Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Digital Infrastructure for Verifiable Open Credentialing
The Digital Infrastructure for Verifiable Open Credentialing or DIVOC is an open-source platform that enables countries to digitally orchestrate large-scale health campaigns such as vaccination and certification programs.
Learn more about the platform on the DIVOC website or Contact us for more details.
Built in India for the world as a digital public good, DIVOC is a flexible and extendable software that can be used across multiple health programs.
Its scalable and data-driven architecture allows it to deal with diverse country-specific scenarios. In a vaccination programme, for example, it gives countries the ability to manage and control vaccines, facilities, and vaccinators systematically across geographies, as well as generate digitally variable certificates that are compliant with international standards.
The platform is modular, enabling countries to use the components together or as an individual standalone solution, according to their need, for end-to-end vaccination and certification.
DIVOC has two core modules:
1. Issue and Verify Certificates
2. Analytics
Reference Implementation: There are other components of DIVOC that countries can customise according to their requirement -
1. Program setup via the orchestration module
2. Facility app
3. Citizen portal
4. Feedback
DIVOC Demo: Click here to play around with the modules.
Acknowledge as a Digital Public Good by the Digital Public Good Alliance (DGPA), the platform has enabled India and four other countries to issue over 2 billion COVID-19 vaccination certificates to its citizens.
Over 2 billion digitally signed vaccinated certificates via Cowin.
DIVOC’s certificate component went
live with digital vaccination certificates
in Sri Lanka in July 2021, in the Philippines in September 2021, and in Jamaica and Indonesia in December 2021.
DIVOC has enabled the Indian Council of Medical Research (ICMR) to
issue digitally-signed
COVID-19 test reports.
Plans are underway to issue COVID-19 test result certificates in both Sri Lanka and Philippines.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
This document will tell you what DIVOC can and cannot do. For example, do not expect DIVOC to correct data fraud or mistakes at the source, or store medical history with high data-storage requirements.
Holds information on individual events or claims.
It is not meant to store historical data (for example, a person’s medical history). The size limitation is 1 KB.
It is tamper-proof, and hence, can ease access to welfare funds linked to identity and a claim.
Cannot expect it to rectify data errors at the source.
The output can be hybrid (PDF plus QR code).
Not a good idea if the expected verification to issuance ratio is low.
Modular architecture can support more health credentialing other than COVID-19.
Not suitable if there is no purpose on the demand side.
DIVOC supports multi-lingual use and multi-distribution methods (such as paper, and smartphone).
Not the best option if the issuer and verifier are in the same network (in such cases, we recommend using simpler, and cheaper options).
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
This section will include the following:
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Most useful links:
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
This page lists all DIVOC releases till date. It covers new features, enhancements, and fixes
Release notes 1.24.0 (on-demand EU-DCC and FHIR-DDCC export)
Release notes 1.23.3 (minor enhancements and UI fixes)
Release notes 1.23.2 (bug fixes and enhancements)
Release notes 1.23.1 (UI enhancements and bug fixes)
Release notes 1.23.0 (secondary dosage flows and design enhancements)
Release notes 1.22.1 (minor enhancements and UI fixes)
Release notes 1.22.0 (design enhancements and bug fixes)
Release notes 1.21.0 (facility application enhancements)
Release notes 1.20.2 (minor enhancements and bug fixes)
Release notes 1.20.1 (minor enhancement on appointment)
Release notes 1.20.0 (registration and appointment)
Release notes 2.0.0 (generic) and 2.0 release features
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
March 25, 2022.
If your country is implementing DIVOC 2.0, it is important to know the additions/changes that we have made as part of this release:
Configuration management via : You can make configuration changes to DIVOC’s certificate module via etcd without needing a new deployment. Click to know more.
Support for EU compliant digital certificates and Smart Health Cards: DIVOC’s EU-DCC and SHC adapter services facilitate easy travel for residents from DIVOC’s adopter countries. Know more about DIVOC’s and adapter services.
Print certificates at the facility: We have added the capability to print vaccination certificates when a beneficiary walks into a facility. Click to know more.
New API for revocation services: A new Revoke API has been introduced that can be used to revoke an issued certificate for manual revocation use cases. Click to know more.
Deployment activities automated reducing installation time:
- Automating our infrastructure setup has reduced our deployment time from about 3 days to 1 day.
- DIVOC’s has been streamlined with the introduction of the new scripts. The details of the scripts are given below:
Install the prerequisites and set up the various hardware clusters.
Push the docker images to the appropriate registry.
Deploy the code from the registry into the Kubernetes cluster.
Enhanced performance of PDF certificate generation: We have fine-tuned our PDF generating algorithms, which has lowered the consumption of system resources.
January 24, 2023
With this release, the DIVOC platform provides a user interface (UI) for tenants to log into the DIVOC platform to create and manage different tenants and schemas required for issuing verifiable credentials (VCs).
A list of the common terms used in this document:
represent information found in physical credentials, such as birth registration and driving license, as well as objects that have no physical equivalent, such as ownership of a bank account. VCs are typically QR codes whose information is being signed and can only be modified by the issuer making it a tamper-proof QR code. The QR codes can be read and verified by the verifiers using the public key issued by the issuer and by using the libraries/algorithms used by the issuer system. When a digital document (for example, a lab test report) has a normal QR code, anyone can modify its value and generate a new QR code and then replace it with another QR code with different information. Whereas the information in a verifiable QR code cannot be replaced as the original data or information cannot be changed without a “private key.”
Issuer: Refers to an issuing authority who can issue claims about a particular entity or individual that can be validated. An issuer gathers the information that needs to be contained in the VC from the entities and sends it across to DIVOC through tenant software. Example: Medical Councils.
Tenant: Refers to any source system of issuers linked to the DIVOC platform to issue VCs. Examples: Council Software, University software, etc.
Source systems: The tenant software that interacts with the DIVOC platform to issue VCs.
Schema: A schema is essentially a template that tells the issuer the content, type, and description required for an attribute that needs to be part of the VC.
All content on this page by is licensed under a .
All content on this page by is licensed under a .
Bug fixes and upgrades
This includes minor changes in certification and management services to support the upgraded Sunbird registry for updating schema and some UI-specific services.
UI for tenant onboarding portal
An interface through which source system administrators can log into the DIVOC platform and connect it with the source system.
UI for credentials management
A UI-based interface through which tenant administrators can regenerate their API keys to connect to the DIVOC platform and generate access tokens.
UI for multiple schema creation and modification
An interface through which tenant administrators can create and manage different schemas required for issuing VCs. This provides functionality to ingest the schema from a JSON or use the user interface to add fields to the schema, as well as set various attributes to them.
UI for schema creation preview
Test and preview the certificate being generated before the schema could be published.
UI for managing certificate templates
Add and modify templates for certificates generated by the DIVOC platform.
Step 1: Install prerequisites and dependencies
Update package list - sudo apt-get update.
Install docker - sudo apt install docker.io.
Install docker-compose - sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose.
Install git - sudo apt install git.
For additional details on Docker, you can find the instructions here.
You can find the basic Docker Compose commands below:
- Starting services docker-compose up.
- Restarting services docker-compose restart.
- Checking the status of services docker-compose ps.
- Monitoring service logs docker-compose logs.
Step 2: Install DIVOC
Clone DIVOC repository onto your local machine - git clone https://github.com/egovernments/DIVOC.
Navigate to DIVOC directory - cd DIVOC.
Configure DIVOC: Configurations are provided as environment variables and a default set of configurations is provided in the ‘.env.example’ file. Make a copy of this file named ‘.env’ that docker will pick up. Edit these configurations as per your need.
Step 3: Start all services in the detached mode.
Verify the state of containers. All containers should be up.
Some services might fail to start because the dependent service may not be ready yet. Restarting the failed service should start it successfully in this case.
On Mac/Windows, services may crash with exit code:137, if sufficient memory is not set for docker. This can be changed in the Docker desktop preferences, resources tab, as shown here.
Step 4: To build docker images locally after making changes, run following commands
Step 5: Explore DIVOC
The following are the routes to access local apps. The remaining routes can be found in nginx/nginx.conf.
localhost
public app
localhost/portal
portal app
localhost/facility_app
facility app
In this section, we will go through the steps involved in a typical flow, starting from setting up facilities to generating a certificate after vaccination.
Login to keycloak console (localhost/auth/admin
) as admin
(password : admin
)
Hover on Master
on the left top corner and click on Add realm.
Click on the Select File
button (import option).
Select realm-export.json
in the keycloak directory. path:DIVOC/keycloak.
Click on create.
admin-api
Login to the keycloak console (localhost/auth/admin
) as admin
(password:admin
).
Click on Clients
in the configure section on the left pane and click on admin-api.
Go to the credentials tab, click on Regenerate Secret
and copy the new secret.
Change the ADMIN_API_CLIENT_SECRET
to the copied secret in docker-compose.yml.
Rebuild and restart the services that use ADMIN_API_CLIENT_SECRET.
“For example - sudo docker-compose up -d --build --no-deps certificate-processor portal-api certificate-api gateway.
DIVOC uses etcd as a configuration store for templates and other configurations. A default set of configurations is available in the default-configuration/etcd folder. The instructions to configure these are available here.
admin
and controller
users in KeycloakLogin to the keycloak console (localhost/auth/admin
) as admin
(password : admin
).
Click on Users
in the Manage section on the left panel and click on Add User.
Give the username as 0000000000 and click on save.
In the Attributes
section, add a new key as mobile_number
and value as 0000000000. Click on Add and save.
Go to the Groups section, select system admin
in the available groups and click on Join.
Similarly, create another user with username
and mobile_number
as 0000000001 and join the controller
group.
Login to the portal as system admin
(Mobile Number : 0000000000, OTP : 1234).
Upload Facilities.csv:
Click on the Facilities tab and click on Download Template .csv.
Click on Upload CSV
button and upload the downloaded csv.
You should see the success message for a facility.
Create a vaccine:
Click on the Vaccines tab. Fill in all the fields on the form, mark the status as Active and click on save.
You should see the new vaccine on the right pane in the list of registered medicines/vaccines.
Create a vaccination program:
Click on the Vaccine Program tab. Fill in all the fields on the form, mark the status as Active, and click on save.
You should see the new vaccine program on the right pane in the list of registered vaccine programs.
Pre-enroll recipients:
Click on the Pre-Enrollment tab and click on Downloaf Template .csv
Click on Upload CSV
and upload a CSV file containing all the fields given in the template.
You should see the number of recipients successfully enrolled and errors if there are any.
Login to the portal as controller
(Mobile Number: 0000000001, OTP: 1234).
Activate facilities for vaccination program:
In the Facility Activation tab, select the vaccination program added in the previous step, select the type of facility as government and mark the status as Active.
You should be able to see at least one facility in the search results.
Click on the checkbox for the relevant facility (make note of facility code) and click on MAKE ACTIVE.
The activated facility should disappear from the search results.
Get admin mobile number for the facility code (noted in the previous step), from the facilities.csv
uploaded.
Login to Facility Admin portal (localhost/portal/facility_admin
) using the mobile number and OTP: 1234.
Add facility_staff user:
Click on the Role Setup tab and click on the add role icon.
Create a role with type facility staff
and mobile number 1111111111
. Set the status as enabled and set the rate of 50 for the vaccination program.
Add Vaccinators:
Click on Vaccinator Details
tab and Click Add Vaccinator.
Fill in all the details. Select the vaccination program previously created in the certification dropdown.
Click on Add and click on Back.
Click on the Make Active
button to activate the vaccinator.
Bulk Certification:
Certificates can also be issued in bulk by the facility admin by uploading a CSV file.
Go to the Upload Vaccination details tab and click on the download CSV template button.
Now upload a CSV file, containing all the fields in the template.
The generated certificates can be viewed on the public app (localhost
).
Login to the Facility app (localhost/facility_app
) (Mobile Number: 1111111111, OTP: 1234).
Enrolling and certifying recipients:
Click on enrol recipient, fill all the details and proceed.
Click on Recipient Queue, to proceed for certification.
Certifying pre-enrolled recipients:
Recipients pre-enrolled by facility admin can be certified by the facility staff.
Go to the app home and click on Verify Recipient
to proceed for vaccination.
In the public app (localhost
), recipients can:
Download
/ vaccination certificates
Verify
certificates by scanning a QR code
Report
any side effects/symptoms after vaccination
For the above operations, you need the recipient mobile number (given during pre-enrollment/vaccination). Use OTP: 1234 for all logins.
Change the admin password of Keycloak console
Go to the admin console, click on the Admin menu in the top right corner and select Manage account.
Change the password in the password section on the right.
This document refers to the revocation of a digital certificate issued to a person. DIVOC’s certificate revocation service will help stakeholders of a program to revoke digital certificates, according to the issuing authority’s predefined policy.
For example, during a COVID-19 vaccination campaign, the vaccination certificate issued to a person, as digitised proof of the event, can get revoked due to multiple reasons like:
errors in the information encoded in the digital certificate.
wilful tampering of the digital certificate (QR or PDF output) by external entities who have gained unauthorized access to the certificate data contents.
or if a specific batch of vaccines is found to be faulty, among others.
The purpose of this document is to provide an overview of the certificate revocation service offered by DIVOC. It describes the steps involved in the revocation process, as well as the maintenance of the revoked certificate list for verifiers.
DIVOC has enabled a “Revoke API” that can be used to revoke an issued certificate for manual revocation use cases.
The API uses a “beneficiary ID/pre-enrollment code” and either the “dose number(s)” or the “all doses” flag as input parameters to search and fetch the certificate(s) that need to be revoked from the certificate registry.
If the “dose number(s)” parameter is passed, it must be a sequential list of doses that includes the latest dose.
DIVOC stores the revoked certificate ID within a centrally-maintained “certificate revocation list (or CRL).”
DIVOC maintains a certificate revocation list to store certificate IDs of the revoked certificates. The revocation list can be hosted by an issuing authority (either inside or outside its central certificate registry) or can be periodically downloaded as a file and stored by a verifier application.
When a revoked certificate’s QR code is scanned using the DIVOC’s online verification service, the service searches the CRL for the certificate ID to check if the certificate is a valid or revoked certificate.
If the certificate ID is found in the CRL of the scanned QR code, the verification screen displays the certificate as revoked.
Each CRL has a serial number, time, and date on which the certificate was revoked.
It includes the date and time when the CRL was published, and when the next update to the CRL will be published.
A revocation is triggered when the revocation API is called by the source system (for example, a vaccination platform), on specific transactions (for example, the correction or update of a certificate).
As input parameters from the source system, the revoke API receives beneficiary ID/enrollment code and dose number(s) or the all doses flag.
The relevant certificate is fetched and DIVOC performs a “soft delete” of the certificate (also referred to as the “revocation” process).
The revoked certificate’s "certificate ID" is then moved to the certificate revocation list.
Certificate IDs of all revoked certificates are maintained in the CRL within the certificate registry. The revoked certificate IDs can be indexed in chronological order against the respective unique certificate ID, along with its revocation date and time.
The certificate revocation list will be regularly updated to support the verification flow by approved domestic and international verifiers.
If the certificate was revoked, the same information will be displayed to the third-party verifier application in real-time. On scanning, the verifier application will display the result as an “Invalid certificate.”
DIVOC’s certificate revocation list can be configured to support both offline and online verifications flows. For instance,
- On scanning a revoked certificate, a third-party verifier application can call the APIs (i.e. fetch APIs provided by DIVOC to the country’s issuing authority) to fetch the certificate revocation list to validate the “revoked” status of the digital certificate.
- The certificate revocation list can be downloaded by the third-party verifier application (in their local system) on a periodic basis.
Developer documents
The guide covers everything developers need to know to set up and run DIVOC on their local machines.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Using the DIVOC certificate generation service, a country can issue a QR code-based digitally verifiable certificate, which serves as proof of the health event, such as the COVID-19 vaccination. It involves an issuer (for example, a government department), a holder (for example, the citizen of a country), and a verifier (for example, security personnel at the airport).
All DIVOC issued digital certificates are based on the globally accepted W3C-Verifiable Credential Data Model 1.0.
DIVOC uses this data model for encoding the event data into the digital certificate’s QR code. DIVOC also uses a PKI mechanism to cryptographically sign all QR codes in the issued digital certificates.
Popular cryptographic signing algorithms (like RSA, EDDSA) are adopted in the DIVOC certificate QR signing process.
A. Holder: Someone who possesses one or more verifiable credentials as a proof of an event/identified use case and is responsible for generating presentations from them. In DIVOC’s vaccination use case, it is the vaccine recipient or beneficiary.
B. Issuer: Reefers to a legal entity that asserts claims about the holder or subject about a verifiable event or an identified use case by issuing a verifiable credential to a holder. Issuers may include central/state governments, authorities, corporations, etc. For instance, in the COVID 19 vaccine scenario, the issuer could be the issuing country or legal authorities.
C. Subject: An entity about which the verifiable claim is made by the issuer, for example, beneficiary or vaccine dose recipient.
D. Verifier: An entity who is responsible for verifying an issued credential. In the COVID-19 travel scenario, verifiers are the arrival country authorities that require a verifiable COVID-19 vaccine proof for allowing access to services and border entries.
E. Verifiable data registry: This refers to a role that a system may perform by mediating the creation and verification of identifiers, keys, and other relevant data, such as verifiable credential schemas, revocation registries, issuer public keys, and so on, which may be required to use verifiable credentials.
The purpose of this document is to provide information about the certificate generation service of DIVOC. It has the following sections:
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
This section describes the key features of DIVOC and how they work.
Countries can use the DIVOC's certificate module to issue digitally verifiable certificates to the entire population at speed and scale in a controlled manner post-vaccination.
This module is responsible for issuing a QR code-based digital certificate for any registered health event. It can be adapted to other areas too where there is a requirement for secure and tamper-proof documents, such as educational certificates.
The certificates can be issued in both digital and physical forms, which includes print, pdf, and other formats.
The module supports multilingual vaccination certificate templates.
Generates WHO-DDCC (World Health Organisation- Digital Documentation of COVID-19 Certificates) compliant digital vaccination certificates with a W3C (World Wide Web Consortium) JSON schema, for every resident after successful inoculation.
To aid travel into other countries, the certificate module supports on-demand services for travellers to export their vaccination certificates to other formats (e.g. EU-DCC, SmartHealthCard), used in the destination countries.
The module supports additional services, including certificate verification, certificate update/correction, and certificate revocation.
The public key of the adopter country can be published using DIVOC’s verification page that can be embedded into the country's vaccination program-specific website/portal.
