1 of 100

MOSIP Docs 1.2.0

Home

About MOSIP

The Modular Open Source Identity Platform is an open-source, open standards-based foundational identity platform. MOSIP is an API-first platform that can be used by countries to build their own national ID platform. MOSIP offers ID Lifecycle Management features and identity verification capabilities out of the box. Conceived to help build global digital public goods in the space of digital identification and governance, MOSIP is anchored at the International Institute of Information Technology, Bangalore (IIIT-B). It harnesses the power of open-source technologies and embraces the best practices of scalability, security and privacy. Learn more >>

The key objectives of MOSIP are to:

Provide the basic framework to create a fully functional foundational identity system
Provide flexibility for a country to choose and customize the features from the basic framework according to their requirements
Maintain privacy, security and confidentiality of an individual's data
Provide a scalable and accessible solution to cater to a wide range of populations (a few thousand to several hundreds of millions.

Releases

The latest release of MOSIP, version 1.2.0 LTS is here! Check out the exciting new services and enhancements in the documentation.

To learn more, see our Releases Notes.

To read through the previous version of the documentation, see the Older version documentation (1.1.5).

Resources

Source Code: GitHub Repositories
Containers: Docker Repository
Maven Repository: Nexus Repository
Presentations: mosip.io
Training: MOSIP Academy
Learning videos: YouTube Channel
Community: MOSIP Community on Discourse

Overview

What is Digital Identification?

Digital Identification is a means of identifying 'who you are' through some kind of digital medium. The digital medium could be any device such as a mobile phone or a computer or anything that has a digital means of identifying 'who you are' in both offline and online mode with your consent irrespective of your religion, caste, creed, gender, country and ethnicity. The Internet is only an enabler but is not the mandatory requirement for digital identification. While identifying 'who you are', the user bearing the identity must have absolute control of revealing a controlled set of information that they wish to reveal and not everything in order to become eligible for getting a service rendered.

What is a foundational ID system?

Governments are exploring the development of multipurpose foundational ID systems, in which individuals receive a unique identifier from the government that they can use for identity assertion and verification. It can then be used to access a wide variety of government and private services.

Functional IDs are the IDs that are used in specific use cases. By design, they are created having the final usecase in mind such as healthcare, finance, banking, insurance, social and civil registry etc. The Functional ID systems can leverage the Foundational ID system.

What is MOSIP?

MOSIP is a robust, secure, open-source platform for building foundational identity systems. MOSIP is configurable and flexible to adapt to a country’s national ID requirements.

Privacy and security

MOSIP modules

MOSIP ecosystem

MOSIP needs to work along with other ecosystem players to create a solution for a particular country.

MOSIP offerings

Key MOSIP offerings are:

ID Lifecycle Management
ID Authentication

Building a national ID system using MOSIP

National ID systems can leverage MOSIP as the base platform and configure, customize, and extend it to build systems just the way needed. The image below depicts how MOSIP provides the base layer to build a national ID platform.

Architecture

MOSIP as it stands is a modular microservice based architecture. It's modularity helps in adoption of MOSIP at complex situations. Most of the MOSIP modules are designed to be a strong foundation infrastructure modules and can be adopted in several projects.

MOSIP is designed with the following architecture principles. These architecture principles are core to the development of the system's feature and has a great influence on how and why specific software design patterns are used within.

Data Privacy
No Vendor Lock-in
Open Standards
Async/ Offline First
Commodity Computing
Fault tolerant
Manageable
Secure By Default

Overview

To know how MOSIP can be deployed, refer Getting Started. The different installation models are detailed out in the Deployment section.

High-Level Reference Functional Architecture

The High-Level Reference Functional Architecture serves as a blueprint outlining the system's high-level functioning and interactions, providing a structured framework.

ID Lifecycle Management

Overview

Identity Lifecycle Management refers to the process of issuing and managing user identities in a given system. An individual can visit a registration centre to get a new ID or update their ID details. A registration officer would typically capture the individual’s demographic (name, date of birth, gender, etc.) and biometric (face, iris, and fingerprint image) details.

The various life cycle events are briefly explained below:

New ID issuance (for adults and infants)
ID data update or update individual’s information
De-activate or re-activate the individual’s ID
Lost ID
Correction process

New ID issuance

Pre-registration

A resident can access the pre-registration portal and do the following:

Enter demographic data and upload supporting documents
Book an appointment for one or many users for registration by choosing a suitable registration centre and a convenient time slot
Receive appointment notifications
Reschedule, update and cancel appointments

Registration (enrolment)

For adults

The resident visits a registration centre.
The registration officer captures demographic details, biometrics and documents and uploads the same for processing.
Upon successful registration, a registration ID (RID) is allocated to the resident and an acknowledgement slip containing the captured details and the RID is issued (printed) to the resident as proof of registration.
The registration processor processes the registration details perform quality checks and checks for duplicate entries (de-duplication).
Upon successful processing, a Unique Identification Number (UIN) is allocated to the resident and a notification is sent to the resident on the registered phone number and/or email.
Upon a failure in processing, the registration process is discarded and a notification is sent to the resident on the registered phone number and/or email.

For infants/children

A child visits the registration centre along with a guardian/parent.
The registration officer captures the demographic details along with the face photo.

Note: For infants/children less than 5 years old, the Registration Client does not capture the biometrics as they are still evolving. However, the country may choose to override the same by modifying the rules accordingly.

Parent/guardian' UIN or RID and the biometrics needed for authentication are captured.
Additionally, a proof of relationship document is uploaded.
Upon successful registration, an acknowledgement receipt containing the registration ID is issued to the parent/guardian.

ID data update/updating individual’s information

Residents can update their information in two ways:
- By visiting the registration centre: The demographic and biometric information can be updated at the centres.
Registration receipt containing the Registration Identity(RID), labels and data in the configured language, and QR code (of the RID) provided to the resident at the centre.
Updated ID credentials were sent to the resident via the country’s configured printing and postal service.
Notifications were sent to the resident using the email ID and mobile number provided as a part of demographic data collection.

De-activate/re-activate individual’s ID

De-activate ID means an individual will not be able to authenticate themselves by using the UIN or VID.
Likewise, a country can also re-activate an individual’s ID as need be.

Finding a lost ID

In the event of loss of the ID, the resident can go to the nearest registration centre and provide his/her biometrics and optionally provide demographic details. The details are sent to the MOSIP server which performs a biometric and demographic match. Upon a successful match, MOSIP provides mechanisms to retrieve the UIN of the resident which may be printed and delivered to the resident. Notifications are sent to the resident's registered email and/or phone.

Correction process

In case the system finds an error in the demographic data, documents or biometric data provided by an individual, the correction flow is triggered.
Before issuing the UIN for the individual, the incorrect or incomplete information provided by the individual is intimated to them.
Once the corrected information is received by the system, a correction procedure is triggered.
Updated ID credentials are sent to the resident via the country’s configured printing and postal service.

ID Schema

Overview

ID Schema is a standard that defines dataset that can be stored in the Identity repository for a resident. The schema allows the adopters to customize the fields that's needed for running the identity program.

Defining the ID Schema is the first step towards creating a foundational ID system. Once defined, all applications built on top of the MOSIP platform must conform to the same.

One should not confuse ID Schema with what is seen on the screen of the Registration client/ Pre-registration. ID Schema is the final data that you would like to store against each user in the final ID Repository. Quite often we collect more data than listed in ID Schema. This is essential to validate the user's claim. We should consider these data as transactional and it will never reach the final ID Repository.

Understanding ID Schema

This guide is intended for adopters who would customize the default ID Schema to suit the needs of a specific deployment.

Terminology

Field: Unit of data collected from residents (eg. fullName, dateOfBirth, proofOfIdentity etc).
Field attribute: Qualification of Field (e.g.: fieldCategory, fieldType, etc).
Definition: Custom data types are defined for collecting different types of data:
- simpleType: Multiple languages.
- documentType: Document metadata.
- biometricType: Biometric file metadata

JSON keys

bioAttributes:
- leftEye, rightEye, leftIndex, leftRing, leftLittle, leftMiddle, rightIndex, rightRing, rightMiddle, rightLittle, rightThumb, leftThumb, face,
fieldCategory
- none: Cannot be used for any purpose. But will be stored in id.json (default subpacket). These are used in exceptional cases when we need to store some data for future reference in case of investigating an ID fraud or if law mandates the storage of such data.
- pvt: Private information, can be used in authentication. A limited data that can be used for authentication & kyc.
- kyc: Information that can be disclosed to partners either as a credential or through the ekyc API's.
- evidence: Field is treated as proof and may be subjected to removal. In certain countries law mandates deletion of such data once the Identity of the user is verified. Marking some of the fields as evidence helps in deleting them without violating the source of truth signatures.
- optional: Field is treated as proof and will be removed after a predefined interval (defined as policy).
format
- lowercased: Value stored in lower case format
- uppercased: Value stored in upper case format
- none: No format applied to the data
validators
- type: Validation engine type. Supported type as of now is regex.
- validator: Based on the type the actual script is placed here. In case the type is regex then the actual regex pattern is used here.
- arguments: Array to hold parameter or dependent field IDs required for validation.
subType
- For every documentType field, document category code must be the value of this key. This document category code is used to validate the provided document types in the ID object.

ID schema is loaded as a part of master data to identity_schema table in mosip_masterdata DB.

Dependencies

If any changes are made to the default ID Schema, make sure the following dependencies are updated as well:

UI Specifications

Versions of ID Schema

ID Schema is identified based on it's version in the MOSIP system. On publishing of an ID Schema, the schema is versioned. Every ID Object stores the ID Schema version which is validated during ID Object validation.

Good Practice

The following is the list of good practices that MOSIP recommends for creating your ID Schema.

As a privacy by design practice, it is recommended that the number of fields is kept to a usable minimum in order to avoid profiling.
Larger number of data results in serious data quality issues.
Keeping the fields minimum ensures everyone is inclusively added to the foundational identity.
As a best guide, limit the total number of fields to be less than 10.
Stick to one version of ID Schema for better compatibility.

Identifiers

Overview

In the context of MOSIP, identifiers are alphanumeric digital handles for identities in the system. While a person's identity is represented as a collection of biographic and biometric attributes that can uniquely identify the person, the identity is referred to using identifiers.

UIN

Unique Identification Number (UIN), as the name suggests, is a unique number assigned to a resident. UIN never changes and is non-revocable. UIN is randomized such that one should not be able to derive any Personal Identifiable Information (PII) from the number itself.

The rules that govern generation of a UIN are listed here.

VID

The VID / Virtual ID is an alias identifier that can be used for authentication transactions. The key characteristic of such an identifier is that it expires. This allows for free disclosure and usage of this identifier in various contexts. It is privacy friendly in a way such that it can be revoked, configured for one time usage and is not linkable. Since these are used for authentication transactions, such identifiers are to be known to the user only or generated with their participation.

RID / AID

The Application ID (AID) refers to the unique identifier given to a resident during any ID lifecycle event, such as ID Issuance, ID Update, or Lost ID retrieval, at the registration center. It serves as a distinguishing factor for each specific event and can later be utilized by the resident to check the progress or status of the event. Previously, in MOSIP, the Application ID was referred to as the RID (Registration ID) and/or PRID (Pre-registration ID).

PRID

The PRID is a specialized RID used in the pre-registration system.

Token ID (PSUT - Partner Specific User Token)

The Token identifier/PSUT is a system provided customer reference number for relying parties to uniquely identify the users in their system. The token identifier is an alias meant for the partner/relying party typically unique (Configured through PMS policy, in case uniqueness is not the need then partner policy can be set to provide random number) to them. This identifier is included in the response of the authentication transactions. One key differentiator is that the PSUT is not accepted as an identifier for authentication transactions. This ensures that the partner who has the PSUT can not reauthneticate.

Anonymous Profiling Support

Overview

When a country is implementing and running the ID program, people at the forefront, like policymakers and other executives, will need to monitor the progress. Progress can be measured with the help of various attributes, like:

total enrollment count
gender profile for enrollment
age group profile
enrollment numbers and profiles per registration centre
quality of biometric data captured

Information like this will allow policymakers to take corrective measures as and when required.

Some examples are given below:

Example 1: If registration centres are setup for enrolling residents and if they see that the number of women enrolling in a particular area is less because of cultural factors, they can introduce a door-to-door enrollment process to increase coverage.

Example 2: The quality of biometrics captured for a particular registration centre or region can be monitored. And if it is found to be unacceptable, they can proceed to replace the biometric devices in that centre.

Example 3: They can compare the total number of enrollments against the total number of UINs issued. If there is a big gap, they can then address this by increasing the capacity of the registration processor module to handle and process more packets.

Design

In order to achieve this, we have published a fixed anonymized profile of the users and ensured the same is accessible to a search engine such as elastic search so that it can be used for analytics. The basic guideline followed to create these profiles is that the limited dataset should not violate the privacy of the person or point to specific individuals. These JSON profiles are not configurable in the current design and a code change is required to change them.
This dataset is called an anonymous profile and is captured at various stages in the ID lifecycle like pre-registration, registration processing, ID issuance and authentication.
As a part of this implementation, a new anonymous_profile table is created in each of these modules and is populated as per the JSON structure given below for each profile.

Note: New DB tables are added for the anonymous profile because data in existing tables (except the pre-registration module) are encrypted and cannot be used to create reports and dashboards.

Anonymous Registration profile

This profile will be used to capture data about enrollment. This suggests that the user has started the registration process.
This data is captured at two stages, i.e., during pre-registration and registration processing.
The same registration profile JSON is re-used to capture data in these two modules.
This profile data is captured in anonymous_profile tables under the mosip_prereg mosip_regprc schemas.
We can configure the stage at which the anonymous profile data in the registration processor needs to be captured. This can be configured as a part of the registration processor camel routes in the mosip-config repository as shown below.

The profile will be available from version 1.2.0 and above.

JSON structure of the registration profile is given below

Below is the image for the Anonymous profile table created in the Pre-registration schema

Below is the image for the Anonymous profile table created in the Registration processor schema

Anonymous Identity issuance profile

This profile data will be captured during the identity issuance process when an entry is made in the ID repository.
The profile data is captured in a anonymous_profile table under the mosip_idrepo schema.

The profile will be available from 1.1.5.5 and above.

JSON structure of the identity issuance profile is given below:

Below is the image for the Anonymous profile table created in the ID repository schema

Anonymous Authentication Profile

This profile data will be captured when the resident performs authentication.
The profile data is captured in an anonymous_profile table under the mosip_IDA schema.

The profile will be available from 1.2.0 and above.

JSON structure of the Authentication profile is given below:

Below is the image for the Anonymous profile table created in the IDA schema

Generating dashboards from Anonymous profile data

ID Authentication

Overview

MOSIP offers identity verification services that enable the usage of identity in various contexts. After the successful issue of the ID, identity verification services become available for the resident. Online identity verification is enabled through MOSIP's ID Authentication (IDA) module. As MOSIP is a foundational ID system, different services (both government and private) may rely on the foundational ID system to validate the identity of a resident rather than implementing multiple authentication systems. A typical authentication flow is illustrated below:

Refer to the video below to learn more!

Authentication types

Yes/No Authentication

MOSIP offers a yes/no API that can be used for the verification of attributes supplied along with authentication factors. The API verifies the identifier and the provided demographic attributes and also validates other authentication factors such as the OTP or biometrics and responds with a yes or a no. Successful verification of the data results in a yes. This kind of API can be typically used to support the verification of a limited set of demographic data about the person or for simple presence verification when biometrics are used.

KYC Authentication

MOSIP additionally offers a KYC API, which can be used to get an authorized set of attributes for the resident in the response of the API. This API is intended for use by authorized relying parties to perform KYC requests. The authentication includes an identifier along with authentication factors such as OTP and biometrics. The information returned is governed by a policy. Different relying parties can be provided with different KYC data based on their needs. The policy helps implement selective disclosure as part of the KYC data. The data thus returned is digitally signed by the server and can be used by the relying party with confidence.

Multifactor authentication

The authentication APIs support multiple factors. These can be:

Biometric: Finger, face, iris
Demographic: Name, date of birth, age, gender etc.
OTP: One-Time Password Based on the level of assurance needed for the transaction, the relying party can decide which factors are sufficient for identity verification.

Biometric authentication is performed using third-party matcher SDK that performs 1:1 matches on a given modality. Each biometric modality is treated as an independent factor in authentication.

VID

All authentications in MOSIP essentially perform 1:1 matches. This essentially requires the authentication call to specify an identifier of the person and the authentication factors to perform the match on the individual referred to by the identifier. MOSIP supports the usage of multiple identifiers for a person. This promotes anonymity and also acts as a deterrent to profiling the individual. The individual can be identified in the authentication transaction by the UIN or other alias identifiers/ VIDs. When a VID is used there are additional checks to see if the VID has not expired or has not been revoked. The expiry of the VID is governed by the policy chosen at the time of its creation of the VID.

For understanding VIDs and their characteristics, read more about VID.

Tokenization

In one-off usage contexts, identity verification can be anonymous. In cases where identity verification is linked to transactions that need identity assurance, there is a need to tie the user identity of the user to the transaction. This is achieved by way of providing such relying parties with a "sticky" token identifier that can be used as a reference ID for the individual in their system. The authentication APIs return a token when the authentication is successful. Based on the type of relying party and their policy, the token is either random or sticky. The expected usage is for the relying party to remember the token returned by the authentication API for referring to their customer and for audit/redressal purposes.

Learn more about the Token ID.

Relying parties and policies

Hotlisting

MOSIP has a provision to help protect against the misuse of identity. For any report of lost identity or detection of fraudulent activity by fraud, the module can require the temporary suspension of authentication activities on a user. This is enabled by the hotlisting feature. The authentication service checks if the identifier used is hotlisted and if so, the authentication process is aborted and fails. The hotlisting service can be used by helpdesk and fraud solutions to list and delist the identifiers that need to be blocked temporarily.

Privacy and Security

MOSIP's fundamental architecture and design incorporate the highest levels of privacy and security.

Security by design

Key security features:

Encryption of data in-flight or rest. (See )
Integration with trusted applications only.
Fraud avoidance - association of authentication only with specific transactions.
Misuse prevention - user can lock or unlock their authentication.
Virtual ID and Tokens to prevent identity theft.
All data sent out of MOSIP will be digitally signed.
All incoming data will be signed by the respective entity.
Any data sent to a relying party will be encrypted.
Protection against internal attacks with every record in DB protected with integrity.
Centralized key management.
All API's are protected with OAUTH 2.0.

Privacy by intent

Key privacy features:

Minimal data with selective disclosure on a need-to-know basis.
Sensitive data protected (not stored or logged in clear form).
Consent support – the user decides who can receive what credentials & what attributes.
No search on the database (You can find a record only if you know the ID).
Clear segregation of Biometric & Demographic data.
De-centralised ID usage and data (cannot profile based on usage).
Users are not limited to one permenant ID - Virtual ID.
All relying party gets a privacy enabled tokens to prevent profiling across transactions. Permenant ID is never shared.
Supports Wallet based decentralized ID issuance and usage.
Face data is not sent to ABIS for deduplication.

Data Protection

The security of user data is given the highest priority in MOSIP. Data is protected in flight and rest using strong cryptographic techniques. All operations on decrypted data are done in memory.

Various flows with encryption are illustrated below. Refer to for all references of the type 'Kx' and 'KPx'.

Registration data flow

The UINs are hashed, encrypted and stored in uin the table of mosip_idrepo DB. (K7.4)
Biometrics are shared and encrypted with the ABIS partner's key (PK1).
Registration processor stores encrypted demographic data in mosip_regprc DB. (K11)

Datashare

Data shared with all partners like ABIS, Print, Adjudication, IDA etc. is encrypted using partners' public key. Note that IDA is also a partner, however, a special partner in the sense that data is additionally zero-knowledge encrypted before sending to IDA (see the section below).

Zero-knowledge encryption

Generate master symmetric encryption key K9.
Generate a 10,000 symmetric keys pool (ZKn). Encrypt each ZKn with K9 and store it in DB. (K12)
Randomly select one key from ZKn, and decrypt using K9.
Derive new key ZKn' = ZKn + UIN/VID/APPID.
Encrypt biometric templates and demographics.
- BIO = encrypt(bio/demo with ZKn').
Encrypt ZKn (this is done to share ZKn with IDA).
- ZKn-IDA = encrypt(ZKn with K22)
Share the following with IDA:
1. ZKn-IDA
2. BIO
3. Random index (0 - 9999)
4. SHA-256 hash of UIN/VID/APPID

Decryption by IDA

Generate master symmetric encryption key K18.
Decrypt data in Step 8 above using PK8.
Decrypt ZKn-IDA with K22 to get ZKn.
Encrypt ZKn with K18 and store it at a random index.
Bio-data is stored as is.

ID authentication flow

The authentication client further encrypts the auth request with IDA-PARTNER public key.

Privacy

Overview

The right to privacy is a fundamental right in many contexts. Privacy protection or preservation can be ensured in an application by adopting a privacy friendly design stance.

What is privacy and privacy protection?

Privacy takes many forms. From an identity system perspective, the confidentiality of identity information and anonymity when using the identity offers privacy.

MOSIP views the identity system as a custodian of the individual's data. This data has to be protected in order to protect the individual from privacy and security risks. Privacy protection measures include , transparency, user control, confidentiality, selective disclosure, user anonymity and intrusion protection.

Privacy design elements

MOSIP addresses privacy design at four levels.

Functional privacy
- Selective disclosure
- Anonymization
- Need to know
- Encryption
- Tokenization
Security
- Trusted applications
- Access control
User centricity
- User control
- Consent
- Usability
- Inclusion
Transparency
- Openness
- Verifiability
- Governance

Biometrics

Overview

MOSIP platform integrates with the following biometric components:

All biometric components need to comply with standard interfaces defined by MOSIP. Test kits to verify compatibility are available.

Vendors who provide biometric systems are of MOSIP.

Modalities

Modalities supported in MOSIP are

ABIS

Overview

Providing a unique identity for a resident is one of the key features of any identity platform. To achieve this, MOSIP interfaces with an Automated Biometric Identification System (ABIS) to perform the de-duplication of a resident's biometric data.

The ABIS system never learns about residents' identities. Any Personally Identifiable Information (PII), such as demographic details or an applicant's AID (application ID), is not shared with the ABIS system. Internally, MOSIP maintains a mapping between the ABIS-specific reference ID and the AID of the resident.

ABIS is used for 1:N deduplication. For 1:1 authentication, is used. MOSIP does not recommend using an ABIS for 1:1 authentication.

MOSIP-ABIS interface

ABIS must support the following types of biometric images:

Individual fingerprint images (segmented)
Iris images (left, right)
Face image

Test kits

ABIS deployment

It is recommended that ABIS be deployed in the same secure zone (military zone) where the registration processor is deployed.
ABIS system is not recommended to connect to any external network.

Biometric SDK

Overview

Applications

Registration Client.
Backend quality check.
Biometric authentication during onboarding (internal auth).
ID Authentications.

Biometric SDK library

The library is used by Registration Client to perform 1:N match, segmentation, extraction etc. For more information on integration with Registration Client, refer to Registration Client Biometric SDK Integration Guide.

A simulation of this library is available as Mock BioSDK. The same is installed in the MOSIP sandbox.

Biometric SDK service

For 1:1 match and quality check of biometrics at the MOSIP backend, the BioSDK must be running as a service that can be accessed by Registration Processor and IDA Internal Services. The service exposes REST APIs specified here.

A simulation (mock) service has been provided. The mock service loads mock BioSDK internally on the startup and exposes the endpoints to perform 1:N match, segmentation, extraction as per IBioAPI.

The service may be packaged as a docker running inside MOSIP Kubernetes cluster or running separately on a server. It is important that the scalability of this service is taken care depending on the load on the system, i.e., the rate of enrolment and ID authentication.

API

BioSDK library: IBioAPI.
BioSDK service: TBD.

Testing kit

BioSDK server request/response may be tested using BioSDK testing kit.

