1. Introduction

This document aims to explain the role of the Trust Framework in the Open Finance UAE Program and how technical users from LFIs and TPPs are expected to interact with it. Its content is derived from the https://docs.connect.raidiam.io/ Documentation, which is referenced multiple times within this document.

2. Role of the Trust Framework

The Trust Framework enables secure data sharing between LFIs and TPPs by providing functionalities around API discovery, client onboarding and client authentication. Key roles executed by the Trust Framework in the ecosystem include:

• Trust Anchors:

  • Provide a registry of authorized participants and their access scope within the ecosystem.

• API Portal:

  • Provide a registry of all the servers, clients, and APIs that are currently live within the ecosystem.

• Keystore:

  • Provide a registry of all active keys for each participant, allowing them to recover those keys and use them to validate each other's identity, enabling trust—a key requirement for data sharing.

• PKI:

  • A public key infrastructure that enables the issuance and management of TLS, signature, and encryption certificates.

  • Provides mechanisms to verify the certificates generated on the platform PKI.

It is important to note that no consumer data passes through the Trust Framework, with the platform serving as a facilitator for secure data exchange.

For more details, visit the https://docs.connect.raidiam.io/trust-framework-types#MonDi and the https://docs.connect.raidiam.io/centralized-directory on the Raidiam Connect Documentation.

3. LFIs Responsibilities

LFIs, or users acting on behalf of LFIs, need to execute the following actions on the Trust Framework:

• Ensure Server Certificates are Valid:

  • Generate transport, signing and encryption certificates on the Trust Framework; rotating them at least once every 12 months (certificate expiration is set at 13 months).

• Ensure Published APIs are Valid and Certified:

  • Publish the API endpoints and ensure the correct version is available before any defined ecosystem go-live date.

  • Ensure server metadata is always up to date, including server logo, server description and customer-facing name.

• Integrate with Directory for Onboarding:

  • Integrate with the Trust Framework registration endpoints, ensuring all clients registered are onboarded and validated following the ecosystem Registration Framework

• Integrate Authentication:

  • Integrate with the Trust Framework JWKS endpoints, recovering client public keys when validating message signatures and executing message encryption.

  • Integrate with the Directory OCSP/CRL services, verifying that used certificates are valid and up-to-date.

Points 1 and 2 are covered in this guide as they require active directory usage. Points 3 and 4 are programmatically done and are detailed in the Ecosystem API Security Documentation.

4. LFIs Quick Access Guide

This guide assumes that the LFI has been fully onboarded to the ecosystem, having submitted all required documentation and passed all necessary KYBs and KYC requirements for entry into the ecosystem.

4.1 Creating an Account

Once a user has been granted access to the Trust Framework (granted after being added as either an Organization Administrator or Organization User), the user will receive an email with a link to the Trust Framework. The user must create an account using the same email address added to the platform.

The image below presents the steps the user is expected to take when registering for the first time, or when logging in to the platform :

Open

4.2 Signing the Ecosystem Participation Document

< This section requires definitions around the Terms and Conditions that need to be signed during the Participant Onboarding Process - Currently under definition >

For details about Terms and Conditions and how they are handled by the Directory, check the documentation under https://docs.connect.raidiam.io/terms-and-conditions

4.3 Onboarding Additional Users

Organization Administrators and certain types of https://docs.connect.raidiam.io/users , such as PBCs and PTCs, can onboard other Organization Administrators and technical users. Newly added users have the same scope as existing users. Adding/removing users in the Trust Framework can be done using the platform UI following the instructions defined at https://docs.connect.raidiam.io/add-users .

4.4 Registering Servers and APIs

LFIs are expected to maintain an up-to-date registry ofhttps://docs.connect.raidiam.io/authorisation-servers and https://docs.connect.raidiam.io/api-resources they currently support on the Open Finance Schema. LFIs must ensure that only valid and accessible resources are included in the Trust Framework to ensure an interoperable data access journey by TPPs.