Digitally verifiable certificates have emerged as a solution to help open up businesses and travel globally during the ongoing COVID-19 pandemic. There are four major COVID-19 certificate schemas popularly used in the world today:
ICAO-VDS
As the interoperability of these certificate schemas is critical to streamline the international travel process, DIVOC has added the ability to issue digital certificates in the EU-DCC and SmartHealthCard formats, in addition to the . This will enable citizens of a country, which is using a DIVOC certificate system, to export their native certificates in a format that is acceptable in the travel destination country.
Note: DIVOC will also add the capability to export the certificates in the ICAO-VDS format in 2022.
All content on this page by is licensed under a .
DIVOC’s W3C-based digital certificate consists of three core components:
Credential metadata (schema version credential/certificate ID, etc).
Claim (vaccination event details).
Proof (issuer details, date of issue, time stamp, signature, etc).
The DIVOC digital certificate QR code includes the following data structure:
To illustrate the data structure of DIVOC certificate outputs, a sample certificate payload is outlined below:
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by is licensed under a .
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by is licensed under a .
Credential metadata
Certificate context
Sets the context, which establishes the special terms.
Certificate identifier
Specifies the identifier for the credential.
Credential type
Declares what data to expect in the credential.
2. Claim
Credential subject
Assertion about the subjects of the credentials.
Event block
When the credential was issued.
Issuer details
The entity that issued the credential.
3. Proof
Signature type
Digital proof that makes the credential tamper-evident. Cryptographic signature suite that was used to generate the signature.
Date of signature
When the signature was created.
Digital signature value
Identifier of the public key
That can verify the signature.
The purpose of this document is to outline the features and workflow of DIVOC's “Update Certificate” service.
DIVOC provides an “update certificate” feature to help beneficiaries make changes in a certificate if any information was captured incorrectly during the beneficiary registration or vaccination process.
For this purpose, DIVOC provides an “Update Certificate API,” for a source system (e.g. a vaccination platform) to update the vaccination as well as beneficiary details in digital certificates issued by DIVOC.
There are multiple ways of using this service. The issuing authority can enable a self-service portal, or set up a call centre, or the source system can capture the update requests directly, which can then call the Update API to facilitate the updates/corrections to the specific certificates. The key requirement here is that the “Update Certificate API” is called by the source system(s) to update an issued certificate. Using this API, the source system can update a beneficiary’s latest as well as previously issued digital certificates.
As outlined earlier, DIVOC’s “Update Certificate” API is used by source systems to perform updates to already-issued certificates. You can refer to the update API specification link here.
An issued certificate’s QR code contains the two categories of information:
- Personal information, for example:
Beneficiary name
Gender
Date of Birth
- Event details, for example:
Vaccine type/prophylaxis
Vaccine name/brand
Manufacturer Vaccine batch
Vaccination date
Facility ID/name
Country of issuance
Issuer
Dose number
Total dose count
2. Any or all of the above fields can be corrected/updated by calling the Update Certificate API by a source system.
3. The Update Certificate API requires beneficiary ID/enrollment code and dose number as an input to fetch the right certificate that needs to be updated.
4. Once the certificate is fetched, the update API updates the information against the certificate ID as provided in the API payload input.
5. Once the certificate is updated, a new certificate is issued with a new certificate ID and updated information. The older certificate gets revoked by an automated revocation workflow using DIVOC’s “Revoke API.”
6. The revoked certificate is moved to the Certificate Revocation List (CRL). If the older revoked certificate is scanned by a verifier, the verification screen will show “certificate revoked.”
7. For update scenarios, DIVOC can also enable configuring a custom message for beneficiaries trying to verify the older corrected and revoked certificate as: “certificate revoked, please download the updated certificate from the portal.”
8. Updates/corrections can be made in the provisional and final certificate for any of the fields present in the QR code as per the issuing authority’s requirements and approved flow.
9. It is strongly recommended that an issuing authority should allow information correction/updates only after verifying the required proofs uploaded by the beneficiary.
The verification component of the DIVOC certificate service checks for two things:
An issued certificate is valid (that is, the document is currently ‘live’ and is not a revoked document).
The document is authentic (that is, the document has not been tampered with).
DIVOC supports offline verification of the QR code-based digital certificates to support verification of certificates in connectivity restricted regions and make it more user-friendly.
The QR code can be verified by third-party authorised verifier applications to enable domestic and cross-border verification of DIVOC-issued certificates.
Use the following steps to verify a DIVOC certificate:
Scan to detect the QR code.
The verification component uses the QR code reader libraries to read the contents of the QR code embedded in the certificate.
Once the QR code is detected by the camera, it reads the binary data encoded in the QR code. (the binary data will be in zipped format).
The decompressed Json in the QR code is authenticated using a signing method mentioned in the proof section of the QR code content
After unzipping it, you will get a certificate.json file (certificate.json will have the signed, json-ld formatted VaccineCertificate).
Json-ld signature will be verified against the public key that is issued by the issuing authority.
On successful verification, the revoked API is called to check if a certificate has been revoked or not.
Once the signature and revocation are verified, the success screen is shown with beneficiary and vaccine details.
Since it is offline verification, the verifier will need to download the CRL within the verifier application. The verification service will also go through the CRL and check for the certificate's revoked status.
Please note: In addition to supporting verification by third-party verifiers, DIVOC also provides a verification portal. The portal works on a web browser as well as on a mobile phone browser, and it can be also used by verifying authorities to verify DIVOC-certificates in an “offline” capacity.
DIVOC provides a public portal that allows verifiers (including self-verification by beneficiaries) to verify certificates.
Certificates can be scanned and verified on the following URL: https://demo-divoc.egov.org.in/ and clicking on “Verify.”
Next,
Scan the QR code.
On successful verification, certificate details will be shown on the screen.
On unsuccessful verification (unauthenticated/fraudulent certificates), the message will be shown as “Certificate Invalid.”
When the “Certify API” is called by a vaccinating system, a unique QR code is generated for that specific event. This document specifies the data structure that can be used to generate a QR code-based digitally verifiable certificate for a registered health event.
The payload structure follows the JSON Web Token (JWT) digital signature and is defined in RFC 7519. The payload is transported in a DIVOC certificate. JWT includes the following:
Header
Payload
Signature algorithm
This contains the information about the certificate, which is based on the W3C verifiable credentials data model. The header also indicates the type of certificate being issued.
This is divided into several parts:
The first part contains the details of who is issuing the certificate along with the timestamp.
The second part contains the details of the beneficiary to whom the certificate has been issued.
The final part contains details on the event for which the certificate has been generated. The event part has details of the health event (such as vaccination) along with a timestamp, which includes information on the type of vaccine, dose details, and location of the vaccination.
DIVOC is capable of self-generating a public-private key pair. It also supports a signing configuration where the country has onboarded a CA (certificate authority) responsible for generating the keys. In the latter case, DIVOC will use the private key issued by the CA and sign the QR code.
The DIVOC certificate is flexible and multiple signing algorithms can be used.
Self-generated keys or the keys from a country’s PKI service provider can also be used. DIVOC currently uses two default signature algorithms:
1. PS256 - Using "crit" with "b64"
(https://w3c-ccg.github.io/security-vocab/#RsaSignature2018)
2. ES256
(https://w3c-ccg.github.io/security-vocab/#EcdsaSecp256k1Signature2019)
Click here to see the various versions of the algorithm.
The public key along with the method of signing will be provided to verifiers to authenticate certificates.
Based on the algorithm that is being used for certificate generation, the certificate can be verified by the verifier.
Click here to know more about what data set goes inside the QR code.
This section covers the following:
Certificate generation process
Certify APIs
API structure
It involves the following steps:
Recording of a health event against a unique beneficiary, either in the source eHealth system (or in the DIVOC vaccination module, if used by a country, for their vaccination campaign). This results in the creation of the dataset for the specific event.
The event records all transactions associated with it (e.g. beneficiary demographics, vaccinator/facility details, certificate metadata, and timestamp, among others).
Marking the completion of the "event" in the system triggers a DIVOC certificate generation API (or “Certify” API), with the event data populated as per the defined API structure.
DIVOC’s certificate module receives the event data.
A digital certificate, encompassing both a QR code and a human readable document (e.g. PDF) is then issued, which holds the event data for the beneficiary, along with a unique certificate ID.
The QR code is signed with the issuing authority (e.g. national/provincial health agency) private key.
A summary of the health event is then used to populate the “human readable” part of the digital certificate.
The generated output has two parts:
It has a human-readable document (e.g. the PDF) and the machine-readable QR (the signed QR).
The digital certificate can be presented back to the source system in either of the ways (i.e. either just the signed QR as an image file, or the entire PDF output with the signed QR).
A sample DIVOC certificate output is further illustrated in the image below:
The DIVOC certificate generation service provides a “Certify” API for other eHealth systems, to generate digital certificates for specific events. Currently, DIVOC provides two certify APIs for a “COVID-19 vaccination certificate” and “COVID-19 test result certificate” respectively.
“Certify” for vaccination events
“Certify” for test result events
The API structure for the Certify API includes the following:
Recipient information: This section contains information about the beneficiary of the specific health event (e.g. COVID-19 vaccination or test event).
Vaccination event information: This includes details about the vaccination event such as name, batch, and vaccination date, as well as the vaccinator.
Issuer information: It contains information about the issuing authority.
Certificate information: It includes details such as certificate ID and expiry date, among others.
Meta: This part is used to populate related information about a previous event in the human-readable PDF twin of the digital certificate that can be used by the verifier for cross-reference. It contains additional information, which is not part of the current QR code (the QR code only contains information about the current event), such as the number of past doses taken. For example, If a QR code is generated for the final dose certificate, the QR code will contain all information about the final dose. If a country wants to show information about the previous dose, that can be populated from meta in the certificate PDF.
The purpose of this document is to outline the features of DIVOC's certificate distribution service.
DIVOC offers several ways in which countries can distribute certificates at scale.
The platform is designed to facilitate multiple certificate distribution methods, which includes:
- Printed paper certificate with QR code.
- Digital certificate distribution - download and share QR code via URL link, email attachments, smartphone with user authentication.
- By integrating with a country's vaccination portal, health wallets, PHR, consumer, or travel applications.
- Countries can also distribute certificates for a health event via DIVOC’s Citizen Portal.
After a health event such as vaccination, citizens can log in to the Citizen Portal with their registered mobile number, and they are given the option to securely download the certificate in PDF or other formats with added user authentication.
If using DIVOC’s citizen portal, the home screen of the Citizen Portal has a “Download” button in the “Download your Vaccination Certificate” section. Citizens can click the button and they will be asked to log in using their registered mobile number to download the certificate. To understand how it works, you can check our demo section on downloading certificates.
The DIVOC certificate distribution service provides a get API so that certificates can be downloaded or printed for specific events. For fetching the right certificate, the get service requires a “pre-enrollment code,” and the latest certificate is fetched.
The get certificate receives the preEnrollmentCode (beneficiary id) as input:
GET {domain}/certificate/api/certificatePDF/{beneficaryId}
Once it receives the input, it,
gets all certificates associated with preEnrollmentCode from the database.
gets the latest dose certificate by grouping the certificates by dose, and order them by their timestamps.
creates the QR code from signed certificate data.
using the above-generated QR code and certificate information, it creates a PDF.
Similarly, there are APIs in certificate-api service which can return the QR code as a png image, which follows the same step as above (till the third point):
GET /certificate/api/certificateQRCode/{beneficaryId}
We also have an API to check if a beneficiary has a certificate generated, which follows the same step as above (till the second point):
HEAD {domain}/certificate/api/certificatePDF/{beneficaryId}
Conversion utility for generating EU-DCC compliant QR code
1. DIVOC’s EU-DCC adapter service: Technical details
2. EU’s technical specification for third-countries
DIVOC is an open-source platform that can be used to issue and verify certificates that are consistent with WHO’s minimum data set specifications. Digital certificates issued by DIVOC are based on the globally accepted W3C Verifiable Credential Data Model. Besides the native DIVOC COVID-19 certificate format, DIVOC has enabled an adapter that can convert a native W3C DIVOC issued certificate QR into an EU Digital COVID Certificate (DCC)-compliant QR code.
The EU has published technical and operational specifications for third countries to onboard the EU gateway and facilitate smooth travel for their citizens by enabling digital verification of citizens’ COVID-19 vaccine certificates issued by the home country.
The key design principles on which DIVOC has been built are 'interoperability' and 'coexistence.' The EU-DCC adapter has been developed to ensure interoperability and verifiability of the DIVOC’s natively issued certificates with EU verifier apps.
This utility was required to facilitate restriction-free travel for residents from DIVOC’s adopter countries by enabling conversion of a DIVOC-issued vaccine certificate to an EU-DCC QR code.
The utility is an on-demand service enabled by the DIVOC platform. The service can be triggered by using an “export as” function or calling an API for the EU adapter service. The service uses DIVOC’s “fetch service” to fetch an already issued, digitally signed DIVOC certificate post the holder authentication. Once the W3C JSON is fetched, the adapter takes inputs on holder details, vaccine event, and issuer information from the JSON and converts it into an EU-DCC QR code. The EU-DCC QR payload is then digitally signed using the ECDSA cryptographic signature algorithm. DIVOC facilitates the digital signing of the QR via a self-signing process, by using a DIVOC generated public-private key pair. Alternatively, it also supports signing the QR code using a public-private key pair issued by a country’s root certificate authority.
To generate a valid EU-DCC compliant COVID-19 certificate for travel into the EU member states, the authorised user (certificate holder) can first provide the enrollment code (of his/her COVID-19 certificate that was generated by the issuing authority) via the national system used by the country to download these certificates.
To ensure the privacy and security of the certificate holder, DIVOC authenticates the user via a “mobile OTP” or a “user-password” authentication method.
DIVOC’s certificate fetch service uses the enrollment code to fetch the correct certificate from the certificate registry.
DIVOC then uses the EU-DCC conversion utility to convert the original W3C JSON payload into an EU-DCC compliant payload.
The payload is structured and encoded as a CBOR with a COSE digital signature. This is commonly known as a “CBOR Web Token (CWT)” and is defined in RFC 8392. The payload is transported in a hcert claim.
This payload is encoded in a QR code and signed using the ECDSA signing method.
DIVOC also supports the generation of a PDF template, as defined by the adopter country. Hence, after a successful conversion process, an EU-DCC certificate document (encompassing both, the EU-DCC QR code as well as the PDF template) is generated.
The user can then download the EU-DCC certificate onto their mobile phone or export the same to an integrated digital wallet platform, authorised by the adopter country.
Click on the following URL to see the API details: https://egovernments.github.io/DIVOC/developer-docs/api/admin-api.html#../../main/interfaces/certificate-api.yaml
https://github.com/Path-Check/dcc-sdk.js SDK has been used to generate a CBOR/COSE-based verifiable QR credential from the EU certificate payload.
Click here to know more about the EU digital green certificate.
You can check the EU specifications for onboarding third-countries by clicking on the following link: https://ec.europa.eu/health/system/files/2021-07/covid-certificate_equivalence-decision_en_0.pdf.
Click here to see third country COVID-19 certificate equivalence decision checklist.
List of all EU specifications are given here.
To check the JSON specifications, click on the link mentioned below: https://ec.europa.eu/health/system/files/2021-06/covid-certificate_json_specification_en_0.pdf.
For QR code specifications, click on the following link: https://ec.europa.eu/health/system/files/2022-02/digital-covid-certificates_v3_en_0.pdf.
To know the value sets for EU Digital COVID Certificates, click here.
Guidelines on verifiable vaccination certificates - basic interoperability elements, can be accessed here.
The document will cover steps on how to print certificates at a facility.
The facility/system administrator can print the certificates. The administrator can also create a user type (from the list of available roles) for a person who will print the certificates. Click to add a user type in DIVOC.
Once the user has been created, the person can log in to the portal using the following URL: . Enter the registered mobile number, and the OTP, and click on "login to portal."
Enter the phone number and the date of birth given during registration. Next, click on the search button.
You will see the name(s) displayed on the screen.
Click on 'print' to print the certificate. To save it on your desktop/laptop, click on 'save.'
Log out once you have printed the required certificate(s).
You have likely seen a lot more QR codes over the last two years due to the pandemic. At many restaurants, for example, which are keen not to share physical menus, customers scan a QR code with their phone camera to open a website for the online menu.
Short for Quick Response, a QR code stores all kinds of information that can be scanned and accessed by a digital device such as your smartphone.
The machine-readable format can also be printed on a piece of paper.
While barcodes are one-dimensional, which means that information can be scanned only horizontally, QR codes are two-dimensional. Hence, information on a QR code can be read both horizontally and vertically, allowing it to store more data.
QR codes allow you to download applications, join WiFi networks without having to key in any password, scan coupons, and much more. They can be embedded on a company’s website to gather feedback, facilitate registrations, collect customer data, and order details. QR codes can be used on physical products as a way to provide more information.
QR codes are also used for document verification to check if a credential is genuine. This has gained popularity during the pandemic with some countries opting for QR code-based vaccination certificates to open up travel and business.
All content on this page by is licensed under a .
The document will cover steps on how to add a new user.
Login to keycloak (demo URL: ). Click on the administration console and enter the username and password. Next, click on the "sign in" button.
Go to the 'manage' section, and click on 'users.'
Click on "add user" to create a new user.
Enter your mobile number as the user name, and click on save.
Click on 'attributes' and add the required attribute (mobile_number) by clicking on the 'add' button. Next, click on 'save.'
Click on "role mappings" and select the type of role you want to add from the list of "client roles."
Select the role you want to add from the list of "available roles" and click on "add selected." Once you have completed this step, you will see the new user in the "assigned roles" section.
Conversion utility for issuing a Smart Health Card (SHC) compliant QR code
-
A Smart Health Card (SHC) is a globally popular HL7 FHIR (Fast Healthcare Interoperability Resources) and - based open standard for generating tamper-proof health credentials.
An SHC provides a framework that facilitates the generation, storing and verification of the SHC holder’s clinical information.
To enable people to access a digital record of their COVID-19 vaccine history, SHCs ascertaining an individual’s vaccination and test result status, have been rolled out in US-States (California, Colorado, Connecticut, Delaware, Hawaii, Illinois, New York, and 9 others), Canada, and Japan.
You can find the registry of verified Smart Health Card issuers for vaccinators and .
(Information courtesy )
Besides it’s native COVID-19 certificate schema, the DIVOC platform has also developed an adapter service to convert a native DIVOC W3C-JSON certificate into a Smart Health Card-compliant QR code.