Configuration

The following properties in application-default.properties needs to be updated to integrate the BioSDK library and service with MOSIP.

mosip.fingerprint.provider=io.mosip.kernel.bioapi.impl.BioApiImpl
mosip.face.provider=io.mosip.kernel.bioapi.impl.BioApiImpl
mosip.iris.provider=io.mosip.kernel.bioapi.impl.BioApiImpl
mosip.ida.biosdk-service.url=http://mock-biosdk-service.default:80
mosip.regproc.biosdk-service.url=http://mock-biosdk-service.default:80
mosip.idrepo.biosdk-service.url=http://mock-biosdk-service.default:80

Biometric Devices

Overview

Biometric devices capture individuals' biometric data (fingerprint, iris scan, photo) and send it to a registration client or authentication client (app). The functional architecture of the various entities involved is shown below.

Device types

* An adopter may choose to have different subtypes, however, the certification needs to be adhered to.

Enrolment flow

Authentication flow

SBI test kit

Devices calculator

The following calculator may be used to estimate the number of devices required for a rollout.

Partners

Providers of biometric devices are Partners of MOSIP and need to be onboarded to a given deployment of MOSIP. Specifically,

FTM

Overview

The Foundational Trust Module (FTM) is created using a secure microprocessor capable of performing all required biometric processing and secure storage of keys. The foundational device trust would satisfy the below requirements.

The module has the ability to securely generate, store, and process cryptographic keys.
Generation of asymmetric and symmetric keys with TRNG.
The module has the ability to protect keys from extraction.
The module has to protect the keys from physical tampering, temperature, frequency, and voltage-related attacks.
The module could withstand Hardware cloning.
The module could withstand probing attacks
The module provides memory segregation for cryptographic operations and protection against buffer overflow attacks
The module provides the ability to withstand cryptographic side-channel attacks like Differential Power analysis attacks, and timing attacks.
CAVP validated the implementation of the cryptographic algorithm.
The module has the ability to perform a cryptographically valid, secure boot.
The module has the ability to run trusted applications.

The foundational device trust derived from this module is used to enable trust-based computing for biometric capture. The foundational device trust module provides a trusted execution environment based on the following:

Secure Boot
- Ability to cryptographically verify code before execution.
- Ability to check for integrity violations of the module or device.
- Halt upon failure.
- The ability to securely upgrade and perform forward-only upgrades to thwart downgrade attacks.
- SHA256 hash equivalent or above should be used for all hashing requirements
- All root of trust is provisioned upon first boot or before.
- All upgrades would be considered successful only after a successful boot with proper hash and signature verification.
- The boot should fail upon hash or signature failures and never operate in an intermediary state.
- A maximum of 10 failed attempts should lock the upgrade process and brick the device. However, chip manufacturers can decide to be less than 10.
Secure application
- Ability to run applications that are trusted.
- Protect against the downgrading of applications.
- Isolated memory to support cryptographic operations.
- All trust is anchored during the first boot and not modifiable.

Certification

The FTM should have at least one of the following certifications in each category to meet the given requirement.

Category: Cryptographic Algorithm Implementation

CAVP (RSA, AES, SHA256, TRNG (DRBGVS), ECC)

The supported algorithm and curves are listed here

Category: FTM Chip

(ONE of the following certifications)

FIPS 140-2 L3 or above
PCI PTS 5 or above (Pre-certified)
PCI - PED 2.0 or above (Pre-Certified)
One of the following Common Criteria (CC) certification
- https://www.commoncriteriaportal.org/files/ppfiles/pp0035a.pdf
- https://www.commoncriteriaportal.org/files/ppfiles/pp0084a_pdf.pdf

System/Device Level Tamper (optional)

System/Device Level Tamper Responsiveness is recommended (not mandatory). In this case, FTM should be capable of showcasing Tamper Responsiveness (keys must be erased) against a tamper at the system/device level.

Threats to Protect

The FTM should protect against the following threats.

Hardware cloning attacks - Ability to protect against attacks that could result in a duplicate with keys.
Hardware Tamper attacks
- Physical tamper - No way to physically tamper and obtain its secrets.
- Voltage & frequency related attacks - Should shield against voltage leaks and should prevent low voltage. The FTM should always be in either the state operational normally or inoperable. The FTM should never be operable when its input voltages are not met.
- Temperature attacks on the crypto block - Low or High the FTM are expected to operate or reach an inoperable state. No state in between.
Differential Power Analysis attack.
Probing attacks - FTM should protect its surface area against any probe-related attacks.
Segregation of memory for execution of cryptographic operation (crypto block should be protected from buffer overflow type attacks).
Vulnerability of the cryptographic algorithm implementation.
Attacks against secure boot & secure upgrade.
TEE/Secure processor OS attack.

Foundational Trust Module Identity

Upon the FTM provider's approval by the MOSIP adopters, the FTM provider would submit a self-signed public certificate to the adopter. Let us call this the FTM root. The adopter would use this certificate to seed their device's trust database. The FTM root and their key pairs should be generated and stored in FIPS 140-2 Level 3 or more compliant devices with no possible mechanism to extract the keys. The foundational module upon its first boot is expected to generate a random asymmetric key pair and provide the public part of the key to obtain a valid certificate. The FTM provider would validate to ensure that the chip is unique and would issue a certificate with the issuer set to FTM root. The entire certificate issuance would be in a secured provisioning facility. Auditable upon notice by the adopters or its approved auditors. The certificate issued to the module will have a defined validity period as per the MOSIP certificate policy document defined by the MOSIP adopters. This certificate and private key within the FTM chip are expected to be in its permanent memory.

The validity of the chip certificate can not exceed 20 years from the date of manufacturing.

The FTM should have at least one of the following certifications in each category to meet the given requirement.

Secure Provisioning

Secure provisioning applies to both the FTM and the Device providers.

The devices and FTM should have a mechanism to protect against fraudulent attempts to create or replicate.
The device and FTM trust should be programmed in a secure facility which is certified by the respective MOSIP adopters.
The organization should have a mechanism to segregate the FTMs and Devices built for MOSIP using a cryptographically valid and repeatable process.
All debug options within the FTM or device should be disabled permanently
All key creations needed for provisioning should happen automatically using FIPS 140-2 Level 3 or higher devices. No individual or group or organization should have a mechanism to influence this behaviour.
Before the devices/FTM leaves the secure provisioning facility all the necessary trust should be established and should not be re-programmable.

As there is no adopter-specific information being exchanged at the management server or the FTM provisioning server, there are no mandates from MOSIP where these are located globally. However, the adopter is recommended to have an audit and contractual mechanisms to validate the compliance of these components at any point in time.

Partners

Overview

The MOSIP platform requires integration with several other systems. Typically, a System Integrator (SI) would assemble all the pieces together to build a complete national ID solution. All entities that participate in providing the external components are called MOSIP Partners.

Partner types

* Label: Reference in partner_type table of mosip_pms database.

Partner policies

Partner onboarding

Onboarding of a partner refers to registering a partner in a particular deployment of MOSIP. Partners need to be onboarded to establish trust. The onboarding process consists of loading partner details in the database, exchanging certificates etc, detailed in the later sections. Such onboarding is required to be done on any fresh MOSIP installation. For instance, if you install a sandbox, you would need to follow the onboarding process for each partner.

The sections below describe the onboarding process for each type of partner.

MISP

MISP should have a trusted X.509 certificate with a chain of CA certificates.
MISP self-registers on the PMS portal providing partner id, name, organisation name (same as in certificate), partner type (MISP_type) (This functionality will be available on the portal in the 1.2.x version of MOSIP)
MISP uploads all certificates.
MOSIP Admin generates the MISP license key and provides it to MISP.

Authentication Partner (AP)

AP should have a trusted X.509 certificate with a chain of CA certificates.
AP registers with MISP and obtains the MISP license key (this setup is outside of the MOSIP system).
The MISP used by AP should have been already onboarded onto MOSIP.
AP self-registers on the PMS portal providing partner id, name, organisation name (same as in certificate), partner type (Auth_Partner) etc.
AP uploaded all certificates.
AP selects the policy group and policy. This request is sent to MOSIP Admin for approval.
On approval, AP generates an API key that can be used along with the MISP license key to interact with the IDA system.

Device Provider (DP)

DP should have a trusted X.509 certificate with a chain of CA certificates.
DP self-registers on the PMS portal providing partner id, name, organisation name (same as in certificate), partner type (Device_Provider) etc.
DP uploads all certificates.
Any approval from MOSIP? (TODO)

FTM Provider (FTMP)

FTMP should have a trusted X.509 certificate with a chain of CA certificates.
FTMP self-registers on the PMS portal providing partner id, name, organisation name (same as in certificate), partner type (FTM_Provider) etc.
FTMP uploads all certificates.
TODO

Credential Partner (CP)

CP should have a trusted X.509 certificate with chain of CA certificates.
CP self-registers on PMS portal providing partner id, name, organisation name (same as in certificate), partner type (Credential_Partner) etc.
CP uploades all certificates.
CP selects the policy group and policy.
CP adds biometric extractors for the policy.

Online Verification Partner (OVP)

OVP should have a trusted X.509 certificate with a chain of CA certificates.
OVP self-registers on the PMS portal providing partner id, name, organisation name (same as in certificate), partner type (Credential_Partner) etc. (Using APIs, as OVP support on PMS Portal is available in the later version of MOSIP.)
OVP uploads all certificates.
OVP selects the policy group and policy.
OVP adds biometric extractors for the policy.

MOSIP Partner Program

The MOSIP Partner Programme (MPP) was initiated to help stakeholders connect with MOSIP, and become part of an ecosystem invested in building foundational digital ID systems that are trustworthy, secure, efficient, and interoperable while being customised to specific needs.

PMS module

Modules

Administration

Overview

The MOSIP platform is configured via the Admin application. This application can be accessed only by a privileged group of administration personnel. The admin module provides the following functions:

Management of resources via CRUD operations:
1. Zone
2. Centers (registration centers)
3. Device
4. Machine
5. Users (Admin, registration staff)
Registration administration
1. Packet status
2. Retrieve lost RID
3. Resume RID

Administrative zones

Administrative zones are virtual boundaries which a country can define to better manage their resources that are used during registrations. These resources includes Centers, Users, Machines and Devices. These zones can be defined in a hierarchical fashion and a country can allocate resources to such zones based on their requirements.
Resources under each zone is managed by a Zonal Admin. This is done by assigning an Administrative zone to the Zonal Admin during user creation.
These Zonal Admins can exist at any zonal hierarchy. (For e.g, a Zonal Admin can directly be mapped to the whole country as a Zone or can be mapped to a significantly smaller zone such as a city). Thus, these resources when mapped to an Administrative zone can only be managed by the Admin of that zone.

Activate/deactivate/decommission resources

What is deactivation of a resource?

Deactivation refers to a temporary shutdown. This means that the resource will not be available for use unless and until it is activated later through the admin portal as required by the country.

What is decommissioning a resource?

Decommission refers to a permanent shut down of the resource. This also automatically deactivates it.
The primary difference being that a decommissioned resource cannot be bought into commission again as decommission refers to a permanent shutdown.
Also, in cases where a center has some resources mapped to it (e.g. machines, devices or users), the portal will not allow the admin to decommission such a center.

Note- Activation/Deactivation/Decommission of a center in one language will be applied to the same center created in all the languages.

Services

Frontend- Admin portal

Developer Guide

API

Source code

Admin Portal User Guide

Overview

Admin application is a web-based application used by a privileged group of administrative personnel to manage various master data. The various resources that can be managed by an Admin are:

Center (Registration centers)
Device
Machine
Users (Admin, Registration staff)

Along with the resource and data management, the admin can generate master keys, check registration status, retrieve lost RID, resume processing of paused packets. To start using the Admin portal, an admin user must be assigned to a zone.

To learn more, refer the videos below!

Session1

Session2

First Admin user

Setup of hierarchial zones
Create Admin roles in KeyCloak
Create first admin user in KeyCloak and assign "GLOBAL_ADMIN" role

Note- On login of first admin user, user zone mapping is handled automatically.

The above are done automatically as part of default sandbox installation.

Select the preferred language.
Login with KeyCloak credentials.

Actions

Map the other users(admins/registration operators/supervisors) to respective zones
Create centers and assign the users to a particular center
Highly recommended: Ensure to revoke the first super user's zone mapping and role after first user actions are completed.

Admin roles and their default accessibility matrix

GLOBAL_ADMIN
ZONAL_ADMIN
REGISTRATION_ADMIN
MASTERDATA_ADMIN
KEY_MAKER

Center

This portal allows an Admin to view, create, edit, activate, deactivate and decommission registration centers.
An Admin can manage only centers under their administrative zones.

The administrator can filter the list of registration centers based on parameters like Center name, Center type, Status, Location code.

The system does not fetch the details of decommissioned registration centers but only active and inactive centers are displayed.
If the admin does not find a center, they can click the Center not available in logged in language button. Clicking on this button, displays the list of centers that are already created in other languages. On selecting a particular center, the information will be auto-populated in the Create page and be made available to the admin for modifications.
Language specific fields can be modified to create a center with the currently logged in language.

Create center

A center is created with multiple attributes and is mapped to the administrative zone that it belongs to.
A center can only be mapped to the configured location hierarchy level.
While defining centers, an admin can also define the working days of the week for a center and any exceptional holidays that might be applicable for a particular center.

Update center

An admin can update a center even after it has been created. The updates can include adding the details that were missed during creation of the center or changing the details of a center as required.
To update, click the Edit option from the Actions menu against a center name.

Note- Updates made to language specific fields updates data only for that language in the database while updates made to non-language dependent fields updates data against all the language entries for that center.

Activate/deactivate/decommission center

Select the Deactivate/Decommission option from the Actions menu against the center.
Activation/Deactivation/Decommission of a center in one language will be applied to the same center created in all the languages.

To know more, refer Activate/deactivate/decommission resources

Devices

Using this portal, an admin can manage the devices a country will use for registering residents like devices used for bio-metric capture (Fingerprint, Iris, Web camera, etc.), printers, scanners.
This portal allows an Admin to view, create, edit, activate, deactivate and decommission registration centers.
The admin portal allows an admin to view the list of all the devices available in the jurisdiction of their administrative zone.
The system does not fetch the details of decommissioned devices but only the active and inactive devices.

Note

Device entity is language agnostic (independent of languages).
The data collected about Devices is used only for book keeping, i.e., MOSIP system does not use this data for any validation.

The Admin can filter the list of Registration centers based on parameters like Device Name, Mac Address, Serial Number, Status, Map Status, Device Type, Device Spec ID.

Create devices

A Device can be created with the multiple attributes and be mapped to the Administrative Zone it belongs to.

Update devices

An admin can update missing information or change device details even after it is created.
To update, click the Edit option from the Actions menu against a device.

Activate/deactivate/decommission device

Select the Deactivate/Decommission option from the Actions menu against the device.

Map/un-map/re-map device to a center

Admin portal allows an Admin to map/un-map each device to a center.
This mapping specifies as to which center the device will be used in.
A device can only be mapped to a center which belongs under the device’s Administrative Zone.
To do so, select the device and choose a Center Name from the dropdowm.

Machines

Admin portal allows an administrator to manage the machines a country will use for registering residents.
This portal allows an Admin to view, create, edit, activate, deactivate and decommission machines.
The admin portal allows an admin to view the list of all the machines available in the jurisdiction of their administrative zone.
The system does not fetch the details of decommissioned machines but only shows the active and inactive machines.

Note:

Machine entity is also language agnostic.

The administrator can filter the list of machines based on parameters like Machine name, Mac address, Serial number, Status, Machine type.

Create machines

A machine can be created with the attributes like Machine ID, machine name, mac address, serial number, machine spec ID and administrative zone the machine belongs to.
A machine needs to be mapped to an administrative zone.

Update machines

An admin can update missing details or make changes to machine details even after it is created.
To update, click the Edit option from the Actions menu against a machine.

Note- Updates made to language specific fields updates data only for that language in the database while updates made to non-language dependent fileds updates data against all the language entries for that center.

Activate/deactivate/decommission machine

An admin can deactivate or decommission a machine through the admin portal.

Map/un-map/re-map machine to a center

Admin portal allows an Admin to map/un-map each machine to a center.
This mapping specifies as to which center the machine will be used in.
A machine can only be mapped to a center which belongs under the machine’s Administrative Zone.
To do so, select the machine and choose a Center Name from the dropdowm.

Users

MOSIP uses Keycloak as an IAM (Identity access management tool) for managing Users. These users are internal users of MOSIP including Registration Officers, Registration Supervisors, Zonal Admins, Global Admins etc.
using this portal, an Admin can map the users to a zone and a center.

User Zone Mapping

Once the user is created in KeyCloak, they need to be mapped to a zone to get access to specific information available in that zone.
Admin portal allows an admin to map users to a zone. This mapping specifies as to which zone the user will belong to.
A user can only be mapped to a zone which belongs under the user’s Administrative Zone.
A user can later be un-mapped from the zone in case a user needs to be moved to another zone. In such cases, the user will later need to be mapped to the new zone. Below image displays the list of users that are mapped to a zone.

Map/Un-map/re-map user to a zone

To map a user to a zone,

Click Resources-> User Zone mapping
Click +Map Zone
Select the User Name, Administrative Zone from the dropdown.
Click Save.

To re-map a user to a zone,

Click Resources-> User Zone mapping
Select Remap from the Actions menu against the mapped user.
Update the User Name/ Administrative Zone from the dropdown.
Click Save.

Note- If the center is already mapped, the admin needs to unmap the center to remap the zone.

User Center Mapping

Once the user is mapped to a zone, they will be listed in the screen below. Now, the user will be mapped to a center to be able to manage their assigned center.
Admin portal allows an admin to map users to a center. This mapping specifies as to which center the user will be used in.
A user can only be mapped to a center which belongs under the user’s Administrative Zone.
A user can later be un-mapped from the Center in cases where a User is needed to be moved to another Center. In such cases, the user will later need to be mapped to the new center. In case the user is required to be mapped to a Registration center outside the Administrative Zonal restriction, the Administrative Zone of the user must be changed.

Map/un-map/re-map user to a registration center

To map a user to a center,

Click Resources-> User Center Mapping
Select Map from the Actions menu against the mapped user.
Select the Center Name from the dropdown against the User Name, Administrative Zone.
Click Save.

Search and dropdowns

To get the results starting with specific character/ set of characters, prepend that specific character/set of characters with asterisk symbol.
Similarly to get the results ending with specific character/ set of characters, append that specific character/ set of characters with asterisk.
For the results containing a specific character/ set of characters, prepend and append that specific character/ set of characters with asterisk.

Below is the image illustrating the same.

Packet status (based on RID)

A Registration packet generated in Registration client is sent to Registration Processor for further processing and UIN generation.
Using this Portal, A Registration Admin can view the status of a packet by entering the RID of the packet.
The packet status will contain all the stages the packet has passed through along with the last stage the packet is in.
In case the packet has not been processed or is marked for Re-Send/Re-Register, the admin will be able to view specific comments indicating the reason for that particular status.

Pause/Resume RID

The Registration Admin has the privilege to view the registration packets that are in a paused state.
Admin can use this portal to resume or reject paused packets. They would have 3 options:
- Resume processing (from where it was paused)
- Resume from the beginning
- Reject

Once processing of a packet is resumed, it will be removed from this list

Retrieve lost RID

The Registration Admin can use this feature to retrieve lost RID.
For instance, if the resident did not provide any valid email and/or phone number and has lost the RID slip received during the registration, in order to find their RID details, the resident contact MOSIP helpline and share details such as name, centre name, registration date and postal code to the admin, who will use the lost RID feature and try to retrieve the RID number.

A few filters may be applied to retrieve the RID.

Note: This feature is currently under development.

Master Data

Admin portal allows an Admin to manage the Masterdata applicable for a country.
These data includes list of Genders, list of Holidays, Templates, Center Types, Machine Types etc.

To know more, refer to Masterdata guide.

Bulk upload

If a country decides to uplaod the data through the .csv files, they could use this feature to upload the existing data into the MOSIP platform.
The listing screen displays the uploaded data transaction information.
As the information inside .csv files may be huge, it would go through the batch job to process the information and store it in the tables. Also, it may take time to get unique transaction ID against the particular action.

Master Data

To upload Master data using Admin portal,

Go to Bulk Upload > Master Data
On the master data dashboard, click Upload Data.
Select the operation (insert/update/delete)
Select the table name into which the data needs to be uploaded into.
Click Choose file to select the data and click Upload

To view the format for inserting data in a particular table, click on the Download icon.
A CSV file gets downloaded in which the first row represents the column names and the rest of the rows are the data which will be inserted into the table(sample).
From 1.2.0.1-B2 version, apart from comma, other special characters (i.e., '|','$'etc.) can also be used as a separator in the csv file used for masterdata bulk upload. This can be done by updating the property mosip.admin.batch.line.delimiter with the same special character.

Note: While editing CSV files, it is recommended to keep track of the Date format and Time format to be the same as the acceptable formats. The acceptable Date format is YYYY-MM-DD and the acceptable Time format is HH:MM:SS. Any other Date and Time formats in CSV files will result in a DataType Mismatch Error.

Packets

To upload packets using Admin portal,

Go to Bulk Upload > Packets
On the packet upload dashboard, click Upload Packet.
Select the following from the dropdown:
- Center name
- Source (currently displays Registration Client)
- Process (New, Update UIN, Lost, Biometric correction)
- Supervisor status (Approved/Rejected)
These details are important if the packet needs to be synced before upload.
Click Choose file to select the packets and click Upload.

How is the packet upload performed with or without DATA_READ role?

For uploading the packets through the Admin portal, ensure that the packets are available in the machine or the external hard disk connected from where the Admin Portal is being used.

Key Manager

With the help of this feature, the Admin user can generate and manage the keys required in MOSIP.

GenerateMasterKey

The logged in user with KEY_MAKER role will have access to view and generate the master key in the Admin portal.
Using this option, the logged in user will be able to generate only the Root key and Module master key. To generate the key, the user has to select the Application ID from the options available in the drop down, leave the Reference ID as blank for Root and Module master key and provide other certificate attributes to be used at the time of generation of certificate for the key.
This certificate attributes in the portal are optional, if not provided, default values configured in Key Manager service will be used.
For Kernel signature key (which is considered as the master key and stored in HSM), Reference ID needs to be provided and the value has to be SIGN.
Force flag option is available in key generation. The logged in user can select option value True to force invalidating existing key and generate new key in Key Manager service.
The logged in user has to select the return object after the generation of key.
The user can select either Certificate or CSR (Certificate Signing Request). The key will be generated only when the key is not available in Key Manager service otherwise already generated key certificate will be returned for the generation request.

GenerateCSR

CSR (certificate signing request) is required when there is a need to procure a valid certificate from a valid CA.
GenerateCSR option can be used to request for a CSR and this option will be visible to all the users who log in to the Admin portal.
The logged in user can request for generation of CSR for any key generated in Key Manager service.
The user has to provide the Application ID and Reference ID to get a CSR.
New key will be auto-generated in case the key does not exist and the already existing key has expired for the Module Encryption keys.
Whereas, for Module master key or Root key, new key will not get auto-generated in case the key does not exist, but new key will get auto generated if the key exists and has expired. Current valid key will always be used to generate a CSR.

GetCertificate

The user can get certificate for all the keys generated in Keymanager and any partner certificates uploaded in Keymanager service for partner data share purpose.
GetCertificate option is visible to all the users who log in to the Admin portal.
The user has to provide the Application ID and Reference ID to get a certificate.
New key will be auto generated in case the key does not exist and the already existing key has expired for Module encryption keys.
Whereas, for Module master key or Root key, new key will not get auto-generated in case the key does not exist, but new key will get auto-generated if the key exists and has expired. For partner certificate, new key will not get generated in Key Manager service.
Only current valid certificates will be returned when the user requests for a certificate.

UploadCertificate

The logged in user can use this option to update the certificate for all the keys generated in Key Manager service.
This option is used in scenarios where a valid CA certificate has been procured for a key available in Key Manager service.

