Functional Conformance Suite
The Open Banking Implementation Entity (OBIE) Functional Conformance Certificate allows WSO2 Open Banking to demonstrate that the solution has successfully implemented all required functional elements of the OBIE Read/Write API specifications, passing all tests performed by the Functional Conformance Tool.
Before you begin:
Set up and prepare your servers to run WSO2 Open Banking UK Toolkit. Follow the Set up Toolkits documentation to set up the accelerators and toolkits.
Generate Locally Signed SSL Certificate¶
-
Install mkcert. mkcert is a simple tool for making locally-trusted development certificates.
Note
For more information on downloading and installing mkcert, refer to the mkcert installation guide.
-
Create and install a local Certificate Authority (CA) on your computer using the following command:
mkcert -install
-
View the root CA certificate location using the following command:
mkcert -CAROOT
-
Add mkcert root CA (self-signed root certificate) to both Identity Server and API Manager client truststores using the following command:
keytool -import -alias rootCA -file <MKCERT_CA_ROOT_CERT> -keystore client-truststore.jks -storepass <CLIENT_TRUSTSTORE_PASSWORD>
-
Generate server certificates using the mkcert tool as follows:
mkcert <trusted_domains> <server_hostname> <server_ip>
Given below is a sample configuration:
mkcert localhost 127.0.0.1 ::1
-
Copy the root CA certificate to the
/usr/local/share/ca-certificates/
directory and/etc/ssl/certs
directory and update the CA certificates.sudo update-ca-certificates
-
Create a new keystore with the generated certificate.
Note
Use the same keystore password (
KEYSTORE_PASSWORD
) that you used to configure the existing keystore.a. Convert the PEM file into PKCS12 format. The password should be same as the default
wso2carbon.jks
.openssl pkcs12 -export -in <server_cert>.pem -inkey <server_key>.pem -out certificate.p12 -name "wso2carbon"
b. Generate
wso2carbon.jks
from the PKCS12 file. The password should be same as the defaultwso2carbon.jks
.keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore wso2carbon.jks
-
Back up the default keystore (
wso2carbon.jks
) residing in the security folder of both WSO2 Identity Server and WSO2 API Manager and replace it with the newly createdwso2carbon.jks
file. -
Import the generated server certificate (in Step 5) to the client truststore of both
<WSO2_OB_IAM_HOST>
and<WSO2_OB_APIM_HOST>
servers. The client truststores for the WSO2 Open Banking API Manager and Identity Server are located in the following locations:<WSO2_IS_HOME>/repository/resources/security/client-truststore.jks
<WSO2_APIM_HOME>/repository/resources/security/client-truststore.jks
.
Use the following command to add the certificates to the client truststores:
keytool -import -alias mkcert_server_cert -file <SERVER_CERT>.pem -keystore client-truststore.jks -storepass wso2carbon
Warning
Don’t import the keystore (
wso2carbon.jks
) to the truststore. Instead, directly import the server certificate to the truststore.Note
Exchange and trust the API Manager and Identity Server certificates, if the API Manager server and Identity Server are in different nodes.
-
Add the OBIE Root and Issuing Certificates to the
client-truststore.jks
. The client truststores for the WSO2 Open Banking API Manager and Identity Server are located in the following locations:<WSO2_IS_HOME>/repository/resources/security/client-truststore.jks
<WSO2_AM_HOME>/repository/resources/security/client-truststore.jks
Use the following commands to add the certificates to the client truststores:
-
Add Root Certificate:
keytool -import -alias <alias> -file <OB_ROOT_CERT> -keystore client-truststore.jks -storepass wso2carbon
-
Add Issuing Certificate:
keytool -import -alias <alias> -file <OB_ISSUING_CERT> -keystore client-truststore.jks -storepass wso2carbon
Configure the Well-known Endpoint and Keystore for JWS Validation¶
Use one of the following options to configure the well-known endpoint:
- Option 1: Update the well-known endpoint and JWKS endpoint
- Option 2: Configure the default well-known endpoint
- Option 3: Create a gist
Note
If you are running the functional conformance suite with JWS validations enabled, (with the DISABLE_JWS=FALSE
tag),
option 1 is recommended.
