================================================================================
KORENET RAILS — TENANT WELCOME PACK · CREDENTIALS
Tenant: Absa Bank Uganda Limited
Tenant Type: Commercial Bank
Subdomain: absa-uganda.korenet.cloud
Portal: https://korenet.cloud
Generated: May 27, 2026
Classification: SOVEREIGN · INSTITUTIONAL GRADE · LICK-SIGNED · FAIL-CLOSED
Admin Level: FULL ADMIN
Absa Bank Uganda Limited · KoreNet Sovereign Rails Tenant
Issued by: Kore Collective (Pty) Ltd · Registration: 2020/118214/07
================================================================================

SWIFT Code:       BARBUGKX
Branch Code:      020001
Jurisdiction:     BOU
Regulatory Tier:  TIER_1_INSTITUTIONAL
Weekly Limit:     300000000.00
Settlement CCY:   UGX

ENDPOINTS
---------
Portal:           https://korenet.cloud
Rails (tenant):   https://absa-uganda.korenet.cloud
KoreNet API:      https://api.korenet.cloud
OAuth 2.0:        https://auth.korenet.cloud
Token URL:        https://auth.korenet.cloud/oauth2/token
JWKS URL:         https://auth.korenet.cloud/.well-known/jwks.json

OAUTH 2.0 CLIENT (grant_type=client_credentials)
------------------------------------------------
client_id:     ab_e1eeb58612a3a58641332e96bc3c34a8
client_secret: REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT
audience:      https://api.korenet.cloud https://absa-uganda.korenet.cloud
scope:         rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:pair transfers:bulk compliance:read

ROLES & PERMISSIONS
-------------------
Roles:       tenant-admin, rails-operator, commercial-bank-officer
Permissions: rails.dispatch, rails.status, transfers.initiate, transfers.query, vault.query, ledger.query, sentinel.events.read, kip.submit, vault.pair, vault.pair_bank_account, transfers.bulk_dispatch, compliance.submit_report

JWT BEARER TOKEN (Valid until May 27, 2027)
------------------------------------------
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtvcmVuZXQtcmFpbHMtaHMyNTYtZzEifQ.eyJpc3MiOiJodHRwczovL2F1dGgua29yZW5ldC5jbG91ZCIsImF1ZCI6WyJodHRwczovL2FwaS5rb3JlbmV0LmNsb3VkIiwiaHR0cHM6Ly9hYnNhLXVnYW5kYS5rb3JlbmV0LmNsb3VkIl0sInN1YiI6InRlbmFudDphYnNhLXVnYW5kYSIsInRlbmFudCI6ImFic2EtdWdhbmRhIiwidGVuYW50X25hbWUiOiJBYnNhIEJhbmsgVWdhbmRhIExpbWl0ZWQiLCJ0ZW5hbnRfdHlwZSI6IkNvbW1lcmNpYWwgQmFuayIsInN1YmRvbWFpbiI6ImFic2EtdWdhbmRhLmtvcmVuZXQuY2xvdWQiLCJzd2lmdCI6IkJBUkJVR0tYIiwiYnJhbmNoX2NvZGUiOiIwMjAwMDEiLCJqdXJpc2RpY3Rpb24iOiJCT1UiLCJyZWd1bGF0b3J5X3RpZXIiOiJUSUVSXzFfSU5TVElUVVRJT05BTCIsIndlZWtseV9saW1pdCI6IjMwMDAwMDAwMC4wMCIsImlhdCI6MTc0ODA0NDgwMCwiZXhwIjoxNzc5NTgwODAwLCJqdGkiOiI1ZGFmYTE0MTQ3NzFhMTE0NTZlZDQ1ZTBlZjIzMTZlMCIsInNjb3BlIjoicmFpbHM6cmVhZCByYWlsczp3cml0ZSB0cmFuc2ZlcnM6cmVhZCB0cmFuc2ZlcnM6d3JpdGUgdmF1bHQ6cmVhZCBsZWRnZXI6cmVhZCBzZW50aW5lbDpyZWFkIGtpcDpzdWJtaXQgdmF1bHQ6d3JpdGUgdmF1bHQ6cGFpciB0cmFuc2ZlcnM6YnVsayBjb21wbGlhbmNlOnJlYWQiLCJyb2xlcyI6WyJ0ZW5hbnQtYWRtaW4iLCJyYWlscy1vcGVyYXRvciIsImNvbW1lcmNpYWwtYmFuay1vZmZpY2VyIl0sInBlcm1pc3Npb25zIjpbInJhaWxzLmRpc3BhdGNoIiwicmFpbHMuc3RhdHVzIiwidHJhbnNmZXJzLmluaXRpYXRlIiwidHJhbnNmZXJzLnF1ZXJ5IiwidmF1bHQucXVlcnkiLCJsZWRnZXIucXVlcnkiLCJzZW50aW5lbC5ldmVudHMucmVhZCIsImtpcC5zdWJtaXQiLCJ2YXVsdC5wYWlyIiwidmF1bHQucGFpcl9iYW5rX2FjY291bnQiLCJ0cmFuc2ZlcnMuYnVsa19kaXNwYXRjaCIsImNvbXBsaWFuY2Uuc3VibWl0X3JlcG9ydCJdLCJtdGxzX2NlcnRfc2hhMjU2IjoiMTk6RDQ6QUY6Qzg6OTQ6M0Y6QjQ6NkY6NTc6NkY6MzU6Nzk6MUE6Q0M6NDQ6Qzc6QzQ6RkM6RjM6RDc6Nzk6Njk6RUY6OTA6MDk6Mjk6MTI6Mzk6MDk6REI6MkY6MEQifQ.h1gDOpjXTvvbIugTjixqtxUx9GDxCPzD3REf69QPtMQ