UploadOtherDomainCertificate

The logged in use can use this option to upload partner certificate in Key Manager service.
Partner certificates will be used in Key Manager service to encrypt any sharable data using the partner certificate required in datashare from MOSIP to any partner.
Partner certificates can also be used in Key Manager service for signature verification purpose.

Admin Services Developers Guide

Overview

The admin application is a web-based application used by a privileged group of administrative personnel to manage various master data. The various resources that can be managed by an administrator are:

Center (Registration centers)
Device
Machine
User (Admin, Registration staff)

Along with resource and data management, the admin can generate master keys, check registration status, retrieve lost RIDs, and resume processing of paused packets.

Masterdata Service exposes API to perform CRUD operations on masterdata through Admin service.
Hotlist Service provides functionality to block/unblock any IDs with option of expiry. This hotlisted information will also be published to MOSIP_HOTLIST WebSub topic.
Sync Data Service can be accessed only by the privileged group of admin personnel and enables default configurations and seed data to be setup when the MOSIP platform gets initialized.

The admin module has four services:

Admin service
Kernel Masterdata service
Kernel Syncdata service
Hotlist service

The documentation here will guide you through the pre-requisites required for the developer' setup.

Software setup

JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
pgAdmin
Postman
Git/GitHub Desktop
Notepad++ (optional)
lombok.jar (file)
settings.xml

Follow the steps below to set up Admin Services on your local system:

Download lombok.jar and settings.xml.
Unzip Apache Maven and move the unzipped folder in C:\Program Files and settings.xml to conf folder C:\Program Files\apache-maven-3.8.4\conf.
Install Eclipse, open the lombok.jar file and wait for some time until it completes the scan for Eclipse IDE and then click Install/ Update.

Check the Eclipse installation folder C:\Users\userName\eclipse\jee-2021-12\eclipse to see if the lombok.jar is added. By doing this, you don't have to add the dependency of lombok in your pom.xml file separately as it is auto-configured by Eclipse.
Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.

Code setup

For the code setup, clone admin-services repository and follow the guidelines mentioned in the Code Contributions.

Importing and building of a project

Open the project folder where pom.xml is present.
Open command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project and wait for the build to complete successfully.
After building of a project, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successful importing of project, update the project by right-click on Project → Maven → Update Project.

Environment setup

For the environment setup, you need an external JAR that is available here with different versions. (E.g.: You can download kernel-auth-adapter.jar and add to project Libraries → Classpath → Add External JARs → Select Downloaded JAR → Add → Apply and Close).

Clone admin-services repository.
Any changes in the properties for Masterdata and Admin services should be done in application-local1.properties file.
By default the Admin-services is connected to dev environment.
To run the specific service from IDE, Open IDE -> Specific service -> src/main/java/io.mosip.specific service -> Right click on the file and select run as Java Application.

For example, to run the Admin service, open IDE -> admin-service -> src/main/java/io.mosip.admin -> Right click on AdminBootApplication.java and select run as Java Application.

To run the specific service from Command Prompt, Open Project folder -> open command prompt from same folder -> Execute java -jar target/specific-service-1.2.0.jar.

For example, to run the admin service, Open Project folder -> open command prompt from same folder -> Execute java -jar target/admin-service-1.2.0-SNAPSHOT.jar.

The service should now be up and running.

Admin services API

For API documentation, refer here.
The APIs can be tested with the help of Swagger-UI and Postman.
Swagger is an interface description language for describing restful APIs expressed using JSON. You can access Swagger-UI of admin-services for dev-environment from:

Admin service– http://dev.mosip.net/v1/admin/swagger-ui/index.html?configUrl=/v1/admin/v3/api-docs/swagger-config#/ and localhost from http://localhost:8098/v1/admin/swagger-ui/index.html?configUrl=/v1/admin/v3/api-docs/swagger-config#/.

Masterdata- http://dev.mosip.net/v1/masterdata/swagger-ui/index.html?configUrl=/v1/masterdata/v3/api-docs/swagger-config#/ and localhost from http://localhost:8086/v1/masterdata/swagger-ui/index.html?configUrl=/v1/masterdata/v3/api-docs/swagger-config#/.

Syncdata- http://dev.mosip.net/v1/syncdata/swagger-ui/index.html?configUrl=/v1/syncdata/v3/api-docs/swagger-config#/ and localhost from http://localhost:8089/v1/syncdata/swagger-ui/index.html?configUrl=/v1/syncdata/v3/api-docs/swagger-config#/.

Hotlist- http://dev.mosip.net/v1/hotlist/swagger-ui/index.html?configUrl=/v1/hotlist/v3/api-docs/swagger-config#/ and localhost from http://localhost:8095/v1/hotlist/swagger-ui/index.html?configUrl=/v1/hotlist/v3/api-docs/swagger-config#/

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster. It is widely used tool for API testing.
Create an environment as shown in the image below.

This environment is created for dev. Give the variable name as url and set both the values as https://dev.mosip.net.

In the similar way, create another environment for localhost as shown below.

This environment is created for localhost. Give the variable name as url and set both the values as http://localhost:8099.

Masterdata Guide

Overview

Masterdata is the necessary base data to run MOSIP services. The data resides in . This data needs to be customized for a country specific deployment.

Populating masterdata

Masterdata may be uploaded in the following manner:

One-time bulk upload:
1. (for sandbox installation): Using . The default data uploaded during sandbox installation is available in .
2. Country specific data: Using .
Updates: Updates to tables may be done using the .

Creating country specific data

The tables that need to be modified for country specific data are listed below. Other tables in mosip_master DB are either system-filled or pre-filled and not to be modified.

Common guidelines

Copy Excel files from to a folder.
For all tables listed below modify lang_code and add corresponding rows for your .
Modify the files for your deployment as per guide below.
Upload first time using scripts given .
Subsequently, update data ONLY using .

Tables to be updated

Android Registration Client

Overview

The Android Registration Client is a tablet application that serves as a portable version of the existing desktop . It has been developed to support accessibility on all Android devices. The existance of Android Registration Client came about in order to meet the mobility requirements of countries adopting MOSIP.

The primary objective of the tablet version is to facilitate the registration process for residents, specifically those who are unable to physically visit registration centres and also serve remote locations where setting up Registration centres is not feasible. To address this challenge, the Android Registration Client was created, enabling Operators/ Supervisors to easily reach the remote areas and maximise resident registrations across the country.

To have a quick glance at the features, refer the video below!

Features

The first developer release of Android Registration Client offers the following key features:

Operator/ Supervisor Login (offline and online): Operators can securely log in using their credentials, whether in offline or online mode, to carry out various registration transactions. To enable offline login, the Operator must have previously logged in and synchronized their data over a network.
Multi-language support: The Android Registration Client supports multiple languages for content display and data entry.
- Display Language: Display Language refers to the language used for rendering UI elements such as labels and headings. With the Android Registration Client, Operators have the option to choose their preferred language for UI display. This language selection can be made on the login screen. Currently, the supported display languages include Arabic, French, English.
  New languages can be added by following the below steps:
  i. Additional languages can be configured by adding localisation files in lib/l10n folder present in the root project directory("android_registration_client").
  ii. The languages that are rendered on the UI will be based on the country configuration (after master data sync). The default display language is English. The other languages will be available in the UI after master data sync.
- Data Entry Language: The Data Entry Language refers to the specific language utilized by the Operator while gathering data, which is then stored on the server in that selected language. During the registration process, the Operator can choose the language preference for the data collected, allowing applicants to provide information in their desired language. This language selection option becomes available upon initiating a new registration. The responsibility for managing the data entry language lies within the UI Spec, and any modifications or changes can be made through that specification.
Auto-Sync/ manual sync: On launching the Android Registration Client and logging in for the first time, the system automatically syncs the following data:
- Configuration sync: Sync of properties which drives in deciding the ARC UI functionality. For example: Invalid login attempts, idle timeout, thresholds, etc.
- Masterdata sync: As a part of this sync, supporting information like Dynamic fields data, templates, locations, screen authorization, blocklisted words, etc. are pulled in.
- UserDetails sync: userID, along with their status is synced. Only the user details belonging to machine mapped center will be synced.
- Certificate sync: Certificates used to validate the server signatures, device CA certificates, public key (specific to a center and machine, also called as policy key) used to encrypt the registration packet will be synced.
- Consent: Prior to the registration process, applicants must provide consent to the terms and conditions presented on the consent screen. This explicitly asks the applicant to grant permission for storing and using their Personally Identifiable Information (PII).
- Demographic Details: Once the consent is obtained, the Operator will enter the demographic data of the applicant in the language preferred by the applicant. This includes details such as their name, gender, date of birth, and residential address.
- Documents Upload: Following the completion of the demographic details, the Operator can select the document type, input the reference, and upload the supporting documents provided by the applicant. Supporting documents may include Proof of Address, Proof of Identity, and Proof of Birth, based on the country-specific requirements.
- Biometrics: After the documents have been uploaded, the Operator will proceed to capture the applicant's biometrics. The biometrics captured are as follows:
The acquisition of biometric data is regulated by the country. The country has control over the capture of each type of biometric (fingerprint, iris, or face) through the global configuration. When the Operator selects the Capture button, the biometric SBI application is accessed to capture the biometrics. Once the biometrics are obtained, the data and control are returned to the Android Registration Client. To obtain the resident's biometrics, the quality of the captured image must exceed the threshold specified by the country. The biometrics can be captured set number of times if necessary to meet the quality threshold. In situations where none of the captured images meet the threshold, the image with the highest quality score will be saved.
If the resident has a biometric exception (such as a missing finger/eye or very poor finger/iris quality), the Operator can designate that particular biometric as an exception. However, the Operator must still capture the resident's exception photo.
- Preview section: The Operator has the ability to review the data entered by the applicant, including demographic information, uploaded documents, and captured biometrics. This preview allows the Operator to ensure the accuracy of the entered data. If any mistakes are found, the Operator can easily go back to the corresponding section and make the necessary corrections. If the data is correct, the Operator can proceed to the next step, which is to authenticate themselves.
- Operator authentication: Once both the Operator and applicant have confirmed that the data is accurately filled, the Operator is required to authenticate themselves using their credentials. After a successful authentication, the data packets are created and only then the sync and upload operations can be performed.
- Packet sync: After the applicant's registration form has been completed and the Operator has authenticated themselves, a packet sync must be performed. This can be done either manually or as a background job(auto sync and uplaod of packets). Packet sync ensures that the packet is prepared for uploading and the status of the uploaded packet is synchronized with the server.
- Packet Upload: Once the packet sync is successfully completed, the system will proceed to upload the packet to the server when an internet connection is available. If there is no network access, the system will attempt to upload the packet as soon as connectivity is established.
- Acknowledgment section: Following the completion of the new registration process, an acknowledgment receipt is generated. This receipt includes the AID(Application ID), captured demographic data in the selected language, a photograph of the resident, and a ranking of each finger from 1 to 10, with 1 representing the finger with the best quality. The receipt is designed to be easily printed.

How to install Android Registration Client (ARC)

Download and install the APK on Android tablet.
Once ARC is installed, long press on the logo to copy the machine details.
- Go to Resources/Machine and click on Create machine
- Add a new machine and enter the machine details:
  - Add the specs as Android
  - Map it to a Zone and Center
  - Add the Machine spec ID as Android
  - Enter Device name
  - Enter Public Key
  - Enter Sign Public Key
- Create the role Default in KeyCloak with all the other roles.
- Create the Operator’s user account in KeyCloak and set the password and assign the role as Default, REGISTRATION_OFFICER, Registration Operator, REGISTRATION_SUPERVISOR
- Login into Admin Portal to perform the following and add the user:
  - After login into Admin Portal, go to User Zone Mapping and add the zone for the user and activate the zone.
  - Go to User Center Mapping and add the center for the user and activate it.

Note: The user should be assigned to the same Zone and Center as the device.

Configuration Guide

UI Specifications

Compatibility

The Android Registration Client is compatible with the following MOSIP platform versions:

1.1.5.x
LTS 1.2.0 and above

Configuration Guide

This guide provides a comprehensive list of configurable properties for the Android Registration Client. Please note that this list is not exhaustive but serves as a helpful checklist for reviewing commonly configured properties.

It is important to acknowledge that all properties listed in this guide are automatically synchronized with the Android Registration Client. These properties are sourced from the registration-default.properties file.

Configuration files

application-default.properties
registration-default.properties

Timeouts in milliseconds set during any http calls to SBI.

Quality score threshold based on modality, Possible values 1 to 100

Retry attemps, Possible values 1 to 10

Quality score threshold based on modality for operator authentication, Possible values 1 to 100`

Batch Size

Jobs like RID sync, packet upload, status sync is carried out in batches, number of registration records to be executed in a batch on every trigger.

Scheduled Jobs

Default CRON expression for scheduling the Jobs.

mosip.registration.sync_jobs_restart_freq=0 0 */11 ? * *

Other Configurations

Enables / disables reviewer authentication on any biometric exception during registration
mosip.registration.reviewer_authentication_configuration=Y
If enabled, cross-checks of residents biometrics with locally stored operator biometric templates.
mosip.registration.mds.deduplication.enable.flag=N
Minimum disk space required to create a packet - in MB
mosip.registration.disk_space_size=5
Maximum no. of days for approved packet pending to be synced to server beyond which Registration Client is frozen for registration
mosip.registration.last_export_registration_config_time=100
No. of days beyond audit creation date to delete audits
mosip.registration.audit_log_deletion_configured_days=10
Maximum duration to which registration is permitted without sync of master data
mosip.registration.sync_transaction_no_of_days_limit=5
Allowed number of invalid login attempts
mosip.registration.invalid_login_count=50
Configuration used to check if any sync job is missed/ failed beyond expected days, this configuration is checked everytime operator clicks on any registration process. We follow below convention to create this config key.
mosip.registration.job api name as in sync_job_def table.frequency=value in days

Date formats

Date format to be displayed on acknowledgement slip, default value - dd/MM/yyyy hh:mm a
mosip.registration.application_date_format
Date format to be displayed on Registration Client dashboard, default format - dd MMM hh:mm a
mosip.registration.dashboard_date_format

Supporting properties for 1.1.5.x server compatibility

Due to the absence of UI specifications in the 1.1.5.x versions, the android regclient addresses backward compatibility by migrating the schema of these versions to the LTS UI Spec structure.

In order to facilitate this migration, certain configurations and templates have been incorporated to ensure compatibility with the 1.1.5.x server. The list of these configurations is provided below.

mosip.registration.consent-screen-template-name=reg-consent-screen-content-template
Consent screen is not a part of 1.1.5.x schema structure. So, we are completely fetching this consent screen content from master.template table, and the templateTypeCode for the consent screen content is mentioned in the above configuration.
mosip.registration.individual-biometrics-id=individualBiometrics
The id of individual biometrics should be mentioned in the above property according to the configured 1.1.5.x schema.
mosip.registration.introducer-biometrics-id=guardianBiometrics
The id of guardian/ introducer biometrics should be mentioned in the above property according to the configured 1.1.5.x schema.
mosip.registration.infant-agegroup-name=INFANT
The age-group name for infants (aged below 5 years) which is configured in the configured server should be mentioned in the above property.
mosip.registration.agegroup-config={"INFANT":{"bioAttributes":["face"],"isGuardianAuthRequired":true},"ADULT":{"bioAttributes":["leftEye","rightEye","rightIndex","rightLittle","rightRing","rightMiddle","leftIndex","leftLittle","leftRing","leftMiddle","leftThumb","rightThumb","face"],"isGuardianAuthRequired":false},"SENIOR_CITIZEN":{"bioAttributes":["leftEye","rightEye","rightIndex","rightLittle","rightRing","rightMiddle","leftIndex","leftLittle","leftRing","leftMiddle","leftThumb","rightThumb","face"],"isGuardianAuthRequired":false}}
The above property indicates list of age-groups, required bio-attributes, and a flag which indicates guardian authentication is required or not. This property should be changed according to the server configuration and requirements.
mosip.registration.allowed-bioattributes=leftEye,rightEye,rightIndex,rightLittle,rightRing,rightMiddle,leftIndex,leftLittle,leftRing,leftMiddle,leftThumb,rightThumb,face
The above property defines the list of bio-attributes that are allowed for scanning during registration. If there are any changes in the server, it should be changed accordingly.
mosip.registration.default-app-type-code=000

The above property defines the default applicantTypeCode. In LTS, we have applicanttype.mvel script to fetch the documents according to the age, gender and some other attributes. Based on the applicant details, the script returns an applicantTypeCode which can be any value from “000” to “014”, and respective documents will be fetched from master.applicant_valid_document table. Since we do not have this script defined in 1.1.5.x to handle this, we have added a default applicantTypeCode.

Developer Guide

The documentation here will guide you through the pre-requisites and the other necessary details required for Android Registration Client developer setup.

The android-registration-client repository contains the Android Registration Client software for MOSIP. The feature-flutter branch focuses on integrating Flutter into the client.

Setup

To set up the Android Registration Client with Flutter and Android Studio, follow the steps below:

Pre-requisites

Flutter SDK (>3.10): Install Flutter by following the official Flutter installation guide.
Android Studio (or Any IDE of your choice): Download and install Android Studio from the official Android Studio website.

Step 1: Clone the Repository

The feature-flutter branch of android-reg-client is currently being actively developed. If you wish to access this branch, you can clone the repository by executing the following command in your terminal. Alternatively, you can download one of the releases available in the repository's release section.

git clone -b feature-flutter https://github.com/mosip/android-registration-client.git

Active Branches:

developer-release/flutter/0.9.x (developer release branch)
feature-flutter (active development branch)

Step 2: Set up Flutter in Android Studio

To begin, launch Android Studio.
Next, select Open an existing Android Studio project and navigate to the cloned repository.
Open the android-registration-client directory as a project in Android Studio.
In order to integrate Flutter with Android Studio, install the Flutter plugin by accessing File > Settings > Plugins and searching for Flutter. Proceed to click on Install to install the plugin.
To ensure proper functionality, configure the Flutter SDK path by navigating to File > Settings > Languages & Frameworks > Flutter and specifying the Flutter SDK path as the location where you have installed Flutter.
Finally, save the changes by clicking on the "Apply" button.

Customising the Registration Client

Styling of the application can be configured by modifying these files lib/utils/app_style.dart, lib/utils/app_config.dart
Application language bundles can be added to this path lib/l10n.
Label and application logo can be changed here android/app/src/main/AndroidManifest.xml

Step 3: Build and Run the Application

The pigeon.sh file consists of the necessary commands for downloading dependencies and generating Flutter - Android native communication code. Please execute the pigeon.sh file or execute the commands within the file separately.
Ensure you have connected an Android device or initiated an Android emulator.
Open the terminal within Android Studio or use an external terminal.
Navigate to the android-registration-client directory.
Run the following command in order to build and execute the application:

flutter run

Step 4: Build, debug and release APK

Excecute the commands below to debug and release the APK

// Debug APK
flutter build apk --debug

// Release APK
flutter build apk --release

Set up Mock MDS for Biometric Scan

The Mock MDS tool can be utilized to simulate the functionalities of biometric devices. The Mock MDS application is compliant with CTK standards and can serve as a substitute for Android SBI modules during testing and validation.

Install the Mock MDS application.
Access the Settings menu.
Under Device Configuration, choose Registration from the dropdown menu.
In P12 Configuration:
- Enter the necessary credentials for the Device Key and upload the Device P12 file.
- Enter the required credentials for the FTM Key and upload the FTM P12 file.
- Complete all fields in MOSIP IDA Configuration.
In Modality Configuration, specify the quality score for Face, Finger, and Iris scans(these values can also be adjusted during testing).
Click on the Save button.
Go back to the Home Page and select LOAD AND VALIDATE CERTIFICATES.

A toast message will be displayed indicating the success of the validation process.

Note: To view the released version of the Mock SBI APK, click here.

To download the Mock SBI APK, click on camera-mds.zip.

Contributions

If you would like to contribute to the Android Registration Client, please follow the guidelines outlined here.

License

The Android Registration Client is licensed under the MIT License.

Support

If you encounter any issues or have any questions, please open an issue on the GitHub repository.

Sources

GitHub- mosip/android-registration-client: Reference Android Registration Client Software - WIP
Flutter- Get started: Install
Android Studio- Download

Automation Testing

Overview

MOSIP provides automation test repositories for the following:

Admin UI

Selenium webdriver-based Admin Portal Automation covers CRUD (create, read, update and delete) operation performed via UI with Chrome driver.

Registration Client

Registration test automation covers these flows: New, Update, Correction, and Lost flows.

To know more about each, click here.

Functional Tests

This repository contains API automation tests. The automation is written using Java REST Assured and TestNG framework. The following modules are covered:

Pre-registration
Masterdata
Partner Management
ID Repository
IDA
Resident

Functional tests support multi-languages, i.e., the input can be provided in any of the languages configured in a given MOSIP installation.

Automation Tests

This repository contains a test framework for end-to-end testing of MOSIP functionality. The following functionalities are covered:

Registration
Pre-registration + Registration
Authentication

Artifactory

Overview

The artifactory contains miscellaneous libraries that are downloaded at runtime by modules. The contents of the artifactory may be updated based on a specific installation.

Commons

Overview

As the name suggests, Commons refers to all the common services (also called "kernel") that are used by other modules of MOSIP. The Kernel services are listed below:

API

Refer API Documentation.

Developer Guide

To know more about the developer setups, read:

Audit Manager Developers Guide

Overview

module provides audit-related functionalities.

Below is a list of tools required for auditing:

JDK 11
Any IDE (like Eclipse, IntelliJ IDEA)
Apache Maven (zip folder)
PostgreSQL
Any DB client (like DBeaver, pgAdmin)
Postman (any HTTP Client)
Git
Any Editor (like Vscode, Notepad++ etc optional)
lombok.jar (jar file)
settings.xml (document)

Software setup

1. Download and .

2. Unzip Apache Maven and move settings.xml to the "conf" folder <apache maven unzip path>\conf.

4. Check the Eclipse installation folder to see if the lombok.jar is added.

5. Configure the JDK (Standard VM) with your Eclipse by traversing through Preferences → Java → Installed JREs.

Source code setup

Importing and building

Open the project folder where pom.xml is present.
Open the command prompt from the same folder.
Run the command mvn clean install -Dgpg.skip=true -DskipTests=true to build the project.
After building, open Eclipse and select Import Projects → Maven → Existing Maven Projects → Next → Browse to project directory → Finish.
After successfully importing of project, update the project by right-clicking on Project → Maven → Update Project.

Environment setup

4. The audit uses two property files, kernel-default and application-default. Please configure them as needed. For instance,

Update the mosip.kernel.auditmanager-service-logs-location property to update the location of log files.
Update URL's in property files.(It can be either pointed to any remotely or locally deployed services)

java -jar -Dspring.profiles.active=native -Dspring.cloud.config.server.native.search-locations=file:{mosip-config-mt_folder_path}/config -Dspring.cloud.config.server.accept-empty=true -Dspring.cloud.config.server.git.force-pull=false -Dspring.cloud.config.server.git.cloneOnStart=false -Dspring.cloud.config.server.git.refreshRate=0 {jarName} .

6. Run the server by opening the config-server-start.bat file.

7. To verify the config-server, hit the below URL:

http://localhost:51000/config/{spring.profiles.active}/{spring.cloud.config.name}/{spring.cloud.config.label} for instance http://localhost:51000/config/kernel/env/master.

Initialization and utilization of module

Audit REST service consist of bootstrap.properties file in src/main/resources.
Below properties needed to be modified in order to connect to the config server:
Services can be run using Run As -> Spring Boot App/Java Application.
The API's can be tried with the help of Swagger-UI and Postman.
Swagger-UI of service can be accessed from (https/http)://(<domain>/<host>:<port>)/<context-path>/swagger-ui/index.html?configUrl=<contect-path>/v3/api-docs/swagger-config for instance https://dev2.mosip.net/v1/auditmanager/swagger-ui/index.html?configUrl=/v1/auditmanager/v3/api-docs/swagger-config.
The API's can be tried using postman by copying CURL command below, updating host and importing in Postman.

