wso2 / docs-open-banking

Apache License 2.0

JWS signature validation changes after waiver 007 expiry #157

Closed kasundharmadasa closed 3 years ago

kasundharmadasa commented 4 years ago

Description:

  1. Add the following handler as the first handler at the section in the /repository/resources/api_templates/velocity_template.xml

    ```xml
    ## API properties handler to add the required properties to the message context
    <handler class="com.wso2.finance.open.banking.gateway.common.APIPropertiesHandler">
        <property name="xWso2ApiSpec" value='$apiObj.additionalProperties.get("ob-spec")'/>
        <property name="xWso2ApiVersion" value='$apiObj.additionalProperties.get("ob-api-version")'/>
        <property name="xWso2ApiType" value='$apiObj.additionalProperties.get("ob-api-type")'/>
    </handler>
    ```
  2. Make sure that the following handler is uncommented in velocity_template.xml and available in all the Accounts, Payments and CoF APIs.

    ```xml
    <handler class="com.wso2.finance.open.banking.gateway.jws.UKJwsSignatureHandler"/>
    ```
  3. Add the following handler in the /repository/conf/synapse-handlers.xml file as the last handler.

    ```xml
    <handler name="UkJwsResponseSignatureHandler" class="com.wso2.finance.open.banking.gateway.jws.UkJwsResponseSignatureHandler">
    </handler>
    ```
  4. Login to WSO2 OB API Manager Publisher portal (https://localhost:9443/publisher)

  5. Edit the existing Accounts, Payments and COF APIs to include the following API Property. Edit API -> Manage -> API Properties

    Property Name: ob-api-version
    Property Value: 3.1.1 (or the specification version that has been currently implemented)

  6. Save and Publish to redeploy all the Accounts, Payments and COF APIs.

  7. The signature validation related configuration can be found under the and in /repository/conf/finance/open-banking.xml

    
    ```xml
    <SigningConfiguration>
        <!-- Enable Response Signing -->
        <Enable>true</Enable>
        <OBIE>
            <!--
                Trusted Anchor Configuration
            -->
            <TrustedAnchors>
                <!-- Domain name that is registered to and identifies the Trust Anchor that hosts the public counterpart of the key used for signing the response. Included in the claim http://openbanking.org.uk/tan -->
                <Signing>openbanking.org.uk</Signing>
                <!--
                    Trusted domain names that are registered to and identify the Trust Anchors that host the public counterpart of the key used for request signing by the TPP. The value included in the claim http://openbanking.org.uk/tan of the TPP's JOSE header will be validated against the following list of domain names.
                    Multiple values are supported with the `|` delimiter,
                    e.g. trustanchor.org|trustanchor.org.uk
                -->
                <Validation>openbanking.org.uk</Validation>
            </TrustedAnchors>
            <!-- Organization Id of the ASPSP. This value is used as the http://openbanking.org.uk/iss claim during response signing -->
            <OrganizationId>ABC1234</OrganizationId>
        </OBIE>
        <!-- Default Signing Algorithm is PS256; to support others, uncomment the line below -->
        <!--<Algorithm>RS256</Algorithm>-->

        <!-- By default the UK specification mandates the Payment and Event Notification APIs to have request/response message signing. Hence, the following specified APIs will be mandated for message signing. -->
        <MandatedAPIs>
            <APIContext>/open-banking/v3.0/event-notification/</APIContext>
            <APIContext>/open-banking/v3.0/pisp/</APIContext>
            <APIContext>/open-banking/v3.1/event-notification/</APIContext>
            <APIContext>/open-banking/v3.1/pisp/</APIContext>
        </MandatedAPIs>
        <ResponseSignatureRequiredAPIs>
            <APIContext>/open-banking/v3.0/pisp/</APIContext>
            <APIContext>/open-banking/v3.1/pisp/</APIContext>
        </ResponseSignatureRequiredAPIs>
    </SigningConfiguration>
    ```

    ```xml
    <OBIdentityRetriever>
        <!--
            Server Key configuration
            used for signing purposes, e.g. message signing
        -->
        <Server>
            <!-- Alias of the certificate used for signing (in repository/resources/security/wso2carbon.jks) -->
            <SigningCertificateAlias>wso2carbon</SigningCertificateAlias>

            <!-- KID value for the primary signing certificate that is exposed by the JWKS endpoint under the OIDC well-known endpoint (by default https://localhost:8243/.well-known/openid-configuration) -->
            <SigningCertificateKid></SigningCertificateKid>
        </Server>
    </OBIdentityRetriever>
    ```
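As an added illustration of the checks that the SigningConfiguration above describes (example code written for this thread, not the implementation of the WSO2 gateway's UKJwsSignatureHandler), the following Python loads a constructed open-banking.xml fragment, decides whether an API context falls under the MandatedAPIs list, and inspects a TPP's detached JWS header (the x-jws-signature value, in `header..signature` form) for the configured algorithm, a `http://openbanking.org.uk/tan` claim that matches the `|`-delimited Validation list, and a `kid`. The config fragment, the header contents and the detached JWS with its placeholder signature are all constructed; cryptographic verification of the signature bytes against the TPP's JWKS key is not shown.

```python
"""Added example: header-level checks modelled on the SigningConfiguration above.

Illustrative code for this thread, not the WSO2 UKJwsSignatureHandler. It covers
only the config-driven checks (mandated API contexts, configured algorithm,
trusted anchor domain, kid present); verifying the signature bytes against the
TPP's JWKS key is out of scope here.
"""
import base64
import json
import xml.etree.ElementTree as ET

# Constructed open-banking.xml fragment in the shape shown earlier in this issue.
SAMPLE_CONFIG = """
<SigningConfiguration>
    <Enable>true</Enable>
    <OBIE>
        <TrustedAnchors>
            <Signing>openbanking.org.uk</Signing>
            <Validation>openbanking.org.uk|trustanchor.example</Validation>
        </TrustedAnchors>
        <OrganizationId>ABC1234</OrganizationId>
    </OBIE>
    <MandatedAPIs>
        <APIContext>/open-banking/v3.1/event-notification/</APIContext>
        <APIContext>/open-banking/v3.1/pisp/</APIContext>
    </MandatedAPIs>
</SigningConfiguration>
"""

TAN_CLAIM = "http://openbanking.org.uk/tan"


def load_signing_config(xml_text):
    """Parse the parts of SigningConfiguration that the checks below need."""
    root = ET.fromstring(xml_text)
    # The config comment says PS256 is the default unless <Algorithm> is set.
    algorithm = (root.findtext("Algorithm") or "PS256").strip()
    validation = root.findtext("OBIE/TrustedAnchors/Validation") or ""
    return {
        "enabled": (root.findtext("Enable") or "").strip().lower() == "true",
        "algorithm": algorithm,
        # Multiple trusted anchors are '|'-delimited, per the config comment.
        "trusted_anchors": {d.strip() for d in validation.split("|") if d.strip()},
        "mandated_contexts": [e.text.strip() for e in root.findall("MandatedAPIs/APIContext")],
    }


def is_signing_mandated(api_context, config):
    """True when the request path falls under one of the MandatedAPIs contexts."""
    return any(api_context.startswith(ctx) for ctx in config["mandated_contexts"])


def build_detached_jws(header):
    """Constructed detached JWS ('header..signature') with a placeholder signature."""
    protected = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return protected + "..placeholder-signature"


def decode_jose_header(detached_jws):
    """Decode the protected header of a detached JWS; the payload segment must be empty."""
    protected, payload, _signature = detached_jws.split(".")
    if payload != "":
        raise ValueError("expected a detached JWS with an empty payload segment")
    padded = protected + "=" * (-len(protected) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_jose_header(header, config):
    """Return the list of problems found; an empty list means the header passes."""
    problems = []
    if header.get("alg") != config["algorithm"]:
        problems.append(f"alg {header.get('alg')!r} is not the configured {config['algorithm']!r}")
    tan = header.get(TAN_CLAIM)
    if tan not in config["trusted_anchors"]:
        problems.append(f"{TAN_CLAIM} {tan!r} is not a trusted anchor")
    if not header.get("kid"):
        problems.append("missing kid, so the signing key cannot be looked up in the TPP's JWKS")
    return problems


if __name__ == "__main__":
    cfg = load_signing_config(SAMPLE_CONFIG)
    good = build_detached_jws({"alg": "PS256", "kid": "key-1", TAN_CLAIM: "openbanking.org.uk"})
    bad = build_detached_jws({"alg": "RS256", TAN_CLAIM: "unknown.example"})
    print("pisp mandated:", is_signing_mandated("/open-banking/v3.1/pisp/domestic-payments", cfg))
    print("good header problems:", check_jose_header(decode_jose_header(good), cfg))
    print("bad header problems:", check_jose_header(decode_jose_header(bad), cfg))
```

The prefix match in `is_signing_mandated` mirrors how the APIContext entries are written (a context path with a trailing slash), and `check_jose_header` reports every failing check rather than stopping at the first, which is the more useful shape for gateway logs when a TPP's signature is rejected.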
isharailanga commented 4 years ago

Updated the following pages:

The WUM update note contains the live sync date as 'June 25, 2020 (06-25-2020)', which is a dummy date. @ashi1993, please keep us updated with the correct live sync date.

isharailanga commented 4 years ago

Updated the notes with the released date as today.

kasundharmadasa commented 4 years ago

@isharailanga I added some additional content by updating point 7. I'd appreciate it if you could update the docs with the newly updated content in point 7.

isharailanga commented 4 years ago

Updated the configs, please review. @kasundharmadasa

Ashi1993 commented 4 years ago

@isharailanga Patch release date for 130 is 20th June, and please get an update from Akila for the 140 patch.

We have to include this in 150 as well since the front porting patch is in progress now.

isharailanga commented 4 years ago

@akila94 please keep us updated with the 140 wum live date for this.

isharailanga commented 4 years ago

https://docs.wso2.com/display/OB130/API+Security#APISecurity-JWSvalidationsupportforWaiver007
https://docs.wso2.com/display/OB140/API+Security+for+UK#APISecurity-JWSvalidationsupportforWaiver007
https://docs.wso2.com/display/OB150/API+Security+for+UK#APISecurity-JWSvalidationsupportforWaiver007

Updated the instructions given in the above sections. Please review.

Akila94 commented 4 years ago

Hi @isharailanga, the WUM update for 140 is now live. So the date is 06/07/2020, which is today.

isharailanga commented 4 years ago

Thanks @Akila94. @Ashi1993 Please update me with the 150 wum live date as well.

Ashi1993 commented 4 years ago

@isharailanga Release date for 150 WUM is 6th July.

isharailanga commented 4 years ago

Updated the API Security pages and Configuring the open-banking.xml file pages.

API Security for UK

Configuring the Open-Banking.xml File for UK

isharailanga commented 4 years ago

Updated API security pages with Republish API step.

kasundharmadasa commented 4 years ago

We need to mention the configs according to the deployment.toml format as well for OB 2.0.0

SSParamee commented 4 years ago

2.0 UK docs are updated as follows:

[Screenshot attachment: Screen Shot 2020-10-29 at 9 32 16 AM]

Therefore, closing the issue.

kasundharmadasa commented 4 years ago

Due to recent experience from the patch team, it would be better if we show the existing configs as well in the open-banking.xml and advise the user to merge the configs appropriately. For example, by default in the pack the is set to false. Hence, by looking at the doc page, the user doesn't see the previous configs that needed changing.

SSParamee commented 3 years ago

Updated: https://docs.wso2.com/display/OB200/API+Security+for+UK#APISecurityforUK-JSONWebSignature(JWS)

kasundharmadasa commented 3 years ago

For 200 we have yet to add the TOML config equivalent to the following handler in the synapse-handlers.xml

The TOML equivalent configs are as follows

Add the below configurations at the top of the deployment.toml file:

```toml
enabled_global_handlers = ["jws", "externalCallLogger", "open_tracing"]

[synapse_handlers.jws]
name = "jws"
class = "com.wso2.finance.open.banking.gateway.jws.UkJwsResponseSignatureHandler"

[synapse_handlers.externalCallLogger]
name = "externalCallLogger"
class = "org.wso2.carbon.apimgt.gateway.handlers.LogsHandler"

[synapse_handlers.open_tracing]
name = "open_tracing"
class = "org.wso2.carbon.apimgt.gateway.handlers.common.APIMgtLatencySynapseHandler"
```

SSParamee commented 3 years ago

Both the synapse-handlers.xml and open-banking.xml configurations and the relevant mapping TOML configs are added as follows:

[Screenshot attachment: Screen Shot 2020-11-19 at 10 40 31 AM]

doc link: https://docs.wso2.com/display/OB200/API+Security+for+UK#APISecurityforUK-JSONWebSignature(JWS)

Please verify and close the issue.