The Kiuru MSSP platform comprises of several components which together enable and digital signing and secure authentication for citizens.
- Advanced Electronic Signatures (AdES) support
- Qualified Signature Creation Device (QSCD) support
- Built-in OTA (Alauda OTA)
- LoA4 compliance
- High availability and high performance clustering
- Geo-redundancy support
- Multi-tenancy support
- Robust service administration and monitoring tools
- Supported platforms: Linux (RHEL7+, CentOS), on Bare metal, VMWare, KVM and/or Docker
Kiuru AE MSSP
Kiuru AE (Acquiring Entity) MSSP is a server that links the Application Provider’s service to the Mobile User’s HomeMSSP. Kiuru AE MSSP offers a unified interface for Application Providers to integrate Mobile Signature Services into their service.
AE provides an isolated public ETSI TS 102 204 compliant interface for APs, filters and validates all incoming request before they are allowed into the MSSP Mesh. The AE MSSP may reach the HomeMSSP directly or through the Mesh, an interconnected system of MSSP servers.
For more details, see Kiuru AE MSSP Product Factsheet
Kiuru ME MSSP
Kiuru ME (Management Entity) MSSP is a server that centralizes the registration and administration interfaces for an MSSP system. ME can be used e.g. by Registration Authorities to register and manage user data in the databases that the AE MSSP and HomeMSSP use in request processing. ME allows the shut-down and maintenance of registration processes without interrupting signature services. Additionally, the ME MSSP forwards client management requests to the User’s HomeMSSP for onward delivery to the PKI client.
Kiuru ME MSSP includes a suite of tools for managing a Kiuru MSSP system. The Kiuru Admin CLI (Command Line Interface) provides powerful command line tools that experienced users can use in order to have as few restrictions as possible, while Kiuru Admin GUI (Graphical User Interface) provides a more user-friendly operational environment with configurations for different use-cases.
For more details, see Kiuru ME MSSP Product Factsheet
Kiuru HomeMSSP is a server that provides mobile signature service functionality for trusted service providers. It is used to establish an open, standard based and secure channel between end users and the AE/Mesh.
Kiuru HomeMSSP receives signature requests from the AE/Mesh, converts them into a form that’s usable by the PKI client and sends them to a resident Mobile User’s phone. Additionally, Kiuru HomeMSSP processes client management requests from Kiuru ME MSSP.
Kiuru HomeMSSP comes with the integrated Alauda OTA (Over the Air) server.
The OTA server is used to transmit Applet client requests to the SIM card without being physically connected to the card. The OTA server segments the request received from the Mobile User’s HomeMSSP and transmits it to an SMSC (Short Message Service Center). The server also manages OTA and Alauda encryption keys, which ensure end-to-end encryption between the OTA server and the SIM card.
Similarly, the Kiuru HomeMSSP provides an HTTPS interface to the Kiuru AFE server for transmitting app client requests to the smartphone app.
Kiuru AFE provides a secure communication link between the Kiuru SAM and the app client. Kiuru AFE connects to app platform push notification services (including APNS and FCM) to deliver messages to the app client. It also receives app originated HTTPS calls, authorizes and redirects those messages to web sockets connected to the HomeMSSP.
Optimized for fast low latency communication, all communication through the AFE is protected using TLS and Alauda transport encryption which ensures end-to-end confidentiality of all messages between the Kiuru SAM and the app.
For more details, see Kiuru HomeMSSP Product Factsheet
ETSI 102 204 SOAP API
The AE MSSP provides a ETSI 102 204 standard API interface for Application providers. It is a SOAP API for application providers to:
- Request Signatures (synchronous and asynchronous-client-server modes)
- Request Status information on Signature requests
- Request Receipt messages on successful Signature requests
All MSSPs also provide a ETSI 102 207 roaming standard API interface for routing messages between interconnected Mobile Signature Service Providers (MSSPs) in an service Mesh.
Kiuru REST plays the role of a gateway between relying application providers and the AE MSSP. Kiuru REST provides a simplified JSON API for Application Providers. Kiuru REST converts JSON requests into SOAP protocol, filling any missing information with functional default values. Similarly, SOAP responses are converted into JSON responses before onward delivery to the originating application provider.
For more information, see Kiuru REST API Product Factsheet and Kiuru REST API documentation.
The MSS Registration (MReg) API is an administration API provided by the Kiuru ME MSSP and available as a SOAP and JSON APIs. MReg is designed as an interoperable extension to ETSI TS 102 204 standard, and it includes all the basic functions required to run a Registration Authority (RA).
Kiuru MSSP supports the clustering of servers for higher performance and availability. Servers in a clustered system share the same database, and traffic is divided between them by a load balancer. The load balancer also detects MSSP failures and redirects traffic accordingly. In a clustered setup, HomeMSSPs are in one cluster and AE MSSPs are in another.
Kiuru MSSP supports e.g. F5 BIGIP/Radware Alteon load balancers or Apache proxy for mutual TLS authentication, which is a mandatory requirement in the ETSI TS 102 204 standard. Complete system high-availability also requires redundant databases and load balancers.
Geo-redundancy support for Kiuru MSSPs enables service providers to have secondary service sites to which traffic can be redirected in case of unexpected malfunctions. Mobile Signature Services are expected to maintain a high degree of availability at all times, so in the event that an unpredictable event stops the primary site from working, service is maintained in a geographically separate location.
ME MSSPs replicate operational data from the primary site periodically to the secondary site as a precaution.
See our blog post on geo-redundancy for more information