PMS Configuration Guide

Overview

The following guide outlines some important properties that can be customized for a given installation. Please note that this list is not exhaustive but serves as a checklist for reviewing properties that are likely to differ from the default settings. For a complete list of properties, refer to the files listed below.

Configuration files

Partner Management Services uses the following configuration files:

application-default.properties
partner-management-default.properties

Auth allowed urls

This property is used by kernel-authcodeflowproxy-api to check request is coming from allowed urls not.

auth.allowed.urls=https://${mosip.pmp.host}/

Key manager API calls

These properties are used to specify the keymanager API to upload certificates and get original partner uploaded certificates.

mosip.kernel.sign-url=${mosip.kernel.keymanager.url}/v1/keymanager/jwtSign
pms.cert.service.token.request.clientId=${mosip.pmp.auth.clientId}
pms.cert.service.token.request.issuerUrl=${mosip.kernel.authmanager.url}/v1/authmanager/authenticate/clientidsecretkey
pmp.ca.certificaticate.upload.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/uploadCACertificate
pmp.partner.certificaticate.upload.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/uploadPartnerCertificate
pmp.partner.certificaticate.get.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/getPartnerCertificate/{partnerCertId}
pmp.partner.original.certificate.get.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/getPartnerSignedCertificate/{partnerCertId}
pmp-keymanager.upload.other.domain.cert.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/uploadOtherDomainCertificate
pmp.trust.certificates.post.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/getCaCertificates
pmp.download.trust.certificates.get.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/getCACertificateTrustPath/{caCertId}
pmp.encrypt.data.post.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/encrypt
pmp.decrypt.data.post.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/decrypt

Auth Adapter rest template authentication configs

These properties are used to set attributes for partner management services.

app id : ApplicationId for partner
client id : Kernel auth client ID for partner management services
client secret : Kernel auth secret key for partner management services

mosip.iam.adapter.clientid=${mosip.pmp.auth.clientId}
mosip.iam.adapter.clientsecret=${mosip.pmp.auth.secretKey}
mosip.iam.adapter.appid=${mosip.pmp.auth.appId}

Keycloak Configurations

These configurations are used to create user in keycloak and map to a role.

Note : All partner types should be created as roles in keycloak.

mosip.iam.realm.operations.base-url = ${keycloak.internal.url}/auth/admin/realms/{realmId}
mosip.iam.admin-url =${keycloak.internal.url}/auth/admin/
mosip.iam.admin-realm-id =admin
mosip.iam.roles-extn-url =realms/mosip/roles
mosip.iam.users-extn-url = realms/mosip/users
mosip.iam.role-user-mapping-url =/{userId}/role-mappings/realm
mosip.iam.open-id-url =${keycloak.internal.url}/auth/realms/{realmId}/protocol/openid-connect/
mosip.iam.master.realm-id=master
mosip.iam.default.realm-id=mosip
mosip.keycloak.admin.client.id=admin-cli
mosip.keycloak.admin.user.id=admin
mosip.keycloak.admin.secret.key=${keycloak.admin.password}
mosip.iam.role-users-url=${keycloak.external.url}/auth/admin/realms/mosip/roles/{userRole}/users?max=-1

Auth Services API calls

These properties are used to specify the auth manager API to validate the token.

auth.server.validate.url=${mosip.kernel.authmanager.url}/v1/authmanager/authorize/admin/validateToken
auth.server.admin.validate.url=${mosip.kernel.authmanager.url}/v1/authmanager/authorize/admin/validateToken
auth.server.admin.allowed.audience=mosip-creser-client,mosip-datsha-client,mosip-ida-client,mosip-regproc-client,mosip-admin-client,mosip-reg-client,mosip-pms-client,mosip-resident-client,mosip-idrepo-client,mosip-deployment-client
auth.jwt.secret=authjwtsecret
auth.jwt.base=Mosip-Token

mosip.iam.adapter.issuerURL=${keycloak.internal.url}/auth/realms/mosip
mosip.authmanager.client-token-endpoint=${mosip.kernel.authmanager.url}/v1/authmanager/authenticate/clientidsecretkey