Datashare

Overview

The DataShare service is used to share data with other entrusted services and partners. The mechanism shares are the following:

Retrieves and stores data to be shared in and returns a Datashare URL.
It fetches data from the Object Store when the Datashare URL is called.

The sharing of data is controlled by the .

Data is encrypted before sharing it with partners. Learn more about .

The relationship of Datashare Service with other services is explained here. NOTE: The numbers do not signify the sequence of operations or control flow. Arrows indicate the data flow.

ABIS Handler Stage creates datashare for ABIS.
Manual Adjudication Stage creates datashare for adjudication.
Verification Stage creates datashare for verification.
Retrieves datashare from the object store when the datashare URL is called.
Print Service creates UIN PDF and uploads to datashare through Credential.
Printing Stage creates credentials for printing systems and sends the data through datashare.

Deployment

Resident Portal Configuration Guide

The provided guide presents a list of essential properties that can be customised according to a specific installation. Please note that this list is not exhaustive but rather acts as a checklist to review properties that are expected to differ from their default settings. If you require access to all properties, please refer to the files mentioned below.

Configuration files

Resident Service uses the following configuration files:

application-default.properties
resident-default.properties
resident-ui-personalized-card-schema.json
resident-ui-share-credential-schema.json
resident-ui-update-demographics-schema.json

Database

Properties used for configuring the database.

mosip.resident.database.hostname=postgres-postgresql.postgres
mosip.resident.database.port=5432
javax.persistence.jdbc.driver=org.postgresql.Driver
javax.persistence.jdbc.url=jdbc:postgresql://${mosip.resident.database.hostname}:${mosip.resident.database.port}/mosip_resident
javax.persistence.jdbc.user=residentuser
javax.persistence.jdbc.password=******

Token generation

resident.appid=resident
resident.clientId=******
resident.secretKey=******
token.request.issuerUrl=${mosip.keycloak.issuerUrl}

Online Verification Partner

ida.online-verification-partner-id=******

DB properties to skip automatic table creation in startup

hibernate.show_sql=false
hibernate.hbm2ddl.auto=none
hibernate.temp.use_jdbc_metadata_defaults=false
hibernate.jdbc.lob.non_contextual_creation = true
spring.jpa.properties.hibernate.temp.use_jdbc_metadata_defaults=false

Allowed Authentication types and default unlock duration

These are the authentication types allowed for a resident and default unlock duration.

auth.types.allowed=otp-email,otp-phone,demo,bio-FINGER,bio-IRIS,bio-FACE
resident.auth-type.default.unlock.duration.seconds=100

Template type codes for allowed Auth-type list (auth.types.allowed)

Templates type codes for authentication types:

resident.otp-email.template.property.attribute.list=mosip.otp-email.template.property
resident.otp-phone.template.property.attribute.list=mosip.otp-phone.template.property
resident.demo.template.property.attribute.list=mosip.demo.template.property
resident.bio-FINGER.template.property.attribute.list=mosip.bio-finger.template.property
resident.bio-IRIS.template.property.attribute.list=mosip.bio-iris.template.property
resident.bio-FACE.template.property.attribute.list=mosip.bio-face.template.property

Validation properties

Below are the properties used for validation purpose:

mosip.id.validation.identity.phone=^([6-9]{1})([0-9]{9})$
mosip.id.validation.identity.email=^[\\w-\\+]+(\\.[\\w]+)*@[\\w-]+(\\.[\\w]+)*(\\.[a-zA-Z]{2,})$
resident.grievance-redressal.alt-email.chars.limit=128
resident.grievance-redressal.alt-phone.chars.limit=64
resident.grievance-redressal.comments.chars.limit=1024
resident.share-credential.purpose.chars.limit=1024
mosip.resident.eid.length=16
mosip.resident.eventid.searchtext.length=${mosip.resident.eid.length}
resident.message.allowed.special.char.regex=^[A-Za-z0-9 .,-]+$
resident.purpose.allowed.special.char.regex=^[A-Za-z0-9 .,-]+$
resident.id.allowed.special.char.regex=^[0-9]+$
resident.document.validation.transaction-id.regex=^[0-9]{10}$
resident.document.validation.document-id.regex=^[A-Za-z0-9-]{20,}$
resident.validation.is-numeric.regex=^[0-9]+$
resident.otp.validation.transaction-id.regex=^[0-9]{10}$
resident.validation.event-id.regex=^[0-9]{${mosip.resident.eid.length}}$

Security

mosip.security.csrf-enable:false
mosip.security.secure-cookie:false

Keycloak authentication client

token.request.appid=resident
token.request.clientId=******
token.request.secretKey=******

Keycloak authentication allowed audience

auth.server.admin.allowed.audience=mosip-resident-client,mosip-reg-client,${mosip.iam.module.clientID}

Identity mapping json file

Property used to get the identity mapping json

registration.processor.identityjson=identity-mapping.json
identity-mapping-file-name=identity-mapping.json
identity-mapping-file-url=${config.server.file.storage.uri}${identity-mapping-file-name} 
identity-mapping-file-source=url:${identity-mapping-file-url}

Machine creation and search configurations

Properties used for machine specification and center:

resident.update-uin.machine-name-prefix = resident_machine_
resident.update-uin.machine-spec-id = RESIDENT-1
resident.update-uin.machine-zone-code = MOR
resident.center.id=10007
resident.machine.id=10011

Auth Adapter rest template authentication configurations

mosip.iam.adapter.appid=resident
mosip.iam.adapter.clientid=******
mosip.iam.adapter.clientsecret=******

Exclusion list

This is an exclusion list of URL patterns that should not be a part of authentication and authorization.
Properties used to define the endpoints that should not be part of authentication.

mosip.service.end-points=/**/req/otp,/**/proxy/**/*,/**/validate-otp,/**/channel/verification-status,/**/req/credential/**,/**/req/card/*,/**/req/auth-history,/**/rid/check-status,/**/req/auth-lock,/**/req/auth-unlock,/**/req/update-uin,/**/req/print-uin,/**/req/euin,/**/credential/types,/**/req/policy/**,/**/aid/status,/**/individualId/otp,/**/mock/**,/**/callback/**,/**/download-card,/**/download/registration-centers-list/**,/**/download/supporting-documents/**,/**/vid/policy,/**/vid,/vid/**,/**/download/nearestRegistrationcenters/**,/**/authorize/admin/validateToken,/**/logout/user,/**/aid-stage/**

Configuration for re-captcha

mosip.resident.captcha.enable=true
mosip.resident.captcha.id.validate=mosip.resident.captcha.id.validate
mosip.resident.captcha.sitekey=******
mosip.resident.captcha.secretkey=******
mosip.resident.captcha.resourse.url=http://resident-captcha.resident/resident/v1/captcha/validatecaptcha
mosip.resident.captcha.recaptcha.verify.url=https://www.google.com/recaptcha/api/siteverify

Resident UI properties

These properties (comma separated values) are used to define the keys of the properties to be exposed to UI.

resident.ui.propertyKeys=mosip.mandatory-languages,mosip.optional-languages,mosip.utc-datetime-pattern,mosip.iam.adapter.clientid,resident.datetime.pattern,mosip.resident.api.id.otp.request,mosip.resident.api.id.auth,mosip.resident.api.version.otp.request,mosip.resident.api.version.auth,mosip-prereg-host,mosip-prereg-ui-url,auth.types.allowed,resident.template.tnc.order-a-physical-card,resident.template.tnc.share-cred-with-partner,resident.template.tnc.update-demo,resident.view.history.serviceType.filters,resident.view.history.status.filters,resident.auth-type.default.unlock.duration.seconds,mosip.resident.grievance.url,mosip.api.public.host,mosip.resident.captcha.sitekey,mosip.resident.captcha.secretkey,mosip.webui.auto.logout.idle,mosip.webui.auto.logout.ping,mosip.webui.auto.logout.timeout,mosip.resident.download.registration.centre.file.name.convention,mosip.resident.download.supporting.document.file.name.convention,mosip.resident.download.personalized.card.naming.convention,mosip.resident.ack.manage_my_vid.name.convention,mosip.resident.ack.secure_my_id.name.convention,mosip.resident.ack.personalised_card.name.convention,mosip.resident.ack.update_my_data.name.convention,mosip.resident.ack.share_credential.name.convention,mosip.resident.ack.order_physical_card.name.convention,mosip.resident.ack.name.convention,mosip.resident.uin.card.name.convention,mosip.resident.vid.card.name.convention,mosip.resident.download.service.history.file.name.convention,mosip.resident.download.nearest.registration.centre.file.name.convention,auth.internal.id,auth.internal.version,mosip.registration.processor.print.id,mosip.registration.processor.application.version,vid.create.id,mosip.resident.create.vid.version,resident.vid.version,resident.vid.version.new,resident.revokevid.version,resident.revokevid.version.new,resident.vid.id,resident.vid.id.generate,resident.vid.policy.id,resident.vid.get.id,auth.type.status.id,resident.authlock.id,resident.checkstatus.id,resident.checkstatus.version,resident.euin.id,resident.printuin.id,resident.uin.id,resident.rid.id,resident.updateuin.id,resident.authunlock.id,resident.authhistory.id,resident.authLockStatusUpdateV2.id,resident.authLockStatusUpdateV2.version,resident.service.history.id,resident.service.history.version,resident.document.upload.id,resident.document.get.id,resident.document.get.version,resident.document.list.id,resident.document.list.version,resident.service.pin.status.id,resident.service.pin.status.version,resident.service.unpin.status.id,resident.service.unpin.status.version,resident.document.delete.id,resident.document.delete.version,resident.contact.details.update.id,resident.contact.details.send.otp.id,mosip.resident.service.status.check.id,mosip.resident.service.status.check.version,resident.service.unreadnotificationlist.id,resident.service.event.id,resident.service.event.version,resident.identity.info.id,resident.identity.info.version,resident.share.credential.id,resident.share.credential.version,mosip.resident.request.response.version,vid.revoke.id,resident.revokevid.id,mosip.resident.revokevid.id,mosip.resident.grievance.ticket.request.id,mosip.resident.grievance.ticket.request.version,resident.channel.verification.status.id,resident.channel.verification.status.version,resident.event.ack.download.id,resident.event.ack.download.version,resident.download.card.eventid.id ,resident.download.card.eventid.version,mosip.resident.request.vid.card.id,mosip.resident.request.vid.card.version,mosip.credential.request.service.id,mosip.credential.request.service.version,mosip.resident.checkstatus.individualid.id,mosip.resident.checkstatus.individualid.version,mosip.resident.download.personalized.card.id,mosip.resident.transliteration.transliterate.id,resident.ui.properties.id,resident.ui.properties.version,resident.nearby.centers.distance.meters,resident.ui.notification.update.interval.seconds,mosip.kernel.otp.expiry-time,resident.grievance-redressal.alt-email.chars.limit,resident.grievance-redressal.alt-phone.chars.limit,resident.grievance-redressal.comments.chars.limit,resident.share-credential.purpose.chars.limit,mosip.resident.eventid.searchtext.length,mosip.kernel.uin.length,mosip.kernel.vid.length,mosip.kernel.rid.length,mosip.resident.eid.length,mosip.kernel.otp.default-length,resident.message.allowed.special.char.regex,resident.purpose.allowed.special.char.regex,resident.id.allowed.special.char.regex,resident.version.new,mosip.resident.identity.auth.internal.id,resident.validation.event-id.regex,resident.document.validation.transaction-id.regex,resident.document.validation.document-id.regex,resident.validation.is-numeric.regex,resident.otp.validation.transaction-id.regex,,mosip.resident.captcha.enable,resident.download.reg.centers.list.id,resident.download.nearest.reg.centers.id,resident.download.supporting.documents.id,resident.send.card.id,resident.pinned.eventid.id,resident.unpinned.eventid.id,resident.auth.proxy.partners.id,resident.events.eventid.id,resident.notification.id,resident.profile.id,resident.notification.click.id,mosip.credential.store.id,resident.vids.id

MOSIP e-Signet configuration

mosip.iam.module.clientID=******
mosip.iam.module.clientsecret=
mosip.iam.base.url=https://${mosip.esignet.host}/v1/esignet
mosip.iam.authorization_endpoint=https://${mosip.esignet.host}/authorize
mosip.iam.token_endpoint=${mosip.iam.base.url}/oauth/token
mosip.iam.userinfo_endpoint=${mosip.iam.base.url}/oidc/userinfo
mosip.iam.certs_endpoint=${mosip.iam.base.url}/oauth/.well-known/jwks.json
auth.server.admin.issuer.uri=${mosip.iam.base.url}
auth.server.admin.issuer.domain.validate=true
auth.server.admin.oidc.userinfo.url=${mosip.iam.userinfo_endpoint}
mosip.iam.module.token.endpoint.private-key-jwt.auth.enabled=true
mosip.iam.module.token.endpoint.private-key-jwt.expiry.seconds=7200
mosip.resident.oidc.userinfo.jwt.signed=true

Auth Adapter ValidateTokenHelper

This property will directly apply the certs URL without the need for constructing the path from issuer URL. This is useful for keeping different certs URL for integrating with MOSIP e-Signet for offline token validation.

auth.server.admin.oidc.certs.url=${mosip.iam.certs_endpoint}
mosip.iam.logout.offline=true
auth.server.admin.validate.url=
mosip.resident.oidc.userinfo.jwt.verify.enabled=false

mosip.iam.module.redirecturi=${mosip.api.internal.url}/resident/v1/login-redirect/
mosip.iam.module.login_flow.name=authorization_code
mosip.iam.module.login_flow.scope=openid profile Manage-Identity-Data Manage-VID Manage-Authentication Manage-Service-Requests Manage-Credentials
mosip.iam.module.login_flow.claims={"userinfo":{"name":{"essential":true},"picture":{"essential":true},"email":{"essential":true},"phone_number":{"essential":true},"individual_id":{"essential":true}}}
mosip.iam.module.login_flow.response_type=code
mosip.iam.module.admin_realm_id=mosip

User-info claim attributes

Used in open-id-connect based login with UIN/VID in MOSIP e-Signet(IDP)

mosip.resident.identity.claim.individual-id=individual_id
mosip.resident.identity.claim.ida-token=ida_token

Scopes

Used for login purpose:

mosip.scope.resident.getinputattributevalues=Manage-Identity-Data
mosip.scope.resident.patchrevokevid=Manage-VID
mosip.scope.resident.postgeneratevid=Manage-VID
mosip.scope.resident.getvids=Manage-VID
mosip.scope.resident.getAuthTransactions=Manage-Service-Requests
mosip.scope.resident.postAuthTypeUnlock=Manage-Authentication
mosip.scope.resident.postAuthTypeStatus=Manage-Authentication
mosip.scope.resident.getAuthLockStatus=Manage-Authentication
mosip.scope.resident.patchUpdateUin=Manage-Identity-Data
mosip.scope.resident.getServiceAuthHistoryRoles=Manage-Service-Requests
mosip.scope.resident.postSendPhysicalCard=Manage-Credentials
mosip.scope.resident.getUnreadServiceList=Manage-Service-Requests
mosip.scope.resident.getNotificationCount=
mosip.scope.resident.getNotificationClick=Manage-Service-Requests
mosip.scope.resident.getupdatedttimes=Manage-Service-Requests
mosip.scope.resident.postRequestDownloadPersonalizedCard=Manage-Credentials
mosip.scope.resident.postRequestShareCredWithPartner=Manage-Credentials
mosip.scope.resident.postUnPinStatus=Manage-Service-Requests
mosip.scope.resident.postPinStatus=Manage-Service-Requests
mosip.scope.resident.getDownloadCard=Manage-Credentials
mosip.scope.resident.postPersonalizedCard=Manage-Credentials
mosip.scope.resident.getOrderRedirect=Manage-Credentials

Key manager encryption/ decryption configuration

Properties used to define application and reference id.

APPLICATION_Id=RESIDENT
PARTNER_REFERENCE_Id=mpartner-default-resident
mosip.resident.keymanager.application-name=RESIDENT
mosip.resident.keymanager.reference-id=resident_document
mosip.datashare.application.id=PARTNER
mosip.datashare.reference.id=mparter-default-euin
mosip.resident.oidc.keymanager.reference.id=IDP_USER_INFO
mosip.resident.sign.pdf.application.id=KERNEL
mosip.resident.sign.pdf.reference.id=SIGN

Object Store configuration

For Minio: object.store.s3.url=http://minio.minio:9000

For AWS: object.store.s3.url=s3.${s3.region}.amazonaws.com

mosip.resident.object.store.account-name=resident
mosip.resident.object.store.bucket-name=resident
mosip.resident.object.store.adapter-name=s3Adapter
object.store.s3.use.account.as.bucketname=true
object.store.s3.accesskey=******
object.store.s3.secretkey=******
object.store.s3.url=http://minio.minio:9000
object.store.s3.region=${s3.region}
object.store.s3.readlimit=10000000

Virus Scanner configuration

Property used to enable virus scanner flag

mosip.resident.virus-scanner.enabled=true

VID Policy URL

Property used to get the vid policy json:

mosip.resident.vid-policy-url=${config.server.file.storage.uri}mosip-vid-policy.json

Resident UI Schema JSON file

Property used to get the UI schema json

resident-ui-schema-file-name-prefix=resident-ui
resident-ui-schema-file-url=${config.server.file.storage.uri}${resident-ui-schema-file-name-prefix}
resident-ui-schema-file-source-prefix=url:${resident-ui-schema-file-url}

Credential Data format MVEL file name

This property is used to get the data format from MVEL file:

resident-data-format-mvel-file-name=credentialdata.mvel
resident-data-format-mvel-file-url=${config.server.file.storage.uri}${resident-data-format-mvel-file-name} 
resident-data-format-mvel-file-source=url:${resident-data-format-mvel-file-url}

WebSub Topic and callback properties for auth-type status event

Below websub properties are used for authentication type status event:

resident.websub.authtype-status.secret=******
resident.websub.authtype-status.topic=AUTH_TYPE_STATUS_UPDATE_ACK
resident.websub.callback.authtype-status.relative.url=${server.servlet.context-path}/callback/authTypeCallback
resident.websub.callback.authtype-status.url=${mosip.api.internal.url}${resident.websub.callback.authtype-status.relative.url}

WebSub Topic and callback properties for auth-transaction status event

Below websub properties used for authentication transaction status event:

resident.websub.authTransaction-status.secret=******
resident.websub.authTransaction-status.topic=AUTHENTICATION_TRANSACTION_STATUS
resident.websub.callback.authTransaction-status.relative.url=${server.servlet.context-path}/callback/authTransaction
resident.websub.callback.authTransaction-status.url=${mosip.api.internal.url}${resident.websub.callback.authTransaction-status.relative.url}

WebSub Topic and callback properties for credential status event

Below websub properties used for credential status event:

resident.websub.credential-status.secret=******
resident.websub.credential-status.topic=CREDENTIAL_STATUS_UPDATE
resident.websub.callback.credential-status.relative.url=${server.servlet.context-path}/callback/credentialStatusUpdate
resident.websub.callback.credential-status.url=${mosip.api.internal.url}${resident.websub.callback.credential-status.relative.url}

TokenId generator

mosip.kernel.tokenid.uin.salt=******
mosip.kernel.tokenid.partnercode.salt=******

Mask functions

Properties used to get the data format from MVEL file.

resident.email.mask.function=maskEmail
resident.phone.mask.function=maskPhone
resident.data.mask.function=convertToMaskData

Batch job configuration for credential status update

mosip.resident.update.service.status.job.enabled=false
mosip.resident.update.service.status.job.initial-delay=60000
#Interval for checking the credential status for async requests. Note, this is done as a fallback though credential status update is hanlded in resident service via websub notification.
mosip.resident.update.service.status.job.interval.millisecs=600000

Template type codes for terms and conditions

resident.template.tnc.order-a-physical-card=tnc-order-a-physical-card
resident.template.tnc.share-cred-with-partner=tnc-share-cred-with-partner
resident.template.tnc.update-demo=tnc-update-demo

Template type codes for email subject

resident.template.email.subject.request-received.cust-and-down-my-card=cust-and-down-my-card-request-received-email-subject
resident.template.email.subject.success.cust-and-down-my-card=cust-and-down-my-card-success-email-subject
resident.template.email.subject.failure.cust-and-down-my-card=cust-and-down-my-card-failure-email-subject

resident.template.email.subject.request-received.order-a-physical-card=order-a-physical-card-request-received-email-subject
resident.template.email.subject.success.order-a-physical-card=order-a-physical-card-success-email-subject
resident.template.email.subject.failure.order-a-physical-card=order-a-physical-card-failure-email-subject

resident.template.email.subject.request-received.share-cred-with-partner=share-cred-with-partner-request-received-email-subject
resident.template.email.subject.success.share-cred-with-partner=share-cred-with-partner-success-email-subject
resident.template.email.subject.failure.share-cred-with-partner=share-cred-with-partner-failure-email-subject

resident.template.email.subject.request-received.lock-unlock-auth=lock-unlock-auth-request-received-email-subject
resident.template.email.subject.success.lock-unlock-auth=lock-unlock-auth-success-email-subject
resident.template.email.subject.failure.lock-unlock-auth=lock-unlock-auth-failure-email-subject

resident.template.email.subject.request-received.update-demo-data=update-demo-data-request-received-email-subject
resident.template.email.subject.success.update-demo-data=update-demo-data-success-email-subject
resident.template.email.subject.failure.update-demo-data=update-demo-data-failure-email-subject

resident.template.email.subject.request-received.gen-or-revoke-vid=gen-or-revoke-vid-request-received-email-subject
resident.template.email.subject.success.gen-or-revoke-vid=gen-or-revoke-vid-success-email-subject
resident.template.email.subject.failure.gen-or-revoke-vid=gen-or-revoke-vid-failure-email-subject

resident.template.email.subject.request-received.vid-card-download=vid-card-download-request-received-email-subject
resident.template.email.subject.success.vid-card-download=vid-card-download-success-email-subject
resident.template.email.subject.failure.vid-card-download=vid-card-download-failure-email-subject

resident.template.email.subject.request-received.get-my-uin-card=get-my-uin-card-request-received-email-subject
resident.template.email.subject.success.get-my-uin-card=get-my-uin-card-success-email-subject
resident.template.email.subject.failure.get-my-uin-card=get-my-uin-card-failure-email-subject

resident.template.email.subject.request-received.verify-my-phone-email=verify-my-phone-email-request-received-email-subject
resident.template.email.subject.success.verify-my-phone-email=verify-my-phone-email-success-email-subject
resident.template.email.subject.failure.verify-my-phone-email=verify-my-phone-email-failure-email-subject

resident.template.email.subject.success.send-otp=receive-otp-mail-subject
resident.template.email.subject.success.validate-otp=validate-otp-mail-subject

Template type codes for email content

resident.template.email.content.request-received.cust-and-down-my-card=cust-and-down-my-card-request-received-email-content
resident.template.email.content.success.cust-and-down-my-card=cust-and-down-my-card-success-email-content
resident.template.email.content.failure.cust-and-down-my-card=cust-and-down-my-card-failure-email-content

resident.template.email.content.request-received.order-a-physical-card=order-a-physical-card-request-received-email-content
resident.template.email.content.success.order-a-physical-card=order-a-physical-card-success-email-content
resident.template.email.content.failure.order-a-physical-card=order-a-physical-card-failure-email-content

resident.template.email.content.request-received.share-cred-with-partner=share-cred-with-partner-request-received-email-content
resident.template.email.content.success.share-cred-with-partner=share-cred-with-partner-success-email-content
resident.template.email.content.failure.share-cred-with-partner=share-cred-with-partner-failure-email-content

resident.template.email.content.request-received.lock-unlock-auth=lock-unlock-auth-request-received-email-content
resident.template.email.content.success.lock-unlock-auth=lock-unlock-auth-success-email-content
resident.template.email.content.failure.lock-unlock-auth=lock-unlock-auth-failure-email-content

resident.template.email.content.request-received.update-demo-data=update-demo-data-request-received-email-content
resident.template.email.content.success.update-demo-data=update-demo-data-success-email-content
resident.template.email.content.failure.update-demo-data=update-demo-data-failure-email-content

resident.template.email.content.request-received.gen-or-revoke-vid=gen-or-revoke-vid-request-received-email-content
resident.template.email.content.success.gen-or-revoke-vid=gen-or-revoke-vid-success-email-content
resident.template.email.content.failure.gen-or-revoke-vid=gen-or-revoke-vid-failure-email-content

resident.template.email.content.request-received.vid-card-download=vid-card-download-request-received-email-content
resident.template.email.content.success.vid-card-download=vid-card-download-success-email-content
resident.template.email.content.failure.vid-card-download=vid-card-download-failure-email-content

resident.template.email.content.request-received.get-my-uin-card=get-my-uin-card-request-received-email-content
resident.template.email.content.success.get-my-uin-card=get-my-uin-card-success-email-content
resident.template.email.content.failure.get-my-uin-card=get-my-uin-card-failure-email-content

resident.template.email.content.request-received.verify-my-phone-email=verify-my-phone-email-request-received-email-content
resident.template.email.content.success.verify-my-phone-email=verify-my-phone-email-success-email-content
resident.template.email.content.failure.verify-my-phone-email=verify-my-phone-email-failure-email-content

resident.template.email.content.success.send-otp=receive-otp-mail-content
resident.template.email.content.success.validate-otp=validate-otp-mail-content