Option 1: Update the well-known endpoint and JWKS endpoint¶
Update the well-known endpoint and JWKS endpoint as instructed below according to your setup.
Click here to see how it is done:...
-
Download and extract the
well-known-config-resources.zip
. -
Go to the
well-known-config-resources
directory. -
Copy the
auth.server.info-1.0-SNAPSHOT.jar
file to the<IS_HOME>/repository/components/lib
directory. -
Download the sample
openid-configuration.json
available here. -
Update the values in
openid-configuration.json
according to your setup.a. Replace the
<IS_HOSTNAME>
placeholder with the Identity Server hostname.b. Update the
jwks_uri
value tohttps://is-sandbox-openbanking.wso2.com/oauth2/token/keystore
. -
Copy the
openid-configuration.json
file into the<IS_HOME>/repository/conf/identity
directory. -
Update the
keystore.json
file with the authorization server keys and client application keys generated for applications.Note
If you are manually updating the entries in the
keystore.json
file for testing purposes only, follow the guide available here to add the entry for your server keys to thekeystore.json
file. -
Copy the
keystore.json
file into the<IS_HOME>/repository/conf/identity
directory. -
Open the
<IS_HOME>repository/resources/conf/templates/repository/conf/tomcat/web.xml.j2
file and register the following servlets. Add the following elements before the</webapp>
tag.<servlet> <servlet-name>Discovery</servlet-name> <servlet-class>auth.server.info.Discovery</servlet-class> </servlet> <servlet-mapping> <servlet-name>Discovery</servlet-name> <url-pattern>/token/.well-known/openid-configuration</url-pattern> </servlet-mapping> <servlet> <servlet-name>Keystore</servlet-name> <servlet-class>auth.server.info.Keystore</servlet-class> </servlet> <servlet-mapping> <servlet-name>Keystore</servlet-name> <url-pattern>/token/keystore</url-pattern> </servlet-mapping>
-
Restart the Identity Server.
-
Restart the API Manager server.
-
Go to the following links and see the changes:
Option 2: Configure the default well-known endpoint¶
If you are running the functional conformance test suite without enabling JWS validations, you can configure the default well-known endpoint available at https://localhost:9446/oauth2/token/.well-known/openid-configuration.
Option 3: Create a gist¶
For testing purposes, you can host the well-known configuration file via Github Gist.
Click here to see how to create a gist:...
a. Sign in to GitHub.
b. Navigate to the GitHub Gist Homepage.
c. Create a gist.
Note
Provide the following details when creating the gist.
- Gist Description: openid-configuration
- File Name: openid-configuration
- Content: configurations exposed via well-known endpoints. A sample
openid-configuration.json
is available here.
d. Click Create Public Gist.
e. Go to Raw and copy the URL. This URL can be used as wellknown_endpoint
in the test suite and Key Manager.
Configure the Solution¶
-
Open the
<WSO2_IS_HOME>/repository/conf/deployment.toml
file. -
Locate the
[open_banking_uk.consent.payment_restrictions]
tag. -
Set the
MaximumFuturePaymentDays
value to 365 as shown below:[open_banking_uk.consent.payment_restrictions] max_instructed_amount = "365"
-
Locate the
[open_banking_uk.consent]
tag. -
Enable account id validation on account retrieval as follows:
[open_banking_uk.consent] validate_acc_id_on_retrieval_enabled = true
-
Open the
<WSO2_APIM_HOME>/repository/conf/deployment.toml
file. -
Repeat steps 4 and 5.
