JWT Auth Validation
Fixed an issue where JWT authentication validations failed when the client's CN contained a comma.
Admin Portal Enhancements
Enabled LFI Reporting on Admin Portal.
Introduced Single Sign On (SSO) for the Admin Portal.
OF-1287 - Updated test case ID AIS_C022 to include accountToTest and fixed schema related error for AIS_C001.
OF-904:
GET /accounts/{accountId}: Corrected schema for AIS_AA003.
GET /accounts: Added validation for 400 responses to check for errorCode; otherwise, schema validation is applied.
GET /accounts/{accountId}/transactions: Updated expectedFromBookingDateTime and expectedToBookingDateTime to be within the last 60 days.
Payment Consent Refund: Corrected schema paths for PIS_PR004, PIS_PR005, and PIS_PR006.
OF-1287:GET /customer: Added CustomerType to test configuration.
OF-1505:
POST /customers/action/cop-query: Fixed suppress header value for AIS_COPQ014.
Dereference schema files for validating response data of APIs have been aligned with latest API Hub Specifications (v7).
OF-1377:
Add Proxy Authentication Support via CLI Flag
Updated all API descriptions for v2.0 of the Open Finance Framework standards: Ozone API Hub Specifications
Changes are described on each page.
A diff report of the change from Version 6 is attached to each page, as applicable.
Added web sequence diagrams for CAAP Ozone Connect operations.
Added more clarifying notes to JWT Authorization page
Added two additional sections, 4.1 and 4.2 to the Integration Overview and updated section 4.6.
Added video guidance to multiple LFI Integration pages.
Added more clarifying notes to the https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv7/pages/379191347/Integration+Overview#3.5-Key-API-Hub-Components section for Health Checks API.
Added guidance on how and when Personal Identifiable Information (PII) is sent for payment scenarios: Payment Personal Identifiable Information Guide
Updated LFI Consent Management Interface Guide to include guidance on the CMI for Insurance.
Added video guidance for LFIs to create and onboard a TPP TPP Onboarding API Guide
OF-876: Fix for Payment-Log Records with 'Rejected' Status. Fixed the GET /payment-log endpoint to correctly return payment records that have been updated to a Rejected status.
OF-1246 OF-1077: Fixed validation and error handling for the page and pageSize query parameters in the GET /consent-groups/{consentGroupId}/consents endpoint when invalid values are provided.
OF-731: Resolved issues with AIS_BA017 and AIS_BA018 by assigning the correct accounts for testing, i.e., SampleAccountBadID and SampleAccountBadJSON respectively.
OF-904:
Corrected GET/transactions – In happy path cases, schema validation was failing in the new release due to invalid formats in fromBookingDateTime and toBookingDateTime fields.
Both 200 and 400 responses are now accepted for the GET /accounts API when non-comma-separated accountIds are provided.
For GET /account by accountId, the Status 'inactive' test case has been updated to return 400, as per the guidelines mentioned in Ozone Connect Implementation Guide.
The GET /account endpoint will now return a 200 response irrespective of the account status, with the correct status and other details populated in the payload, as specified in the Ozone Connect Implementation Guide.
Page size and page number have been added as query parameters for AIS_T010, AIS_COPQ008, and PIS_SIP019.
Removed PIS_SIP011, PIS_SIP012, PIS_SIP013, and PIS_SIP014 test cases for GET /payments that were checking different statuses. Instead, a generic test case now validates if the payment status is among the allowed enum values.
Schema validation has been corrected for GET /refund APIs (PI_PR004, PIS_PR005, PIS_PR006).
OF-1044 & OF-1045: Expiration date and time have been corrected.
OF-1084:ToBookingDateTime field has been added in AIS_T007.
OF-1089 & OF-1090: Schema validation is enhanced to make valid error codes and error messages mandatory. Code corrections have been made to ensure the correct response message is received for status 400.
OF-1142: New test cases have been added to validate different statuses like Closed, Dormant, etc., for GET /accounts/{accountId}. Also, Corrected GET /accounts/{accountId} to return 400 error code when account status is "Inactive".