Template type codes for sms content

resident.template.sms.request-received.cust-and-down-my-card=cust-and-down-my-card-request-received_SMS
resident.template.sms.success.cust-and-down-my-card=cust-and-down-my-card-success_SMS
resident.template.sms.failure.cust-and-down-my-card=cust-and-down-my-card-failure_SMS

resident.template.sms.request-received.order-a-physical-card=order-a-physical-card-request-received_SMS
resident.template.sms.success.order-a-physical-card=order-a-physical-card-success_SMS
resident.template.sms.failure.order-a-physical-card=order-a-physical-card-failure_SMS

resident.template.sms.request-received.share-cred-with-partner=share-cred-with-partner-request-received_SMS
resident.template.sms.success.share-cred-with-partner=share-cred-with-partner-success_SMS
resident.template.sms.failure.share-cred-with-partner=share-cred-with-partner-failure_SMS

resident.template.sms.request-received.lock-unlock-auth=lock-unlock-auth-request-received_SMS
resident.template.sms.success.lock-unlock-auth=lock-unlock-auth-success_SMS
resident.template.sms.failure.lock-unlock-auth=lock-unlock-auth-failure_SMS

resident.template.sms.request-received.update-demo-data=update-demo-data-request-received_SMS
resident.template.sms.success.update-demo-data=update-demo-data-success_SMS
resident.template.sms.failure.update-demo-data=update-demo-data-failure_SMS

resident.template.sms.request-received.gen-or-revoke-vid=gen-or-revoke-vid-request-received_SMS
resident.template.sms.success.gen-or-revoke-vid=gen-or-revoke-vid-success_SMS
resident.template.sms.failure.gen-or-revoke-vid=gen-or-revoke-vid-failure_SMS

resident.template.sms.request-received.vid-card-download=vid-card-download-request-received_SMS
resident.template.sms.success.vid-card-download=vid-card-download-success_SMS
resident.template.sms.failure.vid-card-download=vid-card-download-failure_SMS

resident.template.sms.request-received.get-my-uin-card=get-my-uin-card-request-received_SMS
resident.template.sms.success.get-my-uin-card=get-my-uin-card-success_SMS
resident.template.sms.failure.get-my-uin-card=get-my-uin-card-failure_SMS

resident.template.sms.request-received.verify-my-phone-email=verify-my-phone-email-request-received_SMS
resident.template.sms.success.verify-my-phone-email=verify-my-phone-email-success_SMS
resident.template.sms.failure.verify-my-phone-email=verify-my-phone-email-failure_SMS

resident.template.sms.success.send-otp=receive-otp
resident.template.sms.success.validate-otp=validate-otp

Template type codes for purpose (success) content

resident.template.purpose.success.cust-and-down-my-card=cust-and-down-my-card-positive-purpose
resident.template.purpose.success.order-a-physical-card=order-a-physical-card-positive purpose
resident.template.purpose.success.share-cred-with-partner=share-cred-with-partner-positive-purpose
resident.template.purpose.success.lock-unlock-auth=lock-unlock-auth-positive-purpose
resident.template.purpose.success.update-demo-data=update-demo-data-positive-purpose
resident.template.purpose.success.gen-or-revoke-vid=gen-or-revoke-vid-positive-purpose
resident.template.purpose.success.get-my-uin-card=get-my-uin-card-positive-purpose
resident.template.purpose.success.verify-my-phone-email=verify-my-phone-email-positive-purpose
resident.template.purpose.success.vid-card-download=vid-card-download-positive-purpose

Template type codes for purpose (in-progress/failure) content

resident.template.purpose.failure.cust-and-down-my-card=cust-and-down-my-card-negative-purpose
resident.template.purpose.failure.order-a-physical-card=order-a-physical-card-negative purpose
resident.template.purpose.failure.share-cred-with-partner=share-cred-with-partner-negative-purpose
resident.template.purpose.failure.lock-unlock-auth=lock-unlock-auth-negative-purpose
resident.template.purpose.failure.update-demo-data=update-demo-data-negative-purpose
resident.template.purpose.failure.gen-or-revoke-vid=gen-or-revoke-vid-negative-purpose
resident.template.purpose.failure.get-my-uin-card=get-my-uin-card-negative-purpose
resident.template.purpose.failure.verify-my-phone-email=verify-my-phone-email-negative-purpose
resident.template.purpose.failure.vid-card-download=vid-card-download-negative-purpose

Template type codes for summary (success) content

resident.template.summary.success.cust-and-down-my-card=cust-and-down-my-card-success-summary
resident.template.summary.success.order-a-physical-card=order-a-physical-card-success-summary
resident.template.summary.success.share-cred-with-partner=share-cred-with-partner-success-summary
resident.template.summary.success.lock-unlock-auth=lock-unlock-auth-success-summary
resident.template.summary.success.update-demo-data=update-demo-data-success-summary
resident.template.summary.success.gen-or-revoke-vid=gen-or-revoke-vid-success-summary
resident.template.summary.success.get-my-uin-card=get-my-uin-card-success-summary
resident.template.summary.success.verify-my-phone-email=verify-my-phone-email-success-summary
resident.template.summary.success.vid-card-download=vid-card-download-positive-summary

Template type codes for acknowledgement PDFs

resident.template.ack.share-cred-with-partner=acknowledgement-share-cred-with-partner
resident.template.ack.manage-my-vid=acknowledgement-manage-my-vid
resident.template.ack.order-a-physical-card=acknowledgement-order-a-physical-card
resident.template.ack.download-a-personalized-card=acknowledgement-download-a-personalized-card
resident.template.ack.update-demographic-data=acknowledgement-update-demographic-data
resident.template.ack.verify-email-id-or-phone-number=acknowledgement-verify-email-id-or-phone-number
resident.template.ack.secure-my-id=acknowledgement-secure-my-id
resident.template.ack.authentication.request=acknowledgment-authentication-request
resident.template.ack.get.my.id=acknowledgment-get-my-id
resident.template.ack.vid.card.download=acknowledgment-vid-card-download

Template type codes for supporting documents, service history, registration centers and VID card

resident.template.support-docs-list=supporting-docs-list
mosip.resident.service.history.template.type.code=service-history-type
resident.template.registration.centers.list=registration-centers-list
mosip.resident.vid.card.template.property=vid-card-type

Template required properties

resident.template.date.pattern=dd-MM-yyyy
resident.template.time.pattern=HH:mm:ss
resident.ui.track-service-request-url=https://${mosip.resident.host}/#/uinservices/trackservicerequest?eid=

View history filters

resident.view.history.serviceType.filters=ALL,AUTHENTICATION_REQUEST,SERVICE_REQUEST,DATA_UPDATE_REQUEST,ID_MANAGEMENT_REQUEST,DATA_SHARE_REQUEST
resident.view.history.status.filters=all,Success,In Progress,Failed

Maximum data to download in a PDF

resident.service-history.download.max.count=100
resident.registration-centers.download.max.count=100

Registration Center search configuration

The Registration centers will be searched based on the distance value in meters from the Geo location identified

resident.nearby.centers.distance.meters=2000

Page size in Bell Icon Notification list and view history

resident.notifications.default.page.size=100
resident.view-history.default.page.size=10

auth.validate.id-token=true
idToken=id_token
auth.token.header=Authorization
mosip.resident.access_token.auth_mode.claim-name=acr
mosip.resident.oidc.id_token.ida_token.claim-name=sub
mosip.resident.oidc.auth_token.expiry.claim-name=exp
mosip.resident.oidc.userinfo.encryption.enabled=false
mosip.client.assertion.reference.id=
mosip.include.payload=true
mosip.include.certificate=true
mosip.include.cert.hash=false

Rectangle coordinates for PDF signed data

mosip.resident.service.uincard.lowerleftx=73
mosip.resident.service.uincard.lowerlefty=100
mosip.resident.service.uincard.upperrightx=300
mosip.resident.service.uincard.upperrighty=300
mosip.resident.service.uincard.signature.reason="Digitally Signed"

File name for the downloaded PDFs

mosip.resident.download.registration.centre.file.name.convention=Registration_centers_{timestamp}
mosip.resident.download.supporting.document.file.name.convention=Supporting_documents_{timestamp}
mosip.resident.download.personalized.card.naming.convention=Personalised_card_{eventId}_{timestamp}
mosip.resident.ack.manage_my_vid.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.secure_my_id.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.personalised_card.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.update_my_data.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.share_credential.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.order_physical_card.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.ack.name.convention=Ack_{featureName}_{eventId}_{timestamp}
mosip.resident.uin.card.name.convention=UIN_{eventId}_{timestamp}
mosip.resident.vid.card.name.convention=VID_{eventId}_{timestamp}
mosip.resident.download.service.history.file.name.convention=View_history_{timestamp}
mosip.resident.download.nearest.registration.centre.file.name.convention=Registration_centers_{timestamp}
mosip.resident.download.card.naming.convention=Get_my_UIN_{timestamp}

Credential request configuration

mosip.resident.request.credential.credentialType=euin
mosip.resident.request.credential.isEncrypt=true
mosip.resident.request.credential.encryption.key=******

mosip.digital.card.credential.type=PDFCard
mosip.credential.issuer=******

Claim names

mosip.resident.name.token.claim-name=name
mosip.resident.photo.token.claim-photo=picture
mosip.resident.individual.id.claim.name=individual_id
mosip.resident.email.token.claim-email=email
mosip.resident.phone.token.claim-phone=phone_number

OTP Flooding

Configure Time limit for OTP Flooding scenario (in minutes).

otp.request.flooding.duration=1
otp.request.flooding.max-count=10

Maximum file size and types for uploading document

mosip.max.file.upload.size.in.bytes=2306867
mosip.allowed.extension=pdf,jpeg,png,jpg

Reg-proc packet status codes

resident.success.packet-status-code.list=PROCESSED,SUCCESS,UIN_GENERATED
resident.in-progress.packet-status-code.list=PROCESSING,REREGISTER,RESEND,RECEIVED,UPLOAD_PENDING,AWAITING_INFORMATION,REPROCESS
resident.failure.packet-status-code.list=REJECTED,FAILED,REPROCESS_FAILED

Reg-proc packet transaction type codes

resident.REQUEST_RECEIVED.packet-transaction-type-code.list=PACKET_RECEIVER,VIRUS_SCAN,SECUREZONE_NOTIFICATION,UPLOAD_PACKET,VALIDATE_PACKET,PACKET_CLASSIFICATION
resident.VALIDATION_STAGE.packet-transaction-type-code.list=CMD_VALIDATION,OPERATOR_VALIDATION,QUALITY_CLASSIFIER,SUPERVISOR_VALIDATION,INTRODUCER_VALIDATION,BIOMETRIC_AUTHENTICATION,EXTERNAL_INTEGRATION
resident.VERIFICATION_STAGE.packet-transaction-type-code.list=DEMOGRAPHIC_VERIFICATION,MANUAL_ADJUDICATION,VERIFICATION,BIOGRAPHIC_VERIFICATION
resident.UIN_GENERATION_STAGE.packet-transaction-type-code.list=UIN_GENERATOR,BIOMETRIC_EXTRACTION,NOTIFICATION,FINALIZATION,PACKET_REPROCESS
resident.CARD_READY_TO_DOWNLOAD.packet-transaction-type-code.list=PRINT_SERVICE,PRINT_POSTAL_SERVICE,PRINT

Synchronous events

resident.request.success.status.list.AUTHENTICATION_REQUEST=AUTHENTICATION_SUCCESSFUL,Y
resident.request.failed.status.list.AUTHENTICATION_REQUEST=AUTHENTICATION_FAILED,N

resident.request.new.status.list.DOWNLOAD_PERSONALIZED_CARD=NEW
resident.batchjob.process.success.status.list.DOWNLOAD_PERSONALIZED_CARD=CARD_DOWNLOADED
resident.request.failed.status.list.DOWNLOAD_PERSONALIZED_CARD=FAILED

resident.request.new.status.list.GET_MY_ID=NEW
resident.request.in-progress.status.list.GET_MY_ID=OTP_REQUESTED
resident.request.success.status.list.GET_MY_ID=CARD_DOWNLOADED,OTP_VERIFIED
resident.request.failed.status.list.GET_MY_ID=FAILED

resident.request.new.status.list.BOOK_AN_APPOINTMENT=
resident.request.success.status.list.BOOK_AN_APPOINTMENT=
resident.request.failed.status.list.BOOK_AN_APPOINTMENT=

resident.request.new.status.list.GENERATE_VID=NEW
resident.request.success.status.list.GENERATE_VID=VID_GENERATED
resident.request.failed.status.list.GENERATE_VID=FAILED

resident.request.new.status.list.REVOKE_VID=NEW
resident.request.success.status.list.REVOKE_VID=VID_REVOKED
resident.request.failed.status.list.REVOKE_VID=FAILED

resident.request.new.status.list.SEND_OTP=
resident.request.success.status.list.SEND_OTP=
resident.request.failed.status.list.SEND_OTP=

resident.request.new.status.list.VALIDATE_OTP=OTP_REQUESTED
resident.request.success.status.list.VALIDATE_OTP=OTP_VERIFIED
resident.request.failed.status.list.VALIDATE_OTP=OTP_VERIFICATION_FAILED

resident.request.new.status.list.DEFAULT=
resident.request.success.status.list.DEFAULT=
resident.request.failed.status.list.DEFAULT=

Asyc Request Types

resident.async.request.types=VID_CARD_DOWNLOAD,ORDER_PHYSICAL_CARD,SHARE_CRED_WITH_PARTNER,UPDATE_MY_UIN

Asynchronous events

resident.request.new.status.list.SHARE_CRED_WITH_PARTNER=NEW
resident.request.in-progress.status.list.SHARE_CRED_WITH_PARTNER=ISSUED
resident.request.success.status.list.SHARE_CRED_WITH_PARTNER=RECEIVED,DATA_SHARED_SUCCESSFULLY,STORED
resident.request.failed.status.list.SHARE_CRED_WITH_PARTNER=FAILED
resident.request.notification.status.list.SHARE_CRED_WITH_PARTNER=FAILED,RECEIVED,DATA_SHARED_SUCCESSFULLY,STORED

resident.request.new.status.list.ORDER_PHYSICAL_CARD=NEW
resident.request.in-progress.status.list.ORDER_PHYSICAL_CARD=PAYMENT_CONFIRMED,ISSUED,PRINTING,IN_TRANSIT
resident.request.success.status.list.ORDER_PHYSICAL_CARD=CARD_DELIVERED
resident.request.failed.status.list.ORDER_PHYSICAL_CARD=FAILED,PAYMENT_FAILED
resident.request.notification.status.list.ORDER_PHYSICAL_CARD=PAYMENT_CONFIRMED,ISSUED,PRINTING,IN_TRANSIT,CARD_DELIVERED,FAILED,PAYMENT_FAILED,CARD_DELIVERED

resident.request.new.status.list.UPDATE_MY_UIN=NEW
resident.request.in-progress.status.list.UPDATE_MY_UIN=PROCESSING,PAUSED,RESUMABLE,REPROCESS,PAUSED_FOR_ADDITIONAL_INFO
resident.request.success.status.list.UPDATE_MY_UIN=PROCESSED,DATA_UPDATED,STORED,CARD_READY_TO_DOWNLOAD,CARD_DOWNLOADED
resident.request.failed.status.list.UPDATE_MY_UIN=FAILED,REJECTED,REPROCESS_FAILED
resident.request.notification.status.list.UPDATE_MY_UIN=PROCESSED,DATA_UPDATED,STORED,CARD_READY_TO_DOWNLOAD,CARD_DOWNLOADED,FAILED,REJECTED,REPROCESS_FAILED

resident.request.new.status.list.AUTH_TYPE_LOCK_UNLOCK=NEW
resident.request.in-progress.status.list.AUTH_TYPE_LOCK_UNLOCK=
resident.request.success.status.list.AUTH_TYPE_LOCK_UNLOCK=COMPLETED
resident.request.failed.status.list.AUTH_TYPE_LOCK_UNLOCK=FAILED
resident.request.notification.status.list.AUTH_TYPE_LOCK_UNLOCK=COMPLETED,FAILED

resident.request.new.status.list.VID_CARD_DOWNLOAD=NEW
resident.request.in-progress.status.list.VID_CARD_DOWNLOAD=ISSUED
resident.request.success.status.list.VID_CARD_DOWNLOAD=STORED,CARD_READY_TO_DOWNLOAD,CARD_DOWNLOADED
resident.request.failed.status.list.VID_CARD_DOWNLOAD=FAILED
resident.request.notification.status.list.VID_CARD_DOWNLOAD=STORED,CARD_READY_TO_DOWNLOAD,CARD_DOWNLOADED,FAILED

Attributes name based template type codes

Define property name in below format-

resident..template.property.attribute.list

resident.fullName.template.property.attribute.list=mosip.full.name.template.property
resident.dateOfBirth.template.property.attribute.list=mosip.date.of.birth.template.property
resident.UIN.template.property.attribute.list=mosip.uin.template.property
resident.perpetualVID.template.property.attribute.list=mosip.perpetual.vid.template.property
resident.phone.template.property.attribute.list=mosip.phone.template.property
resident.email.template.property.attribute.list=mosip.email.template.property
resident.fullAddress.template.property.attribute.list=mosip.address.template.property
resident.addressLine1.template.property.attribute.list=mosip.address.line1.template.property
resident.addressLine2.template.property.attribute.list=mosip.address.line2.template.property
resident.addressLine3.template.property.attribute.list=mosip.address.line3.template.property
resident.province.template.property.attribute.list=mosip.province.template.property
resident.city.template.property.attribute.list=mosip.city.template.property
resident.zone.template.property.attribute.list=mosip.zone.template.property
resident.postalCode.template.property.attribute.list=mosip.postal.code.template.property
resident.region.template.property.attribute.list=mosip.region.template.property
resident.gender.template.property.attribute.list=mosip.gender.template.property
resident.photo.template.property.attribute.list=mosip.photo.template.property
resident.preferredLang.template.property.attribute.list=mosip.preferred.language.template.property
resident.default.template.property.attribute.list=mosip.defualt.template.property

Class name of the referenceValidator

Commenting or removing this property will disable reference validator.

mosip.kernel.idobjectvalidator.referenceValidator=io.mosip.kernel.idobjectvalidator.impl.IdObjectReferenceValidator

Cache expiration time (in milliseconds)

template.cache.expiry.time.millisec=86400000

Request time validation

For validating request time as per before and after time limit (in seconds) in contact-details/update API.

resident.future.time.limit=60
resident.past.time.limit=60

Date time formatting styles

The java.time.format.FormatStyle enum to use for date time formatting based on locale. Allowed values with examples are:

FULL ('Tuesday, April 12, 1952 AD' or '3:30:42pm PST')
LONG('January 12, 1952')
MEDIUM ('Jan 12, 1952')
SHORT ('12.13.52' or '3:30pm')

Current value is MEDUIM. For more details refer to the enum.

resident.date.time.formmatting.style=MEDIUM
resident.date.time.replace.special.chars={" ": "_", "," : "", ":" : "."}

URL pattern for logging filter. For example, "/callback/" .Defaults to "/".

logging.level.root=INFO
logging.level.io.mosip.resident.batch=INFO
logging.level.io.mosip.resident.filter=DEBUG
resident.logging.filter.enabled=false
resident.logging.filter.url.pattern=/*

Rest template logger filter

This will print the request details such as URL, headers and body for debugging purpose. Default is false.

logging.level.io.mosip.resident.config.LoggingInterceptor=DEBUG
resident.rest.template.logging.interceptor.filter.enabled=false

Websub properties

subscriptions-delay-on-startup_millisecs=120000
re-subscription-interval-in-seconds=43200
resident.websub.request.decorator.filter.enabled=true

Resident Portal User Guide

The Resident Portal is a user-friendly web-based platform designed to assist residents in accessing various services associated with their Unique Identification Number (UIN). This portal offers a range of essential services such as:

UIN services using UIN/VID (through e-Signet):
- View My History
- Manage My VID
- Secure My ID
- Track My Requests
- Get Personalised Card
- Share My Data
- Logout
Get Information
- About Registration Centers
- List of supporting documents
Get My UIN (using UIN/ VID/ AID)
Verify email ID and/ or phone number
Responsive UI support- Support for the application to work seamlessly on various resolutions.
Book an appointment for new enrolment (via the pre-registration portal)
Ancillary features
- Font size
- Get Notifications (email and bell notifications)
- View profile details of the logged in user (name, photo, and last login details)

Below is the detailed explanation of each of the features mentioned above.

UIN Services

Residents can use these services to view, update, change, manage or share their data. They can also report an issue in case of a grievance.

Pre-requisites: To login into the Resident Portal, the resident should have their unique virtual ID (VID) or Unique Identification Number (UIN) and also have access to the registered email ID/ phone number to be able to receive the OTP.

Resident accesses the Resident Portal dashboard page.
Resident clicks on UIN Services.
The login screen appears and the resident can choose one of the options to log in.
To login with OTP authentication, the resident clicks on Log in here> More ways to login > Login with OTP.
Resident needs to enter valid VID in the Enter Your VID text field and check the box I'm not a robot.
Next, the resident clicks on the Get OTP button.
- The resident receives the OTP on the registered phone number and email ID.
- The resident needs to enter the valid OTP received within stipulated time and click the Verify button.
The resident is then navigated to the Consent page. On this page, the Essential and Voluntary claims are displayed. Additionally, they will also have to allow access to their data in Authorize Scope section to avail various services. Based on the consent provided by the resident, the services will be made available for modification.

The resident has the choice to select from the list of Voluntary claims while the Essential claims are mandatory.

The resident should now click the Continue button. The system navigates the resident to the UIN Services menu page from where they can avail various services.
Note: Consent page will be available only for first time login.

View My History

The residents can view the history of all the transactions associated with their logged-in UIN/ VID. They can also view their details and if any unaccounted entry is found, a report can be raised against the same.

