With the Ping Identity environment configured, I can now obtain a software statement and generate a registration request.
To obtain a software statement, a TPP must be registered at the Open Banking Directory and a TPP technical contact must be able to access the Directory Front End Interface in order to register the application and receive the software statement. (The OB directory also enables TPPs to request software statements via APIs and I will cover the API approach in another blog post.)
Let’s see how a technical contact can register a new TPP application. The following screenshots are taken from the Open Banking test environment (the MIT environment) where I have the “Ping Bank TPP - AISP” TPP registered.
Search for the TPP on the “Search directory participants” screen and copy the Organisation ID; it will be needed later to generate the CSRs for that TPP.
On the TPP page, locate the “Software Statements” section (at the bottom of the page) and select “Add new statement.”
A form for entering the new software data is displayed; enter the TPP application data and submit it. This data will be included in the Software Statement that Open Banking generates for this client. Pay particular attention to the Redirect URI value to ensure it is correct.
The new software statement is created and the UI shows the details: a software statement ID and a new client ID are generated, and the client ID is assigned to the software statement. At the moment, no certificates are assigned to the statement.
I can generate the software statement now, by selecting the “Generate” button, and upload the necessary CSR files later. The directory provides both the encoded JWT and the decoded JWT. From the decoded JWT I can see that the statement was issued by Open Banking Ltd; I can identify the key ID of the key that was used to sign the software statement, and I can see the software_jwks_endpoint claim, which points to the JWKS that must be used to validate the request JWT.
The statement cannot be used yet, as no certificates have been attached to it. The final step is to bind a network certificate (used to establish MTLS connections between the TPP and the ASPSP) and a signing certificate (used by the TPP to sign the various tokens sent to the ASPSP). To do that I need to generate private/public key pairs and the certificate signing requests (CSRs) to be uploaded through the OB Directory Front End Interface.
I am going to use OpenSSL to generate the keys and CSRs. The one thing to note here is that the certificate CN must have the following structure:
To generate the CSRs for the network and signing certificates, I am going to use the following commands:
The commands above will produce two private keys and the CSR files that can be uploaded using the Open Banking UI.
If the upload is successful, Open Banking binds the certificates to the software statement, makes the certificates available for download (in PEM format) and publishes the keys at the correct JWKS endpoints.
The TPP can now download the network certificate for establishing the MTLS channel with the ASPSP and the signing certificate to sign the JWT registration request. I select “Download PEM File” on the network (Transport) certificate and then combine it with the private key to obtain a .p12 file using OpenSSL:
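As an added example (not the commands from the original post), the following POSIX shell functions cover the two OpenSSL steps described above: generating a private key and CSR for one certificate, and bundling the PEM certificate downloaded from the directory with its private key into a .p12. The subject string is passed in by the caller, so the script assumes nothing about the CN structure the directory requires; the file names and password argument are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
set -eu

# gen_key_csr NAME SUBJECT
# Writes NAME.key (2048-bit RSA private key, mode 600) and NAME.csr.
# SUBJECT is the full X.509 subject (e.g. "/C=GB/O=.../OU=.../CN=...") in
# whatever structure the OB Directory requires; the caller supplies it.
gen_key_csr() {
  name="$1"
  subject="$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "${name}.key" 2>/dev/null
  chmod 600 "${name}.key"
  openssl req -new -key "${name}.key" -subj "$subject" -out "${name}.csr"
}

# csr_subject CSRFILE
# Prints the subject embedded in a CSR so it can be checked before upload.
csr_subject() {
  openssl req -in "$1" -noout -subject
}

# make_p12 CERT_PEM KEY OUT_P12 PASSWORD
# Bundles the downloaded PEM certificate with its private key into a
# password-protected PKCS#12 file for MTLS clients that need one.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# p12_ok P12FILE PASSWORD
# Returns success if the bundle opens with PASSWORD and holds a certificate.
p12_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

# Typical use (run once per certificate, e.g. for "network" and "signing"):
#   gen_key_csr network "<subject in the structure required by the directory>"
#   csr_subject network.csr          # check before uploading network.csr
#   make_p12 network.pem network.key network.p12 "<bundle password>"
```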