Documentation

This section contains comprehensive guides to assist in deploying Mifos, using the software, and getting the most value of out the information you're capturing in Mifos.  It is organized by topic.  You can click through the keywords to browse through related areas on the site in the same subject area or drill down into content by specific audience.

0
Your rating: None

Installation

0
Your rating: None

Windows Installation Guide

The following is a simple step by step walkthrough of downloading and installing a default configuration of the Mifos software along with the required components for Microsoft Windows.  It is meant to provide additional detail to supplement the INSTALL readme. Please follow the configuration guide for additional guidance on configuring Mifos. For Linux or Mac installations, please follow the readme.

*These instructions all refer to installing Mifos locally on your computer; to install it for online access, Mifos must be installed on a connected web server.*

0
Your rating: None

Software Requirements

 

The following required software components to run Mifos are all open source and freely available for download.

  • Java: Mifos is written and developed with the Java 6 SE programming language to successfully run Mifos on your machine requires the Java environment installed.
    • Current Version: JDK 6 Update 24 
    • Note: Only the JRE is needed to run an instance of Mifos for testing, staging, or production.  If you will be developing on Mifos, you must install the JDK)
      • Previous updates before 24 should work fine with Mifos.
  • MySQL Community Edition: To successfully manage and process all of the data within Mifos requires a RDBMS on the back-end.  MySQL must be properly downloaded and configured prior to running Mifos.
  • TomCat: Mifos is a web-based application and requires Apache Tomcat to be run as your Java Servlet container either locally or on your web server.  (Core Windows zip)

*Screenshots on 3rd party pages may be different as pages change often

0
Your rating: None

Set up Folder and Download Mifos

 

Set up Folder

  • Create a folder called Mifos Install to download Mifos and other required components to run Mifos.  We recommend setting up this folder at the root level: (C:\MifosInstall)

1_setup.folder.jpg

Download Mifos

  • Save the Mifos download zip file to this Mifos Install folder.  If you've already saved it elsewhere you can copy and paste it here.  Unzip or extract the contents of the folder here to Mifos Install.  We're going to first install the other required software before installing Mifos.  
0
Your rating: None

Install and Configure Java and Apache Tomcat

 

  • Before you do install a Java SDK, check to see if you have any previous versions of Java installed and uninstall them (unless you need them for something else) - either the JVM (Java Virtual Machine) or the JDK (Developers Kit).

1_java_check.uninstall.jpg

  • I had a previous version installed and had to uninstall it via Start menu->Control Panel->Add/Remove Programs. (ex: I had to remove java 1.4.2.)
  • Download and install the Java SE JDK installer (JDK 6.0)
    • Current version is JDK 6 Update 22 (as of Oct 25, 2010)
    •  Keep in mind that newer release *could* cause changes, so be mindful if something is very new

Java Install - JDK 21

java_install_jdk21_2.JPG

 

Go back to top of the page.

Apache Tomcat

Download Apache Tomcat

  •  Unzip and extract contents of folder to Mifos Install. *IMPORTANT that you extract to here.*

Extract Apache Tomcat

 Go back to top of the page.

0
Your rating: None

Install and Configure MySQL

 

Download MySQL

  •  Double click the downloaded file to begin running the Installer. Select Typical installation and click Next.

 

Install MySQL - Typical Installation

 

  • Click Install. 

 

Install MySQL - Typical

  • Continue clicking Next as prompted.

3_install_db_install.jpg

  • Select Configure the MySQL Server now and click Finish.

Detailed Configuration

  • Click Next and then select Detailed Configuration for Instance Configuration Wizard and click Next.

Configure MySQL

Install DB - Detailed

  • Keep the selection for Developer Machine Under Server Type and click Next.

Configure MySQL - Developer

  • Select Multifunctional Database for Database Usage and click Next.

Configure MySQL - Multifunctional

  •   Select C: Installation Path for InnoDB Tablespace Settings and click Next.

    •  

    Configure MysQL - installation path

    • Select Decision Support (DSS)/OLAP for Number of Concurrent Users and click Next.

    Configure MySQL - OLAP

    • Select Enable TCP/IP Networking, choose Port Number: 3306, select Enable Strict Mode and click Next.

    Configure MySQL - Port

    • Select  Best Support for Multilingualism for Default Character Set.

    Configure MySQL - Language

    • Install as Windows Service. Check to included bin directory in Windows PATH.

    Configure MySQL - Windows Service

    • Set up your root password under security options. Select Modify Security Settings. Enter your root password and confirm it.   You can leave the password as its default, mysql, if you like.  Please note if you make any changes. 

    Install DB - Password - new

    *If you'd previously installed a Mifos database, your window will look like this and you'll need to enter your current root password.

    Configure MySQL - Password

    • Press Execute to start configuration.

    Configure MySQL - Execute

    • Once all configuration settings have been successfully applied, click Finish to close the Wizard.

    Configure MySQL - Finished.

    Go back to top of the page.

     

    Configure MySQL

    Configuring MySQL can be done in a number of different ways:

    • By directly editing values in the my.ini file.
    • Using MySQL GUI Tools or MySQL Workbench 
    • Using MySQL Workbench

    In this example, we're going to configure the MySQL database by directly editing the my.ini file.  MySQL GUI Tools have been phased out and MySQL Workbench can be used if you're administering multiple databases. 

    Configuration by directly editing my.ini file

    • Locate your my.ini file in the folder where MySQL Server has been installed.  My location is: C:\Program Files\MySQL\MySQL Server 5.1

      my.ini_location_small.png

       

    • Open this file to edit it in a text editor like Notepad. 
    • There are six parameters we'll configure:
             max_connections=300
    	         innodb_buffer_pool_size=1024M
    	         innodb_file_per_table
    	         log-error=mysql_error.log
    	         log-slow-queries=mysql_slow_query.log
    	         long_query_time=1
    • Search for max_connections and edit the value to 300.
       
      my.ini_max_connections.png
       
       
    • Search for innodb_buffer_pool_size and edit the value to be set to 1024M

    my.ini_innodb_buffer.size.png

     

    • Scroll to the bottom of the file and enter the following 4 entries on separate lines:
      • innodb_file_per_table
      • long_query_time = 1
      • log-error = mysql_error.log
      • log-slow-queries = mysql_slow_query.log

    my.ini_long_query.png

    • Save changes and close out the my.ini file.  Open up the file one more time to ensure the changes were saved.

    Go back to top of the page.