-
Open the
<WSO2_IS_HOME>/repository/conf/deployment.toml
file. -
Comment out the TokenFilter configuration as follows:
#[[tomcat.filter]] #name = "TokenFilter" #class = "com.wso2.openbanking.accelerator.identity.token.TokenFilter" #[[tomcat.filter_mapping]] #name = "TokenFilter" #url_pattern = "/token"
Configure JWS Validation¶
Enable JWS Validations in Open Banking Solution
Note
The following information is already available under steps 12 and 13 in the Configuring API Manager documentation. Refer to the above-mentioned documentation for any updates on configuring JWS validations.
To validate API requests:
-
Open the
<APIM_HOME>/repository/conf/deployment.toml
file. -
Configure the
UKJwsRequestHandlingExecutor
executor. The priority ofUKJwsRequestHandlingExecutor
must be higher thanConsentEnforcementExecutor
. For example:[[open_banking.gateway.openbanking_gateway_executors.type.executors]] name = "com.wso2.openbanking.uk.gateway.executors.jws.UKJwsRequestHandlingExecutor" priority = 4 [[open_banking.gateway.openbanking_gateway_executors.type.executors]] name = "com.wso2.openbanking.accelerator.gateway.executor.impl.consent.ConsentEnforcementExecutor" priority = 5
-
Enable validation and define the valid signing algorithms for the JWS sent in the request header:
[open_banking.jws_signature.signature_validation] enabled=true [[open_banking.jws_signature.signature_validation.allowed_algorithms]] algorithm="PS256" [[open_banking.jws_signature.signature_validation.allowed_algorithms]] algorithm="ES256"
-
The signing keys used for validation by an application are cached. The default expiration time for cache modification and access is 60 minutes. To change these values, add and configure the following:
[open_banking.common.identity.cache] cache_modified_expiry_minuites=30 cache_access_expiry_minuites=30
-
The default trust anchor used for the validation is
openbanking.org.uk
. To change this value, add and configure the following:[open_banking.uk.jws_signature.obie] org_id="0015800001HQQrZAAX" [open_banking.uk.jws_signature.obie.trusted_anchors] signature_validation="openbanking.org.uk"
-
By default, signature validation is enabled for the Payments API. Configure the API contexts of other APIs that require signature validation. For example:
[[open_banking.uk.jws_signature.signature_validation.mandated_apis]] api_context="/open-banking/v3.1/event"
To let the TPPs verify that the request wasn't tampered with, sign the responses:
-
Open the
<APIM_HOME>/repository/conf/deployment.toml
file. -
Configure the
UKJwsResponseHandlingExecutor
executor and set the priority to999
.[[open_banking.gateway.openbanking_gateway_executors.type.executors]] name = "com.wso2.openbanking.uk.gateway.executors.jws.UKJwsResponseHandlingExecutor" priority = 999
-
Enable signing and define the response signing algorithms.
[open_banking.jws_signature.response_signing] enabled=true allowed_algorithm="PS256"
-
Configure the alias and kid values of the signing certificates:
signing_cert_alias
: The alias of the signing certificate stored in the keystore. Used to sign responses in a production environment. Default value iswso2carbon
.sandbox_signing_cert_alias
: The alias of the signing certificate stored in the keystore. Used to sign responses in a sandbox environment. Default value iswso2carbon
.signing_cert_kid
: The kid value of the corresponding public key of the private key, which is used for signing in a production environment. Default value is1234
. This is a mandatory configuration.sandbox_signing_cert_kid
: The kid value of the corresponding public key of the private key, which is used for signing in a sandbox environment. Default value is5678
. This is a mandatory configuration.
[open_banking.ob_identity_retriever.server] signing_cert_alias="wso2carbon" sandbox_signing_cert_alias="wso2carbon" signing_cert_kid="1234" sandbox_signing_cert_kid="5678"
-
Configure the JWKS size limit and timeout and values.
[open_banking.ob_identity_retriever.jwks_retriever] size_limit=51200 connection_timeout=2000 read_timeout=2000
-
The default trust anchor used for the signing is
openbanking.org.uk
. To change this value, add and configure the following:[open_banking.uk.signing_config] obie.trusted_anchors.signing = "openbanking.org.uk" obie.org_id="0015800001HQQrZAAX"
trusted_anchors
should be the Trust Anchor to be used in signing JOSE.org_id
should be theorg_id
in the SSA or Organizational Unit of the certificate Owner.
