Versions Compared

Version Old Version 3 New Version Current
Changes made by

David Plews

David Plews

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: draw.io diagram "Untitled Diagram-1720473013056.drawio" edited

...

1. Transport Certificates

Drawio
simple
mVer2
simple0
zoom1
0inComment0custContentId146899014
pageId134938814180781244
lboxcustContentId1240877573
diagramDisplayNameUntitled Diagram-1720473013056.drawio
lbox1
contentVer21
revision32
baseUrlhttps://openfinanceuae.atlassian.net/wiki
diagramNameUntitled Diagram-1720473013056.drawio
pCenter0
width1579.5
links
tbstyle
height596.5

Cert Name

Description

Issuer

Private Key held by

CSR generated by

Certificate Generated by

Actions required by LFI

C1

Identifies the TPP to OFP

OFTF

TPP

TPP

TPP

None

S2

Identifies non mtls OFP endpoints to TPP

Lets Encrypt

Ozone

NA
(uses ACME protocol)

Ozone

None

S1

Identifies mtls OFP endpoints to TPP

OFTF

Ozone

Ozone

LFI

Yes

Ozone will provide a CSR and the LFI should use the OFTF to produce the certificate

C4

Identifies OFP to LFI’s Ozone Connect endpoint

OFTF

Ozone

Ozone

LFI

Yes

S3

Identifies cm-pub and hh-pub endpoints to LFI

OFTF

Ozone

Ozone

LFI

Yes

S4

Identifies LFI’s Ozone Connect endpoint to Ozone

OFTF

LFI

LFI

LFI

Yes

Ozone will provide scripts to the LFI Scripts are available in the OFTF to assist with CSR generation if requested

The subject of the C3 certificate should be provided to Ozone.

Ozone will limit access to certificates issued by OFTF AND having that specific subject

C3

Identifies LFI to the cm-pub and hh-pub endpoints

OFTF

LFI

LFI

LFI

Yes

...

Item

Description

Issuer

Private Key Held By

CSR Generated by

Certificate Generated by

Action required by LFI

JWKS

Enc1

Used by the TPP to encrypt PII sent to the OFP that can only be read by the LFI

The PII payloads are encrypted using the LFI’s public key in the JWKS

The LFI decrypts them using their private key

OFTF

LFI

LFI

LFI

Yes

LFI’s JWKS identified by the jwks_url in the OFP’s well-known endpoint

Hosted in LFI’s JWKS on OFTF

Ozone can provide scripts to generate the CSR if requested by the LFI

3. Creating certificates

Info

Further information will be shared via the API Hub service desk, including CSRs. For more detailed information please see the example form Pre-Production Environment Specific Configuration

These steps are repeated for S1 S3 C4 Sig2 Sig3 - where the private keys is held by the API Hub

...