
Set up your issuer switch instance

This page explains the overall process for an issuer bank to set up an instance of the issuer switch.

Before you begin

  • Select a Google Cloud project in your organization that you will use to set up the issuer switch. See Creating and managing projects.
  • Set up the bank adapter and the egress to NPCI in your project and create the required service attachments. Note the service attachment identifiers. See Publish managed services using Private Service Connect.
  • Create the required keys using Cloud KMS:
    • A symmetric key for customer-managed encryption keys (CMEK).
    • An asymmetric encryption key for encrypting M-PIN credentials.
    • An asymmetric signing key for signing the XML payload.
    • An asymmetric signing key for signing the mandate XML.
    See Create key rings and keys.
  • Retrieve the public key used for the encryption of M-PIN credentials.
  • Get the certificates for the keys created for signing the XML payload and for signing the mandate XML.

To set up the issuer switch, the bank and Google must work together to complete the following process:

  1. Create the following Cloud Storage buckets in your Google Cloud project. See Create storage buckets.

    • A storage bucket for holding exported data from the issuer switch.
    • A storage bucket for holding the certificates and public key associated with the keys that you created in an earlier step.
  2. Upload the certificates and the public key into the storage bucket that you created for this purpose. See Upload objects.

  3. Share the following information with Google:

    • The project number of your Google Cloud project: an automatically generated unique identifier for your project. You can find the project number in the Google Cloud console after you select your project.
    • The project ID of your Google Cloud project: a globally unique identifier for your project. You can use an automatically generated project ID or specify a project ID when you create a project. You can find the project ID in the Google Cloud console after you select your project.
    • The identifier of the CMEK key. The CMEK key identifier is similar to the following example:

      projects/PROJECT_ID/locations/asia-south1/keyRings/cmek-key-ring-1/cryptoKeys/cmek-key-1/cryptoKeyVersions/1

    • The identifier of the M-PIN encryption key. The M-PIN encryption key identifier is similar to the following example:

      projects/PROJECT_ID/locations/asia-south1/keyRings/creds-key-ring-1/cryptoKeys/creds-key-1/cryptoKeyVersions/1

    • The identifier of the XML payload signing key. The XML payload signing key identifier is similar to the following example:

      projects/PROJECT_ID/locations/asia-south1/keyRings/issuer-switch-signing-key-ring-1/cryptoKeys/issuer-switch-signing-key-1/cryptoKeyVersions/1

    • The identifier of the mandate XML signing key. The mandate XML signing key identifier is similar to the following example:

      projects/PROJECT_ID/locations/asia-south1/keyRings/mandate-key-ring-1/cryptoKeys/mandate-key-1/cryptoKeyVersions/1

    • The identifier of the Cloud Storage bucket for exported data. The bucket identifier has the following format:

      PROJECT_ID/bucket_name

    • The identifier of the Cloud Storage bucket for the certificates and public key. The bucket identifier has the following format:

      PROJECT_ID/bucket_name

    • The filenames of the public key and certificate files in the storage bucket. Public key files and certificate files are saved as .pem files and contain data in the standard PEM format. For example:
      • creds-key-1-pub.pem
      • issuer-switch-signing-cert.pem
      • mandate-cert.pem
    • The identifier of the service attachment for the bank adapter. The service attachment identifier is similar to the following example:

      projects/PROJECT_ID/regions/asia-south1/serviceAttachments/bank-adapter-service-psc-1

    • The identifier of the service attachment for the egress to NPCI. The service attachment identifier is similar to the following example:

      projects/PROJECT_ID/regions/asia-south1/serviceAttachments/egress-psc-1

  4. Wait for Google to share the following information with you:

    • The required IAM service account identifiers.
    • The service attachment for the issuer switch UPI API endpoint.
    • The service attachment for the issuer switch API endpoint.
  5. Grant permissions on specific resources in your Google Cloud project to the specified service accounts, based on instructions provided by Google.

  6. Create a Private Service Connect (PSC) endpoint for each of the two service attachments shared by Google.

  7. Provision an L7 internal load balancer (ILB) in your project to route requests from NPCI to the UPI API connected endpoint.

  8. Provision an L4 internal load balancer (ILB) in your project to route the issuer switch API requests from within your network to the issuer switch API endpoint.
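Before the identifiers from step 3 are handed to Google, it is worth checking them as a set: a key version that lives in a different project than the one you named, a key version listed for two purposes, two entries that point at the same bucket, or a certificate filename that actually holds a public key all pass a glance but give the issuer switch the wrong key material or the wrong storage location. The following validator is an added example, not Google's own tooling; it assumes the identifier formats shown on this page, treats asia-south1 (the region in the page's examples) as the expected region for every resource, and uses field names, a sample project ID and PEM contents that are constructed for the example. It checks format, cross-project and cross-region consistency, distinctness, and that each staged .pem file is well-formed and carries the label its purpose requires.

```python
import base64
import re

# Identifier formats as shown on the page; the project-ID rule follows Google Cloud's
# documented constraints (6-30 chars, lowercase letters, digits and hyphens).
_PROJECT = r"(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
KEY_VERSION_RE = re.compile(rf"^projects/{_PROJECT}/locations/(?P<location>[a-z0-9-]+)/keyRings/[A-Za-z0-9_-]+"
                            r"/cryptoKeys/[A-Za-z0-9_-]+/cryptoKeyVersions/[1-9][0-9]*$")
ATTACHMENT_RE = re.compile(rf"^projects/{_PROJECT}/regions/(?P<location>[a-z0-9-]+)"
                           r"/serviceAttachments/[a-z]([a-z0-9-]*[a-z0-9])?$")
BUCKET_RE = re.compile(rf"^{_PROJECT}/[a-z0-9][a-z0-9._-]{{1,61}}[a-z0-9]$")
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n((?:[A-Za-z0-9+/=]+\n)+)-----END ([A-Z ]+)-----")
# Field names are this example's own; each PEM field is paired with the label its file must carry.
KEY_FIELDS = ("cmek_key", "mpin_encryption_key", "xml_payload_key", "mandate_xml_key")
ATTACHMENT_FIELDS = ("bank_adapter_attachment", "egress_attachment")
PEM_FIELDS = (("mpin_public_key_file", "PUBLIC KEY"), ("xml_signing_cert_file", "CERTIFICATE"),
              ("mandate_cert_file", "CERTIFICATE"))


def parse_pem(text):
    """Return the label of a single well-formed PEM block, or None if it is malformed."""
    m = PEM_RE.fullmatch(text.strip())
    if not m or m.group(1) != m.group(3):
        return None
    try:
        der = base64.b64decode(m.group(2).replace("\n", ""), validate=True)
    except ValueError:
        return None
    return m.group(1) if der else None


def validate_handoff(bundle, pem_files, expected_region="asia-south1"):
    """Return a list of problems; an empty list means the bundle is consistent."""
    problems = []
    project = bundle.get("project_id", "")
    if not re.fullmatch(_PROJECT, project):
        problems.append("project_id is not a valid project ID")

    def scoped(field, regex, kind):
        # Shared checks: well-formed, and living in the stated project and region.
        value = bundle.get(field, "")
        m = regex.fullmatch(value)
        if not m:
            problems.append(f"{field}: {value!r} is not a valid {kind} identifier")
            return None
        if m.group("project") != project:
            problems.append(f"{field}: belongs to project {m.group('project')!r}, expected {project!r}")
        location = m.groupdict().get("location", expected_region)
        if location != expected_region:
            problems.append(f"{field}: is in {location}, expected {expected_region}")
        return value

    keys = [k for k in (scoped(f, KEY_VERSION_RE, "Cloud KMS key version") for f in KEY_FIELDS) if k]
    if len(set(keys)) != len(keys):
        problems.append("the same key version is listed for more than one purpose")
    for f in ATTACHMENT_FIELDS:
        scoped(f, ATTACHMENT_RE, "service attachment")
    export_bucket = scoped("export_bucket", BUCKET_RE, "Cloud Storage bucket")
    if export_bucket and export_bucket == scoped("cert_bucket", BUCKET_RE, "Cloud Storage bucket"):
        problems.append("export and certificate buckets must be different buckets")
    for field, want in PEM_FIELDS:
        name = bundle.get(field, "")
        if not name.endswith(".pem") or name not in pem_files:
            problems.append(f"{field}: {name!r} is not a .pem file staged for upload")
            continue
        label = parse_pem(pem_files[name])
        if label != want:
            problems.append(f"{field}: {name!r} contains {label or 'malformed PEM'}, expected {want}")
    return problems


# Constructed sample handoff: no real project, keys or certificates.
SAMPLE_PROJECT = "example-issuer-bank"

def _key(ring, key):
    return f"projects/{SAMPLE_PROJECT}/locations/asia-south1/keyRings/{ring}/cryptoKeys/{key}/cryptoKeyVersions/1"

def _pem(label, payload):
    # PEM framing around constructed bytes, so the parser has real structure to check.
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

SAMPLE_BUNDLE = {
    "project_id": SAMPLE_PROJECT,
    "cmek_key": _key("cmek-key-ring-1", "cmek-key-1"),
    "mpin_encryption_key": _key("creds-key-ring-1", "creds-key-1"),
    "xml_payload_key": _key("issuer-switch-signing-key-ring-1", "issuer-switch-signing-key-1"),
    "mandate_xml_key": _key("mandate-key-ring-1", "mandate-key-1"),
    "export_bucket": f"{SAMPLE_PROJECT}/issuer-switch-export",
    "cert_bucket": f"{SAMPLE_PROJECT}/issuer-switch-certs",
    "mpin_public_key_file": "creds-key-1-pub.pem",
    "xml_signing_cert_file": "issuer-switch-signing-cert.pem",
    "mandate_cert_file": "mandate-cert.pem",
    "bank_adapter_attachment": f"projects/{SAMPLE_PROJECT}/regions/asia-south1/serviceAttachments/bank-adapter-service-psc-1",
    "egress_attachment": f"projects/{SAMPLE_PROJECT}/regions/asia-south1/serviceAttachments/egress-psc-1",
}
SAMPLE_PEM_FILES = {
    "creds-key-1-pub.pem": _pem("PUBLIC KEY", b"constructed public key bytes"),
    "issuer-switch-signing-cert.pem": _pem("CERTIFICATE", b"constructed signing cert bytes"),
    "mandate-cert.pem": _pem("CERTIFICATE", b"constructed mandate cert bytes"),
}
```

Calling validate_handoff(SAMPLE_BUNDLE, SAMPLE_PEM_FILES) on the constructed sample returns an empty list; in practice you would populate the bundle from the values you intend to share and the pem_files mapping from the files you are about to upload, and treat any returned problem as something to resolve before the handoff. The PEM check is structural only (framing, matching labels, valid base64); it does not verify that a certificate actually chains to the signing key it is meant to accompany, which still needs to be confirmed against Cloud KMS.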