Versions Compared

Version Old Version 1 New Version 2
Changes made by

Chris Michael

Isla Humphreys

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

2.0 Pre-Production Domain Names

Section

Question

Answer

Additional Information to be Supplied to Ozone

Provided by

Domain Names

TPP facing Domain Name

Ozone will allocate a domain name for your pre-production environment based on your BIC.

<Link TBC>

 

Ozone

Domain Names

LFI Facing Domain Name

Ozone will allocate a domain name for hh and cm for your pre-production environment based on your BIC.

<Link TBC>

 

Ozone

Domain Names

Ozone Connect Base URL

LFI to specify the base url on which Ozone Connect is hosted

<Link TBC>

 

LFI

Domain Name

Authorisation URL

The OIDC auth URL for the LFI.

There can be only one auth URI for an instance.

The auth uri must follow the stipulations placed by FAPI 2.0 (e.g. https only, no query parameters)

<Link TBC>

 

LFI

 

 

3.0 Pre-Production Certificates

...

The table below sets out the steps for each certificate where Ozone holds the Transport & Signing Private keys.

Section

Certificate

Steps

Additional Information to be Supplied Ozone & LFI

Transport Server Certificate

S1

This is the certificates that is deployed onto the

OFP

API Hub servers to identify an LFI's instance to the TPPs.

 

These steps are repeated for S1 S3 C4 Sig2 Sig3

  1. Ozone to generate private keys for the certificates

  2. Ozone to generate CSRs and hand over to LFI

  3. LFI to generate certificates on OFTF Sandbox directory

  • Ozone to download certificates from OFTF JWKS

    • Ozone to deploy complete certificates and chains

    1. LFI to provide JWKS URL and KID

    Code Block
    Ozone Insert CSR
    Code Block
    LFI to Insert
    Certificate
    JWKS URL 
LFI to Insert KID

    Transport Server Certificate

    S3

    The certificate is used by Ozone’s cm and hh servers to identify themselves to the LFI

    Code Block
    Ozone Insert CSR
    Code Block
    LFI to Insert
    Certificate
     JWKS URL 
LFI to Insert KID

    Transport Client Certificate

    C4

    This certificate is used by Ozone to identify itself to the LFI when it calls Ozone Connect APIs from the tenant

    Code Block
    Ozone Insert CSR
    Code Block
    LFI to Insert
    Certificate
     JWKS URL 
LFI to Insert KID

    Signing Certificate

    Sig2

    Used by the

    OFP

    API Hub to sign responses sent to the TPP.

    This includes signed messages from the resource server and the signature on the id_token.

    The TPP will use the public key in the JWKS to verify the signature

    Code Block
    Ozone Insert CSR
    Code Block
    LFI to Insert
    Certificate
    JWKS URL 
LFI to Insert KID

    Signing Certificate

    Sig3

    Used by the

    OFP

    API Hub to sign requests and responses sent to the the LFI.

    This is used to sign the jwt-auth header for:

    • Ozone Connect requests

    • hh-pub responses

    • cm-pub responses

    OFP

    API Hub will use the public key in the JWKS to verify the signature

    Code Block
    Ozone Insert CSR
    Code Block
    LFI to Insert JWKS URL 
LFI to Insert
    Certificate
    KID

    Transport Server Certificate

    S2

    This certificate is used by Ozone servers that publish endpoints or pages that may be consumed in web browsers.

    Process fully managed by Ozone

     

    3.2 Pre-Production LFI Held Transport & Signing Private keys

    The table below sets out the steps for each certificate where the LFI holds the Transport & Signing Private keys.

    Section

    Certificate

    Steps

    Additional Information to be Supplied by LFI

    Section

    Certificate

    Steps

    Additional Information to be Supplied by LFI

    Transport Client Certificate

    C3

    This certificate is used by Ozone to recognise the LFI when it calls the hh and cm

    These steps are repeated for C3 S4 Sig3

    1. LFIto generate private key for the

    server

    1. certificate

    .

  • Ozone will provide the subject for the certificate.

    1. LFI to generate CSR

    with subject details as provided.

    2. LFI

    will

    1. to generate the certificate from OFTF Sandbox directory

    .

    Ozone to deploy. Code Block

    1. LFIto provide JWKS URL and KID

    Code Block
    Cert Subject
    LFI to Insert JWKS URL 
LFI to Insert KID

    Transport Server Certificate

    S4

    The certificate is used by the LFI to identify its Ozone Connect service to

    OFP Code Block

    API Hub.

    Code Block
    Cert Subject
    LFI to Insert JWKS URL 
LFI to Insert KID

    Signing Certificate

    Sig3

    Used by the LFI to sign requests and responses sent to

    OFP Code Block

    API Hub.

    This is used to sign the jwt-auth header for:

    • Ozone Connect responses

    • hh-pub requests

    • cm-pub requests

    LFI will use the public key in the JWKS to verify the signature.

    Code Block
    Cert Subject
    LFI to Insert JWKS URL 
LFI to Insert KID

    3.3 Pre-Production LFI Held Encryption Private key

    The table below sets out the steps for LFI to generate the encryption private key.

    Section

    Certificate

    Steps

    Additional Information to be Supplied by LFI

    Encryption Key

    Enc1

    Used by the TPP to encrypt PII sent to the

    OFP

    API Hub that can only be read by the LFI

    The PII payloads are signed using the LFI's public key in the JWKS

    The LFI decrypts them using their private key

    1. LFI to generate private key for the

    server

    1. certificate

    .

  • Ozonewill provide the subject for the certificate.

    1. LFI to generate CSR

    with subject details as provided.

    2. LFI will generate the certificate from OFTF Sandbox directory

    .

    Ozone to deploy. Code Block

    1. LFIto provide JWKS URL and KID

    Code Block
    Cert Subject
    LFI to Insert JWKS URL 
LFI to Insert KID