    Create Mifos Database and Mifos User

    We're now going to enter into the command line to create a MySQL database called mifos and a user for the database called mifos.  This mifos user must exist for the mifos.war file to connect to MySQL
    • Enter the DOS command line. This can be done by entering cmd in the Run window.
     
    initiate_db_cmd.JPG
    • Log in to MySQL using root account.  By default password will be mysql unless you changed it while installing MySQL.  
      • To log in, type:
    mysql -uroot -p
    •  
      • Press enter and you'll be prompted for your password (this is the password you set defined for root while configuring MySQL).  
    login to sql admin.png
     
    •  
      • Once successfully logged in, you should see a screen as follows: 
    successful login.png 
    • Now let's enter the first command to create the database called mifos.  
      • Type the following and press enter (make sure to include semi-colons): 
    CREATE DATABASE mifos;
     
    create database.png
    •  
      • You should see a message that states Query OK, 1 row affected... To confirm the database was successfully created, type the following and press enter:
    show databases;

    successful create databases.png

    • Now let's create the user, mifos, its password, and grant it necessary privileges.
      • The password is determined by the string that follows identified by. For this example, I've made my password nonsecure but you should choose a secure password.  All commands would be different according to which password you select. So the command works like this: GRANT ALL on '<DATABASE NAME>'.* to '<USER ID>'@'<HOST NAME>' identified by '<PASSWORD>'; 
      • Type the following (making necessary change for your password after "identified by") and press enter:
    		GRANT ALL on mifos.* to 'mifos'@'localhost' identified by '<PASSWORD>';

     

    create usere and grant privileges.png
    •  
      • Execute this last command to complete the user creation process. Type the following and press enter:
    		FLUSH PRIVILEGES;
    flush privileges.png
    •  
      • Now let's exit out of MySQL command line by typing exit and pressing enter. 
    exit.png

    Initiate MySQL

    Next we need to initialize the Mifos database, by running the three commands below from the directory that contains this INSTALL file.  These commands assume a database username of "mifos" and in my case I'm using the password "nonsecure".  Adjust them if your database password is different.  

     mysql -D mifos -u mifos -p<PASSWORD> < sql/latest-schema.sql
 mysql -D mifos -u mifos -p<PASSWORD> < sql/latest-data.sql
 mysql -D mifos -u mifos -p<PASSWORD> < sql/init_mifos_password.sql

    • We're still in the DOS command line but will need to cd (change directory) into the directory that contains the INSTALL file.  In my case this was Mifos Install.

    navigate back to directory.png

     

    • Execute the first command (you'll know the command is successfully executed when the command line prompt appears again below). Replace <PASSWORD> with your password: 
      • mysql -D mifos -u mifos -p<PASSWORD> < sql/latest-schema.sql

    intitiate_1.png

    • Execute the second command: 
      • mysql -D mifos -u mifos -p<PASSWORD> < sql/latest-data.sql

    intitiate_1.png

    • Execute the third command: 
      • mysql -D mifos -u mifos -p<PASSWORD> < sql/init_mifos_password.sql

    intitiate_4.png

    • You can now exit out of the command line window by clicking x.  

    Update local.properties file if you changed mysql password for user id mifos.

    • In my example, I used the password of nonsecure for my mysql database.  By default, Mifos expects a database called Mifos with the user id of mifos and password mifos. Since I set my password to to mysql to a different one, unique from mifos, you'll need to customize your local.properties file to specify this new password.
    • Open your local.properties file. It is located in the config folder which is in the same directory where INSTALL is located. 
    • Location of local.properties
    • Highlight the current password of mifos and replace it with your actual password. Save the changes.
    • Local Properties
    • Change Local.Properties
    •  

    Go back to top of the page.

    0
    Your rating: None

    Set up Environment Variables

     

    • Go to My Computer, right click and select Properties.

    Environment Variable Tab

    • Click the Advanced tab. Then click to open Environment Variables. In this next step, we'll be setting system variables, make sure you aren't creating user variables.

    Environment Variable - Systems

    • Set up JAVA_HOME environment variable. 
      • This should be the directory/folder where the JDK is installed.   First, locate where you have the JDK installed. In my example, my JDK was located here: C:\Program Files\Java\jdk1.6.0_21 (Screenshot below shows location of my JDK)

    location java environment variable.png

    •  
      • Under System variables, click New to set up a new variable.  In variable name, enter JAVA_HOME  For Variable value, enter or copy and paste the location of the JDK - in my example - C:\Program Files\Java\jdk1.6.0_21 (this will be unique to wherever you installed the JDK).

    Java variable.png

    • Set up CATALINA_HOME environment variable
      • This time, it should be the directory/folder where the Apache Tomcat is installed (in my example, this is the Mifos Install folder where I previously unzipped it to). The location for my example was C:\Mifos Install\apache-tomcat-6.0.29\apache-tomcat-6.0.29 Once again this will be unique to your instance. Screenshot below shows location of my Apache Tomcat.

    location tomcat variable environment.png

    •  
      • Still under System variables, click New to set up another new variable.  In Variable name, enter CATALINA_HOME For Variable value enter the location of your Apache Tomcat.  In my example, C:\Mifos Install\apache-tomcat-6.0.29\apache-tomcat-6.0.29 (ONCE AGAIN - THIS WILL BE UNIQUE TO YOUR INSTANCE)

    Apache Tomcat variable.png

    • Set up CATALINA_OPTS.
      • Click New. For Variable name, enter: CATALINA_OPTS For Variable value, enter or copy and paste the following (make sure to include the initial hyphen):  -Xms1024M -Xmx1024M -XX:MaxPermSize=256m

    Catalina Opts.png

    • Set up MIFOS_CONF.

      • Since we customized our local.properties file, we need to set up a system variable for MIFOS_CONF so Mifos knows which directory in which to locate the custom local.properties file.

      • In my case, this directory is: C:\Mifos Install\mifos-v1.6.1\mifos-v1.6.1\config  This will be unique to your installation and where you've placed your folders. 

      • Location of confg

      • Click New. For variable name, enter: MIFOS_CONF For Variable value, enter the location of your config folder; in my example: C:\Mifos Install\mifos-v1.6.1\mifos-v1.6.1\config

    • Click OK to save and apply the changes.

    Go back to top of the page.

    0
    Your rating: None

    Install Mifos WAR

     

    The Mifos WAR file is basically a collection of pages and files that comprise the MIfos web application (you can view Wikipedia's definition of a WAR file to learn more).  The Mifos WAR is located in the download package you saved to Mifos Install.

    • Navigate back to the Mifos Install directory.  Click into the mifos_v1.5.0.1 directory.  You will now copy and paste the mifos.war file into the CATALINA_HOME/webapps directory.

    Mifos.war.jpg

    • Locate your CATALINA_HOME directory (it's where you install Apache Tomcat to).  Navigate into the webapps folder and check to see if any of the following temporary directories exist, if so - delete them:
      • CATALINA_HOME/webapps/mifos
      • CATALINA_HOME/work/Catalina/<hostname>/mifos
        • (where <hostname> is the namer of your server)

    web apps.jpg

    (in my example - I had no temporary directories to delete)

    web apps_2.jpg

    • Now let's copy and paste mifos.war into CATALINA_HOME/webapps

    copy_mifos.war.jpg

    Go back to top of the page.

