
1. Introduction

This document explains the role of the Trust Framework in the Open Finance UAE Program and how technical users from LFIs and TPPs are expected to interact with it. Its content is derived from the documentation at https://docs.connect.raidiam.io/, which is referenced throughout.

The Sandbox Trust Framework can be accessed at the following link:

...

  • Sign Participation Documents

    • To fully onboard onto the Ecosystem, all participants (LFIs, TPPs and VASPs) are expected to issue and sign the Ecosystem Participation Document on DocuSign.

  • Ensure Server Certificates are Valid:

    • Generate transport, signing and encryption certificates on the Trust Framework and rotate them at least once every 12 months (certificate expiry is set at 13 months, which leaves a one-month overlap to cut over to the new certificate before the old one expires).

  • Ensure Published APIs are Valid and Certified:

    • Publish the API endpoints and ensure the correct version is available before any defined ecosystem go-live date.

    • Ensure server metadata is always up to date, including server logo, server description and customer-facing name.

  • Integrate with Directory for Onboarding:

    • Integrate with the Trust Framework registration endpoints, ensuring that every registered client is onboarded and validated in line with the ecosystem Registration Framework.

  • Integrate Authentication:

    • Integrate with the Trust Framework JWKS endpoints, retrieving client public keys to validate message signatures and to encrypt messages.

    • Integrate with the Directory OCSP/CRL services, verifying that the certificates in use are valid and have not been revoked.
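The key lookup and signature check described above, written out as an added example in Go; this is not code from the Trust Framework or the Raidiam documentation. It parses a JWKS in the shape the keystore serves, selects the key by the kid in the protected header, refuses any alg other than PS256 (an assumption made here; accept whichever signing algorithms the Security Profile - FAPI document permits) and verifies the RSA-PSS signature over the JWS signing input. The RSA key pair, the kid value tf-sig-1 and the payload are constructed for the example, and signPS256 stands in for the sending client; a real server fetches the JWKS from the keystore URL over HTTPS, caches it per kid and refreshes it once on an unknown kid before rejecting.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk is the subset of an RFC 7517 RSA public key a verifier needs; the keystore serves them as {"keys":[...]}.
type jwk struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type jwks struct{ Keys []jwk `json:"keys"` }

func (k jwk) rsaPublicKey() (*rsa.PublicKey, error) {
	n, errN := b64.DecodeString(k.N)
	e, errE := b64.DecodeString(k.E)
	if k.Kty != "RSA" || errN != nil || errE != nil {
		return nil, fmt.Errorf("kid %q is not a well-formed RSA JWK", k.Kid)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// VerifyPS256 checks a compact JWS against a key set fetched from the keystore. The header's
// kid selects the key, alg must be exactly PS256 (a header claiming "none" or RS256 is rejected,
// not honoured), and the RSA-PSS/SHA-256 signature is checked over ASCII(header '.' payload).
func VerifyPS256(compact string, set jwks) ([]byte, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS: expected three segments")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if hdrJSON, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, fmt.Errorf("malformed JWS protected header")
	}
	if hdr.Alg != "PS256" {
		return nil, fmt.Errorf("rejected alg %q: only PS256 is accepted", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Use == "sig" {
			var err error
			if pub, err = k.rsaPublicKey(); err != nil {
				return nil, err
			}
			break
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no signing key with kid %q in key set", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	return b64.DecodeString(parts[1]) // payload is released only after every check passed
}

// signPS256 is the sending side, used here only to build a sample message.
func signPS256(priv *rsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// publishJWK renders the public half of priv the way the keystore would serve it.
func publishJWK(priv *rsa.PrivateKey, kid string) jwk {
	return jwk{Kty: "RSA", Kid: kid, Use: "sig", N: b64.EncodeToString(priv.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair, not a TF-issued one
	msg, _ := signPS256(priv, "tf-sig-1", []byte(`{"iss":"client-uuid"}`))
	payload, err := VerifyPS256(msg, jwks{Keys: []jwk{publishJWK(priv, "tf-sig-1")}})
	fmt.Printf("%s %v\n", payload, err)
}
```

Pinning the algorithm to the value the verifier expects, rather than trusting the alg in the header, is what closes the classic "alg":"none" and RSA/HMAC confusion bugs; the kid lookup is also restricted to keys marked use "sig", so an encryption key published in the same JWKS can never be used to accept a signature.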

...

Participants can register API Resources (https://docs.connect.raidiam.io/xwL5-api-resources) for the products and services they offer. Only API endpoints and versions approved for go-live should be added to the Trust Framework.

...

There are three types of server certificates, each serving a different purpose. Detailed information about server certificates can be found in the Certificate Standard (https://openfinanceuae.atlassian.net/wiki/x/1ICQD).

Instructions on creating server certificates are available at https://docs.connect.raidiam.io/manage-certificates-for-organisation

...

5.1 Creating an Account

Refer to section 4.1, Creating an Account (https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#4183468280#4.1-Creating-an-Account).

5.2 Signing the Terms & Conditions Document

...

Access to the Production Environment is granted once the document has been signed and reviewed by the AlTareq team.

Refer to section 4.2, Signing the Terms & Conditions Document (https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#4183468280#4.2-Signing-the-Terms-%26-Conditions-Document), for more details.

5.3 Onboarding Additional Users

Refer to section 4.3, Onboarding Additional Users (https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#4183468280#4.3-Onboarding-Additional-Users).

5.4 Registering Applications

The Applications Resource allows Organisations to register details of their OpenID Relying Parties (Clients), which interact with OAuth 2.0 Authorization Servers to access protected APIs. The interaction rules are set out in the Security Profile - FAPI document (https://openfinanceuae.atlassian.net/wiki/x/TYCQD).

When creating an Application in the Trust Framework, participants select the regulatory roles for the client, which define the types of APIs the client can access. Instructions on creating new Applications can be found at https://docs.connect.raidiam.io/add-and-manage-applications

...

Application fields (Field Name: Field Description, with an Example):

  • Client Name: the name of the application as it will appear to end users. Example: Finance Tracker Pro

  • Description: a detailed description of the application, highlighting its key features, functionalities and benefits. Example: Finance Tracker Pro helps users manage their personal finances by tracking income, expenses and savings goals. Features include budget planning, expense categorization and financial reporting.

  • Client Info URI: the URL of the application's webpage. It should take users to a page with more detailed information about the application, including its features, pricing and support. Example: https://www.financetrackerpro.com

  • Logo URI: the URL of the application's logo in PNG or JPEG format. The logo is displayed alongside the application name and description on the platform as a visual identifier for users. Example: https://www.financetrackerpro.com/logo.png

...

5.4.5 Shari’ah compliance flag

When registering or editing an Application, a field called “Flags” is available for the user to edit.

...

Details of how Shari’ah compliance is communicated to end users can be found at: https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1finalstandardsv1dot1final/pages/151850813210800446/Common+Rules+and+Guidelines#21.-Shari%E2%80%99ah-compliance-of-TPP

...

5.4.6 Registering Certifications

Clients are only authorised to operate on the Ecosystem once they have passed the full set of certifications defined in the Certification Framework, including the FAPI 2.0 UAE Relying Party Certification.

...

There are three types of client certificates, each with specific use cases. Detailed information about client certificates can be found in the Certificate Standard (https://openfinanceuae.atlassian.net/wiki/x/1ICQD).

Instructions on creating client certificates are available at https://docs.connect.raidiam.io/manage-certificates-for-application

Servers must validate the certificates and signatures presented by clients on every new connection and authentication request. If a client presents a revoked or expired certificate, the server must deny the request.

...

The technical requirements for API and server discovery are set out in the security standards, in the Registration Framework (https://openfinanceuae.atlassian.net/wiki/x/i4CQD).

5.6.2 Establishing Connection with Servers

After retrieving all the resources, clients can call the Authorization Server token and PAR endpoints, as outlined in the Security Profile - FAPI https://openfinanceuae.atlassian.net/wiki/x/TYCQD document.

Note: Clients are not required to perform an active registration step under the Registration Framework; servers accept all valid incoming requests from clients.

...

In essence, Organisation Flags describe the products or services an LFI is expected to share, while its registered API Resources (https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#4183468280#4.4.24-Registering-API-Resources) reflect what it is currently sharing.

...

Public APIs (API Name, Endpoint, Usage, Instructions / Swagger):

Participants

  • Endpoint (Sandbox): https://data.sandbox.directory.openfinance.ae/participants

  • Endpoint (Production): https://data.directory.openfinance.ae/participants

  • Usage: provides details about all the Servers registered on the Trust Framework, including:

    • Organisation Metadata

    • Registered Server API Resources

    • Server General Details

  • Instructions / Swagger: https://docs.connect.raidiam.io/find-data-providers-via-public-api and https://docs.connect.raidiam.io/participants-api

Keystores

  • Endpoint (Sandbox): https://keystore.sandbox.directory.openfinance.ae/<org_id>/<app_id>/application.jwks

  • Endpoint (Production): https://keystore.directory.openfinance.ae/<org_id>/<app_id>/application.jwks

  • Usage: provides the JWKS (public keys) for the certificates generated by the Trust Framework PKI.

    • For client certificates, replace <org_id> with the participant's Organisation UUID on the TF and <app_id> with the Client UUID.

    • For server certificates, drop <app_id> from the path and provide only <org_id>, the participant's Organisation UUID.

  • Instructions / Swagger: https://docs.connect.raidiam.io/public-and-private-keys#bz_0v

PKI Chain

  • Sandbox: https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151847123/Certificate+Standard#4.2-Sandbox-Environment

  • Production: https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151847123/Certificate+Standard#4.1-Production-Environment

  • Usage: provides the issuer and root certificates in .pem format for configuring mTLS.

  • Instructions / Swagger: https://docs.connect.raidiam.io/public-key-infrastructure#lwJo2

API Resources

  • Endpoint (Sandbox): https://web.sandbox.directory.openfinance.ae/config/apiresources

  • Endpoint (Production): https://web.directory.openfinance.ae/config/apiresources

  • Usage: provides the list of API Families that can be published on the TF. The API returns a JSON document which includes:

    • the API Families that can be published

    • the expected endpoint regular expression

    • the allowed version types

    • the certification expectation, if any

  • Instructions / Swagger: https://docs.connect.raidiam.io/xwL5-api-resources

6.2.2 mTLS Protected APIs

...

Instructions on registering an Application are given in section 5.4, Registering Applications (https://openfinanceuae.atlassian.net/wiki/spaces/TFDocv3TFDocsv4/pages/edit-v2/168263702#5183468280#5.4-Registering-Applications).

To access these protected APIs, the participant must first obtain an access token with the directory:software scope by calling the token endpoint with the client_credentials grant type. Instructions for obtaining the token can be found at https://docs.connect.raidiam.io/client-credentials-flow-obtain-access-token#YzDfh

...