# Proven Installation Guide

## Installing and Configuring Proven

This document guides you through the steps to deploy and configure Proven in Google Cloud using Indicio Proven from the GC Marketplace. The first part of this document is intended as a “quick start” to get you up and running quickly; you can then consult the indicated appendices for more details if needed.

**Get the most out of your Indicio Proven**

Indicio is here to help you on every step of your journey and is offering Google Cloud customers exclusive access and discounts to Indicio’s expert support and training. Get your critical technical questions answered from our experienced support team. Help your development, sales, and marketing teams get up to speed with the fundamentals of the technology and communication of Trusted Digital Ecosystems by taking advantage of our instructor-led workshops and certifications from the [Indicio Academy](https://indicio.tech/indicio-academy/). Learn more about these exclusive discounts and [benefits for Google Cloud customers](http://indicio.tech/proven-sandbox-google-cloud) and [contact us](https://indicio.tech/contact/) today!

## Creating the VM instance (Defaults will work for all items not included in these instructions)

1. Navigate to the Google Cloud Console, <https://console.cloud.google.com/>
2. Select the project that you want the Proven instance to reside in.
3. In the Navigation Menu (top left), go to **Compute Engine** > **VM Instances**
   1. If it’s a new project, click “Enable”
4. Click **CREATE INSTANCE**
   1. From the left menu select “**Marketplace**”.
   2. In the “**Search Marketplace**” field type “**Proven**” and hit enter.
   3. Select “**Indicio Proven**”.
   4. Click **GET STARTED** to configure your Proven VM as a trial, or click **LAUNCH** if you have already done the trial.
      1. If a trial, agree to the agreements then click **DEPLOY.**
      2. For new projects, click “Enable” to enable the required APIs.
5. Change the **Deployment name** if desired. This will be the name of your VM instance.
6. Select and record your **Zone** choice for later use.
7. For **Machine type** choose a machine with at least 2 vCPUs and 4 GB of memory. For example, these defaults should be adequate:
   1. Set **Series** to E2
   2. Set **Machine type** to e2-medium
8. Under **Boot disk** it is recommended to select a disk at least **50GB** in size. (default)
9. You can set a static IP address later if desired. It is not available for change at this phase unless you have already pre-configured a static IP for use here. (This can be accomplished by creating a static external IP in your default VPC in a separate tab.)
10. Scroll to the bottom, check the box to accept the terms of service, then click **DEPLOY**.
11. After deployment is complete:
    1. Note the link for instructions for creating a static IP address if needed (on the right under “Suggested next steps”)
    2. In the right panel - **Click on the instance name** to bring up details about the Proven instance you just deployed
    3. Click **EDIT**
    4. Scroll down to **Networking** and under **Firewalls** check the boxes that will allow HTTP and HTTPS traffic.
    5. Click **SAVE**
    6. Click **VM instances** (in the left menu)
    7. Record the **External IP** address of your Proven instance for later use.

## Configure DNS (see appendix A for an example DNS setup option)

1. Add a DNS entry for Proven.

## Configure the VM

1. Navigate back to the Google Cloud console
2. SSH into the VM
   1. Select Compute Engine > VM instances, then for \[your-proven-instance] click **SSH**
3. Enter these commands in your instance to make it so that the “proven.service” starts up automatically after every server reboot.

   ```
    cd /opt/indicio/proven-release-docker
    sudo systemctl enable proven
   ```
4. Run this command to create the `.env` file for Proven from the supplied `staging.env`.

   ```
    sudo cp staging.env .env
   ```
5. Run the command `ip a` and record the private IP address of your primary network interface (ens4). This local IP address will be used in the next step.
6. Edit the .env file to fit your environment: `sudo vim .env`\
   Shown below are the minimal fields that need to be configured, their default values, and short descriptions. The remaining fields are described in Appendix B.

   `PROVEN_ISSUER_SERVER_NAME=proven.dev.indiciotech.io`\
   Use your DNS entry or the IP address for the issuer. Do not include “http://” or a trailing slash.

   `PROVEN_ISSUER_SEED=`\
   Must be 32 alphanumeric characters. Must have “--seed ” at the start. If you do not have a seed, you may leave this blank in a testing environment; if it is blank, make sure to perform step 7. For a production environment, see Appendix D.

   `TAILS_URL=http://10.128.15.205:6543`\
   Replace the IP address on this line with your local IP address. Leave the port as 6543.

   `NODE_ENV=production`

   `PROVEN_ISSUER_API_DB_PASSWORD=provenapi`\
   Local database password. For security purposes, this MUST be changed.

   `PROVEN_ISSUER_AGENT_DB_PASSWORD=provenagent`\
   Local database password. For security purposes, this MUST be changed.

   `PROVEN_ISSUER_PROXY_DB_PASSWORD=provenagent`\
   Local database password. For security purposes, this MUST be changed.

   `PROVEN_ISSUER_AGENT_LABEL=Proven`\
   This is the issuer name that will show up on other agents’ connection lists. Change this so that agents can tell the difference between Proven issuers.

   `PROVEN_ISSUER_ENC_KEY=1ae2e84429d3447aa9aa8e38ea84fa6b`\
   Encryption key. For security purposes, this value MUST be changed. Must be 32 alphanumeric characters.

   `PROVEN_ADMIN_PASSWORD=`\
   Must be added and must be 15 characters long.

   `PROVEN_ISSUER_WEB_ROOT=https://proven.dev.indiciotech.io`\
   If you have a DNS name, change localhost to the issuer DNS name with https://. Otherwise, change it to your VM’s external IP. Do not include a trailing slash.

   `PROVEN_ISSUER_JWT_SECRET=Zu0gPaBdGSP8dfgoK6C1vlBLaXOh6gGq`\
   For security purposes, this value MUST be changed. Must be 32 alphanumeric characters.

   `PROVEN_ISSUER_SESSION_SECRET=Xn2r5u8xjAgD7G39jjdSgVkYp3s6v9y5`\
   For security purposes, this value MUST be changed. Must be 32 alphanumeric characters.

   `PROVEN_ISSUER_ENC_KEY=54234625127cb22694ff0e27cc14b685`\
   For security purposes, this value MUST be changed. Must be 32 alphanumeric characters.

8. Run the following command:
   1. `sudo systemctl start proven`
   2. Start a new SSH window if you want to monitor the progress of Proven starting up.
      1. `sudo systemctl status proven`
      2. On error, return to the original SSH window, wait for the process to stop, then try again.
9. INFORMATIONAL NOTES: “proven.service” is a Linux service file that makes it easy to start and stop your Proven instance. It usually takes a minute or two for Proven to be ready for use. The following are some tips and FUTURE commands that you can run if you need to manage the proven service:
   1. IMPORTANT: Do NOT stop the service in the middle of its initial starting time. You have a chance of interrupting the install process and it will corrupt files that will need to be removed before restarting.
   2. **For later use** to stop the proven service: `sudo systemctl stop proven`
   3. **For later use** to restart the proven service: `sudo systemctl stop proven` `sudo systemctl start proven`
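
A way to produce values that meet the constraints in step 6 and to check the `.env` file before the first start, as an added example that is not part of the original guide or of Indicio's tooling. The helper names `gen_alnum` and `audit_env` are hypothetical, the default values are the ones printed in step 6, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not Indicio tooling. Function names are illustrative.

# Values this guide prints for settings it says MUST be changed (space-separated).
SHIPPED_DEFAULTS="PROVEN_ISSUER_API_DB_PASSWORD=provenapi \
PROVEN_ISSUER_AGENT_DB_PASSWORD=provenagent \
PROVEN_ISSUER_PROXY_DB_PASSWORD=provenagent \
PROVEN_ISSUER_ENC_KEY=1ae2e84429d3447aa9aa8e38ea84fa6b \
PROVEN_ISSUER_ENC_KEY=54234625127cb22694ff0e27cc14b685 \
PROVEN_ISSUER_JWT_SECRET=Zu0gPaBdGSP8dfgoK6C1vlBLaXOh6gGq \
PROVEN_ISSUER_SESSION_SECRET=Xn2r5u8xjAgD7G39jjdSgVkYp3s6v9y5"

# Print $1 random characters from [A-Za-z0-9]. Bytes come from /dev/urandom and
# everything outside the alphabet is discarded, so each character is unbiased.
gen_alnum() (
    out=""
    while [ "${#out}" -lt "$1" ]; do
        out="$out$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s\n' "$out" | cut -c "1-$1"
)

# Print one finding per line for the .env file in $1; return non-zero if any.
audit_env() {
    awk -v defaults="$SHIPPED_DEFAULTS" '
    function report(kind, key, why) { print kind " " key ": " why; bad = 1 }
    BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) shipped[d[i]] = 1 }
    /^#/ || !/=/ { next }                 # skip comments and non-assignments
    {
        key = $0; sub(/=.*/, "", key)     # text before the first "="
        val = substr($0, length(key) + 2) # text after it
        seen[key] = 1
        if ($0 in shipped)                # checked per line, so a duplicate key is caught too
            report("DEFAULT", key, "still the value printed in the guide")
        else if (key ~ /^PROVEN_ISSUER_(ENC_KEY|JWT_SECRET|SESSION_SECRET)$/ &&
                 (length(val) != 32 || val !~ /^[A-Za-z0-9]+$/))
            report("FORMAT", key, "need 32 alphanumeric characters")
        else if (key == "PROVEN_ADMIN_PASSWORD" && length(val) != 15)
            report("FORMAT", key, "need 15 characters")
    }
    END {
        if (!("PROVEN_ADMIN_PASSWORD" in seen))
            report("MISSING", "PROVEN_ADMIN_PASSWORD", "must be added")
        exit bad + 0
    }' "$1"
}

# Constructed sample: one default left in place, one short secret, no admin password.
sample=$(mktemp)
cat > "$sample" <<EOF
NODE_ENV=production
PROVEN_ISSUER_API_DB_PASSWORD=$(gen_alnum 32)
PROVEN_ISSUER_AGENT_DB_PASSWORD=provenagent
PROVEN_ISSUER_ENC_KEY=$(gen_alnum 32)
PROVEN_ISSUER_JWT_SECRET=changeme
EOF
audit_env "$sample" || echo "fix the findings above before starting proven"
rm -f "$sample"
```

Run `audit_env .env` from `/opt/indicio/proven-release-docker` before step 8; it checks only the constraints this guide states, and each matching line is reported, so a default left on the second `PROVEN_ISSUER_ENC_KEY` line is flagged as well.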

## Accessing Proven

You should now be able to navigate to your Proven issuer in a web browser, using its DNS name or IP address.

## (OPTIONAL) In this version of Proven, only the “User” credential is included. If you would like to add more credentials, follow the steps in Appendix C now.

## Creating and Anchoring your Issuer DID

1. If you left the ISSUER seed variable blank during step 4d, this step is required
2. Run the following commands from the google cloud SSH window:
   1. **sudo docker-compose -f docker-compose.live.yml exec proven-issuer-api node firstimesetup.js**
   2. Agree to the Transaction Author Agreement
   3. To anchor the new DID which is now displayed -> open <https://selfserve.indiciotech.io>
   4. Select the Indicio DemoNet option from the Network dropdown box. DemoNet is the default used in Proven, but please select TestNet if you changed the .env file to that one. You will need to use a different tool if your identity network is not an Indicio network.
   5. Copy the new DID and Verkey displayed on the Proven window, to the DID and Verkey fields of the Selfserve form.
   6. Click Submit
   7. Return to the Proven SSH window and enter ‘y’ to indicate having anchored the Endorser DID.
   8. Wait while the Credential definitions are created for you.
   9. When you see **Completed**, then press enter to continue.
3. Your Proven instance is now ready to go!
4. To try out Proven with a user credential do the following:
   1. Install the latest Holdr+ app on your mobile device.
   2. Navigate to your Proven IP address or DNS URL.
   3. Using your mobile Holdr+ app, scan the QR code displayed.
      1. This creates a connection between your mobile device and the Proven Issuer
      2. Troubleshooting Tip: If you see "Loading Please wait" for a long time at this point, try refreshing the browser page. If that doesn’t fix the problem then you might have an issue with your DNS setup that is causing the problem.
   4. Change the IP address in your browser by adding “/admin” to the end of it.
   5. Login using the following credentials:
      1. Username: admin
      2. Password:
   6. You should now see the Issuer admin interface.
   7. Click on CONTACTS in the left menu
   8. Click on the most recent contact.
   9. Under choose credential, select “user”
      1. Hint: if the “user” option is not in the list, refresh the page and try again
   10. Fill in the fields
   11. Click “Send”
   12. You should now see a notification of a new credential on your mobile device (go to the home screen to see notifications on Holdr+)
   13. Click “view” to view the credential offer.
   14. Scroll to the bottom of the Credential offer and click “Accept”
   15. After the credential is added to your wallet, click ‘Done’.
   16. You now have Proven Issuer working!

## Appendix A - DNS Setup Example

To set up DNS for Proven on Google’s Cloud DNS (by creating a new subdomain of your existing domain), do the following:

1. Go to GCP’s **Cloud DNS** section in **Network services** (Navigation Menu > Networking > Network Services > Cloud DNS)
2. Click **Create Zone** if a new Zone is desired. Otherwise, if a zone is already created, click on the zone name then skip to step 3.
   1. Give the zone a name. This name is just how it will appear in the list and need not necessarily match the new subdomain.
   2. For **DNS name,** enter a new subdomain. (In the example configuration below, using the domain dev.indiciotech.io means we want to create a new **dev** subdomain of the existing indiciotech.io domain)
   3. Click **Create**
   4. Here’s an example configuration:
   5. To “activate” this new subdomain in GC, you need to register the subdomain in your existing domain (i.e. at your registrar).
      1. Click the name of the new zone you just created.
      2. Click on **REGISTRAR SETUP** (upper right of the screen) to find the items that need to be added to the new NS record, then add the domain’s DNS Name Server entries to your registrar.
3. Click **Add Standard**
   1. Create a DNS Name for proven and record it for later use (e.g. proven.dev.indiciotech.io)
   2. Defaults are okay
   3. Set the “IPv4 Address” to the “External IP address” of the VM you created earlier.
   4. Click “Create”

## Appendix B - Environment file variable descriptions plus an example file.

1. Full list of .env file variable descriptions

   `PROVEN_ISSUER_SSL_DOMAIN_PATH=`\
   Path to Issuer SSL certificate. If not defined, creates a self-signed cert. If using certbot, leave blank before running certbot.

   `PROVEN_ISSUER_SERVER_NAME=proven.dev.indiciotech.io`\
   Use your DNS entry for the issuer in place of “localhost.” Do not include “http://” or a trailing slash.

   `PROVEN_ISSUER_HTTPS_PORT=443`\
   The port that the issuer uses for https connections.

   `PROVEN_ISSUER_HTTP_PORT=80`\
   The port that the issuer uses for http connections.

   `GENESIS_URL=https://raw.githubusercontent.com/Indicio-tech/indicio-network/main/genesis_files/pool_transactions_testnet_genesis`\
   The URL to the Genesis pool file. Must be a URL. Do not include a trailing slash. The default connects to the testnet, make sure to adjust this for the network you are connecting to.

   `PROVEN_ISSUER_SEED=`\
   Must be 32 alphanumeric characters. Has to have “--seed “ at the start. Typically only used in Live environments.

   `TEST_SEED=`\
   Must be 32 alphanumeric characters. Has to have “--seed “ at the start. Not necessary.

   `TAILS_URL=http://10.128.15.205:6543`\
   Replace the IP address with your local IP address on this line.

   `DISABLE_SSL_CHECK=true`

   `NODE_ENV=development`\
   Possible values: production, development

   `GOVERNANCE_PATH=http://localhost:3100/api/governance-framework`\
   Where governance details are downloaded from. Can use DNS name, but typically left as localhost.

   `PROVEN_ISSUER_API_DB_HOST=db`\
   Local database

   `PROVEN_ISSUER_API_DB=provenapi`\
   Local database

   `PROVEN_ISSUER_API_DB_USERNAME=provenapi`\
   Local database

   `PROVEN_ISSUER_API_DB_PASSWORD=provenapi`\
   Local database

   `PROVEN_ISSUER_AGENT_DB=provenagent`\
   Local database

   `PROVEN_ISSUER_AGENT_DB_HOST=db`\
   Local database

   `PROVEN_ISSUER_AGENT_DB_USERNAME=provenagent`\
   Local database

   `PROVEN_ISSUER_AGENT_DB_PASSWORD=provenagent`\
   Local database

   `PROVEN_ISSUER_AGENT_ADMIN_DB_USERNAME=development`\
   Local database

   `PROVEN_ISSUER_AGENT_ADMIN_DB_PASSWORD=development`\
   Local database

   `PROVEN_ISSUER_AGENT_LABEL=Proven`\
   This is what you want the issuer name to show up as on other agents’ connection list.

   `PROVEN_ISSUER_ENC_KEY=1ae2e84429d3447aa9aa8e38ea84fa6b`\
   Encryption key. Must be 32 alphanumeric characters.

   `PROVEN_ISSUER_PROXY_DB=postgres://provenproxy:provenproxy@db:5432/provenproxy`

   `PROVEN_ISSUER_WEB_ROOT=https://issuer.dev.indiciotech.io`\
   If you have a DNS name, change localhost to the issuer DNS name with https://. Otherwise, change it to your VM’s external IP. Do not have a trailing slash.

   `PROVEN_ISSUER_JWT_SECRET=Zu0gPaBdGSP8dfgoK6C1vlBLaXOh6gGq`\
   Must be 32 alphanumeric characters.

   `PROVEN_ISSUER_SESSION_SECRET=Xn2r5u8xjAgD7G39jjdSgVkYp3s6v9y5`\
   Must be 32 alphanumeric characters.

   `PROVEN_ISSUER_ENC_KEY=54234625127cb22694ff0e27cc14b685`\
   Must be 32 alphanumeric characters.

   `ISSUER_RECAPTCHA_SITEKEY=`\
   Paste in your saved recaptcha site key that you created in step 3

   `ISSUER_RECAPTCHA_SECRETKEY=`\
   Paste in your saved recaptcha secret key that you created in step 3

   `SCHEMA_USER=Gj39gdivhMneKBaamMsX7P:2:User:1.0`

## Appendix C - Add a new credential type

Proven ships with just a User credential by default. The following details the instructions for adding a new credential type to the list of credentials managed by your instance of Proven. These instructions just include the method needed for altering the Proven configuration to include an existing schema and do not include the instructions for building and adding a schema to an identity network. Please contact <support@indicio.tech> for more information.

These instructions are an example of how to add an employment schema to your instance of Proven.

1. Find the Schema ID of the credential you would like to add to Proven.
   1. For this example, we use the employment schema **4rZRryzpji8LUwuvKRVdzU:2:Employment:1.0** which is from the Indicio DemoNet.
2. Update the environment file with the schema:
   1. **sudo vi .env**
   2. Add a line right after the SCHEMA\_USER line
      1. **SCHEMA\_EMPLOYMENT=4rZRryzpji8LUwuvKRVdzU:2:Employment:1.0**
   3. Save and exit
3. Update the common-services.yml file to pass the schema variable to the proven-issuer-api service:
   1. **sudo vi common-services.yml**
   2. Locate the line containing **SCHEMA\_USER** in the file. (It’s about a third of the way through the file.)
   3. Below that line, add the following line:
      1. **- SCHEMA\_EMPLOYMENT=${SCHEMA\_EMPLOYMENT}**
   4. Save and exit
4. Update the schema definition files with the new schema:
   1. **sudo vi config/proven-issuer-api/schemas.json**

      ```
      {
          "schemas": [
              {
                  "id": "Gj39gdivhMneKBaamMsX7P:2:User:1.0"
              },
              {
                  "id": "4rZRryzpji8LUwuvKRVdzU:2:Employment:1.0"
              }
          ]
      }
      ```
   2. **sudo vi config/proven-issuer-api/schemas-verification.json**

      ```
      {
          "schemaList": [
              {
                  "verification_label": "User - Full Disclosure",
                  "schema_id": "Gj39gdivhMneKBaamMsX7P:2:User:1.0",
                  "schema_attributes": [
                      "username",
                      "user_email",
                      "user_id",
                      "user_roles"
                  ]
              },
              {
                  "verification_label": "User - Username and User Email",
                  "schema_id": "Gj39gdivhMneKBaamMsX7P:2:User:1.0",
                  "schema_attributes": [
                      "username",
                      "user_email"
                  ]
              },
              {
                  "verification_label": "Employment - Full Disclosure",
                  "schema_id": "4rZRryzpji8LUwuvKRVdzU:2:Employment:1.0",
                  "schema_attributes": [
                      "employer_region",
                      "employment_type",
                      "employee_given_names",
                      "employer_country",
                      "employment_postal_code",
                      "employment_start_date",
                      "employer_postal_code",
                      "employment_country",
                      "employment_role",
                      "employer_city",
                      "employer_address",
                      "employment_role_description",
                      "employee_surnames",
                      "employer_name",
                      "employment_city",
                      "employment_region",
                      "employment_address"
                  ]
              }
          ]
      }
      ```
   3. Save and exit
5. WARNING: The following commands do a complete reset of your Proven Agent. This means that all of your previous connections and issued credentials will no longer be accessible. This also means that you might need to re-anchor a new DID to the ledger (unless you are using a static DID in the .env file). If you are adding the new credential type before starting Proven for the first time, then you can ignore this warning and ignore the following steps.
6. Reset your proven agent so that the new credential schema will be usable by your Proven agent:
   1. **sudo systemctl stop proven**
   2. **sudo docker-compose -f docker-compose.live.yml down -v**
   3. **sudo rm -rf postgres-db**
   4. **sudo systemctl start proven**
7. Return to main instructions and continue.

## Appendix D - Issuer DID setup

For help with setting up your own Issuer DID, please contact us: <support@indicio.tech>

