Packets Failing During Biometric Verification with System Exception

Johnny · March 4, 2026, 3:58pm

@ashok,
Those are all the logs for a single packet, I will appreciate your response. Thank you.

Regards,

John George

Johnny · March 4, 2026, 4:11pm

SinglePacketLog

I also attached(kindly click on SinglePacketLog above) a link for you to download the logs for easy access

Regards,

John

ashok · March 6, 2026, 7:10am

Hi @Johnny
As per the below logs from data share :

“System Error: DAT-SER-001
Message: Not allowed to generate new key pair for other domains or not allowed to generate base key**“

It appears that the ABIS certificate may have expired. Could we please check the ABIS certificate in the Key Manager database? If it has expired, could you please renew it and then try processing the packet again.

Johnny · March 6, 2026, 1:50pm

Hello @ashok ,

Thank you so very much for your response, kindly find below what I found:

mosip_keymgr=# SELECT
mosip_keymgr-# id,
mosip_keymgr-# app_id,
mosip_keymgr-# ref_id,
mosip_keymgr-# key_gen_dtimes,
mosip_keymgr-# key_expire_dtimes,
mosip_keymgr-# status_code,
mosip_keymgr-# cert_thumbprint
mosip_keymgr-# FROM keymgr.key_alias
mosip_keymgr-# WHERE ref_id LIKE ‘%abis%’
mosip_keymgr-# OR ref_id LIKE ‘%datashare%’
mosip_keymgr-# OR ref_id LIKE ‘%mpartner%’
mosip_keymgr-# OR app_id LIKE ‘%datashare%’;
id | app_id | ref_id | key_gen_dtimes | key_expire_dtimes | status_code |
cert_thumbprint
--------------------------------------±---------±--------------------------±---------------------------±---------------------------±------------±---------

mosip_keymgr=# SELECT
mosip_keymgr-# app_id,
mosip_keymgr-# ref_id,
mosip_keymgr-# key_gen_dtimes,
mosip_keymgr-# key_expire_dtimes,
mosip_keymgr-# status_code,
mosip_keymgr-# cert_thumbprint
mosip_keymgr-# FROM keymgr.key_alias
mosip_keymgr-# WHERE ref_id = ‘mpartner-default-abis’;
app_id | ref_id | key_gen_dtimes | key_expire_dtimes | status_code | cert_thumbprint
--------±-------±---------------±------------------±------------±----------------
(0 rows)

mosip_keymgr=# SELECT
mosip_keymgr-# app_id,
mosip_keymgr-# ref_id,
mosip_keymgr-# key_expire_dtimes,
mosip_keymgr-# CURRENT_TIMESTAMP as current_time,
mosip_keymgr-# CASE
mosip_keymgr-# WHEN key_expire_dtimes < CURRENT_TIMESTAMP THEN ‘EXPIRED’
mosip_keymgr-# WHEN key_expire_dtimes < CURRENT_TIMESTAMP + INTERVAL ‘30 days’ THEN ‘EXPIRING SOON’
mosip_keymgr-# ELSE ‘VALID’
mosip_keymgr-# END as status
mosip_keymgr-# FROM keymgr.key_alias
mosip_keymgr-# WHERE key_expire_dtimes < CURRENT_TIMESTAMP + INTERVAL ‘30 days’
mosip_keymgr-# ORDER BY key_expire_dtimes;
app_id | ref_id | key_expire_dtimes | current_time | status
---------±-------±---------------------------±------------------------------±--------
PARTNER | test | 2026-02-11 23:05:40.933001 | 2026-03-06 13:34:32.188637+00 | EXPIRED
(1 row)

