Follow the steps below to deploy the Open Banking Key Manager.
Do the following configurations in Key Manager and restart the server.
Go to the <WSO2_OB_KM_HOME>/bin
directory and execute the following command:
./wso2server.sh
Configuring datasources
Configure the
<WSO2_OB_KM_HOME>/repository/conf/datasources/master-datasources.xml
file with the following configurations.Update the
URL
,username
,password
, anddriverClassName
with the database credentials, and relevant database driver name in the following datasources.If you are using Oracle, update the
validationQuery
in each datasource with the value below.<validationQuery>SELECT 1 FROM DUAL</validationQuery>
<datasource> <name>WSO2AM_DB</name> <description>The datasource used for API Manager database</description> <jndiConfig> <name>jdbc/WSO2AM_DB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/uk130_openbank_apimgtdb?autoReconnect=true&useSSL=false</url> <username>root</username> <password>root</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>150</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> <defaultAutoCommit>false</defaultAutoCommit> </configuration> </definition> </datasource> <datasource> <name>WSO2CONFIG_DB</name> <description>The datasource used by the registry</description> <jndiConfig> <name>jdbc/WSO2Config_DB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/uk130_openbank_iskm_configdb?autoReconnect=true&useSSL=false</url> <username>root</username> <password>root</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>150</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> <defaultAutoCommit>false</defaultAutoCommit> </configuration> </definition> </datasource> <datasource> <name>REGISTRY_DB</name> <description>The datasource used for registry- config/governance</description> <jndiConfig> <name>jdbc/WSO2RegistryDB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/uk130_openbank_govdb?autoReconnect=true&useSSL=false</url> <username>root</username> <password>root</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>150</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> <defaultAutoCommit>false</defaultAutoCommit> </configuration> </definition> </datasource> <datasource> <name>WSO2_USER_DB</name> <description>The datasource used for registry and user manager</description> <jndiConfig> <name>jdbc/WSO2UMDB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/uk130_openbank_userdb?autoReconnect=true&useSSL=false</url> <username>root</username> <password>root</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>150</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <validationInterval>30000</validationInterval> <defaultAutoCommit>false</defaultAutoCommit> </configuration> </definition> </datasource>
Update the
WSO2_OPEN_BANKING_DB
datasource in the<WSO2_OB_KM_HOME>/repository/conf/datasources/open-banking-datasources.xml
file with the following configurations.If you are using Oracle, update the
validationQuery
in each datasource with the value below.<validationQuery>SELECT 1 FROM DUAL</validationQuery>
<datasource> <name>WSO2_OPEN_BANKING_DB</name> <description>The datasource used for registry and user manager</description> <jndiConfig> <name>jdbc/WSO2OpenBankingDB</name> </jndiConfig> <definition type="RDBMS"> <configuration> <url>jdbc:mysql://localhost:3306/openbank_openbankingdb?autoReconnect=true&useSSL=false</url> <username>root</username> <password>root</password> <driverClassName>com.mysql.jdbc.Driver</driverClassName> <maxActive>150</maxActive> <maxWait>60000</maxWait> <testOnBorrow>true</testOnBorrow> <validationQuery>SELECT 1</validationQuery> <!--Use below for oracle--> <!-- <validationQuery>SELECT 1 FROM DUAL</validationQuery> --> <validationInterval>30000</validationInterval> <defaultAutoCommit>false</defaultAutoCommit> </configuration> </definition> </datasource>
In the
<WSO2_OB_KM_HOME>/repository/conf/registry.xml
file, update the properties given below.<dbConfig name="configRegistry"> <dataSource>jdbc/WSO2Config_DB</dataSource> </dbConfig> <remoteInstance url="https://localhost:9443/registry"> <id>configInstance</id> <dbConfig>configRegistry</dbConfig> <readOnly>false</readOnly> <enableCache>true</enableCache> <registryRoot>/</registryRoot> </remoteInstance> <mount path="/_system/config" overwrite="true"> <instanceId>configInstance</instanceId> <targetPath>/_system/config</targetPath> </mount> <dbConfig name="governanceRegistry"> <dataSource>jdbc/WSO2REG_DB</dataSource> </dbConfig> <remoteInstance url="https://localhost:9443/registry"> <id>governanceInstance</id> <dbConfig>governanceRegistry</dbConfig> <readOnly>false</readOnly> <enableCache>true</enableCache> <registryRoot>/</registryRoot> </remoteInstance> <mount path="/_system/governance" overwrite="true"> <instanceId>governanceInstance</instanceId> <targetPath>/_system/governance</targetPath> </mount>
