SEB GATEWAY Customer to bank online integration. specification v1.04

Transcription

1 SEB GATEWAY Customer to bank online integration specification v1.04

2 Document versions Version Date Comments Initial version of the document Added part about supported qualified certificates, text clarifications (P.Kriščiūnas) Updated Security section. Added links to online specifications. Other small text changes. (A. Chmelevskis) Updated Figure 1. (A. Chmelevskis) Updated Section 3 Validation of SignableDocument type document. Added XML field name which must be signed. (A. Chmelevskis) Version / 9

3 Content 1. Introduction Security Validation of SignableDocument type document Interface specification SEB Gateway client s web services Functions and parameters SEB bank s web services Functions and parameters Container Message data formats Summary of SEB Gateway standards and patterns Additional documents... 9 Version / 9

4 1. Introduction SEB Gateway service is used to exchange data/financial messages between IT Systems of the Company and SEB bank. This document contains technical description of the service: technology used, available services, procedures, data format. This document is to be used by external users, i.e. enterprises (further referred to as the SEB Gateway client) willing to integrate their and SEB bank s IT systems. Web services will be used to exchange data between SEB and the SEB Gateway client. Web services are available on SEB s server and also on the SEB Gateway client s server. When sending data to SEB, the SEB Gateway client will use SEB's web service. When sending data to the SEB Gateway client, SEB will use the client s web service. In this data exchange scheme, the active party is the one which is sending data. Secure, encoded connection channel COMPANY B2B interface Notification Account Balance Payments Account balance request B2B interface Payment processing report Statement Bank s IS Company s ERP Version / 9

5 2. Security The system security between SEB and the SEB Gateway client is ensured by HTTP communication protocol via a dedicated VPN (Virtual Private Network) connection. Communication and data transfer security is ensured by SSL certificates and web services security standards. Message exchange security uses: data integrity pattern to verify that a message has not changed in transit; data origin authentication pattern to identify and validate the origin of a message; data confidentiality pattern to encrypt message data so that unauthorized entities cannot view the contents of the message. In all cases asymmetric cryptography is used. With asymmetric cryptography (also known as public key cryptography), the sender encrypts data with one key, and the recipient uses a different key to decrypt cipher text. The encryption key and its matching decryption key are often referred to as a public/private key pair. Figure 1: Message exchange security More information about Web Service Security Patterns can be found here Version / 9

6 3. Validation of SignableDocument type document Payment initiation orders sent from the SEB Gateway client to SEB Bank must be signed with at least one (although multiple are supported) qualified certificates of the representatives of the SEB Gateway client. SignableDocument type document is to be used. The SignableDocument type document contains the document section (element Document) and signature section (element Signature). The document section contains pain type document, which is validated using specific scheme (XSD files will be provided to the SEB Gateway client). The signature section contains one or more digital signatures, which are formed according to the XAdES-BES standard. More information about XAdES-BES standard can be found here 2 and here 3. Signatures are formed by generating required digests from document section of the SignableDocument type document and performing other signature-related actions, which enable to identify which part of the document, was signed. Currently SEB bank is prepared to validate digital signatures created with qualified certificates of the following Certificate Authorities: CA Resident Register Service under the Ministry of Interior of the Republic of Lithuania ( Secure Signature Creation Device example Lithuanian national identity cards VĮ Registrų centras ( Crypto USB key Smartcard Version / 9

7 4. Interface specification All WSDL files will be provided to the SEB Gateway client SEB Gateway client s web services WSDL file lba-unifi-cashmanagement-customer-v01.wsdl lba-unifi-paymentsinitiation-customer-v01.wsdl Functions and parameters SEB Bank may call these functions: banktocustomerstatementv02 banktocustomerdebitcreditnotificationv02 customerpaymentstatusreportv03 Function description and parameters: Function Parameters Input Output Description lba-unifi-cashmanagement-customer-v01.wsdl banktocustomerstatement V02 banktocustomerdebitcredi tnotificationv02 document:iso.std.iso._ tech.xsd.camt_053_001.D ocument document:iso.std.iso._ tech.xsd.camt_054_001.D ocument lba-unifi-paymentsinitiation-customer-v01.wsdl Document passed: account statement Document passed: notification on account debit or credit transaction customerpaymentstatusre portv03 Document:iso.std.iso._ tech.xsd.pain_002_001.D ocument Document passed: payment status Version / 9

8 4.2. SEB bank s web services WSDL file lba-unifi-cashmanagement-bank-v01.wsdl lba-unifi-paymentsinitiation-bank-v01.wsdl Functions and parameters SEB Gateway client may call these service functions on the SEB bank side: customercredittransferinitiationv03 accountreportingrequestv02 Function description and parameters: Function Parameters Input Output Description lba-unifi-paymentsinitiation-bank-v01.wsdl customercredittransf erinitiationv03 document: lt.lba.xmlns._2011._01.u nifi.customercredittrans ferinitiation.v03.signabl edocumenttype lba-unifi-cashmanagement-bank-v01.wsdl iso.std.iso._20022.tech.x sd.pain_002_001.docum ent Document passed: payment order in xml format, signed with certificates. Response received: payment status document accountreportingreq uestv02 document:iso.std.iso._ tech.xsd.camt_06 0_001.Document iso.std.iso._20022.tech.x sd.camt_052_001.docu ment Document passed: request for account balance Response received: account balance xml 4.3. Container To ensure the security of data exchange via web services, ws-security standards will be used (detailed descriptions available here 4 ). Security policies are attached or detached in the WSDL file. 4 Version / 9

9 Each WSDL file on SEB bank side and the SEB Gateway client side will specify the security policy file, which describes security instruments used for data exchange between SEB bank and the SEB Gateway client. 5. Message data formats Message data formats are provided in the document ISO20022_formats_mapping_B2B.xls 6. Summary of SEB Gateway standards and patterns ISO20022 UNIFI XML WSDL 1.1 WS-Policy 1.2 WS-I Basic Profile 1.1 WS-I Basic Security Profile 1.1 WS-Address WS-Addressing Idempotency pattern 7. Additional documents Universal financial industry message (document) Web Services Definition Language Web Services Policy for formal contract establishment in relation to Non-Functional characteristics (i.e. Security, Asynchronous Intercommunication) Basic Profile for Web Service Definition Interoperability Basic Profile for Web Service Security Interoperability Web Services Signature and Encryption for message Security for Asynchronous intercommunication (i.e. safe resend of the same message) is used to establish reliability Additional documents will be provided by the bank to the SEB Gateway client: XML Schema Definition (XSD) files, Web Services Description Language (WSDL) files. Version / 9