mosip_keymgr=# SELECT
mosip_keymgr-# app_id,
mosip_keymgr-# ref_id,
mosip_keymgr-# key_gen_dtimes,
mosip_keymgr-# mosip_keymgr-# status_code
mosip_keymgr-# mosip_keymgr-# mosip_keymgr-# LIMIT 20;
app_id | ------------------------ ROOT | KERNEL PRE_REGISTRATION | REGISTRATION | REGISTRATION_PROCESSOR | ID_REPO | KERNEL RESIDENT | PMS | ADMIN_SERVICES | DIGITAL_CARD | COMPLIANCE_TOOLKIT | RESIDENT COMPLIANCE_TOOLKIT PRE_REGISTRATION REGISTRATION PARTNER REGISTRATION PARTNER PARTNER (20 rows) key_expire_dtimes,
FROM keymgr.key_alias
WHERE ref_id IS NOT NULL
ref_id | key_gen_dtimes | key_expire_dtimes | status_code
±--------------------------±---------------------------±---------------------------±------------
| 2025-10-18 19:38:59.354598 | 2033-10-16 19:38:59.354598 |
| SIGN | 2025-10-18 19:38:59.923357 | 2028-10-17 19:38:59.923357 |
| 2025-10-18 19:39:00.39997 | 2028-10-17 19:39:00.39997 |
| 2025-10-18 19:39:01.121987 | 2028-10-17 19:39:01.121987 |
| 2025-10-18 19:39:02.021636 | 2028-10-17 19:39:02.021636 |
| 2025-10-18 19:39:03.088481 | 2028-10-17 19:39:03.088481 |
| IDENTITY_CACHE | 2025-10-18 19:39:04.020208 | 2030-10-17 19:39:04.020208 |
| 2025-10-18 19:40:06.801408 | 2028-10-17 19:40:06.801408 |
| 2025-10-18 19:40:08.210785 | 2029-10-17 19:40:08.210785 |
| 2025-10-18 19:40:09.622212 | 2028-10-17 19:40:09.622212 |
| 2025-10-18 19:40:11.585608 | 2028-10-17 19:40:11.585608 |
| 2025-10-18 19:40:13.693484 | 2028-10-17 19:40:13.693484 |
| mpartner-default-resident | 2025-10-18 19:40:16.917218 | 2027-10-18 19:40:16.917218 |
| COMP-FIR | 2025-10-18 19:40:17.833941 | 2027-10-18 19:40:17.833941 |
| INDIVIDUAL | 2025-10-21 18:20:47.83145 | 2027-10-21 18:20:47.83145 |
| 10001_10000 | 2026-01-30 11:25:13.336085 | 2028-01-30 11:25:13.336085 |
| userpartner | 2026-02-03 18:45:28 | 2027-02-03 18:45:28 |
| 10001_10001 | 2026-02-11 21:36:48.536041 | 2028-02-11 21:36:48.536041 |
| test | 2026-02-11 23:06:25 | 2026-02-11 23:05:40.933001 |
| test | 2026-02-11 23:06:40 | 2027-02-11 23:06:40 |

mosip_keymgr=# SELECT
mosip_keymgr-# cert_id,
mosip_keymgr-# organization_name,
mosip_keymgr-# partner_domain,
mosip_keymgr-# cert_subject,
mosip_keymgr-# cert_issuer,
mosip_keymgr-# cert_not_before,
mosip_keymgr-# cert_not_after,
mosip_keymgr-# cert_thumbprint
mosip_keymgr-# FROM keymgr.partner_cert_store
mosip_keymgr-# WHERE organization_name LIKE ‘%abis%’
mosip_keymgr-# OR partner_domain = ‘ABIS’
mosip_keymgr-# OR organization_name LIKE ‘%mpartner%’
mosip_keymgr-# OR cert_subject LIKE ‘%abis%’;
cert_id | organization_name | partner_domain | cert_subject | cert_issuer | cert_not_before | cert_not_after | cert_thumbprint
---------±------------------±---------------±-------------±------------±----------------±---------------±----------------
(0 rows)

mosip_keymgr=# SELECT
mosip_keymgr-# organization_name,
mosip_keymgr-# partner_domain,
mosip_keymgr-# cert_not_after,
mosip_keymgr-# cr_dtimes
mosip_keymgr-# FROM keymgr.partner_cert_store
mosip_keymgr-# ORDER BY cr_dtimes DESC
mosip_keymgr-# LIMIT 10;
organization_name | partner_domain | cert_not_after | cr_dtimes
-------------------±---------------±--------------------±---------------------------
identiko | DEVICE | 2028-11-07 22:42:56 | 2026-02-11 23:06:40.842283
identiko | DEVICE | 2028-11-07 22:42:56 | 2026-02-11 23:06:26.079488
devicepartner1 | DEVICE | 2028-10-30 18:27:40 | 2026-02-03 18:45:28.629278
(3 rows)

mosip_keymgr=# SELECT
mosip_keymgr-# organization_name,
mosip_keymgr-# partner_domain,
mosip_keymgr-# cert_not_after,
mosip_keymgr-# CURRENT_TIMESTAMP as current_time
mosip_keymgr-# FROM keymgr.partner_cert_store
mosip_keymgr-# WHERE cert_not_after < CURRENT_TIMESTAMP
mosip_keymgr-# ORDER BY cert_not_after;
organization_name | partner_domain | cert_not_after | current_time
-------------------±---------------±---------------±-------------
(0 rows)

mosip_keymgr=# SELECT
mosip_keymgr-# organization_name,
mosip_keymgr-# partner_domain,
mosip_keymgr-# cert_not_after,
mosip_keymgr-# cert_subject
mosip_keymgr-# FROM keymgr.partner_cert_store
mosip_keymgr-# WHERE organization_name LIKE ‘%mpartner%’ OR cert_subject LIKE ‘%mpartner%’;
organization_name | partner_domain | cert_not_after | cert_subject
-------------------±---------------±---------------±-------------
(0 rows)

No ABIS-related certificates found in any of the key store tables
The only expired certificate found is for PARTNER/test (expired on Feb 11, 2026), which is unrelated to ABIS
Other certificates are valid including mpartner-default-resident (expires 2027)
Query for mpartner-default-abis returned 0 rows

Regards,

John George

Johnny · March 6, 2026, 2:00pm

You can find a link to an attached file showing clearly the query result I executed:

Key Manager Database

Regards,

John George

Johnny · March 11, 2026, 11:46am

Hi @ashok ,

Trust you are good, just following up, if there is any update.

