3.2 Setting the configuration options

3.2.1 Web service location

Within MyID, you must set the location of the MyID web service that allows a mobile device to collect a mobile ID.

To set the location of the web service:

  1. From the Configuration category, select the Operation Settings workflow.
  2. Click the Certificates tab.
  3. Set the Mobile Certificate Recovery Service URL option to the location of the MyID Process Driver web service host.

    Note: This option is used for more operations than certificate recovery, despite the name.

    For example:

    https://myserver

    Replace myserver with the name of the server on which the web service is installed.

    You are recommended to use HTTPS (SSL/TLS) on this connection, because the mobile device collects its mobile ID over it. Make sure you specify the correct protocol: http or https.

    Note: The users' mobile devices must be able to access this URL. To be able to access the other MyID web services, all three MyID web services must be installed on the same server.

  4. If you have installed MyID in a distributed network where the web server is in a separate domain, you may have to supply a separate URL for your MyID client workstations to retrieve a QR code for mobile issuance. In this case, set the Web Server External Address option to the URL of the MyID web services server that hosts the ProcessDriver web service. Make sure this URL is accessible to your MyID clients.

    In the majority of network configurations, you can leave this option blank.

  5. Click Save changes.

3.2.2 Setting the authentication code complexity

The single-use authentication code that secures a mobile ID sent to the mobile device is governed by the Certificate Recovery Password Complexity configuration option. For mobile issuance you must set this option to require numeric characters only (the N suffix in the format described below).

To set the password complexity:

  1. From the Configuration category, select the Operation Settings workflow.
  2. Click the Certificates tab.
  3. Set the Certificate Recovery Password Complexity option.

    The format is xx-yyN, which is made up of:

    • xx = minimum length.

    • yy = maximum length.

    • N = numeric characters only.

    The default is 04-08N, which means a code of 4 to 8 numbers.

  4. Click Save changes.
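    The following Python is an added example, not MyID's own code, showing how a code can be validated and generated against a complexity string of the form xx-yyN as described above (xx = minimum length, yy = maximum length, N = numeric only). The function names, the rejection of malformed strings, and the use of the maximum length by default are assumptions; MyID's own validation is not shown on this page.

```python
"""Parse a MyID-style xx-yyN authentication code complexity string,
validate codes against it, and generate single-use codes with a CSPRNG.

Added example: this is not MyID's code. The format is read from the
documentation (xx = minimum length, yy = maximum length, N = numeric only);
the function names and error handling are assumptions.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Two-digit minimum, hyphen, two-digit maximum, trailing N (numeric only).
_SPEC = re.compile(r"^(\d{2})-(\d{2})N$")


@dataclass(frozen=True)
class CodeComplexity:
    min_len: int
    max_len: int

    @property
    def search_space(self) -> int:
        """Number of distinct numeric codes the policy admits, i.e. how many
        guesses an attacker would need to exhaust it (10 choices per digit)."""
        return sum(10 ** n for n in range(self.min_len, self.max_len + 1))


def parse_complexity(spec: str) -> CodeComplexity:
    """Parse '04-08N' into CodeComplexity(min_len=4, max_len=8)."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported complexity string: {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo < 1 or lo > hi:
        raise ValueError(f"invalid length range in {spec!r}")
    return CodeComplexity(lo, hi)


def code_matches(code: str, policy: CodeComplexity) -> bool:
    """True if the code is ASCII digits only and within the length bounds."""
    return (re.fullmatch(r"[0-9]+", code) is not None
            and policy.min_len <= len(code) <= policy.max_len)


def generate_code(policy: CodeComplexity, length: Optional[int] = None) -> str:
    """Generate a single-use code with the secrets module (CSPRNG), never
    the random module. Defaults to the longest length the policy allows,
    which gives the largest search space."""
    n = policy.max_len if length is None else length
    if not policy.min_len <= n <= policy.max_len:
        raise ValueError("requested length is outside the policy bounds")
    return "".join(secrets.choice("0123456789") for _ in range(n))


if __name__ == "__main__":
    policy = parse_complexity("04-08N")  # the documented default
    print(policy, "search space:", policy.search_space)
    code = generate_code(policy)
    print("generated:", code, "valid:", code_matches(code, policy))
```

    The search_space property makes the trade-off visible: a 4-digit code gives only 10,000 possibilities, so a short minimum length relies on the code being single-use and on the server limiting attempts.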

3.2.3 Biometric authentication

MyID PIV systems support biometric authentication when updating and unlocking credentials. These features are not supported for mobile devices; therefore, on PIV systems, you must disable them before you can issue mobile identities successfully.

To set the biometric authentication options:

  1. From the Configuration category, select the Operation Settings workflow.
  2. Click the Biometrics tab.
  3. Set the following options:

    • Set the Verify fingerprints during card update option to No.

      If this option is set to Yes, provisioning a mobile identity will fail with an error similar to:

      Your mobile device is not compatible with biometric authentication

    • Set the Verify fingerprints during card unlock option to No.

      If this option is set to Yes, unlocking a mobile identity will fail with an error similar to:

      Your mobile device is not compatible with biometric authentication

  4. Click Save changes.

Note: When you set these options to No, you are removing the requirement to use biometrics when unlocking or updating smart cards as well as mobile identities. Assess this reduction in assurance for your smart card population before you change them.

3.2.4 Configuring the image location

To allow MyID to send badge images to the mobile device, you must make sure that the Image Upload Server configuration option (on the Video page of the Operation Settings workflow) is set to a value that can be resolved (to the name or IP address of the MyID web server) from the MyID Web Services server. For more information, see the Configuring the image location section in the Administration Guide.

3.2.5 Maximum session count

If too many clients (whether mobile clients, or other clients such as MyID Desktop, the Self-Service App, or the Self-Service Kiosk) access the server at the same time for issuance or update processes, you may experience performance issues, and end users may experience errors.

If too many clients overload the server infrastructure, the errors may be generated from various points in the system (for example, from the database or the web server) and there may be a wide variety in the messages displayed; some error messages may be generic errors, with the details visible only in the MyID server logs.

If a user sees an "unexpected" error on the mobile device:

  1. Review the MyID server logs for the time period involved. Check for timeout issues.
  2. Review your infrastructure for high resource usage; for example, CPU, RAM, and so on.
  3. Consider restricting the number of mobile sessions using the Maximum session count configuration option.

To set the maximum number of mobile sessions allowed:

  1. From the Configuration category, select the Operation Settings workflow.
  2. Click the Identity Agent Policy tab.
  3. Set the following option:

    • Maximum session count

      This determines the number of concurrent sessions (whether from mobile clients or other clients such as MyID Desktop, the Self-Service App, or the Self-Service Kiosk) that are allowed by the server while still allowing mobile issuance and update operations.

      Values:

      0 – Do not allow mobile issuances or updates.

      -1 – No limits.

      Any other number determines the number of client sessions allowed. If this number is exceeded, the server returns HTTP 503 – service unavailable – to all mobile clients. This will also be recorded in the local event log.

      Only mobile clients are prevented from connecting.

      You are recommended to tailor this value to your hardware: too high a value, and your server may experience performance issues; too low and your server will be under-used.

      As server deployments differ in computing capability, functionality usage, and data load, it is impossible to recommend precise values. You are recommended to try various values on a test system that mirrors the resources and data load of your production system.

  4. Click Save changes.
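    The following Python is an added illustration of the admission rule described above, not MyID's implementation. It models the semantics the page states: every client session counts toward the limit, but only mobile clients are refused with HTTP 503 when it is exceeded; 0 refuses all mobile issuance and update; -1 means no limit. The class and method names, the decision to refuse a mobile session when admitting it would take the count above the limit, and the warning log line are assumptions.

```python
"""Model of the Maximum session count admission rule.

Added example, not MyID's code. Semantics from the documentation:
  -1  no limit
   0  do not allow mobile issuances or updates
   n  allow n concurrent client sessions; beyond that, mobile clients get 503
All client kinds count toward the limit; only mobile clients are refused.
Names and the exact "exceeded" boundary are assumptions.
"""
import logging
from enum import Enum

log = logging.getLogger("session-gate")

NO_LIMIT = -1


class ClientKind(Enum):
    MOBILE = "mobile"
    DESKTOP = "desktop"  # MyID Desktop, Self-Service App, Self-Service Kiosk


class SessionGate:
    def __init__(self, max_session_count: int):
        if max_session_count < NO_LIMIT:
            raise ValueError("Maximum session count must be -1, 0 or a positive number")
        self.limit = max_session_count
        self.active = 0

    def admit(self, kind: ClientKind) -> int:
        """Return the HTTP status for a new session: 200 if admitted,
        503 (service unavailable) if a mobile client is refused.

        Assumption: a mobile session is refused when the active count has
        already reached the limit. A limit of 0 needs no special case, since
        active >= 0 is always true. Non-mobile clients are always admitted
        and still counted, so a busy desktop population can block mobile
        issuance on its own.
        """
        if kind is ClientKind.MOBILE and self.limit != NO_LIMIT \
                and self.active >= self.limit:
            # Mirrors the page's statement that refusals are recorded locally.
            log.warning("mobile session refused: active=%d limit=%d",
                        self.active, self.limit)
            return 503
        self.active += 1
        return 200

    def release(self) -> None:
        """Call when any client session ends."""
        self.active = max(0, self.active - 1)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    gate = SessionGate(2)
    for kind in (ClientKind.DESKTOP, ClientKind.DESKTOP, ClientKind.MOBILE):
        print(kind.value, "->", gate.admit(kind))
```

    The model makes the asymmetry explicit: when tuning the value on a test system, count the desktop and kiosk sessions as well as the mobile ones, because it is the total that triggers the 503 that only mobile users see.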

3.2.6 Setting up support for historic certificates

You can set up MyID to provide historic encryption certificates for mobile identities. This feature allows users to decrypt their old email messages on their mobile device. The historic encryption certificates are delivered to the mobile device when the mobile identity is issued.

To configure MyID to provide historic certificates, you must use the certificate options in the credential profile. See the Selecting certificates section in the Administration Guide for details of the Issue new, Use existing, and Historic Only options.

Note: Samsung Android devices limit certificate names to 50 characters. MyID appends characters to the name of a historic certificate to mark it as historic, so if the base name is longer than 45 characters the extended name exceeds this limit and the historic certificate overwrites the existing certificate. If you are issuing historic certificates to Samsung Android devices, you must ensure that the certificates you use have names with a maximum of 45 characters.

3.2.7 Configuring MyID for 3DES encryption

New installations of MyID are configured for AES encryption for low-level processes; for example, secure communication between MyID clients and servers.

If you are issuing mobile identities using the following versions of the mobile apps (or earlier):

you must configure MyID to use 3DES instead; a later update for these mobile apps will provide support for AES.

To configure MyID to use 3DES:

  1. From the Configuration category, select the Security Settings workflow.
  2. Click the Server tab.
  3. Set the following option:

    • Envelope Transport Key Algorithm – make sure this option is set to 3DES.

  4. Click Save changes.

Note: Apps developed using Identity Agent Framework version 3.9 or later, which use the rest.provision mobile provisioning API, can support AES; for apps developed using earlier versions, set the option to 3DES. Because 3DES is a legacy algorithm, treat this setting as a temporary downgrade and return it to AES once all your deployed mobile apps support AES.