The residents can perform the following:

Search: The residents can enter an Event ID to search a particular event.
Filter based on date (From date and To date): The Residents can put a “from” and “to” date in order to get the list of all the events performed in the chosen date range.
Filter based on status (Success/ In Progress/ Failure): The Residents can filter based on the status of the event. E.g.: If they want to view all “In Progress” events, they can choose the status as “In Progress”. Additionally, they can also select any combination of the above three options.
Filter based on History Type (Authentication, ID Management, Data Update, Data Share, Service Requests): The Residents can filter based on the type of event. Additionally, they can also choose any combination of the above five options.
- Authentication Request: This includes all the authentication and e-KYC requests.
- ID Management Request: This includes the below services:
  - Manage My VID (Generate/Revoke VID)
  - Verify phone number/email ID
  - Secure My ID (Lock/unlock various authentication types)
- Data Update Request: This includes the below services:
  - Update my UIN (demographic data and contact data)
- Data Share Request: This includes the below services:
  - Share with a partner
- Service Request: This includes the below services:
  - Download configured card
  - Physical card
  - Get my UIN
  - Book an appointment (lost UIN, Update UIN, Pre-registration, other)
Go button: Residents can click on the Go button once they are done selecting all the required filters.
Download the PDF of the results: The residents can download the PDF version of the search result populated.
Clicking on the accordion/ the caret of a particular event, the following options will appear:
a. View Details: The residents can view the details about an event by clicking on View Details. They will be redirected to Track My Request page with pre-filled EID where they can see further details about the event.
b. Pin Event to the top: The residents can pin the events to the top of the list based on their preference. Currently, this is configured for up to 3 events but it can be customized as per country’s requirements. Also, the resident can unpin the pinned events by clicking Unpin from Top.
c. Report a grievance: The residents can report a grievance in case of fraud or for any event not initiated by them. On clicking Report an Issue, the resident will be redirected to the Grievance Redressal Form page where they will see a set of pre-filled data as well as a set of data to be filled.
- Pre-filled data:
  - Name
  - Event ID (EID)
  - Registered Email ID
  - Registered Mobile Number
- Data to be filled:
  - Alternate Email ID
  - Alternate Mobile Number
  - Comments

Once the event is completed, a message is displayed containing the grievance tracking ID.

Below are the images with different filters on this page.

Manage My VID

On clicking Manage My VID, the resident will be taken to a page where they can view details of the existing VIDs, generate new VID, revoke existing VID or download a VID card.

The following types of VIDs can be seen based on the VID policy:

Perpetual VID
Temporary VID
One-time VID

Note: The resident can get to know about the features of a particular VID by hovering over the “i” symbol.

The residents can perform the following:

Create a new VID : The residents can click on the Create button against any of the VID type selected. They can click on Yes to proceed. Once the event is completed, a message is displayed containing the Event ID along with a link to track the service.

Revoke an existing VID: The residents can click on the Delete icon to revoke an existing VID. They can click on Yes to proceed. Once the event is completed, a message is displayed containing the Event ID along with a link to track the service.

Download a VID card:
a. The residents can click on the Download icon to initiate the download process. They can click on Download to proceed. Once the event is completed, a message is displayed containing the Event ID, a link to track the service and the password combination.
b. Once the card is ready to download, they will receive a notification for the same under the bell icon displayed on the top right corner of the screen and as an Email notification.
c. On clicking on the notification, the resident will be taken to Track My Request page with pre-filled EID.
d. On this screen, the resident will be able to download the card by clicking on Download My VID card button on the bottom left corner of the screen.
e. The downloaded card will be a password protected PDF. The residents can view the downloaded VID card by entering the password combination displayed on the screen.

View VID number: All the VID numbers will be masked by default. The residents can view the unmasked version of VID by clicking on eye icon next to the VID number.

Secure My ID

On clicking Secure My ID, the residents can view the status of all the authentication types. They can choose to lock or unlock authentication types like the following:

Email authentication
Mobile authentication
Demographic authentication
Fingerprint authentication
Iris authentication
Face authentication

The residents can perform the following,

View the current status of authentication types: The lock icon on each card indicates the current status of the authentication type. E.g.: If the lock is open, the authentication type is unlocked which means the residents can authenticate themselves using that particular authentication type and vice versa.

Lock/ unlock the authentication types: To lock/ unlock a particular authentication type, the residents can click on lock/ unlock button. Once the preferences of each authentication type is selected, the residents can click on Submit to save the changes and click Yes to proceed. Once the event is completed, a message is displayed containing the Event ID along with a link to track the service.

Track My Requests

On clicking Track My Requests, the residents can track the status of an EID associated with the logged-in UIN/ VID. They can also view and download the detailed information about the entered EID like:

Event ID- This is the unique ID provided against each event
Event Type- This is the feature that is being availed. E.g.: Lock/unlock authentication types
Event Status- This is the status of the event which can hold values like Success, Failure or In-Progress
Individual ID- This is the type of individual ID that was used to login. E.g.: VID or UIN
Summary- This the the detailed description of the event.
Timestamp- This the time when the event occurred.
Authentication Mode- This is the authentication mode used to login. E.g.: OTP or Biometric or QR code
Partner Logo- This is the logo of the registered partner.
Partner Name- This is the name of the registered partner.
Attribute List- This is the list of attributes shared with the registered partner.
Purpose- This is the purpose of sharing data with the registered partner as input by the resident.

The resident can reach Track My Requests page by the following ways:

UIN services > View history > Click on the event tile > View details
By clicking the bell icon
UIN services > Track My Requests

Note:

Residents can download their updated UIN /VID card.
Report a grievance: The residents can report a grievance in case of fraud or for any event not initiated by them. On clicking Report an Issue, the resident will be redirected to the Grievance Redressal Form page where they will see a set of pre-filled data as well as a set of data to be filled.

Get Personalised Card

On clicking Get Personalised Card, the residents can select the data to be added to their credential. They can preview the chosen data and download it. To be able to download the card, residents should select at least 3 attributes from the list mentioned below:

Name- Name of the resident. They can choose the format in which they want the name to be displayed.
Date of Birth- Date of birth of the resident. They can choose the format in which they want the date of birth to be displayed.
UIN- Unique Identification Number. They can choose to mask or unmask the UIN.
Perpetual VID- Perpetual Virtual ID. They can choose to mask or unmask the VID.
Phone number- Registered phone number of the resident. They can choose to mask or unmask the phone number.
Email ID- Registered email ID of the resident. They can choose to mask or unmask the email ID.
Address- Address of the resident. They can choose the format in which they want the address to be displayed.
Gender
Photo

These details can be previewed as and when the attributes are chosen.

Once the event is completed, a message is displayed containing the Event ID along with a link to track the service.

On clicking Share My Data, the residents can choose the data to be shared with any of the registered partners to avail various third party services.

To share the data, residents should select at least 3 attributes from the list mentioned below:

Name- Name of the resident. They can choose the format in which they want the name to be displayed.
Date of Birth- Date of birth of the resident. They can choose the format in which they want the date of birth to be displayed.
UIN- Unique Identification Number. They can choose to mask or unmask the UIN.
Perpetual VID- Perpetual Virtual ID. They can choose to mask or unmask the VID.
Phone number- Registered phone number of the resident. They can choose to mask or unmask the phone number.
Email ID- Registered email ID of the resident. They can choose to mask or unmask the email ID.
Address- Address of the resident. They can choose the format in which they want the address to be displayed.
Gender
Photo

These details can be previewed as and when the attributes are chosen.

Additionally, the residents have to:

Select the partner with whom they want to share their data from a dropdown list of registered partners.
Enter the purpose of sharing the data with the registered partner.
On clicking the Share button, the resident will have to provide consent to share their data with the external partner.
Once the event is completed, a message is displayed containing the Event ID along with a link to track the service.

The Resident Portal menu bar contains the following:

Font Size- Residents can alter the size of the font based on their preferences.
Language- Residents can select the language of preference.
Bell icon Notification- Residents can view the notifications of all the asynchronous events in chronological order.
Profile Icon- Residents can view the following:
- Name of the logged in user
- Photo of the logged in user
- Last login details
- Logout option

Book an Appointment

The residents can book an appointment for registration using the pre-registration portal. To do so, they can click on Book an appointment tile which will redirect them to the pre-registration portal. To know more about pre-registration portal, refer to this link Pre-registration.

Verify email ID/ phone number

The residents can use this feature to verify their registered email ID or phone number.

Steps to verify email ID/ phone number:

Resident clicks either on Verify email ID or Verify phone number option
Enter the UIN/VID.
Select I’m not a robot against the captcha and click on Send OTP.
Resident enters the OTP received on the requested channel and clicks on Submit.
Based on the scenario, any of the below three messages will be displayed:
a. Email ID/ phone number successfully verified: On successful verification, a message is displayed on the screen saying that the phone number/ email ID has been successfully verified.
b. Email ID/ phone number was already verified: If the verification has been previously completed, a message is displayed saying the email ID/ phone number was already verified.
c. Email ID/ phone number does not exist: If there is no email ID/ phone number linked to the UIN/VID, a message is displayed saying no email ID/ phone number was found associated to this UIN/VID.

Get My UIN

The residents can use this feature for one of the following:

Download their UIN card
Check the status of their Application ID (AID)

Steps to download the UIN:

Resident clicks on Get My UIN
Enter the AID/UIN/VID.
Select I’m not a robot against the captcha and click on Send OTP.
Resident enters the OTP received on the registered email ID/ phone number and clicks on Submit.
The default PDF of UIN card will be downloaded and a success message is seen stating that the UIN has been successfully downloaded.

Steps to check the status of the AID:

Note: If the UIN is not ready, then the AID is used to get status else UIN card will be downloaded using AID too.

Resident clicks onGet My UIN.
Enter the AID.
Select I’m not a robot against the captcha and click on Send OTP.
Resident enters the OTP received on the registered email ID/ phone number and clicks on Submit.
The status of the AID will be shown.

Get Information

List of supporting documents

Residents can view the list of supported documents in the PDF format and download the same. Also, some sample documents are available for reference.

List of Registration Centers

Residents can search for Registration Centres on the basis of below two mechanisms:

Nearby centers: The resident will be asked to allow permission for location access in order to enable the system to suggest the nearest Registration Centres.

Manually look for centers: If the Resident wants to manually look for a center, they can do so by choosing a level in location hierarchy from the drop-down (e.g.: Region, Province, Postal Code) and entering the value against the same.

They can also download the PDF version of the result displayed on the screen for reference.

AWS Installation Guidelines

Overview

MOSIP modules are deployed in the form of microservices in a Kubernetes cluster.
is used as a trust network extension to access the admin, control, and observation pane
It is also used for on-the-field registrations.
MOSIP uses AWS load balancers for:
- SSL termination
- Reverse Proxy
- CDN/Cache management
- Loadbalancing
Kubernetes cluster is administered using the and
In V3, we have two Kubernetes clusters:
- Observation Cluster - This cluster is a part of the observation plane and it helps in administrative tasks. By design, this is kept independent of the actual cluster as a good security practice and to ensure clear segregation of roles and responsibilities. As a best practice, this cluster or its services should be internal and should never be exposed to the external world.
  - is used for managing the Mosip cluster.
  - in this cluster is used for cluster user access management.
  - It is recommended to configure log monitoring and network monitoring in this cluster.
  - In case you have a internal container registry, then it should run here.
- MOSIP Cluster - This cluster runs all the MOSIP components and certain third party components to secure the cluster, API’s and Data.

Deployment Repos

Pre-requisites:

Hardware Requirements

VM’s required have any Operating System and can be selected as per convenience. In this installation guide, we are referring to Ubuntu OS throughout.

Network Requirements

All the VM's should be able to communicate with each other.
Need stable Intra network connectivity between these VM's.
All the VM's should have stable internet connectivity for docker image download (in case of local setup ensure to have a locally accesible docker registry).
During the process, we will be creating two loadbalancers as mentioned in the first table below:
Server Interface requirement as mentioned in the second table:

DNS Requirements

Note:

Only proceed to DNS mapping after the ingressgateways are installed and the load balancer is already configured.
The above table is just a placeholder for hostnames, the actual name itself varies from organisation to organisation.

Certificate requirements

As only secured https connections are allowed via nginx server, you will need the below mentioned valid ssl certificates:

Prerequisite for complete deployment in Personal Computer

AWS account and credentials with permissions to create EKS cluster.
Save ~/.kube/config file with another name. (IMPORTANT. As in this process your existing ~/.kube/config file will be overridden).
Save .pem file from AWS console and store it in ~/.ssh/ folder. (Generate a new one if you do not have this key file).
Create a directory as mosip in your PC and
- clone k8’s infra repo with tag : 1.2.0.1-B2 inside mosip directory. git clone https://github.com/mosip/k8s-infra -b v1.2.0.1-B2
- clone mosip-infra with tag : 1.2.0.1-B2 inside mosip directory git clone https://github.com/mosip/mosip-infra -b v1.2.0.1-B2
- Set below mentioned variables in bashrc
  - source .bashrc Note: Above mentioned environment variables will be used throughout the installation to move between one directory to other to run install scripts.

Installation

A Wireguard bastion host (Wireguard server) provides secure private channel to access MOSIP cluster. The host restricts public access, and enables access to only those clients who have their public key listed in Wireguard server. Wireguard listens on UDP port 51820.

Architecture diagram

Setup Wirguard VM and wireguard bastion server:

Create a Wireguard server VM in aws console with above mentioned Hardware and Network requirements.
Edit the security group and add the following inbound rules in aws console
- type ‘custom TCP', port range ‘51820’ and source '0.0.0.0/0’
- type ‘custom UDP', port range ‘51820’ and source '0.0.0.0/0’
Setup Wireguard server
- SSH to wireguard VM
- Create directory for storing wireguard config files. mkdir -p wireguard/config
- Install and start wireguard server using docker as given below:
  Note: * Increase the no of peers above in case needed more than 30 wireguard client confs. (-e PEERS=30) * Change the directory to be mounted to wireguard docker in case needed. All your wireguard confs will be generated in the mounted directory. (-v /home/ubuntu/wireguard/config:/config)

Setup Wireguard Client in your PC

Assign wireguard.conf:
- SSH to the wireguard server VM.
- cd /home/ubuntu/wireguard/config
- assign one of the PR for yourself and use the same from the PC to connect to the server.
  - create assigned.txt file to assign the keep track of peer files allocated and update everytime some peer is allocated to someone.
  - Use ls cmd to see the list of peers.
  - get inside your selected peer directory, and add mentioned changes in peer.conf:
    cd peer1
    nano peer1.conf
    Delete the DNS IP.
    Update the allowed IP's to subnets CIDR ip . e.g. 10.10.20.0/23
    Share the updated peer.conf with respective peer to connect to wireguard server from Personel PC.
add peer.conf in your PC’s /etc/wireguard directory as wg0.conf.
start the wireguard client and check the status:
Once Connected to wireguard you should be now able to login using private ip’s.

Observation K8s Cluster setup and configuration

Observation K8s Cluster setup

Setup rancher cluster,
- cd $K8_ROOT/rancher/aws
- Copy rancher.cluster.config.sample to rancher.cluster.config.
- Review and update the below mentioned parameters of rancher.cluster.config carefully.
  - name
  - region
  - version: “1.24“
  - instance related details
    instanceName
    instanceType
    desiredcapacity
    volumeSize
    volumeType
    publicKeyName.
  - update the details of the subnets to be used from vpc
- Install
  - eksctl create cluster -f rancher.cluster.config
- Wait for the cluster creation to complete, generally it takes around 30 minutes to create or update cluster.
- Once EKS K8 cluster is ready below mentioned output will be displayed in the console screen. EKS cluster "my-cluster" in "region-code" region is ready
- The config file for the new cluster will be created on ~/.kube/config
- Make sure to backup and store the ~/.kube/config with new name. e.g. ~/.kube/obs-cluster.config.
- Change file permission using below command: chmod 400 ~/.kube/obs-cluster.config
- Set the KUBECONFIG properly so that you can access the cluster. export KUBECONFIG=~/.kube/obs-cluster.config
- Test cluster access:
  - kubect get nodes
    Command will result in details of the nodes of the rancher cluster.

Observation K8s Cluster’s Ingress and Storage class setup

Once the rancher cluster is ready we need ingress and storage class to be set for other applications to be installed.

Check the following on AWS console:
- An NLB has been created. You may also see the DNS of NLB with
- Edit listner "443". Select "TLS".
- Note, the target group name of listner 80. Set target group of 443 to target group of 80. Basically, we want TLS termination at the LB and it must forward HTTP traffic (not HTTPS) to port 80 of ingress controller. So
  - Input of LB: HTTPS
  - Output of LB: HTTP --> port 80 of ingress nginx controller
- Enable "Proxy Protocol v2" in the target group settings
- Make sure all subnets are selected in LB -->Description-->Edit subnets.
- Check health check of target groups.
- Remove listner 80 from LB as we will receive traffic only on 443.
Storage class setup:
- Default storage class on EKS is gp2 . GP2 by default is in Delete mode which means if PVC is deleted, the underlying storage PV is also deleted.
- To enable volume expansion for the existing gp2 storage class, modify the YAML configuration by adding allowVolumeExpansion: true to the gp2 storage class configuration.
  - kubectl edit sc gp2 : to edit the yaml configuration.
- Create storage class gp2-retain by running sc.yaml for PV in Retain mode. Set the storage class as gp2-retain in case you want to retain PV.

Domain name

Create the following domain names:

Rancher: rancher.xyz.net
Keycloak: keycloak.xyz.net

Rancher K8s Cluster Apps Installation

Rancher UI : Rancher provides full CRUD capability of creating and managing kubernetes cluster.
- Install rancher using Helm, update hostname in rancher-values.yaml and run the following command to install.
- Login:
  - Open Rancher page https://rancher.org.net.
  - Get Bootstrap password using
  - Assign a password. IMPORTANT: makes sure this password is securely saved and retrievable by Admin.
- keycloak_client.json: Used to create SAML client on Keycloak for Rancher integration.
Keycloak - Rancher Integration
- Login as admin user in Keycloak and make sure an email id, and first name field is populated for admin user. This is important for Rancher authentication as given below.
- In Keycloak add another Mapper for the rancher client (in Master realm) with following fields:
  - Protocol: saml
  - Name: username
  - Mapper Type: User Property
  - Property: username
  - Friendly Name: username
  - SAML Attribute Name: username
  - SAML Attribute NameFormat: Basic
- Specify the following mappings in Rancher's Authentication Keycloak form:
  - Display Name Field: givenName
  - User Name Field: email
  - UID Field: username
  - Groups Field: member
RBAC :
- For users in Keycloak assign roles in Rancher - cluster and project roles. Under default project add all the namespaces. Then, to a non-admin user you may provide Read-Only role (under projects).
- Add a member to cluster/project in Rancher:
  - Give member name exactly as username in Keycloak
  - Assign appropriate role like Cluster Owner, Cluster Viewer etc.
  - You may create new role with fine grained acccess control.
Certificates expiry
- In case you see certificate expiry message while adding users, on local cluster run these commands:

MOSIP K8s Cluster setup

Setup mosip cluster
- cd $K8_ROOT/mosip/aws
- Copy cluster.config.sample to mosip.cluster.config.
- Review and update the below mentioned parameters of cluster.config.sample carefully.
  - name
  - region
  - version: “1.24“
  - instance related details
    instanceName
    instanceType
    desiredcapacity
    volumeSize
    volumeType
    publicKeyName.
  - update the details of the subnets to be used from vpc
- Install
eksctl create cluster -f mosip.cluster.config
- Wait for the cluster creation to complete, generally it takes around 30 minutes to create or update cluster.
- Once EKS K8 cluster is ready below mentioned output will be displayed in the console screen. EKS cluster "my-cluster" in "region-code" region is ready
- The config file for the new cluster will be created on ~/.kube/config
- Make sure to backup and store the ~/.kube/config with new name. e.g. ~/.kube/mosip-cluster.config.
- Change file permission using below command: chmod 400 ~/.kube/mosip-cluster.config
- Set the KUBECONFIG properly so that you can access the cluster. export KUBECONFIG=~/.kube/mosip-cluster.config
- Test cluster access:
  - kubect get nodes
    Command will result in details of the nodes of the MOSIP cluster.

Import Mosip Cluster into Rancher UI

Login as admin in Rancher console
Select Import Existing for cluster addition.
Select the Generic as cluster type to add.
Fill the Cluster Name field with unique cluster name and select Create.
You will get the kubectl commands to be executed in the kubernetes cluster. Copy the command and execute from your PC. (make sure your kube-config file is correctly set to Mosip cluster)

Wait for few seconds after executing the command for the cluster to get verified.
Your cluster is now added to the rancher management server.

MOSIP K8 Cluster Global configmap, Ingress and Storage Class setup

Global configmap: Global configmap contains list of necesary details to be used throughout the namespaces of the cluster for common details.
- cd $K8_ROOT/mosip
- Copy global_configmap.yaml.sample to global_configmap.yaml.
- Update the domain names in global_configmap.yaml and run.
- kubectl apply -f global_configmap.yaml
Storage class setup:
- Default storage class on EKS is gp2 . GP2 by default is in Delete mode which means if PVC is deleted, the underlying storage PV is also deleted.
- To enable volume expansion for the existing gp2 storage class, modify the YAML configuration by adding allowVolumeExpansion: true to the gp2 storage class configuration.
  - kubectl edit sc gp2 : to edit the yaml configuration.
- Create storage class gp2-retain by running sc.yaml for PV in Retain mode. Set the storage class as gp2-retain in case you want to retain PV.
Ingress and load balancer (LB) :
- Install ingresses as given here:
Load Balancers setup for istio-ingress.
- These may be also seen with
- You may view them on AWS console in Loadbalancer section.
- TLS termination is supposed to be on LB. So all our traffic coming to ingress controller shall be HTTP.
- Add the certificates and 443 access to the LB listener.
- Update listener TCP->443 to TLS->443 and point to the certificate of domain name that belongs to your cluster.
- Forward TLS->443 listner traffic to target group that corresponds to listener on port 80 of respective Loadbalancers. This is because after TLS termination the protocol is HTTP so we must point LB to HTTP port of ingress controller.
- Update health check ports of LB target groups to node port corresponding to port 15021. You can see the node ports with
- Enable Proxy Protocol v2 on target groups.
- Make sure all subnets are included in Availability Zones for the LB. Description --> Availability Zones --> Edit Subnets
- Make sure to delete the listeners for port 80 and 15021 from each of the loadbalancers as we restrict unsecured port 80 access over http.
DNS mapping:
- Initially all the services will be accesible only over the internal channel.
- Point all your domain names to internal LoadBalancers DNS/IP intially till testing is done.
- On AWS this may be done on Route 53 console.
Check Overall if nginx and istio wiring is set correctly
- Install httpbin: This utility docker returns http headers received inside the cluster. You may use it for general debugging - to check ingress, headers etc.
  - To see what's reaching httpbin (example, replace with your domain name):

Monitoring Module deployment

Prometheus and Grafana and Alertmanager tools are used for cluster monitoring.

Select 'Monitoring' App from Rancher console -> Apps & Marketplaces.
In Helm options, open the YAML file and disable Nginx Ingress.
Click on Install.

Alerting Setup

Alerting is part of cluster monitoring, where alert notifications are sent to the configured email or slack channel.

Monitoring should be deployed which includes deployment of prometheus, grafana and alertmanager.
After setting slack incoming webhook update slack_api_url and slack_channel_name in alertmanager.yml.
- cd $K8_ROOT/monitoring/alerting/
- nano alertmanager.yml
- Update
Update Cluster_name in patch-cluster-name.yaml.
- cd $K8_ROOT/monitoring/alerting/
- nano patch-cluster-name.yaml
- Update
Install Default alerts along some of the defined custom alerts:
Alerting is Installed.

Logging Module Setup and Installation

Mosip uses Rancher Fluentd and elasticsearch to collect logs from all services and reflect the same in Kibana Dashboard.

Install Rancher FluentD system : for screpping logs outs of all the microservices from Mosip k8 cluster.
- Install Logging from Apps and marketplace within the Rancher UI.
- Select Chart Version 100.1.3+up3.17.7 from Rancher console -> Apps & Marketplaces.
Configure Rancher FluentD
- Create clusteroutput :
  - kubectl apply -f clusteroutput-elasticsearch.yaml
- start clusterFlow
  - kubectl apply -f clusterflow-elasticsearch.yaml
Install elasticsearch, kibana and Istio addons
- cd $K8_ROOT/logging
- ./intall.sh
set min_age in elasticsearch-ilm-script.sh and execute the same. min_age : is the min no. of days for which indices will be stored in elasticsearch.
- cd $K8_ROOT/logging
- ./elasticsearch-ilm-script.sh
Mosip provides set of Kibana Dashboards for checking logs and throughputs .
- Brief description of these dashboards are as follows:
- Import dashboards:
  - cd K8_ROOT/logging/dashboard
  - ./load_kibana_dashboards.sh ./dashboards <cluster-kube-config-file>
- View dashbords
  - Open kibana dashboard from: https://kibana.sandbox.xyz.net.
  - Kibana --> Menu (on top left) --> Dashboard --> Select the dashboard.

