Versions Compared

Version Old Version 2 New Version Current
Changes made by

Isla Humphreys

Isla Humphreys

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Note

This form is for information only. The information will be gathered using the API Hub Service Desk

Expand
titleMENU
Table of Contents
stylenone

1.0 Purpose

This form should be used to gather and share environment specific configuration details for the LFI’s Pre-Production environment.

...

Section

Certificate

Steps

Additional Information to be Supplied Ozone & LFI

Transport Server Certificate

S1

This is the certificates that is deployed onto the API Hub servers to identify an LFI's instance to the TPPs.

 

These steps are repeated for S1 S3 C4 Sig2 Sig3

  1. Ozone to generate private keys for the certificates

  2. Ozone to generate CSRs and hand over to LFI

  3. LFI to generate certificates on OFTF Sandbox directory

  4. LFI to provide JWKS URL and KID

Code Block
Ozone Insert CSR
Code Block
LFI to Insert JWKS URL 
LFI to Insert KID

Transport Server Certificate

S3

The certificate is used by Ozone’s cm and hh servers to identify themselves to the LFI

Code Block
Ozone Insert CSR
Code Block
LFI to Insert JWKS URL 
LFI to Insert KID

Transport Client Certificate

C4

This certificate is used by Ozone to identify itself to the LFI when it calls Ozone Connect APIs from the tenant

Code Block
Ozone Insert CSR
Code Block
LFI to Insert JWKS URL 
LFI to Insert KID

Signing Certificate

Sig2

Used by the API Hub to sign responses sent to the TPP.

This includes signed messages from the resource server and the signature on the id_token.

The TPP will use the public key in the JWKS to verify the signature

Code Block
Ozone Insert CSR
Code Block
LFI to Insert JWKS URL 
LFI to Insert KID

Signing Certificate

Sig3

Used by the API Hub to sign requests and responses sent to the the LFI.

This is used to sign the jwt-auth header for:

  • Ozone Connect requests

  • hh-pub responses

  • cm-pub responses

API Hub will use the public key in the JWKS to verify the signature

Code Block
Ozone Insert CSR
Code Block
LFI to Insert JWKS URL 
LFI to Insert KID

Transport Server Certificate

S2

This certificate is used by Ozone servers that publish endpoints or pages that may be consumed in web browsers.

Process fully managed by Ozone

 

...

The table below sets out the steps for each certificate where the LFI holds the Transport & Signing Private keys.

Section

Certificate

Steps

Additional Information to be Supplied by LFI

Section

Certificate

Steps

Additional Information to be Supplied by LFI

Transport Client Certificate

C3

This certificate is used by Ozone to recognise the LFI when it calls the hh and cm

These steps are repeated for C3 S4 Sig3 Sig4

  1. LFIto generate private key for the certificate

  2. LFI to generate CSR

  3. LFI to generate the certificate from OFTF Sandbox directory

  4. LFIto provide JWKS URL and KID

Code Block
LFI to Insert JWKS URL 
LFI to Insert KID

Transport Server Certificate

S4

The certificate is used by the LFI to identify its Ozone Connect service to API Hub.

Code Block
LFI to Insert JWKS URL 
LFI to Insert KID

Signing Certificate

Sig3Sig4

Used by the LFI to sign requests and responses sent to API Hub.

This is used to sign the jwt-auth header for:

  • Ozone Connect responses

  • hh-pub requests

  • cm-pub requests

LFI will use the public key in the JWKS to verify the signature.

Code Block
LFI to Insert JWKS URL 
LFI to Insert KID

...