UI allowed roles

This property is used to populate required roles which should be allowed in UI.(Roles are nothing but partner types)

mosip.pms.ui.required.roles=AUTH_PARTNER,DEVICE_PROVIDER,CREDENTIAL_PARTNER,FTM_PROVIDER,MISP_PARTNER,POLICYMANAGER,PARTNER_ADMIN

URL to redirect after logout

These properties specify the url to redirect after logout and the end session endpoint in OIDC.

mosip.iam.post-logout-uri-param-key=post_logout_redirect_uri
mosip.iam.end-session-endpoint-path=/protocol/openid-connect/logout

MOSIP E-Signet config

These configurations specify the E-Signet claims mapping file url, amr-acr mapping file url and the service apis for create and update OIDC and OAuth Client.

mosip.pms.esignet.claims-mapping-file-url=https://raw.githubusercontent.com/mosip/mosip-config/develop/identity-mapping.json
mosip.pms.esignet.amr-acr-mapping-file-url=https://raw.githubusercontent.com/mosip/mosip-config/develop/amr-acr-mapping.json
mosip.pms.esignet.config-url=${mosip.esignet.service.url}/v1/esignet/oidc/.well-known/openid-configuration

mosip.pms.esignet.oidc-client-create-url=${mosip.esignet.service.url}/v1/esignet/client-mgmt/oidc-client
mosip.pms.esignet.oidc-client-update-url=${mosip.esignet.service.url}/v1/esignet/client-mgmt/oidc-client

mosip.pms.esignet.oauth-client-create-url=${mosip.esignet.service.url}/v1/esignet/client-mgmt/oauth-client
mosip.pms.esignet.oauth-client-update-url=${mosip.esignet.service.url}/v1/esignet/client-mgmt/oauth-client

User Session Idle Timeout

These properties are used to set the user inactivity idle time.

Inactivity Timer : Specifies the duration (in minutes) before the session is timed out due to inactivity.
Prompt Timer : Specifies the duration (in minutes) before the user is prompted about the impending session timeout.

mosip.pms.session.inactivity.timer=25
mosip.pms.session.inactivity.prompt.timer=5

Axios Timeout

This property is used to set the server request and response time(in minutes) for Axios.

mosip.pms.axios.timeout=3

OIDC Client Attributes

These properties are used to set attributes for OIDC client creation and update.

Grant Types : Specifies the grant types used by the OIDC client.
Client Authentication Methods : Specifies the client authentication methods.

mosip.pms.oidc.clients.grantTypes=authorization_code 
mosip.pms.oidc.clients.clientAuthMethods=private_key_jwt

Maximum allowed years for SBI Created and Expiry Date

These properties are used to set maximum number of year to be allowed for SBI created date and expiry date.

mosip.pms.expiry.date.max.year=10
mosip.pms.created.date.max.year=10

Item per page configuration

This property is used to set the maximum number of items to be displayed per page in the pagination.

mosip.pms.pagination.items.per.page=8

Configurations for Email Notifications

This property is used to set the interval (in seconds) at which notifications are automatically refreshed.

mosip.pms.auto.refresh.notifications=300

This property specifies the Keycloak URL used to retrieve all users assigned to a specific role within the mosiprealm.
- The {userRole} placeholder should be replaced with the role name.
- The max=-1 query parameter ensures that all users associated with the role are fetched without any pagination or limit.

mosip.iam.role-users-url=${keycloak.external.url}/auth/admin/realms/mosip/roles/{userRole}/users?max=-1

These properties are used to schedule the batch job that generates notifications. This job runs daily at midnight.