-
Configure the API contexts of other APIs that require response signing. By default, response signing is enabled for the Payments API. For example:
[[open_banking.uk.signing_config.response_sig_required_apis]] api_context="/open-banking/v3.1/event"
Run the Solution¶
-
Start the WSO2 Identity Server.
-
Start the WSO2 API Manager Server.
-
Configure the users and roles by following the Configure Users and Roles documentation.
-
Publish and deploy DCR API and configure key manager by following the Dynamic Client Registration documentation.
-
Publish and deploy Account and Transaction API, Payment Initiation API, and Confirmation of Funds API.
-
Create a DCR Application.
Note
Use
https://<DOCKER-BRIDGE_SEVER_HOST/TEST_SUITE_HOST>:8443/conformancesuite/callback
as the redirect URL in SSA and DCR request JWT.Given below are sample modified redirect URL properties in SSA:
"software_client_uri": "https://127.0.0.1:8443/conformancesuite/callback", "software_redirect_uris": [ "https://127.0.0.1:8443/conformancesuite/callback" ],
Given below are sample modified redirect URL properties in DCR request JWT.
"redirect_uris": [ "https://127.0.0.1:8443/conformancesuite/callback" ],
Warning
Configure IS as Key Manager, only after updating keystores.
If you replace the existing keystores after setting up the Key Manager, you will have to delete the newly created key manager entry from DB level (from
openbank_apimgtdb.AM_KEY_MANAGER
) before starting servers again and you’d have to configure it again.
Run the UK Functional Conformance Suite¶
-
Run one of the following commands in a terminal to pull and run the image:
-
Use the following command to run the container by adding
<DOCKER-BRIDGE_SEVER_HOST>
:docker run --add-host=<DOCKER-BRIDGE_SEVER_HOST>:<docker0 ip> -it --name=fsuite -p 8443:8443 -e LOG_LEVEL=debug -e LOG_TRACER=true -e LOG_HTTP_TRACE=true -e DISABLE_JWS=FALSE "openbanking/conformance-suite:[TEST_SUITE_VERSION]"
-
Use the following command to run the container by binding host to it:
docker run --net=host -it --name=fsuite -p 8443:8443 -e LOG_LEVEL=debug -e LOG_TRACER=true -e LOG_HTTP_TRACE=true -e DISABLE_JWS=FALSE "openbanking/conformance-suite:[TEST_SUITE_VERSION]"
Given below is a sample for the above command:
docker run --net=host -it --name=fsuite -p 8443:8443 -e LOG_LEVEL=debug -e LOG_TRACER=true -e LOG_HTTP_TRACE=true -e DISABLE_JWS=FALSE "openbanking/conformance-suite:v1.7.1"
For more details, see UK Conformance Suite Setup Guide.
-
-
Add the server certificates and local root CA certificate to the following docker container locations using the below commands:
-
fsuite:/usr/local/share/ca-certificates/
docker cp <SERVER_CERT/HOST>.pem fsuite:/usr/local/share/ca-certificates/<SERVER_CERT/HOST>.pem
docker cp <ROOT_CA_CERT>.pem fsuite:/usr/local/share/ca-certificates/<ROOT_CA_CERT>.pem
Given below is a sample for the above commands:
docker cp localhost+2.pem fsuite:/usr/local/share/ca-certificates/localhost+2.pem
docker cp rootCA.pem fsuite:/usr/local/share/ca-certificates/rootCA.pem
-
fsuite:/etc/ssl/certs/
docker cp <SERVER_CERT/HOST>.pem fsuite:/etc/ssl/certs/<SERVER_CERT/HOST>.pem
docker cp <ROOT_CA_CERT>.pem fsuite:/etc/ssl/certs/<ROOT_CA_CERT>.pem
Given below is a sample for the above commands:
docker cp localhost+2.pem fsuite:/etc/ssl/certs/localhost+2.pem
docker cp rootCA.pem fsuite:/etc/ssl/certs/rootCA.pem
-
-
Log in to the docker container:
docker exec -it fsuite /bin/bash
-
Update the CA certificates using the following commands:
update-ca-certificates
-
Stop the container using the following command:
docker stop fsuite
-
Restart the container using the following command:
docker start -a fsuite
Note
If you encounter a test failure during the execution, restart the docker container and rerun the test suite from the step 5.