This utility was required to facilitate restriction-free international travel for residents from DIVOC’s adopter countries by enabling conversion of a DIVOC issued vaccine certificate to an SHC-QR code.
The key design principles on which DIVOC has been built are “interoperability” and “coexistence.” The SHC adapter service has been developed to ensure interoperability and verifiability of the DIVOC’s natively issued certificates with the multiple verifier apps used in the SHC adopter countries.
DIVOC’s adapter issues a digital certificate, as per the SHC data model, and is presented as a signed-QR code. When a source system calls DIVOC’s SHC adapter API, the following steps are undertaken;
DIVOC first checks within the certificate registry (using the beneficiary enrolment code, passed from the source system) to see if a certificate is present for the given beneficiary.
It returns the generated QR code or the full-certificate PDF (including the signed-QR), based on type parameters.
The source system can then allow the download of the generated SHC-QR certificate onto a beneficiary’s mobile phone or allow the export to a beneficiary’s digital wallet platform.
This is a list of COVID-19 vaccines approved by the World Health Organisation (WHO) and used by DIVOC's adopter countries.
All content on this page by is licensed under a .
A vaccination certificate is a proof that a person has received the shot to protect them from an infectious disease such as COVID-19 or the flu. We have given below the type of information (mandatory and optional) that should be there in a QR code-based COVID-19 vaccination certificate, as specified by the World Health Organisation (WHO).
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by is licensed under a .
All content on this page by is licensed under a .
To understand how they work and where they can be used, click and .
If present within the certificate registry, it fetches the respective certificate and then converts the native DIVOC W3C certificate to a SHC-certificate () using a custom-built npm module.
This SHC-certificate payload is then signed and the resulting JWS is used to create a QR code (using the open-source library).
To know more on SHC specification, click .
You can check the SHC vaccination and testing implementation guide .
All content on this page by is licensed under a .
All content on this page by is licensed under a .
Mandatory
Name
recipientName
The full name of the vaccinated person.
String
John Tom Brown
Mandatory
Date of birth
recipientDOB
The vaccinated person's date of birth (DOB) if known. If unknown, use the assigned DOB for administrative purposes.
Date
1998-01-05
Mandatory
Unique identifier (primary identifier of the beneficiary)
preEnrollmentCode
Unique identifier for the vaccinated person, according to the policies applicable in each country. There can be more than one unique identifier used to link records (example: national ID, health ID, immunisation information system ID, and medical record ID). All the certificate IDs will be linked to the beneficiary's preEnrollmentCode.
UUID
Optional
recipientIdentity
To be used only if there is a need to share/print an additional national ID. By default, it is set as 'null' in DIVOC's case. The above field covers this as well.
Alpha number
Driving license
Optional
Sex
recipientGender
Documentation of a specific instance of sex information for the vaccinated person.
Male/female/other
Optional
recipientMobileNumber
Numeric
18767778888
Mandatory
Vaccine type or prophylaxis
Need to incorporate in the payload.
Generic description of the vaccine or vaccine sub-type, such as COVID-19 mRNA vaccine, HPV vaccine.
Coding - ICD 11
Mandatory
Vaccine brand
vaccinationName
The brand or trade name used to refer to the vaccine received.
String
Pfizer
Optional
Vaccine manufacturer
vaccinationManufacturer
Name of the manufacturer of the vaccine received, such as Serum institute of India, or AstraZeneca. If the vaccine manufacturer is unknown, a market authorisation holder is needed.
String
ABC company
Optional
Vaccine market authorisation holder
Name of the market authorisation holder of the vaccine received. If the market authorisation holder is unknown, a vaccine manufacturer is required. This is needed only if the manufacturer is not listed in the WHO EUL (Emergency Use Listing Procedure) list.
String
Mandatory
Vaccine batch number
vaccinationBatch
Batch number or lot number of the vaccine.
String
4121Z104
Mandatory
Date of vaccination
vaccinationDate
Date on which the vaccine was administered.
Date
2021-11-30
Mandatory
Dose number
vaccinationDose
Vaccine dose number.
Quantity
1, 2
Mandatory
Total doses
vaccinationTotalDoses
Total expected doses as defined by a member state's care plan and immunisation programme policies.
Quantity
For Pfizer and BioNTech, the total expected doses are two.
Mandatory
Country of vaccination
facilityCountry
The country where a person was vaccinated.
Code
JAM = Jamaica
Optional
Administering centre
facilityName
The name or identifier of the vaccination facility responsible for administering the vaccination.
String
Falmouth Health Centre
Optional
Health worker identifier
vaccinatorName/ID
If the country does not have a national identifier, you can share the name of the vaccinator.
ID
National ID of the vaccinator
Optional
Disease or agent targeted
Available as a certificate header and not as a data element in the current certificate API payload.
Name of the disease vaccinated against (such as COVID-19). We recommend that you can have it as a data element within the payload.
Coding
Certificate header: COVID-19 Vaccination Certificate.
Optional
Due date of the next dose
Only implemented for India.
Date - YYYYMM/DD
Mandatory
Certificate issuer
Issuer (available in the output)
The authority or authorised organisation that issued the vaccination certificate.
String
Ministry of Health & Wellness, Jamaica
Mandatory
Health certificate identifier
Certificate ID (available in the output)
Unique identifier used to associate the vaccination status represented in a paper vaccination card.
ID
378855845
Optional
Certificate valid from
vaccinationEffectiveStart
Date on which the certificate became valid. No health or clinical inferences should be made from this date.
Date
2021-11-30
Optional
Certificate valid to
vaccinationEffectiveEnd
Last date on which the certificate is valid. No health or clinical inferences should be made from this date.
Date
2022-11-30
Optional
Certificate schema version
Only if schema versions are maintained.
Legal name and date of birth
Phone number
Clinical information
Address
Tests: Date, manufacturer, and result
Government-issued identifier
Vaccinations: type, date, and location
Any other health information
The technical skills required by DIVOC adopters vary and are based on the level of changes they intend to make to the core DIVOC platform.
Skills needed for a simple setup scenario
Skills needed for a complex setup scenario
This includes:
Setting up infrastructure on cloud or on-premise.
Deployment of application components/services.
Configuration of components to connect to work as a single system:
- Configure templates, such as data import templates for facility registry.
- Keycloak to change OTP-based login in keycloak to password-based login.
- Configuration of certificate templates.
Experience in setting up Kubernetes cluster / Docker-based deployment.
Experience in setting up and configuring platforms such as Kafka, Redis, Postgres, and Keycloak.
Experience in HTML templates design.
Customise DIVOC as per the country-specific requirements and its implementation need, such as:
Changes in registry schema: This includes changes in the type of information being captured on various events.
UI: This includes applying country-specific branding on the various UI pages of the portal.
Add and Update APIs: This includes the introduction of new API calls within as well as with third-party applications, such as integration with the supply chain system to provide updates on the stock used at the facility level. It also involves updating existing APIs, such as changing mandatory fields to non-mandatory in API payloads and changing response structure, among others.
Experience in technologies such as HTML, Jquery, React, JavaScript for UI level changes.
Experience in technologies such as Go for API-related changes.
Experience in OpenSaber and Postgres for registry-related changes.
Experience in integrating platform services used in selected components for customisation and implementation.
Setting up DIVOC in your country to orchestrate a new health programme? The guide covers everything you need to know to implement DIVOC. The different sections are meant for people who are involved in planning and managing the various aspects of the implementation process, as well as those involved in the technical work. The documents cover the various steps and configurations required.
Each country will have its own set of requirements in line with globally accepted standards for issuing certificates. The guides will walk you through:
This checklist can help you plan your implementation. Besides technical and operational details, it covers server setup, QR code, certificate template changes, and updating and verifying certificates.
Create QR code
Change the value in context section.
This value indicates the release version of the certificate schema. This versioning will support in introducing validations (if required) on certificates generated in previous schemas such as "revoking/invalidating certificates with previous schema."
For example: For release 1 - It could be "https://moh.prod/credentials/vaccination/v1" and for release 2 - It could be "https://moh.prod/credentials/vaccination/v2"
Create QR code
The Id field in "credentialSubject" should be in a URI format.
If certify request payload contains “identity,” set it to “did::”
Else, use the “preEnrollmentCode” and set it to “did::”
Create QR code
The date value passed in the payload in the 'vaccination' section should match with the value in the 'evidence' section of the QR code and it should follow the YYYY-MM-DD format.
The format is as per the WHO-DDCC data standard.
Validate the date value as it may have impact due to the vaccination system (external), and DIVOC is deployed in servers with a different timezone (UTC). Border cases to be checked as day/date may change.
Create QR code
The 'issuer' is mapped correctly as per the requirement.
Create QR code
The vaccine list provided by a country is available in the master list.
Create QR code
The vaccine and prophylaxis mapping is as per the country requirements.
Create QR code
Vaccine 'manufacturer,' 'batch' values shared in the payload are getting reflected in the QR code.
Create QR code
The addressCountry value in the evidence section captures the 3-digit country code from here.
Create QR code
'dose' and "totalDoses" value shared in the payload are getting reflected in the QR code.
Create QR code
The 'Id' part in the evidence section is in a URI format.
Update a certificate
Revoke a certificate
The system should be able to generate a certificate for a revoked dose.
Revoke a certificate
The system is only revoking the earlier certificate which existed for the specified dose value.
For example, If dose 2 certificate has been removed from the system, the user should be allowed to generate another/correct dose 2 certificate.
Create certificate template
QR code size is 2.5x2.5 inch on a printed A4 size paper.
Create certificate template
Does the printed certificate show the minimal values based on the WHO-DDCC standard?
Create certificate template
If the certificate template has a table which shows the current and the previous dose details (if available), then the table should be configured to be scalable to capture details of both the current and the previous dose details in required combinations.
For example, the certificate template should have only one template file to refer to for the generation of certificates with a combination of dose 1, dose 1 and 2, dose 1, 2, and 3, etc. This should be up to a maximum feasible limit based on the template design.
Verify a certificate
SSL certificate has been applied to the verification page.
The SSL certificate is required to open the camera in the browser.
Verify a certificate
The verification page has been configured to provide the necessary guidance to the user for the verification component.
For example, the verification page should include following messaging/guidelines/ information:
How to scan the QR code?
The possible reason for showing a certificate as invalid or revoked?
What steps to follow if a certificate is shown as invalid or revoked, such as information of the contact person.
Server setup
Infrastructure estimation guide.
For example, if the load goes up, then the system should be configured for scalability.
Server setup
The production environment should support the following recommendations:
Data backup policy.
Authentication and password management.
Error handling and logging.
System configurations.
Server setup
System is configured to handle network crash or infrastructure crash.
Server setup
Back up of the following:
DB/server setup.
Online/offline line.
Server setup
The section should cover activities to be performed to ensure security of data and application.
For example,
Firewall controls should also be in place, such as user management, for better access control.
Sign key generation
It is done as per the standard.
Sign key generation
Keycloak configuration related to DIVOC.
Privacy policy
Privacy policies are based on the recommendations made to implementing partners. They are advised to share it with citizens regarding their personally identifiable information and how it is managed in DIVOC.
This is the minimum list of hardening and other steps that need to be performed to secure the Linux server containing the DIVOC platform. The assumption is that the installation happens on a bare metal setup. While the concepts remain the same, the methodology might differ for commercial cloud setups.
Identifying open connections to the internet is a critical mission.
netstat -antp
Once you have identified the open ports, you can stop/purge the applications which keep unnecessary ports open.
The only acceptable open ports are 22 and 443. Access to the other ports outside the Kubernetes network should be prohibited.
All ingress should be routed through the 443 port only as needed.
SSH is secure, but we need to harden this service as well. If we can disable SSH, then the problem is solved. However, if we want to use it, we have to change the default configuration of SSH. Password-based authentication should be disabled and only key-based authentication should be allowed. The steps for creating sudo users with public and private keys are as follows:
Create a non-root sudo user
adduser <user>
Add the user to sudo users group
usermod -aG sudo <user>
Login to the machine as the user
su - <user>
Create SSH directory with appropriate permissions
mkdir -p $HOME/.ssh chmod 0700 $HOME/.ssh
Generate a key pair for the protocol, and run:
ssh-keygen -t ed25519 -C "My key for DIVOC server"
Share the public key created with users you expect to connect to the server
$HOME/.ssh/id_ed25519.pub
You can modify your SSH configuration to be more secure by performing the following changes to the configuration file:
nano /etc/ssh/sshd_config
Make sure that root cannot login remotely through SSH
PermitRootLogin no
Allow some specific users
AllowUsers [username]
Enable public key-based authentication and disable password-based authentication
PubkeyAuthentication yes PasswordAuthentication no
There are some additional options that must exist in the “sshd_config” file: MaxAuthTries 5
Finally, set the permissions on the sshd_config file so that only root users can change its contents:
chown root:root /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config
Use a Debian-based Linux distribution (preferably Ubuntu)
Experience in running simple shell and bash commands
Debian-based OS (Ubuntu)
sshpass
Ansible
GIT
kubectl
List of servers and ability to access them using key-based authentication
Server map to list servers against software
Access to the DIVOC installer repository
Access to the implementation-specific DIVOC code
The sizing and count of the servers can change based on the load requirements. However, for a truly HA setup, the following are the minimum requirements:
3 servers for HA setup: one master and 2 replicas. The etcd cluster can also be set up on the same servers.
6 servers: 3 for control plane (or master node can be relatively smaller sized instances) and 3 worker nodes (for deploying the application).
3 servers containing both Zookeeper and Kafka (Ideally Zookeeper and Kafka need to be installed on separate servers but we should be fine to install both on the same machine).
3 servers
3 servers
1 server
There are three scripts that need to be run to complete the DIVOC installation process:
Installing the prerequisites and setting various hardware clusters as detailed above.
Building the pushing the docker images to the appropriate registry.
Deploying code from the registry into Kubernetes cluster.
Add the inventory details as per the comments present in the file.
Run the install.sh present within the divoc-installer with the elevated privileges (we can also use nohup for running in the background):
sudo sh install.sh -i <path to inventory file>
It will install the dependencies like python3, ansible, etc.
It will install the applications and configure them on the servers mentioned in the inventory file.
Run the build.sh file with elevated privileges.
sudo sh build.sh -d <IP Address of Docker Registry> -r <GIT REPO URL>
Default values for the Docker repository are from dockerhub.
Make a copy of the folder and change the internal script files to have the following configurations. It is recommended that you maintain your own configuration in a separate Github repository so that you have version control and backup (you require only the example folder, not the full repository).
a. Within the divoc-installer director, open the divoc-config.yaml file present within the deployment configuration directory and make the following changes:
- DB_HOST
- DB_USER
- DB_PASS
- DB_PORT
- KAFKA_BOOTSTRAP_SERVERS
- REDIS_URL
- CLICKHOUSE_URL
- AUTH_PRIVATE_KEY
- AUTH_PUBLIC_KEY
- CERTIFICATE_NAMESPACE
- CERTIFICATE_NAMESPACE_V2
- CERTIFICATE_CONTROLLER_ID
- CERTIFICATE_PUBKEY_ID
- CERTIFICATE_DID
- CERTIFICATE_ISSUER
- CERTIFICATE_BASE_URL
- CERTIFICATE_FEEDBACK_BASE_URL
- CERTIFICATE_INFO_BASE_URL
- CERTIFICATE_PUBLIC_KEY
- CERTIFICATE_PRIVATE_KEY
- CITIZEN_PORTAL_URL
b. Modify registry-deployment.yaml to change the following:
- connectionInfo_password
- connectionInfo_uri
- connectionInfo_username
- elastic_search_enabled
- registry_base_apis_enable
- taskExecutor_index_queueCapacity
- auditTaskExecutor_queueCapacity
- Signature_enabled
c. Modify keycloak-deployment.yaml to add the following information:
- DB_ADDR
- DB_DATABASE
- DB_PASSWORD
- DB_PORT
- DB_USER
- DB_VENDOR
- KEYCLOAK_USER
- KEYCLOAK_PASSWORD
- ENABLE_OTP_MESSAGE
- KAFKA_BOOTSTRAP_SERVERS
3. Run the deploy script to deploy the application on Kubernetes.
sudo sh deploy.sh -i <path to inventory file> -p <Directory containing Kubernetes Config files> -d <Private Docker Registry IP> -k <Kube Master Node IP> -s <Key file to access Kube Master>
The indexes for efficient querying of the database tables do not get automatically created and hence need to be created manually. Execute registry_index.sql is present within the DIVOC codebase on the database. A restart of the registry service is required for this change to reflect.
Note: Database tables are only created when the first API request is received.
A normal QR code contains information that can be read and understood by any QR code viewer. They typically carry a URL and a scan of such QR codes reroutes to a separate site.
A signed QR code encodes the verifiable data set or information within the QR itself, rather than on any website.
In a normal QR code, information can be edited and altered, making the verification process untrustworthy and vulnerable to hacking. To address this issue, a signed or verifiable QR code is used, particularly in the case of sensitive information. Sensitive data could be your bank details, educational details, and medical information, among others.
The information is secure and cannot be altered or tampered with, nor can it be scanned and accessed by everyone. This is because the original data/information in the QR code is digitally signed.
Example: In the case of COVID-19 vaccination certificates, for example, data identifying the vaccination event and the beneficiary is encoded within a QR code and then digitally signed, making it tamper-proof. Only a verifying authority with a secure key can validate this information accurately by matching it with the signing key of the QR code.
Zycov-D
Cadila Healthcare
XM6AT1
COVID-19 vaccine, DNA-based
Covaxin
Bharat-Biotech
XM1NL1
COVID-19 vaccine, inactivated virus
Covishield
Serum Institute Of India
XM9QW8
COVID-19 vaccine, non-replicating viral vector
Sputnik V
Gamaleya-Research-Institute
XM9QW8
COVID-19 vaccine, non-replicating viral vector
Pfizer-BioNTech or Comirnaty
Biontech Manufacturing GmbH
XM0GQ8
COVID-19 vaccine, RNA-based
Janssen
Janssen-Cilag International
XM0CX4
COVID-19 vaccine, replicating viral vector
Moderna or Modema or Spikevax
Moderna Biotech Spain S.L.
