For each type of bank API call (e.g. "/accounts", "/payments", "/consents") a mapping with the following PSD2-specific settings must be configured and connected to the just created virtual host. The settings below have proven to work in practice; the list does not claim to be complete.

- Define a mapping matching the corresponding API calls (e.g. "/accounts").
- Configure all security rules (Allow Rules, Deny Rules, API Security, etc.), "Request Actions" and "Response Actions" required by the bank's APIs.
- Define (and use) an allow rule allowing the HTTP methods "GET", "POST", "PUT", and "DELETE". The default "Allow all" rule only allows "GET" and "POST".
- Restrict access to the mapping based on the TPP roles (exactly as in the TPP's client certificate). The following table lists the typical access restriction settings:

Mapping Name | Entry Path | Typically restricted to roles |
---|---|---|
xs2a-accounts | /v1/accounts | PSP_AI |
xs2a-card-accounts | /v1/card-accounts | PSP_AI |
xs2a-consents | /v1/consents | PSP_AI |
xs2a-payments | /v1/payments | PSP_PI |
xs2a-bulk-payments | /v1/bulk-payments | PSP_PI |
xs2a-periodic-payments | /v1/periodic-payments | PSP_PI |
xs2a-funds-confirmations | /v1/funds-confirmations | PSP_IC |
xs2a-signing-baskets | /v1/signing-baskets | PSP_AI, PSP_IC |

- Select the Authentication Flow "One-Shot with body" (the body is required for IAM to be able to verify the HTTP request signatures).
- Define the "Denied access URL" such that it points to Airlock IAM's one-shot endpoint, typically "/auth/login-oneshot".
- Set "Session handling" to "Sessionless".
- Ensure that "SSL client certificate" is set to "Inherit from Virtual Host".
- Add the following "Apache Expert Setting" to the mapping (this is required for IAM to be able to verify the HTTP request signatures):

    RequestHeader set AL_ENV_REQUEST_LINE expr=%{THE_REQUEST}

- Enable "Send environment cookies" (this is also required for IAM to be able to verify the HTTP request signatures).
- Create an HTTP header whitelist to allow the non-standard HTTP headers required by NextGenPSD2 (for HTTP signature verification):
  - Copy the "(default) Request header whitelist" (click on "customize this action").
  - Add the following headers to the customized action (initially called "Copy of (default) ..."): "Date", "X-Request-Id", "PSU-.*", "TPP-.*". In addition to the headers in the "(default) Request header whitelist", "Digest", "Signature", "ASPSP-SCA-Approach" and "Consent-ID" must be allowed as well.
  - Enable the new whitelist.
  - Disable the "(default) Request header whitelist".
- To allow the "Signature" and the "TPP-Signature-Certificate" headers, add the following deny rule exceptions:

for Airlock Gateway Versions | with deny rule "Security Level" | add exception to "Deny Rule" | using "Header Name Pattern" |
---|---|---|---|
all | Strict (recommended) | (default HTML_003b) HTML attribute in quoted context in HTTP header value | |
all | Standard | (default HTML_004b) Known HTML attribute in quoted context in HTTP header value | |
>= 7.1 | Strict | (default SAN_060b) Header value longer than 300 characters | |
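As an added example (not part of this page and not Airlock's code), the checks IAM's one-shot endpoint has to perform on such a request before the public-key step, which is why the body and the whitelisted headers must reach it: the Digest over the forwarded body, the Signature header parameters, and the signing string rebuilt from the signed headers (and, if signed, the request line). Header names and the Digest format follow NextGenPSD2; the function names are ours, the sample request is constructed and its signature value is a placeholder since no TPP key exists here.

```python
import base64
import hashlib
import hmac
import re

# NextGenPSD2 signs requests with draft-cavage HTTP signatures. Digest, X-Request-ID and Date
# must always be covered; PSU-ID, PSU-Corporate-ID and TPP-Redirect-URI whenever they are sent.
ALWAYS_SIGNED = ("digest", "x-request-id", "date")
SIGNED_IF_PRESENT = ("psu-id", "psu-corporate-id", "tpp-redirect-uri")
DIGEST_ALGOS = {"sha-256": hashlib.sha256, "sha-512": hashlib.sha512}
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')  # keyId="..",algorithm="..",headers="..",signature=".."

def compute_digest(body: bytes, algo: str = "SHA-256") -> str:
    """Digest header value as the TPP has to send it: '<algo>=<base64(hash(body))>'."""
    return f"{algo}={base64.b64encode(DIGEST_ALGOS[algo.lower()](body).digest()).decode()}"

def precheck(method: str, target: str, headers: dict, body: bytes) -> dict:
    """Checks up to the public-key step; the caller then verifies result['signature'] over result['signing_string'] with the TPP's QSealC."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    algo = h.get("digest", "").partition("=")[0]
    if algo.lower() not in DIGEST_ALGOS or not hmac.compare_digest(
            h["digest"].encode(), compute_digest(body, algo).encode()):
        return {"ok": False, "reason": "Digest missing or does not match the body"}
    params = dict(_PARAM_RE.findall(h.get("signature", "")))
    if not {"keyId", "algorithm", "headers", "signature"} <= set(params):
        return {"ok": False, "reason": "Signature header incomplete"}
    signed = params["headers"].lower().split()
    missing = [n for n in ALWAYS_SIGNED if n not in signed]
    missing += [n for n in SIGNED_IF_PRESENT if n in h and n not in signed]
    if missing:
        return {"ok": False, "reason": f"headers not covered by the signature: {missing}"}
    lines = []  # signing string: one 'name: value' line per signed header, in the listed order
    for name in signed:
        if name == "(request-target)":  # derived from the request line, not from a header
            lines.append(f"(request-target): {method.lower()} {target}")
        elif name in h:
            lines.append(f"{name}: {h[name]}")
        else:  # typically stripped by a header whitelist before the request reached IAM
            return {"ok": False, "reason": f"signed header {name} absent from the request"}
    return {"ok": True, "key_id": params["keyId"], "algorithm": params["algorithm"],
            "signing_string": "\n".join(lines).encode(), "signature": base64.b64decode(params["signature"])}

# Constructed sample request; the signature value is a placeholder since no TPP key exists here.
SAMPLE_BODY = b'{"instructedAmount":{"currency":"EUR","amount":"123.50"}}'
SAMPLE = {"method": "POST", "target": "/v1/payments/sepa-credit-transfers", "body": SAMPLE_BODY,
          "headers": {"X-Request-ID": "99391c7e-ad88-49ec-a2ad-99ddcb1f7721", "PSU-ID": "PSU-1234",
                      "Date": "Sun, 06 Aug 2017 15:02:37 GMT", "TPP-Redirect-URI": "https://tpp.example/cb",
                      "Digest": compute_digest(SAMPLE_BODY),
                      "Signature": 'keyId="SN=1A2B,CA=CN=EXAMPLE-CA,O=Example,C=DE",algorithm="rsa-sha256",'
                                   'headers="digest x-request-id psu-id date tpp-redirect-uri",'
                                   f'signature="{base64.b64encode(b"placeholder").decode()}"'}}
```

Running the sample with the PSU-ID header removed shows the failure mode a too-narrow whitelist produces: the signing string cannot be rebuilt, so the signature can never verify.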