JWT DETAILS
-----------
Algorithm: HS256
Key ID:    korenet-rails-hs256-g1
Issuer:    https://auth.korenet.cloud
Audience:  https://api.korenet.cloud, https://absa-uganda.korenet.cloud
Subject:   tenant:absa-uganda
Issued:    May 27, 2026
Expires:   May 27, 2027
jti:       5dafa1414771a11456ed45e0ef2316e0
HS256 secret (keep secret — do NOT commit):
REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

MTLS CLIENT CERTIFICATE
-----------------------
Common Name:         absa-uganda.korenet.cloud
Subject:             UG, ST = Kampala, L = Kampala, O = KoreNet Rails, OU = Absa Bank Uganda Limited, CN = absa-uganda.korenet.cloud, emailAddress = ops@absa-uganda.korenet.cloud
Organization:        KoreNet Rails
Organizational Unit: Absa Bank Uganda Limited
Valid From:          May 27, 2026
Valid Until:         May 27, 2027
Key Size:            4096-bit RSA
SHA-256 fingerprint: 19:D4:AF:C8:94:3F:B4:6F:57:6F:35:79:1A:CC:44:C7:C4:FC:F3:D7:79:69:EF:90:09:29:12:39:09:DB:2F:0D
SHA-1  fingerprint:  4A:1D:D1:4C:01:8A:3F:F9:4F:BC:D9:81:57:69:57:3C:59:96:59:6D
PFX passphrase:      REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

Issuing CA: KoreNet Issuing CA G1
CA SHA-256 fingerprint: 5A:6B:E3:CA:C9:E6:B9:98:FE:5D:0A:F3:43:7B:B9:8B:C8:5F:E2:09:D0:B2:76:6F:AB:0A:6F:48:7B:65:13:DA

Certificate files (in certificates/):
- absa-uganda-client.crt           · X.509 client certificate
- absa-uganda-client.key           · 4096-bit RSA private key
- absa-uganda-client.pem           · cert + key (for curl --cert)
- absa-uganda-client.fullchain.pem · client + CA (for server validation)
- absa-uganda-client.pfx           · PKCS12 bundle (PFX password above)
- korenet-issuing-ca.crt           · KoreNet Issuing CA G1 (public only)

ENVIRONMENT VARIABLES
---------------------
export ABSA_UGANDA_TENANT="absa-uganda"
export ABSA_UGANDA_SUBDOMAIN="absa-uganda.korenet.cloud"
export ABSA_UGANDA_PORTAL_URL="https://korenet.cloud"
export ABSA_UGANDA_RAILS_URL="https://absa-uganda.korenet.cloud"
export ABSA_UGANDA_API_URL="https://api.korenet.cloud"
export ABSA_UGANDA_OAUTH_URL="https://auth.korenet.cloud"
export ABSA_UGANDA_CLIENT_ID="ab_e1eeb58612a3a58641332e96bc3c34a8"
export ABSA_UGANDA_CLIENT_SECRET="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export ABSA_UGANDA_JWT="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export ABSA_UGANDA_JWT_SECRET="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export ABSA_UGANDA_CERT="certificates/absa-uganda-client.crt"
export ABSA_UGANDA_KEY="certificates/absa-uganda-client.key"
export ABSA_UGANDA_PFX="certificates/absa-uganda-client.pfx"
export ABSA_UGANDA_PFX_PASS="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export ABSA_UGANDA_CA="certificates/korenet-issuing-ca.crt"

QUICK TEST COMMANDS
-------------------
# 1. Mint an OAuth access token (production pattern)
curl -X POST "$ABSA_UGANDA_OAUTH_URL/oauth2/token" \
     --cert "$ABSA_UGANDA_CERT" --key "$ABSA_UGANDA_KEY" \
     --cacert "$ABSA_UGANDA_CA" \
     -u "$ABSA_UGANDA_CLIENT_ID:$ABSA_UGANDA_CLIENT_SECRET" \
     -d "grant_type=client_credentials&scope=rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:pair transfers:bulk compliance:read"

# 2. Call tenant rails (mTLS + Bearer JWT)
curl --cert "$ABSA_UGANDA_CERT" --key "$ABSA_UGANDA_KEY" --cacert "$ABSA_UGANDA_CA" \
     -H "Authorization: Bearer $ABSA_UGANDA_JWT" \
     "$ABSA_UGANDA_RAILS_URL/api/v1/rails/health"


SENTINEL & QUORUM
-----------------
Sentinel Tier-B monitoring
2-Signatory Quorum required for state-changing operations
LICK-signed audit trail via Kore Collective LICK G1

CLASSIFICATION REMINDER
-----------------------
This pack is SOVEREIGN · INSTITUTIONAL GRADE. Treat all secrets above as
HSM-protected material. Rotate via the KoreNet rotation workbench
(https://korenet.cloud/rotation) — never edit this file in place.