XM0GQ8
COVID-19 vaccine, RNA-based
AstraZeneca or Vaxzevria
AstraZeneca AB
XM9QW8
COVID-19 vaccine, non-replicating viral vector
Sinovac or Coronavac
Sinovac-Biotech
XM1NL1
COVID-19 vaccine, inactivated virus
BBIBP- CorV or Sinopharm
China Sinopharm International Corp. - Beijing location
XM1NL1
COVID-19 vaccine, inactivated virus
Convidecia
CanSino Biologics
XM9QW8
COVID-19 vaccine, non-replicating viral vector
Corbevax
Biological E. Limited (BioE)
XM5JC5
COVID-19 vaccine, virus protein subunit
Novavax/Covovax NVX - CoV2373
Novavax
XM5JC5
COVID-19 vaccine, virus protein subunit
Gemcovac-19
Gennova Biopharmaceuticals Limited
XM0GQ8
COVID-19 Vaccine, Lyophilized mRNA vaccine
This section will cover the following:
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Highly flexible and configurable, DIVOC’s architecture is designed to accommodate changes and allow the addition of new capabilities and functionalities. For example, during a vaccination campaign, you can configure vaccines, vaccination frequency, approved facilities, trained vaccinators, certificate templates, and authentication mechanisms, among others. Built on open source and open standards, the DIVOC architecture ensures privacy and security by design.
DIVOC has been built using a micro-services architecture with open API integration capabilities. It can be hosted on the cloud and on-premise cloud.
It is built on top of the generalised electronic registry and the credentialing framework is available under Sunbird Registry and Credentialing, as well as on-premise bare metal servers.
DIVOC’s modules can work in various combinations based on a country’s requirements as well as end-user needs. Accordingly, countries can use specific or all micro-services.
It is designed to plug and play with different certificate distribution schemes, such as printed with QR code, digital using smartphones, SMS/email attachments, digital lockers, etc.
Allows interoperability with various ID, payment, and other systems.
DIVOC is designed to cater to the diversity of use cases in terms of the choice of the facility (such as government and to private facilities) across geographies within a country; choice of payment (government funding, employer funding, or individual funding, among others); and choice of IDs (digital IDs, and mobile numbers.
The platform is extensible. For example, many parts of the software can be extended, as well as replaced with country-specific components without having to customise. This, in turn, facilitates easy upgradability.
This is a list of COVID-19 vaccines approved by the European Union (EU) and used by DIVOC's adopter countries.
COVID-19 vaccine
J07BX03
Zycov-D vaccine
Not in the EU list
Cadila Healthcare
Not in the EU list
COVID-19 vaccine
J07BX03
Covaxin
Covaxin
Bharat-Biotech
Bharat-Biotech
COVID-19 vaccine
J07BX03
Covishield
Covishield
Serum Institute Of India
ORG-100001981
COVID-19 vaccine
J07BX03
Sputnik V
Sputnik V
Gamaleya-Research-Institute
Gamaleya-Research-Institute
COVID-19 vaccine
J07BX03
Pfizer-BioNTech or Comirnaty
EU/1/20/1528
Biontech Manufacturing GmbH
ORG-100030215
COVID-19 vaccine
J07BX03
Janssen
EU/1/20/1525
Janssen-Cilag International
ORG-100001417
COVID-19 vaccine
J07BX03
Moderna or Modema or Spikevax
EU/1/20/1507
Moderna Biotech Spain S.L.
ORG-100031184
COVID-19 vaccine
J07BX03
AstraZeneca or Vaxzevria
EU/1/21/1529
AstraZeneca AB
ORG-100001699
COVID-19 vaccine
J07BX03
Sinovac or Coronavac
CoronaVac
Sinovac-Biotech
Sinovac- Biontech
COVID-19 vaccine
J07BX03
BBIBP- CorV
BBIBP- CorV
China Sinopharm International Corp. - Beijing location
ORG-100020693
COVID-19 vaccine
J07BX03
Convidecia
Convidecia
CanSino Biologics
ORG-100013793
COVID-19 vaccine
J07BX03
Corbevax
Not in the EU list
Biological E. Limited (BioE)
Not in the EU list
COVID-19 vaccine
J07BX03
Novavax/Covovax NVX - CoV2373
NVX - CoV2373
Novavax
ORG-100032020
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
This section contains documents and information required to configure DIVOC
Learn how to configure DIVOC:
All content on this page by is licensed under a .
DIVOC’s certificate module has been adopted for the ongoing COVID-19 vaccination programs in multiple countries. The guide and its different sections describe the various steps that you have to follow when implementing one or more features of the certification and verification component, depending on your country’s needs.
1. Certificate Component -
Generate certificates
Update certificates
Revoke fake or incorrect certificates
Fetch certificates
Fetch QR code
Notify beneficiaries
2. Verification component
To recover from broken nodes in the control plane, use the "" playbook.
Back up what you can.
Provision new nodes to replace the broken ones.
Place the surviving nodes of the control plane first in the "etcd" and "kube_control_plane" groups.
Add the new nodes below the surviving control plane nodes in the "etcd" and "kube_control_plane" groups.
One or more bare metal node(s) suffer from unrecoverable hardware failure.
One or more node(s) fail during patching or upgrading.
Etcd database corruption.
Other node-related failures that leave your control plane degraded or nonfunctional.
Note: You need at least one functional control plane node to be able to recover using this method. If all control planes go down, there is no scope of recovery, and you will have to reinstall Kubernetes. Typically, even if the control plane goes down, the application still functions. Kubernetes functions like scaling, creating new pods, upgrading deployments, etc. will not work. The application, as is available, will continue to function.
Move any broken etcd nodes into the "broken_etcd" group, make sure the "etcd_member_name" variable is set.
Move any broken control plane nodes into the "broken_kube_control_plane" group.
Run the playbook with --limit etcd,kube_control_plane, and increase the number of etdc retries by setting -e etcd_retries=10 or something even larger. The amount of retries required is difficult to predict.
Once you are done, you should have a fully working control plane again.
The playbook attempts to figure out if the etcd quorum is intact. If the quorum is lost, it will attempt to take a snapshot from the first node in the "etcd" group and restore from that.
To restore from an alternate snapshot, set the path to that snapshot in the "etcd_snapshot" variable: -e etcd_snapshot=/tmp/etcd_snapshot.
Currently, you cannot remove the first node in your kube_control_plane and etcd-master list. If you still want to remove this node, you have to do the following:
Modify the order of your control plane list by pushing your first entry to any other position, such as if you want to remove node-1 of the following example:
children: kube_control_plane: hosts: node-1: node-2: node-3: kube_node: hosts: node-1: node-2: node-3: etcd: hosts: node-1: node-2: node-3:
2. Run upgrade-cluster.yml or cluster.yml. After this, you are good to go on with the removal.
Add a new node to the inventory.
Run scale.yml. You can use --limit=NODE_NAME to limit Kubespray to avoid disturbing other nodes in the cluster. Before using --limit, run playbook facts.yml without the limit to refresh facts cache for all nodes.
Remove an old node with remove-node.yml. With the old node still in the inventory, run remove-node.yml. You need to pass -e node=NODE_NAME to the playbook to limit the execution to the node being removed. If the node you want to remove is not online, you should add reset_nodes=false and allow_ungraceful_removal=true to your extra-vars: -e node=NODE_NAME -e reset_nodes=false -e allow_ungraceful_removal=true. Use this flag even when you remove other types of nodes like a control plane or etcd nodes.
Remove node from the inventory.
Append the new host to the inventory and run cluster.yml. You cannot use scale.yml for that.
In all hosts, restart nginx-proxy pod. This pod is a local proxy for the apiserver. Kubespray will update its static config, but it needs to be restarted to reload:
docker ps | grep k8s_nginx-proxy_nginx-proxy | awk '{print $1}' | xargs docker restart
3. With the old node still in the inventory, run remove-node.yml. You need to pass -e node=NODE_NAME to the playbook to limit the execution to the node being removed. If the node you want to remove is not online, you should add reset_nodes=false and allow_ungraceful_removal=true to your extra-vars.
This is the generic solution for backup and restore. Depending on the backup strategy used, the tools might change.
The Ansible script will automatically configure pg_basebackup, pgbackrest, wal-g and other recovery tools. For the sake of simplicity, we can use pg_dump and pg_restore.
The following command takes a backup. This will create a compressed tarball backup in the directory mentioned:
pg_dump -h 192.168.0.100 -U postgres -F c remote_db1 > remote_db1.tar
This can be scheduled using a cron as shown below:
0 0 * * * <path to backup script>
Pg_basebackup is installed along with psql client
sudo apt install postgresql-client
You can restore from pg_dump as follows:
pg_restore -h 192.168.0.100 -U postgres -F -C -d db1 < db1.tar
The plan is to use , which is open sourced under the liberal MIT license. This tool has the ability to create archived backups and upload them to NFS, S3, GCS, AZBlob, SFTP and other remote data repositories.
Untar the archive
tar -zxvf clickhouse-backup.tar.gz
Create a configuration file as follows, call it config.ini
general: remote_storage: none # REMOTE_STORAGE, if `none` then `upload` and `download` command will fail max_file_size: 1073741824 # MAX_FILE_SIZE, 1G by default, useless when upload_by_part is true, use for split data parts files by archives disable_progress_bar: true # DISABLE_PROGRESS_BAR, show progress bar during upload and download, have sense only when `upload_concurrency` and `download_concurrency` equal 1 backups_to_keep_local: 0 # BACKUPS_TO_KEEP_LOCAL, how much newest local backup should keep, 0 mean all created backups will keep on local disk # you shall to run `clickhouse-backup delete local <backup_name>` command to avoid useless disk space allocations backups_to_keep_remote: 0 # BACKUPS_TO_KEEP_REMOTE, how much newest backup should keep on remote storage, 0 mean all uploaded backups will keep on remote storage. # if old backup is required for newer incremental backup, then it will don't delete. Be careful with long incremental backup sequences.
log_level: info # LOG_LEVEL allow_empty_backups: false # ALLOW_EMPTY_BACKUPS download_concurrency: 1 # DOWNLOAD_CONCURRENCY, max 255 upload_concurrency: 1 # UPLOAD_CONCURRENCY, max 255 restore_schema_on_cluster: "" # RESTORE_SCHEMA_ON_CLUSTER, execute all schema related SQL queryes with `ON CLUSTER` clause as Distributed DDL, look to `system.clusters` table for proper cluster name upload_by_part: true # UPLOAD_BY_PART download_by_part: true # DOWNLOAD_BY_PART clickhouse: username: default # CLICKHOUSE_USERNAME password: "" # CLICKHOUSE_PASSWORD host: localhost # CLICKHOUSE_HOST port: 9000 # CLICKHOUSE_PORT, don't use 8123, clickhouse-backup doesn't support HTTP protocol disk_mapping: {} # CLICKHOUSE_DISK_MAPPING, use it if your system.disks on restored servers not the same with system.disks on server where backup was created skip_tables: # CLICKHOUSE_SKIP_TABLES - system.* - INFORMATION_SCHEMA.* - information_schema.* timeout: 5m # CLICKHOUSE_TIMEOUT freeze_by_part: false # CLICKHOUSE_FREEZE_BY_PART secure: false # CLICKHOUSE_SECURE, use SSL encryption for
connect
skip_verify: false # CLICKHOUSE_SKIP_VERIFY sync_replicated_tables: true # CLICKHOUSE_SYNC_REPLICATED_TABLES log_sql_queries: true # CLICKHOUSE_LOG_SQL_QUERIES, enable log clickhouse-backup SQL queries on `system.query_log` table inside clickhouse-server debug: false # CLICKHOUSE_DEBUG config_dir: "/etc/clickhouse-server" # CLICKHOUSE_CONFIG_DIR restart_command: "systemctl restart clickhouse-server" # CLICKHOUSE_RESTART_COMMAND, this command use when you try to restore with --rbac or --config options ignore_not_exists_error_during_freeze: true # CLICKHOUSE_IGNORE_NOT_EXISTS_ERROR_DURING_FREEZE, allow avoiding backup failures when you often CREATE / DROP tables and databases during backup creation, clickhouse-backup will ignore `code: 60` and `code: 81` errors during execute `ALTER TABLE ... FREEZE` azblob: endpoint_suffix: "core.windows.net" # AZBLOB_ENDPOINT_SUFFIX account_name: "" # AZBLOB_ACCOUNT_NAME account_key: "" # AZBLOB_ACCOUNT_KEY sas: "" # AZBLOB_SAS use_managed_identity: false # AZBLOB_USE_MANAGED_IDENTITY container: "" # AZBLOB_CONTAINER path: "" # AZBLOB_PATH compression_level: 1 # AZBLOB_COMPRESSION_LEVEL compression_format: tar # AZBLOB_COMPRESSION_FORMAT sse_key: "" # AZBLOB_SSE_KEY buffer_size: 0 # AZBLOB_BUFFER_SIZE, if less or eq 0 then calculated as max_file_size / 10000, between 2Mb and 4Mb max_buffers: 3 # AZBLOB_MAX_BUFFERS s3: access_key: "" # S3_ACCESS_KEY secret_key: "" # S3_SECRET_KEY bucket: "" # S3_BUCKET endpoint: "" # S3_ENDPOINT region: us-east-1 # S3_REGION acl: private # S3_ACL assume_role_arn: "" # S3_ASSUME_ROLE_ARN force_path_style: false # S3_FORCE_PATH_STYLE path: "" # S3_PATH disable_ssl: false # S3_DISABLE_SSL compression_level: 1 # S3_COMPRESSION_LEVEL compression_format: tar # S3_COMPRESSION_FORMAT sse: "" # S3_SSE, empty (default), AES256, or aws:kms disable_cert_verification: false . # S3_DISABLE_CERT_VERIFICATION storage_class: STANDARD # S3_STORAGE_CLASS concurrency: 1 # S3_CONCURRENCY part_size: 0 # S3_PART_SIZE, if less or eq 0 then calculated as max_file_size / 10000 debug: false # S3_DEBUG gcs: credentials_file: "" # GCS_CREDENTIALS_FILE credentials_json: "" # GCS_CREDENTIALS_JSON bucket: "" # GCS_BUCKET path: "" # GCS_PATH compression_level: 1 # GCS_COMPRESSION_LEVEL compression_format: tar # GCS_COMPRESSION_FORMAT debug: false # GCS_DEBUG cos: url: "" # COS_URL timeout: 2m # COS_TIMEOUT secret_id: "" # COS_SECRET_ID secret_key: "" # COS_SECRET_KEY path: "" # COS_PATH compression_format: tar # COS_COMPRESSION_FORMAT compression_level: 1 # COS_COMPRESSION_LEVEL ftp: address: "" # FTP_ADDRESS timeout: 2m # FTP_TIMEOUT username: "" # FTP_USERNAME password: "" # FTP_PASSWORD tls: false # FTP_TLS path: "" # FTP_PATH compression_format: tar # FTP_COMPRESSION_FORMAT compression_level: 1 # FTP_COMPRESSION_LEVEL debug: false # FTP_DEBUG sftp: address: "" # SFTP_ADDRESS username: "" # SFTP_USERNAME password: "" # SFTP_PASSWORD key: "" # SFTP_KEY path: "" # SFTP_PATH concurrency: 1 # SFTP_CONCURRENCY compression_format: tar # SFTP_COMPRESSION_FORMAT compression_level: 1 # SFTP_COMPRESSION_LEVEL debug: false # SFTP_DEBUG api: listen: "localhost:7171" # API_LISTEN enable_metrics: true # API_ENABLE_METRICS enable_pprof: false # API_ENABLE_PPROF username: "" # API_USERNAME, basic authorization for API endpoint password: "" # API_PASSWORD secure: false # API_SECURE, use TLS for listen API socket certificate_file: "" # API_CERTIFICATE_FILE private_key_file: "" # API_PRIVATE_KEY_FILE create_integration_tables: false # API_CREATE_INTEGRATION_TABLES allow_parallel: false # API_ALLOW_PARALLEL, could allocate much memory and spawn go-routines, don't enable it if you not sure
Ensure configuration under clickhouse and general section of the configuration file. The rest are not mandatory.
If automated remote upload functionality is needed, the appropriate section needs to be filled in: sftp, ftp, s3, GCS, AZBlob, etc.
The following command can be run:
sh <path-to-cllickhouse-backup-dir>/bin/clickhouse-backup create -C <path to config.ini>
The following is the list of possible commands which can be executed:
COMMANDS: tables Print list of tables create Create new backup create_remote Create and upload upload Upload backup to remote storage list Print list of backups download Download backup from remote storage restore Create schema and restore data from backup restore_remote Download and restore delete Delete specific backup default-config Print default config print-config Print current config clean Remove data in 'shadow' folder from all `path` folders available from `system.disks` server Run API server help, h Shows a list of commands or help for one command
Backup zookeeper state data
- Go to file
kafka/config/zookeeper.properties
- Copy location of dataDir property (typically, /tmp/zookeeper)
- Run the following command:
tar -czf /home/kafka/zookeeper-backup.tar.gz /tmp/zookeeper/*
Backup Kafka topics and messages
- Go to the file kafka/config/server.properties
- Copy location of log.dirs (typically, /tmp/kafka-logs)
- Stop Kafka:
sudo systemctl stop kafka
- Login as kafka user:
sudo -iu kafka
- Run the following command:
tar -czf /home/kafka/kafka-backup.tar.gz /tmp/kafka-logs/*
Restore zookeeper
- sudo systemctl stop kafka
- sudo systemctl stop zookeeper
- sudo -iu kafka
- rm -r /tmp/zookeeper/*
- tar -C /tmp/zookeeper -xzf /home/kafka/zookeeper-backup.tar.gz
--strip-components 2
Restore kafka
- rm -r /tmp/kafka-logs/*
- tar -C /tmp/kafka-logs -xzf /home/kafka/kafka-backup.tar.gz --strip-components 2
- sudo systemctl start kafka
- sudo systemctl start zookeeper
Verification of Restoration
- ~/kafka/bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic
BackupTopic --from-beginning
Redis provides an in-built command to save a backup.
Install redis-cli using
sudo apt install redis-cli
The following command takes a backup of the redis-server:
echo save | redis-cli -u redis://<user>:<pass>@<host>:<port> >> /tmp/redis-backup.log
This will save the backup as dump.rdb within:
/var/lib/redis
Restoration can be done in the following way:
Locate the redis data directory, typically:
/var/lib/redis
Move the dump.rdb file into this folder
Start redis server
This will ensure that data is restored automatically
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
For more details and sample QR code content, click .
This value indicates the certificate issuing authority. The issuer field is configured in the platform. For more details, click .
The value of this change to be added here: .
The vaccines provided in the platform are listed .
Validate and add to the list if a new vaccine needs to be added in the list - and .
The vaccines provided in the platform are listed .
Validate and add to the list if a new vaccine need to be added in the list - and .
The sample payload and the QR code is mentioned .
The values are set here: .