OF-1154: A new test case, AIS_COPQ018, has been added (Negative Test – A request for a Retail user in dormant status should return 200 with an empty response using accountToTest: confirmation-of-payee-dormant-account).
OF-1179 New PaymentToTest configurations been added to test mandatory and mandatory plus optional fields.
OF-1251: Test cases PIS_SIP011, PIS_SIP012, PIS_SIP013, and PIS_SIP014 have been removed, and validations for different PaymentStatus values are now handled through PIS_SIP006, PIS_SIP008, and PIS_SIP010.
OF-1268: Page number and page size have been added to PIS_SIP015.
Consolidated config file changes are listed below for quick reference:
Corporate_Savings_Inactive : error code is added
Corporate_Savings_Suspended
Corporate_Savings_Closed
invalid-consentId-payment-refund
no-consentId-payment-refund
Retail_Savings_Closed
single-instant-payment-for-retail-mandatory
single-instant-payment-for-retail-allFields
Please find attached for reference in section 7.1.1 Sample config.yaml file Testing Tool User Guide
All outstanding CVEs are removed from the image.
Updated API Hub Reports & Datasets with the following:
Added Payment Id to Raw API Log Data and Payment Logs.
Added TPP name to necessary reports that contained a TPP Id.
Updated LFI Reports with the following:
Added TPP name to necessary reports that contained a TPP Id.
Admin Portal v3
v3 of the Admin Portal has been enhanced to include:-
Performance & Availability Widgets - Widgets have been enhanced to show API Performance, Availability and Usage over the requested time period, including a Response Code & TPP Breakdown.
Audit Logs - Added the ability to track activity undertaken via the Admin Portal, with the ability to search on User, Operation, Description, Entity, Timestamp and Status.
Reports (Beta version) - The CBUAE Reports will be available to download from the portal, with the ability to filter based on the requested date range.
Outage - Added the ability to search on past outages and added enhanced information that the user can input when adding a new outage.
Transactions API Date Filters
This release strengthened the validation logic within the Transactions API to ensure that date parameters provided in transaction requests align with the consented timeframe.
The API Hub now rigorously checks fromBookingDateTime and toBookingDateTime against the TransactionFromDateTime and TransactionToDateTime within the Consent record before processing requests.
Refund Request Handling
A issue identified that the API Hub was rejecting refund account retrieval requests when the payment consent status was in the Consumed state.
This issue affected Third-Party Providers (TPPs) using the GET /payment-consents/{ConsentId}/refund endpoint.
Decryption Algorithm Fix
This release addressed an issue related to the encryption and decryption of Personally Identifiable Information (PII).
Previously, the system defaulted to using the A128CBC-HS256 algorithm, which resulted in encryption and decryption failures. However, when using the A256GCM algorithm, encryption and decryption worked correctly.
The following changes have been applied as a result service desk tickets raised by LFIs.
OF-819 Provided a provision in the config file to include different userIds as demanded by the test case.
OF-731 & OF-700 Provided a provision in the config file to include different userIds as demanded by the test case and added the suppressHeaders: [o3-psu-identifier] key-value pair in the YAML file for scenarios where we test failures if both accountId and o3-psu-identifier are missing
OF-848 & OF-849 Added validate and augment endpoint tests for single instant payment in validate and augment tests file and Added event (post/patch) endpoints for single instant payment
OF-640 Added an additional test for Single immediate payment to include mandatory and optional fields in the request payload and updated the field paymentPurposeCode to PaymentPurposeCode as per the schema. Also corrected CreditorReference's value in payload body for POST /payment (should not includes Merchant key-value)
OF-859 Updated the accountToTest for refund related tests
Enhancing Pagination for Bank Data Sharing APIs
Implemented pagination support using page & page-size query parameters.
Alignment of HTTP Status Code for File Payment
Updated to return 200 (OK) with No Content, ensuring consistency with CBUAE specifications.
Resolution of 500 Error for /{accountId}/parties Endpoint: OF-752
The /{accountId}/parties endpoint in Postman collection was previously returning a 500 error, where the evidence object was missing.
Alignment of Confirmation of Payee Request with Swagger: OF-600
The Confirmation of Payee (CoP) request was adjusted to ensure it aligns fully with the Swagger specifications.