Regards,

John

ashok · March 12, 2026, 9:18am

Hi @Johnny

As per the data shared, the below query is executed which limit the data set to 20 rows. This could be the reason for not getting the abis certificate related details.

SELECT app_id, ref_id, key_gen_dtimes,key_expire_dtimes,status_code FROM keymgr.key_alias WHERE ref_id IS NOT NULL LIMIT 20;

Please execute the below query and check whether we have abis related certificate in the key manager database:

SELECT * FROM keymgr.key_alias WHERE ref_id = 'mpartner-default-abis';

Johnny · March 12, 2026, 9:53am

Hello @ashok ,

Thank you for your response.

I’ve run the exact queries you suggested and other queries also, and the results are conclusive:

segun@mosip-wireguardbastionhost1:~$ kubectl exec -n postgres -it postgres-postgresql-0 – psql -U postgres -d mosip_keymgr
Password for user postgres:
psql (15.4)
Type “help” for help.

mosip_keymgr=# SELECT
mosip_keymgr-# app_id,
mosip_keymgr-# ref_id,
mosip_keymgr-# key_gen_dtimes,
mosip_keymgr-# key_expire_dtimes,
mosip_keymgr-# status_code
mosip_keymgr-# FROM keymgr.key_alias
mosip_keymgr-# WHERE ref_id LIKE ‘%abis%’
mosip_keymgr-# OR ref_id LIKE ‘%mpartner%’
mosip_keymgr-# OR app_id LIKE ‘%abis%’;
app_id | ref_id | key_gen_dtimes | key_expire_dtimes | status_code
----------±--------------------------±---------------------------±---------------------------±------------
RESIDENT | mpartner-default-resident | 2025-10-18 19:40:16.917218 | 2027-10-18 19:40:16.917218 |
(1 row)

mosip_keymgr=# SELECT
mosip_keymgr-# organization_name,
mosip_keymgr-# partner_domain,
mosip_keymgr-# cert_not_after,
mosip_keymgr-# cr_dtimes
mosip_keymgr-# FROM keymgr.partner_cert_store
mosip_keymgr-# WHERE organization_name LIKE ‘%abis%’
mosip_keymgr-# OR partner_domain = ‘ABIS’
mosip_keymgr-# OR organization_name LIKE ‘%mpartner%’;
organization_name | partner_domain | cert_not_after | cr_dtimes
-------------------±---------------±---------------±----------
(0 rows)

mosip_keymgr=# SELECT COUNT(*) FROM keymgr.key_alias;

count

(1 row)

ashok · March 13, 2026, 7:37am

Hi @Johnny
Looks like abis certificate is not configured in the environment. Please refer the below document:

github.com/mosip/mosip-infra

deployment/sandbox-v2/docs/abiscert.md

1.2.0

# Abis certificate exchange guide so that it will be able to decrypt the packets

* Below are the steps which needed to be followed for abis certificate exchange once after the depoloyment is done.

- Authenticate yourself and get authorization token from authmanager swagger. Also adding the request after that which can be used.. please update the domain name in the request.

  * 1. SWAGGER URL:- ```https://minibox.mosip.net/v1/authmanager/swagger-ui.html#/authmanager/clientIdSecretKeyUsingPOST ```  hit authmanager section in try-out section.
	```
	{
	  "id": "string",
	  "metadata": {},
	  "request": {
	    "appId": "ida",
	    "clientId": "mosip-ida-client",
	    "secretKey": "abc123"
	  },
	  "requesttime": "2018-12-10T06:12:52.994Z",
	  "version": "string"
	}
	```

This file has been truncated. show original

Best regards,
MOSIP Team

Topic		Replies	Views
Biographic verification failing	3	22	March 2, 2026
Packets-failing-during-biometric-verification-with-system-exception Support	2	17	April 15, 2026
"Packet creation failed due to internal error" on the registration client Support regclient	9	106	September 13, 2025
Regproc some group(1,2,3,6) pod failure Support regclient	12	298	September 22, 2023
Regclient packet upload is failing at QUALITY_CHECKER Developer	9	402	September 29, 2023

Packets Failing During Biometric Verification with System Exception

mosip_keymgr=# SELECT COUNT(*) FROM keymgr.key_alias;

Related topics