Management Server & Management Client
Happy to announce that NPrime has deployed the MOSIP Management Server and Client solution in two national ID projects: one in Asia and the second in West Africa, with more in the pipeline.
MOSIP Management Server:
The management server is hosted in a datacentre and exposes only port 443. It is equipped with a FIPS 140-2 Level 3 compliant HSM, and it can register and de-register devices from the management portal. Communication is encrypted end to end over SSL. Only securely provisioned and whitelisted devices are allowed. Key rotation and key expiry are checked with the management server once a day. Device key expiry is set, and keys are rotated, according to the policy configured on the management server.
The management server does the following:
- Validate the devices to ensure each is a genuine device from the respective device provider.
- Register the genuine device with the MOSIP device server.
- Manage/sync time between the end device and the server. The synced time should be the only trusted time accepted by the device.
- Ability to issue commands to the end device for:
  - De-registration of the device (Device Keys)
  - Collecting device information to maintain, manage, support and upgrade a device remotely.
- A central repository of all the approved devices from the device provider.
- Safe storage of keys using HSM FIPS 140-2 Level 3. These keys are used to issue the device certificate upon registration.
- Should have the ability to push updates from the server to the client devices
MOSIP Management Client:
The management client is the interface that connects the device with the respective management server.
- Auto-registers the device with the management server, with device identification and validation.
- All communication to the server and from the server should follow the properties below:
  - All communication is digitally signed.
  - All communication to the server is encrypted using public key cryptography.
  - All requests have timestamps in ISO format, to the millisecond, inside the signature.
  - All communication will have the signed digital id as one of the attributes.
- Key rotation will be triggered from the server through telemetry.
- Detects whether it is communicating with the right management server.
- Will not expose any API to capture biometric. The management server will have no ability to trigger a capture request.
- Biometric data will not be logged either in the encrypted or unencrypted format
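The signing and timestamp properties listed above can be checked on the server side as in the following added example, which is not NPrime or MOSIP code. It shows why the timestamp has to sit inside the signed bytes: a replayed request is rejected as stale, and rewriting its timestamp breaks the signature. Assumptions: Ed25519 keys, the envelope field names, the 5-minute freshness window, and a digital id simplified to a plain identifier looked up in a whitelist.

```javascript
// Added example; field names, Ed25519 and the 5-minute window are assumptions.
const crypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window
const ISO_MS = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;

// Client side: digital id and timestamp are part of the bytes that get signed.
function signRequest(privateKey, digitalId, payload, now = new Date()) {
  const body = JSON.stringify({ digitalId, timestamp: now.toISOString(), payload });
  const signature = crypto.sign(null, Buffer.from(body), privateKey).toString("base64");
  return { body, signature };
}

// Server side: whitelist lookup, signature check, then timestamp checks.
function verifyRequest(whitelist, request, now = new Date()) {
  let parsed;
  try { parsed = JSON.parse(request.body); } catch { return "malformed"; }
  if (!parsed || typeof parsed !== "object") return "malformed";
  const publicKey = whitelist.get(parsed.digitalId);
  if (!publicKey) return "unknown-device";
  const sig = Buffer.from(String(request.signature), "base64");
  if (!crypto.verify(null, Buffer.from(request.body), publicKey, sig)) {
    return "bad-signature";
  }
  // Only trust the timestamp after the signature over it has been verified.
  if (!ISO_MS.test(parsed.timestamp)) return "bad-timestamp";
  const ts = Date.parse(parsed.timestamp);
  if (Number.isNaN(ts)) return "bad-timestamp";
  if (Math.abs(now.getTime() - ts) > MAX_SKEW_MS) return "stale";
  return "accepted";
}

// Constructed sample run: a fresh request, the same request replayed ten
// minutes later, and that replay with its timestamp rewritten to look fresh.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const whitelist = new Map([["DEV-001", publicKey]]); // constructed device id
  const t0 = new Date("2024-05-01T10:00:00.000Z");
  const later = new Date(t0.getTime() + 10 * 60 * 1000);
  const req = signRequest(privateKey, "DEV-001", { type: "telemetry" }, t0);
  const forged = { ...req, body: req.body.replace("10:00:00.000Z", "10:09:00.000Z") };
  return [verifyRequest(whitelist, req, t0), verifyRequest(whitelist, req, later),
          verifyRequest(whitelist, forged, later)];
}
console.log(demo());
```

The freshness check is only meaningful when the device clock follows the server-synced time described earlier on this page.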
Specifications on MOSIP website: https://www.mosip.io/