RPS Configuration

By default, the configuration file for the Relying Party Service (RPS) resides in: installation-folder/config_rps.py

The table below lists alphabetically the available RPS configuration options. An option is considered required if its absence from the configuration file produces a system error.

Option Name Option Type Option Description
accessNumberExpireSeconds Optional Expiration period in seconds for the Access Number which is displayed in the Browser PIN Pad for Mobile authentication. The default is 60.
accessNumberExtendValiditySeconds Optional Extension in seconds added to the Access Number's expiration period (on top of accessNumberExpireSeconds). The default is 5.
accessNumberUseCheckSum Optional When True, the integrity of the one-time password is protected with a checksum. The default is True.
address Optional IP address of the local interface on which the service is listening. A value of means listening on all interfaces. The default listening interface is
allowOrigin Optional Sets the Access-Control-Allow-Origin header. The default is '*'.
cacheTimePermits Optional When True, the M-Pin Time Permits issued for the Client by D-TAs are stored in the system cache. This allows your M-Pin Core System to take advantage of pre-generated Time Permits, which speeds up operations. When False, each newly requested Time Permit is generated by the D-TA instead of being retrieved from the cache. The default setting is True.
configFile Optional Path and name of the RPS config file. You can create as many configurations as you want, store each as a separate file, and use the configFile option to switch configurations as needed. The default path and filename is <installation-folder>/config_rps.py.
credentialsFile Optional Credentials File location. The Credentials File is a JSON file containing the credentials with which the Relying Party Service (RPS) authenticates the Relying Party Application (RPA). It is issued upon RPA’s registration in the M-Pin System. The default location of the file is the directory in which the M-Pin System is installed. Example: /opt/mpin/credentials.json
DTALocalURL Required Base URL for making requests (by the RPS) to the Customer D-TA. The default is
dynamicOptionsURL Optional URL from which the new set of the RPS configuration options is returned. The URL is resolved when you need to change the RPS settings dynamically (when the M-Pin Core system is operational). The following is a list of the RPS options that can be configured dynamically:




fileStorageLocation Conditional, Required Path and location of the JSON file to be used as a system storage by the RPS if file storage is used. Required if the storage option is set to json.
EntropySources Optional Entropy source for the service together with the entropy size. The service needs 100 bytes of entropy for performing its authentication function. Entropy retrieval can optionally be distributed among several different sources. For each source there is a plugin module with the same name as the source. Further entropy source plugins can be developed to accommodate other sources. The entropy plugins that are supported "out of the box" are the following:

dev_random – reads from the local /dev/random device. It is a good source but might be slow, especially on a virtual machine.

dev_urandom – reads from the local /dev/urandom device. This source is not as good as the local /dev/random device but still reliable enough and doesn't suffer from performance issues.

MIRACL – reads from the MIRACL entropy server.

The following example configures distributed retrieval of 40 bytes of entropy from the MIRACL server and 60 bytes from the local /dev/urandom source: MIRACL:40,dev_urandom:60.

The default setting is dev_urandom:100.
logLevel Optional Level of detail for the messages logged to the service's log file. Increasing the level of detail might be necessary for the development/integration of the Relying Party Application (RPA). The valid settings (in increasing level of detail) are ERROR, WARN, INFO, DEBUG. The default is ERROR.
logoutURL Required Logout URL for the Mobile App; enables logging out end-users remotely. The logout functionality is entirely customer-implemented as it depends on the RPA's session management mechanism and, therefore, is typically an RPA endpoint. If provided, the Mobile App will make a request to this endpoint in order to log out the end-user. Example setting:
maxInvalidLoginAttempts Optional Maximum number of allowed invalid login attempts. Once this limit is reached, the end-user is blocked and should re-register. (The counter of the invalid attempts is reset after a successful login.) The default is 3.
mobileUseNative Optional When True, the native Mobile App is used; when False, the JavaScript client is used. The default is False.
port Optional Port on which the service is listening. The default port is 8011.
redisDB Conditional, Required Redis database to use, indicated as an integer. Example: 0. Required if the storage option is set to redis.
redisHost Conditional, Required IP address of the Redis storage. Example: Required if the storage option is set to redis.
redisPassword Conditional, Required Password for the Redis connection. For no password, set to None. Required if the storage option is set to redis.
redisPort Conditional, Required Communication port of the Redis storage. Example: 6379. Required if the storage option is set to redis.
redisPrefix Conditional, Required Data transfer prefix indicating that the element should be routed to the Redis storage. The default is mpin. Required if the storage option is set to redis.
RegisterForwardUserHeaders Required List of headers to be forwarded. Used together with the RPAVerifyUserURL property to verify whether the end-user has already been authenticated through another authentication platform (if multiple authentication platforms are supported by your system). The list is in CSV format. To disable header forwarding, leave an empty string (default); to forward all headers, use the star character (*).
RequestOTP Optional When True, two-factor authentication is enabled (in the form of a one-time password sent to the user's mobile device) as an option. This allows end-users to choose whether to authenticate with their M-Pin only or use two-factor authentication. The default setting is False.
RPAAuthenticateUserURL Required Endpoint of the Relying Party Application (RPA) for end-user authentication validation. Example: /mpinAuthenticate.
RPAPermitUserURL Required Endpoint of the Relying Party Application (RPA) for end-user revocation. Example:
RPAVerifyUserURL Required Endpoint of the Relying Party Application (RPA) for end-user identity verification. Example:
rpsBaseURL Required Base URL of the RPS service. This URL is used to assemble the correct URLs for the client settings provided to the Client. The default is
rpsPrefix Optional Prefix for the "external" requests to the RPS. (“External” requests are those that come from the Client to the RPA and are supposed to be re-routed by the RPA to the RPS.) The Proxy must be configured to forward requests with this prefix to the RPS. The default setting is rps.
seedValueLength Optional Length (in number of characters) of the seed for the Client. (Used for entropy generation.) The default is 100.
setDeviceName Optional When True, the Client allows setting of a Device Name together with the end-user Identity. This setting is sent to the Client through the client settings. If True, the Client will obtain a default device name and will display it to the end-user who will be able to optionally modify it. The device name is then sent to the RPS together with the registration request and the RPS feeds it to the RPA within the end-user verification request. The RPA uses this information to map end-users to their devices (i.e. to map M-Pin IDs to Device Names). The default setting is False.
storage Optional Indicates the kind of Storage used by the RPS. (The RPS uses the Storage to keep Time Permits and some temporary authentication tokens.) The valid settings are:

json – the RPS stores its content in a JSON file. (The file path and name are specified in the fileStorageLocation option.)

memory (default) – the RPS stores its contents in the machine's RAM.

redis (recommended) – the RPS stores its content in a Redis database. (Redis storage provides solutions suitable for High Availability Deployments and for scaling up an existing deployment.) This setting makes all options beginning with redis required.
syncTime Optional When True, the service syncs its time with the MIRACL servers; if synchronization fails, an attempt will be made every 5 seconds until success is achieved. When False (recommended), this time synchronization is disabled and the service will rely on the system time. The default is False. Time synchronization is needed to perform time-based verification. Consequently, if you disable the syncing of the service with the MIRACL servers, you should then be syncing your system with an NTP server to ensure that correct and precise system time is maintained.
timePeriod Conditional, Required Time interval (in ms) at which the service syncs with MIRACL's time servers. Required if the syncTime option is enabled. The default setting is 86400000, which amounts to one synchronization a day.
VerifyUserExpireSeconds Optional Time interval (in seconds) after which the User verification expires due to inactivity of the User. The default is 3600 (1 hour).
waitForLoginResult Optional When True, the Mobile App will wait for browser login confirmation before showing the Done/Logout button. When False, the Done/Logout button is displayed irrespective of the User's.
certivoxServerSecret parameter Optional M-Pin Core Configuration - Manually Applying a Server Secret
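
The conditional rules in the table (the redis options when storage is redis, fileStorageLocation when storage is json, timePeriod when syncTime is enabled, the 100 bytes of entropy) can be checked before the service is started. The following Python is an added example, not part of the M-Pin distribution: lint() and parse_entropy() are hypothetical helpers, the options are passed in as a dict rather than read from config_rps.py, and reporting an entropy total below 100 bytes or a wildcard allowOrigin as a warning is an assumption of this example.

```python
# Added example: option names and rules are from the table; helpers are hypothetical.
REQUIRED = ["DTALocalURL", "logoutURL", "RegisterForwardUserHeaders",
            "RPAAuthenticateUserURL", "RPAPermitUserURL", "RPAVerifyUserURL",
            "rpsBaseURL"]
REDIS_OPTS = ["redisDB", "redisHost", "redisPassword", "redisPort", "redisPrefix"]
ENTROPY_PLUGINS = {"dev_random", "dev_urandom", "MIRACL"}  # shipped plugins
ENTROPY_BYTES = 100                                        # bytes the service needs
LOG_LEVELS = {"ERROR", "WARN", "INFO", "DEBUG"}

def parse_entropy(spec):
    """Turn 'MIRACL:40,dev_urandom:60' into [('MIRACL', 40), ('dev_urandom', 60)]."""
    pairs = []
    for item in spec.split(","):
        name, _, size = item.strip().partition(":")
        pairs.append((name, int(size)))  # raises ValueError on a malformed size
    return pairs

def lint(cfg):
    """Return (errors, warnings) for a dict mapping option name to value."""
    errors = [f"{o} is required" for o in REQUIRED if o not in cfg]
    warnings = []
    storage = cfg.get("storage", "memory")
    if storage not in ("json", "memory", "redis"):
        errors.append(f"storage: unknown setting {storage!r}")
    if storage == "redis":  # redisPassword present but None (no password) is fine
        errors += [f"{o} is required when storage is redis"
                   for o in REDIS_OPTS if o not in cfg]
    if storage == "json" and "fileStorageLocation" not in cfg:
        errors.append("fileStorageLocation is required when storage is json")
    if cfg.get("syncTime", False) and "timePeriod" not in cfg:
        errors.append("timePeriod is required when syncTime is enabled")
    if cfg.get("logLevel", "ERROR") not in LOG_LEVELS:
        errors.append("logLevel must be ERROR, WARN, INFO or DEBUG")
    sources = parse_entropy(cfg.get("EntropySources", "dev_urandom:100"))
    for name, _ in sources:
        if name not in ENTROPY_PLUGINS:
            warnings.append(f"EntropySources: {name} needs a custom plugin")
    total = sum(size for _, size in sources)
    if total < ENTROPY_BYTES:  # assumption: a short total is a misconfiguration
        warnings.append(f"EntropySources: {total} bytes configured, {ENTROPY_BYTES} needed")
    if cfg.get("allowOrigin", "*") == "*":
        warnings.append("allowOrigin: '*' admits every origin; name the RPA origin")
    return errors, warnings

# Constructed sample: redis storage selected but only redisHost supplied.
SAMPLE = dict.fromkeys(REQUIRED, "placeholder")
SAMPLE.update(storage="redis", redisHost="placeholder-host",
              EntropySources="MIRACL:40,dev_urandom:50")
print(lint(SAMPLE))
```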