================================================================================
KORENET RAILS — TENANT WELCOME PACK · CREDENTIALS
Tenant: BancABC Zimbabwe Limited
Tenant Type: Commercial Bank
Subdomain: bankabc-zimbabwe.korenet.cloud
Portal: https://korenet.cloud
Generated: May 27, 2026
Classification: SOVEREIGN · INSTITUTIONAL GRADE · LICK-SIGNED · FAIL-CLOSED
Admin Level: FULL ADMIN
BancABC Zimbabwe Limited · KoreNet Sovereign Rails Tenant
Issued by: Kore Collective (Pty) Ltd · Registration: 2020/118214/07
================================================================================

SWIFT Code:       BACZZWHA
Branch Code:      040001
Jurisdiction:     RBZ
Regulatory Tier:  TIER_1_INSTITUTIONAL
Weekly Limit:     200000000.00
Settlement CCY:   USD

ENDPOINTS
---------
Portal:           https://korenet.cloud
Rails (tenant):   https://bankabc-zimbabwe.korenet.cloud
KoreNet API:      https://api.korenet.cloud
OAuth 2.0:        https://auth.korenet.cloud
Token URL:        https://auth.korenet.cloud/oauth2/token
JWKS URL:         https://auth.korenet.cloud/.well-known/jwks.json

OAUTH 2.0 CLIENT (grant_type=client_credentials)
------------------------------------------------
client_id:     ba_4dc436b2c5ec3d8784fc55a84587f90b
client_secret: REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT
audience:      https://api.korenet.cloud https://bankabc-zimbabwe.korenet.cloud
scope:         rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:pair transfers:bulk compliance:read

ROLES & PERMISSIONS
-------------------
Roles:       tenant-admin, rails-operator, commercial-bank-officer
Permissions: rails.dispatch, rails.status, transfers.initiate, transfers.query, vault.query, ledger.query, sentinel.events.read, kip.submit, vault.pair, vault.pair_bank_account, transfers.bulk_dispatch, compliance.submit_report

JWT BEARER TOKEN (Valid until May 27, 2027)
------------------------------------------
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtvcmVuZXQtcmFpbHMtaHMyNTYtZzEifQ.eyJpc3MiOiJodHRwczovL2F1dGgua29yZW5ldC5jbG91ZCIsImF1ZCI6WyJodHRwczovL2FwaS5rb3JlbmV0LmNsb3VkIiwiaHR0cHM6Ly9iYW5rYWJjLXppbWJhYndlLmtvcmVuZXQuY2xvdWQiXSwic3ViIjoidGVuYW50OmJhbmthYmMtemltYmFid2UiLCJ0ZW5hbnQiOiJiYW5rYWJjLXppbWJhYndlIiwidGVuYW50X25hbWUiOiJCYW5jQUJDIFppbWJhYndlIExpbWl0ZWQiLCJ0ZW5hbnRfdHlwZSI6IkNvbW1lcmNpYWwgQmFuayIsInN1YmRvbWFpbiI6ImJhbmthYmMtemltYmFid2Uua29yZW5ldC5jbG91ZCIsInN3aWZ0IjoiQkFDWlpXSEEiLCJicmFuY2hfY29kZSI6IjA0MDAwMSIsImp1cmlzZGljdGlvbiI6IlJCWiIsInJlZ3VsYXRvcnlfdGllciI6IlRJRVJfMV9JTlNUSVRVVElPTkFMIiwid2Vla2x5X2xpbWl0IjoiMjAwMDAwMDAwLjAwIiwiaWF0IjoxNzQ4MDQ0ODAwLCJleHAiOjE3Nzk1ODA4MDAsImp0aSI6ImYwYzBkYjc0ZjEwNGRmNmQwMGI3Y2NjZmQ2ODYzZDI0Iiwic2NvcGUiOiJyYWlsczpyZWFkIHJhaWxzOndyaXRlIHRyYW5zZmVyczpyZWFkIHRyYW5zZmVyczp3cml0ZSB2YXVsdDpyZWFkIGxlZGdlcjpyZWFkIHNlbnRpbmVsOnJlYWQga2lwOnN1Ym1pdCB2YXVsdDp3cml0ZSB2YXVsdDpwYWlyIHRyYW5zZmVyczpidWxrIGNvbXBsaWFuY2U6cmVhZCIsInJvbGVzIjpbInRlbmFudC1hZG1pbiIsInJhaWxzLW9wZXJhdG9yIiwiY29tbWVyY2lhbC1iYW5rLW9mZmljZXIiXSwicGVybWlzc2lvbnMiOlsicmFpbHMuZGlzcGF0Y2giLCJyYWlscy5zdGF0dXMiLCJ0cmFuc2ZlcnMuaW5pdGlhdGUiLCJ0cmFuc2ZlcnMucXVlcnkiLCJ2YXVsdC5xdWVyeSIsImxlZGdlci5xdWVyeSIsInNlbnRpbmVsLmV2ZW50cy5yZWFkIiwia2lwLnN1Ym1pdCIsInZhdWx0LnBhaXIiLCJ2YXVsdC5wYWlyX2JhbmtfYWNjb3VudCIsInRyYW5zZmVycy5idWxrX2Rpc3BhdGNoIiwiY29tcGxpYW5jZS5zdWJtaXRfcmVwb3J0Il0sIm10bHNfY2VydF9zaGEyNTYiOiI0OTo2ODpGQjpCNTo1RDo4NzoxMjowQzo2ODpBOToyNToxMzo4Mzo0NjpCOTo1RTo2ODo4NTo2NTpBQjo1NjpCNjpDRDo2QTo0OTo0NzpFNTo5RDpGMDo4QzpGQzozQSJ9.d6hw5buiWwhBUIDtJsv1oxncVUDV17SAgrTq04FWJDM

