Domain Names

TPP facing Domain Name

Ozone will allocate a domain name for your environment based on your BIC.

<Link TBC>

Ozone

Domain Names

LFI Facing Domain Name

Ozone will allocate a domain name for hh and cm for your environment based on your BIC.

<Link TBC>

Ozone

Domain Names

Ozone Connect Base URL

LFI to specify the base url on which Ozone Connect is hosted.

<Link TBC>

LFI

Domain Name

Authorisation URL

The OIDC auth URL for the LFI.

There can be only one auth URI for an instance.

The auth URI must follow the stipulations placed by FAPI 2.0 (e.g. HTTPS only, no query parameters).

<Link TBC>

LFI

Transport Server Certificate

S1

This is the certificates that is deployed onto the OFP servers to identify an LFI's instance to the TPPs.

These steps are repeated for S1 S3 C4 Sig2 Sig3.

1. Ozone to generate private keys for the certificates.

2. Ozone to generate CSRs and hand over to LFI.

3. LFI to generate certificates on OFTF directory.

4. Ozone to download certificates from OFTF JWKS.

5. Ozone to deploy complete certificates and chains.

Transport Server Certificate

S3

The certificate is used by Ozone’s cm and hh servers to identify themselves to the LFI.

Transport Client Certificate

C4

This certificate is used by Ozone to identify itself to the LFI when it calls Ozone Connect APIs from the tenant.

Signing Certificate

Sig2

Used by the OFP to sign responses sent to the TPP.

This includes signed messages from the resource server and the signature on the id_token.

The TPP will use the public key in the JWKS to verify the signature.

Signing Certificate

Sig3

Used by the OFP to sign requests and responses sent to the the LFI.

This is used to sign the jwt-auth header for:

• Ozone Connect requests.

• hh-pub responses.

• cm-pub responses.

OFP will use the public key in the JWKS to verify the signature.

Transport Server Certificate

S2

This certificate is used by Ozone servers that publish endpoints or pages that may be consumed in web browsers.

Process fully managed by Ozone.

Transport Client Certificate

C3

This certificate is used by Ozone to recognise the LFI when it calls the hh and cm.

These steps are repeated for C3 S4 Sig4.

1. LFIto generate private key for the server certificate.

2. Ozone will provide the subject for the certificate.

3. LFI to generate CSR with subject details as provided.

4. LFI will generate the certificate from OFTF directory.

5. Ozone to deploy.

Transport Server Certificate

S4

The certificate is used by the LFI to identify its Ozone Connect service to the OFP.

Signing Certificate

Sig4

Used by the LFI to sign requests and responses sent to OFP.

This is used to sign the jwt-auth header for:

• Ozone Connect responses.

• hh-pub requests.

• cm-pub requests.

LFI will use the public key in the JWKS to verify the signature.

Encryption Key

Enc1

Used by the TPP to encrypt PII sent to the OFP that can only be read by the LFI.

The PII payloads are signed using the LFI's public key in the JWKS..

The LFI decrypts them using their private key.

1. LFI to generate private key for the server certificate.

2. Ozonewill provide the subject for the certificate.

3. LFI to generate CSR with subject details as provided.

4. LFI will generate the certificate from OFTF directory.

5. Ozone to deploy.