3.2 Setting the configuration options

This section contains information about setting the MyID configuration options to enable you to provision mobile identity documents.

3.2.1 Web service location

Within MyID, you must set the location of the MyID web service that allows a mobile device to collect a mobile identity document.

To set the location of the web service:

  1. From the Configuration category, select the Operation Settings workflow.
  2. Click the Certificates tab.
  3. Set the Mobile Certificate Recovery Service URL option to the location of the MyID Process Driver web service host.

    Note: This option is used for more operations than just certificate recovery, despite the name.

    For example, set the option to:

    https://myserver

    Replace myserver with the name of the server on which the web service is installed.

    You are recommended to use SSL on this connection. Make sure you specify the correct protocol: http or https.

    Note: The users' mobile devices must be able to access this URL. To be able to access the other MyID web services, all MyID web services must be installed on the same server.

  4. If you have installed MyID in a distributed network where the web server is in a separate domain, you may have to supply a separate URL for your MyID client workstations to retrieve a QR code for mobile provisioning. In this case, set the Web Server External Address option to the URL of the MyID web services server that hosts the ProcessDriver web service. Make sure this URL is accessible to your MyID clients.

    In the majority of network configurations, you can leave this option blank.

  5. Click Save changes.

3.2.2 Setting the authentication code complexity

To set up the single-use authentication code that is used to secure mobile identity documents sent to the mobile device, you must use the Certificate Recovery Password Complexity configuration option to require numeric characters only.

To set the password complexity:

  1. From the Configuration category, select the Operation Settings workflow.
  2. Click the Certificates tab.
  3. Set the Certificate Recovery Password Complexity option.

    The format is xx-yyN, which is made up of:

    • xx = minimum length.

    • yy = maximum length.

    The default is 04-08N which means a code of 4 to 8 numbers.

  4. Click Save changes.
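The xx-yyN format above, as an added example (not part of the MyID documentation or product code): a Python check that a configured value is in the numeric-only form, that a code fits it, and how many distinct codes it admits. The function names are hypothetical, and treating a minimum length of 0 as invalid is an assumption.

```python
import re

# Handles only the numeric-only form described in this section (xx-yyN).
# Any other value is reported as not matching that form.
_POLICY_RE = re.compile(r"(\d{2})-(\d{2})N")


def parse_numeric_policy(value):
    """Return (min_len, max_len) for an xx-yyN value, or raise ValueError."""
    m = _POLICY_RE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"{value!r} is not in the xx-yyN form")
    lo, hi = int(m.group(1)), int(m.group(2))
    # Assumption: a minimum of 0 (an empty code) is never intended.
    if lo < 1 or hi < lo:
        raise ValueError(f"{value!r}: need 1 <= minimum <= maximum")
    return lo, hi


def code_matches_policy(code, policy):
    """True if code is ASCII digits only and its length is within the policy."""
    lo, hi = parse_numeric_policy(policy)
    return code.isascii() and code.isdigit() and lo <= len(code) <= hi


def keyspace(policy):
    """Return (codes at the minimum length, codes over all allowed lengths)."""
    lo, hi = parse_numeric_policy(policy)
    return 10 ** lo, sum(10 ** n for n in range(lo, hi + 1))


if __name__ == "__main__":
    # Constructed sample values; "04-08N" is the default given in this section.
    for policy in ("04-08N", "06-08N", "08-04N", "04-08"):
        try:
            shortest, total = keyspace(policy)
            print(f"{policy}: {shortest:,} codes at minimum length, {total:,} overall")
        except ValueError as err:
            print(f"rejected: {err}")
```

The figure for the minimum length is the one to size against, because a code is only as hard to guess as the shortest value the policy permits.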

3.2.3 Biometric authentication

MyID PIV systems support biometric authentication when updating and unlocking credentials. These features are not supported for mobile devices; therefore, on PIV systems, you must disable them before you can issue mobile identities successfully.

To set the biometric authentication options:

  1. From the Configuration category, select the Operation Settings workflow.
  2. Click the Biometrics tab.
  3. Set the following options:

    • Set the Verify fingerprints during card update option in the Operation Settings workflow to No.

      If this option is set to Yes, provisioning a mobile identity will fail with an error similar to:

      Your mobile device is not compatible with biometric authentication

    • Set the Verify fingerprints during card unlock option in the Operation Settings workflow to No.

      If this option is set to Yes, unlocking a mobile identity will fail with an error similar to:

      Your mobile device is not compatible with biometric authentication

  4. Click Save changes.

Note: When you set these options to No, you are removing the requirement to use biometrics when unlocking or updating smart cards as well as mobile identities.

3.2.4 Configuring the image location

To allow MyID to send badge images to the mobile device, you must make sure that the Image Upload Server configuration option (on the Video page of the Operation Settings workflow) is set to a value that can be resolved (to the name or IP address of the MyID web server) from the MyID Web Services server. For more information, see the Configuring the image location section in the Administration Guide.

3.2.5 Maximum session count

If too many clients (whether mobile clients, or other clients such as MyID Desktop, the Self-Service App, or the Self-Service Kiosk) access the server at the same time for issuance or update processes, you may experience performance issues, and end users may experience errors.

If too many clients overload the server infrastructure, the errors may be generated from various points in the system (for example, from the database or the web server) and there may be a wide variety in the messages displayed; some error messages may be generic errors, with the details visible only in the MyID server logs.

If a user sees an "unexpected" error on the mobile device:

  1. Review the MyID server logs for the time period involved. Check for timeout issues.
  2. Review your infrastructure for high resource usage; for example, CPU, RAM, and so on.
  3. Consider restricting the number of mobile sessions using the Maximum session count configuration option.

To set the maximum number of mobile sessions allowed:

  1. From the Configuration category, select the Operation Settings workflow.
  2. Click the Identity Agent Policy tab.
  3. Set the following option:

    • Maximum session count

      This determines the number of concurrent sessions (whether from mobile clients or other clients such as MyID Desktop, the Self-Service App, or the Self-Service Kiosk) that are allowed by the server while still allowing mobile issuance and update operations.

      Values:

      0 – Do not allow mobile issuances or updates.

      -1 – No limits.

      Any other number determines the number of client sessions allowed. If this number is exceeded, the server returns HTTP 503 – service unavailable – to all mobile clients. This will also be recorded in the local event log.

      Only mobile clients are prevented from connecting.

      You are recommended to tailor this value to your hardware: too high a value, and your server may experience performance issues; too low and your server will be under-used.

      As server deployments differ in computing capability, functionality usage, and data load, it is impossible to recommend precise values. You are recommended to try various values on a test system that mirrors the resources and data load of your production system.

  4. Click Save changes.