# This job will create notifications for Root / Intermediate certificate expiry
mosip.pms.batch.job.root.intermediate.cert.expiry.cron.schedule=0 0 0 * * *
# This job will create notifications for Partner certificate expiry
mosip.pms.batch.job.partner.cert.expiry.cron.schedule=0 0 0 * * *
# This job will create weekly notifications
mosip.pms.batch.job.weekly.notifications.cron.schedule=0 0 0 * * 6
# This job will create notifications for FTM chip certificate expiry
mosip.pms.batch.job.ftm.chip.expiry.notifications.cron.schedule=0 0 0 * * *
# This job will create notifications for SBI expiry
mosip.pms.batch.job.sbi.expiry.notifications.cron.schedule=0 0 0 * * *
# This job will create notifications for API key expiry
mosip.pms.batch.job.api.key.expiry.notifications.cron.schedule=0 0 0 * * *

This properties is used to schedule the batch job that delete past notifications.

mosip.pms.batch.job.delete.past.notifications.cron.schedule=0 0 0 * * *

These properties define the configuration for automatic deletion of past notifications in the system.
- Specifies the number of days to retain past notifications. Notifications older than this period will be deleted by the scheduled deletion job.
- Enables or disables the scheduled job that performs the deletion of past notifications.

mosip.pms.batch.job.past.notifications.deletion.period=60
mosip.pms.batch.job.enable.past.notifications.deletion=true

These properties specify the number of days before certificate expiry when notifications should be triggered.

mosip.pms.batch.job.root.intermediate.cert.expiry.periods=30,15,10,9,8,7,6,5,4,3,2,1,0
mosip.pms.batch.job.partner.cert.expiry.periods=30,15,10,9,8,7,6,5,4,3,2,1,0
mosip.pms.batch.job.ftm.chip.cert.expiry.periods=30,15,10,9,8,7,6,5,4,3,2,1,0
mosip.pms.batch.job.sbi.expiry.periods=30,15,10,9,8,7,6,5,4,3,2,1,0
mosip.pms.batch.job.api.key.expiry.periods=30,15,10,9,8,7,6,5,4,3,2,1,0

This property specifies the list of partner IDs for which certificate expiry notifications should be skipped. These IDs are excluded from the notification generation process.

mosip.pms.batch.job.skips.partner.ids=MOSIP.PROXY.SBI,mpartner-default-cert,mpartner-default-adjudication,mpartner-default-mobile,mpartner-default-print,mpartner-default-abis,mpartner-default-resident,mpartner-default-auth,mpartner-default-digitalcard,mpartner-default-esignet,

These properties is used to schedule the batch job that deactivate the expired SBI, API Key and MISP license key.

# This job will auto deactivate expired SBIs
mosip.pms.batch.job.sbi.expiry.auto.deactivation.cron.schedule=0 0 0 * * *
# This job will auto deactivate expired API keys
mosip.pms.batch.job.api.key.expiry.auto.deactivation.cron.schedule=0 0 0 * * *
# This job will auto deactivate expired MISP Licenses
mosip.pms.batch.job.misp.license.expiry.auto.deactivation.cron.schedule=0 0 0 * * *

Templates for Email Notifications

Specifies the template names used for sending email notifications. Each template corresponds to a different type of notification and its email subject line.

email.notification.partner.cert.expiry.template=PARTNER_CERT_EXPIRY_TEMPLATE
email.notification.intermediate.cert.expiry.template=INTERMEDIATE_CERT_EXPIRY_TEMPLATE
email.notification.root.cert.expiry.template=ROOT_CERT_EXPIRY_TEMPLATE
email.notification.weekly.summary.template=WEEKLY_SUMMARY_TEMPLATE
email.notification.ftm.chip.cert.expiry.template=FTM_CHIP_CERT_EXPIRY_TEMPLATE
email.notification.api.key.expiry.template=API_KEY_EXPIRY_TEMPLATE
email.notification.sbi.expiry.template=SBI_EXPIRY_TEMPLATE
email.notification.partner.cert.expiry.subject.template=PARTNER_CERT_EXPIRY_SUBJECT
email.notification.intermediate.cert.expiry.subject.template=INTERMEDIATE_CERT_EXPIRY_SUBJECT
email.notification.root.cert.expiry.subject.template=ROOT_CERT_EXPIRY_SUBJECT
email.notification.weekly.summary.subject.template=WEEKLY_SUMMARY_SUBJECT
email.notification.ftm.chip.cert.expiry.subject.template=FTM_CHIP_CERT_EXPIRY_SUBJECT
email.notification.api.key.expiry.subject.template=API_KEY_EXPIRY_SUBJECT
email.notification.sbi.expiry.subject.template=SBI_EXPIRY_SUBJECT

