Complete Server-Side Verification

While it's true that all authenticity checks can be successfully completed on smartphones and edge devices, they alone might not suffice. There's a potential risk of verification results being intercepted and modified by fraudsters directly on the same device. In the "zero trust to mobile" approach, Regula applies an additional layer of protection against such a fraud through Complete Server-Side Verification.

Steps to set up Server-Side Verification:

Enable Server-Side Verification
Connect Database
Connect Storage
Configure RFID Chip Reprocessing (optional)
Configure Mobile Side

Step 1: Enable Server-Side Verification

To enable the Server-Side Verification functionality, use:

config.yaml

service:
  sessionApi:
    enabled: true

Also, you can configure the location of transaction records as described below:

config.yaml

service:
  sessionApi:
    enabled: true
    transactions:
      location:
        bucket: "docreader-transactions"
        container: "docreader-transactions"
        folder: "docreader-transactions"
        prefix: "session-api"

Parameter	Type	Default	Description
`enabled`	boolean	`false`	Whether to enable the Session API too.
`bucket`	string	`docreader-transactions`	Location (bucket) where to save encrypted processing results packages in the case of the Google Cloud Storage or Amazon S3.
`container`	string	`docreader-transactions`	Location (container) where to save encrypted processing results in the case of the Microsoft Azure.
`folder`	string	`docreader-transactions`	Location (folder) where to save processing encrypted results in the case of the local file system. May represent an absolute path.
`prefix`	string	—	Single prefix line for all defined locations. When set, gives ability to keep the stored processing results in a more organized way regardless of the selected storage type.

Step 2: Connect Database

A database is used to collect the transaction information, public and private keys. It is required to be configured in case of the Server-Side Verification.

Supported database management systems:

PostgreSQL v14 and higher. If you use v13 and older, you need to add an extension by invoking the following script:

CREATE EXTENSION pgcrypto;

MariaDB Server (and its predecessor MySQL) v10.7 and higher (and its predecessor MySQL v8 and higher)
MS SQL Server 2016 and higher
Oracle v19c and higher
SQLite (not recommended for production solutions). For using SQLite on Linux, make sure to install libsqlite3-dev package.

To set up the database, use:

PostgreSQLMariaDBMySQLOracleSQLiteMicrosoft SQL

config.yaml

service:
  database:
    connectionString: "postgresql://<username>:<password>@127.0.0.1:5432/regula_docreader_db"

config.yaml

service:
  database:
    connectionString: "mysql+pymysql://<username>:<password>@127.0.0.1:3306/regula_docreader_db"

config.yaml

service:
  database:
    connectionString: "mysql+pymysql://<username>:<password>@127.0.0.1:3306/regula_docreader_db"

config.yaml

service:
  database:
    connectionString: "oracle+oracledb://system:admin@localhost:1521/FREE"

Linux:

config.yaml

service:
  database:
    connectionString: "sqlite:////opt/regula/document-reader-webapi/regula_docreader.db"

Windows:

config.yaml

service:
  database:
    connectionString: "sqlite:///С:/regula_docreader.db"

config.yaml

service:
  database:
    connectionString: "mssql+pymssql://<username>:<password>@127.0.0.1:1433/regula_docreader_db"

Parameter	Type	Default	Description
`connectionString`	string	—	The connection string to the database by the pattern `dialect://user:password@host/dbname[?key=value..]`. Due to security reasons, has different order of precedence.

Step 3: Connect Storage

A storage is used to collect the request, response, document images, metadata, session keys and challenges of the RFID chip processing.

It is required to be configured in case of the Server-Side Verification.

How to connect Storage

Step 4: Configure RFID Chip Reprocessing (Optional)

Chip Verification

Chip Verification as part of RFID chip reprocessing includes Chip Authentication and Active Authentication.

To set up the Chip Verification, use:

config.yaml

sdk:
  rfid:
    chipVerification:
      enabled: true

Parameter	Type	Default	Description
`enabled`	boolean	`false`	Whether to enable the server-side chip verification

Passive Authentication

To enable the Passive Authentication as the part of RFID chip reprocessing, define the path to the directory where you placed the certificates:

LinuxWindows

config.yaml

sdk:
  rfid:
    PKD_PA: "rfid_pkd"

config.yaml

sdk:
  rfid:
    PKD_PA: "C:\\Program Files\\Regula\\Document Reader Web API\\rfid_pkd"

Also, you can configure the additional processing parameters of RFID Passive Authentication as described below:

