In order to ensure that we have the correct information and that we can trust the certificates that are used for TPP authentication and message sealing, we need to perform an enrollment of TPP. This will be a 1 step process, where the TPP sends a signed request, in the same form as expected from Berlin Group, to an enrollment API. This process will ensure:
- That we receive all the required certificates, including root and intermediary certificates, in a sealed and authenticated request, minimizing the risk of TPP Spoofing.
- That the TPP can confirm that they are able to communicate with BEC, in the manner presented by Berlin Group.
The enrollment is performed programmatically through the TPP Enrollment API , which is also documented below. Onboarding needs to be done per bank. Please follow link to find a list of providing banks and production urls. Specifically, the enrollment endpoints to use when onboarding are:
etc etc ...
Each enrollment will typically succeed in less than 5 seconds.
If you need to undo/revoke an enrollment, enroll with a new certificate for same TPP, change status as a TPP or similar, please submit a support tickets to get guidance on how to proceed.
Refer to API documentation at TPP Enrollment API for latest specification of interface.