Skip to main content
This page describes the prerequisites and configuration steps you need to integrate the connector.

Prerequisites

Before you begin, ensure you have the following credentials and connectivity in place:
  • Tietoevry access: An active account in the Tietoevry environment.
  • Network connectivity: Confirmed routing between Tietoevry and the Grand Central (GC) iPaaS.
  • Device Administration Connector and the Card Authorization Connector require a secret file containing the Tietoevry private key shared by Tietoevry. This private key is mandatory for authenticating and invoking the Tietoevry APIs.
  • Namespace: gc-tietoevry to deploy connectors.
  • Environment details: The following environment variables are needed from Tietoevry to configure the connector:
KeyDescription
X-EVRY-ORIGINSpecifies the source platform of the request (for example, Mobile or Web).
X-EVRY-USERORGIDDefines the institution that the user (X-EVRY-USERID) belongs to. Typically used in combination with X-EVRY-DATAOWNERORGID to manage access control to institution data.
X-EVRY-CLIENT-CLIENTNAMEIdentifies the source sending the request. Used to separate different service consumers. The name should identify the institution and consumer application.
X-EVRY-DATAOWNERORGIDIdentifies the organization that owns the requested data. Used to ensure that the authenticated institution has access to the requested institution’s data. Financial institution registered in the banking infrastructure.
Private KeyTietoevry private key used for generating signature and digest.
The logic for generating signature and digest is pre-configured in the Tietoevry SDK. See GenerateDigestAndSignatureProcessor.java.

Configuration guide

Follow these steps to initialize and authorize your Tietoevry connector. 1. Establish connectivity Share the following details with the Grand Central team to establish secure connectivity between Grand Central and Tietoevry:
  • Environment details: The baseUrl and IP address of the Tietoevry application.
2. Configure the environment Define your environment variables in the gc-applications-live repository within the device-administration-v2.values.yaml file. Configure the following parameters:
  • device-administration-v2.values.yaml and card-authorization-v1.values.yaml
    KeyDescription
    tietoevry.baseUrlBase URL of Tietoevry.
    tietoevry.client.clientnameIdentifies the source sending the request. Used to separate different service consumers. The name should identify the institution and consumer application.
    tietoevry.dataownerorgidData owner InstId. Identifies the organization that owns the requested data. Used to ensure that the authenticated institution has access to the requested institution’s data. Financial institution registered in the banking infrastructure.
    tietoevry.client.ismobileIndicates whether the request is coming from the mobile channel. Values: true or false.
    tietoevry.originOrigin. Used to distinguish request origins from Open Banking (third parties), Open Banking under PSD2 (third parties), and the bank’s internal use.
    tietoevry.userorgidUser OrgId. Defines the institution that the user (X-EVRY-USERID) belongs to. Typically used in combination with X-EVRY-DATAOWNERORGID to manage access control to institution data.
    tietoevry.channelUsed to differentiate business logic based on which channel was the origin of the request.
    tietoevry.user.ipaddressClient IP address or DNS address from the device sending the request. Used to separate requests from different devices.
    signature.algorithmAlgorithm used for generating the signature. Default: rsa-sha256.
  • card-ecommerce-gateway-webhooks-v1.values.yaml
    KeyDescription
    ebp.baseUrlBase URL of the EBP.
    ebp.challenge.endpointRelative path of the authentication challenge endpoint. This endpoint initiates the authentication flow and generates a challenge for the user or client.
    ebp.completion.endpointRelative path of the authentication completion endpoint. This endpoint completes or validates the authentication challenge and finalizes the authentication process.
The following is a sample configuration: 
# Sample for device-administration-v2 yaml tietoevry environment configuration
connector:
  existingSecretName: tietoevry-secret
  properties:
    tietoevry.baseUrl: "https://api.tst.wb.gcservices.io"
    tietoevry.client.clientname: "weatherbys-backbase-s2s-client"
    tietoevry.dataownerorgid: "44609303"
    tietoevry.client.ismobile: "true"
    tietoevry.origin: "Mobile"
    tietoevry.userorgid: "44609303"
    tietoevry.channel: "MOB"
    tietoevry.user.ipaddress: "10.200.0.20"
    api.cardSearch.pageSize: "10"

    tietoevry.sourceApplication: "weatherbys-backbase-s2s-client"
    tietoevry.destinationApplication: "CAS"
    tietoevry.CardBlockfunction: "DCSSCardBlock_V3_0"
    tietoevry.cardActivateFunction: "DCSSCardUpdate_V3_0"
    tietoevry.version: "3.0.0"
    tietoevry.soapchannel: "NBA"
    tietoevry.locale: "en_GB"
    tietoevry.selfService: "true"
    tietoevry.pcimask: "true"
    tietoevry.orgunit: "44609303"
    tietoevry.orgid: "44609303"
    tietoevry.instId: "44609303"

    tietoevry.timestamp.zoneid: "+01:00"
    tietoevry.timestamp.pattern: "yyyy-MM-dd'T'HH:mm:ss.SSSZ"
    tieto.blockCard: "secesb-epa/soap/DCSSCardBlock_V3_0Service"
    tieto.activateCard: "secesb-epa/soap/DCSSCardUpdate_V3_0Service"
    cxf.loggingFeatureEnabled: "false"

    signature.algorithm: "rsa-sha256"

