Web Services

What’s new with Web Services.

OP renews its certificates – Please ensure online banking software status

OP will renew the bank test certificates used by the Web Services channel in spring 2022 and bank production certificates in autumn 2022.

The certificates of certification sub-authorities serving the WS channel (OP-Pohjola WS CA & OP-Pohjola Services CA) will expire on 12 September 2024. In practice, the certification authority certificates have to be renewed no later than on 25 August 2022 in order for the certification authorities to be able to issue two-year customer certificates. The root certificate authority does not change in this renewal.

The certificates used by customers to verify their identity in bank connections will change in accordance with the normal expiration cycles during these two years and there are no special measures related to them. Bank connection programs usually renew these certificates automatically before their expiration. New certificates are made available to customers before their implementation.

Most bank connection programs form a certificate trust chain by means of a root certificate authority. Please ensure that your bank connection program can automatically acknowledge the change in certification sub-authorities, and make any changes to the program that may be needed. If needed, OP can assist in informing customers, because we are able to identify the bank connection program used by our customers and its version details if the information is transmitted in messages.

Schedule

  • The new certificates of certification sub-authorities for the customer test systems are available starting from 21 January 2022 at https://op.fi/varmennepalvelu
  • The new certification authorities and bank service certificates will be implemented in the customer test environment on 24 February 2022.
  • The new certificates of certification authorities for production are available starting from 25 February 2022 at https://op.fi/varmennepalvelu
  • The new certification authorities and bank service certificates are implemented in production on 25 August 2022.

Technical details

The new certificates of certification authorities are distributed at https://op.fi/varmennepalvelu.

All issued end-user certificates also include an "Authority Information Access" (AIA) extension, and the certificates of certification authorities can be retrieved automatically from the address it indicates. The AIA service is the same as with the old certification authorities, so there is no need for new firewall rules. The certificates of certification authorities can also be retrieved by a WS channel service call.

There will be no changes in the root certificate authority.
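
The effect of a sub-authority change on certificate validation can be checked offline with OpenSSL. The script below is an added example, not OP's code and not part of the original notice: it builds a constructed demo PKI (all names and keys are generated in the script and are assumptions) and shows that a client trusting only the root accepts a certificate issued by the new sub-authority, while a client that pinned the old sub-authority rejects it.

```sh
#!/bin/sh
# Constructed throwaway PKI: a root, two sub-CAs standing in for the old (V2)
# and new (V3) sub-authorities, and a customer certificate issued by V3.
# All names and keys are generated here; none are OP's.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

new_csr() {  # $1 = file stem, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
}
sign() {     # $1 = subject stem, $2 = issuer stem, rest = extension options
  subj=$1; issuer=$2; shift 2
  openssl x509 -req -in "$work/$subj.csr" -CA "$work/$issuer.pem" \
    -CAkey "$work/$issuer.key" -CAcreateserial -days 30 \
    -out "$work/$subj.pem" "$@" 2>/dev/null
}
# Validate the customer certificate with exactly one trusted certificate ($1);
# the V3 sub-CA is supplied as an untrusted intermediate, as a peer would send it.
verify_with_anchor() {
  openssl verify -partial_chain -CAfile "$work/$1.pem" \
    -untrusted "$work/v3.pem" "$work/leaf.pem" >/dev/null 2>&1
}

openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$work/ca.cnf" \
  -extensions v3_ca -subj "/CN=DEMO Root CA" \
  -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
new_csr v2 "DEMO WS CA V2";   sign v2 root -extfile "$work/ca.cnf" -extensions v3_ca
new_csr v3 "DEMO WS CA V3";   sign v3 root -extfile "$work/ca.cnf" -extensions v3_ca
new_csr leaf "DEMO customer"; sign leaf v3

for anchor in root v2 v3; do
  if verify_with_anchor "$anchor"; then echo "trust anchor $anchor: accepted"
  else echo "trust anchor $anchor: REJECTED"; fi
done
```

A program that reports REJECTED for its configured anchor needs the new sub-authority certificate added to its trust configuration before the switchover date.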

Changes in customer test environment

The currently available trust chains of Customer test certificates are:

| Purpose of use | Root certificate authority | Certificate sub-authority | End-user certificates |
| --- | --- | --- | --- |
| Customer identity verification in Web Services channel | TEST OP-Pohjola Root CA | CUSTOMER TEST OP WS CA V2 | Bank connection customer’s certificate |
| Bank identity verification in Web Services channel | TEST OP-Pohjola Root CA | CUSTOMER TEST OP Services CA V2 | XML signature certificates used by bank |
| Web Services channel’s SSL certificate (connection identification and encryption) | Publicly trusted root certificate authority | Publicly trusted certificate sub-authority | (https://wsk.asiakastesti.op.fi) Bank connection channel’s SSL certificates (HTTPS) |

The new trust chains of the customer test are (changes in blue):

| Purpose of use | Root certificate authority | Certificate sub-authority | End-user certificates |
| --- | --- | --- | --- |
| Customer identity verification in Web Services channel | TEST OP-Pohjola Root CA | CUSTOMER TEST OP WS CA V3 | Bank connection customer’s certificate (issued from the new certification authority in connection with normal renewal at the interval of two years) |
| Bank identity verification in Web Services channel | TEST OP-Pohjola Root CA | CUSTOMER TEST OP Services CA V3 | XML signature certificates used by bank |
| Web Services channel’s SSL certificate (connection identification and encryption) | Publicly trusted root certificate authority | Publicly trusted certificate sub-authority | (https://wsk.asiakastesti.op.fi) Bank connection channel’s SSL certificates (HTTPS) |

The certificates issued by the new certification authorities have a new URL for the retrieval of revocation lists (CRL). The URL is included in the end-user certificates’ CRL Distribution Point (CDP) extension. The distribution server does not change, so the change requires no new firewall rules. The revocation lists of the new certificates are available at the following addresses:

CUSTOMER TEST OP WS CA V3: 

http://test-crl.op-palvelut.fi/crl/test/subca/Customer_Test_OP_WS_CA_V3.crl
http://test2-crl.op-palvelut.fi/crl/test/subca/Customer_Test_OP_WS_CA_V3.crl

CUSTOMER TEST OP Services CA V3:

http://test-crl.op-palvelut.fi/crl/test/subca/Customer_Test_OP_Services_CA_V3.crl
http://test2-crl.op-palvelut.fi/crl/test/subca/Customer_Test_OP_Services_CA_V3.crl

Changes in production environment

The currently used trust chains of certificates in the production environment are:

| Purpose of use | Root certificate authority | Certificate sub-authority | End-user certificates |
| --- | --- | --- | --- |
| Customer identity verification in Web Services channel | OP-Pohjola Root CA | OP WS CA V2 | Bank connection customer’s certificate |
| Bank identity verification in Web Services channel | OP-Pohjola Root CA | OP Services CA V2 | XML signature certificates used by bank |
| Web Services channel’s SSL certificate (connection identification and encryption) | Publicly trusted root certificate authority | Publicly trusted certificate sub-authority | (https://wsk.op.fi) Bank connection channel’s SSL certificates (HTTPS) |

The new trust chains of production environment are (changes in blue):

| Purpose of use | Root certificate authority | Certificate sub-authority | End-user certificates |
| --- | --- | --- | --- |
| Customer identity verification in Web Services channel | OP-Pohjola Root CA | OP WS CA V3 | Bank connection customer’s certificate (issued from the new certification authority in connection with normal renewal at the interval of two years) |
| Bank identity verification in Web Services channel | OP-Pohjola Root CA | OP Services CA V3 | XML signature certificates used by bank |
| Web Services channel’s SSL certificate (connection identification and encryption) | Publicly trusted root certificate authority | Publicly trusted certificate sub-authority | (https://wsk.op.fi) Bank connection channel’s SSL certificates (HTTPS) |

The certificates issued by the new certification authorities have a new URL for the retrieval of revocation lists (CRL). The URL is included in the end-user certificates’ CRL Distribution Point (CDP) extension. The distribution server does not change, so the change requires no new firewall rules. The revocation lists of the new certificates are available at the following addresses:

OP WS CA V3: 

http://crl.op-palvelut.fi/crl/subca/OP_WS_CA_V3.crl
http://crl2.op-palvelut.fi/crl/subca/OP_WS_CA_V3.crl

OP Services CA V3:

http://crl.op-palvelut.fi/crl/subca/OP_Services_CA_V3.crl 
http://crl2.op-palvelut.fi/crl/subca/OP_Services_CA_V3.crl

Company’s online banking security

OP’s Web Services stopped supporting old versions of the TLS cryptographic protocol in May 2021. You have not been able to transmit your company’s data to banks using the old TLS versions 1.0 and 1.1 after 20 May 2021.

Limiting support to the latest versions is designed to increase the level of data security. The Finnish Transport and Communications Agency’s regulation on electronic identification and trust services recommends primarily using TLS version 1.2 or later to encrypt and decrypt data transmissions.

What is Transport Layer Security (TLS)?

TLS is a data security protocol that ensures the protection and integrity of data between two communicating applications. It is widely used in web browsers and other applications requiring secure transfer of data over a computer network.

Supported cipher suites

Several old cipher suites are not supported.

OP supports the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

What is a cipher suite?

TLS uses so-called cipher suites to encrypt and decrypt transmitted data. A cipher suite is a set of algorithms that help to secure network connections that rely on TLS.
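
To see whether a client's configured cipher list still overlaps with the suites listed above, the following added example (not from OP and not part of the original page) expands an OpenSSL cipher string with the local openssl binary and intersects the result with OP's list. It assumes the bank connection software is configured with OpenSSL-style cipher strings; the function name and the sample configurations are constructed for illustration.

```sh
#!/bin/sh
# The four suites the page lists as supported by OP (IANA names).
OP_SUITES="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"

# Print, one per line, the OP-supported suites that a client configured with
# the OpenSSL cipher string $1 would offer. Empty output means there is no
# common suite, so the TLS handshake cannot complete.
shared_with_op() {
  # -stdname prefixes every expanded suite with its IANA name (OpenSSL 1.1.1+).
  offered=$(openssl ciphers -stdname "$1" 2>/dev/null | awk '{ print $1 }')
  for iana in $OP_SUITES; do
    if printf '%s\n' "$offered" | grep -qxF "$iana"; then
      printf '%s\n' "$iana"
    fi
  done
}

# Constructed client configurations (hypothetical, for illustration only).
for cfg in 'AES128-SHA:AES256-SHA' \
           'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA' \
           'ECDHE+AESGCM:ECDHE+AES'; do
  common=$(shared_with_op "$cfg" | tr '\n' ' ')
  echo "$cfg -> ${common:-NO COMMON SUITE}"
done
```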

Web Services channel

The Web Services channel is the main channel for sending companies' invoice and payment files and for retrieving reconciliation files for incoming payments as well as account statements.

In OP Group, the file-specific size limit of the Web Services protocol is 100 megabytes uncompressed. However, OP Group requires that the file be compressed before it is sent to the bank. The compression algorithm is GZIP in accordance with RFC1952. The maximum size of a compressed file is 10 megabytes per file batch sent.

Up-to-date certificates for the Company's Bank Connection (Web Services) channel are always available on the Certificate Service website.

When new file formats and software versions are introduced, we recommend testing them before deployment. OP has its own customer test environment, the use of which is free of charge for the time being. The test environment can be used when the bank connection software of the software vendor or customer supports the files to be tested and their feedback.

Use of the customer test environment requires that the customer has agreements with the bank on the services the customer intends to test, e.g. a C2B payments agreement and an e-invoice sending agreement. The party that sends the files to the bank over the bank connection must have a Company's Bank Connection (Web Services) agreement.

Use of the customer test environment requires a separate WS channel test certificate. A production certificate does not work in the customer test environment. The customer can request the transfer keys used for the test environment when making the Company's Bank Connection channel agreement or, if needed, separately from the account-holding branch or from the Corporate and Payment Services telephone service. The test environment certificate can be retrieved with the transfer key as described in the WS channel application guide. Sending files to the test environment can begin 24 hours after the certificate has been retrieved. Files sent to the test environment use the customer ID, payment ID and payment accounts in accordance with the agreements.

The Web Services (WS) channel has a file type, INFO, which we use to announce, for example, exceptional reception times for payment files in the WS channel and possible maintenance breaks and disruptions. The file is a UTF-8 encoded character string, i.e. text. A notice can be targeted at all users of the WS channel or at specific bank connection programs or specific versions of them. The INFO file is shown by getFileList like any other retrievable file.