In the
<WSO2_OB_KM_HOME>/repository/conf/user-mgt.xml
file, update the datasource property to point to theWSO2UM_DB
.<Property name="dataSource">jdbc/WSO2UM_DB</Property>
Enable the internal JDBC user store in the
<WSO2_OB_KM_HOME>/repository/conf/user-mgt.xml
file. Update theUsernameJavaRegEx
,UsernameJavaScriptRegEx
,CaseInsensitiveUsername
, andUsernameWithEmailJavaScriptRegEx
properties. Follow the sample configuration given below:<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager"> <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property> <Property name="ReadOnly">false</Property> <Property name="ReadGroups">true</Property> <Property name="WriteGroups">true</Property> <Property name="UsernameJavaRegEx">[email protected]_-{3,30}$</Property> <Property name="UsernameJavaScriptRegEx">^[a-zA-Z0-9._-][email protected][a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$</Property> <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property> <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property> <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property> <Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property> <Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property> <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property> <Property name="CaseInsensitiveUsername">true</Property> <Property name="SCIMEnabled">false</Property> <Property name="IsBulkImportSupported">false</Property> <Property name="PasswordDigest">SHA-256</Property> <Property name="StoreSaltedPassword">true</Property> <Property name="MultiAttributeSeparator">,</Property> <Property name="MaxUserNameListLength">100</Property> <Property name="MaxRoleNameListLength">100</Property> <Property name="UserRolesCacheEnabled">true</Property> <Property name="UserNameUniqueAcrossTenants">false</Property> <Property name="UsernameWithEmailJavaScriptRegEx">^[\S]{3,30}$</Property> </UserStoreManager>
Configuring the carbon.xml file
Apply the following changes in the
<WSO2_OB_KM_HOME>/repository/conf/carbon.xml
file:Update the <
HostName>
and <MgtHostName>
with the IP addresses of the Key Manager server(s).- Update the <
KeyAlias>
under<KeyStore>
to match with the alias provided during the KeyStore creation for the Key Manager server.
Configuring the api-manager.xml file
Disable the
<PolicyDeployer>
property as false inside the<ThrottlingConfigurations>
section in<WSO2_OB_KM_HOME>/repository/conf/api-manager.xml
file as below.<PolicyDeployer> <Enabled>false</Enabled> </PolicyDeployer>
Update the <
ScopeWhitelist>
property inside the <OAuthConfigurations>
section in<WSO2_OB_KM_HOME>/repository/conf/api-manager.xml
file and replace the <Scope>
elements as shown below.<ScopeWhitelist> <Scope>openid</Scope> <Scope>extended_transaction_history</Scope> <Scope>^OB_.*</Scope> <Scope>^TIME_.*</Scope> </ScopeWhitelist>
Configuring the application-authentication.xml file
- Update the
<WSO2_OB_KM_HOME>/repository/conf/identity/application-authentication.xml
file with the following configurations.Update the <
AuthenticationEndpointURL>
and <AuthenticationEndpointRetryURL>
attributes with the URLs of the authentication web application, as shown below.<AuthenticationEndpointURL>https://<WSO2_OB_KM_HOST>:9446/ob/authenticationendpoint/login.do</AuthenticationEndpointURL> <AuthenticationEndpointRetryURL>https://<WSO2_OB_KM_HOST>:9446/ob/authenticationendpoint/retry.do</AuthenticationEndpointRetryURL>
Add the
include
action to the <AutheticationEndpointRedirectParams>
request parameter in the<WSO2_OB_KM_HOME>/repository/conf/identity/application-authentication.xml
file. When the action is set toinclude
, the defined parameters will be sent to theAuthenticationEndpoint
as query parameters.<AuthenticationEndpointRedirectParams action="include" removeOnConsumeFromAPI="true"> <AuthenticationEndpointRedirectParam name="sessionDataKeyConsent"/> <AuthenticationEndpointRedirectParam name="relyingParty"/> <AuthenticationEndpointRedirectParam name="authenticators"/> <AuthenticationEndpointRedirectParam name="authFailureMsg"/> <AuthenticationEndpointRedirectParam name="authFailure"/> </AuthenticationEndpointRedirectParams>
Configuring the identity.xml file
Update the <WSO2_OB_KM_HOME>/repository/conf/identity/identity.xml
file with the following configurations.
