This documentation is for WSO2 Open Banking version 1.5.0. View documentation for the latest release.

Comment: Remove 90 days reauthentication

...

Configuration
1

Define the specification that you plan to deploy.

Possible values: UK, BERLIN, AU, STET

Code Block
languagexml
<DeployedSpecification>UK</DeployedSpecification> 
2

If you want to enable the event notification feature, set <IsEnabled> to true and define the following configurations:

  • <TokenIssuer>: The URL from where the token is issued.
  • <NotificationExpiryTime>: The expiry time of the notification, in seconds.
  • <NotificationAPIUrl>: The URL of the event-notification endpoint which is exposed from API Manager.
  • <NumberOfSetsToReturn>: The maxEvents parameter in the polling request informs the ASPSP how many notifications the TPP wants to retrieve at a moment. When the maxEvents parameter is absent in the polling request, NumberOfSetsToReturn defines this value.
  • <SigningAlias>: The alias of the certificate that signs the notifications sent from ASPSP to TPP.
Code Block
languagexml
<EventNotifications>
	<IsEnabled>true</IsEnabled>
	<TokenIssuer>www.openbank.com</TokenIssuer>
	<NotificationExpiryTime>180</NotificationExpiryTime>
	<NotificationAPIUrl>https://<WSO2_OB_APIM_HOST>:8243/open-banking/v3.1/event-notification</NotificationAPIUrl>
	<NumberOfSetsToReturn>5</NumberOfSetsToReturn>
	<SigningAlias>wso2carbon</SigningAlias>
</EventNotifications>
3

To log the Consent Management API calls in JSON format:

  1. Set the LogConsentInformation configuration to true in <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml.

    Code Block
    languagexml
    <LogConsentInformation>true</LogConsentInformation>
  2. Add the following properties to the <WSO2_OB_KM_HOME>/repository/conf/log4j.properties file. This saves the log entries in the <WSO2_OB_KM_HOME>/repository/logs/transaction.log file in JSON format.

    Code Block
    languagetext
    log4j.logger.TRANSACTION_LOGGER=INFO, TRANSACTION_LOGGER
    log4j.appender.TRANSACTION_LOGGER=org.apache.log4j.FileAppender
    log4j.appender.TRANSACTION_LOGGER.File=${carbon.home}/repository/logs/transaction.log
    log4j.appender.TRANSACTION_LOGGER.Append=true
    log4j.appender.TRANSACTION_LOGGER.layout=org.apache.log4j.PatternLayout
    log4j.appender.TRANSACTION_LOGGER.layout.ConversionPattern=[%d] - %m %n
    log4j.appender.TRANSACTION_LOGGER.threshold=INFO
    log4j.additivity.TRANSACTION_LOGGER=false
4

<DaysToExpireRequest>: Defines the number of days after which the system considers the consent as expired if the required authorisation is not given.

Code Block
languagexml
<MultiAuthorization>
  <DaysToExpireRequest>3</DaysToExpireRequest>
</MultiAuthorization>
5
  • Shareable accounts - accounts that are accessible online.

<SharableAccountsRetrieveEndpoint>: Configures the endpoint to retrieve the sharable accounts that need to be listed on the consent page.

Code Block
languagexml
<SharableAccountsRetrieveEndpoint>http://<WSO2_OB_APIM_HOST>:9763/open-banking/services/bankaccounts/bankaccountservice/sharable-accounts</SharableAccountsRetrieveEndpoint>
  • Payable accounts - accounts from which a PSU can make a payment.

<PayableAccountsRetrieveEndpoint>: Configures the endpoint to retrieve the payable accounts that need to be listed on the consent page.

Code Block
languagexml
<PayableAccountsRetrieveEndpoint>http://<WSO2_OB_APIM_HOST>:9763/open-banking/services/bankaccounts/bankaccountservice/payable-accounts</PayableAccountsRetrieveEndpoint>

In some banks, a PSU may hold a number of accounts, but not all of them can be shared externally or used to make a payment online. In a bank, the shareable account list and the payable account list can either be the same or different.

In the default WSO2 Open Banking solution, at least two APIs are expected to return the shareable and payable accounts when the user_id is passed, and they must return the JSON response shown below. The solution then automatically loads the account list on the consent page.

Code Block
{
 "data": [
  {
   "account_id": "1234-2345-3456-4567",
   "display_name": "1234-2345-3456-4567"
  },
  {
   "account_id": "9999-4345-8456-4567",
   "display_name": "9999-4345-8456-4567"
  }
 ]
}

By default, a mock backend deployed in WSO2_OB_APIM is configured. Required parameters can be passed as query parameters to these endpoints. An example of configuring the endpoint to retrieve payable accounts:

Code Block
languagexml
http://<WSO2_OB_APIM_HOST>:9443/as400/payable-accounts/{userId}

If you plan to implement the multi-authorization feature for the PISP flow, the payable account retrieval endpoint should return the following JSON response.

Code Block
{
 "data": [{
   "account_id": "30080098971337",
   "display_name": "30080098971337",
   "authorizationMethod": "multiple",
   "authorizationUsers": [{
     "customer_id": "123",
     "user_id": "[email protected]@carbon.super"
    },
    {
     "customer_id": "456",
     "user_id": "[email protected]@carbon.super"
    }
   ]
  }
 ]
}


An example of configuring the endpoint to retrieve sharable accounts:

Code Block
http://<WSO2_OB_APIM_HOST>:9443/as400/sharable-accounts/{userId}
6

Enable Request-URI validation:

Info

This is available only as a WUM update and is effective from December 02, 2019 (12-02-2019). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

To validate the AccountID against the AccountID in the consent during account retrieval, add the following configuration under the <UK> element:

Code Block
languagexml
<!-- Validate AccountID with consented accountID in account retrieval -->
<ValidateAccountIdOnRetrieval>true</ValidateAccountIdOnRetrieval>
7

Configure the role to identify the customer care officers, who are able to access the customer care portal, and revoke the consents on behalf of customers.

Code Block
languagexml
<UK>
  <CustomerCareOfficerRole>Internal/CustomerCareOfficer</CustomerCareOfficerRole>
</UK>
8

The unique ID of the ASPSP to which the request is issued. The unique ID is issued by OBIE and corresponds to the Organization ID of the ASPSP in the Open Banking Directory. If the value does not match the expected value (based on the Client ID or network certificate of the caller), the ASPSP must reject the request with a 403 (Forbidden) status code.

Code Block
languagexml
<UK>
  <XFAPIFinancialId>open-bank</XFAPIFinancialId>
</UK>
9

According to the openbanking.org.uk specification, the links to access the created resource must be returned, as follows.

Code Block
languagexml
"Links": {
   "Self": "https://api.alphabank.com/open-banking/v3.0/pisp/domestic-payment-consents/58923"
 },

In order to generate the self URL shown in the above JSON, configure the URLs of the exposed APIs, as shown in the below configuration.

Code Block
languagexml
<UK>
   <PaymentAPIURL>https://<WSO2_OB_APIM_HOST>:8243/open-banking/{version}/pisp/</PaymentAPIURL>
   <AccountAPIURL>https://<WSO2_OB_APIM_HOST>:8243/open-banking/{version}/aisp/</AccountAPIURL>
   <FundsConfirmationAPIURL>https://APIM_HOSTNAME:8243/open-banking/{version}/cbpii/</FundsConfirmationAPIURL>
   
   <!--configure the url to get details about the error-->
   <ErrorURL></ErrorURL>
</UK>
10

In order to improve the performance of the API Gateway, the consent validation responses for account information retrieval calls are cached.

  • <EnableConsentValidationCache>: Determines whether or not the consent validation cache is enabled at the API Gateway.
  • <ConsentValidationCacheExpiry>: The expiry time for the consent validation info cache, in seconds.
  • <DefaultCacheTimeout>: The time in which the cache times out, in seconds.
Code Block
languagexml
<UK>
  <Cache>
    <EnableConsentValidationCache>true</EnableConsentValidationCache>
    <ConsentValidationCacheExpiry>900</ConsentValidationCacheExpiry>
    <DefaultCacheTimeout>120000</DefaultCacheTimeout>
  </Cache>
</UK>
11

In the AISP flow, when the TPP invokes the account retrieval APIs, it can use either /accounts/{consentId} or /accounts/{accountId}.

To use the consentId in the path, set UseConsentIdInPath to true. By default, the accountId is used.

Code Block
languagexml
<UK>
  <UseConsentIdInPath>false</UseConsentIdInPath>
</UK>
12

The following configuration is used to handle release management of the deployed API specifications.

E.g., if a resource is created using API specification version v2.0, that resource can only be accessed using API specifications v2.0 and above.

Code Block
languagexml
<UK>
  <UK110SupportedSpecsToRequest>UK110|UK200|UK300</UK110SupportedSpecsToRequest>
  <UK200SupportedSpecsToRequest>UK200|UK300</UK200SupportedSpecsToRequest>
  <UK300SupportedSpecsToRequest>UK300</UK300SupportedSpecsToRequest>
</UK>
13

Account permissions not supported by the ASPSP can be restricted for the TPP by specifying one or more permissions separated by a pipe (|). By default, no permissions are restricted.

E.g. ReadOffers|ReadPAN|ReadParty|ReadPartyPSU

Code Block
languagexml
<UK>
  <RestrictedPermissions>ReadOffers</RestrictedPermissions>
</UK>
14

WSO2 Open Banking supports Dynamic Client Registration (DCR) v1.0.0 and v3.2. According to the DCR version you run, configure the following under the <Server> element:

DCR v1.0.0:

Code Block
languagexml
<DCR>
	<!--the supported authentication methods for the token endpoint -->
	<TokenAuthentication>
		<Method>private_key_jwt</Method>
		<Method>tls_client_auth</Method>
	</TokenAuthentication>
	<!--the connection and read time out values for retrieving the remote jwks to validate the ssa and request jwt signatures during tpp registration-->
	<ConnectionTimeout>0</ConnectionTimeout>
	<ReadTimeout>0</ReadTimeout>
	<!--The endpoint urls are to access the rest APIs of API manager in order to create the application, service provider and generate keys for the application. -->
	<EndPointURL>
		<ServiceProviderCreation>/client-registration/v0.14/register</ServiceProviderCreation>
		<Application>/api/am/store/v0.14/applications</Application>
		<Token>/token</Token>
		<KeyGeneration>/api/am/store/v0.14/applications/generate-keys</KeyGeneration>
		<ApiSearch>/api/am/store/v0.14/apis</ApiSearch>
		<ApiSubscribe>/api/am/store/v0.14/subscriptions/multiple</ApiSubscribe>
	</EndPointURL>
	<!--if true validate the policy,client,terms of service,logo uris -->
	<EnableURIValidation>false</EnableURIValidation>
	<!--if true validate the hostnames of policy,client,terms of service, logo uris match with the hostname of redirect uri-->
	<EnableHostNameValidation>false</EnableHostNameValidation>
	<APISubscriptions>
		<PISP>
			<APIContext>/open-banking/v3.1/pisp</APIContext>
			<APIContext>/open-banking/v3.0/pisp</APIContext>
			<APIContext>/open-banking/v2.0/pisp</APIContext>
		</PISP>
		<AISP>
			<APIContext>/open-banking/v3.1/aisp</APIContext>
			<APIContext>/open-banking/v3.0/aisp</APIContext>
			<APIContext>/open-banking/v2.0/aisp</APIContext>
		</AISP>
	</APISubscriptions>
	<UseSoftwareIdAsApplicationName>true</UseSoftwareIdAsApplicationName>
	<JwksUrlSandbox>https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks</JwksUrlSandbox>
	<JwksUrlProduction>https://keystore.openbanking.org.uk/keystore/openbanking.jwks</JwksUrlProduction>
</DCR>
DCR v3.2:

Code Block
languagexml
<DCR>
	<TokenAuthentication>
		<Method>private_key_jwt</Method>
		<Method>tls_client_auth</Method>
	</TokenAuthentication>
	<ConnectionTimeout>0</ConnectionTimeout>
	<ReadTimeout>0</ReadTimeout>
	<EnableURIValidation>false</EnableURIValidation>
	<EnableHostNameValidation>false</EnableHostNameValidation>
	<UseSoftwareIdAsApplicationName>true</UseSoftwareIdAsApplicationName>
	<JwksUrlSandbox>https://keystore.openbankingtest.org.uk/keystore/openbanking.jwks</JwksUrlSandbox>
	<JwksUrlProduction>https://keystore.openbanking.org.uk/keystore/openbanking.jwks</JwksUrlProduction>
</DCR>
Parameter descriptions for the above-mentioned parameters:
  • <TokenAuthentication>: The supported authentication methods for the token endpoint. Possible values are private_key_jwt and tls_client_auth .
  • <ConnectionTimeout> and <ReadTimeout>: The time out values when connecting to the JWKS endpoint of the Open Banking directory to retrieve the JSON web keys related to the TPP.
  • <EndPointURL>: The endpoint URLs to access the REST APIs of the API Manager in order to create the application and service provider, and generate keys for the application.
  • <EnableURIValidation>: If true, validate the policy, client, terms of service, and logo URIs.
  • <EnableHostNameValidation>: True or false can be set as values to check the hostname of policy, client, terms of service, and logo URIs against the hostname of redirect URI.
  • <APISubscriptions>: Specify the context of the APIs that need to subscribe when the TPP registers through DCR. 
  • <UseSoftwareIdAsApplicationName>: Set to true to use the SoftwareID in the SSA as the name of the application.
15
  • <MaximumInstructedAmount>: The maximum instructed amount allowed.
  • <PermittedFrequencyPattern>: Frequency patterns that are supported by the ASPSP can be configured as a regex pattern separated by a pipe (|). By default, the ^(EvryDay)$|^(EvryWorkgDay)$|^(IntrvlWkDay:0[1-9]:0[1-7])$|^(WkInMnthDay:0[1-5]:0[1-7])$|^(IntrvlMnthDay:(0[1-6]|12|24):(-0[1-5]|0[1-9]|[12][0-9]|3[01]))$|^(QtrDay:(ENGLISH|SCOTTISH|RECEIVED))$ regex is supported. If you want to change the default pattern, configure the regex pattern.
  • <AllowedAmountPattern>: The allowed pattern for the payment amount in domestic standing orders. The default pattern is ^\d{1,13}\.\d{1,5}$
  • <AllowedCurrencyPattern>: The allowed currency pattern for domestic standing orders. The default pattern is ^[A-Z]{3,3}$
  • <MaximumFuturePaymentDays>: The maximum future date of a scheduled payment.

Code Block
languagexml
<UK>
<PaymentRestrictions>
    <MaximumInstructedAmount>1000.00</MaximumInstructedAmount>

    <!--Frequency patterns that are supported by the ASPSP can be configured as a regex pattern separated by
    a pipe (|). By default, ^(EvryDay)$|^(EvryWorkgDay)$|^(IntrvlWkDay:0[1-9]:0[1-7])$|^(WkInMnthDay:0[1-5]:0[1-7])$|^(IntrvlMnthDay:(0[1-6]|12|24):(-0[1-5]|0[1-9]|[12][0-9]|3[01]))$|^(QtrDay:(ENGLISH|SCOTTISH|RECEIVED))$
    regex is supported. If you want to change the default pattern uncomment the following configuration
    and configure the regex pattern
    <PermittedFrequencyPattern></PermittedFrequencyPattern>
    before v1.3.0, there was a configuration to configure restricted frequency pattern.
    But it is now deprecated <RestrictedFrequencyPattern></RestrictedFrequencyPattern> -->

    <!--The allowed pattern for configuring the amount for domestic standing orders-->
    <!--<AllowedAmountPattern></AllowedAmountPattern>-->

    <!--The allowed pattern for configuring the currency for domestic scheduled payments-->
    <!--<AllowedCurrencyPattern></AllowedCurrencyPattern>-->

    <MaximumFuturePaymentDays>90</MaximumFuturePaymentDays>
    ...
</PaymentRestrictions>
</UK>
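As an added illustration (not WSO2 code), the following Python applies the restriction values from the block above to a constructed domestic standing order request. The request field names Amount, Currency, Frequency and FirstPaymentDate are assumptions for this example and are not taken from the configuration reference; the regex patterns and limits are the ones documented above.

```python
import re
from datetime import date
from decimal import Decimal
from typing import Dict, List

# Restriction values copied from the <PaymentRestrictions> configuration above.
MAXIMUM_INSTRUCTED_AMOUNT = Decimal("1000.00")
MAXIMUM_FUTURE_PAYMENT_DAYS = 90
ALLOWED_AMOUNT_PATTERN = re.compile(r"^\d{1,13}\.\d{1,5}$")
ALLOWED_CURRENCY_PATTERN = re.compile(r"^[A-Z]{3,3}$")
# The default <PermittedFrequencyPattern>: six anchored alternatives joined by "|".
PERMITTED_FREQUENCY_PATTERN = re.compile(
    r"^(EvryDay)$|^(EvryWorkgDay)$|^(IntrvlWkDay:0[1-9]:0[1-7])$"
    r"|^(WkInMnthDay:0[1-5]:0[1-7])$"
    r"|^(IntrvlMnthDay:(0[1-6]|12|24):(-0[1-5]|0[1-9]|[12][0-9]|3[01]))$"
    r"|^(QtrDay:(ENGLISH|SCOTTISH|RECEIVED))$"
)


def validate_standing_order(initiation: Dict[str, str], today_iso: str) -> List[str]:
    """Return the list of restriction violations; an empty list means the request passes.

    The field names (Amount, Currency, Frequency, FirstPaymentDate) are assumptions made for
    this example, not part of the configuration reference.
    """
    today = date.fromisoformat(today_iso)
    errors: List[str] = []
    amount = str(initiation.get("Amount", ""))
    currency = str(initiation.get("Currency", ""))
    frequency = str(initiation.get("Frequency", ""))

    # fullmatch is used on purpose: with match(), Python's "$" would still accept a value
    # carrying a trailing newline, so the pattern would be weaker than it looks.
    # Check the shape first, so only digits and one dot ever reach Decimal().
    if not ALLOWED_AMOUNT_PATTERN.fullmatch(amount):
        errors.append("Amount does not match AllowedAmountPattern")
    elif Decimal(amount) > MAXIMUM_INSTRUCTED_AMOUNT:
        errors.append("Amount exceeds MaximumInstructedAmount")

    if not ALLOWED_CURRENCY_PATTERN.fullmatch(currency):
        errors.append("Currency does not match AllowedCurrencyPattern")

    # Each alternative is anchored, so exactly one whole frequency form must match.
    if not PERMITTED_FREQUENCY_PATTERN.fullmatch(frequency):
        errors.append("Frequency does not match PermittedFrequencyPattern")

    first_payment = initiation.get("FirstPaymentDate")
    if first_payment is not None:
        try:
            days_ahead = (date.fromisoformat(first_payment) - today).days
        except ValueError:
            errors.append("FirstPaymentDate is not an ISO-8601 date")
        else:
            if days_ahead < 0 or days_ahead > MAXIMUM_FUTURE_PAYMENT_DAYS:
                errors.append("FirstPaymentDate is outside MaximumFuturePaymentDays")
    return errors


# Constructed sample requests (not real payment data).
GOOD_REQUEST = {
    "Amount": "250.00",
    "Currency": "GBP",
    "Frequency": "IntrvlMnthDay:01:-01",  # one of the IntrvlMnthDay forms the default allows
    "FirstPaymentDate": "2020-02-15",
}
BAD_REQUEST = {
    "Amount": "1500",                   # no fractional part: fails the amount pattern
    "Currency": "gbp",                  # lower case: fails the currency pattern
    "Frequency": "IntrvlWkDay:10:01",   # week interval 10 is outside 01-09
    "FirstPaymentDate": "2020-09-01",   # 244 days ahead of the sample "today"
}
```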
16

<CutOffDateTime>.<Enabled>: Set to true if the bank wants to enforce the CutOffDateTime behaviour for the payments.

<CutOffDateTime>.<CutOffDateTimePolicy>: Specify the preferred approach to handle the CutOffDateTime behaviour.

<CutOffDateTime>.<DailyCutOffTime>: The daily request cut off time.

<CutOffDateTime>.<ExpectedExecutionTime>: If the SelectedPolicy is set to ACCEPT, the expected execution time for the next day.

<CutOffDateTime>.<ExpectedSettlementTime>: If the SelectedPolicy is set to ACCEPT, the expected settlement time for the next day.

Code Block
languagexml
<UK>
<PaymentRestrictions>
    <!--
    Configurations regarding the handling of Payment requests after a cut off DateTime
    -->
    <CutOffDateTime>
        <!--IsEnabled denotes whether a CutOffDateTime is to be enforced by the ASPSP -->
        <Enabled>true</Enabled>
        <!--SelectedPolicy denotes the preferred Approach to handling requests past the CutOffDateTime.
         Allowed values are:
         1. REJECT - Reject all requests arriving past the DateTime value
         2. ACCEPT - Accept all requests arriving past the DateTime value and return ExpectedExecutionDateTime
         and ExpectedSettlementDateTime.
         -->
        <CutOffDateTimePolicy>REJECT</CutOffDateTimePolicy>
        <!--Expected format for all dates - hh:mm:ss.ffffff+|-hh:mm -->
        <!--The Daily time requests are to be cut off at -->
        <DailyCutOffTime>17:30:00+00:00</DailyCutOffTime>
        <!--Need to be set if the SelectedPolicy is set to ACCEPT.
            The ExpectedExecutionTime and the ExpectedSettlementTime for the next day -->
        <ExpectedExecutionTime>10:00:00+00:00</ExpectedExecutionTime>
        <ExpectedSettlementTime>11:00:00+00:00</ExpectedSettlementTime>
    </CutOffDateTime>
</PaymentRestrictions>
</UK>
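The REJECT and ACCEPT policies described above, worked through in Python as an added example (not WSO2 code). It parses the documented hh:mm:ss+|-hh:mm values, compares the request time in the offset declared on <DailyCutOffTime>, and, under ACCEPT, derives the next-day execution and settlement timestamps; the sample configurations are constructed from the values in the block above.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class CutOffConfig:
    """Values of the <CutOffDateTime> element, parsed from their XML text."""
    enabled: bool
    policy: str                # <CutOffDateTimePolicy>: REJECT or ACCEPT
    daily_cut_off: time        # <DailyCutOffTime>
    expected_execution: time   # <ExpectedExecutionTime>
    expected_settlement: time  # <ExpectedSettlementTime>

    @classmethod
    def from_xml_values(cls, enabled: str, policy: str, daily_cut_off: str,
                        execution: str, settlement: str) -> "CutOffConfig":
        # time.fromisoformat (Python 3.7+) accepts the documented hh:mm:ss[.ffffff]+|-hh:mm
        # format, so the offset becomes part of the parsed time.
        return cls(
            enabled=enabled.strip().lower() == "true",
            policy=policy.strip().upper(),
            daily_cut_off=time.fromisoformat(daily_cut_off),
            expected_execution=time.fromisoformat(execution),
            expected_settlement=time.fromisoformat(settlement),
        )


def apply_cut_off(cfg: CutOffConfig,
                  received_at: datetime) -> Tuple[str, Optional[Tuple[datetime, datetime]]]:
    """Decide how a payment request received at `received_at` is treated.

    Returns ("ACCEPTED", None) when the cut-off is disabled or not yet passed,
    ("REJECTED", None) under the REJECT policy, and
    ("ACCEPTED", (expected_execution, expected_settlement)) under the ACCEPT policy.
    """
    if received_at.utcoffset() is None:
        raise ValueError("received_at must be timezone-aware; a naive time is ambiguous here")
    if not cfg.enabled:
        return "ACCEPTED", None

    # Compare in the offset declared on <DailyCutOffTime>, not in the caller's local time.
    local = received_at.astimezone(cfg.daily_cut_off.tzinfo)
    cut_off_today = datetime.combine(local.date(), cfg.daily_cut_off)
    if local <= cut_off_today:
        return "ACCEPTED", None

    if cfg.policy == "REJECT":
        return "REJECTED", None
    if cfg.policy == "ACCEPT":
        next_day = local.date() + timedelta(days=1)
        return "ACCEPTED", (
            datetime.combine(next_day, cfg.expected_execution),
            datetime.combine(next_day, cfg.expected_settlement),
        )
    raise ValueError(f"unknown CutOffDateTimePolicy: {cfg.policy!r}")


def decide(cfg: CutOffConfig, received_at_iso: str) -> str:
    """Convenience wrapper: ISO-8601 timestamp in, decision string out."""
    return apply_cut_off(cfg, datetime.fromisoformat(received_at_iso))[0]


def expected_times(cfg: CutOffConfig, received_at_iso: str) -> Optional[Tuple[str, str]]:
    """The ACCEPT-policy timestamps as ISO strings, or None when none are returned."""
    result = apply_cut_off(cfg, datetime.fromisoformat(received_at_iso))[1]
    return None if result is None else (result[0].isoformat(), result[1].isoformat())


# Constructed from the values shown in the configuration block above.
REJECT_CONFIG = CutOffConfig.from_xml_values(
    "true", "REJECT", "17:30:00+00:00", "10:00:00+00:00", "11:00:00+00:00")
ACCEPT_CONFIG = CutOffConfig.from_xml_values(
    "true", "ACCEPT", "17:30:00+00:00", "10:00:00+00:00", "11:00:00+00:00")
DISABLED_CONFIG = CutOffConfig.from_xml_values(
    "false", "REJECT", "17:30:00+00:00", "10:00:00+00:00", "11:00:00+00:00")
```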
17

The cache expiry time for the issuer certificate and the subjectDN of the transport certificate sent in the request.

Code Block
languagexml
<UK>
  <CertificateValidationCacheExpiry>3600</CertificateValidationCacheExpiry>
</UK>
18

In consent re-authentication of the accounts flow, during authorisation, the PSU is allowed to change the selected account. If the <EnableAccountUpdateByPSU> property is set to true, the account bound to the consent is updated during re-authentication. If set to false, the account is not updated.

Code Block
languagexml
<UK>
  <ConsentReAuthentication>
    <EnableAccountUpdateByPSU>false</EnableAccountUpdateByPSU>
  </ConsentReAuthentication>
</UK>
19

If Mutual Transport Layer Security (MTLS) is terminated before the request reaches the Gateway, retrieve the TPP's certificate from the MTLS session and include it as a transport certificate header. By default, the gateway expects ssl.client.auth.cert.X509 as the transport header. Set the name of the transport certificate header in TransportCertificateHeader under the CertificateManagement element. See the sample configuration below.

Code Block
languagexml
<CertificateManagement>
    <!-- In order to enable the client certificate validation feature (Certificate Expiry, Signature and
        Revocation validation during MTLS), the following module needs to be engaged under the "Global Engaged
        Modules" section in the axis2.xml file.

        <module ref="mtlscertvalidator"/>
        -->

    <!--Set the value of the transport certificate header sent in the request if MTLS is terminated before the
        gateway default value is ssl.client.auth.cert.X509-->
    <TransportCertificateHeader>ssl.client.auth.cert.X509</TransportCertificateHeader>
</CertificateManagement>
Warning

The load balancer should not allow the TPP to send its certificate in the transport certificate header that is configured in open-banking.xml under the <TransportCertificateHeader> element.

If such a header is found in the TPP's request, it must be removed from the request. This applies even when the MTLS session is not terminated at the load balancer.

When TLS is terminated before reaching the Gateway, to send the client certificate as a transport header, use the following configuration, which is placed just above the <TransportCertificateHeader> tag:

Code Block
languagexml
<ClientTransportCertAsHeaderEnabled>true</ClientTransportCertAsHeaderEnabled>
20

In order to enable certificate revocation validation for API security, make sure that the following configurations are added under the server root element.

Code Block
languagexml
<CertificateManagement>
	<!-- Expiry time for the cache (in seconds) for storing the validation result of the certificates-->
	<ClientCertificateCacheExpiry>3600</ClientCertificateCacheExpiry>
	<!-- Enable/Disable certificate OCSP and CRL validation. Default value has been set to true -->
	<CertificateRevocationValidationEnabled>true</CertificateRevocationValidationEnabled>

	<!-- Proxy server configuration to do TPP certificate revocation checks -->
	<CertificateRevocationProxy>
		<Enabled>false</Enabled>
		<ProxyHost>PROXY_HOSTNAME</ProxyHost>
		<ProxyPort>8080</ProxyPort>
	</CertificateRevocationProxy>

	<!--Manager class implementation responsible for verifying certificate revocation status-->
	<RevocationValidationManagerImplClass>com.wso2.finance.open.banking.gateway.common.mtls.cert.validation.service.CertRevocationValidationManagerImpl</RevocationValidationManagerImplClass>

	<!-- Retry count for validating certificate OCSP and CRL revocation status -->
	<CertificateRevocationValidationRetryCount>3</CertificateRevocationValidationRetryCount>

	<!-- List of issuer DNs whose issued certificates needs to be skipped from certificate revocation
	validation.
	e.g. <IssuerDN>CN=Test Pre-Production Issuing CA, O=Test, C=GB</IssuerDN>
	-->
	<RevocationValidationExcludedIssuers>
		<IssuerDN></IssuerDN>
	</RevocationValidationExcludedIssuers>
</CertificateManagement>
21


  • <SigningConfiguration>: This configuration applies to request signing for x-jws-signature.
  • <Enable>: Determines whether or not to enable signing.
  • <TrustedAnchors>: The trusted anchor configuration. OBIE-specific trust anchor definitions.
  • <TrustedAnchors>.<Signing>: The trust anchor used in signing JOSE.
  • <TrustedAnchors>.<Validation>: Multiple values supported with the | delimiter. For example, trustanchor.org|trustanchor.org.uk
  • <OrganizationId>: The OBIE organization ID.
  • <Algorithm>: The default signing algorithm is RS256. To support other algorithms, uncomment this property and specify the value.
  • <MandatedAPIs>: Define the API contexts that require x-jws-signature verification.
Code Block
languagexml
<UK>
<SigningConfiguration>
    <!-- Enable Signing -->
    <Enable>false</Enable>
    <OBIE>
        <!--
            Trusted Anchor Configuration
            openbanking.org.uk specific Trust Anchor definitions
        -->
        <TrustedAnchors>
            <!-- Trust Anchor used in signing JOSE -->
            <Signing>openbanking.org.uk</Signing>
            <!-- Multiple values supported with `|` delimiter -->
            <Validation>openbanking.org.uk</Validation>
        </TrustedAnchors>
        <!-- OBIE Organization Id -->
        <OrganizationId>ABC1234</OrganizationId>
    </OBIE>
    <!-- Default Signing Algorithm is PS256, to support others uncomment line below -->
    <!--<Algorithm>RS256</Algorithm>-->

    <!-- The following specified APIs will be mandated for message signing. -->
    <MandatedAPIs>
        <APIContext>/open-banking/v3.0/event-notification/</APIContext>
        <APIContext>/open-banking/v3.0/pisp/</APIContext>
        <APIContext>/open-banking/v3.1/event-notification/</APIContext>
        <APIContext>/open-banking/v3.1/pisp/</APIContext>
    </MandatedAPIs>
</SigningConfiguration>
</UK>


Info: JWS validation support for Waiver 007

This is available only as a WUM update and is effective from July 06, 2020 (07-06-2020). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

  • Add the following configurations under the <SigningConfiguration> tag.

    Code Block
    languagexml
    <!-- The following specified APIs will be associated with response signing. -->
    <ResponseSignatureRequiredAPIs>
        <APIContext>/open-banking/v3.0/pisp/</APIContext>
        <APIContext>/open-banking/v3.1/pisp/</APIContext>
    </ResponseSignatureRequiredAPIs>
  • Configure the following <OBIdentityRetriever> properties.

    Code Block
    languagexml
    <OBIdentityRetriever>
        <!--
            Server Key configuration
            used for signing purposes IE - message signing
        -->
        <Server>
            <!-- alias the certificate used for signing (in repository/resources/security/wso2carbon.jks)-->
            <SigningCertificateAlias>wso2carbon</SigningCertificateAlias>
            <!-- KID value for primary signing certificate that is exposed by the JWKS endpoint under OIDC well-known endpoint (by default https://localhost:8243/.well-known/openid-configuration) -->
            <SigningCertificateKid></SigningCertificateKid>
        </Server>
    </OBIdentityRetriever>
  • See JSON Web Signature (JWS) to configure JWS validation support for Waiver 007.
22

Add the following configuration to specify the signature algorithms allowed in TPP requests. With this configuration, WSO2 Open Banking rejects JWTs signed with an algorithm that is not in the list below. If the configuration is not added, no validation occurs and any algorithm is accepted. Allowed values are:

  • PS256
Code Block
languagexml
<UK>
	<AllowedInboundSignatureAlgorithms>
		<Algorithm>PS256</Algorithm>
	</AllowedInboundSignatureAlgorithms>
</UK>
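An added illustration, not WSO2's code, of what the <SigningConfiguration> and <AllowedInboundSignatureAlgorithms> settings above mean at the gateway: the policy is read from a constructed <UK> fragment, and a request on a mandated API context is rejected when x-jws-signature is missing, when its alg is outside the allowed list, or when its http://openbanking.org.uk/tan header names an anchor that is not in <TrustedAnchors>/<Validation>. The detached-JWS layout and the tan header name are OBIE conventions assumed here; cryptographic verification of the signature is left out.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Constructed <UK> fragment mirroring the elements described above; the values
# are illustrative and not taken from any real deployment.
CONFIG_XML = """<UK>
  <SigningConfiguration>
    <Enable>true</Enable>
    <OBIE>
      <TrustedAnchors>
        <Signing>openbanking.org.uk</Signing>
        <Validation>openbanking.org.uk|trustanchor.example</Validation>
      </TrustedAnchors>
      <OrganizationId>ABC1234</OrganizationId>
    </OBIE>
    <MandatedAPIs>
      <APIContext>/open-banking/v3.1/pisp/</APIContext>
      <APIContext>/open-banking/v3.1/event-notification/</APIContext>
    </MandatedAPIs>
  </SigningConfiguration>
  <AllowedInboundSignatureAlgorithms>
    <Algorithm>PS256</Algorithm>
  </AllowedInboundSignatureAlgorithms>
</UK>"""

# JWS protected-header parameter that names the trust anchor (OBIE JWS profile)
TAN_HEADER = "http://openbanking.org.uk/tan"

def load_policy(xml_text):
    """Read the signing policy out of the <UK> configuration."""
    root = ET.fromstring(xml_text)
    sig = root.find("SigningConfiguration")
    allowed = root.find("AllowedInboundSignatureAlgorithms")
    return {
        "enabled": (sig.findtext("Enable") or "false").strip().lower() == "true",
        "mandated": [c.text.strip() for c in sig.findall("MandatedAPIs/APIContext")],
        "anchors": (sig.findtext("OBIE/TrustedAnchors/Validation") or "").split("|"),
        # None = element absent; the page says no algorithm check happens then
        "algs": None if allowed is None else [a.text.strip() for a in allowed.findall("Algorithm")],
    }

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def precheck_request(policy, path, headers):
    """Header-level checks a gateway runs before cryptographic verification.
    Returns (ok, reason); key lookup by kid and the PS256 check are out of scope."""
    if not policy["enabled"] or not any(path.startswith(c) for c in policy["mandated"]):
        return True, "signing not mandated for this path"
    jws = headers.get("x-jws-signature")
    if not jws:
        return False, "x-jws-signature header missing on a mandated API"
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False, "expected a detached-payload compact JWS (header..signature)"
    try:
        hdr = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False, "protected header is not base64url-encoded JSON"
    alg = hdr.get("alg")
    if policy["algs"] is not None and alg not in policy["algs"]:
        return False, "alg %r is not in AllowedInboundSignatureAlgorithms" % alg
    tan = hdr.get(TAN_HEADER)
    if tan not in policy["anchors"]:
        return False, "trust anchor %r is not in TrustedAnchors/Validation" % tan
    return True, "header checks passed; verify the signature next"

def make_detached_jws(header):
    """Build a detached-payload JWS with a placeholder signature (for the test)."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return h + "..c2ln"  # constructed placeholder signature
```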
23
To use a custom value for the LocalInstrument attribute in Payment API:
  • By default, the following configurations are disabled. To enable, uncomment the following and add relevant custom values. These custom values represent a local instrument or a local clearing option.
  • The <CustomValue> tag supports default local instrument values as well as defined custom values. 

    Code Block
    languagexml
    <CustomLocalInstrumentValues>
    	<Enabled>true</Enabled>
    	<CustomValues>
    		<CustomValue>CustomLocalInstrument1</CustomValue>
    		<CustomValue>CustomLocalInstrument2</CustomValue>
    	</CustomValues>
    </CustomLocalInstrumentValues>
24

By default, two factors (basic and smsotp) are configured to engage when a TPP creates an application and generates keys. If you want to use a different authentication factor as the second factor, configure that authenticator as a federated authenticator in WSO2_OB_KM and specify its name here.

Code Block
languagexml
<SCA>
  <IdpName>SMSAuthentication</IdpName>
</SCA>
25

Determines whether or not ACR is enabled.

Code Block
languagexml
<ACREnabled>false</ACREnabled>
26
  • <Server>: The server key configuration used for message signing purposes.
  • <Server>.<SigningCertificateAlias>: The keystore alias under which the signing certificate is stored.
  • <Server>.<SigningCertificateKid>: The KID (key ID) value of the signing certificate.
  • <JWKS-Retriever>.<SizeLimit>: Maximum size limit for remote JWKSet retrieval.
  • <JWKS-Retriever>.<ConnectionTimeout>: Connection timeout for remote JWKSet retrieval.
  • <JWKS-Retriever>.<ReadTimeout>: Content read timeout for remote JWKSet retrieval.
  • <Cache>.<ModifiedExpiryMinutes>: Expiry time of a JWKSet/certificate cache entry after it was last modified, in minutes.
  • <Cache>.<AccessedExpiryMinutes>: Expiry time of a JWKSet/certificate cache entry after it was last accessed, in minutes.


Code Block
languagexml
<OBIdentityRetriever>
    <!--
        Server Key configuration
        used for signing purposes IE - message signing
    -->
    <Server>
        <!-- alias the certificate is under -->
        <SigningCertificateAlias>wso2carbon</SigningCertificateAlias>
        <!-- KID value for signing certificate -->
        <SigningCertificateKid>1234</SigningCertificateKid>
    </Server>
    <JWKS-Retriever>
        <SizeLimit>51200</SizeLimit>
        <ConnectionTimeout>2000</ConnectionTimeout>
        <ReadTimeout>2000</ReadTimeout>
    </JWKS-Retriever>
    <!-- Cache Configuration for Identity Retriever Cache -->
    <Cache>
        <ModifiedExpiryMinutes>15</ModifiedExpiryMinutes>
        <AccessedExpiryMinutes>15</AccessedExpiryMinutes>
    </Cache>
</OBIdentityRetriever>
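An added example, not the product's implementation, of the behaviour the <JWKS-Retriever> and <Cache> settings above describe: a retriever that refuses a JWKS document larger than SizeLimit and serves a cached document until either ModifiedExpiryMinutes or AccessedExpiryMinutes has elapsed. The fetcher and clock are injected so it runs offline; byte and millisecond units are assumptions.

```python
import time

# Constructed settings mirroring the <OBIdentityRetriever> elements above. Units
# are assumptions: SizeLimit in bytes, timeouts in milliseconds, expiries in minutes.
SETTINGS = {
    "SizeLimit": 51200,
    "ConnectionTimeout": 2000,
    "ReadTimeout": 2000,
    "ModifiedExpiryMinutes": 15,
    "AccessedExpiryMinutes": 15,
}


class JwksTooLarge(Exception):
    """Raised when a remote JWKS document exceeds SizeLimit."""


class JwksRetriever:
    """Fetch remote JWKS documents through an injected fetcher and cache them.

    fetcher(url, connect_timeout_s, read_timeout_s) returns the raw body bytes;
    clock() returns the current time in seconds. Both are injected so the
    example runs offline; a real deployment would plug in an HTTP client.
    """

    def __init__(self, settings, fetcher, clock=time.time):
        self.s = settings
        self.fetcher = fetcher
        self.clock = clock
        self._cache = {}  # url -> [body, fetched_at, last_accessed]
        self.fetch_count = 0

    def _fetch(self, url):
        self.fetch_count += 1
        body = self.fetcher(url, self.s["ConnectionTimeout"] / 1000.0, self.s["ReadTimeout"] / 1000.0)
        if len(body) > self.s["SizeLimit"]:
            # Refuse oversized documents instead of parsing an attacker-sized response
            raise JwksTooLarge("%s is %d bytes, limit is %d" % (url, len(body), self.s["SizeLimit"]))
        return body

    def get(self, url):
        """Return the JWKS body, re-fetching when either cache expiry has elapsed."""
        now = self.clock()
        entry = self._cache.get(url)
        if entry is not None:
            body, fetched_at, last_accessed = entry
            expired_after_write = now - fetched_at > self.s["ModifiedExpiryMinutes"] * 60
            expired_after_access = now - last_accessed > self.s["AccessedExpiryMinutes"] * 60
            if not (expired_after_write or expired_after_access):
                entry[2] = now  # refresh the access timestamp
                return body
        body = self._fetch(url)
        self._cache[url] = [body, now, now]
        return body
```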
27

Debtor account validation checks the debtor account for the PSU in the initiation request.

Parameter - Description
  • true - Disables the debtor account validation that checks whether the debtor account sent for the PSU in the initiation request is valid.
  • false - The bank back end checks whether a valid account is sent as the debtor account when initiating the consent, and returns only valid accounts when the payable accounts endpoint is called during authentication.
Code Block
languagexml
<!-- Configuration to disable debtor account validation in payments -->
<ValidateDebtorAccount>true</ValidateDebtorAccount>
28

ASPSP supports payment data permissions that grant the TPP access to payment information; specify one or more permissions separated by a pipe (|).

By default, the Create permission is granted.

Code Block
languagexml
<DataPermission>Create</DataPermission>
29

This configuration is for the Data Reporting feature. To enable data publishing, set the <Enabled> property to true so that WSO2 Open Banking Business Intelligence can capture and summarize the data. Replace the <WSO2_OB_BI_HOST> placeholder with the hostname of the Open Banking Business Intelligence server.

Code Block
languagexml
<DataPublishing>
	<!-- Include all configurations related to Data publishing -->
	<!-- Enable data publishing in WSO2 Open Banking-->
	<Enabled>true</Enabled>
	<!-- Server URL of the remote BI server used to collect statistics. Must
	     be specified in protocol://hostname:port/ format. -->
	<ServerURL>{tcp://<WSO2_OB_BI_HOST>:7612}</ServerURL>
	<!-- Administrator username to login to the BI server for data publishing. -->
	<Username>[email protected]@carbon.super</Username>
	<!-- Administrator password to login to the BI server for data publishing. -->
	<Password>wso2123</Password>
</DataPublishing>
30

To enable Transaction Risk Analysis (TRA), set the <IsEnabled> property under <TRA> to true. Replace the <WSO2_OB_BI_HOST> placeholder with the hostname of the Open Banking Business Intelligence server. Use the <AccountValidationEnabled> and <PaymentValidationEnabled> properties to enable TRA for Accounts and Payments respectively.

Code Block
languagexml
<TRA>
	<!-- Include all configurations related to Transaction Risk Analysis -->
	<!-- Enable TRA in WSO2 Open Banking-->
	<IsEnabled>true</IsEnabled>
	<!-- following configurations are used to enable TRA for specific flows only-->
	<!-- Enable TRA for Payments-->
	<PaymentValidationEnabled>true</PaymentValidationEnabled>
	<!-- Enable TRA for Accounts-->
	<AccountValidationEnabled>true</AccountValidationEnabled>
	<!-- Configurations related to TRA Receivers-->
	<Receivers>
		<!-- Administrator username to login to the remote BI server. -->
		<Username>[email protected]@carbon.super</Username>
		<!-- Administrator password to login to the remote BI server. -->
		<Password>wso2123</Password>
		<!-- Receiver URLs of the Siddhi Apps used to validate for TRA.-->
		<TRAAccountValidationURL>http://<WSO2_OB_BI_HOST>:8007/TRAAccountValidationApp/TRAValidationStream</TRAAccountValidationURL>
		<TRAPaymentValidationURL>http://<WSO2_OB_BI_HOST>:8007/TRAPaymentValidationApp/TRAValidationStream</TRAPaymentValidationURL>
	</Receivers>
	<TimePeriodOfRecurringPayment>90</TimePeriodOfRecurringPayment>
	<MaxFrequencyOfTransactionsWithoutSCA>5</MaxFrequencyOfTransactionsWithoutSCA>
	<TotalAmountLimitOfTransactionsWithoutSCA>100</TotalAmountLimitOfTransactionsWithoutSCA>
	<LastSCATimeLimit>90</LastSCATimeLimit>
	<TransactionAmountLimit>30</TransactionAmountLimit>
	<!-- Number of maximum days of transaction history that can be accessed with the first-time consent use for Berlin.-->
	<FirstAccessHistoryLimit>90</FirstAccessHistoryLimit>
</TRA>
31

You can enable the Fraud Detection feature by setting the <IsEnabled> value to true. Replace the <WSO2_OB_BI_HOST> placeholder with the hostname of WSO2 Open Banking Business Intelligence server.

Code Block
languagexml
<FraudDetection>
	<!-- Include all configurations related to Fraud Detection -->
	<!-- Enable FD in WSO2 Open Banking-->
	<IsEnabled>true</IsEnabled>
	<!-- Configurations related to FD Receivers-->
	<Receivers>
		<!-- Administrator username to login to the remote BI server. -->
		<Username>[email protected]@carbon.super</Username>
		<!-- Administrator password to login to the remote BI server. -->
		<Password>wso2123</Password>
		<!-- Receiver URLs of the Siddhi Apps used to validate for FD.-->
		<FraudDetectionURL>http://<WSO2_OB_BI_HOST>:8007/FraudDetectionApp/FraudDetectionStream</FraudDetectionURL>
		<InvalidSubmissionURL>http://<WSO2_OB_BI_HOST>:8006/InvalidSubmissionsApp/InvalidSubmissionsStream</InvalidSubmissionURL>
	</Receivers>
</FraudDetection>
32


By default, the Consent Management APIs are secured with basic authentication. To access the Consent Management APIs, use the default user or create a new user using the Key Manager Management Console.

  1. Open the <WSO2_OB_APIM_HOME>/repository/conf/finance/open-banking.xml file.
  2. Update the credentials under <APISecurity><Global> with the created user details.

    By default, this is set to the username and password of the super admin.

    Code Block
    languagexml
    <APISecurity>
    	<Global>
    		<Username>[email protected]</Username>
    		<Password>wso2123</Password>
    	</Global>
    </APISecurity>

For more information, see configuring basic authentication for Consent Management APIs.

33
For Confirmation of Payee API v1.1.2, you can define the number of seconds to wait before resending a request after a Service Unavailable (503) or Too Many Requests (429) response. Set the <RetryAfterSeconds> value in seconds.

Code Block
languagexml
<PayUK>
	<RetryAfterSeconds>60</RetryAfterSeconds>
</PayUK>
34


By default, MTLS token binding is disabled in WSO2 Open Banking. To enable, locate <WSO2_OB_KM_HOME>/repository/conf/finance/open-banking.xml and change the <EnableMTLSTokenBinding> parameter value to true as follows:

Code Block
languagexml
<APISecurity>
    <EnableMTLSTokenBinding>true</EnableMTLSTokenBinding>
</APISecurity>

Upon enabling the feature, you need to configure the client certificate header name in the <ClientAuthenticationHeader> parameter under <CertificateManagement>:

Code Block
languagexml
<CertificateManagement>
    <!--Mutual TLS Authenticator Certificate header-->
    <ClientAuthenticationHeader>x-wso2-mutual-auth-cert</ClientAuthenticationHeader>
</CertificateManagement>

In addition to the above steps, follow the instructions described under MTLS bound access token.
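An added illustration, not WSO2's code, of the check a gateway performs once access tokens are bound to the client certificate it receives in the header named above. It assumes the binding follows RFC 8705 (cnf.x5t#S256 = base64url(SHA-256(DER certificate))) and that the header carries the certificate as PEM or bare base64 DER; the certificate bytes are constructed and only hashed, never parsed.

```python
import base64
import hashlib
import hmac

# Header name configured in <ClientAuthenticationHeader> above
CLIENT_CERT_HEADER = "x-wso2-mutual-auth-cert"

# Constructed stand-in for a DER-encoded client certificate; it is only hashed,
# never parsed, so the bytes do not need to be a real X.509 structure.
DEMO_CERT_DER = b"constructed-demo-certificate-bytes-not-a-real-x509"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def header_to_der(header_value):
    """Accept either a PEM block or bare base64 DER and return the DER bytes."""
    lines = []
    for ln in header_value.splitlines():
        s = ln.strip()
        if s and not s.startswith("-----"):
            lines.append(s)
    return base64.b64decode("".join(lines))


def cert_thumbprint(der):
    """RFC 8705 x5t#S256 confirmation value: base64url(SHA-256(DER))."""
    return _b64url(hashlib.sha256(der).digest())


def bind_token(claims, der):
    """Issuer side: return a copy of the access-token claims bound to the certificate."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": cert_thumbprint(der)}
    return bound


def token_matches_client_cert(claims, headers):
    """Gateway side: the presented client certificate must match the token's cnf."""
    cert = headers.get(CLIENT_CERT_HEADER)
    expected = (claims.get("cnf") or {}).get("x5t#S256")
    if not cert:
        return False, "no client certificate forwarded in %s" % CLIENT_CERT_HEADER
    if not expected:
        return False, "token is not certificate-bound (no cnf.x5t#S256)"
    try:
        actual = cert_thumbprint(header_to_der(cert))
    except ValueError:
        return False, "client certificate header is not valid base64"
    if hmac.compare_digest(actual, expected):
        return True, "token is bound to the presented certificate"
    return False, "presented certificate does not match the token binding"


def pem_wrap(der):
    """Wrap DER bytes in PEM armour, as a TLS terminator might forward them."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----"
```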
35

To enforce regulatory certificates for API invocations, add the following configuration under the <CertificateManagement> tag:

Info

This is available only as a WUM update and is effective from February 11, 2021 (02-11-2021). For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

Code Block
languagexml
<EnforceRegulatoryCertificates>true</EnforceRegulatoryCertificates>
Once you add the configuration, you can add the eIDAS certificates to the client trust stores as described in eIDAS Implementation for PSD2 Compliance.
36

For Open Banking Standard v3.1.10:

Previously, the Open Banking Standard required re-authentication for refresh tokens issued for the Account and Transaction API once 90 days had passed since the token issue date. With v3.1.10, this mandate has been removed.

Info

This is only available as a WSO2 Update from WSO2 Open Banking API Manager Level 1.5.0.100 and WSO2 Open Banking Key Manager Level 1.5.0.83 onwards. For more information on updating WSO2 Open Banking, see Updating WSO2 Products.

  1. Open the <OB_KM_HOME>/repository/conf/identity/identity.xml file.
  2. Add the UKAccountRefreshTokenValidityPeriod and UKAccountRefreshTokenLastAuthorizedDateLimit tags to configure the validity and authorisation date limit for refresh tokens: 

    Code Block
    languagexml
    <UK>
    	...
        <UKAccountRefreshTokenValidityPeriod>15552000</UKAccountRefreshTokenValidityPeriod>
        <UKAccountRefreshTokenLastAuthorizedDateLimit>90</UKAccountRefreshTokenLastAuthorizedDateLimit>
        ...
    </UK>