LinuxWindows

config.yaml

sdk:
  rfid:
    PKD_PA: "rfid_pkd"
    paSensitiveCodes:
      - -1879048190
      - -1879048189
    paIgnoreNotificationCodes:
      - -1879047913
      - -1879047667

config.yaml

sdk:
  rfid:
    PKD_PA: "C:\\Program Files\\Regula\\Document Reader Web API\\rfid_pkd"
    paSensitiveCodes:
      - -1879048190
      - -1879048189
    paIgnoreNotificationCodes:
      - -1879047913
      - -1879047667

Parameter	Type	Default	Description
`PKD_PA`	string	—	Custom folder prepopulated with master lists for the RFID public key directory. If the parameter is present, the corresponding checks are performed. Note, that Windows requires the fully-qualified absolute path, while for Linux you can use either absolute or relative.
`paSensitiveCodes`	array of integers	—	List of error codes, considered as critical during processing. See the full list of available notification codes by the link: eLDS_ParsingErrorCodes enumeration.
`paIgnoreNotificationCodes`	array of integers	—	List of notification codes that should be ignored during passive authentication (PA). See the full list of available notification codes by the link: eLDS_ParsingNotificationCodes enumeration.

Step 5: Configure Mobile Side

After the Web Service is set up, you need to configure the Document Reader Mobile SDK. Refer to the Mobile SDK section for instructions on how to do that.

Example

Below, see the contents' example of the config.yaml file or download it.

config.yaml

sdk:
  rfid:
    chipVerification:
      enabled: true

service:
  webServer:
    port: 8080
    workers: 1
    timeout: 30

    demoApp:
      enabled: true

    cors:
      origins: "*"
      headers: "Content-Type"
      methods: "POST,PUT,GET,DELETE,PATCH,HEAD"

    ssl:
      enabled: false
      cert: certs/tls.crt
      key: certs/tls.key
      tlsVersion: 1.2

    logging:
      level: INFO
      formatter: text

      access:
        console: true
        path: logs/docreader-access.log

      app:
        console: true
        path: logs/docreader-app.log

  processing:
    enabled: true
    results:
      location:
        bucket: docreader-processing
        container: docreader-processing
        folder: docreader-processing
        prefix: ""

  sessionApi:
    enabled: true
    saveRequest: true
    transactions:
      location:
        bucket: "docreader-transactions"
        container: "docreader-transactions"
        folder: "docreader-transactions"
        prefix: ""

  storage:
    type: s3

    s3:
      accessKey: minioadmin
      accessSecret: minioadmin
      endpointUrl: http://s3-storage:9000
      region: eu-central-1
      secure: true

  database:
    connectionString: postgresql://regula:Regulapasswd#1@db-postgres:5432/regula_docreader_db

If you use Docker Compose, you can mount the config.yaml in the docker-compose.yml file. See the example below or download it.

docker-compose.yml

version: "3.7"

services:
  docreader:
    container_name: docreader
    image: regulaforensics/docreader:latest
    volumes:
      - ./regula.license:/app/extBin/unix/regula.license
      - ./config.yaml:/app/config.yaml
    networks:
      - docreader-network
    healthcheck:
      test: curl -f http://127.0.0.1:8080/api/ping
      interval: 60s
      start_period: 60s
      timeout: 30s
      retries: 5
    depends_on:
      - s3-storage
      - db-postgres
    ports:
      - "8080:8080"

  # Storage
  s3-storage:
    image: quay.io/minio/minio:RELEASE.2023-10-25T06-33-25Z
    command: server --console-address ":9001" /data
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      MINIO_ACCESS_KEY: minioadmin
      MINIO_SECRET_KEY: minioadmin
    volumes:
      - minio-data:/data
    networks:
      - docreader-network
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost:9000/minio/health/live" ]
      interval: 30s
      timeout: 20s
      retries: 3

  # Database
  db-postgres:
    image: postgres:latest
    restart: always
    volumes:
      - postgre-data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: "regula_docreader_db"
      POSTGRES_USER: "regula"
      POSTGRES_PASSWORD: "Regulapasswd#1"
    networks:
      - docreader-network
    ports:
      - "5432:5432"

volumes:
  minio-data:
  postgre-data:

networks:
  docreader-network:
    driver: bridge

To set the license, place the regula.license file into the same folder where the downloaded docker-compose.yml is located.

To start the Docker container, invoke:

sudo docker-compose up -d

To check the status, run:

sudo docker-compose ps