Signed certificates are not getting uploaded to the database via websub

Problem

“As part of 1.1.5.1 release of MOSIP when a partner uploads his or her certificate using the partner management, the MOSIP signed certificate needs to be uploaded in the master.ca_cert_store table or ida.ca_cert_store for building the trust store in registration client.”

We have observed frequent issues here, such as “504 time out” errors, or the certificate getting uploaded to the server in the key manager database but not in the master database.

We have also observed an error in the websub.message_delivery_failed table stating “Root CA Certificate not found.”

Root Cause

After our analysis, we found a couple of issues:

  1. There is a performance issue in websub due to frequent resubscription.

  2. The message table in websub is too small, which causes issues in persisting the message (in this case the certificate in the websub database, which was introduced in MOSIP v1.1.5.1).

  3. The certificates are not getting uploaded because the MOSIP root certificates are not available in master.ca_cert_store or ida.ca_cert_store.

Solution

  1. We should increase the resubscription time for all websub subscribers to once in 24 hours and restart these services.

    # id-authentication-mz.properties
    ida-websub-resubscription-delay-secs=41200
    # id-repository-mz.properties
    resubscription-delay-secs=43200
    # kernel-mz.properties
    syncdata.websub.resubscription.delay.secs=45200000
    # print-mz.properties
    print-websub-resubscription-delay-secs=47200
    # syncdata-mz.properties
    syncdata.websub.resubscription.delay.secs=45200000
    # NOTE: The value here is in milliseconds except for ida-websub-resubscription-delay-secs.

  2. The columns below need to be altered in the tables below so that longer messages can be stored.

    ALTER TABLE websub.message_store ALTER COLUMN message TYPE text;
    ALTER TABLE websub.message_delivery_failed ALTER COLUMN delivery_failure_reason TYPE varchar(1024);
    ALTER TABLE websub.message_delivery_failed ALTER COLUMN delivery_failure_error TYPE varchar(1024);

  3. The MOSIP root certificates need to be added to the tables below, taken from keymgr.ca_cert_store.

    1. master.ca_cert_store

      1. MOSIP ROOT with domain DEVICE

      2. MOSIP PMS with domain DEVICE

    2. ida.ca_cert_store

      1. MOSIP ROOT with domain DEVICE

      2. MOSIP PMS with domain DEVICE

      3. MOSIP ROOT with domain FTM

      4. MOSIP PMS with domain FTM

      5. MOSIP ROOT with domain AUTH

      6. MOSIP PMS with domain AUTH
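
The check below is an added example, not part of the original page or of MOSIP's own tooling. It compares CSV exports of keymgr.ca_cert_store and a target table against the rows required in step 3 and reports which rows still have to be copied. The column names `cert_thumbprint` and `partner_domain`, the thumbprint values and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Required rows per target table, as listed in step 3 above.
REQUIRED = {
    "master.ca_cert_store": [("ROOT", "DEVICE"), ("PMS", "DEVICE")],
    "ida.ca_cert_store": [(cert, domain)
                          for domain in ("DEVICE", "FTM", "AUTH")
                          for cert in ("ROOT", "PMS")],
}

def load(csv_text):
    """Return the (thumbprint, domain) pairs found in a CSV export.
    Column names cert_thumbprint / partner_domain are assumptions."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r["cert_thumbprint"].strip().lower(),
             r["partner_domain"].strip().upper()) for r in rows}

def plan(table, keymgr_csv, target_csv, thumbprints):
    """Triage the rows required in `table` that the target export lacks:
    to_copy = present in keymgr, unavailable = absent from keymgr too."""
    source, target = load(keymgr_csv), load(target_csv)
    to_copy, unavailable = [], []
    for cert, domain in REQUIRED[table]:
        key = (thumbprints[cert].lower(), domain)
        if key in target:
            continue  # already in the trust store
        (to_copy if key in source else unavailable).append((cert, domain))
    return to_copy, unavailable

# Constructed sample data: placeholder thumbprints, not real MOSIP values.
THUMBPRINTS = {"ROOT": "aa11", "PMS": "bb22"}
KEYMGR_CSV = """cert_thumbprint,partner_domain
AA11,DEVICE
BB22,DEVICE
AA11,FTM
BB22,FTM
AA11,AUTH
"""
IDA_CSV = """cert_thumbprint,partner_domain
aa11,DEVICE
"""
MASTER_CSV = "cert_thumbprint,partner_domain\n"

if __name__ == "__main__":
    for table, export in (("master.ca_cert_store", MASTER_CSV),
                          ("ida.ca_cert_store", IDA_CSV)):
        to_copy, unavailable = plan(table, KEYMGR_CSV, export, THUMBPRINTS)
        print(table, "copy from keymgr:", to_copy, "not in keymgr:", unavailable)
```

Rows reported as not in keymgr cannot be copied yet; the certificate has to exist in keymgr.ca_cert_store for that domain first.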