Signed certificates are not getting uploaded to the database via WebSub
Problem
“As part of 1.1.5.1 release of MOSIP when a partner uploads his or her certificate using the partner management, the MOSIP signed certificate needs to be uploaded in the master.ca_cert_store table or ida.ca_cert_store for building the trust store in registration client.”
We have observed frequent issues here, such as “504 time out” errors, or the certificate being uploaded to the key manager database on the server but not to the master database.
We have also observed an error in the websub.message_delivery_failed table stating “Root CA Certificate not found.”
Root Cause
After our analysis we found a couple of issues:
There is a performance issue in WebSub due to frequent resubscription.
The message table in WebSub is too small in size, causing issues in persisting the message (in this case the certificate in the websub database, which was introduced in MOSIP v1.1.5.1).
The certificates are not getting uploaded because the MOSIP root certificates are not available in master.ca_cert_store or ida.ca_cert_store.
Solution
We should increase the resubscription time for all WebSub subscribers to once in 24 hours and restart these services.

    # id-authentication-mz.properties
    ida-websub-resubscription-delay-secs=41200

    # id-repository-mz.properties
    resubscription-delay-secs=43200

    # kernel-mz.properties
    syncdata.websub.resubscription.delay.secs=45200000

    # print-mz.properties
    print-websub-resubscription-delay-secs=47200

    # syncdata-mz.properties
    syncdata.websub.resubscription.delay.secs=45200000

    # NOTE: The value here is in milliseconds except for ida-websub-resubscription-delay-secs.

The following columns in the following database tables need to be altered so that longer messages can be stored:

    ALTER TABLE websub.message_store ALTER COLUMN message TYPE text;
    ALTER TABLE websub.message_delivery_failed ALTER COLUMN delivery_failure_reason TYPE varchar(1024);
    ALTER TABLE websub.message_delivery_failed ALTER COLUMN delivery_failure_error TYPE varchar(1024);

The MOSIP root certificates, taken from keymgr.ca_cert_store, need to be added to the tables below:
master.ca_cert_store
MOSIP ROOT with domain DEVICE
MOSIP PMS with domain DEVICE
ida.ca_cert_store
MOSIP ROOT with domain DEVICE
MOSIP PMS with domain DEVICE
MOSIP ROOT with domain FTM
MOSIP PMS with domain FTM
MOSIP ROOT with domain AUTH
MOSIP PMS with domain AUTH
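
The “Root CA Certificate not found.” failure and the per-table domain list above can be modelled as follows. This is an added example, not MOSIP code: the per-domain chain lookup is a simplified assumption, and the subject names, row layout and function names are constructed placeholders.

```python
# Added illustration: simplified model of a per-domain CA trust-store lookup.
# Not MOSIP code; the subject names below are constructed placeholders.
ROOT = "CN=MOSIP-ROOT-PLACEHOLDER"
PMS = "CN=MOSIP-PMS-PLACEHOLDER"

# Domains each table must cover, as listed in the article.
REQUIRED = {
    "master.ca_cert_store": ["DEVICE"],
    "ida.ca_cert_store": ["DEVICE", "FTM", "AUTH"],
}

def rows_for(domains):
    """Constructed (subject, issuer, partner_domain) rows: self-signed ROOT, PMS issued by ROOT."""
    return [row for d in domains for row in ((ROOT, ROOT, d), (PMS, ROOT, d))]

def chain_to_root(store, issuer, domain):
    """Follow issuer links inside one domain until a self-signed root is reached."""
    issuer_of = {subj: iss for subj, iss, dom in store if dom == domain}
    chain, current = [], issuer
    while current in issuer_of and current not in chain:
        chain.append(current)
        if issuer_of[current] == current:  # self-signed: trust anchor found
            return chain
        current = issuer_of[current]
    raise LookupError("Root CA Certificate not found.")

def missing_entries(store_name, store):
    """List the (subject, domain) pairs the article requires that the store lacks."""
    present = {(subj, dom) for subj, _, dom in store}
    return [(s, d) for d in REQUIRED[store_name] for s in (ROOT, PMS) if (s, d) not in present]

def check_upload(store, issuer, domain):
    """Return the trust chain for a partner certificate, or the failure reason."""
    try:
        return chain_to_root(store, issuer, domain)
    except LookupError as exc:
        return str(exc)

if __name__ == "__main__":
    ida_partial = rows_for(["DEVICE"])              # FTM and AUTH entries not copied yet
    ida_full = rows_for(REQUIRED["ida.ca_cert_store"])
    print(check_upload(ida_partial, PMS, "FTM"))    # fails: no FTM trust anchor
    print(check_upload(ida_full, PMS, "FTM"))       # resolves PMS -> ROOT
    print(missing_entries("ida.ca_cert_store", ida_partial))
```

Running `missing_entries` against rows exported from each table after the copy shows at a glance which ROOT/PMS and domain combinations still need to be inserted.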