# Sample for card-authorization-v1.values.yaml tietoevry environment configuration
connector:
  existingSecretName: tietoevry-secret
  properties:
    tietoevry.baseUrl: "https://api.tst.wb.gcservices.io"
    tietoevry.client.clientname: "weatherbys-backbase-s2s-client"
    tietoevry.dataownerorgid: "44609303"
    tietoevry.client.ismobile: "true"
    tietoevry.origin: "Mobile"
    tietoevry.userorgid: "44609303"
    tietoevry.channel: "MOB"
    tietoevry.user.ipaddress: "10.200.0.20"
    signature.algorithm: "rsa-sha256"
 
#Sample for card-ecommerce-gateway-webhooks-v1.values.yaml tietoevry environment configuration
 connector:
  properties:
    ebp.baseUrl: "http://wiremock-tietoevry-cards.gc-tietoevry.svc.cluster.local:9021"
    ebp.challenge.endpoint: "/authentication/challenge"
    ebp.completion.endpoint: "/authentication/completion"
Place the configuration file in the following path: 
# Sample path for placing the {domain-name}.values.yaml
├── iPaaS
└── azure/runtimes
    ├── dev
    └── test
        └── values
            ├── gc-tietoevry
              └── device-administration-v2.values.yaml
              └── card-authorization-v1.values.yaml
              └── card-ecommerce-gateway-webhooks-v1.values.yaml
For 3DS Secure integration (card-ecommerce-gateway-webhooks-v1.values.yaml), configure the following:
  • Inbound configuration (Tietoevry to Grand Central):
  • Outbound configuration (Grand Central to EBP):

Test your integration

To access the Cards Unified API, include your Grand Central subscription key in the request header. If you don’t have a key, contact the Grand Central Support Team to have one provisioned.
KeyValue
api-key<your_subscription_key>
Test the API using the Device Administration V2 Postman Collection.

Troubleshooting

If your connector isn’t responding as expected, review the following common scenarios.
Cause: The Grand Central (GC) gateway cannot establish a handshake with the Tietoevry Cardbase endpoint. This typically indicates an upstream service outage at Tietoevry or a network routing failure.Solution: Verify the operational status of the Tietoevry Cardbase environment with Tietoevry. If the service is operational, contact the GC Support team.
Cause: The Grand Central (GC) gateway cannot establish a handshake with the Tietoevry Cardbase endpoint. This typically indicates an upstream service outage at Tietoevry or a network routing failure.Solution: Verify the operational status of the Tietoevry Cardbase environment with Tietoevry. If the service is operational, contact the GC Support team.

Cause

Request authentication failed due to an invalid or mismatched HTTP signature or digest. This can occur if one or more of the following conditions are met:
  • The RSA signature does not match the signed headers or request payload.
  • The digest value was calculated on a request body that differs (even by whitespace or encoding) from the body sent to Tietoevry.
  • One or more mandatory X-EVRY-* headers are missing, incorrectly populated, or not included in the signature.
  • The keyId used in the Signature header does not match the public key registered with Tietoevry.
  • The (request-target) or (created) values used during signature generation do not align with the actual request.
  • Clock skew between client and Tietoevry systems causes the created timestamp to fall outside the accepted window.

Solution

  • Regenerate the HTTP signature, ensuring that:
    • All required headers (X-EVRY-*, (request-target), (created), and digest) are included and signed in the correct order.
    • The digest is computed using the exact request body bytes sent over the wire (no formatting or whitespace differences).
    • The keyId corresponds to the RSA key pair registered with Tietoevry.
  • Verify that the request body encoding is UTF-8 and that the Content-Type header is correctly set.
  • Ensure system clocks are synchronized to avoid timestamp validation issues.
  • If the issue persists, verify the encryption and signing logic with Tietoevry. Tietoevry will provide or validate the expected signature and digest generation logic as part of the integration support process.
Cause: The number of incoming requests has exceeded the defined threshold for your subscription tier. This 429 Too Many Requests response is a protective measure to ensure the stability of the Grand Central and core banking infrastructure.Solution: Review your application’s request patterns to identify unexpected spikes. If your business requirements have evolved and you require higher throughput, contact the Grand Central team to request an adjustment to your APIM rate limit policy.

Need help?

Contact Support

Reach out to the Grand Central team for assistance with environment setup or rate limit increases.