Versions Compared

Version Old Version 3 New Version Current
Changes made by

David Plews

David Plews

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Expand
titleMENU
Table of Contents
stylenone

1. Transport Certificates

...

Image Added

Cert Name

Description

Issuer

Private Key held by

CSR generated by

Certificate Generated by

Actions required by LFI

C1

Identifies the TPP to

...

API Hub

OFTF

TPP

TPP

TPP

None

S2

Identifies non mtls

...

API Hub endpoints to TPP

Lets Encrypt

...

API Hub

NA
(uses ACME protocol)

...

API Hub

None

S1

Identifies mtls

...

API Hub endpoints to TPP

OFTF

...

API Hub

...

API Hub

LFI

Yes

...

API Hub will provide a CSR

...

with the

...

SAN defined.
LFI must sign the CSR on the OFTF under the Organisation Certificates section

C4

Identifies

...

API Hub to LFI’s

...

API Hub Connect endpoint

OFTF

...

API Hub

...

API Hub

...

API Hub

None

S3

Identifies cm and hh endpoints to LFI

OFTF

...

API Hub

...

API Hub

LFI

Yes

...

API Hub will provide a CSR

...

LFI must sign the CSR on the OFTF

...

under the Organisation Certificates section

S4

Identifies LFI’s

...

API Hub Connect endpoint to

...

API Hub

OFTF

LFI

LFI

LFI

Yes

Scripts are available in the OFTF to assist with CSR generation

...

The subject of the C3 certificate should be provided to Ozone.

...

. Please note that a SAN must be included in this certificate to match the hostname of your Ozone Connect server.

C3

Identifies LFI to the cm and hh endpoints

OFTF

LFI

LFI

LFI

Yes

Scripts are available in the OFTF to assist with CSR generation.

LFI must create an application called

C3-hh-cm-client and sign the CSR as an Application certificate

Drawio
mVer2
zoom1
simple0
inComment0
custContentId146309209
pageId134938814
lbox1
diagramDisplayNameUntitled Diagram-1720473409295.drawio
contentVer1
revision2
baseUrlhttps://openfinanceuae.atlassian.net/wiki
diagramNameUntitled Diagram-1720473409295.drawio
pCenter0
width941
links
tbstyle
height579.5

Item

Description

Issuer

Private Key Held By

CSR Generated by

Certificate Generated by

Action required by LFI

JWKS

Sig1

Used by the TPP to sign requests sent to the

...

API Hub

(e.g. for signing the private-key-jwt, par request object etc)

...

API Hub will use the public key in the OFTF JWKS to verify the signature

OFTF

TPP

TPP

TPP

None

TPP’s JWKS identified by the jwks_url for the client.

Hosted in OFTF

Sig2

Used by the

...

API Hub to sign responses sent to the TPP

This includes signed messages from the resource server and the signature on the id_token.

The TPP will use the public key in the JWKS to verify the signature

OFTF

...

API Hub

...

API Hub

LFI

Yes

LFI’s JWKS identified by the jwks_url in the

...

API Hub’s well-known endpoint.

Hosted in OFTF

Sig3

Used by the

...

API Hub to sign requests sent to the the LFI

...

API Hub will use the public key in the JWKS to verify the signature

OFTF

...

API Hub

...

API Hub

...

API Hub

None

API Hub’s JWKS hosted in OFTF

Only required if one of these conditions is true:

  • The LFI requires JWT Auth for Application Layer Authentication to

...

  • API Hub Connect

  • The LFI uses Client Credentials Grant for Application Layer Authentication to

...

  • API Hub Connect and client authentication is set to private_key_jwt

Sig4

Used by the LFI to sign requests sent to

...

API Hub

LFI will use the public key in the JWKS to verify the signature

OFTF

LFI

...