Configuration for Data Encryption and Decryption

Defines the configuration properties used for secure data encryption and decryption through the Key Manager service.

pmp.encrypt.data.post.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/encrypt
pmp.decrypt.data.post.rest.uri=${mosip.kernel.keymanager.url}/v1/keymanager/decrypt
mosip.service.keymanager.crypto.appId=PMS
mosip.service.keymanager.crypto.refId=PII-DATA

Legacy Support Configuration Flags

These properties indicate the availability of specific endpoints and the OIDC client within the MOSIP platform. They are used to enable or disable certain features based on configurations.

# Indicates whether the ca signed partner certificate endpoint is available in MOSIP platform
mosip.pms.ca.signed.partner.certificate.available=true
# Indicates whether the OIDC client is available in MOSIP platform
mosip.pms.oidc.client.available=true
# Indicates whether the root and intermediate CA certificates are available in MOSIP platform
mosip.pms.root.and.intermediate.certificates.available=true

Regex Patterns

These regular expressions are used to validate various IDs and inputs within the PMS.

FTM ID (Allows only digits (0–9), with a length between 1 to 36 characters.)

mosip.pms.ftm.id.regex=^[0-9]{1,36}$

Certificate ID (Allows letters, digits, and hyphens (-), with a length between 1 to 36 characters.)

mosip.pms.certificate.id.regex=^[a-zA-Z0-9-]{1,36}$

OIDC Client ID (Allows letters, digits, underscores (_) and hyphens (-), with a length between 1 to 36 characters.)

mosip.pms.client.id.regex=^[a-zA-Z0-9_-]{1,100}$

Request Input Validation (Accepts a wide range of readable characters, including Letters, Numbers, Spaces and Special characters: .,@#&()-'?_!":;=\)

mosip.pms.request.input.validation.regex=^[\\p{L}\\p{N}\\p{M}\\s.,@#&()\\-'?_!":;=\\\\]+$

Unique ID generation retry configuration

This property specifies the maximum attempts to generate a unique ID (for example, policies, API keys).

If the generated ID already exists (a collision), the system retries until it finds a unique one or reaches this limit. When the maximum retries are reached, the process stops and reports failure.

# Maximum retries for unique ID generation to prevent infinite loops
mosip.pms.id.generation.max.retries=100

Supported Languages Configuration

This property lists the supported languages for creating a MISP partner. Each language uses its standard code (for example, eng for English, hin for Hindi).

mosip.pms.supported.notification.languages=eng,hin,ara,fra,tam,kan

Partner Type Roles

These properties specify partner type roles that are used to grant access to various APIs in partner management service.

