Audience

This document applies to TPPs that are fully licensed by their national supervisory authority as AISP and/or PISP and must therefore use their own certificates and client credentials to access the ASPSP APIs.

...

In order to use finAPI Access PSD2 services, a client who is a fully licensed TPP must have at least one global QWAC and/or QSeal certificate. These certificates are required in order to access PSD2 APIs of ASPSPs (XS2A). Each certificate (QWAC or QSeal) consists of a private key, the certificate itself, a passphrase (optional) and valid from/until dates.
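A local sanity check of such a bundle before it is uploaded, as an added example that is not part of the original page and not finAPI code. It assumes PEM-encoded files and the `openssl` CLI; the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not finAPI code): local sanity check of a TPP certificate
# bundle before upload. Requires the openssl CLI.
#
# Usage: check_tpp_bundle CERT_PEM KEY_PEM [PASSPHRASE] [MIN_DAYS]
# Return codes:
#   0  bundle is consistent
#   1  private key cannot be read (wrong or missing passphrase, bad file)
#   2  private key does not belong to the certificate
#   3  certificate expires within MIN_DAYS days (default 30)
#   4  certificate file cannot be parsed
check_tpp_bundle() {
  ctb_cert=$1
  ctb_key=$2
  ctb_pass=${3:-}
  ctb_min_days=${4:-30}

  # Public key embedded in the certificate.
  ctb_cert_pub=$(openssl x509 -in "$ctb_cert" -noout -pubkey 2>/dev/null) || return 4

  # Public key derived from the private key. The passphrase is passed through
  # the environment so it does not show up in the process argument list.
  ctb_key_pub=$(CTB_PASS="$ctb_pass" openssl pkey -in "$ctb_key" \
    -passin env:CTB_PASS -pubout 2>/dev/null) || return 1

  # A key that does not match the certificate is useless for TLS or signing.
  [ "$ctb_cert_pub" = "$ctb_key_pub" ] || return 2

  # -checkend exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$ctb_cert" -noout \
    -checkend $((ctb_min_days * 86400)) >/dev/null 2>&1 || return 3

  return 0
}

# Print the validity window as openssl reports it
# (notBefore=... / notAfter=...), i.e. the valid from/until dates.
tpp_cert_dates() {
  openssl x509 -in "$1" -noout -dates
}
```

The check only confirms that key, passphrase and certificate belong together and that the certificate is not about to expire; it does not validate the QWAC/QSeal issuer chain.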

Some banks may also require a set of bank API-specific client credentials to authenticate a TPP. Each set of client credentials includes at least one of the following attributes: Client Id, Client Secret, API key. Additionally, valid from/until dates can be provided.

Licensed TPPs can store their own TPP certificates / client credentials in finAPI Access in order to have quick and secure access to XS2A of ASPSPs. finAPI Access allows clients to easily manage their certificates / client credentials for multiple ASPSPs: edit, delete, view existing and upload new TPP certificates / client credentials.

Unlicensed clients can use the built-in finAPI TPP certificates / client credentials.

Please note that bank-specific certificates are not supported.

Audit logs can be requested via the standard support channel. There is no web service for this purpose.

...

From a security perspective, data such as QWAC and QSeal certificates and bank credentials is sensitive and must be protected.

HTTPS is used to ensure data is encrypted in transit from the client to finAPI.

Within the finAPI realm this data is treated with the same highest level of security as the user's bank credentials. Having data at rest in an already secure database reduces the number of critical systems to keep secure. Thus, finAPI Access PSD2 already has multiple security measures for protecting extremely sensitive data (e.g. the user's bank credentials), which are applied to certificates too. Certificates and credentials are kept in the highly secure finAPI database and secured with double encryption. All access to the certificates and/or credentials is logged in audit logs.

Services

finAPI Access PSD2 supports the following services:

Certificate management services
  1. Submit a new Certificate

  2. Get Certificates list

  3. Get Certificate details

  4. Delete existing Certificate

Client credentials management services
  1. Submit new Client Credentials

  2. Get Client Credentials list

  3. Get Client Credentials details

  4. Update existing Client Credentials

  5. Delete existing Client Credentials

A client is identified by the token. Thus, a client access token is required in order to use any of the services mentioned.

Each service writes events into an audit log. All services require the authentication of an admin/mandator client in finAPI.

1. Submit a new Certificate

...

Using the POST /tppAuthentication/certificates endpoint you can submit a certificate to the finAPI Access PSD2 database. The response of the server will contain the "certificateId" of the created certificate, for example "93ea9700".

...