Versions Compared

Version Old Version 4 New Version 5
Changes made by

David Plews

David Plews

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Transport Certificates

Drawio
mVer2
zoom1
simple0
zoominComment10
inCommentcustContentId0146899014
pageId134938814
custContentIdlbox1468990141
diagramDisplayNameUntitled Diagram-1720473013056.drawiolbox1
contentVer2
revision3
baseUrlhttps://openfinanceuae.atlassian.net/wiki
diagramNameUntitled Diagram-1720473013056.drawio
pCenter0
width1579.5
links
tbstyle
height596.5

Cert Name

Description

Issuer

Private Key held by

CSR generated by

Certificate Generated by

Actions required by LFI

C1

Identifies the TPP to OFP

OFTF

TPP

TPP

TPP

None

S2

Identifies non mtls OFP endpoints to TPP

Lets Encrypt

Ozone

NA
(uses ACME protocol)

Ozone

None

S1

Identifies mtls OFP endpoints to TPP

OFTF

Ozone

Ozone

LFI

Yes

Ozone will provide a CSR and the LFI should use the OFTF to produce the certificate

C4

Identifies OFP to LFI’s Ozone Connect endpoint

OFTF

Ozone

Ozone

LFI

Yes

S3

Identifies cm-pub and hh-pub endpoints to LFI

OFTF

Ozone

Ozone

LFI

Yes

S4

Identifies LFI’s Ozone Connect endpoint to Ozone

OFTF

LFI

LFI

LFI

Yes

Ozone will provide scripts to the LFI to assist with CSR generation if requested

The subject of the C3 certificate should be provided to Ozone.

Ozone will limit access to certificates issued by OFTF AND having that specific subject

C3

Identifies LFI to the cm-pub and hh-pub endpoints

OFTF

LFI

LFI

LFI

Yes

Drawio
mVer2
simple0
zoom1simple0
inComment0
custContentId127795513
pageId127795365134938814
lboxcustContentId1146309209
diagramDisplayNameUntitled Diagram-1720473409295.drawio
lbox1
contentVer31
revision32
baseUrlhttps://openfinanceuae.atlassian.net/wiki
diagramNameUntitled Diagram-1720473409295.drawio
pCenter0
width941
links
tbstyle
height481579.5

Item

Description

Issuer

Private Key Held By

CSR Generated by

Certificate Generated by

Action required by LFI

JWKS

Sig1

Used by the TPP to sign requests sent to the OFP

(e.g. for signing the private-key-jwt, par request object etc)

OFP will use the public key in the OFTF JWKS to verify the signature

OFTF

TPP

TPP

TPP

None

TPP’s JWKS identified by the jwks_url for the client.

Hosted in OFTF

Sig2

Used by the OFP to sign responses sent to the TPP

This includes signed messages from the resource server and the signature on the id_token.

The TPP will use the public key in the JWKS to verify the signature

OFTF

Ozone

Ozone

LFI

Yes

LFI’s JWKS identified by the jwks_url in the OFP’s well-known endpoint.

Hosted in OFTF

Sig3

Used by the OFP to sign requests sent to the the LFI

OFP will use the public key in the JWKS to verify the signature

OFTF

Ozone

Ozone

LFI

Yes

LFI’s JWKS hosted in OFTF

Only required if one of these conditions is true:

  • The LFI requires JWT Auth for Application Layer Authentication to Ozone Connect

  • The LFI uses Client Credentials Grant for Application Layer Authentication to Ozone Connect and client authentication is set to private_key_jwt

Sig4

Used by the LFI to sign requests sent to OFP

LFI will use the public key in the JWKS to verify the signature

OFTF

LFI

Ozone (to assist LFI)

LFI

Yes

LFI’s JWKS hosted in OFTF

Only required if the LFI requires JWT Auth for Application Layer Authentication to CM and HH

...