Define the Open Banking specific Request Object Validator under the <
OpenIDConnect>
as follows:<RequestObjectValidator>com.wso2.finance.request.object.validator.OBRequestObjectValidatorImpl</RequestObjectValidator>
Update the following configurations under the
<OAuth>
property with the hostname of the Open Banking API Manager Gateway.<OAuth2AuthzEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/authorize</OAuth2AuthzEPUrl> <OAuth2TokenEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/token</OAuth2TokenEPUrl> <OAuth2UserInfoEPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/userinfo</OAuth2UserInfoEPUrl> <OAuth2DCREPUrl>${carbon.protocol}://<WSO2_OB_APIM_HOST>:8243/register</OAuth2DCREPUrl> <IDTokenIssuerID>https://<WSO2_OB_APIM_HOST>:8243/token</IDTokenIssuerID>
Make sure the
RenewRefreshTokenForRefreshGrant
value set to false. With this configuration, the refresh token that is received by the refresh token grant type is not renewed. This is used to enforce consent re-authorization.<RenewRefreshTokenForRefreshGrant>false</RenewRefreshTokenForRefreshGrant>
Configure the ReceiverURL of the
<EventPublisher>
under<AdaptiveAuth>
with the hostname of the Open Banking Business Intelligence Server. By default, the relevant Siddhi Apps are configured to listen to port 8006.<ReceiverURL>http://<WSO2_OB_BI_HOST>:8006/</ReceiverURL>
Make sure the following Open Banking specific response type handlers are added under the
<SupportedResponseTypes>.
<SupportedResponseType> <ResponseTypeName>code</ResponseTypeName> <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBCodeResponseTypeHandler</ResponseTypeHandlerImplClass> </SupportedResponseType> <SupportedResponseType> <ResponseTypeName>code id_token</ResponseTypeName> <ResponseTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.response.type.handlers.OBHybridResponseTypeHandler</ResponseTypeHandlerImplClass> </SupportedResponseType>
The following Open Banking specific grant types should be there under <
SupportedGrantTypes>
property.<SupportedGrantType> <GrantTypeName>authorization_code</GrantTypeName> <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass> </SupportedGrantType> <SupportedGrantType> <GrantTypeName>client_credentials</GrantTypeName> <GrantTypeHandlerImplClass>com.wso2.finance.open.banking.identity.extensions.grant.type.handlers.OBClientCredentialsGrantHandler</GrantTypeHandlerImplClass> <IsRefreshTokenAllowed>false</IsRefreshTokenAllowed> <IdTokenAllowed>false</IdTokenAllowed> </SupportedGrantType>
The cache configurations are available in
<CacheConfig>
under<CacheManager>
element. You can update the configurations according to your requirements.The ID Token Builder and the algorithm that signs the ID Token Builder can be configured.
By default,
<IDTokenBuilder>
is set toorg.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder
. For example, to sign the <IDTokenBuilder>
with theSHA256withPS
algorithm the configurations are as follows:<OpenIDConnect> <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder> <SignatureAlgorithm>SHA256withPS</SignatureAlgorithm> </OpenIDConnect>
By default, the Consent Management APIs are secured with basic authentication.
Each API resource is secured using a
<Resource>
element under<ResourceAccessControl>
.- Use the default user or create a new user in the Key Manager Management Console to access the Consent Management APIs.
- Update the
<Permissions>
element under<Resource>
with the role assigned to the user. This role is used to restrict access to the APIs Update the credentials in Open Banking API Manager with the created user details.
To disable basic authentication for an API, set the
secured
property tofalse
in the corresponding<Resource>
element. For example, to disable basic authentication foruk300
resources, update the configurations as follows:<ResourceAccessControl> <!-- Configuration for protecting consent management APIs. If not required, set secured to false. The credentials of the basic auth are from the registered user role with the permission as specified in the Permission tag. --> <Resource context="(.*)/uk300/(.*)" http-method="all" secured="false" allowed-auth-handlers="BasicAuthentication"> <Permissions>/permission/admin</Permissions> </Resource> <!-- END OF Configuration for protecting consent management APIs --> </ResourceAccessControl>
sha256withPS