-------- Partner Management Service ---------
mosip.role.pms.getpartnercertificates=AUTH_PARTNER,ABIS_PARTNER,SDK_PARTNER,DEVICE_PROVIDER,FTM_PROVIDER,CREDENTIAL_PARTNER,PARTNER_ADMIN,ONLINE_VERIFICATION_PARTNER
mosip.role.pms.userconsent=AUTH_PARTNER,ABIS_PARTNER,SDK_PARTNER,DEVICE_PROVIDER,FTM_PROVIDER,CREDENTIAL_PARTNER,PARTNER_ADMIN,ONLINE_VERIFICATION_PARTNER,POLICYMANAGER
mosip.role.pms.getsbidetails=DEVICE_PROVIDER,PARTNER_ADMIN
mosip.role.pms.postadddevicetosbi=DEVICE_PROVIDER,PARTNER_ADMIN
mosip.role.pms.postdevicewithsbimapping=PARTNER_ADMIN
mosip.role.pms.patchdeactivatedevice=DEVICE_PROVIDER,PARTNER_ADMIN
mosip.role.pms.patchdeactivatesbi=DEVICE_PROVIDER,PARTNER_ADMIN
mosip.role.pms.getftmchipdetails=FTM_PROVIDER,PARTNER_ADMIN
mosip.role.pms.patchdeactivateftm=FTM_PROVIDER,PARTNER_ADMIN
mosip.role.pms.getoriginalftmcertificate=FTM_PROVIDER,PARTNER_ADMIN
mosip.role.pms.getpartnerdetails=PARTNER_ADMIN
mosip.role.pms.getadminpartners=PARTNER_ADMIN
mosip.role.pms.getallpartnerpolicymappingrequests=PARTNER_ADMIN,AUTH_PARTNER,ABIS_PARTNER,SDK_PARTNER,CREDENTIAL_PARTNER,PARTNER_ADMIN,ONLINE_VERIFICATION_PARTNER
mosip.role.pms.getoauthpartnersclients=PARTNER_ADMIN,AUTH_PARTNER
mosip.role.pms.getpartnersapikeyrequests=PARTNER_ADMIN,AUTH_PARTNER
mosip.role.pms.getpartnersftmchipdetails=PARTNER_ADMIN
mosip.role.pms.getallsbidetails=PARTNER_ADMIN,DEVICE_PROVIDER
mosip.role.pms.getalldevicedetails=PARTNER_ADMIN
mosip.role.pms.gettrustcertificates=PARTNER_ADMIN
mosip.role.pms.getdownloadtrustcertificates=PARTNER_ADMIN
mosip.role.pms.getpartnersv3=DEVICE_PROVIDER,FTM_PROVIDER,PARTNER_ADMIN,AUTH_PARTNER,ABIS_PARTNER,SDK_PARTNER,CREDENTIAL_PARTNER,PARTNER_ADMIN,ONLINE_VERIFICATION_PARTNER
mosip.role.pms.getnotifications=DEVICE_PROVIDER,FTM_PROVIDER,PARTNER_ADMIN,AUTH_PARTNER,ABIS_PARTNER,SDK_PARTNER,CREDENTIAL_PARTNER,ONLINE_VERIFICATION_PARTNER
mosip.role.pms.putnotificationseentimestamp=AUTH_PARTNER,ABIS_PARTNER,SDK_PARTNER,DEVICE_PROVIDER,FTM_PROVIDER,CREDENTIAL_PARTNER,PARTNER_ADMIN,ONLINE_VERIFICATION_PARTNER,POLICYMANAGER
mosip.role.pms.getnotificationseentimestamp=AUTH_PARTNER,ABIS_PARTNER,SDK_PARTNER,DEVICE_PROVIDER,FTM_PROVIDER,CREDENTIAL_PARTNER,PARTNER_ADMIN,ONLINE_VERIFICATION_PARTNER,POLICYMANAGER
mosip.role.pms.patchdismissnotification=DEVICE_PROVIDER,FTM_PROVIDER,PARTNER_ADMIN,AUTH_PARTNER,ABIS_PARTNER,SDK_PARTNER,CREDENTIAL_PARTNER,ONLINE_VERIFICATION_PARTNER
mosip.role.pms.getallmisplicenses=PARTNER_ADMIN
mosip.role.pms.postlinkpolicygrouptopartner=PARTNER_ADMIN
mosip.role.pms.postgeneratemisplicense=PARTNER_ADMIN
mosip.role.pms.getmisplicensedetails=PARTNER_ADMIN
mosip.role.pms.patchdeactivatemisplicensekey=PARTNER_ADMIN
mosip.role.pms.putregeneratemisplicensekey=PARTNER_ADMIN
-------- Policy Management Service ---------
mosip.role.pms.getpolicygroups=AUTH_PARTNER,CREDENTIAL_PARTNER,ONLINE_VERIFICATION_PARTNER,ABIS_PARTNER,MANUAL_ADJUDICATION,PARTNER_ADMIN,POLICYMANAGER
mosip.role.pms.getallpolicies=PARTNER_ADMIN,POLICYMANAGER
mosip.role.pms.patchdeactivatepolicy=PARTNER_ADMIN,POLICYMANAGER
mosip.role.pms.patchdeactivatepolicygroup=PARTNER_ADMIN,POLICYMANAGER

PreviousDeploy NextAPI changes with PMS Revamp

Last updated 1 month ago

Was this helpful?