API Hub (to assist LFI)

LFI

Yes

LFI’s JWKS hosted in OFTF

Only required if the LFI requires JWT Auth for Application Layer Authentication to CM and HH

LFI must create an application called

C3-hh-cm-client and sign the CSR as an Application certificate

2. Encryption Keys & Certs

Item

Description

Issuer

Private Key Held By

CSR Generated by

Certificate Generated by

Action required by LFI

JWKS

Enc1

Used by the TPP to encrypt PII sent to the

...

API Hub that can only be read by the LFI

The PII payloads are encrypted using the LFI’s public key in the JWKS

The LFI decrypts them using their private key

OFTF

LFI

LFI

LFI

Yes

LFI’s JWKS identified by the jwks_url in the

...

API Hub’s well-known endpoint

Hosted in LFI’s JWKS on OFTF

...

and is automatically created when certificates are signed.

LFI must sign the CSR on the OFTF under the Organisation Certificates section

3. Creating certificates

Info

Further information will be shared via the API Hub service desk, including CSRs. For more detailed information please see the example form Pre-Production Environment Specific Configuration

...

These steps are repeated for S1 S3 Sig2 - where the private keys is held by the API Hub

...

Environment Considerations

  • OFTF Sandbox is used to issue certificates in the pre-production environment.

  • OFTF Production is used to issue certificates in the production environment.

Certificate Generation for S1, S3 & Sig2 (Private Key Held by API Hub)

These certificates should be created under Organisation Certificates

  1. API Hub generates private keys for the certificates

...

Ozone to generate CSRs and hand over to LFI

...

LFI to generate certificates on the OFTF directory*

...

LFI to provide JWKS URL and KID

These steps are repeated for C3 S4 - where the private key is held by the LFI

  1. LFIto generate private key for the certificate

  2. LFI to generate CSR

  3. LFI to generate the certificate from the OFTF directory*

  4. LFIto provide JWKS URL and KID

These steps are repeated for Sig3 and C4-where the private keys is held by the API Hub

...

Ozone to generate private keys for the certificates

...

Ozone to generate CSRs

...

Ozone to generate certificates on OFTF directory*

...

  1. .

  2. API Hub generates Certificate Signing Requests (CSRs) and provides them to the LFI.

    1. S1 & S3 must contain the appropriate Subject Alternative Names (SANs) used for domain validation.

  3. LFI uses the appropriate OFTF directory (Sandbox or Prod) to generate the certificates under the Organisation Certificates section.

  4. LFI provides the JWKS URL and KID. The JWKS and KID is managed by the OFTF and will be automatically created when the certificates are signed.

Certificate Generation for S4 & Enc1 (Private Key Held by LFI)

These certificates should be created under Organisation Certificates

  1. LFI uses the appropriate OFTF directory (Sandbox or Prod) and generates the private key & CSR using the script provided on the OFTF

    1. S4 must contain the appropriate Subject Alternative Names (SANs) used for domain validation.

  2. LFI uses the appropriate OFTF directory (Sandbox or Prod) to generate the certificates under the Organisation Certificates section.

  3. LFI provides the JWKS URL and KID. The JWKS and KID is managed by the OFTF and will be automatically created when the certificates are signed.

Screenshot 2025-02-14 at 16.26.02.pngImage Added

Certificate Generation for C3 & Sig4 (Private Key Held by LFI)

These certificates are used by the LFI for communication to the API Hub.

  1. LFI uses the appropriate OFTF directory (Sandbox or Prod) and creates an Application called C3-hh-cm-client

  2. LFI generates the private key & CSR in the C3-hh-cm-client under App Certificates using the script provided on the OFTF

  3. LFI signs the CSRs in the C3-hh-cm-client under App Certificates

  4. LFI provides the JWKS URL and KID on the confluence form

Screenshot 2025-02-14 at 16.27.06.pngImage AddedScreenshot 2025-02-14 at 16.31.19.pngImage Added

*The OFTF Sandbox is used for signing certificates for the pre-production environment and the OFTF Production is used for signing certificates for the Production environment.