Test your MATLS setup

Last updated Nov 2, 2020

This article describes how you can test your MATLS setup using ForgeRock ASPSP.


If you have been through the Security Profile chapter of the Open Banking standard, you will have noticed that the ASPSP-RS is protected by MATLS. This means that the ASPSP-RS will:

  • check that your client certificate is issued by Open Banking.
  • extract the software ID from the certificate and verify that you are an onboarded TPP.

If you don't pass these checks, you will receive an HTTP 403 error when consuming the RS endpoints.

To help you establish the current status of your MATLS setup, ForgeRock has implemented a basic endpoint, which authenticates you using MATLS. This article describes how to use this endpoint to debug your TPP instance.

Using this endpoint

This endpoint has been designed to be simple to use so that you can focus on setting up your SSL configuration.

You just need to make the following call:

GET /open-banking/mtlsTest HTTP/1.1
Host:

You should then see a response that corresponds to one of these meanings:

If you don't receive one of the expected responses, please check your SSL configuration. If you are using Java®, you can use the following option to debug your application:

Client certificate is not received

The following response means your client certificate has not been received:

{
  "issuerId": "No-Cert",
  "authorities": [
    { "authority": "ANONYMOUS" }
  ]
}

You should ensure you are sending your client certificate.

Client certificate is not signed by Open Banking

The following response means you have misconfigured your application and it is not yet using the Open Banking transport certificate:

{
  "issuerId": "Unknown-Cert: ',, O=ForgeRock, L=Bristol, ST=Avon, C=UK'",
  "authorities": [
    { "authority": "UNKNOWN_CERTIFICATE" }
  ]
}

You should verify which certificate has been used as the client certificate and ensure you are using the correct one. This response also shows the certificate subject being received, which can help you identify the certificate you are actually sending to the ASPSP-RS.


If you are using Postman, it is very easy to misconfigure it. Postman also has quite a few bugs around client certificates, such as caching them even when you have deleted the certificate configuration. You should use the Postman console to debug these Postman issues.

Client certificate is signed by Open Banking but you are not yet onboarded

The following response means the ASPSP-RS doesn't know you yet; it just knows that you have enrolled with the Open Banking directory and you have a valid certificate. This can happen if you have just started your application with the transport certificate given by the Open Banking directory:

{
  "issuerId": "8f5bb6fa-96b0-46a3-ac9e-36c611036326",
  "authorities": [
    { "authority": "OB_CERTIFICATE" }
  ]
}

You should complete your onboarding with ForgeRock ASPSP as described in Register your TPP with ForgeRock ASPSP.

Client certificate is signed by Open Banking and you are onboarded

Congratulations! You are now ready to go. You have set up your TPP to use the transport certificate and you have successfully onboarded with ForgeRock ASPSP.

The exact response will depend on what type of TPP you are as the ASPSP RS will return the authorities associated with your TPP. For example, if the TPP is allowed to use the PISP and AISP endpoints, you will see the following response:

{
  "issuerId": "8f5bb6fa-96b0-46a3-ac9e-36c611036326",
  "authorities": [
    { "authority": "AISP" },
    { "authority": "OB_CERTIFICATE" },
    { "authority": "PISP" }
  ]
}
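The four responses above can be told apart programmatically. The following Python sketch is an added example, not ForgeRock code: it calls the test endpoint with a client certificate and maps the reply to one of the four states. The state names, function names and the host, certificate and key arguments are assumptions chosen for illustration.

```python
import http.client
import json
import ssl

# Authorities that describe the certificate check; anything else is a TPP role.
MARKERS = {"ANONYMOUS", "UNKNOWN_CERTIFICATE", "OB_CERTIFICATE"}


def classify(body: str) -> dict:
    """Map an /open-banking/mtlsTest response body to one of the four states."""
    data = json.loads(body)
    issuer = data.get("issuerId", "")
    auths = {a.get("authority") for a in data.get("authorities", [])}
    roles = sorted(auths - MARKERS)
    if "ANONYMOUS" in auths or issuer == "No-Cert":
        return {"state": "no_certificate", "roles": [],
                "detail": "client certificate not received"}
    if "UNKNOWN_CERTIFICATE" in auths:
        # issuerId carries the subject of the certificate actually presented.
        subject = issuer.partition(":")[2].strip().strip("'")
        return {"state": "not_open_banking", "roles": [], "detail": subject}
    if "OB_CERTIFICATE" in auths and not roles:
        return {"state": "not_onboarded", "roles": [], "detail": issuer}
    if "OB_CERTIFICATE" in auths:
        return {"state": "onboarded", "roles": roles, "detail": issuer}
    return {"state": "unexpected", "roles": roles, "detail": issuer}


def fetch(host: str, cert_file: str, key_file: str) -> dict:
    """Call the test endpoint over mutual TLS and classify the reply."""
    ctx = ssl.create_default_context()        # verifies the server certificate
    ctx.load_cert_chain(cert_file, key_file)  # transport certificate and key
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    try:
        conn.request("GET", "/open-banking/mtlsTest")
        return classify(conn.getresponse().read().decode("utf-8"))
    finally:
        conn.close()


# Sample input: the "not yet onboarded" body shown in this article.
SAMPLE = ('{"issuerId": "8f5bb6fa-96b0-46a3-ac9e-36c611036326", '
          '"authorities": [{"authority": "OB_CERTIFICATE"}]}')

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The `not_open_banking` result returns the certificate subject echoed by the server, which is the quickest way to see which certificate your client actually presented.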

Copyright © 2020 ForgeRock, all rights reserved.