JWT Auth: OF-798
Fixed JWT Auth configuration affecting LFIs with current implementation.
Keys, CSRs & Certificates Various updates to provide more specific information and clarity about certificates.
JWT Authorization Various updates to provide more specific information and clarity about JWT Authorization.
API Enhancements & Standardization
Fixed status code inconsistency for POST /leads (should return 201 instead of 200).
x-fapi-* headers from TPP are now forwarded to LFI in event and action endpoints.
Fixed lowercase handling issue in POST/PATCH /consent/event/{operation}.
Consent & Authorization Improvements
directoryRecord field is returned in Consent Manager API responses.
Payment Processing & Validation Fixes
Resolved schema errors in POST payment requests for Ozone Connect PIS.
Insurance Scope Fixes
The Insurance Scope has been renamed from "Insurances" to "Insurance" as per OFTF.
The following changes have been applied as a result service desk tickets raised by LFIs.
OF-472 Update the test scenario description in the test case documentation.
OF-520 Provided a provision in the config file to include different userIds as demanded by the test case.
OF-530 The test case AIS_A006 has been updated to accept both 200 and 400 as valid status codes. LFIs can now return a 200 response, providing details of valid accounts, or it can return a 400 status code to reject the request when it contains a mix of valid and invalid accounts. AIS_AA006 test case has been updated to accept 400 or 404 status code when accountId path param is missing in the request
OF-564 Updated the request payload in the test script to align with the specifications. Change "amount" to "Amount" and "currency" to "Currency."
SDT-763 & OF-567 Both issues pertain to schema errors. The latest schema has been integrated into the testing tools, which now adhere to ajv-strict validations supported by the testing tool.
The following issue was identified in Docker Scout after scanning the testing tool image. Patches from the OS and package maintainers is not yet available. While Docker Scout rates it as medium severity, its practical impact is significantly lower in the context of an isolated test environment used solely for testing purposes:
CVE-2025-22866 (Golang stdlib): Scalar bit leakage due to variable time instruction in ppc64le assembly implementation, but doesn't affect x86, AMD64, or ARM. Not enough leakage for practical key recovery. Impact: Very low
The Product Data API has been updated to rename the root Data property to data and to make this property optional, to ensure compatibility with the API Hub. New YAMLs have been uploaded.
Keys, CSRs & Certificates Various updates to provide more specific information and clarity about certificates.
JWT Authorization Various updates to provide more specific information and clarity about JWT Authorization.
SDT-686 Resolved an issue where the GET /payments/{paymentId} API was failing with an HTTP 400 error due to a missing field in mandatory-optional scenarios.
SDT-660 Fixed an issue where users were able to create consent with a past timestamp.
SDT-674 Added support for Confirming the Payee (COP) before initiating a Single Instant Payment, with an additional Authorisation folder for COP.
Implemented /message-signature to sign the COP response.
Included the same data in the PII JSON.
When the POST/PAR endpoint is triggered and consent is created on Heimdall UI, a tick mark now appears in front of the Creditor details.
The Ozone Connect Test Cases have been updated to include the:
Product Data endpoints.
Client Credential Grant authorisation type.
The Ozone Connect Testing Tool has been enhanced to run a wide variety of scenarios based on test ID and test names using the updated regex functionality Regular Expression for Ozone Connect Testing Tool .
The following changes have been applied as a result service desk tickets raised by LFIs.
SDT-749 - Removed Assertions from test cases AIS_P017, AIS_P018 and AIS_P019 which used to check whether the error code is a particular value. Now we check only if the field errorCode is present in the Output response.
SDT-724 - Enhanced the configuration file to allow multiple user IDs to handle different test scenarios.
SDT-767 - Updated test case AIS_AA007, with status code 400 and the test automation suite is also updated to reflect the change.
SDT-791 - Updated test case AIS_AA007, with status code 400 and the test automation suite is also updated to reflect the change.
SDT-618 - Included the JWT auth capability in the testing tool.
SDT-768 - Included “tppId” and “decodedSsa” mandatory fields in the POST /Payments request.
SDT2-74 - Updated test case AIS_AA007, with status code 400 and the test automation suite is also updated to reflect the change.
