Virtual host for bank API calls

  1. Configure a virtual host to expose the bank's PSD2 APIs to the TPP using an SSL server certificate.
  2. Enable "Client Certificate Verification":
    1. Set "SSL client certificate" to "Required".
    2. Configure all trusted QTSPs as CAs, and configure the corresponding CA chains where necessary. See also Getting issuer certificates for PSD2.
    3. Enable OCSP checking and configure the PSD2-relevant CRLs*.
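As an added example, not Airlock configuration or code from the Airlock documentation, the following script reproduces with openssl the decision that steps 2.1 to 2.3 configure, using constructed certificates: a throwaway CA stands in for a trusted QTSP, and a certificate it issues stands in for the TPP's client certificate. The function names verify_client_cert and revoke_tpp_cert are chosen here; the check covers the trusted-CA list and the CRL step only, not OCSP.

```shell
#!/bin/sh
# Added example, not Airlock configuration: reproduces the decision the gateway makes
# under "SSL client certificate: Required" with openssl, so the effect of the trusted-CA
# list and the CRL check can be observed on constructed certificates.
set -e
WORK=$(mktemp -d)

# Constructed trust anchor standing in for a trusted QTSP CA (placeholder name).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example QTSP CA" \
  -keyout "$WORK/qtsp_ca.key" -out "$WORK/qtsp_ca.crt" 2>/dev/null
# TPP client certificate issued by that CA (stands in for the TPP's QWAC).
openssl req -newkey rsa:2048 -nodes -subj "/CN=example-tpp" \
  -keyout "$WORK/tpp.key" -out "$WORK/tpp.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/tpp.csr" -CA "$WORK/qtsp_ca.crt" \
  -CAkey "$WORK/qtsp_ca.key" -CAcreateserial -out "$WORK/tpp.crt" 2>/dev/null
# A CA that is NOT on the trusted list: certificates it issues must be rejected.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Untrusted CA" \
  -keyout "$WORK/other_ca.key" -out "$WORK/other_ca.crt" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/tpp.csr" -CA "$WORK/other_ca.crt" \
  -CAkey "$WORK/other_ca.key" -CAcreateserial -out "$WORK/tpp_untrusted.crt" 2>/dev/null

# Minimal 'openssl ca' database so the constructed QTSP CA can issue and update a CRL.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = qtsp
[ qtsp ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
certificate = $WORK/qtsp_ca.crt
private_key = $WORK/qtsp_ca.key
default_md = sha256
default_crl_days = 1
EOF
: > "$WORK/index.txt"
echo 01 > "$WORK/crlnumber"
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/qtsp.crl" 2>/dev/null

# verify_client_cert CERT: accept (exit 0) only if CERT chains to a trusted CA
# and is not listed on that CA's current CRL; anything else is rejected.
verify_client_cert() {
  openssl verify -CAfile "$WORK/qtsp_ca.crt" -CRLfile "$WORK/qtsp.crl" \
    -crl_check "$1" >/dev/null 2>&1
}
# revoke_tpp_cert: the QTSP revokes the TPP certificate and publishes a new CRL.
revoke_tpp_cert() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/tpp.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/qtsp.crl" 2>/dev/null
}
```

Before revoke_tpp_cert runs, verify_client_cert accepts tpp.crt and rejects tpp_untrusted.crt; once the CRL lists the TPP certificate, tpp.crt is rejected as well, which is the behaviour the gateway should show when a QTSP revokes a TPP's certificate.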

CRL and OCSP Checking*

CRL and OCSP checking can be done on Airlock Gateway (WAF), on Airlock IAM, or on both:

  • In general, we recommend doing CRL and OCSP checks on the Gateway (WAF), because they are then performed as early as possible in the request flow.
  • However, doing them in IAM can reduce configuration redundancy and therefore be easier to maintain: IAM needs CRL and OCSP checking configured anyway to verify the HTTP signatures, and the OCSP/CRL endpoints may be the same.