Merged
Changes from 4 commits
2 changes: 1 addition & 1 deletion automation/janssen_helm_chart/non_janssen.yaml
@@ -10,7 +10,7 @@ global:
cnObExtSigningJwksCrt: None
cnObExtSigningJwksKey: None
cnObExtSigningJwksKeyPassPhrase: None
cnObExtSigningAlias: None
cnObInternalSigningAlias: None
cnObStaticSigningKeyKid: None
cnObTransportCrt: None
cnObTransportKey: None
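Review bot: renaming `global.cnObExtSigningAlias` to `global.cnObInternalSigningAlias` is a breaking change for existing override files; an operator who upgrades with the old key still set gets no error from the YAML merge and silently ends up with the default alias instead of the one they configured. Call the rename out in the chart's upgrade notes, and consider reading the old key as a fallback for one release so the regression is visible rather than silent.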
12 changes: 6 additions & 6 deletions automation/rancher-partner-charts/questions.yaml
@@ -47,20 +47,20 @@ questions:
type: password
label: Open banking external signing jwks AS key passphrase
min_length: 6
- variable: global.cnObExtSigningAlias
- variable: global.cnObInternalSigningAlias
default: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
required: true
group: "OpenBanking Distribution"
description: "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G"
description: "Internal Java Keystore (JKS) alias used to locate the Open Banking private signing key. To ensure correct internal mapping, this string must identically match your cnObStaticSigningKeyKid"
type: string
label: Open banking external signing AS Alias
label: Open banking internal signing AS Alias
- variable: global.cnObStaticSigningKeyKid
default: "Wy44xWSlcWnMiEc8iq9s2G"
default: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
required: true
group: "OpenBanking Distribution"
description: "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G"
description: "External Key ID (kid) stamped onto the header of outgoing JWTs. This tells receiving parties which public key to fetch from your JWKS URI to verify the signature."
type: string
label: Open banking signing AS kid
label: Open banking signing AS kid
show_if: "global.distribution=openbanking"
- variable: global.cnObTransportAlias
default: ""
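Review bot: the `cnObInternalSigningAlias` question carries no `show_if: "global.distribution=openbanking"` line, while `cnObStaticSigningKeyKid` directly below it does, so the alias prompt will appear for every distribution; add the same `show_if`. Separately, both questions now default to the sample kid `XkwIzWy44xWSlcWnMiEc8iq9s2G` while also being `required: true`. A real-looking default lets an operator click through the form and stamp a kid onto outgoing JWT headers that does not exist at their JWKS endpoint, which receiving parties will reject. Prefer `default: ""` (required still forces a value) and keep the sample value in the description, where it already appears for the previous wording.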
10 changes: 5 additions & 5 deletions charts/gluu/README.md
2 changes: 1 addition & 1 deletion charts/gluu/charts/config/templates/configmaps.yaml
@@ -27,7 +27,7 @@ data:
{{ if .Values.global.cnObExtSigningJwksUri }}
CN_OB_EXT_SIGNING_JWKS_URI: {{ .Values.global.cnObExtSigningJwksUri | quote }}
CN_OB_AS_TRANSPORT_ALIAS: {{ .Values.global.cnObTransportAlias | quote }}
CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObExtSigningAlias | quote }}
CN_OB_EXT_SIGNING_ALIAS: {{ .Values.global.cnObInternalSigningAlias | quote }}
# force the AS to use a specific signing key
CN_OB_STATIC_KID: {{ .Values.global.cnObStaticSigningKeyKid | quote }}
{{- end }}
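Review bot: the environment variable is still named `CN_OB_EXT_SIGNING_ALIAS` but now carries the internal keystore alias, so anyone reading the pod's environment sees a name that contradicts the value's documented purpose. If the image's variable name cannot change in this PR, add a template comment above the line stating that it holds the JKS alias, matching the `# force the AS to use a specific signing key` comment already used for `CN_OB_STATIC_KID`. Since the two values are documented as having to be identical, the template could also fall back automatically, e.g. `CN_OB_EXT_SIGNING_ALIAS: {{ default .Values.global.cnObStaticSigningKeyKid .Values.global.cnObInternalSigningAlias | quote }}`, so an operator who sets only the kid does not end up with an alias the AS cannot find in its keystore.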
12 changes: 6 additions & 6 deletions charts/gluu/openbanking-values.yaml
@@ -377,17 +377,17 @@ global:
# -- Persistence backend to run Gluu with hybrid|sql.
cnPersistenceType: sql
# -- Open banking external signing jwks uri. Used in SSA Validation.
Member: Place the example here as well
cnObExtSigningJwksUri: ""
# -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksUri: "https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks"
# -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksCrt: ""
# -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksKey: ""
# -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksKeyPassPhrase: ""
# -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G
cnObExtSigningAlias: ""
# -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G
cnObStaticSigningKeyKid: ""
# -- External Key ID (kid) stamped onto the header of outgoing JWTs. This tells receiving parties which public key to fetch from your JWKS URI to verify the signature.
cnObStaticSigningKeyKid: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
# -- Internal Java Keystore (JKS) alias used to locate the Open Banking private signing key. To ensure correct internal mapping, this string must identically match your "cnObStaticSigningKeyKid".
cnObInternalSigningAlias: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
# -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.
cnObTransportCrt: ""
# -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.
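Review bot: changing `cnObExtSigningJwksUri` from `""` to `https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks` is not purely documentation. `configmaps.yaml` wraps the whole block in `{{ if .Values.global.cnObExtSigningJwksUri }}`, so a non-empty default switches on `CN_OB_EXT_SIGNING_JWKS_URI`, the transport alias, the signing alias and `CN_OB_STATIC_KID` for every install that does not override the value, and points SSA validation at a placeholder host. Keep the default empty and put the example URI in the `# --` comment above it, as is already done for the base64-encoded values in this block. The same applies to the two kid defaults: a live `XkwIzWy44xWSlcWnMiEc8iq9s2G` in the values file means an un-overridden install signs with a kid nobody publishes.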
6 changes: 3 additions & 3 deletions charts/gluu/values.schema.json
@@ -667,12 +667,12 @@
"type": "string",
"pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
},
"cnObExtSigningAlias": {
"description": "Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G",
"cnObInternalSigningAlias": {
"description": "Internal Java Keystore (JKS) alias used to locate the Open Banking private signing key. To ensure correct internal mapping, this string must identically match your cnObStaticSigningKeyKid",
"type": "string"
},
"cnObStaticSigningKeyKid": {
"description": "Open banking signing AS kid to force the AS to use a specific signing key. i.e Wy44xWSlcWnMiEc8iq9s2G",
"description": "External Key ID (kid) stamped onto the header of outgoing JWTs. This tells receiving parties which public key to fetch from your JWKS URI to verify the signature.",
"type": "string"
},
"cnObTransportCrt": {
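Review bot: neither `cnObInternalSigningAlias` nor `cnObStaticSigningKeyKid` carries a `pattern` or `minLength`, although the property just above shows this file's convention of constraining string values with a base64 `pattern`; an empty kid passes schema validation and is then stamped onto JWT headers as an empty `kid`. Add at least `"minLength": 1` to both. JSON Schema cannot express the "must identically match" rule the descriptions state, so if the match really is mandatory enforce it in the template (Helm's `required` or `fail`) rather than relying on the operator reading the description.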
12 changes: 6 additions & 6 deletions charts/gluu/values.yaml
@@ -1116,17 +1116,17 @@ global:
# -- Persistence backend to run Gluu with hybrid|sql.
cnPersistenceType: sql
# -- Open banking external signing jwks uri. Used in SSA Validation.
cnObExtSigningJwksUri: ""
# -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksUri: "https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks"
# -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksCrt: ""
# -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksKey: ""
# -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksKeyPassPhrase: ""
# -- Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G
cnObExtSigningAlias: ""
# -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G
cnObStaticSigningKeyKid: ""
# -- External Key ID (kid) stamped onto the header of outgoing JWTs. This tells receiving parties which public key to fetch from your JWKS URI to verify the signature.
cnObStaticSigningKeyKid: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
# -- Internal Java Keystore (JKS) alias used to locate the Open Banking private signing key. To ensure correct internal mapping, this string must identically match your "cnObStaticSigningKeyKid".
cnObInternalSigningAlias: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
# -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.
cnObTransportCrt: ""
# -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.
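Review bot: this hunk mirrors `openbanking-values.yaml` line for line, including the non-empty `cnObExtSigningJwksUri` default that enables the gated configmap block; whatever is decided there has to land here as well, otherwise the two values files drift. `values.yaml` is what a plain `helm install` uses with no override, so this file is where the placeholder URI and sample kid defaults do the most damage. The `# --` comments appear to feed the generated `README.md` (this PR touches it with the same 5/5 line count), so moving the examples from the value into the comment keeps them visible to readers without shipping them as live configuration.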
6 changes: 3 additions & 3 deletions demos/terraform-gluu-flex-eks-fargate/variables.tf
@@ -487,16 +487,16 @@ variable "ob_ext_signing_jwks_key_passphrase" {
description = "External signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set."
}

variable "ob_ext_signing_alias" {
variable "ob_internal_signing_alias" {
type = string
default = ""
description = "External signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G"
description = "Internal Java Keystore (JKS) alias used to locate the Open Banking private signing key. To ensure correct internal mapping, this string must identically match your "cnObStaticSigningKeyKid"."
}

variable "ob_static_signing_key_kid" {
type = string
default = ""
description = "Signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G"
description = "External Key ID (kid) stamped onto the header of outgoing JWTs. This tells receiving parties which public key to fetch from your JWKS URI to verify the signature"
}

variable "ob_transport_crt" {
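Review bot: the new `ob_internal_signing_alias` description contains unescaped double quotes (`match your "cnObStaticSigningKeyKid".`) inside a double-quoted HCL string, which does not parse; `terraform validate` on this directory would fail. Escape them as `\"cnObStaticSigningKeyKid\"` or use backticks, as the install docs in this PR do. The `ob_static_signing_key_kid` description is also missing its closing period, unlike the passphrase description in the context above.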
48 changes: 25 additions & 23 deletions docs/openbanking/install-cn.md
@@ -19,18 +19,18 @@ Use the listing below for a detailed estimation of the minimum required resource

### Install using Helm(production-ready)

- The below certificates and keys are needed to complete the installation.
- To complete this installation in a production environment, you must obtain official Open Banking certificates. This requires generating private keys locally and submitting a Certificate Signing Request (CSR) to your Open Banking Directory (e.g., OBIE) to receive the corresponding signed certificates. Self-signed certificates should only be used for testing. Ensure you have the following files ready:

| Certificate / key | Description |
|----------------------------------|-----------------------------------------------------------------------------------------|
|OB Issuing CA | Used in nginx as a certificate authority |
|OB Root CA | Used in nginx as a certificate authority |
|OB Signing CA | Used in nginx as a certificate authority |
|OB AS Transport key | Used for mTLS. This will also be added to the JVM |
|OB AS Transport crt | Used for mTLS. This will also be added to the JVM |
|OB AS signing crt | Added to the JVM. Used in SSA Validation |
|OB AS signing key | Added to the JVM. Used in SSA Validation |
|OB transport truststore | Used in SSA Validation. Generated from OB Root CA nd Issuing CA |
|OB AS Transport key `obtransport.key` | Used for mTLS. This will also be added to the JVM |
|OB AS Transport crt `obtransport.pem` | Used for mTLS. This will also be added to the JVM |
|OB AS signing crt `obsigning.pem` | Added to the JVM. Used in SSA Validation |
|OB AS signing key `obsigning.key` | Added to the JVM. Used in SSA Validation |
|OB transport truststore `ob-transport-truststore.p12` | Used in SSA Validation. Generated from OB Root CA and Issuing CA |

- Based on the provider/platform you're using, you can follow the [docs](../install/helm-install/README.md) to install your platform prerequistes, nginx-ingress, and the yaml changes needed in `override.yaml` based on the Gluu persistence choosed.
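Review bot: while file names are being added to this table, the three CA rows (`OB Issuing CA`, `OB Root CA`, `OB Signing CA`) are still left without them, even though the truststore row says it is generated from two of them and the later `keytool` step imports `transport-truststore.crt`; naming those files here would let a reader trace every file mentioned in the steps back to this table. The unchanged bullet directly below the table also has `prerequistes` and `choosed`, which could be fixed in the same pass.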

@@ -86,20 +86,18 @@ Use the listing below for a detailed estimation of the minimum required resource
kubectl get secret cn -n gluu --template={{.data.ssl_cert}} | base64 -d > server.crt
kubectl get secret cn -n gluu --template={{.data.ssl_key}} | base64 -d > server.key

kubectl create secret generic ca-secret -n gluu --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
kubectl create secret generic tls-ob-ca-certificates -n gluu --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
```

1. Inject OBIE signed certs, keys and uri:

1. When using OBIE signed certificates and keys, there are many objects that can be injected. The certificate signing pem file i.e `obsigning.pem`, the signing key i.e `obsigning-oajsdij8927123.key`, the certificate transport pem file i.e `obtransport.pem`, the transport key i.e `obtransport-sdfe4234234.key`, the transport truststore p12 i.e `ob-transport-truststore.p12`, and the jwks uri `https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks`.

1. base64 encrypt all `.pem` and `.key` files.
1. base64 encode all `.pem` and `.key` files.

```bash
cat obsigning.pem | base64 | tr -d '\n' > obsigningbase64.pem
cat obsigning-oajsdij8927123.key | base64 | tr -d '\n' > obsigningbase64.key
cat obsigning.key | base64 | tr -d '\n' > obsigningbase64.key
cat obtransport.pem | base64 | tr -d '\n' > obtransportbase64.pem
cat obtransport-sdfe4234234.key | base64 | tr -d '\n' > obtransportbase64.key
cat obtransport.key | base64 | tr -d '\n' > obtransportbase64.key
```
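Review bot: the renamed secret `tls-ob-ca-certificates` still holds `tls.key`, the server private key, next to `ca.crt`, so the name undersells its contents; anyone granted read access to it for "CA certificates" also gets the private key. Either keep the key in a separate secret or name this one for what it actually contains, and make sure every other reference to the old `ca-secret` name (ingress annotations, other pages) is updated in the same PR. The "encrypt" to "encode" correction is right: base64 provides no confidentiality, and the old wording invited readers to treat the encoded `.key` files as protected.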


@@ -110,30 +108,34 @@ Use the listing below for a detailed estimation of the minimum required resource
keytool -importcert -file transport-truststore.crt -keystore ob-transport-truststore.p12 -alias obkeystore
```

1. base64 encrypt the `ob-transport-truststore.p12`
1. base64 encode the `ob-transport-truststore.p12`

```bash
cat ob-transport-truststore.p12 | base64 | tr -d '\n' > obtransporttruststorebase64.pem
```


1. Add the kid as the alias for the JKS used for the OB AS external signing crt. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G. This kid value should exist inside the jwks uri endpoint.
1. Configure your Signing Key IDs: You must define both the external identifier for your signing key and its internal Java Keystore label. To ensure the system correctly maps the outgoing signature to the internal private key, these two values must be identical:

- `cnObStaticSigningKeyKid` (External ID): This is the unique Key ID (kid) provided by your Open Banking Directory (e.g., `XkwIzWy44xWSlcWnMiEc8iq9s2G`). Gluu stamps this ID onto the header of outgoing JWTs so receiving parties know which public key to fetch from your JWKS URI. This exact kid must exist at your published JWKS endpoint.

- `cnObInternalSigningAlias` (Internal Label): This is the internal label ("alias") used by the Authorization Server to locate your private key inside its local Java Keystore (.jks). Set this to match your kid value exactly(`cnObStaticSigningKeyKid`).

1. Add those values to `override.yaml`:
```yaml
global:
# -- Open banking external signing jwks uri. Used in SSA Validation.
cnObExtSigningJwksUri: "<JWKS URI>"
# -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksUri: "https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks"
# -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksCrt: <base64 string in obsigningbase64.pem>
# -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksKey: <base64 string in obsigningbase64.key>
# -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set.
cnObExtSigningJwksKeyPassPhrase: <base64 string passphrase of obsigningbase64.key>
# -- Open banking external signing AS Alias. This is a kid value. Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G
cnObExtSigningAlias: <Alias of the entry inside the keystore ob-ext-signing.jks>
# -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G
cnObStaticSigningKeyKid: <Alias of the entry inside the keystore ob-ext-signing.jks>
# -- External Key ID (kid) stamped onto the header of outgoing JWTs. This tells receiving parties which public key to fetch from your JWKS URI to verify the signature.
cnObStaticSigningKeyKid: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
# -- Internal Java Keystore (JKS) alias used to locate the Open Banking private signing key. To ensure correct internal mapping, this string must identically match your `cnObStaticSigningKeyKid`.
cnObInternalSigningAlias: "XkwIzWy44xWSlcWnMiEc8iq9s2G"
# -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64.
cnObTransportCrt: <base64 string in obtransportbase64.pem>
# -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64.
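Review bot: the yaml example now carries the sample kid `"XkwIzWy44xWSlcWnMiEc8iq9s2G"` and a sample JWKS URI as literal values, while the neighbouring keys keep `<base64 string in ...>` placeholders; a reader copying this block into `override.yaml` ends up with a kid that is not at their JWKS endpoint. Use placeholders such as `"<kid from your OB Directory>"` for both keys and leave the literal sample in the prose bullet above, where it is already explained. The removed lines also named the keystore (`ob-ext-signing.jks`); the new text says only "local Java Keystore (.jks)", so the reader no longer learns which keystore file the alias has to exist in. Minor: `exactly(`cnObStaticSigningKeyKid`)` needs a space before the parenthesis.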
@@ -178,7 +180,7 @@ After running the script, you can go ahead and [test the setup](#testing-the-set
After successful installation, you can access and test the Gluu Open Banking Platform using either [curl](https://docs.gluu.org/head/openbanking/curl/) or [Jans-CLI](https://docs.gluu.org/head/openbanking/jans-cli/).


## Changing the signing key kid for the AS dynamically
## Changing the signing key kid for the AS dynamically


1. Get a client id and its associated password. We will use the jans-config-api client id and secret
@@ -234,8 +236,8 @@ After successful installation, you can access and test the Gluu Open Banking Pla
name: custom-scopes
volumeMounts:
- name: custom-scopes
mountPath: "/app/templates/scopes.ob.ldif"
subPath: scopes.ob.ldif
mountPath: "/app/templates/scopes.ob.ldif"
subPath: scopes.ob.ldif
```

