Deployment

Deployment process for the technical components and modules required to integrate with MOSIP & E-Signet

Docker Compose configuration

Take a look at the docker-compose.deploy.yml file in our example configuration.

The mosip-api service (the middleware between OpenCRVS and MOSIP) is configured like this. Note that the router's middlewares label lists only gzip-compression: the mosip-api headers middleware declared further down (HSTS, Pragma/Cache-control no-store, X-Robots-Tag) is never attached to the router, so Traefik will not apply those headers until the name is added to that list.

mosip-api:
    volumes:
      - '/data/sqlite:/data/sqlite'
    image: ghcr.io/opencrvs/mosip-api:${MOSIP_API_VERSION}
    environment:
      - NODE_ENV=production
      - MOSIP_BIRTH_WEBHOOK_URL=http://mosip-mock:20240/webhooks/opencrvs/birth
      - MOSIP_DEATH_WEBHOOK_URL=http://mosip-mock:20240/webhooks/opencrvs/death
      - OPENCRVS_GRAPHQL_GATEWAY_URL=http://gateway:7070/graphql
      - OPENCRVS_PUBLIC_KEY_URL=http://auth:4040/.well-known
      - LOCALE=en
      - ESIGNET_USERINFO_URL=${ESIGNET_USERINFO_URL}
      - ESIGNET_TOKEN_URL=${ESIGNET_TOKEN_URL}
      - ESIGNET_REDIRECT_URL=${ESIGNET_REDIRECT_URL}
      - OIDP_CLIENT_PRIVATE_KEY_PATH=${OIDP_CLIENT_PRIVATE_KEY_PATH}
      - OPENID_PROVIDER_CLAIMS=${OPENID_PROVIDER_CLAIMS}
      - DECRYPT_P12_FILE_PATH=${DECRYPT_P12_FILE_PATH}
      - DECRYPT_P12_FILE_PASSWORD=${DECRYPT_P12_FILE_PASSWORD}
      - ENCRYPT_CERT_PATH=${ENCRYPT_CERT_PATH}
      - IDA_AUTH_DOMAIN_URI=${IDA_AUTH_DOMAIN_URI}
      - IDA_AUTH_URL=${IDA_AUTH_URL}
      - PARTNER_APIKEY=${PARTNER_APIKEY}
      - PARTNER_ID=${PARTNER_ID}
      - PARTNER_MISP_LK=${PARTNER_MISP_LK}
      - SIGN_P12_FILE_PATH=${SIGN_P12_FILE_PATH}
      - SIGN_P12_FILE_PASSWORD=${SIGN_P12_FILE_PASSWORD}
      - CLIENT_APP_URL=https://register.{{hostname}}
      - SQLITE_DATABASE_PATH=/data/sqlite/mosip-api.db
      - MOSIP_PACKET_AUTH_CLIENT_ID=${MOSIP_PACKET_AUTH_CLIENT_ID}
      - MOSIP_PACKET_AUTH_CLIENT_SECRET=${MOSIP_PACKET_AUTH_CLIENT_SECRET}
      - MOSIP_WEBSUB_AUTH_CLIENT_ID=${MOSIP_WEBSUB_AUTH_CLIENT_ID}
      - MOSIP_WEBSUB_AUTH_CLIENT_SECRET=${MOSIP_WEBSUB_AUTH_CLIENT_SECRET}
      - MOSIP_AUTH_URL=${MOSIP_AUTH_URL}
      - MOSIP_WEBSUB_CALLBACK_URL=http://mosip-api:2024/websub/callback
      - MOSIP_WEBSUB_HUB_URL=${MOSIP_WEBSUB_HUB_URL}
      - MOSIP_WEBSUB_SECRET=${MOSIP_WEBSUB_SECRET}
      - MOSIP_WEBSUB_TOPIC=${MOSIP_WEBSUB_TOPIC}
      - MOSIP_CREATE_PACKET_URL=${MOSIP_CREATE_PACKET_URL}
      - MOSIP_PROCESS_PACKET_URL=${MOSIP_PROCESS_PACKET_URL}
      - MOSIP_VERIFIABLE_CREDENTIAL_ALLOWLIST=${MOSIP_VERIFIABLE_CREDENTIAL_ALLOWLIST}
      - MOSIP_CENTER_ID=${MOSIP_CENTER_ID}
      - MOSIP_MACHINE_ID=${MOSIP_MACHINE_ID}
    deploy:
      replicas: 1
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.mosip-api.rule=Host(`mosip-api.{{hostname}}`)'
        - 'traefik.http.services.mosip-api.loadbalancer.server.port=2024'
        - 'traefik.http.routers.mosip-api.tls=true'
        - 'traefik.http.routers.mosip-api.tls.certresolver=certResolver'
        - 'traefik.http.routers.mosip-api.entrypoints=web,websecure'
        - 'traefik.http.routers.mosip-api.middlewares=gzip-compression'
        - 'traefik.docker.network=opencrvs_overlay_net'
        - 'traefik.http.middlewares.mosip-api.headers.customresponseheaders.Pragma=no-cache'
        - 'traefik.http.middlewares.mosip-api.headers.customresponseheaders.Cache-control=no-store'
        - 'traefik.http.middlewares.mosip-api.headers.customresponseheaders.X-Robots-Tag=none'
        - 'traefik.http.middlewares.mosip-api.headers.stsseconds=31536000'
        - 'traefik.http.middlewares.mosip-api.headers.stsincludesubdomains=true'
        - 'traefik.http.middlewares.mosip-api.headers.stspreload=true'
    networks:
      - overlay_net
    logging:
      driver: gelf
      options:
        gelf-address: 'udp://127.0.0.1:12201'
        tag: 'mosip-api'
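In Traefik a middleware defined through labels has no effect until some router names it in its middlewares option, which is easy to miss in a long label block like the one above. The following shell snippet is an added example for this page, not code from OpenCRVS or Traefik: it scans a compose file for middlewares that are declared but never attached. The sample input is a constructed copy of the relevant labels from the service above, with the hostname replaced by a placeholder.

```shell
#!/bin/sh
# Report Traefik middlewares that a compose file declares through labels but
# never attaches to a router. Added example for this page; not from the OpenCRVS
# or Traefik projects. It understands the "traefik.http.*" label syntax only.

# Print, one per line, each middleware name that appears in a
# "traefik.http.middlewares.<name>.<option>" label but in no router's
# ".middlewares=" list (comma-separated, optional "@provider" suffix).
unattached_middlewares() {
  file=$1
  defined=$(grep -o 'traefik\.http\.middlewares\.[A-Za-z0-9_-]*\.' "$file" \
    | sed 's/^traefik\.http\.middlewares\.//; s/\.$//' | sort -u)
  attached=$(grep -o 'routers\.[A-Za-z0-9_-]*\.middlewares=[A-Za-z0-9_,@.-]*' "$file" \
    | sed 's/^.*middlewares=//' | tr ',' '\n' | sed 's/@.*$//' | sort -u)
  for m in $defined; do
    printf '%s\n' "$attached" | grep -qx "$m" || echo "$m"
  done
}

# Constructed sample: the router and middleware labels of the mosip-api service,
# reduced to the lines that matter (hostname is a placeholder), written to FILE.
write_sample() {
  cat > "$1" <<'EOF'
        - 'traefik.http.routers.mosip-api.rule=Host(`mosip-api.example.org`)'
        - 'traefik.http.routers.mosip-api.middlewares=gzip-compression'
        - 'traefik.http.middlewares.mosip-api.headers.customresponseheaders.Cache-control=no-store'
        - 'traefik.http.middlewares.mosip-api.headers.stsseconds=31536000'
EOF
}

# The same labels with the headers middleware attached; nothing should be reported.
write_fixed_sample() {
  cat > "$1" <<'EOF'
        - 'traefik.http.routers.mosip-api.middlewares=gzip-compression,mosip-api@docker'
        - 'traefik.http.middlewares.mosip-api.headers.stsseconds=31536000'
EOF
}

sample=$(mktemp)
write_sample "$sample"
unattached_middlewares "$sample"   # prints: mosip-api
rm -f "$sample"
```

Run it against docker-compose.deploy.yml before every release; any name it prints is a security header set that is configured but silently not sent.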

Take a look at the docker-compose.qa-deploy.yml file in our example configuration. This configuration is deployed to a QA server.

For the countryconfig microservice, the following environment variables are set:

- ESIGNET_REDIRECT_URL=${ESIGNET_REDIRECT_URL}
- OPENID_PROVIDER_CLIENT_ID=${OPENID_PROVIDER_CLIENT_ID:-}
- OPENID_PROVIDER_CLAIMS=${OPENID_PROVIDER_CLAIMS:-}
- MOSIP_API_USERINFO_URL=${MOSIP_API_USERINFO_URL}

A read-only volume containing the static certificate and key files that MOSIP will share with you is mounted into the mosip-api container:

  mosip-api:
    volumes:
      - /certs:/certs:ro

Environment secrets (variables)

You will need to manually add the environment variables and secrets used for the MOSIP and E-Signet integration to the GitHub environment of your choice. In our example, it is a QA environment.

Environment secrets

Click "Add environment secret" and enter the following secrets:

secret
description

DECRYPT_P12_FILE_PASSWORD

A password that is supplied by MOSIP to decrypt the file below.

DECRYPT_P12_FILE_PATH

The path within the shared volume of the mosip-api service to the "keystore.p12" file supplied by MOSIP, used when interacting with the MOSIP ID Auth SDK and when validating the returned credential. The decryption and signing keystores can be two different files, hence the separate SIGN_P12_FILE_PATH variable; in this example both point at the same file.

ENCRYPT_CERT_PATH

The path within the shared volume of the mosip-api service to the "ida-partner.crt" file supplied by MOSIP, used when interacting with the MOSIP ID Auth SDK.

ESIGNET_USERINFO_URL

The E-Signet User Info API endpoint used by the mosip-api service to retrieve details of the individual from E-Signet, using the E-Signet access token returned from the authentication process.

IDA_AUTH_DOMAIN_URI

API endpoint value supplied by MOSIP, used when interacting with the MOSIP ID Auth SDK.

IDA_AUTH_URL

API endpoint value supplied by MOSIP, used when interacting with the MOSIP ID Auth SDK.

OIDP_CLIENT_PRIVATE_KEY_PATH

The path within the shared volume of the mosip-api service to the E-Signet client private key in JWK format, the "esignet-jwk.txt" file supplied by MOSIP.

OPENID_PROVIDER_CLAIMS

A comma-separated list of E-Signet claims that can be used as initialValues (pre-population) for form fields, e.g. name,family_name,given_name,middle_name,birthdate,address

PARTNER_APIKEY

A value supplied by MOSIP, used when interacting with the MOSIP ID Auth SDK.

PARTNER_ID

A value supplied by MOSIP, used when interacting with the MOSIP ID Auth SDK.

PARTNER_MISP_LK

A value supplied by MOSIP, used when interacting with the MOSIP ID Auth SDK.

SIGN_P12_FILE_PASSWORD

A password that is supplied by MOSIP to decrypt the file below.

SIGN_P12_FILE_PATH

The path within the shared volume of the mosip-api service to the "keystore.p12" file supplied by MOSIP, used when interacting with the MOSIP ID Auth SDK and when validating the returned credential. The signing and decryption keystores can be two different files, hence the separate DECRYPT_P12_FILE_PATH variable; in this example both point at the same file.

Environment variables

Click "Add environment variable" and enter the following variables:

variable
description

ESIGNET_REDIRECT_URL

The E-Signet login URL that OpenCRVS redirects to.

ESIGNET_TOKEN_URL

The authorization "code" returned from an E-Signet login is exchanged at this token endpoint for an OAuth access token, which is then used to call the E-Signet User Info API.

MOSIP_API_USERINFO_URL

The mosip-api service URL, configured in the form's esignetConfig, that the E-Signet callback triggers to retrieve details of the individual from E-Signet's ESIGNET_USERINFO_URL.

MOSIP_API_VERSION

The released version tag of the mosip-api service

MOSIP_CENTER_ID

Used in the following property when submitting payloads to the MOSIP Packet Manager API:

refId: `${env.MOSIP_CENTER_ID}_${env.MOSIP_MACHINE_ID}`

MOSIP_MACHINE_ID

As above

MOSIP_AUTH_URL

URL used to authenticate with MOSIP Packet Manager API and WebSub

MOSIP_PACKET_AUTH_CLIENT_ID

Credentials used to authenticate with MOSIP Packet Manager API

MOSIP_PACKET_AUTH_CLIENT_SECRET

Credentials used to authenticate with MOSIP Packet Manager API

MOSIP_CREATE_PACKET_URL

Create packet URL for the MOSIP Packet Manager API

MOSIP_PROCESS_PACKET_URL

MOSIP workflow manager, workflow instance URL to be called immediately after the packet is created.

MOSIP_VERIFIABLE_CREDENTIAL_ALLOWLIST

Not currently in use in this phase. Awaiting MOSIP direction on its use in future releases.

MOSIP_WEBSUB_AUTH_CLIENT_ID

Credentials used to authenticate with MOSIP WebSub

MOSIP_WEBSUB_AUTH_CLIENT_SECRET

Credentials used to authenticate with MOSIP WebSub

MOSIP_WEBSUB_HUB_URL

URL to subscribe to MOSIP WebSub

MOSIP_WEBSUB_SECRET

hub.secret value for MOSIP WebSub

MOSIP_WEBSUB_TOPIC

hub.topic value for MOSIP WebSub

Static certificate key files

You will need to make a directory on your server for the shared volume that stores the static certificate key files used by the mosip-api. In our example, the path to this directory is:

/certs

You will be given static files from MOSIP. The files are:

  • keystore.p12

  • ida-partner.crt

  • esignet-jwk.txt
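Before starting the stack it is worth checking, on the host, that the secrets listed above are set, that the three files are present with restrictive permissions, that the two P12 passwords actually open their keystores, and that the partner certificate has not expired. The script below is an added example for this page, not part of the OpenCRVS or MOSIP projects. It uses the variable and file names from the tables above; the /certs layout, the rule that the files must not be readable by "other", and the 30-day expiry warning are assumptions of this example, not requirements of either project.

```shell
#!/bin/sh
# Pre-flight check for the mosip-api certificate volume and its secrets.
# Added example for this page, not part of the OpenCRVS or MOSIP deployment.
# The file and variable names are the ones the page lists; the directory
# layout, the permission policy and the 30-day expiry warning are assumptions.

# Return 0 if every named environment variable is set and non-empty.
require_vars() {
  missing=0
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "MISSING: $v" >&2
      missing=1
    fi
  done
  return $missing
}

# Return 0 if FILE exists, is non-empty and is not readable by "other".
# The volume is mounted read-only in the container, but a 644 file on the host
# still hands the keystore to every local account. If mosip-api runs as a
# non-root user, give that user group access rather than relaxing this check.
check_private_file() {
  f=$1
  [ -s "$f" ] || { echo "FAIL: $f missing or empty" >&2; return 1; }
  mode=$(ls -ld "$f" | cut -c1-10)
  case "$mode" in
    *---) return 0 ;;
    *) echo "FAIL: $f is readable by other (mode $mode)" >&2; return 1 ;;
  esac
}

# Return 0 if PASSWORD opens the PKCS#12 keystore FILE. The password travels in
# the environment (-passin env:), not on the command line where ps could read it.
check_p12() {
  P12_PASSWORD=$2 openssl pkcs12 -in "$1" -noout -passin env:P12_PASSWORD >/dev/null 2>&1
}

# Return 0 if FILE is a PEM certificate still valid DAYS days from now (default 0).
check_cert() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-0} * 86400 )) >/dev/null 2>&1
}

# Run all checks. CERT_DIR defaults to /certs, which the compose file mounts at
# the same path inside the container, so the *_PATH variables can be used as-is;
# they fall back to the file names MOSIP supplies when unset.
preflight() {
  dir=${1:-/certs}
  rc=0
  require_vars DECRYPT_P12_FILE_PASSWORD SIGN_P12_FILE_PASSWORD \
               PARTNER_ID PARTNER_APIKEY PARTNER_MISP_LK || rc=1
  decrypt_p12=${DECRYPT_P12_FILE_PATH:-$dir/keystore.p12}
  sign_p12=${SIGN_P12_FILE_PATH:-$dir/keystore.p12}
  crt=${ENCRYPT_CERT_PATH:-$dir/ida-partner.crt}
  jwk=${OIDP_CLIENT_PRIVATE_KEY_PATH:-$dir/esignet-jwk.txt}
  for f in "$decrypt_p12" "$sign_p12" "$crt" "$jwk"; do
    check_private_file "$f" || rc=1
  done
  check_p12 "$decrypt_p12" "${DECRYPT_P12_FILE_PASSWORD:-}" \
    || { echo "FAIL: DECRYPT_P12_FILE_PASSWORD does not open $decrypt_p12" >&2; rc=1; }
  check_p12 "$sign_p12" "${SIGN_P12_FILE_PASSWORD:-}" \
    || { echo "FAIL: SIGN_P12_FILE_PASSWORD does not open $sign_p12" >&2; rc=1; }
  check_cert "$crt" 0 || { echo "FAIL: $crt is not a valid, unexpired certificate" >&2; rc=1; }
  check_cert "$crt" 30 || echo "WARN: $crt expires within 30 days" >&2
  if [ $rc -eq 0 ]; then echo "OK: mosip-api pre-flight passed for $dir" >&2; fi
  return $rc
}

# Usage: sh preflight.sh /certs   (run on the host once MOSIP's files are in place)
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it with the same environment the deployment uses (for example from the CI job that reads the GitHub environment secrets) so that a wrong password or a stale certificate fails the pipeline rather than the first live authentication.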
