Using Spring Cloud Zuul Proxy as an Open Banking SSL Gateway
- PSD2 & Open Banking standards have shaken the banking industry since the EBA published its PSD2 RTS final paper on SCA in Feb 2017, particularly the RTS mandating the requirement to identify a TPP (Third Party Provider) using its eIDAS certificates (QWAC or QSeal). eIDAS certificates are issued by a QTSP (Qualified Trust Service Provider) to a TPP or an ASPSP.
- We can use Spring Cloud Zuul with very few lines of custom code, combined with cloud-native components such as AWS WAF (Web Application Firewall), to build a low-cost, secure, scalable and flexible Open Banking SSL gateway.
- Java 9 onwards includes native support for OCSP stapling and certificate path validation using OCSP / CRLs. We can use these features in the Spring Cloud Zuul proxy to build a secure SSL proxy that terminates TLS connections with or without mutual authentication (MA), validates the client certificate using OCSP / CRLs and passes the certificate chain on as HTTP headers to downstream systems such as the AWS Application Load Balancer (AWS ALB currently does not support TLS MA).
- TPP authentication can be done in two ways: either certificate-based mutual TLS authentication, or a signed request (the TPP signs the request with its QSeal certificate) sent over a TLS transport without MA.
- The EBA has provided a list of QTSPs on its website, together with a trust list, which can be used to build a Java trust store for validating the incoming TPP certificate when TLS MA is used at the gateway endpoint.
If you ask anybody working in the banking and financial industry about the most talked-about topic within their organization, I am sure the answer would be related to “Open Banking & PSD2”. PSD2 & Open Banking standards have shaken the financial industry since the EBA published its PSD2 RTS final paper on SCA in Feb 2017, particularly the RTS mandating the requirement to identify a TPP (Third Party Provider) using its eIDAS certificates (QWAC or QSeal). eIDAS certificates are issued by a QTSP (Qualified Trust Service Provider) to a TPP or an ASPSP.
High Level Architecture
Set up the SSL gateway
- OpenJDK 11 or Oracle JDK 11 or higher
- Maven 3.5 or higher
- Spring STS 4.0 (optional, if you want to play around with the code)
- Clone the git repository
Step 1 – Configure keystore and trust store
You can use the caman tool to build your private CA, or a tool of your choice, to create the keystore and trust store. Name the trust store trust.jks and place the file either in the resource folder or on the classpath. Configure the keystore properties in application.properties, located in the resource folder.
If you have an SSL certificate from a Certificate Authority, import the root CAs and certificates into your trust store and the key pair into the keystore, and place the files in the resource folder.
Step 2 – Configure certificate path validation properties
The key component of the SSL gateway is the Zuul proxy “pre” filter (the CertificateCheckingBean class), which retrieves the certificate chain from the HttpRequest object and performs the certificate path validation. The following properties control the certificate path validation behaviour:
server.ssl.client-auth – Use this property to enable TLS mutual authentication. The supported values are NONE, WANT and NEED.
NONE – disables TLS MA; WANT – client certificate is mandatory; NEED – client certificate is optional
server.ssl.fwdclientcertifiate – If true, the client certificate chain is forwarded to the load balancer URL as x-client-cert-x HTTP headers, where x is 0 for the leaf certificate and 1…n for the remaining certificates in the chain.
server.ssl.enableocspcheck – If true, an OCSP check is performed on the certificate chain.
server.ssl.validateleafcertonly – Set to true to validate the leaf certificate only. If true, the OCSP check and the trust validation are performed on the leaf certificate only.
server.ssl.ignoreocspcheckresults – Set this to either true or false. If true, OCSP results are ignored; otherwise the gateway responds with the HTTP status code and message given by the server.ssl.failurestatuscode and server.ssl.failuremessage properties.
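As an added illustration (not the repository's own CertificateCheckingBean), the following Spring Cloud Netflix Zuul "pre" filter shows the mechanics the properties above describe on Java 11: read the client chain that the TLS layer placed on the request, run PKIX path validation with the JDK's OCSP/CRL revocation checker against trust.jks, and either forward the chain as x-client-cert-<n> headers or stop the request with the configured failure status. The trust store password, the filter order and the constructor wiring of the properties are assumptions, and leafOnly here restricts only the revocation check, not the trust validation.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.servlet.http.HttpServletRequest;

/** Zuul "pre" filter: PKIX + OCSP/CRL validation of the TLS client chain, then forward it as x-client-cert-<n>. */
public class CertificateCheckingFilter extends ZuulFilter {
    private final PKIXParameters params;   // trust anchors from trust.jks on the classpath
    private final int failureStatus;       // server.ssl.failurestatuscode
    private final String failureMessage;   // server.ssl.failuremessage

    // Constructor arguments stand in for the application.properties values (assumed wiring).
    public CertificateCheckingFilter(char[] trustStorePassword, boolean leafOnly,
                                     int failureStatus, String failureMessage) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = getClass().getResourceAsStream("/trust.jks")) { trust.load(in, trustStorePassword); }
        params = new PKIXParameters(trust);   // throws if trust.jks holds no trusted certificate entries
        // The JDK revocation checker queries OCSP first and falls back to CRLs.
        PKIXRevocationChecker rc = (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker();
        if (leafOnly) rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY)); // ~validateleafcertonly
        params.addCertPathChecker(rc);
        this.failureStatus = failureStatus; this.failureMessage = failureMessage;
    }

    @Override public String filterType() { return "pre"; }
    @Override public int filterOrder() { return 1; }
    @Override public boolean shouldFilter() { return true; }

    @Override public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest req = ctx.getRequest();
        // The chain is taken from the TLS layer, never from a header the client could have set itself.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        try {
            if (chain == null || chain.length == 0) throw new CertificateException("no client certificate");
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
            CertPathValidator.getInstance("PKIX").validate(path, params);  // throws if untrusted or revoked
            for (int i = 0; i < chain.length; i++)   // 0 = leaf, 1..n = rest of the chain
                ctx.addZuulRequestHeader("x-client-cert-" + i, Base64.getEncoder().encodeToString(chain[i].getEncoded()));
        } catch (GeneralSecurityException e) {   // log e server-side; do not echo validator details to the TPP
            ctx.setSendZuulResponse(false);      // stop the request from reaching the load balancer
            ctx.setResponseStatusCode(failureStatus);
            ctx.setResponseBody(failureMessage);
        }
        return null;
    }
}
```

Register the filter as a Spring bean and make sure the downstream system trusts the x-client-cert-* headers only when they arrive from this gateway, since any client-supplied header of the same name must be dropped before forwarding.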
Step 3 – Configure load balancer URL
Change the zuul.routes.elb.url property in application.yml to point to your load balancer, so that incoming traffic is forwarded to your application.
Step 4 – Build and run
Run the following command from the folder where you checked out the code:
mvn clean install spring-boot:run -Docsp.enable=true -Dexec.args="initocsp"