Mosip External Dependencies setup

External Dependencies: are set of external requirements needed for funtioning of MOSIP’s core services like DB, object store, hsm etc.

MOSIP Modules Deployment

Now that all the Kubernetes cluster and external dependencies are already installed, you can continue with MOSIP service deployment.

API Testrig

MOSIP’s successfull deployment can be verified by comparing the results of api testrig with testrig benchmark.
- - When prompted input the hour of the day to execute the api-testrig.
  - Daily api testrig cron jon will be executed at the very opted hour of the day.

On-Prem without DNS Installation Guidelines

Overview

MOSIP modules are deployed in the form of microservices in kubernetes cluster.
is used as a trust network extension to access the admin, control, and observation pane.
It is also used for the on-the-field registrations.
MOSIP uses server for:
- SSL termination
- Reverse Proxy
- CDN/Cache management
- Loadbalancing
Kubernetes cluster is administered using the and tools.
In V3, we have two Kubernetes clusters:

Observation cluster - This cluster is a part of the observation plane and it helps in administrative tasks. By design, this is kept independent of the actual cluster as a good security practice and to ensure clear segregation of roles and responsibilities. As a best practice, this cluster or it's services should be internal and should never be exposed to the external world.

is used for managing the MOSIP cluster.
in this cluster is used for cluster user access management.
It is recommended to configure log monitoring and network monitoring in this cluster.
In case you have an internal container registry, then it should run here.

MOSIP cluster - This cluster runs all the MOSIP components and certain third party components to secure the cluster, API’s and data.

Architecture diagram

Deployment repos

Pre-requisites

Hardware requirements

VM’s required can be with any OS as per convenience.
Here, we are referring to Ubuntu OS throughout this installation guide.

Network requirements

All the VM's should be able to communicate with each other.
Need stable Intra network connectivity between these VM's.
All the VM's should have stable internet connectivity for docker image download (in case of local setup ensure to have a locally accessible docker registry).
Server Interface requirement as mentioned in below table:

DNS requirements

Certificate requirements

As only secured https connections are allowed via nginx server will need below mentioned valid ssl certificates:

One valid wildcard ssl certificate related to domain used for accessing Observation cluster, this needs to be stored inside the nginx server VM for Observation cluster. In above e.g.: *.org.net is the similar example domain.
One valid wildcard ssl certificate related to domain used for accesing Mosip cluster, this needs to be stored inside the nginx server VM for mosip cluster. In above e.g.: *.sandbox.xyz.net is the similar example domain.

Tools to be installed in Personel Computers for complete deployment

[Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html: version > 2.12.4
Create a directory as MOSIP in your PC and:
- clone k8’s infra repo with tag : 1.2.0.1-B2 (whichever is the latest version) inside mosip directory. git clone https://github.com/mosip/k8s-infra -b v1.2.0.1-B2
- clone mosip-infra with tag : 1.2.0.1-B2 (whichever is the latest version) inside mosip directory. git clone https://github.com/mosip/mosip-infra -b v1.2.0.1-B2
- Set below mentioned variables in bashrc
source .bashrc
Note: Above mentioned environment variables will be used throughout the installation to move between one directory to other to run install scripts.

Installation

Wireguard

Setup Wireguard VM and wireguard bastion server

Create a Wireguard server VM with above mentioned Hardware and Network requirements.
Open ports and Install docker on Wireguard VM.
- cd $K8_ROOT/wireguard/
- create copy of hosts.ini.sample as hosts.ini and update the required details for wireguard VM\
  cp hosts.ini.sample hosts.ini
- execute ports.yml to enable ports on VM level using ufw:
  ansible-playbook -i hosts.ini ports.yaml

Note:
Permission of the pem files to access nodes should have 400 permission. sudo chmod 400 ~/.ssh/privkey.pem
These ports are only needed to be opened for sharing packets over UDP.
Take necessary measure on firewall level so that the Wireguard server can be reachable on 51820/udp.

Setup Wireguard server
- SSH to wireguard VM
- Create directory for storing wireguard config files. mkdir -p wireguard/config
- Install and start wireguard server using docker as given below:

Note:

Increase the no. of peers above in case more than 30 wireguard client confs (-e PEERS=30) are needed.
Change the directory to be mounted to wireguard docker as per need. All your wireguard confs will be generated in the mounted directory (-v /home/ubuntu/wireguard/config:/config).

Setup Wireguard Client in your PC

Install Wireguard client in your PC.
Assign wireguard.conf:
- SSH to the wireguard server VM.
- cd /home/ubuntu/wireguard/config
- assign one of the PR for yourself and use the same from the PC to connect to the server.
  - create assigned.txt file to assign the keep track of peer files allocated and update every time some peer is allocated to someone.
  - use ls cmd to see the list of peers.
  - get inside your selected peer directory, and add mentioned changes in peer.conf:
    cd peer1
    nano peer1.conf
    Delete the DNS IP.
    Update the allowed IP's to subnets CIDR ip . e.g. 10.10.20.0/23
    Share the updated peer.conf with respective peer to connect to wireguard server from Personel PC.
add peer.conf in your PC’s /etc/wireguard directory as wg0.conf.
start the wireguard client and check the status:

Once connected to wireguard, you should be now able to login using private IP’s.

Observation K8s Cluster setup and configuration

Observation K8s Cluster setup

Install all the required tools mentioned in pre-requisites for PC.
- kubectl
- helm
- ansible
- rke (version 1.3.10)
Setup Observation Cluster node VM’s as per the hardware and network requirements as mentioned above.
Setup passwordless SSH into the cluster nodes via pem keys. (Ignore if VM’s are accessible via pem’s).
- Generate keys on your PC ssh-keygen -t rsa
- Copy the keys to remote observation node VM’s ssh-copy-id <remote-user>@<remote-ip>
- SSH into the node to check password-less SSH ssh -i ~/.ssh/<your private key> <remote-user>@<remote-ip>

Note:
Make sure the permission for privkey.pem for ssh is set to 400.

Run env-check.yaml to check if cluster nodes are fine and do not have known issues in it.
- cd $K8_ROOT/rancher/on-prem
- create copy of hosts.ini.sample as hosts.ini and update the required details for Observation k8 cluster nodes.
  - cp hosts.ini.sample hosts.ini
  - ansible-playbook -i hosts.ini env-check.yaml
  - This ansible checks if localhost mapping is already present in /etc/hosts file in all cluster nodes, if not it adds the same.
Open ports and install docker on Observation K8 Cluster node VM’s.
- cd $K8_ROOT/rancher/on-prem
- Ensure that hosts.ini is updated with nodal details.
- Update vpc_ip variable in ports.yaml with vpc CIDR ip to allow access only from machines inside same vpc.
- Execute ports.yml to enable ports on VM level using ufw:
  - ansible-playbook -i hosts.ini ports.yaml
- Disable swap in cluster nodes. (Ignore if swap is already disabled)
  - ansible-playbook -i hosts.ini swap.yaml
- execute docker.yml to install docker and add user to docker group:
  - ansible-playbook -i hosts.ini docker.yaml
Creating RKE Cluster Configuration file
- rke config
- Command will prompt for nodal details related to cluster, provide inputs w.r.t below mentioned points:
  - SSH Private Key Path :
  - Number of Hosts:
  - SSH Address of host :
  - SSH User of host :
  - Make all the nodes Worker host by default.
  - To create an HA cluster, specify more than one host with role Control Plane and etcd host.
- Network Plugin Type : Continue with canal as default network plugin.
- For rest of other configurations, opt the required or default value.
As result of rke config command cluster.yml file will be generated inside same directory, update the below mentioned fields:
- nano cluster.yml
  - Remove the default Ingress install
- Add the name of the kubernetes cluster
  - cluster_name: sandbox-name
Setup up the cluster:
- Once cluster.yml is ready, you can bring up the kubernetes cluster using simple command.
  - This command assumes the cluster.yml file is in the same directory as where you are running the command.
  - rke up
- As part of the Kubernetes creation process, a kubeconfig file has been created and written at kube_config_cluster.yml, which can be used to start interacting with your Kubernetes cluster.
- Copy the kubeconfig files
- To access the cluster using kubeconfig file use any one of the below method:
  - cp $HOME/.kube/<cluster_name>_config $HOME/.kube/config Alternatively
  - export KUBECONFIG="$HOME/.kube/<cluster_name>_config
- Test cluster access:
  - kubect get nodes
    Command will result in details of the nodes of the Observation cluster.
- Save your files
  - Save a copy of the following files in a secure location, they are needed to maintain, troubleshoot and upgrade your cluster.
    cluster.yml: The RKE cluster configuration file.
- In case not having Public DNS system add the custom DNS configuration for the cluster.
  - Check whether coredns pods are up and running in your cluster via the below command:
  - Update the IP address and domain name in the below DNS hosts template and add it in the coredns configmap Corefile key in the kube-system namespace.
  - Update coredns configmap via below command.
  - Check whether the DNS changes are correctly updated in coredns configmap.
  - Restart the coredns pod in the kube-system namespace.
  - Check status of coredns restart.

Observation K8s Cluster Ingress and Storage class setup

Once the rancher cluster is ready, we need ingress and storage class to be set for other applications to be installed.

this will install ingress in ingress-nginx namespace of rancher cluster.

Pre-requisites:

Install Longhorn via helm

./install.sh
Note: Values of below mentioned parameters are set as by default Longhorn installation script:
- PV replica count is set to 1. Set the replicas for the storage class appropriately.
- Total available node CPU allocated to each instance-manager pod in the longhorn-system namespace.
- The value "5" means 5% of the total available node CPU.
- This value should be fine for sandbox and pilot but you may have to increase the default to "12" for production.
- The value can be updated on Longhorn UI after installation.
Access the Longhorn dashboard from Rancher UI once installed.

Setting up nginx server for Observation K8s Cluster

For Nginx server setup we need ssl certificate, add the same into Nginx server.
SSL certificates can be generated in multiple ways. Either via lets encrypt if you have public DNS or via openssl certs when you don't have Public DNS.
- Letsencrypt: Generate wildcard ssl certificate having 3 months validity when you have public DNS system using below steps.
  - SSH into the nginx server node.
  - Install Pre-requisites
  - Generate wildcard SSL certificates for your domain name.
  - sudo certbot certonly --agree-tos --manual --preferred-challenges=dns -d *.org.net
  - replace org.net with your domain.
  - The default challenge HTTP is changed to DNS challenge, as we require wildcard certificates.
  - Create a DNS record in your DNS service of type TXT with host _acme-challenge.org.net, with the string prompted by the script.
  - Wait for a few minutes for the above entry to get into effect. Verify: host -t TXT _acme-challenge.org.net
  - Press enter in the certbot prompt to proceed.
  - Certificates are created in /etc/letsencrypt on your machine.
  - Certificates created are valid for 3 months only.
- Openssl : Generate wildcard ssl certificate using openssl in case you don't have public DNS using below steps. (Ensure to use this only in development env, not suggested for Production env).
  - Install docker on nginx node.
  - Generate a self-signed certificate for your domain, such as *.sandbox.xyz.net.
  - Execute the following command to generate a self-signed SSL certificate. Prior to execution, kindly ensure to update environmental variables & rancher domain passed to openssl command:
  - Above command will generate certs in below specified location. Use it when prompted during nginx installation.
    fullChain path: /etc/ssl/certs/tls.crt.
    privKey path: /etc/ssl/private/tls.key.
Install nginx:
- Login to nginx server node.
- Provide below mentioned inputs as and when promted
  - Rancher nginx ip : internal ip of the nginx server VM.
  - SSL cert path : path of the ssl certificate to be used for ssl termination.
  - SSL key path : path of the ssl key to be used for ssl termination.
  - Cluster node ip's : ip’s of the rancher cluster node
Restart nginx service.

Post installation check:
- sudo systemctl status nginx
Steps to Uninstall nginx (in case required) sudo apt purge nginx nginx-common
DNS mapping:
- Once nginx server is installed successfully, create DNS mapping for rancher cluster related domains as mentioned in DNS requirement section. (rancher.org.net, keycloak.org.net)
- In case used Openssl for wildcard ssl certificate add DNS entries in local hosts file of your system.
  - For example: /etc/hosts files for Linux machines.

Observation K8's Cluster Apps Installation

Rancher UI: Rancher provides full CRUD capability of creating and managing kubernetes cluster.

Install rancher using Helm, update hostname, & add privateCA to true in rancher-values.yaml, and run the following command to install.

Login:
- Get Bootstrap password using
Assign a password. IMPORTANT: makes sure this password is securely saved and retrievable by Admin.

keycloak_client.json: Used to create SAML client on Keycloak for Rancher integration.

Keycloak - Rancher UI Integration

Login as admin user in Keycloak and make sure an email id, and first name field is populated for admin user. This is important for Rancher authentication as given below.
In Keycloak add another Mapper for the rancher client (in Master realm) with following fields:
- Protocol: saml
- Name: username
- Mapper Type: User Property
- Property: username
- Friendly Name: username
- SAML Attribute Name: username
- SAML Attribute NameFormat: Basic
- Specify the following mappings in Rancher's Authentication Keycloak form:
  - Display Name Field: givenName
  - User Name Field: email
  - UID Field: username
  - Entity ID Field: https://your-rancher-domain/v1-saml/keycloak/saml/metadata
  - Rancher API Host: https://your-rancher-domain
  - Groups Field: member

RBAC :

For users in Keycloak assign roles in Rancher - cluster and project roles. Under default project add all the namespaces. Then, to a non-admin user you may provide Read-Only role (under projects).
Add a member to cluster/project in Rancher:
- Give member name exactly as username in Keycloak
- Assign appropriate role like Cluster Owner, Cluster Viewer etc.
- You may create new role with fine grained access control.

Certificates expiry

In case you see certificate expiry message while adding users, on local cluster run these commands:

MOSIP K8s Cluster setup

Pre-requisites:
Install all the required tools mentioned in Pre-requisites for PC.
- kubectl
- helm

ansible
rke (version 1.3.10)
Setup MOSIP K8 Cluster node VM’s as per the hardware and network requirements as mentioned above.
Run env-check.yaml to check if cluster nodes are fine and don't have known issues in it.
- cd $K8_ROOT/rancher/on-prem
- create copy of hosts.ini.sample as hosts.ini and update the required details for MOSIP k8 cluster nodes.
  - cp hosts.ini.sample hosts.ini
  - ansible-playbook -i hosts.ini env-check.yaml
  - This ansible checks if localhost mapping is already present in /etc/hosts file in all cluster nodes, if not it adds the same.
Setup passwordless ssh into the cluster nodes via pem keys. (Ignore if VM’s are accessible via pem’s).
- Generate keys on your PC
  - ssh-keygen -t rsa
- Copy the keys to remote rancher node VM’s:
  - ssh-copy-id <remote-user>@<remote-ip>
- SSH into the node to check password-less SSH
  - ssh -i ~/.ssh/<your private key> <remote-user>@<remote-ip>
- Rancher UI : (deployed in Rancher K8 cluster)
Open ports and Install docker on MOSIP K8 Cluster node VM’s.
- cd $K8_ROOT/mosip/on-prem
- create copy of hosts.ini.sample as hosts.ini and update the required details for wireguard VM.
  - cp hosts.ini.sample hosts.ini
- Update vpc_ip variable in ports.yaml with vpc CIDR ip to allow access only from machines inside same vpc.
- execute ports.yml to enable ports on VM level using ufw:
  - ansible-playbook -i hosts.ini ports.yaml
- Disable swap in cluster nodes. (Ignore if swap is already disabled)
  - ansible-playbook -i hosts.ini swap.yaml
- execute docker.yml to install docker and add user to docker group:
  - ansible-playbook -i hosts.ini docker.yaml
Creating RKE Cluster Configuration file
- rke config
- Command will prompt for nodal details related to cluster, provide inputs w.r.t below mentioned points:
  - SSH Private Key Path :
  - Number of Hosts:
  - SSH Address of host :
  - SSH User of host :
  - Make all the nodes Worker host by default.
  - To create an HA cluster, specify more than one host with role Control Plane and etcd host.
- Network Plugin Type : Continue with canal as default network plugin.
- For rest for other configuration opt the required or default value.
As result of rke config command cluster.ymlfile will be generated inside same directory, update the below mentioned fields:
- nano cluster.yml
- Remove the default Ingress install
- Add the name of the kubernetes cluster
Setup up the cluster:
- Once cluster.yml is ready, you can bring up the kubernetes cluster using simple command.
  - This command assumes the cluster.yml file is in the same directory as where you are running the command.
    rke up
  - The last line should read Finished building Kubernetes cluster successfully to indicate that your cluster is ready to use.
  - Copy the kubeconfig files
- To access the cluster using kubeconfig filr use any one of the below method:
- cp $HOME/.kube/<cluster_name>_config $HOME/.kube/config

Alternatively

Test cluster access:
- kubect get nodes
- Command will result in details of the nodes of the rancher cluster.
Save Your files
- Save a copy of the following files in a secure location, they are needed to maintain, troubleshoot and upgrade your cluster.:
  - cluster.yml: The RKE cluster configuration file.
In case not having Public DNS system add the custom DNS configuration for the cluster.
- Check whether coredns pods are up and running in your cluster via the below command:
- Update the IP address and domain name in the below DNS hosts template and add it in the coredns configmap Corefile key in the kube-system namespace.
- Update coredns configmap via below command.
- Check whether the DNS changes are correctly updated in coredns configmap.
- Restart the coredns pod in the kube-system namespace.
- Check status of coredns restart.

MOSIP K8 Cluster Global configmap, Ingress and Storage Class setup

Global configmap: Global configmap contains the list of neccesary details to be used throughout the namespaces of the cluster for common details.

cd $K8_ROOT/mosip
Copy global_configmap.yaml.sample to global_configmap.yaml.
Update the domain names in global_configmap.yaml and run.
kubectl apply -f global_configmap.yaml
- cd $K8_ROOT/mosip/on-prem/istio
- ./install.sh
- This will bring up all the Istio components and the Ingress Gateways.
- Check Ingress Gateway services:
  - kubectl get svc -n istio-system
    istio-ingressgateway: external facing istio service.
    istio-ingressgateway-internal: internal facing istio service.
    istiod: Istio daemon for replicating the changes to all envoy filters.
Storage class setup: Longhorn creates a storage class in the cluster for creating pv (persistence volume) and pvc (persistence volume claim).
- Pre-requisites:
- Install Longhorn via helm
  - ./install.sh
  - Note: Values of below mentioned parameters are set as by default Longhorn installation script:
    PV replica count is set to 1. Set the replicas for the storage class appropriately.
    Total available node CPU allocated to each instance-manager pod in the longhorn-system namespace.
    The value "5" means 5% of the total available node CPU
    This value should be fine for sandbox and pilot but you may have to increase the default to "12" for production.
    The value can be updated on Longhorn UI after installation.

Import MOSIP Cluster into Rancher UI

Login as admin in Rancher console
Select Import Existing for cluster addition.
Select Generic as cluster type to add.
Fill the Cluster Name field with unique cluster name and select Create.
You will get the kubecl commands to be executed in the kubernetes cluster. Copy the command and execute from your PC (make sure your kube-config file is correctly set to MOSIP cluster).

Wait for few seconds after executing the command for the cluster to get verified.
Your cluster is now added to the rancher management server.

MOSIP K8 cluster Nginx server setup

For Nginx server setup, we need ssl certificate, add the same into Nginx server.
SSL certificates can be generated in multiple ways. Either via lets encrypt if you have public DNS or via openssl certs when you don't have Public DNS.
- Letsencrypt: Generate wildcard ssl certificate having 3 months validity when you have public DNS system using below steps.
  - SSH into the nginx server node.
  - Install Pre-requisites
  - Generate wildcard SSL certificates for your domain name.
  - sudo certbot certonly --agree-tos --manual --preferred-challenges=dns -d *.org.net
  - replace org.net with your domain.
  - The default challenge HTTP is changed to DNS challenge, as we require wildcard certificates.
  - Create a DNS record in your DNS service of type TXT with host _acme-challenge.org.net, with the string prompted by the script.
  - Wait for a few minutes for the above entry to get into effect. Verify: host -t TXT _acme-challenge.org.net
  - Press enter in the certbot prompt to proceed.
  - Certificates are created in /etc/letsencrypt on your machine.
  - Certificates created are valid for 3 months only.
- Openssl : Generate wildcard ssl certificate using openssl in case you don't have public DNS using below steps. (Ensure to use this only in development env, not suggested for Production env).
  - Install docker on nginx node.
  - Generate a self-signed certificate for your domain, such as *.sandbox.xyz.net.
  - Execute the following command to generate a self-signed SSL certificate. Prior to execution, kindly ensure that the environmental variables passed to the OpenSSL Docker container have been properly updated:
  - Above command will generate certs in below specified location. Use it when prompted during nginx installation.
    fullChain path: /etc/ssl/certs/nginx-selfsigned.crt.
    privKey path: /etc/ssl/private/nginx-selfsigned.key.
Install nginx:
- Login to nginx server node.
- Provide below mentioned inputs as and when prompted
  - MOSIP nginx server internal ip
  - MOSIP nginx server public ip
  - Publically accessible domains (comma separated with no whitespaces)
  - SSL cert path
  - SSL key path
  - Cluster node ip's (comma separated no whitespace)
When utilizing an openssl wildcard SSL certificate, please add the following server block to the nginx server configuration within the http block. Disregard this if using SSL certificates obtained through letsencrypt or for publicly available domains. Please note that this should only be used in a development environment and is not recommended for production environments.
- nano /etc/nginx/nginx.conf
- Note: HTTP access is enabled for IAM because MOSIP's keymanager expects to have valid SSL certificates. Ensure to use this only for development purposes, and it is not recommended to use it in production environments.
- Restart nginx service.
Post installation check:
- sudo systemctl status nginx
Steps to Uninstall nginx (in case required) sudo apt purge nginx nginx-common
DNS mapping:
- Once nginx server is installed successfully, create DNS mapping for rancher cluster related domains as mentioned in DNS requirement section. (rancher.org.net, keycloak.org.net)
- In case used Openssl for wildcard ssl certificate add DNS entries in local hosts file of your system.
  - For example: /etc/hosts files for Linux machines.
Check Overall if nginx and istio wiring is set correctly
- Install httpbin: This utility docker returns http headers received inside the cluster. You may use it for general debugging - to check ingress, headers etc.
- To see what is reaching the httpbin (example, replace with your domain name):

Monitoring module deployment

Prometheus and Grafana and Alertmanager tools are used for cluster monitoring.
Select 'Monitoring' App from Rancher console -> Apps & Marketplaces.
In Helm options, open the YAML file and disable Nginx Ingress.
Click on Install.

Alerting setup

Alerting is part of cluster monitoring, where alert notifications are sent to the configured email or slack channel.

Monitoring should be deployed which includes deployment of prometheus, grafana and alertmanager.
After setting slack incoming webhook update slack_api_url and slack_channel_name in alertmanager.yml.
- cd $K8_ROOT/monitoring/alerting/
- nano alertmanager.yml
- Update:
Update Cluster_name in patch-cluster-name.yaml.
cd $K8_ROOT/monitoring/alerting/
nano patch-cluster-name.yaml
Update:

Install Default alerts along some of the defined custom alerts:

Alerting is installed.

Logging module setup and installation

Install Rancher FluentD system : for scraping logs outs of all the microservices from MOSIP k8 cluster.
- Install Logging from Apps and marketplace within the Rancher UI.
- Select Chart Version 100.1.3+up3.17.7 from Rancher console -> Apps & Marketplaces.
Configure Rancher FluentD
- Create clusteroutput
  - kubectl apply -f clusteroutput-elasticsearch.yaml
- Start clusterFlow
  - kubectl apply -f clusterflow-elasticsearch.yaml
- Install elasticsearch, kibana and Istio addons\
- set min_age in elasticsearch-ilm-script.sh and execute the same.
- min_age : is the minimum no. of days for which indices will be stored in elasticsearch.
- MOSIP provides set of Kibana Dashboards for checking logs and throughputs.
  - Brief description of these dashboards are as follows:
Import dashboards:
- cd K8_ROOT/logging
- ./load_kibana_dashboards.sh ./dashboards <cluster-kube-config-file>
View dashboards

Open kibana dashboard from https://kibana.sandbox.xyz.net.