-
The conformance suite is now locally available at https://localhost:8443.
-
Select Open Banking test suite and start the test.
-
In the Discovery step, update the following values in the JSON file separately for each time the conformance suite runs for Account and Transaction API, Payment Initiation API, and Confirmation of Funds API.
a. Account and Transaction API:
Tip
A sample endpoint configuration for the Account and Transaction API is available here.
discoveryItems apiSpecification name Account and Transaction API Specification openidConfigurationUri The OpenID Connect discovery endpoint. For example: https://<DOCKER_SEVER_HOST>:8243/.well-known/openid-configuration
resourceBaseUri Production/Sandbox URL for the API. For example: https://<DOCKER_SEVER_HOST>:8243/open-banking/v3.1/aisp
b. Payment Initiation API:
Tip
A sample endpoint configuration for the Payment Initiation API is available here.
discoveryItems apiSpecification name Payment Initiation API openidConfigurationUri The OpenID Connect discovery endpoint. For example: https://<DOCKER_SEVER_HOST>:8243/.well-known/openid-configuration
resourceBaseUri Production/Sandbox URL for the API. For example: https://<DOCKER_SEVER_HOST>:8243/open-banking/v3.1/pisp
c. Confirmation of Funds API:
Tip
A sample endpoint configuration for the Confirmation of Funds API is available here.
discoveryItems apiSpecification name Confirmation of Funds API openidConfigurationUri The OpenID Connect discovery endpoint. For example: https://<DOCKER_SEVER_HOST>:8243/.well-known/openid-configuration
resourceBaseUri Production/Sandbox URL for the API. For example: https://<DOCKER_SEVER_HOST>:8243/open-banking/v3.1/cbpii
-
Click Next and proceed to the Configuration stage.
-
Add the following mandatory configurations in the form/JSON file.
Tip
A sample
TestData_Configure.json
is available here.Client Private Signing Key (.key): [signing_private]
The Private Signing Key certificate of the client/application created in the application creation step. Public Signing Certificate (.pem): [signing_public]
The Public Signing Certificate of the client/application created in the application creation step. Private Transport Key (.key): [transport_private]
The Private Transport Key certificate of the client/application created in the application creation step. Public Transport Certificate (.pem): [transport_public]
The Public Transport Certificate of the client/application created in the application creation step. Client (TPP) Signature KID: [tpp_signature_kid]
The KID value of the signing certificate. Client (TPP) Signature Issuer: [tpp_signature_issuer]
Certificate Owner (For example, CN=sgsMuc8ACBgBzinpr8oJ8B, OU=0015800001HQQrZAAX, O=OpenBanking, C=GB) Client (TPP) Signature Trust Anchor: [tpp_signature_tan]
Trust Anchor used in signing JOSE (For example, openbanking.org.uk) Account IDs: [account_ids]
The Account IDs of the account resources that the customer (PSU) has consented to provide to the client/application. Statement IDs: [statement_ids]
The Statement IDs of the statement resources that the customer (PSU) has consented to provide to the client/application. Transaction From Date: [transaction_from_date]
Specified start date and time for the transaction query period formatted as ISO 8601 date (For example: 2006-01-02T15:04:05-07:00)
Note: This should be a date before 2016-01-01.Transaction To Date: [transaction_to_date]
Specified end date and time for the transaction query period formatted as ISO 8601 date (For example: 2022-01-02T15:04:05-07:00). Client ID [client_id]
Consumer key of the client/application created in the application creation step. Client Secret [client_secret]
Consumer secret of the client/application created in the application creation step. x-fapi-financial-id: [x_fapi_financial_id]
The unique ID of the ASPSP to which the request is issued. The unique ID will be issued by OB. Send x-fapi-customer-ip-address
