
Release Notes

Version 6

 

26th March 2025

1. API Hub Documentation

  • Updated API Hub Reports & Datasets with the following:

    • Added Payment Id to Raw API Log Data and Payment Logs.

    • Added TPP name to necessary reports that contained a TPP Id.

  • Updated LFI Reports with the following:

    • Added TPP name to necessary reports that contained a TPP Id.

2. API Hub & Ozone Connect

  • Admin Portal v3
    v3 of the Admin Portal has been enhanced to include:

    • Performance & Availability Widgets - Widgets have been enhanced to show API Performance, Availability and Usage over the requested time period, including a Response Code & TPP Breakdown.

    • Audit Logs - Added the ability to track activity undertaken via the Admin Portal, with the ability to search on User, Operation, Description, Entity, Timestamp and Status.

    • Reports (Beta version) - The CBUAE Reports will be available to download from the portal, with the ability to filter based on the requested date range.

    • Outage - Added the ability to search on past outages and added enhanced information that the user can input when adding a new outage.

  • Transactions API Date Filters

    • This release strengthened the validation logic within the Transactions API to ensure that date parameters provided in transaction requests align with the consented timeframe.

    • The API Hub now rigorously checks fromBookingDateTime and toBookingDateTime against the TransactionFromDateTime and TransactionToDateTime within the Consent record before processing requests.

  • Refund Request Handling

    • An issue was identified where the API Hub was rejecting refund account retrieval requests when the payment consent status was in the Consumed state.

    • This issue affected Third-Party Providers (TPPs) using the GET /payment-consents/{ConsentId}/refund endpoint.

  • Decryption Algorithm Fix

    • This release addressed an issue related to the encryption and decryption of Personally Identifiable Information (PII).

    • Previously, the system defaulted to using the A128CBC-HS256 algorithm, which resulted in encryption and decryption failures. However, when using the A256GCM algorithm, encryption and decryption worked correctly.
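
The consent-window check described under Transactions API Date Filters above, as an added Python example (not API Hub code). The function names, the fallback for omitted filters, the open-ended handling of an absent consent bound and the rejection of timestamps without an offset are assumptions; only the four field names come from the release note.

```python
from datetime import datetime, timezone

class DateFilterError(ValueError):
    """The requested booking-date filter is malformed or outside the consent."""

def parse_ts(value, field):
    # "Z" is normalised so the parse also works on Python versions before 3.11.
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        raise DateFilterError(f"{field}: not an ISO 8601 date-time")
    if ts.tzinfo is None:
        # Assumption: a timestamp without an offset is rejected, not guessed at.
        raise DateFilterError(f"{field}: missing UTC offset")
    return ts.astimezone(timezone.utc)

def effective_window(query, consent):
    """Return the (from, to) window in UTC, or raise DateFilterError."""
    def bound(src, key):
        return parse_ts(src[key], key) if src.get(key) else None
    lo = bound(consent, "TransactionFromDateTime")
    hi = bound(consent, "TransactionToDateTime")
    # Assumption: an omitted filter falls back to the consented bound, and an
    # absent consent bound leaves that side of the window open.
    frm = bound(query, "fromBookingDateTime") or lo
    to = bound(query, "toBookingDateTime") or hi
    if frm and to and frm > to:
        raise DateFilterError("fromBookingDateTime is after toBookingDateTime")
    if lo and frm < lo:
        raise DateFilterError("fromBookingDateTime precedes TransactionFromDateTime")
    if hi and to > hi:
        raise DateFilterError("toBookingDateTime exceeds TransactionToDateTime")
    return frm, to

# Constructed consent record and requests, for illustration only.
CONSENT = {"TransactionFromDateTime": "2025-01-01T00:00:00Z",
           "TransactionToDateTime": "2025-03-31T23:59:59Z"}

def check(query):
    try:
        effective_window(query, CONSENT)
        return "ok"
    except DateFilterError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    for q in ({"fromBookingDateTime": "2025-02-01T00:00:00+04:00"},
              # 03:00 at +04:00 is 23:00 UTC on 31 December: before the consent.
              {"fromBookingDateTime": "2025-01-01T03:00:00+04:00"}):
        print(q, "->", check(q))
```

Comparing in UTC is what catches the second request: as a plain string it sorts after the consent start, but it refers to an instant before it.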

3. Testing Tool

The following changes have been applied as a result of service desk tickets raised by LFIs.

  1. OF-819 Provided a provision in the config file to include different userIds as demanded by the test case.

  2. OF-731 & OF-700 Provided a provision in the config file to include different userIds as demanded by the test case, and added the suppressHeaders: [o3-psu-identifier] key-value pair in the YAML file for scenarios where we test failures if both accountId and o3-psu-identifier are missing.

  3. OF-848 & OF-849 Added validate and augment endpoint tests for single instant payment in the validate and augment tests file, and added event (POST/PATCH) endpoints for single instant payment.

  4. OF-640 Added an additional test for Single immediate payment to include mandatory and optional fields in the request payload and updated the field paymentPurposeCode to PaymentPurposeCode as per the schema. Also corrected CreditorReference's value in the payload body for POST /payment (it should not include the Merchant key-value).

  5. OF-859 Updated the accountToTest for refund related tests


Mar 17, 2025

API Hub & Ozone Connect

  1. Enhancing Pagination for Bank Data Sharing APIs

    • Implemented pagination support using page & page-size query parameters.

  2. Alignment of HTTP Status Code for File Payment

    • Updated to return 200 (OK) with No Content, ensuring consistency with CBUAE specifications.

  3. Resolution of 500 Error for /{accountId}/parties Endpoint: OF-752

    • The /{accountId}/parties endpoint in the Postman collection was previously returning a 500 error, where the evidence object was missing.

  4. Alignment of Confirmation of Payee Request with Swagger: OF-600

    • The Confirmation of Payee (CoP) request was adjusted to ensure it aligns fully with the Swagger specifications.

  5. JWT Auth: OF-798

    • Fixed JWT Auth configuration affecting LFIs with current implementation.


26th February 2025

1. API Hub Documentation

  • Keys, Certificates & CSRs: Various updates to provide more specific information and clarity about certificates.

  • JWT Authorization: Various updates to provide more specific information and clarity about JWT Authorization.

2. API Hub & Ozone Connect

  1. API Enhancements & Standardization

    • Fixed status code inconsistency for POST /leads (should return 201 instead of 200).

    • x-fapi-* headers from TPP are now forwarded to LFI in event and action endpoints.

    • Fixed lowercase handling issue in POST/PATCH /consent/event/{operation}.

  2. Consent & Authorization Improvements

    • directoryRecord field is returned in Consent Manager API responses.

  3. Payment Processing & Validation Fixes

    • Resolved schema errors in POST payment requests for Ozone Connect PIS.

  4. Insurance Scope Fixes

    • The Insurance Scope has been renamed from "Insurances" to "Insurance" as per OFTF.

3. Testing Tool

The following changes have been applied as a result of service desk tickets raised by LFIs.

  1. OF-472 Update the test scenario description in the test case documentation.

  2. OF-520 Provided a provision in the config file to include different userIds as demanded by the test case.

  3. OF-530 The test case AIS_A006 has been updated to accept both 200 and 400 as valid status codes. LFIs can now return a 200 response, providing details of valid accounts, or return a 400 status code to reject the request when it contains a mix of valid and invalid accounts. The AIS_AA006 test case has been updated to accept a 400 or 404 status code when the accountId path param is missing in the request.

  4. OF-564 Updated the request payload in the test script to align with the specifications. Changed "amount" to "Amount" and "currency" to "Currency".

  5. SDT-763 & OF-567 Both issues pertain to schema errors. The latest schema has been integrated into the testing tools, which now adhere to ajv-strict validations supported by the testing tool.

4. Testing Tool Known Issues

The following issue was identified in Docker Scout after scanning the testing tool image. Patches from the OS and package maintainers are not yet available. While Docker Scout rates it as medium severity, its practical impact is significantly lower in the context of an isolated test environment used solely for testing purposes:

CVE-2025-22866 (Golang stdlib): Scalar bit leakage due to variable time instruction in ppc64le assembly implementation, but doesn't affect x86, AMD64, or ARM. Not enough leakage for practical key recovery. Impact: Very low


12th February 2025

1. API Hub Documentation

  • The Product Data API has been updated to rename the root Data property to data and to make this property optional, to ensure compatibility with the API Hub. New YAMLs have been uploaded.

  • Keys, Certificates & CSRs: Various updates to provide more specific information and clarity about certificates.

  • JWT Authorization: Various updates to provide more specific information and clarity about JWT Authorization.

2. API Hub & Ozone Connect

  • SDT-686 Resolved an issue where the GET /payments/{paymentId} API was failing with an HTTP 400 error due to a missing field in mandatory-optional scenarios.

  • SDT-660 Fixed an issue where users were able to create consent with a past timestamp.

  • SDT-674 Added support for Confirming the Payee (COP) before initiating a Single Instant Payment, with an additional Authorisation folder for COP.

    • Implemented /message-signature to sign the COP response.

    • Included the same data in the PII JSON.

    • When the POST/PAR endpoint is triggered and consent is created on Heimdall UI, a tick mark now appears in front of the Creditor details.

3. Testing Tool

  • The Ozone Connect Test Cases have been updated to include the:

    • Product Data endpoints.

    • Client Credential Grant authorisation type.

  • The Ozone Connect Testing Tool has been enhanced to run a wide variety of scenarios based on test ID and test names using the updated regex functionality (see Regular Expression for Ozone Connect Testing Tool).

The following changes have been applied as a result of service desk tickets raised by LFIs.

  1. SDT-749 - Removed Assertions from test cases AIS_P017, AIS_P018 and AIS_P019 which used to check whether the error code is a particular value. Now we check only if the field errorCode is present in the Output response.

  2. SDT-724 - Enhanced the configuration file to allow multiple user IDs to handle different test scenarios.

  3. SDT-767 - Updated test case AIS_AA007, with status code 400 and the test automation suite is also updated to reflect the change.

  4. SDT-791 - Updated test case AIS_AA007, with status code 400 and the test automation suite is also updated to reflect the change.

  5. SDT-618 - Included the JWT auth capability in the testing tool.

  6. SDT-768 - Included “tppId” and “decodedSsa” mandatory fields in the POST /Payments request.

  7. SDT2-74 - Updated test case AIS_AA007, with status code 400 and the test automation suite is also updated to reflect the change.

4. Testing Tool Known Issues

The following issues were identified in Docker Scout after scanning the testing tool image. These were recently published, and patches from the OS and package maintainers are not yet available. While Docker Scout rates them as medium severity, their practical impact is significantly lower in the context of an isolated test environment used solely for testing purposes:

CVE-2024-13176 (OpenSSL on Alpine): A timing side-channel vulnerability in ECDSA signature computation could allow private key recovery but requires local access or very low latency. Not concerning for test environments. Impact: Very low

CVE-2024-12797 (OpenSSL in cryptography): Vulnerability in OpenSSL versions used by pyca/cryptography wheels, but Alpine's OpenSSL is unaffected. Low impact unless Raw Public Keys (RPKs) are explicitly enabled. Low impact considering testing tool execution in isolated environment. Impact: Very low

CVE-2025-22866 (Golang stdlib): Scalar bit leakage due to variable time instruction in ppc64le assembly implementation, but doesn't affect x86, AMD64, or ARM. Not enough leakage for practical key recovery. Impact: Very low


23rd January 2025

The following changes have been applied as a result of service desk tickets raised by LFIs.

1. API Hub

  1. SDT-287 Corrected the status code for POST /auth/{interactionId}/doConfirm and /auth/{interactionId}/doFail from 302 to 303, aligning with the standard.

  2. SDT-442 Enhanced API security by incorporating JWT token validation for incoming requests and signing outgoing responses.

  3. SDT-446 JWT authentication now supports PEM and JWE formats, enhancing compatibility and enabling encrypted JWTs.

  4. SDT-570 PAR now has an expiration time of 600 seconds, enhancing security and data freshness.

  5. SDT-589 Improved SIP consent status handling by transitioning to a "Consumed" status upon payment failure, aligning with expected behaviour and enhancing CMI UI functionality.

  6. SDT-597 Fixed null value issue in consent event endpoint, ensuring presence of required data for successful patching.

  7. SDT-611 Resolved /parties endpoint behaviour for consents with only ReadPartyUserIdentity permission, aligning with Customer Data Statement and eliminating the need for account ID during patching.

  8. SDT-615 Enhanced event notifications to include PATCH events for all consent statuses, including Revoked, Expired, Consumed, and Suspended.

  9. SDT-627 We have implemented a new cron job, ConsentExpiryCronJob, to proactively identify and process expired consents. This ensures that short-lived consents are correctly deactivated after their expiration time, aligning with user expectations and privacy requirements.

  10. SDT-643 Corrected the error response for the PATCH /consents/{consentId} API to return a 400 Bad Request status code when an invalid consent ID is provided, aligning with the API Hub documentation.

  11. SDT2-25 The problem where dates in the correct ISO 8601 format were causing errors has been fixed. Dates are now accepted and processed properly.

2. Testing tool & documentation

The Ozone Connect Test Cases have been updated to include a comprehensive list of implemented test cases. Additionally, a Test Scenario ID has been introduced to serve as the parent test case for better organization and traceability.
Key updates include:

  1. New Test Cases Added:

    • International Payments

    • Get Refunds

    • Insurance Endpoints

  2. Updated Response Code:

    • The response code for missing the accountId path parameter has been revised from 401 to 400.

  3. Header Validation Tests:

    • These tests have been refined and are now restricted to a limited subset of headers. Invalid header tests are removed except for o3-psu-identifier.

  4. SDT-538 The documentation for the testing tool has been updated to include Test Scenario IDs, which serve as links to groups of related test cases. These IDs are independent of the Open API Specification, as test case IDs will no longer be maintained there. Moving forward, the testing tool documentation will act as the single source of truth for all test case references. The Open API Specifications have been updated to reflect this change.

  5. SDT-574 This is a schema-related issue and no fix is required in the testing tool; with the updated schema the test case should now work as expected.

  6. SDT-575 Guidance on negative test cases has been detailed in the ticket, and the test suite has been updated accordingly. The updated test suite now focuses on retaining the necessary header validations required for testing.

  7. SDT-606 Fix includes updating the URL of GET /accounts to the correct format.

  8. SDT-618 Included the provision of the JWT auth header.

  9. SDT-619 The duplicate test case descriptions have been resolved, and the issues related to expect and assert have also been fixed. The testing report now distinguishes between an assertion and an expectation.

  10. SDT-696 Tests validating the o3-api-uri for invalid values have been removed from the test suite.

  11. SDT-721 The test suite is updated to exclude unsupported sub-types. It now includes tests only for Savings and CurrentAccount. Regarding Account Types, the currently supported types are Retail, Corporate, and SME. Please ensure that you execute the combinations supported by your LFI. Achieving 100% coverage means that all tests relevant to your specific line of business must be thoroughly executed.

  12. SDT-750 Removed mandatory header validation o3-consent-id for GET /customer endpoint.

  13. SDT-648 Added pagination properties to Consent Manager API description.


17th December 2024

1. What’s new?

2. What’s changed?


Version 5

https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv5/pages/180782389

Version 4

6 Sept 2024

https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv4/pages/168265259

Version 3

Aug 5, 2024

https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv3/pages/134939470

Version 2

Jul 9, 2024

https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv2/pages/124322189

Version 1

Jun 28, 2024

https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv1

© Ozone Financial Technology Limited 2024-2025
Ozone Non Commercial Software EULA