Note: This form is for information only. The information will be gathered using the API Hub Service Desk.


1.0 Purpose

This form should be used to gather and share environment specific configuration details for the LFI’s Pre-Production environment.

2.0 Pre-Production Domain Names

| Section | Question | Answer | Additional Information to be Supplied to Ozone | Provided by |
|---|---|---|---|---|
| Domain Names | TPP facing Domain Name | Ozone will allocate a domain name for your pre-production environment based on your BIC. | <Link TBC> | Ozone |
| Domain Names | LFI Facing Domain Name | Ozone will allocate a domain name for hh and cm for your pre-production environment based on your BIC. | <Link TBC> | Ozone |
| Domain Names | Ozone Connect Base URL | LFI to specify the base URL on which Ozone Connect is hosted. | <Link TBC> | LFI |
| Domain Name | Authorisation URL | The OIDC auth URL for the LFI. There can be only one auth URI for an instance. The auth URI must follow the stipulations placed by FAPI 2.0 (e.g. https only, no query parameters). | <Link TBC> | LFI |
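The Authorisation URL row places hard constraints on the value the LFI supplies: https only, no query parameters, and exactly one URL per instance. The Python below is an added example, not part of the original form or of any Ozone tooling, showing a pre-submission check for those constraints. The additional rejection of fragments and userinfo in the URL is an assumption (a defensive reading of "no query parameters", not a rule the form states), and the sample URLs are constructed placeholders, not real LFI endpoints.

```python
from urllib.parse import urlsplit


def auth_url_problems(url: str) -> list[str]:
    """Return the constraints a candidate authorisation URL violates.

    An empty list means the URL is acceptable. The https and no-query rules
    are the ones the form states for FAPI 2.0; the host, fragment and
    userinfo checks are extra sanity checks assumed in this example.
    """
    problems = []
    parts = urlsplit(url.strip())      # urlsplit lowercases the scheme for us
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("host is missing")
    if parts.query:
        problems.append("query parameters are not allowed")
    if parts.fragment:
        problems.append("fragment is not allowed")
    if parts.username or parts.password:
        problems.append("userinfo is not allowed in the URL")
    return problems


def is_valid_auth_url(url: str) -> bool:
    return not auth_url_problems(url)


def instance_auth_url_problems(urls: list[str]) -> list[str]:
    """Check the set of authorisation URLs submitted for one LFI instance.

    The form allows only one auth URI per instance, so more than one
    distinct value (after trimming whitespace) is reported as a problem,
    and every distinct value is then checked individually.
    """
    distinct = sorted({u.strip() for u in urls})
    problems = []
    if len(distinct) != 1:
        problems.append(
            f"an instance must have exactly one authorisation URL ({len(distinct)} given)"
        )
    for url in distinct:
        problems.extend(f"{url}: {p}" for p in auth_url_problems(url))
    return problems


# Constructed sample values for the form field; not real LFI endpoints.
SAMPLE_AUTH_URLS = [
    "https://auth.example-lfi.test/oauth2/authorize",
    "http://auth.example-lfi.test/oauth2/authorize",
    "https://auth.example-lfi.test/oauth2/authorize?client_id=abc",
    "https://auth.example-lfi.test/oauth2/authorize#frag",
]

if __name__ == "__main__":
    for candidate in SAMPLE_AUTH_URLS:
        print(f"{candidate}: {auth_url_problems(candidate) or 'OK'}")
```

Run the check over the value before it is entered into the form; a non-empty result is the list of reasons the URL would be rejected.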

 

 

3.0 Pre-Production Certificates

...

The table below sets out the steps for each certificate where Ozone holds the Transport & Signing Private keys.

| Section | Certificate | Steps | Additional Information to be Supplied by Ozone & LFI |
|---|---|---|---|
| Transport Server Certificate | S1: the certificate deployed onto the OFP API Hub servers to identify an LFI's instance to the TPPs. | These steps are repeated for S1, S3, C4, Sig2 and Sig3: (1) Ozone to generate private keys for the certificates; (2) Ozone to generate CSRs and hand over to LFI; (3) LFI to generate certificates on OFTF Sandbox directory; (4) Ozone to download certificates from OFTF JWKS; (5) Ozone to deploy complete certificates and chains; (6) LFI to provide JWKS URL and KID. | Ozone to insert CSR. LFI to insert certificate, JWKS URL and KID. |
| Transport Server Certificate | S3: used by Ozone's cm and hh servers to identify themselves to the LFI. | Same steps as S1. | Ozone to insert CSR. LFI to insert certificate, JWKS URL and KID. |
| Transport Client Certificate | C4: used by Ozone to identify itself to the LFI when it calls Ozone Connect APIs from the tenant. | Same steps as S1. | Ozone to insert CSR. LFI to insert certificate, JWKS URL and KID. |
| Signing Certificate | Sig2: used by the OFP API Hub to sign responses sent to the TPP. This includes signed messages from the resource server and the signature on the id_token. The TPP will use the public key in the JWKS to verify the signature. | Same steps as S1. | Ozone to insert CSR. LFI to insert certificate, JWKS URL and KID. |
| Signing Certificate | Sig3: used by the OFP API Hub to sign requests and responses sent to the LFI. This is used to sign the jwt-auth header for Ozone Connect requests, hh-pub responses and cm-pub responses. OFP API Hub will use the public key in the JWKS to verify the signature. | Same steps as S1. | Ozone to insert CSR. LFI to insert certificate, JWKS URL and KID. |
| Transport Server Certificate | S2: used by Ozone servers that publish endpoints or pages that may be consumed in web browsers. | Process fully managed by Ozone. | |

3.2 Pre-Production LFI Held Transport & Signing Private keys

The table below sets out the steps for each certificate where the LFI holds the Transport & Signing Private keys.

| Section | Certificate | Steps | Additional Information to be Supplied by LFI |
|---|---|---|---|
| Transport Client Certificate | C3: used by Ozone to recognise the LFI when it calls the hh and cm. | These steps are repeated for C3, S4 and Sig3/Sig4: (1) LFI to generate private key for the server certificate; Ozone will provide the subject for the certificate. (2) LFI to generate CSR with subject details as provided. (3) LFI to generate the certificate from OFTF Sandbox directory; Ozone to deploy. (4) LFI to provide JWKS URL and KID. | Cert subject (provided by Ozone). LFI to insert JWKS URL and KID. |
| Transport Server Certificate | S4: used by the LFI to identify its Ozone Connect service to OFP API Hub. | Same steps as C3. | Cert subject (provided by Ozone). LFI to insert JWKS URL and KID. |
| Signing Certificate | Sig3/Sig4: used by the LFI to sign requests and responses sent to OFP API Hub. This is used to sign the jwt-auth header for Ozone Connect responses, hh-pub requests and cm-pub requests. LFI will use the public key in the JWKS to verify the signature. | Same steps as C3. | Cert subject (provided by Ozone). LFI to insert JWKS URL and KID. |

3.3 Pre-Production LFI Held Encryption Private key

The table below sets out the steps for the LFI to generate the encryption private key.

| Section | Certificate | Steps | Additional Information to be Supplied by LFI |
|---|---|---|---|
| Encryption Key | Enc1: used by the TPP to encrypt PII sent to the OFP API Hub that can only be read by the LFI. The PII payloads are signed using the LFI's public key in the JWKS; the LFI decrypts them using their private key. | (1) LFI to generate private key for the server certificate; Ozone will provide the subject for the certificate. (2) LFI to generate CSR with subject details as provided. (3) LFI will generate the certificate from OFTF Sandbox directory; Ozone to deploy. (4) LFI to provide JWKS URL and KID. | Cert subject (provided by Ozone). LFI to insert JWKS URL and KID. |
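Every certificate table in section 3 ends the same way: a JWKS URL and a KID are handed over, and the counterparty (the TPP for Sig2, Ozone for the LFI-held keys, the LFI for the Ozone-held ones) uses the public key published under that KID to verify signatures or, for Enc1, to encrypt. The Python below is an added example, not code from the original form or from Ozone, showing what the receiving side should do with those two values: locate exactly one key with the given kid in the JWKS, and confirm it is published for the expected purpose ("sig" for the signing certificates, "enc" for the encryption key). The JWKS document, the kid names and the requirement that the certificate chain be present in `x5c` are assumptions made for the example; the modulus values are labelled filler, not key material. The RFC 7638 thumbprint function is included as one common way of deriving a KID from the public key, which is not a convention the form states.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used for JWK members."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint of a JWK; one common convention for a KID.

    Only the required public members of the key type are hashed, in
    lexicographic order with no whitespace, so optional members such as
    'alg', 'use', 'kid' or 'x5c' do not change the result.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]  # KeyError for key types not handled here
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def select_key(jwks: dict, kid: str, expected_use: str, require_x5c: bool = True) -> dict:
    """Return the single JWK identified by kid, or raise if the JWKS is not usable.

    expected_use is 'sig' for a signing key or 'enc' for an encryption key;
    a key with a different or missing 'use' is rejected so a signing key is
    never picked up for encryption or vice versa. require_x5c asks for the
    certificate chain to be published with the key; this is an assumption of
    the example, since the form collects a certificate for each key but does
    not say how it is published.
    """
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if not matches:
        raise LookupError(f"no key with kid {kid!r} in JWKS")
    if len(matches) > 1:
        raise ValueError(f"kid {kid!r} appears {len(matches)} times; a kid must be unique")
    key = matches[0]
    if key.get("use") != expected_use:
        raise ValueError(f"key {kid!r} has use={key.get('use')!r}, expected {expected_use!r}")
    if require_x5c and not key.get("x5c"):
        raise ValueError(f"key {kid!r} does not carry its certificate chain (x5c)")
    return key


def _constructed_rsa_jwk(kid: str, use: str, alg: str, label: str) -> dict:
    # Filler modulus made from a labelled byte string: NOT a real RSA modulus.
    return {
        "kty": "RSA", "kid": kid, "use": use, "alg": alg,
        "n": b64url(f"constructed-sample-modulus-{label}".encode("utf-8")),
        "e": "AQAB",
        "x5c": ["PLACEHOLDER-base64-DER-certificate"],
    }


# Constructed JWKS document standing in for what an LFI would publish at its
# JWKS URL: one signing key (Sig4 row) and one encryption key (Enc1 row).
SAMPLE_JWKS = {
    "keys": [
        _constructed_rsa_jwk("sig4-2024", "sig", "PS256", "sig4"),
        _constructed_rsa_jwk("enc1-2024", "enc", "RSA-OAEP-256", "enc1"),
    ]
}

if __name__ == "__main__":
    signing_key = select_key(SAMPLE_JWKS, "sig4-2024", "sig")
    print("signing key thumbprint:", jwk_thumbprint(signing_key))
    try:
        select_key(SAMPLE_JWKS, "enc1-2024", "sig")  # encryption key asked for as signing key
    except ValueError as err:
        print("rejected:", err)
```

Fetching the document from the JWKS URL is left to the caller; the point of the example is that the kid must resolve to exactly one key and that key's declared use must match what the caller is about to do with it.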