For more details, click .
For example, 'id' - "<certificateId>" Where - certificateId is unique for each certificate. If the certificate gets updated, a new certificate will be generated with a new certificate Id for the same event. For more details, click .
Update limits are set according to a country's requirement. The details to configure the update limit are available .
For example, if the dose 2 certificate has been removed from the system, the user should be allowed to generate another/correct dose 2 certificate. Click to know more on DIVOC's revocation services.
Click to see a sample certificate.
Click to see the list of minimal data set as per the WHO-DDCC standard.
The possible reason if the verification component is not able to scan the QR code? Click for more details.
Click to know more.
For example, if the master/slave nodes go down, are they configured to autostart/auto-deploy? Click to know more.
The system should be configured to backup. Click to know more.
Click to read the server hardening guidelines.
Restrict all the non-essential ports on the public network. Ports of DB/other inter-components should only be accessible within the application. Click for the list of ports.
Click for more details.
Click for more details.
As the application contains citizen data, access rights (read/write) should be agreed between parties for staging/production/other environments. Click to know more.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by is licensed under a .
Clone the repository available at .
Create an inventory file from the sample inventory file located at .
The Default value for the GIT repo is the master branch of the .
The sample default Kubernetes deployment files are available at .
All content on this page by is licensed under a .
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by is licensed under a .
All content on this page by is licensed under a .
Download the latest release from
All content on this page by is licensed under a .
The template for the QR code generation is provided here under vaccination-context. The QR code structure must match the vaccination-context. Any updates made in the QR code content must reflect in the vaccination-context.js file.
Steps:
a. Open the file main.js.
b. Go to the function transformW3 and add the fields according to your requirement. This function will read the data received from the certificate generation API call and convert it into QR code Json format.
c. Add the newly-added field to the data variable
Note:
Certain constant values are also listed in the main.js. If you want to update any of the constant values such as “certificate controller,” please refer to the DockerFile.
Each country will have a separate certificate template with country-specific branding, and language.
Steps:
a. The DIVOC certificate template has been designed in the HTML format. To configure the HTML-based certificate template according to your country’s requirement, open certificate_template.html and map the dynamic fields in the certificate template.
b. Any modifications that you make (such as combining address fields as a single string) to the address value must be performed in controller.js. The dynamic values will be sent from controller.js.
Note:
To check the PDF/print version, which will be generated after an update, open the HTML file in the browser and check for the print preview.
The page size should be A4 as the HTML is developed according to A4 dimensions.
Include the beneficiary’s parent name in the certificate. The parent’s name is “Sam Mandosa.” This is a mandatory field.
Step 1: Create a certification generation request
a. Open this file: https://github.com/egovernments/DIVOC/blob/main/backend/vaccination_api/pkg/certify_handler.go
b. Add a parameter in the function “convertToCertifyUploadFields” called RecipientParentName.
c. Add RecipientParentName in the function “createCertificate” to make the field mandatory.
d. If the data is uploaded via CSV, then add this column to the CSV template for this field. Open “application-default.yml” and update the certificate section in this file.
Note:
As a standard practice, we recommend you to update the informative files mentioned in step 1 of this section.
Make sure the name matches exactly with the name convertToCertifyUploadFields function that you edited in step 1.
Supported key types
RSA (default)
ED25519 (recommended for performance)
Environment variable configuration
SIGNING_KEY_TYPE (possible values: RSA or ED25519)
Environment variables
CERTIFICATE_SIGNER_PRIVATE_KEY, CERTIFICATE_SIGNER_PUBLIC_KEY
The expected values for these configurations change depending on the type of key in use:
RSA -
Private key format: 2048 bit, PEM
Public key format: PEM
ED25519 -
Private
DER
PKCS#8
Base58
Public
DER
SPKI
Base58
RSA key generation using openssl
openssl genrsa -out privatekey.pem 2048
openssl rsa -in privatekey.pem -out publickey.pem -pubout -outform PEM
ED25519
Use an external library such as ed25519-verification-key-2018 to generate a key-pair in the required format.
Generation of key pair for signing an EU certificate:
Copy the certificate generation script file gen-dsc.sh and put it in the desired location.
Copy the certificate configuration file cert.conf and put it in the same folder where the certificate generation script was copied to.
Open the cert.conf file and edit it according to your requirement.
C - Country name (2 letter code)
The two-letter country code where your company is legally located.
ST - State or province name (full name)
The state/province where your company is legally located.
L - Locality name (for example, city)
The city where your company is legally located.
O - Organisation name (for example, company)
The legally registered name of your company (for example, YourCompany, Inc.).
OU - Organisational unit name (for example, section)
The name of your department within the organisation. (You can leave this option blank; simply press *Enter*.)
CN - Common name (for example, server FQDN)
Run the gen-dsc.sh file to generate the key pair for signing the EU certificate.
For generation of RSA key pair: ./gen-dsc.sh RSA CSR
For generation of ECDSA key pair: ./gen-dsc.sh ECDSA CSR
The script will generate the following 3 files:
private key filename - DSC01privkey.key
CSR filename - DSC01csr.pem CERTIFICATE key filename - DSC01cert.pem
Public key format: PEM
Generate the key pair required for signing the EU certificate and share the CSR file for signing with CA.
In the divoc-config
configMap, set the following environment variables:
EU_CERTIFICATE_PRIVATE_KEY
- Private key for signing the EU payload (in PKCS8 format).
EU_CERTIFICATE_PUBLIC_KEY
- The certificate provided by CA after signing the CSR.
EU_CERTIFICATE_EXPIRY
- Expiry of the certificate in months (for example, 12).
This document will help an implementer configure a certificate (template and QR code) for a health event such as vaccination. This section includes configuring:
The DIVOC platform provides API services for generating digitally verifiable QR code-based vaccination certificates. The API for certificate generation has 6 sections:
PreEnrollmentCode: This section is linked to the 'dose' in the vaccination section to uniquely identify an event. For example, beneficiary registration number (R101) and dose number (1) as (R101-1) will be used to identify the first dose event uniquely. Similarly, beneficiary registration number (R101) and dose number (2) as (R101-2) will be used to identify the second dose event uniquely.
Recipient: It contains information about the beneficiary.
Vaccination: It contains details about the vaccination event such as name, batch, and vaccination date.
Vaccinator: It contains details about the vaccinator.
Facility: It contains details about the facility where beneficiaries will get vaccinated.
Meta: It contains additional information, which is not part of the QR code, such as the number of past doses taken.
You can refer to the API service call with sample data below:
Refer to the /v3/certify service here for details.
Click here if you want to understand the mandatory and non-mandatory information that should be there in a vaccination certificate, according to global standards.
Generate configured QR code
Generate configured certificate template
a. Please refer to the existing service details in the ‘certification’ section (/v3/certify): https://egovernments.github.io/DIVOC/developer-docs/api/admin-api.html#../../india/interfaces/vaccination-api.yaml
b. The detailed field validations are mentioned here: https://github.com/egovernments/DIVOC/blob/4076e69cf152fd76dafa8a0565777895f55b1245/interfaces/vaccination-api.yaml
Click the following to see how you can make the changes:
The document will help an implementer make changes to DIVOC’s verification component in line with any changes made to the certificate. It could include changes in the QR code section of the certificate or the logo, among others.
This section will cover the steps to update the verification component by configuring:
Verification portal home page
Verification confirmation page
The user will be directed to the verification page according to the route defined in this file:
2. You can configure the timeout period for the camera to read the QR code in config.CERTIFICATE_SCAN_TIMEOUT.
3. If the camera is unable to read the QR code content, the timeout can be set to retry.
4. The QR code scan is triggered from the ‘VerifyCertificate’ method. Once the QR code is read by the application, it is unzipped using the jsZip library.
The required UI changes, including messaging and branding, can be configured on this file.
You can refer to this file as an example of a country-specific configuration (https://verify.icmr.org.in/).
Example: Include the beneficiary’s parent name as a mandatory field in the verification confirmation page.
Add a parameter in the function “vaccinationContextV2” to set the schema.
Add recipientParentName in the certificate variable inside the function createCertificate.
Build and deploy your changes.
Click here to know what information is included in the DIVOC certificate.
Note:
The ‘recipientParentName’ should match with the key in the QR code Json file available in the main.js.
To remove any value (such as “vaccine type”) from the UI screen, you can remove that parameter in the certification field.
Environment variables are added in divoc-config.yml in the orchestration node.
To display the config map, run the following command:
If multiple config maps exist, add environment variables to all the config maps.
To edit the config map, run the following command:
Next, add the variables under ‘data.’ Save and exit.
Restart the services where environment variables have been used by running the following command:
All content on this page by is licensed under a .
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
The fully-qualified domain name (FQDN) (for example, ).
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
This section will help an implementer configure the DIVOC “Update Certificate” API.
Implementers can use the “Update Certificate” API to process the requested updates - both in the QR code and human-readable sections of a specific certificate.
The DIVOC platform provides API services for updating vaccination certificates. You can refer to the API service call ‘/v3/certificate’ for the method PUT here.
The payload of the update service is the same as that of the certificate generation request. Click here to know more.
The platform provides flexibility to update values in the ‘recipient,’ ‘vaccination,’ ‘vaccinator,’ and ‘facility’ sections. Click here if you want to understand the mandatory and non-mandatory information that should be there in a vaccination certificate, according to global standards.
a. The update certificate request is processed in this function. The pre-enrollment code and dose-wise certificates will be searched in the system to make an update request. The function will trigger the subsequent process to update the certificates.
b. An implementer has the provision to restrict the number of update requests against a specific certificate in order to avoid the misuse of this functionality (that is, fraudulent generation of multiple certificate copies). For instance, the implementer can configure the “Update Limit” to only “5,” in which case the certificate can only be updated five times. The following steps are needed to enable this configuration:
Step 1: Open this file and check the function that will limit the number of certificates being updated.
Step 2: Open this file and update the limit by configuring CERTIFICATE_UPDATE_LIMIT.
Click here to understand how DIVOC's “Update Certificate” service works.
Any template-related changes can be done by updating the HTML template in the etcd manager. Supported fields include the following:
name
vaccine
vaxEvents[].dateOfVax
age
vaccinationDate
vaxEvents[].doseType
gender
vaccineBatch
vaxEvents[].vaxName
identity (masked value)
vaccineICD11Code
vaxEvents[].vaxType
nationality
vaccineProphylaxis
vaxEvents[].vaxBatch
beneficiaryId
vaccineType
vaxEvents[].countryOfVax
recipientAddress
vaccineManufacturer
vaccineValidDays
vaccinatedBy
vaccinatedAt
certificateId
dose
totalDoses
Go to the Manage keys in the etcd-manager.
Go to the “vaccineCertificateTemplate” key and click on the Edit key to update the template. In this case, the ‘nationality’ field is being added. The value expected for the “vaccineCertificateTemplate” configuration is html and can be customised as per your needs.
The same will be reflected in the PDF of the vaccination certificate. Click on Save. A popup will appear as “operation successful.” Click on Close.
Call “GET VaccineCertificate API,” which will return the PDF certificate template. Verify if the new field ‘nationality’ is getting reflected.
Using ETCD CLI, the same can be dynamically updated in two files (VACCINE_ICD.json and ICD.json) without any service deployments.
Go to the specific folder where etcd files are available.
Open the files to add the new vaccine.
Run the command: vim VACCINE_ICD.json.
Run the command: vim ICD.json.
To reflect the change, run the command: ./updateConfigs.sh. It shows "OK OK OK...." This means that the etcd has been updated with new vaccine list successfully.
Create the certificate and generate the PDF with the new vaccine.
There are different International Classification of Diseases (ICD) codes based on the category of vaccines. To add a new vaccine, identify the ICD-11 code to which the vaccine belongs. Once you have mapped the vaccine to the relevant ICD-11 code, you can update the vaccine name and its ICD-11 mapping in etcd.
Go to the Manage keys tab of the etcd-manager app. To add or update mappings, two keys must be updated: “VACCINE_ICD” and “ICD.”
To add the vaccine name, ICD-11 code, and description VACCINE_ICD, go to VACCINE_ICD and click on the Edit key.
- Example of VACCINE_ICD value for Covaxin:
{“vaccineName”: “covaxin”, “icd11Code”: “XM1G90”}
Click on Save. A popup will appear as “operation successful.” Click on Close.
Click on the edit button of the “ICD” key to add ICD-11 code and click on the Edit key.
- Example of ICD value for Covaxin:
{“XM1G90”: {“vaccineType”: “inactivated virus”, “icd11Term”: “COVID-19 vaccine, inactivated virus”}}
Click on Save. A popup will appear as “operation successful.” Click on Close.
Make the certificate generation request call and fetch the certificate to test the changes. Once updated, any new certificate can be issued using the new vaccine name.
We have added etcd as a configuration management tool for DIVOC. This makes it easier for implementing partners to add new vaccines, edit templates or the QR code payload, as well as add new configurations without deploying any components. Use any etcd client that you like - for example, the etcd-manager. Following are the steps to set up the etcd-manager:
Open the URL: https://www.electronjs.org/apps/etcd-manager and click on Download.
To configure the host and port number: open the etcd manager app → go to settings → click on etcd → enter the respective host IP and port.
If authentication is configured for etcd, enter the authentication credentials. Go to Settings -> Auth -> enter username and password.
Click on the test connection to confirm connectivity and click on save.
Next, go to the Manage keys tab on the left. You should be able to see the configurations already setup.
Once the etcd manager app is installed, the following can be seamlessly managed within DIVOC:
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Any template-related changes can be done by updating the HTML template using ETCD CLI. Before making any change, the PDF template will look like:
Go to the specific path where etcd is configured.
Open the file to add the new field that will get displayed in the template (vim vaccineCertificateTemplate.html).
To reflect the change, run the updateConfigs shell script using the command: ./updateConfigs.sh. It shows "OK OK OK...." This means that etcd has been updated with the new template successfully.
Generate the PDF again using GET API.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by is licensed under a .
To add a new vaccine to an EU certificate, a country must identify the EU code to which the vaccine belongs. The coded value sets used in EU vaccination certificates include:
vp: COVID-19 vaccine or prophylaxis
mp: COVID-19 vaccine product
ma: COVID-19 vaccine marketing authorisation holder or manufacturer
Go to the specific path where etcd is configured.
To add the extra field in the template, go to the Manage keys where etcd is configured.
To add the vaccine code, go to euVaccineCode and click on the Edit key to add the vaccine name and code.
- Example for Covaxin:
{“covaxin”: “Covaxin”}
Click on Save. A popup will appear as “operation successful.” Click on Close.
To add the prophylaxis, go to euVaccineProph and click on the Edit key to add the vaccine name and code.
- Example for Covaxin:
{“covaxin”: “J07BX03”}
Click on Save. A popup will appear as “operation successful.” Click on Close.
To add the manufacturer, go to euVaccineManuf. Click on the Edit key to add the new manufacturer.
- Example for Covaxin:
{“bharat”: “Bharat-Biotech”}
Click on Save. A popup will appear as “operation successful.” Click on Close.
Once the mappings are available in etcd, you can create the certificate and generate the PDF with the new vaccine.
With the ETCD CLI, the same can be dynamically updated in the files (euVaccineProph.json and euVaccineCode.json) without any service deployments.
Go to the specific path where etcd is configured.
Open the files to add the new vaccine or update the existing vaccine.
Run the command: vim euVaccineCode.json.
Run the command:vim euVaccineProph.json.
To reflect the change, run the command: ./updateConfigs.sh. It shows "OK OK OK...."This means that etcd has been updated with the new vaccine list successfully.
Create the certificate and generate the PDF with the new vaccine.
DIVOC certificates are natively digital, verifiable, digitally signed, and also printable with a secure and tamper-proof .
The QR structure is based on the .
Previously, any changes in the QR payload required changing it in the certificate-signer service and subsequent deployment.
With DIVOC 2.0, QR payload changes can now be made by changing it in etcd without any deployments.
Currently, only the optional fields that already exist can be removed. New fields cannot be added as of now.
Note: Do not remove the fields.
Go to DDCC_TEMPLATE. Click on the Edit key if you want to remove an optional field.
Click on Save. A popup will appear as “operation successful.” Click on Close.
Currently, only the optional fields that already exist can be removed. New fields cannot be added as of now.
Note: Do not remove the fields.
Run the command: vim DDCC_TEMPLATE.template.
To reflect the change, run the command: ./updateConfigs.sh. It shows "OK OK OK...." This means that etcd has been updated with the new QR Code template successfully.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Run the command:vim .
All content on this page by is licensed under a .
All content on this page by is licensed under a .
All content on this page by is licensed under a .
The guide covers some of the most common issues we have encountered while working with our partners. It includes the following:
Vaccination events are successful.
Certificates are not being generated.
All other DIVOC services are functioning.
Verification app is functioning.
Download of certificates is functioning.
All DIVOC services are running on the Kubernetes cluster.
The most probable cause of this issue can be that the Redis server has stopped responding. This can be confirmed by running the following tests:
Check the status of Redis
- To get into the Redis container, use the command “redis-cli”.
- Inside Redis, use the command ‘PING’ -
1. If the response is ‘PONG,’ then the server is running.
2. If the response is blank or anything else other than ‘PONG,’ the server is not running.
- To get out of the Redis container, type ‘exit’.
Restart Redis if it is unresponsive or down.
- Restarting the service mainly involves killing the service and starting it again.
- Procedure to kill a service:
1. For killing any service on a Linux machine, we need the process_id of the service. The process_id that we get as the output number for further steps in killing the service by running the command is: $ ps aux|grep redis.
2. For killing an unresponsive service on a Linux machine, replace the process_id_of_service with the value that you have noted down in the above step: sudo kill -9 process_id_of_service.
- Procedure to start a service:
1. After successfully killing the service, to start the service, run the command: $ sudo service redis-server start.
2. To check the status of the service, run: $ sudo service redis-server status.
- Note: Check the status of the redis-server as mentioned above.
This problem occurs frequently when the resources allocated to the Redis cluster is very less. To ensure that the problem does not occur in the future, we advise to increase the server configuration to have atleast 16GB or more memory depending on the population that the installation serves. Another thing to consider is to have Redis run on its own server infrastructure instead of sharing resources with other software.
All servers are accessible through SSH.
Infrastructure is configured correctly - Kafka, Elasticsearch, Postgres, Redis.
Kubernetes worker nodes are running DIVOC services.
DIVOC services are not accessible through API endpoints.
