1 of 100

MOSIP Docs 1.1.5

Home

The MOSIP Program

The MOSIP program was conceived to help build global digital public goods in the space of digital governance. The flagship of the program is the MOSIP platform which provides the core for a foundational identity system that can be used by countries to build their national identity programs. Anchored at the International Institute of Information Technology, Bangalore (IIIT-B), MOSIP harnesses the power of open source and embraces the best practices of scalability, security and privacy. Learn more >>

About MOSIP

The Modular Open Source Identity Platform is an open-source, open standards-based foundational identity platform. MOSIP is an API-first platform that can be used by countries to build their own national id platform. MOSIP offers id life-cycle management features and identity verification capabilities out of the box.

The key objectives of MOSIP are to:

Provide the basic framework to create a fully functional foundational identity system
Provide flexibility for a country to choose and customize the features from the basic framework according to their requirements
Maintain privacy, security and confidentiality of an individual's data
Provide a scalable and accessible solution to cater to a wide range of population (a few thousand to several hundreds of millions)

Releases

The latest release of MOSIP, version 1.1.5 is here! We have added many interesting features as part of this release and also incorporated some software infrastructure changes as part of paring the technical debt. Check out the exciting new services and enhancements in the documentation.

Current Release Version: 1.1.5 Release Date: March 23, 2021 You can find the release notes here.

Previous Release Version: 1.1.4 Release Date: February 12, 2021 You can find the release notes here.

To view the summary of our releases, click here.

MOSIP Resources

Source Code: GitHub Repositories Containers: Docker Repository Maven Repository: Nexus Repository Presentations: mosip.io Learning Videos: YouTube Channel Community: Gitter Channel

Roadmap

The MOSIP roadmap in the short term is the release of our Long Term Support Version. Our medium-term focus is to enable reference implementations of identity usage, integrations and interoperability. The long-term focus is to offer a set of core components for digital governance. Check out our roadmap and call for contribution to see how you can be part of the MOSIP journey.

Architecture

Note on documentation: Information on the MOSIP architecture and design is distributed between MOSIP Documentation and the design folders of the various repositories.

As the world races towards a fully digital economy, foundational IDs and ID systems become an essential building block in establishing digital trust. They are also an essential part of Government to People (G2P) initiatives. MOSIP as a foundational ID platform delivers a key ingredient of the fabric of digital governance systems.

Pillars of a Digital Future

Digital Identity and Trust
Interoperability and Standards
Transparency and Audit-ability The above allows systems to enact digital transactions which are essentially a flow of all forms of data or money. These transactions will need to factor in identity assurance, consent, user privacy, and information security. MOSIP offers identity assurance to such transactions.

Building a National ID System using MOSIP

National ID systems can leverage MOSIP as the base platform and configure, customize, and extend it to build their systems just the way they need it. The picture below depicts how mosip is visualized as a national id platform.

Guiding Principles

The MOSIP philosophy is to provide a "Good ID". As part of this MOSIP embraces a core set of design and architecture principles that allow the platform to offer best practices for a Good ID system. MOSIP is built on the following architectural principles

MOSIP must follow a platform-based approach so that all common features are abstracted as reusable components and frameworks into a common layer
MOSIP must follow API first approach and expose the business functions as RESTful services
MOSIP must not use proprietary or commercial license frameworks. Where deemed essential, such components must be encapsulated to enable their replacement if necessary (to avoid vendor lock-in)
MOSIP must use open standards to expose its functionality (to avoid technology lock-in)
Each MOSIP component must be independently scalable (scale out) to meet varying load requirements
MOSIP must use commodity computing hardware & software to build the platform
Data must be encrypted in flight and at rest. All requests must be authenticated and authorized. Privacy of Identity Data is an absolute must in MOSIP
MOSIP must follow the following manageability principles – Auditability & monitor ability of every event in the system, testability of every feature of the platform & easy upgradeability of the platform
MOSIP must follow the principles of Zero-Knowledge which means that the services know nothing about the Personally Identifiable Information (PII) data stored.
MOSIP components must be loosely coupled so that they can be composed to build the identity solution as per the requirements of a country
MOSIP should work with different locales so that ID systems can be localized for languages and cultures easily.
All modules of MOSIP should be resilient such that the solution as a whole is fault tolerant
The key sub-systems of MOSIP should be designed for extensibility. For example, if an external system has to be integrated for fingerprint data, it should be easy to do so.

The key design aspects considered for MOSIP are

Ecosystem approach

The MOSIP platform is a framework and an end-to-end solution that needs additional components. For example, biometric devices and ABIS solutions are key to processing an individual's data and proving uniqueness. Through a well-defined set of standard interfaces, MOSIP allows for the integration of such components and offers a choice of providers for the same. MOSIP also needs to cater to a diverse set of institutions wanting to authenticate an Individual against the data stored in MOSIP. So, the key parameters are

All public/external facing interfaces of MOSIP must be standards-based for interoperability.
3rd party components should be integrated via standard interfaces and offer a provider model where needed.

Configurability

MOSIP should be flexible for countries to configure the base platform according to their specific requirements. Some examples of configurations in MOSIP are

A country should be able to choose the features required. For example, it must be possible for a country to turn off Finger Print capture
A country should be able to configure the attributes of an ID Object
A country should be able to define the length of the UIN number

Extensibility

MOSIP should be flexible to extend functionality on top of the basic platform. Some examples of extensibility are

A country should be able to introduce a new step in processing data
Integrate MOSIP with other ID systems and include it as part of the MOSIP data processing flow

Modularity

All components in MOSIP should be modular and their features exposed via interfaces such that the implementation behind the interface can be changed without affecting other modules. Some examples of modularity are

The UIN generator algorithm provided by the platform can be replaced by a country with their own implementation
The default demographic de-duplication algorithm provided by MOSIP can be changed to a different one without impacting the process flow

MOSIP Architecture

Design choices

The MOSIP architecture decisions have been based on the Guiding Principles defined in the charter. The design choices are in line with the need for modularity, loose coupling and scalability of its components, and being API first.

Micro-service based architecture for all platform services for modularity and scalability.
Staged Event Driven Architecture (SEDA) for processing Registration data for extensibility.
Thick client architecture for the registration client to support offline operations as well as process security.

The sections below provide different views of the logical architecture of MOSIP.

Functional Architecture

From a MOSIP perspective, several actors are involved in the ID system.

The Individual or the Resident is at the centre of it all. It is their identity that the system deals with.
The Officer is a representative of the ID issuer. There are several specialized roles for the officer.
- The Operator assists the individual during registration.
- The Supervisor verifies and attests exceptional cases in registration.
- The Adjudicator carries out manual verification or comparison of an individual's data in the ID issue process.
- The Auditor performs an audit or forensic analysis of specific enrollments.
- The Administrator is a super user who manages the configuration data of the system.
The Partner represents a 3rd party service or application that interacts with MOSIP. There are specialized partners in the ecosystem.
- The Relying Party is an Authentication Partner who relies on the ID system for their business transaction. This could be a social scheme for benefits disbursement or a bank for opening accounts.
- The Credential Provider is a print service provider for the credential issue.
- The Device Provider is a partner who provides biometric devices.
- The FTM Provider is a partner that provides foundational trust modules for devices.
- The Partner Application is a system that relies on mosip or one that mosip relies on. This could be a CRVS system or a Functional ID system such as a Passport or a driver's License.
- The ID System is a system that mosip integrates with for inter-operable ID

The diagram shows the functional architecture of mosip with the actors.

Modular Architecture

Mosip has several modules that offer related functionality. These include the core modules of

Pre-registration
Registration client
Registration processor
ID Repository
Authentication
Resident Services

and the support modules

Partner Management
Administration
Reporting

Note: All user interface modules are reference implementations and can be used as is, refactored or customized or replaced with alternative implementations in the actual deployment.

The diagram below shows the various modules of mosip with their respective service bouquets and their interaction.

MOSIP and Data

Data Architecture Principles

MOSIP deals with sensitive information pertaining to the identity of people. It is a central repository of identity data and extra attention is paid to ensure the security and privacy of this data. MOSIP advocates minimalism in the data collected and incorporates features to minimise the interpretation of this data as information. A low-to-zero knowledge design paradigm is used to achieve this.

Data Sets in MOSIP

Master Data - This includes lookups, locations, centres, devices, zones etc. This is not sensitive information
Configuration Manager Data - This includes system configuration information and must be protected. It does not contain any personal information.
Registration Client Database - This is a local database in the registration client. This contains local copies of the relevant master data, downloaded pre-registration information and some transactional information. The pre-registration information is sensitive and encrypted and stored.
Registration Packets - Registration packets are created and encrypted in memory on the registration client and then persisted in the encrypted form. The sync process moves these packets to the server for processing. These packets are the source of truth and are digitally signed.
Registration Processor Database - The registration processor contains transactional information about the RIDs being processed and does not contain any personal information.
ID Repository Entries - The ID Repository contains the identity data. This includes biographic/demographic information and biometric information. The actual storage of these is distributed between RDBMS and object storage.
Authentication Entries - It has encrypted records with one-way linkage to the ID using cryptography. The information can be decrypted for return as part of the KYC response. Biometrics stored here are only non-reversible extracts. A low-resolution photograph can be stored for KYC purposes.
Partner Management Data - This contains protected information such as the API Key and Public Key of the partner. There is no personal information here.
Audit Trail - This does not contain any personal information. It does contain a transaction id for traceability.
Application Logs - These logs do not contain any personal information.
Resident Services Data - This has a transaction history with ID numbers but does not contain any personal information.
Pre-Registration Data - This has personal information and is stored in an encrypted form.
IAM Data - The mosip system user list is present here and this is protected information as it controls access to the system.

Data Storage Guidelines

PII of an individual like name, age, gender, address etc... and other sensitive information must be signed and stored in an encrypted form.
Documents and images must not be stored in a database table. They must be stored in an object store and referenced in DB.
Object Store should have only encrypted data present in it with access control.
No business logic is applied at the database level, only Primary, Unique, foreign keys and not-null are applied. Foreign keys are applied within the same database, if a table is referenced in another database then no FK is applied.
Database-specific features like triggers, DB functions like sequence generators etc.… must not be used in MOSIP. This avoids vendor lock-in
The surrogate key, wherever used, must be a random number and not be generated based on the record data or sequence number.
Direct queries on the database by a human must not be made. Database administrators must ensure this control during database configuration setup
The database is setup in UTF-8*** file format to support multiple languages
The following data types are used
- Character Varying
- Timestamp
- Date
- Integer
- Number
- Bytea/blob
- Boolean

Logical view of MOSIP data system

Access Control to Data

In MOSIP, the following users are defined to perform various activities and have control over the DB objects that are defined

sysadmin: sysadmin user is a super administrator role, who will have all the privileges to perform any task within the database. Currently, all the objects are owned by the sysadmin.
dbadmin: dbadmin user is created to handle all the database administration activities like monitoring, performance tuning, backups, restore, replication setup, etc.
appadmin: appadmin user is used to performing all the DDL tasks. All the DB objects that are created in these databases will be owned by appadmin user.
Application User: Each module will have a user created to perform DML tasks like CRUD operations. Will have masteruser, prereguser, idauser, idrepouser, idmapuser, kerneluser, audituser, regprcuser, keymgruser, regdeviceuser, authdeviceuser to perform tasks in respective modules.

From the above set of roles, only the application user is specific to a module. The other users are common and need to be created per PostgreSQL DB instance.

Multi-Language

The MOSIP platform is being built for multiple countries, there is a need to support multiple languages. So as per the requirements, MOSIP will support multiple languages as configured by the country-level administrator. Multi-language support is needed for the following datasets.

Master Data
ID data of an individual
Transaction comments
Labels used in UI
Messages and notifications

From the database side, the data will support the UTF-8 Unicode character set to store data entered in multiple languages.

There will not be any in-built support to translate data at the database level. Any translation or transliteration will be handled at API or UI layer. Internationalization support is available to handle multiple language needs in the user interface and communication templates. For master data, the information can be stored in multiple languages. For user data, MOSIP supports the storage of data in two languages.

Performance

To support performance, the following database design features are to be considered

Database sharding: By default, the sharding algorithm is not applied in the MOSIP system. SI can define the sharding algorithm based on the deployment setup
All tables will have a primary key index on the primary key field. This will help in faster retrievals and joins
All foreign keys will have indexes defined so that they will help in faster joins
No referential integrity is applied on tables across databases
Partitioning: Partitioning design is database-specific. Depending upon the chosen database, the country may employ the partitioning approach as prescribed by the database engine"
Data in object stores should be easily addressable with hierarchical path conventions

Data Model Consideration

Meaningful Naming: DB objects that are being created will have meaningful naming.
Flexible model: No business rules are set at the database level other than a few mapping data. Most of the business logic is applied at the application layer.
Database-specific features: The use of DB-specific features like defaults, DB sequences, identify fields are not used.
No business logic at DB: No business logic implemented at the database level other than PK, UK, and FKs.
Data Security: Individual and security-related information is encrypted.

Cryptography in MOSIP

Background

The data level encryption is handled in the DTO layer in the application.

Solution

The key solution considerations are

Following are the key considerations of the encryption in the DTO layer,
- The data are classified into,
  - Sensitive
  - Non-Sensitive
- The Sensitive data is encrypted in the DTO layer.
- AES-256 algorithm is used for the encryption.
- The data are classified and kept in the configuration file. The application layer reads this configuration and the sensitivity property is injected into the DTO layer.
- Hibernate interceptors are used to intercept the fields in the DTO layer.
- During the reading of these fields, once again Hibernate interceptors are called to decrypt the data.
  - The key expiration is in-built into the key store.
Following are the various components in the system,
- Keys are stored in the "Key Store". This is a database table in which the keys are maintained along with the index.
- Indexes are persisted in a separate store. When a request comes to a system to encrypt, the current index is retrieved and using this index, the key for encryption is taken. Indexes are stored along with the encrypted data as the prefix separated by a colon. For example, 4:sdf*)(8S@#YFLSJ&*hfdlkj23h
- The scheduler runs a job at some specific time when the necessity for re-encryption arises.
- HSM devices are used to store the Master keys. These master keys are used to encrypt the keys in the Key store.
Encryption:
- The properties in the entities which are supposed to be encrypted are configured in the config server.
- During the encryption, a listener is installed in the DAO layer to intercept the incoming entity objects. If those properties are supposed to be, encrypted or not, are received from the config server.
- The data is encrypted and prefixed with the index of the key, which is used for the encryption and stored in the data store.
- The key itself is encrypted with the master key from HSM and stored in a separate data store.
- The index is incremented if the old index is expired.

Encryption

Decryption:
- When a request is received, the DTO fields are checked for sensitivity, from the config server.
- If the DTO field is sensitive, the decryption() method is called.
- During the decryption, the index is calculated by the delimiter. This index is used to find the Key, which was used for the encryption.
- The Key itself has to be decrypted by the master key from HSM, before decrypting the content.

Decryption

Key rotation
- On-Demand:
  - The keys are stored with the expiry date.
  - When a request comes to the system, the key is checked for expiry.
  - If the old key had expired, then a new index is generated and persisted in the Indexes. If there is no key exists in the Key store, a new key is created for the encryption. And the new key is used for further encryptions.
- Bulk:
  - There are times, that the total encrypted data are re-encrypted again. A scheduler is maintained to oversee this. During the scheduled time, the encrypted data is read and re-encrypted once again and saved. The newly encrypted data will have the new index in front of the encrypted content separated by a delimiter.
  - Bulk mode is used to remove the expired keys and data is encrypted with the new key.
TODO: How do we handle failures during the bulk re-encryption?
TODO: How to handle the load, if it is extremely high?

Anonymous Profiling Support

Overview

When a country is implementing and running the ID program, people at the forefront like policymakers and other executives will need to monitor the progress. Progress can be measured with the help of various attributes like:

total enrollment count
gender profile for enrollment
age group profile
enrollment numbers and profile per registration centre
quality of biometric data captured

Information like this will allow policymakers to take corrective measures as and when required.

Some examples are given below:

Example 1: If registration centres are set up for enrolling residents and if they see that the number of women enrolling in a particular area is less because of cultural factors, they can introduce a door-to-door enrollment process to increase coverage.

Example 2: The quality of biometrics captured for a particular registration centre or region can be monitored. And if it is found to be unacceptable, they can proceed to replace the biometric devices in that centre.

Example 3: They can compare the total number of enrollments against the total number of UINs issued. If there is a big gap, they can then address this by increasing the capacity of the registration processor module to handle and process more packets.

Design

In order to achieve this, we have published a fixed anonymized profile of the users and ensured the same is accessible to a search engine such as elastic search so that it can be used for analytics. The basic guideline followed to create these profiles is that the limited dataset should not violate the privacy of the person or point to specific individuals. These JSON profiles are not configurable in the current design and a code change is required to change them.
This dataset is called an anonymous profile and is captured during the ID issuance stage.
As a part of this implementation, a new anonymous_profile table is created for the ID issuance module and is populated as per the JSON structure given below.

Module

Table name

Profile name

Note: New DB tables are added for the anonymous profile because data in existing tables (except the pre-registration module) are encrypted and cannot be used to create reports and dashboards.

Anonymous Identity issuance profile

This profile data will be captured during the identity issuance process when an entry is made in the ID repository.
The profile data is captured in a anonymous_profile table under the mosip_idrepo schema.

The profile will be available from 1.1.5.5 and above.

JSON structure of the identity issuance profile is given below:

Below is the image for the Anonymous profile table created in the ID repository schema

Modules

Pre-Registration

Overview

This module enables a resident to:

Enter demographic data & upload supporting documents
Book an appointment for one or many users for registration by choosing a suitable registration center and time slot
Receive appointment notifications
Reschedule and cancel appointments

Resident data is sent to the designated registration center before appointment that can be used during the registration process.

Detailed functionality

For detailed functionality of Pre-registration features please view our page, Pre-registration Functionality.

Process flow

Process flow diagram for create and update flows in Pre-registration.

Process flow diagram for cancel and discard flows in Pre-registration.

Services

For detailed description of Pre-registration services refer to pre-registration repo.

Logical View

Below is the diagram depicts the logical architecture of Pre-registration,

Build and deploy

Refer to the build and deploy instructions in the pre-registration repo.

APIs

For detailed functionality of Pre-registration APIs please view our page, Pre-registration APIs

UI Reference Implementation

MOSIP provides a reference implementation of the Pre-registration UI that may be customized as per country needs. The implementation is is available on ref impl repo.

Pre-Registration Configuration

Configurations in Pre-Registration Properties files

File Name: pre-registration-mz.properties

Templates used by Pre-Registration

Email Acknowledgment

This template is used in email notification sent to the applicants when they completes their pre-registration appointment booking. This email is sent to the applicant's email id which is collected as part of pre-registration data collection.

Template type code: Email-Acknowledgement

Sample template:

Dear $name,

Your Pre-Registration for UIN is Completed Successfully on $Date at $Time. Your ID is #$PRID.
Appointment is scheduled for $Appointmentdate at $Appointmenttime.
you will also receive the details on your registered Mobile Number

Attributes:

$name - Name of the applicant
$date - Date when pre-registration was done
$time - Time when pre-registration was done
$PRID - Pre-registration ID of the applicant
$Appointmentdate - Appointment date
$Appointmenttime - Appointment time

SMS Acknowledgement

This template is used in sms notification sent to the applicants when they completes their pre-registration appointment booking. This sms is sent to the applicant's mobile number which is collected as part of pre-registration data collection.

Template type code: SMS-Acknowledgement

Sample template:

Your Pre-Registration for UIN is Completed Successfully on $Date at $Time. 
Your ID is #$PRID.
Appointment is scheduled for $Appointmentdate at $Appointmenttime.
You will also receive the details on your registered email address.

Attributes:

$date - Date when pre-registration was done
$time - Time when pre-registration was done
$PRID - Pre-registration ID of the applicant
$Appointmentdate - Appointment date
$Appointmenttime - Appointment time

Subject for Email Acknowledgement

This template is used to set the subject of the email notification sent to the resident.

Template type code: Acknowledgement-email-subject

Sample template:

Pre-Registration $PRID: Acknowledgement

Attributes:

$PRID - Pre-registration ID of the applicant

This is a template for taking consent of the applicant before he/she provides his/her demographic details.

Template Type Code:

Sample Template: consent

I understand that the data collected about me during pre-registration by the said authority includes my -  
  • Name
  • Date of birth
  • Gender
  • Address
  • Contact details
  • Documents
I also understand that this information will be stored and processed for the purpose of verifying my identity in order to access various services, or to comply with a legal obligation. I give my consent for the collection of this data for this purpose.

Attributes: This template doesn't support any attributes.

Cancel Appointment

This template is used in the SMS or Email notification sent to resident when their appointment is cancelled.

Template type code:

Sample template:

Dear $name,

Your appointment for pre-registration id, $PRID and appointment date and time, $Appointmentdate $Appointmenttime has been canceled due to a government emergency/holiday. Please re-book another slot for Registration.

Thanks

Attributes:

$name - Name of the applicant
$PRID - Pre-registration ID of the applicant
$Appointmentdate - Appointment date of the applicant
$Appointmenttime - Appointment time of the applicant

Onscreen Acknowledgement

Template type code: Onscreen-Acknowledgement

Sample template:

1. Guideline 1
2. Guideline 2
3. Guideline 3
4. Guideline 4
5. Guideline 5
6. Guideline 6
7. Guideline 7
8. Guideline 8
9. Guideline 9
10. Guideline 10

Attributes: This template doesn't support any attributes.

Pre-Registration UI Specification

File Name: pre-registration-demographic.json

For details about the pre-registration UI specification, please go through this page.

Pre-Registration Mapping JSON

This is a mapping file for the Pre-registration ID object. The fields name, proofOfAddress, and postalCode are the only attributes that are used internally in Pre-registration.

name - Name of the applicant. It is used in notification templates & the Pre-registration dashboard screen.
proofOfAddress - Document containing Proof of Address. It is used in the document upload screen to fetch the address document from another applicant.
postalCode - Postal Code in the Address. To fetch the list of centers for the postal code provided by the individual while providing the demographic details.

File Name: pre-registration-identity-mapping.json

{
	"identity": {
		"name": {
			"value": "fullName",
			"isMandatory" : true
		},
		"proofOfAddress": {
			"value" : "proofOfAddress"
		},
		"postalCode": {
			"value" : "postalCode"
		}
	}
}

Registration

Overview

The registration client is a thick Java-based client where the resident's demographic and biometric details are captured along with the supporting documents in online or offline mode. The captured information is packaged in a secure tamper-proof way and send to the server for processing.

Registration client must provide the following :

Secure way of capturing an individual's demographic and biometric data. The captured data must be cryptographically secure such that the data cannot be tampered with. This is called a registration packet.
Interfaces to biometric devices that comply to industry standards. This ensure that any device manufactured as per standards will work with MOSIP.
Works in online and offline mode. In remote areas where internet connectivity is a challenge, the registration client must work in offline mode.
Remote software update capability. There must be a way to self-update to latest patches/upgrades (bug fixes/enhancements) in a remote way. There could be hundreds of client instances running on laptops/desktops. Updates on all of them must be controlled a central server.
Tamper-proof client software. The registration client must have an ability to validate the structure of the information captured so that it could detect any anomoly due to a possible manual tampering and reject the captured packet.

Detailed functionality

Registration Functionality

Process flow

Registration officer Onboarding

Registration preparation

Individual registration

Packet upload

End of day (EOD) process

UIN update

Lost UIN

Software update

Logical view

Component architecture

Registration packet structure

All the registration information is zipped and encrypted in a packet and sent to the server. The structure of the packet is given here.

Registration client reference application

MOSIP provides an Windows-based reference implementation of the client that has a UI and the business logic to perform the above process flows. The code, design, App setup, build documentation is available in registration client repo. The App may be modified according to a country's need.

Registation client setup guide

First user on-boarding

TBD

Registration Packet

This document describes the registration packet structure and the packet encryption procedure.

Registration Packet

Once a resident visits the registration center and provides their demographic & biometric details an encrypted zip file is created which is called a "Packet". This packet can only be decrypted by the registration processor using a private key available in the Kernel Key Manager.

The below diagram depicts the packet creation flow using the packet manager.

Packet Structure

The packet is created using the Commons Packet Manager, which creates a packet in the below structure using the .

Encrypted ZIP File

The packet name here is also the request ID that is generated for a request created when a resident enrolls into MOSIP, requests for updating data or request for finding his/her lost id. The request ID is a 29 digit number derived from the Center ID (5 digits), Machine ID (5 digits), sequence number (5 digits), timestamp (14 digits).

Folder Structure

Container: The container is the base folder in which the sub-packets are stored with their respective JSON files containing meta information.
Sub-Packets: Inside the container we ideally have three packets named as ID Packet, Evidence Packet and Optional Packet. Data inside each packet is stored based on a property in ID Schema called "Field Category".
Packet JSON: Each sub packet has a JSON file associated with it which contains the meta information of the respective sub-packet.

ID Object: Each packet has an ID JSON attached with it which has basic demographic data of the resident, document names that were uploaded, information about the introducers or guardians, biometrics file names (of applicant, introducer, guardians) and the version of the ID schema used. Data for each ID JSON is populated based on the ID Schema property, "Field Category".

You can find the more about ID Object in our document.

Biometric Files: The biometric data of the resident, officer, supervisor, intorducer or guardian is stored in respective and in respective folders as driven by ID schema.
Documents: The documents uploaded by the resident during registration or pre-registration is stored in respective folders as driven by ID schema.
Packet Meta Information: A bunch of meta data is generated during the registration process like the officer's or supervisor's id, machine details, device details, gps location, etc. which is stored in the Packet Meta Info file in JSON format.
Audit: The audit trails created during packet creation is logged and sent to registration processor to be uploaded in the audit database for analytics.

No PII (Personally Identifiable Information) data is captured in the audit logs.

Packet Hash: During the packet creation a hash of the data being collected is stored in these files so that the data can be verified when the packet reaches the server. We have two types of hash file, Packet Data Hash file & Packet Operation Hash file.

Packet Encryption Procedure

Before writing the packet into the local disk, the zipped content should be encrypted using Session and RSA public key (center specific) to secure the data. The same data can only be decrypted at server end where the private key is available.

Session Key Encryption:
- Session key generation is a randomly generated and sent to client as part of sync from server.
- Pass the created Zip object [in-memory] through the AES-256 bit encryption.
- Pass the Random Session Key as a seed to this AES encryption.
- Get the Registration Officer Id from user context object.
RSA Public Key Encryption:
- AES Session key bytes pass through the RSA public key encryption.
Use the "#KEY_SPLITTER#" as a key separator for the AES encrypted bytes and the RSA Public key encrypted Session key seed.
Append the RSA Public key Encrypted Session Key, Key Separator to the AES encrypted bytes.
Append the EO and machine information as a META-INFO JSON file and create another ZIP out of it. [Packet Zip + META-INFO JSON]
Save the encrypted data as a ZIP in local file system under the defined location in configuration file.

First User Registration and Onboarding

Steps to generate the first User in MOSIP eco-system, refer below for the process:

1. Creating the First User in KeyCloak

First the role "Default" need to be created in KeyCloak with all other roles.
A User say 'X' has to be created in KeyCloak and the role “Default” needs to be mapped to it.

2. Creating the Relevant Master Data

All data required as part of ID Object, for example, Gender, Location hierarchy, templates, etc. should be setup in the database through the CSV Utility
Master data of user, machine, device and center should be created and uploaded through the CSV Utility (Note - the user id for the User 'X' should be present in Master data of User)
All necessary center-machine-device-user mappings should be completed through the CSV Utility for the first user.

3. Creating the First User in MOSIP

The User 'X' should now download the latest Registration Client and login with the credentials set in KeyCloak.
The User will automatically skip Operator/Supervisor On-boarding and will reach the home page of Registration Client.
The User authentication method for User 'X' will be always User ID and Password as it is the default user.
The User now can register himself/herself in MOSIP and will get an RID and UIN.

4. Allocating the RID to the User Created in KeyCloak

The RID created for the User 'X' needs to be updated in KeyCloak.

5. User On-boarding

The role for the User 'X' needs to be changed to Registration_Officer or Registration_Supervisor.
The role "Default" needs to be removed from KeyCloak so that no other user has the role Default.
The User 'X' can now login to Registration Client (from the mapped Machine/Centre) with the above Username/Password.
The User now would need to On-board as his/her role would be changed.
Once on-boarding is completed User 'X' can register the subsequent Officers and Supervisors.
The User details of the subsequent Officers and Supervisor must be created in KeyCloak with appropriate roles assigned (as per Step 1) and their RIDs should be mapped in KeyCloak (as per Step 4) so that they can login to Registration Client.

Flow chart describing first user onboarding

Guide to Configure MOSIP for Biometrics

MOSIP can be configured to work with proxy implementation and multiple biometric modalities (fingerprint, iris and face). Below are configurations to enable biometrics in MOSIP.

Registration Client

Adding SDK in classpath

Biometric Windows SDK (jar file) should be placed in lib folder after extracting Registration-Client zip file, and then execute run.bat file.

Enabling MDS integration

The below property should updated to enable MDS integration. This property is present in registration-env.properties file.

mosip.mdm.enabled=Y

Registering biometric devices for registration

Register Device Provider - Device Provider can be registered with MOSIP using Register Device Provider API
Register MDS - MDS can be registered with MOSIP using Register MDS API
Whitelist Device - Biometric Devices can be white-listed using below steps:
- Add Device Specification (like model, make, etc.) using Device Specification API
- Map Biometric Devices to Device Specifications using Device API
- Map White-listed Device to a Center ID to which Registration Client is tagged using Registration Centre Device API
Register Device - Biometric device can be registered using MOSIP using Register Device API

Enabling biometric for officer and supervisor

Biometric authentication for officer and supervisor can be enabled by updating the is_active column to true in mosip_master.app_authentication_method table. List of processes for which biometric authentication can be enabled in registration client

packet_auth (Authentication when packet is created)
login_auth (Login to registration client)
exception_auth (Authentication when an exception packet is created)
eod_auth (Authentication for apporoving EOD packets)

By default, username password based authentication is enabled for all the above processes.

Enabling local de-duplication

Below properties should be enabled for performing local de-duplication. These properties are present in config file registration-env.properties

mosip.registration.mds.fingerprint.dedup.enable.flag=Y    
mosip.registration.mds.iris.dedup.enable.flag=Y    
mosip.registration.mds.face.dedup.enable.flag=Y

Registration Processor

Configuring ABIS queue

ABIS queue can be configured in RegistrationProcessorAbis-env.json file. registration-processor-abis-middleware-stage communicates to ABIS through queue configured. It sends request to inbound queue address and receives response from outbound queue address. If there are multiple ABIS, then it can be added in same file.

ID Authentication

Adding SDK in classpath

Below properties should be set in id-authentication-{env}.properties. The classes configured below will be loaded in classpath during application initialization.

ida.fingerprint.provider=<fully qualified classname of Biometric SDK>
ida.face.provider=<fully qualified classname of Biometric SDK>  
ida.iris.provider=<fully qualified classname of Biometric SDK>
ida.composite.biometric.provider=<fully qualified classname of Biometric SDK>

Registering biometric devices for authentication

Register Device Provider - Device Provider can be registered with MOSIP using Register Device Provider API
Register MDS - MDS can be registered with MOSIP using Register MDS API
Register Device - Biometric device can be registered using MOSIP using Register Device API
Update the code of the registered device to the serial number of the device in register_device_master and register_device_master_h table.

Encrypting biometric data from MDS

In order to capture encrypted biometrics from MDS, MDS should use Mosip Public Key. This key should be generated in MOSIP with IDA-FIR as reference-ID for Parter-based Individual Authentication and 'INTERNAL' as reference-ID for Internal Authentication.

Device Integration Specifications

This document detailed out the design approach to integrate with the list of devices used in the MOSIP platform.

Interface approach has been taken to implement the integration with external devices. The interface should have the required method to communicate with the external devices. An Abstract class has been defined to implement the common functionality and it should be extended by Vendor specific implementation class. The device vendor's specific implementation class should extend the Abstract class and implement the required methods using available libraries.

Devices:

Scanner
Printer
GPS

Scanner:

Interface: IMosipDocumentScannerService

public Boolean isConnected() - to check the scanner connection availability.
public BufferedImage scan() - to scan the document from the scanner device.

Abstract Class: DocumentScannerService

public byte[] asPDF(List bufferedImages) - to convert the captured scanned document files into pdf format.
public byte[] asImage(List bufferedImages) - to convert the captured scanned document files into image format.
public byte[] getImageBytesFromBufferedImage(BufferedImage bufferedImage) - to get the byte[] from BuffredImage object.
public List pdfToImages(byte[] pdfBytes) - to convert the pdf document to image format in order to show in the document preview.

Printer:

Use the JavaFx provided print functionality to interact with printer directly from UI layer. No additional interface is required. javafx.scene.web.WebView.getEngine().print(PrinterJob)

GPS:

Interface:IMosipGPSService

public String getComPortGPSData (String comPortNo, int portReadWaitTime) - it returns GPS signal in standard format.

Abstract Class:IMosipGPSServiceImpl

public GPSPosition sigalParser(String line) Inputs: gps signal (Ex: $GPRMC,055218.000,A,1259.4845,N,08014.7602,E,0.07,120.70,171018,,,A*64)
- returns the latitude and longitude from the GPS signal.

Registration Processor

Overview

Registration Processor processes the data (demographic and biometric) of an Individual for quality and uniqueness and then issues a Unique Identification Number (UIN). It also provides functionality to update demographic and biometric data and issue a new UIN if lost. The source of data are primarily from

MOSIP Registration Client
Existing ID system(s) of a country

Important considerations are as follows:

Once the packet is received on the server packets should not be lost.
MOSIP defines and implement the basic registration packet processing flow. However, every country will have their own processing requirements like integration with their existing ID system and fetch data for validation. Registration processor provides options to add such stages.
Registration processor has the capability to integrate with multiple ABIS providers.
Each processing stage is scalable independently based on the load.
Each stage in the processor is independent of other stages such that logic of a stage can be changed to improve efficiency without affecting the overall flow.

Detailed functionality

Registration Processor Functionality

Process flow

Packet Pre-Processing

New Packet Processing

Update Packet Processsing

Lost UIN Packet Processing

Activate/De-Activate Packet Processing

Logical View

Services

For detailed description of Registration Processor Services refer to registration processor repo.

For high level and low level design refer to registration processor repo

Build and deploy

Refer to build and deploy instructions in registration processor repo.

APIs

Registration Processor APIs

Deduplication and Manual Adjudication

Providing unique identity for a resident is one of key features of any identity platform. Hence, in MOSIP, we provide features like demographic and biometric de-duplication followed by manual adjudication to identify the uniqueness of a resident's demographic and biometric details.

De-Duplication

De-duplication is the process to find a duplicate by comparing the individual’s details (biometric and demographic data) with the data stored in the system.

Demographic De-Duplication

In demographic de-duplication the MOSIP system compares some of the demographic data (i.e. Name, Date of Birth and Gender) of the resident against the data present in MOSIP System (the resident's those who have already registered in MOSIP). If any potential match is found, the MOSIP system sends the resident's biometrics to the ABIS system to confirm if the biometrics are also matching.

Process Flow

MOSIP System receives a request to perform demographic de-duplication for Person A.
MOSIP System performs demographic de-duplication for Person A by, i. Adding Person A's hashed demographic details (i.e. name, date of birth and gender) in the database. ii. Comparing Person's details against all the records in the database.
Let's say the MOSIP System find duplicates against three records - Person B, Person C and Person D. i. If Person B's registration has failed we consider Person B not to be a potential match for Person A. ii. If Person C's registration process in not complete, i.e. UIN is not generated for person C yet, we do not consider Person C to be a potential match for Person A in Demo Deduplication. iii. If Person D's registration is completed and a UIN is associated then we consider Person D to be a potential match for Person A.
Now the list of Potential Matches for Person A (here, we only have Person D as the only potential match, there can be a scenario where there are multiple potential matches for Person A) are sent to ABIS to perform de-duplication against the potential matches.
Here, we ask ABIS to just perform match of Person A's biometrics with Person D's biometrics, we call this process a Gallery Match in ABIS. As we are asking ABIS to perform biometric de-duplication of Person A against the gallery that we have sent. i. If the ABIS confirms that Person D's biometrics matches with Person A's biometrics, MOSIP would REJECT Person A's packet. ii. If the ABIS says that Person A's and Person D's biometrics are different, we move the packet for biometric deduplication.

Biometric De-Duplication

In biometric de-duplication the MOSIP system sends the biometrics of the resident to an ABIS System (Automated Biometrics Identification System). Here, the expectation from the ABIS system is to perform biometric de-duplication (1:N match) against all the records that it has stored earlier.

Any Packet irrespective of it has gone through demographic de-duplication or ABIS gallery match, will have to go through the biometric de-duplication stage.

Process Flow

MOSIP system receives a request to perform biometric de-duplication for Person A.
MOSIP system sends an insert request to the ABIS system to insert Person A's biometrics in ABIS via. MOSIP-to-ABIS queue.
ABIS system processes the request sent by MOSIP and sends a response back to MOSIP via. ABIS-to-MOSIP queue.
MOSIP system now sends a identify request to the ABIS system to perform de-duplication for Person A in ABIS via. MOSIP-to-ABIS queue.
ABIS System processes the request and sends the list of potential matches back to MOSIP via. a ABIS-to-MOSIP queue.
Let's say the ABIS system has found duplicates against three records - Person B, Person C and Person D. i. If Person B's registration has been REJECTED, we consider Person B not to be a potential match for Person A. ii. If Person C's registration is under processing, we consider Person C to be a potential match for Person A. iii. If Person D's registration is completed and a UIN is associated, we consider Person D to be a potential match for Person A.
Now the list of Potential Matches for Person A (here, we have Person C and Person D as the potential matches) are sent to Manual Adjudication System to take the final decision.

Manual Adjudication

When biometric duplicates are found in ABIS, MOSIP system sends a request for Manual Adjudication to the Manual Adjudication System via. a queue. The system integrator can build the Manual Adjudication System, which would be listening to the MOSIP-to-ManualAdjudication queue for any Manual Adjudication requests and send a response back in the ManualAdjudication-to-MOSIP system after verifying the data.

The data sent to the Manual Adjudication system is driven by a policy defined in MOSIP and the specification is similar to ABIS identify request.

Request sent to Manual Adjudication System

{
  "id": "mosip.manual.adjudication.adjudicate",
  "version": "1.0",
  "requestId": "4d4f27d3-ec73-41c4-a384-bf87fce4969e",
  "referenceId": "10002100741000320210107125533",
  "requesttime": "2021-01-19T07:16:22.930Z",
  "referenceURL": "http://datashare-service/v1/datashare/get/mpolicy-default-adjudication/mpartner-default-adjudication/mpartner-default-adjudicationmpolicy-default-adjudication202011110619201EpLEjvD",
  "addtional": null,
  "gallery": {
    "referenceIds": [
      {
        "referenceId": "10002100741000120210107111325",
        "referenceURL": "http://datashare-service/v1/datashare/get/mpolicy-default-adjudication/mpartner-default-adjudication/mpartner-default-adjudicationmpolicy-default-adjudication202137493575474iefnvvsD"
      }
    ]
  }
}

Response received from Manual Adjudication System

{
  "id": "mosip.manual.adjudication.adjudicate",
  "requestId": "4d4f27d3-ec73-41c4-a384-bf87fce4969e",
  "responsetime": "2021-01-19T13:16:22.930Z",
  "returnValue": "1",
  "candidateList": {
    "count": "1",
    "candidates": [
      {
        "referenceId": "10002100741000120210107111325",
        "analytics": { //This section is optional and can be decided by the System Integrator.
          "primaryOperatorID": "110011",
          "primaryOperatorComments": "<comments provided by operator>",
          "secondaryOperatorID": "110012",
          "secondaryOperatorComments": "<comments provided by operator>",
          "key1": "value1",
          "key2": "value2"
        }
      }
    ],
    "analytics": { //This section is optional and can be decided by the System Integrator. This is used when there is no match found.
      "key1": "value1",
      "key2": "value2"
    }
  }
}

Process Flow for Biometric Deduplication

ID Repository

Overview

ID Repository contains the record of identity for an individual, and provides API based mechanism to store, retrieve and update identity details by other MOSIP modules. ID Repository is used by:

Registration Processor
ID Authentication
Resident services

Key Features

Store identity information for a given UIN.
Update identity information partially or status of UIN.
Read identity Information associated with a valid UIN.
Read identity Information for a given RID.
Check status of UIN for validating a UIN.

The identity data stored inside the ID Repository is encrypted. This is the most critical storage repository and is configured keeping the following non-functional aspects in mind:

Scalability
Performance
High availability

ID Repository functionality

Store identity data and documents

Upon receiving the request to store identity details of an individual, the system validates input ID attributes in the request against MOSIP ID defined for the country.

Stores ID JSON, biometric documents, proof documents of an individual generated during registration.
On successful storage of identity for an individual, status of UIN of the individual by default is marked as 'ACTIVATED'.

Retrieve stored identity details by UIN or RID

Upon receiving a request to retrieve identity details of an individual based on input UIN or RID and type as an optional parameter, the system performs the following steps:

Validates if input UIN is 'ACTIVATED'.
Retrieves latest ID attributes of the individual.
The system retrieves and sends demographic or biometric details or both.

Update identity data and documents

Upon receiving a request to update identity details of an individual, the system performs the following steps:

Validates if input UIN is 'ACTIVATED'
Updates input ID attributes of the individual.
Updates demographic/biometric/both
Updates status of UIN as 'DEACTIVATED' or 'BLOCKED' if requested.
Sends the response with updated ID details of the individual.

De-activate/re-activate UIN and its associated VIDs

An individual's UIN/VIDS can be de-activated or re-activated.

Lock/Unlock of authentication types

An individual can lock or unlock a particular authentication type using resident services, for example, locking demographic and/or biometric authentication, the system locks the requested authentication type after certain validations. After the requested authentication type is locked for the individual, then he/she will not be able to authenticate himself/herself by using locked authentication type. Similarly, the individual can choose to unlock these authentication types.

Process flow

Identity service - Store identity data and documents

Identity service - Retrieve stored identity details by UIN or RID

Identity service - Update identity data and documents

VID service

Logical view

Services

The services, code, design and documentation are available in

Build and Deploy

Refer to build and deploy instructions in

APIs

ID Authentication

Overview

ID Authentication (ID Auth) provides an API based authentication mechanism for entities to validate individuals. ID Authentication is the primary mode for entities to validate an individual before providing any service.

Following are the pre-requisites for an entity to do authentication of an individual

ID Authentication requests must come to MOSIP only via trusted parties who are white listed in MOSIP. The trusted parties are referred to as partners in MOSIP.
The biometric devices used for authentication must be registered with MOSIP.

ID Auth allows only partners to make authentication requests. The requests are cryptographically secured and verified. A partner that captures data from a biometric device must conform to standards to ensure interoperability.

An individual is authenticated based on the following:

Demographic data
- name
- date of birth
- gender
- address
Biometrics
- fingerprint
- iris
- face

To enhance security a second factor of authentication is supported:

OTP based
Static pin based
Challenge response

To analyze and generate authentication patterns, all authentication requests are audited. These audit logs may be used to determine any frauds during authentication process.

Detailed functionality

ID Authentication Functionality

Process flow

Demographic authentication

Biometric authentication

Multifactor authentication

OTP authentication

Partner and MISP authentication

eKYC authentication

Logical View

Services

For detailed description of ID Auth services, code and design refer to ID authentication repo.

Build and deploy

Refer to build and deploy instructions in ID authentication repo.

APIs

ID Authentication APIs

ID Authentication Functionality

Authentication is the process of verifying an identity claim against the registered identity information. Such information could be a personal identification information (PII) such as demographic details, biometric data such as a fingerprint, iris or face and OTP on the registered email or phone number. MOSIP provides APIs using which an individual can perform such authentications after registering in MOSIP.

Authentication can be performed in MOSIP by a registered authentication partner over a secure network provided by MOSIP Infrastructure Service Provider (MISP). You can know more about these MOSIP partners on MOISP's Partner Management.

Authentication Service

MOSIP's authentication service allows a registered MOSIP authentication partner to perform various types of authentications. The types of authentications that can are currently allowed are mentioned below and the API specification for services is available in ID Authentication API Specification document.

Biometric Authentication

Using the MOSIP's authentication service a registered authentication partner can request for biometric authentication. Currently, we support biometrics authentication using face, finger and iris. MOSIP adopters can choose to add more biometric types to perform biometric authentication.

MOSIP connects with a biometric SDK, to perform biometric authentication. Refer our page on Biometric SDK for various interfaces using which adopters can connect their biometric SDKs with MOSIP.

Demographic Authentication

Using the MOSIP's authentication service a registered authentication partner can request for demographic authentication. Currently, we support demographic authentication for the following id attributes - Name, DOB, Age, Gender, Address and FullAddress.

Name - the name received in authentication request is compared with the individual's name saved in the authentication database
DOB - the DOB received in authentication request is compared with the individual's date of birth saved in the authentication database
Age - the age received in authentication request is compared with the age of the individual which is derived from the date of birth stored in the authentication database
Gender - the gender received in authentication request is compared with the individual's gender saved in the authentication database
Address - the address attributes received in authentication request is compared with the individual's address attributes saved in the authentication database

MOSIP supports only exact match for the demographic authentication of the individual and does not perform any validations related to partial match and phonetics match. No error messages related to partial match and phonetics match are triggered.

The address attributes are generalized as location 1, location 2 and location 3
The adopter has to define and map the address specific attributes against addressLine2, addressLine3, and location specific attributes against location1, location2, location3 of a country. For example: addrLine1 means House No, addrLine2 means Street No, and addrLine3 means Locality; similarly loc1 means Local Administrative Authority, loc2 means Province and loc3 means Region.

OTP Based Authentication

Using the MOSIP's authentication service a registered authentication partner can request for OTP authentication. Before performing OTP based authentication the Partner needs to request for an OTP using the individual's ID and use it for OTP based authentication.

For details about the OTP request service go through the OTP request API specification.

Multi-factor Authentication

Using various combination of above authentication modalities (fingerprint, face, iris, demographics or OTP based authentication) we can also perform authentication using the same authentication service.

The partner who is requesting for these authentications must make sure that all the below mentioned rules are taken into account before sending an authentication request to MOSIP.

Rules for using MOSIP's Authentication API

The authentication request should have a defined set of parameters as mentioned in the Authentication API Specification.
The authentication request should have signature of the request in the header signed by the authentication partner.
The biometric data should be sent in as a JWT token where the payload base64URL encoded and the signature is signed using the device key. More details of the biometric data block is available in the Secure Biometric Interface document.
The request should be sent to the authentication server, within a set time period in the configurations (i.e. time period between the current time stamp and the request time stamp is <= time period set in configurations).

e-KYC Service

Based on the policy linked to a MOSIP authentication partner, a partner can be eligible to perform e-KYC. In an e-KYC request, the MOSIP authentication partner can request to fetch the KYC details of the individual based on a pre-defined policy. KYC details in MOSIP is only provided to the partners after the individual's consent using OTP or biometric authentication.

The request for e-KYC service is similar to that of authentication service, you can view the details about the API specification in our ID Authentication API Specification document.

Internal Authentication Service

Various internal MOSIP modules for need to use the authentication services. The scenarios where authentication of biometrics are needed are,

Authenticating an officer or supervisor when they on-board into the registration client.
Processing of packets in registration processor where,
1. The officer or supervisor has performed biometric authentication.
2. The introducer's biometrics are collected for authentication in the server side.
3. The individual's biometrics are collected for authentication when he/she is trying to update his/her demographic details.

The internal authentication service supports authentication for all the modalities mentioned as part of authentication service but is only accessible bby the internal modules post authorization. The details about the internal authentication API specification is available in our ID Authentication API Specification document.

Common Features in Authentication

Validations in MOSIP's Authentication API

Below are the various validations that are performed in the authentication server when MOSIP's authentication service receives an authentication or e-KYC request from a Partner.

Verify if the Partner ID, MISP ID and Partner API Key is valid
Verify if the signature of the request is valid
Verify if the request has reached the authentication server with in the time period configured
Verify if the environment details, domain URI & consent token is valid
Verify if the authentication request has data as per the authentication mode selected
Verify if the partner is eligible for performing the authentication as per the partner's policy linked to the Partner API key
Verify if the VID or UIN details received is valid
In case of biometric data,
1. Verify if the biometric block is signed using the device key
2. Verify if the digital ID block is signed using the foundational trust module's key
3. Verify if the timestamp in the digital ID block has reached the authentication server within the configured time period
4. Once all the above validations are completed the biometrics are sent to the SDK for finding the match

Generation of Authentication Token

After every authentication performed in MOSIP, an authentication token is generated in MOSIP. This token is generated based on policy defined for the partner. The token is basically a random id which can be unique per authentication transaction, unique per partner and individual or unique per partner policy group and individual.

Trigger of Notification

After every authentication a notification is trigger to the registered email id or phone number of the individual based on the configuration defined for mode of communication. The notification to be sent to the individual can also be single or bi-lingual based on the configurations and template used.

Resident Services

Overview

Resident services are the self services which is used by the resident themselves via a portal. Functionalities such as lock/unlock authentication types, reprint UIN, view authentication history etc. are available. The services use OTP method of authentication.

The back-end is a set of services with REST API interface (provided by MOSIP) and front end is a portal to be developed by the adopter according to their requirements.

Detailed functionality

Process flow

Logical view

Services

For detailed description of Resident Services, code and design refer to .

Build and deploy

Refer to build and deploy instructions in .

APIs

Resident Services Functionality

The Resident Service module will provide a host of services to an individual which can be availed after the creation of their Unique Identity Number (UIN). The list of services are as follows:

Update of Demographic Data (UIN update)
Track Request Status
Lock/Unlock AUTH types
Download e-UIN
Retrieve Lost Request ID(RID)/UIN
Reprint UIN
View Authentication Transaction History
Generate/revoke Virtual ID (VID).

All these features are detailed in the following features section.

Features

Track status of UIN Generation

This feature will allow an individual to track status of his/her UIN generation. The individual needs to provide the RID (Request ID received during UIN registration) as input. The system will validate this RID. On successful validation, the system will send the status of UIN generation to the individual's registered mobile number and/or email ID. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Download e-UIN

This feature will allow an individual to download his/her electronic UIN. The individual needs to provide the UIN/VID, full name, postal code, and security code as input. The system will validate the provided data, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, system will send a link to the individual's registered mobile number and/or email ID to download his/her password-protected e-UIN in PDF format. The system will also trigger a notification message to the individual's registered mobile number and/or email id after the transaction or appropriate error message if the transaction was not successful.

Retrieve Lost RID

After the UIN application is submitted by an individual providing the required demographic, biometrics and supporting documents and filling up the enrollment form by visiting a registration center, the system generates a unique RID (Request ID) as an acknowledgment number. If the individual misplaces this RID, this feature will allow an individual to retrieve his/her lost RID to subsequently trace the associated UIN. The individual needs to provide his/her Full Name, Mobile Number and/or E-Mail ID, Postal Code that was provided during registration as input. The system will first validate the individual's provided data, trigger an OTP, and perform OTP validation on the given mobile number and/or email ID. On successful validation, the system will send a link to password protected PDF containing the RID to individual's registered mobile number and/or email ID. The system will also trigger a notification message to the registered mobile number/email ID after a successful transaction or appropriate error message if the transaction was not successful.

This feature is not yet developed in MOSIP.

Retrieve Lost UIN

This feature will allow an individual to retrieve his/her lost UIN. The individual needs to provide the Full Name, Mobile Number and/or E-Mail ID, Postal Code as input. The system will first validate the individual's provided data, trigger an OTP, and perform OTP validation on the given mobile number and/or email ID. On successful validation, the system will send a link to the individual's registered mobile number and/or email ID to download his/her password-protected UIN in pdf format. The system will also trigger a notification message to the registered mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

This feature is not yet developed in MOSIP.

Re-print Request of UIN

This feature will allow an individual to raise reprint request of his/her UIN. The individual needs to provide the UIN/VID as input. The system will first validate the individual's UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will take the UIN reprint request and acknowledge the request with a Request ID (RID) to the individual. The system will also trigger a notification message to the registered mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Initiate UIN Update

This feature will allow an individual to initiate update of his/her demographic details. Currently, an individual can initiate an update of the address associated to the provided UIN/VID. However, this service can be extended to further update any other aspect of the demographic data (EG: Mobile, Email, etc). The individual needs to provide the UIN/VID as input. The system will first validate the individual's UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will generate and send a Request ID (RID) for UIN update to individual's registered mobile number and/or email ID. The system will also trigger a notification message to the registered mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Track Status of UIN Update

This feature will allow an individual to track status of his/her UIN update. The individual needs to provide the RID ( Request ID for UIN Update) as input. The system will first validate the RID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will send the status of UIN Update to individual's registered mobile number and/or email ID. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

View History of Authentication Requests

This feature will allow an individual to view history of the authentication request(s) associated to his/her UIN. The individual needs to provide the UIN/VID as input. The system will first validate the UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will send unarchived Authentication History data of the individual associated to the provided UIN and all its associated VIDs. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Lock/Unlock Authentication

An individual can decide to lock specific Authentication Types (Demographic/Biometrics) of his/her UIN/VID for security reasons. It can be for one or more Authentication types. The locked Authentication Type(s) cannot be used for any future authentication request. Similarly at any point he/she may also request to unlock one or more locked Authentication types which was locked earlier.

Lock the UIN

This feature will allow an individual to lock the requested Authentication Type (Demographic, Biometrics (FP/Iris/Face/All)) associated with his/her UIN/VID. The individual needs to provide the UIN/VID as input. The system will first validate the individual's UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will first send the details of all Authentication Types to the individual. The individual will then select which Authentication Type(s) will need to be locked. The system takes the request, locks the specified Authentication Type(s) and then notifies the individual. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Unlock the UIN

This feature will allow an individual to unlock requested Authentication Types (Demographic, Biometrics (FP/Iris/Face/All)) which is/are in locked status associated with his/her UIN/VID. Once unlocked, the individual can again use these Authentication Type(s) for any future authentication purpose. The individual needs to provide the UIN/VID as input. The system will first validate the individual's UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will first send the details of all Authentication Type(s) to the individual which is/are in locked status. The individual will then select which Authentication Type(s) need to be unlocked. The system takes the request and accordingly unlocks the Authentication Type(s) and notifies the individual. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

VID Service

To safeguard the confidentiality of a UIN and for its security, Virtual ID (VID) service is provided. Based on the VID policy (defined by Country), an individual will be provided a VID during UIN registration and also he/she can create this using 'Resident Services'. The VID policy attributes defines the type of the VID, Country can name the VID as desired. VID policy constitutes time validity, no of instances, no of transactions, regeneration mode.

VID services comprise of the below.

Generate a VID

An individual can request to generate a Virtual ID via Resident Service by providing his/her UIN. The system will first validate the individual's UIN, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication the VID is generated based on the VID policy of the respective Country. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Maintain the status of a VID

This feature allows the system to maintain the status of all VIDs from the perspective of Time Validity, Transactions, and VID Revocation. The feature will be used by system's authentication module (called IDA - ID Authentication) whenever a VID is used for an authentication transaction (VID status will change to ‘USED’). Also when Resident Services is used for VID Revoke feature the status of VID changes to ‘REVOKED'.

Revoke a VID

To prevent misuse of VID, an individual can request to revoke his/her VID using Resident Service if the individual feels his/her VID has been compromised. The individual provides the VID as input. The system will then validate the individual's VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system revokes the provided VID. Based on the VID policy of the Country a new VID will be generated during revocation and provided to the individual on the registered mobile number and/or email ID. If validation fails, the system triggers the appropriate error message.

Auto-restore a VID on Revocation and with Auto-restore Policy

This feature allows for a VID to be auto regenerated and given to an individual after he/she requests for an existing VID to be revoked. The VID regeneration happens based on the VID policy defined by Country (the regeneration policy for the revoked VID should be "Auto-restore").

List of Configurable Parameters and Processes

All the configurations related to resident services are available

Resident Services API

Process View

Partner Management Functionality

Common Functionality

Self Registration

Partners in MOSIP are created in a self-service mode. The partner visit the MOSIP partner management portal and requests for collaborating with MOSIP by providing basic details such as organization name & email id, purpose of registration (how they want to collaborate with MOSIP - as a device provider, authentication partner, print partner, etc), basic credentials and performing an OTP based verification.

Once these details are filled by the partner and a request is sent to MOSIP, the Partner Admin verifies the details of the partners and allows the partner to integrate with MOSIP.

User Management

Once the partner is registered in MOSIP and is able to login to the partner management portal, MOSIP provides basic features such as,

Adding more contact information
Viewing user details
Managing credentials

Device Provider

The device providers is one who partners with MOSIP to provide MOSIP complaint devices for authentication and registration.

Upload & Download of Device Certificate

A device provider needs to upload his/her certificate using which he/she would be generating their device keys. These certificates are verified by MOSIP. Once the verification is done the root for these certificates are changed to MOSIP and can be downloaded back by the partner.

A device provider needs to upload a single certificate for all his/her devices.

This certificate needs to be upto date in MOSIP system before anyone performs any authentication using the device. During authentication, MOSIP would verify the device certificate using which the device info in authentication request is signed.

Manage Device Make and Model

Using the partner management portal a device provider can add, update or view their device model details. Once the device provider registers the model details a request is sent to the partner admin for approval of the model.

During device registration MOSIP verifies the make and model detials. If a model details for a device is not available or approved by the partner admin, then registration for that device would fail.

Manage Secure Biometric Interface

Using the partner management portal a device provider can add, update or view their device model details. Once the device provider registers the SBI details a request is sent to the partner admin for approval of the SBI.

Foundational Trust Provider

The foundational trust providers is one who partners with MOSIP to provide MOSIP complaint foundational trust modules (chips) for authentication devices.

Manage Chip Make and Model

Using the partner management portal a foundational trust provider can add, update or view their chip model details. Once the partner registers the model details a request is sent to the partner admin for approval of the model. As part of registration of the chip model, the partner needs to upload an associated certificate which would be used to generate keys for the particular type of chip.

The chip key will be used to sign the digital id in the authentication request. So, when the auth request reaches MOSIP, MOSIP would verify the certificate using which the digital id is signed.

Authentication Partner

The authentication partner is one who partners with MOSIP to provide authentication services to individuals.

Upload & Download of Signature & Encryption Certificates

An authentication partner need to upload an encryption & a signatire certificates using the partner management poratl. The signature certificate will be used in MOSIP to verify the signature when any request is received from the partner; where as, the encryption certificate would be used when any PII data is sent to the partner during e-KYC.

Manage API Keys

The authentication partner can view associated API keys and request for an API key for against a policy which is available for his/her policy group. Once a requeste is initiated a request is generated but a request is also sent for approval to the partner admin. The partner admin needs to approve the request before it can be used in MOSIP. This API key is one of the manadatory attributes in the authentication request using which MOSIP verifies the partner and policy mapping.

Credential Partners

Upload & Download of Signature & Encryption Certificates

An credential partner need to upload an encryption & a signatire certificates using the partner management poratl. The signature certificate will be used in MOSIP to verify the signature when any request is received from the partner; where as, the encryption certificate would be used when any PII data is sent to the partner based on policy to issue a credential.

Manage API Keys

MISP (MOSIP Infrastructure Provider)

View Transaction Logs

A MISP would be providing services to multiple authentication partners. The audit trails on which partner & when used MISP's licence key to perform authentication would be avaialable for the MISP to monitor.

Partner Admin

Approvals

The partner admin receives approval requests for various scenarios. The list of scenarios are mentioned below:

When a partner registers in MOSIP.
When a device model is registered by a device provider.
When a secure biometric interface is registered by a device provider.
When a chip model is registered by a foundational trust provider.
When an authentication partner requests for an API key.
When a credential partner requests for an API key.

Activation or Deactivation

The partner can choose to activate or deactivate various entities in the partner management portal.

Activation or deactivation of partner.
Activation or deactivation of device model.
Activation or deactivation of chip model.
Activation or deactivation of SBI.
Activition or deactivation of API Keys.

Hotlisting of Devices

The partner admin can choose to hotlist a device by marking a device as hotlisted.

Create or Update Partners

The partner admin can create a new partner or update details of a partner in the Partner Management portal.

Associate & Re-Issue API Keys

The partner admin can associate new API keys to an authentication or crential partner and re-issue their API keys.

Policy Admin

Create Policy Group

In order to create a policy we must have a policy group first. The policy admin needs to first create a policy group using the partner management portal.

Create and Publish Policies

Once the policy group is created the policy admin can create policies and associate these policies to various policy groups. After these policies are created, they would be in draft state. These policies need to be published by the policy admin. Once published these policies can be used by the partners.

Activate or Deactivate a Policy

The policy can be activated or de-activated anytime by the policy admin.

Update a Policy

A policy can be updated multiple times when it is in draft state. Only the validity date can be updated once the policy is published.

MOSIP Partner Secure Communication

Introduction

MOSIP and Partners communicate with each other when indviduals avail services of Partners. The communication must to be executed safely and securely.

Confidential: The communication should be confidential and no other parties should be able to eaves drop the communicated details.
Integrity: The integrity of the communication should be maintained.

Security at various levels

Network Layer

All communication from Partners to MOSIP is routed via the MISP.
The communication is protected via the secured network protocol suite of IPSec.

Presentation Layer

Process flow for communication at Presentation Layer:

Partner pings MOSIP.
Partner gets the MOSIP certificate which is signed by the Root CA.
Partner then verifies the MOSIP certificate with the Root CA.
Once validated, the Partner shares its SSL certificate to the MOSIP. This SSL certificate is already signed by MOSIP as Root CA.
MOSIP verifies the SSL certificate.
Once both the SSL certificates are validated, the communication channel is established and communication happens.

Application Layer - Encryption

The data is encrypted in the Application Layer itself before it gets into the Presentation Layer.
The Encryption certificate is shared across by both the parties (MOSIP & Partners) to decrypt the content.

Application Layer - Digital signature

Both the parties (MOSIP and Partner) have to sign the request and response in the communication.
Partner signs request and response using Partner's signature certificate. MOSIP can verify the signature using Partner's public key.
MOSIP signs request and response using MOSIP signature certificate. Partner can verify signature using MOSIP's public key.

Certificates used

Altogether, 3 certificates are used in the communication:

SSL certificate: Used in the Presentation Layer
Encryption certificate: Used in the Application Layer
Signature certificate: Used in the Application Layer

Administration

Overview

The MOSIP platform is configured via the Admin application. This application can be accessed only by the privileged group of administration personnel. When the MOSIP platform gets initialized, there are default configurations and seed data are setup. Post installation, following operations can be done using the Admin application:

Master data management
User management
Mapping of the master data to various resources

The module provides a single user interface to administer the MOSIP platform. On initial platform installation, data and configurations may be uploaded from CSV files.

Admin application contains UI layer and Service layer. All the components in both Services and UI are secure and authenticated. Every component should be defined with the authorization module plugged in. For example, if a component's data is not supposed to be viewed except authorized personnel, no user will be able to view it. So is for creating, editing and deleting functionalities.

Detailed functionality

Admin Services Functionality

Logical view

Backend Services

The administrator uses many services available as part of Kernel in commons repository. There are a few administrator specific services available in admin repository. The code and design documentation is available in the repositories.

Frontend - Admin portal

Reference implementation of Admin portal is available in ref impl repo

Build and Deploy

Build and deploy instructions available in the above repositories.

APIs

APIs from multiple services are used for Admin as follows:

Kernel

Overview

Kernel is on which MOSIP services are built. Kernel is a platform to build higher-level services as well as a secure sandbox within which the higher-level service functions. Kernel provides a bedrock to build and run the services by providing several significant necessary technical functions so that individual services are concerned with specific business functions.

Kernel is not a distinct module but a bunch of services and libraries that are shared across different modules.

Components

Refer to commons repo/kernel for all components of Kernel.

Detailed functionality

Kernel has many services and functions. Details of some of them are mentioned below:

Common Services
UIN & VID Generation Service
Data Services
Master Data Services
Key Manager
Audit Manager
Authentication and Authorization
Packet Manager
Web Sub

Services and libraries

Details of all services and libraries along with code, design are available in commons repo/kernel.

Build and deploy

Refer to build and deploy instructions in commons repo/kernel.

APIs

Kernel APIs

Audit Manager Functionality

The Audit Manager in MOSIP captures all the information about the actions performed by various MOSIP applications. This information can further be used for data analysis which will help in inspecting, cleansing, transforming, and modeling data to discovering useful information, informing conclusions, and decision-making.

Audit Log Parameters

The following parameters are captured as a part of the audit service,

Parameters

Description

Example

Application-Specific Audit Details

Abbreviations

Abbreviation

Definition

ID Authentication Audits

ID Authentication Service

User Event Type

The following events are triggered as part of User Event Type in ID Authentication Service module

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

System Event Type

The following events are triggered as part of System Event Type in ID Authentication Service module

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

Authentication and Authorization Functionality

In MOSIP, Authentication largely falls into the below categories:

Authentication via web channel (for Pre-Registration web application, Admin web application and Resident portal)
Authentication via local system i.e., offline authentication (for Registration client)

In MOSIP, Authorization falls into the below categories:

Authorization of API's accessed via web channel
Authorization to access specific data

A country will have its own hierarchy of system users especially the Registration staff and system administration staff. So, instead of defining a fixed hierarchy, by default MOSIP will depend on an LDAP implementation to manage users, organizational hierarchy and roles for users in the hierarchy. MOSIP will use an open source LDAP server as the LDAP implementation. Administrators can create hierarchy and users using Apache Directory Studio.

MOSIP system can handle Authorization across core services and restricts access to Web-services as per the roles defined.

For details on the APIs for authentication and authorization please view our documentation on .

Auth Adapter

Auth adapter is a package that needs to be injected into Mosip's applications exposing REST API's inorder to secure them.

Auth Adapter includes following class definitions:

SecurityConfig

Holds the main configuration for authentication and authorization using spring security.

Inclusions:

AuthenticationManager bean configuration:
- This is assigned an that we implemented.
- RETURNS an instance of the ProviderManager.
bean configuration:
- This extends AbstractAuthenticationProcessingFilter.
- Instance of the is created.
- This filter comes in line after the .
- Binds the AuthenticationManager instance created with the filter.
- Binds the created with the filter.
- RETURNS an instance of the .
RestTemplate bean configuration:
- Binds the instance with the RestTemplate instance created.
- RETURNS an instance of the RestTemplate.
Secures endpoints using antMatchers and adds filters in a sequence for execution.

AuthFilter

AuthFilter is bound with AuthenticationManager to attempt authentication.

Attempt Authentication tasks:

Receives "Authorization" Header from request headers.
Use the assigned Authentication manager to authenticate with the token.

AuthHeadersFilter

This filter is going to act as a CORS filter. It is assigned before in the filter chain.

Tasks:

Sets headers to allow cross origin requests.
Sets header to allow and expose "Authorization" header.

AuthProvider

Contacts auth server to verify token validity.

Tasks:

Contacts auth server to verify token validity.
Stores the response body in an instance of .
Updates token into SecurityContext.
Bind instance details with the that extends Spring Security's UserDetails.

AuthSuccessHandler

Handles successful authentication. If any action needs to be done after successful authentication, this is where you have to do it.

AuthEntryPoint

Captures and sends "UnAuthorized" error.

AuthToken

Used in for token details.
This extends UsernamePasswordAuthenticationToken class.

AuthUserDetails

Used by spring security to store user details like roles and use this across the application for Authorization purpose.

ClientInterceptor

It is used to intercept any http calls made using rest template from this application.

Config:

This is added to the list of interceptors in the RestTemplate bean created in the .

Tasks:

Intercept all the requests from the application and do the below tasks.
Intercept a request to add auth token to the "Authorization" header.
Intercept a response to modify the stored token with the "Authorization" header of the response.

MosipUser

Mosip user is the standard spec that will be tuned based on the details stored in ldap for a user.

AuthControllerAdvice

Adds latest token to the response headers before it is committed.

Auth Implementation

Please find below the sequence diagrams for auth flows.

Login flow:

Resource request flow:

Service to Service communication:

Documentations for the Auth Implementations

Auth Adapter Documentation
Auth Angular User Guide
Auth SpringBoot User Guide

UIN and VID Generation Service Functionality

UIN Generation

MOSIP generates a pool of UINs before the registration process and stores them. The UIN generation policies can be defined or modified by country as per their requirement.

The UINs generated for the current implementation, follow the following policies:

UIN should not contain any alphanumeric characters
UIN should not contain any repeating numbers for 2 or more than 2 digits
UIN should not contain any sequential number for 3 or more than 3 digits
UIN should not be generated sequentially
UIN should not have repeated block of numbers for 2 or more than 2 digits
The last digit in the number should be reserved for a checksum
The number should not contain '0' or '1' as the first digit.
First 5 digits should be different from the last 5 digits (example - 4345643456)
First 5 digits should be different to the last 5 digits reversed (example - 4345665434)
UIN should not be a cyclic figure (example - 4567890123, 6543210987)
UIN should be different from the repetition of the first two digits 5 times (example - 3434343434)
UIN should not contain three even adjacent digits (example - 3948613752)
UIN should not contain admin defined restricted number

Note: The number of UINs to be generated in a pool depends on a configuration to be done by the country depending on the peak registration requirements. UIN generation service will receive a request by Registration Processor to get a UIN. The service responds with an un-allocated UIN from the generated pool. When the pool reaches a configured number of minimum UINs, MOSIP generates another pool of UIN.

VID Generation

MOSIP will generate a pool of VIDs through a Batch Job. The number of VIDs generated will be configurable by the country. All the VIDs generated will be assigned a status “Available” which means that the VID is available for allocation to a UIN. Any request for VID allocation will pick up VIDs which have this status. The Batch Job to generate the pool will run every time the number of VIDs in the pool reduces to a configured number.

VID generation will happen according to the below logic:

VID generated should contain the number of digits as configured.
A generated VID should follow the below logic a. The number should not contain any alphanumeric characters b. The number should not contain any repeating numbers for 2 or more than 2 digits c. The number should not contain any sequential number for 3 or more than 3 digits d. The numbers should not be generated sequentially e. The number should not have repeated block of numbers for 2 or more than 2 digits f. The number should not contain the restricted numbers defined by the ADMIN g. The last digit in the number should be reserved for a checksum h. The number should not contain '0' or '1' as the first digit.

MOSIP has a VID generator service which will receive a call to generate a VID. The service will also support receiving an expiry period (optional Parameter). This service when called will pick up a VID from the pre-generated pool and respond it to the source. The Service will also mark that VID in the pool as “Assigned” and attach the expiry period to the VID if received. The service will also make an asynchronous call to the batch job to check the remaining VIDs and generate the pool if needed.

MOSIP also has a VID revoke service which will receive a VID and expire it. When received a request along with the VID, the service will change the status of the VID as “Expired”.

MOSIP also has a batch Job to auto-expire VIDs and mark expired VIDs as to be available to be allocated again.

All the VIDs will be marked as ‘Expired’ through the batch job based on the expiry period assigned to them
All the VIDs which are in expired state for a configured amount of days should be marked as ‘Available’ through a daily batch job thus enabling re-usability of them

VID Generator

Background

A virtual ID can be requested by an Indivudual against his UIN. The request is received to fetch a VID, which is unallocated yet at the time of request. There are many types of VIDs such as Perpetual VIDs, Transactional, Long term, short term.

Solution

The key solution considerations are

A pool of the VIDs are maintained for the faster dispatch of the VIDs to the requestor.

Vert.x REST Services: Following are the services which are available for the VID generator component,

VID Fetcher Service
- This service requests for an unassigned VIDs.
- Expiry days is passed as a parameter to this service. So, the VID pool knows when to expire this VID.
- In case of perpetual VIDs, the expiry days is not passed. So that, the expiry of the VIDs have to be called back specifically.
- Each time when this service is called, a call is triggered to the "VID pool size checker"
- Once the VID assigned, the status is changed to ASSIGNED

Flowchart diagram for fetcher

VID Revoke Service
- This service revokes the VID and allocates the VID in the free pool.
- This service accepts the VID as input.
- The requested VID status is changed to EXPIRED
- The expired VID can be reallocated after the configured cool-off period

Flowchart diagram for revoker

Vert.x Verticles: Following are the various verticles which are available,

VID pool size checker
- This vertical checks whether the pool has the available sufficient VIDs.
- The configuration for the Shrink pool size, number of VIDs to be generated etc., are retrieved from the config server.
- If the pool had shrunk below the configured size, the next "VID Pool Populator" vertical is notified.
- The "VID pool size checker" vertical is called whenever a request is received for the VID generator.
VID Pool Populator
- When the notification is received from the "VID pool size checker", this vertical is notified to generate the next set of VIDs are generated and placed in the pool.
- When this vertical runs, it creates a lock. So that no multiple populator runs.
- The worker verticle size is double as "VID Genertor Service".
- The status of the new generated VIDs is AVAILABLE

Vert.x expirer:
- The expired VIDs status' have to be changed back to available. This scheduler runs at night when the traffic is minimal. The entire database have to be scanned for the expired VIDs.
- The VID's status is changed back to AVAILABLE, if the VID is expired and crossed the cool-off period.

Flowchart diagram for expirer

Database:

A separate schema is needed for the VID.
VID Statuses are maintained in the database.

Module diagram

Biometrics

ABIS

Overview

Providing unique identity for a resident is one of key features of any identity platform. To achieve this, MOSIP interfaces with an Automated Biometric Identification System (ABIS) to perform de-duplication of a resident's biometric data.

MOSIP is designed to integrate with multiple ABISs to leverage expertise of different ABIS providers. A country may use one ABIS for fingerprint and another for Iris or use multiple ABISs for the same biometric data and evaluate the best ABIS based on de-duplication quality.

The ABIS system never comes to know about resident's identity. Any Personally Identifiable Information (PII) such as demographic details or RID (Request ID for Registration) is not shared with the ABIS system. Internally, MOSIP maintains a mapping between the ABIS specific referenceID and RID of the resident.

ABIS is used for 1:N de-duplication. For 1:1 authentication is used. MOSIP does not recommend using an ABIS for 1:1 authentication.

ABIS middle-ware

MOSIP's ABIS middle-ware has the following components

MOSIP ABIS request handler
Request router (based on routing policy, an ABIS request is routed to the correct ABIS system)
ABIS response handler

Below is the MOSIP ABIS middle-ware process flow,

MOSIP-ABIS interface

MOSIP interacts with ABIS only via message queues. JSON format is used for all control messages in the queue. MOSIP ABIS middle-ware sends requests to inbound queue address and receives responses from outbound queue address. For details refer to the .

ABIS must support the following types of biometric images:

Individual fingerprint images (segmented)
Iris images (left, right)
Face image

Biometrics data in MOSIP is exchanged as per formats defined in .

ABIS deployment

ABIS must comply to .
The queues can be configured in file.
ABIS system connects to the queues using a pre-defined user id and password.
It is recommended that ABIS is deployed in a secure zone (military zone).
ABIS system is not recommended to connect to any external network.

Biometric SDK

Introduction

MOSIP uses biometrics - fingerprint, iris, face - in registration and authentication processes. This requires specialized processing of biometrics data for biometric quality check and matching two biometric images. Biometric SDK consists of software libaries that provide these functions. Note that MOSIP platform does not include such an SDK.

Biometric SDK is primarily used for 1:1 authentication and quality check while [ABIS](Automated-Biometric-Identification-System-ABIS.md) is used for 1:N deduplication. MOSIP does not recommend using an ABIS system for 1:1 authentication.

Biometric SDK Functions

SDK Initialization

Shares information about the SDK and performs any one time activities including initialization of internal variables and algorithms.

Quality Checker

Checks the quality of input biometrics and returns quality score for the same.

Use Cases

When a biometric image is received by MOSIP in the registration client using a forced capture, this method is used to check the quality of the image
Server side validation of quality of biometric images uses this method
When external biometric images are received to be put on record this method is used to determine the quality of the received biometric image

Matcher

Matches the captured biometric record or a list of biometric records (based on single match or composite match), matches it against list of stored biometric records. It then returns a matching score against each stored biometric record or a composite matching score for the list of input biometric records.

Use Cases

Used for matching one or multiple modes of biometric received in an auth transaction with a list of biometrics record
Used for authentication of operators in offline mode
Used for prevention of erroneous submission of operator biometrics in place of registrant’s biometric on registration client
Match is expected to be capable of image-image, extract-extract and extract-image comparisons

Extractor

Extracts salient features and patterns of input biometric record to use in fast comparison. It returns the extracted biometric record.

Use Cases

Used to extract salient features and patterns of a biometric to use in fast comparison
In case of fingerprints this is called Minutiae and a standard representation of minutiae is an ISO template for FMR

Segmenter

Segments single biometric record into multiple biometric records and returns list of segmented biometric records. Eg: Split thumb slab into multiple fingers and eyes into left and right eye.

Use Cases

Used to split images into individual biometric segments when received from external sources

Converter

Converts images in all segments in the biometric record.

Biometric SDK integration points

Biometric SDK API Specification

The SDK needs to comply to

Biometric Specification

For details about biometric specifications in MOSIP please view the page .

Build & Deploy

Deployment Architectures

Introduction

Running a national ID system is no mean task and involves numerous challenging aspects. The software system at the core is a critical infrastructure and needs to address high availability, reliability, scalability, security, resilience, and manageability. Choosing the right deployment architecture plays an important role in helping achieving architectural goals while also catering to the law of the land. Cost of implementing such an architecture also matters.

Mosip has a micro-services architecture that organizes functionality into myriad small services and execution units. Each of these can be scaled separately as well as replaced / upgraded. This makes the platform powerful and provides plenty of flexibility and configurability in the hands of the implementor. There is also the corresponding complexity of dealing with a higher number of components in the system in the areas of configuration, security, deployment, dependency management, monitoring and testing.

Deployment architecture choices

In order to get the best out of mosip and keep manageability high the deployment architecture plays a crucial role. Let us take a look at a few of the common deployment architecture options available based on various perspectives.

Packaging choices
- Option 'Jar' - Spring boot services in Virtual Machines|
- Option 'Docker' - Dockers on a Kubernetes container management setup
Infrastructure choices
- Option 'On-Premise' - Deploy in a private or own data center
- Option 'Cloud' - Deploy in a cloud
- Option 'Hybrid' - Cloud + On Premises
Platform choices
- Option 'Open Source' - Proven community favored platforms
- Option 'Cloud Native' - Cutting edge supported cloud technologies from AWS, Azure, GCP et al
- Option 'Commercial' - Established and well supported priced packages

Security: Deployment with secure zones

The architecture proposed may be deployed on-premise or cloud. Here, all MOSIP modules are installed with clear separation between militarised and demilitarised zones.

Scalability: Cell based architecture

For linear scaling of capacity and provisioning of hardware, a cell based architecture (along with secure zones) may be preferred.

Rapid deployment: Hybrid architecture

A hybrid architecture may be considered where benefits of cloud and on-premise are leveraged. While cloud provides rapid deployment and ease of management, on-premise can facilitate data localization and any other policy requirements.

An example of hybrid architecture is given below:

Cell Based Deployment Architecture

Context

Scalability of complex systems is non-trivial especially when there are multiple running components like microservices, databases, storage clusters etc. with complex interactions. End-to-end performance modelling of such a system poses significant challenges as the performance of the 'whole' does not have a straight-forward linear relationship to its 'parts'.

MOSIP recommends a cell architecture where hardware and software within a cell is fixed (canned), and the cell is benchmarked for input/output capacity. Such cells, then, may be replicated to scale up capacity in a production depolyment with traffic diverted to them via a load balancer. Ideally, each cell must be islolated from each other without any cross-dependencies. Practically, however, they may share certain resources. Scalabilty of such common resources needs to addressed separately.

This document presents cell architecture for all major MOSIP modules for production deployment.

Registration Processor Cell

The following resources are shared across cells:

ABIS
ABIS Queue
Registration Process DB
ID Repository HDFS/CEPH cluster
ID Repository DB

The communication between Demilitrized Zone (DMZ) and Militarized Zone (MZ) is strictly via a firewall.

The encrypted packets from registration client first land into Packet Landing Zone in the DMZ. Some of the Registration Processor stages run in the DMZ for initial packet handling.

Hardware Security Module HSM Specifications

HSM stands for Hardware Security Module and is an incredibly secure physical device specifically designed and used for crypto processing and strong authentication. It can encrypt, decrypt, create, store and manage digital keys, and be used for signing and authentication. The purpose is to safeguard and protect keys.

MOSIP highly recommends the following specifications for HSM:

Must support cryptographic offloading and acceleration.
Should provide Authenticated multi-role access control.
Must have strong separation of administration and operator roles.
Capability to support client authentication.
Must have secure key wrapping, backup, replication and recovery.
Must support 2048, 4096 bit RSA Private Keys, 256 bit AES keys on FIPS 140-2 Level 3 Certified Memory of Cryptographic Module.
Must support at least 10000+ 2048 RSA Private Keys on FIPS 140-2 Level 3 Certified Memory of Cryptographic Module.
Must support clustering and load balancing.
Should support cryptographic separation of application keys using logical Partitions.
Must support M of N multi-factor authentication.
PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI and CNG.
Minimum Dual Gigabit Ethernet ports (to service two network segments) and 10G Fibre port should be available.
Asymmetric public key algorithms: RSA, DiffieHellman, DSA, KCDSA, ECDSA, ECDH, ECIES.
Symmetric algorithms: AES, ARIA, CAST, HMAC, SEED, Triple DES, DUKPT, BIP32.
Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit).
Full Suite B implementation with fully licensed ECC including Brainpool, custom curves and safe curves.
Safety and environmental compliance
Compliance to UL, CE, FCC part 15 class B.
Compliance to RoHS2, WEEE.
Management and monitoring
Support Remote Administration —including adding applications, updating firmware, and checking the status— from NoC.
Syslog diagnostics support.
Command line interface (CLI)/graphical user interface (GUI).
Support SNMP monitoring agent.
Physical characteristics
Standard 1U 19in. rack mount with integrated PIN ENTRY Device.
Performance
RSA 2048 Signing performance – 10000 per second.
RSA 2048 Key generation performance – 10+ per second.
RSA 2048 encryption/decryption performance - 20000+.
RSA 4096 Signing performance - 5000 per second.
RSA 4096 Key generation performance - 2+ per second.
RSA 4096 encryption/decryption performance - 20000+.
Should have the ability to backup keys, replicate keys, store keys in offline locker facilities for DR. The total capacity is inline with the total number of keys prescribed.
Clustering minimum of 20 HSMs.
Less than 30 seconds for key replication across the cluster.
A minimum of 30 logical partitions and their license should be included in the cost.

Hardware Sizing

The hardware compute and storage requirements for MOSIP core platform are estimated as below.

Production

Compute

Compute hardware estimates for a production deployment:

Module

Capacity

Servers

Configuration

* Average throughput

** VCPU: Virtual CPU

We estimate 30% (approx) additional compute capacitiy for administration, monitoring and maintenance. This may be optimized by the System Integrator.

Notes

High availability is taken into consideration with assumed replication factor of 2 per service pod/docker
The above estimates do not include compute servers needed for
1. Database
2. HDFS/CEPH
6. Virus scan
7. Load balancers
8. External IAM
9. Disaster recovery

Storage

Storage estimates for production deployment:

Database and HDFS/CEPH

Appication and system logs

Application logs

Module

Unit

Raw log size

The above estimates are approximate, and may inflate if, for example, there are too many exception traces.

The logs may be compressed and archived after a week or so. The compression ratio achieved with tar+gz utility is 15-20.

System logs

To be estimated by System Integrator according to the deployment

Dev, QA, Staging, Preprod

Additional compute and storage is needed for the following setups.

Environment

Setup

n Servers

Configuration

Storage

* To be decided by the country/System Integrator.

Other Installation Guides

Steps to Install Clam AntiVirus Version 0.101.0

ClamAV is a free, cross-platform and open-source antivirus software toolkit able to detect many types of malicious software, including viruses.

Steps to install ClamAV in RHEL-7.5

To install clamAV first we need to install EPEL Repository:

After that we need to install ClamAV and its related tools.

After completion of above steps, we need to configure installed ClamAV. This can be done via editing /etc/clamd.d/scan.conf. In this file we have to remove Example lines. So that ClamAV can use this file's configurations. We can easily do it via running following command -

Another thing we need to do in this file is to define our TCP server type. Open this file using -

here this we need to uncomment line with #LocalSocket /var/run/clamd.scan/clamd.sock. Just remove # symbol from the beginning of the line.

Now we need to configure FreshClam so that it can update ClamAV db automatically. For doing that follow below steps -

First create a backup of original FreshClam Configuration file -

In this freshclam.conf file, Here also we need to remove Example line from the file. Run following command to delete all Example lines-

Test freshclam via running-

After running above command you should see an output similar to this -

We will create a service of freshclam so that freshclam will run in the daemon mode and periodically check for updates throughout the day. To do that we will create a service file for freshclam -

And add below content -

Now save and quit. Also reload the systemd daemon to refresh the changes -

Next start and enable the freshclam service -

Now freshclam setup is complete and our ClamAV db is upto date. We can continue setting up ClamAV. Now we will copy ClamAV service file to system service folder.

Since we have changed the name, we need to change it at the file that uses this service as well -

Remove @ symbol from .include /lib/systemd/system/[email protected] line and save the file.

We will edit Clamd service file now -

Add following lines at the end of clamd.service file.

And also remove %i symbol from various locations (ex: Description and ExecStart options). Note that at the end of the editing the service file should look something like this -

Now finally start the ClamAV service.

If it works fine, then enable this service and test the status of ClamAV service -

Now in MOSIP we require ClamAV to be available on Port 3310. To expose ClamAV service on Port 3310, edit scan.conf

and Uncomment #TCPSocket 3310 by removing #. After that restart the clamd@scan service -

Since we are exposing ClamAV on 3310 port, we need to allow incoming traffic through this port. In RHEL 7 run below command to add firewall rule -

Reference link:

Glossary

The MOSIP narrative and documentation uses terminology which can be hackneyed, cryptic or loaded at times. The ID industry also uses this terminology in different contexts will different shades of meaning. Here we provide a set of such terms and their interpretation in the context of mosip.

Note: This document is work in progress.

A Assurance Level

Authentication

AuthN and AuthZ

C Consent

D Demographic Auth

I Identity Verification

Contribute

Contributor's Guide

Where to start?

Refer to 'What is a foundational ID system' for a comprehensive overview of foundational ID systems and MOSIP.
Get to know the Technology Stack
Get to know the MOSIP github repo structure
If you do not have a GitHub account, create one here.
Deploy and try MOSIP using the MOSIP deployer for developers.
The code of conduct has some basic ethics that must while operating within the MOSIP community. Make sure you read it completely. If you have any queries/suggestions, direct them to [email protected].
If you are a developer willing to contribute to MOSIP, take a look at MOSIP Java coding standards.

Congratulations! You've successfully bootstrapped yourself into the world of MOSIP. Welcome aboard!

Areas of contribution?

Curious about where you can contribute? There are plenty of ways to get involved with MOSIP :

Requirements and Design

Share new requirements and ideas
Review and provide feedback on design and architecture

Coding

Fix issues and enhance features
Review code contributions
Triage and resolve bugs

Testing

Run tests on unstable builds
Create and add new tests
Fix test scripts and generate test data

Documentation

Correct and improve documentation
Test documentation and report any issues
Fix documentation issues
Localize documents (French, Arabic, and Spanish are currently in high demand!)

Ready to fix an issue?

Fantastic! Submit a pull request by following our code submission guidelines.

Found an Issue or Have an Enhancement Request?

Fantastic! We'd love to hear your feedback. If you've discovered an issue or have an idea for an enhancement, please submit it to our issues repository. Be sure to follow the issue reporting guidelines to help us address it efficiently. Your contributions are invaluable in helping us improve!

Running and enhancing tests

For the quality gurus and the testing geeks! Join the MOSIP testers group where you get to contribute towards improving the quality of MOSIP releases making it stable and better adoptable. Lots of material about the MOSIP functional test rig such as building and running the test rig, documentation to modify code, test scripts, and test data generation have been made available.

Getting in touch

We're here to assist you every step of the way!

Join the Developer Mailing List: Stay up-to-date with the latest announcements, discussions, and support from the MOSIP developer community.
Join Our Community Room via : Connect with fellow community members, ask questions, and get support from experienced developers. It's a great place to collaborate and learn from others!

Code of Conduct

Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.

Our Standards

Examples of behaviour that contributes to creating a positive environment include:

Using welcoming and inclusive language
Being respectful of differing viewpoints and experiences
Gracefully accepting constructive criticism
Focusing on what is best for the community
Showing empathy towards other community members

Examples of unacceptable behaviour by participants include:

The use of sexualised language or imagery and unwelcome sexual attention or advances
Trolling, insulting/derogatory comments, and personal or political attacks
Public or private harassment
Publishing others' private information, such as a physical or electronic address, without explicit permission
Other conduct which could reasonably be considered inappropriate in a professional setting

Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable behaviour and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behaviour.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviours that they deem inappropriate, threatening, offensive, or harmful.

Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.

Enforcement

Instances of abusive, harassing, or otherwise unacceptable behaviour may be reported by contacting the project team at [email protected]. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

Attribution

This Code of Conduct is adapted from the , version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html

For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq

Issue Reporting Guideline

Pre-requisite

MOSIP issues are maintained in Github. File the issue against the right repository.

Reporting Issues

Check if the issue is already reported.
Check if the issue is already fixed.
If not, just go and file the issue
Template for filing new issues

Describe the issue A clear and concise description of what the bug is.

To Reproduce Steps to reproduce the behavior:

Expected behavior A clear and concise description of what you expected to happen.

Actual behavior A clear and concise description of what you see.

Screenshots If applicable, add screenshots to help explain your problem.

Environment (please complete the following information): Hardware and software details such as client OS, Server OS, Browser details etc

Attach logs Helps in faster resolution of data

Additional context Add any other context about the problem here.

Features/Enhancement request guidelines

Check if the feature is already reported.
Check if the feature is already fixed.
If not, just go and file the feature request
Template for filing new feature request

What is the current limitation without the feature

Describe the feature request

What would the key benefits of this feature

Do you have any recommendations and solutions that are existing in the field

Any technology/solution recommendation would be highly appreciated

Coding Standards

Auth Angular User Guide

Guidelines to implement Authorization and Authentication techniques in the Angular application are detailed in this document.

Before going in to the components let us discuss the following flows of Authorization and Authentication.

Authentication flow:

Initially a login request is made passing user credentials to a REST API as specified in the SPECS of that API.
In the response of a successful authentication you will receive user details and an auth_token as the value of the header "Authorization".
Now the received auth token has to be stored and re-used. For example let us use sessionStorage to store the auth_token under the key "TOKEN".
Now any kind of HTTP/HTTPS requests we make from the application has to be sent by adding a header "Authorization" and value of auth_token stored in sessionStorage with key by name "Token" for the purpose of authentication.
If the response comes back with a new token which might be because of previous token getting expired or refresh token mechanisms that happen in the backend, we need to replace the old token with the new one in the session storage.

Authorization flow:

After successful login the user details are sent to the client(Angular application/ Browser).
Now store the userDetails in the sessionStorage for example under the key "UserDetails".
Now we need to hide some pages/components/user action elements etc. based on the roles that the user possess.

Implementation of above flows:

To implement the Authentication and Authorization flows mentioned above, all we need to do is implement an Interceptor and a Directive which were mentioned above and detailed below.

Http Interceptor

Tasks to be implemented in a Client/UI Http interceptor are:

Append "Authorization" header to the request using the token value stored in the session storage.
Replace/Add the session storage token value with the one received in the response "Authorization" headers.

Below code implements the requirements mentioned above:

import { Injectable } from '@angular/core';
import { HttpInterceptor, HttpRequest, HttpHandler, HttpResponse, HttpEvent, HttpEventType } from '@angular/common/http';
import { Observable } from 'rxjs';
import { map, catchError, tap } from 'rxjs/operators';

@Injectable({
  providedIn: 'root'
})

export class InterceptService implements HttpInterceptor {
  constructor() { }

  intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    const token = sessionStorage.getItem('TOKEN');
    if (token) {
      request = request.clone({
        setHeaders: {
          'Authorization': token
        }
      });
    }

    return next.handle(request).pipe(tap(event => {
      if (event instanceof HttpResponse) {
        const receivedToken = event.headers.get('Authorization');
        if (receivedToken) {
          sessionStorage.setItem('TOKEN', receivedToken);
        }
      }
    }, err => {
      console.log(err);
    }));
  }
}

Roles Directive

Role of the Roles directive is to fetch roles from UserDetails stored in the session storage and verify if the user has required roles to perform some action or read some details and restrict access accordingly.

Below code implements the requirements mentioned above:

import { Directive, TemplateRef, ViewContainerRef, Input, ElementRef } from '@angular/core';

@Directive({
  selector: '[appRole]'
})

export class RoleDirective {
  userRolesString: any;
  userRoles: Array<string>;
  shouldDisplay = false;
  requiredRoles: Array<string>;

  constructor(private element: ElementRef) { }

  @Input() set appRole(roles: string) {
    this.element.nativeElement.hidden = true;
    const userSessionData = sessionStorage.getItem('UserDetails');
    this.userRolesString = JSON.parse(userSessionData).role;
    this.userRoles = this.userRolesString.split(',');
    this.requiredRoles = roles.split(',');
    this.shouldDisplay = this.userRoles.some(v => this.requiredRoles.indexOf(v) !== -1);
    if (this.shouldDisplay) {
      this.element.nativeElement.hidden = false;
    }
  }
}

Now inject the above interceptor and directive in the app.module.ts as follows

@NgModule({
  declarations: [ RoleDirective, ...],
  imports: [...],
  providers: [{
    provide: HTTP_INTERCEPTORS,
    useClass: InterceptService,
    multi: true
  }, ...],
  bootstrap: [AppComponent]
})

To activate/deactivate => show/hide element all we need to do is add the appRole attribute to the HTML element as shown below:

<button class="btn btn-success" appRole="DIVISION_ADMIN,SUPERVISOR">Add</button>

In the above sample, the add button will only be visible for users with DIVISION_ADMIN or SUPERVISOR role.

Note: Above mentioned code snippets are not the final implementations. Based on the API specs and a few other factors the method implementations might change a bit. However, the component structures remain the same.

Auth SpringBoot User Guide

This document lists out the instructions on how to use the in a Spring Boot application.

Step 1:
Step 2:
Step 3:

Inject required libraries

Add the Auth Adapter module to your project as a maven dependency

Add ComponentScan annotation as shown below to your project. This is to create auth adapter bean.

Attach annotations to authorize endpoints

To restrict access to your endpoints, you need to add the @PreAuthorize annotation. Look at the below example for reference.

There are few more methods available apart from hasAnyRole like hasRole. Look in to the documentation for more details.

Note: Now we support only hasRole and hasAnyRole methods.

Use restTemplate for Http calls

To make any kind of HTTP or HTTPS calls to a mosip's micro service that also injected the Auth Adapter, use the standard RestTemplate capabilities as shown below.

Intially autowire the RestTemplate in the class where you are going to make an API call.

Now make the call using the autowired restTemplate as shown in the sample below:

Note: Do not create a new instance of the RestTemplate instead use the autowired one.

Gitub Workflow

Purpose

The recommended Github work flow here is for developers to submit code and documentation contributions to MOSIP open source repositories.

Setup

Fork MOSIP repository of interest from https://github.com/mosip/

Clone the fork to your local machine. Eg:

$ git clone https://github.com/<your_github_id>/commons.git

Set upstream project as the original from where you forked. Eg:

$ cd commons
$ git remote add upstream https://github.com/mosip/commons.git

Make sure you never directly push to upstream.
```
$ git remote set-url --push upstream no_push
```
Confirm the origin and upstream.
```
$ git remote -v
```

Code changes

Create a new issue in MOSIP Jira.
You may work on master, switch to a branch (like Release branch) or create a new branch.
Make sure you are up-to-date with upstream repo.
```
$ git pull upstream <branch> 
```
Once you are done with the work, commit your changes referring to Jira number in the commit message. Eg:
```
$ git commit -m "[MOS-2346] Adding new upload feature in Pre registration module for POA documents"
```
Once again ensure that you are up-to-date with upstream repo as it may have moved forward.
```
$ git pull upstream <branch> 
```
Build and test your code. Make sure it follows the coding guidelines.
Push to your forked repo (origin).
```
$ git push 
```
Create a pull-request on your forked repo. Direct the pull-request to master or any specific branch on upstream (like a Release branch).
Make sure the automatic tests on Github for your pull-request pass.
The pull-request shall be reviewed by reviewers.

Security Tools

Product Name

Description

Purpose

Com/Open Source

find_sec_bugs

Scans source code for vulnerable code, Has the abilty to integrate into developer machine. Effective with Java

SAST

Open Source

Yes

A SASS based source code review platform. Its free for open source projects. Can do both Java and javascript

SAST

Free

Yes

OWASP Zap proxy

This is the best we have and we should use the ZAP and automate all tests

DAST

Open Source

Yes

MS Baseline security Analyzer

In case we use a windows infrastructure then this tool is usefull.

Hardening

Free

Open Scap

We will need to create a custom profile and should be able to scan for hardened OS

Hardening

Free

Yes

Open Scap

Docker scanning

Docker scan

Free

Yes

Nessus Vulnerability Scanner

Vulnerability Scanning

Commercial

Kali linux

OS with all the necessary tools to perform a pentest. This would be a lab setup and would be used as part of UAT testing

Penetration Testing

Open Source

Skipfish

Hacking tool set from google.

DAST

Open Source

Burp suite

A web proxy used for penetration testing of web applications

DAST

Commercial

Courtesy : Sasikumar Ganesan

Testing

Test Rig Design

Table Of Content

Test Rig Definition

Test Rig represents a one click automation to build, deploy and test a software module. Successful execution of test rig would ascertain complete setup of the MOSIP platform.

Test-Rig comprises of multiple components starting from:

Kubernetes env setup
Pulling the source code from the GIT repository
Running sonarqube tests for static code analysis
Building the application using maven
Automated application deployment using Kubernetes
Running automated unit tests
Running automated tests to verify and validate the application build against the given requirements.

Test Automation

MOSIP platform architecture is mainly based on Micro services and SEDA architecture. Therefore it predominantly comprises of Rest & JAVA APIs. Therefore test automation best serves the purpose of detailed API level testing. Test automation is the key to the successful testing of individual APIs and their interrelation with interdependent APIs. It ensures comprehensive test coverage and test data.

Automation deliverables mainly comprises of individual module level suites for the individual MOSIP modules:

Pre-Registration
Registration Client
Registration Processor
IDA
Kernel

Additionally there will be an end to end, system level test suite that will cut across all modules covering the functionality

Module Level Automation Suites

The below diagram depicts the various building blocks of the module level suite.

Salient features

The automation suite is configurable to selectively execute tests such as Sanity or/and Regression
Each module level suite covers API and inter API automation

The individual module level test suites and the end to end suite are triggered via the CI/CD pipeline and run post application deployment

The user guides listed below detail the usage of individual module level automation suites

System Level or E2E Automation Suite (Test Rig)

End to end system level Test Rig covers the functionality across the modules starting with Pre-Registration and ending in Registration Processor or IDA.

The below diagram depicts the overall design of the end to end suite.

Testing Attachments Kernel

APIs

Admin Services Functionality

The admin portal integrates with the key cloak IAM to store users and provides login functionality. When an administrator accesses the homepage or any page on the admin portal through a browser, the portal detects if the administrator is already logged-in or not. If not, the system re-directs the administrator to the key cloak login user interface which requests the administrator for his/her username and password. After getting the credentials, key cloak verifies the administrator’s credentials and role. It also validates whether the administrator is not deactivated. After successful validation of the credentials, the system then re-directs the administrator to the page he/she initially landed on.

Logout

Manual logout

If an administrator wishes to logout of the admin portal, he/she can opt to select the logout option from the profile menu on the administrator UI. The system logs out the administrator.

Auto logout

If the user is inactive for 'X' minutes (where 'X' is configurable), the system logs out the user automatically. In such case, the system will not save any user’s data.

Account management

Using the portal, user will manage his/her profile. The portal users are central admin, central approver, zonal admin, zonal approver, registration center head, registration supervisor, and registration officer.

Resource management

Center management

Admin portal allows an administrator to manage registration centers, setup by the country for taking registrations of the residents. Center management includes functionalities like viewing, creating, editing, activating, deactivating and decommission of centers. An administrator should have the role of a zonal admin/global admin to do this. A zonal admin/global admin can manage only centers under his/her administrative zone.

View center

The admin portal allows an admin to view the list of all registration centers available in the jurisdiction of his/her administrative zone. The system does not fetch the details of decommissioned registration centers but only active and inactive centers. Admin portal UI shows the list of registration centers in only the country configured primary language.

The administrator can filter the list of registration centers based on following parameters:

Center name
Center type
Status
Location hierarchy (all location levels)

Besides the list view, an administrator can also view the detail of a registration center by clinking on a center name in the list view. This detail view shows all the details of a registration center in all the country configured languages.

The registration center list view screen is built using a templatized approach.

Create center

An admin can create a center by providing necessary mandatory details. A center needs to be created in both configured primary and secondary language. Although the portal will allow creation of a center in only primary language but will not allow activation of that center until data for that center is not updated for all the languages.

A center is created with the following attributes:

Center name, center type, address, latitude, longitude, location, contact phone, contact person, working hours, no. of kiosk, center start time, center end time, lunch start time, lunch end time, time zone, holiday zone and administrative zone the center belongs to. A center can only be mapped to the administrative zone at the lowest zonal hierarchy. While defining centers, An admin can also define the working days of the week for a center and any exceptional holidays that might be applicable for a particular center.

While entering data through UI in multiple languages, the dropdown values and numeric values entered in primary language gets automatically captured in all language. But the text fields (e.g., center name) needs to be manually input in all the languages.

Update center

Once a center is created, an admin can edit a center later if required. The update can include adding the details in another required language that were missed during creation of the center or changing the details of a center itself.

All the attributes mentioned in the 'Create center' section can be updated for a center.

Activate/Deactivate/Decommission center

An admin can deactivate or decommission a center through the admin portal.

Deactivation refers to a temporary shut down while decommission refers to a permanent shut down of the center. Decommissioning a center also automatically deactivates the center. In cases, where a center has some resources mapped to it (e.g. machines, devices or users), the portal won't allow the admin to decommission such a center.

Difference between deactivated and decommissioned center is that a deactivated center can later be activated later through admin portal as required by the country. But a decommissioned center cannot be bought into commission again as decommission refers to a permanent shutdown. To reactivate such a center (if decommissioned by mistake), the admin must directly update the database through the back-end scripts.

Machine management

Admin portal allows an administrator to manage machines the country will use for taking registration of the residents. The definition of machine is the device on which the registration client is installed. Machine management includes viewing, creating, editing, activating, deactivating and decommission of machines. An administrator should have the role of a zonal admin/global admin to do this. An admin can manage only machines under his/her administrative zone.

View Machine

The Admin portal allows an admin to view the list of all machines available in the jurisdiction of his/her administrative zone. The system does not fetch the details of decommissioned machines but only active and inactive machines. Admin portal UI shows the list of machines in only the country configured primary language.

The admin can filter the list of machine based on following parameters:

Machine name
Mac address
Serial number
Status
Map status
Machine type

Besides the list view, an administrator can also view the detail of a machine by clinking on a machine name in the list view. This detail view shows all the details of a machine in all the country configured languages.

Create machine

An admin can create a machine by providing necessary mandatory details. A machine needs to be created in both configured primary and secondary language. Although the portal will allow creation of the machine in only primary language but will not allow activation of that machine until data for that machine is not updated for all the languages.

A machine is created with the following attributes:

Machine ID, machine name, mac address, serial number, machine spec ID and administrative zone the machine belongs to.

While entering data through UI in multiple languages, the dropdown values and numeric values entered in primary language gets automatically captured in all language. But the text fields (e.g., machine name) needs to be manually input in all the languages. A machine can be mapped to the administrative zone which is at the any zonal hierarchy.

Update machine

Once a machine is created, an admin can edit a machine later if required. The update can include adding the details in another required language that were missed during creation of the machine or changing the details of a machine itself. All the attributes mentioned in the 'Create machine' section can be updated for a machine.

Activate/Deactivate/Decommission machine

An admin can deactivate or decommission a machine through the admin portal.

Deactivation refers to a temporary shut down while decommission refers to a permanent shut down of the machine. Decommissioning a machine also automatically deactivates the machine. In cases, where a machine is mapped to any center, the portal won't allow the admin to decommission such a machine.

Difference between deactivated and decommissioned machine is that a deactivated machine can later be activated through admin portal after a period as required by the country. But a decommissioned machine cannot be bought into commission again as decommission refers to a permanent shutdown. To reactivate such a machine (if decommissioned by mistake), the admin must directly update the database through the back-end scripts.

Map/Un-map/Re-map Machine to a Center

Admin portal allows an admin to map machines to a center. This mapping specifies as to which center the machine will be used in. A machine can only be mapped to a center which belongs under the machine's administrative zone.

A machine can later be un-mapped from the center in cases where a machine is needed to be moved to another center. In such cases, the machine will later need to be mapped to the new center. In case the machine is required to be mapped to a registration center outside the administrative zonal restriction, the administrative zone of the machine must be changed.

Device Management

Admin Portal allows an Administrator to manage Devices the Country will use for taking Registration of the Residents. These includes Device for bio-metric capture (Fingerprint, Iris, Web camera etc.) Device management includes Viewing, Creating, Editing, Activating, Deactivating and Decommission of Devices. An Administrator should have the role of a Zonal Admin/Global Admin to do this. A Zonal Admin can manage only Devices under his/her administrative zone.

View Device

The Admin portal allows an Admin to view the list of all Devices available in the jurisdiction of his/her administrative zone. The system does not fetch the details of Decommissioned Devices but only Active and Inactive Devices. Admin portal UI shows the list of Devices in only the country configured Primary Language.

The Admin can filter the list of Registration Centers based on following parameters:

Device Name
Mac Address
Serial Number
Status
Map Status
Device Type
Device Spec ID

Besides the list view, an Administrator can also view the detail of a Device by clinking on a Device Name in the List view. This Detail view shows all the details of a Device in all the country configured languages.

Create Device

An Admin can create a Device by providing necessary mandatory details. A Device needs to be created in both configured Primary and Secondary languages. Although the Portal will allow creation of the Device in only primary language but will not allow activation of that Device until data for that Device is not updated for all the languages.

A Device is created with the following attributes:

Device ID, Device Name, Mac Address, Serial Number, Device Spec ID and Administrative Zone the Device belongs to. A Machine can be mapped to the Administrative Zone which is at the any Zonal hierarchy.

While entering data through UI in multiple languages, the dropdown values and numeric values entered in primary language gets automatically captured in all language. But the text fields (e.g., Device Name) needs to be manually input in all the languages.

Update Device

Once a Device is created, an Admin can edit a Device later if required. The Update can include adding the details in another required language that were missed during creation of the Device or changing the details of a Device itself.

All the attributes mentioned in the 'Create Machine' section can be updated for a Machine.

Activate/Deactivate/Decommission Device

An Admin can Deactivate or Decommission a Device through the Admin Portal.

Deactivation refers to a temporary shut down while Decommission refers to a permanent shut down of the Device. Decommissioning a Machine also automatically deactivates the Machine. In cases, where a Device is mapped to any Center, the portal won't allow the Admin to decommission such a Device.

Difference between Deactivated and Decommissioned Device is that a Deactivated Device can later be Activated through Admin Portal after a period as required by the country. But a Decommissioned Device cannot be bought into commission again as decommission refers to a permanent shutdown. To reactivate such a Device (if decommissioned by mistake), the Admin must directly update the database through the back-end scripts.

Map/Un-map/Re-map Device to a Center

Admin portal allows an Admin to map each Device to a Center. This mapping specifies as to which Center the Device will be used in. A Device can only be mapped to a Center which belongs under the Device’s Administrative Zone.

A Device can later be un-mapped from the Center in cases where a Device is needed to be moved to another Center. In such cases, the Device will later need to be mapped to the new Center. In case the Device is required to be mapped to a Registration Center outside the Administrative Zonal Restriction, the Administrative Zone of the Device must be changed.

Refer to section on more details of CRUD APIs used in above mentioned features.

User Management

MOSIP uses Keycloak as an IAM (Identity access management tool) for managing Users. These users are internal users of MOSIP including Registration Officers, Registration Supervisors, Zonal Admins, Global Admins etc.

User Management includes Viewing, Creating, Editing, Activating, Deactivating and Blacklisting of Users.

Map/Un-map User to a Registration Center

Admin portal allows an Admin to map Users to a Center. This mapping specifies as to which Center the User will be used in. A User can only be mapped to a Center which belongs under the User’s Administrative Zone.

A User can later be un-mapped from the Center in cases where a User is needed to be moved to another Center. In such cases, the User will later need to be mapped to the new Center. In case the User is required to be mapped to a Registration Center outside the Administrative Zonal Restriction, the Administrative Zone of the User must be changed.

Administrative Zone Management

Administrative Zones are virtual boundaries which a country can define to better manage their resources which are used during registrations. These resources includes Centers, Users, Machines and Devices. These zones can be defined in a hierarchical fashion and a country can allocate resources to such zones based on their requirements.

Resources under each zone is managed by a Zonal Admin. This is done by assigning an Administrative zone to the Zonal Admin during user creation. These Zonal Admins can exist at any zonal hierarchy. (For e.g, a Zonal Admin can directly be mapped to the whole country as a Zone or can be mapped to a significantly smaller zone such as a city). Thus these resources when mapped to an Administrative Zone can only be managed by the Admin of that Zone.

Master Data Management

Admin Portal allows an Administrator to manage Masterdata applicable for a Country. These data includes list of Genders, list of Holidays, Templates etc. This data is used by all the modules across MOSIP which includes Pre-Registration, Registration Client, Registration processor and ID-Authentication. An Administrator should have the role of a Global Admin to manage Masterdata.

View Master Data Types

The portal allows a Global Admin to view the list of Masterdata types. Through this list, the global admin can click on any of them and can view the data for that particular Masterdata table.

View Master Data for Each Table

The portal allows the Global Admin to view the data of any Masterdata which are applicable to a country. The Administrator can access these list views by clicking on a type of Masterdata in the Masterdata Types Screen.

Each of these List views consumes the same UI template and allows following features:

List view shows data of a Masterdata Type only in the country configured Primary Language.
The Global Admin can access pagination features on each list screens. These includes selecting no. of rows to be displayed on the list view and options to jump to next or previous set of records.
The Global Admin can sort the data by any column on the list view
The List view also allows the Global Admin to directly activate or deactivate a Masterdata record from list view itself
The List view also supports filtering by multiple attributes. The attribute can either have a drop-down or a search box which an Admin can use to input values for filtering the values. The search box supports wildcard search as listed below
- text*: implies "Starts with" search
- *text: implies "Contains in" search
- text: implies exact match search

Since not all the attributes for a Masterdata record will be shown on the list view, the Global Admin can them all on the Masterdata detail view page. This view can be accessed by clicking on a record in the list view. The detail view will show all the details of a Masterdata record in all the languages configured by the country. The Global Admin can also activate/deactivate the record from detail view page.

Manage Master Data

Manage Document Type (View, Create, Update, Activate, Deactivate)

Document types is the list of Documents a country will configure for the users to give during registrations.

View Document Types

The Global Admin can view list of all the available Document Types on the Admin UI portal. The portal shows both activated or deactivated Document Types. The Admin can filter the list of Document Types based on Document Name(Search box) and Status (Drop-down).

Create/Update Document Types

Using the portal, the Global Admin can create the document type providing the Document name and description if applicable. A Document type needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Document type in only primary language but will not allow activation of that Document type until data for that Type is not updated for all the languages. A deactivated document type will not show up on the Pre-Registration/Registration Client UI. While entering the data, the text fields (e.g., Document Type Name) needs to be manually input in all the languages. After successful creation, a Document type code will be generated.

Admin Portal also allows modification of any detail of a Document type. The modification includes either adding the details in another language that were missed during creation of the Document type or changing the details of a Document Type itself including name, description etc.

Activate/Deactivate Document types

The portal allows Zonal Admin to activate or deactivate a document type. Deactivation of a document type can be done if the country feels the document type is not applicable anymore. Thus, deactivated documents does now show up on the Pre-Registration and Registration Client UI. The Activation/Deactivation functionality can be accessed from both the list view or the detail view page of Document Types

View Document Categories

The Global Admin can view list of all the available Document Categories as created by the Country in Masterdata. The portal shows both activated or deactivated Document Categories. The Admin can filter the list of Document Categories based on Status (Drop-down).

Create/Update Document Categories

Using the portal, the Global Admin can create the document category providing the Document Category name and description if applicable. A Document category needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Document category in only primary language but will not allow activation of that Document category until data for that Cateagory is not updated for all the languages. A deactivated document category will not show up on the Pre-Registration/Registration Client UI. While entering the data, the text fields (e.g., Document category Name) needs to be manually input in all the languages. After successful creation, a Document category code will be generated.

Admin Portal also allows modification of any detail of a Document category . The modification includes either adding the details in another language that were missed during creation of the Document category or changing the details of a Document category itself including name, description etc.

View mappings of Document Categories and Document Types

The portal allows an Global Admin to view Document Categories along with its mapped and un-mapped Document Types. From the view screen itself, the Global Admin can map or un-map the Documents from a Document Category.

Map/Un-map Document Type to Document Category

The portal allows the Global Admin to map the available Document types to a Document category. This feature helps the country define as to which document falls under which category. Each Document can be mapped to multiple categories depending on the country's requirement.

View Location Data

The Global Admin can view list of all the Locations created by the country on the Admin UI portal. This list of locations defined shows up on the Pre-Registration and Registration UI while typing the address. The portal shows both activated or deactivated Locations Types. The Admin can filter the list of Locations based on Status (Drop-down) and each Location level (Search Box).

Create/Update Location Data

Using the portal, Global Admin can create/update the location data by providing location name and the parent hierarchy of that location. A location needs

A Location needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Location in only primary language but will not allow activation of that Location until data for that Location is not updated for all the languages. A deactivated Location will not show up on the Pre-Registration/Registration Client UI. While entering the data, the text fields (e.g., Document Type Name) needs to be manually input in all the languages. After successful creation, a Location code will be generated.

Admin Portal also allows modification of any detail of a Location. The modification includes either adding the details in another language that were missed during creation of the Location or changing the details of a Location itself including name, parent hierarchy etc.

Activate/Deactivate Location data

The portal allows activation or deactivation of a Location. Deactivation of a Location can be done if the country feels the Location is not applicable anymore. Thus, deactivated locations does now show up on the Pre-Registration and Registration Client UI. The Portal won't allow deactivation of a Location if any child of that location is still active. The Admin will have to first deactivate all the child locations before deactivating a parent location. The Activation/Deactivation functionality can be accessed from both the list view or the detail view page of Location data.

View Blacklisted Words

The Global Admin can view list of all the available Blacklisted words on the Admin UI portal. The portal shows both activated or deactivated Blacklisted words. Blacklisted words in the only Masterdata which is language independent and will show the data in all the languages unlike the rest of the Masterdata tables which will show data only in primary language. The Admin can filter the list of Blacklisted Words based on Status (Drop-down), Word (Search Box) and Language (Drop-Down).

Create/Update Blacklisted Word

Using the portal, the Global Admin can create the Blacklisted Word providing the Word, Description (if applicable) and Language in which the blacklisted word in being added. While entering the data, the text fields (e.g., Word, Description) needs to be manually input in all the languages. Admin Portal also allows modification of any detail of a Blacklisted Word. The modification includes either changing the word altogether or changing the description itself.

Activate/Deactivate Blacklisted Word

The portal allows activation or deactivation of a Blacklisted Word. Deactivation of a Blacklisted Word can be done if the country feels the Blacklisted Word is not applicable anymore. The Activation/Deactivation functionality can be accessed from both the list view or the detail view page of Blacklisted Word.

View Registration Center Types

Registration Center Type indicates the type of Centers a country can have. Some examples can be Regular, Mobile, temporary etc. The Global Admin can view list of all the available Registration Center Types on the Admin UI portal. A Registration Center while creation, can be assigned to a Center Type as defined by the country. The portal shows both activated or deactivated Center Types. The Admin can filter the list of Center Types based on Status (Drop-down).

Create/Update Registration Center Types

Using the portal, the Global Admin can create the Registration Center Type providing the Registration Center Type name and description if applicable. A Registration Center Type needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Registration Center Type in only primary language but will not allow activation of that Registration Center Type until data for that Type is not updated for all the languages. While entering the data, the text fields (e.g., Registration Center Type Name) needs to be manually input in all the languages. After successful creation, a Registration Center Type code will be generated.

Admin Portal also allows modification of any detail of a Registration Center Type. The modification includes either adding the details in another language that were missed during creation of the Registration Center Type or changing the details of a Registration Center Type itself including name, description etc.

View Machine Types

Machine Type indicates the type of Machines a country uses to take registrations. The Global Admin can view list of all the Machine Types on the Admin UI portal. A Machine while creation, can be assigned to a Machine Types as defined by the country. The portal shows both activated or deactivated Machine Types.

Create/Update Machine Types

Using the portal, the Global Admin can create a Machine type providing the Machine type name and description if applicable. A Machine type needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Machine type in only primary language but will not allow activation of that Machine type until data for that Type is not updated for all the languages. While entering the data, the text fields (e.g., Machine type Name) needs to be manually input in all the languages. After successful creation, a Machine type code will be generated.

Admin Portal also allows modification of any detail of a Machine Type. The modification includes either adding the details in another language that were missed during creation of the Machine Type or changing the details of a Machine Type itself including name, description etc.

View Machine Specifications

Machine specification indicates the Brand, Make and Model of a Machine a country uses to take registrations. The Global Admin can view list of all the Machine Specifications on the Admin UI portal. A Machine while creation, can be assigned to a Machine Specification as required by the country. The portal shows both activated or deactivated Machine Specification. The Admin can filter the list of Machine Specifications based on Status (Drop-down), Name (Search Box), Brand (Search Box), Model (Search Box), and Machine type (Search Box).

Create/Update Machine Specifications

Using the portal, the Global Admin can create the Machine Specification providing the Machine Specification name, brand, make and model. A Machine Specification needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Machine Specification in only primary language but will not allow activation of that Machine Specification until data for that Specification is not updated for all the languages. While entering the data, the text fields (e.g., Machine Specification Name) needs to be manually input in all the languages. After successful creation, a Machine Specification ID will be generated.

Admin Portal also allows modification of any detail of a Machine Specification. The modification includes either adding the details in another language that were missed during creation of the Machine Specification or changing the details of a Machine Specification itself including name, brand etc.

View Device Types

Device Type indicates the type of Devices a country uses to take registrations. This device types includes Fingerprint scanner, Iris Scanner, Web camera, Document scanner etc. The Global Admin can view list of all the Device Types on the Admin UI portal. A Device while creation, can be assigned to a Device Types as defined by the country.

The portal shows both activated or deactivated Device Types. The Admin can filter the list of Device types based on Status (Drop-down) and Name (Search Box).

Create/Update Device Types

Using the portal, the Global Admin can create a Device type providing the Device type name and description if applicable. A Device type needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Device type in only primary language but will not allow activation of that Device type until data for that Type is not updated for all the languages. While entering the data, the text fields (e.g., Device type Name) needs to be manually input in all the languages. After successful creation, a Device type code will be generated.

Admin Portal also allows modification of any detail of a Device Type. The modification includes either adding the details in another language that were missed during creation of the Device Type or changing the details of a Device Type itself including name, description etc.

View Device Specifications

Device specification indicates the Brand, Make and Model of a Device a country uses to take registrations. The Global Admin can view list of all the Device Specifications on the Admin UI portal. A Device while creation, can be assigned to a Device Specification as required by the country. The portal shows both activated or deactivated Device Specification. The Admin can filter the list of Device Specifications based on Status (Drop-down), Name (Search Box) and Device type (Search Box).

Create/Update Device Specifications

Using the portal, the Global Admin can create the Device Specification providing the Device Specification name, brand, make and model. A Device Specification needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Device Specification in only primary language but will not allow activation of that Device Specification until data for that Specification is not updated for all the languages. While entering the data, the text fields (e.g., Device Specification Name) needs to be manually input in all the languages. After successful creation, a Device Specification ID will be generated.

Admin Portal also allows modification of any detail of a Device Specification. The modification includes either adding the details in another language that were missed during creation of the Device Specification or changing the details of a Device Specification itself including name, brand etc.

View Individual Types

Individual Type indicates the category in which a country might want to categorize residents in. Foreigner, Non-Foreigner, Immigrant are some examples of Individual Types. These can be defined by the country in Masterdata are required by them. The Global Admin can view list of all the defined Individual Types on the Admin UI portal. The portal shows both activated or deactivated Individual Types.

Create/Update Individual Types

Using the portal, the Global Admin can create the Individual Type providing the Individual Type name and description if applicable. A Individual Type needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Individual Type in only primary language but will not allow activation of that Individual Type until data for that Type is not updated for all the languages. A deactivated Individual Type will not show up on the Pre-Registration/Registration Client UI. While entering the data, the text fields (e.g., Individual Type Name) needs to be manually input in all the languages. After successful creation, a Individual Type code will be generated.

View List of Holidays

List of Holiday defines all the public holiday a applicable for a country. These holidays are on of the criteria for Pre-Registration to generate appointments. The holidays only define the public holidays and not the week-end days for the country. The Global Admin can view list of all the defined Holidays on the Admin UI portal. The portal shows both activated or deactivated Holidays. The Admin can filter the list of Holidays based on Status (Drop-down), Date Range (Search Box) and Name (Search Box).

Create/Update Holidays

Using the portal, the Global Admin can create a Holiday providing the Document Category name, date, location, and description if applicable. A Holiday needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Holiday in only primary language but will not allow activation of that Holiday until data for that Holiday is not updated for all the languages. A deactivated Holiday will not be considered for appointment generation in Pre-Registration While entering the data, the text fields (e.g., Holiday Name) needs to be manually input in all the languages. After successful creation, a Holiday ID will be generated.

Admin Portal also allows modification of any detail of a Holiday. The modification includes either adding the details in another language that were missed during creation of the Holiday or changing the details of a Holiday itself including name, description etc.

View List of Templates

List of Templates contains all the notification templates used by MOSIP to send notifications to the Users or Residents. This notification includes OTP notification, Acknowledgment Notifications etc. Even acknowledgement shown on the Pre-Registration UI is defined in the template Masterdata. Each template in the Masterdata has a description defined for it which indicates as to where the template is being used in MOSIP. The Global Admin can view list of all the defined Holidays on the Admin UI portal. The portal shows both Activated or Deactivated Templates. The Admin can filter the list of Templates based on Status (Drop-down), Name (Search Box), Module Name (Drop-down) and Module ID (Drop-down).

Create/Update Templates

Using the portal, the Global Admin can create a Template providing the Template name, Template Text, Template type and description if applicable. A Template needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Template in only primary language but will not allow activation of that Template until data for that Template is not updated for all the languages. A deactivated Template will not be used thorughout MOSIP. While entering the data, the text fields (e.g., Template Name) needs to be manually input in all the languages. After successful creation, a Template ID will be generated.

Admin Portal also allows modification of any detail of a Template. The modification includes either adding the details in another language that were missed during creation of the Template or changing the details of a Template itself including name, description etc.

View Titles

List of Titles contains all the salutations defined by a country in all the country defined languages. The Global Admin can view list of all the defined Holidays on the Admin UI portal. The portal shows both Activated or Deactivated Titles. The Admin can filter the list of Titles based on Status (Drop-down).

Create/Update a Title

Using the portal, the Global Admin can create the Title providing the Title name and description if applicable. A Title needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Title in only primary language but will not allow activation of that Title until data for that Title is not updated for all the languages. While entering the data, the text fields (e.g., Title Name) needs to be manually input in all the languages. After successful creation, a Title code will be generated.

Admin Portal also allows modification of any detail of a Title . The modification includes either adding the details in another language that were missed during creation of the Title or changing the details of a Title itself including name, description etc.

View Gender Types

List of Gender Types contains all the Gender types defined by a country. The Global Admin can view list of all the defined Genders on the Admin UI portal. The portal shows both Activated or Deactivated Gender types.

Create/Update Gender Types

Using the portal, the Global Admin can create a Gender Type providing the Gender Type nameand description if applicable. A Gender Type needs to be created in both configured Primary and Secondary language. Although the Portal will allow creation of a Gender Type in only primary language but will not allow activation of that Gender Type until data for that Gender Type is not updated for all the languages. A deactivated Gender Type will not show up on the Pre-Registration/Registration Client UI. While entering the data, the text fields (e.g., Gender Type Name) needs to be manually input in all the languages. After successful creation, a Gender Type code will be generated.

Admin Portal also allows modification of any detail of a Gender Type. The modification includes either adding the details in another language that were missed during creation of the Gender Type or changing the details of a Gender Type itself including name, description etc.

Packet Status Check (based on RID)

A Registration packet generated in Registration Client is sent to Registration Processor for further processing and UIN generation. Using the Portal, A Zonal Admin can view the status of a packet by giving the RID of the packet. The packet status will contain all the stages the packet has passed through along with the last stage the packet is in. In case the packet has not been processed or is marked for Re-Send/Re-Register, the admin will be able to view specific comments indicating the reason for that particular status.

Device Provider Management

All the bio-metric devices which will be used for Authentication and Registration needs to be registered with MOSIP. Unless these devices are not registered, they cannot be used for capturing resident Bio-metrics for registrations or authentication.

For managing these devices, MOSIP needs to store details of following four entities:

Device Provider
Foundational Trust Providers
MOSIP Complaint MDS services
Biometric Devices (Registered and White-listed)

Device Providers (Create/Update)

Device Providers are the vendors supplying devices for Registration or Authentication. This device provides are needed to be registered before the devices of this providers are getting registered.

An MOSIP Administrator can register each Device Provider with MOSIP by storing the attributes Vendor Name, Vendor Address, Contact Number, Email, Status (Active/Inactive) and Certificate Alias. The status of a Device Provider is automatically marked as ‘Active’ during the creation. After successful registration, a unique Device Provider ID is generated by MOSIP for each device provider. In case a device provider is getting registered with an already existing name and address, Admin portal won’t allow the creation of such a Provider.

Admin portal will also allow an Admin to update details of the Device Provider including the Name, Address, Contact Details and Status. Changing the status from Active to Inactive will render that provider inactive and any biometric received from a device of such a provider will fail the validation checks and thus rejecting the Auth/Registration request. Any creation and modification in the details of a Device Providers is maintained in a history table to future references.

Foundational Trust Providers (Create/Update)

MOSIP will use two types of devices. L0 devices (encryption is done on the host machine device driver or the MOSIP device service) and L1 (capable of performing encryption in device’s trusted module). A Foundational Trust Provider provides this module which is then put in the L1 devices during manufacturing. These Foundational Trust Providers are identified before-hand and are registered with MOSIP.

An MOSIP Administrator can register each Foundational Trust Provider with MOSIP by storing the attributes Trust Providers Name, Trust Providers Address, Contact Number, Email, Status (Active/Inactive) and Certificate Alias. The status of a Foundational Trust Provider is automatically marked as ‘Active’ during the creation. After successful registration, a unique Foundational Trust Provider ID is generated by MOSIP for each Foundational Trust Provider. In case a Foundational Trust Provider is getting registered with an already existing name and address, Admin portal won’t allow the creation of such a Trust Provider.

Admin portal will also allow an Admin to update details of the Foundational Trust Provider including the Name, Address, Contact Details and Status. Any creation and modification in the details of a Foundational Trust Providers is maintained in a history table to future references.

MOSIP Complaint MDS services (Create/Update)

Every Registration/Auth Device needs to use a MDS (MOSIP Device Service) to communicate with MOSIP. Each MDS needs to be registered before-hand with the MOSIP. A MOSIP Administrator can register each MDS with MOSIP by storing the attributes Software Version, Provider ID, Device Type Code, Device Sub-Type, Make, Model, Software Created Date, Software Expiry Date and Software’s Binary hash. The status of a MDS is automatically marked as ‘Active’ during the creation. After successful registration, a unique Service ID is generated by MOSIP for each MDS.

There will always be a unique service ID of an MDS against a unique combination of a Software Version, Provider ID, Device Type, Device Sub Type, Make and Model. Thus, no two MDS can exist with same above-mentioned combination. Admin portal will also allow an Admin to update details of an MDS. Any creation and modification in the details of a MDS is maintained in a history table to future references.

Devices (Register/De-Register)

Devices are categorized in two types based on the usage. Registration Devices (used during registrations in Registration Client) and Auth Devices (used during authentication through Partners). Before being used, these devices are needed to be registered in MOSIP using the Register/De-Register API.

The Device is needed to be registered with the following attributes.

Device ID – Mandatory
Purpose – [Registration or Auth]
Device Sub Ids - (optional)
Signed Digital ID
Firmware
Device Expiry - (optional)
Certification Level – L0 or L1
Timestamp - ISO format date time with time-zone
Foundational Trust provider ID - Required only if certification level received is L1

Digital ID will be a signed base64 encoded Json Object. It will be decoded and stored in the Registered Device Table once the signature is validated with the root certificate issued to each Device Provider (for L0 devices) or Foundational Trust Provider (for L1 devices).

Registration Device can only be registered if they exist in the list of white-listed devices. Once a device is registered, a unique device code is generated for each device. For Registration devices, the code comes from the white-list table.

Once the device is registered, there details should not be changed. However, an Admin can change the status of the device. The device can have three different statuses: Registered, Retired, and Revoked. Once retired, a device can be re-registered by updating the its status, although same is not the case of Revoked devices as they cannot be re-registered once revoked. Any creation and modification in the details of a Device is maintained in a history table to future references.

Device Detail Validation

Device Provider Management also provides an API to validate device details during Authentication in IDA or during packet validation in Registration Processor.

The API receives Device Code, Digital ID, and MDS Service Version and validates the following conditions.

The Device exist and is ‘Registered’ and ‘Active’
The Device is not Revoked or Retired
The Device Provider exist and is 'Active’
The MDS service against he software version is in the list and is marked ‘Active’
The MDS Software version matches against the Device Type, Device Sub Type, Make, Model and Provider ID of the device as received in input as part of Digital ID
The Device Code received matches against the Make, Model, Device Type, Device Sub Type, Serial Number, Provider Name and Provider ID of the device which received as part of Digital ID

For validation in IDA, the API checks the current status of the details, But for validation in Registration processor, API checks the status of details as on the packet generation date and time. For this, the API additionally receives packet generation timestamp.

Multi-language Support

i18N

Admin portal provides support for multiple languages which can be configured by a country. The portal can support two languages one of which will be primary and another a secondary language. Both can be configured as per the Country’s requirements. The portal will render all the functionalities (View, Create and Update) in two languages thus allowing the Admin to access these functionality in both the languages simultaneously. Although the Home page, Labels and certain functionalities like ‘Viewing Packet Status based on RID’ will only be rendered in the primary language.

If a Country wants to use only one language in MOSIP, both primary and secondary language must be configured as the same language. If configured, the portal will render the screens in only one configured language. Although to be noted, both the primary and secondary languages must be configured. If not, The portal won’t allow the Admin to login and will be shown a message saying “The system has encountered a technical error. Administrator to setup the necessary language configuration(s)".

Registration Functionality

Operators in MOSIP

The operators is the one who can login to the registration client application and perform various activities. The roles associated to an operator in MOSIP can be of a Supervisor or an Officer. Below are features accessed by a supervisor and an officer in the registration client.

The list given above corresponds to the default configuration and can be changed by the MOSIP adoptor.

Operator on-boarding

When an operator tries to login to his/her registration client for the very first time they need to be online and would be re-directed automatically to the on-boarding page. During on-boarding the operator needs to provide his/her biometrics, which would be stored and mapped to the client machine locally post authentication.

Operator's biometrics are captured during on-boarding to support login using biometrics, local duplicate checks, and registration submission via. biometric authentication in registration client.

On-boarding is successful for an operator if and only if,

The operator should be active.
The operator should not be blacklisted.
The operator & the machine should belong to the same center.
The operator's User ID should be mapped to his/her UIN.
The operator's biometric authentication should be successful during on-boarding.
The system should online during on-boarding.

When an operator whats to login to the registration client for the first time, he/she needs to have the registration client in online mode. The first time login for any user in registration client is mandated to be using user name and and password based login. After the first login and successful on-boarding; the registration client would mandate the operator to login with the configured mode decided by the administrator.

Any number of officers or supervisors can login to a registration client but,

They need to be mapped to the same center where the machine is registered.
They should have on-boarded to the registration client successfully.

MOSIP supports single factor and multi factor login including password, OTP, iris, fingerprint, and face authentication for registration client. An administrative configuration setting determines the mode of login.

The registration client can authenticate an operator in offline mode using the locally stored biometrics (face/finger/iris) & password, but it has to be online to authentication an operator using OTP.

While a operator attempts to login to registration client, the system will match the user name with the locally stored user names using a case-insensitive logic.

Temporarily lock the operator

The registration client temporarily locks the operator’s account in case he/she provides an invalid password, fingerprint, iris, face for five times continuously to login. The temporarily account lock lasts for 30 minutes (which is configurable).

Logout

An Operator can logout of the registration client by just,

Clicking the logout button,
Closing the registration client, or
Being in-active on the registration client for configured amount of time after which he/she is automatically logged out.

Upon logout, any unsaved data will be lost. Data will not be automatically saved in the database and will not be retained in memory though transaction details which is used for auditing will be captured & stored (except for PII data).

Registration client provides an alerts to the operator, ‘x’ minutes before reaching the auto logout time limit. Registration client displays a countdown timer in the alert. The operator can choose to dismiss the alert and continue working. This will also reset the timer to zero.

Data Sync

Master data sync

In order to run the registration client application in online or offline mode it need some master data. When the client machine is switching from offline to online mode, the locally saved data can be synced with the server & changes from server can be synced backed to client. The data sync can happen through an automated process at a set frequency or an operator can manually initiate a sync.

Configuration sync

When an operator performs data sync the configurations related to registration client also gets synced. Based on the configuration (turn on or turn off), the system allows the operator to capture applicable biometrics, authenticates, and completes the registration activities.

Client to server sync

Registration Client syncs back some information back to the server whenever a sync is triggered:

Operator on-boarding details such as mapping of user, machine & center.
List of registration packets that are newly created.
The registration packets are also uploaded to the registration processor.

Only the additions, deletions, and modifications made since the last sync are sent to the server.

Packet status sync

During the sync operation the registration client request for the registration server for the status of some of the packets that it has already synced in the server. Knowing the status of the packets helps the registration client to,

Delete the packets from it's local file system based on the countries policy.
Re-Upload the packet if it is missing in the server.
Inform the resident to re-register if packet processing fails in server.

Pre-registration data download

An Operator can download the pre-registration data of his/her center for a date range (current date - end date) while being online (where the date range is configurable) and store it locally in the registration machine for offline use. Now when the system is offline and the pre-registration data is already downloaded; the operator can enter the pre-registration id to auto-populate the registration form with the demographic details of the resident.

Now if the registration machine is online the operator can enter the resident's pre-registration data in real time irrespective of the center selected by the resident while filling the pre-registration form.

Date Range of pre-registration data to be downloaded and storage location of pre-registration data in the registration machine is configurable.

Health check

Peripherals check

The registration client has the provision to show if the registration machine has internet connectivity or not.

Disk space check

Upon receiving a request to create a registration packet at the end of data capture and authentication steps, registration client validates if the disk space available on the registration machine to store the registration packet is sufficient or not. If disk space is insufficient, registration client displays an error message and data entered by registration officer is not saved. Then registration officer needs to clean up the registration machine to make sufficient space and try the registering the resident again.

Virus scan/Security scan

When the registration client application is open, the application scans the registration packets at a configured frequency for viruses. If the registration client application is not open at the configured time, the scan will be queued up and will run when the client application is open.

Registration services

New registration

An operator can initiate the process of registering an new applicant in the MOSIP ecosystem by filling the new registration form with the resident. Below are few of the processes needed to complete a new registration.

Enter demographic data and upload documents of a resident

If the resident has a pre-registration id, the operator can auto-populate the demographic data and the documents by entering the pre-registration id.

If the resident doesn't have a pre-registration id, the operator can enter the resident’s demographic details (such as Name, Gender, DOB, Residential Address, etc.) & upload the documents (such as Proof of Address, Proof of Identity, Proof of Birth) based on the ID Object defined by the country.

After the demographic details are entered the registration client validates the entered demographic data as per the Id validation rules defined in the ID Object UI Specification and appropriate error messages are shown in case the validation fails.

Capture biometrics of a resident

The capture of biometrics is governed by the country, i.e. capture of each modality (fingerprint, iris or face) can be controlled by the country using the global configuration to turning on or off, capture of a particular biometrics.

When the operator clicks on the capture button and tries to capture the biometrics of the resident, the device needs to make the capture when the quality of the biometrics is more than the threshold configured by the country. The device will try to capture the biometrics until the quality threshold has crossed or the device capture timeout has crossed which is also configurable.

Post the timeout has occurred and the captured quality of biometrics is less than the threshold, registration client provide an option to the operator to retry capture of biometrics but for a particular number of times which is also configurable.

If the resident has a biometric exception (resident is missing a finger/iris or quality of finger/iris is very poor) the resident can mark that particular biometrics as exception but the resident has provide an exception photo after providing the biometrics.

Device validation

The biometric devices connected to the registration machine to perform registration needs to registered devices and hence device validation is a very important process. The devices are validated using the master data that is received from the server during sync. Once the validation is successful and the device is connected to the registration machine a three way mapping of the center, machine & device is created and synced back to the server.

For every registration, the registration client provides an option for the operator to mark an individual's consent as Yes or No. The operator marks consent after confirming with the resident. Whether the consent is marked as Yes or No, it will not have any impact on issuance of UIN for that resident and the registration processor will not execute any validations in this regard during packet processing.

New registration for an infant

The registration flow for an infant is slightly different from that of registering an adult. The categorization of normal resident and infant is determined based on the age calculated by when the resident provides the date of birth. The age of infant is a configurable parameter (in the current configuration age of infant is set to 5 years).

For an infant registration client doesn't collect the biometrics (except for photo) but it collects the parent/guardian UIN or RID and biometrics for authentication in the server side. Apart from parent/guardian details the resident need to provide a Proof of Relationship document defined by the country.

Update resident's details

When a resident visits the registration center to update his/her demographic or biometrics details, the operator captures the updated data as provided by the resident in the registration client.

Process Flow using which data gets captured by registration client for updating a resident's data:

The UIN update feature is configurable by a country. The Admin can turn ON or OFF, the UIN update feature using the configuration.

Find a lost UIN

There might be a situation when a resident might have lost his UIN and visits the registration center for retrieving the same, the operator then captures the biometrics and demographic details of the individual and processes a request to retrieve the lost UIN. The system sends a notification to the individual upon successful creation of the UIN retrieval request.

Acknowledgement and Notifications

Printing the registration receipt

Once the registration process (new registration, UIN update or lost UIN) is completed, the registration client generates an unique request id and a registration receipt which contains labels & data in configured language. This data also contains a QR code of the RID, photograph of the resident and ranking of each finger from 1 to 10 (1 being the finger with the best quality). This receipt is print friendly and can be used for printing using any printer.

Sending email and SMS notifications

Once a registration process is completed, a notification is sent to the resident using the email ID and mobile number that was provided as part of demographic data. This notification sent is driven by a template created as part of master data and the language selected (primary, secondary or both) & notification mode (SMS, Email or none) is driven by configurations.

Registration Client also provides an option to send SMS and email notifications to additional recipient\s (other than the individual’s primary email ID and mobile number).

Use of biometric SDKs in registration client

Local biometric authentication for operators

Registration client perform authentication for registration officers and supervisors during various scenarios in registration client. In order to perform authentication using biometrics in such scenarios registration client need to integrate with a biometric SDK. The scenarios where biometric authentication is performed in registration client are:

When operator wants to login to registration client
When operator creates a packet
When an exception packet is created we need to perform supervisor authentication
When supervisor performs end of day verification
When supervisor performs resident about re-registration

For performing all the above mentioned authentication scenarios, registration client uses the operator's biometrics captured during on-boarding. The match threshold for authentication is a configurable parameter.

Local biometric de-duplication

There could be a scenario where an operator in-order to show a demonstration to the resident might capture his/her own biometrics, which could let to packet processing failure in the server side. Hence, in order to avoid such cases we perform de-duplication of biometrics of the resident against the operator's biometrics who have on-boarded to that registration machine.

Registration officer and supervisor approvals

Approval for packet creation

An operator needs authenticate himself/herself when the registration process is completed. After successful authentication an encrypted packet is created in registration client. During this process if biometrics is used as the mode of authentication, the operator's biometrics is sent to server as part of the packet for verification in the server side.

Approval of exception packet

If a packet is created for a resident who has marked his/her biometrics as exception, the registration client performs a second round of authentication for packet creation. During this authentication the supervisor needs to provide his/her credentials. If biometrics is provided during this authentication, it is sent as part of the packet to the server.

Approval during "re-registation"

During pre-processing of the packet, if the registration processor finds an error in the packet such as decryption failure, then an individual will not be communicated automatically to re-register. In such cases, registration processor marks the status of the packet as "re-register" so that a supervisor informs the individual to "re-register" his/her application. After informing the resident the officer needs to authneticate himself/herself using his/her credentials.

Geo-location

We have a feature to capture geo location of a device before any registration is performed. This is driven by a configuration. If capture of geo location is turned on, the system performs the following steps:

Validates that an on-boarded GPS device is connected to the machine.
- If an on-boarded GPS device is not found, then displays an error message.
- If more than one on-boarded GPS device is connected, then proceeds with the first GPS device that the system finds as it scans the ports of the machine.
Requests the GPS device to capture a location.
Receives the latitude and longitude from the GPS device.
- If signal is weak and GPS device is unable to capture location, then displays an error message.
Proceeds to perform following validations:
- If location capture is required only at the beginning of day, the co-ordinates are stored and validations are performed when opting to start a new registration.
- If location capture is required only at the beginning of day and location could not be captured at beginning of the day, then attempts to capture the location during the first registration of the day.
- The latitude and longitude will be stored in the packet when the packet is created.
System captures and stores the transaction details for audit purpose (except PII data).

Language Support

The Registration Client supports two languages, a primary language in which all pages of the application are rendered, and demographic details of an individual are also rendered in secondary language for convenience of the officer. The default primary and secondary languages are driven by an administrator configuration and can be setup by the admin as required. Transliteration from the primary to secondary language is supported for registration officer entered text fields.

In the below listed scenarios, system will render an error message on the Login page and inhibit Registration, and hence, the language configurations should be appropriately setup by the administrator.

If Primary Language is set to a specific value and Secondary Language is not set by Admin, or
If Secondary Language is set to a specific value and Primary Language is not set by Admin, or
If both Primary and Secondary Language are not set by Admin

Then the system will render the stated Error Message: “The system has encountered a technical error. Administrator to setup the necessary language configuration(s).”

This error message will not have an option to exit, hence not allow the user to proceed further. On page refresh, the system will render the error message again and hence, inhibit registrations. Therefore, it is important for the administrator to setup the configurations appropriately. In case configurations are setup correctly, but post Login, if a sync is initiated through the option in the homepage, and then if it is identified that either Primary/Secondary language/both are not defined, then the system will render the same error message on the homepage and not allow the user to proceed further.

Considering a scenario, wherein if Primary language and Secondary language is configured to be the same, EG: English then:

The system will render the demographic page (with both left and right side for Primary and Secondary language) in the same language
Values entered on the left side (Primary Language) will not be transliterated but auto-copied on the right side
Values on the right side will remain un-editable
As part of the packet, system will send/store data in one language only, if language code is identified to be the same – EG: ENG (English)

Therefore, it is important for the administrator to setup the configurations appropriately.

Translation

A Registration Officer can view static data translated to secondary language.

In MOSIP, the primary and secondary languages are configured by the admin.
Admin configures all the static data in both primary and secondary languages so that the registration officer can view all the pages of client application in primary (default) and second (translated) languages.
If the both languages are configured in one language, the system displays the text in default language only.

Transliteration

Registration Client enables viewing transliterated data.

The Registration Client application supports two type of languages: Primary language (the language in which the registration officer enters data) and secondary language (transliteration language). The secondary language is country specific and is set by the administrator.

When the officer starts a new registration, update or lost UIN process and provides demographic data (Full Name, Address Line 1, Address Line 2, Address Line 3, and parent/guardian Name) of an individual in the primary language. The system transliterates the data and displays in the corresponding secondary language fields.

An Officer can invoke the virtual keyboard to edit transliterated data and proceeds with registration. The following rules are followed during transliteration.

Editing transliterated language does not change the data entered in the primary language.
The system also validates the maximum character length in the transliterated language and in primary language.
If secondary language is not configured, the system does not do any transliteration and will display empty space instead.
Numeric data are not transliterated. The same numeric data are displayed in the secondary language section of the page, which are not editable.

Master data selections are not transliterated. Instead, the master data as setup in the secondary language is displayed in the relevant section.

The system then enables the officer to view the registration confirmation page. The data, which are transliterated and edited earlier are also shown in the secondary language.

Packet Upload

Registration Packet Upload

Upload the packet

The system allows a registration officer to view a list of packets and may opt to upload one or multiple packets from a list of packets.
After the registration officer selects the packet(s), he/she can upload the selected packet(s) to server.

Push those packets that are marked 'Resend' to the server

When the registration officer or supervisor navigates to the ‘Upload Packets’ page, the list of RIDs that are pending packets to upload will be displayed.
- Pending packets are those packets, which are not sent to the server due to various reasons (e.g. Sanity Check and Validation failure in the Registration Processor) and have been marked for resending.
When the registration officer or supervisor selects the ‘Upload’ option, the pending packets will be uploaded to the server.
The result of each packet uploaded will be displayed as ‘Success’ or ‘Failure’.
- Packets that are successfully sent or resent will not be sent again unless the server requests for them.
- Packets for which upload fails will continue to be in pending state.
System captures and stores the transaction details for audit purpose (except PII data).

Enable a real time packet upload when system is online upon registration submission

When EoD process is turned ON
- Registration Client checks if the system is online as soon as the assigned approver (such as supervisor) approves or rejects a new registration or UIN update.
- If client is online, the Registration Client sends Registration ID to server and then the packets are marked as “Ready to upload” and auto uploaded to server.
- If client is offline or on low bandwidth, then when the client next comes online, the Registration ID’s are sent to server through scheduled or manual sync and the packets are then marked as “ready to upload”.
- Once the packets are ready for upload, packets are uploaded in two ways:
  - The registration officer can initiate upload to server using upload function.
  - Export to external storage device for subsequent upload as required.
When EoD process is turned OFF
- Registration Client checks if system is online as soon as the registration officer submits a new registration or UIN update.
- If client is online, the Registration Client sends Registration Id to server and then the packets are marked as “Ready to upload” and auto uploaded to server.
- If client is offline or on low bandwidth, then when the client next comes online, the Registration ID’s are sent to server through scheduled or manual sync and the packets are then marked as “ready to upload”.
- Once the packets are ready for upload, packets are uploaded in two ways:
  - The registration officer can initiate upload to server using client’s upload function.
  - Export to external storage device for subsequent upload as required.

Packet Exporter & Offline Upload from External Device

Export Packets to External Device

System exports registration packet data from client machine to an external device as follows:

This feature allows the registration officer to select a destination folder to export the packets. By default all packets that are listed/eligible to be uploaded, are exported to the external device
The destination folder includes the laptop/desktop, an external hard drive or a remote location
External storage devices are not necessary to be MOSIP-registered devices
When the destination folder is selected, registration officer initiates export of packets
System exports the packets to the selected folder and performs the following steps:
- Identifies the packets in ‘Ready to Upload’ state.
- If EoD process is turned ON, packets that have been approved or rejected and packet ID sync is completed are considered ‘Ready to Upload’
- If EoD process is turned OFF, packets are considered ‘Ready to Upload’ as soon as the registration is submitted and packet ID sync is completed
- Puts the packets in the destination folder
All the Registration Officers and supervisors on-boarded to the client machine will be able to export all packets
Supports the partial export. If the system is able to export some packets to the folder and no other files due to lack of storage space or unavailability of the folder, the successfully exported packets will remain in the destination folder.
For partial or full failure, the system displays error message

Upload Packets from External Device to Server (To be Developed)

Once the server acknowledges that the packets have been received (which is uploaded from the external device to the server through a defined mechanism - Yet to be defined/developed), the packets in the client will be marked as ‘Uploaded’ upon the next sync with Server.

Packets that remain in ‘Ready to Upload’ status will be exported again when the next export is executed.
Packets in ‘Uploaded’ or any other status will not be exported again.

Analytics and Audit Logs

System captures and stores details of each transaction during registration process for audit purpose (except PII data). The audit data is stored in the audit database. When the client machine is working in an offline mode, the audit log is synced with the server as when the client machine is online.

Data Security

Registration Client integrates with Trusted Platform Model (TPM) data integrity. For enhanced security and integrity purposes, data captured from individuals are saved securely in local system and then shared to server. The details saved locally will be encrypted. Database encryption is also mandatory.

MOSIP performs the following:

Signing the data (This process is called as Signature) using Private Key provided by the TPM
- This process will ensure that the request to the server has been dispatched from a registered or trusted Registration Client machine
Validates the signature against the actual data using the Public Key or Public Part. The application does not connect or access the underlying TPM to validate the Signature. This validation ensures that the request is from a registered or trusted Registration Client machine
Encrypts and decrypts the data using RSA algorithm in TPM. System security and tampering of packets

The system uses a machine and centre specific public key to encrypt. Only the server which has the respective private key, machine id and centre id can decrypt the encrypted packet. The data stored in database and application binaries are encrypted using TPM public key and registration officers will not be able to access directly.

Installation and Software Version Upgrade

A. Registration Officer or Supervisor can download and unzip the client application set up kit

For initial installation of the client software on a particular machine, supervisor or registration officer will download an installable software (setup kit). Then unzip the setup kit and install it in the client machine.

When a registration officer or supervisor opts to download setup kit and selects the OS-specific setup kit to download, the system allows the registration officer to download the setup kit to the storage location chosen by the registration officer.

Registration officer then unzips the setup kit.
Extract the files and folders from the zip file to the chosen location.
Allows the registration officer to verify that the files and folder structure are as described in the design document.
System captures and stores the download transaction details for audit purpose (except PII data).

B. Update the client software from the server

If a software update is available, then the system will provide an option to supervisor or registration officer to update either immediately or later. If the maximum number of days without software update has been exceeded, then the system will mandate a registration officer to update the software.

The system follows the following steps during the update process:

When the client is online, the system automatically checks for updates if available.
If an update is available, the system displays a message “Updates are available” and provides two options to the registration officer
- Update now or
- Update later.
If the registration officer opts to select “Update now” option, then the registration officer can download and installs software and launches the application.
The updates are downloaded as patch updates.
When installation is in progress, the registration officer cannot perform any action on the client.
Once installation is completed, the registration officer can start working on the client.
If update is not successful, the system provides error message and provides both the options (Update Now or Update Later) again.
If the registration officer opts to select “Update later” option, then the system checks if the freeze period has been reached.
- If the freeze period has not been reached, the system allows the registration officer to continue with registration
- If freeze period has been reached, the system does not allow the registration officer for registration without updating the software.
- The client will be locked for registration, if x days (configuration setting) have passed since the last check for updates and mandates the registration officer to update the software.
If updates are not available, the system launches the application.
If update is not successful, the client returns to its earlier version.
System captures and stores the transaction details for audit purpose (except PII data).

Clean up

Pre-registration and registration data are automatically deleted from the client machine upon consumption and upon intimation from the server respectively.

Pre-registration data is deleted from the client machine immediately after consumption for a registration.
Registration packets that are identified as ‘processed’ are deleted by a periodic process.
Audit data is deleted after it is sent to the server.
All deletion is executed by a periodic process after retention of the data for a configured duration.

Data retention policies

A. Read packet status and delete packets

When the Registration Client receives a request through manual trigger or scheduled job to sync data, the system performs the following steps to read a packet status and delete the packets:

Sends the data sync request to server.
Receives response from server with packet statuses.
- Server sends status of those registration packets that were created in the specific machine, and that status that has changed since the last sync.
Saves the statuses ‘Processing’, ‘Processed’ or ‘Resend’ as received for each packet. Statuses of other packets are not updated.
Immediately deletes the packets from the local machine whose status is received as ‘Processed’.
Displays an alert in case of sync failure.
- The on-screen message is only indicated if the sync was a success or failure.
- Detailed errors can be viewed in the transaction logs.
The system does not allow registration officer to perform any activities when the data sync is running.
If the Registration Client is not online or not open during a scheduled sync, the sync will be queued up and will be executed later.
When the Registration Client is next launched and is online, checks if the previous scheduled sync was executed. If not executed earlier, then immediately starts the sync.
System captures and stores the transaction details for audit purpose (except PII data).

B. Delete transaction history (audit logs) post sync with server and the retention period

When a set of audit data is uploaded to the server and the server has acknowledged receipt of the audit data, the system performs the following steps to delete transaction history (audit logs) post sync with server and the retention period:

Runs on a daily process to identify audit data that has been sent to the server and acknowledgement is received from the server.
- The audit data acknowledgement received from the server >= x hours ago. X is configured at a country level.
Deletes the identified audit data from the client machine.
Executes at a time and frequency as configured.
- The process takes place only when the Registration Client is in open and running situation. If the Registration Client is not open during a scheduled run, it is executed as soon as the client is next started up.
Does not delete audit data, if that is yet to be sent to the server.
System captures and stores the transaction details.

Machine Retirement

Machine is termed as machine retirement due to following reason:

If the machine has obsolete specification.
When the machine is moved from one center to another (re-mapped), then the machine will retire from that old center.

Before the machine is decommissioned, the following checks must be performed:

All packets created must either be uploaded to server or exported to external device.
All pending end of day approvals are completed and re-registrations pending action are cleared, refer below for more details
All data locally saved in the machine must be cleaned up.

Re-mapping of Machine:

If a Machine has been re-mapped to another center, then:

Officer will not be allowed to do any operation in Registration Client except,
- Login/Logout
- Approve packets as part of End of Day Approval process
- Upload Packets
- Inform Residents to Re-Register and mark action accordingly
Once Packet Approval and Informing Resident is Completed, then
- Packets will be auto uploaded if anything is pending
- Initial Sync Flag is Turned On
Once the Officer logs out and tries to login again, then
- New Master data gets downloaded for the newly mapped Center

Steps to Install and Configure HDFS

This documentation is for setting up HDFS (v2.8.1) cluster with one namenode and one datanode

Setup HDFS version 2.8.1

Prerequisites

Create 2 VMs. They’ll be referred to throughout this guide as,
```
node-master.example.com
node-slave1.example.com
```
Install java (java-8-openjdk) to all the machines in the cluster and setup the JAVA_HOME environment variable for the same.
```
sudo yum install java-1.8.0-openjdk-devel
```
Get your Java installation path.
```
update-alternatives --display java
```

Note: Take the value of the current link and remove the trailing /bin/java.

For example on RHEL 7, the link is /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/bin/java

So JAVA_HOME should be /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre.

Edit ~/bashrc.sh:

Export JAVA_HOME={path-tojava} with your actual java installation path.

For example on a Debian with open-jdk-8: export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre

Note: In the further steps when u login to the hadoop account set the java path in ~/hadoop/etc/hadoop/hadoop-env.sh also.

Get the IP of master and slave nodes using:
```
ifconfig
```
Adjust /etc/hosts on all nodes according to your configuration.

Note:

While adding same machine ip to /etc/hosts, use private ip that machine instead of public IP. For other machine in the cluster use public IP. * Edit the Master node VM /etc/hosts file use private IP of Master node and public IP of the Slave node. * Edit the Slave node VM /etc/hosts file use private IP of Slave node and Public IP of Master node. * Example: 10.0.22.11 node-master.example.com 10.0.3.12 node-slave1.example.com

Creating Hadoop User

Create a hadoop user in every machine in the cluster to followup the documentation or replace the hadoop user in the documentation with your own user.

Log in to the system as the root user.
```
sudo su -
```
Create a hadoop user account using the useradd command.
```
adduser hadoop
```

Set a password for the new hadoop user using the passwd command.

passwd hadoop
Changing password for user hadoop.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Add the haddop user to the wheel group using the usermod command.
```
usermod -aG wheel hadoop
```
Test that the updated configuration allows the user you created to run commands using sudo.
- Use the su to switch to the new user account that you created.
```
su hadoop
```
- Use the groups to verify that the user is in the wheel group.
```
groups
```
- Use the sudo command to run the whoami command. As this is the first time you have run a command using sudo from hadoop user account the banner message will be displayed. You will be also be prompted to enter the password for the hadoop account.
```
sudo whoami
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for hadoop:
root
```
- The last line of the output is the user name returned by the whoami command. If sudo is configured correctly this value will be root.

You have successfully configured a hadoop user with sudo access. You can now log in to this hadoop account and use sudo to run commands as if you were logged in to the account of the root user.

Distribute Authentication Key-pairs for the Hadoop User

The master node will use an ssh-connection to connect to other nodes with key-pair authentication, to manage the cluster.

Login to node-master as the hadoop user, and generate an ssh-key:
```
ssh-keygen -t rsa
```
id_rsa.pub will contains the generated public key
Copy the public key to all the other nodes.
```
ssh-copy-id -i $HOME/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i $HOME/.ssh/id_rsa.pub [email protected]
```
or
Update the $HOME/.ssh/id_rsa.pub file contents of slave node to Master node $HOME/.ssh/authorized_keys file and also Update $HOME/.ssh/id_rsa.pub file contents of Master node to Slave node $HOME/.ssh/authorized_keys manually.

Verify ssh from Master node to slave node and vice versa.

```
ssh [email protected]
```

Note: if ssh fails, try setting up again the authorized_keys to the machine.

Download and Unpack Hadoop Binaries

Login to node-master as the hadoop user, download the Hadoop tarball from Hadoop project page, and unzip it: cd wget https://archive.apache.org/dist/hadoop/core/hadoop-2.8.1/hadoop-2.8.1.tar.gz tar -xzf hadoop-2.8.1.tar.gz mv hadoop-2.8.1 hadoop

Set Environment variables in each machine in the cluster

Add Hadoop binaries to your PATH. Edit /home/hadoop/.bashrc or /home/hadoop/.bash_profile and add the following line: export HADOOP_HOME=$HOME/hadoop export HADOOP_CONF_DIR=$HOME/hadoop/etc/hadoop export HADOOP_MAPRED_HOME=$HOME/hadoop export HADOOP_COMMON_HOME=$HOME/hadoop export HADOOP_HDFS_HOME=$HOME/hadoop export YARN_HOME=$HOME/hadoop export PATH=$PATH:$HOME/hadoop/bin export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre Run following command to apply environment variable changes, using source command: source /home/hadoop/.bashrc or source /home/hadoop/.bash_profile

Configure the Master Node

Configuration will be done on node-master and replicated to other slave nodes.

Set NameNode

Update ~/hadoop/etc/hadoop/core-site.xml: <configuration> <property> <name>fs.defaultFS</name> <value>hdfs://node-master.example:51000</value> </property> </configuration>

Set path for HDFS

Edit ~/hadoop/etc/hadoop/hdfs-site.xml:

<configuration>
		<property>
				<name>dfs.namenode.name.dir</name>
				<value>/home/hadoop/data/nameNode</value>
		</property>
		<property>
				<name>dfs.datanode.data.dir</name>
				<value>/home/hadoop/data/dataNode</value>
		</property>
		<property>
				<name>dfs.replication</name>
				<value>1</value>
		</property>
	<property>
		<name>dfs.permissions</name>
		<value>true</value>
	</property>
		<property>
				<name>dfs.namenode.secondary.http-address</name>
				<value>0.0.0.0:51090</value>
		</property>
		<property>
				<name>dfs.namenode.secondary.https-address</name>
				<value>0.0.0.0:51091</value>
		</property>
		<property>
				<name>dfs.datanode.address</name>
				<value>0.0.0.0:51010</value>
		</property>
		<property>
				<name>dfs.datanode.http.address</name>
				<value>0.0.0.0:51075</value>
		</property>
		<property>
				<name>dfs.datanode.ipc.address</name>
				<value>0.0.0.0:51020</value>
		</property>
		<property>
				<name>dfs.namenode.http-address</name>
				<value>0.0.0.0:51070</value>
		</property>
		<property>
				<name>dfs.namenode.https-address</name>
				<value>0.0.0.0:51470</value>
		</property>
		<property>
				<name>dfs.namenode.backup.address</name>
				<value>0.0.0.0:51100</value>
		</property>
		<property>
				<name>dfs.namenode.backup.http-address</name>
				<value>0.0.0.0:51105</value>
		</property>
</configuration>

Create directories

mkdir -p /home/hadoop/data/nameNode [where on the filesystem the DFS name node should store the name table(fsimage)]
mkdir -p /home/hadoop/data/dataNode  [where data node should store its blocks.]

Configure Master

Edit ~/hadoop/etc/hadoop/masters to be: node-master.example.com

Configure Slaves

Edit ~/hadoop/etc/hadoop/slaves to be: This slaves file will specifies the datanode to be setup in which machine node-slave1.example.com

Create duplicate config files on each node

Copy the hadoop binaries to slave nodes:
```
cd /home/hadoop/
scp hadoop-*.tar.gz node-slave1.example.com:/home/hadoop
```
or copy each configured files to other nodes
Connect to node1 via ssh. A password isn’t required, thanks to the ssh keys copied above:
```
ssh node-slave1.example.com
```
Unzip the binaries, rename the directory, and exit node-slave1.example.com to get back on the node-master.example.com:
```
tar -xzf hadoop-2.8.1.tar.gz
mv hadoop-2.8.1 hadoop
exit
```

Copy the Hadoop configuration files to the slave nodes:

for node in node-slave1.example.com; do
	scp ~/hadoop/etc/hadoop/* $node:/home/hadoop/hadoop/etc/hadoop/;
done

Format HDFS

HDFS needs to be formatted like any classical file system. On node-master, run the following command: hdfs namenode -format Your Hadoop installation is now configured and ready to run.

Start HDFS

Start the HDFS by running the following script from node-master: start-dfs.sh, stop-dfs.sh script files will be present in hadoop_Installation_Dir/sbin/start.dfs.sg

hadoop/sbin/start-dfs.sh

It’ll start NameNode and SecondaryNameNode on node-master.example.com, and DataNode on node-slave1.example.com, according to the configuration in the slaves config file.

Check that every process is running with the jps command on each node. You should get on node-master.example.com (PID will be different):
```
21922 Jps
21603 NameNode
21787 SecondaryNameNode
```
and on node-slave1.example.com:
```
19728 DataNode
19819 Jps
```

Hdfs has been Configured Successfully

Note: If datanode and namenode has not started, look into hdfs logs to debug: $HOME/hadoop/logs/

Create HDFS users

To create users for hdfs (regprocessor, prereg, idrepo), run this command:
```
sudo useradd  regprocessor
sudo useradd  prereg
sudo useradd  idrepo
```

Note: Configure the user in module specific properties file (ex- pre-registration-qa.properties) as mosip.kernel.fsadapter.hdfs.user-name=prereg**

Create a directory and give permission for each user

hdfs dfs -mkdir /user/regprocessor
hdfs dfs -chown -R regprocessor:regprocessor  /user/regprocessor
hdfs dfs -mkdir /user/prereg
hdfs dfs -chown -R prereg:prereg  /user/prereg
hdfs dfs -mkdir /user/idrepo
hdfs dfs -chown -R idrepo:idrepo  /user/idrepo

Enabling configured port through firewall in each machine in cluster

```ssh
sudo firewall-cmd --zone=public --add-port=51000/tcp --permanent
sudo firewall-cmd --zone=public --add-port=51090/tcp --permanent
sudo firewall-cmd --zone=public --add-port=51010/tcp --permanent
sudo firewall-cmd --zone=public --add-port=51075/tcp --permanent
sudo firewall-cmd --zone=public --add-port=51020/tcp --permanent
sudo firewall-cmd --zone=public --add-port=51070/tcp --permanent
sudo firewall-cmd --zone=public --add-port=51470/tcp --permanent
sudo firewall-cmd --zone=public --add-port=51100/tcp --permanent
sudo firewall-cmd --zone=public --add-port=51105/tcp --permanent
sudo firewall-cmd --reload
```

Note: If different port has been configured , enable those port.

Securing HDFS

Following configuration is required to run HDFS in secure mode. Read more about kerberos here: link

Install Kerberos

Before Installing Kerberos Install the JCE Policy File

Install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File on all cluster and Hadoop user machines. Follow this link

Kerberos

Kerberos server(KDC) and the client needs to be installed. Install the client on both master and slave nodes. KDC server will be installed on the master node.

To install packages for a Kerberos server:

yum install krb5-server krb5-libs krb5-auth-dialog

To install packages for a Kerberos client:

yum install krb5-workstation krb5-libs krb5-auth-dialog

Configuring the Master KDC Server

Edit the /etc/krb5.conf: Configuration snippets may be placed in this directory (includedir /etc/krb5.conf.d/) as well,

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
udp_preference_limit = 1
dns_lookup_realm = false
ticket_lifetime = 365d
renew_lifetime = 365d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm =  <b>NODE-MASTER.EXAMPLE.COM</b>
#default_ccache_name = KEYRING:persistent:%{uid}

[realms]
NODE-MASTER.EXAMPLE.COM = {
	kdc = node-master.example.com:51088
	admin_server = node-master.example.com
}

[domain_realm]
.node-master.example.com = NODE-MASTER.EXAMPLE.COM
node-master.example.com = NODE-MASTER.EXAMPLE.COM

Note: Place this krb5.conf file in /kernel/kernel-fsadapter-hdfs/src/main/resources mosip.kernel.fsadapter.hdfs.krb-file=classpath:krb5.conf Or if kept outside resource then give absolute path mosip.kernel.fsadapter.hdfs.krb-file=file:/opt/kdc/krb5.conf

Edit /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
	kdc_ports = <b>51088</b>
	kdc_tcp_ports = <b>51088</b>

[realms]
	NODE-MASTER.EXAMPLE.COM = {
		#master_key_type = aes256-cts
		acl_file = /var/kerberos/krb5kdc/kadm5.acl
		dict_file = /usr/share/dict/words
		admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
		supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
	}

Create the database using the kdb5_util utility.
```
/usr/sbin/kdb5_util create -s
```
Edit the /var/kerberos/krb5kdc/kadm5.acl
```
*/[email protected]	*
```
Create the first principal using kadmin.local at the KDC terminal:
```
/usr/sbin/kadmin.local -q "addprinc root/admin"
```

Start Kerberos using the following commands:

/sbin/service krb5kdc start
/sbin/service kadmin start

To set up the KDC server to auto-start on boot. ``` RHEL/CentOS/Oracle Linux 6

chkconfig krb5kdc on

chkconfig kadmin on

RHEL/CentOS/Oracle Linux 7

systemctl enable krb5kdc

systemctl enable kadmin
```

Verify that the KDC is issuing tickets. First, run kinit to obtain a ticket and store it in a credential cache file.
```
kinit root/admin
```
Next, use klist to view the list of credentials in the cache.
```
klist
```
Use kdestroy to destroy the cache and the credentials it contains.
```
kdestroy -A
```

Create and Deploy the Kerberos Principals and Keytab files

For more information, check here: link

If you have root access to the KDC machine, use kadmin.local, else use kadmin. To start kadmin.local (on the KDC machine), run this command: sudo kadmin.local

To create the Kerberos principals

Do the following steps for masternode.

In the kadmin.local or kadmin shell, create the hadoop principal. This principal is used for the NameNode, Secondary NameNode, and DataNodes.
```
kadmin:  addprinc hadoop/[email protected]
```

Create the HTTP principal.

kadmin:  addprinc HTTP/[email protected]

Create principal for all user of hdfs (regprocessor, prereg, idrepo)

kadmin:  addprinc [email protected]
kadmin:  addprinc [email protected]
kadmin:  addprinc [email protected]

To create the Kerberos keytab files

Create the hdfs keytab file that will contain the hdfs principal and HTTP principal. This keytab file is used for the NameNode, Secondary NameNode, and DataNodes. kadmin: xst -norandkey -k hadoop.keytab hadoop/admin HTTP/admin Use klist to display the keytab file entries; a correctly-created hdfs keytab file should look something like this: $ klist -k -e -t hadoop.keytab Keytab name: FILE:hadoop.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 1 02/11/2019 08:53:51 hadoop/[email protected] (aes256-cts-hmac-sha1-96) 1 02/11/2019 08:53:51 hadoop/[email protected] (aes128-cts-hmac-sha1-96) 1 02/11/2019 08:53:51 hadoop/[email protected] (des3-cbc-sha1) 1 02/11/2019 08:53:51 hadoop/[email protected] (arcfour-hmac) 1 02/11/2019 08:53:51 hadoop/[email protected] (camellia256-cts-cmac) 1 02/11/2019 08:53:51 hadoop/[email protected] (camellia128-cts-cmac) 1 02/11/2019 08:53:51 hadoop/[email protected] (des-hmac-sha1) 1 02/11/2019 08:53:51 hadoop/[email protected] (des-cbc-md5) 1 02/11/2019 08:53:51 HTTP/[email protected] (aes256-cts-hmac-sha1-96) 1 02/11/2019 08:53:51 HTTP/[email protected] (aes128-cts-hmac-sha1-96) 1 02/11/2019 08:53:51 HTTP/[email protected] (des3-cbc-sha1) 1 02/11/2019 08:53:51 HTTP/[email protected] (arcfour-hmac) 1 02/11/2019 08:53:51 HTTP/[email protected] (camellia256-cts-cmac) 1 02/11/2019 08:53:51 HTTP/[email protected] (camellia128-cts-cmac) 1 02/11/2019 08:53:51 HTTP/[email protected] (des-hmac-sha1) 1 02/11/2019 08:53:51 HTTP/[email protected] (des-cbc-md5)

Creating keytab [mosip.keytab] file for application to authenticate with HDFS cluster

``` 
$sudo kadmin
kadmin: xst -norandkey -k mosip.keytab {user1}
kadmin: xst -norandkey -k mosip.keytab {user2} 
```
replace {user} with username.

To view the principals in keytab

```
 klist -k -e -t mosip.keytab
```
and so on add all the users to keytab. if you want create the separate keytab file for each application and distribute them

To deploy the Kerberos keytab file

On every node in the cluster, copy or move the keytab file to a directory that Hadoop can access, such as /home/hadoop/hadoop/etc/hadoop/hadoop.keytab.

To configure Kernel HDFS Adapter

Place this mosip.keytab file in /kernel/kernel-fsadapter-hdfs/src/main/resources and update the application properties for mosip.kernel.fsadapter.hdfs.keytab-file=classpath:mosip.keytab mosip.kernel.fsadapter.hdfs.authentication-enabled=true mosip.kernel.fsadapter.hdfs.kdc-domain=NODE-MASTER.EXAMPLE.COM mosip.kernel.fsadapter.hdfs.name-node-url=hdfs://host-ip:port

Note: Configure the user in module specific properties file (example: pre-registration-qa.properties as mosip.kernel.fsadapter.hdfs.user-name=prereg).

Enable security in HDFS

To enable security in hdfs, you must stop all Hadoop daemons in your cluster and then change some configuration properties. sh hadoop/sbin/stop-dfs.sh

Enable Hadoop Security

To enable Hadoop security, add the following properties to the ~/hadoop/etc/hadoop/core-site.xml file on every machine in the cluster:

<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value> 
</property>

<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
 
<property>
  <name>hadoop.http.filter.initializers</name>
  <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
</property>

<property>
  <name>hadoop.http.authentication.type</name>
  <value>kerberos</value>
</property>

<property>
  <name>hadoop.http.authentication.simple.anonymous.allowed</name>
  <value>true</value>
</property>

<property>
  <name>hadoop.http.authentication.kerberos.principal</name>
  <value>HTTP/[email protected]</value>
</property>

<property>
  <name>hadoop.http.authentication.kerberos.keytab</name>
  <value>/home/hadoop/hadoop/etc/hadoop/hadoop.keytab</value>
</property>

Add the following properties to the ~/hadoop/etc/hadoop/hdfs-site.xml file on every machine in the cluster.

<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>

<!-- NameNode security config -->
<property>
  <name>dfs.namenode.keytab.file</name>
  `<value>/home/hadoop/hadoop/etc/hadoop/hadoop.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>hadoop/[email protected]</value>
</property>
<property>
  <name>dfs.namenode.kerberos.internal.spnego.principal</name>
  <value>HTTP/[email protected]</value>
</property>

<!-- Secondary NameNode security config -->
<property>
  <name>dfs.secondary.namenode.keytab.file</name>
  <value>/home/hadoop/hadoop/etc/hadoop/hadoop.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
  <name>dfs.secondary.namenode.kerberos.principal</name>
	<value>hadoop/[email protected]</value>
</property>
<property>
  <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>
  <value>HTTP/[email protected]</value>
</property>

<!-- DataNode security config -->
<property>
  <name>dfs.datanode.data.dir.perm</name>
  <value>700</value> 
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/home/hadoop/hadoop/etc/hadoop/hadoop.keytab</value><!-- path to the HDFS keytab -->
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>hadoop/[email protected]</value>
</property>

<!-- Web Authentication config -->
<property>
  <name>dfs.web.authentication.kerberos.principal</name>
  <value>HTTP/[email protected]</value>
 </property>

<property>
  <name>dfs.data.transfer.protection</name>
  <value>authentication</value>
 </property>

<property>
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
 </property>

Configuring HTTPS in HDFS

Generating the key and certificate

The first step of deploying HTTPS is to generate the key and the certificate for each machine in the cluster. You can use Java’s keytool utility to accomplish this task: Ensure that firstname/lastname OR common name (CN) matches exactly with the fully qualified domain name (e.g. node-master.example.com) of the server. keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -keystore keystore.jks

Creating your own CA

We use openssl to generate a new CA certificate: openssl req -new -x509 -keyout ca-key.cer -out ca-cert.cer -days 365 The next step is to add the generated CA to the clients’ truststore so that the clients can trust this CA: keytool -keystore truststore.jks -alias CARoot -import -file ca-cert.cer

Signing the certificate:

The next step is to sign all certificates generated with the CA. First, you need to export the certificate from the keystore: keytool -keystore keystore.jks -alias localhost -certreq -file cert-file.cer Then sign it with the CA: openssl x509 -req -CA ca-cert.cer -CAkey ca-key.cer -in cert-file.cer -out cert-signed.cer -days 365 -CAcreateserial -passin pass:12345678 Finally, you need to import both the certificate of the CA and the signed certificate into the keystore keytool -keystore keystore.jks -alias CARoot -import -file ca-cert.cer keytool -keystore keystore.jks -alias localhost -import -file cert-signed.cer

Configuring HDFS

Change the ssl-server.xml and ssl-client.xml on all nodes to tell HDFS about the keystore and the truststore

Edit ~/hadoop/etc/hadoop/ssl-server.xml

<configuration>

<property>
  <name>ssl.server.truststore.location</name>
  <value>/home/hadoop/truststore.jks</value>
  <description>Truststore to be used by NN and DN. Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.truststore.password</name>
  <value>12345678</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.server.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.server.truststore.reload.interval</name>
  <value>10000</value>
  <description>Truststore reload check interval, in milliseconds.
  Default value is 10000 (10 seconds).
  </description>
</property>

<property>
  <name>ssl.server.keystore.location</name>
  <value>/home/hadoop/keystore.jks</value>
  <description>Keystore to be used by NN and DN. Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.password</name>
  <value>12345678</value>
  <description>Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>12345678</value>
  <description>Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.server.exclude.cipher.list</name>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,
  SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_RSA_WITH_RC4_128_MD5</value>
  <description>Optional. The weak security cipher suites that you want excluded
  from SSL communication.</description>
</property>

</configuration>

Edit ~/hadoop/etc/hadoop/ssl-client.xml

<configuration>

<property>
  <name>ssl.client.truststore.location</name>
  <value>/home/hadoop/truststore.jks</value>
  <description>Truststore to be used by clients like distcp. Must be
  specified.
  </description>
</property>

<property>
  <name>ssl.client.truststore.password</name>
  <value>12345678</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.client.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.client.truststore.reload.interval</name>
  <value>10000</value>
  <description>Truststore reload check interval, in milliseconds.
  Default value is 10000 (10 seconds).
  </description>
</property>

<property>
  <name>ssl.client.keystore.location</name>
  <value>/home/hadoop/keystore.jks</value>
  <description>Keystore to be used by clients like distcp. Must be
  specified.
  </description>
</property>

<property>
  <name>ssl.client.keystore.password</name>
  <value>12345678</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.client.keystore.keypassword</name>
  <value>12345678</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.client.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

</configuration>

After restarting the HDFS daemons (NameNode, DataNode and JournalNode), you should have successfully deployed HTTPS in your HDFS cluster.

For you face error during kerberos, check this: link

Tester Documentation

1. Introduction

1.1 Overview

The MOSIP architecture mainly consists of the following functional blocks/modules

Pre-Registration - Web application designed in Angular JS A resident can provide his demographic details in this web application and book an appointment for his future registration at a registration center
Registration Client - A Desktop thick client application developed in JavaFX. A resident is registered through the Registration Client software to generate get a unique identification number. The software captures demographic and biometrics information of the residents. It is connected to scanner devices (finger print, iris), camera and printer to capture resident biometrics information
Registration Processor - A back-end server application developed using SEDA framework It processes the client packets and generates UIN based on de-dupuplication information from ABIS (Automated Biometrics Identification System)
IDA (ID Authentication) - A back-end authentication server developed using spring family. It authenticates the resident based on registered set of biometric and demographic information

Test automation is the key to the success of comprehensive test coverage and test data. However in the context of MOSIP testing, where there are external devices and integration with third party software, test automation cannot be exhaustive and comprehensive test coverage can be achieved by testing driven by manual intervention, along with test automation.

In this document we will also talk about utilities for test data generation, tools for test automation and test strategy in general.

1.2 Scope

1.2.1 Test Coverage

Each of the modules has the following building blocks which are the testable entities, at the module level
System Integration Testing - This involves testing functional work-flows across the modules, starting from Pre-Reg and ending in IDA
Test Automation - tools, approach, test code configuration management process, regular usage

Module

Testable Entities

Levels of Testing

Pre-Registration

UI REST APIs

UI Functional Testing Individual API testing API level integration testing

Registration Client

Java APIs

UI Functional Testing (with simulators and with devices) Individual API testing API level integration testing

Registration Processor

Java APIs SEDA vert.x stages

Individual API testing Integration work-flow testing including the APIs and vert.x for processing various packet types

IDA

REST APIs

Individual API testing Integration work-flow testing

Kernel

REST APIs

Individual API testing Integration work-flow testing

1.2.2 Data Coverage

Data utility tools - approach, usage

2. Test Approach

Each module is tested, both manually and through automation software for effective test coverage.

A progressively evolving test approach is being adopted in both cases.

Manual Testing starts with module level functional coverage followed by --> integration across modules --> End to end workflow testing
Automation Testing starts with the fundamental building blocks like APIs, and grows up the stack.

Individual API verification is followed by --> API Integration testing --> integration across modules --> End to end workflow testing

4. Test Automation User Guides

4.1 Kernel Test Automation Suite - User Guide

4.1.1 About the Kernel Module

A critical interface module of MOSIP, Kernel is the core package on which MOSIP services are built upon and is a platform, which provides higher-level services and functions that shall be reused by other modules of MOSIP.

Kernel provides a foundation to build and run the services by providing several significant necessary technical functions. Kernel makes it easy to build the higher-level services (domain services, batch services and core services) by taking care of fundamental features so that individual services are concerned with specific business functions. Kernel provides an active framework that ensures structure and rules within which the higher-level services operate.

Kernel automation works with Restful and Java API’s.

The test execution module of the Kernel module involving API’s is as depicted below

4.1.2 Pre-requisites for understanding Java API automation

Knowledge on Java 8
Basic knowledge on Rest assured tool
Knowledge on Maven
Knowledge on TestNg framework
Knowledge on GitHub
Good analytical and debugging skill

4.1.3 Procedure to check out the test code from the repository

Create a workspace in the local system
Open git bash in the workspace
Enter the command :- git clone https://github.com/mosip/mosip-functional-tests.git
MOSIP project shall be cloned
Import the “automationtests” project into the eclipse.

4.1.4 Pre-configuration information prior to test run

None

4.1.5 Procedure to Add new test cases into the API test suite

From the automationtests project, the test suites and cases can be located in the folder [src/main/resources]
Every API tests structure (model, api name and test case) are stored in a folder/sub-folder approach. Let us take an example of “Email Notification service” and explain how to add a new test

Every test case will have 2 json files named [request.json and response.json] in its sub-folder as shown below

In the request.json file, we need to mention the input that needs to be send to the API and response.json file contains the expected result for that particular input.

Based on the test cases, we need to add the test case folders with request and response files.

The readTestCases method from TestCaseReader class will read the folder names and give the test case names and readRequestResponseJson method from TestCaseReader class will read the request and response files from the tests.

4.1.6 Procedure to execute or Run the tests on a new environment

To run the automation suite of Kernel you will need an xml file named [testngKernel.xml], which will be available under [src/main/resources].
Add what are the test need to run in that xml file.
Add the path of the xml file in pom.xml file under maven surefire plugin.

4.1.7 Running a test suite

Right click project
Select “Run as configuration”
Under configuration select Maven build and create new maven build
Select current project as workspace
Pass the below commands in the Goals:
Command: clean install -Denv.user= <required environment> -Denv.endpoint=<application URL> -Denv.testLevel=<test level>
where,
- Required Environment- In which environment the suite needs to run. (Ex: qa, dev, int)
- Test Level- Type of tests like (Ex: smoke, regression, smokeAndRegression)

Here regression means all tests other than smoke tests.

Select or Click the button “RUN”
Once the execution is completed, Test report will be generated in target/surefire-reports folder with the name MOSIP_ModuleLevelAutoRun_TestNGReport.html

4.1.8 Analyze the test reports

Open the report in Internet Explorer
The report will give the module name, total number of test case execution with pass, skipped and fail count
Report will provide the build version and also execution time
Report will show API name and corresponding test case names with execution time
For failed test cases, it will show the cause of failure

4.2 Pre-Registration Test Automation Suite - User Guide

4.2.1 About the Pre-Registration Module

This is the web channel of MOSIP, which facilitates capturing individual information, relevant documents and booking an appointment with a registration center. This helps to reduce registration time and optimize the process. The current web application is highly modular by design and with multi language support. This UI can be customized or modified as per the country's requirements. A country can also build a new web/mobile application on top of the back end services that MOSIP provides.

The test execution work-flow for the module Pre-Registration involving Rest API’s is as depicted below:

4.2.2 Pre-requisites for understanding Java API automation

Knowledge on Java 8
Knowledge on Rest services
Knowledge on maven
Good analytical and debugging skill

4.2.3 Procedure to checkout-out the test code from the repository

Navigate to git repository.
Copy URI
Open Git Bash
Clone repository(git clone “URI”)

4.2.4 Pre-configuration information prior to test run

None

4.2.5 Procedure to Add new test cases into the API test suite

From the code repository of the module, the test suites and cases can be located in the folder [src/main/resources]
Every API tests structure (test suite and test case) are stored in a folder/sub-folder approach. Let us take an example of “Create_PreRegistration” and Here you can see Create_PreRegistration is the suite name and inside that we have list of test cases.
To add new test case we need to create a folder inside test suite folder. You can give folder name same as test case name
Every test case name we need to add Create_PreRegistrationRequest.json file
In the Create_PreRegistartionRequest.json file, we need to mention all folder name(Test Case Name). When we run any class, then it will pick request body from folder and it will pick expected response. We will take request body, as input and it will give response (Actual Response). For Validation, we are doing JSON to JSON comparison.
In Pre-Registration module, we have created on class called PreRegistrationLibrary, which is present in io.mosip.util package. In this class, we have created all reusable method, which is used, in Pre-Registration module.

E.g. To book an appointment first we need to create an application, upload document, and then book appointment. Here for each operation we have created one method.

4.2.6 Procedure to execute or Run the tests on a new environment

To run the automation suite of Pre-Registration module you will need an xml file named [Pre-Registration_TestNG.xml], which will be available under [src/main/resources]. In this xml file we need to add class name which we want to run.

4.2.7 Running a test suite

Procedure to execute the [Reg-automation-service_TestNG.xml] xml File:

Right click the xml file Pre-Registration_TestNG.xml
Select “Run as configuration”
Run as Maven
Select workspace(${workspace_loc:/automationtests})
In Goal Pass environment name,Base URI and type of test case you want to run(smoke or regression)

Here,

Denv.user indicates environment name.
Denv.endpoint indicates base URI
Denv.testLevel indicates types of test case we want to run
Select or Click the button “RUN”
Test Suites execution will commence.
Test report will be stored in [surefire-report] folder under the base directory/project

4.2.8 Running a single test case

Right click on class, which you want to run.
Click on run as
Click on testing
Select class
In VM argument pass -Denv.user=qa -Denv.endpoint="eg:https://testenvname.mosip.io" -Denv.testLevel=smokeAndRegression

4.2.9 Analyze the test reports

Once run is complete, then refresh project and go to target/surefire folder.
Open MOSIP_ModuleLevelAutoRun_TestNGReport.html report.
To analyze failure test case check exception message.

4.3 Registration Client Test Automation Suite - User Guide

4.3.1 About the Registration Client Module

An important client interface module of MOSIP, which captures the Biometric and Demographic information of the Individual resident. This module also stores supporting information such as proof documents and information about the guardian or introducer as per the configuration set by the Admin. The packet creation is finished in this module in a secure way using sophisticated encryption algorithm and later send to the server for online mode of processing. The registration client test suites comprises of tests related to UI and Java API’s.

The test execution module of the Registration client module involving Java API’s is as depicted below

4.3.2 Pre-requisites for understanding Java API automation

Knowledge on Java 8
Basic knowledge on Spring services and should know annotations
Knowledge on maven
Good analytical and debugging skill

4.3.3 Procedure to check out the test code from the repository

Instruction to checkout code from GitHub using Eclipse.

Open eclipse
Go to quick access and search “clone git”

A pop up will appear in that enter the URI, Host and Repository path as same as below. Pass your GitHub username and password and click on next.
Search the branch name, select it, and then click next. Our latest branch name as link.
Browse the directory to pull the code.
Now the code will be in eclipse git repository. Import the required project to the workspace. For registration client automation, we want to import kernel and registration projects.

4.3.4 Pre-configuration information prior to test run

None

4.3.5 Procedure to Add new test cases into the API test suite

From the code repository of the module, the test suites and cases can be located in the folder [src/test/resources]
Every API tests structure (test suite and test case) are stored in a folder/sub-folder approach. Let us take an example of “Email Notification service” and explain how to add a new test
Every test case will have a configuration property file named [condition.properties] in its sub-folder as shown below
In this condition.properties file, we need to mention the parameter type that needs to be sent to the API. [valid] indicates the value passed is a correct/right data and [invalid] indicates the data being sent is an incorrect/wrong data.(we can also check the parameter behavior for the empty and space also, for that we can pass the value as space and empty respectively in condition.properties) This information has to be entered for every field/parameter that the API consists.

Based on values set inside the condition.properties file test cases will fetch the data from yaml file and then call a data generator code internally which shall add meaningful right or incorrect values as test data into these variables. More information on the Yaml file can be found under appendix

4.3.6 Procedure to execute or Run the tests on a new environment

To run the automation suite of Registration Client module you will need an xml file named [Reg-automation-service_TestNG.xml], which will be available under [src/test/resources].

4.3.7 Running a test suite

Procedure to execute the [Reg-automation-service_TestNG.xml] xml File:

Right click the xml file Reg-automation-service_TestNG.xml
Select “Run as configuration”

Under configuration select [TestNG] and pass the VM argument as

-Dspring.profiles.active=required environment (which could be either of QA or INT or DEV) 
-Dmosip.dbpath=DB path 

DB path – this is the local DB path where all the sync happens and other data’s get updated while running the code. The empty DB name is available in /registration/registration-libs/src/main/resources/db/reg . We are copying this empty DB in our project and passing as vm argument while running the code.

-Dmosip.registration.db.key=DB key path

Sample representation of the VM argument is as below:

-Dspring.profiles.active=qa  
-Dmosip.dbpath=reg 
-Dmosip.registration.db.key=D:\keys.properties

Select or Click the button “RUN” Test Suites execution will commence.
Test report will be stored in [test-output] folder under the base directory/project

4.3.8 Appendix

1. Java API

Java application programming interface (API) is a list of all classes that are part of the Java development kit (JDK). An application-programming interface (API), in the context of Java, is a collection of prewritten packages, classes, and interfaces with their respective methods, fields and constructors.

For more detail, refer to the link

2. Yaml master data file

Yaml file is the master data set for testing the API, Sample Mater Data set is as below:

3. How to increase the data coverage inside Yaml file?

To increase the data coverage we can add as many as test data’s into the Yaml file

4. Any dependencies of values in the Database

None

4.4 Registration Processor Test Automation Suite - User Guide

4.4.1 About The Registration Processor Module

Registration Processor processes the data (demographic and biometric) of an Individual for quality and uniqueness and then issues a Unique Identification Number (UIN). The source of data are primarily from

MOSIP Registration Client
Existing ID system(s) of a country

The workflow of testing or running the test suite of the available API’s And Stages is as depicted below

4.4.2 Pre-requisites for understanding Rest API automation

Knowledge on Core Java
Basic knowledge on Rest assured library
Knowledge on Maven
Knowledge on TestNg framework
Knowledge on Keyword, Data Driven and Hybrid methodology
Knowledge on GitHub
Good analytical and debugging skill

4.4.3 Procedure to checkout-out the test code from the repository

Launch eclipse with new or existing workspace
Clone project from link
Import the automationtests project into the eclipse.

4.4.4 Procedure to Add new test cases into the API test suite

Case 1: For API Level Testing

From the automationtests project, the testdata can be located in the folder [src/main/resources]
Every API tests structure (model, api name and test case) are stored in a folder/sub-folder approach. Let us take an example of “Sync Api Service” and explain how to add a new test

Case 2: For Stage Level Testing

From the automationtests project, the testdata can be located in the folder [src/main/resources]
Every stage can be tested by feeding negative packets to the system and expecting them to fail for the particular stage. Let us take the example of “OSI Validation Stage”
A sample property file looks like as follows:
The reg proc automation suite will tweak the values in a valid packet and will generate packets for the above attributes sequentially.
There is one more file “StageBits.properties” which has a stage string. The string is used to construct the status string for a packet. For eg if stage string is “111110000” it means that packet should go through first five stage and should fail for last 4 stages.

4.4.5 Procedure to execute or Run the tests on a new environment

To run the automation suite of Reg-Proc, build the project and get the uber jar generated under target.
Run the jar using the command line “java -Denv.user= -Denv.endpoint= -Denv.testLevel= -jar ”
Example: java -Denv.user=qa -Denv.endpoint="eg:https://testenvname.mosip.io" -Denv.testLevel=smokeandregression -jar automationtests-refactor-0.9.1-jar-with-dependencies.jar
Note: env = qa,dev,int | testLevel=smoke,regression,smokeandregression
Report will be generated under “< workspace >/testing-report.

4.4.6 Analyze the test reports

Report can be opened in any Web browser (i.e. Internet Explorer)
The report will consist of module name, total number of test case executed with status as either pass, skipped and fail and their count.
Report will also display API name and corresponding test case names with execution time along with build version and execution time.
For detailed analysis, refer logs or default testing-report and for failed test cases, the related cause of failure will be highlighted.

4.5 ID Authentication (IDA) Test Automation Suite - User Guide

4.5.1 About the ID-Authentication

MOSIP ID Authentication provides an API based authentication mechanism for entities to validate Individuals. ID Authentication is the primary mode for entities to validate an Individual before providing any service.

An example of how this service will work is as depicted below

The workflow of testing or running the test suite of the available API’s is as depicted below

4.5.2 Pre-requisites for understanding Rest API automation

Knowledge on Core Java
Basic knowledge on Rest assured library
Knowledge on Maven
Knowledge on TestNg framework
Knowledge on Keyword, Data Driven and Hybrid methodology
Knowledge on GitHub
Good analytical and debugging skill

4.5.3 Procedure to checkout-out the test code from the repository

Launch eclipse with new or existing workspace
Clone project from link
Import the automationtests project into the eclipse.

4.5.4 Procedure to Add new test cases into the API test suite

From the automationtests project, the testdata can be located in the folder [src/main/resources]
Every API tests structure (model, api name and test case) are stored in a folder/sub-folder approach. Let us take an example of “Demo-Address Authentication service” and explain how to add a new test
Pre-requisites: open runConfiguration.properties file
Add the following two lines which represents your test case; one for the folder location and another on the test data as below, the array [X], where “X” represents the number of times this tests shall be repeated with different test data
An example: DemographicAuthentication.testDataPath[6]=ida/TestData/Demo/Name/
DemographicAuthentication.testDataFileName[6]=testdata.ida.Demo.Name.mapping.yml
If you want to remove a test, kindly comment the relevant line in this file before the execution of TestNG runner class
Configuration Setup for creating the request Json file:
Please use the TestData keyword defined under in appendix for creating your request.json file. The provided keywords are sufficient for testing the ID Authentication module, however If you ever need you can add an additional attribute to the end of this list

Sample structure of the request.JSON file, which is being created at run time using the attributes defined in the TestData, which reads from the Yaml data file:

4.5.5 Procedure to execute or Run the tests on a new environment

To run the automation suite of ID-Authentication, build the project and get the uber jar generated under target.
Run the jar using the command line “java -Denv.user= -Denv.endpoint= -Denv.testLevel= -jar ”
Example: java -Denv.user=qa -Denv.endpoint="eg:https://testenvname.mosip.io" -Denv.testLevel=smokeandregression -jar automationtests-refactor-0.9.1-jar-with-dependencies.jar
Note: env = qa,dev,int | testLevel=smoke,regression,smokeandregression
Report will be generated under “/testing-report

4.5.6 Analyze the test reports

Report can be opened in any Web browser (i.e. Internet Explorer)
The report will consist of module name, total number of test case executed with status as either pass, skipped and fail and their count.
Report will also display API name and corresponding test case names with execution time along with build version and execution time.
For detailed analysis, refer logs or default testing-report and for failed test cases, the related cause of failure will be highlighted.

4.5.7 Annexure

Yaml Test Data Format:

The sample structure should be like below:

TestData Keyword repository:

Keywords

KeywordName/Purpose

Example

$TIMESTAMPZ$

To generate current timestamp with UTC format

2019-06-20T16:18:08.008Z

$TIMESTAMP$

To generate current timestamp with timezone format

2019-06-20T16:18:08.008+05:30

$TIMESTAMP$HOUR+24
$TIMESTAMP$HOUR-24
$TIMESTAMP$MINUTE+23
$TIMESTAMP$MINUTW-56
$TIMESTAMP$SECOND+145
$TIMESTAMP$SECOND-123

To generate future or current timestamp

$RANDOM:N:10$

To generate random digit for the given number

$RANDOM:N:10$
$RANDOM:N:3$
$RANDOM:N:14$

$UIN$

To get random UIN number from uin.property file

$UIN$:WITH:Deactivated#

To get uin number from uin.property file where value contains Deactivated

$VID$

To get random VID from vid.property file where type as perpetual and status as ACTIVE

$VID:WITH:Temporary$
$VID:WITH:REVOKE$

To get random VID from vid.property file where value contains Temporary or Revoke

$VID:WHERE:UIN:WITH:VALID$

To get the VID from vid.property where uin.property value contains specified keyword after “WITH:”

$TestData: indvId_Vid_valid$
$TestData: bio_finger_LeftIndex_subType$
$TestData:bio_face_deviceCode$

To get the random value form the list in the authenticationTestData.yml file.

$input.bio-auth-request : AuthReq.transactionID$

To get the already assigned for the files

input.filename1: mappingName1: value1 mappingName2: value2
ouput.filename2: mappingName3:
$ input.filename: mappingName2$
where mappingName3 has set as value2

$errors:RevokedVID:errorCode$
$errors:InactiveVID:errorCode$

Get error code for the mentioned key “RevokedVID” from the errorCodeMsg.yml file.

$errors:InactiveVID:errorMessage$
$errors:RevokedVID:errorMessage$

Get error message for the mentioned key “RevokedVID” from the errorCodeMsg.yml file.

$idrepo ~ $input.bio-auth-request : AuthReq.individualId$ ~ DECODEFILE: individualBiometricsValue ~ //BIR/BDBInfo[Type = 'Finger'][Subtype = 'Left IndexFinger']//following::BDB$
$idrepo ~ $input.bio-auth-request : AuthReq.individualId$ ~ DECODEFILE: individualBiometricsValue ~ //BIR/BDBInfo [Type= 'Face']//following::BDB$

To get biometric value for the UIN using cbeff File. It is combination of above listed keyword.

Where $idrepo -> keyword mandatory at start.
$input.bio-auth-request : AuthReq.individualId$ -> get the value from the previously mentioned field
individualBiometricsValue -> Mapping name in UINMapping/mapping.property
//BIR/BDBInfo[Type = 'Finger'][Subtype = 'Left IndexFinger']//following::BDB -> cbeff xpath, where in this location biovalue will be saved for Left IndexFinger

$idrepo~$input.demo-auth-request: AuthReq.individualId$ ~ valueaddressLine1: langcode: TestData: primary_lang_code$
$idrepo~$input.demo-auth-request: AuthReq.individualId$ ~ valuecity: langcode: TestData: secondary_lang_code$

To get demographic data for the UIN and language.
Where $idrepo -> keyword mandatory at start.
$input.demo-auth-request: AuthReq.individualId$ -> get the value from the previously mentioned field
valueaddressLine1 -> Mapping name in UINMapping/mapping.property
TestData: primary_lang_code -> keyword to get language code from the authenticationTestData.yml

4.6 E2E Test Automation Suite - User Guide

4.6.1 About The End To End Test Rig

End to end system level Test Rig covers the functionality across the modules starting with Pre-Registration and ending in Registration Processor or IDA.

The below diagram depicts the overall design of the end to end suite.

4.6.2 Pre Requisite To Understand The Flow Of E2E Test Rig

Knowledge on Core Java
Basic knowledge on Rest assured library
Knowledge on Maven
Knowledge on TestNg framework
Knowledge on Keyword, Data Driven and Hybrid methodology
Knowledge on GitHub
Good analytical and debugging skill

4.6.3 Procedure to checkout-out the test code from the repository

Launch eclipse with new or existing workspace
Clone project from link
Import the e2etestrig project into the eclipse.

4.6.4 Basic Code Structure Of The E2E Rig

The E2E rig is a basic parent child maven project
It contains 5 child project which are as follows:
- Pre Registration which will generate list of Pre-IDs
- Registration Client which will generate list of packets.
- Registration Processor which will generate UIN for the packets.
- IDA to perform authentication.
- E2E to consume the above projects
A basic code structure looks as follows:

4.6.4.1 A Code Structure For E2E run

The E2E code has the following prerequisite

Under src/test/resources we should have an input.json which contains a data to generate the list of preIDs.
All the module level suites should be up and running.
A sample pom for e2e looks like the following:

The pre Reg Automation has the following pre Requisite :
1. It should have an input.json file which will conation info about the adults and children against whom the preIDs are being generated.
The Reg Client Automation has the following pre Requisite:
1. The pre Reg Automation Should have run.
2. A json file with a list of preIds must have been generated.
The reg Proc Automation has the following pre Requisite:
1. The reg Client and pre Reg automation should have run.
2. A list of packets must have been generated.
The IDA automation has the following pre Requisite :
1. The regProc,reg Client,Pre Reg automation should have run.
2. A list of uin should be present as a property file under src/main/resources which is generated by regProc.

4.6.5 Procedure to execute or Run the tests on a new environment

To run the automation suite simply select the “EndToEndRun.java” class under the package “io.mosip.e2e.runner”.
Report will be generated under “/testing-report.

4.6.6 Analyze the test reports

Report can be opened in any Web browser (i.e. Internet Explorer)
The report will consist of total number of test case executed with status as either pass, skipped and fail and their count.
Report will also display applicant type and corresponding test case names with execution time along with build version and execution time.
For detailed analysis, refer logs or default testing-report and for failed test cases, the related cause of failure will be highlighted.

4.6.7 Limitations for the test rig

The rig is designed to run for only 5 packets.
The rig should run on a particular version of each module.

Sandbox Installer

Overview

The Sandbox is a safe environment isolated from your PC's underlying environment. You may use the sandbox to execute files without having to worry about malicious files or unstable programs impacting data on the system.

System Requirement

This section describes handy information that is useful to know when operating the Sandbox Installer which is tested under mentioned configuration.

Component

Number of VMs

Configuration

Persistence

Console

4 vCPU*, 16 GB RAM

128 GB SSD**

K8s MZ master

4 vCPU, 8 GB RAM

32 GB

K8s MZ workers

4 vCPU, 16 GB RAM

32 GB

K8s DMZ master

4 vCPU, 8 GB RAM

32 GB

K8s DMZ workers

4 vCPU, 16 GB RAM

32 GB

*vCPU: Virtual CPU

** Console has all the persistent data stored under /srv/nfs. Recommended storage here is SSD or any other high IOPS disk for better performance

Introduction

The Multi-VM Sandbox Installer is a fully automated deplorer that incorporates all MOSIP modules into a virtual machine cluster that can be either cloud or on premise.

The sandbox can be used for development and testing, while the Ansible scripts run MOSIP on a multi-virtual machine (VM) setup.

Caution - The sandbox is not intended for use by serious pilots or for production purposes. Also, do not run the sandbox with any confidential data.

Minibox

In Minibox, note that for any form of load or multiple pod replication scenarios, this may not be sufficient. It is possible, however, to enable the feature to bring up MOSIP modules with lesser VMs as below:

Component

Number Of VMs

Configuration

Persistence

Console

4 vCPU*, 16 GB RAM

128 GB SSD

K8s MZ master

4 vCPU, 8 GB RAM

32 GB

K8s MZ workers

4 vCPU, 16 GB RAM

32 GB

K8s DMZ master

4 vCPU, 8 GB RAM

32 GB

K8s DMZ workers

4 vCPU, 16 GB RAM

32 GB

Precondition

Terraform is a tool to securely and efficiently develop, edit, and update infrastructure. Using Terraform scripts available in _terraform/._the initial installation stage is achieved. AWS scripts are being used and maintained at present.

It is strongly recommended that the scripts be analyzed in depth before running them.

Virtual Machines (VMs) Setup

Before, MOSIP modules installation process that runs on a preset time or when a predefined condition, need to have VMs set up on all Machines. The user must ensure if the CentOS 7.8 OS is installed on all the machines:

Create user 'mosipuser' on console machine with password-less sudo su
The hostname must match hostnames in hosts.ini on all machines. Set the same with
```
$ sudo hostnamectl set-hostname <hostname>
```
Enable Internet access on all machines
Disable firewalld on all machines
Exchange ssh keys between console machines and K8s cluster machines so that ssh is password-less from console machines:
```
$[[email protected]] ssh root@<any K8s node>
$[[email protected]] ssh [email protected]
```
Make the console machine available via a public domain name (e.g. sandbox.mycompany.com)
(When you do not intend to access the sandbox externally, this step can be skipped)
Ensure the date/time is in UTC on all machines
Open ports 80, 443, 30090 (postgres), 30616 (activemq), 53 (coredns) on console machine for external access
Make sure your firewall doesn't block the UDP ports (s)

Software Prerequisites

To ensure proper installation, install these pre-requisites manually:

Git
Git Clone
Ansible

On the Installation Options, click git to install on your machine:

$ sudo yum install -y git

In User Home Directory, select Git Clone and switch to appropriate branch:

$ cd ~/
$ git clone https://github.com/mosip/mosip-infra
$ cd mosip-infra
$ git checkout 1.1.2
$ cd mosip-infra/deployment/sandbox-v2

Install Ansible and create shortcuts:

$ ./preinstall.sh
$ source ~/.bashrc

Sandbox Architectural View

Installing MOSIP

This section helps you to plan an installation of MOSIP suited to your environment. Before installing MOSIP, it is recommended that the scripts be analyzed in depth before running them.

Site Settings

Suited to your configuration, update hosts.ini. Make sure your configuration matches the system names and IP addresses
In group_vars/all.yml change sandbox_domain_name to domain name of the console machine
By default, installation scripts will try to fetch Letsencrypt's new SSL certificate for the above domain. If you already have the same, however, then set the following variables in the file group group_vars/all.yml:

ssl:
get_certificate: false
email: ''
certificate: <certificate dir>
certificate_key: <private key path>

Network Interface

It is the interconnection between a computer and a public or private network. If it is other than “eth0” by your cluster machines, update it to group_vars/k8s.yml

network_interface: "eth0"

Ansible Vault

In the Ansible vault _secrets.yml_file, all the secrets (passwords) used in automation are stored. To access the file, the default password is 'foo'. Changing this password with the following command is recommended:

$ av rekey secrets.yml

The contents of secrets.yml can be viewed and edited based on following command:

$ av view secrets.yml
$ av edit secrets.yml

Install MOSIP

When this equipment is connected to your machine it allows you to install MOSIP modules using command:

$ an site.yml

If a message prompting you for password, enter default vault password "foo" to proceed installation.

MOSIP Configuration

This section provides the following major sections to describe how to configure and verify the proper interface. The sandbox installs with default general configuration. To configure MOSIP differently, refer to the following sections:

DNS
Local docker registry
Private dockers
Sandbox access
Secrets
Config server
Pre-Reg captcha
OTP
Master data
Pod replication
Taints
TPM
Pre-Registration Schema
Registration client

Domain Name System (DNS)

DNS translates human readable domain names to machine readable IP addresses. A private DNS (CoreDNS) is mounted on the console machine by default, and /etc/resolv.conf refers to this DNS on all machines.

However, if you want to use DNS cloud providers (like Route53 on AWS), disable the installation of a private DNS by setting the following flag:

group_vars/all.yml:
    coredns:
      enabled: false  # Disable to use Cloud provided DNS

Ensure your DNS routing is taken care of by your cloud deployment. Uncomment the Route53 code for AWS in the scripts given in the:

terraform/aws/sandbox

The corends.yml ``playbook configures the CoreDNS and updates the /etc/resolv.conf file for all devices. If a system needs to be restarted, re-run the playbook to restore /etc/resolv.conf.

Local Docker Registry

This part contains information about hosting your own registry using the Local Docker Registry.

Local Registry on Console

Instead of using the default Docker Hub, you may run a local Docker registry. This is particularly useful when the Kubernetes cluster is sealed for protection on the Internet. With this sandbox, a sample Docker registry implementation is available, and you can run the same by triggering the following in group_vars/all.yml.

    docker:
      local_registry:
        enabled: true
        image: 'registry:2'
        name: 'local-registry'
        port: 5000

Notice that this register is running on the computer on the console and can be accessed as console.sb:5000. Control is through http and not through https.

Ensure that in this registry you pull all the appropriate Dockers and update versions.yml.

Caution: If you delete/reset this registry or restart the console computer, all the registry contents will be lost and the Dockers will have to be removed again.

Additional Local Registries:

If you wish to have additional local registries for Dockers, then list them here:

    docker:
      registries:
        - '{{groups.console[0]}}:{{local_docker_registry.port}}'   # Docker registry running on console

The list here is necessary to ensure that http access from cluster machines is allowed for the above registries.

Private Dockers

When you set up a private registry, you assign a server to communicate with Docker Hub over the internet. If you are pulling Dockers in Docker Hub from the private registry, then provide secrets.yml with the Docker Hub credentials and set the following flag in:

group_vars/all.yml

Update with versions.yml your Dockers versions.

Sandbox Access

When installing the default Sandbox, you must have a public domain name, so that the domain name refers to the console computer. However, if you want to access your internal network's Sandbox (for example via VPN), set the following in group_vars/all.yml:

    sandbox_domain_name: '{{inventory_hostname}}'
    site:
      sandbox_public_url: 'https://{{sandbox_domain_name}}'
      ssl:
        ca: 'selfsigned'   # The ca to be used in this deployment.

A self-signed certificate is created and the sandbox access URL is https://{{inventory hostname}}'

Secrets

All secrets are stored in secrets.yml. Edit the file and change all of the passwords for a secure Sandbox. For creation and testing, defaults will be used, but be aware that the sandbox will not be secure with defaults. In order to edit secrets.yml.

$ av edit secrets.yml

If you update PostGres passwords, you will need to update their ciphers in the property files. See the section below on Config Server. To be able to find out the text password, all the passwords used in. properties were added to secrets.yml- some of them for purely informational purposes.

Caution : Make sure that secrets.yml is updated when you change any password in. properties.

Config Server

Config server is one of the more popular centralized configuration servers used in a micro service-based application. For all modules, configurations are defined through property files located in the GitHub repository. For example, for this sandbox, the properties are located within the sandbox folder at https://github.com/mosip/mosip-config.

You can have a repository of your own with a folder containing files for properties. On GitHub, the repo will be private. In group vars/all.yml, configure the following parameters as below (example):

config_repo:
  git_repo_uri: https://github.com/mosip/mosip-config
  version: 1.1.2
  private: false
  username: <your github username>
  search_folders: sandbox
  local_git_repo:
    enabled: false

If private: true, then, in group vars/all.yml, update your GitHub username as above. Please change the password to secrets.yml:

config_repo:
    password: {YOUR GITHUB PASSWORD}

The repo is cloned to the NFS mounted folder if local git repo is allowed, and the config server pulls the properties locally. This option is useful if the sandbox is secured without access to the Internet. You should search git-in locally for any changes. Remember, however, that you will have to push them manually if you want the changes to be reflects in the parent GitHub repo. When making improvements to the configuration repo, there is no need to restart the config-server pod.

If you have updated the default passwords in secrets.yml, create these password ciphers and update the changed password property files. After the config server is up, the ciphers can be created from the console machine using the following curl command:

$  curl http://mzworker0.sb:30080/config/encrypt -d  <string to be encrypted>

The above command connects via input to the Config server pod of the MZ cluster. You may also use the script to encrypt all the secrets at once by the following methods:

Context:

Several secrets are required in Ansible's secrets.yml in the config server property files. We use config server encryption to encrypt the secrets in order to prevent explicit text secrets in properties using the following command:

curl http://mzworker0.sb:30080/config/encrypt -d  <string to be encrypted>

The script here converts all secrets in secrets.yml using above command implemented in Python.

Prerequisites:

Install required modules using
```
$ ./preinstall.sh
```
Ensure config server is running
```
Config
```
Set the server URL in config.py
If the URL has an HTTPS certificate and the SSL server is self-signed, set
```
  ssl verify=False
```
Run the following command:
```
$ ./convert.py {secrets_file_path}
```
In this sandbox secrets_file_path is /home/mosipuser/mosip-infra/deployment/sandbox-v2/secrets.yml
Output is saved in out.yaml.

Pre-Reg Captcha

Captcha protects your website from fraud and abuse. It uses an advanced risk analysis engine and adaptive challenges to keep malicious software.

Get Captcha for the sandbox domain from "Google Re-captcha Admin" if you would like to allow Captcha for Pre-Reg UI. Get reCAPTCHA v2 keys for "I'm not a robot"

Set Captcha as:

google.recaptcha.site.key=sitekey
google.recaptcha.secret.key=secret

OTP Setting

As below, to receive OTP (one-time password) over email and SMS set properties:
- SMS
  - File:
    kernel-mz.properties
Properties:
kernel.sms
Email
- File:
  kernel-mz.properties

Properties

mosip.kernel.notification.email.from=emailfrom
spring.mail.host=smtphost
spring.mail.username=username
spring.mail.password=password

You may want to run MOSIP in Proxy OTP mode if you do not have access to Email and SMS gateways, in that case you can skip Proxy OTP Settings.

To run MOSIP in Proxy OTP mode set the following:

  Proxy:
      File: application-mz.properties
      Properites:
          mosip.kernel.sms.proxy-sms=true
          mosip.kernel.auth.proxy-otp=true
          mosip.kernel.auth.proxy-email=true

Note : The default OTP is set to 111111.

Master Data

Before you start installing the sandbox, load country-specific master data:

Ensure the Master Data .csv files are available in a folder, say my_dml

Add the following line in group_vars/all.yml ``-> databases -> mosip_master

      mosip_master:
      sql_path: '{{repos.commons.dest}}/db_scripts'
      dml: 'my_dml/'

Pod Replication

For production setups you may want to replicate pods more than the default replication factor of 1. Upgrade podconfig.yml to the same file. A separate production file can be generated and pointed to from group vars/all.yml ``--> podconfig file.

Taints

A taint allows a node to refuse pod to be scheduled unless that pod has a matching toleration. Kubernetes offers the functionality of taints to run a pod solely on a node. This is especially useful during performance tests where you would like to assign different nodes to non-MOSIP components.

By default, in the sandbox, taints are not added. The following modules have been provided with provisions to allow taints for:

Postgres
Minio

HDFS

Set the following in group vars/all.yml to allow taint. EXAMPLE:

postgres:
  ...
  ...
  node_affinity:
      enabled: true # To run postgres on an exclusive node
      node: 'mzworker0.sb' # Hostname**. Run only on this node, and nothing else should run on this node
  taint:
      key: "postgres" # Key for applying taint on node
      value: "only"

The node here is the machine on which you would like to exclusively run the module.

Ensure the above setting is done before you install the sandbox.

TPM for Reg Client

By default, the sandbox installs a disabled Trusted Platform Module (TPM) Reg Client Downloader.

Reg Client Downloader:

    #Playbook
    to install
    reg-client
    downloader
        #Inputs:
        #kube_config
        #prepare folder on nfs
        -hosts:console
        gather facts:true
        vars:
            reg_prop: '{{reg_client}}'
        roles:
        -{role: reg-client-prep}

Convert helm template to helm values:

    - hosts: console
        vars:
        kube_config: '{{clusters.dmz.kube_config}}'
        install_name: 'reg-client-downloader' 
        helm_chart: '{{charts_root}}/reg-client-downloader'
        is_template: true
        helm_namespace: 'default'
        helm_values: '{{charts_root}}/reg-client-downloader/values.template.j2'
        helm_strings: ''
        roles:
            - {role:  helm}

To enable TPM to use trusted private/public Reg client machine private/public keys, do the following:

Update the registered client downloader TPM environment variable:

 File: helm/charts/reg-client-downloader/values.template.j2
 Change:
 tpm: "Y"

If, before installing the sandbox, you have done the above, then you may skip this step. Otherwise, if the downloader reg client is already running on your sandbox, delete it and restart as follows:
```
$ helm2 delete reg-client-downloader
```
(Wait for all resources to get terminated)

    $ sb
    $ an playbooks/reg-client-downloader.yml

Add the name and public key in MOSIP-master/machine-master and MOSIP-master/machine-master table of the registered client machine in DB. Using TPM Utility, you can get your machine's public key

    **TPM Utility**:

Utility to obtain public TPM keys along with the name of the computer

Prerequisites:

Requires Java 11

Build:

    $ mvn clean install

Run:

    $ java -jar tpmutility-0.0.1.jar

(Use jar-with-dependencies to run under target folder)

    Sample Output:
    {"machineName" : "S540-14IWL", "publicKey" : "AAEACwACAHIAIINxl2dEhLP4GpDMjUal1yT9UtduBlILZPKh2hszFGmqABAAFwALCAAAAQABAQDiSa_AdVmDrj-ypFywexe_eSaSsrIoO5Ns0jp7niMu4hiFIwsFT7yWx2aQUQcdX5OjyXjv_XJctGxFcphLXke5fwAoW6BsbeM__1Mlhq9YvdMKlwMjhKcd-7MHHAXPUKGVmMjIJe6kWwUWh7FaZyu5hDymM5MJyYZRxz5fRos_N9ykiBxjWKZK06ZpIYI6Tj9rUNZ6HAdbJH2RmBHuO0knpbXdB-lnnVhvArAt3KWoyH3YzodHeOLJRe_Y8a-p8zRZb5h1tqlcLgshpNAqb-WJgyq2xDb0RJwzuyjjHPmJrDqlBMXHestz-ADRwXQL44iVb84LcuMbQTQ1hGcawtBj", "signingPublicKey": "AAEABAAEAHIAAAAQABQACwgAAAEAAQEAw6CuS_sekZ02Z9_N3zz1fK_V3wm01PBcFM0nURerczjO2wqIxfmXpQQql3_S819nj_MwtkZ8K2ja0MRUJzJrmmbgBreFIGTa7Zhl9uAdzKghAA5hEaXV1YcxIl8m72vZpVX_dgqYzU8dccfRChsA-FxkVe5DCr_aXjVOUHjeXZRhQ1k-d7LzpBPVz-S69rx6W3bbxaZfV25HM93Hfm5P4aarYy0Wt0fJvv-Lmbyt0SIZFOQkYS8coW0-u8OiXm3Jur2Q8pu16q4F-Qpxqym-ACBFIsbkSCngQ_y4zGniK7WnS-dCSVhC-x1NscCq3PyXhoJOjSOdNqUkDX606Ic3SQ", "keyIndex": "BD:11:54:33:44:F9:5A:0B:B5:A6:B3:C1:F7:A8:28:47:0E:AA:20:21:01:16:37:89:D1:9C:8D:EC:96:5D:F5:A6", "signingKeyIndex": "41:EB:7E:7F:4F:A9:24:55:4C:5F:AB:3A:94:81:CF:75:C2:0B:92:DF:9B:89:47:D1:AD:B0:84:7A:F7:65:6A:88"}

Machine Master Table:

The publicKey, signingPublicKey, keyIndex and signingKeyIndex - all of them to be populated in the machine_master table of mosip_master DB.

Download the registered client from https://{{sandbox domain name}}/registration-client/1.1.3/reg-client.zip

Configure Pre-Reg for ID Schema

The sandbox comes with its default ID Schema (in Master DB, identity_schema table) and Pre-Reg UI Schema pre-registration-demographic.json. In order to use different schemas, do the following:

Ensure new ID Schema is updated in Master DB, identity_schema table
Replace mosip-config/sandbox/pre-registration-demographic.json with new Pre-Reg UI Schema

Map values in pre-registration-identity-mapping.json to pre-registration-demographic.json as below:

      {
  "identity": {
      "name": {
          "value":< id of name field in your demograhic json >
          "isMandatory" : true
      },\
      "proofOfAddress": {
          "value" : < id of proof of address field in your demographic json>
      },
      "postalCode": {
           "value" : <  id of postal code field in your demographic json>
      }
  }
  }

Update the following properties in pre-registration-mz.properties preregistartion.identity.name=< identity.name.value (above)> preregistration.notification.nameFormat=< identity.name.value>
Restart the Pre-Reg Application service

Registration Client with Mock MDS and Mock SDK

Download Reg Client:

Download zip file from:

https://{sandbox domain name}/registration-client/1.1.3/reg-client.zip

Unzip the file and launch registered client by running run.bat
Reg client will generate public/private keys in the following folder
```
  c:\Users\<user name>\.mosipkeys
```
You will need the public key and key index mentioned in readme.txt for the later step to update master DB

Run MDS:

Run mock MDS as per procedure give here: Mock MDS
Pickup device details from this repo. You will need them for device info updates in the later step

Add Users in Keycloak:

Make sure keycloak admin credentials are updated in config.py
Add users like registration officers and supervisors in csv/keycloak_users.csv with their roles
Run
```
      **$ ./keycloak_users.py**
```
Update Master Data:
In the master DB DML directory, change the following CSVs. The DMLs are located in the sandbox at /home/mosipuser/mosip-infra/deployment/sandbox-v2/tmp/commons/db-scripts/mosip-master/dml
- master-device_type.csv
- master-device_spec.csv
- master-device_master.csv
- master-device_master_h.csv
- master-machine_master.csv
- master-machine_master_h.csv
- master-user_detail.csv
- master-user_detail_h.csv
- master-zone_user.csv
- master-zone_user_h.csv

Run

*update_masterdb.sh

Example:

      $ ./update_masterdb.sh /home/mosipuser/mosip-infra/deployment/sandbox-v2/tmp/commons/db_scripts/mosip_master

CAUTION : The above will reset entire DB and load it fresh
You may want to maintain the DML directory separately in your repo
It is assumed that all other tables of master DB are already updated

Device Provider Partner Registration:

Update the following CSVs in PMS DML directory. On sandbox the DMLs are located at /home/mosipuser/mosip-infra/deployment/sandbox-v2/tmp/partner-management-services/db_scripts/mosip_pms/dml
- pms-partner.csv
- pms-partner_h.csv
- pms-policy_group.csv

Run update_pmsdb.sh. Example:

  $ ./update_regdevicedb.sh /home/mosipuser/mosip-infra/deployment/sandbox-v2/tmp/commons/db_scripts/mosip_regdevice

CAUTION*: The above will reset entire DB and load it fresh
Some example CSVs are located at csv/regdevice

IDA Check:

Disable IDA check in registration-mz.properties:

mosip.registration.onboarduser_ida_auth=N

Launch Reg Client:

Set Environment Variable mosip.hostname to {sandbox domain name}
Login as a user (e.g. 110011) with password (MOSIP) to login into the client

Integrations

Guide to Work with Real HSM

Introduction:

The default sandbox uses simulator of HSM called SoftHSM. To connect to a real HSM you need to do the following:

Create client.zip
Update MOSIP properties
Point MOSIP services to HSM

client.zip:

The HSM connects over the network. Client.zip, which is a package of self-dependent PKCS11client.zip file is extracted from the artifactory when Dockers launch, unzipped, and install.sh is executed.

The zip must fulfil the following:

Contain an install.sh
Available in the artifactory

install.sh

This script must fulfil the following:

Have executable permission
Set up all that is needed to connect to HSM
Able to run inside Dockers that are based on Debian, inherited from OpenJDK Dockers
Place HSM client configuration file in mosip.kernel.keymanager.softhsm.config-path (see below)
Not set any environment variables. If needed, they should be passed while running the MOSIP service Dockers

Properties:

Update the following properties in Kernel and IDA property files:

mosip.kernel.keymanager.softhsm.config-path=/config/softhsm-application.conf
mosip.kernel.keymanager.softhsm.keystore-pass={cipher}<ciphered password>
mosip.kernel.keymanager.softhsm.certificate.common-name=www.mosip.io
mosip.kernel.keymanager.softhsm.certificate.organizational-unit=MOSIP
mosip.kernel.keymanager.softhsm.certificate.organization=IITB
mosip.kernel.keymanager.softhsm.certificate.country=IN

Ensure you restart the services after this change.

Caution: The password is highly critical. To encrypt it, make sure you use a really strong password (using Config Server encryption). In addition, Config Server access should be very tightly regulated.

Artifactory:

Artifactory is built as a Docker in the sandbox and accessed via services. In that Docker, replace the client.zip. The changed Docker can be uploaded to your own Docker Hub registry for subsequent use.

HSM URL

HSM is used by Kernel and IDA services. Point the TCP URL of these services to new HSM host and port:

hsmUrl: tcp://{hsm host}:{port}

The above parameter is available in the Helm Chart of respective service.

Integrating Antivirus Scanner

In MOSIP, virus scanners can be implemented at different levels. ClamAV is used as an antivirus scanner by default. If you want your anti-virus (AV) to be incorporated, the same can be achieved as follows:

Registration Client

Running your AV on the registration client machine is sufficient. Not required for integration with MOSIP.

Server

This is implemented as a part of Kernel ClamAV project project. MOSIP uses this project to scan registration packets. You may integrate your anti-virus (AV) in the following ways:

Option 1
The registration packets are stored in Minio. Several AVs provide traffic flow analysis in line with the stream to defend against hazards. This form of implementation based on the network can be carried out without any alteration of the MOSIP code. But to ensure that network traffic passes through your AV, a careful network configuration is required.
Option 2
To support your AV at the code level, the following Java code has to be altered. In VirusScannerImpl.java, the scanFile/scanFolder/scanDocument API must be implemented with your AV SDK.

BioSDK Integration

In reg client, reg proc, and ida, the biosdk library is included. The guide offers steps for these integrations to be enabled here.

Integration with IDA

It is expected that Biosdk will be available as an HTTP service for IDA. The ID Authentication module then calls this service. To build such a service, refer to the reference implementation. /service contains service code; while /client contains client code that is combined with the IDA that connects to the service. This service can be operated as a pod or hosted outside the cluster within the Kubernetes cluster.

It is important to compile the client code into biosdk.zip and copy it to Artifactory. It is currently available at the following address:/artifactory/libs-release-local/biosdk/mock/0.9/biosdk.zip. This zip is downloaded by IDA dockers and installed during docker startup.

Integration with Reg Proc

The above service works for regproc as well.

Integration of External Postgres DB

Sandbox Parameters

TBD

****

Make sure the Postgres is configured as 'UTC' for the time zone. This configuration is set to postgresql.conf when you install Postgres.

Integration with External Print Service

Introduction

MOSIP provides a reference implementation of print service that interfaces with the MOSIP system.

Integration Steps

Ensure the Following:

Compliant libraries, is reqartifactoryervices to link to HSM. MOSIP services install the same thing before the services start. The HSM vendor must have this library. The 1. Websub runs as https://{sandbox domain name}/websub on MOSIP and is accessible externally via Nginx. Websub runs on DMZ and nginx in the sandbox as configured for this access
Your service is able to register a topic with Websub with a callback url
The callback url is accessible from MOSIP websub
The print policy was established (be careful about enabled/disabled encryption)
Print partner created and certs uploaded DB Timezone6. The private and certificate of print partner is converted to p12 keystore format. You may use the following command:

    $ $ openssl pkcs12 -export -inkey pvt_key.pem  -in cert.pem  -out key.p12

This p12 key and password is used in your print service
Your print service reads the relevant (expected) fields from received credentials
Your print service is able to update MOSIP data share service after successfully reading the credentials

Dashboards Guide

This guide includes numerous tips for using various dashboards made available as part of the default installation of the sandbox. The links to various dashboards are available at:

https://{sandbox domain name}/index.html

KIBANA

A default dashboard to display the logs of all MOSIP services is installed as part of the sandbox installation. To view the Dashboard:

Go to Kibana Home
On the drop down on the top left select Kibana->Dashboard
In the list of dashboards search for "MOSIP Service Logs"
Select the dashboard

Kubernetes Dashboard

Dashboard links:
MZ: https://{sandbox domain name}/mz-dashboard
DMZ: https://{sandbox domain name}/dmz-dashboard
On the console machine, the tokens for the above dashboards are accessible at_/home/mosipuser/mosip-infra/deployment/sandbox-v2/tmp_. For each dashboard, two tokens are created - admin and view-only. View-only privileges are restricted.

Grafana

Link:
https://{sandbox domain name}/grafana
Recommended charts:
11074 (for node level stats)
4784 (for container level stats)

Admin

Open the MOSIP Admin portal from the home page of the sandbox. Login with superAdmin username, MOSIP password.

Sanity Checks

The Sanity Check Procedures are the steps to verify that an installation is ready to be tested by a system administrator. In quality audits sanity check is consider as a major activity. It performs a quick test to check the main functionality of the software.

Checks while Deployment

During deployment all pods should be 'green' on the dashboard of Kubernetes, or both these commands would display pods in 1/1 or 2/2 state if you are on the command line.
```
  $ kc1 get pods -A
  $ kc2 get pods -A
```
Some pods that show status 0/1 Complete are Kubernetes jobs - they will not turn 1/1.
Note the following namespaces

Module

Namespace

MOSIP modules

Default

Kubernetes dashboard

Kubernetes-dashboard

Grafana

Monitoring

Prometheus

Monitoring

Filebeat

Monitoring

Ingress Controller

Ingress-Nginx

To check pods in a particular namespace. Example:
```
$ kc2 -n monitoring get pods
```
If any pod is 0/1 then the Helm install command times out after 20 minutes

Following are some useful commands:

      $ kc1 delete pod <pod name># To restart a pod
      $ kc2 describe pod <pod name># Details of a pod
      $ kc1 logs <pod name># Logs of a pod
      $ kc2 logs -f <pod name># **Running log
      $ helm1 list# All helm installs in mzcluster
      $ helm2 list# All helm installs in dmzcluster

Some pods have logs available in logger-sidecar as well. These are application logs.

To re-run a module, helm delete module and then start with playbook. Example:

      $ helm1 delete regproc
      $ helm2 delete dmzregproc
      $ an playbooks/regproc.yml

Module Basic Sanity Checks

Quick Sanity Check of Pre-Registration

Open Pre-Reg home page:
https://{sandbox domain name}/pre-registration-ui/
Enter your email or phone no to create an account
Enter the OTP that you received via email/sms in the selected box, or enter 111111 for Proxy OTP mode
Accept the Terms and Condition and CONTINUE after filling the demographic data
Enter your DOB or age
Select any of the Region, Province, City, Zone from the dropdown
Select any pin code from the dropdown
Phone number should be 10 digits and must not start with 0
CONTINUE after uploading required document of given size and type or skip the document upload process. (Recommended: upload any one document for testing purposes.)
Verify the demographic data and document uploaded previously and CONTINUE. You may edit with BACK if required
Choose any of the Recommended Registration Centre registration and CONTINUE
Select date and time-slot for Registration and add it to Available Applicants by clicking on + and CONTINUE
Now your first Appointment booking is done. You may view or modify your application in Your Application section

Registration Processor Test Packet Uploader

Prerequisites

Python3 must have been installed during the standard deployment setup for the scripts here.

Auth Partner Onboarding

IDA has to be on boarded as partner. Execute the partner onboarding scripts here.

Packet Creation

Refer to notes in config.py and data/packet*/ptkconf.py for various parameters of a packet. Parameters here must match records in Master DB.

Following example packets are provided. All these are for new registration:

Packet1: Individual 1 biometrics, no operator biometrics
Packet2 : Individual 2 biometrics different from above, no operator biometrics
Packet2 : Individual 2 biometrics with operator biometrics of Individual 1

Clearing the DB

This is optional. To see your packet clearly, you may want to clear all records of previous packets in mosip_regprc tables:

    $ ./cleardb.sh

Provide your postgres password.

Caution: Ensure that you want to clear the DB. Delete this script if you are in production setup.

Upload Registration Packet

Use the following command:

    $ ./test_regproc.py

Verify

Verify the transactions as below:
```
$ ./checkdb.sh
```
Provide postgres password. Note that it may take several seconds for packet to go through all the stages. You must see a SUCCESS for all stages.
UIN should have got generated
The latest transaction must be seen in credential_transaction table of mosip_credential DB
Further, identity_cache table of mosip_ida db should have fresh entries corresponding to the timestamp of UIN generated

Reset

Before we look at how to reset installation, you should ensure you have a recent backup of the clusters and persistence data.

Performing a reset will wipe out all your clusters and delete all persistence data. To reset your machine back to fresh install, run the following script:

$ an reset.yml

If a message prompting you to confirm the reset of machine, select the option “Yes/No” to proceed.

Persistence

Persistent data in the field of data processing is available over Network File System (NFS) that is hosted on console at location /srv/nfs/mosip.

For any persistent data, all pods write to this location. If required, you can backup this folder.

Note:

Postgres is initialized only once and populated. Postgres is not initialized if persistent data is present in /srv/nfs/mosip/postgres. In order to force an init, execute the following:
```
  $ an playbooks/postgres.yml --extra-vars "force_init=true"
```
Postgres includes data from Keycloak. Keycloak-init does not overwrite any data, but just updates and adds information. If you want to clean up data from Keycloak, you need to manually clean it up or reset all postgres.

Useful Tools

There are plenty of tools are installed with preinstall.sh to help in fact shortcuts commands to troubleshoot and diagnose technical issues or just little hacks that make tasks a little quicker.

Shortcut Commands

alias an='ansible-playbook -i hosts.ini --ask-vault-pass -e @secrets.yml'
alias av='ansible-vault'
alias kc1='kubectl --kubeconfig $HOME/.kube/mzcluster.config'
alias kc2='kubectl --kubeconfig $HOME/.kube/dmzcluster.config'
alias sb='cd $HOME/mosip-infra/deployment/sandbox-v2/'
alias helm1='helm --kubeconfig $HOME/.kube/mzcluster.config'
alias helm2='helm --kubeconfig $HOME/.kube/dmzcluster.config'
alias helmm='helm --kubeconfig $HOME/.kube/mzcluster.config -n monitoring'
alias kcm='kubectl -n monitoring --kubeconfig $HOME/.kube/mzcluster.config

The second part after adding above:

$ source  ~/.bashrc

Tmux

Tmux means that you can start a Tmux session and then open multiple windows inside that session. To enable it copy the config file as following:

$ cp /utils/tmux.conf ~/.tmux.conf  # Note the "."

Property File Comparator

This is tool to compare text and Property to find the difference between two text files**(*.properties)**:

$ ./utils/prop_comparator.py <file1> <file2>

MOSIP Java Coding Standards

MOSIP - Java Development Coding Standard

Repository Structure

In MOSIP, the source code modules are categorized under different repositories:

Commons - This contains common reusable library modules and service modules
- Kernel - The collection of common reusable library modules and services
- ID-Repo - The ID Repository services used by many of the MOSIP modules
Feature Specific Modules (for example)
- registration
- registration-processor
- pre-registration
- id-authentication

If a new source code module is planned to be added, and if it is a reusable library / service on which other modules will be depending on, then it should be added under Commons, otherwise, it can be created as a separate repository.

Source Code Organization in a MOSIP Repository

Source code of any feature in MOSIP will be organized as below:

feature-parent
feature-core - jar
feature-common - jar
feature-service-1 - SpringBoot service
feature-service-2 - SpringBoot service

Feature-Parent Module

This should be a POM module that aggregates all the sub-modules. This should contain,

List of all sub-modules
Common properties such as versions used by all sub-modules
Common dependencies used by all of the sub-modules
Common maven-plugins used by all sub modules

Feature-Core Java Library Module

There should be a JAR module that defines core source code files such as,

APIs (Application Programming Interfaces)
SPIs (Service Provider Interfaces)
Common Utility classes
Helper classes
DTO classes
Custom Exception classes

Common Implementation Module

There can be a JAR module that provides abstract base implementations or common implementations of the APIs and SPIs. Other modules such as service module will be depending on this module using the API/SPI implementations or extending their base implementations.
Any Service implementation class should have 'Impl' suffix.

Spring Boot Service Modules

A feature can have one or more Spring Boot Service modules, each will have one or more related services.
Each Spring Boot Service Modules will be deployed as a separate deployment unit such as a docker container. So each will contain the separate Dockerfile containing the docker build instructions for that module.
Each Spring Boot Service Modules should be configured with Swagger configuration (except specific cases where) for easy understanding of the feature, easy unit-testing and verification for the developers.
No Spring Boot Service module should be used as a dependency to any other module. Any such code dependency should be going inside the Common Implementation module.

Classes/Interfaces in MOSIP

In MOSIP following naming of Class/Interfaces their names should be of Camel cases, without any underscore.
They should have following suffixes in their names and they should be under appropriate package name based on their category,
- XyzService - For a Service interface. A service class should not be annotated with @Service. This will be in the core-module. This will be under *.spi.xyz.service package.
- XyzServiceImpl - For a Spring Service implementation class. This class should be annotated with @Service. This should not be defined in a core-module. It will be defined in a common or service module. This will be under *.spi.xyz.service.impl package.
- XyzRequestDto - For a Request Data Transfer class in a Service. This will be in the core-module. This will be under *.xyz.dto package.
- XyzResponseDto - For a Response Data Transfer class in a Service. This will be in the core-module. This will be under *.xyz.dto package.
- XyzEntity or XyzDao- For an Entity/ Data Access class, which will use JPA annotations for the entity. This will be in the core-module. This will be under or *.xyz.entity or *.xyz.dao package.
- XyzRepository - For a JPA Repository interface, which will be extending the base MOSIP Repository interface io.mosip.kernel.core.dataaccess.spi.repository.BaseRepository. This will be annotated with @Repository annotation. This will be under *.xyz.repository package.
- XyzController - For a Spring Controller class, which will be annotated with @Controller annotation. This will be under *.xyz.controller package.
- XyzConfiguration - For a Spring configuration, which will be annotated with @Configuration. This will be under *.xyz.config package.
- XyzUtil or XyzUtils - For a utility class. This will expose public static utility methods. This will be under *.xyz.util package.
- XyzHelper - For a helper class. This will be a Spring Component class annotated with @Component. This will expose public instance helper methods. This will be under *.xyz.helper package.
- XyzManager - For any management class. Also for any class that will connect external module using REST service calls. This will be a Spring Component class annotated with @Component.
- XyzConstants - For file storing constants. Please prefer to have a Constants file to define common and related constants used across the classes in a feature. This can be inside the core-module or common-module. This will be under *.xyz.constant package.
- XyzException - For a custom exception, which will be extending io.mosip.kernel.core.exception.BaseCheckedException and io.mosip.kernel.core.exception.BaseUncheckedException. This will be defined in a core-module. This will be under *.xyz.exception package.
- XyzExceptionHandler - For the centralized exception handler class in a service-module, annotated with @ControllerAdvice or @RestControllerAdvice annotation. This will be under *.xyz.exception package.
- XyzFactory - For any class/interface defining Factory design pattern. This will be under *.xyz.factory package.
- Xyzbuilder - For any class/interface defining Builder design pattern. This will be under *.xyz.builder package.
- XyzFacade - For any class/interface defining Facade design pattern.
- XyzImpl - For any implementation class that extends an API/SPI interface.
A service implementation should be always with a combination of Service Interface and its Spring Service Implementation Class. It should not be without a Service Interface defined in core-module.
Any Spring Component will be annotated with @Component. A component may or may not be implementing an interface.
Any dependency injection of a Spring Service should only to be assigned to a variable of its Service Interface type but not to its Implementation class type.
For dependency injection of a Spring Component should be assigned to a variable its Interface type if any, otherwise to the class type.

Using Lombok for Data classes

All data classes such as DTOs, Entity classes use Lombok annotations to automatically create appropriate constructors, getters and setters.
Make sure to setup the IDE used for the development for using Lombok.

MOSIP JPA Repository

Any JPA repository created in MOSIP should be extending the base MOSIP Repository interface io.mosip.kernel.core.dataaccess.spi.repository.BaseRepository.
Appropriate database configurations properties should be added to the app configuration file.

Commons/Kernel - MOSIP Common Libraries/Services

MOSIP has many common libraries and services implemented under Commons/Kernel repository.
Kernel-Core module contains may common utility classes such as Loggers, DateUtils, StringUtils and Crypto-Core etc… Also many utility services such as Kernel-KeyManager, Kernel-CryptoService, Kernel-Audit-Service, Kernel-Auth-Service, etc... .
If any common utility needs to be implemented, first check Commons/Kernel if such utility is already present and make sure it is not already implemented in Commons/Kernel. It is always welcomed to contribute any new features/ bug fixes for the existing utilities, instead of creating a new utility.

REST Services Request and Response:

Any request and response content in a service in MOSIP should be of application/json content type.
Any byte arrays to be returned in response should be Base-64-URL encoded within the response.
If any sensitive information is getting transferred in the request/response, the request/response block should be encrypted using the MOSIP public key.
Any service in MOSIP should never return error code other than 200. One or more errors to be reported in the response be returned as an array as part of "errors" attribute.
Each of the "error" attribute should under "errors" should have "errorCode", "errorMessage" and an optional "actionMessage". * For any service, possible "errorCode", "errorMessage" and the optional "actionMessage" should be properly listed documented in its API specification.
Any request/response body should have proper meta-data such as "id, "version" and "requestTime"/"responseTime", etc... .

For example:

{
  //API Metadata
  "id": "mosip.identity.auth.transactions.read",
  "version": "v1",
  "responseTime": "2019-02-15T07:23:19.590+05:30",
  "errors": [
    {
      "errorCode": "IDA-MLC-002",
      "errorMessage": "Invalid UIN",
      "actionMessage": "Please retry with the correct UIN"
    }
  ]
}

Java Coding Standard

Number of lines

The number of lines in the Java files is restricted to 2000 lines. Beyond 2000 lines, the java file is refactored into multiple files.

Class and Interface

Each java file contains one public class or interface.

When some private classes and interfaces are associated, this can be in the same file.

Declare the public class and interface as the first declaration in the file.

Ordering

When a java file is written, the following order is maintained,

Beginning documentation comment

The beginning comment should be in a C-style comment. Following is the format of the comment.

/*  
 * Firstname Lastname
 *           
 * Copyright notice
 */

Package statement

The first non-comment line is the package statement.

Import statement

After a line-break below the package statement, import statements are placed. The import statements are grouped and segregated by a line-break. For example,

import java.util.List;
import java.util.Map;
import java.time.zone.ZoneRulesException;
import org.mosip.kernel.core.authn.LoginInfo;
import org.mosip.kernel.core.exception.InvalidInputException;
import org.mosip.kernel.core.exception.UnauthenticatedException;

Do not use asterisk symbol while importing packages.

Class or Interface comment for documentation

This comment will be going in to the Javadocs

/**
 * Class/Interface description goes here
 *
 * @version 2.4 05 July 2018
 * @author Rajkumar Mahanty
 *
 */

Public class or interface definition

Then the public class or interface is defined.

Then other private class or interface are followed.

Inside a class or interface

Following is the order of elements inside the class declaration

Constant fields

Constant fields (static and final fields) should be on the top inside a Class

Non-final static fields

Then any non-final static fields are followed

Instance variables

The public class variables are followed by the protected and the private variables. These can be final or non-final fields.

Initializing Fields in a class

Do not initialize non-primitive fields with null in a Class;
Always initialize non-static fields from constructors in a Class.
Avoid using static non-final fields in a class. If it required for any specific reason, avoid initializing it in a constructor or a post-construct method.
Avoid using static initializers to initialize static final/non-final fields, instead create private static methods and call it for initializing static fields.

Constructors

The constructor declarations ordered by the number of parameters.

Method declarations

The methods are ordered by the functionality. The methods need not to be in the order of scope or accessibility.

Indentation

The indentation unit it TAB.

Line length

The number of characters in a line should not exceed 80 characters

Wrapping lines

When the number of characters exceed the limit, the line should be broken into multiple lines. The following standard is used during the line breaks,

Break the line after the comma
Break before the operator
From higher-level breaks go to the lower-level breaks.
Align the new line with the beginning of the expression at the same level on the previous line.

Comments

There are two types of comments in Java.

Implementation comments
Documentation comments

Both the comment types are used in the source code of MOSIP.

Implementation Comment

This is the comment type used for better understanding of the code. Most of the times, the source code will be maintained by different people. The programmer writes these comments so that the other programmers will come to know the functionality of the code in plain English language. Following lines are used.
Java source code can have their implementation comments in various parts of code blocks/lines with appropriate description about what the code block or line is doing.
Specifically the if-else if-else conditions can have their descriptions about their various conditional expressions.
Any complex piece of code such as a regular expression / mathematical expression can be described with appropriate descriptions about it.

Block Comments

When the developer needs to explain in detail about some functionality, block comments are used. Block comments are used anywhere in the code. It can be for the class or interface declarations or it can be within the java methods also. Example of block comments:

/*
 * This is the block comment. This is the block comment.
 * This is the block comment. This is the block comment. This is                
 * block comment.
 */

Single-Line Comments

Single line comments are used for short description. For example,

/* This is short description */
if( height > 45) {
    ...
}

Trailing Comments

Trailing comments are given in the same line where the source code resides. For example,

if(height > 45) { /* This is the trailing comment */
    ...

}

End-Of-Line comments

The end-of-line comments are also used in the source file. For example,

if(width > 45) {
    return false; // some description
}

Documentation comments

Documentation comments are used to generate the javadoc files.
Every source code file in Java should have proper Java Documentation such as description, Author and Version.
All Classes, Interfaces, Methods, Fields should have appropriate clear description about each.
A method documentation should have description about all parameters, exceptions thrown and return value.
Documentation comments can be of two kinds:
- Single line documentation comment: /** COMMENT */
- Multi-line documentation comment:
  /** * COMMENT */

Example:

/*
 * Copyright 2002-2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.mosip.orm;
import org.mosip.dao.SomeDAO;
import org.mosip.exception.SMSException;

/**
 * This class does the so and so activity. And more description goes here. And
 * more description goes here. And more description goes here. And more
 * description goes here. And more description goes here.
 *
 * @author SadanandGowda
 * @since v1.0
 */

public class SampleReference extends SomeSuperClass {
   /**
    * someClass is used for so and so purpose
    */

    @Nullable
    private final Object someClass;
   /**
    * someIdentifier is used to identify something
    */

    @Nullable
    private final Object someidentifier;

   /**
    * Create some functionality with the with the given message, unless so and so
    * functionality.
    *
    * @param msg
    *     the display message
    * @param cause
    *     the source exception
    */

    public SampleReference(String message, Throwable cause) {
        super (message, cause);
        this.someClass = null ;
        this.someidentifier = null ;
    }

   /**
    * Sends the SMS to the given phone number
    *
    * @param someClass
    *     this is for this purpose
    * @param mobileNumber
    *     the mobile number to which the SMS have to be sent
    * @param msg
    *     the message sent to the phone number
    * @return
    */

    public String sendSMS(Class<?> someClass, int mobileNumber, String msg) {
        // the SMS sending code comes here.
    }
}

Declarations

Number of variables per line

One variable is declared per line.

Placement of variables

Variables are declared at the beginning of the code block. For example,

void myMethod() {
    int int1 = 0;         // beginning of method block

    if (condition) {
        int int2 = 0;     // beginning of "if" block
        ...
    }
}

Class and Interface Declarations

No space between a method name and the parenthesis "(" starting its parameter list
Open brace "{" appears at the end of the same line as the declaration statement
Closing brace "}" starts a line by itself indented to match its corresponding opening statement,
Except when it is a null statement the "}" should appear immediately after the "{"
An empty line is there in between the method declarations.

class Sample extends Object {
    int ivar1;
    int ivar2;

    Sample(int i, int j) {
        ivar1 = i;
        ivar2 = j;
    }

    int emptyMethod() {}

    ...
}

Methods

A method should follow the "Single Responsibility" principle that will perform only one task. If it seems to do multiple sub-tasks, each sub-tasks should be created as a new method and then be invoked in that method.
If there is a logic even of a single line getting repeated in more than one place, it should be made as a separate method.
A method line count should not exceed 80 lines. If required break the blocks of code in the method to separate methods.
Methods are separated by a blank line.

Method Parameters

Never re-assign a parameter value. This may lead to unpredictable bugs.
Don't use too many number of parameters. Keep the maximum number of method parameters to 5 for simplicity.
Prefer method parameter type to be more generic such as a Super Interface or Super Class. For example, List instead of ArrayList.

Method Return Statement

Never return null for an Array return type. Return an empty array of 0 like return new String[0].
Never return null for a Set/List/Map collection return types. Return corresponding empty values such as Collections.emptySet(), Collections.emptyList() or Collections.emptyMap();
Prefer method return type to be more generic such as a Super Interface or Super Class. For example, List instead of ArrayList.

Avoid having multiple return statements in a method. Prefer to provide a single point of exit to a method. For example:

//AVOID BELOW
private int getStatus() {
	if(condition1) {
		return Status.SUCCESS;
	} else if (condition2) {
		return Status.FAILURE;
	} else {
		return Status.UNKNOWN;
	}
}

//PREFER BELOW
private int getStatus() {
	int status;

	if(condition1) {
		status = Status.SUCCESS;
	} else if (condition2) {
		status = Status.FAILURE;
	} else {
		status = Status.UNKNOWN;
	}

	return status;
}

Use Optional return type to avoid null checking. When there is possible to return null for a method, return Optional.empty().
Use OptionalInt, OptionalLong return types for a method when there is an unknown value of Integer/Long to be returned like -1;

Statements

Simple Statements

Each line should contain at most one statement. Example:

argv++;         // Correct
argc--;         // Correct  
argv++; argc--; // AVOID!

Compound Statements

Compound statements are statements that contain lists of statements enclosed in braces
```
{ 
	Statement1;
	Statement2;
	Statement3;
}
```
The enclosed statements should be indented one more level than the compound statement.
The opening brace should be at the end of the line that begins the compound statement; the closing brace should begin a line and be indented to the beginning of the compound statement.

Braces are used around all statements, even single statements, when they are part of a control structure, such as an if-else or for statement. This makes it easier to add statements without accidentally introducing bugs due to forgetting to add braces. For example:

//COMPOUND STATEMENT
if(list.size() == 2) {
	list.remove(0)
	list.remove(0)
} else {
	list.add("element1");
	list.add("element2");
}

//AVOID BELOW
if(list.isEmpty()) 
	list.add("element")
else 
	list.remove(0);

//PREFERRED WAY
if(list.isEmpty()) {
	list.add("element")
} else {
	list.remove(0);
}

"return" Statements

A return statement with a value should not use parentheses unless they make the return value more obvious in some way. Example:
```
return;
return myDisk.size();
return (size ? size : defaultSize);
```
Refer to Method return statement for more information.

if, if-else, if-else if-else Statements

Always curly braces are used in the if-else statements. Even though there is a single statement below the if-else statement, curly braces is used. For example,
```
if(width > 45) {
	return false; // some description
}
```
If there is a Boolean value to be returned in a method or assigned to a variable based on an if-else condition, the condition itself should be returned or assigned instead of true or false for the condition. For example,
```
if(isEmpty()) return true; else return false; //AVOID

return isEmpty(); //PREFER
```
Prefer "switch" statement when possible over having multiple “if-else if-else if-else” statements.

Conditional Expressions

If any binary operator is used before "?" in the ternary operator, then parentheses is used.

(age >= 25) ? "VALID" : "INVALID" ;

Prefer if-else statement over conditional expressions if it gets complex with the condition or the statements.
Avoid using nested conditional expressions for better readability.

"switch" Statements

A switch statement should have the following form:

switch (condition) {
case ABC:
    statements;
    /* falls through */
case DEF:
    statements;
    break;
case XYZ:
    statements;
    break;
default:
    statements;
    break;
}

Every time a case falls through (doesn't include a break statement), add a comment where the break statement would normally be. This is shown in the preceding code example with the /* falls through */ comment.
Every switch statement should include a default case. The break in the default case is redundant, but it prevents a fall-through error if later another case is added.

White Space

Blank Lines

Only for the following situations 2 blank lines are used,

Between 2 different sections of the source file
If you have more than one class or interface, use 2 blank lines

Only for the following situations, 1 blank line is used,

Between method declarations.
Between the variable declarations and the method code.
Before the block comment or line comment.
To provide a better readability in between logical blocks, an empty line are used, wherever applicable.

Blank Spaces

Under the following circumstances, blank space are used,

When a keyword followed by parenthesis, a blank space should be given after the keyword. For example,

while(age > 60)  {
    ...
}

In the argument list, the parameters are given a space after comma.

Naming Conventions

Package names

All the package name in MOSIP application starts with io.mosip. Refer to Classes/Interfaces in MOSIP section for various kinds or classes and the package names under which they should be kept.

Classes

The names given to classes are always nouns and in camel case. Refer to Classes/Interfaces in MOSIP section for various kinds or classes and their names.

Interfaces

The names given to interface is always noun and in camel case. Refer to Classes/Interfaces in MOSIP section for various kinds or interfaces and their names.

Methods

The method names are always verbs and in camel case. For example

public void deleteFromCache(String cacheName, String key) {
    ...
}

Variables

The variable names are short and meaningful. Any new observer can understand the meaning of the variable. No single letter variable names are used. Camel case is used when declaring variables.

Constants

The constants are given the name in capital letters. The words in the names are separated by underscore.
String literals should not be used in the code directly. Declare them as constant in the class.
Magic Numbers should not be used in code, they should be declared as constants.
Create XyzConstants class to group related and reused constants within a module/feature.

Programming Practices

Providing Access to Instance and Class Variables

The instance variables should not be made public unless you have a specific reason.
Provide the most restrictive access to the fields, methods and Inner Classes such as private, default or protected. Avoid giving public access to them unless it is really required. Avoid using public non-final fields in a Class.

Referring to Class Variables and Methods

Always use the class name to call the static method. For example,

LogFactory.getLogger();

Constants

Numerical values should not be used in the code directly. Declare them and use it in the code. For example,

int MAX_AGE = 60;
while (age > MAX_AGE) {
    ...
}

Variable Assignments

Avoid multiple assignments in the same line. For example,

int a, b = 10 // AVOID
// PREFER
int a = 10;
int b = 10;

Prefer primitive type variables over boxed types wherever possible. For example, prefer int, boolean and long over their Boxed counterparts such as Integer, Boolean and Long.
Prefer variable type to be more generic such as a Super Interface or Super Class. For example, List instead of ArrayList.

Optional

Use Optional return type in a method to avoid null checking. When there is possible to return null for a method, return Optional.empty().
Use OptionalInt or OptionalLong return type in a method when there is an unknown value of Integer/Long to be returned like -1;
Avoid getting value from Optional using Optional.get() without checking for Optional.isPresent() condition, otherwise use Optional.orElse() .
Use primitive optional classes such as OptionalInt or OptionalLong over Optional<Integer> or Optional<Long>.

Lambdas

Lambda Expressions

Prefer Method Reference over a Lambda Expression

Function<Employee, String> = employee -> employee.getName() // AVOID
Function<Employee, String> = employee::getName // PREFER

Keep Lambda Expressions Short and Self-explanatory so that it is easy to understand. . Provide clear understandable name to the parameters in Lambda Expressions.

Always use parameter type inference. For example,

(employee, requesterEmployee) -> employee.name.compareTo(requesterEmployee.name) // PREFER
(Employee employee, Employee requesterEmployee) -> {employee.name.compareTo(requesterEmployee.name)} // PREFER

Do not use the parenthesis for a single parameter lambda expression.

(employee) -> employee.getName().compareTo("ABC") // AVOID
employee -> employee.getName().compareTo("ABC") // PREFER

Use “Effectively Final” Variables in Lambda Expressions. It is not required to mark every target variable as final.
Avoid mutating Object Variables in Lambda Expression.
Avoid using the block lambdas wherever an expression lambda are used. For example:

// PREFER
someVar -> someVar.toUpperCase(Constants.SOME_CONST);
// AVOID
someVar -> {
**return** someVar.toUpperCase(Constants.SOME_CONST);
}

Functional Interfaces

Prefer Standard Functional Interfaces over creating a similar one unless it is really required. Use Standard Functional interfaces, which are gathered in the java.util.function package, satisfy most developers' needs in providing target types for lambda expressions and method references.
On a new Functional Interface declaration always use @FunctionalInterface annotation. This is not only for the documentation purpose but also to avoid accidentally breaking the Functional Interface behavior.
Instantiate Functional Interfaces with Lambda Expressions instead of creating anonymous inner class instances for that.
Whenever calling the functional interface, place them at last in the parameter list.

For example:

// PREFER
public Foo parse(Locale locale, **Function<Locale,Foo> fn** );

// AVOID
public Foo parse( **Function<Locale,Foo> fn** , Locale locale);

Streams

Prefer Streams over for loops. Streams are more readable and functional than the "for" loops, as they support operations such as map, flatMap, filter, reduce and collect.
Exception handling in the streams are carefully handled.
Avoid mutating objects within Collection.forEach() or Stream.forEach(), use Stream.collect() instead. For example use Stream.collect(Collectors.toList()) instead of mutating a list for collecting elements to a list.
Use parallel streams where ever possible to boost performance, whenever it does not involve sort/order/limit intermediate operations.

Exceptions

MOSIP applications should never allow to exit abruptly because of a critical error. Even if there is a critical error there should be a graceful exit with proper information about the error.

Exception hierarchy

Each feature should be defining their own Checked and Unchecked Exceptions by extending io.mosip.kernel.core.exception.BaseCheckedException and io.mosip.kernel.core.exception.BaseUncheckedException .
- The Checked and Unchecked exceptions should be used appropriately as needed. Make sure which one to use when based on the exception handling requirement.

Throwing exceptions

Throw specific exceptions in a method, rather than generic exceptions. For example,

public void myMethod()throws Exception{  // AVOID
public void myMethod()throws NumberFormatException{  // PREFER

Documenting exceptions

The exceptions are documented clearly. For example,

/**
 * The method description goes here ...
 *
 * @param input
 * @throws PacketNotValidException
 * if so and so... happens
 */
public void myMethod(String someInput) throws PacketNotValidException {

Catching exceptions

Always prefer to use try-with-resource block when applicable like instantiating a Input or Output stream/reader or Connection, which are AutoCloseable.
The following example uses a try-with-resources statement to automatically close a java.sql.Statement object:

public static void viewTable(Connection con) throws SQLException {
    String query = "select COF_NAME, SUP_ID, PRICE, SALES, TOTAL from COFFEES";
    try (Statement stmt = con.createStatement()) {
        ResultSet rs = stmt.executeQuery(query);
        ...
        }
    } catch (SQLException e) {
        JDBCTutorialUtilities.printSQLException(e);
    }
}

A try-with-resources statement can have catch and finally blocks just like an ordinary try statement.
Always catch specific exceptions over a more generic exceptions like Exception/Throwable class. For example,

// AVOID BELOW
try {
    ...
} catch(Exception e) {  //AVOID
    ...
}
// PREFER BELOW
try {
    ...
} catch(RestException e) { // PREFER
    ...
}

Never leave a catch block empty. Either handle the exception, or say proper reason for doing nothing in it.

// AVOID BELOW
try {
   ...
} catch(NumberFormatException e) {} // AVOID
//PREFER BELOW
try {
   ...
} catch(NumberFormatException e) {
   // This exception condition will never occur as schema validation is already performed. 
   // So nothing handled here.
}

Use multi-catch blocks wherever possible to club common handling of multiple exceptions.
Always log exceptions to file in a catch block for debugging purpose.

try {
   ...
} catch(NumberFormatException e) {
   // Log exception
   logger.error(...)
   // Handle exception
   ...
}

Error and Throwable are never caught in MOSIP.

Exception handling in a Service module

Any service module should handle their exceptions in a common place such as a common Exception Handler which can be annotated with @ControllerAdvice or @RestControllerAdvice
Any service in MOSIP should never return error code other than 200. One or more errors to be reported in the response be returned as an array as part of "errors" attribute.

Logs

Log levels

Logs are classified and logged accordingly. Following are the various log levels used in the MOSIP application.

TRACE
DEBUG
INFO
WARN
ERROR

The log levels are configured according to the environment such as Development, Testing, UAT or Production. For example, the log levels in production is from WARN. Whereas in Development and Testing environment, it is from TRACE.

MOSIP log component

MOSIP's log component from the core-kernel is used to log entries. The log module in the core-kernel is used to log all the log entries.

First create a logger utility class under the core module of the feature like below:

import io.mosip.kernel.core.logger.spi.Logger;
import io.mosip.kernel.logger.logback.appender.RollingFileAppender;
import io.mosip.kernel.logger.logback.factory.Logfactory;
/**
 * Logger for XYZ module which provides implementation from kernel logback.
 * 
 * @author XXX
 *
 */
public final class XYZLogger {
	
	private static RollingFileAppender mosipRollingFileAppender;
	
	static {
		mosipRollingFileAppender = new RollingFileAppender();
		mosipRollingFileAppender.setAppend(true);
		mosipRollingFileAppender.setAppenderName("fileappender");
		mosipRollingFileAppender.setFileName("logs/id-auth.log");
		mosipRollingFileAppender.setFileNamePattern("logs/id-auth-%d{yyyy-MM-dd}-%i.log");
		mosipRollingFileAppender.setImmediateFlush(true);
		mosipRollingFileAppender.setMaxFileSize("1mb");
		mosipRollingFileAppender.setMaxHistory(3);
		mosipRollingFileAppender.setPrudent(false);
		mosipRollingFileAppender.setTotalCap("10mb");
	}

	/**
	 * Instantiates a new XYZ logger.
	 */
	private XyzLogger() {
	}

	/**
	 * Method to get the rolling file logger for the class provided.
	 *
	 * @param clazz
	 *            the clazz for which the logger instance to be created.
	 * @return the logger
	 */
	public static Logger getLogger(Class<?> clazz) {
		return Logfactory.getDefaultRollingFileLogger(mosipRollingFileAppender, clazz);
	}
}

To log any information/error/debug in a class,
- create a logger instance in that class as below: private static Logger mosipLogger = XYZLogger.getLogger(MyClass.class);
- In appropriate places invoke the appropriate log method of mosipLogger such as error, debug or info with appropriate parameters passed to it.

MOSIP log format

Every log entry contains the following format,

<date_iso> - <application_id> - <module_id> - <component_id> - <id_type> - <idvalue> - <description>

For example,

2008-09-15T15:53:00+05:00 - ENROLMENT – PACKET_VALIDATOR - VALIDATE – EnrolmentId - 829329 – Packet validator had been called and now we are going to validate the packets.

No sensitive information is logged

Never log any sensitive information such as user credentials, individual identity information to the log, mask the data if required before logging.
Care should be taken, not to log any sensitive information is logged. Modules leads to review the code to ensure that no sensitive information is logged.

Audit Logging in MOSIP

Any service in MOSIP should invoke Kernel's AuditManager REST Service for audit logging of the status of the services such as
- Success
- Failure
- Exception occurred - the error codes and error messages.
Define the appropriate Audit Modules and Audit Events for any feature and use pass them appropriately in the Audit Parameters while invoking the Audit REST service.
Make sure to invoke the Audit REST service Asynchronously to prevent any time lagging in response because of the Audit REST service call.

Common utilities

Apache Commons is used to handle the common utilities like StringUtil, FileUtil, Hashcode, toString, null check etc., are

In case if Apache Commons doesn't have the necessary utilities, the util project from mosip-core is used.

Miscellaneous Practices

Following are the miscellaneous practices which are followed in MOSIP.

Parenthesis

Parenthesis are used in the code liberally to improve the readability and for precedence clarity.

Type Casting

Never type cast a variable without doing instanceof checking.
Avoid unnecessary type casting when the type of the value/expression is already assigned to a correct variable type/return type.

Generics

Avoid using Generic classes without Parameter types. For example:

List nameList = new ArrayList(); // AVOID
List<String> nameList = new ArrayList<>(); //PREFER

Use diamond operator while constructing Generic objects. For example:

new HashMap<String, List<String>>() //AVOID
new HashMap<>() //PREFER

Method Calls Chaining

While chaining multiple method calls, keep one method call per line for better clarity and easy debugging of any issue (especially to get line number in exception stack trace where exactly is the error/exception occurs). For example:

MessageDialog.makeText(text)
	.setGravity(Gravity.TOP, 0, 0)
	.setView(layout)
	.show();

Special Comments

Special comments are used to give a hint for further development. Following are the special comments used in the MOSIP project,
- TODO
- FIXME
- NOTE
- OPTIMIZE
It should be made sure to track the above comments, perform action accordingly, and remove them when they become irrelevant.

References

Registration Client Developer Documentation

This document guide the developer to find the traceability between functionality and the respective technical component. The provided technical classes are available in the package of 'registration-service' module. In this module the required functions are exposed as public method and that can be used to obtain the required features.

It doesn't detail about each methods level information since that are covered in Javadoc of each component.

Functionality Vs technical component mapping

Functionality:

Technical Detail:

Post successful login, session context would be created. That will be used throughout the application at the required places. The user detail and the respective roles are encapsulated inside the context. Without creation of this context object, the packet can't be created.

Main Service class and method:

SessionContext.create(UserDTO userDTO, String loginMethod, boolean isInitialSetUp, boolean isUserNewToMachine, AuthenticationValidatorDTO authenticationValidatorDTO)

Input parameter:

UserDTO – It should contain info of id, name, roles, center-id. loginMethod – possible values are PWD, OTP, FINGERPRINT, FACE, IRIS. isInitialSetUp – true/false, isUserNewToMachine – true/false, AuthenticationValidatorDTO – should contain id, password, otp

Auth:

Not required.

External Connectivity:

Service and DB

Functionality:

Packet Creation - New Registration / Update UIN/ Lost UIN

Technical Detail:

Based on the business need [New Registration / Update UIN/ Lost UIN] this 'RegistrationDTO' object should be populated with the relevant data and also pass the 'RegistrationMetaDataDTO.RegistrationCategory' as [New/ Update/ Lost].

Main Service class and methods

PacketHandlerService.handle(RegistrationDTO registrationDTO)

Input Parameter:

The RegistrationDTO object contains the RID, PRID, registration details of the individual and also contains the officer and supervisor details. This object has the following sub-classes: a. DemographicDTO - Details of the Demographic and Documents, b. BiometricDTO - Biometrics (Fingerprints, Irises, Face and Exception Face) of the individual, parent (or guardian), officer and supervisor, c. RegistrationMetaDataDTO - Metadata related to registration and d. OSIDataDTO - Details of the officer and supervisor who had authenticated the registration.

Auth:

SessionContext is required for creating the packet

External Connectivity

DB, File system

New Registration - Adult

As part of New registration, individual's Demographic, documents[POI and POA] and bio-metric [fingerprint, iris and face] will be captured. If an exception of the bio-metrics is marked, then exception photo will be captured.

New Registration - Child

As part of New registration, individual's Demographic, documents [POI, POA and POR] and anyone of parent's bio-metric [fingerprint/iris/face(if all fingerprint and iris are marked as exception)] along with that Parent's/Guardian's RID/UIN will be captured. If an exception is marked for the parent bio-metrics, an exception photo will be captured for the parent

UIN Update - Adult

As part of UIN Update, individual's will have the option to select the field that would like to update. For Demographic update --> UIN number, Name, Document[only if Name/Address is selected then POI for name and POA for address is mandate], and anyone of the bio-metric will be captured as a mandatory values. For Bio-metric update --> UIN number, Name and Bio-metrics [fingerprint, iris and face] will be captured, if an exception marked then exception photo will be captured

UIN Update-Child

As part of UIN Update, individual's will have the option to select which one they are going to be update. For Demographic update --> UIN Number, Name,POR document along with that Parent/Guardian Name and UIN along with anyone parent bio-metric should be captured; if any exception marked then the exception photo of the Parent/Guardian will be captured.

Lost UIN-Adult

As part of Lost UIN, an individual's all Bio-metrics[fingerprints, iris, and face] will be mandatory to find the lost UIN.

Lost UIN-Child

As part of Lost UIN, Parent/Guardian Bio-metric will be mandatory to find the lost UIN of the child. if an exception marked then the exception photo of the parent/Guardian will be captured.

Functionality:

PACKET SYNC– Sync all the Approved/ Rejected/ Re-Register Approved packets before Uploading to server

Main Service class and method:

PacketSyncServiceImpl.java - packetSync(List packetsToBeSynced)

Input Parameter:

packetsToBeSynced – The packet details which needs to be Synced.

Auth:

Authentication token required.

External Connectivity:

Packet Sync service REST call

Functionality:

Packet Upload

Main Service class and method:

PacketUploadService.pushPacket(File packet)

Input Parameter:

File object, which contains the packet to be uploaded.

Auth:

Authentication token required while doing file upload. Based on the SessionContext object the advice would attach the token and invoke the required service call.

External Connectivity:

Service, DB, File system

Functionality:

Packet Export

Main Service class and method:

PacketExportService.getSyncedRecords() - to fetch the packet to be exported. updateRegistrationStatus(List exportedPackets) - update the status once exported.

Input Parameter:

List of packet object.

Auth:

No.

External Connectivity:

DB, File system

Functionality:

Download Pre-Registration data during New Registration

Technical Detail:

The user provided pre-registration packet id related [demo/ doc] detail would be downloaded from Pre-registration DB using the respective REST service. After downloading the packet, the data would be mapped to the UI object and render the same to UI to display in the screen.

Main Service class and method:

PreRegistrationDataSyncServiceImpl.java - getPreRegistration(String preRegistrationId)

Input Parameter:

preRegistrationId- The pre reg id

Auth:

Authentication token required while downloading the packets. Based on the SessionContext object the advice would attach the token and invoke the required service call.

External Connectivity:

Pre Reg service REST call

Functionality:

EOD APPROVAL – Approve/Reject all the created packets

Main Service class and method:

RegistrationApprovalServiceImpl.java - updateRegistration(String registrationID, String statusComments, String clientStatusCode)

Input Parameter:

registrationID – The registration id of the packet that needs to be updated, statusComments - The comment status that needs to be updated for the given registration id of the packet, clientStatusCode - The status code that needs to be updated for the given registration id of the packet.

Auth:

External Connectivity:

Functionality:

Sync Data from Server to Client and Vice Versa.

Technical Detail:

This functionality will be executed as specified as sync-frequency in local DB. During start of the application, the scheduler would be loaded with the jobs configured in db and trigger the job. The scheduler would trigger the jobs at the configured frequency. While running the jobs, based on the functionality it would invoke the respective services and invoke the required external services to sync the data from server to client and vice versa. Post completion or every state of the job execution, the status would be updated in local db.

Main Service class and methods

JobConfigurationServiceImpl.executeAllJobs() - This would load all the active jobs from the local db and trigger the jobs.

Input Parameter:

Auth:

Auth token required for external services. This would be automatically taken care within this method. Nothing explicitly to be passed.

External Connectivity:

REST API calls, DB

Functionality:

MDM Integration – Register Device

Technical Detail:

This method automatically scans all devices by connecting to the MDM service, which is running in a particular port and stores it in device registry.

Main Service class and method:

MosipBioDeviceManager - init()

Input Parameter:

No parameter needed.

Auth:

Not required

External Connectivity:

deviceInfo - MDM service REST call

Functionality:

MDM Integration -Capture bio-metric

Main Service class and method:

BioServiceImpl - getFingerPrintImageAsDTOWithMdm(FingerprintDetailsDTO fpDetailsDTO, String fingerType)

Input Parameter:

FingerprintDetailsDTO – dto contains the finger print related details, fingerType – Type of the device like Fingerprint/ Iris/Face etc

Auth:

Not required

External Connectivity:

Capture - MDM service REST call

Functionality:

MDM Integration - Validate bio-metric against the bio value already captured and stored in Database.

Main Service class and method:

BioServiceImpl - validateFingerPrint(String userId) - based on provided user Id the relevant bio information would be fetched from database and same would be validated against the bio data received from MDM service.

Input Parameter:

mosipBioDeviceManager – scan(String deviceType)

Auth:

Not required

External Connectivity:

DB, Capture - MDM service REST call

Functionality:

MDM Integration - Display video stream

Main Service class and method:

Yet to be implemented

Input Parameter:

Auth:

Not required

External Connectivity:

Functionality:

TPM Public Key Sync

Technical Detail:

This service will be executed during initial set-up of registration client application. This service gets the Public Part of the Key used for signing from the TPM. Uploads this public key along with the machine name to the server. This service returns the key index which will be used for Master Sync Service

Main Service class and method:

TPMPublicKeySyncService.syncTPMPublicKey()

Input Parameter:

Auth:

TPM 2.0 is required for this service

External Connectivity:

TPM, Web Service

Packet Structure

The packets are created during individual registration process are structured and secured. The detail of the same can be found in this link.

Packet Structure

Packet Status

List of packet status maintained in client db while moving the packet to the different state before and after pushing to the server.

Packet Status Desc

Status in Client

Once Packet Created

REGISTERED

Packet Approved

APPROVED

'Re-Register' packet approved

RE_REGISTER_APPROVED

Packet Rejected

REJECTED

Packet IDs Synced with Server

SYNCED

Packet pushed to Server

PUSHED

Packet exported to device

EXPORTED

Packet Status Desc

Status from Server

Packet in processing state

PROCESSING

UIN generated for the packet

PROCESSED

Unable to process the packet.

REREGISTER

Failed while processing packet due to internal issue

RESEND

Packet is received but not uploaded in LANDING_ZONE

RECEIVED

Duplicate found in abis

REJECTED

List of Jobs

Below provided jobs are executed in batch mode through spring batch. The job execution frequencies are mentioned in the DB job related table. These jobs can also be triggered through manual process using 'Sync' option in the Menu, During initial login after successful online authentication and While starting the application if initial sync already completed.

Sl.No:

Service Desc.

Dependent Module

Under 'Sync' Menu

Initial Login

Application Launch

Pre-registration Data Sync

Pre-reg

Policy Sync

Kernel

Registration Client Config Sync

Kernel

Registration Packet Status Reader

Reg-Proc

User Detail/Role Setup Sync

Kernel

Pre Registration Packet Deletion Job

local job

Registration Packet Deletion Job

Local Job

User Machine Mapping Sync Job

Kernel

Audit Log Deletion Job

Local Job

10.

Registration Packet Sync

Reg-Proc

11.

Registration Packet Virus Scan

Reg-Proc

12.

Public key Sync service

Kernel

13.

User Salt Sync service

Kernel

Configuration Rule

As 'configurability' is the one of the major NFR being considered while designing the application, here listed out the required files where the configurations can be modified that will get reflected in application during runtime.

'registration-qa.properties' - Registration application specific configuration.
'application-qa.properties' - Overall application level common configuration.

These configuration would be downloaded to the client machine through the 'config' sync service. If there is any change with respect to 'kernel' properties then after downloading the properties the application will ask for 'restart'.

Age configuration:

Age limit is configurable in the application. User should modify the max age limit in both 'application' and 'registration' properties file.
{application property key : 'mosip.id.validation.identity.age'}
{registration property key : 'mosip.registration.max_age'}

Table Details

Below find the list of tables used in Registration client application. Based on use cases, the table data gets updated during either sync process or transaction in local machine. There are few jobs are configured to clean the transactions histories from local tables and also pushing the audit data to server.

Sl. No

Table Name

Description

Source

biometric_attribute

It contains the list of biometric attribute description[left slap, right iris..] for each biometric type [Fingerprint, Iris, Photo] with respect to language code

sync from server master table

biometric_type

It contains the list of biometric type[Fingerprint, Iris, Photo] while respect to language code

Sync from server master table

blacklisted_words

It contains the list of words which were not allowed during Registration process with respect to language code

Sync from server master table

device_master

It contains master information related to device with respect to language code

Sync from server master table

device_spec

It contains device specifications like brand, model with respect to language code

Sync from server master table

device_type

It contains types of devices[Fingerprint scanner, camera] and their description with respect to language code

Sync from server master table

doc_category

It contains list of document categories[Proof Of Address, Proof Of Identity...] which will be displayed in UI with respect to language code

Sync from server master table

doc_type

It contains list of document types that are allowed for uploading documents in Registration with respect to language code

Sync from server master table

gender

It contains list of gender types that are being used in Registration with respect to language code

Sync from server master table

10.

id_type

It contains list of Id types [Registration Id, Pre Registration Id] that are being used in Registration with respect to language code

Sync from server master table

11.

language

It contains list of languages that are being used in Registration

Sync from server master table

12.

location

It contains list of locations that are being used in Registration with respect to language code

Sync from server master table

13.

machine_master

It contains list of machine related data[mac address, serial number, machine name...] with respect to language code

Sync from server master table

14.

machine_spec

It contains list of machine specifications[brand, model...] with respect to language code

Sync from server master table

15.

machine_type

It contains list of machine types[Desktop,Laptop...] with respect to language code

Sync from server master table

16.

reason_category

It contains list of reason categories[Client Rejection, Manual Adjudication...] with respect to language code

Sync from server master table

17.

reason_list

It contains list of reasons [Invalid Address, Gender-Photo Mismatch...] that are listed during Registration Approval/Rejection with respect to language code

Sync from server master table

18.

registration_center

It contains list of Registration center ids with respect to language code

Sync from server master table

19.

reg_center_device

It contains list of Registration center ids with respect to language code

Sync from server master table

20.

reg_center_machine

It contains list of machine ids which are mapped to corresponding center id

Sync from server master table

21.

reg_center_machine_device

It is mapping table of center, machine and device

Sync from server master table.

22.

reg_center_type

It contains list of center types with respect to language code

Sync from server master table

23.

reg_center_user

It contains list of user ids that are mapped to corresponding center id

Sync from server master table

24.

reg_center_user_machine

It is a mapping table for center, user and machine

During Onboarding process

25.

template

It contains list of Templates that will be displayed during Registration with respect to language code

Sync from server master table

26.

template_type

It contains list of template types[email template, sms template..] with respect to language code

Sync from server master table

27.

title

It contains list of Titles[Mr, Mrs..] with respect to language code

Sync from server master table

28.

valid_document

It contains list of valid documents allowed for Registration with respect to language code

Sync from server master table

29.

sync_job_def

It contains list of Job details[Master Sync, User Detail Sync..] that are required for sync

Sync from server master table

30.

screen_authorization

It contains list of Screen Ids which are required for accessing features[New Registration, EOD..] with respect to roles

Sync from server master table

31.

role_list

It contains list of roles[Registration Officer, Registration Supervisor..] referred in Registration

Sync from server master table

32.

process_list

It contains list of process[login, eod..] happen during registration

Sync from server master table

33.

app_authentication_method

It contains list if authentication methods[PWD, OTP..] with respect to roles and process[login, eod..]

Sync from server master table

34.

app_detail

It contains list of application details[Pre-Registration, Registration Client] with respect to language code

Sync from server master table

35.

app_role_priority

It contains list of role priority details with respect to Process[login, eod..] and roles

Sync from server master table

36.

GLOBAL_PARAM

It contains list of Configuration related details used in Registration application.

Sync from server configuration [registration.properties, application.properties]

37.

user_detail

It contains list of User details[id,name, email..]

Sync from server master table

38.

user_pwd

It contains User Password details

Sync from server master table

39.

user_role

It contains data of roles which were mapped to the user

Sync from server master table

40.

user_biometric

It contains User biometrics[Fingerprint, Iris..] details[minutia, biometric type..]

During Onboarding Process

41.

key_store

It contains Mosip Public key , Packet creation key

During Public key Sync and Policy sync

42.

sync_control

It contains information about the jobs which are executed successfully along with its last time stamp

During Manual Sync and Scheduled Jobs

43.

sync_transaction

It contains data about all sync transactions

During Manual Sync and Scheduled Jobs

44.

registration

It contains data about Registration Packet[Registration Id, Status..]

During Registration process

45.

registration_transaction

It contains data of all transactions during registration process

During Registration process

46.

pre_registration_list

It contains list of Pre Registration details[Pre Registration Id, Status..]

During Pre Registration Sync

47.

audit_log_control

It contains data of Audit logging[From Time, To Time..]

During local transaction.

UI - labels and messages

The UI specific labels and messages are maintained in the language specific property file. Based on the primary and secondary language the respective bundle would be loaded during runtime and displayed in the screen.

messages_en.properties - Messages are in English language. messages_ar.properties - Messages are in Arabic language. messages_fr.properties - Messages are in French language. labels_en.properties - Labels are in English language. labels_ar.properties - Labels are in Arabic language. labels_fn.properties - Labels are in French language.

Error code and description

Below find the list of error code and description which are thrown from application during the process.

Class Name

Error Codes

Description

GPSFacade

REG-LGE-002

GPS signal is weak please capture again

SyncStatusValidatorService

REG-ICS-006

GPS signal is weak please capture again

SyncStatusValidatorService

REG-ICS-005

GPS device not found. Please connect an on-boarded GPS device.

SyncStatusValidatorService

REG-ICS-005

Please connect the GPS Device

SyncStatusValidatorService

REG-ICS-004

Please insert the GPS device in the Specified Port

RegistrationApprovalController

LGN-UI-SHE

IO Exception

PacketSynchService

REG-PSS

Unable to Sync Packets to the server

PacketUploadService

REG-PUS

Unable to Push Packets to the server

BioService

IRC-IFC

Exception while scanning iris of the individual

BioService

FPC-FCS

Exception while scanning fingerprints of the individual

RestClientAuthAdvice

REG-RCA

Exception while adding authorization token to web-service request

TPMUtil

TPM-UTL-001

Exception while signing the data using TPM

TPMUtil

TPM-UTL-002

Exception while validating the signature provided by TPM

TPMUtil

TPM-UTL-003

Exception while encrypting the data using asymmetric crypto-algorithm through TPM

TPMUtil

TPM-UTL-004

Exception while encrypting the data using asymmetric crypto-algorithm through TPM

TPMUtil

TPM-UTL-005

Exception while getting the public part of the TPM signing key

TPMUtil

TPM-UTL-006

Exception while getting the TPM instance

TPMUtil

TPM-UTL-007

Exception while closing the TPM instance

TPMUtil

TPM-INT-001

Exception while closing the TPM instance

RegIdObjectValidator

REG-IOS-001

Invalid ID Object Schema

RegIdObjectValidator

REG-IOS-002

Invalid ID Object Pattern

RegIdObjectValidator

REG-IOS-003

Invalid Master Data Object Pattern

RestClientAuthAdvice

REG-RCA-001

Generic Exception reported by server, while invoking web-service.

RestClientAuthAdvice

REG-RCA-002

Exception while generating the signature of request body

RestClientAuthAdvice

REG-SDU-004

Response header received from the web-service is not as expected

DemographicDetailController

KER-IDV-102

PRID should not contain any sequential and repeated block of number for 2 or more than two digits

UpdateUINController

KER-IDV-203

UIN length should be as per configured digit.

RegistrationController

KER-TRL-002

Language code not supported

DemographicDetailController

KER-IDV-103

PRID length should be as configured digit

RestClientUtil

RPR-PKR-009

Packet HashSequence did not match

MDS Specification

Introduction & Background

Objective

The objective of this specification document is to establish the technical and compliance standards/ protocols that are necessary for a biometric device to be used in MOSIP solutions.

Target Audience

This is a biometric device specification document and aims to help the biometric device manufacturers, their developers, and their designers in building MOSIP-compliant devices. It is assumed that the readers are familiar with MOSIP registration and authentication services.

MOSIP Devices

All devices that collect biometric data for MOSIP should operate within the specification of this document.

Revision History

Version

State

Date

Changes

0.9.2

Frozen

Aug-2019

0.9.3

Frozen

Feb-2020

0.9.5

Draft

13-Jun-2020

0.9.5

Draft

10-Aug-2020

Signature for API to retrieve encryption certificate has been changed from GET to POST and Device Stream now supports an optional parameter - timeout

0.9.5

Draft

04-Dec-2020

In the header of JWT Signature, the key to store the type has been changed to "typ" from "type" as per JWT standards. Kindly view the digital id specification for the change.

0.9.5

Draft

26-Feb-2021

Updated the to include PCI PED 2.0 and CC.

0.9.5

Draft

24-Mar-2021

The reference to L2 devices has been removed from this document. The biometric specification listed here has been moved to a new section and the old specification is now in for reference.

0.9.5

Draft

07-Apr-2021

Device De registration API spec was updated.

0.9.5

Draft

08-Apr-2021

We will be following datetime values in ISO 8601 with format yyyy-mm-ddTHH:MM:ssZ. The same has been updated throughout the document.

0.9.5

Draft

24-May-2021

Clarification on hash and previousHash definition has been provided

0.9.5

Draft

04-Apr-2022

Register and De-register of devices have been removed from MOSIP. Device validation in MOSIP will be done via cryptography. Here onwards, registering a device will mean a device obtaining a certificate from the management server.

0.9.5

Draft

27-Jul-2022

Added the section on

0.9.5

Draft

24-Oct-2023

Added error code for devices in busy or not ready state. Also added validation for transactionID in request parameters.

Glossary of Terms

Device Provider - An entity that manufactures or imports the devices in their name. This entity should have legal rights to obtain an organization-level digital certificate from the respective authority in the country.
FTM Provider - An entity that manufactures or guarantees the trustworthiness of the foundational trust module. This can be the device provider as well.
Device - A hardware capable of capturing biometric information.
L1 Certified Device / L1 Device - A device certified as capable of performing encryption in line with this spec in its trusted zone.
L0 Certified Device / L0 Device - A device certified as one where the encryption is done on the host machine device driver or the MOSIP device service.
FTM Provider Certificate - A digital certificate issued to the "Foundational Trust Provider". This certificate proves that the provider has successfully gone through the required Foundational Trust Provider evaluation. The entity is expected to keep this certificate in secure possession in an HSM. All the individual FTM trust certificates are issued using this certificate as the root. This certificate would be issued by the countries in conjunction with MOSIP.
Device Provider Certificate - A digital certificate issued to the "Device Provider". This certificate proves that the provider has been certified for L0/L1 respective compliance. The entity is expected to keep this certificate in secure possession in an HSM. All the individual trust certificates are issued using this certificate as the root. This certificate is issued by the countries in conjunction with MOSIP.
Registration - The process of applying for a Foundational Id.
KYC - Know Your Customer. The process of providing consent to perform profile verification and update.
Auth - The process of verifying one’s identity.
FPS - Frames Per Second
Management Server - A server run by the device provider to manage the life cycle of the biometric devices.
Device Registration - The process of a device obtaining a certificate from the management server.
Signature - All signatures should be as per RFC 7515.
header in signature - The header in the signature means the attribute with "alg" set to RS256 and x5c set to base64encoded certificate.
payload is the byte array of the actual data, always represented as base64urlencoded.
signature - base64urlencoded signature bytes
ISO format timestamp | ISO 8601 with the format yyyy-mm-ddTHH:MM:ssZ (Example: 2020-12-08T09:39:37Z). This value should be in UTC (Coordinated Universal Time).

Device Specification

The MOSIP device specification provides compliance guidelines devices for that to work with MOSIP. The compliance is based on device capability, trust and communication protocols. A MOSIP-compliant device would follow the standards established in this document. It is expected that the devices are compliant with this specification and tested and validated. The details of each of these are outlined in the subsequent sections.

Device Capability

The MOSIP-compliant device is expected to perform the following,

Should have the ability to collect one or more biometric
Should have the ability to sign the captured biometric image or template.
Should have the ability to protect secret keys
Should have no mechanism to inject the biometric

Base Specifications for Devices

For details about biometric data specifications please view the page MOSIP Biometric Specification.

We recommend that countries look at ergonomics, accessibility, ease of usage, and common availability of devices while choosing devices for use in registration and authentication scenarios.

Device Trust

MOSIP-compliant devices provide a trusted environment for the devices to be used in registration, KYC and AUTH scenarios. The trust level is established based on the device support for trusted execution.

L1 - The trust is provided by a secure chip with a secure execution environment.
L0 - The trust is provided at the software level. No hardware-related trust exists. This type of compliance is used in controlled environments.

Foundational Trust Module (FTM)

The foundational trust module would be created using a secure microprocessor capable of performing all required biometric processing and secure storage of keys. The foundational device trust would satisfy the below requirements.

The module can securely generate, store and process cryptographic keys.
Generation of asymmetric keys and symmetric keys with TRNG.
The module can protect keys from extraction.
The module has to protect the keys from physical tampering, temperature, frequency and voltage-related attacks.
The module could withstand Hardware cloning.
The module could withstand probing attacks
The module provides memory segregation for cryptographic operations and protection against buffer overflow attacks
The module provides the ability to withstand cryptographic side-channel attacks like Differential Power analysis attacks, Timing attacks.
CAVP validated the implementation of the cryptographic algorithm.
The module can perform a cryptographically validatable secure boot.
The module can run trusted applications.

The foundational device trust derived from this module is used to enable trust-based computing for biometric capture. The foundational device trust module provides a trusted execution environment based on the following:

Secure Boot
- Ability to cryptographically verify code before execution.
- Ability to check for integrity violations of the module/device.
- Halt upon failure.
- Ability to securely upgrade and perform forward-only upgrades, to thwart downgrade attacks.
- SHA256 hash equivalent or above should be used for all hashing requirements
- All root of trust is provisioned upon first boot or before.
- All upgrades would be considered a success only after the successful boot with proper hash and signature verification.
- The boot should fail upon hash/signature failures and would never operate in an intermediary state.
- A maximum of 10 failed attempts should lock the upgrade process and brick the device. However, chip manufacturers can decide to be less than 10.
Secure application
- Ability to run applications that are trusted.
- Protect against the downgrading of applications.
- Isolated memory to support cryptographic operations.
- All trust is anchored during the first boot and not modifiable.

Certification

The FTM should have at least one of the following certifications in each category to meet the given requirement.

Category: Cryptographic Algorithm Implementation

CAVP (RSA, AES, SHA256, TRNG (DRBGVS), ECC)

The supported algorithm and curves are listed here

Category: FTM Chip

(ONE of the following certifications)

FIPS 140-2 L3 or above
PCI PTS 5 or above (Pre-certified)
PCI - PED 2.0 or above (Pre-Certified)
One of the following Common Criteria (CC) certification
- https://www.commoncriteriaportal.org/files/ppfiles/pp0035a.pdf
- https://www.commoncriteriaportal.org/files/ppfiles/pp0084a_pdf.pdf

System/Device Level Tamper (optional)

System/Device Level Tamper Responsiveness is recommended (not mandatory). In this case, FTM should be capable of showcasing Tamper Responsiveness (keys must be erased) against a tamper at the system/device level.

Threats to Protect

The FTM should protect against the following threats.

Hardware cloning attacks - Ability to protect against attacks that could result in a duplicate with keys.
Hardware Tamper attacks
- Physical tamper - No way to physically tamper and obtain its secrets.
- Voltage & frequency related attacks - Should shield against voltage leaks and should prevent low voltage. The FTM should always be in either the state operational normally or inoperable. The FTM should never be operable when its input voltages are not met.
- Temperature attacks on the crypto block - Low or High the FTM are expected to operate or reach an inoperable state. No state in between.
Differential Power Analysis attack.
Probing attacks - FTM should protect its surface area against any probe-related attacks.
Segregation of memory for execution of cryptographic operation (crypto block should be protected from buffer overflow type attacks).
Vulnerability of the cryptographic algorithm implementation.
Attacks against secure boot & secure upgrade.
TEE/Secure processor OS attack (if applicable).

Foundational Trust Module Identity

Upon FTM provider approval by the MOSIP adopters, the FTM provider would submit a self-signed public certificate to the adopter. Let us call this the FTM root. The adopter would use this certificate to seed their device's trust database. The FTM root and their key pairs should be generated and stored in FIPS 140-2 Level 3 or more compliant devices with no possible mechanism to extract the keys. The foundational module upon its first boot is expected to generate a random asymmetric key pair and provide the public part of the key to obtain a valid certificate. The FTM provider would validate to ensure that the chip is unique and would issue a certificate with the issuer set to an FTM certificate chain. The entire certificate issuance would be in a secured provisioning facility. Auditable upon notice by the adopters or its approved auditors. The certificate issued to the module will have a defined validity period as per the MOSIP certificate policy document defined by the MOSIP adopters. This certificate and private key within the FTM chip is expected to be in its permanent memory.

The validity of the chip certificate can not exceed 20 years from the date of manufacturing.

Device

MOSIP devices are most often used to collect biometrics. The devices are expected to follow the specification for all levels of compliance and their usage. The MOSIP devices fall under the category of Trust Level 3 (TL3) as defined in MOSIP architecture. At TL3 device is expected to be whitelisted with a fully capable PKI and secure storage of keys at the hardware.

L0 - A device can obtain L0 certification when it uses a software-level cryptographic library with no secure boot or FTM. These devices will follow different device identities and the same would be mentioned as part of exception flows.
L1 - A device can obtain L1 certification when it is built in a secure facility with one of the certified FTM.

Device Identity

All devices that connect to MOSIP must be identifiable. MOSIP believes in cryptographic Identity as its basis for trust.

Physical ID

An identification mark that shows MOSIP compliance and a readable unique device serial number (minimum of 12 alphanumeric characters) make and model. The same information has to be available over a 2D QR Code or Barcode. This is to help field support and validation.

Digital ID

A digital device ID in MOSIP would be a signed JSON (RFC 7515) as follows:

{
  "serialNo": "Serial number",
  "make": "Make of the device",
  "model": "Model of the device",
  "type": "Type of the biometric device",
  "deviceSubType": "Subtypes of the biometric device",
  "deviceProvider": "Device provider name",
  "deviceProviderId": "Device provider id",
  "dateTime": "Current datetime in ISO format"
}

Signed with the JSON Web Signature (RFC 7515) using the "Foundational Trust Module" Identity key, this data is the fundamental identity of the device. Every MOSIP-compliant device will need the foundational trust module.

The only exception to this rule is for the L0-compliant devices that have the purpose of "Registration". L0 devices would sign the Digital Id with the device key.

A signed digital ID would look as follows:

"digitalId": "base64urlencoded(header).base64urlencoded(payload).base64urlencoded(signature)"

The header in the digital id would have:

"alg": "RS256",
"typ": "JWT",
"x5c": "<Certificate of the FTM chip, If in case the chain of certificates are sent then the same will be ignored">

MOSIP assumes that the first certificate in the x5c is the FTM's chip public certificate issued by the FTM root certificate.

An unsigned digital ID would look as follows:

"digitalId": "base64urlencoded(payload)"

Payload is the Digital ID JSON object.

For an L0 unregistered device, the digital id will be unsigned. In all other scenarios, except for a discovery call, the digital ID will be signed either by the chip key (L1) or the device key (L0).

Accepted Values for Digital ID

Parameters

Description

serialNo

Serial number of the device.
This value should be same as printed on the device (Refer ).

make

Brand name.
This value should be the same as printed on the device (Refer to ).

model

Model of the device.
This value should be the same as printed on the device (Refer to ).

type

Currently allowed values for device type are "Finger", "Iris" or "Face".
More types can be added based on Adopter's implementation.

deviceSubType

The device subtype is based on the device type.
For Finger - "Slap", "Single" or "Touchless"
For Iris - "Single" or "Double"
For Face - "Full face"

deviceProvider

Name of the device provider.
The device provider should be a legal entity in the country.

dateTime

The current time during the issuance of the request.
This is in ISO format.

Keys

List of keys used in the device and their explanation.

Device Key

Each biometric device would contain an authorized private key after the device registration. This key is rotated frequently based on the requirement of the respective adopter of MOSIP. By default, MOSIP recommends a 30-day key rotation policy for the device key. The device keys are created by the device providers inside the FTM during a successful registration. The device keys are used for signing the biometric. More details of the signing and its usage will be here. This key is issued by the device provider and the certificate of the device key is issued by the device provider key which in turn is issued by the MOSIP adopter after approval of the device provider's specific model.

FTM Key

The FTM key is the root of the identity. This key is created by the FTM provider during the manufacturing/provisioning stage. This is a permanent key and would never be rotated. This key is used to sign the Digital ID.

MOSIP Key

The MOSIP key is the public key provided by the MOSIP adopter. This key is used to encrypt the biometric. Details of the encryption are listed below. We recommend rotating this key every 1 year.

Device Service - Communication Interfaces

The section explains the necessary details of the biometric device connectivity, accessibility, discover-ability and protocols used to build and communicate with the device.

The device should implement only the following set of APIs. All the APIs are independent of the physical layer and the operating system, with the invocation being different across operating systems. While the operating system names are defined in this spec a similar technology can be used for unspecified operating systems. It is expected that the device service ensures that the device is connected locally to the host.

Device Discovery

Device discovery would be used to identify MOSIP-compliant devices in a system by the applications. The protocol is designed as a simple plug-and-play with all the necessary abstractions to the specifics.

Device Discovery Request

{
  "type": "type of the device"
}

Accepted Values for Device Discovery Request

type - "Biometric Device", "Finger", "Face", "Iris"

"Biometric Device" - is a special type and is used in case you are looking for any biometric device.

Device Discovery Response

[
  {
    "deviceId": "Internal ID",
    "deviceStatus": "Device status",
    "certification": "Certification level",
    "serviceVersion": "Device service version",
    "deviceSubId": ["Array of supported device sub Ids"],
    "callbackId": "Base URL to reach the device",
    "digitalId": "Unsigned Digital ID of the device",
    "deviceCode": "Same as serialNo in digital ID",
    "specVersion": ["Array of supported MDS specification version"],
    "purpose": "Auth or Registration or empty if not registered",
    "error": {
      "errorCode": "101",
      "errorInfo": "Invalid JSON Value Type For Discovery.."
    }
  },
  ...
]

Accepted Values for Device Discovery Response

Parameters

Description

deviceStatus

Allowed values are "Ready", "Busy", "Not Ready" or "Not Registered".
Error codes should be sent for device in "Busy", "Not Ready" and "Not Registered" from the below .

certification

Allowed values are "L0" or "L1" based on the level of certification.

serviceVersion

Device service version.

deviceId

Internal ID to identify the actual biometric device within the device service.

deviceSubId

Allowed values are 1, 2 or 3.
The device sub-id could be used to enable a specific module in the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index which always starts with 1 and increases sequentially for each sub-device present.
In the case of Finger/Iris, it's 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).

callbackId

This differs as per the OS.
In the case of Linux and windows operating systems, it is an HTTP URL.
In the case of android, it is the intent name.
In IOS, it is the URL scheme.
The call-back URL takes precedence over future requests as a base URL.

digitalId

Digital ID as per the Digital ID definition but it will not be signed.

deviceCode

Same as serialNo in digital ID.

specVersion

An array of supported MDS specification versions. The array element zero will always contain the spec version using which the response is created.

purpose

Purpose of the device in the MOSIP ecosystem. Allowed values are "Auth" or "Registration".

error

Relevant errors as defined under the of this document.

error.errorCode

A standardized error code is defined in the .

error.errorInfo

Description of the error that can be displayed to the end user. Multi-lingual support.

The response is an array that we could have a single device enumerating with multiple biometric options.
The service should ensure to respond only if the type parameter matches the type of device or the type parameter is a "Biometric Device".
This response is a direct JSON as shown in the response.

Windows/Linux

All the device API will be based on the HTTP specification. The device always binds to any of the available ports ranging from 4501 - 4600. The IP address used for binding has to be 127.0.0.1 and not localhost.

The applications that require access to MOSIP devices could discover them by sending the HTTP request to the supported port range. We will call this port the device_service_port in the rest of the document.

HTTP Request:

MOSIPDISC http://127.0.0.1:<device_service_port>/device
HOST: 127.0.0.1: <device_service_port>
EXT: <app name>

HTTP Response:

HTTP/1.1 200 OK
CACHE-CONTROL:no-store
LOCATION:http://127.0.0.1:<device_service_port>
Content-Length: length in bytes of the body
Content-Type: application/json
Connection: Closed

The payloads are JSON in both cases and are part of the body.
CallbackId would be set to the http://127.0.0.1:<device_service_port>/. So, the caller will use the respective HTTP verb/method and the URL to call the service.

Android

For details on android specifications please view the section - Android SBI Specification.

Device Info

The device information API would be used to identify the MOSIP-compliant devices and their status by the applications.

Device Info Request

Accepted Values for Device Info Request

Device Info Response

[
  {
    "deviceInfo": {
      "deviceStatus": "Current status",
      "deviceId": "Internal ID",
      "firmware": "Firmware version",
      "certification": "Certification level",
      "serviceVersion": "Device service version",
      "deviceSubId": ["Array of supported device sub Ids"],
      "callbackId": "Baseurl to reach the device",
      "digitalId": "Signed digital id as described in the digital id section of this document.",
      "deviceCode": "Same as serialNo in digital ID",
      "env": "Target environment",
      "purpose": "Auth or Registration",
      "specVersion": ["Array of supported MDS specification version"],
    },
    "error": {
      "errorCode": "101",
      "errorInfo": "Invalid JSON Value "
    }
  }
  ...
]

So the API would respond in the following format.

[
  {
    "deviceInfo": "base64urlencode(header).base64urlencode(payload).base64urlencode(signature)"
    "error": {
      "errorCode": "100",
      "errorInfo": "Device not registered. In this case, the device info will be only base64urlencode(payload)"
    }
  }
]

Allowed values for Device Info Response

Parameters

Description

deviceInfo

The deviceInfo object is sent as JSON Web Token (JWT).
For a device which is not registered, the deviceInfo will be unsigned.
For a device which is registered, the deviceInfo will be signed using the device key.

deviceInfo.deviceStatus

This is the status of the device.
Allowed values are "Ready", "Busy", "Not Ready" or "Not Registered".
Error codes should be sent for device in "Busy", "Not Ready" and "Not Registered" from the below .

deviceInfo.deviceId

Internal Id to identify the actual biometric device within the device service.

deviceInfo.firmware

The exact version of the firmware.
In the case of L0, this is the same as serviceVersion.

deviceInfo.certification

Allowed values are "L0" or "L1" based on the level of certification.

deviceInfo.serviceVersion

The version of the MDS specification that is supported.

deviceInfo.deviceId

Internal ID to identify the actual biometric device within the device service.

deviceSubId

Allowed values are 1, 2 or 3.
The device sub-id could be used to enable a specific module in the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index which always starts with 1 and increases sequentially for each sub-device present.
In the case of Finger/Iris, it's 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).

deviceInfo.callbackId

This differs as per the OS.
In the case of Linux and windows operating systems, it is an HTTP URL.
In the case of android, it is the intent name.
In IOS, it is the URL scheme.
The call-back URL takes precedence over future requests as a base URL.

deviceInfo.digitalId

The digital id is as per the digital id definition.
For L0 devices which is not registered, the digital id will be unsigned.
For L0 devices which are registered, the digital id will be signed using the device key.
For L1 devices, the digital id will be signed using the FTM key.

deviceInfo.env

The target environment.
For devices that are not registered the environment is "None".
For a device that is registered, then send the environment in which it is registered.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".

deviceInfo.purpose

The purpose of the device in the MOSIP ecosystem.
For devices that are not registered the purpose is empty.
Allowed values are "Auth" or "Registration".

deviceInfo.specVersion

An array of supported MDS specification versions. The array element Zero will always contain the spec version using which the response is created.

error

Relevant errors as defined under the of this document.

error.errorCode

A standardized error code is defined in the .

error.errorInfo

Description of the error that can be displayed to the end user. Multi-lingual support.

The response is an array that we could have a single device enumerating with multiple biometric options.
The service should ensure to respond only if the type parameter matches the type of device or the type parameter is a "Biometric Device".

Windows/Linux

The applications that require more details of the MOSIP devices could get them by sending the HTTP request to the supported port range. The device always binds to any of the available ports ranging from 4501 - 4600. The IP address used for binding has to be 127.0.0.1 and not localhost.

HTTP Request:

MOSIPDINFO http://127.0.0.1:<device_service_port>/info
HOST: 127.0.0.1:<device_service_port>
EXT: <app name>

HTTP Response:

HTTP/1.1 200 OK
CACHE-CONTROL:no-store
LOCATION:http://127.0.0.1:<device_service_port>
Content-Length: length in bytes of the body
Content-Type: application/json
Connection: Closed

The payloads are JSON in both cases and are part of the body.

Android

For details on android specifications please view the section - Android SBI Specification.

Capture

The capture request would be used to capture a biometric from MOSIP-compliant devices by the applications. The captured call will respond with success to only one call at a time. So, in case of a parallel call, the device info details are sent with the status "Busy".

Capture Request

{
  "env": "Target environment",
  "purpose": "Auth or Registration",
  "specVersion": "Expected version of the MDS spec",
  "timeout": "Timeout for capture",
  "captureTime": "Capture request time in ISO format",
  "domainUri": "URI of the auth server",
  "transactionId": "Transaction Id for the current capture",
  "bio": [
    {
      "type": "Type of the biometric data",
      "count":  "Finger/Iris count, in case of face max, is set to 1",
      "bioSubType": ["Array of subtypes"],
      "requestedScore": "Expected quality score that should match to complete a successful capture",
      "deviceId": "Internal Id",
      "deviceSubId": "Specific Device Sub Id",
      "previousHash": "Hash of the previous block"
    }
  ],
  "customOpts": {
    //Max of 50 key-value pairs. This is so that vendor-specific parameters can be sent if necessary. The values cannot be hardcoded and have to be configured by the apps server and should be modifiable upon need by the applications. Vendors are free to include additional parameters and fine-tuning parameters. None of these values should go undocumented by the vendor. No sensitive data should be available in the customOpts.
  }
}

The count value should be driven by the count of the bioSubType for Iris and Finger. For Face, there will be no bioSubType but the count should be "1".

Allowed Values for Capture Request

Parameters

Description

env

The target environment.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".

purpose

The purpose of the device in the MOSIP ecosystem.
For devices that are not registered the purpose is empty.
Allowed values are "Auth" or "Registration".

specVersion

Expected version of MDS specification.

timeout

Max time the app will wait for the capture.
It's expected that the API will respond back before the timeout with the best frame.
All timeouts are in milliseconds.

captureTime

Time of capture in ISO format.
The time is as per the requested application.

domainUri

URI of the authentication server.
This can be used to federate across multiple providers or countries or unions.

transactionId

Unique Id of the transaction.
This is an internal Id to the application that's requesting a capture.
Different IDs should be used for every request.
The transactionId can have minimum lenght as 4 and max length as 50.
Allowed characters in transactionId are alphabets, numbers and hyphens (-).
If the above validations are not met then a error can be thrown in the .

bio.type

Allowed values are "Finger", "Iris" or "Face".

bio.count

The number of biometric data that is collected for a given type.
The device should validate and ensure that this number is in line with the type of biometric that's captured.

bio.bioSubType

For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb", "UNKNOWN"]
For Iris: ["Left", "Right", "UNKNOWN"]
For Face: No bioSubType

bio.requestedScore

Upon reaching the quality score the biometric device is expected to auto-capture the image. If the requested score is not met, until the timeout, the best frame during the capture sequence must be captured/returned. This value will be scaled from 0 - 100 for NFIQ v1.0. The logic for scaling is mentioned below.

bio.deviceId

Internal Id to identify the actual biometric device within the device service.

bio.deviceSubId

Allowed values are 1, 2 or 3.
The device sub-id could be used to enable a specific model of the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index that always starts with 1 and increases sequentially for each sub-device present.
In the case of Finger/Iris, it's 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).

bio.previousHash

For the first capture, the previousHash is the SHA256 hash of an empty UTF-8 string. From the second capture the previous capture's "hash" is used as input. This is used to chain all the captures across modalities so all captures have happened for the same transaction and during the same time.

customOpts

In case, the device vendor wants to send additional parameters they can use this to send key-value pairs if necessary.
The values cannot be hard coded and have to be configured by the app's server and should be modifiable upon need by the applications.
Vendors are free to include additional parameters and fine-tune the process.
None of these values should go undocumented by the vendor.
No sensitive data should be available in the customOpts.

NFIQ v1.0 on a scale of 0-100 (quality score).

Scale

NFIQ v1.0

81 - 100

61 - 80

41 - 60

21 - 40

0 - 20

Capture Response

{
  "biometrics": [
    {
      "specVersion": "MDS spec version",
      "data": {
        "digitalId": "digital Id as described in this document",
        "deviceCode": "Same as serialNo in digital ID",
        "deviceServiceVersion": "MDS version",
        "bioType": "Finger",
        "bioSubType": "UNKNOWN",
        "purpose": "Auth or Registration",
        "env": "Target environment",
        "domainUri": "URI of the auth server",
        "bioValue": "Encrypt biodata (ISO) with random 256-bit AES key (session key) and encode encrypted biodata with base64 URL safe encoding.",
        "transactionId": "Unique transaction id",
        "timestamp": "Capture datetime in ISO format",
        "requestedScore": "Floating point number to represent the minimum required score for the capture",
        "qualityScore": "Floating point number representing the score for the current capture"
      },
      "hash": "sha256 in hex format in upper case (previous "hash" + sha256 hash of the current biometric ISO data before encryption)",
      "sessionKey": "Encrypt the session key (used to encrypt the bioValue) with MOSIP public key and encode encrypted session key with base64 URL safe encoding.",
      "thumbprint": "SHA256 representation of the certificate (HEX encoded) that was used for encryption of session key. All texts to be treated as uppercase without any spaces or hyphens.",
      "error": {
        "errorCode": "101",
        "errorInfo": "Invalid JSON Value"
      }
    },
    {
      "specVersion": "MDS spec version",
      "data": {
        "digitalId": "Digital Id as described in this document",
        "deviceCode": "Same as serialNo in digital ID",
        "deviceServiceVersion": "MDS version",
        "bioType": "Finger",
        "bioSubType": "Left IndexFinger",
        "purpose": "Auth or Registration",
        "env": "target environment",
        "domainUri": "URI of the auth server",
        "bioValue": "Encrypt biodata (ISO) with random 256-bit AES key (session key) and encode encrypted biodata with base64 URL safe encoding.",
        "transactionId": "unique transaction id",
        "timestamp": "Capture datetime in ISO format",
        "requestedScore": "Floating point number to represent the minimum required score for the capture",
        "qualityScore": "Floating point number representing the score for the current capture"
      },
      "hash": "sha256 in hex format in upper case (previous "hash" + sha256 hash of the current biometric ISO data before encryption)",
      "sessionKey": "Encrypt the session key (used to encrypt the biovalue) with MOSIP public key and encode encrypted session key with base64 URL safe encoding.",
      "thumbprint": "SHA256 representation of the certificate (HEX encoded) that was used for encryption of session key. All texts to be treated as uppercase without any spaces or hyphens.",
      "error": {
        "errorCode": "101",
        "errorInfo": "Invalid JSON Value"
      }
    }
  ]
}

Accepted Values for Capture Response

Parameters

Description

specVersion

The version of the MDS specification using which the response was generated.

data

The data object is sent as JSON Web Token (JWT).
The data block will be signed using the device key.

data.digitalId

The digital id is as per the digital id definition in JWT format.
For L0 devices, the digital id will be signed using the device key.
For L1 devices, the digital id will be signed using the FTM key.

data.deviceCode

Same as serialNo in digital ID.

data.deviceServiceVersion

MDS version

data.bioType

Allowed values are "Finger", "Iris" or "Face".

data.bioSubType

For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb", "UNKNOWN"]
For Iris: ["Left", "Right", "UNKNOWN"]
For Face: No bioSubType

data.purpose

The purpose of the device in the MOSIP ecosystem.
Allowed values are "Auth".

data.env

The target environment.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".

data.domainUri

URI of the authentication server.
This can be used to federate across multiple providers or countries or unions.

data.bioValue

Biometric data is encrypted with a random symmetric (AES GCM) key and base-64-URL encoded. For symmetric key encryption of bioValue, (biometrics.data.timestamp XOR transactoinId) is computed and the last 16 bytes and the last 12 bytes of the results are set as the aad and the IV(salt) respectively. Look at the Authentication document to understand more about encryption.

data.transactionId

Same transactionId shared in the request should be used.

data.timestamp

Time as per the biometric device.
Note: The biometric device is expected to sync its time from the management server at regular intervals so accurate time could be maintained on the device.

data.requestedScore

Floating point number to represent the minimum required score for the capture. This value will be scaled from 0 - 100 for NFIQ v1.0. The logic for scaling is mentioned above.

data.qualityScore

The floating point number represents the score for the current capture. This value will be scaled from 0 - 100 for NFIQ v1.0. The logic for scaling is mentioned above.

hash

sha256 in hex format in upper case (previous "hash" + sha256 hash of the current biometric ISO data before encryption)

sessionKey

The session key (used for the encryption of the biodata (ISO)) is encrypted using the MOSIP public certificate with RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING algorithm and then encode the encrypted session key with base64 URL safe encoding.

thumbprint

SHA256 representation of the certificate (HEX encoded) that was used for encryption of the session key. All texts are to be treated as uppercase without any spaces or hyphens.

error

Relevant errors as defined under the of this document.

error.errorCode

Standardized error code defined in the .

error.errorInfo

Description of the error that can be displayed to the end-user. Multi-lingual support.

The entire data object is sent in JWT format. So, the data object will look like this:

"data" : "base64urlencode(header).base64urlencode(payload).base64urlencode(signature)
payload - is defined as the entire byte array of the data block.

Windows/Linux

The applications that require capturing biometric data from a MOSIP device could do so by sending the HTTP request to the supported port range.

HTTP Request:

CAPTURE [http://127.0.0.1:<device_service_port>/capture](http://127.0.0.1/capture)
HOST: 127.0.0.1: <apps port>
EXT: <app name>

HTTP Response:

HTTP/1.1 200 OK
CACHE-CONTROL:no-store
LOCATION:[http://127.0.0.1](http://127.0.0.1):<device_service_port>
Content-Length: length in bytes of the body
Content-Type: application/json
Connection: Closed

The payloads are JSON in both cases and are part of the body.

Android

For details on android specifications please view the section - Android SBI Specification.

Device Stream

The device would open a stream channel to send live video streams. This would help when there is an assisted operation to collect biometrics. Please note the stream APIs are available only for the registration environment.

Used only for registration module-compatible devices. This API is visible only for the devices that are registered for the purpose of "Registration".

Device Stream Request

{
  "deviceId": "Internal Id",
  "deviceSubId": "Specific device sub Id",
  "timeout": "Timeout for stream"
}

Allowed Values for device Stream Request

Parameters

Description

deviceId

Internal Id to identify the actual biometric device within the device service.

deviceSubId

Allowed values are 1, 2 or 3.
The device sub-id could be used to enable a specific module in the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index which always starts with 1 and increases sequentially for each sub-device present.
In the case of Finger/Iris, it's 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).

timeout

Max time after which the stream should close.
This is an optional parameter and by default, the value will be 5 minutes.
All timeouts are in milliseconds.

Device Stream Response

Live Video stream with a quality of 3 frames per second or more using M-JPEG.

The preview should have quality markings and segment markings. The preview would also be used to display an error message on the user screen. All error messages should be localized.

Error Response for Device Stream

{
  "error": {
    "errorCode": "202",
    "errorInfo": "No Device Connected."
  }
}

Windows/Linux

The applications that require more details of the MOSIP devices could get them by sending the HTTP request to the supported port range.

HTTP Request:

STREAM   http://127.0.0.1:<device_service_port>/stream
HOST: 127.0.0.1: <apps port>
EXT: <app name>

HTTP Response: HTTP Chunk of frames to be displayed. Minimum frames 3 per second.

Android

For details on android specifications please view the section - Android SBI Specification.

Registration Capture

The registration client application will discover the device. Once the device is discovered the status of the device is obtained with the device info API. During the registration, the registration client sends the RCAPTURE API and the response will provide the actual biometric data in a digitally signed non-encrypted form. When the Device Registration Capture API is called the frames should not be added to the stream. The device is expected to send the images in ISO format.

The requestedScore is on a scale of 1-100 (NFIQ v2.0 for fingerprints). So, in cases where you have four fingers the average of all will be considered for the capture threshold. The device would always send the best frame during the capture time even if the requested score is not met.

The API is used by devices that are compatible with the registration module. This API should not be supported by devices that are compatible with authentication.

Registration Capture Request

{
  "env":  "Target environment",
  "purpose": "Auth or Registration",
  "specVersion": "Expected MDS spec version",
  "timeout": "Timeout for registration capture",
  "captureTime": "Time of capture request in ISO format",
  "transactionId": "Transaction Id for the current capture",
  "bio": [
    {
      "type": "Type of the biometric data",
      "count":  "Finger/Iris count, in case of face max, is set to 1",
      "bioSubType": ["Array of subtypes"], //Optional
      "exception": ["Finger or Iris to be excluded"],
      "requestedScore": "Expected quality score that should match to complete a successful capture",
      "deviceId": "Internal Id",
      "deviceSubId": "Specific device Id",
      "previousHash": "Hash of the previous block"
    }
  ],
  "customOpts": {
    //max of 50 key-value pairs. This is so that vendor-specific parameters can be sent if necessary. The values cannot be hardcoded and have to be configured by the apps server and should be modifiable upon need by the applications. Vendors are free to include additional parameters and fine-tuning parameters. None of these values should go undocumented by the vendor. No sensitive data should be available in the customOpts.
  }
}

To capture the exception photo exception value for Iris or Finger should be sent in bio.exception for bio.type = 'Face'. ICAO checks are not mandatory here but one face must be present within the frame.

Accepted Values for Registration Capture Request

Parameters

Description

env

The target environment.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".

purpose

The purpose of the device in the MOSIP ecosystem.
For devices that are not registered the purpose is empty.
Allowed values are "Auth" or "Registration".

specVersion

Expected version of MDS specification.

timeout

Max time the app will wait for the capture.
Its expected that the API will respond back before timeout with the best frame.
All timeouts are in milliseconds.

captureTime

Time of capture in ISO format.
The time is as per the requesting application.

transactionId

Unique Id of the transaction.
This is an internal Id to the application that's requesting a capture.
Different IDs should be used for every request.
The transactionId can have minimum lenght as 4 and max length as 50.
Allowed characters in transactionId are alphabets, numbers and hyphens (-).
If the above validations are not met then a error can be thrown in the .

bio.type

Allowed values are "Finger", "Iris" or "Face".

bio.count

Number of biometric data that is collected for a given type.
The device should validate and ensure that this number is in line with the type of biometric that's captured.

bio.bioSubType

Array of bioSubType for respective biometric type.
For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb", "UNKNOWN"]
For Iris: ["Left", "Right", "UNKNOWN"]
For Face: No bioSubType
This is an optional parameter.

bio.exception

This is an array and all the exceptions are marked.
In case exceptions are sent for face then follow the exception photo specification above.
For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb"]
For Iris: ["Left", "Right"]

bio.requestedScore

Upon reaching the quality score the biometric device is expected to auto capture the image.

bio.deviceId

Internal Id to identify the actual biometric device within the device service.

bio.deviceSubId

Allowed values are 1, 2 or 3.
The device sub id could be used to enable a specific module in the scanner appropriate for a biometric capture requirement.
Device sub id is a simple index that always starts with 1 and increases sequentially for each sub-device present.
In case of Finger/Iris its 1 for left slap/iris, 2 for right slap/iris and 3 for two thumbs/irises.
The device sub id should be set to 0 if we don't know any specific device sub id (0 is not applicable for fingerprint slap).

bio.previousHash

For the first capture the previousHash is the SHA256 hash of an empty UTF-8 string. From the second capture the previous capture's "hash" is used as input. This is used to chain all the captures across modalities so all captures have happened for the same transaction and during the same time.

customOpts

In case, the device vendor wants to send additional parameters they can use this to send key value pair if necessary.
The values cannot be hard coded and have to be configured by the apps server and should be modifiable upon need by the applications.
Vendors are free to include additional parameters and fine-tuning the process.
None of these values should go undocumented by the vendor.
No sensitive data should be available in the customOpts.

Registration Capture Response

{
  "biometrics": [
    {
      "specVersion": "MDS Spec version",
      "data": {
        "digitalId": "Digital id of the device as per the Digital Id definition..",
        "bioType": "Biometric type",
        "deviceCode": "Same as serialNo in digital ID",
        "deviceServiceVersion": "MDS version",
        "bioSubType": "Left IndexFinger",
        "purpose": "Auth or Registration",
        "env": "Target environment",
        "bioValue": "base64urlencoded biometrics (ISO format)",
        "transactionId": "Unique transaction id sent in request",
        "timestamp": "2019-02-15T10:01:57Z",
        "requestedScore": "Floating point number to represent the minimum required score for the capture. This ranges from 0-100.",
        "qualityScore": "Floating point number representing the score for the current capture. This ranges from 0-100."
      },
      "hash": "sha256 in hex format in upper case (previous "hash" + sha256 hash of the current biometric ISO data)",    
      "error": {
        "errorCode": "101",
        "errorInfo": "Invalid JSON Value Type For Discovery.. ex: {type: 'Biometric Device' or 'Finger' or 'Face' or 'Iris' } "
      }
    },
    {
      "specVersion": "MDS Spec version",
      "data": {
        "deviceCode": "Same as serialNo in digital ID",
        "bioType": "Finger",
        "digitalId": "Digital id of the device as per the Digital Id definition.",
        "deviceServiceVersion": "MDS version",
        "bioSubType": "Left MiddleFinger",
        "purpose": "Auth or Registration",
        "env": "Target environment",
        "bioValue": "base64urlencoded extracted biometric (ISO format)",
        "transactionId": "Unique transaction id sent in request",
        "timestamp": "2019-02-15T10:01:57Z",
        "requestedScore": "Floating point number to represent the minimum required score for the capture. This ranges from 0-100",
        "qualityScore": "Floating point number representing the score for the current capture. This ranges from 0-100"
      },
      "hash": "sha256 in hex format in upper case (previous "hash" + sha256 hash of the current biometric ISO data)",
      "error": {
        "errorCode": "101",
        "errorInfo": "Invalid JSON Value Type For Discovery.. ex: {type: 'Biometric Device' or 'Finger' or 'Face' or 'Iris' }"
      }
    }
  ]
}

Allowed Values for Registration Capture Response

Parameters

Description

specVersion

Version of the MDS specification using which the response was generated.

data

The data object is sent as JSON Web Token (JWT).
The data block will be signed using the device key.

data.bioType

Allowed values are "Finger", "Iris" or "Face".

data.digitalId

The digital id as per the digital id definition in JWT format.
For L0 devices, the digital id will be signed using the device key.
For L1 devices, the digital id will be signed using the FTM key.

data.bioSubType

For Finger: ["Left IndexFinger", "Left MiddleFinger", "Left RingFinger", "Left LittleFinger", "Left Thumb", "Right IndexFinger", "Right MiddleFinger", "Right RingFinger", "Right LittleFinger", "Right Thumb", "UNKNOWN"]
For Iris: ["Left", "Right", "UNKNOWN"]
For Face: No bioSubType

data.deviceServiceVersion

MDS Version

data.env

The target environment.
Allowed values are "Staging", "Developer", "Pre-Production" or "Production".

data.purpose

The purpose of the device in the MOSIP ecosystem.
Allowed values are "Auth" or "Registration".

data.bioValue

Base64-URL-encoded biometrics (in ISO format)

data.transactionId

Same transactionId shared in the request should be used.

data.timestamp

Time as per the biometric device.
Note: The biometric device is expected to sync its time from the management server at regular intervals so accurate time could be maintained on the device.

data.requestedScore

Floating point number to represent the minimum required score for the capture.

data.qualityScore

Floating point number representing the score for the current capture.

hash

sha256 in hex format in upper case (previous "hash" + sha256 hash of the current biometric ISO data).

error

Relevant errors as defined under the of this document.

error.errorCode

Standardized error code defined in the .

error.errorInfo

Description of the error that can be displayed to end user. Multi lingual support.

Windows/Linux

The applications that require more details of the MOSIP devices could get them by sending the HTTP request to the supported port range.

HTTP Request:

RCAPTURE  http://127.0.0.1:<device_service_port>/capture
HOST: 127.0.0.1: <apps port>
EXT: <app name>

HTTP Response: HTTP response.

Android

For details on android specifications please view the section - Android SBI Specification.

Certificates

The MOSIP server would provide the following retrieve encryption certificate API which is white-listed to the management servers of the device provider or their partners.

Retrieve Encryption Certificate Request URL

POST https://{base_url}/v1/masterdata/device/encryptioncertficates

Version: v1

Retrieve Encryption Certificate Request

{
  "id": "io.mosip.auth.country.certificate",
  "version": "certificate server API version as defined above",
  "request": {
    "data": {
      "env":  "target environment",
      "domainUri": "uri of the auth server"
    }
  },
  "requesttime": "current timestamp in ISO format"
}

The request is sent in a JWT format. So the final request will look like this:

"request": {
  "data": "base64urlencode(header).base64urlencode(payload).base64urlencode(signature)"
}

Accepted Values for Retrieve Certificate Request

env - Allowed values are Staging| Developer| Pre-Production | Production
domainUri - unique uri per auth providers. This can be used to federate across multiple providers or countries or unions.

Encryption Certificate Response

{
  "id": "io.mosip.auth.country.certificate",
  "version": "certificate server API version as defined above",
  "responsetime": "Current time in ISO format",
  "response": [
    {
      "certificate": "base64encoded certificate as x509 V3 format"
    }
  ]
}

The entire response is sent in a JWT format. So the final response will look like this:

"response" : "base64urlencode(header).base64urlencode(payload).base64urlencode(signature)"

Management Server and Management Client

Management Server Functionalities and Interactions

The management server has the following objectives.

Validate the devices to ensure they genuine devices from the respective device provider. This can be achieved using the device info and the certificates for the Foundational Trust Module.
Register the genuine device with the MOSIP device server.
Manage/Sync time between the end device and the server. The time to be synced should be the only trusted time accepted by the device.
Ability to issue commands to the end device for
1. De-registration of the device (Device Keys)
2. Collect device information to maintain, manage, support and upgrade a device remotely.
A central repository of all the approved devices from the device provider.
Safe storage of keys using HSM FIPS 140-2 Level 3. These keys are used to issue the device certificate upon registration. The Management Server is created and hosted by the device provider outside of MOSIP software. The communication protocols between the MDS and the Management Server can be decided by the respective device provider. Such communication should be restricted to the above-specified interactions only. No transactional information should be sent to this server.
Should have the ability to push updates from the server to the client devices.

As there is no adopter-specific information being exchanged at the management server or the FTM provisioning server, there are no mandates from MOSIP where these are located globally. However, the adopter is recommended to have an audit and contractual mechanisms to validate the compliance of these components at any point in time.

Management Client

The management client is the interface that connects the device with the respective management server. The communication between the management server and its clients must be designed with scalability, robustness, performance and security. The management server may add many more capabilities than what is described here, But the basic security objectives should be met at all times irrespective of the offerings.

For better and more efficient handling of the device at large volumes, we expect the devices to auto-register to the Management Server.
All communication to the server and from the server should follow the below properties.
1. All communication is digitally signed with the approved algorithms
2. All communication to the server is encrypted using one of the approved public key cryptography (HTTPS – TLS1.2/1.3 is required with one of the approved algorithms.
3. All request has timestamps attached in ISO format to the milliseconds inside the signature.
4. All communication back and forth should have the signed digital id as one of the attributes.
It's expected that auto-registration has an absolute way to identify and validate the devices.
The management client should be able to detect the devices in a plug-and-play model.
All key rotations should be triggered from the server.
Should have the ability to detect if it's speaking to the right management server.
All upgrades should be verifiable and the client should have the ability to verify software upgrades.
Should not allow any downgrade of software.
Should not expose any API to capture biometrics. The management server should have no ability to trigger a capture request.
No logging of biometric data is allowed. (Both in the encrypted and unencrypted format)

Compliance

L1 Certified Device / L1 Device - A device certified as capable of performing encryption on the device inside its trusted zone. L0 Certified Device / L0 Device - A device certified as one where the encryption is done on the host inside its device driver or the MOSIP device service.

Secure Provisioning

Secure provisioning applies to both the FTM and the Device providers.

The devices and FTM should have a mechanism to protect against fraudulent attempts to create or replicate.
The device and FTM trust should be programmed in a secure facility that is certified by the respective MOSIP adopters.
The organization should have a mechanism to segregate the FTMs and Devices built for MOSIP using a cryptographically valid and repeatable process.
All debug options within the FTM or device should be disabled permanently
All key creations need for provisioning should happen automatically using FIPS 140-2 Level 3 or higher devices. No individual or group or organization should have a mechanism to influence this behaviour.
Before the devices/FTM leaves the secure provisioning facility all the necessary trust should be established and should not be re-programmable.

As there is no adopter-specific information being exchanged at the management server or the FTM provisioning server, there are no mandates from MOSIP where these are located globally. However, the adopter is recommended to have an audit and contractual mechanisms to validate the compliance of these components at any point in time.*

Compliance Level

API

Compatible

Device Discovery

L0/L1

Device Info

L0/L1

Capture

Registration Capture

L0/L1

Cryptography

Supported algorithms:

Usage

Algorithm

Key Size

Storage

Encryption of biometrics - Session Key

AES

>=256

No storage, Key is created with TRNG/DRBG inside FTM

Encryption session key data outside of FTM

RSA OAEP

>=2048

FTM trusted memory

Encryption session key data outside of FTM

ECC curve 25519

>=256

FTM trusted memory

Biometric Signature

RSA

>=2048

Key never leaves FTM created and destroyed

Biometric Signature

ECC curve 25519

>=256

Key never leaves FTM created and destroyed

Secure Boot

RSA

>=256

FTM trusted memory

Secure Boot

ECC curve 25519

>=256

FTM trusted memory

No other ECC curves are supported.

Signature

In all the above APIs, some of the requests and responses are signed with various keys to verify the requester's authenticity. Here we have detailed the key used for signing a particular block in a request or response body of various APIs.

Request/Response

Block

Signature Key

Device Discovery Response

Device Info

NA as it will not be signed

Device Discovery Response

Digital ID

NA as it will not be signed

Device Info Response

Device Info

NA in case of unregistered device
Device Key in case of registered device

Device Info Response

Digital ID

For L0 device using device key
For L1 device using FTM chip key

Capture Response

Data

Device key is used

Capture Response

Digital ID

FTM chip key is used

Registration Capture Response

Data

Device key is used

Registration Capture Response

Digital ID

For L0 device using device key
For L1 device using FTM chip key

Android SBI Specification

This section explains the mechanism for the SBI devices to communicate in the android operating system.

Status

Draft document V 0.9

Approach

Discovery will return the appId of the discovered items. Users will be given a choice to choose one of the discovered SBI app. The selected app responds back to the intent using the default intent callback functionality.

Device Discovery

Request: io.sbi.device action: io.sbi.device data: no change type: application/json Request Schema: No change in the data structure. The serialized request data as byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The serialized response data (byte array) is set in the intent extras with the key as “response”.

callbackId should be set to the appId, and can not be empty in android.

Device Info

Request: appId.Info action: appId.Info data: no change type: application/json Request Schema: No change in the data structure. The serialized request data as a byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The serialized response data as a byte array is set in the intent extras with the key as “response”.

deviceInfo: callbackId should be set to the appId, can not be empty in android.

Capture

Request: appId.Capture action: appId.Capture data: no change type: application/json flag: FLAG_GRANT_READ_URI_PERMISSION Request Schema: No change in the data structure. The serialized request data as a byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The response content is set as content URI “content://authority/path/id” in the intent extras as a string with the key as “response”.

URI must be invalidated right after the read.

rCapture

Request: appId.rCapture action: appId.rCapture data: no change type: application/json flag: FLAG_GRANT_READ_URI_PERMISSION Request Schema: No change in the data structure. The serialized request data as a byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The response content is set as content URI “content://authority/path/id” in the intent extras as a string with the key as “response”.

The content provider should not support insert, update, delete

Device Stream

On receiving rCapture request MDS must show the stream within its UI in the foreground.

Security

Ensure to set the correct authority in the manifest and set the android:exported as “False”

Android Tab Specs

Android 9 (API Level 28) and above with hardware-backed key store.

Error Codes

Code

Message

Success

100

Device not registered

101

Unable to detect a biometric object

102

Technical error during extraction.

103

Device tamper detected

104

Unable to connect to the management server

105

Image orientation error

106

Device not found

107

Device public key expired

108

Domain public key missing

109

Requested number of biometric (Finger/IRIS) not supported

110

Device is not ready

111

Device is Busy

112

Invalid Transaction ID

5xx

Custom errors. The device provider is free to choose his error code and error messages.

Master Data Services Functionality

Master Data Management

Location Hierarchy

Create Location Hierarchy

Upon receiving a request to add Location hierarchy (e.g., Country - Region - Province - City- LAA) with the input parameters (code, name, hierarchy_level, hierarchy_level_name, parent_loc_code ,lang_code and is_active), the system stores the Location hierarchy in the Database

While storing the location hierarchy in the database, the system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (128) - Mandatory
- hierarchy_level - smallint - Mandatory
- hierarchy_level_name - character (64) - Mandatory
- parent_loc_code - character (32) - Optional
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
Validate if the Location name received does not already exist in the hierarchy for which the location is getting created
- If Location name already exist under the hierarchy level, throw an appropriate error
The API should not allow creation of the Location if the data is not received in default language
If the data for the Location is not received in all the configured languages, the API should allow the Location to be created given the Point 3 is satisfied.
The API should activate the Location while creation provided the data for all the configured languages is received during the initial creation
- If the data for all the configured languages is not received, deactivate the Location while creation
While storing the location,
- cr_by should be the Username of the user who is accessing this API
- cr_dtimes should be the date-time at which the user is creating the Location
Responds with the Location Hierarchy created successfully
The component restricts the bulk creation of Master Data through API. However it could be done through a script as need be depending on the requirement of the country.
In case of exceptions, system triggers error messages as received from the Database

Update a Location

On receiving a request to update a Location with the input parameters (code, name, hierarchy_level, hierarchy_level_name, parent_loc_code, lang_code and is_active), the system updates the Location in the Location Database for the code received.

The system performs the following steps to update the location in the Master Database:

Validates if all required input parameters have been received as listed below for each specific request
- code character (36) - Mandatory
- name character (128) - Mandatory
- hierarchy_level smallint - Mandatory
- hierarchy_level_name character (64) - Mandatory
- parent_loc_code character (32) - Mandatory
- lang_code character (3) - Mandatory
- is_active boolean - Mandatory
Validate if the Location name received does not already exist in the hierarchy of the Location
- If Location name already exist under the hierarchy level, throw an appropriate error
The API should not allow activation of Location if the data for the Location is not present in all the languages which are configured for a country
For the code received in the request, replaces all the data received in the request against the data existing in the Location database against the same code.
While receiving the request for activation, If the Location is already Active, the API should throw an error message. Refer messages section.
While receiving the request for deactivation, If the Location is already Inactive, the API should throw an error message. Refer messages section
If for a Location data, is_active flag is being sent as “False” and there are active child Locations (also the subsequent child locations) being mapped to received location, do not deactivate the location. Respond with appropriate message. Refer messages section
Deleted record are not be updated
upd_by should be the Username of the user who is accessing this API
upd_dtimes should be the date-time when the Location is being updated
Responds with data not found error if deleted record is received in the request
Responds with appropriate message if the Location is updated successfully
In case of Exceptions, system triggers relevant error messages

Verify Location

Upon receiving a request to validate the Location Name with input parameters (Location Name), the system checks the Location Name in the Master Database

While checking the location in the Database, the system performs the following steps:

Validates if the request contains the following input parameters
- Location Name - Mandatory
If the mandatory input parameters are missing, throw the appropriate message
In case of Exceptions, system triggers relevant error messages

Fetch Location Hierarchy Levels based on a Language Code

Upon receiving a request to fetch the Location Hierarchy Levels with input parameters (Language Code), the system fetches the Location Hierarchy Levels in the requested language. The following steps are performed by the system:

Validates if the request contains following input parameters (Language Code)
- Language Code - Mandatory
Validates if the response contains the Location Hierarchy Levels with the following attributes
- Hierarchy Level
- Hierarchy Name
- IsActive
In case of Exceptions, system triggers relevant error messages

Fetch the Location Hierarchy Data based on a Location Code and a Language Code

Upon receiving a request to fetch all the Location Hierarchy Data with input parameters (Location Code and Language Code), the system fetches the Location Hierarchy Data based on requested Location code and language code. The following steps are performed by the system:

Validates if the request contains the following input parameters
- Location Code - Mandatory
- Language Code - Mandatory
If the mandatory input parameters are missing, throw the appropriate message.
Validates if the response contains the following location hierarchy data and the corresponding attributes against the Location Code and Language Code received in the input parameter (i) List of Countries against the Location Code
- Country Code
- Country Name
- IsActive
(ii) List of Regions against the Location Code
- Region Code
- Region Name
- IsActive
(iii) List of Provinces against the Location Code
- Province Code
- Province Name
- IsActive
(iv) List of Cities against the Location Code
- City Code
- City Name
- IsActive
(v) List of Local Administrative authorities against the Location Code
- Local Administrative Authority Code
- Local Administrative Authority Name
- IsActive
(vi) List of Pincodes against the Location Code
- Pincode
- IsActive
Responds to the source with all the Location Hierarchy Data based on the Location Code
In case of Exceptions, system triggers relevant error messages.

Fetch the Location Hierarchy Data for the bottom next hierarchy based on a Location Code and a Language Code

Upon receiving a request to fetch all the Location Hierarchy Data with input parameters (Location Code and Language Code), the system fetches the Location Hierarchy Data for the next hierarchy level. The following steps are performed by the system:

Validates if the request contains the following input parameters
- Location Code - Mandatory
- Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message.
Fetches the Location data of only the child hierarchy of location code received (For e.g., if the location code for a particular Province is received, responds with the data of all the Cities existing in that Province, similarly if location code of a City is received, responds all the data regarding the Local Administrative Authorities existing under that City)
Responds to the source with the data fetched
In case of Exceptions, system should trigger an error message.

Delete a Location

On receiving a request to delete a Location with the input parameters (code), the system updates the is_deleted flag to true in the Location Database against the code received.

The system performs the following steps in order to delete the loaction received in the code:

Validates if all required input parameters have been received as listed below for each specific request
Delete all records for the code received
Deleted record are not be deleted again
Responds with data not found error if deleted record is received in the request
Responds with dependency found error if a record to be deleted is used as foreign key in the dependent table
Responds with the Code for the Location Hierarchy deleted successfully
- code - character (36) - Mandatory
In case of Exceptions, system triggers relevant error messages.

List of Holidays

Create Holiday

Upon receiving a request to add Holiday Data with the input parameters (location_code, holiday_date, holiday_name, holiday_desc, lang_code and is_active), the system stores the Holiday in the Database. The following steps are performed by the system:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- location_code - Character - 128 - Mandatory
- holiday_date - Date Format (yyyy-mm-dd) - Mandatory
- holiday_name - Character - 64 - Mandatory
- holiday_desc - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message.
'location_code' received should be from list of 'codes' from 'location' masterdata table
- If not, the API should throw an error.
If all the above validations are successfull, the API should update the data in the database agianst the id received
API should perfrom below multi-language validations on the Holiday data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Holiday as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Holiday details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Update Holiday

This API should only be accessible to Global Admin
The API should accept only the below parameter
- id - Character - 36 - Mandatory
- location_code - Character - 128 - Mandatory
- holiday_date - Date Format (yyyy-mm-dd) - Mandatory
- holiday_name - Character - 64 - Mandatory
- holiday_desc - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message.
- 'location_code' received should be from list of 'codes' from 'location' masterdata table
If not, the API should throw an error.
If all the above validations are successfull, the API should update the data in the database agianst the id received
API should perfrom below multi-language validations on the Template data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Template as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Template details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Fetch List of Holidays based on a Registration Center ID, a Year and a Language Code

On receiving a request to fetch the list of Holidays with the input parameters (Registration Center ID, Year and Language Code), the system fetches the list of Holidays mapped to a Registration Center and for the year and Language Code received in input parameter as per the below steps:

Validates if the received request contains the following input parameters
- Registration Center ID - Mandatory
- Year - Mandatory
- Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message
Validates if the response contains the List of Holidays against the Registration Center ID and the year received and contains the following attributes for a Region
- Holiday ID
- Holiday Date
- Holiday Name
- IsActive
Responds to the source with the List of Holidays
In case of Exceptions, system triggers relevant error messages

Biometric Authentication Type

Create Biometric Authentication Type

On receiving a request to add Biometric Authentication Type (e.g., Fingerprint, Iris) with the input parameters (code, name, descr, lang_code and is_active), the system stores the Biometric Authentication Type in the Database as per the below steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory
- descr - character (256) - Optional
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
Responds with the Biometric Authentication Type Code and Language Code for the Biometric Authentication Type created successfully
The component restricts the bulk creation of Master Data
In case of Exceptions, system triggers error messages as received from the Database.

Fetch the List of Biometric Authentication Type based on a Language Code

On receiving a request to fetch the List of Biometric Authentication Type with input parameters (Language Code), the system fetches the List of Biometric Authentication Type against the Language Code as per the below steps:

Validates if the request to add Biometric Authentication Type contains the following parameters
- Language Code - Mandatory
If the mandatory input parameters are missing, responds with all the data.
Validates if the response contains the List of Biometric Authentication Type against the Language Code along with the IsActive Flag for each Biometric Authentication Type
Responds to the source with List of Biometric Authentication Type
In case of Exceptions, system triggers relevant error messages

Biometric Attribute Type

Create Biometric Attribute

On receiving a request to add Biometric Attribute (e.g., Right Thumb, Left Thumb) with the input parameters (code, name, descr, bmtyp_code, lang_code and is_active), the system stores the Biometric Attribute in the Database as per the below steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory
- descr - character (128) - Optional
- bmtyp_code - character (36) - Mandatory
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
Responds with the Biometric Attribute Code and Language Code for the Biometric Attribute created successfully
The component restricts the bulk creation of Master Data
Responds to the source with the appropriate message.
In case of Exceptions, system triggers error messages as received from the Database

Fetch the List of Biometric Attributes based on the Biometric Authentication Type and a Language Code

On receiving a request to fetch the List of Biometric Attributes with input parameters (Biometric Authentication Type and Language Code), the system fetches the List of Biometric Attributes against the Biometric Authentication Type and the Language Code Received as per the below steps:

Validates if the request contains the following input parameters
- Biometric Authentication Type - Mandatory
- Language Code - Mandatory
If no data is present in the Database for the input parameter received, responds with an appropriate message.
If both the input parameter is missing, responds with all the data.
If one of the input parameters is missing, throw the appropriate message. Refer "Messages" section.
Validates if the response contains the List of Biometric Attributes with all the attributes against Biometric Authentication Type and Language Code Received
- Biometric Attribute Code - Mandatory
- Biometric Attribute Name - Mandatory
- Biometric Attribute Description - Optional
- IsActive – Mandatory
Responds to the source with the Fetched Data
In case of Exceptions, system triggers relevant error messages

Gender

Create Gender Types

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
API should perfrom below multi-language validations on the Gender Type data recieved
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Gender Type and throw an error message. Refer messages section
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Gender Type as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
If all the above validations are successfull, the API should store the data the the database Gender Type Code should be generated at the back-end for any Gender Type added using a UUID generator
API should store cr_by as the Username of the user who is accessing this API
API should store cr_dtimes as the date-time at which the user is creating the Gender Type
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Update a Gender Type

On receiving a request to update a Gender Type with the input parameters (code, name, lang_code and is_active), the system updates the Gender Type in the Gender Type Database for the code received as per the below steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory
- name - Character - 64 - Mandatory
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
If all the above validations are successfull, the API should update the data in the database agianst the code received
API should perfrom below multi-language validations on the Gender Type data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Gender Type as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Gender Type details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Check the existence of a Gender in Master Database

On receiving a request to validate the Gender Name with input parameters (Gender Name), the system checks the Gender Name in the Master Database as per the below listed steps:

Validates if the request contains the following input parameters
- Gender Name - Mandatory
If the mandatory input parameters are missing, throws the appropriate message.
Responds to the source with the appropriate message
In case of Exceptions, system triggers relevant error messages

Fetch the List of Gender Types based on a Language Code

On receiving a request to fetch the List of Gender Types with the input parameters (Language Code), the system fetches the List of Gender Types against the Language Code received as per the below listed steps:

Validates if the request contains the following input parameters
- Language Code - Mandatory
If the Language code is missing, responds with all the data.
Validates if the response contains the List of Gender Types with the following attributes
- Gender Code
- Gender Name
- isActive
Responds to the source with the List of Gender Types
In case of Exceptions, system triggers relevant error messages

Document Category

Create Document Category in Master Database

On receiving a request to add Document Category with the input parameters (code, name, descr, lang_code and is_active), the system stores the Document Category in the Database as per the below listed steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory
- descr - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message.
API should perfrom below multi-language validations on the Document Category data recieved
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Document Category and throw an error message.
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Document Category as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
If all the above validations are successfull, the API should store the data the the database
Document Category Code should be generated at the back-end for any Document Category added using a UUID generator
API should store cr_by as the Username of the user who is accessing this API
API should store cr_dtimes as the date-time at which the user is creating the Document Category
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Update a Document Category in the Document Category Master Database

On receiving a request to update a Document Category with the input parameters (code, name, descr, lang_code and is_active), the system update the Document Category in the Document Category Database for the Code received as per the below listed steps:

The API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory
- name - Character - 64 - Mandatory
- descr - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message.
If all the above validations are successfull, the API should update the data in the database agianst the code received
API should perfrom below multi-language validations on the Document Category data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Document Category as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Document Category details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Fetch list of Document Categories based on a Language Code

On receiving a request to fetch Document Category Details with the input parameters (Language Code), the system fetches all the Document Categories for the Language Code Received as per the below listed steps:

Validates if all required input parameters have been received as listed below for each specific request
- Language Code - Mandatory
If the mandatory input parameters are missing, responds with all the data.
Validates if the response contains the following attributes for the Document Category Code
- Document Category Code - Mandatory
- Document Category Name - Mandatory
- Document Category Description - Optional
- IsActive - Mandatory
In case of Exceptions, system triggers relevant error messages

Document Type

Create Document Type

On receiving a request to add Document Type with the input parameters (code, name, descr, lang_code and is_active), the system stores the Document Type in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory
- descr - character (128) - Optional
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
The API should not allow creation of the Document Type if the data is not received in default language
If the data for the Document Type is not received in all the configured languages, the API should allow the Document Type to be created given the Point 2 is satisfied.
The API should activate the Document Type while creation provided data for all the configured languages is received during the initial creation
cr_by should be the Username of the user who is accessing this API
cr_dtimes should be the date-time when the user is creating the Document Type
If the data for all the configured languages is not received, deactivate the Document Type while creation
Responds with an appropriate message for the Document Type created successfully
In case of Exceptions, system triggers relevant error messages

Update a Document Type

On receiving a request to update a Document Type with the input parameters (code, name, descr, lang_code and is_active), the system updates the Document Type in the Document Type Database for the Code received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory
- descr - character (128) - Optional
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
For the code received in the request, replaces all the data received in the request against the data existing in the Document Type database against the same code
upd_by should be the Username of the user who is accessing this API upd_dtimes should be the date-time when the user updates the Document Type Details
The API should not allow activation of Document Type if the data for the Document Type is not present in all the languages which are configured for a country
While receiving the request for activation, If the Document Type is already Active, the API should throw an error message. Refer messages section.
While receiving the request for deactivation, If the Document Type is already Inactive, the API should throw an error message. Refer messages section.
Deleted record are not be updated
Responds with data not found error if deleted record is received in the request
Responds with the appropriate message for the Document Category updated successfully
In case of Exceptions, system triggers relevant error messages

Delete a Document Type

On receiving a request to delete a Document Type with the input parameters (code), the system updates the is_deleted flag to true in the Document Type Database against the code received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
Delete all records for the code received
Deleted record are not be deleted again
Responds with data not found error if deleted record is received in the request
Responds with dependency found error if a record to be deleted is used as foreign key in the dependent table
Responds with the Document Category Code for the Document Category deleted successfully
In case of Exceptions, system triggers relevant error messages

Applicant Type - Document Category - Document Type Mapping

Fetch list of Document Categories based on Applicant Type from Master Database

Upon receiving a request to fetch List of Document Categories with the input parameters (Applicant Type Code), the system fetches all the Document Categories for the Applicant Type Code Received

While fetching the list of documents, the system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- Applicant Type Code - Mandatory
If the mandatory input parameter is missing, responds with the appropriate error message
Validates if the response contains the following attributes for each Document Category Code
- Document Category Code
- Name
- Description
- Language Code
- Is Active
In case of Exceptions, system triggers relevant error messages

Fetch List of Document Category-Document Type mappings based on Applicant Type and a List of Language Codes

Upon receiving a request to fetch List of Document Category-Document Type mappings with input parameters (Applicant Type and List of Language Codes), the system fetches the required data

While fetching the data, the system performs the following steps:

Validates if the request contains the following input parameters
- Applicant Type - Mandatory
- List of Language Codes - Mandatory
If the mandatory input parameters are missing, throws the appropriate message.
Fetches the Document Category-Document Type mapping for all language codes received in response
The response contains the List of Mappings of Document Category and Document Type against each Document Category
Each Document Category contains the below attributes
- Document Category Code
- Name
- Description
- Language Code
- Is Active
Each Document Type contains the below attributes
- Document Type Code
- Name
- Description
- Language Code
- Is Active
In case of Exceptions, system triggers relevant error messages

Delete a Document Category-Type mapping in the Document Category-Type mapping Master Database

On receiving a request to delete a Document Category-Type mapping with the input parameters (doccat_code, doctyp_code), the system updates the is_deleted flag to true in the Document Category-Type mapping Database against the input received

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- doccat_code - character (36) - Mandatory
- doctyp_code - character (36) - Mandatory
Responds with the doc_type Code and doccat_code for the Document Category-Type mapping deleted successfully
In case of Exceptions, system triggers relevant error messages.

Fetch applicant type based on Individual Type Code, Date of Birth, Gender Type Code and Biometric Exception Type

On receiving a request to get Applicant type with input parameters (Individual Type Code, Date of Birth, Gender Type Code and Biometric Exception Type), the system derives the Applicant Type from the input parameter and performs the following steps:

Validates if the request contains the following input parameters
- Individual Type Code - Mandatory
- Date of Birth - Mandatory
- Gender Type Code - Mandatory
- Biometric Exception Type - Optional
Derives the Age Group Type based on following logic
- Child if Age < 5
- Adult if Age >= 5
If the mandatory input parameters are missing, throws the appropriate message
Derives the applicant type as per the define logic
In case of Exceptions, system triggers relevant error messages

Check the mapping of Applicant Type-Document Category Name-Document Type Name

On receiving a request to check the mapping of Applicant Type-Document Category-Document Type mapping parameters (Applicant Type, Document Category Name and Document Type Name), the system checks the mapping and performs the following steps:

Validates if the request contains the following input parameters
- Applicant Type Code
- Document Category Name
- Document Type Name
If the mandatory input parameters are missing, throws the appropriate message.
If the mapping exists, responds with "Valid".
If the mapping does not exist, responds with "Invalid".
In case of Exceptions, system triggers relevant error messages

List of Rejection Reasons

Create a Rejection Reason in Reason List Master Database

Upon receiving a request to add a Reason with the input parameters (code, name, descr, rsncat_code, lang_code and is_active), the system stores the Reason in the Database

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- code - character (64) - Mandatory
- descr - character (256) - Mandatory
- rsncat_code - character (36) – Mandatory (The parameter rsncat_code refers to a Language stored in Language Masterdata)
- lang_code - character (3) – Mandatory (The parameter lang_code refers to a Language stored in Language Masterdata)
- is_active - boolean - Mandatory
Validates if the response contains the following attributes for a Reason Category Code added
- Code
- Language Code
- Rsncat_code (Reason Category Code)
Responds to the source with the appropriate message.
In case of Exceptions, system triggers relevant error messages.

Fetch the requested list of reasons based on Reason Category Code and Language Code

Upon receiving a request to Fetch the requested List of Reasons with the required input parameters (Reason 1. Category Code, Language Code), the system fetches the requested List of reasons stored against the Reason Category Code and Language Code received.

The system performs the following steps:

Validates if the request contains the following input parameters
- Language Code - Mandatory
- Reason Category Code - Mandatory
If either of the mandatory input parameters is missing, responds with the appropriate message as define below in message sections
Validates if the response contains the:
- Requested list based on the requested Language Code and Reason Category Code
- List of Reasons with the corresponding attributes for the list
  - Reason ID
  - Reason Name (per Reason ID)
  - Language Code
  - Reason Category Code
  - IsActive
Responds to the source with the relevant List of Reasons, as per the stated business rules
In case of Exceptions, system triggers relevant error messages as listed below

List of Languages

Create List of Languages

After receiving a request to add Language Details with the input parameters (code, name, family, native_name and is_active), the system stores the Language Details in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (3) - Mandatory
- name - character (64) - Mandatory
- family - character (64) - Optional
- native_name - character (64) - Optional
- is_active - boolean - Mandatory
Responds with the Language Code for the language successfully created
In case of Exceptions, system triggers relevant error messages

Fetch the List of Languages

After receiving a request to fetch the List of Languages, the system fetches the List of Languages and performs the following steps:

Validates if the response contains the List of all Languages with the following attributes
- Language Code - Mandatory
- Language Name - Mandatory
- IsActive – Mandatory
Responds to the source with the List of Languages
In case of Exceptions, system triggers relevant error messages

Update and Delete a Language in the List of Languages Master Database

Update

After receiving a request to update a Language with the input parameters (code, name, family, native_name and is_active), the system updates the Language Details in the List of languages Database for the Code received in request

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (3) - Mandatory
- name - character (64) - Mandatory
- family - character (64) - Optional
- native_name - character (64) - Optional
- is_active - boolean - Mandatory
For the Code received in the request, replaces all the data received in the request against the data existing in the List of languages database against the same code.
Deleted record are not updated
Responds with data not found error if deleted record is received in the request
Responds with the Language Code for the language successfully updated
In case of Exceptions, system triggers relevant error messages

Delete

After receiving a request to delete a Language with the input parameters (code), the system updates the is_deleted flag to true in the List of languages Database against the code received in request

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (3) - Mandatory
Deleted record should not be deleted again
Responds with data not found error if deleted record is received in the request
Responds with the Language Code for the language successfully deleted
In case of Exceptions, system triggers relevant error messages.

List of Titles

Create a Title

On receiving a request to add a Title (e.g., MR., Mrs.) with the input parameters (code, name, descr, lang_code and is_active), the system stores the Title in the Database and performs the following steps:

The API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory
- descr - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
API should perfrom below multi-language validations on the Title data recieved
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Title and throw an error message. Refer messages section
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Title as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
If all the above validations are successfull, the API should store the data the the database
Title Code should be generated at the back-end for any Title added using a UUID generator
API should store cr_by as the Username of the user who is accessing this API
API should store cr_dtimes as the date-time at which the user is creating the Title
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Update a Title

On receiving a request to update a Title with the input parameters (code, name, descr, lang_code and is_active), the system updates the Title in the Title Database for the code received and performs the following steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory
- name - Character - 64 - Mandatory
- descr - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
If all the above validations are successfull, the API should update the data in the database agianst the code received
API should perfrom below multi-language validations on the Title data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Title as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Title details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Fetch the List of Titles

On receiving a request to fetch Title Details with the input parameters (Language Code), the system fetches all the Titles with all the attributes for the Language Code Received

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- Language Code - Mandatory
If the mandatory input parameters are missing, responds with all the data.
Validates if the response contains List of Titles against the received Language Code along with the following attributes for the Title Code
- Title Code - Mandatory
- Title Name - Mandatory
- Title Description - Optional
- IsActive - Mandatory
In case of Exceptions, system triggers relevant error messages

Template File Format

Create Template File Format

On receiving a request to add Template File Format with the input parameters (code, descr, lang_code and is_active), the system stores the Template File Format in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- descr - character (256) - Mandatory
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
Validates if the response contains the following attributes for a Template File Format added
- Code
- Language Code
Responds with the Template File Format Code and Language Code for the Template File Format created successfully
In case of Exceptions, system triggers relevant error messages.

Create Template File Format

Update and Delete a Template File Format in Template File Format Master Database

Update

On receiving a request to update a Template File Format with the input parameters (code, descr, lang_code and is_active), the system updates the Template File Format in the Template File Format Database for the Code received

While updating the Template File Format, the system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- descr - character (256) - Optional
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
For the code received in the request, replaces all the data received in the request against the data existing in the Template File Format database against the same code.
Deleted record are not updated
Responds with data not found error if deleted record is received in the request
Responds with the Template File Format Code and Language Code for the Template File Format updated successfully
In case of Exceptions, system triggers relevant error messages

Delete

On receiving a request to delete a Template File Format with the input parameters (code), the system updates the is_deleted flag to true in the Template File Format Database against the code received

While deleting the Template File Format, the system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
Delete all records for the code received
Deleted record are not deleted again
Responds with data not found error if deleted record is received in the request
Responds with dependency found error (Refer Acceptance criteria) if a record to be deleted is used as foreign key in the dependent table
Responds with the Template File Format Code for the Template File Format deleted successfully
In case of Exceptions, system triggers relevant error messages.

List of Template Types

MOSIP system can create Template Type in the Master Database.

Upon receiving a request to add Template Type (e.g., SMS Notification template - New Registration) with the input parameters (code, descr, lang_code and is_active), the system stores the Template Type in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- descr - character (256) - Mandatory
- lang_code - character (3) - Mandatory
- is_active - boolean – Mandatory
Responds with the Template Type Code and Language Code for the Template Type created successfully
This component also restricts the bulk creation of Master Database
In case of Exceptions, system triggers relevant error messages as listed below.

List of Templates

Create Template

On receiving a request to add a Template with the input parameters (id, name, descr, file_format_code, model, file_txt, module_id, module_name, template_typ_code, lang_code and is_active), the system stores the Template in the Database and performs the following steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 128 - Mandatory
- descr - Character - 256 - Optional
- file_format_code - 36 - Mandatory
- model - Character - 128 - Optional
- file_txt - Character - 4086 - Mandatory
- module_id - Character - 36 - Mandatory
- module_name - Character - 128 - Mandatory
- template_typ_code - Character - 36 - Mandatory
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message.
'file_format_code' received should be from list of 'codes' from 'template_file_format' masterdata table
- If not, the API should throw an error.
'template_typ_code' received should be from list of 'codes' from 'template_type' masterdata table
- If not, the API should throw an error.
If all the above validations are successfull, the API should update the data in the database agianst the id received
API should perfrom below multi-language validations on the Template data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Template as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Template details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Fetch Template based on a Template Type and a Language Code

On receiving a request to fetch a Template with the input parameters (Template Type Code and List of Language Code), the system fetches the Template for the Template Type Code and all Language Codes received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- Template Type Code - Mandatory
- List of Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message. Refer "Messages" section.
Response must contain templates for all the language codes received in the input parameter
Validates if the response contains the Template along with the following attributes
- Template Type Code - Mandatory
- Template - Mandatory
- IsActive
In case of Exceptions, system triggers relevant error messages

Update a Template

On receiving a request to update a Template with the input parameters (id, name, descr, file_format_code, model, file_txt, module_id, module_name, template_typ_code, lang_code and is_active), the system updates the Template in the Template Database for the id received and performs the following steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- id - Character - 36 - Mandatory
- name - Character - 128 - Mandatory
- descr - Character - 256 - Optional
- file_format_code - 36 - Mandatory
- model - Character - 128 - Optional
- file_txt - Character - 4086 - Mandatory
- module_id - Character - 36 - Mandatory
- module_name - Character - 128 - Mandatory
- template_typ_code - Character - 36 - Mandatory
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
'file_format_code' received should be from list of 'codes' from 'template_file_format' masterdata table
- If not, the API should throw an error.
'template_typ_code' received should be from list of 'codes' from 'template_type' masterdata table
- If not, the API should throw an error.
If all the above validations are successfull, the API should update the data in the database agianst the id received
API should perfrom below multi-language validations on the Template data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Template as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Template details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

List of Blacklisted Words

Create Blacklisted Words

Upon receiving a request to add a Blacklisted Word with the input parameters (code, name, descr, lang_code and is_active), the system stores the Blacklisted Word in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- word - character (128) - Mandatory
- descr - character (256) - Optional
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
cr_by should be the Username of the user who is accessing this API
cr_dtimes should be the date-time when the user is creating the Blacklisted Word
Responds with the appropriate message for the Device created successfully
The component should restricts the bulk creation of Master Database
In case of Exceptions, system triggers error messages as received from the Database.

Update a Blacklisted Word

Upon receiving request to update a Blacklisted Word with the input parameters (code, name, descr, lang_code and is_active), the system updates the Blacklisted Word in the Blacklisted Word Database for the code received and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- word- character (128) - Mandatory
- descr - character (256) - Optional
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
For the code received in the request, replaces all the data received in the request against the data existing in the Blacklisted Word database against the same code
upd_by should be the Username of the user who is accessing this API
upd_dtimes should be the date-time when the user updates the Blacklisted Word Details
Deleted record are not updated
Responds with data not found error if deleted record is received in the request
Responds with the appropriate message for the Blacklisted word updated successfully
In case of Exceptions, system triggers relevant error messages as listed below

Delete a Blacklisted Word

Upon receiving a request to delete a Blacklisted Word with the input parameters (code), the system updates the is_deleted flag to true in the Blacklisted Word Database against the code received and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- word- int - Mandatory
Deleted record are not deleted again
Responds with data not found error if deleted record is received in the request
Responds with the Word for the Blacklisted word deleted successfully
In case of Exceptions, system triggers relevant error messages as listed below

Fetch List of Blacklisted words based on a Language Code

Upon receiving a request to Fetch the List of Blacklisted words with input parameters (Language Code), the system fetches the List of Blacklisted words against the Language Code received

While fetching the black listed words, the system performs the following steps:

Validates if the request contains the following input parameters
- Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message.
Validates if the response contains the List of Blacklisted words against Language Code and the corresponding attributes for the Blacklisted word
- Blacklisted Word
- IsActive
In case of Exceptions, system triggers relevant error messages.

List of Reason Categories

MOSIP system can create a Reason Category in Master Database

Upon receiving a request to add Reason Category with the input parameters (code, name, descr, lang_code and is_active), the system stores the Reason Category in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory
- descr - character (256) - Mandatory
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
Validates if the response contains the following attributes for a Reason Category added
- Code
- Language Code
Responds with the Reason Category code and Language Code for the Reason Category created successfully
In case of Exceptions, system triggers relevant error messages as listed below

List of Applications

Create a List of Applications

Upon receiving a request to add Application with the input parameters (code, name, descr, lang_code and is_active), the system stores the Application in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory
- descr- character (256) - Mandatory
- lang_code - character (3) – Mandatory (The parameter lang_code refers to a Language stored in Language Masterdata. Refer)
- is_active - boolean - Mandatory
Validates if the response contains the following attributes for an Application added
- Code
- Language Code
Responds with the Application ID and Language Code for the Application created successfully
In case of Exceptions, system triggers relevant error messages as listed below

Fetch List of Applications based on received input parameter

Fetch the List of all Applications

Upon receiving a request to Fetch List of Applications, the system fetches all the List of Applications and performs the following steps:

Validates if the response contains the following attributes for each Application
- Application ID
- Application Detail
- IsActive
The response must contain the list of applications in all the languages present in the Database
Responds to the source with all the Application attributes.

Fetch the Application detail based on a Language Code and Application ID

Upon receiving a request to Fetch List of Applications with the required input parameters (Application ID, Language Code), the system fetches the Application Detail based on the Application ID and Language Code received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- Application ID - Mandatory
- Language Code - Mandatory
Responds with the Application Data against the Application ID and Language Code Received
Validates if the response contains the following attributes for each Application
- Application ID
- Application Detail
- IsActive
Responds to the source with the Application Detail
If the mandatory input parameters are missing, responds with all the data.
In case of Exceptions, system triggers relevant error messages as listed below

List of ID Types

Create an ID type

Upon receiving a request to add an ID Type with the input parameters (code, name, descr, lang_code and is_active), the system stores the ID Type in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- code - character (64) - Mandatory
- descr - character (256) - Mandatory
- lang_code - character (3) – Mandatory (refers to a Language stored in Language Masterdata)
- is_active - boolean - Mandatory
Validates if the response contains the following attributes for an ID Type added
- Code
- Language Code
Responds with the ID Type Code and Language Code for the ID type created successfully
In case of Exceptions, system triggers relevant error messages as listed below.

Fetch the List of ID Types based on Language Code

Upon receiving a request to fetch the List of ID Types with input parameters (Language Code), the system fetches the List of ID Types against the Language Code Received

Refer below for the process:

Validates if the request contains the following input parameters
- Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message. Refer "Messages" section below.
Validates if the response contains the List of ID Types with the following attributes
- ID Type Name
- ID Type Code
- IsActive
In case of Exceptions, system triggers relevant error messages.

User Details

Upon receiving a request to fetch the user history record with input parameters (User ID and Date Timestamp), the system fetches all the attributes of the user from the history table and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request.
- User ID - Mandatory
- Date Timestamp - Mandatory
The record fetched are the latest record existing on or before the date received in the input parameter.
If the mandatory input parameters are missing, then the system triggers the appropriate message.
Response will contain all the attributes for the user including the Active/Inactive status.
In case of exceptions, system triggers relevant error messages.

Fetch RID based on a User ID

Receive request to retrieve RID based on input parameter (User ID, App ID)
- User ID and App ID both will be mandatory
Fetch the RID
Respond to the source with the fetched data
Respond with error 'User doesn't exist' if no user is found for User ID received

Document Type to Category Mapping

Create a mapping record of Document Type and Document Category in Valid Document Mapping Master Database

Upon receiving a request to add a mapping of Document Type and Document Category with the input parameters (doctyp_code, doccat_code) the system stores the Mapping of Document type and Document category in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- doctyp_code - character - 36 - mandatory
- doccat_code - character - 36 - mandatory
If the mapping does not exist
- is_active flag should be stored as true when the mapping is created
- Store the default language code against the mapping
- cr_by should be the User ID of the user who is accessing this API
- cr_dtimes should be the date-time at which the user is creating the Document Category - Document Type Mapping
if the mapping already exist but is in inactive state
- Update the is_acitve flag as “True”
- Updated the upd_by and upd_dtimes values against the mapping
If the mapping already exist in active state, throw appropriate error message
Responds with the appropriate message for the mapping being created successfully
The API restricts the bulk creation of Master Data
In case of Exceptions, system triggers error messages as received from the Database.

Remove a mapping record of Document Type and Document Category in Valid Document Mapping Master Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- doctyp_code - character - 36 - mandatory
- doccat_code - character - 36 - mandatory
If the Document Type is already un-mapped from Document Category, throw an appropriate error message
upd_by should be the User ID of the user who is accessing this API
upd_dtimes should be the date-time when the Document Category - Document Type Mapping is being updated
Change the Is_active flag to “False” for removing the mapping
Responds with the appropriate message for the mapping being created successfully
The API restricts the bulk creation of Master Data
In case of Exceptions, system triggers error messages as received from the Database.

Working and Non-Working Days

API should be able to fetch working days for a Center based on a Center ID

Refer below for the process:

The API should support taking Center ID and Language Code as an mandatory input parameter
The API should respond to the source with all the days of the week for the Center in the language received
Each day should have an attribute marking whether the day is a working day or off-work day
Each day should have an attribute defing the calenday order of days of the week

If the working days are not defined against the Center, the API should fetch the globally defined working and non-working days.

The API should throw error messages in scenarios mentioned in error messages section.

Exceptional Holidays for a Center

API should be able to fetch any defined exceptional holiday dates for a Center based on a Center ID

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- Center ID - character - 10 - mandatory
API should respond to the source with all the exceptional holiday dates for the Center ID received
API should throw relevant error messages in any error scenarios

Registration Management

Registration Center Type

Create Registration Center Type

On receiving a request to add Registration Center Type with the input parameters (code, name, descr, lang_code and is_active), the system stores the Registration Center Type in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
API should perfrom below multi-language validations on the Gender Type data recieved
If, the data is recieved in secondary language and the data for primary language is not present in the database, the 8. API should not allow creation of the Gender Type and throw an error message.
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Gender Type as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
If all the above validations are successfull, the API should store the data the the database
Gender Type Code should be generated at the back-end for any Gender Type added using a UUID generator
API should store cr_by as the Username of the user who is accessing this API
API should store cr_dtimes as the date-time at which the user is creating the Gender Type
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Update a Registration Center Type

On receiving a request to update a Registration Center Type with the input parameters (code, name, descr, lang_code and is_active), the system Updates the Registration Center Type Details in the Registration Center Type Database for the Code received

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory
- name - Character - 64 - Mandatory
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
If all the above validations are successfull, the API should update the data in the database agianst the code received
API should perfrom below multi-language validations on the Gender Type data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Gender Type as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Gender Type details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Registration Center

Create a Registration Center

Upon receiving a request to add Registration Center with the input parameters, the system Stores the Registration Center in the Database

Refer below for the process:

The system validates if all required input parameters have been received as listed below for each specific request
- name - character (128) - mandatory
- cntrtyp_code - character (36) - mandatory
- addr_line1 - character (256) - mandatory
- addr_line2 - character (256) - optional
- addr_line3 - character (256) - optional
- latitude - character (32) - mandatory
- longitude - character (32) - mandatory
- location_code - character (36) - mandatory
- contact_phone - character (16) - optional
- contact_person - character (256) - optional
- working_hours - character (32) - mandatory
- per_kiosk_process_time - time - mandatory
- center_start_time - time - mandatory
- center_end_time - time - mandatory
- lunch_start_time - time - optional
- lunch_end_time - time - optional
- holiday_loc_code - character (36) - mandatory
- timezone - string (128) - optional
- lang_code - character (3) - mandatory
- zone_code - character (36) - mandatory
is_active should be set as “False”
number_of_kiosks should be kept as zero for creation of a Registration Center
center_end_time should not be before the center_start_time
Latitude and Longitude should be in format of “(-)XX.XXXX”
- Latitude and Longitude should contain at-least 4 digits after decimal
If lunch_end_time and lunch_start_time is sent in the request,
- lunch_end_time should not be before the lunch_start_time
The Zone received should be either same as the Zone mapped of the Administrator or a child zone of the Administrator's Zone
cr_by should be the Username of the user who is accessing this API
cr_dtimes should be the date-time at which the user is creating the Registration Center
Center ID should be generated by calling the Registration Center ID Generator and stored against every new Center Created
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Registration Center
Responds with the appropriate message for the Registration Center created successfully
History record should be stores for every creation of a new Registration Center
The API should restricts the bulk creation of Master Data
In case of Exceptions, system triggers error messages as received from the Database.

Update a Registration Center

On receiving a request to update a Registration Center with the input parameters, the system updates the Registration Center Details in the List of Registration Center Database for the center_id received

Refer below for the process:

The system validates if all required input parameters have been received as listed below for each specific request
- center_id - character (36) - mandatory
- name - character (128) - mandatory
- cntrtyp_code - character (36) - mandatory
- addr_line1 - character (256) - mandatory
- addr_line2 - character (256) - optional
- addr_line3 - character (256) - optional
- latitude - character (32) - mandatory
- longitude - character (32) - mandatory
- location_code - character (36) - mandatory
- contact_phone - character (16) - optional
- contact_person - character (256) - optional
- working_hours - character (32) - mandatory
- per_kiosk_process_time - time - mandatory
- center_start_time - time - mandatory
- center_end_time - time - mandatory
- lunch_start_time - time - optional
- lunch_end_time - time - optional
- holiday_loc_code - character (36) - mandatory
- timezone - string (128) - optional
- lang_code - character (3) - mandatory
- zone_code - character (36) - mandatory
- is_active - boolean - mandatory
For the center_id received in the request, replaces all the data received in the request against the data existing in the List of Registration Center database against the same center_id.
All the mandatory input parameters should be present
center_end_time should not be before the center_start_time
Latitude and Longitude should be in format of “(-)XX.XXXX”
- Latitude and Longitude should contain at-least 4 digits after decimal
If lunch_end_time and lunch_start_time is sent in the request,
- lunch_end_time should not be before the lunch_start_time
The Zone received should be either same as the Zone mapped of the Administrator or a child zone of the Administrator's Zone
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Registration Center as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
upd_by should be the Username of the user who is accessing this API
upd_dtimes should be the date-time at which the user is creating the Registration Center
History record should be stores for every modification of a Registration Center
Responds with the Registration Center Code and Language Code for the Registration Center updated successfully
In case of Exceptions, system triggers relevant error messages

Decommission a Registration Center

Upon receiving a request to Decommission a Registration Center with the input parameters (center_id), the system updates the is_deleted flag to true in the List of Registration Center Database against the center_id received

Refer below for the process:

Validate if all required input parameters have been received as listed below for each specific request
- center_id - character (36) - Mandatory
Change the “is_Deleted” flag against Registration Center ID to “True”
Change the “is_Active” flag to “False” against the Registration Center.
upd_by should be the Username of the user who is accessing this API
del_dtimes should be the date-time when the Registration Center is being decommissioned
Validate if any Machine, Devices or Users are mapped to the Registration Center
- If any Machine, Device or User is assigned to the Registration Center, do no decommission the Registration Center, throw an appropriate error message. Refer “Messages Section”.
The User accessing the API should only be able to decommission a Center under its administrative zone only
Responds with the appropriate message for the Registration Center decommissioned successfully
In case of Exceptions, system triggers relevant error messages

Fetch Registration Center details based on a Registration Center ID and Language Code.

On receiving a request to fetch Registration Center Details with the input parameters (Registration Center ID and Language Code), the system fetches all the Registration Center attributes for the Registration Center ID and Language Code received. The system only fetches active Registration Centers.

Refer below for the process:

While fetching the registration center details the system validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message.
System also validates if the response contains the following attributes for the Registration Center ID along with values as applicable
- Registration Center ID
- Registration Center Name
- Longitude
- Latitude
- IsActive
- Center Type Code
- Address
- Working Hours
- Contact Number
- No. of kiosk
- Per kiosk Processing time
- Starting time
- End time
- IsActive
In case of Exceptions, system triggers relevant error messages.

Fetch Registration Center record based on a Registration center ID, Date and Language Code from the Registration Center Updation/Creation History table

On receiving a request to fetch Registration Center Creation/Updation History Detail with the input parameters (Registration Center ID, Date and Language Code), the system fetches all the attributes of Registration Center from the history table for the Registration Center ID, Date and Language Code received

Refer below for the process:

While fetching registration center records the system validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Date - Mandatory
- Language Code - Mandatory
The record fetched is the latest record existing on or before the date received in the input parameter
If the mandatory input parameters are missing, system throws the appropriate message.
Validates if the response contains the following attributes for the Registration Center ID along with values as applicable
- Registration Center ID
- Registration Center Name
- Longitude
- Latitude
- IsActive
- Center Type Code
- Address
- Working Hours
- Contact Number
- No. of kiosk
- Per koisk Processing time
- Starting time
- End time
- IsActive
In case of Exceptions, system triggers relevant error messages.

Fetch Registration Center details based on a Location Code and a Language Code

Upon receiving a request to fetch the List of Registration Centers with the input parameter (Location Code and Language Code), the system fetches the list of all the Registration Centers against the Location Code and Language Code received with all the attributes for each Registration Center. The system only fetches active Registration Centers.

Refer below for the process:

While fetching the registration center details the system validates if all required input parameters have been received as listed below for each specific request
- Location Code
- Language Code
If the mandatory input parameters are missing, throws the appropriate message
Validates if the response contains all the Registration Center against the Location Code received with the following attributes for the Registration Centers
- Registration Center ID
- Registration Center Name
- Longitude
- Latitude
- IsActive
- Center Type
- Address
- Working Hours
- Contact Number
- No. of kiosk
- Per koisk Processing time
- Starting time
- End time
- IsActive
In case of Exceptions, system triggers relevant error messages

Fetch Registration Center details based on a Longitude and a Latitude, Proximity Distance and Language Code

On receiving a request to fetch the List of Registration Centers with the input parameter (Longitude and Latitude, Proximity distance and Language Code), the system fetches the List of Registration Centers against the input parameters received. The system only fetches active Registration Centers.

Refer below for the process:

While fetching the registration center details the system validates if all required input parameters have been received as listed below for each specific request
- Longitude
- Latitude
- Proximity Distance
- Language Code
If the mandatory input parameters are missing, throw the appropriate message
The responses contain the list of all the Registration Centers in the radius of Proximity distance radius of the Longitude and the Latitude received with all the attributes for each Registration Center
System fetches the record against the Language Code Received
Validates if the response contains all the Registration Center against the Longitude and the Latitude and the Language Code received with the following attributes for the Registration Centers
- Registration Center ID
- Registration Center Name
- Longitude
- Latitude
- IsActive
- Center Type
- Address
- Working Hours
- Contact Number
- No. of kiosk
- Per koisk Processing time
- Starting time
- End time
- IsActive
In case of Exceptions, system triggers relevant error messages

Fetch the List of Registration Centers based on Location Hierarchy Level, text input and a Language Code

Upon receiving a request to fetch the List of Registration centers with input parameters (Location Hierarchy Level, Text Input and a Language Code), the system fetches the List of Registration centers. The system only fetches active Registration Centers.

Refer below for the process:

While fetching the list of registration centers the system validates if the request contains the following input parameters
- Location Hierarchy Level - Mandatory
- Text Input - Mandatory
- Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message
The list of registration center is fetched based on the combination of Location Hierarchy level and Text received.
System also fetches the list based on the language code received.
The response contains below mentioned attributes for each registration center
- Registration Center ID
- Registration Center Name
- Longitude
- Latitude
- IsActive
- Center Type Code
- Address
- Working Hours
- Contact Number
- No. of kiosk
- Per kiosk Processing time
- Starting time
- End time
- IsActive
In case of Exceptions, system triggers relevant error messages.

Validates whether a Registration Center is under working hours based on a timestamp received

On receiving a request to fetch Registration Center Details with the input parameters (Registration Center ID and Date-Timestamp), the system determines the status of the Registration center as per the logic defined.

Refer below for the process:

While determining the status of registration center the system validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Date-Timestamp - Mandatory
If the mandatory input parameters are missing, system throws the appropriate message.
Responds with "Accept" message if both the following conditions are met:
- The Registration Center corresponding to the Registration Center ID received must be not on a holiday on the date received in the input parameter.
- The Timestamp received in the input parameter must be greater the Registration Center Opening time and Less than or equal to Closing time + 1 Hour.
Responds with the reject scenario if the above two conditions together are not met.
E.g., If the Registration center in not on a holiday and its opening and closing time is (9:00 AM to 5:00 PM). Find the sample response below for different timestamp received.
- Timestamp - 4:00 PM - Accepted
- Timestamp - 5:00 PM - Accepted
- Timestamp - 6:00 PM - Accepted
- Timestamp - 6:01 PM - Rejected
In case of Exceptions, system triggers relevant error messages

List of Machine Types

Creation of a Machine Type

Upon receiving a request to add Machine Type (e.g., Dongle/Desktop) with the input parameters (code, name, descr, lang_code and is_active), the system stores the Machine Type in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory
- descr - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
API should perfrom below multi-language validations on the Machine Type data recieved
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Machine Type and throw an error message. Refer messages section
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Machine Type as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
If all the above validations are successfull, the API should store the data the the database
Machine Type Code should be generated at the back-end for any Machine Type added using a UUID generator
API should store cr_by as the Username of the user who is accessing this API
API should store cr_dtimes as the date-time at which the user is creating the Machine Type
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Update of a Machine Type

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory
- name - Character - 64 - Mandatory
- descr - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
If all the above validations are successfull, the API should update the data in the database agianst the code received
API should perfrom below multi-language validations on the Machine Type data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Machine Type as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Machine Type details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

List of Machine Specifications

Create Machine Specifications

On receiving a request to add Machine Specifications with the input parameters (name, brand, model, mtyp_code, min_driver_ver, descr, lang_code and is_active) the system stores the Machine Specifications in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory
- brand - Character - 32 - Mandatory
- model - Character - 16 - Mandatory
- mtyp_code - Character - 36 - Mandatory
- min_driver_version - Character - 16 - Mandatory
- descr - Character - 256 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
mtyp_code received should be from list of 'codes' from machine_type masterdata table
- If not, the API should throw an error. Refer messages section
API should perfrom below multi-language validations on the Machine Specification data recieved
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Machine Specification and throw an error message. Refer messages section
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Machine Specification as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
If all the above validations are successfull, the API should store the data the the database
Machine Specification Id should be generated at the back-end for any Machine Specification added using a UUID generator
API should store cr_by as the Username of the user who is accessing this API
API should store cr_dtimes as the date-time at which the user is creating the Machine Specification
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Update a Machine Specification

On receiving a request to update a Machine Specification with the input parameters (id, name, brand, model, mtyp_code, min_driver_ver, descr, lang_code and is_active), the system updates the Machine Specification Details in the Machine Specification Database for the id received

This API should only be accessible to Global Admin
The API should accept only the below parameters
- id - Character - 36 - Mandatory
- name - Character - 64 - Mandatory
- brand - Character - 32 - Mandatory
- model - Character - 16 - Mandatory
- mtyp_code - Character - 36 - Mandatory
- min_driver_version - Character - 16 - Mandatory
- descr - Character - 256 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
- mtyp_code received should be from list of 'codes' from machine_type masterdata table
If not, the API should throw an error.
If all the above validations are successfull, the API should update the data in the database agianst the id received
API should perfrom below multi-language validations on the Machine Specification data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Machine Specification as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Machine Specification details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

List of Machines

Create a Machine in Master Database

On receiving a request to add Machine with the input parameters, the system Stores the Machine Details in the Database

Refer below for the process:

While creating the machine IDs the system validates if all required input parameters have been received as listed below for each specific request
- machine_id - character (36) - mandatory
- name - character (64) - mandatory
- mac_address - character (64) - mandatory
- serial_num - character (64) - mandatory
- ip_address- character (17) - optional
- validity_end_dtimes - timestamp
- mspec_id - character (36) - mandatory
- lang_code - character (3) - mandatory
- zone_code - character (36) - mandatory
- is_active - boolean - mandatory
The Zone received should be either same as the Zone mapped of the Administrator or a child zone of the Administrator's Zone
cr_by should be the Username of the user who is accessing this API
cr_dtimes should be the date-time at which the user is creating the Machine
Machine ID should be generated by calling the Machine ID Generator and stored against every new Machine Created
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Machine and throw an error message. Refer messages section
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Machine as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
If the request has been received for Deactivating an active machine, and the machine is mapped to a Registration Center, reduce the number of kiosk by 1 for that Registration Center in the Registration Center Master DB.
If the request has been received for Activating an Inactive machine, and the machine is mapped to a Registration Center, increase the number of kiosk by 1 for that Registration Center in the Registration Center Master DB.
Responds with the appropriate message for the Machine created successfully
History record should be stores for every creation of a new Machine
The API should restricts the bulk creation of Master Data
In case of Exceptions, system triggers error messages as received from the Database.

Update a Machine in the List of Machines Master Database

On receiving a request to update a Machine with the input parameters, the system Updates the Machine Details in the List of Machines Database for the machine_id received

Refer below for the process:

While updating the machine ID the system Validates if all required input parameters have been received as listed below for each specific request
- machine_id - character (36) - mandatory
- name - character (64) - mandatory
- mac_address - character (64) - mandatory
- serial_num - character (64) - mandatory
- ip_address- character (17) - optional
- validity_end_dtimes - timestamp
- mspec_id - character (36) - mandatory
- lang_code - character (3) - mandatory
- zone_code - character (36) - mandatory
- is_active - boolean - mandatory
For the machine_id received in the request, replaces all the data received in the request against the data existing in the List of Registration Center database against the same machine_id.
All the mandatory input parameters should be present
The Zone received should be either same as the Zone mapped of the Administrator or a child zone of the Administrator's Zone
The API should not allow activation of Machine if the data for the Machine is not present in all the languages which are configured for a country
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Machine as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
upd_by should be the Username of the user who is accessing this API
upd_dtimes should be the date-time at which the user is creating the Machine
History record should be stores for every modification of a Machine
Responds with the Registration Center Code and Language Code for the Machine updated successfully
In case of Exceptions, system triggers relevant error messages

Decommission a Machine in the List of Machines Master Database

On receiving a request to decommission a Machine with the input parameters (machine_id), the system Updates the is_deleted flag to true in the List of Machines Database against the machine_id received

Refer below for the process:

While deleting the machine IDs the system Validates if all required input parameters have been received as listed below for each specific request
- machine_id - character (36) - Mandatory
Change the “is_Deleted” flag against Machine ID to “True”
Change the “is_Active” flag to “False” against the Machine.
upd_by should be the Username of the user who is accessing this API
del_dtimes should be the date-time when the Machine is being decommissioned
Validate if the Machine is mapped to the Registration Center
- If yes, do no decommission the Machine, throw an appropriate error message. Refer “Messages Section”.
The User accessing the API should only be able to decommission a Machine under its administrative zone only
Responds with the appropriate message for the Machine decommissioned successfully
In case of Exceptions, system triggers relevant error messages

Fetch Machine Registration/Updation History detail based on a Machine ID and Language Code

Upon receiving a request to fetch Machine History Registration/Updation Detail with the input parameters (Machine ID, Date and Language Code), the system Fetches all the attributes of Machine from the history table for the Machine ID, Date and Language Code received

The record fetched is the latest record existing on or before the date received in the input parameter

Refer below for the process:

While fetching the machine registration and updation history the system Validates if all required input parameters have been received as listed below for each specific request
- Machine ID - Mandatory
- Date - Mandatory
- Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message
Validates if the response contains the following attributes for the Machine ID and Language Code Received
- Machine ID
- Machine Name
- Mac Address
- IP Address
- Serial Number
- Machine Spec ID
- IsActive
In case of Exceptions, system triggers relevant error messages

Fetch Machine Details based on a Machine ID and a Language Code

On receiving a request to Fetch Machine Details with the input parameters (Machine ID and Language Code), the system Fetches all the Machine attributes for the Machine ID and the Language Code Received

Refer below for the process:

While fetching the machine IDs the system Validates if all required input parameters have been received as listed below for each specific request
- Machine ID - Mandatory
- Language Code
If the request has come for fetching all the machine details, responds with all the list of machines
If the mandatory input parameters are missing, throws the appropriate message.
Validates if the response contains the following attributes for the Machine ID
- Machine ID
- Machine Name
- Mac Address
- IP Address
- Serial Number
- Machine Spec ID
- IsActive
In case of Exceptions, system triggers relevant error messages.

Mappings of Registration Center, Machine and User Mappings

Create a mapping record of Center, User and Machine in Center-User-Machine Mapping Master Database

On receiving a request to add a mapping of Center, User and Machine with the input parameters (regcntr_id, usr_id, machine_id and is_active), the system Stores the Mapping of Center, User and Machine in the Database

Refer below for the process:

While mapping the system Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (10) - Mandatory
- usr_id- character (36) - Mandatory
- machine_id - character (10) - Mandatory
- is_active - boolean - Mandatory
Responds with the Center ID, Machine ID ad User ID for the Center, User and Machine mapping created successfully
The component restricts the bulk creation of Master Data
In case of Exceptions, system triggers error messages as received from the Database.

Delete a Center-Machine-User mapping in the Center-Machine-User mapping Master Database

On receiving a request to delete a Center-Machine-User mapping with the input parameters (regcntr_id, machine_id, usr_id), the system Updates the is_deleted flag to true in the Center-Machine-User mapping Database against the input received

Refer below for the process:

While deleting the system Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- machine_id - character (36) - Mandatory
- usr_id - character (36) - Mandatory
Responds with the Center ID, Machine ID ad User ID for the Center, User and Machine mapping deleted successfully
In case of Exceptions, system triggers relevant error messages.

Fetch Mapping History of Registration Center, Machine and User based on Registration Centre ID, Machine ID, User ID and Date

On receiving a request to fetch Mapping History of Registration, Machine and User with input parameters (Registration Centre ID, Machine ID, User ID and Date), the system Fetches all the attributes of Registration, Machine and User Mapping from the history table for the Machine ID and Date received

The record fetched is the latest record existing on or before the date received in the input parameter

Refer below for the process:

While fetching the mappings the system Validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Machine ID - Mandatory
- User ID - Mandatory
- Date - Mandatory
If the mandatory input parameters are missing, system throws the appropriate message.
Validates if the response contains following attributes
- Registration Center ID
- Machine ID
- User ID
- IsActive
In case of Exceptions, system triggers relevant error messages.

List of Devices

Create a Device

On receiving request to add a device with the input parameters, the system Stores the device in the Database

Refer below for the process:

While creating a device the system Validates if all required input parameters have been received as listed below for each specific request
- name - character (64) - Mandatory
- mac_address - character (64) - Mandatory
- serial_num - character (64) - Mandatory
- ip_address - character (17) - Optional
- dspec_id - character (36) - Mandatory
- validity_end_date - date - Optional
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
The Zone received should be either same as the Zone mapped of the Administrator or a child zone of the Administrator's Zone
cr_by should be the Username of the user who is accessing this API
cr_dtimes should be the date-time at which the user is creating the Device
Device ID should be generated by calling the Device ID Generator and stored against every new Device Created
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Device and throw an error message. Refer messages section
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Device as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
Responds with the appropriate message for the Device created successfully
History record should be stores for every creation of a new Device
The API should restricts the bulk creation of Master Data
In case of Exceptions, system triggers error messages as received from the Database.

Update a Device

Upon receiving a request update a Device with the input parameters, the system Updates the Device Details in the List of Devices Database for the id received

Refer below for the process:

While updating the device in device type list the system Validates if all required input parameters have been received as listed below for each specific request
- id - character (36) - Mandatory
- name - character (64) - Mandatory
- mac_address - character (64) - Mandatory
- serial_num - character (64) - Mandatory
- ip_address - character (17) - Optional
- dspec_id - character (36) - Mandatory
- validity_end_date - date - Optional
- lang_code - character (3) - Mandatory
- is_active - boolean - Mandatory
For the device_id received in the request, replaces all the data received in the request against the data existing in the List of Registration Center database against the same device_id.
All the mandatory input parameters should be present
The Zone received should be either same as the Zone mapped of the Administrator or a child zone of the Administrator's Zone
The API should not allow activation of Device if the data for the Device is not present in all the languages which are configured for a country
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Device as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
upd_by should be the Username of the user who is accessing this API
upd_dtimes should be the date-time at which the user is creating the Device
History record should be stores for every modification of a Device
Responds with the Registration Center Code and Language Code for the Device updated successfully
In case of Exceptions, system triggers relevant error messages

Decommission a Device

Upon receiving a request to decommission a Device with the input parameters (id) and Update the is_deleted flag to true in the List of Devices Database against the id received

Refer below for the process:

While deleting the device in the device list the system validates if all required input parameters have been received as listed below for each specific request
- id - character (36) - Mandatory
Change the “is_Deleted” flag against Device ID to “True”
Change the “is_Active” flag to “False” against the Device.
upd_by should be the Username of the user who is accessing this API
del_dtimes should be the date-time when the Device is being decommissioned
Validate if the Device is mapped to the Registration Center
- If yes, do no decommission the Device, throw an appropriate error message. Refer “Messages Section”.
The User accessing the API should only be able to decommission a Device under its administrative zone only
Responds with the appropriate message for the Machine decommissioned successfully
In case of Exceptions, system triggers relevant error messages

Fetch all the List of Devices based on Device Type and Language Code

On receiving request to Fetch list of all Device with the requirement input parameter (Language Code and/or Device Type), the system Fetches all the Devices against the Language Code and/or Device Type as requested

Refer below for the process:

While fetching the device types the system Validates if the request contains the following input parameters
- Device Type - Optional
- Language Code - Mandatory
If the mandatory input parameters are missing, system throws the appropriate message.
If the input parameters contain only Language Code:
- The response contains all the list of devices for all device types against the Languages code received
If the input parameters contain both Device Type and Language Code:
- The response contains the list of devices against the Languages code for that Device Type only
After validation, the above listed parameters system responds with an appropriate message if data does not exist against the Language code/Device Type received.
Validates if the response contains the following attributes for each Device ID, if the input parameters contain only Language Code:
- Device ID - Mandatory
- Machine Name - Mandatory
- Mac Address - Mandatory
- IP address - Optional
- Serial Number - Mandatory
- Device Spec ID - Mandatory
- IsActive - Mandatory
Validates if the response contains the following attributes for each Device ID, if the input parameters contain Device Type and Language Code:
- Device Type-Mandatory
- Device ID - Mandatory
- Machine Name - Mandatory
- Mac Address - Mandatory
- IP address - Optional
- Serial Number - Mandatory
- Device Spec ID - Mandatory
- IsActive - Mandatory
In case of Exceptions, system triggers relevant error messages.

Fetch Device Registration/Update History detail based on a Device ID and Language Code

On receiving request to fetch Device History Registration/Update Detail with the input parameters (Device ID, Date and Language Code), the system fetches all the attributes of Device from the history table for the Device ID, Date and Language Code received

The record fetched is the latest record existing on or before the date received in the input parameter

Refer below for the process:

While fetching the device registration and update history the system validates if all required input parameters have been received as listed below for each specific request
- Device ID - Mandatory
- Date - Mandatory
- Language Code - Mandatory
If the mandatory input parameters are missing, system throws the appropriate message
Validates if the response contains the following attributes for the Device ID and Language Code Received
- Device ID - Mandatory
- Device Name - Mandatory
- Mac Address - Mandatory
- IP address - Optional
- Serial Number - Mandatory
- Device Spec ID - Mandatory
- Validity Time - Optional
- Language Code - Mandatory
- IsActive - Mandatory
In case of Exceptions, system triggers relevant error messages.

List of Device Specifications

Create Device Specifications

On receiving request to add Device Specifications with the input parameters (name, brand, model, dtype_code, min_driver_ver, descr, lang_code and is_active), the system Stores the Device Specifications in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory
- brand - Character - 32 - Mandatory
- model - Character - 16 - Mandatory
- dtyp_code - Character - 36 - Mandatory
- min_driver_version - Character - 16 - Mandatory
- descr - Character - 256 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
dtyp_code received should be from list of 'codes' from device_type masterdata table
- If not, the API should throw an error. Refer messages section
API should perfrom below multi-language validations on the Device Specification data recieved
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Device Specification and throw an error message. Refer messages section
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Device Specification as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
If all the above validations are successfull, the API should store the data the the database
Device Specification Id should be generated at the back-end for any Device Specification added using a UUID generator
API should store cr_by as the Username of the user who is accessing this API
API should store cr_dtimes as the date-time at which the user is creating the Device Specification
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Fetch List of Device Specifications based on a Language Code

On receiving request to fetch the List of Device Specifications with input parameters (Language Code and/or Device Type) the system fetches the List of Device Specifications against the Language Code and/or Device Type

While fetching the List of Device Specifications against the Language Code and/or Device Type the system performs the following steps

Validates if the request contains the following input parameters
- Language Code - Mandatory
- Device Type - Optional
If the mandatory input parameters are missing, throws the appropriate message.
If the input parameters contain only Language Code:
- The response contains all the list of device specs against all the devices for the requested Language Code
If the input parameters contain Device Type and Language Code:
- The response contains only the list of device specs against the requested device type for the requested Language Code
Validates if the response contains the List of Device Specifications with the following attributes, if the input parameters contain only Language Code
- Device Specification ID
- Device Name
- Device Brand
- Device Model
- Device Type
- Minimum Driver Version
- IsActive
Validates if the response contains the List of Device Specifications with the following attributes, if the input parameters contain Device Type and Language Code
- Device Type
- Device Specification ID
- Device Name
- Device Brand
- Device Model
- Device Type
- Minimum Driver Version
- IsActive
In case of Exceptions, system triggers relevant error messages

Update a Device Specification

On receiving a request to update a Device Specification with the input parameters (id, name, brand, model, dtype_code, min_driver_ver, descr, lang_code and is_active) the system updates the Device Specification Details in the Device Specification Database for the id received

This API should only be accessible to Global Admin
The API should accept only the below parameters
- id - Character - 36 - Mandatory
- name - Character - 64 - Mandatory
- brand - Character - 32 - Mandatory
- model - Character - 16 - Mandatory
- dtyp_code - Character - 36 - Mandatory
- min_driver_version - Character - 16 - Mandatory
- descr - Character - 256 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
- dtyp_code received should be from list of 'codes' from device_type masterdata table
If not, the API should throw an error.
If all the above validations are successfull, the API should update the data in the database agianst the id received
API should perfrom below multi-language validations on the Device Specification data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Device Specification as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Device Specification details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

List of Device Types

Create Device Type

Upon receiving a request to add Device Type with the input parameters (code, name, descr, lang_code and is_active), the system Stores the Device Type in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory
- descr - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
API should perfrom below multi-language validations on the Device Type data recieved
If, the data is recieved in secondary language and the data for primary language is not present in the database, the API should not allow creation of the Device Type and throw an error message. Refer messages section
If in the request, all the mandatory data is received in primary langauge but not in the secondary langauge, API should store the data but mark the Device Type as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
If all the above validations are successfull, the API should store the data the the database
Device Type Code should be generated at the back-end for any Device Type added using a UUID generator
API should store cr_by as the Username of the user who is accessing this API
API should store cr_dtimes as the date-time at which the user is creating the Device Type
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Update Device Type

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory
- name - Character - 64 - Mandatory
- descr - Character - 128 - Optional
- lang_code - Character - 3 - Mandatory
- is_active - boolean (true/false) - Mandatory
All the mandatory input parameter(s) should be present in the reqeust. If not, throw an appropriate error message
The API should validate the data type and length for each attribute as mentioned above.
In case of any failed validation, API should respond with appropriate error message. Refer messages section
If all the above validations are successfull, the API should update the data in the database agianst the code received
API should perfrom below multi-language validations on the Device Type data recieved
If in the database, all the mandatory data is present in primary langauge but not in the secondary langauge, API should update the data but mark the Device Type as Inactive (is_acitve = false) regardless of what is received in the request for is_active flag
API should store upd_by as the Username of the user who is accessing this API
API should store upd_dtimes as the date-time at which the user is modiying the Device Type details
API should only allow creation of one record at a time and should restrict bulk creation
API should audit the relevant data when the API is called successfully or when an error is encountered

Mappings of Registration Center and Machine

Create a mapping record of Machine and Center

Upon receiving a request to add a mapping of Machine and Center with the input parameters (regcntr_id, machine_id, and is_active), the system stores the Mapping of Machine and Center in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (10) – Mandatory (refers to a Registration Center stored in Registration Center)
- machine_id - character (10) – Mandatory (refers to a Machine stored in Machine Masterdata)
- is_active - boolean - Mandatory
Validate if the Registration Center belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
Validate if the Registration Center belongs to the Zone of Machine or belongs to a child Zone of the Machine's Zone
Validate if the Machine belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
Validate if the Registration Center and Machine received are not in decommissioned state
If the above conditions in point 2, 3, 4 and 5 are not met, throw respective error messages. Refer messages section
If the Machine ID is already mapped to another Registration Center ID and the mapping is Active, throw an appropriate error
If the mapping is Inactive, create the new mapping
Store the default language code against the mapping
If the Registration Center ID - Machine ID mapping already exist but is in Inactive state, re-activate the mapping
In case of Exceptions/Success, system should trigger relevant messages. Refer “Messages” sectione.

Delete a Center-Machine mapping

Upon receiving a request to delete a Center-Machine mapping with the input parameters (regcntr_id, machine_id), the system updates the is_active flag to false in the Center-Machine mapping Database against the input received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- machine_id - character (36) - Mandatory
Validate if the Registration Center belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
Validate if the Machine belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
If the above conditions in point 3 and 4 are not met, throw respective error messages. Refer messages section
If the mapping does not exist or is in inactive state, throw an appropriate error
In case of Exceptions/Success, system should trigger relevant messages. Refer “Messages” section

Mappings of Registration Center and Device

Create a mapping record of Device and Center

Upon receiving a request to add a mapping of Device and Center with the input parameters (regcntr_id, device_id), the system stores the Mapping of Device and Center in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (10) – Mandatory (refers to a Registration Center stored in Registration Center)
- device_id - character (36) – Mandatory (refers to a Device stored in Device Masterdata)
Validate if the Registration Center belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
Validate if the Registration Center belongs to the Zone of Device or belongs to a child Zone of the Device's Zone
Validate if the Device belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
Validate if the Registration Center and Device received are not in decommissioned state
If the above conditions in point 2, 3, 4 and 5 are not met, throw respective error messages. Refer messages section
If the Device ID is already mapped to another Registration Center ID and the mapping is Active, throw an appropriate error
If the mapping is Inactive, create the new mapping
Store the default language code against the mapping
If the Registration Center ID - Device ID mapping already exist but is in Inactive state, re-activate the mapping
In case of Exceptions/Success, system should trigger relevant messages. Refer “Messages” section

Unmap a Center-Device mapping

Upon receiving a request to delete a Center-Device mapping with the input parameters (regcntr_id, device_id), the system updates the is_active flag to false in the Center-Device mapping Database against the input received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- device_id - character (36) - Mandatory
Validate if the Registration Center belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
Validate if the Device belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
If the above conditions in point 3 and 4 are not met, throw respective error messages. Refer messages section 5 If the mapping does not exist or is in inactive state, throw an appropriate error
In case of Exceptions/Success, system should trigger relevant messages. Refer “Messages” section

Fetch Device-Center History record based on the timestamp received

On receiving a request to fetch Mapping History of Center and Device with input parameters (Registration Center ID, Device ID and Date Timestamp) the system fetches all the attributes of Center and Device Mapping from the history table for the Registration Center ID, Device ID and Date received

The record fetched is the latest record existing on or before the date received in the input parameter

While fetching the attributes of Center and Device Mapping from the history table the system performs the following steps

Validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Device ID - Mandatory
- Date Timestamp - Mandatory
If the mandatory input parameters are missing, throws the appropriate message.
Validates if the response contains following attributes
- Registration Center ID
- Device ID
- IsActive
- Effective date
In case of Exceptions, system triggers relevant error messages

Mappings of Registration Center, Machine, and Device

Create a mapping record of Center, Machine and Device

Upon receiving a request to add a mapping of Center, Machine and Device with the input parameters (regcntr_id, machine_id, device_id, and is_active), the system stores the Mapping of Center, Machine and Device in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) – Mandatory (refers to a Registration Center stored in Registration Center Masterdata)
- machine_id - character (36) – Mandatory (refers to a Registration Center stored in Registration Center Masterdata)
- device_id - character (36) – Mandatory (refers to a Device stored in Device Masterdata)
- is_active - boolean - Mandatory
Responds with the Device Id, Machine ID and Center ID for the mapping of Center, Machine and Device created successfully
The component restricts the bulk creation of Master Data
In case of Exceptions, system triggers error messages as received from the Database.

Delete a Center-Machine-Device mapping

Upon receiving a request to delete a Center-Machine-Device mapping with the input parameters (regcntr_id, machine_id, device_id), the system updates the is_deleted flag to true in the Center-Machine-Device mapping Database against the input received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- machine_id - character (36) - Mandatory
- device_id - character (36) - Mandatory
Deleted record are not be deleted again
Responds with data not found error if deleted record is received in the request
Responds with the Device Id, Machine ID and Center ID for the mapping of Center, Machine and Device deleted successfully
In case of Exceptions, system triggers relevant error messages.

Mappings of Registration Center and User

Create a mapping record of User and Center

Upon receiving a request to add a mapping of User and Center with the input parameters (regcntr_id, usr_id, and is_active), the system stores the Mapping of User and Center in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (10) – Mandatory (refers to a Registration Center stored in Registration Center)
- usr_id - character (36) – Mandatory (refers to a User stored in User Masterdata)
- is_active - boolean - Mandatory
Validate if the Registration Center belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
Validate if the Registration Center belongs to the Zone of User or belongs to a child Zone of the User's Zone
Validate if the User belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
Validate if the Registration Center and User received are not in decommissioned state
If the above conditions in point 2, 3, 4 and 5 are not met, throw respective error messages. Refer messages section
If the User ID is already mapped to another Registration Center ID and the mapping is Active, throw an appropriate error
If the mapping is Inactive, create the new mapping
Store the default language code against the mapping
If the Registration Center ID - User ID mapping already exist but is in Inactive state, re-activate the mapping
In case of Exceptions/Success, system should trigger relevant messages. Refer “Messages” section

Delete a Center-User mapping

Upon receiving a request to delete a Center-User mapping with the input parameters (regcntr_id, usr_id), the system updates the is_active flag to false in the Center-User mapping Database against the input received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- usr_id - character (36) - Mandatory
Validate if the Registration Center belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
Validate if the User belongs to the Zone of Admin or belongs to a child Zone of the Admin's Zone
If the above conditions in point 3 and 4 are not met, throw respective error messages. Refer messages section
If the mapping does not exist or is in inactive state, throw an appropriate error
In case of Exceptions/Success, system should trigger relevant messages. Refer “Messages” section

MISP Management

License Key Allocation

Create MISP

The system receives a request to create a MISP with input parameters (MISP ID, MISP Organization Name, MISP Contact Number, MISP Email ID, MISP Address, MISP User name, MISP Password, MISP License Key, MISP License Key Status, IsActive)
Stores the data in the database
Responds to the source with the required message
If the mandatory input parameters are missing, throws the appropriate message.
In case of exceptions, system triggers relevant error messages.

Read MISP

The system receives a request to fetch a MISP with input parameters (MISP ID and/or MISP Organization Name)
Fetches the data existing against the input parameter received.
If only MISP ID is received, fetches data against the MISP ID from the database
If MISP Organization Name is received, fetches data against the MISP Organization Name from the database
If both MISP ID and MISP Organization Name is received, fetches data against the combination of both the input parameters (Complete match of Org name and MISP ID)
Fetches only active data from the database
If the input parameter received is null or empty, fetches all the data
If the mandatory input parameters are missing, throws the appropriate message.
If the data does not exist for input parameters received, throws the appropriate message.
In case of Exceptions, system triggers relevant error messages.

Update MISP

The system receives a request to update a MISP with input parameters (MISP ID, MISP Organization Name, MISP Contact Number, MISP Email ID, MISP Address, MISP User name, MISP Password, MISP License Key, MISP License Key Status, IsActive
Updates the data and Responds to the source with the required message
MISP ID will serves as search criteria to update the record in the database
The system updates the data received against the data already existing in the database against the MISP ID received
If the mandatory input parameters are missing, throws the appropriate message.
In case of Exceptions, system triggers relevant error messages.

Delete MISP

The system receives a request to delete a MISP with input parameters (MISP ID)
Deletes the data as mentioned as requested
Responds to the source with the required message
If the mandatory input parameters are missing, throws the appropriate message.
In case of exceptions, system triggers relevant error messages.

Registration Processor Audits

All modules

System Events

The following events are triggered as part of System Event Type for all modules in Registration Processor

Failure response for System Event Type

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that there was an unexpected exception occured

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a bad gateway

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the service is unavailable

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an internal server error has occured

No ID

No ID Type

RPR_405

System

Exception

This event specifies that a time out error has occured

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while mapping the identity json

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while creating an object of Json value class

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the field could not be found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while parsing the json

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while converting the input streams to bytes

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while parsing the date value

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an IO exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a data access exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a API resource exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a illegal access exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a invocation target exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a introspection exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the object store was not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the copying of packet tags to message events failed

No ID

No ID Type

Packet Receiver Stage

User Events

The following events are triggered as part of User Event Type in Packet Receiver Stage

Success response for User Event Type in Packet Receiver Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_407

User

Add/Save

This event specifies that the packet receiver validation is successful.

No ID

No ID Type

RPR_407

User

Add/Save

This event specifies that the Packet is received and uploaded to landing zone

No ID

No ID Type

System Events

The following events are triggered as part of System Event Type in Packet Receiver Stage

Failure response for System Event Type in Packet Receiver Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the size of the packet is invalid

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet format is invalid

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet validation has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that a duplicate packet request has been received

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet is not available in the request

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an unknown exception was found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the virus scan service is not responding

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Packet Hash Sequence did not match

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a virus found in packet

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the API resource is not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the database is not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet size is not matching

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Registration Packet HashSequence is not equal to the synced packet HashSequence

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet decryption has failed

No ID

No ID Type

OSI Validator Stage

User Events

The following events are triggered as part of User Event Type in OSI Validator Stage

Success response for User Event Type in OSI Validator Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the OSI validation was successful.

No ID

No ID Type

System Events

The following events are triggered as part of System Event Type in OSI Validator Stage

Failure response for System Event Type in OSI Validator Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the OSI validation has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet store is not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the API resource is not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was biometric type exception.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the request could not be processed and should be tried again.

No ID

No ID Type

Packet Classifier Stage

User Events

The following events are triggered as part of User Event Type in Packet Classifier Stage

Success response for User Event Type in Packet Classifier Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the packet classifier was successful.

No ID

No ID Type

The following events are triggered as part of System Event Type in Packet Classifier Stage

Failure response for System Event Type in Packet Classifier Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the packet classifier has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet classification has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the tag generation has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that getting the required Id object field names from tag generator has failed.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Idobject mapping file field was not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Field's schema data type is not supported.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the JSON parsing of field value according to the schema type has failed.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the JSON parsing to java object has failed.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the JSON parsing of meta info has failed.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Mapping field name is not present in identity mapping json.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the required value is not available in the configured language for field.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the FieldDTO or non string field value is null.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the sync registration entity is not available.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Exception Biometrics entry is not available in metainfo map.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Operations data entry is not avaiable in metainfo map.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Meta data entry is not avaiable in metainfo map.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Age Group Range Map configuration does not contain age group for given age.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the captured registered devices entry is not avaiable in the metainfo map.

No ID

No ID Type

Packet Uploader Stage

User Events

The following events are triggered as part of User Event Type in Packet Uploader Stage

Success response for User Event Type in Packet Uploader Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the packet is uploaded to the file system successfully.

No ID

No ID Type

RPR_402

User

Packet Archiving

This event specifies that the packet is successfully archived.

No ID

No ID Type

The following events are triggered as part of System Event Type in Packet Uploader Stage

Failure response for System Event Type in Packet Uploader Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the packet was not found in the landing zone

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the file is already exists in file store and its now deleted from landing zone

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Packet store set by the System is not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the registration packet virus scan has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Virus scanner service has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the JSCH connection has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet could not be retreived from the nginx URL

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Registration packet is not in Sync with Sync table

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Registration packet decryption has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet upload has failed during cleanup

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet upload failed during the archival

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the there was a failure in uploading the packet to Packet Store

No ID

No ID Type

Packet Validator Stage

User Events

The following events are triggered as part of User Event Type in Packet Validator Stage

Success response for User Event Type in Packet Validator Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the packet validation was successful.

No ID

No ID Type

The following events are triggered as part of System Event Type in Packet Validator Stage

Failure response for System Event Type in Packet Validator Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the structural validation has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the data is not available in Master DB

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the attribute is not available in ID JSON for master data validation

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the resource was not found for master data validation

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an invalid attribute value for master data validation

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the the API resource was not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the ID Schema validation has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the document type was invalid for document validation

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the ID Json was not found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the document validation failed for applicant

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet was rejected by the supervisor.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the an error has occured in the packet manager.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the ID Schema validation has failed.

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the UIN is deactivated

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the mandatory field validation has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a registration type mismatch

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the UIN is invalid

No ID

No ID Type

Quality Checker Stage

User Events

The following events are triggered as part of User Event Type in Quality Checker Stage

Success response for User Event Type in Quality Checker Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the Quality check was successful.

No ID

No ID Type

The following events are triggered as part of System Event Type in Quality Checker Stage

Failure response for System Event Type in Quality Checker Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the Registration table was not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the result was not found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a invalid QC User Id

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Registration ID was invalid

RID

Registration Id

RPR_405

System

Exception

This event specifies that it was unable to find Biometric file name in ID JSON

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was unable to find Biometric file in the Packet

No ID

No ID Type

RPR_405

System

Exception

This event specifies that a Biometric Exception was received form IDA

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the requested biometric type was not found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Individual Biometric Parameter was not found in the ID JSON

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Quality ccore of the Biometrics captured was below the threshold

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Packet store set by the System is not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an unknown exception has occured

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an exception has occured in the packet manager

No ID

No ID Type

Secure Zone Notification Stage

User Events

The following events are triggered as part of User Event Type in Secure Zone Notification Stage

Success response for User Event Type in Secure Zone Notification Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_401

User

Add/Save

This event specifies that the secure zone notification was successful.

No ID

No ID Type

The following events are triggered as part of System Event Type in Secure Zone Notification Stage

Failure response for System Event Type in Secure Zone Notification Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that an exception has occured in secure zone notification stage

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Registration table was not accessible

No ID

No ID Type

Message Sender Stage

User Events

The following events are triggered as part of User Event Type in Message Sender Stage

Success response for User Event Type in Message Sender Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the message sending stage was successfully executed.

No ID

No ID Type

The following events are triggered as part of System Event Type in Message Sender Stage

Failure response for System Event Type in Message Sender Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the template was not found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the processing of template has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the packet store set by the system is not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the template generation has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the phone number was not found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Email ID was not found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the configuration and language code was not found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was unable to send the notification since UIN was not found for the lost packet

UIN

RPR_405

System

Exception

This event specifies that the template configuration and language was not found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Message Sender Stage has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that either Email ID or Phone or Template or Notification Type is Missing

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the email sending has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the SMS sending has failed

No ID

No ID Type

Print Stage

User Events

The following events are triggered as part of User Event Type in Print Stage

Success response for User Event Type in Print Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the print request was submitted successfully.

No ID

No ID Type

RPR_402

User

Update

This event specifies that the print and post event was completed successfully.

No ID

No ID Type

The following events are triggered as part of System Event Type in Print Stage

Failure response for System Event Type in Print Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that there was an error while generating the PDF for UIN Card

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the UIN was not found in the database

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the PDF generation has Failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Queue connection is null

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while generating the QR Code

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while setting up the applicant photo

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while setting the QR Code for UIN card

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the ID Repo response is null

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the ID Repo response has no documents

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while getting response from Print and Postal service provider

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while print data validation

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was a Invalid CardType

UIN

RPR_405

System

Exception

This event specifies that it was a Invalid IdType

UIN,VID,RID

RPR_405

System

Exception

This event specifies that the UIN is not valid

UIN

RPR_405

System

Exception

This event specifies that the VID is not valid

VID

RPR_405

System

Exception

This event specifies that the RID is not valid

RID

RPR_405

System

Exception

This event specifies that there was an error while creating the VID

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it could not generate/regenerate VID as per policy,Please use existing VID

VID

RPR_405

System

Exception

This event specifies that the input parameter was missing

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a invalid input parameter

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Pdf was not added to queue due to queue failure

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the uin card was resent for printing

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while QR Code generation

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while creating the VID

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a PDF signature error

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the print request has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the API resource was not accessible

No ID

No ID Type

Re-Processor Stage

User Events

The following events are triggered as part of User Event Type in Re-Processor Stage

Success response for User Event Type in Re-Processor Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the packet reprocessing was successfull.

No ID

No ID Type

RPR_402

User

Update

This event specifies that the request sent to reprocessor was successfull.

No ID

No ID Type

RPR_402

User

Update

This event specifies that the packet reprocessing has failed

No ID

No ID Type

The following events are triggered as part of System Event Type in Re-Processor Stage

Failure response for System Event Type in Re-Processor Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the Reprocessor stage has failed

No ID

No ID Type

ABIS Handler Stage

User Events

The following events are triggered as part of User Event Type in ABIS Handler Stage

Success response for User Event Type in ABIS Handler Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the ABIS handler stage was successfull.

No ID

No ID Type

RPR_402

User

Update

This event specifies that the Abis insert Requests was sucessfully sent to the Queue.

No ID

No ID Type

The following events are triggered as part of System Event Type in ABIS Handler Stage

Failure response for System Event Type in ABIS Handler Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the Abis Queue details are not found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the potential match records are not found for demo dedupe potential match

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an internal error occured in Abis handler identify request

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was unable to find ABIS Reference ID

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was unable to find latest Transaction ID

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was unable to find Identify Request

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was unable to find ABIS Connection Properties

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an unknown exception was found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was unable to find ABIS Batch ID

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was unable to connect with the ABIS Queue

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an Internal error has occured

No ID

No ID Type

RPR_405

System

Exception

This event specifies that a duplicate insert response is received from abis for same request id

No ID

No ID Type

RPR_405

System

Exception

This event specifies that a duplicate identify response is received from abis for same request id

No ID

No ID Type

Bio Dedupe Stage

User Events

The following events are triggered as part of User Event Type in Bio Dedupe Stage

Success response for User Event Type in Bio Dedupe Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the packet dedupe was successfull.

No ID

No ID Type

RPR_402

User

Update

This event specifies that a potential match was found while processing bio dedupe.

No ID

No ID Type

RPR_402

User

Update

This event specifies that a unique match was found for the Biometrics Received.

No ID

No ID Type

The following events are triggered as part of System Event Type in Bio Dedupe Stage

Failure response for System Event Type in Bio Dedupe Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the Bio Dedupe has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that it was unable to access the packet from Packet Store

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Biometric Insertion has failed in ABIS

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an ABIS Internal error has occurred

No ID

No ID Type

RPR_405

System

Exception

This event specifies that a Datashare exception has occured

No ID

No ID Type

Biometric Authentication Stage

User Events

The following events are triggered as part of User Event Type in Biometric Authentication Stage

Success response for User Event Type in Biometric Authentication Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the Biometric Authentication was successfull.

No ID

No ID Type

The following events are triggered as part of System Event Type in Biometric Authentication Stage

Failure response for System Event Type in Biometric Authentication Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the Biometric Authentication has failed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a IO exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the API resource was not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the request could not be processed

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the registration table was not accessible

No ID

No ID Type

Demo Dedupe Stage

User Events

The following events are triggered as part of User Event Type in Demo Dedupe Stage

Success response for User Event Type in Demo Dedupe Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the demo dedupe was successfull.

No ID

No ID Type

The following events are triggered as part of System Event Type in Demo Dedupe Stage

Failure response for System Event Type in Demo Dedupe Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

System

Exception

This event specifies that a Potential duplicate packet was found for registration id

RID

Registration ID

RPR_402

System

Exception

This event specifies that the Demographic Deduplication was Skipped

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an ABIS response details was found.Hence sending to manual adjudication

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the API resource was not accessible

No ID

No ID Type

Manual Verification Stage

User Events

The following events are triggered as part of User Event Type in Manual Verification Stage

Success response for User Event Type in Manual Verification Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the Manual verification was approved.

No ID

No ID Type

The following events are triggered as part of System Event Type in Manual Verification Stage

Failure response for System Event Type in Manual Verification Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that there was a Invalid file request

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the requested file is not present

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a invalid status update

No ID

No ID Type

RPR_405

System

Exception

This event specifies that no assigned record was found

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the fields can not be empty

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a missing input parameter - requesttime

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a missing input parameter - id

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a invalid input parameter - version

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a invalid input parameter - requesttime

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a invalid input parameter - id

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a invalid argument exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an unknown exception has occured

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a request decoding exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the User Id does not exists in the master list

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the User is not in ACTIVE status

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Registration Id should not be null or empty

RID

Registration ID

RPR_405

System

Exception

This event specifies that the User Id should not be empty or null

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Packet was not found in Packet Store

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was a missing input parameter - version

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the match type is Invalid

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the manual verification was rejected

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the Registration Id should not be empty or null

RID

Registration ID

RPR_405

System

Exception

This event specifies that the No matched reference id found for given RID

RID

Registration ID

RPR_405

System

Exception

This event specifies that there was a table not accessible exception in manual verification

No ID

No ID Type

RPR_405

System

Exception

This event specifies that an invalid message was received from the queue

No ID

No ID Type

UIN Generator Stage

User Events

The following events are triggered as part of User Event Type in UIN Generator Stage

Success response for User Event Type in UIN Generator Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_402

User

Update

This event specifies that the UIN generation was successful.

UIN

RPR_402

User

Update

This event specifies that the UIN generation was successful.

UIN

RPR_402

User

Update

This event specifies that the UIN generation was successful.

UIN

RPR_402

User

Update

This event specifies that the UIN generation was successful.

UIN

RPR_402

User

Update

This event specifies that the UIN generation was successful.

UIN

The following events are triggered as part of System Event Type in UIN Generator Stage

Failure response for System Event Type in UIN Generator Stage

Sl No.

Event ID

Event Type

Event Name

Description

Reference ID

Reference ID Type

RPR_405

System

Exception

This event specifies that the packet store set by the System is not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an error while parsing the Json

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the API resource was not accessible

No ID

No ID Type

RPR_405

System

Exception

This event specifies that there was an IO exception

No ID

No ID Type

RPR_405

System

Exception

This event specifies that the VID status is not active

VID

Virtual ID

RPR_405

System

Exception

This event specifies that the UIN updation has failed

UIN

RPR_405

System

Exception

This event specifies that the UIN is already activated

UIN

RPR_405

System

Exception

This event specifies that the UIN is already deactivated

UIN

RPR_405

System

Exception

This event specifies that the UIN activation has failed

UIN

RPR_405

System

Exception

This event specifies that the UIN reactivation has failed

UIN

RPR_405

System

Exception

This event specifies that the UIN deactivation has failed

UIN

RPR_405

System

Exception

This event specifies that the VID creation has failed

VID

Virtual ID

RPR_405

System

Exception

This event specifies that the UIN was not found for the matched RID

UIN

RPR_405

System

Exception

This event specifies that the UIN Generation has failed

UIN