JWT DETAILS
-----------
Algorithm: HS256
Key ID:    korenet-rails-hs256-g1
Issuer:    https://auth.korenet.cloud
Audience:  https://api.korenet.cloud, https://bankabc-zimbabwe.korenet.cloud
Subject:   tenant:bankabc-zimbabwe
Issued:    May 27, 2026
Expires:   May 27, 2027
jti:       f0c0db74f104df6d00b7cccfd6863d24
HS256 secret (keep secret — do NOT commit):
REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

MTLS CLIENT CERTIFICATE
-----------------------
Common Name:         bankabc-zimbabwe.korenet.cloud
Subject:             ZW, ST = Harare, L = Harare, O = KoreNet Rails, OU = BancABC Zimbabwe Limited, CN = bankabc-zimbabwe.korenet.cloud, emailAddress = ops@bankabc-zimbabwe.korenet.cloud
Organization:        KoreNet Rails
Organizational Unit: BancABC Zimbabwe Limited
Valid From:          May 27, 2026
Valid Until:         May 27, 2027
Key Size:            4096-bit RSA
SHA-256 fingerprint: 49:68:FB:B5:5D:87:12:0C:68:A9:25:13:83:46:B9:5E:68:85:65:AB:56:B6:CD:6A:49:47:E5:9D:F0:8C:FC:3A
SHA-1  fingerprint:  80:FB:2F:61:95:EB:41:35:6E:1D:AF:A7:B2:D1:61:4B:A0:07:E2:0E
PFX passphrase:      REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

Issuing CA: KoreNet Issuing CA G1
CA SHA-256 fingerprint: 5A:6B:E3:CA:C9:E6:B9:98:FE:5D:0A:F3:43:7B:B9:8B:C8:5F:E2:09:D0:B2:76:6F:AB:0A:6F:48:7B:65:13:DA

Certificate files (in certificates/):
- bankabc-zimbabwe-client.crt           · X.509 client certificate
- bankabc-zimbabwe-client.key           · 4096-bit RSA private key
- bankabc-zimbabwe-client.pem           · cert + key (for curl --cert)
- bankabc-zimbabwe-client.fullchain.pem · client + CA (for server validation)
- bankabc-zimbabwe-client.pfx           · PKCS12 bundle (PFX password above)
- korenet-issuing-ca.crt           · KoreNet Issuing CA G1 (public only)

ENVIRONMENT VARIABLES
---------------------
export BANKABC_ZIMBABWE_TENANT="bankabc-zimbabwe"
export BANKABC_ZIMBABWE_SUBDOMAIN="bankabc-zimbabwe.korenet.cloud"
export BANKABC_ZIMBABWE_PORTAL_URL="https://korenet.cloud"
export BANKABC_ZIMBABWE_RAILS_URL="https://bankabc-zimbabwe.korenet.cloud"
export BANKABC_ZIMBABWE_API_URL="https://api.korenet.cloud"
export BANKABC_ZIMBABWE_OAUTH_URL="https://auth.korenet.cloud"
export BANKABC_ZIMBABWE_CLIENT_ID="ba_4dc436b2c5ec3d8784fc55a84587f90b"
export BANKABC_ZIMBABWE_CLIENT_SECRET="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export BANKABC_ZIMBABWE_JWT="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export BANKABC_ZIMBABWE_JWT_SECRET="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export BANKABC_ZIMBABWE_CERT="certificates/bankabc-zimbabwe-client.crt"
export BANKABC_ZIMBABWE_KEY="certificates/bankabc-zimbabwe-client.key"
export BANKABC_ZIMBABWE_PFX="certificates/bankabc-zimbabwe-client.pfx"
export BANKABC_ZIMBABWE_PFX_PASS="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export BANKABC_ZIMBABWE_CA="certificates/korenet-issuing-ca.crt"

QUICK TEST COMMANDS
-------------------
# 1. Mint an OAuth access token (production pattern)
curl -X POST "$BANKABC_ZIMBABWE_OAUTH_URL/oauth2/token" \
     --cert "$BANKABC_ZIMBABWE_CERT" --key "$BANKABC_ZIMBABWE_KEY" \
     --cacert "$BANKABC_ZIMBABWE_CA" \
     -u "$BANKABC_ZIMBABWE_CLIENT_ID:$BANKABC_ZIMBABWE_CLIENT_SECRET" \
     -d "grant_type=client_credentials&scope=rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:pair transfers:bulk compliance:read"

# 2. Call tenant rails (mTLS + Bearer JWT)
curl --cert "$BANKABC_ZIMBABWE_CERT" --key "$BANKABC_ZIMBABWE_KEY" --cacert "$BANKABC_ZIMBABWE_CA" \
     -H "Authorization: Bearer $BANKABC_ZIMBABWE_JWT" \
     "$BANKABC_ZIMBABWE_RAILS_URL/api/v1/rails/health"


SENTINEL & QUORUM
-----------------
Sentinel Tier-B monitoring
2-Signatory Quorum required for state-changing operations
LICK-signed audit trail via Kore Collective LICK G1

CLASSIFICATION REMINDER
-----------------------
This pack is SOVEREIGN · INSTITUTIONAL GRADE. Treat all secrets above as
HSM-protected material. Rotate via the KoreNet rotation workbench
(https://korenet.cloud/rotation) — never edit this file in place.