The most probable cause of this incident is that the Kubernetes client certificates have expired. Currently, to enable communication between the Master and worker nodes, Kubernetes certificate is set to 1 year. What this means is that every year we need to renew this certificate for continued delivery of the platform. This can be confirmed by running the following tests:
Master and slave nodes of the cluster are reachable.
On running “kubectl get pods -n divoc” command on the master node, you can an error saying “Client Certificates generated by kubeadm are expired. Can’t reach the cluster.”
Execute “kubeadm certs check-expiration” command on the master node to check the expiration of certificates.
This will identify that since the certificate has expired, kube-apiserver, kube-scheduler, kube-controller-manager services were not able to manage DIVOC services deployed on worker nodes.
Run the following commands on the master node to resolve the incident:
Take backup of the older config
- cp ~/.kube/config ~/.kube/dec-11-2022-expired-config
Renew the certificates
- kubeadm certs renew all
Restart Kubelet
- systemctl restart kubelet
Restart Kube-apiserver, kube-controller-manager, kube-scheduler, etcd so that they can use newly generated certificates.
- List all the running services in default namespace on Master node: docker ps.
- Stop & remove Kube-apiserver, kube-controller-manager, kube-scheduler and etcd services so that the services get restarted again -
1. docker stop <containerId>
2. docker rm <containerId>
As soon as these services are restarted, they will be able to restart the services (certificate-api) which went down on the slave node.
In a managed kubernetes service, the certificates are auto-renewed upon expiry. In case of self-hosted/on-prem deployments of k8s cluster, the kube certificates have to be renewed manually. It is also possible to set the expiry to a time greater than a year, but this is not recommended. The best practice is to have calendar alerts for the appropriate dates.
All DIVOC services are up and running.
All infrastructure services are up and running.
All servers are accessible over SSH.
DIVOC REST services are successful, but take a long time to execute.
The most probable cause of this issue is that indexes are not present in the Postgres database table. This can be confirmed by the following steps:
Connect directly to the Postgres database using psql.
Check if the following indexes are present for the following columns in V_VaccinationCertificate table in the database:
- OSID
- certificateId
- Contact
- Mobile
- preEnrollmentCode
After connecting to the Postgres registry database, run the following SQL commands to add Indexes on the columns.
CREATE INDEX CONCURRENTLY "public_V_VaccinationCertificate_preEnrollmentCode_sqlgIdx" ON "public"."V_VaccinationCertificate" ("preEnrollmentCode");
CREATE UNIQUE CONCURRENTLY INDEX "public_V_VaccinationCertificate_certificateId_sqlgIdx" ON "public"."V_VaccinationCertificate" ("certificateId");
CREATE INDEX CONCURRENTLY "public_V_VaccinationCertificate_contact_sqlgIdx" ON "public"."V_VaccinationCertificate" ("contact");
CREATE INDEX CONCURRENTLY "public_V_VaccinationCertificate_mobile_sqlgIdx" ON "public"."V_VaccinationCertificate" ("mobile");
CREATE INDEX CONCURRENTLY "public_V_VaccinationCertificate_osid_sqlgIdx" ON "public"."V_VaccinationCertificate" ("osid");
This is a one-time activity that needs to be done as soon as the database tables/registry is created. This dependency exists because Sunbird-RC does not have the capability to add indexes on schema creation.
Sometimes DIVOC services return non 2XX status codes. We have split this section into sub-sections depending on the various non 2XX status codes received.
You will get a 401 status code when the Authentication/Authorisation Bearer token being used has expired.
Open postman.
Create a POST request to /auth/realms/divoc/protocol/openid-connect/token endpoint.
Add the following parameters:
- client-id as admin-api
- Grant-type as client-credentials
- Client_secret as <Value provided to you during installation>
Once the request is sent, you will receive the auth_token as part of the payload.
Modify the ADMIN_API_SECRET parameter within the divoc-config.yaml file.
Restart all the services using: kubectl rollout restart deployments -n <namespace of divoc installation>
Check if the Content-Type in the header section is set as ‘application/json’
If not, set the Content-Type as ‘application/json’
Check if the payload is missing any parameter value like ‘preEnrollmentCode’, ‘recipient.name’, etc.
If yes, add the missing parameter and check.
Check if the format of value in the payload or the json structure is as per the expected structure. For example, the format of date value, dose count is number or string, etc.
If not, correct the value type in the payload.
Check if the DIVOC system is reachable from the source system or if IP/domain of the DIVOC system is mapped correctly.
If not, correct the IP/Domain name or check the network
Check if all the DIVOC services required for the generation of certificates are up and running.
Steps to be followed to check if required services are running:
- Login in to the DIVOC orchestration server.
- Run this command: kubectl get pods -n <divoc namespace>
If any of the pods are down and dont have a active running container, do the following:
- Restart the pod with this command: kubectl rollout restart deployment <name of the deployment which is down> -n <divoc namespace>
- Run this command again: kubectl get pods -n <divoc namespace>
- Validate if all the deployments are up again.
- Check if you are able to generate the certificate.
If you are still not able to generate certificate, then check the logs of deployments one by one using this command: kubectl logs -f deployment/<deployment_name> -n <divoc_namespace>
If you run kubectl get pods -n <divoc-namespace> and see that the number of pod restarts is high. There can be multiple reasons to pod restarts:
- CPU limit is exceeded by pods: In this case, modify the deployment by increasing the requests and limits on the CPU.
- Memory limit is exceeded by pods: In this case, modify the deployment by increasing the requests and limits on memory.
- Memory issue in the machine on which Kubernetes (worker node) is installed: To address this, one can increase the number of worker nodes or increase the memory of worker nodes and then recreate pods if necessary.
- Code issue: Sometimes there can be an issue with the code or the configuration might be missing. In such cases, one needs to fix the bug.
Typically, DIVOC infrastructure is built over a cluster of Kubernetes, Kafka, and Postgres. As part of the operations, one of the key tasks of the infrastructure team is to apply security patches and updates to the OS.
Note: One should never directly log into a machine and apply a patch directly on a cluster of nodes. This should be done only for standalone servers and not cluster-based servers. This problem does not occur in Cloud-managed infrastructure. This is an issue only on self-managed or on-premise infrastructure.
In this section, we will discuss how to apply patches to the cluster without bringing down the application.
The general guidelines when dealing with the cluster are the following:
Disconnect the server from the cluster.
Apply patches to the server.
Rejoin the server back to the cluster.
The following is the Gatling report on the TPS system that was processed with the suggested infrastructure for production:
Country-specific implementation details
Each section will cover the different features and services of DIVOC that were implemented by the following countries and the standards used:
All content on this page by is licensed under a .
DIVOC collaborated with the Indian Council of Medical Research (ICMR) to launch the COVID-19 report portal. The test report certificates went live in October 2021.
We will give you an overview of the features and services that have been implemented.
1.23
Certificate generation: DIVOC generates certificates of RTPCR tests on demand when a citizen requests it on the ICMR portal. The portal allows citizens to easily access and download their COVID-19 test reports.
The Philippines went live with DIVOC in September 2021. DIVOC was integrated with the country’s vaccine-related information system (VIMS).
Under the guidance of the Department of Health, the Department of Information and Communications Technology (DICT) along with SGV (EY) Philippines has implemented DIVOC in the country.
2.0
DIVOC provides the latest COVID-19 certificate on demand for any Philippines citizen.
All COVID-19 certificates issued in the Philippines are compliant with the WHO-Digital Documentation of COVID-19 Certificates (DDCC) data specification.
Sri Lanka went live with DIVOC in July 2021. DIVOC has been integrated with an existing platform in Sri Lanka - the District Health Information Software (DHIS2) - to generate COVID-19 certificates for its citizens. DIVOC has also set up a portal to verify these certificates.
Sri Lanka’s Information and Communication Technology Agency (ICTA) in collaboration with the Department of Health (DOH) has implemented DIVOC. The integration of DIVOC with DHIS2 was a collaborative effort by HISP Sri Lanka (local DHIS2 partner) and the ICTA.
We will give you an overview of the different features and services of DIVOC that have been implemented in Sri Lanka and the standard used.
1.23.3 - generic. We are in the process of upgrading it to version 2.0.
DIVOC provides the latest COVID-19 certificate on demand for any Sri Lankan citizen, mostly those who are traveling abroad so that they can confirm their vaccination status. So far, 3,68,490 certificates have been generated on demand. DIVOC supports the generation of multi-lingual certificates in Sri Lanka.
The verification portal can be used to verify the QR code-based certificates after they are generated by the system.
All COVID-19 certificates issued in Sri Lanka are compliant with the WHO-Digital Documentation of COVID-19 Certificates (DDCC) data specification.
The Government of India launched the COVID-19 vaccination program in January 2021. The roll-out of the Co-WIN application was key to this. While the cloud-based platform covered all the major modules that a vaccination program of this scale should have, it lacked the digital credentialing feature that was critical to open up travel and economy amid the COVID-19 pandemic. DIVOC was integrated with Co-WIN in January 2021, making India the first country where the digital verifiable credentialing was implemented. Over 1.9 billion vaccination certificates have been issued in India so far.
Since India was the first country to implement DIVOC, a component-wise release was done as there was no generic version available back then. Hence, the release versions are component-specific:
A certificate is generated in real-time every time a person’s vaccination record is created in Co-WIN. Citizens get the latest dose certificate, which could be provisional, final, or the precaution dose. Two types of certificates are issued: domestic (age is mandatory) and international travel certificates (date of birth is mandatory). Further, DIVOC certificates (domestic) can be generated in 22 languages in India.
Besides Co-WIN, DIVOC’s certificate module has been integrated with , , and , so that citizens can download their certificates after vaccination from any of these portals/apps by using their registered mobile number.
Reconciliation service: This service was introduced in India to resolve any initial (bulk) data entry discrepancy such as date of vaccination.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Link to the map is .
All content on this page by is licensed under a .
Verifying test reports: The verifiable QR code on each test report enables citizens to carry/show their latest COVID-19 test results securely. DIVOC has set up a that can be used to verify a test certificate by scanning the QR code. These reports can also be verified offline by third-party apps.
All content on this page by is licensed under a .
Using DIVOC’s reference code, DICT along with SGV has built the verification service.
DIVOC’s certificate generation service has enabled a “fetch certify” service that can be used to download certificates. This feature is also used in the Philippines.
All content on this page by is licensed under a .
Any mistakes or changes in the certificate (dose 1, 2, 3) are done through this service when a citizen requests it.
This service will be provided to Sri Lanka after we upgrade the platform to version 2.0.
All content on this page by is licensed under a .
DIVOC’s integration with CoWIN enables verification of the QR code-based vaccination certificates by using DIVOC’s verification utility embedded within Co-WIN.
This feature can be used by citizens if the name, age, gender, date of vaccination, or other details on their vaccination certificate are incorrect.
This feature is also used in India.
DIVOC has set up a for India, which gives a snapshot of the total number of certificates issued, and accessed.
The international certificates issued in India for citizens traveling abroad are based on the data specification.
All content on this page by is licensed under a .
Certificate generation services: dockerhub/divoc-certification-ack
1.0.16
Certificate generation services: dockerhub/certificate_processor
1.0.16
Certificate generation services: dockerhub/certificate_signer
1.0.22
Certificate generation services: dockerhub/vaccination_api
1.0.27
Certificate generation services - Commonly-used component: dockerhub/registry
1.0.19
Certificate generation services - Commonly-used component: dockerhub/caching-dash-server
1.0.20
Verification component: dockerhub/verification
1.0.29
Certificate reconciliation services: dockerhub/reconciliation
1.0.3
Fetch certificate services: dockerhub/digilocker_support_api
1.0.59
Fetch certificate services: dockerhub/registry
1.0.19
Dashboard: dockerhub/analytics_feed
1.0.17
Introduction to DIVOC Modules
Each module or component of DIVOC can be used independently or together and integrated with existing systems. This makes it easy for countries to choose, customise and pick up components as per their needs.
The tutorials will guide you on how to use DIVOC:
There are 6 sections and you can play around with each to understand how they work as per your specific needs.
Or,
You can go step-by-step as shown below: Program setup (via orchestration module) - Facility app - Issue and Verify Certificates - Citizen portal - Feedback module - Analytics.
Before you start any public health program in your country, the orchestration module helps you establish multiple registries for the program, set up appointment schedules, and add vaccinators, among others.
Enables walk-in registrations, verification, queue management, and vaccination. The app lets you:
Enrol/register beneficiaries who walk into the facility for on-the-spot registration. The process to register is the same as shown for the citizen portal. Pre-enrolled recipients can also walk into a facility.
Verification of beneficiaries via offline or online mode.
Recipient queue to view and manage the list of beneficiaries enrolled into the system.
Vaccination event recording and generation of an “immutable vaccination record.”
The certificate/credentialing module is an integral part of DIVOC, which can be used to issue certificates after a vaccination event. The module can also be integrated with the vaccination system of the country.
DIVOC provides a public portal that can be used for citizen-specific activities such as self-registration and appointment booking for one or multiple programs. It can also be used to download and verify certificates.
Enables digital administrative feedback and reporting of side-effects by beneficiaries or their caretakers. The feedback module can be integrated with a country's analytics system or even with an AEFI (adverse event following immunisation) system for research and analysis of the reported side-effects.
The performance monitoring dashboard gives day-to-day details about an ongoing public health event such as vaccination.
Each section presents a demonstration of various modules and features of DIVOC.
It is an illustration of a sample use case and not a part of any vaccination certification program.
The system resets itself periodically. If it is temporarily unavailable, please try again in a few minutes.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
It will be typically used by facility staff, including vaccinators and registration desk users, to carry out day-to-day tasks around a particular vaccination program. The app can be used both in offline and online modes. This is a multilingual application and the staff can choose the language according to their convenience.
This function can be used to verify a beneficiary against the photo/national ID proof submitted by the beneficiary at the time of registration. If a country has an online ID system (such as Aadhaar in the case of India), the module can be integrated with the national ID system and can perform an online verification.
Step 1: Log in
Click on the following URL to use the facility app: https://demo-divoc.egov.org.in/facility_app/. Log in using 9876543210 and OTP 1234. Next, click on Verify Beneficiary.
Step 2: Verify
Scan the QR code or enter the enrolment number. Press Continue to complete the verification process.
The facility app supports the registration of walk-in patients who may or may not have booked an appointment before the visit.
Click on New Beneficiary. Follow the same steps as outlined for users of the Citizen Portal to add members.
All the beneficiaries who have been registered and verified, and are waiting to be vaccinated, will be seen in the recipient queue.
Click on Beneficiary Queue to check how many patients are in queue for vaccination.
After a vaccination event, the facility app generates a digital certificate in real-time.
Countries that have their own vaccination systems can use the DIVOC certification module to issue certificates that will be auto-generated and stored in DIVOC’s certificate registry.
If configured, the issued certificates will be seen under the “certificate issued” section on the app. They can also be distributed to vaccinated beneficiaries at a facility after they are printed by the facility staff.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Using this module you can create and maintain program, facility, vaccine, and vaccinator registries. Countries that do not have digital health registries can use this module to create digital infrastructure/resources for any kind of public health program. Countries can also create appointment schedules and daily rates of vaccination for different facilities.
DIVOC comes with three default roles:
A system admin can be a user from the IT department of the country responsible for setting up initial rules, configuration, and master data upload for a specific program/programs in question.
A. Program setup
1. Click on Vaccine Programs. Register a new vaccine/immunisation program by clicking on REGISTER NEW VACCINE PROGRAM.
2. Add the program name, program description, program logo, start and end dates, and select vaccine. Click on SAVE. You will see a list of all vaccine programs currently active in your country.
B. Vaccine registration
1. Click on Vaccines. You can register a new vaccine, as well as existing ones by clicking on REGISTER NEW VACCINE.
2. Fill in details such as the name of the vaccine, manufacturer, administration type, price, duration dose (if there are multiple doses), and vaccine validity. Next, click on SAVE. It will show all the vaccines active in your country.
C. Facility setup
1. Click on Facilities. Create a list of vaccination centres as per the given CSV template and save it on your laptop/desktop. You can add details such as facility code, facility name, contact, email, operating hour (start/end), category, type, status, address, website URL, admin name, and admin mobile.
2. Click on UPLOAD CSV to upload this list.
D. Recipient pre-enrollment
1. Click on Pre-Enrollment. Create a list of the number of recipients successfully enrolled as per the given CSV template. You can add details such as phone number, identity, date of birth, gender, name, email, address, and dose number, among others. Once the list is ready, save it on your laptop/desktop. Click on Select a Program.
2. Next, click on UPLOAD CSV to upload the list.
E. Set up vaccinators
1. Click on Vaccinators. Create and save a list of vaccinators that have been identified and trained for the vaccination program/campaign as per the suggested CSV template on your laptop/desktop. Add details such as code, name, mobile number, email id, status, and facility id.
2. Click on UPLOAD CSV to upload the list.
A program administrator manages facility enrollment and oversees the facility operations aligned with the program objective. The person would be responsible for setting up per day facility vaccination rate, and activating/deactivating the facilities, etc.
A. Facility activation/deactivation
Go to Facility Activation. Select Program, Region, and Type of Facility. Select the facilities you want to activate from the list. Click on Make Active. To deactivate a facility, follow the same steps and select the facilities you want to deactivate. Click on Make Inactive to deactivate a facility.
B. Adjusting vaccination rate
Go to Adjusting Rate. Select Program Name, Region, Type of Facility. Select one or more facilities to set/modify daily vaccination rates. Click on SET RATES.
C. Notify Facilities
1. Go to All Facilities. Select Program, Region, Type of Facility. Select the facility. Click on NOTIFY.
2. Write the subject matter and the message. Click on SEND.
A. Set up appointment schedules
1. Go to Program Overview. Click on CONFIGURE SLOTS.
2. Select Appointment Hours to set/change the timings, and set up/change the Maximum number of appointments allowed. Select Walk-in Hours to set up /change the timings, and set up/change the Walk-in Days. Click on SAVE.
B. Add/Remove Vaccinators
1. Go to Vaccinator Details. Click on ADD NEW VACCINATOR.
2. Enter details such as name, mobile number, email id, license number, and certification, if any. Click on ADD.
C. Setup facility staff role
1. Go to Role Setup. Mention role type, name, mobile number, and employee id. Select Enabled to activate status. Click on SAVE.
D. Create recipient vaccination details
1. Go to Upload Vaccination Details. Create a list of recipients as per the given CSV template and save it on your laptop/desktop. You can add details such as pre-enrollment code, recipient name, mobile number, age, gender, identity, address, vaccination batch, vaccination date, vaccination dose, vaccination name, vaccinator name, facility name, and address, among others.