The following issues were identified in Docker Scout after scanning the testing tool image. These were recently published, and patches from the OS and package maintainers are not yet available. While Docker Scout rates them as medium severity, their practical impact is significantly lower in the context of an isolated test environment used solely for testing purposes:
CVE-2024-13176 (OpenSSL on Alpine): A timing side-channel vulnerability in ECDSA signature computation could allow private key recovery but requires local access or very low latency. Not concerning for test environments. Impact: Very low
CVE-2024-12797 (OpenSSL in cryptography): Vulnerability in OpenSSL versions used by pyca/cryptography wheels, but Alpine's OpenSSL is unaffected. Low impact unless Raw Public Keys (RPKs) are explicitly enabled. Low impact considering testing tool execution in isolated environment. Impact: Very low
CVE-2025-22866 (Golang stdlib): Scalar bit leakage due to variable time instruction in ppc64le assembly implementation, but doesn't affect x86, AMD64, or ARM. Not enough leakage for practical key recovery. Impact: Very low
The following changes have been applied as a result service desk tickets raised by LFIs.
SDT-287 Corrected the status code for POST /auth/{interactionId}/doConfirm and /auth/{interactionId}/doFail from 302 to 303, aligning with the standard.
SDT-442 Enhanced API security by incorporating JWT token validation for incoming requests and signing outgoing responses.
SDT-446 JWT authentication now supports PEM and JWE formats, enhancing compatibility and enabling encrypted JWTs.
SDT-570 PAR now has an expiration time of 600 seconds, enhancing security and data freshness.
SDT-589 Improved SIP consent status handling by transitioning to a "Consumed" status upon payment failure, aligning with expected behaviour and enhancing CMI UI functionality.
SDT-597 Fixed null value issue in consent event endpoint, ensuring presence of required data for successful patching.
SDT-611 Resolved /parties endpoint behaviour for consents with only ReadPartyUserIdentity permission, aligning with Customer Data Statement and eliminating the need for account ID during patching.
SDT-615 Enhanced event notifications to include PATCH events for all consent statuses, including Revoked, Expired, Consumed, and Suspended.
SDT-627 We have implemented a new cron job, ConsentExpiryCronJob, to proactively identify and process expired consents. This ensures that short-lived consents are correctly deactivated after their expiration time, aligning with user expectations and privacy requirements.
SDT-643 Corrected the error response for the PATCH /consents/{consentId} API to return a 400 Bad Request status code when an invalid consent ID is provided, aligning with the API Hub documentation.
SDT2-25 The problem where dates in the correct ISO 8601 format were causing errors has been fixed. Dates are now accepted and processed properly.
The Ozone Connect Test Cases have been updated to include a comprehensive list of implemented test cases. Additionally, a Test Scenario ID has been introduced to serve as the parent test case for better organization and traceability.
Key updates include:
New Test Cases Added:
International Payments
Get Refunds
Insurance Endpoints
Updated Response Code:
The response code for missing the accountId path parameter has been revised from 401 to 400.
Header Validation Tests:
These tests have been refined and are now restricted to a limited subset of headers. Invalid header tests are removed except for o3-psu-identifier.
SDT-538 The documentation for the testing tool has been updated to include Test Scenario IDs, which serve as links to groups of related test cases. These IDs are independent of the Open API Specification, as test case IDs will no longer be maintained there. Moving forward, the testing tool documentation will act as the single source of truth for all test case references. The Open API Specifications have been updated to reflect this change.
SDT-574 This is a schema related issue and there is no fix required from test tool , with updated schema the test case should now work as expected.
SDT-575 Guidance on negative test cases has been detailed in the ticket, and the test suite has been updated accordingly. The updated test suite now focuses on retaining the necessary header validations required for testing.
SDT-606 Fix includes updating the url of get /accounts in the correct format.
SDT-618 Included the provision of the JWT auth header.
SDT-619 The duplicate test case descriptions have been resolved, and the issue related to expect and assert have also been fixed. The testing report now distinguishes between an assertion and expectation.
SDT-696 Tests validating the o3-api-uri for invalid values have been removed from the test suite.
