Automatic Credential Renewal/Rotation

[jjeroch]

Summary:

Development of an automated backend logic inside the issuer component for the re-issuance of BPNL and Membership credentials prior to their expiration. The system will incorporate a scheduled job to run nightly, identifying credentials expiring the next day and re-issuing them automatically, while adhering to defined business rules and workflows.

Components:

1. Scheduled Job Implementation

• User Story: Implementation of a scheduled job which is supposed to run each night to identify BPNL and Membership credentials expiring the next day.
• Acceptance Criteria:
  • A job scheduler is in place and configured to execute nightly.
  • The scheduler identifies all credentials that are set to expire the next day.

2. Automatic Re-Issuance Logic

• User Story: The job to identify BPNL and Membership credentials expiring the next day need to get enhanced to automatically re-issue expiring credentials without human intervention, following the necessary business rules.
• Acceptance Criteria:
  • Automated re-issuance process is developed and integrated.
  • The process includes necessary business rules and approval workflows.
  • Credentials are re-issued prior to expiration.

3. Data Privacy and Security Compliance

• User Story: The newly created re-issuance job must ensure that all re-issuance procedures comply with the data privacy and security standards.
• Acceptance Criteria:
  • The re-issuance process is audited for compliance with data privacy and security standards.
  • Any identified vulnerabilities or non-compliances are addressed.

4. Documentation Update

• User Story: As a developer, I should update the system documentation to reflect the changes made by the new re-issuance process.
• Acceptance Criteria:
  • Documentation is updated to include details of the new re-issuance process.
  • Documentation accurately reflects the workflow, business rules, and system interactions.

5. Integration with Existing Systems

• User Story: As a system architect, I need to ensure that the integration of the new re-issuance process does not disrupt existing functionalities.
• Acceptance Criteria:
  • Integration testing is completed to ensure compatibility with existing systems.
  • The new process works in tandem with existing functionalities without causing disruptions.
  • Any conflicts with existing systems are resolved.

---

Test Cases

Scheduled Job Implementation Test Cases

1. TC1: Job Schedule Execution

   • Verify that the scheduled job runs at the specified nightly time without fail.

2. TC2: Credential Expiry Identification

   • Validate that the job accurately identifies all credentials due to expire the next day.

Automatic Re-Issuance Logic Test Cases

1. TC3: Re-Issuance Trigger

   • Confirm that the re-issuance process triggers automatically for credentials expiring the next day.

2. TC4: Approval Workflow Integration

   • Test that the renewal process correctly follows the predefined approval workflows.

3. TC5: Renewal Confirmation

   • Check that users receive confirmation of their credential renewal.

4. TC6: Load Testing

   • Perform load testing to ensure the system can handle a high number of renewals simultaneously.

Data Privacy and Security Compliance Test Cases

1. TC8: Access Control Checks

   • Verify that only authorized personnel/systems have access to the re-issuance process.

2. TC9: Audit Log Accuracy

   • Check that all actions taken by the re-issuance process are accurately logged for audit purposes.

---

Milestones:

1. Design phase completion.
2. Development of scheduled job and re-issuance logic.
3. Initial round of testing (unit and integration).
4. Documentation updates.
5. Security compliance audit.
6. Final testing with edge cases and failure modes.
7. Deployment to production.
8. Monitoring phase and post-deployment review.

Additional information

• [ ] I'm willing to contribute to this feature

[stephanbcbauer]

Hello @jjeroch , @evegufy

Since the feature is a 24.05 feature and the development phase for 24.08 is coming to an end, we need a status on the feature. Can you please update the status?

• [ ] Currently you are assigned (Responsible) → Is this correct? If not, please assign the correct contact person
• [ ] Please check whether the status (backlog, work in progress ...) is set correctly
• [ ] Please comment on the current status of the feature
• [ ] Are all SubTasks (issues from other repositories that deal with the feature) linked? → The easiest way is to mention the feature here in the issue (via the ID) so we can see which teams/repositories are involved.
• [ ] Is there a spillover planned?

If you need any clarification, please get in touch, thank you very much.

Stephan

[jjeroch]

Feature moved to next PI. Implementation was already approved and is supposed to be available by August. Working on the details. Ownership: stays with me; Evelyn and Max will take over the feature review, maintenance, etc.

[Phil91]

@jjeroch we have one huge problem which currently isn't solved. To be able to automatically retrigger the creation we need the credentials of the wallet for the holder. We do have the issuer wallet credential so the reissuance itself isn't a problem. But the import into the holder wallet can't be made since the current process deletes the credentials to be able to communicate with the holder wallet. We could change the process in a way that we don't delete the credential information from the database, which would still leave us with the existing credentials being not existing in the database...

I guess it would make sense to align in a meeting on how that should be solved?

@MaximilianHauer fyi

[MaximilianHauer]

refinement day feedback:

• do we need to expire the credentials and if why would we automatically renew them. shouldn't there be a manual review process inbetween ?