2. Click on UPLOAD CSV to upload this list.
E. Check beneficiary list (past, current and upcoming)
Go to Beneficiaries. Select Program, Start Date, and End Date. Click on SEARCH.
Use the following URL: . Log in using 2111111111 and OTP 1234
Use the following URL: . Log in using 1111111170 and OTP 1234
Use the following URL: . Log in using 3333333341 and OTP 1234.
All content on this page by is licensed under a .
Vaccination programs
Approved vaccines
Approved facilities
Trained
vaccinators
Active status
Active status
Location
Active status
Allowed vaccines
Vaccination schedule
Active status
Training
certificate
Start and end dates
Batch deny list
Vaccination daily rate
Associated
facilities
Certificate templates
Max retail price
Total supply
Rating and
feedback
Vaccination method
Rating and feedback
Redis service
To check the status of the Redis server:
For getting into the Redis container, use the command “redis-cli”.
Inside Redis, use the command “PING” -
- If the response is “PONG” then the server is running.
- If the response is blank or anything else other than “PONG,” the server is not running.
To get out of the Redis container: “exit”.
Restarting service mainly involves killing the service and starting it again.
Procedure to kill a service:
For killing any service on a Linux machine, we need the process_id of the service. The process_id which we get as the output number for further steps in killing the service by running the command is: $ ps aux|grep redis.
For killing an unresponsive service on a Linux machine, replace the process_id_of_service with the value that you have noted down in the above step:
$ sudo kill -9 process_id_of_service.
To confirm if the service is killed: $ sudo service redis-server status.
Procedure to start a service:
After successfully killing the service, to start the service: $ sudo service redis-server start.
To check the status of the service: $ sudo service redis-server status.
Note: Check the status of the redis-server as mentioned above.
Jamaica went live with DIVOC in December 2021. It was implemented by Jamaica's Ministry of Health & Wellness.
DIVOC has set up the “Digital Vaccination Certificate Portal,” which also serves as the citizen portal, as well as a system admin portal for Jamaica. The vaccination data has been integrated with CommCare.
1.24.0-generic
Certificate generation: This is in sync with the country’s COVID-19 vaccination event. Once a person gets vaccinated, information is sent to Jamaica’s vaccination system and a certificate is automatically generated via DIVOC.
Certificate verification: The citizen portal can be used to verify the QR code-based certificates that are issued after vaccination.
Updating certificates: DIVOC has enabled a certificate update/correction API that can be used to update or correct an issued certificate if a citizen requests it.
Revoking certificates: This feature has been provided to Jamaica and will be implemented soon.
SMS service: DIVOC’s certificate module has been integrated with the SMS gateway service facilitated by Jamaica. As part of this service, a notification is sent to every citizen after they get vaccinated, informing them to download their certificates from the citizen portal.
Downloading certificates: Beneficiaries of the vaccination program can log in to the citizen portal using the 10-digit mobile number that they had used during registration and then click on “download your vaccination certificate” to view and download certificates.
Print facility: The staff or administrator at a facility will be provided with a login to use this feature to search for certificates and print them on behalf of the citizens. When a citizen walks into a facility, the staff will use the information (mobile number or date of birth) provided by him/her to search for the vaccination certificate. Once they find the certificate on the portal, the staff can download and print it.
All COVID-19 certificates are generated as per the WHO-Digital Documentation of COVID-19 Certificates (DDCC) data specification.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Citizens can use this portal before and after a vaccination event.
Step 1: Log in to the portal
Use the following URL for the citizen portal: https://demo-divoc.egov.org.in/citizen. Log in using your own mobile number and OTP 123456. Click on Verify.
Step 2: Add a member
Click on +Member to add members (you can register yourself and 3 more with a single mobile number).
Step 3: Register to a program
Select the program for which you want to register (if there are multiple programs listed). Click on Continue.
Step 4: Check eligibility
Enter the beneficiary’s year of birth and mention if the person has any commodities from among those listed. Click on Continue.
Step 5: Add details
Mention ID type, ID number, name, gender, residence details, contact information, and email ID among others. Once you have added all the details, click on Continue. You can book your appointment once you have registered yourself.
Step 1: Log in
Click on the following URL to log into the citizen portal: https://demo-divoc.egov.org.in/. Go to Download your Vaccination Certificate section. Click on Download.
Log in with 1234567890 and OTP 1234.
Step 2:
Select the person whose certificate you want to download or print.
Step 3:
Once the certificate is displayed, click on Download / Print.
Step 1:
Click on the following URL: https://demo-divoc.egov.org.in/. Go to Verify your Vaccination Certificate section. Click on Verify.
Step 2:
Click on SCAN WITH QR to verify the certificate.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
It allows issuing authorities to issue digitally verifiable certificates.
The facility app can be used to generate digital certificates, as well as distribute them.
The staff of a particular facility can use the facility app to verify a beneficiary.
Certificates can also be verified and downloaded via the citizen portal.
If the country has an authorised third-party app, it can be integrated with DIVOC's credentialing module to fetch certificates from the certificate registry and view/download them.
Click here to know more on the certificate generation service of DIVOC.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
DIVOC has a feedback module that can be configured by countries to receive feedback on facilities that are running health campaigns. It can also configure a list of side-effects that can be reported by beneficiaries with a single click after authenticating themselves with a user ID password or mobile OTP via the .
A citizen interface via DIVOC’s citizen portal has been enabled that can be used to provide feedback against the facility or report side-effects experienced after leaving the facility.
Step 1:
Click on the URL to open the feedback page:
Step 2:
Go to the Report symptoms section, and click on Report Side-effects.
Step 3:
A page will be displayed with a list of symptoms that users can choose from. After selecting the symptoms, click on Confirm Symptoms.
Step 4:
Log in with 1234567890 and OTP 1234.
Step 5:
On successful login, a patient verification page will be displayed. Select the patient who has these symptoms and click on Submit.
Step 6:
Click on Confirm Patient after verifying the details.
Note:
Once the feedback is submitted, a notification is sent to the healthcare facility where the patient was vaccinated. The screen will also display details of the nearest health facility that the patient can visit if the symptoms worsen. Click on Continue if you want to report the symptoms of another person.
All content on this page by is licensed under a .
During any major health event, countries need powerful visual analytics to manage the rollout, distribution, certification, and other processes. DIVOC’s analytics dashboard empowers health departments of countries to harness their data and find insights that are required to manage future challenges.
It uses an open-source visualisation dashboard called “Redash,” which can be configured by countries.
It is integrated with DIVOC’s certificate module. Redash can be configured for other modules of DIVOC as well as per a country's requirements.
Countries can generate customised analytical reports without hampering the actual production database via ClickHouse, an open-source database management system that has been implemented by DIVOC.
You can also see details on certificate generation and its distribution for further analysis on parameters such as geographical region, age, gender, type of facility, type of fund, and other customised indicators.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
The DIVOC roadmap is a snapshot of our upcoming features and tools.
Click below to view the DIVOC roadmap:
Manage multiple tenants
Services to manage multiple tenants and their respective schema.
Create verifiable credentials (VCs) from multiple issuers
Ability to create VCs with different schemas for one tenant and to create VCs from multiple issuers.
Ability to update schema
Ability to make changes or updates to available schemas.
Service to generate and send only QR code (SVG) with provided dimensions
The tenant/issuer system can fetch images of QR codes in provided dimensions. The image can be shared with the beneficiary directly or can be embedded in the certificate template designed by the issuer/tenant system.
Services to update certificate
Capability to update/modify already generated certificates.
Revocation and suspension
Capability to revoke or suspense already issued certificates upon expiry, issuance of a newer version, or violation of terms and conditions.
Notification services
Capability to notify beneficiaries on the generation of certificates.
Enabling multi-lingual certificate
Functionality to manage certificate templates in multiple languages and generate certificates based on selected templates.
Common verification portal
A common verifier portal for verifying VCs created by multiple schemas and from multiple issuers. The portal will have a UI that will be accessible to the public, or those with credentials to access them. For example, a doctor with a VC for council registration created by the DIVOC platform submits the same to an employer (a hospital). The hospital can then go to the common verification portal URL and verify the VC.
The verification portal can verify the following:
1. Authenticity (If the certificate has been tampered with).
2. Status (The certificate is revoked/suspended/is valid/is not valid).
Tenant onboarding user interface
A use interface through which the source system admin can:
1. Log in to the DIVOC platform with the credentials received.
2. Reset the password if not accessible.
3. Generate tokens to connect the source system and DIVOC platform.
Tenant creates schema user interface
A user interface through which the source system admin can define and create schemas for different provider types, and also test and publish the schemas.
Verification app
Telemetry capability for the platform
Capability to issue multiple key pairs for different tenants
Building trust network for key management
Proof of concept of the VC capability
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
This website/ (“Website”) has been developed and is being maintained by eGov Foundation (“eGov”). This Website provides information related to the digital infrastructure called DIVOC developed by eGov. The Website is an invitation for users to learn about DIVOC, its building blocks, various use-cases, access technical documentation, and engage with the DIVOC community to learn how to use and/or adopt eGov Foundation (“Purpose”).
eGov Foundation is a not-for-profit registered as a Trust, having its office at 147/J , first floor, 10th Cross, 12th Main, Koramangala 3rd Block, Bangalore 560034.
By using the Website, you have accepted and agree to be governed by these Terms of Use (“Terms”), as may be amended from time to time. The terms ‘you’, ‘your’ refer to anyone who accesses, views or uses the Website. The terms "we", "us", "our" refer to the eGov Foundation.
Set out below are the Terms of Use of this Website:
“Asset” means and refers to a piece of content or software code. A piece of content can be expressed as text, documents, presentations, scripts, graphics, photos, sounds, music, videos, audiovisual combinations, RLO (reusable learning object) or other such mediums of expression and other materials you may view on, access through, or contribute to the Website, and includes all postings on the Website by Users.
"Intellectual Property" shall singly or collectively mean to include, as the case may be, all patents, copyrights, trademarks, trade names, service marks, service names, designs and any other proprietary information or other similar right arising or enforceable under Indian law.
“DIVOC” (The Digital Infrastructure for Vaccination Open Credentialing) is an open-source platform that enables countries to digitally orchestrate large-scale health campaigns such as vaccination and certification programs.
“User” means and refers to all users of the Website who access the Website and Use the Assets on the Website in accordance with these Terms.
“Use” or “Using” means and refers to learning, finding, viewing, using, contributing to, modifying, replicating, downloading, and sharing Assets with other Users, through the Website.
As a User you represent and warrant that you are of legal age and are legally competent to consent to these terms (or if not, you've received your parent's or guardian's permission to Use the Website and they have agreed to these Terms on your behalf). If you’re agreeing to these Terms on behalf of a department, institution, organisation or legal entity, you represent and warrant that you are duly authorised to agree to these Terms on behalf of that department, institution, organisation or entity and these Terms are binding on them.
All Users shall have access to all the Assets available on the Website for the purpose of learning, finding, viewing, Using, contributing to, modifying, replicating, downloading, and sharing Assets with other Users, through the Website. It is possible that your access and Use of Assets on the Website may be disrupted due to technical or operational difficulties and with no prior notice of downtime. eGov Foundation makes no guarantee as to the continuous uptime and availability of the Website or the quality of Assets on the Website.
You access the Website only to Use the Assets. You will be responsible and liable for any activity on the Website by you. You will not attempt any activity with respect to the Website that is in contravention of the laws of India and/or the laws of the jurisdiction in which you are presently located. You will follow these Terms of Use and all the policies of the Website.
The Website contains copyrighted material, trademarks and other Intellectual Property owned by the eGov Foundation. All our website content is licensed under the CC BY-ND 4.0 License. It allows users to share, copy and redistribute the material on giving appropriate credit to eGov Foundation without any changes or transformations of the content. You agree to abide by all licenses and copyright notices accompanying any Asset published on the Website. Any Asset (other than software code) you contribute to DIVOC or the Website is licensed under the Creative Commons Attribution-ShareAlike 4.0 International - CC BY-SA License.
You can share and adapt the licensed Assets under the terms of the same license, provided you cite the creator as eGov Foundation, or the relevant party if the creator is not eGov Foundation, include a link to the original publication on the Website with copyright notice, license notice and disclaimer notice, and indicate if changes were made. You may do so in any reasonable manner, but not in any way which suggests that eGov Foundation endorses you or your Use. For any assistance with contributing to DIVOC or the Website or understanding any license, please contact us at support.divoc@egovernments.org.
Assets that are software code and are released under DIVOC and made available on/through the Website are licensed under the MIT license reproduced below:
Copyright (c) 2022 eGov Foundation: Permission is hereby granted, free of charge, to any person obtaining a copy of all software and associated documentation files (the "Software") listed on this website under this ______, to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
By Using the Website and/or by providing your information, if applicable, you consent to the collection and use of the information you disclose on the Website in accordance with our Privacy Policy. eGov Foundation takes the privacy of its Users very seriously. Please refer to our Privacy Policy for complete details.
We do not guarantee the accuracy, veracity, correctness, validity, usability, currency, of any Assets made available on or linked through the Website. We shall not be held responsible for any offensive or unlawful Asset posted, transmitted, sent or communicated through the Website.
eGOV FOUNDATION PROVIDES THE WEBSITE ON AN "AS IS" BASIS AND GRANTS NO WARRANTIES OF ANY KIND WITH RESPECT TO THE WEBSITE. eGOV FOUNDATION SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, OR OF NON-INFRINGEMENT. ACCESS AND USE OF THE WEBSITE (INCLUDING ANY ASSET OR INFORMATION AVAILABLE ON/THROUGH THE WEBSITE) IS ENTIRELY AT YOUR OWN RISK.
You hereby agree to keep and hold the eGov Foundation, its directors, officers, employees and agents, fully indemnified and harmless from and against all claims, proceedings, penalties, damages, losses, actions, costs and expenses arising out of or in relation to your Use of the Website, your breach of these Terms, violation of any law, rules or regulations in relation to your Use of the Website.
Any violation or breach of the Terms may lead to automatic suspension or termination of your access to the Website, including while investigating complaints or alleged violation of these Terms, or for use or attempt to use the Website for any purpose other than to share Assets.
This document is a written agreement and an electronic record and valid and enforceable electronic agreement / contract under Information Technology Act, 2000 (as applicable in Republic of India) and rules there under as applicable and the amended provisions pertaining to electronic records in various statutes under applicable Indian laws. This electronic record is generated by a computer system and does not require any physical or digital signatures. Your usage of the Website shall be your deemed acceptance of these Terms and all the modifications and updates thereto.
These Terms shall be governed by the laws of India and any disputes or proceedings arising hereunder shall be subject to the jurisdiction of the courts in Bangalore.
DIVOC’s certificate generation service went live in Indonesia in December 2021. It was implemented by Indonesia’s Ministry of Health.
DIVOC has been integrated with an existing mobile application in Indonesia - PeduliLindungi - to generate COVID-19 certificates for its citizens.
1.24
Features and services
Certificate generation: DIVOC issues the latest COVID-19 vaccination certificate to citizens on demand. DIVOC supports the generation of multi-lingual certificates in Indonesia.
Certificate verification: The verification portal set up by DIVOC can be used to verify the QR code-based certificates online after they are generated by the system. Third-party verification apps can also be used to verify the certificates, both online and offline.
Updating certificates: This service is also available in Indonesia.
COVID-19 certificates issued in Indonesia are compliant with the WHO-Digital Documentation of COVID-19 Certificates (DDCC) data specification.
COVID-19 certificates issued to those who are travelling to EU countries are compliant with the EU-DCC data specification.
DIVOC is an open source project (MIT license), and it is maintained by eGov Foundation.
Documentation is available at https://divoc.egov.org.in/ and source code is available at https://github.com/egovernments/DIVOC.
If you have questions, please visit our project discussions page.
Click here to know about the terms and conditions of using the DIVOC site.
Click here to know about DIVOC's privacy policy - short version for display.
Click here to know about DIVOC's privacy policy - detailed.
Click here to know about platform policy guidelines.
Click here to know about privacy policy recommendations.
Click here to know more about common infrastructure issues and their recovery.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
At DIVOC (“we” or “us” or “our”) we respect the privacy of our users (“user” or “you” also referred to as ‘your’) and are committed to protecting it. Hence, we maintain the highest standards for secure activities, user information/data privacy and security. This Privacy Policy explains what information we collect about you and why.
We hope you read this entire privacy policy. However, if you are in a hurry, here is a brief overview of the most important point:
Primarily we provide recommendations to implementing partners or service providers (include any governmental organisation, agency, department as well as private or corporate bodies) on certain privacy protecting principles and practices. They are advised to share it with citizens regarding their personally identifiable Information and how it is managed in DIVOC.
DIVOC services follow the WHO DDCC:VS which includes compliance with principles of legitimate use, fair processing, accountability, transparency, purposeful, proportional, minimal and lawful collection, usage, storage and disclosure of personally identifiable information (“PII”), confidentiality and security of data.
Through DIVOC any implementing partner (national governmental bodies, department, local bodies & their agencies) corporate/private bodies (utility services) (Service Providers) could collect the following datasets -
first name, last name, parent’s / guardian’s name, address, unique identifier, nationality, date of birth, mobile number (optional dataset), age, gender (optional dataset), identification documents (for example passport number), vaccine details (batch number, dosage number, date of vaccination, total number of doses, country of vaccination), payment information (https://divoc.digit.org/platform/divocs-verifiable-certificate-features/what-information-goes-into-a-qr-code).
The service provider may collect data such as vaccine manufacturer, vaccine market authorisation holder, vaccine administering centre, health worker identifier, due date of next dose, certificate valid from, certificate valid from and to period, certificate issuer, and health certificate identifier (certificate id).
For the upkeep and working of our website we collect information such as Internet Protocol (IP) addresses, domain name, browser type, Operating System, Date and Time of the visit, pages visited, IMEI/IMSI number, device ID, location information, language settings, handset make & model etc. However, no attempt is made to link these with the true identity of individuals visiting our website, implementing partner or service providers application or platform.
The information collected by us shall depend on the need of the service providers and interests of the users. Datasets collected shall be subject to change from time to time, (please check our privacy policy for any updates/changes as well as changes in the service providers privacy policy).
We provide a checklist to service providers for data protection , only after which they can install and use DIVOC. Click here to see the checklist. We also provide them with recommendations and guidelines to create privacy policies for their frontend applications.
We do not store any of your data (for example, we do not store any persons medical history).
We do not and will not share your information with third parties which you would have not been aware of and consented to sharing.
