Using Spring Cloud Zuul Proxy as an Open Banking SSL Gateway

Key Takeaways

  1. PSD2 and the Open Banking standards have shaken the banking industry since the EBA published its final PSD2 RTS on SCA in February 2017, in particular because the RTS mandate identifying a TPP (Third Party Provider) by its eIDAS certificate (QWAC or QSeal). eIDAS certificates are issued by a QTSP (Qualified Trust Service Provider) to a TPP or an ASPSP.
  2. We can use Spring Cloud Zuul, with very few lines of custom code, combined with cloud-native components such as AWS WAF (Web Application Firewall) to build a low-cost, secure, scalable and flexible Open Banking SSL gateway.
  3. Java 9 onwards includes native support for OCSP stapling, and the JDK's PKIX certificate path validation can check revocation using OCSP or CRLs. We can use these features in a Spring Cloud Zuul proxy to build a secure SSL proxy that terminates TLS with or without mutual authentication (MA), validates the client certificate chain using OCSP / CRLs and passes the chain on as HTTP headers to downstream systems such as the AWS Application Load Balancer (at the time of writing AWS ALB does not support TLS MA, so it cannot do this itself).
  4. TPP authentication can be done in two ways: certificate-based mutual TLS authentication, or a signed request (the TPP signs the request with its QSeal certificate) sent over a TLS transport without MA.
  5. The EBA has provided a list of QTSPs on its website, together with a trust list, which can be used to build a Java trust store for validating the incoming TPP certificate when TLS MA is used at the gateway endpoint.

If you ask anybody working in the banking and financial industry about the hottest topic within their organization, I am sure the answer would be related to "Open Banking & PSD2". PSD2 and the Open Banking standards have shaken the financial industry since the EBA published its final PSD2 RTS on SCA in February 2017, in particular because the RTS mandate identifying a TPP (Third Party Provider) by its eIDAS certificate (QWAC or QSeal). eIDAS certificates are issued by a QTSP (Qualified Trust Service Provider) to a TPP or an ASPSP.

Picture - 1 : zuul (image not reproduced)

High Level Architecture

The code is available in the GitHub repository. You can also reach out to us if you need any technical support.

Setup SSL gateway

Prerequisites

  • OpenJDK 11 or Oracle JDK 11 or higher
  • Maven 3.5 or higher
  • Spring STS 4.0 (optional, if you want to play around with the code)
  • Clone the git repository 

Step 1 – Configure Keystore and trust Store

You can use the caman tool to build your private CA, or a tool of your choice, to create the keystore and trust store. Name the trust store trust.jks and place it in the resources folder or anywhere on the classpath. Configure the keystore properties in application.properties, located in the resources folder.

If you have an SSL certificate from a Certificate Authority, import the root CA and any intermediate CA certificates into your trust store and the key pair into the keystore, and place both files in the resources folder. Only CA certificates belong in the trust store: every trusted entry in trust.jks becomes a trust anchor that the gateway will accept client certificates from.
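As an added example (not code from the repository), the following small program builds trust.jks from one or more PEM files containing QTSP root and issuing CA certificates, doing what Step 1 describes but with the checks a practitioner wants: leaf certificates are refused (a trust anchor must be a CA), expired certificates abort the build, and aliases are derived from subject and serial so a re-issued CA certificate does not silently overwrite an earlier one. The class name, the argument order and the file names in the usage comment are assumptions.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Added example, not part of the gateway repository: builds trust.jks from PEM files
 * holding QTSP root and issuing CA certificates.
 *
 * Usage (assumed): java TrustStoreBuilder src/main/resources/trust.jks changeit qtsp-root.pem qtsp-ca-bundle.pem
 */
public class TrustStoreBuilder {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TrustStoreBuilder <trust.jks> <password> <ca.pem>...");
            System.exit(2);
        }
        Path out = Paths.get(args[0]);
        char[] password = args[1].toCharArray();

        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);                         // start from an empty store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        for (int i = 2; i < args.length; i++) {
            try (InputStream in = Files.newInputStream(Paths.get(args[i]))) {
                // generateCertificates handles PEM bundles that contain several certificates
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    String subject = x.getSubjectX500Principal().getName();
                    if (x.getBasicConstraints() < 0) {  // not a CA: a leaf certificate is never a trust anchor
                        System.err.println("skipping non-CA certificate " + subject);
                        continue;
                    }
                    x.checkValidity();                  // throws if the CA certificate is expired or not yet valid
                    // subject + serial keeps aliases unique when a CA has re-issued its certificate
                    String alias = (subject + "-" + x.getSerialNumber().toString(16)).toLowerCase();
                    trust.setCertificateEntry(alias, x);
                    System.out.println("added trust anchor " + alias);
                }
            }
        }
        try (OutputStream o = Files.newOutputStream(out)) {
            trust.store(o, password);
        }
        System.out.println("wrote " + out + " with " + trust.size() + " trust anchor(s)");
    }
}
```

The password given here must match the server.ssl.trust-store-password value in application.properties, otherwise the gateway cannot open the store at start-up.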

Step 2 – Configure certificate path validation properties

The key component of the SSL gateway is the Zuul proxy "pre" filter (the CertificateCheckingBean class), which retrieves the certificate chain from the HttpServletRequest (the javax.servlet.request.X509Certificate request attribute, populated by the servlet container after the TLS handshake) and performs certificate path validation. The following properties control the certificate path validation behaviour:

server.ssl.client-auth – Use this property to enable TLS mutual authentication. The supported values are NONE, WANT and NEED.

NONE – TLS MA is disabled and no client certificate is requested. WANT – the client certificate is optional: the server requests one, but the handshake succeeds without it, so the filter must cope with a missing chain. NEED – the client certificate is mandatory and the handshake fails without one. (The original text had WANT and NEED the wrong way round; the meanings above are the ones Spring Boot and Tomcat implement.)

server.ssl.fwdclientcertifiate – If true, the client certificate chain is forwarded to the load balancer URL as x-client-cert-x HTTP headers, where x is 0 for the leaf certificate and 1…n for the remaining certificates in the chain. Downstream systems must accept these headers only from the gateway, and the gateway must not pass through any x-client-cert-* header supplied by the caller; otherwise a client could forge a validated chain.

server.ssl.enableocspcheck – If true, an OCSP check is performed on the certificate chain.

server.ssl.validateleafcertonly – Set to true to validate the leaf certificate only. If true, the OCSP check and the trust validation are performed on the leaf certificate only.

server.ssl.ignoreocspcheckresults – If true, OCSP results are ignored (useful while testing against a responder that is not reachable); otherwise a failed check makes the gateway respond with the HTTP status code and message configured in server.ssl.failurestatuscode and server.ssl.failuremessage. Leave it false in production, since ignoring results means a revoked TPP certificate is still accepted.
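As an added example, and not the repository's CertificateCheckingBean, here is a Zuul "pre" filter that implements the behaviour these properties describe with the JDK's PKIX APIs: it reads the chain from the javax.servlet.request.X509Certificate attribute, validates it against trust.jks, does OCSP revocation checking through PKIXRevocationChecker (Java 8+, so it does not depend on the ocsp.enable security property), and forwards the chain as Base64-encoded DER in x-client-cert-<n> headers. The property names are the ones listed above plus server.ssl.trust-store-password, the standard Spring Boot trust store password property; the class name, filter order and the 400 status used for smuggled headers are assumptions.

```java
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.*;

/** Added example (not the repository's CertificateCheckingBean): PKIX + OCSP validation of the TPP chain. */
@Component
public class ClientCertPathFilter extends ZuulFilter implements InitializingBean {

    // Set by the servlet container when the TLS handshake delivered a client certificate chain (leaf first)
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String HEADER_PREFIX = "x-client-cert-";

    @Value("${server.ssl.client-auth:none}") private String clientAuth;
    @Value("${server.ssl.trust-store-password}") private String trustStorePassword;
    @Value("${server.ssl.fwdclientcertifiate:false}") private boolean forwardChain;
    @Value("${server.ssl.enableocspcheck:false}") private boolean ocspCheck;
    @Value("${server.ssl.validateleafcertonly:false}") private boolean leafOnly;
    @Value("${server.ssl.ignoreocspcheckresults:false}") private boolean ignoreOcspResults;
    @Value("${server.ssl.failurestatuscode:403}") private int failureStatusCode;
    @Value("${server.ssl.failuremessage:client certificate validation failed}") private String failureMessage;

    private PKIXParameters pkixParams;

    @Override
    public void afterPropertiesSet() throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = getClass().getResourceAsStream("/trust.jks")) { // Step 1: trust.jks on the classpath
            if (in == null) throw new IllegalStateException("trust.jks not found on the classpath");
            trust.load(in, trustStorePassword.toCharArray());
        }
        pkixParams = new PKIXParameters(trust); // every trusted certificate entry becomes a trust anchor
        if (ocspCheck) {
            // Java 8+ revocation checker: OCSP only (no CRL fallback), optionally end-entity only
            PKIXRevocationChecker rc = (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker();
            EnumSet<PKIXRevocationChecker.Option> opts = EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK);
            if (leafOnly) opts.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
            rc.setOptions(opts);
            pkixParams.addCertPathChecker(rc); // an added checker runs regardless of setRevocationEnabled
        } else {
            pkixParams.setRevocationEnabled(false);
        }
    }

    @Override public String filterType() { return "pre"; }
    @Override public int filterOrder() { return 1; }
    @Override public boolean shouldFilter() { return !"none".equalsIgnoreCase(clientAuth); }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();
        // The chain headers are trusted downstream, so a caller must never be able to supply them
        if (request.getHeader(HEADER_PREFIX + "0") != null) {
            return reject(ctx, 400, "client-supplied " + HEADER_PREFIX + "* headers are not allowed");
        }
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // With client-auth=want the handshake succeeds without a certificate; only "need" makes it mandatory
            return "need".equalsIgnoreCase(clientAuth) ? reject(ctx, failureStatusCode, "client certificate required") : null;
        }
        try {
            String error = validate(chain);
            if (error != null) return reject(ctx, failureStatusCode, failureMessage + ": " + error);
            if (forwardChain) {
                for (int i = 0; i < chain.length; i++) { // 0 = leaf, 1..n = issuing CAs, DER as Base64
                    ctx.addZuulRequestHeader(HEADER_PREFIX + i, Base64.getEncoder().encodeToString(chain[i].getEncoded()));
                }
            }
        } catch (GeneralSecurityException e) {
            return reject(ctx, failureStatusCode, failureMessage);
        }
        return null;
    }

    /** Runs PKIX path validation; returns null on success, otherwise the reason to report. */
    private String validate(X509Certificate[] chain) throws GeneralSecurityException {
        List<X509Certificate> certs = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = certs.get(certs.size() - 1);
        // A self-signed root sent by the client is only a trust anchor candidate, not part of the path
        if (certs.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            certs.remove(certs.size() - 1);
        }
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, pkixParams); // new instance: validators are not thread-safe
            return null;
        } catch (CertPathValidatorException e) {
            boolean revocation = e.getReason() == BasicReason.REVOKED
                    || e.getReason() == BasicReason.UNDETERMINED_REVOCATION_STATUS;
            return (revocation && ignoreOcspResults) ? null : e.getMessage(); // ignore OCSP outcomes only, never trust failures
        }
    }

    private Object reject(RequestContext ctx, int status, String message) {
        ctx.setSendZuulResponse(false); // do not route this request to the load balancer
        ctx.setResponseStatusCode(status);
        ctx.setResponseBody(message);
        return null;
    }
}
```

Two design points worth noting. First, server.ssl.ignoreocspcheckresults only suppresses the two revocation reasons (REVOKED and UNDETERMINED_REVOCATION_STATUS); an untrusted issuer, an expired certificate or a bad signature is still rejected, which is what "ignore OCSP results" should mean. Second, with validateleafcertonly the example uses the ONLY_END_ENTITY option so that only the leaf is checked against OCSP, but the trust validation still walks the whole chain, because PKIX cannot validate a leaf without a path to a trust anchor.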

Step 3 – Configure load balancer URL

Change the zuul.routes.elb.url property in application.yml to point to your load balancer, so that incoming traffic is forwarded to your application.

Step 4 – Build and run

Run the following command from the folder where you checked out the code:

mvn clean install spring-boot:run -Docsp.enable=true -Dexec.args="initocsp"