Kibana --> Menu (on top left) --> Dashboard --> Select the dashboard.

MOSIP External Dependencies setup

External Dependencies are set of external requirements that are needed for functioning of MOSIP’s core services like DB, Object Store, HSM etc.

Configurational change in case using Openssl wildcard ssl certificate. (Only advised in development env, not recommended for Production setup)

Add/ Update the below property in application-default.properties and comment on the below property in the *-default.properties file in the config repo.

Add/ Update the below property in the esignet-default.properties file in the config repo.

MOSIP Modules Deployment

Now that all the Kubernetes cluster and external dependencies are already installed, will continue with MOSIP service deployment.
While installing a few modules, installation script prompts to check if you have public domain and valid SSL certificates on the server. Opt option n as we are using self-signed certificates. For example:

Start installing mosip modules:

On-Prem Installation Guidelines

Overview

MOSIP modules are deployed in the form of microservices in kubernetes cluster.
is used as a trust network extension to access the admin, control, and observation pane.
It is also used for the on-the-field registrations.
MOSIP uses server for:
- SSL termination
- Reverse Proxy
- CDN/Cache management
- Loadbalancing
Kubernetes cluster is administered using the and tools.
In V3, we have two Kubernetes clusters:

is used for managing the MOSIP cluster.
in this cluster is used for cluster user access management.
It is recommended to configure log monitoring and network monitoring in this cluster.
In case you have an internal container registry, then it should run here.

MOSIP cluster - This cluster runs all the MOSIP components and certain third party components to secure the cluster, API’s and data.

Architecture

Deployment repos

Pre-requisites

Hardware requirements

VM’s required can be with any OS as per convenience.
Here, we are referting to Ubuntu OS throughout this installation guide.

Network requirements

All the VM's should be able to communicate with each other.
Need stable Intra network connectivity between these VM's.
All the VM's should have stable internet connectivity for docker image download (in case of local setup ensure to have a locally accesible docker registry).
Server Interface requirement as mentioned in below table:

DNS requirements

Certificate requirements

As only secured https connections are allowed via nginx server will need below mentioned valid ssl certificates:

One valid wildcard ssl certificate related to domain used for accessing Observation cluster, this needs to be stored inside the nginx server VM for Observation cluster. In above e.g.: *.org.net is the similiar example domain.
One valid wildcard ssl certificate related to domain used for accesing Mosip cluster, this needs to be stored inside the nginx server VM for mosip cluster. In above e.g.: *.sandbox.xyz.net is the similiar example domain.

Tools to be installed in Personel Computers for complete deployment

[Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html: version > 2.12.4
Create a directory as mosip in your PC and:
- clone k8’s infra repo with tag : 1.2.0.1-B2 (whichever is the latest version) inside mosip directory. git clone https://github.com/mosip/k8s-infra -b v1.2.0.1-B2
- clone mosip-infra with tag : 1.2.0.1-B2 (whichever is the latest version) inside mosip directory. git clone https://github.com/mosip/mosip-infra -b v1.2.0.1-B2
- Set below mentioned variables in bashrc
source .bashrc
Note: Above mentioned environment variables will be used throughout the installation to move between one directory to other to run install scripts.

Installation

Wireguard

Setup Wireguard VM and wireguard bastion server

Create a Wireguard server VM with above mentioned Hardware and Network requirements.
Open ports and Install docker on Wireguard VM.
- cd $K8_ROOT/wireguard/
- create copy of hosts.ini.sample as hosts.ini and update the required details for wireguard VM\
  cp hosts.ini.sample hosts.ini
- execute ports.yml to enable ports on VM level using ufw:
  ansible-playbook -i hosts.ini ports.yaml

Note:
Permission of the pem files to access nodes should have 400 permission. sudo chmod 400 ~/.ssh/privkey.pem
These ports are only needed to be opened for sharing packets over UDP.
Take necessary measure on firewall level so that the Wireguard server can be reachable on 51820/udp.

Setup Wireguard server
- SSH to wireguard VM
- Create directory for storing wireguard config files. mkdir -p wireguard/config
- Install and start wireguard server using docker as given below:

Note:

Increase the no. of peers above in case more than 30 wireguard client confs (-e PEERS=30) are needed.
Change the directory to be mounted to wireguard docker as per need. All your wireguard confs will be generated in the mounted directory (-v /home/ubuntu/wireguard/config:/config).

Setup Wireguard Client in your PC

Install Wireguard client in your PC.
Assign wireguard.conf:
- SSH to the wireguard server VM.
- cd /home/ubuntu/wireguard/config
- assign one of the PR for yourself and use the same from the PC to connect to the server.
  - create assigned.txt file to assign the keep track of peer files allocated and update everytime some peer is allocated to someone.
  - use ls cmd to see the list of peers.
  - get inside your selected peer directory, and add mentioned changes in peer.conf:
    cd peer1
    nano peer1.conf
    Delete the DNS IP.
    Update the allowed IP's to subnets CIDR ip . e.g. 10.10.20.0/23
    Share the updated peer.conf with respective peer to connect to wireguard server from Personel PC.
add peer.conf in your PC’s /etc/wireguard directory as wg0.conf.
start the wireguard client and check the status:

Once connected to wireguard, you should be now able to login using private IP’s.

Observation K8s Cluster setup and configuration

Observation K8s Cluster setup

Install all the required tools mentioned in pre-requisites for PC.
- kubectl
- helm
- ansible
- rke (version 1.3.10)
Setup Observation Cluster node VM’s as per the hardware and network requirements as mentioned above.
Setup passwordless SSH into the cluster nodes via pem keys. (Ignore if VM’s are accessible via pem’s).
- Generate keys on your PC ssh-keygen -t rsa
- Copy the keys to remote observation node VM’s ssh-copy-id <remote-user>@<remote-ip>
- SSH into the node to check password-less SSH ssh -i ~/.ssh/<your private key> <remote-user>@<remote-ip>

Note:
Make sure the permission for privkey.pem for ssh is set to 400.

Run env-check.yaml to check if cluster nodes are fine and do not have known issues in it.
- cd $K8_ROOT/rancher/on-prem
- create copy of hosts.ini.sample as hosts.ini and update the required details for Observation k8 cluster nodes.
  - cp hosts.ini.sample hosts.ini
  - ansible-playbook -i hosts.ini env-check.yaml
  - This ansible checks if localhost mapping is already present in /etc/hosts file in all cluster nodes, if not it adds the same.
Open ports and install docker on Observation K8 Cluster node VM’s.
- cd $K8_ROOT/rancher/on-prem
- Ensure that hosts.ini is updated with nodal details.
- Update vpc_ip variable in ports.yaml with vpc CIDR ip to allow access only from machines inside same vpc.
- Execute ports.yml to enable ports on VM level using ufw:
  - ansible-playbook -i hosts.ini ports.yaml
- Disable swap in cluster nodes. (Ignore if swap is already disabled)
  - ansible-playbook -i hosts.ini swap.yaml
- execute docker.yml to install docker and add user to docker group:
  - ansible-playbook -i hosts.ini docker.yaml
Creating RKE Cluster Configuration file
- rke config
- Command will prompt for nodal details related to cluster, provide inputs w.r.t below mentioned points:
  - SSH Private Key Path :
  - Number of Hosts:
  - SSH Address of host :
  - SSH User of host :
  - Make all the nodes Worker host by default.
  - To create an HA cluster, specify more than one host with role Control Plane and etcd host.
- Network Plugin Type : Continue with canal as default network plugin.
- For rest of other configurations, opt the required or default value.
As result of rke config command cluster.yml file will be generated inside same directory, update the below mentioned fields:
- nano cluster.yml
  - Remove the default Ingress install
- Add the name of the kubernetes cluster
  - cluster_name: sandbox-name
Setup up the cluster:
- Once cluster.yml is ready, you can bring up the kubernetes cluster using simple command.
  - This command assumes the cluster.yml file is in the same directory as where you are running the command.
  - rke up
- As part of the Kubernetes creation process, a kubeconfig file has been created and written at kube_config_cluster.yml, which can be used to start interacting with your Kubernetes cluster.
- Copy the kubeconfig files
- To access the cluster using kubeconfig file use any one of the below method:
  - cp $HOME/.kube/<cluster_name>_config $HOME/.kube/config Alternatively
  - export KUBECONFIG="$HOME/.kube/<cluster_name>_config
- Test cluster access:
  - kubect get nodes
    Command will result in details of the nodes of the Observation cluster.
- Save your files
  - Save a copy of the following files in a secure location, they are needed to maintain, troubleshoot and upgrade your cluster.
    cluster.yml: The RKE cluster configuration file.

Observation K8s Cluster Ingress and Storage class setup

Once the rancher cluster is ready, we need ingress and storage class to be set for other applications to be installed.

this will install ingress in ingress-nginx namespace of rancher cluster.

Storage classes

The following storage classes can be used:

[ceph-csi](TODO Implementation in progress)

Pre-requisites:

Install Longhorn via helm

./install.sh
Note: Values of below mentioned parametrs are set as by default Longhorn installation script:
- PV replica count is set to 1. Set the replicas for the storage class appropriately.
- Total available node CPU allocated to each instance-manager pod in the longhorn-system namespace.
- The value "5" means 5% of the total available node CPU.
- This value should be fine for sandbox and pilot but you may have to increase the default to "12" for production.
- The value can be updated on Longhorn UI after installation.
Access the Longhorn dashboard from Rancher UI once installed.

Setting up nginx server for Observation K8s Cluster

For Nginx server setup we need ssl certificate, add the same into Nginx server.
Incase valid ssl certificate is not there generate one using letsencrypt:
- SSH into the nginx server
- Install Pre-requisites
Generate wildcard SSL certificates for your domain name.
- sudo certbot certonly --agree-tos --manual --preferred-challenges=dns -d *.org.net
  - replace org.net with your domain.
  - The default challenge HTTP is changed to DNS challenge, as we require wildcard certificates.
  - Create a DNS record in your DNS service of type TXT with host _acme-challenge.org.net, with the string prompted by the script.
  - Wait for a few minutes for the above entry to get into effect.
Verify:
host -t TXT _acme-challenge.org.net
- Press enter in the certbot prompt to proceed.
- Certificates are created in /etc/letsencrypt on your machine.
- Certificates created are valid for 3 months only.
Provide below mentioned inputs as and when promted
- Rancher nginx ip : internal ip of the nginx server VM.
- SSL cert path : path of the ssl certificate to be used for ssl termination.
- SSL key path : path of the ssl key to be used for ssl termination.
- Cluster node ip's : ip’s of the rancher cluster node
Post installation check:
- sudo systemctl status nginx
- Steps to Uninstall nginx (in case required)
sudo apt purge nginx nginx-common
DNS mapping: Once nginx server is installed sucessfully, create DNS mapping for rancher cluster related domains as mentioned in DNS requirement section. (rancher.org.net, keycloak.org.net)

Observation K8's Cluster Apps Installation

Rancher UI

Rancher provides full CRUD capability of creating and managing kubernetes cluster.
Install rancher using Helm, update hostname in rancher-values.yaml and run the following command to install.

Login:
- Get Bootstrap password using
Assign a password. IMPORTANT: makes sure this password is securely saved and retrievable by Admin.

Keycloak

keycloak_client.json: Used to create SAML client on Keycloak for Rancher integration.

Keycloak - Rancher UI Integration

Login as admin user in Keycloak and make sure an email id, and first name field is populated for admin user. This is important for Rancher authentication as given below.
In Keycloak add another Mapper for the rancher client (in Master realm) with following fields:
- Protocol: saml
- Name: username
- Mapper Type: User Property
- Property: username
- Friendly Name: username
- SAML Attribute Name: username
- SAML Attribute NameFormat: Basic
- Specify the following mappings in Rancher's Authentication Keycloak form:
  - Display Name Field: givenName
  - User Name Field: email
  - UID Field: username
  - Entity ID Field: https://your-rancher-domain/v1-saml/keycloak/saml/metadata
  - Rancher API Host: https://your-rancher-domain
  - Groups Field: member

RBAC for Rancher using Keycloak

For users in Keycloak assign roles in Rancher - cluster and project roles. Under default project add all the namespaces. Then, to a non-admin user you may provide Read-Only role (under projects).
Add a member to cluster/project in Rancher:
- Navigate to RBAC cluster members
- Add member name exactly as username in Keycloak
- Assign appropriate role like Cluster Owner, Cluster Viewer etc.
- You may create new role with fine grained acccess control.
Add group to to cluster/project in Rancher:
- Navigate to RBAC cluster members
- Click on Add and select a group from the displayed drop-down.
- Assign appropriate role like Cluster Owner, Cluster Viewer etc.
- To add groups, the user must be a member of the group.
Creating a Keycloak group involves the following steps:
- Go to the "Groups" section in Keycloak and create groups with default roles.
- Navigate to the "Users" section in Keycloak, select a user, and then go to the "Groups" tab. From the list of groups, add the user to the required group.

Certificates expiry

In case you see certificate expiry message while adding users, on local cluster run these commands:

MOSIP K8s Cluster setup

Pre-requisites:
Install all the required tools mentioned in Pre-requisites for PC.
- kubectl
- helm

ansible
rke (version 1.3.10)
Setup MOSIP K8 Cluster node VM’s as per the hardware and network requirements as mentioned above.
Run env-check.yaml to check if cluster nodes are fine and dont have known issues in it.
- cd $K8_ROOT/rancher/on-prem
- create copy of hosts.ini.sample as hosts.ini and update the required details for MOSIP k8 cluster nodes.
  - cp hosts.ini.sample hosts.ini
  - ansible-playbook -i hosts.ini env-check.yaml
  - This ansible checks if localhost mapping ia already present in /etc/hosts file in all cluster nodes, if not it adds the same.
Setup passwordless ssh into the cluster nodes via pem keys. (Ignore if VM’s are accessible via pem’s).
- Generate keys on your PC
  - ssh-keygen -t rsa
- Copy the keys to remote rancher node VM’s:
  - ssh-copy-id <remote-user>@<remote-ip>
- SSH into the node to check password-less SSH
  - ssh -i ~/.ssh/<your private key> <remote-user>@<remote-ip>
- Rancher UI : (deployed in Rancher K8 cluster)
Open ports and Install docker on MOSIP K8 Cluster node VM’s.
- cd $K8_ROOT/mosip/on-prem
- create copy of hosts.ini.sample as hosts.ini and update the required details for wireguard VM.
  - cp hosts.ini.sample hosts.ini
- Update vpc_ip variable in ports.yaml with vpc CIDR ip to allow access only from machines inside same vpc.
- execute ports.yml to enable ports on VM level using ufw:
  - ansible-playbook -i hosts.ini ports.yaml
- Disable swap in cluster nodes. (Ignore if swap is already disabled)
  - ansible-playbook -i hosts.ini swap.yaml
- execute docker.yml to install docker and add user to docker group:
  - ansible-playbook -i hosts.ini docker.yaml
Creating RKE Cluster Configuration file
- rke config
- Command will prompt for nodal details related to cluster, provide inputs w.r.t below mentioned points:
  - SSH Private Key Path :
  - Number of Hosts:
  - SSH Address of host :
  - SSH User of host :
  - Make all the nodes Worker host by default.
  - To create an HA cluster, specify more than one host with role Control Plane and etcd host.
- Network Plugin Type : Continue with canal as default network plugin.
- For rest for other configuration opt the required or default value.
As result of rke config command cluster.ymlfile will be generated inside same directory, update the below mentioned fields:
- nano cluster.yml
- Remove the default Ingress install
- Add the name of the kubernetes cluster
Setup up the cluster:
- Once cluster.yml is ready, you can bring up the kubernetes cluster using simple command.
  - This command assumes the cluster.yml file is in the same directory as where you are running the command.
    rke up
  - The last line should read Finished building Kubernetes cluster successfully to indicate that your cluster is ready to use.
  - Copy the kubeconfig files
- To access the cluster using kubeconfig filr use any one of the below method:
- cp $HOME/.kube/<cluster_name>_config $HOME/.kube/config

Alternatively

Test cluster access:
- kubect get nodes
- Command will result in details of the nodes of the rancher cluster.
Save Your files
- Save a copy of the following files in a secure location, they are needed to maintain, troubleshoot and upgrade your cluster.:
  - cluster.yml: The RKE cluster configuration file.

MOSIP K8 Cluster Global configmap, Ingress and Storage Class setup

Global configmap: Global configmap contains the list of neccesary details to be used throughout the namespaces of the cluster for common details.

cd $K8_ROOT/mosip
Copy global_configmap.yaml.sample to global_configmap.yaml.
Update the domain names in global_configmap.yaml and run.
kubectl apply -f global_configmap.yaml
- cd $K8_ROOT/mosip/on-prem/istio
- ./install.sh
- This will bring up all the Istio components and the Ingress Gateways.
- Check Ingress Gateway services:
  - kubectl get svc -n istio-system
    istio-ingressgateway: external facing istio service.
    istio-ingressgateway-internal: internal facing istio service.
    istiod: Istio daemon for replicating the changes to all envoy filters.

Storage classes

The following storage classes can be used:

[ceph-csi](TODO Implementation in progress)

For time being, we are considering Longhorn as a storage class.

Storage class setup: Longhorn creates a storage class in the cluster for creating pv (persistence volume) and pvc (persistence volume claim).
- Pre-requisites:
- Install Longhorn via helm
  - ./install.sh
  - Note: Values of below mentioned parameters are set as by default Longhorn installation script:
    PV replica count is set to 1. Set the replicas for the storage class appropriately.
    Total available node CPU allocated to each instance-manager pod in the longhorn-system namespace.
    The value "5" means 5% of the total available node CPU
    This value should be fine for sandbox and pilot but you may have to increase the default to "12" for production.
    The value can be updated on Longhorn UI after installation.

Import MOSIP Cluster into Rancher UI

Login as admin in Rancher console
Select Import Existing for cluster addition.
Select Generic as cluster type to add.
Fill the Cluster Name field with unique cluster name and select Create.
You will get the kubecl commands to be executed in the kubernetes cluster. Copy the command and execute from your PC (make sure your kube-config file is correctly set to MOSIP cluster).

Wait for few seconds after executing the command for the cluster to get verified.
Your cluster is now added to the rancher management server.

MOSIP K8 cluster Nginx server setup

For Nginx server setup, we need ssl certificate, add the same into Nginx server.
Incase valid ssl certificate is not there generate one using letsencrypt:
- SSH into the nginx server
- Install Pre-requisites:
- Generate wildcard SSL certificates for your domain name.
  - sudo certbot certonly --agree-tos --manual --preferred-challenges=dns -d *.sandbox.mosip.net -d sandbox.mosip.net
    replace sanbox.mosip.net with your domain.
    The default challenge HTTP is changed to DNS challenge, as we require wildcard certificates.
    Create a DNS record in your DNS service of type TXT with host _acme-challenge.sandbox.xyz.net, with the string prompted by the script.
    Wait for a few minutes for the above entry to get into effect. ** Verify**: host -t TXT _acme-challenge.sandbox.mosip.net
    Press enter in the certbot prompt to proceed.
    Certificates are created in /etc/letsencrypt on your machine.
    Certificates created are valid for 3 months only.
Clone k8s-infra
Provide below mentioned inputs as and when prompted
- MOSIP nginx server internal ip
- MOSIP nginx server public ip
- Publically accessible domains (comma seperated with no whitespaces)
- SSL cert path
- SSL key path
- Cluster node ip's (comma seperated no whitespace)
Post installation check\
- sudo systemctl status nginx
- Steps to uninstall nginx (incase it is required) sudo apt purge nginx nginx-common
- DNS mapping: Once nginx server is installed sucessfully, create DNS mapping for observation cluster related domains as mentioned in DNS requirement section.
Check Overall if nginx and istio wiring is set correctly
- Install httpbin: This utility docker returns http headers received inside the cluster. You may use it for general debugging - to check ingress, headers etc.
- To see what is reaching the httpbin (example, replace with your domain name):

Monitoring module deployment

Prometheus and Grafana and Alertmanager tools are used for cluster monitoring.
Select 'Monitoring' App from Rancher console -> Apps & Marketplaces.
In Helm options, open the YAML file and disable Nginx Ingress.
Click on Install.

Alerting setup

Alerting is part of cluster monitoring, where alert notifications are sent to the configured email or slack channel.

Monitoring should be deployed which includes deployment of prometheus, grafana and alertmanager.
After setting slack incoming webhook update slack_api_url and slack_channel_name in alertmanager.yml.
- cd $K8_ROOT/monitoring/alerting/
- nano alertmanager.yml
- Update:
Update Cluster_name in patch-cluster-name.yaml.
cd $K8_ROOT/monitoring/alerting/
nano patch-cluster-name.yaml
Update:

Install Default alerts along some of the defined custom alerts:

Alerting is installed.

Logging module setup and installation

Install Rancher FluentD system : for screpping logs outs of all the microservices from MOSIP k8 cluster.
- Install Logging from Apps and marketplace within the Rancher UI.
- Select Chart Version 100.1.3+up3.17.7 from Rancher console -> Apps & Marketplaces.
Configure Rancher FluentD
- Create clusteroutput
  - kubectl apply -f clusteroutput-elasticsearch.yaml
- Start clusterFlow
  - kubectl apply -f clusterflow-elasticsearch.yaml
- Install elasticsearch, kibana and Istio addons\
- set min_age in elasticsearch-ilm-script.sh and execute the same.
- min_age : is the minimum no. of days for which indices will be stored in elasticsearch.
- MOSIP provides set of Kibana Dashboards for checking logs and throughputs.
  - Brief description of these dashboards are as follows:
Import dashboards:
- cd K8_ROOT/logging
- ./load_kibana_dashboards.sh ./dashboards <cluster-kube-config-file>
View dashboards

Open kibana dashboard from https://kibana.sandbox.xyz.net.

Kibana --> Menu (on top left) --> Dashboard --> Select the dashboard.

MOSIP External Dependencies setup

External Dependencies are set of external requirements that are needed for functioning of MOSIP’s core services like DB, Object Store, HSM etc.

MOSIP Modules Deployment

Now that all the Kubernetes cluster and external dependencies are already installed, will continue with MOSIP service deployment.

MOSIP Docs 1.2.0

Home

About MOSIP

Releases

Resources

Overview

What is Digital Identification?

What is a foundational ID system?

What is MOSIP?

Privacy and security

MOSIP modules

MOSIP ecosystem

MOSIP offerings

Building a national ID system using MOSIP

Architecture

Overview

High-Level Reference Functional Architecture

ID Lifecycle Management

Overview

New ID issuance

Pre-registration

Registration (enrolment)

For adults

For infants/children

ID data update/updating individual’s information

De-activate/re-activate individual’s ID

Finding a lost ID

Correction process

ID Schema

Overview

Understanding ID Schema

Terminology

JSON keys

Dependencies

Versions of ID Schema

Good Practice

Identifiers

Overview

UIN

VID

RID / AID

PRID

Token ID (PSUT - Partner Specific User Token)

Anonymous Profiling Support

Overview

Design

Anonymous Registration profile

Anonymous Identity issuance profile

Anonymous Authentication Profile

Generating dashboards from Anonymous profile data

ID Authentication

Overview

Authentication types

Yes/No Authentication

KYC Authentication

Multifactor authentication

VID

Tokenization

Relying parties and policies

Consent

Hotlisting

Privacy and Security

Security by design

Privacy by intent

Data Protection

Registration data flow

Datashare

Zero-knowledge encryption

Encryption and sharing by Credential Service

Decryption by IDA

ID authentication flow

Privacy

Overview

What is privacy and privacy protection?

Privacy design elements

Biometrics

Overview

Modalities

ABIS

Overview