SDT-721 The test suite is updated to exclude unsupported sub-types. It now includes tests only for Savings and CurrentAccount. Regarding Account Types, the currently supported types are Retail, Corporate, and SME. Please ensure that you execute the combinations supported by your LFI. Achieving 100% coverage means that all tests relevant to your specific line of business must be thoroughly executed.
SDT-750 Removed mandatory header validation o3-consent-id for GET /customer endpoint.
SDT-648 Added pagination properties to Consent Manager API description.
Added PSU ID for 1.7.4 Payment Logs
Added PSU ID for 1.1 Raw API Log Data
Added Sum of TTLB (Time to Last Byte) for 1.4.1 OFP Performance
Added Sum of TTLB (Time to Last Byte) for 1.4.2 LFI Performance
Added the following to Pre-Production Environment Specific Configuration:
A section for OFTF SB Org ID and Org Name.
A section for Admin Portal URL and IP Address.
Added the following to Production Environment Specific Configuration
A section for OFTF SB Org ID and Org Name.
A section for Admin Portal URL and IP Address.
Introduced a command-line script to simplify adding configurations to the test suite, allowing users to update config.yaml with paymentTypes, account types, and other parameters effortlessly.https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv7/pages/379192644/Testing+Tool+User+Guide#7.-Detailed-Steps-to-run-the-Testing-Tool
Extended the number of test cases for CoP and Multi Payments.https://ozoneapi.atlassian.net/wiki/spaces/OT/pages/1975419042/Ozone+Connect+Test+Cases
Added a comprehensive UI to display logs, assertions, inputs, and outputs for endpoints, improving visibility and debugging capabilitiesTesting Tool User Guide
Removed the mounting of config and logs files in the docker run command for streamlined execution Testing Tool User Guide
Indicated the test cases implemented in the current version of the test framework. Implemented Test Cases
Added the Products Data OpenAPI API description that defines the Ozone Connect requirements for supporting product data APIs.
Updated certificates generated section for C4 and Sig3 certs Keys, CSRs & Certificates. In addition to updating section 3 generating certificate steps for C4 and Sig3.
Updated steps for C4 and Sig3 certs Pre-Production Environment Specific Configuration
Updated steps for C4 and Sig3 certs Production Environment Specific Configuration
Updated Pre Requisites Questionnaire to remove questions that are no longer required and added more detail to the questions and answers where needed.
Updated https://ozoneapi.atlassian.net/wiki/spaces/OT/pages/1963950120/Testing+Tool+User+Guide#6.1.2-Generating-the-SSL-certificates. to provide more details on SSL certificates generation.
Changed Bank Data Sharing OpenAPI:
Changed finalPaymentDateTime, numberOfPayments and finalPaymentAmount to optional in standing order response.
Removed balanceType query parameter on get /accounts/{accountId}/balances API operation as not supported at API Hub.
Removed test case references and notes on test cases. Test case information is now managed separately: https://ozoneapi.atlassian.net/wiki/spaces/OT/pages/1975419042/Ozone+Connect+Test+Cases.
Changed Insurance Data Sharing OpenAPI:
Changed Customer to optional in policy data to correctly support data clusters.
Removed PolicyType as no longer required as now identified by the API operation URL.
Removed test case references and notes on test cases. Test case information is now managed separately: https://ozoneapi.atlassian.net/wiki/spaces/OT/pages/1975419042/Ozone+Connect+Test+Cases.
Changed Consent Manager OpenAPI :
Changed account access and insurance permissions from string to array of string values.
Changed Consent Event & Actions OpenAPI :
Changed account access and insurance permissions from string to array of string values.
Removed test case references and notes on test cases. Test case information is now managed separately: https://ozoneapi.atlassian.net/wiki/spaces/OT/pages/1975419042/Ozone+Connect+Test+Cases.
Changed Authorization Server OpenAPI :
Changed interactionId to optional for 400 responses to get /auth API operation.
Changed Health Checks OpenAPI :
Added Security Requirements and default responses.
Removed test case references and notes on test cases. Test case information is now managed separately: https://ozoneapi.atlassian.net/wiki/spaces/OT/pages/1975419042/Ozone+Connect+Test+Cases.
6 Sept 2024
https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv1