1 of 100

MOSIP Docs 1.1.5

Home

The MOSIP Program

The MOSIP program was conceived to help build global digital public goods in the space of digital governance. The flagship of the program is the MOSIP platform which provides the core for a foundational identity system that can be used by countries to build their national identity programs. Anchored at the International Institute of Information Technology, Bangalore (IIIT-B), MOSIP harnesses the power of open source and embraces the best practices of scalability, security and privacy. Learn more >>

About MOSIP

The Modular Open Source Identity Platform is an open-source, open standards-based foundational identity platform. MOSIP is an API-first platform that can be used by countries to build their own national id platform. MOSIP offers id life-cycle management features and identity verification capabilities out of the box.

The key objectives of MOSIP are to:

Provide the basic framework to create a fully functional foundational identity system
Provide flexibility for a country to choose and customize the features from the basic framework according to their requirements
Maintain privacy, security and confidentiality of an individual's data

Releases

The latest release of MOSIP, version 1.1.5 is here! We have added many interesting features as part of this release and also incorporated some software infrastructure changes as part of paring the technical debt. Check out the exciting new services and enhancements in the documentation.

Current Release Version: 1.1.5 Release Date: March 23, 2021 You can find the release notes .

Previous Release Version: 1.1.4 Release Date: February 12, 2021 You can find the release notes .

To view the summary of our releases, click .

MOSIP Resources

Source Code: Containers: Maven Repository: Presentations: Learning Videos: Community:

Roadmap

The MOSIP roadmap in the short term is the release of our Long Term Support Version. Our medium-term focus is to enable reference implementations of identity usage, integrations and interoperability. The long-term focus is to offer a set of core components for digital governance. Check out our and to see how you can be part of the MOSIP journey.

Architecture

Note on documentation: Information on the MOSIP architecture and design is distributed between and the design folders of the various .

As the world races towards a fully digital economy, foundational IDs and ID systems become an essential building block in establishing digital trust. They are also an essential part of Government to People (G2P) initiatives. MOSIP as a foundational ID platform delivers a key ingredient of the fabric of digital governance systems.

Pillars of a Digital Future

Digital Identity and Trust

Guiding Principles

The MOSIP philosophy is to provide a "Good ID". As part of this MOSIP embraces a core set of design and architecture principles that allow the platform to offer best practices for a Good ID system. MOSIP is built on the following architectural principles

MOSIP must follow a platform-based approach so that all common features are abstracted as reusable components and frameworks into a common layer
MOSIP must follow API first approach and expose the business functions as RESTful services
MOSIP must not use proprietary or commercial license frameworks. Where deemed essential, such components must be encapsulated to enable their replacement if necessary (to avoid vendor lock-in)
MOSIP must use open standards to expose its functionality (to avoid technology lock-in)
Each MOSIP component must be independently scalable (scale out) to meet varying load requirements
MOSIP must use commodity computing hardware & software to build the platform
Data must be encrypted in flight and at rest. All requests must be authenticated and authorized. Privacy of Identity Data is an absolute must in MOSIP
MOSIP must follow the following manageability principles – Auditability & monitor ability of every event in the system, testability of every feature of the platform & easy upgradeability of the platform
MOSIP must follow the principles of Zero-Knowledge which means that the services know nothing about the Personally Identifiable Information (PII) data stored.
MOSIP components must be loosely coupled so that they can be composed to build the identity solution as per the requirements of a country
MOSIP should work with different locales so that ID systems can be localized for languages and cultures easily.
All modules of MOSIP should be resilient such that the solution as a whole is fault tolerant
The key sub-systems of MOSIP should be designed for extensibility. For example, if an external system has to be integrated for fingerprint data, it should be easy to do so.

The key design aspects considered for MOSIP are

Ecosystem approach

The MOSIP platform is a framework and an end-to-end solution that needs additional components. For example, biometric devices and ABIS solutions are key to processing an individual's data and proving uniqueness. Through a well-defined set of standard interfaces, MOSIP allows for the integration of such components and offers a choice of providers for the same. MOSIP also needs to cater to a diverse set of institutions wanting to authenticate an Individual against the data stored in MOSIP. So, the key parameters are

All public/external facing interfaces of MOSIP must be standards-based for interoperability.
3rd party components should be integrated via standard interfaces and offer a provider model where needed.

Configurability

MOSIP should be flexible for countries to configure the base platform according to their specific requirements. Some examples of configurations in MOSIP are

A country should be able to choose the features required. For example, it must be possible for a country to turn off Finger Print capture
A country should be able to configure the attributes of an ID Object
A country should be able to define the length of the UIN number

Extensibility

MOSIP should be flexible to extend functionality on top of the basic platform. Some examples of extensibility are

A country should be able to introduce a new step in processing data
Integrate MOSIP with other ID systems and include it as part of the MOSIP data processing flow

Modularity

All components in MOSIP should be modular and their features exposed via interfaces such that the implementation behind the interface can be changed without affecting other modules. Some examples of modularity are

The UIN generator algorithm provided by the platform can be replaced by a country with their own implementation
The default demographic de-duplication algorithm provided by MOSIP can be changed to a different one without impacting the process flow

MOSIP Architecture

Design choices

The MOSIP architecture decisions have been based on the Guiding Principles defined in the charter. The design choices are in line with the need for modularity, loose coupling and scalability of its components, and being API first.

Micro-service based architecture for all platform services for modularity and scalability.
Staged Event Driven Architecture (SEDA) for processing Registration data for extensibility.
Thick client architecture for the registration client to support offline operations as well as process security.

The sections below provide different views of the logical architecture of MOSIP.

Functional Architecture

From a MOSIP perspective, several actors are involved in the ID system.

The Individual or the Resident is at the centre of it all. It is their identity that the system deals with.
The Officer is a representative of the ID issuer. There are several specialized roles for the officer.
- The Operator

The diagram shows the functional architecture of mosip with the actors.

Modular Architecture

Mosip has several modules that offer related functionality. These include the core modules of

Pre-registration
Registration client
Registration processor

and the support modules

Partner Management
Administration
Reporting

Note: All user interface modules are reference implementations and can be used as is, refactored or customized or replaced with alternative implementations in the actual deployment.

The diagram below shows the various modules of mosip with their respective service bouquets and their interaction.

Data-Model

This section contains details related to MOSIP data model design.The section also provides the data dictionary of the tables and columns defined by MOSIP databases.

Data Model Considerations

Meaningful Naming: DB objects that are being created will have a meaningful naming.
Flexible model: No business rules are set at the database level other than few mapping data. Most of the business logic is applied at application layer.
Database specific features: Use of DB specific features like defaults, DB sequences, identify fields are not used
No business logic at DB: No business logic implemented at database level other than PK, UK, FKs.
Data Security: Individual and security related information is encrypted

Data Model

Databases inventory in MOSIP.

Sl No

Database Name

Schema Name

Description

Cryptography in MOSIP

Background

The data level encryption is handled in the DTO layer in the application.

Solution

The key solution considerations are

Following are the key considerations of the encryption in the DTO layer,
- The data are classified into,
  - Sensitive

Encryption

Decryption:
- When a request is received, the DTO fields are checked for sensitivity, from the config server.
- If the DTO field is sensitive, the decryption() method is called.

Decryption

Key rotation
- On-Demand:
  - The keys are stored with the expiry date.

Modules

Pre-Registration

Overview

This module enables a resident to:

Enter demographic data & upload supporting documents

Registration

Overview

The registration client is a thick Java-based client where the resident's demographic and biometric details are captured along with the supporting documents in online or offline mode. The captured information is packaged in a secure tamper-proof way and send to the server for processing.

Registration client must provide the following :

Secure way of capturing an individual's demographic and biometric data. The captured data must be cryptographically secure such that the data cannot be tampered with. This is called a registration packet.
Interfaces to biometric devices that comply to industry standards. This ensure that any device manufactured as per standards will work with MOSIP.
Works in online and offline mode. In remote areas where internet connectivity is a challenge, the registration client must work in offline mode.
Remote software update capability. There must be a way to self-update to latest patches/upgrades (bug fixes/enhancements) in a remote way. There could be hundreds of client instances running on laptops/desktops. Updates on all of them must be controlled a central server.
Tamper-proof client software. The registration client must have an ability to validate the structure of the information captured so that it could detect any anomoly due to a possible manual tampering and reject the captured packet.

Detailed functionality

Process flow

Registration officer Onboarding

Registration preparation

Individual registration

Packet upload

End of day (EOD) process

UIN update

Lost UIN

Software update

Logical view

Component architecture

Registration packet structure

All the registration information is zipped and encrypted in a packet and sent to the server. The structure of the packet is given .

Registration client reference application

MOSIP provides an Windows-based reference implementation of the client that has a UI and the business logic to perform the above process flows. The code, design, App setup, build documentation is available in . The App may be modified according to a country's need.

First user on-boarding

TBD

Registration Packet

This document describes the registration packet structure and the packet encryption procedure.

Registration Packet

Once a resident visits the registration center and provides their demographic & biometric details an encrypted zip file is created which is called a "Packet". This packet can only be decrypted by the registration processor using a private key available in the Kernel Key Manager.

The below diagram depicts the packet creation flow using the packet manager.

First User Registration and Onboarding

Steps to generate the first User in MOSIP eco-system, refer below for the process:

1. Creating the First User in KeyCloak

First the role "Default" need to be created in KeyCloak with all other roles.

Guide to Configure MOSIP for Biometrics

MOSIP can be configured to work with proxy implementation and multiple biometric modalities (fingerprint, iris and face). Below are configurations to enable biometrics in MOSIP.

Registration Client

Adding SDK in classpath

Biometric Windows SDK (jar file) should be placed in lib folder after extracting Registration-Client zip file, and then execute run.bat file.

Enabling MDS integration

The below property should updated to enable MDS integration. This property is present in file.

Registering biometric devices for registration

Register Device Provider - Device Provider can be registered with MOSIP using
Register MDS - MDS can be registered with MOSIP using

Enabling biometric for officer and supervisor

Biometric authentication for officer and supervisor can be enabled by updating the is_active column to true in mosip_master.app_authentication_method table. List of processes for which biometric authentication can be enabled in registration client

packet_auth (Authentication when packet is created)
login_auth (Login to registration client)
exception_auth (Authentication when an exception packet is created)

By default, username password based authentication is enabled for all the above processes.

Enabling local de-duplication

Below properties should be enabled for performing local de-duplication. These properties are present in config file

Registration Processor

Configuring ABIS queue

ABIS queue can be configured in file. registration-processor-abis-middleware-stage communicates to ABIS through queue configured. It sends request to inbound queue address and receives response from outbound queue address. If there are multiple ABIS, then it can be added in same file.

ID Authentication

Adding SDK in classpath

Below properties should be set in id-authentication-{env}.properties. The classes configured below will be loaded in classpath during application initialization.

Registering biometric devices for authentication

Register Device Provider - Device Provider can be registered with MOSIP using
Register MDS - MDS can be registered with MOSIP using

Encrypting biometric data from MDS

In order to capture encrypted biometrics from MDS, MDS should use Mosip Public Key. This key should be generated in MOSIP with IDA-FIR as reference-ID for Parter-based Individual Authentication and 'INTERNAL' as reference-ID for Internal Authentication.

Device Integration Specifications

This document detailed out the design approach to integrate with the list of devices used in the MOSIP platform.

Interface approach has been taken to implement the integration with external devices. The interface should have the required method to communicate with the external devices. An Abstract class has been defined to implement the common functionality and it should be extended by Vendor specific implementation class. The device vendor's specific implementation class should extend the Abstract class and implement the required methods using available libraries.

Devices:

Scanner
Printer
GPS

Scanner:

Interface: IMosipDocumentScannerService

public Boolean isConnected() - to check the scanner connection availability.
public BufferedImage scan() - to scan the document from the scanner device.

Abstract Class: DocumentScannerService

public byte[] asPDF(List bufferedImages) - to convert the captured scanned document files into pdf format.
public byte[] asImage(List bufferedImages) - to convert the captured scanned document files into image format.
public byte[] getImageBytesFromBufferedImage(BufferedImage bufferedImage) - to get the byte[] from BuffredImage object.

Printer:

Use the JavaFx provided print functionality to interact with printer directly from UI layer. No additional interface is required. javafx.scene.web.WebView.getEngine().print(PrinterJob)

GPS:

Interface:IMosipGPSService

public String getComPortGPSData (String comPortNo, int portReadWaitTime) - it returns GPS signal in standard format.

Abstract Class:IMosipGPSServiceImpl

public GPSPosition sigalParser(String line) Inputs: gps signal (Ex: $GPRMC,055218.000,A,1259.4845,N,08014.7602,E,0.07,120.70,171018,,,A*64)
- returns the latitude and longitude from the GPS signal.

Registration Processor

Overview

Registration Processor processes the data (demographic and biometric) of an Individual for quality and uniqueness and then issues a Unique Identification Number (UIN). It also provides functionality to update demographic and biometric data and issue a new UIN if lost. The source of data are primarily from

MOSIP Registration Client

Deduplication and Manual Adjudication

Providing unique identity for a resident is one of key features of any identity platform. Hence, in MOSIP, we provide features like demographic and biometric de-duplication followed by manual adjudication to identify the uniqueness of a resident's demographic and biometric details.

De-Duplication

De-duplication is the process to find a duplicate by comparing the individual’s details (biometric and demographic data) with the data stored in the system.

ID Repository

Overview

ID Repository contains the record of identity for an individual, and provides API based mechanism to store, retrieve and update identity details by other MOSIP modules. ID Repository is used by:

Registration Processor

ID Authentication

Overview

ID Authentication (ID Auth) provides an API based authentication mechanism for entities to validate individuals. ID Authentication is the primary mode for entities to validate an individual before providing any service.

Following are the pre-requisites for an entity to do authentication of an individual

Resident Services

Overview

Resident services are the self services which is used by the resident themselves via a portal. Functionalities such as lock/unlock authentication types, reprint UIN, view authentication history etc. are available. The services use OTP method of authentication.

The back-end is a set of services with REST API interface (provided by MOSIP) and front end is a portal to be developed by the adopter according to their requirements.

Kernel

Overview

Kernel is on which MOSIP services are built. Kernel is a platform to build higher-level services as well as a secure sandbox within which the higher-level service functions. Kernel provides a bedrock to build and run the services by providing several significant necessary technical functions so that individual services are concerned with specific business functions.

Kernel is not a distinct module but a bunch of services and libraries that are shared across different modules.

Authentication and Authorization Functionality

In MOSIP, Authentication largely falls into the below categories:

Authentication via web channel (for Pre-Registration web application, Admin web application and Resident portal)
Authentication via local system i.e., offline authentication (for Registration client)

In MOSIP, Authorization falls into the below categories:

Auth Implementation

Please find below the sequence diagrams for auth flows.

Login flow:

Resource request flow:

Service to Service communication:

Documentations for the Auth Implementations

Biometrics

Build & Deploy

Cell Based Deployment Architecture

Context

Scalability of complex systems is non-trivial especially when there are multiple running components like microservices, databases, storage clusters etc. with complex interactions. End-to-end performance modelling of such a system poses significant challenges as the performance of the 'whole' does not have a straight-forward linear relationship to its 'parts'.

MOSIP recommends a cell architecture where hardware and software within a cell is fixed (canned), and the cell is benchmarked for input/output capacity. Such cells, then, may be replicated to scale up capacity in a production depolyment with traffic diverted to them via a load balancer. Ideally, each cell must be islolated from each other without any cross-dependencies. Practically, however, they may share certain resources. Scalabilty of such common resources needs to addressed separately.

Other Installation Guides

Glossary

The MOSIP narrative and documentation uses terminology which can be hackneyed, cryptic or loaded at times. The ID industry also uses this terminology in different contexts will different shades of meaning. Here we provide a set of such terms and their interpretation in the context of mosip.

Note: This document is work in progress.

A Assurance Level

Authentication

AuthN and AuthZ

C Consent

Contribute

Issue Reporting Guideline

Pre-requisite

MOSIP issues are maintained in . File the issue against the right repository.

Coding Standards

Testing

Testing Attachments Kernel

APIs

Resident Services Functionality

The Resident Service module will provide a host of services to an individual which can be availed after the creation of their Unique Identity Number (UIN). The list of services are as follows:

Update of Demographic Data (UIN update)
Track Request Status
Lock/Unlock AUTH types
Download e-UIN
Retrieve Lost Request ID(RID)/UIN
Reprint UIN
View Authentication Transaction History
Generate/revoke Virtual ID (VID).

All these features are detailed in the following features section.

Features

Track status of UIN Generation

This feature will allow an individual to track status of his/her UIN generation. The individual needs to provide the RID (Request ID received during UIN registration) as input. The system will validate this RID. On successful validation, the system will send the status of UIN generation to the individual's registered mobile number and/or email ID. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Download e-UIN

This feature will allow an individual to download his/her electronic UIN. The individual needs to provide the UIN/VID, full name, postal code, and security code as input. The system will validate the provided data, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, system will send a link to the individual's registered mobile number and/or email ID to download his/her password-protected e-UIN in PDF format. The system will also trigger a notification message to the individual's registered mobile number and/or email id after the transaction or appropriate error message if the transaction was not successful.

Retrieve Lost RID

After the UIN application is submitted by an individual providing the required demographic, biometrics and supporting documents and filling up the enrollment form by visiting a registration center, the system generates a unique RID (Request ID) as an acknowledgment number. If the individual misplaces this RID, this feature will allow an individual to retrieve his/her lost RID to subsequently trace the associated UIN. The individual needs to provide his/her Full Name, Mobile Number and/or E-Mail ID, Postal Code that was provided during registration as input. The system will first validate the individual's provided data, trigger an OTP, and perform OTP validation on the given mobile number and/or email ID. On successful validation, the system will send a link to password protected PDF containing the RID to individual's registered mobile number and/or email ID. The system will also trigger a notification message to the registered mobile number/email ID after a successful transaction or appropriate error message if the transaction was not successful.

This feature is not yet developed in MOSIP.

Retrieve Lost UIN

This feature will allow an individual to retrieve his/her lost UIN. The individual needs to provide the Full Name, Mobile Number and/or E-Mail ID, Postal Code as input. The system will first validate the individual's provided data, trigger an OTP, and perform OTP validation on the given mobile number and/or email ID. On successful validation, the system will send a link to the individual's registered mobile number and/or email ID to download his/her password-protected UIN in pdf format. The system will also trigger a notification message to the registered mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

This feature is not yet developed in MOSIP.

Re-print Request of UIN

This feature will allow an individual to raise reprint request of his/her UIN. The individual needs to provide the UIN/VID as input. The system will first validate the individual's UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will take the UIN reprint request and acknowledge the request with a Request ID (RID) to the individual. The system will also trigger a notification message to the registered mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Initiate UIN Update

This feature will allow an individual to initiate update of his/her demographic details. Currently, an individual can initiate an update of the address associated to the provided UIN/VID. However, this service can be extended to further update any other aspect of the demographic data (EG: Mobile, Email, etc). The individual needs to provide the UIN/VID as input. The system will first validate the individual's UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will generate and send a Request ID (RID) for UIN update to individual's registered mobile number and/or email ID. The system will also trigger a notification message to the registered mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Track Status of UIN Update

This feature will allow an individual to track status of his/her UIN update. The individual needs to provide the RID ( Request ID for UIN Update) as input. The system will first validate the RID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will send the status of UIN Update to individual's registered mobile number and/or email ID. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

View History of Authentication Requests

This feature will allow an individual to view history of the authentication request(s) associated to his/her UIN. The individual needs to provide the UIN/VID as input. The system will first validate the UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will send unarchived Authentication History data of the individual associated to the provided UIN and all its associated VIDs. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Lock/Unlock Authentication

An individual can decide to lock specific Authentication Types (Demographic/Biometrics) of his/her UIN/VID for security reasons. It can be for one or more Authentication types. The locked Authentication Type(s) cannot be used for any future authentication request. Similarly at any point he/she may also request to unlock one or more locked Authentication types which was locked earlier.

Lock the UIN

This feature will allow an individual to lock the requested Authentication Type (Demographic, Biometrics (FP/Iris/Face/All)) associated with his/her UIN/VID. The individual needs to provide the UIN/VID as input. The system will first validate the individual's UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will first send the details of all Authentication Types to the individual. The individual will then select which Authentication Type(s) will need to be locked. The system takes the request, locks the specified Authentication Type(s) and then notifies the individual. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Unlock the UIN

This feature will allow an individual to unlock requested Authentication Types (Demographic, Biometrics (FP/Iris/Face/All)) which is/are in locked status associated with his/her UIN/VID. Once unlocked, the individual can again use these Authentication Type(s) for any future authentication purpose. The individual needs to provide the UIN/VID as input. The system will first validate the individual's UIN/VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system will first send the details of all Authentication Type(s) to the individual which is/are in locked status. The individual will then select which Authentication Type(s) need to be unlocked. The system takes the request and accordingly unlocks the Authentication Type(s) and notifies the individual. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

VID Service

To safeguard the confidentiality of a UIN and for its security, Virtual ID (VID) service is provided. Based on the VID policy (defined by Country), an individual will be provided a VID during UIN registration and also he/she can create this using 'Resident Services'. The VID policy attributes defines the type of the VID, Country can name the VID as desired. VID policy constitutes time validity, no of instances, no of transactions, regeneration mode.

VID services comprise of the below.

Generate a VID

An individual can request to generate a Virtual ID via Resident Service by providing his/her UIN. The system will first validate the individual's UIN, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication the VID is generated based on the VID policy of the respective Country. The system will also send a notification message to individual’s mobile number and/or email ID after a successful transaction or appropriate error message if the transaction was not successful.

Maintain the status of a VID

This feature allows the system to maintain the status of all VIDs from the perspective of Time Validity, Transactions, and VID Revocation. The feature will be used by system's authentication module (called IDA - ID Authentication) whenever a VID is used for an authentication transaction (VID status will change to ‘USED’). Also when Resident Services is used for VID Revoke feature the status of VID changes to ‘REVOKED'.

Revoke a VID

To prevent misuse of VID, an individual can request to revoke his/her VID using Resident Service if the individual feels his/her VID has been compromised. The individual provides the VID as input. The system will then validate the individual's VID, trigger an OTP to individual's registered mobile number and/or email ID, validate the OTP and then authenticate the individual. On successful authentication, the system revokes the provided VID. Based on the VID policy of the Country a new VID will be generated during revocation and provided to the individual on the registered mobile number and/or email ID. If validation fails, the system triggers the appropriate error message.

Auto-restore a VID on Revocation and with Auto-restore Policy

This feature allows for a VID to be auto regenerated and given to an individual after he/she requests for an existing VID to be revoked. The VID regeneration happens based on the VID policy defined by Country (the regeneration policy for the revoked VID should be "Auto-restore").

List of Configurable Parameters and Processes

All the configurations related to resident services are available

Resident Services API

Process View

Pre-Registration Functionality

Residents can login to the pre-registration portal by providing their email id or mobile number. The system validates the email id or phone number, once validated sends an OTP which the resident enters. The system validates the OTP redirects the user to enter or edit the details for booking an appointment.

The resident logs in to the pre-registration portal with their mobile number or email id. After successful Authentication, the system checks if the user is first-time user or not. If the user is first-time user, the system creates a new record in the database. All the pre-registration ids created from there on will be mapped to this user id.

Logout/session timeout

If the resident wishes to logout of the pre-registration system, he/she can opt to select the Logout option. The token issued during the Authentication of user Login is deleted and the user gets logged out of the system. If the user is inactive for X minutes (X is configurable), the system notifies the user one minute before the configured timeout limit and logs out after a minute. In such case, the system will not save any user data.

Creating an application

Provide demographic data

The user is provided with demographic form based on the & for new pre-registration application, user fills demographic details (e.g., Full Name, Age/DOB, Gender, Residential status, Address, mobile number, email id, etc.). The system validates the fields entered, the system also checks for the mandatory fields. Additionally, the system validates for any blacklisted words entered (as configured by the country). Once validated a pre-registration request id (PRID) is generated and the demographic details provided gets mapped to that PRID.

Consent is sought from the user for every new application created in the system.

Before filling the application form, the user is advised to provide their consent for storage and utilization of their personally identifiable information (PII). The consent is sought from the user for every new application created in the system. On providing their consent, the system redirects the user to start the pre-registration application (demographic details). The data as part of the consent form is rendered as setup by the administrator.

In case of closure of the Consent Pop-up, the following scenarios may arise:

First-time login: On closure, then system alerts the user that he will be logged out due to not providing consent.
Existing user login
- Scenario 1: Create new application from Dashboard: On closure, the user will be redirected to Dashboard page.

Create multiple applications

Once the demographic details are filled and the Documents are uploaded, if the user wishes to add an applicant, he/she can opt to select 'Add An Applicant' option on the preview page or 'Create New Application' option on the Dashboard. The system associates unique pre-registration id to the new application(s) created.

Provide data in preferred language

The user can select their language of preference, which is referred as Primary (from a list of 2 languages as set by the administrator) from the login screen, the other language from the list is considered as secondary. The user can then provide data in the preferred language (primary) as selected. The data in the right side of the demographic page will be transliterated to secondary language. The labels in the right hand side will be translated to the Secondary language. The user can verify the transliterated data and edit if required. The data will subsequently be stored in the database along with the respective language codes.

Language Configuration

In the below listed scenarios, system will render an error message on the Login page and inhibit pre-registration, and hence, the language configurations should be appropriately setup by the administrator.

If Primary Language is set to a specific value and Secondary Language is marked as null/not set by administrator, or
If Secondary Language is set to a specific value and Primary Language is marked as null/not set by administrator, or
If both Primary and Secondary Language is marked as null/not set by administrator.

Example: Primary set to English and Secondary not set or vice-versa, then system will render the stated Error Message: "The system has encountered a technical error. Administrator to setup the necessary language configuration(s)." The error message will not have an option to exit, hence not allow the user to proceed further. On page refresh, the system will render the error message again and hence, inhibit pre-registrations.

Considering a scenario, wherein if Primary language and Secondary language is configured to be the same, eg. English; then: *The system will render the demographic page (with both left and right side for Primary and Secondary lnaguage) in the same language

Values entered on the left side (Primary Language) will not be transliterated but auto-copied on the right side
Values on the right side will remain un-editable
As part of the packet, system will send/store data in one language only, if language code is identified to be the same – eg. en (English)

Viewing "My Applications" (covers status)

The pre-registrations created will be associated with user id. The user can view all the pre-registrations created by him/her in the Dashboard. The pre-registration can be in three different status (Pending appointment, Booked, Expired)

Status

Explanation

User Action

The applications are sorted and displayed by the order of creation of application. The first application created appears first, latest created/modified application appears at the end. If the user visits the registration center and consumes the appointment, then the application will be removed from the list. If the appointment date has passed, the status changes to "Expired" and is retained on the dashboard for further rebooking/modification as required.

Modify application data

The user can modify the pre-registration data by opting to select the "Modify" option for a specific application. The system provides the demographic form with pre-filled demo details and allows the user to edit the details as required. The system associates the modified demo details with the pre-registration id for which Modify information is initiated.

Discard application

The user can discard the pre-registration by clicking on the Delete icon for the pre-registration id for which he/she wishes to discard. The system provides the user with two options: 'Discard entire Application' or 'Cancel appointment'. The user chooses to discard entire application. The system deletes all the data mapped to the pre-registration id and cancels the appointment (if any).

Attaching documents to the application

Document Categories and Applicable Document Types

When user provides their demographic data, the pre-registration system captures the data.
Based on the parameters (from the configuration) for example - gender, age and residential status (Foreigner, National) from the demographic data, applicant types are determined. The pre-registration system then sends the id to the mapping.
Based on the Applicant type, the Applicable Document categories are received from the mapping. The pre-registration system then displays only applicable categories.

Referring to already uploaded documents

The POA (Proof of Address) document could be uploaded or can be referred to an already uploaded POA of an existing applicant
The user could select a particular applicant document to which he wants to refer
When Pre-registering for a family living at the same address it is not required to upload same POA again and again,instead could refer to the document as uploaded by the first family member saving space and time.

Booking an appointment

Choosing a registration center for appointment

Nearby centers based on user geo-location

An user can enable location services, in the device/machine in order to select nearby centers
The system checks for the lattitude and Longitude values of the user and fetches all the registration centers within 2 Km radius (configurable)
The first registration center as per the search criteria is shown to the user on map by default.

Find a center

An user may opt to perform text search to find a center based on which the system displays the registration centers
It is a contextual search where the user selects a search criteria and based on the selected search criteria enters relevant text.
The first registration center as per the search criteria is shown to the user on map by default

Get appointment for the day

An user logs in to the pre-registration system and opts to book appointment for pre-registration application or Modify appointment
The system presents a list of Centers to the user to select the required registration center
The time selection with calendar days along with number of slots available per calendar day will be displayed

Choosing appointment slots

Get slots availability

The user opts to view the available slots for a selected registration center.

The system displays 7 calendar days (configurable) for the user to select a slot in the chosen center
Calendar days which are Holidays or non-working days for the selected registration center are greyed out or not shown to the user
For a selected registration center 8 hours (configurable) are considered as working hours

Cancel appointment

An user can opt to cancel selected appointment\s against application which is/are in Booked Status.
In such case the system notifies the user about the successful cancellation
Following a successful appointment cancellation the system unlocks the time slot of the registration center so that someone else can book it.

Re-book appointment

The system provides the user with the list of available appointment Slots
An user can select any of the appointment Date available and any of the appointment Slot available
The user has to select against which pre-registration id the appointment slot is being booked

Appointment acknowledgement

An Acknowledgement is triggered after successful completion of pre-registration (booking an appointment)
The acknowledgement contains the following information: name, pre-registration id, age/DoB, mobile number, email id and registration center details, appointment date, appointment time)
A QR code which contains the pre-registration ID.

Download acknowledgement

User can choose to print or download the acknowledgement as PDF.

Send acknowledgement to email/phone

The system sends an acknowledgement to the applicant to the registered phone (SMS) or email as per the details provided in demographic form. In case of multiple applications, the system sends notifications for each applicant to the details provided in the demographic form of that applicant.

Additionally, user can opt to manually trigger notification(s) to the contact details of additional recipients. However, this is driven by the Notification configuration setup by the administrator, to allow a notification to be triggered by SMS/email/both or none.

The confirmation acknowledgement is also rendered on screen with a confirmation message of the notification being triggered. (Subject to the notification parameter configuration and if any mobile/email id was provided)

Registration Client Services

Retrieve application data by PRID

Upon receiving the registration center id, date range (start date, end date) for the List of pre-registrations, user id (Registration Officer/Supervisor) from Registration client, the pre-registration system processes the information.

The system generates a Transaction id
The system then fetches all the pre-registrations within the Date Range (Start Range, End Date) and for the registration center id received and calculates the count of the pre-registration ids being sent.
The system sends the List of pre-registration ids along with count of pre-registrations.

Batch Job Services

There are three batch jobs that run in Pre-registration based on a cron scheduler.

Consumed Status Batch Job

This batch job identifies the Pre-Registrations for which registration packets are created and are under processing in server. The details about these Pre-registration are removed from pre-Registration database and are moved to an Archival tables in pre-registration called as consumed tables. Later the data in consumed tables can be archived or removed based on the adopter's need.

Expiered Status Batch Job

This batch job identifies the pre-registrations which have expiered and updates the status of these pre-registrations as "Expiered".

Booking Batch Job

Booking batch job, runs every day to perform some standard tasks:

Creating the booking slots (if not available) for next 140 days (configurable) using the details available for the centers like, center working hours, lunch breaks, no. of Kiosks, slot booking times & holidays.
Canceling bookings & sending notifications to the residents, if any emergency holiday has been declared for a center.

Audit

When any transaction is performed, then the same is captured as part of MOSIP Audit Trails, which can be further used for reporting and analytics as required.

Registration Processor Functionality

ID Life cycle Management

When an individual visits a registration center to get an ID or update his/her ID details, a registration officer captures the individual’s demographic (name, date of birth, gender, etc.) and biometric (face, iris, fingerprint image) details in a Registration Client. The Registration Client packages the captured information in a secure way (in the form of encrypted packets) and sends it to Registration Processor for further processing.

The packet received from the Registration Client goes through various sanity checks and validations to perform various life cycle events. The various life cycle events that can be processed by Registration Processor are:

New ID Issuance
Update individual’s Information
De-activate individual’s ID
Re-activate individual’s ID
Find an individual’s ID

New ID issuance

A new ID issuance requires an individual to visit a registration center and provide the required information to register himself/herself in MOSIP for the first time.

When a registration officer captures an individual’s information, the Registration Client packages the captured information in the form of encrypted packets and sends it to Registration Processor. After the encrypted packet reaches the Registration Processor, the system tries to find a duplicate using the individual’s information (i.e. demographic and biometric information) in the system (this process is known as De-duplication). If the system does not find any duplicates of the individual’s information, then the system registers the individual and allocates a unique ID and sends his/her ID credential through the country's configured printing and postal service .

During the allocation of the Unique Identification Number (UIN), the system also allocates a Virtual Identification Number (VID) to the individual. VID is an alternative to UIN and is a temporary number that can be used for authentications of an individual. The individual can provide the VID instead of UIN to authenticate themselves and protect their UIN from being accessed by someone else.

MOSIP generates two types of VID such as Perpetual VID and Temporary VID.

Perpetual VID: Registration Processor will create a new perpetual VID once UIN is generated successfully.
Temporary VID: As the name goes, it is shortlived which expired after a pre-defined period after which a new temporary VID has to be re-generated. Temporary VIDs are generated by residents using resident services.

Update individual’s information

After an ID is created for an individual, then he/she can choose to update his/her demographic or biometric information. The system provides two different channels by which an individual can update his/her information - by visiting a registration center and by using the resident services.

In both the cases, the individual’s information is securely packaged and sent to Registration Processor. After all successful validations, the system updates the individual’s information and sends his/her updated ID credential through the country’s configured printing and postal service.

Information that can(not) be updated that includes both biometric and demographic data can be customized. In the current implementation,

An individual can update his/her demographic and biometric information when he/she visits the registration center.
An individual can update his/her demographic information when he/she uses the resident services.

De-activate individual’s ID

This feature is used to de-activate an individual’s ID. When an individual’s ID is deactivated, then he/she will not be able to authenticate himself/herself by using UIN or VID.

If a country wants to deactivate an individual’s ID due to any specific reason, the system deactivates the individual’s ID after certain validations are performed in Registration Processor.

Re-activate individual’s ID

This feature is used to re-activate an individual’s deactivated ID. When the individual is re-activated then he/she will be able to authenticate himself/herself by using UIN or VID.

If a country wants to reactivate an individual’s deactivated ID due to any specific reason, the system reactivates the individual’s deactivated ID after certain validations are performed in Registration Processor.

Find an individual’s ID

When an individual forgets their ID information he/she can find it by providing their biometric information in the Registration Center. Registration processor then uses the captured biometrics to find the individual’s ID and sends his/her ID credential to their registered address through the country's configured printing and postal service.

Configurable workflow

Orchestration

Orchestration is the process of configuring various independent services, which will coordinate and manage to achieve a business goal.

In Registration Processor, there are various independent stages (such as Packet Receiver Stage, Packet Validator Stage, Operator Supervisor and Introducer Validator Stage, Demographic Deduplication Stage, Biometric Deduplication Stage, UIN Allocator Stage, Notification Stage, Printing and Postal Stage, etc.), which will perform their own set of validations or operations.

These stages are connected to each other using a workflow manager to perform various ID lifecycles events for an individual.

Retry processing

Registration Processor interacts with multiple external systems where there is a certain probability of failures due to various reasons such as network issues, unavaibility of external systems etc.

Registration Processor retries processing of the stage after a configurable period of time.

Resume workflow

MOSIP system has the capability to recover and continue packet processing if any incident happens which stops processing of some of the packets. These incidents can be: an external/internal stage is not responding, database connection is lost, dependent packets have not been processed, etc.

In case of such incidents, the system have a mechanism in place which identifies any packets that are stuck at a particular stage for a long period of time and resume processing at a configured time.

Integration

Packet processing is divided broadly into three sections such as pre-processing, processing and post processing. Each section has a set of stages which are orchestrated together to create workflow. A System Integrator can customize workflow by adding or by removing stages.

If a country wants to integrate MOSIP with their system to share information to/from MOSIP then MOSIP has provision for system integrator to plugin external system to pull or push data very easily with some customization in the workflow.

Registration processor architecture gives flexibility to customize the workflow to plug-in additional stages and exclude existing stages as per the business need.

Multiple workflows

An ID goes through various lifecycles (ID issuance, update of ID information, activating or deactivating an ID) and each lifecycle has its own set of stages to achieve the end goal.

These stages are glued together to form a workflow. Hence, based on the ID lifecycle, Registration Processor has multiple workflows.

Having multiple workflow increase reusability of stages, readability of workflow configured for each event and maintainability of each workflow which also involve customizing workflow based on the country’s need.

Scalability and throughput

MOSIP is scalable so that it can handle any kind of processing load or request in the future without disturbing the base architecture. MOSIP infrastructure can handle additional processing request based on the requirement of a country. The architecture is designed in such a way that it is flexible to support scalability and holds the request until the end goal is achieved.

Processing of packet

Pre-processing validations

Sanity check

When Registration Processor receives a packet, the system performs various sanity checks on the packet, such as:

Authentication of the request: If the request is coming from a verified source.
Virus scan: In-memory virus scan of the packet received.
Packet integrity check: If the packet received was not tampered during transit by performing checksum validation.

Virus scan

Virus Scanning is an important process, which helps to detect and move the virus infected packets to the quarantine zone. With a good virus scanner integrated in MOSIP will prevent virus interference.

Whenever virus scanning is performed in Registration Processor, the encrypted packets are first scanned and then the packets are decrypted in-memory and scanned.

Virus scanning is performed twice in Registration Processor:

When a packet is received by Registration Processor.
When Registration Processor stores the packet in its internal secure file system.

Machine-Center mapping

When a packet is created in Registration Client, the packet will be created using a registered machine, devices, registration officer, registration supervisor, and registration center.

To make sure that the packets are created as per the defined rules, the system performs the following validations:

Registration Center must be active when the packet was created.
User (registration officer/registration supervisor) must be active when the packet was created.
Machine and devices, in which packet was created must be active when the packet was created.

Officer & supervisor validation

When a packet is created in Registration Client, the officer or supervisor will authenticate himself/herself, and the same is captured in the packet. There are three modes by which an officer or supervisor can authenticate himself/herself, which are listed below:

Biometric authentication
Password based authentication
OTP based authentication

In the case of biometric authentication, the Registration Processor authenticates the officer/supervisor again after receiving the packet from the Registration Client.

Processing

Individual's data validations*

Data quality check

The system provides a feature to integrate with an SDK to identify and validate the age and gender captured by the registration officer against the photo of the resident.

This validation helps the system to identify the mistakes, that are performed by the registration officer.

This is factored for future releases and is not part of the current implementation.

Biometrics quality check

The biometrics captured (face, fingerprint, or iris) for an individual is used to authenticate the individual. If the quality of the biometric image captured during registration is low, then authentication for the individual using biometrics will not be accurate.

Hence, the system provides a feature to integrate with an SDK to validate if the quality of biometrics captured of an individual is above the configured threshold. If the quality of the biometric captured is lower than the threshold configured, then the Registration Processor does not allow ID generation for the individual.

Doc validation - OCR*

When an individual visits the Registration Center to get an ID or update his/her information, the officer manually enters various demographic information for the individual, which might cause a human error. To avoid such issues, the system provides the feature to integrate with an SDK, which validates the fields that are manually entered against the corresponding documents.

This is factored for future releases and is not part of the current implementation.

Functional validations

File & document validation

When the Registration Packets are received from the Registration Client, the system checks if all the files listed in the packet are available. If available, the system verifies if the documents required for an individual are present in the packet as per the data captured. To perform this validation, the mapping of the data captured and the mandatory document required can be configured by the country.

For Example:

If the name is captured, the country can add a validation for Proof of Identity.
If the address is captured, the country can add a validation for Proof of Address.

Introducer validation

An Introducer in MOSIP introduces someone attempting to register without any valid document or proof of identity. In the current implementation, in the context of Minor's registration, the Introducer is the parent or guardian of the minor (child) who approaches the center for registration.

A minor is not mature enough to provide biometrics (like fingerprints or iris) as they are underdeveloped during the time of registration, hence, the parent or guardian acts as the Introducer to register the minor in MOSIP.

When a minor is registered, the Registration Client mandates the capture of the ID and biometrics of the parent or guardian, which is used for authenticating the parent or guardian in the Registration Processor.

To support the Principle of Inclusion, an Introducer can be any individual whose biometrics are registered in MOSIP.

Deduplication – demographic, biometrics

Deduplication is the process of finding a duplicate by comparing the individual’s details (biometric and demographic data) with the data stored in the system.

Demographic deduplication
- The system compares the demographic details (name, gender, and date of birth) of the individual with the data available in the system to find a potential match.
- If a potential match is found, then the system sends the packet to to perform a 1:1 biometric match (it is an additional check to confirm that it is a duplicate).

External system integration

All the below functions can be plugged in by a System Integrator into the MOSIP system. MOSIP provides interfaces for integration.

Data verification

Data verification is a process in which the system can verify the data captured during registration with the data received from an external system to ensure accuracy and consistency. It helps to determine whether data was accurately translated, is complete, and supports the interoperability standards.

The System Integrator can plug-in a stage in the workflow, where the stage can communicate with any external system to receive some information and validate it with the information captured at the Registration Center.

Data Enrichment

Data enrichment is a value-adding process, where external data from multiple sources is added to the existing data sets in MOSIP to enhance the quality and richness of the data. MOSIP receives some data from the external system in the form of a Packet (as per MOSIP Standards). The system can receive this updated packet from external sources and process it with the packet received from the Registration Client.

Manual verification for external system data update

When there are any discrepancies between the data received from the external system vs. the data captured during registration, a country may opt to manually verify the data. The System Integrator in such case may build a Manual Verification Module for external system data mismatch.

Manual adjudication

When biometric duplicates are found in ABIS, the System Integrator can plug in the Manual Adjudication Stage, which would send the biometric and demographic data of the duplicates to a Manual Adjudicator. The Manual Adjudicator now can perform various validations on the duplicate data and inform the MOSIP system if the two records are duplicates or not.

ABIS integration

The MOSIP System, to perform biometric de-duplication (validate if there are no biometric duplicates in the system), integrates with an ABIS.

ABIS Middleware which is designed by MOSIP and MOSIP Middleware designed by ABIS is used to communicate between the MOSIP system and ABIS.

ID issuance

Identity generation - UIN generation and association

After all the business validations are completed, the system gets a Unique Identification Number (UIN) from the UIN generation API and allocates the UIN by sending the new UIN number and the individual's information to the ID Repository.

Store/update ID Repository

After all the business validations are performed for a new ID issuance or updating an individual’s information, this information is sent to the ID Repository for storing or updating the information respectively.

Data extractor for ID authentication

The system extracts the latest copy of an individual’s data after the individual has registered in MOSIP or has updated their data in MOSIP and sends it to ID Authentication. Now, ID Authentication can use the latest copy of the individual’s data for authentication.

Capture audit trails/analytics data

When any transaction is performed in the MOSIP system or the packet fails any validations or any system-level exception happens, then the same is captured as part of MOSIP audit trails, which can be further used for reporting/analytics as required.

Post-processing

Notification

Notification (SMS/Email as configured), which is received by an individual is the final step of all the life cycle processes. The system sends a notification to the individual for various life cycle scenarios such as successful or unsuccessful issuance of UIN, update of UIN data, activate or deactivate UIN, finding a lost UIN, etc. using templates defined in the system.

Print & post

When an individual’s ID is created or an individual’s data is updated, the system sends the individual’s physical ID credential to the individual’s registered address.

This feature is the post processing integration point for the Registration Processor, where a country can generate the PDF of the individual’s ID and sends it to the country’s configured printing and postal service provider. The printing and postal service provider in turn would print the physical ID credential and deliver it to the individual’s registered address.

Packet processing status

After the Registration Client sends the packet to Registration Processor, it starts processing the packet. Registration Processor enables the Registration Client to know the processing status of such packets. The probable packet statuses are as follows:

PROCESSING: The packet is under processing.
PROCESSED: The packet has been processed and Registration Client deletes the packet from its storage location.
RESEND: Initial validation like virus scan and packet integrity check have failed for the packet for a configured number of times and Registration Client needs to resend the packet for processing.

Registration Functionality

Operators in MOSIP

The operators is the one who can login to the registration client application and perform various activities. The roles associated to an operator in MOSIP can be of a Supervisor or an Officer. Below are features accessed by a supervisor and an officer in the registration client.

The list given above corresponds to the default configuration and can be changed by the MOSIP adoptor.

Operator on-boarding

When an operator tries to login to his/her registration client for the very first time they need to be online and would be re-directed automatically to the on-boarding page. During on-boarding the operator needs to provide his/her biometrics, which would be stored and mapped to the client machine locally post authentication.

Operator's biometrics are captured during on-boarding to support login using biometrics, local duplicate checks, and registration submission via. biometric authentication in registration client.

On-boarding is successful for an operator if and only if,

The operator should be active.

When an operator whats to login to the registration client for the first time, he/she needs to have the registration client in online mode. The first time login for any user in registration client is mandated to be using user name and and password based login. After the first login and successful on-boarding; the registration client would mandate the operator to login with the configured mode decided by the administrator.

Any number of officers or supervisors can login to a registration client but,

They need to be mapped to the same center where the machine is registered.

MOSIP supports single factor and multi factor login including password, OTP, iris, fingerprint, and face authentication for registration client. An administrative configuration setting determines the mode of login.

The registration client can authenticate an operator in offline mode using the locally stored biometrics (face/finger/iris) & password, but it has to be online to authentication an operator using OTP.

While a operator attempts to login to registration client, the system will match the user name with the locally stored user names using a case-insensitive logic.

Temporarily lock the operator

The registration client temporarily locks the operator’s account in case he/she provides an invalid password, fingerprint, iris, face for five times continuously to login. The temporarily account lock lasts for 30 minutes (which is configurable).

Logout

An Operator can logout of the registration client by just,

Clicking the logout button,
Closing the registration client, or
Being in-active on the registration client for configured amount of time after which he/she is automatically logged out.

Upon logout, any unsaved data will be lost. Data will not be automatically saved in the database and will not be retained in memory though transaction details which is used for auditing will be captured & stored (except for PII data).

Registration client provides an alerts to the operator, ‘x’ minutes before reaching the auto logout time limit. Registration client displays a countdown timer in the alert. The operator can choose to dismiss the alert and continue working. This will also reset the timer to zero.

Data Sync

Master data sync

In order to run the registration client application in online or offline mode it need some master data. When the client machine is switching from offline to online mode, the locally saved data can be synced with the server & changes from server can be synced backed to client. The data sync can happen through an automated process at a set frequency or an operator can manually initiate a sync.

Configuration sync

When an operator performs data sync the configurations related to registration client also gets synced. Based on the configuration (turn on or turn off), the system allows the operator to capture applicable biometrics, authenticates, and completes the registration activities.

Client to server sync

Registration Client syncs back some information back to the server whenever a sync is triggered:

Operator on-boarding details such as mapping of user, machine & center.
List of registration packets that are newly created.
The registration packets are also uploaded to the registration processor.

Only the additions, deletions, and modifications made since the last sync are sent to the server.

Packet status sync

During the sync operation the registration client request for the registration server for the status of some of the packets that it has already synced in the server. Knowing the status of the packets helps the registration client to,

Delete the packets from it's local file system based on the countries policy.
Re-Upload the packet if it is missing in the server.
Inform the resident to re-register if packet processing fails in server.

Pre-registration data download

An Operator can download the pre-registration data of his/her center for a date range (current date - end date) while being online (where the date range is configurable) and store it locally in the registration machine for offline use. Now when the system is offline and the pre-registration data is already downloaded; the operator can enter the pre-registration id to auto-populate the registration form with the demographic details of the resident.

Now if the registration machine is online the operator can enter the resident's pre-registration data in real time irrespective of the center selected by the resident while filling the pre-registration form.

Date Range of pre-registration data to be downloaded and storage location of pre-registration data in the registration machine is configurable.

Health check

Peripherals check

The registration client has the provision to show if the registration machine has internet connectivity or not.

Disk space check

Upon receiving a request to create a registration packet at the end of data capture and authentication steps, registration client validates if the disk space available on the registration machine to store the registration packet is sufficient or not. If disk space is insufficient, registration client displays an error message and data entered by registration officer is not saved. Then registration officer needs to clean up the registration machine to make sufficient space and try the registering the resident again.

Virus scan/Security scan

When the registration client application is open, the application scans the registration packets at a configured frequency for viruses. If the registration client application is not open at the configured time, the scan will be queued up and will run when the client application is open.

Registration services

New registration

An operator can initiate the process of registering an new applicant in the MOSIP ecosystem by filling the new registration form with the resident. Below are few of the processes needed to complete a new registration.

Enter demographic data and upload documents of a resident

If the resident has a pre-registration id, the operator can auto-populate the demographic data and the documents by entering the pre-registration id.

If the resident doesn't have a pre-registration id, the operator can enter the resident’s demographic details (such as Name, Gender, DOB, Residential Address, etc.) & upload the documents (such as Proof of Address, Proof of Identity, Proof of Birth) based on the by the country.

After the demographic details are entered the registration client validates the entered demographic data as per the Id validation rules defined in the ID Object UI Specification and appropriate error messages are shown in case the validation fails.

Capture biometrics of a resident

The capture of biometrics is governed by the country, i.e. capture of each modality (fingerprint, iris or face) can be controlled by the country using the global configuration to turning on or off, capture of a particular biometrics.

When the operator clicks on the capture button and tries to capture the biometrics of the resident, the device needs to make the capture when the quality of the biometrics is more than the threshold configured by the country. The device will try to capture the biometrics until the quality threshold has crossed or the device capture timeout has crossed which is also configurable.

Post the timeout has occurred and the captured quality of biometrics is less than the threshold, registration client provide an option to the operator to retry capture of biometrics but for a particular number of times which is also configurable.

If the resident has a biometric exception (resident is missing a finger/iris or quality of finger/iris is very poor) the resident can mark that particular biometrics as exception but the resident has provide an exception photo after providing the biometrics.

Device validation

The biometric devices connected to the registration machine to perform registration needs to registered devices and hence device validation is a very important process. The devices are validated using the master data that is received from the server during sync. Once the validation is successful and the device is connected to the registration machine a three way mapping of the center, machine & device is created and synced back to the server.

For every registration, the registration client provides an option for the operator to mark an individual's consent as Yes or No. The operator marks consent after confirming with the resident. Whether the consent is marked as Yes or No, it will not have any impact on issuance of UIN for that resident and the registration processor will not execute any validations in this regard during packet processing.

New registration for an infant

The registration flow for an infant is slightly different from that of registering an adult. The categorization of normal resident and infant is determined based on the age calculated by when the resident provides the date of birth. The age of infant is a configurable parameter (in the current configuration age of infant is set to 5 years).

For an infant registration client doesn't collect the biometrics (except for photo) but it collects the parent/guardian UIN or RID and biometrics for authentication in the server side. Apart from parent/guardian details the resident need to provide a Proof of Relationship document defined by the country.

Update resident's details

When a resident visits the registration center to update his/her demographic or biometrics details, the operator captures the updated data as provided by the resident in the registration client.

Process Flow using which data gets captured by registration client for updating a resident's data:

The UIN update feature is configurable by a country. The Admin can turn ON or OFF, the UIN update feature using the configuration.

Find a lost UIN

There might be a situation when a resident might have lost his UIN and visits the registration center for retrieving the same, the operator then captures the biometrics and demographic details of the individual and processes a request to retrieve the lost UIN. The system sends a notification to the individual upon successful creation of the UIN retrieval request.

Acknowledgement and Notifications

Printing the registration receipt

Once the registration process (new registration, UIN update or lost UIN) is completed, the registration client generates an unique request id and a registration receipt which contains labels & data in configured language. This data also contains a QR code of the RID, photograph of the resident and ranking of each finger from 1 to 10 (1 being the finger with the best quality). This receipt is print friendly and can be used for printing using any printer.

Sending email and SMS notifications

Once a registration process is completed, a notification is sent to the resident using the email ID and mobile number that was provided as part of demographic data. This notification sent is driven by a template created as part of master data and the language selected (primary, secondary or both) & notification mode (SMS, Email or none) is driven by configurations.

Registration Client also provides an option to send SMS and email notifications to additional recipient\s (other than the individual’s primary email ID and mobile number).

Use of biometric SDKs in registration client

Local biometric authentication for operators

Registration client perform authentication for registration officers and supervisors during various scenarios in registration client. In order to perform authentication using biometrics in such scenarios registration client need to integrate with a biometric SDK. The scenarios where biometric authentication is performed in registration client are:

When operator wants to login to registration client
When operator creates a packet
When an exception packet is created we need to perform supervisor authentication

For performing all the above mentioned authentication scenarios, registration client uses the operator's biometrics captured during on-boarding. The match threshold for authentication is a configurable parameter.

Local biometric de-duplication

There could be a scenario where an operator in-order to show a demonstration to the resident might capture his/her own biometrics, which could let to packet processing failure in the server side. Hence, in order to avoid such cases we perform de-duplication of biometrics of the resident against the operator's biometrics who have on-boarded to that registration machine.

Registration officer and supervisor approvals

Approval for packet creation

An operator needs authenticate himself/herself when the registration process is completed. After successful authentication an encrypted packet is created in registration client. During this process if biometrics is used as the mode of authentication, the operator's biometrics is sent to server as part of the packet for verification in the server side.

Approval of exception packet

If a packet is created for a resident who has marked his/her biometrics as exception, the registration client performs a second round of authentication for packet creation. During this authentication the supervisor needs to provide his/her credentials. If biometrics is provided during this authentication, it is sent as part of the packet to the server.

Approval during "re-registation"

During pre-processing of the packet, if the registration processor finds an error in the packet such as decryption failure, then an individual will not be communicated automatically to re-register. In such cases, registration processor marks the status of the packet as "re-register" so that a supervisor informs the individual to "re-register" his/her application. After informing the resident the officer needs to authneticate himself/herself using his/her credentials.

Geo-location

We have a feature to capture geo location of a device before any registration is performed. This is driven by a configuration. If capture of geo location is turned on, the system performs the following steps:

Validates that an on-boarded GPS device is connected to the machine.
- If an on-boarded GPS device is not found, then displays an error message.
- If more than one on-boarded GPS device is connected, then proceeds with the first GPS device that the system finds as it scans the ports of the machine.

Language Support

The Registration Client supports two languages, a primary language in which all pages of the application are rendered, and demographic details of an individual are also rendered in secondary language for convenience of the officer. The default primary and secondary languages are driven by an administrator configuration and can be setup by the admin as required. Transliteration from the primary to secondary language is supported for registration officer entered text fields.

In the below listed scenarios, system will render an error message on the Login page and inhibit Registration, and hence, the language configurations should be appropriately setup by the administrator.

If Primary Language is set to a specific value and Secondary Language is not set by Admin, or
If Secondary Language is set to a specific value and Primary Language is not set by Admin, or
If both Primary and Secondary Language are not set by Admin

Then the system will render the stated Error Message: “The system has encountered a technical error. Administrator to setup the necessary language configuration(s).”

This error message will not have an option to exit, hence not allow the user to proceed further. On page refresh, the system will render the error message again and hence, inhibit registrations. Therefore, it is important for the administrator to setup the configurations appropriately. In case configurations are setup correctly, but post Login, if a sync is initiated through the option in the homepage, and then if it is identified that either Primary/Secondary language/both are not defined, then the system will render the same error message on the homepage and not allow the user to proceed further.

Considering a scenario, wherein if Primary language and Secondary language is configured to be the same, EG: English then:

The system will render the demographic page (with both left and right side for Primary and Secondary language) in the same language
Values entered on the left side (Primary Language) will not be transliterated but auto-copied on the right side
Values on the right side will remain un-editable

Therefore, it is important for the administrator to setup the configurations appropriately.

Translation

A Registration Officer can view static data translated to secondary language.

In MOSIP, the primary and secondary languages are configured by the admin.
Admin configures all the static data in both primary and secondary languages so that the registration officer can view all the pages of client application in primary (default) and second (translated) languages.
If the both languages are configured in one language, the system displays the text in default language only.

Transliteration

Registration Client enables viewing transliterated data.

The Registration Client application supports two type of languages: Primary language (the language in which the registration officer enters data) and secondary language (transliteration language). The secondary language is country specific and is set by the administrator.

When the officer starts a new registration, update or lost UIN process and provides demographic data (Full Name, Address Line 1, Address Line 2, Address Line 3, and parent/guardian Name) of an individual in the primary language. The system transliterates the data and displays in the corresponding secondary language fields.

An Officer can invoke the virtual keyboard to edit transliterated data and proceeds with registration. The following rules are followed during transliteration.

Editing transliterated language does not change the data entered in the primary language.
The system also validates the maximum character length in the transliterated language and in primary language.
If secondary language is not configured, the system does not do any transliteration and will display empty space instead.

Master data selections are not transliterated. Instead, the master data as setup in the secondary language is displayed in the relevant section.

The system then enables the officer to view the registration confirmation page. The data, which are transliterated and edited earlier are also shown in the secondary language.

Packet Upload

Registration Packet Upload

Upload the packet

The system allows a registration officer to view a list of packets and may opt to upload one or multiple packets from a list of packets.
After the registration officer selects the packet(s), he/she can upload the selected packet(s) to server.

Push those packets that are marked 'Resend' to the server

When the registration officer or supervisor navigates to the ‘Upload Packets’ page, the list of RIDs that are pending packets to upload will be displayed.
- Pending packets are those packets, which are not sent to the server due to various reasons (e.g. Sanity Check and Validation failure in the Registration Processor) and have been marked for resending.
When the registration officer or supervisor selects the ‘Upload’ option, the pending packets will be uploaded to the server.

Enable a real time packet upload when system is online upon registration submission

When EoD process is turned ON
- Registration Client checks if the system is online as soon as the assigned approver (such as supervisor) approves or rejects a new registration or UIN update.
- If client is online, the Registration Client sends Registration ID to server and then the packets are marked as “Ready to upload” and auto uploaded to server.

Packet Exporter & Offline Upload from External Device

Export Packets to External Device

System exports registration packet data from client machine to an external device as follows:

This feature allows the registration officer to select a destination folder to export the packets. By default all packets that are listed/eligible to be uploaded, are exported to the external device
The destination folder includes the laptop/desktop, an external hard drive or a remote location
External storage devices are not necessary to be MOSIP-registered devices

Upload Packets from External Device to Server (To be Developed)

Once the server acknowledges that the packets have been received (which is uploaded from the external device to the server through a defined mechanism - Yet to be defined/developed), the packets in the client will be marked as ‘Uploaded’ upon the next sync with Server.

Packets that remain in ‘Ready to Upload’ status will be exported again when the next export is executed.
Packets in ‘Uploaded’ or any other status will not be exported again.

Analytics and Audit Logs

System captures and stores details of each transaction during registration process for audit purpose (except PII data). The audit data is stored in the audit database. When the client machine is working in an offline mode, the audit log is synced with the server as when the client machine is online.

Data Security

Registration Client integrates with Trusted Platform Model (TPM) data integrity. For enhanced security and integrity purposes, data captured from individuals are saved securely in local system and then shared to server. The details saved locally will be encrypted. Database encryption is also mandatory.

MOSIP performs the following:

Signing the data (This process is called as Signature) using Private Key provided by the TPM
- This process will ensure that the request to the server has been dispatched from a registered or trusted Registration Client machine
Validates the signature against the actual data using the Public Key or Public Part. The application does not connect or access the underlying TPM to validate the Signature. This validation ensures that the request is from a registered or trusted Registration Client machine

The system uses a machine and centre specific public key to encrypt. Only the server which has the respective private key, machine id and centre id can decrypt the encrypted packet. The data stored in database and application binaries are encrypted using TPM public key and registration officers will not be able to access directly.

Installation and Software Version Upgrade

A. Registration Officer or Supervisor can download and unzip the client application set up kit

For initial installation of the client software on a particular machine, supervisor or registration officer will download an installable software (setup kit). Then unzip the setup kit and install it in the client machine.

When a registration officer or supervisor opts to download setup kit and selects the OS-specific setup kit to download, the system allows the registration officer to download the setup kit to the storage location chosen by the registration officer.

Registration officer then unzips the setup kit.
Extract the files and folders from the zip file to the chosen location.
Allows the registration officer to verify that the files and folder structure are as described in the design document.

B. Update the client software from the server

If a software update is available, then the system will provide an option to supervisor or registration officer to update either immediately or later. If the maximum number of days without software update has been exceeded, then the system will mandate a registration officer to update the software.

The system follows the following steps during the update process:

When the client is online, the system automatically checks for updates if available.
If an update is available, the system displays a message “Updates are available” and provides two options to the registration officer
- Update now or

Clean up

Pre-registration and registration data are automatically deleted from the client machine upon consumption and upon intimation from the server respectively.

Pre-registration data is deleted from the client machine immediately after consumption for a registration.
Registration packets that are identified as ‘processed’ are deleted by a periodic process.
Audit data is deleted after it is sent to the server.

Data retention policies

A. Read packet status and delete packets

When the Registration Client receives a request through manual trigger or scheduled job to sync data, the system performs the following steps to read a packet status and delete the packets:

Sends the data sync request to server.
Receives response from server with packet statuses.
- Server sends status of those registration packets that were created in the specific machine, and that status that has changed since the last sync.

B. Delete transaction history (audit logs) post sync with server and the retention period

When a set of audit data is uploaded to the server and the server has acknowledged receipt of the audit data, the system performs the following steps to delete transaction history (audit logs) post sync with server and the retention period:

Runs on a daily process to identify audit data that has been sent to the server and acknowledgement is received from the server.
- The audit data acknowledgement received from the server >= x hours ago. X is configured at a country level.
Deletes the identified audit data from the client machine.

Machine Retirement

Machine is termed as machine retirement due to following reason:

If the machine has obsolete specification.
When the machine is moved from one center to another (re-mapped), then the machine will retire from that old center.

Before the machine is decommissioned, the following checks must be performed:

All packets created must either be uploaded to server or exported to external device.
All pending end of day approvals are completed and re-registrations pending action are cleared, refer below for more details
All data locally saved in the machine must be cleaned up.

Re-mapping of Machine:

If a Machine has been re-mapped to another center, then:

Officer will not be allowed to do any operation in Registration Client except,
- Login/Logout
- Approve packets as part of End of Day Approval process

Steps to Install and Configure HDFS

This documentation is for setting up HDFS (v2.8.1) cluster with one namenode and one datanode

Setup HDFS version 2.8.1

Prerequisites

Create 2 VMs. They’ll be referred to throughout this guide as,
Install java (java-8-openjdk) to all the machines in the cluster and setup the JAVA_HOME environment variable for the same.
Get your Java installation path.

Note: Take the value of the current link and remove the trailing /bin/java.

For example on RHEL 7, the link is /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/bin/java

So JAVA_HOME should be /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre.

Edit ~/bashrc.sh:

Export JAVA_HOME={path-tojava} with your actual java installation path.

For example on a Debian with open-jdk-8: export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre

Note: In the further steps when u login to the hadoop account set the java path in ~/hadoop/etc/hadoop/hadoop-env.sh also.

Get the IP of master and slave nodes using:
Adjust /etc/hosts on all nodes according to your configuration.

Note:

While adding same machine ip to /etc/hosts, use private ip that machine instead of public IP. For other machine in the cluster use public IP. * Edit the Master node VM /etc/hosts file use private IP of Master node and public IP of the Slave node. * Edit the Slave node VM /etc/hosts file use private IP of Slave node and Public IP of Master node. * Example: 10.0.22.11 node-master.example.com 10.0.3.12 node-slave1.example.com

Creating Hadoop User

Create a hadoop user in every machine in the cluster to followup the documentation or replace the hadoop user in the documentation with your own user.

Log in to the system as the root user.
Create a hadoop user account using the useradd command.
Set a password for the new hadoop user using the passwd command.

You have successfully configured a hadoop user with sudo access. You can now log in to this hadoop account and use sudo to run commands as if you were logged in to the account of the root user.

Distribute Authentication Key-pairs for the Hadoop User

The master node will use an ssh-connection to connect to other nodes with key-pair authentication, to manage the cluster.

Login to node-master as the hadoop user, and generate an ssh-key:
id_rsa.pub will contains the generated public key
Copy the public key to all the other nodes.
or

Verify ssh from Master node to slave node and vice versa.

Note: if ssh fails, try setting up again the authorized_keys to the machine.

Download and Unpack Hadoop Binaries

Login to node-master as the hadoop user, download the Hadoop tarball from Hadoop project page, and unzip it: cd wget https://archive.apache.org/dist/hadoop/core/hadoop-2.8.1/hadoop-2.8.1.tar.gz tar -xzf hadoop-2.8.1.tar.gz mv hadoop-2.8.1 hadoop

Set Environment variables in each machine in the cluster

Add Hadoop binaries to your PATH. Edit /home/hadoop/.bashrc or /home/hadoop/.bash_profile and add the following line: export HADOOP_HOME=$HOME/hadoop export HADOOP_CONF_DIR=$HOME/hadoop/etc/hadoop export HADOOP_MAPRED_HOME=$HOME/hadoop export HADOOP_COMMON_HOME=$HOME/hadoop export HADOOP_HDFS_HOME=$HOME/hadoop export YARN_HOME=$HOME/hadoop export PATH=$PATH:$HOME/hadoop/bin export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre Run following command to apply environment variable changes, using source command: source /home/hadoop/.bashrc or source /home/hadoop/.bash_profile

Configure the Master Node

Configuration will be done on node-master and replicated to other slave nodes.

Set NameNode

Update ~/hadoop/etc/hadoop/core-site.xml: <configuration> <property> <name>fs.defaultFS</name> <value>hdfs://node-master.example:51000</value> </property> </configuration>

Set path for HDFS

Edit ~/hadoop/etc/hadoop/hdfs-site.xml:
Create directories

Configure Master

Edit ~/hadoop/etc/hadoop/masters to be: node-master.example.com

Configure Slaves

Edit ~/hadoop/etc/hadoop/slaves to be: This slaves file will specifies the datanode to be setup in which machine node-slave1.example.com

Create duplicate config files on each node

Copy the hadoop binaries to slave nodes:
or copy each configured files to other nodes
Connect to node1 via ssh. A password isn’t required, thanks to the ssh keys copied above:
Unzip the binaries, rename the directory, and exit node-slave1.example.com to get back on the node-master.example.com:

Format HDFS

HDFS needs to be formatted like any classical file system. On node-master, run the following command: hdfs namenode -format Your Hadoop installation is now configured and ready to run.

Start HDFS

Start the HDFS by running the following script from node-master: start-dfs.sh, stop-dfs.sh script files will be present in hadoop_Installation_Dir/sbin/start.dfs.sg

It’ll start NameNode and SecondaryNameNode on node-master.example.com, and DataNode on node-slave1.example.com, according to the configuration in the slaves config file.

Check that every process is running with the jps command on each node. You should get on node-master.example.com (PID will be different):
and on node-slave1.example.com:

Hdfs has been Configured Successfully

Note: If datanode and namenode has not started, look into hdfs logs to debug: $HOME/hadoop/logs/

Create HDFS users

To create users for hdfs (regprocessor, prereg, idrepo), run this command:

Note: Configure the user in module specific properties file (ex- pre-registration-qa.properties) as mosip.kernel.fsadapter.hdfs.user-name=prereg**

Create a directory and give permission for each user

Enabling configured port through firewall in each machine in cluster

Note: If different port has been configured , enable those port.

Securing HDFS

Following configuration is required to run HDFS in secure mode. Read more about kerberos here:

Install Kerberos

Before Installing Kerberos Install the JCE Policy File

Install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File on all cluster and Hadoop user machines. Follow this

Kerberos

Kerberos server(KDC) and the client needs to be installed. Install the client on both master and slave nodes. KDC server will be installed on the master node.

To install packages for a Kerberos server:
To install packages for a Kerberos client:

Configuring the Master KDC Server

Edit the /etc/krb5.conf: Configuration snippets may be placed in this directory (includedir /etc/krb5.conf.d/) as well,

Note: Place this krb5.conf file in /kernel/kernel-fsadapter-hdfs/src/main/resources mosip.kernel.fsadapter.hdfs.krb-file=classpath:krb5.conf Or if kept outside resource then give absolute path mosip.kernel.fsadapter.hdfs.krb-file=file:/opt/kdc/krb5.conf

Edit /var/kerberos/krb5kdc/kdc.conf
Create the database using the kdb5_util utility.
Edit the /var/kerberos/krb5kdc/kadm5.acl

To set up the KDC server to auto-start on boot. ``` RHEL/CentOS/Oracle Linux 6

Verify that the KDC is issuing tickets. First, run kinit to obtain a ticket and store it in a credential cache file.
Next, use klist to view the list of credentials in the cache.
Use kdestroy to destroy the cache and the credentials it contains.

Create and Deploy the Kerberos Principals and Keytab files

For more information, check here:

If you have root access to the KDC machine, use kadmin.local, else use kadmin. To start kadmin.local (on the KDC machine), run this command: sudo kadmin.local

To create the Kerberos principals

Do the following steps for masternode.

In the kadmin.local or kadmin shell, create the hadoop principal. This principal is used for the NameNode, Secondary NameNode, and DataNodes.
Create the HTTP principal.
Create principal for all user of hdfs (regprocessor, prereg, idrepo)

To create the Kerberos keytab files

Create the hdfs keytab file that will contain the hdfs principal and HTTP principal. This keytab file is used for the NameNode, Secondary NameNode, and DataNodes. kadmin: xst -norandkey -k hadoop.keytab hadoop/admin HTTP/admin Use klist to display the keytab file entries; a correctly-created hdfs keytab file should look something like this: $ klist -k -e -t hadoop.keytab Keytab name: FILE:hadoop.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 1 02/11/2019 08:53:51 hadoop/[email protected] (aes256-cts-hmac-sha1-96) 1 02/11/2019 08:53:51 hadoop/[email protected] (aes128-cts-hmac-sha1-96) 1 02/11/2019 08:53:51 hadoop/[email protected] (des3-cbc-sha1) 1 02/11/2019 08:53:51 hadoop/[email protected] (arcfour-hmac) 1 02/11/2019 08:53:51 hadoop/[email protected] (camellia256-cts-cmac) 1 02/11/2019 08:53:51 hadoop/[email protected] (camellia128-cts-cmac) 1 02/11/2019 08:53:51 hadoop/[email protected] (des-hmac-sha1) 1 02/11/2019 08:53:51 hadoop/[email protected] (des-cbc-md5) 1 02/11/2019 08:53:51 HTTP/[email protected] (aes256-cts-hmac-sha1-96) 1 02/11/2019 08:53:51 HTTP/[email protected] (aes128-cts-hmac-sha1-96) 1 02/11/2019 08:53:51 HTTP/[email protected] (des3-cbc-sha1) 1 02/11/2019 08:53:51 HTTP/[email protected] (arcfour-hmac) 1 02/11/2019 08:53:51 HTTP/[email protected] (camellia256-cts-cmac) 1 02/11/2019 08:53:51 HTTP/[email protected] (camellia128-cts-cmac) 1 02/11/2019 08:53:51 HTTP/[email protected] (des-hmac-sha1) 1 02/11/2019 08:53:51 HTTP/[email protected] (des-cbc-md5)

Creating keytab [mosip.keytab] file for application to authenticate with HDFS cluster

To view the principals in keytab

To deploy the Kerberos keytab file

On every node in the cluster, copy or move the keytab file to a directory that Hadoop can access, such as /home/hadoop/hadoop/etc/hadoop/hadoop.keytab.

To configure Kernel HDFS Adapter

Place this mosip.keytab file in /kernel/kernel-fsadapter-hdfs/src/main/resources and update the application properties for mosip.kernel.fsadapter.hdfs.keytab-file=classpath:mosip.keytab mosip.kernel.fsadapter.hdfs.authentication-enabled=true mosip.kernel.fsadapter.hdfs.kdc-domain=NODE-MASTER.EXAMPLE.COM mosip.kernel.fsadapter.hdfs.name-node-url=hdfs://host-ip:port

Note: Configure the user in module specific properties file (example: pre-registration-qa.properties as mosip.kernel.fsadapter.hdfs.user-name=prereg).

Enable security in HDFS

To enable security in hdfs, you must stop all Hadoop daemons in your cluster and then change some configuration properties. sh hadoop/sbin/stop-dfs.sh

Enable Hadoop Security

To enable Hadoop security, add the following properties to the ~/hadoop/etc/hadoop/core-site.xml file on every machine in the cluster:
Add the following properties to the ~/hadoop/etc/hadoop/hdfs-site.xml file on every machine in the cluster.

Configuring HTTPS in HDFS

Generating the key and certificate

The first step of deploying HTTPS is to generate the key and the certificate for each machine in the cluster. You can use Java’s keytool utility to accomplish this task: Ensure that firstname/lastname OR common name (CN) matches exactly with the fully qualified domain name (e.g. node-master.example.com) of the server. keytool -genkey -alias localhost -keyalg RSA -keysize 2048 -keystore keystore.jks

Creating your own CA

We use openssl to generate a new CA certificate: openssl req -new -x509 -keyout ca-key.cer -out ca-cert.cer -days 365 The next step is to add the generated CA to the clients’ truststore so that the clients can trust this CA: keytool -keystore truststore.jks -alias CARoot -import -file ca-cert.cer

Signing the certificate:

The next step is to sign all certificates generated with the CA. First, you need to export the certificate from the keystore: keytool -keystore keystore.jks -alias localhost -certreq -file cert-file.cer Then sign it with the CA: openssl x509 -req -CA ca-cert.cer -CAkey ca-key.cer -in cert-file.cer -out cert-signed.cer -days 365 -CAcreateserial -passin pass:12345678 Finally, you need to import both the certificate of the CA and the signed certificate into the keystore keytool -keystore keystore.jks -alias CARoot -import -file ca-cert.cer keytool -keystore keystore.jks -alias localhost -import -file cert-signed.cer

Configuring HDFS

Change the ssl-server.xml and ssl-client.xml on all nodes to tell HDFS about the keystore and the truststore

Edit ~/hadoop/etc/hadoop/ssl-server.xml
Edit ~/hadoop/etc/hadoop/ssl-client.xml

After restarting the HDFS daemons (NameNode, DataNode and JournalNode), you should have successfully deployed HTTPS in your HDFS cluster.

For you face error during kerberos, check this:

Tester Documentation

1. Introduction

1.1 Overview

The MOSIP architecture mainly consists of the following functional blocks/modules

Pre-Registration - Web application designed in Angular JS A resident can provide his demographic details in this web application and book an appointment for his future registration at a registration center
Registration Client - A Desktop thick client application developed in JavaFX. A resident is registered through the Registration Client software to generate get a unique identification number. The software captures demographic and biometrics information of the residents. It is connected to scanner devices (finger print, iris), camera and printer to capture resident biometrics information
Registration Processor - A back-end server application developed using SEDA framework It processes the client packets and generates UIN based on de-dupuplication information from ABIS (Automated Biometrics Identification System)

Test automation is the key to the success of comprehensive test coverage and test data. However in the context of MOSIP testing, where there are external devices and integration with third party software, test automation cannot be exhaustive and comprehensive test coverage can be achieved by testing driven by manual intervention, along with test automation.

In this document we will also talk about utilities for test data generation, tools for test automation and test strategy in general.

1.2 Scope

1.2.1 Test Coverage

Each of the modules has the following building blocks which are the testable entities, at the module level
System Integration Testing - This involves testing functional work-flows across the modules, starting from Pre-Reg and ending in IDA
Test Automation - tools, approach, test code configuration management process, regular usage

Module

Testable Entities

Levels of Testing

1.2.2 Data Coverage

Data utility tools - approach, usage

2. Test Approach

Each module is tested, both manually and through automation software for effective test coverage.

A progressively evolving test approach is being adopted in both cases.

Manual Testing starts with module level functional coverage followed by --> integration across modules --> End to end workflow testing
Automation Testing starts with the fundamental building blocks like APIs, and grows up the stack.

Individual API verification is followed by --> API Integration testing --> integration across modules --> End to end workflow testing

4. Test Automation User Guides

4.1 Kernel Test Automation Suite - User Guide

4.1.1 About the Kernel Module

A critical interface module of MOSIP, Kernel is the core package on which MOSIP services are built upon and is a platform, which provides higher-level services and functions that shall be reused by other modules of MOSIP.

Kernel provides a foundation to build and run the services by providing several significant necessary technical functions. Kernel makes it easy to build the higher-level services (domain services, batch services and core services) by taking care of fundamental features so that individual services are concerned with specific business functions. Kernel provides an active framework that ensures structure and rules within which the higher-level services operate.

Kernel automation works with Restful and Java API’s.

The test execution module of the Kernel module involving API’s is as depicted below

4.1.2 Pre-requisites for understanding Java API automation

Knowledge on Java 8
Basic knowledge on Rest assured tool
Knowledge on Maven

4.1.3 Procedure to check out the test code from the repository

Create a workspace in the local system
Open git bash in the workspace
Enter the command :- git clone https://github.com/mosip/mosip-functional-tests.git

4.1.4 Pre-configuration information prior to test run

None

4.1.5 Procedure to Add new test cases into the API test suite

From the automationtests project, the test suites and cases can be located in the folder [src/main/resources]
Every API tests structure (model, api name and test case) are stored in a folder/sub-folder approach. Let us take an example of “Email Notification service” and explain how to add a new test

Every test case will have 2 json files named [request.json and response.json] in its sub-folder as shown below

In the request.json file, we need to mention the input that needs to be send to the API and response.json file contains the expected result for that particular input.

Based on the test cases, we need to add the test case folders with request and response files.

The readTestCases method from TestCaseReader class will read the folder names and give the test case names and readRequestResponseJson method from TestCaseReader class will read the request and response files from the tests.

4.1.6 Procedure to execute or Run the tests on a new environment

To run the automation suite of Kernel you will need an xml file named [testngKernel.xml], which will be available under [src/main/resources].
Add what are the test need to run in that xml file.
Add the path of the xml file in pom.xml file under maven surefire plugin.

4.1.7 Running a test suite

Right click project
Select “Run as configuration”
Under configuration select Maven build and create new maven build

Here regression means all tests other than smoke tests.

Select or Click the button “RUN”
Once the execution is completed, Test report will be generated in target/surefire-reports folder with the name MOSIP_ModuleLevelAutoRun_TestNGReport.html

4.1.8 Analyze the test reports

Open the report in Internet Explorer
The report will give the module name, total number of test case execution with pass, skipped and fail count
Report will provide the build version and also execution time

4.2 Pre-Registration Test Automation Suite - User Guide

4.2.1 About the Pre-Registration Module

This is the web channel of MOSIP, which facilitates capturing individual information, relevant documents and booking an appointment with a registration center. This helps to reduce registration time and optimize the process. The current web application is highly modular by design and with multi language support. This UI can be customized or modified as per the country's requirements. A country can also build a new web/mobile application on top of the back end services that MOSIP provides.

The test execution work-flow for the module Pre-Registration involving Rest API’s is as depicted below:

4.2.2 Pre-requisites for understanding Java API automation

Knowledge on Java 8
Knowledge on Rest services
Knowledge on maven

4.2.3 Procedure to checkout-out the test code from the repository

Navigate to git repository.
Copy URI
Open Git Bash

4.2.4 Pre-configuration information prior to test run

None

4.2.5 Procedure to Add new test cases into the API test suite

From the code repository of the module, the test suites and cases can be located in the folder [src/main/resources]
Every API tests structure (test suite and test case) are stored in a folder/sub-folder approach. Let us take an example of “Create_PreRegistration” and Here you can see Create_PreRegistration is the suite name and inside that we have list of test cases.
To add new test case we need to create a folder inside test suite folder. You can give folder name same as test case name

E.g. To book an appointment first we need to create an application, upload document, and then book appointment. Here for each operation we have created one method.

4.2.6 Procedure to execute or Run the tests on a new environment

To run the automation suite of Pre-Registration module you will need an xml file named [Pre-Registration_TestNG.xml], which will be available under [src/main/resources]. In this xml file we need to add class name which we want to run.

4.2.7 Running a test suite

Procedure to execute the [Reg-automation-service_TestNG.xml] xml File:

Right click the xml file Pre-Registration_TestNG.xml
Select “Run as configuration”
Run as Maven

Here,

Denv.user indicates environment name.
Denv.endpoint indicates base URI
Denv.testLevel indicates types of test case we want to run

4.2.8 Running a single test case

Right click on class, which you want to run.
Click on run as
Click on testing

4.2.9 Analyze the test reports

Once run is complete, then refresh project and go to target/surefire folder.
Open MOSIP_ModuleLevelAutoRun_TestNGReport.html report.
To analyze failure test case check exception message.

4.3 Registration Client Test Automation Suite - User Guide

4.3.1 About the Registration Client Module

An important client interface module of MOSIP, which captures the Biometric and Demographic information of the Individual resident. This module also stores supporting information such as proof documents and information about the guardian or introducer as per the configuration set by the Admin. The packet creation is finished in this module in a secure way using sophisticated encryption algorithm and later send to the server for online mode of processing. The registration client test suites comprises of tests related to UI and Java API’s.

The test execution module of the Registration client module involving Java API’s is as depicted below

4.3.2 Pre-requisites for understanding Java API automation

Knowledge on Java 8
Basic knowledge on Spring services and should know annotations
Knowledge on maven

4.3.3 Procedure to check out the test code from the repository

Instruction to checkout code from GitHub using Eclipse.

Open eclipse
Go to quick access and search “clone git”

A pop up will appear in that enter the URI, Host and Repository path as same as below. Pass your GitHub username and password and click on next.
Search the branch name, select it, and then click next. Our latest branch name as .
Browse the directory to pull the code.

4.3.4 Pre-configuration information prior to test run

None

4.3.5 Procedure to Add new test cases into the API test suite

From the code repository of the module, the test suites and cases can be located in the folder [src/test/resources]
Every API tests structure (test suite and test case) are stored in a folder/sub-folder approach. Let us take an example of “Email Notification service” and explain how to add a new test
Every test case will have a configuration property file named [condition.properties

Based on values set inside the condition.properties file test cases will fetch the data from yaml file and then call a data generator code internally which shall add meaningful right or incorrect values as test data into these variables. More information on the Yaml file can be found under appendix

4.3.6 Procedure to execute or Run the tests on a new environment

To run the automation suite of Registration Client module you will need an xml file named [Reg-automation-service_TestNG.xml], which will be available under [src/test/resources].

4.3.7 Running a test suite

Procedure to execute the [Reg-automation-service_TestNG.xml] xml File:

Right click the xml file Reg-automation-service_TestNG.xml
Select “Run as configuration”
Under configuration select [TestNG] and pass the VM argument as

4.3.8 Appendix

1. Java API

Java application programming interface (API) is a list of all classes that are part of the Java development kit (JDK). An application-programming interface (API), in the context of Java, is a collection of prewritten packages, classes, and interfaces with their respective methods, fields and constructors.

For more detail, refer to the

2. Yaml master data file

Yaml file is the master data set for testing the API, Sample Mater Data set is as below:

3. How to increase the data coverage inside Yaml file?

To increase the data coverage we can add as many as test data’s into the Yaml file

4. Any dependencies of values in the Database

None

4.4 Registration Processor Test Automation Suite - User Guide

4.4.1 About The Registration Processor Module

Registration Processor processes the data (demographic and biometric) of an Individual for quality and uniqueness and then issues a Unique Identification Number (UIN). The source of data are primarily from

MOSIP Registration Client
Existing ID system(s) of a country

The workflow of testing or running the test suite of the available API’s And Stages is as depicted below

4.4.2 Pre-requisites for understanding Rest API automation

Knowledge on Core Java
Basic knowledge on Rest assured library
Knowledge on Maven

4.4.3 Procedure to checkout-out the test code from the repository

Launch eclipse with new or existing workspace
Clone project from
Import the automationtests project into the eclipse.

4.4.4 Procedure to Add new test cases into the API test suite

Case 1: For API Level Testing

From the automationtests project, the testdata can be located in the folder [src/main/resources]
Every API tests structure (model, api name and test case) are stored in a folder/sub-folder approach. Let us take an example of “Sync Api Service” and explain how to add a new test

Case 2: For Stage Level Testing

From the automationtests project, the testdata can be located in the folder [src/main/resources]
Every stage can be tested by feeding negative packets to the system and expecting them to fail for the particular stage. Let us take the example of “OSI Validation Stage”
A sample property file looks like as follows:

4.4.5 Procedure to execute or Run the tests on a new environment

To run the automation suite of Reg-Proc, build the project and get the uber jar generated under target.
Run the jar using the command line “java -Denv.user= -Denv.endpoint= -Denv.testLevel= -jar ”
Example: java -Denv.user=qa -Denv.endpoint="eg:https://testenvname.mosip.io" -Denv.testLevel=smokeandregression -jar automationtests-refactor-0.9.1-jar-with-dependencies.jar
Note: env = qa,dev,int | testLevel=smoke,regression,smokeandregression

4.4.6 Analyze the test reports

Report can be opened in any Web browser (i.e. Internet Explorer)
The report will consist of module name, total number of test case executed with status as either pass, skipped and fail and their count.
Report will also display API name and corresponding test case names with execution time along with build version and execution time.

4.5 ID Authentication (IDA) Test Automation Suite - User Guide

4.5.1 About the ID-Authentication

MOSIP ID Authentication provides an API based authentication mechanism for entities to validate Individuals. ID Authentication is the primary mode for entities to validate an Individual before providing any service.

An example of how this service will work is as depicted below

The workflow of testing or running the test suite of the available API’s is as depicted below

4.5.2 Pre-requisites for understanding Rest API automation

Knowledge on Core Java
Basic knowledge on Rest assured library
Knowledge on Maven

4.5.3 Procedure to checkout-out the test code from the repository

Launch eclipse with new or existing workspace
Clone project from
Import the automationtests project into the eclipse.

4.5.4 Procedure to Add new test cases into the API test suite

From the automationtests project, the testdata can be located in the folder [src/main/resources]
Every API tests structure (model, api name and test case) are stored in a folder/sub-folder approach. Let us take an example of “Demo-Address Authentication service” and explain how to add a new test
Pre-requisites: open runConfiguration.properties file

Sample structure of the request.JSON file, which is being created at run time using the attributes defined in the TestData, which reads from the Yaml data file:

4.5.5 Procedure to execute or Run the tests on a new environment

To run the automation suite of ID-Authentication, build the project and get the uber jar generated under target.
Run the jar using the command line “java -Denv.user= -Denv.endpoint= -Denv.testLevel= -jar ”
Example: java -Denv.user=qa -Denv.endpoint="eg:https://testenvname.mosip.io" -Denv.testLevel=smokeandregression -jar automationtests-refactor-0.9.1-jar-with-dependencies.jar
Note: env = qa,dev,int | testLevel=smoke,regression,smokeandregression

4.5.6 Analyze the test reports

Report can be opened in any Web browser (i.e. Internet Explorer)
The report will consist of module name, total number of test case executed with status as either pass, skipped and fail and their count.
Report will also display API name and corresponding test case names with execution time along with build version and execution time.

4.5.7 Annexure

Yaml Test Data Format:

The sample structure should be like below:

TestData Keyword repository:

Keywords

KeywordName/Purpose

Example

4.6 E2E Test Automation Suite - User Guide

4.6.1 About The End To End Test Rig

End to end system level Test Rig covers the functionality across the modules starting with Pre-Registration and ending in Registration Processor or IDA.

The below diagram depicts the overall design of the end to end suite.

4.6.2 Pre Requisite To Understand The Flow Of E2E Test Rig

Knowledge on Core Java
Basic knowledge on Rest assured library
Knowledge on Maven

4.6.3 Procedure to checkout-out the test code from the repository

Launch eclipse with new or existing workspace
Clone project from
Import the e2etestrig project into the eclipse.

4.6.4 Basic Code Structure Of The E2E Rig

The E2E rig is a basic parent child maven project
It contains 5 child project which are as follows:
- Pre Registration which will generate list of Pre-IDs

4.6.4.1 A Code Structure For E2E run

The E2E code has the following prerequisite

Under src/test/resources we should have an input.json which contains a data to generate the list of preIDs.
All the module level suites should be up and running.
A sample pom for e2e looks like the following:

The pre Reg Automation has the following pre Requisite :
1. It should have an input.json file which will conation info about the adults and children against whom the preIDs are being generated.
The Reg Client Automation has the following pre Requisite:

4.6.5 Procedure to execute or Run the tests on a new environment

To run the automation suite simply select the “EndToEndRun.java” class under the package “io.mosip.e2e.runner”.
Report will be generated under “/testing-report.

4.6.6 Analyze the test reports

Report can be opened in any Web browser (i.e. Internet Explorer)
The report will consist of total number of test case executed with status as either pass, skipped and fail and their count.
Report will also display applicant type and corresponding test case names with execution time along with build version and execution time.

4.6.7 Limitations for the test rig

The rig is designed to run for only 5 packets.
The rig should run on a particular version of each module.

[
  {
    "id": "IDSchemaVersion",
    "description": "ID Schema Version",
    "label": {
      "primary": "IDSchemaVersion"
    },
    "type": "number",
    "minimum": 0,
    "maximum": 0,
    "controlType": null,
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "none",
    "inputRequired": false,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "IdSchemaVersion",
    "contactType": null,
    "group": null,
    "required": true
  },
  {
    "id": "UIN",
    "description": "UIN",
    "label": {
      "primary": "UIN"
    },
    "type": "string",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "none",
    "inputRequired": false,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "UIN",
    "contactType": null,
    "group": null,
    "required": false
  },
  {
    "id": "fullName",
    "description": "Full Name",
    "label": {
      "primary": "Full Name",
      "secondary": "الاسم الكامل"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [
      {
        "type": "regex",
        "validator": "^(?=.{3,50}$).*",
        "arguments": []
      }
    ],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "name",
    "contactType": null,
    "group": "FullName",
    "required": true
  },
  {
    "id": "dateOfBirth",
    "description": "dateOfBirth",
    "label": {
      "primary": "DOB",
      "secondary": "دوب"
    },
    "type": "string",
    "minimum": 0,
    "maximum": 0,
    "controlType": "ageDate",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [
      {
        "type": "regex",
        "validator": "^(1869|18[7-9][0-9]|19[0-9][0-9]|20[0-9][0-9])/([0][1-9]|1[0-2])/([0][1-9]|[1-2][0-9]|3[01])$",
        "arguments": []
      }
    ],
    "bioAttributes": null,
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "identity.isNew || (identity.isUpdate && (identity.updatableFieldGroups contains 'GuardianDetails' || identity.updatableFieldGroups contains 'DateOfBirth'))"
      }
    ],
    "subType": "dateOfBirth",
    "contactType": null,
    "group": "DateOfBirth",
    "required": true
  },
  {
    "id": "gender",
    "description": "gender",
    "label": {
      "primary": "Gender",
      "secondary": "جنس"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "dropdown",
    "fieldType": "default",
    "format": "",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "Gender",
    "contactType": null,
    "group": "Gender",
    "required": true
  },
  {
    "id": "addressLine1",
    "description": "addressLine1",
    "label": {
      "primary": "AddressLine1",
      "secondary": "العنوان السطر 1"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [
      {
        "type": "regex",
        "validator": "^(?=.{3,50}$).*",
        "arguments": []
      }
    ],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "addressLine1",
    "contactType": "Postal",
    "group": "Address",
    "required": true
  },
  {
    "id": "addressLine2",
    "description": "addressLine2",
    "label": {
      "primary": "AddressLine2",
      "secondary": "سطر العنوان 2"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [
      {
        "type": "regex",
        "validator": "^(?=.{3,50}$).*",
        "arguments": []
      }
    ],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "addressLine2",
    "contactType": "Postal",
    "group": "Address",
    "required": false
  },
  {
    "id": "addressLine3",
    "description": "addressLine3",
    "label": {
      "primary": "AddressLine3",
      "secondary": "العنوانالخط 3"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [
      {
        "type": "regex",
        "validator": "^(?=.{3,50}$).*",
        "arguments": []
      }
    ],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "addressLine3",
    "contactType": "Postal",
    "group": "Address",
    "required": false
  },
  {
    "id": "residenceStatus",
    "description": "residenceStatus",
    "label": {
      "primary": "Residence Status",
      "secondary": "حالة الإقامة"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "dropdown",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "residenceStatus",
    "contactType": null,
    "group": "ResidenceStatus",
    "required": false
  },
  {
    "id": "referenceIdentityNumber",
    "description": "referenceIdentityNumber",
    "label": {
      "primary": "Reference Identity Number",
      "secondary": "حالة الإقامة"
    },
    "type": "string",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "kyc",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [
      {
        "type": "regex",
        "validator": "^([0-9]{10,30})$",
        "arguments": []
      }
    ],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "none",
    "contactType": null,
    "group": "ReferenceIdentityNumber",
    "required": false
  },
  {
    "id": "region",
    "description": "region",
    "label": {
      "primary": "Region",
      "secondary": "منطقة"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "dropdown",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "Region",
    "contactType": "Postal",
    "group": "Location",
    "required": true
  },
  {
    "id": "province",
    "description": "province",
    "label": {
      "primary": "Province",
      "secondary": "المحافظة"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "dropdown",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "Province",
    "contactType": "Postal",
    "group": "Location",
    "required": true
  },
  {
    "id": "city",
    "description": "city",
    "label": {
      "primary": "City",
      "secondary": "مدينة"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "dropdown",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "City",
    "contactType": "Postal",
    "group": "Location",
    "required": true
  },
  {
    "id": "zone",
    "description": "zone",
    "label": {
      "primary": "Zone",
      "secondary": "منطقة"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "dropdown",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "Zone",
    "contactType": null,
    "group": "Location",
    "required": true
  },
  {
    "id": "postalCode",
    "description": "postalCode",
    "label": {
      "primary": "Postal Code",
      "secondary": "الكود البريدى"
    },
    "type": "string",
    "minimum": 0,
    "maximum": 0,
    "controlType": "dropdown",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "Postal Code",
    "contactType": "Postal",
    "group": "Location",
    "required": true
  },
  {
    "id": "phone",
    "description": "phone",
    "label": {
      "primary": "Phone",
      "secondary": "هاتف"
    },
    "type": "string",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [
      {
        "type": "regex",
        "validator": "^[+]*([0-9]{1})([0-9]{9})$",
        "arguments": []
      }
    ],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "Phone",
    "contactType": "email",
    "group": "Phone",
    "required": true
  },
  {
    "id": "email",
    "description": "email",
    "label": {
      "primary": "Email",
      "secondary": "البريد الإلكتروني"
    },
    "type": "string",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [
      {
        "type": "regex",
        "validator": "^[A-Za-z0-9_\\-]+(\\.[A-Za-z0-9_]+)*@[A-Za-z0-9_-]+(\\.[A-Za-z0-9_]+)*(\\.[a-zA-Z]{2,})$",
        "arguments": []
      }
    ],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "Email",
    "contactType": "email",
    "group": "Email",
    "required": true
  },
  {
    "id": "parentOrGuardianName",
    "description": "parentOrGuardianName",
    "label": {
      "primary": "Parent Name",
      "secondary": "اسم الوالدين"
    },
    "type": "simpleType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "evidence",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "( identity.isNew && identity.isChild ) || ( identity.isUpdate && identity.isChild )"
      }
    ],
    "subType": "parentOrGuardianName",
    "contactType": null,
    "group": "GuardianDetails",
    "required": false
  },
  {
    "id": "parentOrGuardianRID",
    "description": "parentOrGuardianRID",
    "label": {
      "primary": "Parent RID",
      "secondary": "الوالد RID"
    },
    "type": "string",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "evidence",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "( identity.isChild && (identity.parentOrGuardianUIN == nil || identity.parentOrGuardianUIN == empty) )"
      }
    ],
    "subType": "RID",
    "contactType": null,
    "group": "GuardianDetails",
    "required": false
  },
  {
    "id": "parentOrGuardianUIN",
    "description": "parentOrGuardianUIN",
    "label": {
      "primary": "Parent UIN",
      "secondary": "الأصل UIN"
    },
    "type": "string",
    "minimum": 0,
    "maximum": 0,
    "controlType": "textbox",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "evidence",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "( identity.isChild && (identity.parentOrGuardianRID == nil || identity.parentOrGuardianRID == empty) )"
      }
    ],
    "subType": "UIN",
    "contactType": null,
    "group": "GuardianDetails",
    "required": false
  },
  {
    "id": "proofOfAddress",
    "description": "proofOfAddress",
    "label": {
      "primary": "Address Proof",
      "secondary": "إثبات العنوان"
    },
    "type": "documentType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "fileupload",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "identity.isNew || ( identity.isUpdate && (identity.updatableFields contains 'addressLine1' || identity.updatableFields contains 'addressLine2' || identity.updatableFields contains 'addressLine3'))"
      }
    ],
    "subType": "POA",
    "contactType": null,
    "group": "Documents",
    "required": false
  },
  {
    "id": "proofOfIdentity",
    "description": "proofOfIdentity",
    "label": {
      "primary": "Identity Proof",
      "secondary": "إثبات الهوية"
    },
    "type": "documentType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "fileupload",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "identity.isNew || ( identity.isUpdate && identity.updatableFields contains 'fullName')"
      }
    ],
    "subType": "POI",
    "contactType": null,
    "group": "Documents",
    "required": true
  },
  {
    "id": "proofOfRelationship",
    "description": "proofOfRelationship",
    "label": {
      "primary": "Relationship Proof",
      "secondary": "إثبات العلاقة"
    },
    "type": "documentType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "fileupload",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "( identity.isNew && identity.isChild ) || ( identity.isUpdate && (identity.updatableFieldGroups contains 'GuardianDetails' || identity.isChild))"
      }
    ],
    "subType": "POR",
    "contactType": null,
    "group": "Documents",
    "required": false
  },
  {
    "id": "proofOfDateOfBirth",
    "description": "proofOfDateOfBirth",
    "label": {
      "primary": "DOB Proof",
      "secondary": "دليل DOB"
    },
    "type": "documentType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "fileupload",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "identity.isUpdate && identity.updatableFields contains 'dateOfBirth'"
      }
    ],
    "subType": "POB",
    "contactType": null,
    "group": "Documents",
    "required": false
  },
  {
    "id": "proofOfException",
    "description": "proofOfException",
    "label": {
      "primary": "Exception Proof",
      "secondary": "إثبات الاستثناء"
    },
    "type": "documentType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "fileupload",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "evidence",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "POE",
    "contactType": null,
    "group": "Documents",
    "required": false
  },
  {
    "id": "proofOfException-1",
    "description": "proofOfException",
    "label": {
      "primary": "Exception Proof",
      "secondary": "إثبات الاستثناء 2"
    },
    "type": "documentType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "fileupload",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "evidence",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": null,
    "requiredOn": [],
    "subType": "POE",
    "contactType": null,
    "group": "Documents",
    "required": false
  },
  {
    "id": "individualBiometrics",
    "description": "",
    "label": {
      "primary": "Applicant Biometrics",
      "secondary": "القياسات الحيوية الفردية"
    },
    "type": "biometricsType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "biometrics",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": [
      "leftEye",
      "rightEye",
      "rightIndex",
      "rightLittle",
      "rightRing",
      "rightMiddle",
      "leftIndex",
      "leftLittle",
      "leftRing",
      "leftMiddle",
      "leftThumb",
      "rightThumb",
      "face"
    ],
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "(identity.isNew || identity.isLost || ( identity.isUpdate && identity.updatableFieldGroups contains 'Biometrics'))"
      }
    ],
    "subType": "applicant",
    "contactType": null,
    "group": "Biometrics",
    "required": true
  },
  {
    "id": "individualAuthBiometrics",
    "description": "Used to hold biometrics only for authentication",
    "label": {
      "primary": "Authentication Biometrics",
      "secondary": "القياسات الحيوية الفردية"
    },
    "type": "biometricsType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "biometrics",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": [
      "leftEye",
      "rightEye",
      "rightIndex",
      "rightLittle",
      "rightRing",
      "rightMiddle",
      "leftIndex",
      "leftLittle",
      "leftRing",
      "leftMiddle",
      "leftThumb",
      "rightThumb",
      "face"
    ],
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "!identity.isChild && identity.isUpdate && !(identity.updatableFieldGroups contains 'Biometrics' || identity.updatableFieldGroups contains 'GuardianDetails')"
      }
    ],
    "subType": "applicant-auth",
    "contactType": null,
    "group": null,
    "required": false
  },
  {
    "id": "parentOrGuardianBiometrics",
    "description": "",
    "label": {
      "primary": "Guardian Biometrics",
      "secondary": "القياسات الحيوية للوالدين"
    },
    "type": "biometricsType",
    "minimum": 0,
    "maximum": 0,
    "controlType": "biometrics",
    "fieldType": "default",
    "format": "none",
    "fieldCategory": "pvt",
    "inputRequired": true,
    "validators": [],
    "bioAttributes": [
      "leftEye",
      "rightEye",
      "rightIndex",
      "rightLittle",
      "rightRing",
      "rightMiddle",
      "leftIndex",
      "leftLittle",
      "leftRing",
      "leftMiddle",
      "leftThumb",
      "rightThumb",
      "face"
    ],
    "requiredOn": [
      {
        "engine": "MVEL",
        "expr": "(identity.isChild && identity.isNew) || (identity.isUpdate && identity.updatableFieldGroups contains 'GuardianDetails')"
      }
    ],
    "subType": "introducer",
    "contactType": null,
    "group": "Biometrics",
    "required": false
  }
]

Sandbox Installer

Overview

The Sandbox is a safe environment isolated from your PC's underlying environment. You may use the sandbox to execute files without having to worry about malicious files or unstable programs impacting data on the system.

System Requirement

This section describes handy information that is useful to know when operating the Sandbox Installer which is tested under mentioned configuration.

Component

Number of VMs

Configuration

Persistence

*vCPU: Virtual CPU

** Console has all the persistent data stored under /srv/nfs. Recommended storage here is SSD or any other high IOPS disk for better performance

Introduction

The Multi-VM Sandbox Installer is a fully automated deplorer that incorporates all MOSIP modules into a virtual machine cluster that can be either cloud or on premise.

The sandbox can be used for development and testing, while the Ansible scripts run MOSIP on a multi-virtual machine (VM) setup.

Caution - The sandbox is not intended for use by serious pilots or for production purposes. Also, do not run the sandbox with any confidential data.

Minibox

In Minibox, note that for any form of load or multiple pod replication scenarios, this may not be sufficient. It is possible, however, to enable the feature to bring up MOSIP modules with lesser VMs as below:

Component

Number Of VMs

Configuration

Persistence

Precondition

Terraform is a tool to securely and efficiently develop, edit, and update infrastructure. Using Terraform scripts available in _terraform/._the initial installation stage is achieved. AWS scripts are being used and maintained at present.

It is strongly recommended that the scripts be analyzed in depth before running them.

Virtual Machines (VMs) Setup

Before, MOSIP modules installation process that runs on a preset time or when a predefined condition, need to have VMs set up on all Machines. The user must ensure if the CentOS 7.8 OS is installed on all the machines:

Create user 'mosipuser' on console machine with password-less sudo su
The hostname must match hostnames in hosts.ini on all machines. Set the same with
Enable Internet access on all machines

Software Prerequisites

To ensure proper installation, install these pre-requisites manually:

Git
Git Clone
Ansible

On the Installation Options, click git to install on your machine:

In User Home Directory, select Git Clone and switch to appropriate branch:

Install Ansible and create shortcuts:

Sandbox Architectural View

Installing MOSIP

This section helps you to plan an installation of MOSIP suited to your environment. Before installing MOSIP, it is recommended that the scripts be analyzed in depth before running them.

Site Settings

Suited to your configuration, update hosts.ini. Make sure your configuration matches the system names and IP addresses
In group_vars/all.yml change sandbox_domain_name to domain name of the console machine
By default, installation scripts will try to fetch Letsencrypt's new SSL certificate for the above domain. If you already have the same, however, then set the following variables in the file group

Network Interface

It is the interconnection between a computer and a public or private network. If it is other than “eth0” by your cluster machines, update it to group_vars/k8s.yml

Ansible Vault

In the Ansible vault _secrets.yml_file, all the secrets (passwords) used in automation are stored. To access the file, the default password is 'foo'. Changing this password with the following command is recommended:

The contents of secrets.yml can be viewed and edited based on following command:

Install MOSIP

When this equipment is connected to your machine it allows you to install MOSIP modules using command:

If a message prompting you for password, enter default vault password "foo" to proceed installation.

MOSIP Configuration

This section provides the following major sections to describe how to configure and verify the proper interface. The sandbox installs with default general configuration. To configure MOSIP differently, refer to the following sections:

Domain Name System (DNS)

DNS translates human readable domain names to machine readable IP addresses. A private DNS (CoreDNS) is mounted on the console machine by default, and /etc/resolv.conf refers to this DNS on all machines.

However, if you want to use DNS cloud providers (like Route53 on AWS), disable the installation of a private DNS by setting the following flag:

Ensure your DNS routing is taken care of by your cloud deployment. Uncomment the Route53 code for AWS in the scripts given in the:

The corends.yml ``playbook configures the CoreDNS and updates the /etc/resolv.conf file for all devices. If a system needs to be restarted, re-run the playbook to restore /etc/resolv.conf.

Local Docker Registry

This part contains information about hosting your own registry using the Local Docker Registry.

Local Registry on Console

Instead of using the default Docker Hub, you may run a local Docker registry. This is particularly useful when the Kubernetes cluster is sealed for protection on the Internet. With this sandbox, a sample Docker registry implementation is available, and you can run the same by triggering the following in group_vars/all.yml.

Notice that this register is running on the computer on the console and can be accessed as console.sb:5000. Control is through http and not through https.

Ensure that in this registry you pull all the appropriate Dockers and update versions.yml.

Caution: If you delete/reset this registry or restart the console computer, all the registry contents will be lost and the Dockers will have to be removed again.

Additional Local Registries:

If you wish to have additional local registries for Dockers, then list them here:

The list here is necessary to ensure that http access from cluster machines is allowed for the above registries.

Private Dockers

When you set up a private registry, you assign a server to communicate with Docker Hub over the internet. If you are pulling Dockers in Docker Hub from the private registry, then provide secrets.yml with the Docker Hub credentials and set the following flag in:

Update with versions.yml your Dockers versions.

Sandbox Access

When installing the default Sandbox, you must have a public domain name, so that the domain name refers to the console computer. However, if you want to access your internal network's Sandbox (for example via VPN), set the following in group_vars/all.yml:

A self-signed certificate is created and the sandbox access URL is hostname}}'

Secrets

All secrets are stored in secrets.yml. Edit the file and change all of the passwords for a secure Sandbox. For creation and testing, defaults will be used, but be aware that the sandbox will not be secure with defaults. In order to edit secrets.yml.

If you update PostGres passwords, you will need to update their ciphers in the property files. See the section below on Config Server. To be able to find out the text password, all the passwords used in. properties were added to secrets.yml- some of them for purely informational purposes.

Caution : Make sure that secrets.yml is updated when you change any password in. properties.

Config Server

Config server is one of the more popular centralized configuration servers used in a micro service-based application. For all modules, configurations are defined through property files located in the GitHub repository. For example, for this sandbox, the properties are located within the sandbox folder at .

You can have a repository of your own with a folder containing files for properties. On GitHub, the repo will be private. In group vars/all.yml, configure the following parameters as below (example):

If private: true, then, in group vars/all.yml, update your GitHub username as above. Please change the password to secrets.yml:

The repo is cloned to the NFS mounted folder if local git repo is allowed, and the config server pulls the properties locally. This option is useful if the sandbox is secured without access to the Internet. You should search git-in locally for any changes. Remember, however, that you will have to push them manually if you want the changes to be reflects in the parent GitHub repo. When making improvements to the configuration repo, there is no need to restart the config-server pod.

If you have updated the default passwords in secrets.yml, create these password ciphers and update the changed password property files. After the config server is up, the ciphers can be created from the console machine using the following curl command:

The above command connects via input to the Config server pod of the MZ cluster. You may also use the script to encrypt all the secrets at once by the following methods:

Several secrets are required in Ansible's secrets.yml in the config server property files. We use config server encryption to encrypt the secrets in order to prevent explicit text secrets in properties using the following command:

The script here converts all secrets in secrets.yml using above command implemented in Python.

Prerequisites:

Install required modules using
Ensure config server is running
Set the server URL in config.py

Pre-Reg Captcha

Captcha protects your website from fraud and abuse. It uses an advanced risk analysis engine and adaptive challenges to keep malicious software.

Get Captcha for the sandbox domain from "Google Re-captcha Admin" if you would like to allow Captcha for Pre-Reg UI. Get reCAPTCHA v2 keys for "I'm not a robot"
Set Captcha as:

OTP Setting

As below, to receive OTP (one-time password) over email and SMS set properties:
- SMS
  - File:

Master Data

Before you start installing the sandbox, load country-specific master data:

Ensure the Master Data .csv files are available in a folder, say my_dml
Add the following line in group_vars/all.yml ``-> databases -> mosip_master

Pod Replication

For production setups you may want to replicate pods more than the default replication factor of 1. Upgrade podconfig.yml to the same file. A separate production file can be generated and pointed to from group vars/all.yml ``--> podconfig file.

Taints

A taint allows a node to refuse pod to be scheduled unless that pod has a matching toleration. Kubernetes offers the functionality of taints to run a pod solely on a node. This is especially useful during performance tests where you would like to assign different nodes to non-MOSIP components.

By default, in the sandbox, taints are not added. The following modules have been provided with provisions to allow taints for:

Postgres
Minio
HDFS
Set the following in group

Ensure the above setting is done before you install the sandbox.

TPM for Reg Client

By default, the sandbox installs a disabled Trusted Platform Module (TPM) Reg Client Downloader.

Reg Client Downloader:

Convert helm template to helm values:

To enable TPM to use trusted private/public Reg client machine private/public keys, do the following:

Update the registered client downloader TPM environment variable:
If, before installing the sandbox, you have done the above, then you may skip this step. Otherwise, if the downloader reg client is already running on your sandbox, delete it and restart as follows:
(Wait for all resources to get terminated)

Add the name and public key in MOSIP-master/machine-master and MOSIP-master/machine-master table of the registered client machine in DB. Using TPM Utility, you can get your machine's public key

Utility to obtain public TPM keys along with the name of the computer

Prerequisites:

Build:

Run:

(Use jar-with-dependencies to run under target folder)

Machine Master Table:

The publicKey, signingPublicKey, keyIndex and signingKeyIndex - all of them to be populated in the machine_master table of mosip_master DB.

Download the registered client from domain name}}/registration-client/1.1.3/reg-client.zip

Configure Pre-Reg for ID Schema

The sandbox comes with its default ID Schema (in Master DB, identity_schema table) and Pre-Reg UI Schema pre-registration-demographic.json. In order to use different schemas, do the following:

Ensure new ID Schema is updated in Master DB, identity_schema table
Replace mosip-config/sandbox/pre-registration-demographic.json with new Pre-Reg UI Schema

Registration Client with Mock MDS and Mock SDK

Download Reg Client:

Download zip file from:
Unzip the file and launch registered client by running run.bat
Reg client will generate public/private keys in the following folder

Run MDS:

Run mock MDS as per procedure give here: Mock MDS
Pickup device details from this repo. You will need them for device info updates in the later step

Add Users in Keycloak:

Make sure keycloak admin credentials are updated in config.py
Add users like registration officers and supervisors in csv/keycloak_users.csv with their roles

Device Provider Partner Registration:

Update the following CSVs in PMS DML directory. On sandbox the DMLs are located at /home/mosipuser/mosip-infra/deployment/sandbox-v2/tmp/partner-management-services/db_scripts/mosip_pms/dml
- pms-partner.csv
- pms-partner_h.csv

IDA Check:

Disable IDA check in registration-mz.properties:

Launch Reg Client:

Set Environment Variable mosip.hostname to {sandbox domain name}
Login as a user (e.g. 110011) with password (MOSIP) to login into the client

Integrations

Guide to Work with Real HSM

Introduction:

The default sandbox uses simulator of HSM called SoftHSM. To connect to a real HSM you need to do the following:

Create client.zip
Update MOSIP properties
Point MOSIP services to HSM

client.zip:

The HSM connects over the network. Client.zip, which is a package of self-dependent PKCS11client.zip file is extracted from the artifactory when Dockers launch, unzipped, and install.sh is executed.

The zip must fulfil the following:

Contain an install.sh
Available in the artifactory

install.sh

This script must fulfil the following:

Have executable permission
Set up all that is needed to connect to HSM
Able to run inside Dockers that are based on Debian, inherited from OpenJDK Dockers

Properties:

Update the following properties in Kernel and IDA property files:

Ensure you restart the services after this change.

Caution: The password is highly critical. To encrypt it, make sure you use a really strong password (using Config Server encryption). In addition, Config Server access should be very tightly regulated.

Artifactory:

Artifactory is built as a Docker in the sandbox and accessed via services. In that Docker, replace the client.zip. The changed Docker can be uploaded to your own Docker Hub registry for subsequent use.

HSM URL

HSM is used by Kernel and IDA services. Point the TCP URL of these services to new HSM host and port:

The above parameter is available in the Helm Chart of respective service.

Integrating Antivirus Scanner

In MOSIP, virus scanners can be implemented at different levels. ClamAV is used as an antivirus scanner by default. If you want your anti-virus (AV) to be incorporated, the same can be achieved as follows:

Registration Client

Running your AV on the registration client machine is sufficient. Not required for integration with MOSIP.

Server

This is implemented as a part of Kernel ClamAV project project. MOSIP uses this project to scan registration packets. You may integrate your anti-virus (AV) in the following ways:

Option 1
The registration packets are stored in Minio. Several AVs provide traffic flow analysis in line with the stream to defend against hazards. This form of implementation based on the network can be carried out without any alteration of the MOSIP code. But to ensure that network traffic passes through your AV, a careful network configuration is required.
Option 2
To support your AV at the code level, the following Java code has to be altered. In VirusScannerImpl.java

BioSDK Integration

In reg client, reg proc, and ida, the biosdk library is included. The guide offers steps for these integrations to be enabled here.

Integration with IDA

It is expected that Biosdk will be available as an HTTP service for IDA. The ID Authentication module then calls this service. To build such a service, refer to the reference implementation. /service contains service code; while /client contains client code that is combined with the IDA that connects to the service. This service can be operated as a pod or hosted outside the cluster within the Kubernetes cluster.

It is important to compile the client code into biosdk.zip and copy it to Artifactory. It is currently available at the following address:/artifactory/libs-release-local/biosdk/mock/0.9/biosdk.zip. This zip is downloaded by IDA dockers and installed during docker startup.

Integration with Reg Proc

The above service works for regproc as well.

Integration of External Postgres DB

Sandbox Parameters

****

Make sure the Postgres is configured as 'UTC' for the time zone. This configuration is set to postgresql.conf when you install Postgres.

Integration with External Print Service

Introduction

MOSIP provides a reference implementation of print service that interfaces with the MOSIP system.

Integration Steps

Ensure the Following:

Compliant libraries, is reqartifactoryervices to link to HSM. MOSIP services install the same thing before the services start. The HSM vendor must have this library. The 1. Websub runs as domain name}/websub on MOSIP and is accessible externally via Nginx. Websub runs on DMZ and nginx in the sandbox as configured for this access
Your service is able to register a topic with Websub with a callback url

This p12 key and password is used in your print service
Your print service reads the relevant (expected) fields from received credentials
Your print service is able to update MOSIP data share service after successfully reading the credentials

Dashboards Guide

This guide includes numerous tips for using various dashboards made available as part of the default installation of the sandbox. The links to various dashboards are available at:

KIBANA

A default dashboard to display the logs of all MOSIP services is installed as part of the sandbox installation. To view the Dashboard:

Go to Kibana Home
On the drop down on the top left select Kibana->Dashboard
In the list of dashboards search for "MOSIP Service Logs"

Kubernetes Dashboard

Dashboard links:
MZ: domain name}/mz-dashboard
DMZ: domain name}/dmz-dashboard
On the console machine, the tokens for the above dashboards are accessible at_

Grafana

Link:
domain name}/grafana
Recommended charts:
11074 (for node level stats)

Admin

Open the MOSIP Admin portal from the home page of the sandbox. Login with superAdmin username, MOSIP password.

Sanity Checks

The Sanity Check Procedures are the steps to verify that an installation is ready to be tested by a system administrator. In quality audits sanity check is consider as a major activity. It performs a quick test to check the main functionality of the software.

Checks while Deployment

During deployment all pods should be 'green' on the dashboard of Kubernetes, or both these commands would display pods in 1/1 or 2/2 state if you are on the command line.
Some pods that show status 0/1 Complete are Kubernetes jobs - they will not turn 1/1.
Note the following namespaces

Module

Namespace

To check pods in a particular namespace. Example:
If any pod is 0/1 then the Helm install command times out after 20 minutes
Following are some useful commands:
Some pods have logs available in logger-sidecar as well. These are application logs.

Module Basic Sanity Checks

Quick Sanity Check of Pre-Registration

Open Pre-Reg home page:
domain name}/pre-registration-ui/
Enter your email or phone no to create an account

Registration Processor Test Packet Uploader

Prerequisites

Auth Partner Onboarding

Packet Creation

Refer to notes in config.py and data/packet*/ptkconf.py for various parameters of a packet. Parameters here must match records in Master DB.

Following example packets are provided. All these are for new registration:

Packet1: Individual 1 biometrics, no operator biometrics
Packet2 : Individual 2 biometrics different from above, no operator biometrics
Packet2 : Individual 2 biometrics with operator biometrics of Individual 1

Clearing the DB

This is optional. To see your packet clearly, you may want to clear all records of previous packets in mosip_regprc tables:

Provide your postgres password.

Caution: Ensure that you want to clear the DB. Delete this script if you are in production setup.

Upload Registration Packet

Use the following command:

Verify

Verify the transactions as below:
Provide postgres password. Note that it may take several seconds for packet to go through all the stages. You must see a SUCCESS for all stages.
UIN should have got generated

Reset

Before we look at how to reset installation, you should ensure you have a recent backup of the clusters and persistence data.

Performing a reset will wipe out all your clusters and delete all persistence data. To reset your machine back to fresh install, run the following script:

If a message prompting you to confirm the reset of machine, select the option “Yes/No” to proceed.

Persistence

Persistent data in the field of data processing is available over Network File System (NFS) that is hosted on console at location /srv/nfs/mosip.

For any persistent data, all pods write to this location. If required, you can backup this folder.

Note:

Postgres is initialized only once and populated. Postgres is not initialized if persistent data is present in /srv/nfs/mosip/postgres. In order to force an init, execute the following:
Postgres includes data from Keycloak. Keycloak-init does not overwrite any data, but just updates and adds information. If you want to clean up data from Keycloak, you need to manually clean it up or reset all postgres.

Useful Tools

There are plenty of tools are installed with preinstall.sh to help in fact shortcuts commands to troubleshoot and diagnose technical issues or just little hacks that make tasks a little quicker.

Shortcut Commands

The second part after adding above:

Tmux

Tmux means that you can start a Tmux session and then open multiple windows inside that session. To enable it copy the config file as following:

Property File Comparator

This is tool to compare text and Property to find the difference between two text files**(*.properties)**:

MOSIP Java Coding Standards

MOSIP - Java Development Coding Standard

Repository Structure

In MOSIP, the source code modules are categorized under different repositories:

Commons - This contains common reusable library modules and service modules
- Kernel - The collection of common reusable library modules and services
- ID-Repo - The ID Repository services used by many of the MOSIP modules

If a new source code module is planned to be added, and if it is a reusable library / service on which other modules will be depending on, then it should be added under Commons, otherwise, it can be created as a separate repository.

Source Code Organization in a MOSIP Repository

Source code of any feature in MOSIP will be organized as below:

feature-parent
feature-core - jar
feature-common - jar

Feature-Parent Module

This should be a POM module that aggregates all the sub-modules. This should contain,

List of all sub-modules
Common properties such as versions used by all sub-modules
Common dependencies used by all of the sub-modules

Feature-Core Java Library Module

There should be a JAR module that defines core source code files such as,

APIs (Application Programming Interfaces)
SPIs (Service Provider Interfaces)
Common Utility classes

Common Implementation Module

There can be a JAR module that provides abstract base implementations or common implementations of the APIs and SPIs. Other modules such as service module will be depending on this module using the API/SPI implementations or extending their base implementations.
Any Service implementation class should have 'Impl' suffix.

Spring Boot Service Modules

A feature can have one or more Spring Boot Service modules, each will have one or more related services.
Each Spring Boot Service Modules will be deployed as a separate deployment unit such as a docker container. So each will contain the separate Dockerfile containing the docker build instructions for that module.
Each Spring Boot Service Modules should be configured with Swagger configuration (except specific cases where) for easy understanding of the feature, easy unit-testing and verification for the developers.

Classes/Interfaces in MOSIP

In MOSIP following naming of Class/Interfaces their names should be of Camel cases, without any underscore.
They should have following suffixes in their names and they should be under appropriate package name based on their category,
- XyzService - For a Service interface. A service class should not be annotated with

Using Lombok for Data classes

All data classes such as DTOs, Entity classes use Lombok annotations to automatically create appropriate constructors, getters and setters.
Make sure to setup the IDE used for the development for using Lombok.

MOSIP JPA Repository

Any JPA repository created in MOSIP should be extending the base MOSIP Repository interface io.mosip.kernel.core.dataaccess.spi.repository.BaseRepository.
Appropriate database configurations properties should be added to the app configuration file.

Commons/Kernel - MOSIP Common Libraries/Services

MOSIP has many common libraries and services implemented under Commons/Kernel repository.
Kernel-Core module contains may common utility classes such as Loggers, DateUtils, StringUtils and Crypto-Core etc… Also many utility services such as Kernel-KeyManager, Kernel-CryptoService, Kernel-Audit-Service, Kernel-Auth-Service, etc... .
If any common utility needs to be implemented, first check Commons/Kernel if such utility is already present and make sure it is not already implemented in Commons/Kernel. It is always welcomed to contribute any new features/ bug fixes for the existing utilities, instead of creating a new utility.

REST Services Request and Response:

Any request and response content in a service in MOSIP should be of application/json content type.
Any byte arrays to be returned in response should be Base-64-URL encoded within the response.
If any sensitive information is getting transferred in the request/response, the request/response block should be encrypted using the MOSIP public key.

For example:

Java Coding Standard

Number of lines

The number of lines in the Java files is restricted to 2000 lines. Beyond 2000 lines, the java file is refactored into multiple files.

Class and Interface

Each java file contains one public class or interface.

When some private classes and interfaces are associated, this can be in the same file.

Declare the public class and interface as the first declaration in the file.

Ordering

When a java file is written, the following order is maintained,

Beginning documentation comment

The beginning comment should be in a C-style comment. Following is the format of the comment.

Package statement

The first non-comment line is the package statement.

Import statement

After a line-break below the package statement, import statements are placed. The import statements are grouped and segregated by a line-break. For example,

Do not use asterisk symbol while importing packages.

Class or Interface comment for documentation

This comment will be going in to the Javadocs

Public class or interface definition

Then the public class or interface is defined.

Then other private class or interface are followed.

Inside a class or interface

Following is the order of elements inside the class declaration

Constant fields

Constant fields (static and final fields) should be on the top inside a Class

Non-final static fields

Then any non-final static fields are followed

Instance variables

The public class variables are followed by the protected and the private variables. These can be final or non-final fields.

Initializing Fields in a class

Do not initialize non-primitive fields with null in a Class;
Always initialize non-static fields from constructors in a Class.
Avoid using static non-final fields in a class. If it required for any specific reason, avoid initializing it in a constructor or a post-construct method.

Constructors

The constructor declarations ordered by the number of parameters.

Method declarations

The methods are ordered by the functionality. The methods need not to be in the order of scope or accessibility.

Indentation

The indentation unit it TAB.

Line length

The number of characters in a line should not exceed 80 characters

Wrapping lines

When the number of characters exceed the limit, the line should be broken into multiple lines. The following standard is used during the line breaks,

Break the line after the comma
Break before the operator
From higher-level breaks go to the lower-level breaks.

Comments

There are two types of comments in Java.

Implementation comments
Documentation comments

Both the comment types are used in the source code of MOSIP.

Implementation Comment

This is the comment type used for better understanding of the code. Most of the times, the source code will be maintained by different people. The programmer writes these comments so that the other programmers will come to know the functionality of the code in plain English language. Following lines are used.
Java source code can have their implementation comments in various parts of code blocks/lines with appropriate description about what the code block or line is doing.
Specifically the if-else if-else

Block Comments

When the developer needs to explain in detail about some functionality, block comments are used. Block comments are used anywhere in the code. It can be for the class or interface declarations or it can be within the java methods also. Example of block comments:

Single-Line Comments

Single line comments are used for short description. For example,

Trailing Comments

Trailing comments are given in the same line where the source code resides. For example,

End-Of-Line comments

The end-of-line comments are also used in the source file. For example,

Documentation comments

Documentation comments are used to generate the javadoc files.
Every source code file in Java should have proper Java Documentation such as description, Author and Version.
All Classes, Interfaces, Methods, Fields should have appropriate clear description about each.

Example:

Declarations

Number of variables per line

One variable is declared per line.

Placement of variables

Variables are declared at the beginning of the code block. For example,

Class and Interface Declarations

No space between a method name and the parenthesis "(" starting its parameter list
Open brace "{" appears at the end of the same line as the declaration statement
Closing brace "}" starts a line by itself indented to match its corresponding opening statement,

Methods

A method should follow the "Single Responsibility" principle that will perform only one task. If it seems to do multiple sub-tasks, each sub-tasks should be created as a new method and then be invoked in that method.
If there is a logic even of a single line getting repeated in more than one place, it should be made as a separate method.
A method line count should not exceed 80 lines. If required break the blocks of code in the method to separate methods.

Method Parameters

Never re-assign a parameter value. This may lead to unpredictable bugs.
Don't use too many number of parameters. Keep the maximum number of method parameters to 5 for simplicity.
Prefer method parameter type to be more generic such as a Super Interface or Super Class. For example, List instead of ArrayList

Method Return Statement

Never return null for an Array return type. Return an empty array of 0 like return new String[0].
Never return null for a Set/List/Map collection return types. Return corresponding empty values such as Collections.emptySet(), Collections.emptyList() or Collections.emptyMap();

Statements

Simple Statements

Each line should contain at most one statement. Example:

Compound Statements

Compound statements are statements that contain lists of statements enclosed in braces
The enclosed statements should be indented one more level than the compound statement.
The opening brace should be at the end of the line that begins the compound statement; the closing brace should begin a line and be indented to the beginning of the compound statement.

"return" Statements

A return statement with a value should not use parentheses unless they make the return value more obvious in some way. Example:
Refer to for more information.

if, if-else, if-else if-else Statements

Always curly braces are used in the if-else statements. Even though there is a single statement below the if-else statement, curly braces is used. For example,
If there is a Boolean value to be returned in a method or assigned to a variable based on an if-else condition, the condition itself should be returned or assigned instead of true or false for the condition. For example,

Conditional Expressions

If any binary operator is used before "?" in the ternary operator, then parentheses is used.

Prefer if-else statement over conditional expressions if it gets complex with the condition or the statements.
Avoid using nested conditional expressions for better readability.

"switch" Statements

A switch statement should have the following form:

Every time a case falls through (doesn't include a break statement), add a comment where the break statement would normally be. This is shown in the preceding code example with the /* falls through */ comment.
Every switch statement should include a default case. The break in the default case is redundant, but it prevents a fall-through error if later another case is added.

White Space

Blank Lines

Only for the following situations 2 blank lines are used,

Between 2 different sections of the source file
If you have more than one class or interface, use 2 blank lines

Only for the following situations, 1 blank line is used,

Between method declarations.
Between the variable declarations and the method code.
Before the block comment or line comment.

Blank Spaces

Under the following circumstances, blank space are used,

When a keyword followed by parenthesis, a blank space should be given after the keyword. For example,

In the argument list, the parameters are given a space after comma.

Naming Conventions

Package names

All the package name in MOSIP application starts with io.mosip. Refer to section for various kinds or classes and the package names under which they should be kept.

Classes

The names given to classes are always nouns and in camel case. Refer to section for various kinds or classes and their names.

Interfaces

The names given to interface is always noun and in camel case. Refer to section for various kinds or interfaces and their names.

Methods

The method names are always verbs and in camel case. For example

Variables

The variable names are short and meaningful. Any new observer can understand the meaning of the variable. No single letter variable names are used. Camel case is used when declaring variables.

Constants

The constants are given the name in capital letters. The words in the names are separated by underscore.
String literals should not be used in the code directly. Declare them as constant in the class.
Magic Numbers should not be used in code, they should be declared as constants.

Programming Practices

Providing Access to Instance and Class Variables

The instance variables should not be made public unless you have a specific reason.
Provide the most restrictive access to the fields, methods and Inner Classes such as private, default or protected. Avoid giving public access to them unless it is really required. Avoid using public non-final fields in a Class.

Referring to Class Variables and Methods

Always use the class name to call the static method. For example,

Constants

Numerical values should not be used in the code directly. Declare them and use it in the code. For example,

Variable Assignments

Avoid multiple assignments in the same line. For example,

Prefer primitive type variables over boxed types wherever possible. For example, prefer int, boolean and long over their Boxed counterparts such as Integer, Boolean and Long.

Optional

Use Optional return type in a method to avoid null checking. When there is possible to return null for a method, return Optional.empty().
Use OptionalInt or OptionalLong return type in a method when there is an unknown value of Integer/Long to be returned like -1

Lambdas

Lambda Expressions

Prefer Method Reference over a Lambda Expression

Keep Lambda Expressions Short and Self-explanatory so that it is easy to understand. . Provide clear understandable name to the parameters in Lambda Expressions.
Always use parameter type inference. For example,
Do not use the parenthesis for a single parameter lambda expression.

Functional Interfaces

Prefer Standard Functional Interfaces over creating a similar one unless it is really required. Use Standard Functional interfaces, which are gathered in the java.util.function package, satisfy most developers' needs in providing target types for lambda expressions and method references.
On a new Functional Interface declaration always use @FunctionalInterface annotation. This is not only for the documentation purpose but also to avoid accidentally breaking the Functional Interface behavior.

For example:

Streams

Prefer Streams over for loops. Streams are more readable and functional than the "for" loops, as they support operations such as map, flatMap, filter, reduce and collect.
Exception handling in the streams are carefully handled.
Avoid mutating objects within Collection.forEach() or Stream.forEach()

Exceptions

MOSIP applications should never allow to exit abruptly because of a critical error. Even if there is a critical error there should be a graceful exit with proper information about the error.

Exception hierarchy

Each feature should be defining their own Checked and Unchecked Exceptions by extending io.mosip.kernel.core.exception.BaseCheckedException and io.mosip.kernel.core.exception.BaseUncheckedException .

Throwing exceptions

Throw specific exceptions in a method, rather than generic exceptions. For example,

Documenting exceptions

The exceptions are documented clearly. For example,

Catching exceptions

Always prefer to use try-with-resource block when applicable like instantiating a Input or Output stream/reader or Connection, which are AutoCloseable.
The following example uses a try-with-resources statement to automatically close a java.sql.Statement object:

A try-with-resources statement can have catch and finally blocks just like an ordinary try statement.
Always catch specific exceptions over a more generic exceptions like Exception/Throwable class. For example,

Never leave a catch block empty. Either handle the exception, or say proper reason for doing nothing in it.

Use multi-catch blocks wherever possible to club common handling of multiple exceptions.
Always log exceptions to file in a catch block for debugging purpose.

Error and Throwable are never caught in MOSIP.

Exception handling in a Service module

Any service module should handle their exceptions in a common place such as a common Exception Handler which can be annotated with @ControllerAdvice or @RestControllerAdvice
Any service in MOSIP should never return error code other than 200. One or more errors to be reported in the response be returned as an array as part of "errors" attribute.

Logs

Log levels

Logs are classified and logged accordingly. Following are the various log levels used in the MOSIP application.

TRACE
DEBUG
INFO

The log levels are configured according to the environment such as Development, Testing, UAT or Production. For example, the log levels in production is from WARN. Whereas in Development and Testing environment, it is from TRACE.

MOSIP log component

MOSIP's log component from the core-kernel is used to log entries. The log module in the core-kernel is used to log all the log entries.

First create a logger utility class under the core module of the feature like below:

To log any information/error/debug in a class,
- create a logger instance in that class as below: private static Logger mosipLogger = XYZLogger.getLogger(MyClass.class);
- In appropriate places invoke the appropriate log method of mosipLogger such as

MOSIP log format

Every log entry contains the following format,

For example,

No sensitive information is logged

Never log any sensitive information such as user credentials, individual identity information to the log, mask the data if required before logging.
Care should be taken, not to log any sensitive information is logged. Modules leads to review the code to ensure that no sensitive information is logged.

Audit Logging in MOSIP

Any service in MOSIP should invoke Kernel's AuditManager REST Service for audit logging of the status of the services such as
- Success
- Failure

Common utilities

Apache Commons is used to handle the common utilities like StringUtil, FileUtil, Hashcode, toString, null check etc., are

In case if Apache Commons doesn't have the necessary utilities, the util project from mosip-core is used.

Miscellaneous Practices

Following are the miscellaneous practices which are followed in MOSIP.

Parenthesis

Parenthesis are used in the code liberally to improve the readability and for precedence clarity.

Type Casting

Never type cast a variable without doing instanceof checking.
Avoid unnecessary type casting when the type of the value/expression is already assigned to a correct variable type/return type.

Generics

Avoid using Generic classes without Parameter types. For example:

Use diamond operator while constructing Generic objects. For example:

Method Calls Chaining

While chaining multiple method calls, keep one method call per line for better clarity and easy debugging of any issue (especially to get line number in exception stack trace where exactly is the error/exception occurs). For example:

Special Comments

Special comments are used to give a hint for further development. Following are the special comments used in the MOSIP project,
- TODO
- FIXME

References

MDS Specification

Introduction & Background

Objective

The objective of this specification document is to establish the technical and compliance standards/ protocols that are necessary for a biometric device to be used in MOSIP solutions.

Target Audience

This is a biometric device specification document and aims to help the biometric device manufacturers, their developers, and their designers in building MOSIP-compliant devices. It is assumed that the readers are familiar with MOSIP registration and authentication services.

MOSIP Devices

All devices that collect biometric data for MOSIP should operate within the specification of this document.

Revision History

Version

State

Date

Changes

Glossary of Terms

Device Provider - An entity that manufactures or imports the devices in their name. This entity should have legal rights to obtain an organization-level digital certificate from the respective authority in the country.
FTM Provider - An entity that manufactures or guarantees the trustworthiness of the foundational trust module. This can be the device provider as well.
Device - A hardware capable of capturing biometric information.

Device Specification

The MOSIP device specification provides compliance guidelines devices for that to work with MOSIP. The compliance is based on device capability, trust and communication protocols. A MOSIP-compliant device would follow the standards established in this document. It is expected that the devices are compliant with this specification and tested and validated. The details of each of these are outlined in the subsequent sections.

Device Capability

The MOSIP-compliant device is expected to perform the following,

Should have the ability to collect one or more biometric
Should have the ability to sign the captured biometric image or template.
Should have the ability to protect secret keys

Base Specifications for Devices

For details about biometric data specifications please view the page .

We recommend that countries look at ergonomics, accessibility, ease of usage, and common availability of devices while choosing devices for use in registration and authentication scenarios.

Device Trust

MOSIP-compliant devices provide a trusted environment for the devices to be used in registration, KYC and AUTH scenarios. The trust level is established based on the device support for trusted execution.

L1 - The trust is provided by a secure chip with a secure execution environment.
L0 - The trust is provided at the software level. No hardware-related trust exists. This type of compliance is used in controlled environments.

Foundational Trust Module (FTM)

The foundational trust module would be created using a secure microprocessor capable of performing all required biometric processing and secure storage of keys. The foundational device trust would satisfy the below requirements.

The module can securely generate, store and process cryptographic keys.
Generation of asymmetric keys and symmetric keys with TRNG.
The module can protect keys from extraction.

The foundational device trust derived from this module is used to enable trust-based computing for biometric capture. The foundational device trust module provides a trusted execution environment based on the following:

Secure Boot
- Ability to cryptographically verify code before execution.
- Ability to check for integrity violations of the module/device.

Certification

The FTM should have at least one of the following certifications in each category to meet the given requirement.

Category: Cryptographic Algorithm Implementation

CAVP (RSA, AES, SHA256, TRNG (DRBGVS), ECC)

The supported algorithm and curves are listed

Category: FTM Chip

(ONE of the following certifications)

FIPS 140-2 L3 or above
PCI PTS 5 or above (Pre-certified)
PCI - PED 2.0 or above (Pre-Certified)

System/Device Level Tamper (optional)

System/Device Level Tamper Responsiveness is recommended (not mandatory). In this case, FTM should be capable of showcasing Tamper Responsiveness (keys must be erased) against a tamper at the system/device level.

Threats to Protect

The FTM should protect against the following threats.

Hardware cloning attacks - Ability to protect against attacks that could result in a duplicate with keys.
Hardware Tamper attacks
- Physical tamper - No way to physically tamper and obtain its secrets.

Foundational Trust Module Identity

Upon FTM provider approval by the MOSIP adopters, the FTM provider would submit a self-signed public certificate to the adopter. Let us call this the FTM root. The adopter would use this certificate to seed their device's trust database. The FTM root and their key pairs should be generated and stored in FIPS 140-2 Level 3 or more compliant devices with no possible mechanism to extract the keys. The foundational module upon its first boot is expected to generate a random asymmetric key pair and provide the public part of the key to obtain a valid certificate. The FTM provider would validate to ensure that the chip is unique and would issue a certificate with the issuer set to an FTM certificate chain. The entire certificate issuance would be in a secured provisioning facility. Auditable upon notice by the adopters or its approved auditors. The certificate issued to the module will have a defined validity period as per the MOSIP certificate policy document defined by the MOSIP adopters. This certificate and private key within the FTM chip is expected to be in its permanent memory.

The validity of the chip certificate can not exceed 20 years from the date of manufacturing.

Device

MOSIP devices are most often used to collect biometrics. The devices are expected to follow the specification for all levels of compliance and their usage. The MOSIP devices fall under the category of Trust Level 3 (TL3) as defined in MOSIP architecture. At TL3 device is expected to be whitelisted with a fully capable PKI and secure storage of keys at the hardware.

L0 - A device can obtain L0 certification when it uses a software-level cryptographic library with no secure boot or FTM. These devices will follow different device identities and the same would be mentioned as part of exception flows.
L1 - A device can obtain L1 certification when it is built in a secure facility with one of the certified FTM.

Device Identity

All devices that connect to MOSIP must be identifiable. MOSIP believes in cryptographic Identity as its basis for trust.

Physical ID

An identification mark that shows MOSIP compliance and a readable unique device serial number (minimum of 12 alphanumeric characters) make and model. The same information has to be available over a 2D QR Code or Barcode. This is to help field support and validation.

Digital ID

A digital device ID in MOSIP would be a signed JSON (RFC 7515) as follows:

Signed with the JSON Web Signature (RFC 7515) using the "Foundational Trust Module" Identity key, this data is the fundamental identity of the device. Every MOSIP-compliant device will need the foundational trust module.

The only exception to this rule is for the L0-compliant devices that have the purpose of "Registration". L0 devices would sign the Digital Id with the device key.

A signed digital ID would look as follows:

The header in the digital id would have:

MOSIP assumes that the first certificate in the x5c is the FTM's chip public certificate issued by the FTM root certificate.

An unsigned digital ID would look as follows:

Payload is the Digital ID JSON object.

For an L0 unregistered device, the digital id will be unsigned. In all other scenarios, except for a discovery call, the digital ID will be signed either by the chip key (L1) or the device key (L0).

Accepted Values for Digital ID

Parameters

Description

Keys

List of keys used in the device and their explanation.

Device Key

Each biometric device would contain an authorized private key after the device registration. This key is rotated frequently based on the requirement of the respective adopter of MOSIP. By default, MOSIP recommends a 30-day key rotation policy for the device key. The device keys are created by the device providers inside the FTM during a successful registration. The device keys are used for signing the biometric. More details of the signing and its usage will be . This key is issued by the device provider and the certificate of the device key is issued by the device provider key which in turn is issued by the MOSIP adopter after approval of the device provider's specific model.

FTM Key

The FTM key is the root of the identity. This key is created by the FTM provider during the manufacturing/provisioning stage. This is a permanent key and would never be rotated. This key is used to sign the Digital ID.

MOSIP Key

The MOSIP key is the public key provided by the MOSIP adopter. This key is used to encrypt the biometric. Details of the encryption are listed below. We recommend rotating this key every 1 year.

Device Service - Communication Interfaces

The section explains the necessary details of the biometric device connectivity, accessibility, discover-ability and protocols used to build and communicate with the device.

The device should implement only the following set of APIs. All the APIs are independent of the physical layer and the operating system, with the invocation being different across operating systems. While the operating system names are defined in this spec a similar technology can be used for unspecified operating systems. It is expected that the device service ensures that the device is connected locally to the host.

Device Discovery

Device discovery would be used to identify MOSIP-compliant devices in a system by the applications. The protocol is designed as a simple plug-and-play with all the necessary abstractions to the specifics.

Device Discovery Request

Accepted Values for Device Discovery Request

type - "Biometric Device", "Finger", "Face", "Iris"

"Biometric Device" - is a special type and is used in case you are looking for any biometric device.

Device Discovery Response

Accepted Values for Device Discovery Response

Parameters

Description

The response is an array that we could have a single device enumerating with multiple biometric options.
The service should ensure to respond only if the type parameter matches the type of device or the type parameter is a "Biometric Device".

Windows/Linux

All the device API will be based on the HTTP specification. The device always binds to any of the available ports ranging from 4501 - 4600. The IP address used for binding has to be 127.0.0.1 and not localhost.

The applications that require access to MOSIP devices could discover them by sending the HTTP request to the supported port range. We will call this port the device_service_port in the rest of the document.

HTTP Request:

HTTP Response:

The payloads are JSON in both cases and are part of the body.
CallbackId would be set to the http://127.0.0.1:<device_service_port>/. So, the caller will use the respective HTTP verb/method and the URL to call the service.

Android

For details on android specifications please view the section - .

Device Info

The device information API would be used to identify the MOSIP-compliant devices and their status by the applications.

Device Info Request

Accepted Values for Device Info Request

Device Info Response

So the API would respond in the following format.

Allowed values for Device Info Response

Parameters

Description

The response is an array that we could have a single device enumerating with multiple biometric options.
The service should ensure to respond only if the type parameter matches the type of device or the type parameter is a "Biometric Device".

Windows/Linux

The applications that require more details of the MOSIP devices could get them by sending the HTTP request to the supported port range. The device always binds to any of the available ports ranging from 4501 - 4600. The IP address used for binding has to be 127.0.0.1 and not localhost.

HTTP Request:

HTTP Response:

The payloads are JSON in both cases and are part of the body.

Android

For details on android specifications please view the section - .

Capture

The capture request would be used to capture a biometric from MOSIP-compliant devices by the applications. The captured call will respond with success to only one call at a time. So, in case of a parallel call, the device info details are sent with the status "Busy".

Capture Request

The count value should be driven by the count of the bioSubType for Iris and Finger. For Face, there will be no bioSubType but the count should be "1".

Allowed Values for Capture Request

Parameters

Description

NFIQ v1.0 on a scale of 0-100 (quality score).

Scale

NFIQ v1.0

Capture Response

Accepted Values for Capture Response

Parameters

Description

The entire data object is sent in JWT format. So, the data object will look like this:

Windows/Linux

The applications that require capturing biometric data from a MOSIP device could do so by sending the HTTP request to the supported port range.

HTTP Request:

HTTP Response:

The payloads are JSON in both cases and are part of the body.

Android

For details on android specifications please view the section - .

Device Stream

The device would open a stream channel to send live video streams. This would help when there is an assisted operation to collect biometrics. Please note the stream APIs are available only for the registration environment.

Used only for registration module-compatible devices. This API is visible only for the devices that are registered for the purpose of "Registration".

Device Stream Request

Allowed Values for device Stream Request

Parameters

Description

Device Stream Response

Live Video stream with a quality of 3 frames per second or more using .

The preview should have quality markings and segment markings. The preview would also be used to display an error message on the user screen. All error messages should be localized.

Error Response for Device Stream

Windows/Linux

The applications that require more details of the MOSIP devices could get them by sending the HTTP request to the supported port range.

HTTP Request:

HTTP Response: HTTP Chunk of frames to be displayed. Minimum frames 3 per second.

Android

For details on android specifications please view the section - .

Registration Capture

The registration client application will discover the device. Once the device is discovered the status of the device is obtained with the device info API. During the registration, the registration client sends the RCAPTURE API and the response will provide the actual biometric data in a digitally signed non-encrypted form. When the Device Registration Capture API is called the frames should not be added to the stream. The device is expected to send the images in ISO format.

The requestedScore is on a scale of 1-100 (NFIQ v2.0 for fingerprints). So, in cases where you have four fingers the average of all will be considered for the capture threshold. The device would always send the best frame during the capture time even if the requested score is not met.

The API is used by devices that are compatible with the registration module. This API should not be supported by devices that are compatible with authentication.

Registration Capture Request

To capture the exception photo exception value for Iris or Finger should be sent in bio.exception for bio.type = 'Face'. ICAO checks are not mandatory here but one face must be present within the frame.

Accepted Values for Registration Capture Request

Parameters

Description

Registration Capture Response

Allowed Values for Registration Capture Response

Parameters

Description

Windows/Linux

The applications that require more details of the MOSIP devices could get them by sending the HTTP request to the supported port range.

HTTP Request:

HTTP Response: HTTP response.

Android

For details on android specifications please view the section - .

Certificates

The MOSIP server would provide the following retrieve encryption certificate API which is white-listed to the management servers of the device provider or their partners.

Retrieve Encryption Certificate Request URL

POST https://{base_url}/v1/masterdata/device/encryptioncertficates

Version: v1

Retrieve Encryption Certificate Request

The request is sent in a JWT format. So the final request will look like this:

Accepted Values for Retrieve Certificate Request

Encryption Certificate Response

The entire response is sent in a JWT format. So the final response will look like this:

Management Server and Management Client

Management Server Functionalities and Interactions

The management server has the following objectives.

Validate the devices to ensure they genuine devices from the respective device provider. This can be achieved using the device info and the certificates for the Foundational Trust Module.
Register the genuine device with the MOSIP device server.
Manage/Sync time between the end device and the server. The time to be synced should be the only trusted time accepted by the device.

As there is no adopter-specific information being exchanged at the management server or the FTM provisioning server, there are no mandates from MOSIP where these are located globally. However, the adopter is recommended to have an audit and contractual mechanisms to validate the compliance of these components at any point in time.

Management Client

The management client is the interface that connects the device with the respective management server. The communication between the management server and its clients must be designed with scalability, robustness, performance and security. The management server may add many more capabilities than what is described here, But the basic security objectives should be met at all times irrespective of the offerings.

For better and more efficient handling of the device at large volumes, we expect the devices to auto-register to the Management Server.
All communication to the server and from the server should follow the below properties.
1. All communication is digitally signed with the approved algorithms

Compliance

L1 Certified Device / L1 Device - A device certified as capable of performing encryption on the device inside its trusted zone. L0 Certified Device / L0 Device - A device certified as one where the encryption is done on the host inside its device driver or the MOSIP device service.

Secure Provisioning

Secure provisioning applies to both the FTM and the Device providers.

The devices and FTM should have a mechanism to protect against fraudulent attempts to create or replicate.
The device and FTM trust should be programmed in a secure facility that is certified by the respective MOSIP adopters.
The organization should have a mechanism to segregate the FTMs and Devices built for MOSIP using a cryptographically valid and repeatable process.

As there is no adopter-specific information being exchanged at the management server or the FTM provisioning server, there are no mandates from MOSIP where these are located globally. However, the adopter is recommended to have an audit and contractual mechanisms to validate the compliance of these components at any point in time.*

Compliance Level

API

Compatible

Cryptography

Supported algorithms:

Usage

Algorithm

Key Size

Storage

No other ECC curves are supported.

Signature

In all the above APIs, some of the requests and responses are signed with various keys to verify the requester's authenticity. Here we have detailed the key used for signing a particular block in a request or response body of various APIs.

Request/Response

Block

Signature Key

Android SBI Specification

This section explains the mechanism for the SBI devices to communicate in the android operating system.

Status

Draft document V 0.9

Approach

Discovery will return the appId of the discovered items. Users will be given a choice to choose one of the discovered SBI app. The selected app responds back to the intent using the default intent callback functionality.

Device Discovery

Request: io.sbi.device action: io.sbi.device data: no change type: application/json Request Schema: No change in the data structure. The serialized request data as byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The serialized response data (byte array) is set in the intent extras with the key as “response”.

callbackId should be set to the appId, and can not be empty in android.

Device Info

Request: appId.Info action: appId.Info data: no change type: application/json Request Schema: No change in the data structure. The serialized request data as a byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The serialized response data as a byte array is set in the intent extras with the key as “response”.

deviceInfo: callbackId should be set to the appId, can not be empty in android.

Capture

Request: appId.Capture action: appId.Capture data: no change type: application/json flag: FLAG_GRANT_READ_URI_PERMISSION Request Schema: No change in the data structure. The serialized request data as a byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The response content is set as content URI “content://authority/path/id” in the intent extras as a string with the key as “response”.

URI must be invalidated right after the read.

rCapture

Request: appId.rCapture action: appId.rCapture data: no change type: application/json flag: FLAG_GRANT_READ_URI_PERMISSION Request Schema: No change in the data structure. The serialized request data as a byte array is set in the intent extras with the key as “input”. Response Schema: No change in the data structure. The response content is set as content URI “content://authority/path/id” in the intent extras as a string with the key as “response”.

The content provider should not support insert, update, delete

Device Stream

On receiving rCapture request MDS must show the stream within its UI in the foreground.

Security

Ensure to set the correct authority in the manifest and set the android:exported as “False”

Android Tab Specs

Android 9 (API Level 28) and above with hardware-backed key store.

Error Codes

Code

Message

Master Data Services Functionality

Master Data Management

Location Hierarchy

Create Location Hierarchy

Upon receiving a request to add Location hierarchy (e.g., Country - Region - Province - City- LAA) with the input parameters (code, name, hierarchy_level, hierarchy_level_name, parent_loc_code ,lang_code and is_active), the system stores the Location hierarchy in the Database

While storing the location hierarchy in the database, the system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (128) - Mandatory

Update a Location

On receiving a request to update a Location with the input parameters (code, name, hierarchy_level, hierarchy_level_name, parent_loc_code, lang_code and is_active), the system updates the Location in the Location Database for the code received.

The system performs the following steps to update the location in the Master Database:

Validates if all required input parameters have been received as listed below for each specific request
- code character (36) - Mandatory
- name character (128) - Mandatory

Verify Location

Upon receiving a request to validate the Location Name with input parameters (Location Name), the system checks the Location Name in the Master Database

While checking the location in the Database, the system performs the following steps:

Validates if the request contains the following input parameters
- Location Name - Mandatory
If the mandatory input parameters are missing, throw the appropriate message

Fetch Location Hierarchy Levels based on a Language Code

Upon receiving a request to fetch the Location Hierarchy Levels with input parameters (Language Code), the system fetches the Location Hierarchy Levels in the requested language. The following steps are performed by the system:

Validates if the request contains following input parameters (Language Code)
- Language Code - Mandatory
Validates if the response contains the Location Hierarchy Levels with the following attributes

Fetch the Location Hierarchy Data based on a Location Code and a Language Code

Upon receiving a request to fetch all the Location Hierarchy Data with input parameters (Location Code and Language Code), the system fetches the Location Hierarchy Data based on requested Location code and language code. The following steps are performed by the system:

Validates if the request contains the following input parameters
- Location Code - Mandatory
- Language Code - Mandatory

Fetch the Location Hierarchy Data for the bottom next hierarchy based on a Location Code and a Language Code

Upon receiving a request to fetch all the Location Hierarchy Data with input parameters (Location Code and Language Code), the system fetches the Location Hierarchy Data for the next hierarchy level. The following steps are performed by the system:

Validates if the request contains the following input parameters
- Location Code - Mandatory
- Language Code - Mandatory

Delete a Location

On receiving a request to delete a Location with the input parameters (code), the system updates the is_deleted flag to true in the Location Database against the code received.

The system performs the following steps in order to delete the loaction received in the code:

Validates if all required input parameters have been received as listed below for each specific request
Delete all records for the code received
Deleted record are not be deleted again

List of Holidays

Create Holiday

Upon receiving a request to add Holiday Data with the input parameters (location_code, holiday_date, holiday_name, holiday_desc, lang_code and is_active), the system stores the Holiday in the Database. The following steps are performed by the system:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- location_code - Character - 128 - Mandatory

Update Holiday

This API should only be accessible to Global Admin
The API should accept only the below parameter
- id - Character - 36 - Mandatory

Fetch List of Holidays based on a Registration Center ID, a Year and a Language Code

On receiving a request to fetch the list of Holidays with the input parameters (Registration Center ID, Year and Language Code), the system fetches the list of Holidays mapped to a Registration Center and for the year and Language Code received in input parameter as per the below steps:

Validates if the received request contains the following input parameters
- Registration Center ID - Mandatory
- Year - Mandatory

Biometric Authentication Type

Create Biometric Authentication Type

On receiving a request to add Biometric Authentication Type (e.g., Fingerprint, Iris) with the input parameters (code, name, descr, lang_code and is_active), the system stores the Biometric Authentication Type in the Database as per the below steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory

Fetch the List of Biometric Authentication Type based on a Language Code

On receiving a request to fetch the List of Biometric Authentication Type with input parameters (Language Code), the system fetches the List of Biometric Authentication Type against the Language Code as per the below steps:

Validates if the request to add Biometric Authentication Type contains the following parameters
- Language Code - Mandatory
If the mandatory input parameters are missing, responds with all the data.

Biometric Attribute Type

Create Biometric Attribute

On receiving a request to add Biometric Attribute (e.g., Right Thumb, Left Thumb) with the input parameters (code, name, descr, bmtyp_code, lang_code and is_active), the system stores the Biometric Attribute in the Database as per the below steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory

Fetch the List of Biometric Attributes based on the Biometric Authentication Type and a Language Code

On receiving a request to fetch the List of Biometric Attributes with input parameters (Biometric Authentication Type and Language Code), the system fetches the List of Biometric Attributes against the Biometric Authentication Type and the Language Code Received as per the below steps:

Validates if the request contains the following input parameters
- Biometric Authentication Type - Mandatory
- Language Code - Mandatory

Gender

Create Gender Types

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory

Update a Gender Type

On receiving a request to update a Gender Type with the input parameters (code, name, lang_code and is_active), the system updates the Gender Type in the Gender Type Database for the code received as per the below steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory

Check the existence of a Gender in Master Database

On receiving a request to validate the Gender Name with input parameters (Gender Name), the system checks the Gender Name in the Master Database as per the below listed steps:

Validates if the request contains the following input parameters
- Gender Name - Mandatory
If the mandatory input parameters are missing, throws the appropriate message.

Fetch the List of Gender Types based on a Language Code

On receiving a request to fetch the List of Gender Types with the input parameters (Language Code), the system fetches the List of Gender Types against the Language Code received as per the below listed steps:

Validates if the request contains the following input parameters
- Language Code - Mandatory
If the Language code is missing, responds with all the data.

Document Category

Create Document Category in Master Database

On receiving a request to add Document Category with the input parameters (code, name, descr, lang_code and is_active), the system stores the Document Category in the Database as per the below listed steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory

Update a Document Category in the Document Category Master Database

On receiving a request to update a Document Category with the input parameters (code, name, descr, lang_code and is_active), the system update the Document Category in the Document Category Database for the Code received as per the below listed steps:

The API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory

Fetch list of Document Categories based on a Language Code

On receiving a request to fetch Document Category Details with the input parameters (Language Code), the system fetches all the Document Categories for the Language Code Received as per the below listed steps:

Validates if all required input parameters have been received as listed below for each specific request
- Language Code - Mandatory
If the mandatory input parameters are missing, responds with all the data.

Document Type

Create Document Type

On receiving a request to add Document Type with the input parameters (code, name, descr, lang_code and is_active), the system stores the Document Type in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory

Update a Document Type

On receiving a request to update a Document Type with the input parameters (code, name, descr, lang_code and is_active), the system updates the Document Type in the Document Type Database for the Code received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory

Delete a Document Type

On receiving a request to delete a Document Type with the input parameters (code), the system updates the is_deleted flag to true in the Document Type Database against the code received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
Delete all records for the code received

Applicant Type - Document Category - Document Type Mapping

Fetch list of Document Categories based on Applicant Type from Master Database

Upon receiving a request to fetch List of Document Categories with the input parameters (Applicant Type Code), the system fetches all the Document Categories for the Applicant Type Code Received

While fetching the list of documents, the system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- Applicant Type Code - Mandatory
If the mandatory input parameter is missing, responds with the appropriate error message

Fetch List of Document Category-Document Type mappings based on Applicant Type and a List of Language Codes

Upon receiving a request to fetch List of Document Category-Document Type mappings with input parameters (Applicant Type and List of Language Codes), the system fetches the required data

While fetching the data, the system performs the following steps:

Validates if the request contains the following input parameters
- Applicant Type - Mandatory
- List of Language Codes - Mandatory

Delete a Document Category-Type mapping in the Document Category-Type mapping Master Database

On receiving a request to delete a Document Category-Type mapping with the input parameters (doccat_code, doctyp_code), the system updates the is_deleted flag to true in the Document Category-Type mapping Database against the input received

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- doccat_code - character (36) - Mandatory
- doctyp_code - character (36) - Mandatory

Fetch applicant type based on Individual Type Code, Date of Birth, Gender Type Code and Biometric Exception Type

On receiving a request to get Applicant type with input parameters (Individual Type Code, Date of Birth, Gender Type Code and Biometric Exception Type), the system derives the Applicant Type from the input parameter and performs the following steps:

Validates if the request contains the following input parameters
- Individual Type Code - Mandatory
- Date of Birth - Mandatory

Check the mapping of Applicant Type-Document Category Name-Document Type Name

On receiving a request to check the mapping of Applicant Type-Document Category-Document Type mapping parameters (Applicant Type, Document Category Name and Document Type Name), the system checks the mapping and performs the following steps:

Validates if the request contains the following input parameters
- Applicant Type Code
- Document Category Name

List of Rejection Reasons

Create a Rejection Reason in Reason List Master Database

Upon receiving a request to add a Reason with the input parameters (code, name, descr, rsncat_code, lang_code and is_active), the system stores the Reason in the Database

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- code - character (64) - Mandatory

Fetch the requested list of reasons based on Reason Category Code and Language Code

Upon receiving a request to Fetch the requested List of Reasons with the required input parameters (Reason 1. Category Code, Language Code), the system fetches the requested List of reasons stored against the Reason Category Code and Language Code received.

The system performs the following steps:

Validates if the request contains the following input parameters
- Language Code - Mandatory
- Reason Category Code - Mandatory

List of Languages

Create List of Languages

After receiving a request to add Language Details with the input parameters (code, name, family, native_name and is_active), the system stores the Language Details in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (3) - Mandatory
- name - character (64) - Mandatory

Fetch the List of Languages

After receiving a request to fetch the List of Languages, the system fetches the List of Languages and performs the following steps:

Validates if the response contains the List of all Languages with the following attributes
- Language Code - Mandatory
- Language Name - Mandatory

Update and Delete a Language in the List of Languages Master Database

Update

After receiving a request to update a Language with the input parameters (code, name, family, native_name and is_active), the system updates the Language Details in the List of languages Database for the Code received in request

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (3) - Mandatory
- name - character (64) - Mandatory

Delete

After receiving a request to delete a Language with the input parameters (code), the system updates the is_deleted flag to true in the List of languages Database against the code received in request

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (3) - Mandatory
Deleted record should not be deleted again

List of Titles

Create a Title

On receiving a request to add a Title (e.g., MR., Mrs.) with the input parameters (code, name, descr, lang_code and is_active), the system stores the Title in the Database and performs the following steps:

The API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory

Update a Title

On receiving a request to update a Title with the input parameters (code, name, descr, lang_code and is_active), the system updates the Title in the Title Database for the code received and performs the following steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory

Fetch the List of Titles

On receiving a request to fetch Title Details with the input parameters (Language Code), the system fetches all the Titles with all the attributes for the Language Code Received

The system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- Language Code - Mandatory
If the mandatory input parameters are missing, responds with all the data.

Template File Format

Create Template File Format

On receiving a request to add Template File Format with the input parameters (code, descr, lang_code and is_active), the system stores the Template File Format in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- descr - character (256) - Mandatory

Create Template File Format

Update and Delete a Template File Format in Template File Format Master Database

Update

On receiving a request to update a Template File Format with the input parameters (code, descr, lang_code and is_active), the system updates the Template File Format in the Template File Format Database for the Code received

While updating the Template File Format, the system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- descr - character (256) - Optional

Delete

On receiving a request to delete a Template File Format with the input parameters (code), the system updates the is_deleted flag to true in the Template File Format Database against the code received

While deleting the Template File Format, the system performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
Delete all records for the code received

List of Template Types

MOSIP system can create Template Type in the Master Database.

Upon receiving a request to add Template Type (e.g., SMS Notification template - New Registration) with the input parameters (code, descr, lang_code and is_active), the system stores the Template Type in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- descr - character (256) - Mandatory

List of Templates

Create Template

On receiving a request to add a Template with the input parameters (id, name, descr, file_format_code, model, file_txt, module_id, module_name, template_typ_code, lang_code and is_active), the system stores the Template in the Database and performs the following steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 128 - Mandatory

Fetch Template based on a Template Type and a Language Code

On receiving a request to fetch a Template with the input parameters (Template Type Code and List of Language Code), the system fetches the Template for the Template Type Code and all Language Codes received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- Template Type Code - Mandatory
- List of Language Code - Mandatory

Update a Template

On receiving a request to update a Template with the input parameters (id, name, descr, file_format_code, model, file_txt, module_id, module_name, template_typ_code, lang_code and is_active), the system updates the Template in the Template Database for the id received and performs the following steps:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- id - Character - 36 - Mandatory

List of Blacklisted Words

Create Blacklisted Words

Upon receiving a request to add a Blacklisted Word with the input parameters (code, name, descr, lang_code and is_active), the system stores the Blacklisted Word in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- word - character (128) - Mandatory
- descr - character (256) - Optional

Update a Blacklisted Word

Upon receiving request to update a Blacklisted Word with the input parameters (code, name, descr, lang_code and is_active), the system updates the Blacklisted Word in the Blacklisted Word Database for the code received and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- word- character (128) - Mandatory
- descr - character (256) - Optional

Delete a Blacklisted Word

Upon receiving a request to delete a Blacklisted Word with the input parameters (code), the system updates the is_deleted flag to true in the Blacklisted Word Database against the code received and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- word- int - Mandatory
Deleted record are not deleted again

Fetch List of Blacklisted words based on a Language Code

Upon receiving a request to Fetch the List of Blacklisted words with input parameters (Language Code), the system fetches the List of Blacklisted words against the Language Code received

While fetching the black listed words, the system performs the following steps:

Validates if the request contains the following input parameters
- Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message.

List of Reason Categories

MOSIP system can create a Reason Category in Master Database

Upon receiving a request to add Reason Category with the input parameters (code, name, descr, lang_code and is_active), the system stores the Reason Category in the Database and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory

List of Applications

Create a List of Applications

Upon receiving a request to add Application with the input parameters (code, name, descr, lang_code and is_active), the system stores the Application in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- name - character (64) - Mandatory

Fetch List of Applications based on received input parameter

Fetch the List of all Applications

Upon receiving a request to Fetch List of Applications, the system fetches all the List of Applications and performs the following steps:

Validates if the response contains the following attributes for each Application
- Application ID
- Application Detail

Fetch the Application detail based on a Language Code and Application ID

Upon receiving a request to Fetch List of Applications with the required input parameters (Application ID, Language Code), the system fetches the Application Detail based on the Application ID and Language Code received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- Application ID - Mandatory
- Language Code - Mandatory

List of ID Types

Create an ID type

Upon receiving a request to add an ID Type with the input parameters (code, name, descr, lang_code and is_active), the system stores the ID Type in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- code - character (36) - Mandatory
- code - character (64) - Mandatory

Fetch the List of ID Types based on Language Code

Upon receiving a request to fetch the List of ID Types with input parameters (Language Code), the system fetches the List of ID Types against the Language Code Received

Refer below for the process:

Validates if the request contains the following input parameters
- Language Code - Mandatory
If the mandatory input parameters are missing, throws the appropriate message. Refer "Messages" section below.

User Details

Upon receiving a request to fetch the user history record with input parameters (User ID and Date Timestamp), the system fetches all the attributes of the user from the history table and performs the following steps:

Validates if all required input parameters have been received as listed below for each specific request.
- User ID - Mandatory
- Date Timestamp - Mandatory

Fetch RID based on a User ID

Receive request to retrieve RID based on input parameter (User ID, App ID)
- User ID and App ID both will be mandatory
Fetch the RID

Document Type to Category Mapping

Create a mapping record of Document Type and Document Category in Valid Document Mapping Master Database

Upon receiving a request to add a mapping of Document Type and Document Category with the input parameters (doctyp_code, doccat_code) the system stores the Mapping of Document type and Document category in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- doctyp_code - character - 36 - mandatory
- doccat_code - character - 36 - mandatory

Remove a mapping record of Document Type and Document Category in Valid Document Mapping Master Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- doctyp_code - character - 36 - mandatory
- doccat_code - character - 36 - mandatory

Working and Non-Working Days

API should be able to fetch working days for a Center based on a Center ID

Refer below for the process:

The API should support taking Center ID and Language Code as an mandatory input parameter
The API should respond to the source with all the days of the week for the Center in the language received
Each day should have an attribute marking whether the day is a working day or off-work day

If the working days are not defined against the Center, the API should fetch the globally defined working and non-working days.

The API should throw error messages in scenarios mentioned in error messages section.

Exceptional Holidays for a Center

API should be able to fetch any defined exceptional holiday dates for a Center based on a Center ID

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- Center ID - character - 10 - mandatory
API should respond to the source with all the exceptional holiday dates for the Center ID received

Registration Management

Registration Center Type

Create Registration Center Type

On receiving a request to add Registration Center Type with the input parameters (code, name, descr, lang_code and is_active), the system stores the Registration Center Type in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory

Update a Registration Center Type

On receiving a request to update a Registration Center Type with the input parameters (code, name, descr, lang_code and is_active), the system Updates the Registration Center Type Details in the Registration Center Type Database for the Code received

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory

Registration Center

Create a Registration Center

Upon receiving a request to add Registration Center with the input parameters, the system Stores the Registration Center in the Database

Refer below for the process:

The system validates if all required input parameters have been received as listed below for each specific request
- name - character (128) - mandatory
- cntrtyp_code - character (36) - mandatory

Update a Registration Center

On receiving a request to update a Registration Center with the input parameters, the system updates the Registration Center Details in the List of Registration Center Database for the center_id received

Refer below for the process:

The system validates if all required input parameters have been received as listed below for each specific request
- center_id - character (36) - mandatory
- name - character (128) - mandatory

Decommission a Registration Center

Upon receiving a request to Decommission a Registration Center with the input parameters (center_id), the system updates the is_deleted flag to true in the List of Registration Center Database against the center_id received

Refer below for the process:

Validate if all required input parameters have been received as listed below for each specific request
- center_id - character (36) - Mandatory
Change the “is_Deleted” flag against Registration Center ID to “True”

Fetch Registration Center details based on a Registration Center ID and Language Code.

On receiving a request to fetch Registration Center Details with the input parameters (Registration Center ID and Language Code), the system fetches all the Registration Center attributes for the Registration Center ID and Language Code received. The system only fetches active Registration Centers.

Refer below for the process:

While fetching the registration center details the system validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Language Code - Mandatory

Fetch Registration Center record based on a Registration center ID, Date and Language Code from the Registration Center Updation/Creation History table

On receiving a request to fetch Registration Center Creation/Updation History Detail with the input parameters (Registration Center ID, Date and Language Code), the system fetches all the attributes of Registration Center from the history table for the Registration Center ID, Date and Language Code received

Refer below for the process:

While fetching registration center records the system validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Date - Mandatory

Fetch Registration Center details based on a Location Code and a Language Code

Upon receiving a request to fetch the List of Registration Centers with the input parameter (Location Code and Language Code), the system fetches the list of all the Registration Centers against the Location Code and Language Code received with all the attributes for each Registration Center. The system only fetches active Registration Centers.

Refer below for the process:

While fetching the registration center details the system validates if all required input parameters have been received as listed below for each specific request
- Location Code
- Language Code

Fetch Registration Center details based on a Longitude and a Latitude, Proximity Distance and Language Code

On receiving a request to fetch the List of Registration Centers with the input parameter (Longitude and Latitude, Proximity distance and Language Code), the system fetches the List of Registration Centers against the input parameters received. The system only fetches active Registration Centers.

Refer below for the process:

While fetching the registration center details the system validates if all required input parameters have been received as listed below for each specific request
- Longitude
- Latitude

Fetch the List of Registration Centers based on Location Hierarchy Level, text input and a Language Code

Upon receiving a request to fetch the List of Registration centers with input parameters (Location Hierarchy Level, Text Input and a Language Code), the system fetches the List of Registration centers. The system only fetches active Registration Centers.

Refer below for the process:

While fetching the list of registration centers the system validates if the request contains the following input parameters
- Location Hierarchy Level - Mandatory
- Text Input - Mandatory

Validates whether a Registration Center is under working hours based on a timestamp received

On receiving a request to fetch Registration Center Details with the input parameters (Registration Center ID and Date-Timestamp), the system determines the status of the Registration center as per the logic defined.

Refer below for the process:

While determining the status of registration center the system validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Date-Timestamp - Mandatory

List of Machine Types

Creation of a Machine Type

Upon receiving a request to add Machine Type (e.g., Dongle/Desktop) with the input parameters (code, name, descr, lang_code and is_active), the system stores the Machine Type in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory

Update of a Machine Type

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory

List of Machine Specifications

Create Machine Specifications

On receiving a request to add Machine Specifications with the input parameters (name, brand, model, mtyp_code, min_driver_ver, descr, lang_code and is_active) the system stores the Machine Specifications in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory

Update a Machine Specification

On receiving a request to update a Machine Specification with the input parameters (id, name, brand, model, mtyp_code, min_driver_ver, descr, lang_code and is_active), the system updates the Machine Specification Details in the Machine Specification Database for the id received

This API should only be accessible to Global Admin
The API should accept only the below parameters
- id - Character - 36 - Mandatory

List of Machines

Create a Machine in Master Database

On receiving a request to add Machine with the input parameters, the system Stores the Machine Details in the Database

Refer below for the process:

While creating the machine IDs the system validates if all required input parameters have been received as listed below for each specific request
- machine_id - character (36) - mandatory
- name - character (64) - mandatory

Update a Machine in the List of Machines Master Database

On receiving a request to update a Machine with the input parameters, the system Updates the Machine Details in the List of Machines Database for the machine_id received

Refer below for the process:

While updating the machine ID the system Validates if all required input parameters have been received as listed below for each specific request
- machine_id - character (36) - mandatory
- name - character (64) - mandatory

Decommission a Machine in the List of Machines Master Database

On receiving a request to decommission a Machine with the input parameters (machine_id), the system Updates the is_deleted flag to true in the List of Machines Database against the machine_id received

Refer below for the process:

While deleting the machine IDs the system Validates if all required input parameters have been received as listed below for each specific request
- machine_id - character (36) - Mandatory
Change the “is_Deleted” flag against Machine ID to “True”

Fetch Machine Registration/Updation History detail based on a Machine ID and Language Code

Upon receiving a request to fetch Machine History Registration/Updation Detail with the input parameters (Machine ID, Date and Language Code), the system Fetches all the attributes of Machine from the history table for the Machine ID, Date and Language Code received

The record fetched is the latest record existing on or before the date received in the input parameter

Refer below for the process:

While fetching the machine registration and updation history the system Validates if all required input parameters have been received as listed below for each specific request
- Machine ID - Mandatory
- Date - Mandatory

Fetch Machine Details based on a Machine ID and a Language Code

On receiving a request to Fetch Machine Details with the input parameters (Machine ID and Language Code), the system Fetches all the Machine attributes for the Machine ID and the Language Code Received

Refer below for the process:

While fetching the machine IDs the system Validates if all required input parameters have been received as listed below for each specific request
- Machine ID - Mandatory
- Language Code

Mappings of Registration Center, Machine and User Mappings

Create a mapping record of Center, User and Machine in Center-User-Machine Mapping Master Database

On receiving a request to add a mapping of Center, User and Machine with the input parameters (regcntr_id, usr_id, machine_id and is_active), the system Stores the Mapping of Center, User and Machine in the Database

Refer below for the process:

While mapping the system Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (10) - Mandatory
- usr_id- character (36) - Mandatory

Delete a Center-Machine-User mapping in the Center-Machine-User mapping Master Database

On receiving a request to delete a Center-Machine-User mapping with the input parameters (regcntr_id, machine_id, usr_id), the system Updates the is_deleted flag to true in the Center-Machine-User mapping Database against the input received

Refer below for the process:

While deleting the system Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- machine_id - character (36) - Mandatory

Fetch Mapping History of Registration Center, Machine and User based on Registration Centre ID, Machine ID, User ID and Date

On receiving a request to fetch Mapping History of Registration, Machine and User with input parameters (Registration Centre ID, Machine ID, User ID and Date), the system Fetches all the attributes of Registration, Machine and User Mapping from the history table for the Machine ID and Date received

The record fetched is the latest record existing on or before the date received in the input parameter

Refer below for the process:

While fetching the mappings the system Validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Machine ID - Mandatory

List of Devices

Create a Device

On receiving request to add a device with the input parameters, the system Stores the device in the Database

Refer below for the process:

While creating a device the system Validates if all required input parameters have been received as listed below for each specific request
- name - character (64) - Mandatory
- mac_address - character (64) - Mandatory

Update a Device

Upon receiving a request update a Device with the input parameters, the system Updates the Device Details in the List of Devices Database for the id received

Refer below for the process:

While updating the device in device type list the system Validates if all required input parameters have been received as listed below for each specific request
- id - character (36) - Mandatory
- name - character (64) - Mandatory

Decommission a Device

Upon receiving a request to decommission a Device with the input parameters (id) and Update the is_deleted flag to true in the List of Devices Database against the id received

Refer below for the process:

While deleting the device in the device list the system validates if all required input parameters have been received as listed below for each specific request
- id - character (36) - Mandatory
Change the “is_Deleted” flag against Device ID to “True”

Fetch all the List of Devices based on Device Type and Language Code

On receiving request to Fetch list of all Device with the requirement input parameter (Language Code and/or Device Type), the system Fetches all the Devices against the Language Code and/or Device Type as requested

Refer below for the process:

While fetching the device types the system Validates if the request contains the following input parameters
- Device Type - Optional
- Language Code - Mandatory

Fetch Device Registration/Update History detail based on a Device ID and Language Code

On receiving request to fetch Device History Registration/Update Detail with the input parameters (Device ID, Date and Language Code), the system fetches all the attributes of Device from the history table for the Device ID, Date and Language Code received

The record fetched is the latest record existing on or before the date received in the input parameter

Refer below for the process:

While fetching the device registration and update history the system validates if all required input parameters have been received as listed below for each specific request
- Device ID - Mandatory
- Date - Mandatory

List of Device Specifications

Create Device Specifications

On receiving request to add Device Specifications with the input parameters (name, brand, model, dtype_code, min_driver_ver, descr, lang_code and is_active), the system Stores the Device Specifications in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory

Fetch List of Device Specifications based on a Language Code

On receiving request to fetch the List of Device Specifications with input parameters (Language Code and/or Device Type) the system fetches the List of Device Specifications against the Language Code and/or Device Type

While fetching the List of Device Specifications against the Language Code and/or Device Type the system performs the following steps

Validates if the request contains the following input parameters
- Language Code - Mandatory
- Device Type - Optional

Update a Device Specification

On receiving a request to update a Device Specification with the input parameters (id, name, brand, model, dtype_code, min_driver_ver, descr, lang_code and is_active) the system updates the Device Specification Details in the Device Specification Database for the id received

This API should only be accessible to Global Admin
The API should accept only the below parameters
- id - Character - 36 - Mandatory

List of Device Types

Create Device Type

Upon receiving a request to add Device Type with the input parameters (code, name, descr, lang_code and is_active), the system Stores the Device Type in the Database

Refer below for the process:

This API should only be accessible to Global Admin
The API should accept only the below parameters
- name - Character - 64 - Mandatory

Update Device Type

This API should only be accessible to Global Admin
The API should accept only the below parameters
- code - Character - 36 - Mandatory

Mappings of Registration Center and Machine

Create a mapping record of Machine and Center

Upon receiving a request to add a mapping of Machine and Center with the input parameters (regcntr_id, machine_id, and is_active), the system stores the Mapping of Machine and Center in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (10) – Mandatory (refers to a Registration Center stored in Registration Center)
- machine_id - character (10) – Mandatory (refers to a Machine stored in Machine Masterdata)

Delete a Center-Machine mapping

Upon receiving a request to delete a Center-Machine mapping with the input parameters (regcntr_id, machine_id), the system updates the is_active flag to false in the Center-Machine mapping Database against the input received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- machine_id - character (36) - Mandatory

Mappings of Registration Center and Device

Create a mapping record of Device and Center

Upon receiving a request to add a mapping of Device and Center with the input parameters (regcntr_id, device_id), the system stores the Mapping of Device and Center in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (10) – Mandatory (refers to a Registration Center stored in Registration Center)
- device_id - character (36) – Mandatory (refers to a Device stored in Device Masterdata)

Unmap a Center-Device mapping

Upon receiving a request to delete a Center-Device mapping with the input parameters (regcntr_id, device_id), the system updates the is_active flag to false in the Center-Device mapping Database against the input received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- device_id - character (36) - Mandatory

Fetch Device-Center History record based on the timestamp received

On receiving a request to fetch Mapping History of Center and Device with input parameters (Registration Center ID, Device ID and Date Timestamp) the system fetches all the attributes of Center and Device Mapping from the history table for the Registration Center ID, Device ID and Date received

The record fetched is the latest record existing on or before the date received in the input parameter

While fetching the attributes of Center and Device Mapping from the history table the system performs the following steps

Validates if all required input parameters have been received as listed below for each specific request
- Registration Center ID - Mandatory
- Device ID - Mandatory

Mappings of Registration Center, Machine, and Device

Create a mapping record of Center, Machine and Device

Upon receiving a request to add a mapping of Center, Machine and Device with the input parameters (regcntr_id, machine_id, device_id, and is_active), the system stores the Mapping of Center, Machine and Device in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) – Mandatory (refers to a Registration Center stored in Registration Center Masterdata)
- machine_id - character (36) – Mandatory (refers to a Registration Center stored in Registration Center Masterdata)

Delete a Center-Machine-Device mapping

Upon receiving a request to delete a Center-Machine-Device mapping with the input parameters (regcntr_id, machine_id, device_id), the system updates the is_deleted flag to true in the Center-Machine-Device mapping Database against the input received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- machine_id - character (36) - Mandatory

Mappings of Registration Center and User

Create a mapping record of User and Center

Upon receiving a request to add a mapping of User and Center with the input parameters (regcntr_id, usr_id, and is_active), the system stores the Mapping of User and Center in the Database

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (10) – Mandatory (refers to a Registration Center stored in Registration Center)
- usr_id - character (36) – Mandatory (refers to a User stored in User Masterdata)

Delete a Center-User mapping

Upon receiving a request to delete a Center-User mapping with the input parameters (regcntr_id, usr_id), the system updates the is_active flag to false in the Center-User mapping Database against the input received

Refer below for the process:

Validates if all required input parameters have been received as listed below for each specific request
- regcntr_id - character (36) - Mandatory
- usr_id - character (36) - Mandatory

MISP Management

License Key Allocation

Create MISP

The system receives a request to create a MISP with input parameters (MISP ID, MISP Organization Name, MISP Contact Number, MISP Email ID, MISP Address, MISP User name, MISP Password, MISP License Key, MISP License Key Status, IsActive)
Stores the data in the database
Responds to the source with the required message

Read MISP

The system receives a request to fetch a MISP with input parameters (MISP ID and/or MISP Organization Name)
Fetches the data existing against the input parameter received.
If only MISP ID is received, fetches data against the MISP ID from the database

Update MISP

The system receives a request to update a MISP with input parameters (MISP ID, MISP Organization Name, MISP Contact Number, MISP Email ID, MISP Address, MISP User name, MISP Password, MISP License Key, MISP License Key Status, IsActive
Updates the data and Responds to the source with the required message
MISP ID will serves as search criteria to update the record in the database

Delete MISP

The system receives a request to delete a MISP with input parameters (MISP ID)
Deletes the data as mentioned as requested
Responds to the source with the required message

MOSIP Docs 1.1.5

Home

hashtagThe MOSIP Program

hashtagAbout MOSIP

hashtagReleases

hashtagMOSIP Resources

hashtagRoadmap

Architecture

Guiding Principles

hashtagEcosystem approach

hashtagConfigurability

hashtagExtensibility

hashtagModularity

MOSIP Architecture

hashtagDesign choices

hashtagFunctional Architecture

hashtagModular Architecture

Data-Model

hashtagData Model Considerations

hashtagData Model

Cryptography in MOSIP

hashtagBackground

hashtagSolution

Modules

Pre-Registration

hashtagOverview

Registration

hashtagOverview

hashtagDetailed functionality

hashtagProcess flow

hashtagRegistration officer Onboarding

hashtagRegistration preparation

hashtagIndividual registration

hashtagPacket upload

hashtagEnd of day (EOD) process

hashtagUIN update

hashtagLost UIN

hashtagSoftware update

hashtagLogical view

hashtagComponent architecture

hashtagRegistration packet structure

hashtagRegistration client reference application

hashtagFirst user on-boarding

Registration Packet

hashtagRegistration Packet

First User Registration and Onboarding

hashtag1. Creating the First User in KeyCloak

Guide to Configure MOSIP for Biometrics

hashtagRegistration Client

hashtagAdding SDK in classpath

hashtagEnabling MDS integration

hashtagRegistering biometric devices for registration

hashtagEnabling biometric for officer and supervisor

hashtagEnabling local de-duplication

hashtagRegistration Processor

hashtagConfiguring ABIS queue

hashtagID Authentication

hashtagAdding SDK in classpath

hashtagRegistering biometric devices for authentication

hashtagEncrypting biometric data from MDS

Device Integration Specifications

hashtagDevices:

hashtagScanner:

hashtagPrinter:

hashtagGPS:

Registration Processor

hashtagOverview

Deduplication and Manual Adjudication

hashtagDe-Duplication

ID Repository

hashtagOverview

ID Authentication

hashtagOverview

Resident Services

hashtagOverview

Kernel

hashtagOverview

Authentication and Authorization Functionality

Auth Implementation

hashtagDocumentations for the Auth Implementations

The MOSIP Program

About MOSIP

Releases

MOSIP Resources

Roadmap

Ecosystem approach

Configurability

Extensibility

Modularity

Design choices

Functional Architecture

Modular Architecture

Data Model Considerations

Data Model

Background

Solution

Overview

Overview

Detailed functionality

Process flow

Registration officer Onboarding

Registration preparation

Individual registration

Packet upload

End of day (EOD) process

UIN update

Lost UIN

Software update

Logical view

Component architecture

Registration packet structure

Registration client reference application

First user on-boarding

Registration Packet

1. Creating the First User in KeyCloak

Registration Client

Adding SDK in classpath

Enabling MDS integration

Registering biometric devices for registration

Enabling biometric for officer and supervisor

Enabling local de-duplication

Registration Processor

Configuring ABIS queue

ID Authentication

Adding SDK in classpath

Registering biometric devices for authentication

Encrypting biometric data from MDS

Devices:

Scanner:

Printer:

GPS:

Overview

De-Duplication

Overview

Overview

Overview

Overview

Documentations for the Auth Implementations

Context

Pre-requisite

Ecosystem approach

Configurability

Extensibility

Modularity

Building a National ID System using MOSIP

The MOSIP Program

About MOSIP

Releases

MOSIP Resources

Roadmap

Overview

Overview

Detailed functionality

Process flow

Services

Logical View

Build and deploy

APIs

UI Reference Implementation

Process flow