    0
    Your rating: None

    Configure Mifos

    Before running Mifos, you can configure it to support your organizational structure.  Configuration is an important stage to ensure that Mifos meets your business requirements optimally. Because some settings in Mifos can only be changed from their default values once, before Mifos is run for the first time, you should review the default Mifos configuration.  See our Mifos Configuration Guide to learn more about these settings.

    The below steps outline how to use a custom configuration. However, to keep this install simple, I'm going to use the default configuration and make no changes.

    1.  
      1. Using the Default Configuration: A default configuration is provided. If you want to quickly get Mifos up and running to try it out, then no configuration is needed.
      2. Using a Custom Configuration: This is a very important step in setting up Mifos to match your business processes - in Mifos there are a number of one-time settings you must configure properly before running the application for the first time.  Please read over the Mifos Configuration Guide to know the different Mifos parameters you can configure. These include:
        1. Setting your Language and Locale
        2. Accounting settings including your Chart of Accounts for general ledger transactions, rules for interest, rounding, etc. 
        3. Calendar settings including working days, available workflow states, etc. 
        4. Client settings including Officer Hierarchy (whether or not Centers exist)
        5. Process settings such as order of transaction import for M-PESA
        6. Reporting settings such as allowing of back-dated transactions
        7. Trapdoor settings that can only be configured one time. 
        8. If you created a MIFOS_CONF environment variable (directory for Mifos custom configuration files) in the previous step you can now follow the Mifos Configuration Guide for further details and options.  
           
      3. Changing the Default Mifos Configuration: To make changes to the default configuration, edit the file config/applicationConfiguration.custom.properties to the MIFOS_CONF directory defined in the previous step, Step 2.
      4. Changing the Default Database Connection Settings: To use non-default settings for your database connection -- such as a different port number, user name, or password -- edit the file config/local.properties to the MIFOS_CONF directory defined in Step 2.

    Go back to top of the page.

    0
    Your rating: None

    Run Mifos

     

    • Execute Tomcat startup script in CATALINA_HOME/bin
      • Navigate to the bin folder in your CATALINA_HOME directory.
      • Double-click and run the startup.bat script

    Startup.jpg

    •  
      • Tomcat status window should open up showing status of mifos.war being deployed.
      • Mifos.war is completely deployed once you get a message similar to:  “INFO: Server startup in 103984 ms”
    Run Mifos - Script Executed
    •  
      • Alternative, if Tomcat was installed as a service on Windows, navigate to Control Panel >Administrative Tools > Services to verify that the service's status is "Started"
    • Next, visit the base url in a internet browser: http://localhost:8080/mifos
      • username: mifos
      • password: testmifos

    Run Mifos - Browser url

    Log in and success!

    install_mifos.war_i_browser.jpg

     Go back to top of the page.

    0
    Your rating: None

    Ubuntu Installation Guide

    The Ubuntu Install Guide for Mifos is located on our Developer's wiki. 

    0
    Your rating: None

    Using War Files

    This page is not for senior developers.

    ** What is a .WAR file? **

    Easy way to unpack/explode/expand a .war file

    1. Copy the war file into a new directory (to be certain you have a backup of it).

    2. Rename the the file to .zip.
      • Example: rename mifos. war to mifos.zip

    3. Extract the file into a new directory called mifos.

    You can also use unjar. (details to be added)

    The result will be something like these directories:

    • WEB-INF
    • META-INF
    • pages

    What can you do now?

    You can now make changes to files (like task.xml for batch files).

    If you do not know the directory structure well enough to find the file you need, use the Windows Search tool to find the file in the directory.

    You can use the files and deploy mifos

    Instead of just putting a .war file into the deployment directory of your web server, you can put the unpacked files. Using this method, you can change configurations (see above) easily.

    Example:

    Using Jetty as my servlet, I can copy the mifos folder (containing all the files that I expanded out of the .war) into C:\jetty-6.1.5\webapps and run mifos.

    How to create a new war file from your modified files

    If you would rather just unpack the .war, make your changes, and repack the .war, refer to the example below.

    You must have a Java SDK installed for this to work. How to install Java

    ::
    1. Go to the command prompt.
    2. cd c:\my_war_directory
    3. Run C:\my_war_directory>"c:\Program Files\java\jdk1.5.0_13\bin\jar.exe" -cvf mifos.war WEB-INF META-INF pages

    where

    • "my_war_directory" is the directory in which all your files reside.
    • "c:Program Filesjavajdk1.5.0_13binjar.exe" represents the location where your Java SDK is installed.
    • "mifos.war" is the name of your new .war file
    • "WEB-INF META-INF pages" are the names of the directories and files you want in the .war.

    0
    Your rating: None

    Configuration

    Mifos Configuration Guide

    Mifos Configuration

    The following topics are for system administrators and Mifos specialists configuring Mifos who are deploying Mifos.

    Overview

    The topics assume that you have installed Mifos and configured its third-party applications as described in Installing Mifos, and that you are ready to configure the administrative settings in Mifos. After you configure these settings, your Mifos deployment will be ready for you or someone else to create loan and savings products, add new clients and groups, open accounts for clients and groups, and configure reporting.

    The administrative configuration process involves two groups of settings, which should be configured at two different times:

    • Before you run Mifos: Certain administrative settings can only be configured when Mifos is not running. Among them are settings whose default values you have only one opportunity to change-before you run Mifos for the first time.
    • Before your users access Mifos: There are also administrative settings you should configure before your users access Mifos. You configure these settings via the Mifos user interface, on the Admin tab.

    Note for version 1.0 users: Changes since Mifos version 1.0 include moving install-time settings out of the database and into plain-text files. If you are using Mifos version 1.0, see Configuring Mifos version 1.0.

     

    Before you run Mifos...

    This section describes the install-time settings in Mifos, or those that can only be configured when Mifos is not running. It also describes install-time settings whose values can only be changed to non-default values once, before you run Mifos for the first time.

     

    About the One-Time Settings

    When Mifos runs for the first time, it writes values to its database. Although many of these values can be changed later, some cannot. Specifically, the values from the Chart of Accounts can only be written to the database once. Similarly, TRAPDOOR properties in the application configuration file can only be assigned non-default values once, before you run Mifos for the first time. After that point, a TRAPDOOR property value can only be changed to its default setting.

     

    Using a Custom Chart of Accounts

    The Chart of Accounts used by Mifos can be customized to exclude certain General Ledger (GL) accounts or use a different hierarchy of accounts. Note that you have only one opportunity to make these customizations, before you run Mifos for the first time.

