Policy Server and Policy Server Proxy installation and configuration

Prerequisites

Hardware requirements

The minimum hardware requirements for the server hosting the marketplace are:

  • number of cores: 1

  • RAM: 2 GB

  • disk: 0.5 GB

Software requirements

Deployment steps

There are two ways to install and run the Policy Server: using Docker Compose or the Docker Engine.

Option 1 - Use Docker Compose to install and run the Policy Server

To install and configure the Policy Server, perform the following steps:

  1. The Policy Server repository is located here.

  2. Change the current directory to docker-compose.

  3. Copy .env.example to .env.

  4. Edit the .env file to set environment variables specific to your configuration (please refer to the Environment Variables chapter for how to set them).

  5. Start the Policy Server service.

The Policy Server will start in a Docker container and will be accessible via HTTP on port 8001 on the host system.

Option 2 - Use Docker to install and run the Policy Server

To install and configure the Policy Server, perform the following steps:

  1. The Policy Server repository is located here.

  2. Copy .env.example to .env.

  3. Edit the .env file to set environment variables specific to your configuration (please refer to the Environment Variables chapter for how to set them).

  4. Start the Policy Server service.

The Policy Server will start in a Docker container and will be accessible via HTTP on port 8001 on the host system.

Post installation steps

  • Deploy the policy server behind a reverse proxy responsible for TLS termination and secure request forwarding. The proxy should enforce HTTPS for all external traffic and route decrypted requests to the internal application port.

  • Place the policy server in a network environment that allows outbound communication to the configured OE Node and SSI Verifier.

Environment Variables

Operation Mode

The Policy Server component can run in two modes:

  • as an actual Policy Server: implements the Policy Server functionality, as described here;

  • as a Policy Server Proxy: implements the Policy Server Proxy functionality, as described here.

Note: While both modes can run within the same component, deploying them on separate servers is recommended to clearly isolate front‑end traffic from back‑end traffic.

MODE_PS

Description: Indicates whether Policy Server mode is enabled.

  • Value "1": the Policy Server mode is enabled

  • Value "0": the Policy Server mode is disabled

Values: string ("1" or "0")

Example: "1"

Default Value: N/A

MODE_PROXY

Description: Indicates whether Policy Server Proxy mode is enabled.

  • Value "1": the Policy Server Proxy mode is enabled

  • Value "0": the Policy Server Proxy mode is disabled

Values: string ("1" or "0")

Example: "1"

Default Value: N/A

OE Node

OCEAN_NODE_URL

Description: Sets the base URL of the OE Node used by the policy server. The policy server will receive authorization requests from this OE Node and will send back either an authorization response (allow/deny) or other messages received from the Verifier. Make sure the OE Node has the corresponding POLICY_SERVER_URL variable set to the policy server's URL.

Values: string (URL)

Example: https://ocean-node-vm3.oceanenterprise.io/

Default Value: N/A

SSI Verifier

AUTH_TYPE

Description: Sets the type of authorization used by the policy server. Currently the only supported value is waltid, meaning that authorization is based on the walt.id Identity Suite components.

Values: string

Example: waltid

Default Value: waltid

WALTID_VERIFIER_URL

Description: Sets the base URL of the verifier component used by this policy server. For an access request to an asset, the policy server forwards the requested credentials and the verification policies to the verifier component, which initiates a presentation session.

Values: string (URL)

Example: https://verifier2.demo.oceanenterprise.io/

Default Value: N/A

Policy Server Proxy

WALTID_VERIFY_RESPONSE_REDIRECT_URL

Description: Sets the redirect URL for the verify calls performed by the SSI Wallet. The URL must include the base URL of the Policy Server Proxy, followed by /verify/\$id.

Values: string (URL)

Example: https://psproxy1.demo.oceanenterprise.io/verify/\$id/

Default Value: N/A

WALTID_VERIFY_PRESENTATION_DEFINITION_URL

Description: Sets the redirect URL for the presentation definition calls performed by the SSI Wallet. The URL must include the base URL of the Policy Server Proxy, followed by /pd/\$id.

Values: string (URL)

Example: https://psproxy1.demo.oceanenterprise.io/pd/\$id/

Default Value: N/A

Default Verification Policies

The Policy Server can be configured to apply additional static verification policies beyond those provided by the OE Node in a verification request. The verification policies can be applied to the Verifiable Credential presented by the SSI Wallet or to the Verifiable Presentation that embeds the Verifiable Credentials submitted by the SSI Wallet.

The list of static verification policies is available here.

DEFAULT_VC_POLICIES

Description: Sets the default static policies applied to the Verifiable Credentials submitted by the SSI Wallet for verification.

Values: list of strings

Example: "expired","signature","revoked-status-list","not-before"

Default Value: []

DEFAULT_VP_POLICIES

Description: Sets the default static policies applied to the Verifiable Presentation submitted by the SSI Wallet for verification.

Values: list of strings

Example: "expired","signature","revoked-status-list","not-before"

Default Value: []

SSI Verification Response

WALTID_SUCCESS_REDIRECT_URL

Description: Sets the redirect URL to return when all verification policies pass.

Values: string (URL)

Example: "https://example.com/success?id=$id"

Default Value: ""

WALTID_ERROR_REDIRECT_URL

Description: Sets the redirect URL to return when a verification policy fails.

Values: string (URL)

Example: "https://example.com/error?id=$id"

Default Value: ""

Logs

ENABLE_LOGS

Description: Indicates whether logging is enabled.

  • Value "1": logging is enabled

  • Value "0": logging is disabled

Values: string ("1" or "0")

Example: "1"

Default Value: "0"

TCP Port

PORT

Description: Defines the port on which the application listens inside the container. In the docker-compose.yml file, the host port 8001 is mapped to the default container port (3000). If you change the default value, make sure you also update the port mapping in the docker-compose.yml file.

Values: number

Example: 3000

Default Value: 3000
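
A pre-flight check for the .env file described in this chapter, added here as an example (it is not part of the Policy Server repository). The function names env_get and check_ps_env, the placeholder hostnames, and the choice to require https:// on the two wallet-facing URLs are assumptions of this example; the value rules themselves are the ones documented above.

```shell
# Added example: pre-flight lint for a Policy Server .env file (not project code).

# Print KEY's value from FILE, surrounding quotes stripped (last assignment wins).
env_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one ERROR line per problem; return 0 when the file is clean, else 1.
check_ps_env() {
  f=$1; bad=0
  fail() { echo "ERROR: $*"; bad=1; }
  for k in MODE_PS MODE_PROXY; do   # no default value, so both must be set
    case "$(env_get "$f" "$k")" in 0|1) ;; *) fail "$k must be \"0\" or \"1\"" ;; esac
  done
  case "$(env_get "$f" ENABLE_LOGS)" in ''|0|1) ;; *) fail "ENABLE_LOGS must be \"0\" or \"1\"" ;; esac
  for k in OCEAN_NODE_URL WALTID_VERIFIER_URL; do
    case "$(env_get "$f" "$k")" in http://?*|https://?*) ;; *) fail "$k must be an http(s) base URL" ;; esac
  done
  # Wallet-facing URLs, checked when set. Requiring https:// is this example's assumption;
  # the path suffix is from the page ('$id' and the escaped '\$id' are both accepted).
  for pair in WALTID_VERIFY_RESPONSE_REDIRECT_URL:/verify/ WALTID_VERIFY_PRESENTATION_DEFINITION_URL:/pd/; do
    k=${pair%%:*}; p=${pair#*:}; v=$(env_get "$f" "$k")
    [ -z "$v" ] && continue
    case "$v" in https://?*) ;; *) fail "$k must use https://" ;; esac
    case "$v" in *"$p"'$id'*|*"$p"'\$id'*) ;; *) fail "$k must contain ${p}\$id" ;; esac
  done
  port=$(env_get "$f" PORT); port=${port:-3000}   # 3000 is the documented default
  case "$port" in
    *[!0-9]*) fail "PORT must be a number" ;;
    *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || fail "PORT must be 1-65535" ;;
  esac
  return "$bad"
}

# Constructed sample with three mistakes; hostnames are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
MODE_PS="1"
MODE_PROXY=yes
OCEAN_NODE_URL=https://oe-node.example.test/
WALTID_VERIFIER_URL=https://verifier.example.test/
WALTID_VERIFY_RESPONSE_REDIRECT_URL="http://psproxy.example.test/verify/$id"
WALTID_VERIFY_PRESENTATION_DEFINITION_URL="https://psproxy.example.test/pd/"
EOF
check_ps_env "$sample" || echo "fix .env before starting the Policy Server"
rm -f "$sample"
```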
