
Raidiam Connect Gateway

Introduction

Open banking is a transformative concept in digital banking that takes effect across Europe in 2019. The revised Payment Services Directive, better known as PSD2, is a regulatory mandate that seeks to promote innovation and competition by giving new Third-Party Providers (TPPs) access to accounts (XS2A). By lowering the barriers for TPPs to enter the market, PSD2 lets Fintechs stimulate new business models and value chains, unlocking a potentially limitless number of new use cases.

The Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) specify that eIDAS digital certificates must be used for all purposes of identification to an Account Servicing Payment Service Provider (ASPSP) such as a bank. Banks therefore need to be ready to accept eIDAS certificates presented by TPPs before the compliance deadline, currently March 2020 following the agreed extension. Beyond accepting eIDAS certificates issued by appropriately Qualified Trust Service Providers (QTSPs), ASPSPs must only accept certificates that conform to the European Telecommunications Standards Institute (ETSI) specification ETSI TS 119 495, a PSD2-specific profile of eIDAS certificate that conveys PSD2 authorisation information (the PSP's roles and its competent authority) as well as PSP identification.

The most common way to achieve electronic identification of a TPP connecting to a dedicated (API-based) interface or to a fall-back/contingency interface is Transport Layer Security (TLS). TLS lets the bank require a connecting TPP to present a digital certificate that identifies it, and establishes a mutually-authenticated, encrypted connection between the two communicating parties, TPP and ASPSP. Drawing on our extensive Open Banking experience, Raidiam Connect Gateway addresses this challenge so that eIDAS certificates presented by TPPs are verified and validated before the connection is accepted and any sensitive customer payment account data is exchanged.

What challenges do you face?

With all of the regulatory demands that organisations and Fintechs are bound by, a number of challenges arise. These challenges are not only about becoming compliant with the regulations. The challenge for most is how to make the most of the investment required to achieve compliance, and how to identify secondary benefits such as opening new markets and monetising APIs to increase returns.

For those committing to the regulatory demands, and for those that have stalled or are struggling to find a cost-effective solution, there are common questions and challenges that arise. Addressing them requires a solution that enables the technology to meet the demands and increase revenue streams. Questions such as:

  1. Do you have problems with the testing facility?
  2. Have you delayed filing for an FCA exemption?
  3. Are you looking for a way to hedge your investment?
  4. Do you look like you are going to miss the PSD2 deadline?
  5. Are you struggling to implement a compliant API based interface?
  6. Is your legacy technology stack preventing or limiting progress towards your goals?
  7. Are your contingent measures in danger of revocation?
  8. Are you struggling to implement a fallback mechanism?

If these problems are causing concern, then Raidiam Connect Gateway may be just the solution you are looking for to accelerate your compliance journey and provide hassle-free integrations that allow you to maximise the monetisation potential of your API estate.

How can Raidiam Connect Gateway help?

Raidiam Connect Gateway is, in simple terms, a secure HTTP server optimised for regulated PSD2 access to accounts by Third Party Providers (TPPs). When a TPP connects to an ASPSP, Raidiam Connect Gateway challenges the TPP to present an ETSI-conformant PSD2 eIDAS QWAC (Qualified Website Authentication Certificate), an X.509 v3 digital certificate. The Connect Gateway validates the certificate to ensure it is well-formed, within its validity period, chains to a trusted QTSP issuer and has not been revoked, the last by performing real-time Online Certificate Status Protocol (OCSP) checks. Only once all checks have passed does it complete the handshake and establish a mutually-authenticated TLS connection with the TPP. Thereafter, API requests and responses and/or online banking customer account data can be communicated securely between the two parties.

As an enabler, Raidiam Connect Gateway provides CISO, CIO and other strategists the option to realise further benefits alongside achieving regulatory compliance.

The 'Light Touch' integration with various technology stacks provides the flexibility to be compatible with whatever technology choices and implementation decisions that have been made.

Generic Chain of Trust Diagram

Above: The generic structure of validation using Hierarchical Chain of Certificates

Features and Benefits

In short, Raidiam Connect Gateway is an accelerator that enables organisations to maximise the return on their compliance investment. As an agnostic solution, Raidiam Connect Gateway is fully flexible and integrates seamlessly into your infrastructure, irrespective of your technology choices.

More specifically, and in relation to regulatory compliance, Raidiam Connect Gateway provides the following benefits:

  • Achieve compliance with PSD2 RTS
  • Secure your PSD2 APIs with PSD2 eIDAS certificates
  • High performance eIDAS Gateway
  • Secure & Standards-compliant
  • Lightweight and scalable
  • Easily configurable and customized
  • eIDAS-conformant PKI certificate issuing bundle and test suite available separately
  • Co-exists with your existing technology stack

As a solution that is applicable across multi-channels, Raidiam Connect Gateway can assist with Digital initiatives, focussing on the customer journey and experience as well as becoming the 'glue' between legacy and new technology implemented to achieve compliance.

Technical Specifications

Certificate Validation

The Raidiam Connect Gateway has been designed to support the widest possible range of certificate providers and to be compliant with the latest versions of the transport layer protocols. In addition, the FAPI specifications have been used as the reference so that any changes over time maintain or enhance the performance and compliance of the solution against recognised standards.

  • X.509 v3 (RFC 5280) digital certificate support
  • OpenID Foundation FAPI Read/Write profile TLS cipher suites
  • ETSI-TS 119 495 profile validation
  • AIA / CDP attribute support for validation service discovery
  • PSD2-profile eIDAS certificate support from all EU QTSPs
  • ETSI-TS conformance validation – QWAC
  • EU Trusted List Validation for all EU member states.
  • Full SSL/TLS support including TLS 1.3*
  • OCSP and CRL** certificate validation support

Installation Instructions

Overview

The Raidiam Connect Gateway is distributed as RPM (RPM Package Manager) packages that include both the core solution and updated versions of the packages it depends on. All required RPMs are supplied, although most of the supporting packages will generally already be present on the target system.

Infrastructure Design

Minimum System Requirements

  • RHEL 7 or RHEL 8 *

  Profile   Typical Requests Per Second   Estimated Hardware Requirements
  Small     Up to 5 requests/sec          1 x 2 core 2.8 GHz, 4 GB memory
  Medium    Up to 10 requests/sec         1 x 4 core 2.8 GHz, 4 GB memory
  Large     Up to 100 requests/sec        2 x 8 core 2.8 GHz, 8 GB memory

Performance results will vary based on OCSP response times, since certificate validation includes a real-time OCSP check. Additional performance profiling can be performed on request.

  * RHEL 8 is required for TLS 1.3 support.

Installation Instructions

- Source the RPMs for Raidiam Connect Gateway. Contact info@raidiam.com
- Copy the RPMs to a working folder on the target machine and check each file's checksum or signature against the values supplied with the packages before installing (for example with sha256sum, or rpm -K with the signing key imported)
- Install the packages:

    yum install httpd-tools-2.*.rpm apr-1.6.3-1.x86_64.rpm apr-util-1.6.1-1.x86_64.rpm httpd-2.*.rpm mod_ssl-2.*.rpm -y

Configuration Instructions

The Raidiam Connect Gateway has the following configuration properties that need to be specified.

Environment

  Parameter         Description                                                                                      Example
  ENVIRONMENT       A free-text field describing the configuration environment.                                      dev
  SERVERNAME        Hostname the gateway answers to (Apache ServerName)                                              srvparsg103.fr.frenchbank.com
  SERVERALIAS       Alternative hostname (Apache ServerAlias)                                                        srvparsg103.fr.frenchbank.com
  HTTPSPORT         Gateway listening port                                                                           443
  SSLCERTFILE       Path to the PEM-formatted certificate the server presents to clients                             /pki/matls.pem
  SSLCERTKEYFILE    Path to the PEM-formatted private key for that certificate                                       /pki/matls-key.pem
  SSLCERTCHAINFILE  Path to the PEM-formatted chain of certificates for the certificate the server presents          /ca/bundle.pem
  SSLCATRUSTFILE    Path to the PEM-formatted collection of root and intermediate CA certificates the server trusts  /ca/ca_combined_bundle.pem
                    when authenticating clients
  UPSTREAMENDPOINT  Target to which the server routes requests that pass validation                                  http://api.frenchbank.internal/
  SSLSTRICTSNI      Require clients to send SNI (required by the FAPI RW profile)                                    on
  SSLLOGLEVEL       Log level for the gateway (RCGW)                                                                 debug
  SSLOCSP           Mandate a real-time OCSP check of the client certificate during the handshake                    on
  SSLUSESTAPLING    Enable OCSP stapling of the gateway's own server certificate status                              on

Two points to check when setting these: the file named by SSLCERTKEYFILE is the server's private key and should be readable only by the account httpd runs as, and an UPSTREAMENDPOINT using plain http:// means the hop from the gateway to the API is unencrypted, so it must stay inside a trusted network segment or be changed to https://.

These environment variables can be set in a systemd unit (services started by systemd do not read shell profiles, so use Environment= or EnvironmentFile= in the unit) or in a start script such as the one shown below. The debug log level is useful while commissioning; lower it for production.

    (
        export ENVIRONMENT=dev
        export SERVERNAME=$(hostname)
        export SERVERALIAS=$(hostname)
        export HTTPSPORT=443
        export SSLCERTFILE=/pki/matls.pem
        export SSLCERTKEYFILE=/pki/matls-key.pem
        export SSLCERTCHAINFILE=/ca/bundle.pem
        export SSLCATRUSTFILE=/ca/ca_combined_bundle.pem
        export UPSTREAMENDPOINT=http://localhost/
        export SSLSTRICTSNI=on
        export SSLLOGLEVEL=debug
        export SSLOCSP=on
        export SSLUSESTAPLING=on

        # run httpd in the foreground with the exported variables in its environment
        apachectl -D FOREGROUND
    )

Trusted Root Certificate Authorities

The Raidiam Connect Gateway comes packaged with two pre-configured 'httpd-ssl.conf' variants for clients to choose from:

  • Open Banking Implementation Entity CA and combined PSD2 eIDAS CA support (httpd-ssl.conf.obie)
  • PSD2 eIDAS CA support only (httpd-ssl.conf.eidas)

Configure trust for OBIE and EU QTSP certificate authorities

The public certificates of the Open Banking Production CA are added to the trusted list of acceptable root and intermediate certificate authorities, alongside the EU QTSP CAs. A presented client certificate is accepted only if it satisfies:

(
    Require: Extended Key Usage extension (2.5.29.37) includes TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
    Require: OCSP response for the certificate is "good"
)
AND
(
    (
        Require: Qualified Certificate Statements extension present (qcStatements, RFC 3739)
        Require: QWAC qualified certificate statement present (QcType web, ETSI EN 319 412-5)
        Require: At least one PSD2 Payment Service Provider role in the PSD2 qcStatement (ETSI TS 119 495)
    )
    OR
    (
        Require: OBIE OBTransport certificate presented
    )
)

  • Delete httpd-ssl.conf
  • Copy httpd-ssl.conf.obie to httpd-ssl.conf
  • Restart Raidiam Connect Gateway

Configure trust for EU QTSP certificate authorities only

Only appropriately authorised QTSP root and intermediate certificates will be trusted. The Open Banking Implementation Entity certificates are not included. A presented client certificate is accepted only if it satisfies:

(
    Require: Extended Key Usage extension (2.5.29.37) includes TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
    Require: OCSP response for the certificate is "good"
)
AND
(
    Require: Qualified Certificate Statements extension present (qcStatements, RFC 3739)
    Require: QWAC qualified certificate statement present (QcType web, ETSI EN 319 412-5)
    Require: At least one PSD2 Payment Service Provider role in the PSD2 qcStatement (ETSI TS 119 495)
)

  • Delete httpd-ssl.conf
  • Copy httpd-ssl.conf.eidas to httpd-ssl.conf
  • Restart Raidiam Connect Gateway

With SSLOCSP=on the OCSP rule fails closed: if a QTSP's responder is unreachable or times out, the handshake is rejected rather than the check being skipped, so responder availability and latency should be monitored alongside the gateway itself.
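The rules in the two policy blocks above can be checked against a certificate before it ever reaches the gateway. The script below is an added example, not Raidiam's code: it uses openssl to mint two constructed test certificates (one plain TLS client certificate, one carrying the qcStatements a PSD2 QWAC must have) and applies the "EU QTSP only" rules to each, except the OCSP rule, which needs a live responder. The qcStatements extension is built from an openssl ASN.1 template; the OIDs are the published ETSI values and the role chosen (PSP_AI) and NCA name are constructed sample data. The statement checks are byte-pattern searches over the DER for the encoded OIDs, which is a quick conformance smoke test rather than a full parser; openssl is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example, not Raidiam code: build two constructed TPP client certificates
# and apply the eIDAS-only policy rules (all but the OCSP rule) to each.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# DER encodings (hex) of the OIDs the policy depends on; published, stable values:
#   ETSI EN 319 412-5 QcCompliance  0.4.0.1862.1.1
#   ETSI EN 319 412-5 QcType web    0.4.0.1862.1.6.3   (the QWAC marker)
#   ETSI TS 119 495   PSD2 stmt     0.4.0.19495.2
#   ETSI TS 119 495   PSD2 roles    0.4.0.19495.1.{1,2,3,4} = PSP_AS/PI/AI/IC
DER_QC_COMPLIANCE='060604008e460101'
DER_QC_TYPE_WEB='060704008e46010603'
DER_PSD2_STATEMENT='0606040081982702'
DER_PSD2_ROLE='06070400819827010[1-4]'

cat > "$WORK/tpp.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-tpp.example
O = Example TPP Ltd
# v3_plain: an ordinary TLS client certificate, no qualified statements
[v3_plain]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
# v3_qwac: PSD2 QWAC profile; qcStatements (1.3.6.1.5.5.7.1.3) from an ASN.1 template
[v3_qwac]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth, serverAuth
1.3.6.1.5.5.7.1.3 = ASN1:SEQUENCE:qc_statements
[qc_statements]
compliance = SEQUENCE:qc_compliance
type = SEQUENCE:qc_type
psd2 = SEQUENCE:psd2_statement
[qc_compliance]
id = OID:0.4.0.1862.1.1
[qc_type]
id = OID:0.4.0.1862.1.6
value = SEQUENCE:qc_type_list
[qc_type_list]
web = OID:0.4.0.1862.1.6.3
[psd2_statement]
id = OID:0.4.0.19495.2
info = SEQUENCE:psd2_info
[psd2_info]
roles = SEQUENCE:psd2_roles
nca_name = UTF8:Financial Conduct Authority
nca_id = UTF8:GB-FCA
[psd2_roles]
ai = SEQUENCE:role_ai
[role_ai]
oid = OID:0.4.0.19495.1.3
name = UTF8:PSP_AI
EOF

# mint <name> <extension section>: self-signed, one-day RSA-2048 test certificate
mint() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/tpp.cnf" -extensions "$2" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" 2>/dev/null
}
mint plain v3_plain
mint qwac v3_qwac

# check_psd2_qwac <cert.pem>: returns 0 only when every policy rule holds;
# prints one FAIL line per rule that does not.
check_psd2_qwac() {
  cert=$1; rc=0
  der=$(openssl x509 -in "$cert" -outform DER | od -An -v -tx1 | tr -d ' \n')
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "  FAIL: certificate expired"; rc=1; }
  # -purpose applies the EKU/keyUsage logic RFC 5280 requires of a TLS client
  openssl x509 -in "$cert" -noout -purpose | grep -q '^SSL client : Yes' \
    || { echo "  FAIL: not usable for TLS client authentication"; rc=1; }
  for rule in "QcCompliance statement:$DER_QC_COMPLIANCE" \
              "QcType web (QWAC) statement:$DER_QC_TYPE_WEB" \
              "PSD2 qcStatement:$DER_PSD2_STATEMENT" \
              "at least one PSD2 role:$DER_PSD2_ROLE"; do
    printf '%s' "$der" | grep -qE "${rule#*:}" \
      || { echo "  FAIL: missing ${rule%%:*}"; rc=1; }
  done
  return $rc
}

for name in plain qwac; do
  echo "$name.pem:"
  if check_psd2_qwac "$WORK/$name.pem"; then echo "  accepted"; else echo "  rejected"; fi
done
```

The plain certificate fails the three statement rules and the QWAC passes them all; swapping the role OID in `[role_ai]` for one outside 0.4.0.19495.1.1-4 makes the QWAC fail the role rule, which is the case a bank relying on role-based access (AIS vs PIS) needs to see rejected.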

Logging

As the Raidiam Connect Gateway is based on Apache httpd 2.4.39, all of its capabilities, including very flexible log configuration, are available. For more information please refer to: https://httpd.apache.org/docs/2.4/logs.html. For a mutual-TLS gateway it is worth including the mod_ssl variables %{SSL_CLIENT_S_DN}x and %{SSL_CLIENT_VERIFY}x in the LogFormat so that each request records which TPP certificate was presented and whether it verified. Because the gateway's TLS behaviour is that of the bundled httpd and mod_ssl, httpd security advisories apply to it and updated RPMs should be applied when released.

General

Retrieve Certificate Authorities for authorized QTSPs

Open Banking UK publishes a keystore of all authorised QTSP root and intermediate certificates daily (or more frequently when there are updates). URLs for the Directory Sandbox and Production environments:

  Environment   QWAC                                                                                              QSealC
  Sandbox       https://s3-eu-west-1.amazonaws.com/prdtst-obdqtspkeystore/artefacts/QTSP/EU/latest/qwac/data.jks   https://s3-eu-west-1.amazonaws.com/prdtst-obdqtspkeystore/artefacts/QTSP/EU/latest/qseal/data.jks
  Production    https://s3-eu-west-1.amazonaws.com/prd-obdqtspkeystore/artefacts/QTSP/EU/latest/qwac/data.jks      https://s3-eu-west-1.amazonaws.com/prd-obdqtspkeystore/artefacts/QTSP/EU/latest/qseal/data.jks

Only the QWAC store is relevant to SSLCATRUSTFILE; QSealC certificates are used to seal messages, not for TLS client authentication.

Conversion

Convert the data.jks keystore into PEM-encoded certificates. keytool cannot read a keystore from a URL, so the file is downloaded first; keytool will prompt for the source and destination store passwords, and openssl for the PKCS#12 import password. Because the store holds only CA certificates, -nokeys is used so no private-key output (or export password) is involved. Re-run this whenever the published keystore changes, and point SSLCATRUSTFILE at the resulting bundle.

    # download the current QWAC trust store, then convert JKS -> PKCS#12 -> PEM
    JKSURL=https://s3-eu-west-1.amazonaws.com/prd-obdqtspkeystore/artefacts/QTSP/EU/latest/qwac/data.jks
    curl -fsSL -o qwac-data.jks "${JKSURL}"

    keytool -importkeystore \
        -srckeystore qwac-data.jks \
        -srcstoretype jks \
        -destkeystore qwac-data.p12 \
        -deststoretype pkcs12

    # -nokeys: emit only the CA certificates as a PEM bundle
    openssl pkcs12 -in qwac-data.p12 -nokeys -out qwac-cas.pem

Deployment

Certificate Authorities and the Chain of Trust

The Raidiam Connect Gateway performs a number of validations on the X.509 certificate provided by the TPP. During the TLS handshake the certificate chain is checked link by link: the Root CA's public key verifies the signature on the Intermediate CA certificate, and the Intermediate CA's public key verifies the signature on the end-entity certificate, whether that is the ASPSP's server certificate checked by the TPP or the TPP's client certificate checked by the gateway. Each signature covers a hash of the certificate being verified, and the chain is trusted only if it ends at a root present in the gateway's trust file (SSLCATRUSTFILE).

The Raidiam Connect Gateway will validate the certificate to ensure it is well-formed, within its validity period, issued by a valid QTSP and not revoked, the last by performing real-time Online Certificate Status Protocol (OCSP) checks against the responder named in the certificate's Authority Information Access extension.

Once this validation passes the handshake completes: the TPP proves possession of the private key for its certificate by signing the handshake transcript (the CertificateVerify message), and the two sides derive the session keys from an ephemeral Diffie-Hellman exchange ((EC)DHE) whose server side is signed with the ASPSP's certificate key. The FAPI cipher suites, and TLS 1.3, use this forward-secret exchange rather than having the TPP encrypt a symmetric key under the ASPSP's RSA public key. The derived session keys then protect all requests and responses between the TPP and the ASPSP over the established mutually-authenticated TLS connection.
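The chain and revocation checks described above, as an added example that is not part of Raidiam's product: the script builds a constructed three-level PKI with openssl (root CA, intermediate CA, three TPP certificates), has the intermediate revoke one of them, and then asks openssl verify for the decision a gateway makes on each presented certificate. Revocation is demonstrated with a CRL because OCSP needs a live responder; the trust decision is the same. All names, keys and the "Demo" CAs are constructed for the example and openssl is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example, not Raidiam code: constructed chain root -> intermediate -> TPP,
# then the two gateway decisions: does the TPP cert chain to a trusted root,
# and has its issuer revoked it (shown with a CRL signed by the intermediate).
set -eu
PKI="${PKI:-$(mktemp -d)}"
mkdir -p "$PKI/db"; : > "$PKI/db/index.txt"; echo 01 > "$PKI/db/crlnumber"

cat > "$PKI/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_tpp]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# "openssl ca" is used only to keep the intermediate's revocation database and sign its CRL
[ca]
default_ca = intermediate
[intermediate]
database = $PKI/db/index.txt
crlnumber = $PKI/db/crlnumber
private_key = $PKI/intermediate-key.pem
certificate = $PKI/intermediate.pem
default_md = sha256
default_crl_days = 1
EOF

# newkey <name>: fresh RSA-2048 key and a CSR whose subject is the name
newkey() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$PKI/pki.cnf" \
    -keyout "$PKI/$1-key.pem" -out "$PKI/$1.csr" 2>/dev/null
}
# sign <name> <issuer> <ext section>: the issuer's private key signs the CSR's
# subject and public key; that signature is what chain validation later checks
sign() {
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.pem" -CAkey "$PKI/$2-key.pem" \
    -CAcreateserial -days 2 -sha256 -extfile "$PKI/pki.cnf" -extensions "$3" \
    -out "$PKI/$1.pem" 2>/dev/null
}

openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo Root CA" \
  -config "$PKI/pki.cnf" -extensions v3_ca \
  -keyout "$PKI/root-key.pem" -out "$PKI/root.pem" 2>/dev/null
newkey intermediate; sign intermediate root v3_ca
newkey tpp-good;     sign tpp-good intermediate v3_tpp
newkey tpp-revoked;  sign tpp-revoked intermediate v3_tpp
# a TPP certificate from an issuer that is not in the trust file at all
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=tpp-untrusted" \
  -config "$PKI/pki.cnf" -extensions v3_tpp \
  -keyout "$PKI/tpp-untrusted-key.pem" -out "$PKI/tpp-untrusted.pem" 2>/dev/null

# CRL issued by the intermediate; empty until something is revoked
gencrl() { openssl ca -config "$PKI/pki.cnf" -gencrl -out "$PKI/intermediate.crl" 2>/dev/null; }
gencrl

# chain_status <cert.pem>: valid | revoked | invalid, the decision the gateway makes.
# Trust anchor = root.pem only; the intermediate is supplied untrusted, exactly as a
# TPP would send it in the handshake, and must itself chain to the root.
chain_status() {
  out=$(openssl verify -purpose sslclient -crl_check -CAfile "$PKI/root.pem" \
          -untrusted "$PKI/intermediate.pem" -CRLfile "$PKI/intermediate.crl" "$1" 2>&1 || true)
  case "$out" in
    *": OK"*)                echo valid ;;
    *"certificate revoked"*) echo revoked ;;
    *)                       echo invalid ;;
  esac
}

# the issuer revokes one TPP certificate and publishes a fresh CRL
openssl ca -config "$PKI/pki.cnf" -revoke "$PKI/tpp-revoked.pem" -crl_reason keyCompromise 2>/dev/null
gencrl

for c in tpp-good tpp-revoked tpp-untrusted; do
  printf '%-14s %s\n' "$c" "$(chain_status "$PKI/$c.pem")"
done
```

Two details carry over to the gateway configuration: the trust file (SSLCATRUSTFILE) should hold only roots and intermediates you intend to trust, since anything in it becomes an anchor, and the revocation source (CRL here, OCSP in the gateway) must be reachable at handshake time or the certificate is rejected.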

Chain of Trust Diagram

Above: Raidiam Connect Gateway validation using Hierarchical Chain of Certificates

Performance

As part of the release preparations for Raidiam Connect Gateway a set of performance tests was conducted using Apache Bench (ab). The following summarises the set-up and key measures collected during the performance test.

  Machine              Type        Detail
  MATLS Host Machine   t3a.micro   2 core, 1 GB memory
  Test Machine         m5.xlarge

Details of test environment:

  Area                 Details
  Server Software:     Apache
  Server Hostname:     matls-auth.tecban.poc.raidiam.io
  Server Port:         443
  SSL/TLS Protocol:    TLSv1.2,DHE-RSA-AES256-GCM-SHA384,2048,256
  Server Temp Key:     DH 2048 bits
  TLS Server Name:     matls-auth.tecban.poc.raidiam.io
  Document Path:       /
  Document Length:     1561 bytes

Request Performance / Measures

  Measure                 Response
  Concurrency Level:      200
  Time taken for tests:   19.882 secs
  Complete Requests:      2000
  Failed Requests:        0
  Non-2xx Responses:      2000
  Total Transferred:      3722000 bytes
  HTML Transferred:       3122000 bytes
  Requests per Second:    100.60 [#/sec] (mean)
  Time per Request:       1988.163 [ms] (mean)
  Time per Request:       9.941 [ms] (mean, across all concurrent requests)
  Transfer rate:          182.82 [Kbytes/sec] received

Connection Times (ms)

               Min   Mean   [+/- sd]   Median    Max
  Connect:     194   1092      471.4      959   3296
  Processing:   23    808      292.9      826   1992
  Waiting:      18    806      293.9      825   1992
  Total:       217   1900      500.4     1842   4353

Percentage of requests served within a certain time (ms)

  Percentile   Time (ms)
  50%          1842
  66%          2059
  75%          2188
  80%          2288
  90%          2519
  95%          2735
  98%          3150
  99%          3447
  100%         4353

Note that all 2000 responses were non-2xx, so these figures measure the cost of the TLS handshake and request handling at the gateway rather than end-to-end proxying of authorised requests to an upstream API. The protocol line also shows a 2048-bit DHE key exchange, which costs more per handshake than the ECDHE suites the FAPI profile equally permits; the choice of cipher suite is worth including in any sizing exercise.

Contact Us

If you'd like to organise a demonstration of Raidiam Connect Gateway or would like to discuss how it can enable your regulatory compliance through our simple license agreements, please contact us info@raidiam.com

Release Cadence and Support

As part of our commitment to continual improvement and ease of service, we offer a portal through which basic requests can be made. A number of service types are covered as part of your agreement, including:

  1. Technical Support - covering installation, configuration and troubleshooting
  2. Licensing and Billing Questions - any questions relating to renewals and bills
  3. Product Trial Questions - trying out the product and need more information
  4. Report a bug - we hope you don't need to use this too often, but if something is not quite right then let us know
  5. Suggest a new feature - can't find what you are looking for? Let us know and we will review and, where appropriate, add these feature requests to our product development roadmap
  6. Suggest an improvement - any comments on the available functions? Let us know and we'll see what we can do

We intend to provide quarterly releases, and we will advise which new features, bugs or enhancements will be included as part of the forthcoming release.

Access to the portal is based on a subscription, with specified users added on set-up with the ability to add others in your organisation on an as and when basis. The portal is accessible through the following URL:

https://raidiam.atlassian.net/servicedesk/customer/portal/9

This will bring you to the Raidiam Connect Gateway portal, where there are links to the documentation and release note information. Selecting the "Need to raise a request? Contact us." button takes you to the request screen where the six types of request (listed above) can be found.

Additional Services

In the event that the support desk and roadmap cadence do not fulfil your delivery needs, we are more than happy to discuss a support model that is more aligned to your needs. This would be covered by either a separate agreement or an extension to your existing agreement with Raidiam.

Where appropriate we are happy to discuss a Service Level approach based on severity of problems.

If support agreements are not the main focus, we are also happy to discuss how to support wider Identity matters, such as High level Strategy and design services, implementation support (inc. Testing frameworks) as well as the support frameworks already outlined. For more information please ask your Raidiam representative or drop an email to info@raidiam.com

About Us

Raidiam are Digital identity specialists that provide digital transformation services focussed on customer and IoT identity. Raidiam helps customers solve real business problems and provide innovative ways of interacting with customers, partners and suppliers.

Our mission is to help companies:

  1. Transition to a modern, interoperable process of identity and authentication management
  2. Adopt an identity-centric approach and build the right reference architecture to support it
  3. Create a single customer view, to manage permissions and privileges efficiently and securely
  4. Deliver a rich consumer digital experience that is both seamless and secure.
  5. Pursue a digital transformation that creates value for everyone

Raidiam was founded by the leading architects who conceived the first platform to address Open Banking in the UK, and by key players in developing the OpenID Foundation Financial-grade API (FAPI) standard. Raidiam will find the right technologies and the right strategy for your business goals, across your entire value chain. With identity at our core, we traverse the historical divide between business need and IT capability. Our accelerators, such as Raidiam Connect Gateway, are designed to provide optimised routes to meeting your regulatory challenges, such as the digital certificate challenge under PSD2.