    To customize the Chart of Accounts:

    1. Create a copy of the default Chart of Accounts configuration file that ships with Mifos and name it mifosChartOfAccounts.custom.xml.
    2. Customize mifosChartofAccounts.custom.xml as described in Chart of Accounts.
    3. Mifos 1.6.x and earlier: Place your customized file on the app server classpath before you run your first instance of Mifos in your final, production environment.
    4. Mifos versions greater than 1.6.x and trunk development:: Place your customized file in one of the MifosConfigurationLocations before you run your first instance of Mifos in your final, production environment.

    Note: Once Mifos is deployed, you won't be able to delete GL accounts or change the account hierarchy. See the bulleted lists below for more information.

    After Mifos is deployed, you can only make the following changes to your GL accounts:

    • Add new GL accounts (excluding top-level accounts)
    • Change account names (excluding top-level accounts)

    You cannot make the following GL account changes after Mifos is deployed:

    • Delete GL accounts
    • Create new top-level accounts
    • Modify top-level account names
    • Modify the account hierarchy (moving parents/children)
    • Modify GL codes
     

    Creating your own Financial Action Mappings

    Unlike the Chart of Accounts, financial action mappings can be customized any time Mifos is not running.

    GL accounts are used in conjunction with particular actions. For example, when principal is added to a new loan account (a credit), Mifos choses a GL account based on a mapping. The default mappings that Mifos uses are stored in applicationContext.xml, a file that ships with Mifos. For Mifos to function correctly, all actions must be mapped to an existing GL account.

    To customize the financial action mappings:

    1. Create a file named mifosBeanConfig.custom.xml.
    2. Customize mifosBeanConfig.custom.xml (see the example below).
    3. Mifos 1.6.x and earlier: Place your customized file on the app server classpath before you run your first instance of Mifos in your final, production environment.
    4. Mifos versions greater than 1.6.x and trunk development:: Place your customized file in one of the MifosConfigurationLocations before you run your first instance of Mifos in your final, production environment.
    5. The mappings will take effect once Mifos is restarted.

    Example

    Use the following as a starting point for creating your own mifosBeanConfig.custom.xml:

    		<?xml version="1.0" encoding="UTF-8"?>
<beans
       xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
    <bean id = "financialRules"
       class="org.mifos.application.accounts.financial.util.helpers.FinancialRules"
       abstract="false" factory-method="getInstance">
       <property name="actionToDebitAccount">
           <map>
               <entry key="PRINCIPALPOSTING" value="11201"/>
               <entry key="INTERESTPOSTING" value="11201"/>
               <entry key="FEEPOSTING" value="11201"/>
               <entry key="PENALTYPOSTING" value="11200"/>
               <entry key="ROUNDING" value="31401"/>
               <entry key="MANDATORYDEPOSIT" value="11201"/>
               <entry key="VOLUNTORYDEPOSIT" value="11201"/>
               <entry key="MANDATORYWITHDRAWAL" value="24000"/>
               <entry key="VOLUNTORYWITHDRAWAL" value="23000"/>
               <entry key="SAVINGS_INTERESTPOSTING" value="41000"/>
               <entry key="DISBURSAL" value="13101"/>
               <entry key="MISCFEEPOSTING" value="11201"/>
               <entry key="MISCPENALTYPOSTING" value="11201"/>
               <entry key="CUSTOMERACCOUNTMISCFEESPOSTING" value="11201"/>
               <entry key="MANDATORYDEPOSIT_ADJUSTMENT" value="24000"/>
               <entry key="VOLUNTORYDEPOSIT_ADJUSTMENT" value="23000"/>
               <entry key="MANDATORYWITHDRAWAL_ADJUSTMENT" value="11201"/>
               <entry key="VOLUNTORYWITHDRAWAL_ADJUSTMENT" value="11201"/>
               <entry key="WRITEOFF" value="13201"/>
               <entry key="RESCHEDULE" value="11201"/>
           </map>
       </property>
       <property name="actionToCreditAccount">
           <map>
               <entry key="PRINCIPALPOSTING" value="13100"/>
               <entry key="INTERESTPOSTING" value="31100"/>
               <entry key="FEEPOSTING" value="31300"/>
               <entry key="PENALTYPOSTING" value="31102"/>
               <entry key="ROUNDING" value="31401"/>
               <entry key="MANDATORYDEPOSIT" value="24000"/>
               <entry key="VOLUNTORYDEPOSIT" value="23000"/>
               <entry key="MANDATORYWITHDRAWAL" value="11201"/>
               <entry key="VOLUNTORYWITHDRAWAL" value="11201"/>
               <entry key="SAVINGS_INTERESTPOSTING" value="24100"/>
               <entry key="DISBURSAL" value="11201"/>
               <entry key="MISCFEEPOSTING" value="31301"/>
               <entry key="MISCPENALTYPOSTING" value="31102"/>
               <entry key="CUSTOMERACCOUNTMISCFEESPOSTING" value="31301"/>
               <entry key="MANDATORYDEPOSIT_ADJUSTMENT" value="11201"/> 
               <entry key="VOLUNTORYDEPOSIT_ADJUSTMENT" value="11201"/>
               <entry key="MANDATORYWITHDRAWAL_ADJUSTMENT" value="24000"/>
               <entry key="VOLUNTORYWITHDRAWAL_ADJUSTMENT" value="23000"/>
               <entry key="WRITEOFF" value="13101"/>
               <entry key="RESCHEDULE" value="13101"/>
           </map>
       </property>
   </bean>
</beans>

    You may notice that other unrelated sections from applicationContext.xml have been omitted. This is intentional. The code that parses this XML configuration file allows for partial changes, and only those settings specific to financial action mappings in mifosBeanConfig.custom.xml can be customized.

    Action names are actually constants in the FinancialActionConstants enum class. All actions must be mapped (except, currently, PENALTYPOSTING and REVERSAL_ADJUSTMENT) because Mifos assumes they are. For example, Mifos expects the mapping to contain a ROUNDING account. If the mapping doesn't exist, the application may crash or corrupt data because it cannot find an account with which to resolve rounded amounts.

    Values may be changed, but they must point to GL account codes as specified in the Chart of Accounts.

     

    Customizing the Application Configuration File

    Mifos ships with a default application configuration file (applicationConfiguration.default.properties) that controls many aspects of how Mifos is set up, including which currency and locale it uses, its accounting rules, and many other important settings. You should never edit this default configuration file directly. Instead, use the file applicationConfiguration.custom.properties to override the values you want to change:

    To use the custom application configuration file:

    1. Open the file applicationConfiguration.custom.properties in the conf folder of the Mifos install package. This file contains all the same properties and values as the default version.
    2. Uncomment the properties whose values you want to change and edit the values. Pay special attention to TRAPDOOR properties.
    3. Mifos 1.2.x and earlier: create a file named applicationConfiguration.custom.properties and place it on the app server classpath .
    4. Mifos versions greater than 1.2.x and trunk development: create a file named applicationConfiguration.custom.properties in one of the MifosConfigurationLocations.
     