We only collect data which you provide to us through the service provider or when you access our website (for example, data supplied by you on subscribing to our emailing list, or any grievance/complaint data).
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
At DIVOC (“we” or “us” or “our”) we respect the privacy of our users (“user” or “you” also referred to as ‘your’) and are committed to protecting it. Hence, we maintain the highest standards for secure activities , user information/data privacy and security.
This Privacy Policy explains what information we collect about you and why.
DIVOC (Digital Infrastructure for Verifiable Open Credentialing) is an open-source digital platform that has enabled governments across the world to issue, distribute and verify secure and tamper-proof COVID-19 vaccination and test result digital certificates, at scale. DIVOC, a Digital Public Good (DPG) by eGov Foundation, is designed in accordance with precise international specifications, is recognised by 120 countries globally and is compliant with WHO and EU standards.
DIVOC refers to the services being provided through the DIVOC platform. To know more about the services provided, please refer to our .
Through DIVOC, any implementing partner (national governmental bodies, department, local bodies & their agencies) corporate/private bodies (utility services) (Service Providers) can use DIVOC website/application/services in different ways such as for issuing and verifying certificates, set up registries for streamlines public health program executions, etc.
The DIVOC data dictionary follows the which includes compliance with principles of legitimate use, fair processing, accountability, transparency, purposeful, proportional, minimal and lawful collection, usage, storage and disclosure of personally identifiable information (“PII”), confidentiality and security of data.
DIVOC collects information/data (“data”) to improve and provide better public health programme execution. We collect and process PII such as your first name, last name, parent’s/guardian’s name, address, unique identifier, nationality, date of birth, mobile number, age, gender, identification documents, vaccine details (batch number, dosage number, date of vaccination, total number of doses, country of vaccination).
We may collect data such as vaccine manufacturer, vaccine market authorisation holder, vaccine administering centre, health worker identifier, due date of next dose, certificate valid from, certificate valid from and to period, certificate issuer and health certificate identifier ( certificate id).
We collect information such as Internet Protocol (IP) addresses, domain name, browser type, operating system, date and time of the visit, pages visited, IMEI/IMSI number, device ID, location information, language settings, handset make & model etc. However, no attempt is made to link these with the true identity of individuals visiting the relevant our website, implementing partner or service providers application or platform.
The information collected by us shall depend on the need of the service providers and interests of the users. Datasets collected shall be subject to change from time to time. Such changes shall be reflected in the privacy policy of the service provider (if nature of data changes from the service provider perspective) or our website’s privacy policy (if we change the nature of data collected).
The internet address associated with your computer, the type of web browser you use, your operating system, the site that referred you to us, the pages you visited, and the dates and times of those visits.
DIVOC collects data directly from the user (when the user uses our services) as and when you register and login into the service providers app/website. DIVOC may also collect data from national governments (union, state, and local governments or any other governing body, including their agents/employees), private bodies (only after our data protection and privacy guidelines are adhered to) as well as receive data that is available openly for public use.
We also collect data that any visitor to our website consensually provide to us (for example, data provided to make a complaint, customer query, or to subscribe to our emailing list).
Your data is stored in a secure manner on the implementation partner provided space. It does not allow your data to be visible to anyone, except persons who are authorised to do so by virtue of their official role. Unless indicated otherwise, this data will be retained for a minimum period as per implementing countries laws and a maximum period of as per implementing countries' laws. You can review and edit your data, as well as delete your data from the app/website by following the procedures as per implementing countries laws.
You may delete your account any time you wish. In case of deletion, we will remove all your PII from the system, so that it is not visible and/or accessible from any regular operation.
After deletion, in case you wish to recreate your profile, the same is permissible and none of the previously captured information will be populated automatically. You need to register as a fresh user.
If you simply delete/remove the application from your mobile device but do not delete your profile or unregister yourself from the app/website, you shall continue to be a registered user of the app and we shall continue to send you all communications that you have opted for unless and until you opt-out of such communications, or as per implementing countries laws.
In case you surrender/disconnect your registered mobile number it is recommended to delete your profile or unregister yourself from the application also.
We collect only such data as serves these objectives. Specifically:
We process this data as necessary to provide you with the services you are requesting (for example, to get your vaccination certificate issued or verified) through the service providers application (for example, in India, the CoWin app is the national government’s application used by citizens for issuance of vaccination certificates).
We may process, disclose, or share certain metadata, as well as aggregated and anonymised data, in order to assess and improve the status of such service delivery over time.
We may disclose or share this data to/with employees and/or contractors of the government agencies, service providers, whose role requires them to view or use this information in order to perform their official duties, including providing you the service(s) you are requesting.
Resolving any disputes that may arise with respect to the transactions/deals that you may conduct using the service providers app/website.
Detecting, investigating and preventing activities that may violate our policies or that may be illegal or unlawful.
Conducting research or analysing the user preferences and demographics as statistical data and not as individual data.
We may disclose or share this data in order to comply with the law or any legal process, including when required in judicial, arbitral, or administrative proceedings.
Payments made through the government’s or service providers App/website are processed via secure payment gateways.
We will not process, disclose, or share your data except as described in this policy or as otherwise authorised by you.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by is licensed under a .
L1: It is the initial level of support provided by the user help desk. They help to screen the issues and typically handle queries like "how to," FAQs, user creation, password resets, etc.
L2: It deals with support tickets that can be resolved by doing basic configuration in the application or suggesting workarounds. Other activities typically include environment management e.g. server monitoring, server management etc. For L2 support, we expect a team of infrastructure management-related skill sets.
L3: It deals with tickets typically requiring minor country-specific code changes (certificate templates, logo, UI, and not core platform code), analysis of changes in new/patch versions, data queries, handling environment issues that cannot be resolved by L2 staff. For L3 support, we expect a team of software engineering-related skill sets.
L4: It deals with tickets related to product enhancements or product defects. This would typically be worked on by the DIVOC team, which, in turn, will either release a hotfix, patch release, or bundle it in the next release, or defer/deprioritise.
Possible causes: Token has expired.
- Check access token is valid or correct for API call.
Action to be taken:
- Open postman.
- Create a POST request to /auth/realms/divoc/protocol/openid-connect/token endpoint.
- Add the following parameters:
client-id as admin-api
Grant-type as client-credentials
Client_secret as
- Once the request is sent, you will receive the auth_token as part of the payload.
- Modify the ADMIN_API_SECRET parameter within divoc-config.yaml file.
- Restart all the services using: kubectl rollout restart deployments -n <namespace of divoc installation>
Action to be taken:
- Check if the Content-Type in the header section is set as ‘application/json’
- If not, set the Content-Type as ‘application/json’
Action to be taken:
- Check if the payload is missing any parameter value like ‘preEnrollmentCode’, ‘recipient.name’, etc.
- If yes, add the missing parameter and check.
Action to be taken:
- Check if the format of value in payload or json structure is as per the expected structure. For example - format of date value, dose count is number or string, etc.
- If not, correct the value type in the payload.
Action to be taken:
- Check if the DIVOC system is reachable from the source system, or if the IP/domain of the DIVOC system is mapped correctly.
- If not, correct the IP/domain name or check the network.
Action to be taken:
- Check if all the DIVOC services required for the generation of certificates are up and running.
- Steps to be followed to check if required services are running:
Login in to the DIVOC server.
Go to the deployment folder.
Run this command: kubectl get pods -n <divoc namespace>
- If any of the pods are down and do not have an active running container:
Restart the pod with this command: kubectl rollout restart deployment
<name of the deployment which is down> -n <divoc namespace>
Run this command again: kubectl get pods -n <divoc namespace>
Validate if all the deployments are up again.
Check if you are able to generate the certificate.
- If you are still not able to generate the certificate, then check the logs of deployments one by one using this command: kubectl logs -f deployment/<deployment_name> -n <divoc_namespace>
- If you find any errors in the logs or if the logs are not clear to you, share the logs with the L3 team for resolution of the issue.
Action to be taken:
- Try restarting the gateway service: kubectl rollout restart deployment gateway -n <divoc_namespace>
- If the service does not start, look at the deployment logs and pass on the information to the L3 team: kubectl logs -f deployment gateway -n <divoc_namespace>
Action to be taken:
- Try restarting the vaccination api service: kubectl rollout restart deployment vaccination-api -n <divoc_namespace>
- If the service does not start, look at the deployment logs and pass on the information to the L3 team: kubectl logs -f deployment vaccination-api -n <divoc_namespace>
Action to be taken:
- Try restarting the certificate signer service: kubectl rollout restart deployment certificate-signer -n <divoc_namespace>
- If the service does not start, look at the deployment logs and pass on the information to the L3 team: kubectl logs -f deployment certificate-signer -n <divoc_namespace>
Action to be taken:
- Try restarting the registry service: kubectl rollout restart deployment registry -n <divoc_namespace>
- Try connecting to the database directly using the following command: psql -h <DB_ADDRESS> -U
a. If you are able to access the registry, look at the deployment logs and pass on the information to the L3 team: kubectl logs -f deployment registry -n <divoc_namespace>
b. If you are unable to connect to the database, restart the database and try connecting again. If the problem persists, reach out to the L3 team.
Action to be taken:
- Try restarting the certificate api service: kubectl rollout restart deployment certificate-api -n <divoc_namespace>
- If the service does not start, look at the deployment logs and pass on the information to the L3 team: kubectl logs -f deployment certificate-api -n <divoc_namespace>
Action to be taken:
- Regenerate a new SMS Auth Key from the SMS provider.
- Update SMS_AUTH_KEY property in divoc-config.yaml.
- Restart notification service: kubectl rollout restart deployment notification-service -n <divoc_namespace>
Possible causes: Indexes not present in database.
Action to be taken:
- Check if the following indexes are present for the following columns in VaccinationCertificate DB table in the database:
a. OSID
b. certificateId
c. Contact
d. Mobile
e. preEnrollmentCode in
- If they are not present, run the following commands:
a. CREATE INDEX CONCURRENTLY "public_V_VaccinationCertificate_preEnrollmentCode_sqlgIdx" ON "public"."V_VaccinationCertificate" ("preEnrollmentCode");
b. CREATE UNIQUE CONCURRENTLY INDEX "public_V_VaccinationCertificate_certificateId_sqlgIdx" ON "public"."V_VaccinationCertificate" ("certificateId");
c. CREATE INDEX CONCURRENTLY "public_V_VaccinationCertificate_contact_sqlgIdx" ON "public"."V_VaccinationCertificate" ("contact");
d. CREATE INDEX CONCURRENTLY "public_V_VaccinationCertificate_mobile_sqlgIdx" ON "public"."V_VaccinationCertificate" ("mobile");
e. CREATE INDEX CONCURRENTLY "public_V_VaccinationCertificate_osid_sqlgIdx" ON "public"."V_VaccinationCertificate" ("osid");
Possible causes: Redis server is down.
Possible actions:
- Check if you are able to connect to redis server using redis-cli: redis-cli -h <IP ADDR of server>
- If you are not able to connect, then restart the server.
a. SSH into the redis server.
b. List the redis-server process: sudo service redis-server status.
c. Fetch the process-id of redis-server.
d. Kill the redis-server process (sudo kill -9).
e. Restart redis-service process (sudo systemctl restart redis).
f. Confirm that we are now able to connect to redis-server using “redis-cli” command.
Increase the limit on the number of times a certificate could be updated:
Update the “divoc-config.yml” file with a new value (greater than the default value of 100) for “CERTIFICATE_UPDATE_LIMIT” property and apply it. Kubectl rollout restart deployment vaccination-api -n <divoc-namespace>
2. Pod is restarting frequently - If you run kubectl get pods -n and see that the number of pod restarts is high:
There can be multiple reasons why a pod restarts -
CPU limit is exceeded by pods: Modify the deployment by increasing the requests and limits on CPU.
Memory limit is exceeded by pods: Modify the deployment by increasing the requests and limits on memory.
Memory issue in the machine on which Kubernetes (worker node) is installed. We can increase the number of worker nodes or increase the memory of the worker nodes and then recreate pods if necessary.
Code issue: Sometimes there can be an issue with the code or the config might be missing. In such cased, we need to fix the bug.
3. Kubernetes cluster is not reachable from Kubeadm master node as SSL certs have expired:
If you encounter the following error:
#> kubectl version Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-15T21:07:38Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"} The connection to the server 135.122.6.50:6443 was refused - did you specify the right host or port?
Recovery steps are as follows:
Check if certs have expired: kubeadm alpha certs check-expiration --config=/root/kubernetes/kubeadm-config.yaml
Renew Certs:
cd /etc/kubernetes/pki/
mv
{apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} ~/
kubeadm init phase certs all --apiserver-advertise-address <Specify Master node LAN IP addr>
cd /etc/kubernetes/
mv {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf} ~/
kubeadm init phase kubeconfig al
3. Reboot server: reboot
4. After reboot ensure docker and all Kube* daemons are up docker ps | grep kube-apiserver
5. Mandatorily replace the config file with newly created one, to resolve “kubectl localhost:8080 connection refused” issue -
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
6. Issue Kubectl commands
Source Code - https://github.com/egovernments/DIVOC
Documentation: https://divoc.digit.org/
Report issues: https://github.com/egovernments/DIVOC/issues
Discussion forum: https://github.com/egovernments/DIVOC/discussions
Join us on slack: https://app.slack.com/client/T109J61DY/C03EC8C65SN
We recommend that you include the privacy notice in the platform. This information should be shared by implementing countries with their citizens. The privacy notice should have the following sections:
Purpose of processing
What information is collected
Retention of information
Grievance officer details
Sharing of information with third parties
Usage of cookies, what information is stored in cookies
Security measures taken for processing/storing information
Rights of individuals
We recommend that the following guidelines should be followed by a country that is implementing DIVOC:
A citizen's consent should be collected against the privacy notice and a centralised database should be maintained to log consent provided by the citizen (wherever applicable).
The privacy notice should ask people to connect with the privacy officer/grievance officer to exercise his/her right to withdraw their consent.
Personal data should only be accessible to limited individuals. In case third parties require access to the application for administrative purposes, we recommend you de-identify personal information.
Organisations should not retain the information for longer than it is required for the purpose for which the information was originally collected.
A formal document should be created to define the roles and responsibilities of personnel having access to personal data stored in the application.
Document an access matrix for the application. Ensure that regular reviews are conducted on the access matrix.
Review user access rights vis-à-vis the roles defined regularly.
Platform end-users (citizens) should be informed about the mechanisms to update their information through the privacy notice.
Platform end-users (citizens) should be informed about the mechanisms to update their information through the privacy notice.
Perform security testing on the application regularly. We also recommend that you fix all the vulnerabilities after the testing is performed, on-time.
Sign agreements/contracts with third parties, wherever applicable, including relevant security and privacy clauses.
Obtain explicit consent against the privacy notice from the individuals whenever sensitive personal data is processed.
The following checklist should be followed for data protection:
Implement least privilege, restrict users to only data and system information that is required to perform their tasks.
The full backup of data should be taken once a day:
- Postgres DB
- Redis cache
- Kafka
- ETCD
The full backups are retained for two weeks.
Incremental backups (hourly) are retained for one day.
Once the full backup is taken successfully, incremental backups can be purged.
Backup files will be kept in a separate environment.
Backup files will be encrypted before storing on another environment/server.
Authenticating the identity of a principal and verifying its authorisation to act are foundational controls that other security controls are built upon. Organisations should standardise on an approach to both authentication and authorisation. Consider the following authentication and password management:
The communication channels need to be encrypted to protect authentication tokens. Use only HTTPS POST/GET requests to transmit authentication credentials.
All keys, passwords, and certificates must be properly stored and protected.
Disk level encryption should be implemented.
All authentication controls must be enforced on a trusted system (such as the server). Partition site by anonymous, identified, and authenticated areas.
Establish and use standard, tested, authentication services whenever possible.
Use a centralised implementation for all authentication controls, including libraries that call external authentication services.
Exception handling is a programming concept that allows an application to respond to different error states (such as network down, database connection failure, etc.) in various ways. Handling exceptions and errors correctly are critical to making your code reliable and secure.
Error and exception handling occur in all areas of an application, including critical business logic as well as security features and framework code. Error handling is also important from an intrusion detection perspective. Certain attacks against your application may trigger errors, which can help detect attacks in progress. Consider the following:
All logging controls should be implemented on a trusted system (such as the server).
Restrict access to logs to only authorised individuals.
All the system and system access logs should be enabled.
The following checklist should be followed for system configurations:
Ensure servers, frameworks, and system components are running the latest approved version.
Ensure servers, frameworks, and system components have all patches issued for the version in use.
Restrict the web server, process, and service accounts to the least privileges possible.
When exceptions occur, fail securely.
Remove unnecessary functionality and files.
Remove test code or any functionality not intended for production, before deployment.
Remove unnecessary information from HTTP response headers related to the OS, web-server version, and application frameworks.
Implement a software change control system to manage and record changes to the code/ configuration/scripts in both development and production.
Watch out for this space for updates in the future.
All content on this page by is licensed under a .
When: Join us on Tuesday, January 17, 2023, to get an insight into the new features of DIVOC 3.0.
Time: 2:00 PM - 3.00 PM IST
Click to register for the webinar.
The release provides the platform with the ability to generate different types of verifiable credentials. New features also include multi-tenancy capabilities, where multiple tenants can issue VCs with their own schemas and templates; the capability to update/modify certificate content; and the ability to revoke/suspend certificates.
Benefits and features of DIVOC 3.0:
- Multi-tenancy capabilities [VC as a service].
- Multi-schema capabilities by multiple tenants.
- Universal verifier for all schema.
- Generate/update/revoke/suspend services for certificates
Explore how DIVOC 3.0 can fasttrack a nation’s digital health strategy.
When: Join us on Wednesday, March 30, 2022, to understand the use of digital health credentials for COVID-19 vaccination and testing campaigns, and beyond.
Time: 2 pm Manila time / 11.30 am IST.
Register at:
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by is licensed under a .
All content on this page by is licensed under a .
All content on this page by is licensed under a .
All content on this page by is licensed under a .
Welcome address: Thiam Hee Ng, Director, SARC
2 mins
Opening Remarks: Sungsup Ra, Chief Sector Officer, SDCC
3 mins
Presentation:
Viraj Tyagi, CEO, eGov Foundation
Pradipta Kundu, Health Mission Lead, eGov Foundation
30 mins
Comments and Discussion:
Patrick Osewe, Chief of Health Sector Group, SDSC
Thiam Hee Ng, Director, SARC
23 mins
Closing Remarks: Gi Soon Song, OIC, SAHS
2 mins