4.4.1 Registering an Authorization Server

The Authorization Server Resource allows organizations to register details of their OAuth 2.0 Authorization Servers (Open ID Providers), which manage access from clients to the participant-protected APIs. The rules on how clients interact with the Authorization Server endpoints are outlined in the CBUAE FAPI 2.0 Standards.

Once included in the Trust Framework, the Authorization Server and API data can be obtained using the Trust Framework APIs, notably the Participants Public API.

Instructions on how to include an Authorization Server in the Trust Framework can be found at https://docs.connect.raidiam.io/add-authorisation-server

4.4.2 Registering API Resources

The Trust Framework enables participants to include API Resources for the products and services they offer on the schema. Participants can add to the Trust Framework only API endpoints and respective versions approved for go-live in the ecosystem.

The same Participants Public API that provides information about servers can be used to obtain details about the API resources.

Instructions on how to add and maintain API resources can be found at https://docs.connect.raidiam.io/manage-apis-for-discovery-and-integration

4.5 Creating Server Certificates

There are three types of server certificates, each with different use cases. Details about the server certificates are defined in the Certificate Standard document at https://openfinanceuae.atlassian.net/wiki/x/9ICFBg .

Instructions on how to create server certificates can be found at https://docs.connect.raidiam.io/manage-certificates-for-organisation

Servers are required to use valid TLS certificates to protect the resources registered in the Trust Framework, and a policy for updating these certificates at least once every 12 months must be set in place.

5. TPPs Quick Access Guide

This guide assumes that the TPP has been fully onboarded to the ecosystem, having submitted all required documentation and passed all necessary KYBs and KYC requirements for entry into the ecosystem.

There is no logical difference between Organization Entries used by TPPs or LFIs. Therefore, details around creating accounts, signing documents, and onboarding for TPPs are the same as for LFIs.

5.1 Creating an Account

Please refer to Trust Framework User Documentation | 4.1 Creating an Account

5.2 Signing the Ecosystem Participation Document

Please refer to Trust Framework User Documentation | 4.2 Signing the Ecosystem Participation Document

5.3 Onboarding Additional Users

Please refer to https://openfinanceuae.atlassian.net/wiki/spaces/TFDocsv1/pages/117801029/Trust+Framework+User+Documentation#4.3-Onboarding-Additional-Users

5.4 Registering Clients

The Client Resource enables organizations to register details of their OpenID Relying Parties (Clients), which will interact with OAuth 2.0 Authorization Servers to access protected APIs. The interaction rules between clients and Authorization Server endpoints are outlined in the Security Profile - FAPI document at https://openfinanceuae.atlassian.net/wiki/x/TYCFBg

When a client is created in the Trust Framework, the participant can select which regulatory roles the client has. These roles will define what types of APIs the client can access and will be validated during the client authentication process by the server whenever it requests access to an API.

Instructions on how to add and maintain API resources can be found at https://docs.connect.raidiam.io/manage-apis-for-discovery-and-integration

5.5 Creating Client Certificates

There are three types of client certificates, each with different use cases. Details about the client certificates are defined in the Certificate Standard document at https://openfinanceuae.atlassian.net/wiki/x/9ICFBg

Instructions on how to create server certificates can be found at https://docs.connect.raidiam.io/manage-certificates-for-organisation

Servers are expected to validate the certificates and signatures used by clients on every new connection and authentication request. If a client uses a revoked or expired certificate, the server will promptly deny the incoming request.

5.6 Obtaining Data

Once the client certificates have been created, the TPP can start obtaining customer data/services by accessing the registered Authorization Servers and Resources Servers using the created credentials.

The first step in this journey is to discover all the resources registered by the LFIs in the Directory. This can be done using the Participants Public API, following the discovery guidelines defined in the Registration Framework at https://openfinanceuae.atlassian.net/wiki/x/roCFBg

Once all the resources have been retrieved, the client should be able to call the Authorization Server token and PAR endpoints, as outlined in the Security Profile - FAPI document at https://openfinanceuae.atlassian.net/wiki/x/TYCFBg

It’s worth noting that there is no need for an active registration step by the clients in the Registration Framework, meaning that servers are expected to accept all incoming valid requests from clients.