Table of Contents
The LibEuFin Nexus is a Web service that provides a JSON abstraction layer to access bank accounts. It does not itself offer banking services, but is a translator between JSON requests and other banking protocols (such as EBICS), that are offered by banks.
This document explains how to set up Nexus to access a bank account via the EBICS protocol.
In order to follow all the steps below, the reader should either have access to a bank account with EBICS support or follow the steps in “Setting up the Sandbox”.
LibEuFin does not yet ship with any systemd unit files.
There is an open bug report for this issue.
To install the GNU Taler Debian packages, first ensure that you have
the right Debian distribution. At this time, the packages are built for
Sid, which means you should use a system which at least includes
unstable packages in its source list. We recommend using APT pinning
to limit unstable packages to those explicitly requested. To do this,
/etc/apt/preferences as follows:
Package: * Pin: release a=stable Pin-Priority: 700 Package: * Pin: release a=testing Pin-Priority: 650 Package: * Pin: release a=unstable Pin-Priority: 600 Package: * Pin: release l=Debian-Security Pin-Priority: 1000
/etc/apt/sources.list file for this setup
would look like this:
deb http://ftp.ch.debian.org/debian/ buster main deb http://security.debian.org/debian-security buster/updates main deb http://ftp.ch.debian.org/debian/ testing main deb http://ftp.ch.debian.org/debian/ unstable main deb https://deb.taler.net/apt/debian sid main
The last line is crucial, as it adds the GNU Taler packages.
Next, you must import the Taler Systems SA public package signing key into your keyring and update the package lists:
# wget -O - https://taler.net/static/taler-systems.gpg.key | apt-key add - # apt update
You may want to verify the correctness of the Taler Systems key out-of-band.
Now your system is ready to install the official GNU Taler binary packages using apt.
To install LibEuFin, you can now simply run:
# apt install libeufin
LibEuFin has the following run-time dependencies:
pip3 install click)
pip3 install requests)
These dependencies only need to be installed manually when building from source or using the prebuilt binaries.
Pre-built packages can be obtained from the taler.net website.
libeufin-$version.zip file to
your desired location (typically
~/opt) and make sure that your
variable contains the
bin/ directory of the unpacked archive.
Nexus belongs to the LibEuFin project, and can be downloaded via Git:
$ git clone git://git.taler.net/libeufin
Note that Kotlin+Gradle should already work on the host system.
Navigate into the libeufin local repository, and from top-level run:
$ ./bootstrap $ ./configure --prefix=$PREFIX $ make install
If you don’t have access to a real bank account with an EBICS API, you can set up the sandbox. The sandbox is a simplistic and incomplete implementation of a core banking system with EBICS access to bank accounts.
For the following commands, the sandbox service must be running. The sandbox service is started with the following command:
$ libeufin-sandbox serve --port 5000
To reset the state of the sandbox, delete the database. By default,
the database is a SQLite3 file in
For invocations of the LibEuFin command line interface tool (
the following environment variable must be set to the URL of the sandbox
Verify that the sandbox is running:
$ libeufin-cli sandbox check
Now an EBICS host can be created:
$ libeufin-cli sandbox ebicshost create --host-id testhost
Note that most
libeufin-cli subcommands will ask for input interactively if
the respective value is not specified as a command line option.
Next, create an EBICS subscriber (identified by the partner ID and user ID) for the host:
$ libeufin-cli sandbox ebicssubscriber create \ --host-id testhost --partner-id partner01 --user-id user01
Create a bank account for the subscriber and add a sample transaction:
$ libeufin-cli sandbox ebicsbankaccount create \ --currency EUR \ --iban DE18500105172929531888 \ --bic INGDDEFFXXX \ --person-name "Jane Normal" \ --account-name "testacct01" \ --ebics-host-id testhost \ --ebics-user-id user01 \ --ebics-partner-id partner01
The account name “testacct01” is the unique identifier of the account within the sandbox. The EBICS parameters identify the subscriber that should have access to the bank account via EBICS.
To populate the account with some test transactions, run the following command (note that we use the bankaccount subcommand, because there is no need to rely on EBICS):
$ libeufin-cli sandbox bankaccount generate-transactions testacct01
Payments to a sandbox bank account can be listed as follows:
$ libeufin-cli sandbox bankaccount transactions testacct01
The sandbox is intended as a testing tool and thus not stable.
