Back-end components
- Erik Larsen
The COI (I) backend architecture is expanded in the following figure, also showing distributed components in terms of Client-components (M, B, C, D, E) in the User-Agent, Client proxy (L) and BankID Server (H). The two latter components are further described in section 8.
CSFE-JS (I.1) Central Server Front End – Java Script is a new BankID Web-client specific component playing a similar role of the CSFE for the legacy BankID Clients. The CSFE-JS terminates SSL and acts as a front-end for all requests from all BankID Web-client front-end components (Helper, Bootloader, Client), including the initial request from the merchant web page to retrieve the Helper. Requests that cannot be served directly by CSFE-JS are proxied either to Session Data Manager (I.3), Validator (I.5) or CS (I.4). CSFE-JS is also responsible for serving the pre-check component (M) that enables merchants to verify if the User-Agent supports the minimum requirements for the Web-client.
SDM-P - Session Data Manager Proxy (I.2) is a new BankID Web-client specific component acting as a SSL-terminator and proxy only. All requests are passed on to the Session Data Manager (I.3).
SDM - Session Data Manager (I.3) is a new BankID Web-client specific component at the heart of BankID Web-client session handling. One of its roles is similar to the legacy Tag-Server (not shown) by serving incoming request from BankID Server via SDM-P. Subsequently the SDM maintains the state of all pending sessions by matching requests from front-end components (Helper, Bootloader, Client) via CSFE-JS with the appropriate session object. The SDM plays a key role in securing the BankID Web-client startup phase, including the Bootloading stage
CS-JS – Central Signer JavaScript (I.4) and Validator-JS (I.5) are parallel to the existing CS and Validator components for the legacy BankID clients. These components are modified to support the Web-client specific protocol features (10) between COI and the Client. This includes support for obfuscated and randomized protocol parameters.
BankID ServiceHost (I.6) is an existing component that is extended to support the BankID Web-client specific feature for broadcast messages.
Fraud detection (I.7); There is no need to change the underlying architecture of the existing fraud detection engine. However, an additional fraud detection plugin will be developed to handle keyboard biometrics. Some existing plugins will be modified to handle useragentDNA (replacing HWDNA) and also internal and external pageDNA. Implementation of external pageDNA requires close collaboration with merchant banks to ensure that it does not conflict with any similar feature implemented directly in the Merchant Application. The details for new and/or modified fraud detection plugins are beyond the scope of this document. As a consequence of new and/or modified source data for fraud detection, new alarm configurations are implemented for the BankID Web-client.
SEFE and Validator-JS implements the new asynchronous protocol for HA2 Issuers. Validator-JS implements support for validating security elements via a HA2 Issuer in addition to the synchronous OTP protocol. Validator-JS is responsible for initializing the requests and SEFE implements the call-back feature where the HA2 Issuer will reply the response.