RFP for Raj eSign Digital Signature Platform


Request for Proposal (RFP) Document
for
Selection of Agency to Implement, Operate and Maintain Raj eSign Digital Signature Platform for RajCOMP Info Services Limited

Reference No.: F4.3(211)/RISL/Tech/2017/105, date: 05-04-2017
Unique Bid No.: RISL/17/OCB/230

Mode of Bid Submission: Online through eProcurement/ eTendering system at http://eproc.rajasthan.gov.in
Procuring Authority: Managing Director, RISL, First Floor, C-Block, Yojana Bhawan, Tilak Marg, C-Scheme, Jaipur-302005 (Rajasthan)
Date & Time of Pre-bid meeting: 13-04-2017 at 03:00 PM
Last Date & Time of Submission of Bid: 08-05-2017 up to 01:00 PM
Date & Time of Opening of Technical Bid: 08-05-2017 at 03:00 PM

Bidding Document Fee: Rs. 5000 (Rupees Five Thousand only)

Name of the Bidding Company/ Firm:
Contact Person (Authorised Bid Signatory):
Correspondence Address:
Telephone & Fax Nos.:
Mobile No.:
Website & E-Mail:

RajCOMP Info Services Limited (RISL)
First Floor, Yojana Bhawan, C-Block, Tilak Marg, C-Scheme, Jaipur-302005 (Raj.)
Phone: 0141-5103902 Fax: 0141-2228701
Web: http://risl.rajasthan.gov.in, Email: dsaxena@rajasthan.gov.in

ABBREVIATIONS & DEFINITIONS

Act: The Rajasthan Transparency in Public Procurement Act, 2012 (Act No. 21 of 2012), its subsequent amendments and Rules thereto
API: Application Programming Interface
AMC: Annual Maintenance Charge
APT: Advanced Persistent Threat
ASP: Application Service Provider
ATS: Annual Technical Support
Authorised Signatory: The bidder's representative/ officer vested (explicitly, implicitly, or through conduct) with the powers to commit the authorizing organization to a binding agreement. Also called signing officer/ authority having the Power of Attorney (PoA) from the competent authority of the respective Bidding firm.
BG: Bank Guarantee
Bid/ eBid: A formal offer made in pursuance of an invitation by a procuring entity and includes any tender, proposal or quotation in electronic format
Bid Security: A security provided to the procuring entity by a bidder for securing the fulfilment of any obligation in terms of the provisions of the bidding documents.
Bidder: Any person/ firm/ agency/ company/ contractor/ supplier/ vendor participating in the procurement/ bidding process with the procurement entity
Bidding Document: Documents issued by the procuring entity, including any amendments thereto, that set out the terms and conditions of the given procurement and includes the invitation to bid
CA: Certifying Authority
CCA: Controller of Certifying Authorities
CLI: Command Line Interface
CMC: Contract Monitoring Committee
CRL: Certificate Revocation List
CSP: Certification Service Provider
Competent Authority: An authority or officer to whom the relevant administrative or financial powers have been delegated for taking decision in a matter relating to procurement. MD, RISL in this bidding document.
Contract/ Procurement Contract: A contract entered into between the procuring entity and a successful bidder concerning the subject matter of procurement
Contract/ Project Period: The Contract/ Project Period shall commence from the date of issue of Work order till 36 months of Services after commissioning of the project.
DAS: Direct Attached Storage
DOS: Denial of Service
DR: Disaster Recovery
DSC: Digital Signature Certificate
Day: A calendar day as per GoR.
DoIT&C: Department of Information Technology and Communications, Government of Rajasthan.
EMS: Enterprise Management System
ESP: eSign Service Provider
GoI/ GoR: Govt. of India/ Govt. of Rajasthan
GIGW: Guidelines for Indian Government Websites
ICT: Information and Communication Technology.

IFB: Invitation for Bids (A document published by the procuring entity inviting Bids relating to the subject matter of procurement and any amendment thereto and includes notice inviting Bid and request for proposal)
INR: Indian Rupee
IOG: Interoperability Guidelines for Digital Signature Certificate by CCA
IR: Incident Response
IT: Information Technology
ITB: Instruction to Bidders
IVG: Identity Verification Guidelines by CCA
LD: Liquidated Damages
LDAP: Lightweight Directory Access Protocol
LDIF: LDAP Data Interchange Format
LoI: Letter of Intent
NAS: Network Attached Storage
NCB: A bidding process in which qualified bidders only from within India are allowed to participate
NIB: Notice Inviting Bid
Notification: A notification published in the Official Gazette
NPL: National Physical Laboratory
OCSP: Online Certificate Status Protocol
OEM: Original Equipment Manufacturer
OTP: One Time Password
PAN: Permanent Account Number
PBG: Performance Bank Guarantee
PC: Procurement/ Purchase Committee
PKI: Public Key Infrastructure
PQ: Pre-Qualification
PR: Primary Site
Procurement Process: The process of procurement extending from the issue of invitation to Bid till the award of the procurement contract or cancellation of the procurement process, as the case may be
Procurement/ Public Procurement: The acquisition by purchase, lease, license or otherwise of works, goods or services, including award of Public Private Partnership projects, by a procuring entity whether directly or through an agency with which a contract for procurement services is entered into, but does not include any acquisition without consideration, and "procure" or "procured" shall be construed accordingly
Project Site: Wherever applicable, means the designated place or places.
PSD/ SD: Performance Security Deposit/ Security Deposit
Purchaser/ Tendering Authority/ Procuring Entity: Person or entity that is a recipient of a good or service provided by a seller (bidder) under a purchase order or contract of sale. Also called buyer. RISL in this RFP document.
RA: Registration Authority
RAID: Redundant array of independent disks
RISL: RajCOMP Info Services Limited
RSDC: Rajasthan State Data Centre, New IT Building, Jaipur
RVAT: Rajasthan Value Added Tax
Services: Any subject matter of procurement other than goods or works and includes physical, maintenance, professional, intellectual, consultancy and advisory services or any service classified or declared as such by a procuring entity and does not include appointment of any person made by any procuring entity
SAN: Storage Area Network

SI: Systems Integrator
SIMS: Subscriber Information Management System
SLA: Service Level Agreement is a negotiated agreement between two parties wherein one is the customer and the other is the service provider. It is a service contract where the level of service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service) or performance.
SNMP: Simple Network Management Protocol
State Government: Government of Rajasthan (GoR)
State Public Procurement Portal: http://sppp.raj.nic.in
STQC: Standardisation Testing and Quality Certification, Govt. of India
Subject Matter of Procurement: Any item of procurement whether in the form of goods, services or works
TIN: Tax Identification Number
TPA: Third Party Auditors
UDP: User Datagram Protocol
UIDAI: Unique Identification Authority of India
URL: Uniform Resource Locator
VAPT: Vulnerability Assessment and Penetration Testing
VAT/ CenVAT: Value Added Tax/ Central VAT
WO/ PO: Work Order/ Purchase Order

1. INVITATION FOR BID (IFB) & NOTICE INVITING BID (NIB)


2. PROJECT PROFILE & BACKGROUND INFORMATION

2.1 Project Profile

The information technology sector in India has developed at a very rapid pace, which has resulted in the IT sector's increased contribution to India's GDP. This in turn has led to e-commerce and e-governance being an integral part of social and economic life. E-government is the cornerstone of the next generation of government. Citizens, businesses, and government agencies are already benefiting from their ability to access services and conduct transactions online. E-government programs allow government organizations to deliver services, distribute resources, and administer programs more efficiently, which drives operational costs down.

Traditional identification credentials are neither robust enough to protect against cyber fraud, nor can they enable the next generation of applications, such as digitally signed tax returns, electronic tenders, and seamless border control. Instead, the need of the hour is strong authentication, encryption, and digital signatures that are part of a comprehensive and scalable Public Key Infrastructure (PKI) platform.

PKI is the foundation on which secure and trusted transactions can be executed. Whether between individuals and governments; businesses and governments; or inter-government relationships, PKI allows entities to securely authenticate all participants in a transaction.

eSign Electronic Signature Service is an innovative initiative for allowing easy, efficient, and secure signing of electronic documents by authenticating the signer using Aadhaar eKYC services. With this service, any Aadhaar holder can digitally sign an electronic document without having to obtain a physical digital signature dongle. Application Service Providers can integrate this service within their application to offer Aadhaar holders a way to sign electronic forms and documents. The need to obtain a Digital Signature Certificate through a printed paper application form with ink signature and supporting documents will not be required.

2.2 Brief of the Project

A Certifying Authority is a trusted body whose central responsibility is to issue, revoke, renew and provide directories of Digital Certificates. In essence, the function of a Certifying Authority is equivalent to that of the passport issuing office in the Government. A passport is a citizen's secure document (a "paper identity"), issued by an appropriate authority, certifying that the citizen is who he or she claims to be. Any other country trusting the authority of that country's Government passport Office will trust the citizen's passport.

The IT Act 2000 gives details of who can act as a CA. Accordingly a prospective CA has to establish the required infrastructure, get it audited by the auditors appointed by the office of Controller of Certifying Authorities, and only based on complete compliance with the requirements, a license to operate as a Certifying Authority can be obtained. The license is issued by the Controller of Certifying Authority, Ministry of Information Technology, Government of India.

Similar to a passport, a user's certificate is issued and signed by a Certifying Authority and acts as a proof. Anyone trusting the Certifying Authority can also trust the user's certificate.

For operating as a licensed Certifying Authority under the IT Act, 2000 an application has to be made to the Controller of Certifying Authorities as stipulated under Section 21 of the IT Act. The application form for grant of license prescribed under Rule 10 of the IT Act has to be submitted to the Controller of Certifying Authorities. Before submitting the application however, the applicant is expected to have the entire infrastructure - technical, physical, procedural and manpower - in place. On receipt of the application and after examination of the same along with the supporting documents, CCA will depute an empanelled auditor based on whose audit report a decision will be taken on whether a license can be granted to the applicant to operate as a Certifying Authority under the IT Act 2000.

eSign online Electronic Signature Service can be effectively used in scenarios where signed documents are required to be submitted to service providers – Government, Public or Private sector. The agencies which stand to benefit from offering eSign online electronic signature are those that accept a large number of signed documents from users.

RISL intends to become a Certifying Authority (CA). According to Section 24 of Information Technology Act 2000 "a Certifying Authority means an agency that has been granted a license to issue Digital Signature Certificates". A Certifying Authority is a trusted body whose central responsibility is to issue, revoke, renew and provide directories of Digital Certificates.

Additionally, a CA may also provide electronic signing (e-Sign) services. An electronic signature offers a mechanism to replace manual paper-based signatures with digital ones. By integrating this service within their applications and enabling an UID (Aadhaar) holder to electronically sign a form/document anytime, anywhere, and on any device, the Application Service Providers (ASPs) authenticate a user. e-Sign can significantly reduce costs, improve efficiency, and offer convenience to citizens. They shall also indirectly contribute to the environment by reducing the usage of paper considerably.

eSign Online electronic signature service offers applications a mechanism to replace manual paper based signatures by integrating this service within their applications. An Aadhaar holder can electronically sign a form/document anytime, anywhere, and on any device. eSign service facilitates significant reduction in paper handling costs, improves efficiency, and offers convenience to customers.

RajCOMP intends to provide Digital Signature Certificates (DSC) to the employees and residents, for promoting e-governance, by building a 'trusted' digital environment in the usage of cyber space, leading towards good and efficient Governance. Besides issuing Digital Signature Certificates in G2G domain, Online Directory Services for Digital Signature Certificates and Certificate Revocation Lists (CRL), RajCOMP also intends to provide e-Sign (as an ESP or e-Sign Provider), OCSP and Time stamping Service through implementation done with this RFP. The recent modifications in the IT Act have provided for recognition of Aadhaar based e-Sign; this has made it possible to use e-Sign technology for a large number of applications. It is expected that over the next few years e-Sign will be the mainstream authentication tool in the Digital world.

2.3 Purpose of the RFP

RISL intends to implement a Certificate Authority solution. For the above purpose, RISL solicits proposals from qualified bidders for providing services for Design, Supply, Installation, Commissioning, Implementation and support for CA solution as per CCA guidelines.

For the above defined purpose, RISL intends to use its existing Data Centre and shall comply with CCA norms including but not limited to DC and DR Sites. Any work/activity that needs to be conducted in order to use the implemented technology/functionality shall also be a part of this project, e.g. Integration with any portal, customizing any script, API or DLL etc.

NOTE:
Bidders are advised to study this RFP document carefully before submitting their proposals in response to this RFP. Submission of a proposal in response to this RFP shall be deemed to have been done after careful study and examination of this document with full understanding of its terms, conditions and implications.

Failure to furnish all information required as mentioned in the RFP documents or submission of a proposal not substantially responsive to the RFP documents in every respect will be at the Bidder's risk and may result in rejection of the proposal.

3. PRE-QUALIFICATION/ ELIGIBILITY CRITERIA

A bidder participating in the procurement process shall possess the following minimum pre-qualification criteria:

S.No. 1
Basic Requirement: Legal Entity
Specific Requirements: The bidder should be a Proprietorship firm duly registered either under the Rajasthan Shops & Commercial Establishments Act, 1958 or any other Act of State/ Union, as applicable for dealing in the subject matter of procurement (Note: A self-certified declaration regarding the non-applicability of registration to any Act should be submitted by the bidder)
OR A company registered under Indian Companies Act, 1956
OR A partnership firm registered under Indian Partnership Act, 1932
OR A Limited Liability Partnership registered under Limited Liability Partnership Act, 2008.
Documents Required: Copy of valid Registration Certificates; Copy of Certificates of incorporation

S.No. 2
Basic Requirement: Years of Existence
Specific Requirements: The bidder should be in existence for not less than preceding 5 years as on 31.3.2017.
Documents Required: Copy of valid Registration Certificates; Copy of Certificates of incorporation

S.No. 3
Basic Requirement: Financial: Turnover from IT/ ITeS
Specific Requirements: Average Annual Turnover of the bidder from IT/ ITeS during the last three financial years, i.e., from 2013-14 to 2015-16 (as per the last published audited balance sheets), should be at least Rs. 25,00,00,000, i.e. INR Twenty Five Crores Only
Documents Required: CA Certificate with CA's Registration Number/ Seal

S.No. 4
Basic Requirement: Financial: Net Worth
Specific Requirements: The net worth of the bidder, as on March 31, 2016 should be Positive.
Documents Required: CA Certificate with CA's Registration Number/ Seal

S.No. 5
Basic Requirement: Technical Capability
Specific Requirements: The bidder should have Implemented/ Operationalized at least 1, i.e. One IT Project in the domain of Digital Signatures/ DC/ DR with a project value of minimum INR 2,00,00,000 i.e. INR Two Crore Only.
OR The bidder should have Implemented/ Operationalized 2, i.e. Two IT Projects in the domain of Digital Signatures/ DC/ DR with a joint/ combined project value of minimum INR 3,00,00,000 i.e. INR Three Crore Only
Documents Required: Annexure-7 per project reference
And
Work Completion Certificates from the client; OR
Work Order Self Certificate of Completion (Certified by the Statutory Auditor); OR
Work Order Phase Completion Certificate from the client

Specific Requirements:
- The bidder should have a registered number of
  i. Service Tax
  ii. Income Tax / PAN number
  iii. Sales Tax
  iv. VAT Registration and VAT Clearance till December 31, 2016
  v. PF
- The bidder must possess, at the time of bidding, all of the following valid Certification
  i. ISO 9001:2008 or ISO 9001:2015
  ii. ISO 20000
  iii. ISO 27001
  iv. CMMI L3 or higher
- The bidder should not be a CA licensed by the CCA for providing CA operations in India.
- Bidder should not have conflict of interest, or potential conflict of interest; or any incident that materially and adversely affects the RajCOMP Certification Authority's operations.
- Bidder should:
  a. not be insolvent, in receivership, bankrupt or being wound up, not have its affairs administered by a court or a judicial officer, not have its business activities suspended and must not be the subject of legal proceedings for any of the foregoing reasons;
  b. not have, and their directors and officers not have, been convicted of any criminal offence related to their professional conduct or the making of false statements or misrepresentations as to their qualifications to enter into a procurement contract within a period of three years preceding the commencement of the procurement process, or not have been otherwise disqualified pursuant to debarment proceedings;
  c. comply with the code of integrity as specified in the bidding document.

Documents Required:
- Copies of relevant certificates of registration
- Copy of a valid certificate
- Declaration on Non Judicial Stamp Paper of minimum value of INR 1000 Only
- A Self Certified letter as per Annexure-3: Self Declaration

In addition to the provisions regarding the qualifications of the bidders as set out in (1) above:
1. the procuring entity shall disqualify a bidder as per the provisions under "Clause: Exclusion/ Disqualification of bids in Chapter-5: ITB"; and
2. the procuring entity may require a bidder, who was pre-qualified, to demonstrate its qualifications in accordance with the same criteria used to pre-qualify such bidder. The procuring entity shall disqualify any bidder that fails to demonstrate its qualifications, if requested to do so. The procuring entity shall promptly notify each bidder requested to demonstrate its qualifications as to whether or not the bidder has done so to the satisfaction of the procuring entity.

4. SCOPE OF WORK, DELIVERABLES & TIMELINES

4.1 Need and Benefits

RISL becoming a Certifying Authority will be hugely beneficial to the public for availing government services through digital signing and also through the facility of e-Sign, as this will cut short the turnaround time for processing applications on paper.

For offering fully paperless citizen services, mass adoption of digital signature is necessary. A simple to use online service is required to allow everyone to have the ability to digitally sign electronic documents.

In the current scenario where lots of government services are moving towards online mode, digital signatures are required for ease of operation. Different stakeholders in various services viz G2G, G2B, G2C, G2E require digital signatures for electronic authentication.

Further DoIT&C, GoR as a State Registrar of UIDAI has already commenced Aadhaar e-KYC services. In view of the future landscape of services offered by government (G2G, G2B, G2C, G2E), it will be pertinent that RISL takes the initiative to become a Certifying Authority under Controller of Certifying Authorities, MeitY, GoI and offer Digital Signatures to applicants including e-Sign services which are electronically signed based on Aadhaar authentication. Also Time stamping & OCSP services shall be a part of the project.

4.2 Stakeholders and their involvement

4.2.1 Application Service Provider - An organization or an entity using eSign service as part of their application to electronically sign the content. Example: Govt. Departments, Banks, other public/ private organizations.

4.2.2 End User - Any individual using the application of ASP and represents himself/ herself for signing the document under legal framework. Also a resident holding the Aadhaar number and applicant/ subscriber for digital certificate.

4.2.3 Certifying Authority - An organization (RISL) licensed under CCA which issues Digital Signature Certificate and carries out allied CA operations. RISL shall engage with CCA authorized auditors for Audit and obtain approval for ESP/CA system to start eSign & time stamping services and CA operations.

4.2.4 Digital Signature Issuance authority & e-Sign service provider - Trusted Third Party as per the definitions of Second Schedule of Information Technology Act to provide eSign service. To begin with ESP is a Licensed Certifying Authority (CA). RISL intends to become CA to provide digital signature issuance authority, e-Sign service provider & time stamping services.

4.2.5 Controller of Certifying Authorities (CCA) - CCA shall conduct an audit before providing license of certifying Authority (CA) to RISL based on compliance on security guidelines for CA operations.

4.2.6 UIDAI - Provide unique identity to all Indian residents. Provides e-KYC authentication service to registered KUAs. Authentication services shall be provided by DoIT&C (State Registrar) which is KUA under UIDAI.

4.3 Scope of Work

4.3.1 Logical Framework

The Scope of the work for the project "Raj eSign Digital Signature Platform" has been divided broadly into multiple components, as represented below:

[Figure: Raj eSign Platform – Logical Framework]

4.3.2 Geography

The geographical scope of the Project will be at Rajasthan State Data Centre site in Jaipur, Rajasthan and a DR site in Jodhpur. The solution should consist of a minimum of all components described in this document.

4.3.3 Logical Setup of Primary Site at RSDC

4.3.4 Logical Setup of DR Site at Jodhpur

4.3.5 Infrastructure Setup

The Raj eSign Platform infrastructure design shall be done with a perspective of securing the infrastructure in a multi zone manner. The idea is to secure the facility from both a physical and a logical security perspective. To ensure physical security, separate zones shall be created with independent access controls for each zone corresponding to the class of security required. To ensure logical security, each such zone shall have independent systems, logical separation and security using inter-zone Firewall devices with zone wise management control.

This would ensure that personnel required to work on a specific zone would have to physically access that zone and work exclusively in that zone. Zones shall be interconnected but are not remotely accessible from other zones. Each Zone shall be separated by a set of NGFW. The Network shall hop from the Web Zone to the Secure Zone to the Core Zone in a layered manner. Each zone shall have its own firewalls, so that the core zone is finally visible only to the most filtered traffic.

The Infrastructure shall be divided in Zones as below:
o Primary Site
  - Core CA Zone
  - Secure Zone
  - Web/Monitoring Zone
  - Test Zone
o Disaster Recovery Site
  - CA/eSign Zone
  - Other Zone

4.3.6 Common Infrastructure

The following components are common across all zones. Each zone will have zone specific components of the following services / hardware.
- LDAP / Authentication Server
- Antivirus Server
- Log Collector / Storage / Forwarder
- EMS Collector / Storage / Forwarder
- DB Server instances of the above systems
- Backup Server
- Tape Backup System (Standalone / Library)
- NGFW
- Switches

4.3.7 Core CA Zone

The core CA zone shall be the most secure zone in the infrastructure. This zone shall house the most critical systems of the infrastructure. Components of the Core Zone shall be as below:
- eSign CA
- Traditional CA
- SSL CA
- HSM
- NPL Time Devices
- Telephone Link for Time Devices
- CA related Servers (LDAP / DB / OCSP / TSA)
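The layered path required in section 4.3.5 (Web Zone to Secure Zone to Core Zone, with no remote access between zones) can be checked against a proposed inter-zone firewall rule set. The following is an added example, not part of the RFP; the rule format, the "external" layer, the port numbers and the sample rules are assumptions constructed for illustration.

```python
from collections import deque
from typing import NamedTuple

# Zone order from section 4.3.5: traffic hops Web -> Secure -> Core.
# "external" (outside the perimeter) is added here as layer 0 (assumption).
LAYERS = ["external", "web", "secure", "core"]
DEPTH = {zone: i for i, zone in enumerate(LAYERS)}

# Assumption: ports treated as remote-administration channels (SSH, RDP, VNC).
ADMIN_PORTS = {22, 3389, 5900}


class Rule(NamedTuple):
    """One inter-zone 'allow' rule (hypothetical format, not an NGFW export)."""
    src: str
    dst: str
    port: int
    note: str


def audit_rules(rules):
    """Return (rule, reason) pairs for allow rules that break the layering."""
    findings = []
    for r in rules:
        if r.src not in DEPTH or r.dst not in DEPTH:
            findings.append((r, "unknown zone"))
            continue
        if abs(DEPTH[r.dst] - DEPTH[r.src]) > 1:
            findings.append((r, "skips a layer"))
        if r.src != r.dst and r.port in ADMIN_PORTS:
            findings.append((r, "remote administration across zones"))
    return findings


def shortest_hops(rules, src="external", dst="core"):
    """Minimum number of firewall crossings from src to dst, or None."""
    graph = {}
    for r in rules:
        graph.setdefault(r.src, set()).add(r.dst)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == dst:
            return hops
        for nxt in graph.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None


def core_is_layered(rules):
    """True when the core is unreachable from outside, or reachable only
    by crossing every layer in turn."""
    hops = shortest_hops(rules)
    return hops is None or hops == len(LAYERS) - 1


# Constructed sample rule sets (ports and descriptions are illustrative).
GOOD = [
    Rule("external", "web", 443, "ASP request to eSign application server"),
    Rule("web", "secure", 8443, "application server to eSign server"),
    Rule("secure", "core", 9443, "eSign server to CA signing server"),
]
BAD = GOOD + [
    Rule("web", "core", 3306, "application server straight to CA database"),
    Rule("web", "secure", 22, "SSH from web zone into secure zone"),
]

if __name__ == "__main__":
    for name, ruleset in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "layered:", core_is_layered(ruleset))
        for rule, reason in audit_rules(ruleset):
            print("  ", rule.src, "->", rule.dst, rule.port, ":", reason)
```
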

4.3.7.1 Suggestive List of VM in Core CA Zone

Primary Site - CA Zone VM Cluster (columns: CA VMs, Traditional CA VMs, Common Servers)
- CA and Signing Server
- RA Server
- Master LDAP Server for Sitewise Authentication
- MySQL Database for CA
- LDAP Server
- Backup LDAP Server for Authentication
- MySQL Database for RA
- OCSP and TSA Server
- MySQL Database for OCSP and TSA
- Virtual Machine Management System
- CA Offline
- Anti-Virus VM
- EMS Server Collector
- Log Collector Server
- Database Server for Log / EMS Collector

4.3.8 Secure/eSign Zone

The Secure/eSign zone shall house eSign-connected servers and Subscriber data related systems and Subscriber Data, Accounting Systems, etc. Components of the eSign Zone shall be as below:
- eSign Servers
- HSM
- DB Servers for the above systems

4.3.8.1 Suggestive List of VM in Secure/eSign Zone

Primary Site - eSign Zone VM Cluster (columns: eSign CA VMs, Traditional CA VMs, Common Servers)
- CA and Signing Server
- eSign Server
- Zone LDAP for Authentication
- LDAP Server
- MySQL Database for CA
- Virtual Machine Management System
- MySQL Database for eSign
- Anti-Virus VM
- EMS Server Collector
- eSign Server
- Log Collector Server
- CA Offline
- Database Server for Log / EMS Collector

4.3.9 Web Zone

The Secure Zone is the outward facing zone and sits at the perimeter. External world or systems facing and connecting to the outside world terminate on this zone. The Secure Zone houses:
- eSign Application Server
- CA Application Server
- CA Application DB
- Email Server

4.3.9.1 Suggestive List of VM in Web Zone

Primary Site – Web Zone VM Cluster (columns: Web Facing Servers, Common Servers)
- CA Application Server
- eSign Application Server
- Database Server for CA
- eSign DB Server
- Mail Server
- Zone LDAP for Authentication
- Virtual Machine Management System
- Anti-Virus VM
- EMS Server Collector
- Email Server
- Log Collector Server
- Database Server for Log / EMS Collector

4.3.10 Monitoring Zone

The monitoring zone accumulates all the information from zone level systems and presents it in a single Interface. All logs and EMS related data accumulate here. This Zone contains the highest amount of data.
- Central Log Server
- Central EMS Server
- Internal Help Desk Systems
- SLA Monitoring
- Master AV Server
- Firewall Management Server
- CCTV Monitoring
- Access Control Server
- Dual Drive Tape Library

4.3.10.1 Suggestive List of VM in Monitoring Zone

Primary Site – Monitoring Zone VM Cluster (columns: Monitoring related Servers, Common Servers)
- Master EMS Server
- Master Log Server
- Database Server for EMS / Log Server / Ticketing etc.
- Help Desk / Support Ticketing Server
- Centralized UTM / Firewall Management Server
- Central Switch / Storage / Mgmt Server
- Zone LDAP for Authentication
- Virtual Machine Management System
- Anti-Virus VM

4.3.11 Disaster Recovery Site

To reduce the footprint, the DR site is envisaged to consist of two zones instead of the three zones at the Primary site. The database replication shall use the log shipping method or be automated via a tool and shall be configured accordingly, while the VMs will need to be migrated using appropriate technologies as supplied by the bidder.

To consolidate the three zones of the Primary site at the Disaster Recovery site, the two zones are envisaged to be segregated by differentiating critical servers and other servers.

The critical servers shall include all data and content related to CA, eSign, Subscriber Data, etc. All data as well as database has to be replicated to the Core Zone at the DR Site.

The other zone shall contain replicated data of all logs, EMS, Service desk, etc.

4.3.11.1 Indicative list of Virtual Machines in DR Site – CA Zone

Disaster Recovery Site – CA Zone VM Cluster
VM Cluster: Status (Live/ Standby)

eSign CA VMs
- eSign CA Server: Standby
- OCSP Server: Standby
- Time Stamping Server: Standby
- Database Server for eSign CA: Live
- Separate LDAP Server for eSign CA (OpenLDAP / MS AD): Live

Traditional CA VMs
- CA Server: Standby
- SSL CA Server: Standby
- OCSP Server: Standby
- Time Stamping Server: Standby
- Database Server for CA and SSL CA Server: Live
- Separate LDAP Server for CA (OpenLDAP / MS AD): Live

Common Servers
- Zone LDAP for Authentication: Live
- Virtual Machine Management System: Live
- Anti-Virus VM: Live
- EMS Server Collector: Live
- Log Collector Server: Live
- Database Server for Log / EMS Collector: Live

4.3.11.2 Indicative list of Virtual Machines in DR Site – CA Zone