For more information on the available commands, use the built-in
The full functionality of the sandbox is available via the API. (FIXME(TTN): specify which API)
Use the following command to run the nexus service:
$ libeufin-nexus serve --port 5001
By default, the SQLite3 database
/tmp/libeufin-nexus.sqlite3 will be used.
The database can be specified as a JDBC connection URI with the
--db-conn-string=$DBCONN option. Only SQLite and PostgreSQL (only via
TCP) are supported right now.
For production-grade deployments of LibEuFin, we do not recommend specifying the secret database credentials via command line arguments, as can will expose those credentials to other users.
Instead, the DB connection string should be specified in an environment variable
(which can be set in the systemd unit via an
once LibEuFin supports this (see the corresponding
bug tracker entry).
$ libeufin-nexus serve --db-conn-string=jdbc:postgresql://127.0.0.1:5433/libeufindb?user=foo&password=secret
At this point a superuser account needs to be created:
$ libeufin-nexus superuser --db-conn-string=jdbc:postgresql://127.0.0.1:5433/libeufindb?user=foo&password=secret foo # Will interactively ask for password
For simplicity, a superuser can as well act as a normal user, but an API to create less privileged users is offered.
User and permissions management in LibEuFin is still under development. In particular, permissions for non-superusers are very limited at the moment.
The command line interface needs the following three values
to be defined in the environment:
LIBEUFIN_NEXUS_PASSWORD. In this example,
LIBEUFIN_NEXUS_USERNAME should be
LIBEUFIN_NEXUS_PASSWORD to the value given for its password
in step (2).
Next, we create a EBICS bank connection that nexus can use to communicate with the bank.
For the sandbox setup in this guide, the EBICS base URL
$ libeufin-cli \ connections \ new-ebics-connection \ --ebics-url $EBICS_BASE_URL \ --host-id $EBICS_HOST_ID \ --partner-id $EBICS_PARTNER_ID \ --ebics-user-id $EBICS_USER_ID \ $CONNECTION_NAME
If the step above executed correctly, Nexus created all the cryptographic material that is needed on the client side; in this EBICS example, it created the signature and identification keys. It is therefore advisable to (4) make a backup copy of such keys.
$ libeufin-cli \ connections \ export-backup \ --passphrase $SECRET \ --output-file $BACKUP_FILE \ $CONNECTION_NAME
At this point, Nexus needs to both communicate its keys to the bank, and download the bank’s. This syncronization happens through the INI, HIA, and finally HPB message types.
After the electronic synchronization, the subscriber must confirm their keys by sending a physical mail to the bank. The following command helps generating such letter:
$ libeufin-cli connections get-key-letter $CONNECTION_NAME out.pdf
When using the LibEuFin sandbox, subscribers are automatically activated after keys are received electronically.
$ libeufin-cli \ connections \ sync \ $CONNECTION_NAME
Once the connection is synchronized, Nexus needs to import locally the data
corresponding to the bank accounts offered by the bank connection just made.
The command below downloads the list of the bank accounts offered by
$ libeufin-cli \ connections \ download-bank-accounts \ $CONNECTION_NAME
It is now possible to list the accounts offered by the connection.
$ libeufin-cli \ connections \ list-offered-bank-accounts \ $CONNECTION_NAME
Nexus now needs an explicit import of the accounts it should manage. This step is needed to let the user pick a custom name for such accounts.
$ libeufin-cli connections \ import-bank-account \ --offered-account-id testacct01 \ --nexus-bank-account-id $LOCAL_ACCOUNT_NAME \ $CONNECTION_NAME
Once a Nexus user imported a bank account (
under a certain connection (
$CONNECTION_NAME), it is possible
to accomplish the usual operations for any bank account: asking for the
list of transactions, and making a payment.
The LibEuFin nexus keeps a local copy of the bank account’s transaction history. Before querying transactions locally, it is necessary to request transactions for the bank account via the bank connection.
