Prerequisites

  1. A running Lissi Agent instance deployed using Docker-Compose (see here)

  2. Access to the Docker image (granted via a personal access token)

Setup

1. Update the Lissi Agent Configuration

Update the ~/app/server/docker-compose.yml

Add the lissi-verifier service:

```yaml
lissi-verifier:
  container_name: lissi-verifier
  image: "${LISSI_VERIFIER_IMAGE}"
  ports:
      - "127.0.0.1:8888:8080"
  environment:
      - KEYCLOAK_AUTHSERVERURL=${KEYCLOAK_AUTH_SERVER_URL}
      - LISSIAGENT_URL=http://lissi-agent-controller:9080/ctrl/api/v1.0
      - LISSIAGENT_TENANT-ID=${LISSI_VERIFIER_TENANT_ID}
      - LISSIAGENT_WEBHOOK-API-KEY=${LISSI_VERIFIER_WEBHOOK_API_KEY}
  depends_on:
      - aries-cloud-agent
  networks:
      - lissi-agent-network
      - lissi-keycloak-network
  logging:
      driver: "json-file"
      options:
          max-file: "5"
          max-size: "50m"
  restart: on-failure
```

Modify the aries-cloud-agent startup parameters and add a second --webhook-url parameter pointing at the verifier, as shown in line 10 of the excerpt below:

```yaml
aries-cloud-agent:
  container_name: aries-cloud-agent
  image: ${ACAPY_IMAGE}
  entrypoint: /bin/bash
  command: [
          "-c",
          "sleep 10;
          aca-py start \
          [...]
          --webhook-url 'http://lissi-verifier:8080/api/acapy-webhook#$LISSI_VERIFIER_WEBHOOK_API_KEY' \
          [...]
      ]
```

Update ~/app/client/nginx.conf

Add a server context at the bottom of the file. The WebSocket location uses the $connection_upgrade variable, which nginx only accepts if a "map $http_upgrade $connection_upgrade" block is defined in the http context of the same nginx.conf; the existing Lissi nginx.conf is assumed to already provide it.

```nginx
server {
  server_name verifier.NGINX_HOST_PLACEHOLDER;
  listen 8443 ssl http2;
  listen [::]:8443 ssl http2;

  # security configs (see https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)
  # do not display the nginx version number
  server_tokens off;
  # prevent potential DoS attacks
  client_body_buffer_size 1k;
  client_header_buffer_size 1k;
  # upload images with max 1 MB size possible!
  client_max_body_size 1000k;
  large_client_header_buffers 4 4k; # min 4k are required after update to NGINX version 20.0

  ssl_buffer_size 8k;
  ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

  # exclude TLSv1 and TLSv1.1 (unsafe)
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;

  ssl_ecdh_curve secp384r1;
  ssl_session_tickets off;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4;

  ssl_certificate /etc/letsencrypt/live/NGINX_HOST_PLACEHOLDER/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/NGINX_HOST_PLACEHOLDER/privkey.pem;

  root /opt/app-root/src;
  index index.html index.htm;

  gzip on;
  gzip_min_length 1000;
  gzip_proxied expired no-cache no-store private auth;
  gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

  # Lissi Verifier WebSocket
  location ^~ /stomp {
    proxy_pass http://lissi-verifier:8080;

    # WebSocket support (nginx 1.4)
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_read_timeout 10m;
    proxy_set_header Origin "";
  }

  # Lissi Verifier API
  location / {
    limit_except GET HEAD POST { deny all; }
    proxy_pass http://lissi-verifier:8080;
  }
}
```

Update the ~/app/client/letsencrypt/create-cert-staging.sh

Replace -d ${SERVER_PUB_DOMAIN_NAME} with:

```sh
-d ${SERVER_PUB_DOMAIN_NAME} \
-d verifier.${SERVER_PUB_DOMAIN_NAME}
```

Update the ~/app/client/letsencrypt/create-cert.sh

Replace -d ${SERVER_PUB_DOMAIN_NAME} with:

```sh
-d ${SERVER_PUB_DOMAIN_NAME} \
-d verifier.${SERVER_PUB_DOMAIN_NAME}
```

2. Update the .profile

Add the following variables to ~/.profile:

```sh
export LISSI_VERIFIER_IMAGE="milissi.azurecr.io/lissi-verifier:X.X.X"
export LISSI_VERIFIER_TENANT_ID="default_tenant"
export LISSI_VERIFIER_WEBHOOK_API_KEY="<RANDOM_KEY>"
```

LISSI_VERIFIER_TENANT_ID determines the tenant that the Lissi Verifier connects to; the Lissi Verifier only shows proof templates from this tenant. Replace <RANDOM_KEY> with a long random secret: it is the value that follows the # in the --webhook-url added to aries-cloud-agent above and that ACA-Py sends with every webhook call, so the verifier can tell the agent's webhooks from anything else reaching that endpoint.
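A pre-flight check for the wiring above (the compose and aca-py changes in step 1 and the variables in step 2), meant to run before the start commands in step 3. This is an added example, not part of the Lissi project or its install scripts; the function names are my own, and it assumes the compose layout shown in this guide (a lissi-verifier service with a ports: list and an aries-cloud-agent command carrying the --webhook-url). It generates a candidate value for <RANDOM_KEY>, checks that the three LISSI_VERIFIER_* variables are set and no longer contain placeholders, confirms that the verifier's published port is bound to 127.0.0.1 or [::1] only (so only the nginx reverse proxy, not the host's public interfaces, reaches the verifier directly), and confirms that aca-py's second --webhook-url carries the key. The compose excerpt it runs against at the end is constructed for the demo.

```shell
#!/bin/sh
# Pre-flight checks for the Lissi Verifier wiring (added example; function names are my own).

# Produce a value for <RANDOM_KEY>: 32 random bytes as 64 hex characters
# (read from /dev/urandom, so openssl is not required).
generate_webhook_key() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Return 0 if the three LISSI_VERIFIER_* variables are usable
# (run after "source ~/.profile"), 1 with a message otherwise.
check_verifier_env() {
    status=0
    case "${LISSI_VERIFIER_IMAGE:-}" in
        ""|*:X.X.X)
            echo "LISSI_VERIFIER_IMAGE is unset or still carries the X.X.X placeholder tag"
            status=1 ;;
    esac
    if [ -z "${LISSI_VERIFIER_TENANT_ID:-}" ]; then
        echo "LISSI_VERIFIER_TENANT_ID is unset"
        status=1
    fi
    key="${LISSI_VERIFIER_WEBHOOK_API_KEY:-}"
    if [ -z "$key" ] || [ "$key" = "<RANDOM_KEY>" ] || [ "${#key}" -lt 32 ]; then
        echo "LISSI_VERIFIER_WEBHOOK_API_KEY is unset, still the placeholder, or shorter than 32 characters"
        status=1
    fi
    return "$status"
}

# Print the port mappings of the lissi-verifier service in a compose file, one
# per line with quotes stripped; indentation tracking stops at the next service.
verifier_port_mappings() {
    awk '
        /^[[:space:]]*lissi-verifier:[[:space:]]*$/ {
            match($0, /^[[:space:]]*/); svc_indent = RLENGTH; in_svc = 1; next
        }
        in_svc && /^[[:space:]]*[A-Za-z0-9_-]+:/ {
            match($0, /^[[:space:]]*/)
            if (RLENGTH <= svc_indent) { in_svc = 0 } else { in_ports = ($0 ~ /^[[:space:]]*ports:[[:space:]]*$/) }
        }
        in_svc && in_ports && /^[[:space:]]*-[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*-[[:space:]]*/, "", line)
            gsub(/"/, "", line)
            print line
        }
    ' "$1"
}

# Return 0 if every published lissi-verifier port is bound to loopback
# (127.0.0.1 or [::1]), i.e. reachable only through the nginx reverse proxy.
check_loopback_binding() {
    status=0
    found=0
    for mapping in $(verifier_port_mappings "$1"); do
        found=1
        case "$mapping" in
            127.0.0.1:*|"[::1]:"*) ;;
            *) echo "lissi-verifier port mapping '$mapping' is reachable on all host interfaces"
               status=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no ports found for the lissi-verifier service"
        status=1
    fi
    return "$status"
}

# Return 0 if aries-cloud-agent has the second --webhook-url pointing at the
# verifier with the API key fragment (what lets the verifier authenticate webhooks).
check_webhook_wired() {
    grep -qF "http://lissi-verifier:8080/api/acapy-webhook#\$LISSI_VERIFIER_WEBHOOK_API_KEY" "$1" && return 0
    echo "aries-cloud-agent has no --webhook-url for lissi-verifier carrying the API key"
    return 1
}

# Write a constructed compose excerpt (demo data, not a real deployment file);
# $2 is the port mapping to publish for lissi-verifier.
write_sample_compose() {
    cat > "$1" <<EOF
services:
  lissi-verifier:
    image: "\${LISSI_VERIFIER_IMAGE}"
    ports:
        - "$2"
  aries-cloud-agent:
    command: ["-c", "aca-py start --webhook-url 'http://lissi-verifier:8080/api/acapy-webhook#\$LISSI_VERIFIER_WEBHOOK_API_KEY'"]
EOF
}

# Demo run against the constructed excerpt.
SAMPLE="${TMPDIR:-/tmp}/lissi-verifier-preflight-sample.yml"
write_sample_compose "$SAMPLE" "127.0.0.1:8888:8080"
check_loopback_binding "$SAMPLE" && echo "lissi-verifier is published on loopback only"
check_webhook_wired "$SAMPLE" && echo "aca-py webhook is wired to lissi-verifier"
check_verifier_env || echo "fix ~/.profile before step 3; candidate key: $(generate_webhook_key)"
```

To use it on a real deployment, run "source ~/.profile" first, then call check_loopback_binding and check_webhook_wired with ~/app/server/docker-compose.yml as the argument; a mapping such as "8888:8080" (no host address) would make the verifier reachable on every interface, bypassing the TLS termination and the limit_except rules in nginx, which is what the loopback check flags.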

3. Start the Lissi Verifier

```sh
source ~/.profile

cd ~/app/client
./manage.sh stop

cd ~/app/server
./manage.sh stop

cd ~/app/keycloak
./manage.sh stop

cd ~/app
sh install-lissi.sh
```

During the installation process, you need to manually confirm the prompt "(U)pdate certificate / (C)ancel" with U.

Test the Lissi Verifier

Access your Lissi Verifier instance via https://verifier.<your-domain> and log in with the same credentials used to access the Lissi Agent.