    Locale

    The following settings in your applicationConfiguration.custom.properties file control locale in Mifos.

    Language

    In Mifos, settings for country and language work together to create a locale-specific user interface. Choose the language you want first, then use the CountryCode value that must be paired with that language.

    Property name: Localization.LanguageCode
    Mutability: Always
    Options: EN (English), ES (Spanish), FR (French)
    Default: EN

    Use the following table to determine which LanguageCodes and CountryCodes must be paired with one another:




    For locales using this language... use this CountryCode and this LanguageCode
    Spanish ES ES
    French FR FR
    English GB EN

    Example: Setting Localization.LanguageCode to FR and Localization.CountryCode to FR cause Mifos to display a French user interface.

     
    Country

    In Mifos, settings for country and language work together to create a locale-specific user interface. To get the language you want, it's possible that you will have to use a country code that doesn't reflect where Mifos will be installed.

    Property name: Localization.CountryCode
    Mutability: Always
    Options: ES (Spain), FR (France), GB (Great Britain)
    Default: GB

    Use the following table to determine which LanguageCodes and CountryCodes must be paired with one another:




    For locales using this language... use this CountryCode and this LanguageCode
    Spanish ES ES
    French FR FR
    English GB EN

    Example: Setting Localization.LanguageCode to FR and Localization.CountryCode to FR cause Mifos to display a French user interface.

     
    Direction

    If you are using a language that requires right-to-left, this setting can be used to set the direction of the text.  By default, this should be set to auto.  If your locale is set up correctly, the direction should be automatically set and this direction does not need to be changed.

    Property name: Localization.Direction
    Mutability: Always
    Options: auto, ltr, rtl
    Default: auto
     

    Accounting

    The accounting settings in applicationConfiguration.custom.properties tell Mifos which currency you want to use and provide information it needs to calculate repayment schedules, including how many decimal places of precision should be used, and how repayments should be rounded and adjusted.

    Currency

    The currency that Mifos uses.

    This setting causes Mifos to use currency set internally, in its calculations and database. Externally, you will see no effect. The user interface does not display currency symbols ($, £, etc.). This is a known issue.  This sets the default currency in Mifos.  All accounting rules without a currency code on the property applies to the default currency.

    Property name: AccountingRules.CurrencyCode
    Mutability: TRAPDOOR
    Options: 3 letter Alphabetical codes from this list - `ISO 4217 currency codes <http://www.iso.org/iso/support/currency_codes_list-1.htm>`_
    Default: INR

    Example: AccountingRules.CurrencyCode=INR causes Mifos to use the Indian rupee as the currency.

     If you want to use an additional currency for loan products, the setting is used to set an additional currency code.  Use the currency code to set specific rounding rules below for that currency.
    Property name: AccountingRules.AdditionalCurrencyCodes
    Mutability: TRAPDOOR
    Options: any currency code
    Default: none
    Number of interest-bearing days

    The number of days per year that should be used by Mifos in its interest calculations.

    This setting does not apply to meeting scheduling. The meeting calendar always has 365 days. This setting also doesn't apply to fees and penalties calculation and repayment schedule generation. Because of its dependencies, once you configure this setting, you should not change it. For example, in the case of a moratorium, the loan schedule is recalculated, and changing the number of interest-bearing days in a year could change the calculation results.

    Property name: AccountingRules.NumberOfInterestDays
    Mutability: Always
    Options: 360 or 365
    Default: 365

    Example: AccountingRules.NumberOfInterestDays=365 causes Mifos to use 365 days in its interest calculations.

     
    Number of digits after decimal

    The number of digits after the decimal that Mifos will carry for the currency.

    This setting interacts with the rounding mode settings: Rounding mode for currency, Rounding mode for repayments, and Rounding mode for final payment.

    While most MFIs use a value that represents the currency's finest level of precision, some do not. For example, the Tunisian dinar's smallest denomination is the milem, which is 1/1000 of a dinar. Instead of setting AccountingRules.DigitsAfterDecimal to 3, which would represent the dinar's finest level of precision, a Tunisian MFI might set AccountingRules.DigitsAfterDecimal to 2 (1/100 of a dinar).

    Property name: AccountingRules.DigitsAfterDecimal
    Mutability: Always
    Options: 0 - 5
    Default: 1

    Example: If AccountingRules.CurrencyCode=USD and AccountingRules.DigitsAfterDecimal=2, the number of digits Mifos will carry represents the currency's finest level of precision (1/100 of a dollar, or a penny).

    If you want to set a different digits after decimal that Mifos will carry for an additional currency, set another property with the currency code in the property name.  For example, if Mifos has been configured with an additional currency LBP, to set a different digits after decimal that Mifos will cary for LBP, use the property name AccountingRules.DigitsAfterDecimal.LBP.
    Number of digits after decimal for interest

    The number of digits after the decimal that Mifos will carry for interest.

    Property name: AccountingRules.DigitsAfterDecimalForInterest
    Mutability: Always
    Options: 0 - 5
    Default: 5

    If you want to set a different digits after decimal that Mifos will carry for interest in an additional currency, set another property with the currency code in the property name.  For example, if Mifos has been configured with an additional currency LBP, to set a different digits after decimal for interest that Mifos will cary for LBP, use the property name AccountingRules.DigitsAfterDecimalForInterest.LBP.

     
    Number of digits after decimal for cash flow validations

    The number of digits after the decimal that Mifos will carry for cash flow warning threshold.

    Property name: AccountingRules.DigitsAfterDecimalForCashFlowValidations
    Mutability: Always
    Options: 0 - 2
    Default: 2
     
    Maximum interest rate

    The maximum allowable interest rate.

    Unless you're advised otherwise by a Mifos specialist, use the default value for this setting (999).

    Property name: AccountingRules.MaxInterest
    Mutability: Always
    Options: 0 - 999
    Default: 999 (recommended)

    Example: AccountingRules.MaxInterest=999 means that the interest rate Mifos uses for its calculations can be as high as 999%.

     
    Minimum interest rate

    The minimum allowable interest rate.

    Unless you're advised otherwise by a Mifos specialist, use the default value for this setting (0).

    Property name: AccountingRules.MinInterest
    Mutability: Always
    Options: 0 - 999
    Default: 0 (recommended)

    Example: AccountingRules.MinInterest=0 means that the interest rate Mifos uses for its calculations can be as low as 0%.

    Minimum Cash Flow Threshold

    The minimum allowable cash flow threshold

    Property name: AccountingRules.MinCashFlowThreshold
    Mutability: Always
    Options: 0 - 99
    Default: 0

    Example: AccountingRules.MinCashFlowThreshold=0 means that the minimum allowed cash flow threshold for a loan product is 0.

