AWS Marketplace

Installing and Configuring Proven

This document will guide you through the steps to deploy and configure Proven in Google Cloud using Indicio Proven from the GC Marketplace. The first part of this document is a “quick start” to get you up and running quickly; the indicated appendices provide more detail if needed.

Creating the VM instance (Defaults will work for all items not included in these instructions)

  1. Navigate to the Google Cloud Console, https://console.cloud.google.com/

  2. Select the project that you want the Proven instance to reside in.

  3. In the Navigation Menu (top left), go to Compute Engine > VM Instances

    1. If it’s a new project, click “Enable”

  4. Click CREATE INSTANCE

    1. From the left menu select “Marketplace”.

    2. In the “Search Marketplace” field type “Proven” and hit enter.

    3. Select “Indicio Proven”.

    4. Click GET STARTED to configure your Proven VM as a trial, or click LAUNCH if you have already done the trial.

      1. If a trial, agree to the agreements then click DEPLOY.

      2. For new projects, click “Enable” to enable the required APIs.

  5. Change the Deployment name if desired. This will be the name of your VM instance.

  6. Select and record your Zone choice for later use.

  7. For Machine type choose a machine with at least 2 vCPUs and 4 GB of memory. For example, these defaults should be adequate:

    1. Set Series to E2

    2. Set Machine type to e2-medium

  8. Under Boot disk it is recommended to select a disk at least 50GB in size. (default)

  9. You can set a static IP address later if desired. It is not available for change at this phase unless you have already pre-configured a static IP for use here. (This can be accomplished by creating a static external IP in your default VPC in a separate tab.)

  10. Scroll to the bottom, check the box to accept the terms of service, then click DEPLOY.

  11. After deployment is complete:

    1. Note the link for instructions for creating a static IP address if needed (on the right under “Suggested next steps”)

    2. In the right panel - Click on the instance name to bring up details about the Proven instance you just deployed

    3. Click EDIT

    4. Scroll down to Networking and under Firewalls check the boxes that will allow HTTP and HTTPS traffic.

    5. Click SAVE

    6. Click VM instances (in the left menu)

    7. Record the External IP address of your Proven instance for later use.

Configure DNS (see appendix A for an example DNS setup option)

  1. Add a DNS entry for Proven.

Configure the VM

  1. Navigate back to the Google Cloud console

  2. SSH into the VM

    1. Select Compute engine > VM instances, then for [your-proven-instance] click SSH

  3. Enter these commands in your instance so that “proven.service” starts automatically after every server reboot.

     cd /opt/indicio/proven-release-docker
     sudo systemctl enable proven

  4. Run this command for Proven.

     sudo cp staging.env .env

  5. Run the command ip a and record the private IP address of your primary network interface (ens4). This local IP address will be used in the next step.

  6. Edit the .env file to fit your environment.

     sudo vim .env

     Shown below are the minimal fields that need to be configured, their default values, and short descriptions. The remaining fields are described in Appendix B.

PROVEN_ISSUER_SERVER_NAME=proven.dev.indiciotech.io

Use your DNS entry or the IP address for the issuer. Do not include “http://” or a trailing slash.

PROVEN_ISSUER_SEED=

Must be 32 alphanumeric characters and must have “--seed “ at the start. If you do not have a seed and this is a testing environment, you may leave this blank; if it is blank, make sure to perform step 7. For a production environment, see Appendix D.

TAILS_URL=http://10.128.15.205:6543

Replace the IP address on this line with your local IP address. Leave the port as 6543.

NODE_ENV=production

PROVEN_ISSUER_API_DB_PASSWORD=provenapi

Local database password. For security purposes, this MUST be changed.

PROVEN_ISSUER_AGENT_DB_PASSWORD=provenagent

Local database password. For security purposes, this MUST be changed.

PROVEN_ISSUER_PROXY_DB_PASSWORD=provenagent

Local database password. For security purposes, this MUST be changed.

PROVEN_ISSUER_AGENT_LABEL=Proven

This is the issuer name shown in other agents’ connection lists. Change this so that agents can tell the difference between Proven issuers.

PROVEN_ISSUER_ENC_KEY=1ae2e84429d3447aa9aa8e38ea84fa6b

Encryption key. For security purposes, this value MUST be changed. Must be 32 alphanumeric characters.

PROVEN_ADMIN_PASSWORD=

Must be added and must be 15 characters long.

PROVEN_ISSUER_WEB_ROOT=https://proven.dev.indiciotech.io

If you have a DNS name, change localhost to the issuer DNS name with https://. Otherwise, change it to your VM’s external IP. Do not include a trailing slash.

PROVEN_ISSUER_JWT_SECRET=Zu0gPaBdGSP8dfgoK6C1vlBLaXOh6gGq

For security purposes, this value MUST be changed. Must be 32 alphanumeric characters.

PROVEN_ISSUER_SESSION_SECRET=Xn2r5u8xjAgD7G39jjdSgVkYp3s6v9y5

For security purposes, this value MUST be changed. Must be 32 alphanumeric characters.

PROVEN_ISSUER_ENC_KEY=54234625127cb22694ff0e27cc14b685

For security purposes, this value MUST be changed. Must be 32 alphanumeric characters.
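
The constraints in step 6 (32 alphanumeric characters for the keys and secrets, a 15-character admin password, the “--seed ” prefix, and no secret left at a published default) can be checked mechanically before the service is started. The script below is an added example, not part of Indicio's tooling; the function names gen_secret, is_alnum32 and audit_env are hypothetical, and the defaults it compares against are the ones printed in this guide.

```sh
#!/bin/sh
# Added example, not Indicio's tooling: check a Proven .env against step 6's rules.

# Default values printed in this guide; a secret still set to one is a finding.
SHIPPED="provenapi provenagent 1ae2e84429d3447aa9aa8e38ea84fa6b
54234625127cb22694ff0e27cc14b685 Zu0gPaBdGSP8dfgoK6C1vlBLaXOh6gGq
Xn2r5u8xjAgD7G39jjdSgVkYp3s6v9y5"

# gen_secret [N]: print N (default 32) alphanumerics drawn from /dev/urandom.
# tr -dc drops every other byte value, so the 62 characters stay equally likely.
gen_secret() (
  n=${1:-32}
  s=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$n")
  [ "${#s}" -eq "$n" ] && printf '%s\n' "$s"
)

# is_alnum32 VALUE: succeed only for exactly 32 characters from [A-Za-z0-9].
is_alnum32() {
  [ "${#1}" -eq 32 ] || return 1
  case $1 in *[!A-Za-z0-9]*) return 1 ;; esac
}

# audit_env FILE: print one line per finding; exit status 0 only if there are none.
audit_env() (
  LC_ALL=C; export LC_ALL
  findings=0; admin_seen=0
  flag() { echo "$1: $2"; findings=$((findings + 1)); }
  while IFS='=' read -r key val || [ -n "$key" ]; do
    case $key in ''|\#*) continue ;; esac          # skip blanks and comments
    case $key in *_PASSWORD|*_KEY|*_SECRET)
      for d in $SHIPPED; do
        if [ "$val" = "$d" ]; then flag "$key" "still a default from the guide"; fi
      done ;;
    esac
    case $key in
      PROVEN_ISSUER_ENC_KEY|PROVEN_ISSUER_JWT_SECRET|PROVEN_ISSUER_SESSION_SECRET)
        is_alnum32 "$val" || flag "$key" "must be 32 alphanumeric characters" ;;
      PROVEN_ADMIN_PASSWORD)
        admin_seen=1
        [ "${#val}" -eq 15 ] || flag "$key" "must be 15 characters long" ;;
      PROVEN_ISSUER_SEED)
        seed=${val#--seed }   # strips the required prefix when it is present
        if [ -n "$val" ] && { [ "$seed" = "$val" ] || ! is_alnum32 "$seed"; }; then
          flag "$key" "must be '--seed ' plus 32 alphanumeric characters"
        fi ;;
    esac
  done < "$1"
  [ "$admin_seen" -eq 1 ] || flag PROVEN_ADMIN_PASSWORD "is missing"
  [ "$findings" -eq 0 ]
)
```

After sourcing the script on the VM, run audit_env against /opt/indicio/proven-release-docker/.env and replace each flagged value with the output of gen_secret (gen_secret 15 for the admin password) before starting the service.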

  1. For an example of a configured .env file, please see Appendix B.

  2. Run the following command:

    1. sudo systemctl start proven

    2. Start a new SSH window if you want to monitor the progress of the starting of Proven.

      1. sudo systemctl status proven

      2. On error, return to the original ssh window, wait for the process to stop, then try again.

  3. INFORMATIONAL NOTES: “proven.service” is a Linux service file that makes it easy to start and stop your Proven instance. It usually takes a minute or two for Proven to be ready for use. The following are some tips and FUTURE commands that you can run if you need to manage the proven service:

    1. IMPORTANT: Do NOT stop the service in the middle of its initial starting time. Doing so can interrupt the install process and corrupt files, which will then need to be removed before restarting.

    2. For later use to stop the proven service:

         sudo systemctl stop proven

    3. For later use to restart the proven service:

         sudo systemctl stop proven
         sudo systemctl start proven

Accessing Proven

You should now be able to navigate to your Proven issuer in a web browser, using its DNS name or IP address.

(OPTIONAL) In this version of Proven, only the “User” credential is included. If you would like to add more credentials, follow the steps in Appendix C now.

Creating and Anchoring your Issuer DID

  1. If you left the ISSUER seed variable blank during step 4d, this step is required

  2. Run the following commands from the google cloud SSH window:

    1. sudo docker-compose -f docker-compose.live.yml exec proven-issuer-api node firstimesetup.js

    2. Agree to the Transaction Author Agreement

    3. To anchor the new DID which is now displayed -> open https://selfserve.indiciotech.io

    4. Select the Indicio DemoNet option from the Network dropdown box. DemoNet is the default used in Proven, but please select TestNet if you changed the .env file to that one. You will need to use a different tool if your identity network is not an Indicio network.

    5. Copy the new DID and Verkey displayed on the Proven window, to the DID and Verkey fields of the Selfserve form.

    6. Click Submit

    7. Return to the Proven SSH window and enter ‘y’ to indicate having anchored the Endorser DID.

    8. Wait while the Credential definitions are created for you.

    9. When you see Completed, then press enter to continue.

  3. Your Proven instance is now ready to go!

  4. To try out Proven with a user credential do the following:

    1. Install the latest Holdr+ app on your mobile device.

    2. Navigate to your Proven IP address or DNS url.

    3. Using your mobile Holdr+ app, scan the QR code displayed.

      1. This creates a connection between your mobile device and the Proven Issuer

      2. Troubleshooting Tip: If you see "Loading Please wait" for a long time at this point, try refreshing the browser page. If that doesn’t fix the problem then you might have an issue with your DNS setup that is causing the problem.

    4. Change the IP address in your browser by adding “/admin” to the end of it.

    5. Login using the following credentials:

      1. Username: admin

      2. Password:

    6. You should now see the Issuer admin interface.

    7. Click on CONTACTS in the left menu

    8. Click on the most recent contact.

    9. Under choose credential, select “user”

      1. Hint: if the “user” option is not in the list, refresh the page and try again

    10. Fill in the fields

    11. Click “Send”

    12. You should now see a notification of a new credential on your mobile device (go to the home screen to see notifications on Holdr+)

    13. Click “view” to view the credential offer.

    14. Scroll to the bottom of the Credential offer and click “Accept”

    15. After the credential is added to your wallet, click ‘Done’.

    16. You now have Proven Issuer working!

Appendix A - DNS Setup Example

To set up DNS for Proven on Google’s Cloud DNS (by creating a new subdomain of your existing domain), do the following:

  1. Go to GCP’s Cloud DNS section in Network services (Navigation Menu > Networking > Network Services > Cloud DNS)

  2. Click Create Zone if a new Zone is desired. Otherwise, if a zone is already created, click on the zone name then skip to step 3.

    1. Give the zone a name. This name is just how it will appear in the list and need not necessarily match the new subdomain.

    2. For DNS name, enter a new subdomain. (In the example configuration below, using the domain dev.indiciotech.io means we want to create a new dev subdomain of the existing indiciotech.io domain)

    3. Click Create

    4. Here’s an example configuration:

    5. To “activate” this new subdomain in GC, you need to register the subdomain in your existing domain (i.e. at your registrar).

      1. Click the name of the new zone you just created.

      2. Click on REGISTRAR SETUP (upper right of the screen) to find the items that need to be added to the new NS record, then add the domain’s DNS Name Server entries to your registrar.

  3. Click Add Standard

    1. Create a DNS Name for proven and record it for later use (e.g. proven.dev.indiciotech.io)

    2. Defaults are okay

    3. Set the “IPv4 Address” to the “External IP address” of the VM you created earlier.

    4. Click “Create”

Appendix B - Environment file variable descriptions plus an example file.

  1. Full list of .env file variable descriptions

PROVEN_ISSUER_SSL_DOMAIN_PATH=

Path to Issuer SSL certificate. If not defined, creates a self-signed cert. If using certbot, leave blank before running certbot.

PROVEN_ISSUER_SERVER_NAME=proven.dev.indiciotech.io

Use your DNS entry for the issuer in place of “localhost.” Do not include “http://” or a trailing slash

PROVEN_ISSUER_HTTPS_PORT=443

The port that the issuer uses for https connections.

PROVEN_ISSUER_HTTP_PORT=80

The port that the issuer uses for http connections.

GENESIS_URL=https://raw.githubusercontent.com/Indicio-tech/indicio-network/main/genesis_files/pool_transactions_testnet_genesis

The URL to the Genesis pool file. Must be a URL. Do not include a trailing slash. The default connects to the testnet, make sure to adjust this for the network you are connecting to.

PROVEN_ISSUER_SEED=

Must be 32 alphanumeric characters. Has to have “--seed “ at the start. Typically only used in Live environments.

TEST_SEED=

Must be 32 alphanumeric characters. Has to have “--seed “ at the start. Not necessary.

TAILS_URL=http://10.128.15.205:6543

Replace the IP address with your local IP address on this line.

DISABLE_SSL_CHECK=true

NODE_ENV=development

Possible values: production, development

GOVERNANCE_PATH=http://localhost:3100/api/governance-framework

Where governance details are downloaded from. Can use DNS name, but typically left as localhost.

PROVEN_ISSUER_API_DB_HOST=db

Local database

PROVEN_ISSUER_API_DB=provenapi

Local database

PROVEN_ISSUER_API_DB_USERNAME=provenapi

Local database

PROVEN_ISSUER_API_DB_PASSWORD=provenapi

Local database

PROVEN_ISSUER_AGENT_DB=provenagent

Local database

PROVEN_ISSUER_AGENT_DB_HOST=db

Local database

PROVEN_ISSUER_AGENT_DB_USERNAME=provenagent

Local database

PROVEN_ISSUER_AGENT_DB_PASSWORD=provenagent

Local database

PROVEN_ISSUER_AGENT_ADMIN_DB_USERNAME=development

Local database

PROVEN_ISSUER_AGENT_ADMIN_DB_PASSWORD=development

Local database

PROVEN_ISSUER_AGENT_LABEL=Proven

This is what you want the issuer name to show up as on other agents’ connection list.

PROVEN_ISSUER_ENC_KEY=1ae2e84429d3447aa9aa8e38ea84fa6b

Encryption key. Must be 32 alphanumeric characters.

PROVEN_ISSUER_PROXY_DB=postgres://provenproxy:provenproxy@db:5432/provenproxy

PROVEN_ISSUER_WEB_ROOT=https://issuer.dev.indiciotech.io

If you have a DNS name, change localhost to the issuer DNS name with https://. Otherwise, change it to your VM’s external IP. Do not have a trailing slash.

PROVEN_ISSUER_JWT_SECRET=Zu0gPaBdGSP8dfgoK6C1vlBLaXOh6gGq

Must be 32 alphanumeric characters.

PROVEN_ISSUER_SESSION_SECRET=Xn2r5u8xjAgD7G39jjdSgVkYp3s6v9y5

Must be 32 alphanumeric characters.

PROVEN_ISSUER_ENC_KEY=54234625127cb22694ff0e27cc14b685

Must be 32 alphanumeric characters.

ISSUER_RECAPTCHA_SITEKEY=

Paste in your saved recaptcha site key that you created in step 3

ISSUER_RECAPTCHA_SECRETKEY=

Paste in your saved recaptcha secret key that you created in step 3

SCHEMA_USER=Gj39gdivhMneKBaamMsX7P:2:User:1.0

Here is an example of a configured .env:

PROVEN_ISSUER_SSL_DOMAIN_PATH=

PROVEN_ISSUER_SERVER_NAME=issuer-proven-test.dev.indiciotech.io

PROVEN_ISSUER_HTTPS_PORT=443

PROVEN_ISSUER_HTTP_PORT=80

PROVEN_SESSION_MAXAGE=86400000

WDS_SOCKET_PORT=0

WDS_SOCKET_HOST=0.0.0.0

WDS_SOCKET_PATH=sockjs-node

GENESIS_URL=https://raw.githubusercontent.com/Indicio-tech/indicio-network/main/genesis_files/pool_transactions_demonet_genesis

PROVEN_ISSUER_SEED=

TEST_SEED=

TAILS_URL=http://10.128.15.205:6543

DISABLE_SSL_CHECK=true

NODE_ENV=development

GOVERNANCE_PATH=http://localhost:3100/api/governance-framework

PROVEN_ISSUER_API_DB_HOST=db

PROVEN_ISSUER_API_DB=provenapi

PROVEN_ISSUER_API_DB_USERNAME=provenapi

PROVEN_ISSUER_API_DB_PASSWORD=provenapi

PROVEN_ISSUER_AGENT_DB=provenagent

PROVEN_ISSUER_AGENT_DB_HOST=db

PROVEN_ISSUER_AGENT_DB_USERNAME=provenagent

PROVEN_ISSUER_AGENT_DB_PASSWORD=provenagent

PROVEN_ISSUER_AGENT_ADMIN_DB_USERNAME=development

PROVEN_ISSUER_AGENT_ADMIN_DB_PASSWORD=development

PROVEN_ISSUER_AGENT_LABEL=Proven

PROVEN_ISSUER_ENC_KEY=1ae2e84429d3447aa9aa8e38ea84fa6b

PROVEN_ISSUER_PROXY_DB=postgres://provenproxy:provenproxy@db:5432/provenproxy

PROVEN_ISSUER_WEB_ROOT=https://issuer-proven-test.dev.indiciotech.io

PROVEN_ISSUER_JWT_SECRET=Zu0gPaBdGSP8dfgoK6C1vlBLaXOh6gGq

PROVEN_ISSUER_SESSION_SECRET=Xn2r5u8xjAgD7G39jjdSgVkYp3s6v9y5

PROVEN_ISSUER_ENC_KEY=54234625127cb22694ff0e27cc14b685

ISSUER_RECAPTCHA_SITEKEY=6LcokwUmAAAAAOg8mC4bXpRObIMVpB6LsFvzty3e

ISSUER_RECAPTCHA_SECRETKEY=6LcokwUmAAAAAIcuLhLZ_Vgd_6TUhOj0E9QcBAXS

SCHEMA_USER=Gj39gdivhMneKBaamMsX7P:2:User:1.0

Appendix C - Add a new credential type

Proven ships with just a User credential by default. The following details the instructions for adding a new credential type to the list of credentials managed by your instance of Proven. These instructions just include the method needed for altering the Proven configuration to include an existing schema and do not include the instructions for building and adding a schema to an identity network. Please contact [email protected] for more information.

These instructions are an example of how to add an employment schema to your instance of Proven.

  1. Find the Schema ID of the credential you would like to add to Proven.

    1. For this example, we use the employment schema 4rZRryzpji8LUwuvKRVdzU:2:Employment:1.0 which is from the Indicio DemoNet.

  2. Update the environment file with the schema:

    1. sudo vi .env

    2. Add a line right after the SCHEMA_USER line

      1. SCHEMA_EMPLOYMENT=4rZRryzpji8LUwuvKRVdzU:2:Employment:1.0

    3. Save and exit

  3. Update the common-services.yml file to pass the schema variable to the proven-issuer-api service:

    1. sudo vi common-services.yml

    2. Locate the line containing SCHEMA_USER in the file. (It’s about a third of the way through the file.)

    3. Below that line, add the following line:

      1. - SCHEMA_EMPLOYMENT=${SCHEMA_EMPLOYMENT}

    4. Save and exit

  4. Update the schema definition files with the new schema:

    1. sudo vi config/proven-issuer-api/schemas.json

         {
           "schemas": [
             { "id": "Gj39gdivhMneKBaamMsX7P:2:User:1.0" },
             { "id": "4rZRryzpji8LUwuvKRVdzU:2:Employment:1.0" }
           ]
         }

    2. sudo vi config/proven-issuer-api/schemas-verification.json

         {
           "schemaList": [
             {
               "verification_label": "User - Full Disclosure",
               "schema_id": "Gj39gdivhMneKBaamMsX7P:2:User:1.0",
               "schema_attributes": [
                 "username",
                 "user_email",
                 "user_id",
                 "user_roles"
               ]
             },
             {
               "verification_label": "User - Username and User Email",
               "schema_id": "Gj39gdivhMneKBaamMsX7P:2:User:1.0",
               "schema_attributes": [
                 "username",
                 "user_email"
               ]
             },
             {
               "verification_label": "Employment - Full Disclosure",
               "schema_id": "4rZRryzpji8LUwuvKRVdzU:2:Employment:1.0",
               "schema_attributes": [
                 "employer_region",
                 "employment_type",
                 "employee_given_names",
                 "employer_country",
                 "employment_postal_code",
                 "employment_start_date",
                 "employer_postal_code",
                 "employment_country",
                 "employment_role",
                 "employer_city",
                 "employer_address",
                 "employment_role_description",
                 "employee_surnames",
                 "employer_name",
                 "employment_city",
                 "employment_region",
                 "employment_address"
               ]
             }
           ]
         }

    3. Save and exit

  5. WARNING: The following commands do a complete reset of your Proven Agent. This means that all of your previous connections and issued credentials will no longer be accessible. This also means that you might need to re-anchor a new DID to the ledger (unless you are using a static DID in the .env file). If you are adding the new credential type before starting Proven for the first time, then you can ignore this warning and ignore the following steps.

  6. Reset your proven agent so that the new credential schema will be usable by your Proven agent:

    1. sudo systemctl stop proven

    2. sudo docker-compose -f docker-compose.live.yml down -v

    3. sudo rm -rf postgres-db

    4. sudo systemctl start proven

  7. Return to main instructions and continue.

Appendix D - Issuer DID setup

For help with setting up your own Issuer DID, please contact us: [email protected]

Copyright 2025 Indicio PBC
