Below are instructions for temporarily delaying key rotation in MOSIP 1.1.5 when the MOSIP module keys are about to expire.
This procedure works only if trust validation is not enabled for biometric devices and IDA key rotation is not required.
1. Identify which keys will be expiring in the kernel key manager by running the following query:
   select * from key_alias ka where key_expire_dtimes >= current_date and key_expire_dtimes < current_date + 30 and (ref_id='' or app_id='KERNEL');
2. Set key_expire_dtimes to a future date for all the keys returned by the query in step #1, except for the key with app_id KERNEL. Do not modify the expiry of the kernel key.
3. On the day of expiry, when a request is made to the key manager, the system will automatically generate a new KERNEL SIGN key with an expiry date of 3 years.
This is not a replacement for a proper key-rotation technique. It is only a temporary measure to avoid disrupting operations.
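The update in step 2, written as a single transaction so that the affected rows can be reviewed before they are committed. This is an added example, not part of the original instructions: PostgreSQL syntax and the 90-day extension are assumptions, while the table and column names are those used in the step 1 query.

```sql
-- Added example: step 2 as one transaction (PostgreSQL syntax assumed).
-- Assumption: 90 days is a constructed value; pick the extension you need.
BEGIN;

-- Extend every key returned by the step 1 query, except rows with app_id KERNEL.
-- The step 1 filter is (ref_id = '' OR app_id = 'KERNEL'); dropping the KERNEL
-- rows leaves only the ref_id = '' keys of the other applications.
UPDATE key_alias
   SET key_expire_dtimes = current_date + 90
 WHERE key_expire_dtimes >= current_date
   AND key_expire_dtimes <  current_date + 30
   AND ref_id = ''
   AND app_id IS DISTINCT FROM 'KERNEL'
RETURNING app_id, ref_id, key_expire_dtimes;

-- Check: KERNEL rows must still carry their original expiry, so they should
-- still appear in the 30-day expiry window after the update.
SELECT app_id, ref_id, key_expire_dtimes
  FROM key_alias
 WHERE app_id = 'KERNEL'
   AND key_expire_dtimes >= current_date
   AND key_expire_dtimes <  current_date + 30;

COMMIT;  -- use ROLLBACK; instead if the RETURNING rows are not the ones expected
```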