    Minimum Cash Flow Threshold

    The maximum allowable cash flow threshold

    Property name: AccountingRules.MaxCashFlowThreshold
    Mutability: Always
    Options: 0 - 99
    Default: 99

    Example: AccountingRules.MaxCashFlowThreshold=99 means that the maximum allowed cash flow threshold for a loan product is 99.

    Minimum Repayment Capacity
    The minimum allowable Repayment Capacity.
     
    Property name: AccountingRules.MinRepaymentCapacity
    Mutability: always
    Options: 150 - 1000
    Default:: 150
     
    Example: AccountingRules.MinRepaymentCapacity=150 means that the minimum allowed repayment capacity for a loan product is 150.
    Maximum Repayment Capacity
    The maximum allowable Repayment Capacity.
     
    Property name: AccountingRules.MaxRepaymentCapacity
    Mutability: always
    Options: 150 - 1000
    Default:: 1000
     

    Example: AccountingRules.MaxRepaymentCapacity=1000 means that the maximum allowed repayment capacity for a loan product is 1000.

    Minimum Indebtedness Ratio
    The minimum allowable Indebtedness Ratio.
     
    Property name: AccountingRules.MinIndebtednessRatio
    Mutability: always
    Options: 0 - 50
    Default:: 0
     

    Example: AccountingRules.MinIndebtednessRatio=0 means that the mimimum indebtedness ratio for a loan product is 0.

    Maximum Indebtedness Ratio
    The maximum allowable Indebtedness Ratio.
     
     
    Property name: AccountingRules.MaxIndebtednessRatio
    Mutability: always
    Options: 0 - 50
    Default:: 50
     

    Example:AccountingRules.MaxIndebtednessRatio=50 means that the maximum indebtedness ratio for a loan product is 50.
     

    Rounding mode for currency

    How Mifos rounds currency amounts.

    This setting interacts with Number of digits after decimal.

    Property name: AccountingRules.CurrencyRoundingMode
    Mutability: Always
    Options: HALF_UP, FLOOR, CEILING
    Default: HALF_UP

    Example: Assuming that Number of digits after decimal is set to 1, a value of...

    • HALF_UP means that if the discarded digit is 5 or greater, the next digit is rounded up. 42.45 rounds to 42.5. 42.44 rounds to 42.4.
    • FLOOR rounds the amount down to the nearest digit even if the discarded digit is 5 or greater. 42.45 rounds to 42.4.
    • CEILING means that if the discarded digit is anything but zero, the next digit is rounded up. 42.41 rounds to 42.5.
     
    Rounding mode for repayments

    How Mifos rounds repayment amounts when it calculates repayment schedules except for the last scheduled repayment.

    This setting interacts with Number of digits after decimal.

    Property name: AccountingRules.InitialRoundingMode
    Mutability: Always
    Options: HALF_UP, FLOOR, CEILING
    Default: HALF_UP

    Example: Assuming that Number of digits after decimal is set to 2, a value of...

    • HALF_UP means that if the discarded digit is 5 or greater, the next digit is rounded up. 42.485 rounds to 42.49. 42.481 rounds to 42.48.
    • FLOOR rounds the amount down to the nearest digit even if the discarded digit is 5 or greater. 42.486 rounds to 42.48.
    • CEILING means that if the discarded digit is anything but zero, the next digit is rounded up. 42.481 rounds to 42.49.
     
    Rounding precision for repayments

    The decimal place repayments are rounded to when Mifos calculates the loan repayment schedule.

    The precision you use must be equal to or less precise than what you specify for Number of digits after decimal. This setting does not affect the last repayment use Rounding precision for final payment instead.

    Property name: AccountingRules.InitialRoundOffMultiple
    Mutability: Always
    Options: 1, 0.5, 0.1, 0.01, 0.001
    Default: 1

    Example: If the currency is...

    • INR, a value of 1 rounds to the closest whole rupee.
    • GBP, a value of 0.5 rounds to the closest 50 pence.
    • USD, a value of 0.1 rounds to the closest dime. If Number of digits after decimal is set to 1, this is the limit of precision, even though this currency has a smaller denomination (the penny).

    How rounding interacts with Number of digits after decimal: The value you use for Rounding precision for repayments cannot be more precise than what you use for Number of digits after decimal. For example, you cannot specify 2 for Number of digits after decimal and 0.001 (which requires three digits after the decimal) for Rounding precision for repayments. You can specify 3 for Number of digits after decimal and 0.01 for Rounding precision for repayments. Note that in this latter situation, the amounts stored in the database will use three decimal places but the amounts that you view in the Mifos user interface will use two.

    If you want to set a different Initial Round Off Multiple in an additional currency, set another property with the currency code in the property name.  For example, if Mifos has been configured with an additional currency LBP, to set a different Initial Round Off Multiple, use the property name AccountingRules.InitialRoundOffMultiple.LBP.
    Rounding mode for final payment

    How Mifos rounds the final scheduled repayment.

    See Rounding rules for loan payment schedules for a discussion of why you may choose to use a different rounding mode for the final repayment versus other repayments.

    Property name: AccountingRules.FinalRoundingMode
    Mutability: Always
    Options: HALF_UP, FLOOR, CEILING
    Default: CEILING

    Example: Assuming that Number of digits after decimal is set to 2, a value of...

    • HALF_UP means that if the discarded digit is 5 or greater, the next digit is rounded up. 42.485 rounds to 42.49. 42.481 rounds to 42.48.
    • FLOOR rounds the amount down to the nearest digit even if the discarded digit is 5 or greater. 42.486 rounds to 42.48.
    • CEILING means that if the discarded digit is anything but zero, the next digit is rounded up. 42.481 rounds to 42.49.
     
    Rounding precision for final payment

    The decimal place the final repayment is rounded to when Mifos calculates the loan repayment schedule.

    The decimal place you choose can't have a greater precision than what you specify for Number of digits after decimal. In addition, the degree of precision used for the final repayment cannot be greater than what you use for the other repayments see the examples.  Also, the setting must be greater or equal precision than InitialRoundingOffMultiple.

    Property name: AccountingRules.FinalRoundOffMultiple
    Mutability: Always
    Options: 1, 0.5, 0.1, 0.01, 0.001
    Default: 1

    Example: If the currency is...

    • INR, a value of 1 rounds to the closest whole rupee.
    • GBP, a value of 0.5 rounds to the closest 50 pence.
    • USD, a value of 0.1 rounds to the closest dime. If Number of digits after decimal is set to 1, this is the limit of precision, even though this currency has a smaller unit (the penny).

