15.2. The EBICS Bank Transport

An EBICS bank transport in LibEuFin conceptually corresponds to the “EBICS Subscriber” in EBICS terminology.

15.2.1. Bank Transport Setup

The following steps are required to set up an EBICS bank transport:

  1. The bank must set up the EBICS access for the user. The bank will notify the user of the following parameters:
    • the URL of the EBICS server used by the bank
    • the HostID of the bank within the EBICS server (sometimes one EBICS server hosts multiple banks)
    • the PartnerID (typically identifies the owner of the bank account within the banking system)
    • the UserID (typically identifies the person that accesses the bank account, can be different from the owner)
    • the SystemID (optional and rarely used, basically a “sub-identity” of a subscriber when multiple technical systems have access to the account via EBICS)
  2. The user enters the information from the list above in the setup dialog in the LibEuFin nexus (UI/CLI).
  3. The LibEuFin nexus generates cryptographic key material (3 RSA key pairs).
  4. The nexus sends the public keys electronically to the bank’s EBICS server, together with the information identifying the subscriber (PartnerID, UserID, SystemID).
  5. The user prints a document that contains the public key and hashes for all three key pairs. The user then signs this document and sends it to the bank (physically/scanned).
  6. The bank receives the letter and verifies that the keys from the letter correspond to the electronically sent keys. If they match, the bank sets the state of the subscriber to “ready”.
  7. The user now has to wait until the bank has set the EBICS subscriber state to “ready”. There is no in-band notification for this, but the nexus can try downloading the bank’s cryptographic parameters. This will only succeed once the EBICS subscriber is set to “ready” by the bank.
  8. The user should confirm the public keys of the bank received in the previous step. Typically the bank gives the value of these public keys in an out-of-band channel.
  9. Now the user can finally use the EBICS bank transport. The first step after finishing the setup should be to import the bank accounts accessible for this EBICS subscriber.
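
The key confirmation in step 8 (and the bank's own comparison in step 6) comes down to matching a key hash against a value obtained out of band. The sketch below is an added example, not LibEuFin code. It assumes the SHA-256 key hash format of the EBICS specification, which this page does not state: lowercase hex exponent, a space, lowercase hex modulus, no leading zeros. The key names, helper functions and moduli are constructed for illustration.

```python
import hashlib
import hmac

def ebics_key_hash(exponent: int, modulus: int) -> str:
    # Assumed EBICS fingerprint format (not stated on this page): SHA-256 over
    # "<exponent> <modulus>", both lowercase hex without leading zeros.
    return hashlib.sha256(f"{exponent:x} {modulus:x}".encode("ascii")).hexdigest()

def normalize_printed_hash(printed: str) -> str:
    # Letters typically print the hash as spaced upper-case hex groups.
    cleaned = "".join(printed.replace(":", " ").split()).lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a 256-bit hash in hex")
    return cleaned

def confirm_keys(received: dict, out_of_band: dict) -> dict:
    # received: {name: (exponent, modulus)}, out_of_band: {name: printed hash}.
    # A key with no usable out-of-band value is reported as unconfirmed.
    verdict = {}
    for name, (exponent, modulus) in received.items():
        try:
            expected = normalize_printed_hash(out_of_band[name])
        except (KeyError, ValueError):
            verdict[name] = False
            continue
        verdict[name] = hmac.compare_digest(ebics_key_hash(exponent, modulus), expected)
    return verdict

def _constructed_modulus(label: bytes) -> int:
    # Constructed 2048-bit stand-in value, not a real RSA modulus.
    return int.from_bytes(hashlib.sha256(label).digest() * 8, "big") | (1 << 2047) | 1

def demo() -> dict:
    auth = (65537, _constructed_modulus(b"bank authentication key"))
    enc = (65537, _constructed_modulus(b"bank encryption key"))
    swapped = (65537, _constructed_modulus(b"key substituted in transit"))
    def printed(key):  # format a hash the way a letter might show it
        h = ebics_key_hash(*key).upper()
        return " ".join(h[i:i + 2] for i in range(0, 64, 2))
    letter = {"authentication": printed(auth), "encryption": printed(enc)}
    # The download delivered the right authentication key but a different encryption key.
    return confirm_keys({"authentication": auth, "encryption": swapped}, letter)

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'confirmed' if ok else 'MISMATCH, do not accept'}")
```

A single mismatching or missing hash should block the setup, since a key accepted without confirmation could have been substituted between the bank and the nexus.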

Alternative ways of setting up the EBICS bank transport are:

  • Importing from a backup. The backup contains metadata (EBICS URL, HostID, UserID, …) and the three passphrase-protected subscriber keys.
  • Certificate-based setup (currently not supported by LibEuFin, only used in France)