This command asks Nexus to download the latest transaction reports/statements through the bank connection:
$ libeufin-cli accounts fetch-transactions $LOCAL_ACCOUNT_NAME
By default, the latest available transactions are fetched. It is also possible to specify a custom date range (or even all available transactions) and the type of transactions to fetch (inter-day statements or intra-day reports).
Once Nexus stored all the information in the database, the client can ask to actually see the transactions:
$ libeufin-cli accounts transactions $LOCAL_ACCOUNT_NAME
Payments pass through two phases: preparation and submission. The preparation phase assigns the payment initiation a unique ID, which prevents accidental double submissions of payments in case of network failures or other disruptions.
The following command prepares a payment:
$ libeufin-cli accounts prepare-payment \ --creditor-iban $IBAN_TO_SEND_MONEY_TO \ --creditor-bic $BIC_TO_SEND_MONEY_TO \ --creditor-name $CREDITOR_NAME \ --payment-amount $AMOUNT \ --payment-subject $SUBJECT \ $LOCAL_ACCOUNT_NAME
$AMOUNT value needs the format
X.Y:CURRENCY; for example
The previous command should return a value (
$UUID) that uniquely
identifies the prepared payment in the Nexus system. That is needed
in the next step, to send the payment instructions to the bank:
$ libeufin-cli accounts submit-payment \ --payment-uuid $UUID \ $LOCAL_ACCOUNT_NAME
With an EBICS bank connection, the LibEuFin nexus needs to regularly query for new transactions and (re-)submit prepared payments.
It is possible to schedule these tasks via an external task scheduler such as cron. However, the nexus also has an internal task scheduling mechanism for accounts.
The following three commands create a schedule for submitting payments hourly, fetching transactions (intra-day reports) every 5 minutes, and (inter-day statements) once at 11pm every day :
$ libeufin-cli accounts task-schedule myacct \ --task-type="submit" --task-name='submit-payments-hourly' --task-cronspec='0 0 *' $ libeufin-cli accounts task-schedule myacct \ --task-type="fetch" \ --task-name='fetch-5min' \ --task-cronspec='0 */5 *' \ --task-param-level=report \ --task-param-range-type=latest $ libeufin-cli accounts task-schedule myacct \ --task-type="fetch" \ --task-name='fetch-daily' \ --task-cronspec='0 0 23' \ --task-param-level=statement \ --task-param-range-type=latest
The cronspec has the following format, which is slightly non-standard due to
SECONDS MINUTES HOURS DAY-OF-MONTH[optional] MONTH[optional] DAY-OF-WEEK[optional]
The following command restores all the details associated with one bank connection subscription. For EBICS, this means that the INI and HIA secret keys will be restored for the requesting user.
$ libeufin-cli connection \ restore-backup --passphrase $SECRET \ --backup-file $BACKUP_FILE \ $CONNECTION_NAME
Facades are additional abstraction layers that can serve specific purposes. For example, one application might need a filtered version of the transaction history, or it might want to refuse payments that do not conform to certain rules.
At this moment, only the Taler facade type is implemented in the Nexus, and the command below instantiates one under a existing bank account / connection pair.
$ libeufin-cli facades new-facade \ --facade-name $FACADE_NAME \ $CONNECTION_NAME \ $LOCAL_ACCOUNT_NAME
At this point, the additional taler-wire-gateway (FIXME: link here to API here) API becomes offered by the Nexus. The purpose is to let a Taler exchange to rely on Nexus to manage its bank account.
This guide has so far assumed that a superuser is accessing the LibEuFin Nexus. However, it is advisable that the Nexus is accessed with users that only have a minimal set of permissions.
The Nexus currently only has support for giving non-superusers access to Taler wire gateway facades.
To create a new user, use the
users subcommand of the CLI:
$ libeufin-cli users list # [ ... shows available users ... ] $ libeufin-cli users create $USERNAME # [ ... will prompt for password ... ]
Permissions are managed with the
The following commands grant permissions to view the transaction history
and create payment initiations with a Taler wire gateway facade:
$ libeufin-cli permissions grant \ user $USERNAME \ facade $FACADENAME \ facade.talerWireGateway.history $ libeufin-cli permissions grant \ user $USERNAME \ facade $FACADENAME \ facade.talerWireGateway.transfer
The list of all granted permissions can be reviewed:
$ libeufin-cli permissions list