    How rounding interacts with Number of digits after decimal: The value of Rounding precision for repayments cannot be more precise than that of Number of digits after decimal. For example, you cannot specify 2 for Number of digits after decimal and 0.001 (which requires three digits after the decimal) for Rounding precision for repayments. You can specify 3 for Number of digits after decimal and 0.01 for Rounding precision for repayments. Note that in this latter situation, the amounts stored in the database will use three decimal places but the amounts that you view in the Mifos user interface will use two.

    About the precision used for final repayments: The precision you use for Rounding precision for final payments must be equal to or less precise than the precision you use for Rounding precision for repayments. For example, if you set Rounding precision for repayments to 0.5, you can only set Rounding precision for final repayments to 0.5 or 1 you can't set Rounding precision for final repayment to a finer degree of precision (0.1, 0.01, 0.001).

    If you want to set a different Final Round Off Multiple in an additional currency, set another property with the currency code in the property name.  For example, if Mifos has been configured with an additional currency LBP, to set a different Final Round Off Multiple, use the property name AccountingRules.FinalRoundOffMultiple.LBP.

     

    Calendar

    In Mifos, the fiscal year starts on January 1 and ends December 31. Use the Calendar section of applictionConfiguration.custom.properties to configure other aspects of the MFI's calendar, including which days are working days and how repayment meetings should be handled if a meeting falls on on a non-working day.

     
    Working days

    The days of the week that are workdays.

    Mifos uses the first day you specify as the start of the fiscal week. It uses the days you do not specify as non-workdays. You must specify at least one workday. Each workday you specify should be separated by a comma with no spaces on either side.

    Property name: FiscalCalendarRules.WorkingDays
    Mutability: Always
    Options: MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY
    Default: MONDAY,TUESDAY,WEDNESDAY,THURSDAY,FRIDAY,SATURDAY

    Example: FiscalCalendarRules.WorkingDays=MONDAY,TUESDAY,WEDNESDAY,THURSDAY,FRIDAY,SATURDAY causes Mifos to treat Monday as the start of the fiscal week, for reporting purposes, and Sunday as a non-workday.

     
    Schedule for meeting on non-working day

    How Mifos handles rescheduling a repayment or meeting when it falls on a non-workday.  There is still an existing issue here with same_day option.  Issue MIFOS-2226.

    This property applies to non-workdays.  Mifos can either schedule the repayment or meeting for the same day (regardless of it being a non-workday), the next workday, or the next scheduled meeting or repayment.

    Property name: FiscalCalendarRules.ScheduleMeetingIfNonWorkingDay
    Mutability: Always
    Options: same_day, next_working_day, next_meeting_or_repayment
    Default: same_day

    Example: If FiscalCalendarRules.ScheduleMeetingIfNonWorkingDay=same_day, repayments or meetings that fall on a non-workday will still be scheduled for that day. If the value is set to next_working_day, a repayment or meeting that falls on a non-workday will be rescheduled for the next workday.

     

    Clients

    Use the Client section of applicationConfiguration.custom.properties to refine how Mifos represents the MFI's hierarchy and control which entities can apply for loans.  This section also has settings on client information.

    Center hierarchy exists

    Does the MFI have one or more centers in its hierarchy? By default, Mifos assumes that an office is at the top of the hierarchy, followed by centers, groups, then clients.

    Property name: ClientRules.CenterHierarchyExists
    Mutability: TRAPDOOR
    Options: true (yes), false (no)
    Default: true

    Example: ClientRules.CenterHierarchyExists=false causes Mifos to use a hierarchy of 1. Office, 2. Groups, and 3. Clients instead of 1. Office, 2. Centers, 3. Groups, and 4. Clients. In other words, with a value of false, Center is excluded from Mifos' representation of the MFI's hierachy. Options involving centers are also removed from the Mifos user interface. For example, the Create new center option is removed from the left navigation bar of the Clients & Accounts tab. 

    Client can exist outside group

    Can clients be independent of groups or must all clients belong to a group? By default, Mifos assumes that a new client can be created without that client needing to be part of a group. Instead, the client need only belong to an office.

    Property name: ClientRules.ClientCanExistOutsideGroup
    Mutability: TRAPDOOR
    Options: true (yes), false (no)
    Default: true

    Example: ClientRules.ClientCanExistOutsideGroup=true allows you to create a new client that is assigned directly to an office instead of to a group, then to an office. To use this capability, when you are prompted to select a group in the new client creation process, click the link that reads "Click here to continue if group membership is not required for your client".

     
    Group can apply for loan

    Can groups apply for loans in addition to clients or can only clients apply for loans? By default, Mifos assumes that the entity applying for a loan can be a group or a client.

    Property name: ClientRules.GroupCanApplyLoans
    Mutability: TRAPDOOR
    Options: true (yes), false (no)
    Default: true

    Example: ClientRules.GroupCanApplyLoans=true allows groups, as well as clients, to apply for loans.

    Minimum Age for New Clients

    Set the minimum age for new clients entered into Mifos.  Setting this value to 0 means a minimum age will not be enforced.

    Property name: ClientRules.MinimumAgeForNewClients
    Mutability: Always
    Options: 0 -150
    Default: 0

    Example: ClientRules.MinimumAgeForNewClients=30 when entering a client, if their birthdate shows the client is younger than 30 years old, an error message will be displayed and the client cannot be entered.

    Maximum Age for New Clients

    Set the maximum age for new clients entered into Mifos.  Set this value to 150 if you do not want this enforced.

    Property name: ClientRules.MaximumAgeForNewClients

    Mutability: Always
    Options: 0 -150
    Default: 0

    Example: ClientRules.MaximumAgeForNewClients=60 when entering a client, if their birthdate shows the client is older than 60 years old, an error message will be displayed and the client cannot be entered.

    Process

    Use the Process section in applicationConfiguration.custom.properties to include or exclude optional steps when Mifos creates clients, groups, and accounts.  These settings will be DEPRECATED in the release after Mifos 2.0.

    Client pending approval state enabled
    Property name: ProcessFlow.ClientPendingApprovalStateEnabled
    Mutability: TRAPDOOR
    Options: true (yes), false (no)
    Default: true

    Workaround for setting to false In the Mifos database, execute the following command: UPDATE CUSTOMER_STATE SET CURRENTLY_IN_USE=0 WHERE STATUS_ID=2;

    To approve a newly added client:

    1. After you create a client in Mifos, click View client details now > Edit client status.
    2. In the <client name> - Change status pane, select Active then enter a Note.
    3. Click Preview > Submit
     
    Group pending approval state enabled

    If you use the default setting (true), an approval step is added to the process of adding a new group. Specifically, instead of a newly added group going straight to Active status, it goes to an Application Pending Approval status. Because of a problem with this property (issue 2252), don't use the properties file to set it to false. Instead, use the workaround below.