header[checkbox] Tick this check box to send x-fapi-customer-ip-address
header in API requests.Well-Known Token Endpoint: [token_endpoint]
The endpoint that issues the access tokens (For example: https://<WSO2_OB_IS_HOST>:9446/oauth2/token
)OAuth 2.0 response_type: [response_type]
A JSON array containing a list of the OAuth 2.0 response_type
values that this OP supports. Dynamic OpenID Providers MUST support thecode
,id_token
, and theid_token
Response Type values.Token Endpoint Auth Method: [token_endpoint_auth_method]
Registered client authentication method (For example: client_secret_basic
)Request object signing algorithm: [request_object_signing_alg]
The algorithm used to sign requests objects (For example: PS256) Authorization Endpoint: [authorization_endpoint]
The endpoint used to obtain an authorization grant from the resource owner via the user-agent redirection. (For example: https://<WSO2_OB_IS_HOST>:9446/oauth2/authorize)
Resource Base URL: [resource_base_url]
The base URL of the WSO2 OB APIM server (For example: https://<WSO2_OB_APIM_HOST>:8243
)Issuer: [issuer]
The issuer that consumes or validates access tokens (For example: https://<WSO2_OB_IS_HOST>:9446/oauth2/token
)Redirect URL: [redirect_url]
Client application redirect uri. This should be set to https://<DOCKER_SEVER_HOST>:8443/conformancesuite/callback
.Payments First Payment Date Time: [first_payment_date_time]
First Payment Date Time formatted as ISO 8601 date (For example: 2006-01-02T15:04:05-07:00). This should be a future date. Requested Execution Date Time: [requested_execution_date_time]
Requested Execution Date Time formatted as ISO 8601 date (For example: 2006-01-02T15:04:05-07:00). This should be a future date. CreditorAccount SchemeName: Name of the identification scheme of beneficiary account. Could be one of "UK.OBIE.BBAN", "UK.OBIE.IBAN", "UK.OBIE.PAN", "UK.OBIE.Paym", "UK.OBIE.SortCodeAccountNumber". Identification: Beneficiary account identification Name: Name of the account, as assigned by the account servicing institution.
Usage: The account name is the name or names of the account owner(s) represented at an account level. The account name is not the product name or the nickname of the account.SchemeName: Name of the identification scheme of international beneficiary account. Could be one of "UK.OBIE.BBAN", "UK.OBIE.IBAN", "UK.OBIE.PAN", "UK.OBIE.Paym", "UK.OBIE.SortCodeAccountNumber" International Identification: The international beneficiary account identification International Name: International name of the account, as assigned by the account servicing institution.
Usage: The account name is the name or names of the account owner(s) represented at an account level. The account name is not the product name or the nickname of the account.Instructed Amount Value (Capped at 1.00): Value of the instructed amount Instructed Amount Currency: Instructed amount currency Currency Of Transfer For International Payments: [currency_of_transfer]
Currency of transfer Frequency Schedule Code: [payment_frequency]
[Drop down list] Frequency of the scheduled payments Confirmation of Funds Schema Name: Name of the identification scheme. Debtor Account Identification: Account identification, which is known by the account owner. Debtor Account Name: The name of the account, as assigned by the account servicing institution.
Usage: The account name is the name or names of the account owner(s) represented at an account level. The account name is not the product name or the nickname of the account. -
Click Next and run the suite upto the consent acquisition stage.
-
Click consent acquisition URLs and grant consent by logging into a PSU account and providing consent manually for each consent URL.
-
Click Run to run the test cases.
-
Once the test runs are over, results will be loaded, and you can export the test results.