This documentation is for WSO2 Open Banking version 1.4.0.

Follow the steps below to deploy the Open Banking Key Manager.

Configuring datasources

  1. Configure the <WSO2_OB_KM_HOME>/repository/conf/datasources/master-datasources.xml file with the following configurations.

    1. Update the URL, username, password, and driverClassName with the database credentials and the relevant database driver class name in the following datasources. The root/root credentials and useSSL=false in the samples are placeholders for a local setup; use a dedicated, least-privilege database account and enable TLS on the JDBC connection for a production deployment.

      If you are using Oracle, update the validationQuery in each datasource with the value below.

      <validationQuery>SELECT 1 FROM DUAL</validationQuery>

      <datasource>
          <name>WSO2AM_DB</name>
          <description>The datasource used for API Manager database</description>
          <jndiConfig>
              <name>jdbc/WSO2AM_DB</name>
          </jndiConfig>
          <definition type="RDBMS">
              <configuration>
                  <url>jdbc:mysql://localhost:3306/uk130_openbank_apimgtdb?autoReconnect=true&amp;useSSL=false</url>
                  <username>root</username>
                  <password>root</password>
                  <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                  <maxActive>150</maxActive>
                  <maxWait>60000</maxWait>
                  <testOnBorrow>true</testOnBorrow>
                  <validationQuery>SELECT 1</validationQuery>
                  <validationInterval>30000</validationInterval>
                  <defaultAutoCommit>false</defaultAutoCommit>
              </configuration>
          </definition>
      </datasource>
      <datasource>
          <name>WSO2CONFIG_DB</name>
          <description>The datasource used by the registry</description>
          <jndiConfig>
              <name>jdbc/WSO2Config_DB</name>
          </jndiConfig>
          <definition type="RDBMS">
              <configuration>
                  <url>jdbc:mysql://localhost:3306/uk130_openbank_iskm_configdb?autoReconnect=true&amp;useSSL=false</url>
                  <username>root</username>
                  <password>root</password>
                  <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                  <maxActive>150</maxActive>
                  <maxWait>60000</maxWait>
                  <testOnBorrow>true</testOnBorrow>
                  <validationQuery>SELECT 1</validationQuery>
                  <validationInterval>30000</validationInterval>
                  <defaultAutoCommit>false</defaultAutoCommit>
              </configuration>
          </definition>
      </datasource>
      <datasource>
          <name>REGISTRY_DB</name>
          <description>The datasource used for registry- config/governance</description>
          <jndiConfig>
              <name>jdbc/WSO2RegistryDB</name>
          </jndiConfig>
          <definition type="RDBMS">
              <configuration>
                  <url>jdbc:mysql://localhost:3306/uk130_openbank_govdb?autoReconnect=true&amp;useSSL=false</url>
                  <username>root</username>
                  <password>root</password>
                  <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                  <maxActive>150</maxActive>
                  <maxWait>60000</maxWait>
                  <testOnBorrow>true</testOnBorrow>
                  <validationQuery>SELECT 1</validationQuery>
                  <validationInterval>30000</validationInterval>
                  <defaultAutoCommit>false</defaultAutoCommit>
              </configuration>
          </definition>
      </datasource>
      <datasource>
          <name>WSO2_USER_DB</name>
          <description>The datasource used for registry and user manager</description>
          <jndiConfig>
              <name>jdbc/WSO2UMDB</name>
          </jndiConfig>
          <definition type="RDBMS">
              <configuration>
                  <url>jdbc:mysql://localhost:3306/uk130_openbank_userdb?autoReconnect=true&amp;useSSL=false</url>
                  <username>root</username>
                  <password>root</password>
                  <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                  <maxActive>150</maxActive>
                  <maxWait>60000</maxWait>
                  <testOnBorrow>true</testOnBorrow>
                  <validationQuery>SELECT 1</validationQuery>
                  <validationInterval>30000</validationInterval>
                  <defaultAutoCommit>false</defaultAutoCommit>
              </configuration>
          </definition>
      </datasource>
  2. Update the WSO2_CONSENT_DB datasource in the <WSO2_OB_KM_HOME>/repository/conf/datasources/open-banking-datasources.xml file with the following configurations.

    If you are using Oracle, update the validationQuery in each datasource with the value below.

    <validationQuery>SELECT 1 FROM DUAL</validationQuery>

    <datasource>
        <name>WSO2_OPEN_BANKING_DB</name>
        <description>The datasource used for the Open Banking database</description>
        <jndiConfig>
            <name>jdbc/WSO2OpenBankingDB</name>
        </jndiConfig>
        <definition type="RDBMS">
            <configuration>
                <!-- The ampersand in the query string must be escaped as &amp; in XML -->
                <url>jdbc:mysql://localhost:3306/openbank_openbankingdb?autoReconnect=true&amp;useSSL=false</url>
                <username>root</username>
                <password>root</password>
                <driverClassName>com.mysql.jdbc.Driver</driverClassName>
                <maxActive>150</maxActive>
                <maxWait>60000</maxWait>
                <testOnBorrow>true</testOnBorrow>
                <validationQuery>SELECT 1</validationQuery>
                <!-- Use the following validation query for Oracle instead:
                <validationQuery>SELECT 1 FROM DUAL</validationQuery>
                -->
                <validationInterval>30000</validationInterval>
                <defaultAutoCommit>false</defaultAutoCommit>
            </configuration>
        </definition>
    </datasource>
  3. In the <WSO2_OB_KM_HOME>/repository/conf/registry.xml file, update the properties given below. Each dataSource value must match the JNDI name of a datasource defined in master-datasources.xml; a name that is not defined there fails at JNDI lookup when the server starts.

    <dbConfig name="configRegistry">
        <dataSource>jdbc/WSO2Config_DB</dataSource>
    </dbConfig>

    <remoteInstance url="https://localhost:9443/registry">
        <id>configInstance</id>
        <dbConfig>configRegistry</dbConfig>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
    </remoteInstance>

    <mount path="/_system/config" overwrite="true">
        <instanceId>configInstance</instanceId>
        <targetPath>/_system/config</targetPath>
    </mount>

    <!-- Must match the JNDI name of the REGISTRY_DB datasource in master-datasources.xml -->
    <dbConfig name="governanceRegistry">
        <dataSource>jdbc/WSO2RegistryDB</dataSource>
    </dbConfig>

    <remoteInstance url="https://localhost:9443/registry">
        <id>governanceInstance</id>
        <dbConfig>governanceRegistry</dbConfig>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
    </remoteInstance>

    <mount path="/_system/governance" overwrite="true">
        <instanceId>governanceInstance</instanceId>
        <targetPath>/_system/governance</targetPath>
    </mount>
  4. In the <WSO2_OB_KM_HOME>/repository/conf/user-mgt.xml file, update the dataSource property to point to the user database (the WSO2_USER_DB datasource, whose JNDI name is jdbc/WSO2UMDB in master-datasources.xml).

    <Property name="dataSource">jdbc/WSO2UMDB</Property>
    1. Enable the internal JDBC user store in the <WSO2_OB_KM_HOME>/repository/conf/user-mgt.xml file, and update the UsernameJavaRegEx, UsernameJavaScriptRegEx, CaseInsensitiveUsername, and UsernameWithEmailJavaScriptRegEx properties so that e-mail addresses are accepted as usernames. Follow the sample configuration given below:

      <UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
          <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
          <Property name="ReadOnly">false</Property>
          <Property name="ReadGroups">true</Property>
          <Property name="WriteGroups">true</Property>
          <!-- The username patterns must allow the @ character so that e-mail addresses are valid usernames -->
          <Property name="UsernameJavaRegEx">[a-zA-Z0-9@._-]{3,30}$</Property>
          <Property name="UsernameJavaScriptRegEx">^[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property>
          <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
          <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
          <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
          <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
          <Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property>
          <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
          <Property name="CaseInsensitiveUsername">true</Property>
          <Property name="SCIMEnabled">false</Property>
          <Property name="IsBulkImportSupported">false</Property>
          <Property name="PasswordDigest">SHA-256</Property>
          <Property name="StoreSaltedPassword">true</Property>
          <Property name="MultiAttributeSeparator">,</Property>
          <Property name="MaxUserNameListLength">100</Property>
          <Property name="MaxRoleNameListLength">100</Property>
          <Property name="UserRolesCacheEnabled">true</Property>
          <Property name="UserNameUniqueAcrossTenants">false</Property>
          <Property name="UsernameWithEmailJavaScriptRegEx">^[\S]{3,30}$</Property>
      </UserStoreManager>
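The datasource, registry and user-store files above only work together when every dataSource value is a JNDI name that master-datasources.xml actually defines. As an added check that is not part of this page or of the WSO2 product, the following Python script (standard library only) parses constructed fragments shaped like those files and reports dangling JNDI references, JDBC URLs that set useSSL=false, and default root credentials. Element names follow the samples above; the hostnames, account names and the second datasource's values are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragments modelled on the page's samples; not the shipped WSO2 files.
# REGISTRY_DB is defined as jdbc/WSO2RegistryDB, but registry.xml below looks up jdbc/WSO2REG_DB.
MASTER_DATASOURCES = """<datasources-configuration><datasources>
  <datasource><name>REGISTRY_DB</name><jndiConfig><name>jdbc/WSO2RegistryDB</name></jndiConfig>
    <definition type="RDBMS"><configuration>
      <url>jdbc:mysql://localhost:3306/uk130_openbank_govdb?autoReconnect=true&amp;useSSL=false</url>
      <username>root</username><password>root</password>
    </configuration></definition></datasource>
  <datasource><name>WSO2_USER_DB</name><jndiConfig><name>jdbc/WSO2UMDB</name></jndiConfig>
    <definition type="RDBMS"><configuration>
      <url>jdbc:mysql://db.internal:3306/userdb?useSSL=true&amp;requireSSL=true</url>
      <username>ob_km</username><password>PLACEHOLDER_SECRET</password>
    </configuration></definition></datasource>
</datasources></datasources-configuration>"""
REGISTRY_XML = """<wso2registry><dbConfig name="governanceRegistry"><dataSource>jdbc/WSO2REG_DB</dataSource></dbConfig></wso2registry>"""
USER_MGT_XML = """<UserManager><Realm><Configuration>
  <Property name="dataSource">jdbc/WSO2UMDB</Property></Configuration></Realm></UserManager>"""

def defined_datasources(xml_text):
    """Map each JNDI name in a datasources file to its (url, username, password)."""
    out = {}
    for ds in ET.fromstring(xml_text).iter("datasource"):
        cfg = ds.find("definition/configuration")
        out[ds.findtext("jndiConfig/name")] = (cfg.findtext("url", ""), cfg.findtext("username", ""), cfg.findtext("password", ""))
    return out

def referenced_datasources(*xml_texts):
    """Collect every JNDI name that registry.xml / user-mgt.xml look up."""
    refs = set()
    for text in xml_texts:
        root = ET.fromstring(text)
        refs.update(e.text.strip() for e in root.iter("dataSource") if e.text)
        refs.update(p.text.strip() for p in root.iter("Property")
                    if p.get("name") == "dataSource" and p.text)
    return refs

def audit(defined, refs):
    """Report dangling JNDI references and weak connection settings, sorted by JNDI name."""
    findings = [f"dangling: {j} is referenced but not defined" for j in sorted(refs - set(defined))]
    for jndi, (url, user, password) in sorted(defined.items()):
        if re.search(r"[?&]useSSL=false", url):
            findings.append(f"weak: {jndi} disables TLS on the JDBC connection")
        if user == "root" or user == password:
            findings.append(f"weak: {jndi} uses default or trivial credentials")
    return findings

def run_audit():
    return audit(defined_datasources(MASTER_DATASOURCES),
                 referenced_datasources(REGISTRY_XML, USER_MGT_XML))
```

To run it against a real deployment, read the four files from <WSO2_OB_KM_HOME>/repository/conf in place of the constructed strings; open-banking-datasources.xml can be fed to defined_datasources the same way as master-datasources.xml.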

Configuring the carbon.xml file

  1. Apply the following changes in the <WSO2_OB_KM_HOME>/repository/conf/carbon.xml file:

    1. Update the <HostName> and <MgtHostName> with the IP addresses of the API Manager server(s).

    2. Update the <KeyAlias> under <KeyStore> to match the alias provided when the keystore was created for the Key Manager server.

Configuring the api-manager.xml file

  1. Disable the <PolicyDeployer> by setting its <Enabled> property to false inside the <ThrottlingConfigurations> section of the <WSO2_OB_KM_HOME>/repository/conf/api-manager.xml file, as shown below.

    <PolicyDeployer>
        <Enabled>false</Enabled>
    </PolicyDeployer>
  2. Update the <ScopeWhitelist> property inside the <OAuthConfigurations> section in <WSO2_OB_KM_HOME>/repository/conf/api-manager.xml file and replace the <Scope> elements as shown below.

    <ScopeWhitelist>
                <Scope>openid</Scope>
                <Scope>extended_transaction_history</Scope>
                <Scope>^OB_.*</Scope>
                <Scope>^TIME_.*</Scope>
    </ScopeWhitelist>

Configuring the application-authentication.xml file

  1. Update the <WSO2_OB_KM_HOME>/repository/conf/identity/application-authentication.xml file with the following configurations. 
    1. Update the <AuthenticationEndpointURL> and <AuthenticationEndpointRetryURL> attributes with the URLs of the authentication web application, as shown below.

      <AuthenticationEndpointURL>https://<WSO2_OB_KM_HOST>:9446/ob/authenticationendpoint/login.do</AuthenticationEndpointURL>
      <AuthenticationEndpointRetryURL>https://<WSO2_OB_KM_HOST>:9446/ob/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL>
    2. Add the include action to the <AuthenticationEndpointRedirectParams> element in the <WSO2_OB_KM_HOME>/repository/conf/identity/application-authentication.xml file. When the action is set to include, the listed parameters are sent to the AuthenticationEndpoint as query parameters.

      <AuthenticationEndpointRedirectParams action="include" removeOnConsumeFromAPI="true">
              <AuthenticationEndpointRedirectParam name="sessionDataKeyConsent"/>
              <AuthenticationEndpointRedirectParam name="relyingParty"/>
              <AuthenticationEndpointRedirectParam name="authenticators"/>
              <AuthenticationEndpointRedirectParam name="authFailureMsg"/>
              <AuthenticationEndpointRedirectParam name="authFailure"/>
      </AuthenticationEndpointRedirectParams>

Configuring the identity.xml file

  1. Update the identity.xml file in <WSO2_OB_KM_HOME>/repository/conf/identity with the following configurations.

      1. Define the Open Banking specific Request Object Validator under the <OpenIDConnect> element as follows:

        <RequestObjectValidator>com.wso2.finance.request.object.validator.OBRequestObjectValidatorImpl</RequestObjectValidator>
      2. Update the following configurations under the <OAuth> property with the hostname of the Open Banking API Manager Gateway.

        <OAuth2AuthzEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/authorize</OAuth2AuthzEPUrl>
        <OAuth2TokenEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/token</OAuth2TokenEPUrl>
        <OAuth2UserInfoEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/userinfo</OAuth2UserInfoEPUrl>
        <OAuth2DCREPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/register</OAuth2DCREPUrl>
        <IDTokenIssuerID>https://<WSO2_OB_APIM_HOST>:8243/token</IDTokenIssuerID>
      3. Set RenewRefreshTokenForRefreshGrant to false. With this configuration, the refresh token issued through the refresh token grant type is not renewed, which is used to enforce consent re-authorization.

        <RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>
      4. Add RenewTokenPerRequest and set its value to true. This configuration issues a new token for each request and revokes any active tokens for the same application and user. It is used to revoke the previous tokens bound to the PSU during consent re-authentication.

        <RenewTokenPerRequest>true</RenewTokenPerRequest>
      5. Configure the ReceiverURL of the <EventPublisher> under <AdaptiveAuth> with the hostname of the Open Banking Business Intelligence Server. By default, the relevant Siddhi Apps are configured to listen to port 8006.

        <ReceiverURL>http://<WSO2_OB_BI_HOST>:8006/</ReceiverURL>
      6. Add Open Banking specific response type handlers under <SupportedResponseTypes> as follows:

        <SupportedResponseType>
        	<ResponseTypeName>code</ResponseTypeName>
        	<ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBCodeResponseTypeHandler</ResponseTypeHandlerImplClass>
        </SupportedResponseType>
        <SupportedResponseType>
        	<ResponseTypeName>code id_token</ResponseTypeName>
        	<ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBHybridResponseTypeHandler</ResponseTypeHandlerImplClass>
        </SupportedResponseType>
      7. Add the Open Banking specific grant types under <SupportedGrantTypes> as follows.

        <SupportedGrantType>
        	<GrantTypeName>authorization_code</GrantTypeName>
        	<GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
        </SupportedGrantType>
        
        <SupportedGrantType>
        	<GrantTypeName>client_credentials</GrantTypeName>
        	<GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
        	<IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
        	<IdTokenAllowed>false</IdTokenAllowed>
        </SupportedGrantType>
      8. Update the cache configurations by adding the Open Banking specific PrivateKeyJWT cache.

        <CacheConfig>
        	<CacheManager name="IdentityApplicationManagementCacheManager">
        		<Cache name="PrivateKeyJWT" enable="true" timeout="10" capacity="5000" isDistributed="false"/>
        	</CacheManager>
        </CacheConfig>
      9. Update the <IDTokenBuilder> under <OpenIDConnect> to specify the Open Banking specific ID Token Builder.

        <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>