definition type="RDBMS">
            <configuration>
               <url>jdbc:mysql://localhost:3306/uk130_openbank_apimgtdb?autoReconnect=true&amp;useSSL=false</url>
               <username>root</username>
               <password>root</password>
               <driverClassName>com.mysql.jdbc.Driver</driverClassName>
               <maxActive>150</maxActive>
               <maxWait>60000</maxWait>
               <testOnBorrow>true</testOnBorrow>
               <validationQuery>SELECT 1</validationQuery>
               <validationInterval>30000</validationInterval>
               <defaultAutoCommit>false</defaultAutoCommit>
            </configuration>
         </definition>
      </datasource>
      <datasource>
         <name>WSO2CONFIG_DB</name>
         <description>The datasource used by the registry</description>
         <jndiConfig>
            <name>jdbc/WSO2Config_DB</name>
         </jndiConfig>
         <definition type="RDBMS">
            <configuration>
               <url>jdbc:mysql://localhost:3306/uk130_openbank_iskm_configdb?autoReconnect=true&amp;useSSL=false</url>
               <username>root</username>
               <password>root</password>
               <driverClassName>com.mysql.jdbc.Driver</driverClassName>
               <maxActive>150</maxActive>
               <maxWait>60000</maxWait>
               <testOnBorrow>true</testOnBorrow>
               <validationQuery>SELECT 1</validationQuery>
               <validationInterval>30000</validationInterval>
               <defaultAutoCommit>false</defaultAutoCommit>
            </configuration>
         </definition>
      </datasource>
      ```
  2. Copy the <WSO2_OB_KM_HOME>/repository/resources/finance/scripts/wso2-obcommon-conf/open-banking-datasources.xml file into the <WSO2_OB_KM_HOME>/repository/conf/datasources directory.

    Open <WSO2_OB_KM_HOME>/repository/conf/datasources/open-banking-datasources.xml and update the WSO2_OPEN_BANKING_DB datasource with the following configurations:

    Note

    If you are using Oracle, update the validationQuery in each datasource with the value below.

    ```xml
    <validationQuery>SELECT 1 FROM DUAL</validationQuery>
    ```

    ```xml
    <datasource>
        <name>WSO2_OPEN_BANKING_DB</name>
        <description>The datasource used for registry and user manager</description>
        <jndiConfig>
            <name>jdbc/WSO2OpenBankingDB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <url>jdbc:mysql://localhost:3306/uk130_openbank_openbankingdb?autoReconnect=true&amp;useSSL=false</url>
                <username>root</username>
                <password>root</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>150</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <validationInterval>30000</validationInterval>
                <defaultAutoCommit>false</defaultAutoCommit>
            </configuration>
        </definition>
    </datasource>
    ```
  3. Update the WSO2_CONSENT_DB datasource in the <WSO2_OB_KM_HOME>/repository/conf/datasources/open-banking-datasources.xml file with the following configurations.

    Note

    If you are using Oracle, update the validationQuery in each datasource with the value below.

    ```xml
    <validationQuery>SELECT 1 FROM DUAL</validationQuery>
    ```

    ```xml
    <datasources>
        <datasource>
            <name>WSO2_CONSENT_DB</name>
            <description>The datasource used for registry and user manager</description>
            <jndiConfig>
                <name>jdbc/WSO2ConsentDB</name>
            </jndiConfig>
            <definition type="RDBMS">
                <configuration>
                    <url>jdbc:mysql://localhost:3306/uk130_openbank_consentdb?autoReconnect=true&amp;useSSL=false</url>
                    <username>root</username>
                    <password>root</password>
                    <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                    <maxActive>150</maxActive>
                    <maxWait>60000</maxWait>
                    <testOnBorrow>true</testOnBorrow>
                    <validationQuery>SELECT 1</validationQuery>
                    <validationInterval>30000</validationInterval>
                    <defaultAutoCommit>false</defaultAutoCommit>
                </configuration>
            </definition>
        </datasource>
    </datasources>
    ```
  4. In the <WSO2_OB_KM_HOME>/repository/conf/registry.xml file, update the properties given below.

    ```xml
    <dbConfig name="configRegistry">
        <dataSource>jdbc/WSO2Config_DB</dataSource>
    </dbConfig>

    <remoteInstance url="https://<WSO2_OB_KM_HOST>:9443/registry">
        <id>configInstance</id>
        <dbConfig>configRegistry</dbConfig>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
    </remoteInstance>

    <mount path="/_system/config" overwrite="true">
        <instanceId>configInstance</instanceId>
        <targetPath>/_system/config</targetPath>
    </mount>

    <dbConfig name="governanceRegistry">
        <dataSource>jdbc/WSO2REG_DB</dataSource>
    </dbConfig>

    <remoteInstance url="https://<WSO2_OB_KM_HOST>:9443/registry">
        <id>governanceInstance</id>
        <dbConfig>governanceRegistry</dbConfig>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
    </remoteInstance>

    <mount path="/_system/governance" overwrite="true">
        <instanceId>governanceInstance</instanceId>
        <targetPath>/_system/governance</targetPath>
    </mount>
    ```
  5. In the <WSO2_OB_KM_HOME>/repository/conf/user-mgt.xml file, update the dataSource property to point to the WSO2UM_DB datasource.

    ```xml
    <Property name="dataSource">jdbc/WSO2UM_DB</Property>
    ```

    Enable the internal JDBC user store in the same file, and update the UsernameJavaRegEx, UsernameJavaScriptRegEx, CaseInsensitiveUsername, and UsernameWithEmailJavaScriptRegEx properties. Follow the sample configuration given below:

    ```xml
    <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
        <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
        <Property name="ReadOnly">false</Property>
        <Property name="ReadGroups">true</Property>
        <Property name="WriteGroups">true</Property>
        <Property name="UsernameJavaRegEx">[email protected]_-{3,30}$</Property>
        <Property name="UsernameJavaScriptRegEx">^[a-zA-Z0-9._-][email protected][a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property>
        <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
        <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
        <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
        <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
        <Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property>
        <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
        <Property name="CaseInsensitiveUsername">true</Property>
        <Property name="SCIMEnabled">false</Property>
        <Property name="IsBulkImportSupported">false</Property>
        <Property name="PasswordDigest">SHA-256</Property>
        <Property name="StoreSaltedPassword">true</Property>
        <Property name="MultiAttributeSeparator">,</Property>
        <Property name="MaxUserNameListLength">100</Property>
        <Property name="MaxRoleNameListLength">100</Property>
        <Property name="UserRolesCacheEnabled">true</Property>
        <Property name="UserNameUniqueAcrossTenants">false</Property>
        <Property name="UsernameWithEmailJavaScriptRegEx">^[\S]{3,30}$</Property>
    </UserStoreManager>
    ```
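
The following script is an added example and is not part of the WSO2 documentation or product. It is a lint that reads the datasource and user-store settings from the steps above (documents in the master-datasources.xml, open-banking-datasources.xml and user-mgt.xml formats) and flags what a reviewer would want fixed before go-live: a required datasource that is missing, a JDBC URL with useSSL=false, the sample root/root credentials, an Oracle datasource still using SELECT 1 instead of SELECT 1 FROM DUAL, and a user store that does not salt and SHA-256-hash passwords. The XML documents inside it are constructed samples in the page's format; the function and constant names are the example's own.

```python
"""Added example, not part of the WSO2 documentation: a lint for the Key Manager
datasource and user-store settings configured in the steps above.

check_datasources() and missing_datasources() read <datasource> entries in the
master-datasources.xml / open-banking-datasources.xml format; check_user_store()
reads the dataSource binding and JDBCUserStoreManager properties in the
user-mgt.xml format.  The XML documents at the bottom are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Datasource names the Key Manager steps above expect to exist.
REQUIRED_DATASOURCES = {
    "WSO2AM_DB", "WSO2CONFIG_DB", "WSO2REG_DB", "WSO2UM_DB",
    "WSO2_OPEN_BANKING_DB", "WSO2_CONSENT_DB",
}


def missing_datasources(*xml_texts):
    """Required datasources that none of the given documents define."""
    present = {ds.findtext("name", "").strip()
               for text in xml_texts for ds in ET.fromstring(text).iter("datasource")}
    return REQUIRED_DATASOURCES - present


def check_datasources(xml_text):
    """Per-datasource findings: TLS disabled, default credentials, wrong validation query."""
    findings = []
    for ds in ET.fromstring(xml_text).iter("datasource"):
        name = ds.findtext("name", "").strip()
        cfg = ds.find("definition/configuration")
        if cfg is None:
            continue
        url = cfg.findtext("url") or ""
        if "useSSL=false" in url:
            findings.append(f"{name}: JDBC URL disables TLS (useSSL=false)")
        if cfg.findtext("username") == "root" and cfg.findtext("password") == "root":
            findings.append(f"{name}: default root/root credentials")
        query = (cfg.findtext("validationQuery") or "").strip().upper()
        # The page's Oracle note: the validation query must be SELECT 1 FROM DUAL.
        if url.startswith("jdbc:oracle") and query != "SELECT 1 FROM DUAL":
            findings.append(f"{name}: Oracle datasource needs validationQuery SELECT 1 FROM DUAL")
    return findings


def check_user_store(xml_text):
    """Findings for user-mgt.xml: datasource binding and password storage policy."""
    root = ET.fromstring(xml_text)
    findings = []
    bound = [(p.text or "").strip() for p in root.iter("Property") if p.get("name") == "dataSource"]
    if "jdbc/WSO2UM_DB" not in bound:
        findings.append("dataSource property does not point to jdbc/WSO2UM_DB")
    store = next((u for u in root.iter("UserStoreManager")
                  if u.get("class", "").endswith("JDBCUserStoreManager")), None)
    if store is None:
        return findings + ["no JDBCUserStoreManager configured"]
    props = {p.get("name"): (p.text or "").strip() for p in store.findall("Property")}
    if props.get("PasswordDigest", "").upper() != "SHA-256":
        findings.append("PasswordDigest is not SHA-256")
    if props.get("StoreSaltedPassword", "").lower() != "true":
        findings.append("StoreSaltedPassword is not true")
    # Probe the edges of the page's policy (5 to 30 non-whitespace characters).
    policy = re.compile(props.get("PasswordJavaRegEx", "^.*$"))
    if policy.match("abcd") or policy.match("a" * 31) or policy.match("pass word"):
        findings.append("PasswordJavaRegEx accepts a password outside the 5-30 character policy")
    return findings


# Constructed sample in the master-datasources.xml format (two of the datasources).
SAMPLE_DATASOURCES = r"""<datasources>
  <datasource><name>WSO2AM_DB</name><definition type="RDBMS"><configuration>
    <url>jdbc:mysql://localhost:3306/uk130_openbank_apimgtdb?autoReconnect=true&amp;useSSL=false</url>
    <username>root</username><password>root</password>
    <validationQuery>SELECT 1</validationQuery>
  </configuration></definition></datasource>
  <datasource><name>WSO2UM_DB</name><definition type="RDBMS"><configuration>
    <url>jdbc:oracle:thin:@dbhost.example:1521/OBKM</url>
    <username>obkm</username><password>sample-only-password</password>
    <validationQuery>SELECT 1</validationQuery>
  </configuration></definition></datasource>
</datasources>"""

# Constructed sample in the user-mgt.xml format, using the page's property values.
SAMPLE_USER_MGT = r"""<UserManager><Realm>
  <Configuration><Property name="dataSource">jdbc/WSO2UM_DB</Property></Configuration>
  <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
    <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordDigest">SHA-256</Property>
    <Property name="StoreSaltedPassword">true</Property>
  </UserStoreManager>
</Realm></UserManager>"""

# The same store with password hashing and salting switched off.
WEAK_USER_MGT = (SAMPLE_USER_MGT.replace("SHA-256", "PLAIN_TEXT")
                 .replace('"StoreSaltedPassword">true', '"StoreSaltedPassword">false'))

if __name__ == "__main__":
    print(check_datasources(SAMPLE_DATASOURCES), sorted(missing_datasources(SAMPLE_DATASOURCES)))
    print(check_user_store(WEAK_USER_MGT))
```

Run it against the real files by reading them into strings and passing both datasource documents to missing_datasources() at once; the MySQL sample on this page trips the TLS and credential checks by design, which is why those values should be replaced before the server is exposed.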

Configuring the carbon.xml file

  1. Apply the following changes in the <WSO2_OB_KM_HOME>/repository/conf/carbon.xml file:

    1. Update the <HostName> and <MgtHostName> with the IP addresses of the Key Manager server(s).

    2. Update the <KeyAlias> under <KeyStore> to match the alias provided when the KeyStore was created for the Key Manager server.

Configuring the api-manager.xml file

  1. Disable the <PolicyDeployer> by setting its <Enabled> property to false inside the <ThrottlingConfigurations> section of the <WSO2_OB_KM_HOME>/repository/conf/api-manager.xml file, as shown below.

    ```xml
    <PolicyDeployer>
        <Enabled>false</Enabled>
    </PolicyDeployer>
    ```
  2. Update the <ScopeWhitelist> property inside the <OAuthConfigurations> section of the <WSO2_OB_KM_HOME>/repository/conf/api-manager.xml file and replace the <Scope> elements as shown below.

    ```xml
    <ScopeWhitelist>
        <Scope>openid</Scope>
        <Scope>extended_transaction_history</Scope>
        <Scope>^OB_.*</Scope>
        <Scope>^TIME_.*</Scope>
    </ScopeWhitelist>
    ```
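
As an added example (not code from the page or from WSO2), the following shows how a requested scope string is partitioned against the whitelist above. It assumes that each <Scope> entry is matched as a regular expression against the whole scope name, so openid matches only itself while ^OB_.* covers every scope starting with OB_, and that in the API Manager a whitelisted scope is one that is not validated against user roles; the scope strings are constructed.

```python
"""Added example, not part of the WSO2 documentation: how a requested scope is
checked against the <ScopeWhitelist> entries configured above.

Assumption: each <Scope> entry is applied as a regular expression that must
match the whole scope name (a plain entry such as openid therefore matches
only itself), and whitelisted scopes skip the role-to-scope validation.
"""
import re

# The entries from the api-manager.xml step above.
SCOPE_WHITELIST = ("openid", "extended_transaction_history", "^OB_.*", "^TIME_.*")


def is_whitelisted(scope, whitelist=SCOPE_WHITELIST):
    """True if some whitelist entry matches the entire scope name."""
    return any(re.fullmatch(entry, scope) for entry in whitelist)


def split_scopes(requested, whitelist=SCOPE_WHITELIST):
    """Partition a space-separated scope string into (whitelisted, role_validated).

    The second list holds the scopes a token request must still justify
    through the user's roles, since only whitelisted scopes bypass that check.
    """
    whitelisted, role_validated = [], []
    for scope in requested.split():
        (whitelisted if is_whitelisted(scope, whitelist) else role_validated).append(scope)
    return whitelisted, role_validated


if __name__ == "__main__":
    # Constructed request: two API scopes mixed with whitelisted ones.
    print(split_scopes("openid accounts OB_accounts TIME_20200101 openid_extra"))
```

Note that openid_extra is not whitelisted even though it starts with openid: the entry is anchored to the whole name, while ^OB_.* deliberately is not, which is why a prefix pattern should be chosen carefully.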

Configuring the application-authentication.xml file

  1. Update the <WSO2_OB_KM_HOME>/repository/conf/identity/application-authentication.xml file with the following configurations.
    1. Update the <AuthenticationEndpointURL> and <AuthenticationEndpointRetryURL> elements with the URLs of the authentication web application, as shown below.

      ```xml
      <AuthenticationEndpointURL>https://<WSO2_OB_KM_HOST>:9446/ob/authenticationendpoint/login.do</AuthenticationEndpointURL>
      <AuthenticationEndpointRetryURL>https://<WSO2_OB_KM_HOST>:9446/ob/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL>
      ```
    2. Add the include action to the <AuthenticationEndpointRedirectParams> element in the same file. When the action is set to include, the defined parameters are sent to the AuthenticationEndpoint as query parameters.

      ```xml
      <AuthenticationEndpointRedirectParams action="include" removeOnConsumeFromAPI="true">
              <AuthenticationEndpointRedirectParam name="sessionDataKeyConsent"/>
              <AuthenticationEndpointRedirectParam name="relyingParty"/>
              <AuthenticationEndpointRedirectParam name="authenticators"/>
              <AuthenticationEndpointRedirectParam name="authFailureMsg"/>
              <AuthenticationEndpointRedirectParam name="authFailure"/>
      </AuthenticationEndpointRedirectParams>
      ```

      Tip

      If you are using a customized authentication web app, you can access the hidden parameters using the sessionDataKeyConsent parameter. For more information, see Authentication Data API.

Configuring the identity.xml file

Update the <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml file with the following configurations.

  1. Define the Open Banking specific Request Object Validator under <OpenIDConnect> as follows:

    ```xml
    <RequestObjectValidator>com.wso2.finance.request.object.validator.OBRequestObjectValidatorImpl</RequestObjectValidator>
    ```
  2. Update the following configurations under the <OAuth> property with the hostname of the Open Banking API Manager Gateway.

    ```xml
    <OAuth2AuthzEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/authorize</OAuth2AuthzEPUrl>
    <OAuth2TokenEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/token</OAuth2TokenEPUrl>
    <OAuth2UserInfoEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/userinfo</OAuth2UserInfoEPUrl>
    <OAuth2DCREPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/register</OAuth2DCREPUrl>
    ```
  3. Update the following configuration under the <OpenIDConnect> tag with the hostname of the Open Banking API Manager server.

    ```xml
    <IDTokenIssuerID>https://<WSO2_OB_APIM_HOST>:8243/token</IDTokenIssuerID>
    ```
  4. Make sure the RenewRefreshTokenForRefreshGrant value is set to false. With this configuration, the refresh token received through the refresh token grant type is not renewed. This is used to enforce consent re-authorization.

    ```xml
    <RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>
    ```
  5. Add RenewTokenPerRequest and set the value to true. This configuration issues a new token for each request and revokes any active tokens for the same application and user. It is used to revoke previous tokens bound to the PSU during consent re-authentication.

    ```xml
    <RenewTokenPerRequest>true</RenewTokenPerRequest>
    ```
  6. Configure the ReceiverURL of the <EventPublisher> under <AdaptiveAuth> with the hostname of the Open Banking Business Intelligence Server. By default, the relevant Siddhi Apps are configured to listen on port 8006.

    ```xml
    <ReceiverURL>http://<WSO2_OB_BI_HOST>:8006/</ReceiverURL>
    ```
  7. Make sure the following Open Banking specific response type handlers are added under <SupportedResponseTypes>.

    ```xml
    <SupportedResponseType>
        <ResponseTypeName>code</ResponseTypeName>
        <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBCodeResponseTypeHandler</ResponseTypeHandlerImplClass>
    </SupportedResponseType>
    <SupportedResponseType>
        <ResponseTypeName>code id_token</ResponseTypeName>
        <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBHybridResponseTypeHandler</ResponseTypeHandlerImplClass>
    </SupportedResponseType>
    ```
  8. Make sure the following Open Banking specific grant types are present under the <SupportedGrantTypes> property.

    ```xml
    <SupportedGrantType>
        <GrantTypeName>authorization_code</GrantTypeName>
        <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
    </SupportedGrantType>

    <SupportedGrantType>
        <GrantTypeName>client_credentials</GrantTypeName>
        <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
        <IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
        <IdTokenAllowed>false</IdTokenAllowed>
    </SupportedGrantType>
    ```

    Note

    To bind the MTLS certificate of the TPP that is sent in the requests to the user access token, update the <GrantTypeHandlerImplClass> parameter under <GrantTypeName>authorization_code</GrantTypeName> as follows:

    ```xml
    <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.MTLSTokenBindingAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
    ```

    Add the following event listener under <EventListeners> and enable it as follows:

    ```xml
    <EventListener enable="true" name="com.wso2.finance.open.banking.identity.extensions.listeners.OBIntrospectionResponseInterceptor" orderId="27" type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"/>
    ```
  9. The cache configurations are available in the <CacheManager> element under <CacheConfig>. Update them according to your requirements. For example, the Open Banking specific PrivateKeyJWT cache is configured as follows:

    ```xml
    <CacheConfig>
        <CacheManager name="IdentityApplicationManagementCacheManager">
            <Cache name="PrivateKeyJWT" enable="true" timeout="10" capacity="5000" isDistributed="false"/>
        </CacheManager>
    </CacheConfig>
    ```
  10. The ID Token Builder and the algorithm that signs the ID Token are configurable.

    By default, <IDTokenBuilder> is set to org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder. For example, to sign the ID Token with the SHA256withPS algorithm, the configurations are as follows:

    ```xml
    <OpenIDConnect>
        <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
        <SignatureAlgorithm>SHA256withPS</SignatureAlgorithm>
    </OpenIDConnect>
    ```
  11. By default, the Consent Management APIs are secured with basic authentication.

    1. Each API resource is secured using a <Resource> element under <ResourceAccessControl>.
    2. Use the default user or create a new user in the Key Manager Management Console to access the Consent Management APIs.
    3. Update the <Permissions> element under <Resource> with the required permissions. These permissions restrict access to the APIs. For more information, see Configuring Roles and Permissions.
    4. Update the credentials in the Open Banking API Manager with the created user details:

      1. Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file.
      2. Update the credentials under <APISecurity><Global> with the created user details.

        By default, this is set to the username and password of the super admin.

        ```xml
        <APISecurity>
            <Global>
                <Username>[email protected]</Username>
                <Password>wso2123</Password>
            </Global>
        </APISecurity>
        ```
    5. To disable basic authentication for an API, set the secured property to false in the corresponding <Resource> element. For example, to disable basic authentication for the uk300 resources, update the configurations in the <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml file as follows:

      ```xml
      <ResourceAccessControl>
          <!--
              Configuration for protecting consent management APIs.
              If not required, set secured to false. The credentials of the basic auth are
              from the registered user role with the permission as specified in the Permission tag.
          -->
          <Resource context="(.*)/uk300/(.*)" http-method="all" secured="false" allowed-auth-handlers="BasicAuthentication">
              <Permissions>/permission/admin</Permissions>
          </Resource>
          <!--
              END OF Configuration for protecting consent management APIs
          -->
      </ResourceAccessControl>
      ```
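
The following is an added example, not part of the WSO2 documentation: a checker that evaluates a request path and method against <ResourceAccessControl> entries like the one above and reports whether Basic Authentication is enforced and which permission applies, and that lists every resource left open by secured="false". It assumes the context attribute is matched against the whole path, that the first matching <Resource> wins, and that http-method is compared case-insensitively; the identity.xml fragment and the request paths are constructed samples.

```python
"""Added example, not part of the WSO2 documentation: a checker for the
<ResourceAccessControl> entries that protect the Consent Management APIs.

For a request path and HTTP method it finds the first <Resource> whose context
regex matches the whole path (Java String.matches semantics are assumed) and
whose http-method is "all" or the request's method, then reports whether Basic
Authentication is enforced and which permission is required.  It also lists
every resource left open by secured="false".  The fragment and request paths
below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET


def load_resources(xml_text):
    """Parse <Resource> elements in document order."""
    entries = []
    for res in ET.fromstring(xml_text).iter("Resource"):
        entries.append({
            "context": re.compile(res.get("context", "")),
            "method": res.get("http-method", "all").lower(),
            # Assumption: a missing secured attribute means the resource is protected.
            "secured": res.get("secured", "true").lower() == "true",
            "permission": (res.findtext("Permissions") or "").strip(),
        })
    return entries


def match_resource(entries, path, method):
    """First entry applicable to the method whose context matches the full path."""
    for entry in entries:
        if entry["method"] in ("all", method.lower()) and entry["context"].fullmatch(path):
            return entry
    return None


def access_decision(xml_text, path, method="GET"):
    """'open', 'basic-auth:<permission>' or 'unmatched' for one request."""
    entry = match_resource(load_resources(xml_text), path, method)
    if entry is None:
        return "unmatched"
    return f"basic-auth:{entry['permission']}" if entry["secured"] else "open"


def unsecured_resources(xml_text):
    """Context patterns whose resources skip Basic Authentication."""
    return [e["context"].pattern for e in load_resources(xml_text) if not e["secured"]]


# Constructed identity.xml fragment: the uk300 resources are opened up as in the
# page's example, while a second, made-up POST-only resource keeps Basic Authentication.
SAMPLE_ACCESS_CONTROL = """<ResourceAccessControl>
  <Resource context="(.*)/uk300/(.*)" http-method="all" secured="false" allowed-auth-handlers="BasicAuthentication">
    <Permissions>/permission/admin</Permissions>
  </Resource>
  <Resource context="(.*)/consent/(.*)" http-method="POST" secured="true" allowed-auth-handlers="BasicAuthentication">
    <Permissions>/permission/admin</Permissions>
  </Resource>
</ResourceAccessControl>"""

if __name__ == "__main__":
    for path in ("/consent/uk300/account-access-consents", "/consent/validate", "/oauth2/token"):
        print(path, "->", access_decision(SAMPLE_ACCESS_CONTROL, path, "POST"))
    print("unsecured:", unsecured_resources(SAMPLE_ACCESS_CONTROL))
```

Running unsecured_resources() over the real identity.xml after editing is a quick way to confirm that only the resources you intended to open (here the uk300 ones) have secured="false", since a broad context such as (.*)/uk300/(.*) also covers any path that merely contains that segment.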

Disabling weak ciphers

A cipher is an algorithm for performing encryption or decryption. When you set the SSL protocol of your server to TLS, the default cipher suites are enabled without regard to their strength. This is a security risk, as weak ciphers, such as the EXPORT ciphers, can make your system vulnerable to attacks. To prevent these attacks, it is recommended to disable the weak ciphers.

Refer to Disabling weak ciphers in the WSO2 Administration Guide to disable the weak ciphers.
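
As an added example, not code from the page or from the WSO2 Administration Guide, the following filter separates weak suites from a cipher list so that only the strong ones are written into the server's cipher configuration. The weak-suite markers beyond EXPORT (NULL, anonymous, RC4, DES/3DES, MD5) and the sample suite list are the example's own assumptions.

```python
"""Added example, not part of the WSO2 documentation: separating weak cipher
suites from a server's cipher list before it is applied.

The page names EXPORT ciphers; the markers below also treat NULL, anonymous,
RC4, DES/3DES and MD5-based suites as weak, which is the usual practitioner
list and an assumption beyond the page.  The suite names are a constructed
sample in JSSE naming, not read from any running server.
"""

# Substrings that identify a weak suite in JSSE cipher names (assumed list).
WEAK_MARKERS = ("_EXPORT", "_NULL_", "_anon_", "_RC4_", "_DES_", "_3DES_", "_MD5")


def is_weak(cipher):
    """True if the JSSE cipher name carries any weak-suite marker."""
    return any(marker in cipher for marker in WEAK_MARKERS)


def partition_ciphers(ciphers):
    """Split a cipher list into (strong, weak), preserving the given order."""
    strong = [c for c in ciphers if not is_weak(c)]
    weak = [c for c in ciphers if is_weak(c)]
    return strong, weak


def ciphers_attribute(ciphers):
    """The strong suites joined as a comma-separated connector 'ciphers' attribute value."""
    return ",".join(partition_ciphers(ciphers)[0])


# Constructed sample: a mix of modern AEAD suites and suites that should be disabled.
SAMPLE_CIPHERS = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]

if __name__ == "__main__":
    strong, weak = partition_ciphers(SAMPLE_CIPHERS)
    print("disabled:", weak)
    print('ciphers="%s"' % ciphers_attribute(SAMPLE_CIPHERS))
```

The output is the value to paste into the connector's ciphers attribute; after restarting, confirm with a TLS scanner that none of the suites in the weak list are still negotiable.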