    Property name: ProcessFlow.GroupPendingApprovalStateEnabled
    Mutability: TRAPDOOR
    Options: true (yes), false (no)
    Default: true

    Workaround for setting to false In the Mifos database, execute the following command: UPDATE CUSTOMER_STATE SET CURRENTLY_IN_USE=0 WHERE STATUS_ID=8

    To approve a newly added group:

    1. After you create a group in Mifos, click View group details now > Edit group status.
    2. In the <group name> - Change status pane, select Active and enter a Note.
    3. Click Preview > Submit.
    Loan pending approval state enabled

    If you use the default setting (true), loans will go into pending approval after it is created. If you set this to false, loans are directly approved. We do not recommend this

    Property name: ProcessFlow.LoanPendingApprovalStateEnabled
    Mutability: TRAPDOOR
    Options: true (yes), false (no)
    Default: true

    Workaround for setting to false In the Mifos database, execute the following command: UPDATE ACCOUNT_STATE SET CURRENTLY_IN_USE=0 WHERE ACCOUNT_STATE_ID=2

    To approve a newly created loan account:

    1. After you create the account in Mifos, click View loan account details now > Edit account status.
    2. In the <account name> - Change status pane, select Application Approved then enter a Note.
    3. Click Preview > Submit.
    Savings pending approval state enabled

    If you use the default setting (true), an approval step is added to the process of creating a new savings account for a group or client. Because of a problem with this property (issue 2252), don't use the properties file to set it to false. Instead, use the workaround below.

    Property name: ProcessFlow.SavingsPendingApprovalStateEnabled
    Mutability: TRAPDOOR
    Options: true (yes), false (no)
    Default: true

    Workaround for setting to false In the Mifos database, execute the following command: UPDATE ACCOUNT_STATE SET CURRENTLY_IN_USE=0 WHERE ACCOUNT_STATE_ID=14

    To approve a newly created savings account:

    1. After you create the account in Mifos, click View savings account details now > Edit account status.
    2. In the <account name> - Change status pane, select Application Approved then enter a Note.
    3. Click Preview > Submit.
     

    Reporting

    Use the Reporting section in applictionConfiguration.custom.properties to customize some of the reporting- and repayment-related capabilities in Mifos.

    Upload Storage Directory

    Allows Mifos to upload both admin documents and report templates at a non-volatile location. A custom upload storage directory is reflected on the System Information page.

    Property name: GeneralConfig.UploadStorageDirectory
    Mutability: Always
    Options: $HOME stands for home directory of the logged in user  character '/' between sub-directories, or an absolute path C:/reports (use forward slash for paths on windows)
    Default: $HOME/.mifos/uploads

    Example:  GeneralConfig.UploadStorageDirectory=C:/reports 

    Allow backdated transactions

    Allows Mifos to accept transactions dated earlier than the current date.

    Property name: BackDatedTransactionsAllowed
    Mutability: Always
    Options: true (yes), false (no)
    Default: true

    Example: BackDatedTransactionsAllowed=true allows users to enter transactions that have dates earlier than the date on which the transactions are entered in Mifos. If the value is set to false, transactions must use the current date.

    Collection sheet data generation

    This setting has no effect--it works with a collection sheet batch job that was disabled in Mifos version 1.1. When the collection sheet batch job is enabled, this setting allows you to generate collection sheet data for a future meeting. The value you specify represents the difference (in days) between the current day and the future meeting day for which you want to generate collection sheet data.

    Property name: CollectionSheet.DaysInAdvance
    Mutability: Always
    Default: 1

    Example: If you set CollectionSheet.DaysInAdvance to 1, the batch job will generate collection sheet data for tomorrow's meetings (1 day from today). If you set it to 2, it will generate data for meetings that happen the day after tomorrow (2 days from today).

    Branch Manager name

    This setting is currently invalid.

    Property name: RolesAndPermissions.BranchManager.RoleName

    Import Transaction Order

    If you are using a plugin in Mifos that needs an order of accounts set for which the transactions should be applied, use this setting. 

    This example is for the MPESA plugin

    Property name: ke.co.safaricom.MPesaXlsImporter.ImportTransactionOrder
    Mutability: Always
    Default: none

    Example:  ke.co.safaricom.MPesaXlsImporter.ImportTransactionOrder = AL1, NL1, SP1

    where AL1, NL1, and SP1 are short names of the products to which you want to apply the transactions to. 

     
    MPESA Max Disbursal Limit

    If you are using the MPESA plugin in Mifos for Loan Disbursals, MPESA has a maximum limit for Loan Disbursals.  The default is at 50000 right now.

    Property name: MPESA.DisbursalMax
    Mutability: Always
    Default: 50000

    Example: MPESA.DisbursalMax=50000
     

    Batch Jobs

    Use the Batch Jobs section in applicationConfiguration.custom.properties to customize the batch job settings in Mifos.

     

    Batch Size for Batch Jobs

    You can set Hibernate cache size for batch jobs. 

    Property name: GeneralConfig.BatchSizeForBatchJobs
    Mutability: Always
    Default: none

    Example:  GeneralConfig.BatchSizeForBatchJobs = 50
     
    Record Committing Size for Batch Jobs
    This is the size of number of accounts to be stored in the database cache before they are committed
     
    Property name: GeneralConfig.RecordCommittingSizeForBatchJobs
    Mutability: Always
    Default: none

    Example:  GeneralConfig.RecordCommittingSizeForBatchJobs = 1000
     

    Adjusting Session Timeout

    By default, Mifos gives users up to 30 minutes of inactivity before it times out their sessions and requires them to log in again. To change this value, edit the following section in the deployment descriptor file, web.xml, which ships in the Mifos WAR at WEB-INF:

    		<session-config>
  <session-timeout>30</session-timeout>
</session-config>
     

    Scheduling Batch Jobs

    The data that you and other Mifos users work with is maintained by batch jobs, which are a series of scripts that are executed on the computer where Mifos is installed. These scripts perform calculations, act on the Mifos database, and ensure, for example, that the repayment information entered in Mifos today is reflected in the reports that are generated tomorrow. Keep the following tips in mind with regard to batch jobs:

    • By default, the Mifos batch jobs are scheduled to run every day at midnight.
    • For the batch jobs to run, the computer where Mifos is installed must be running.
    • If a user is logged in when the batch jobs start to run, they will be automatically logged out. No logins are permitted until the batch jobs complete.
    • Reports that are generated before the batch jobs are complete will not reflect the results of the batch jobs.

    Batch jobs are scheduled in task.xml. In Mifos version 1.3 and later, task.xml is placed in one of the MifosConfigurationLocations. In earlier versions, task.xml can be customized by editing the Mifos WAR (WEB-INF/classes/org/mifos/framework/util/resources/batchjobs).

    There is a 'Batch Jobs' page to display information about configured batch jobs. You can check the latest batch job status, its next start time and trigger details. Moreover, you can start selected batch jobs on-demand.

    See Managing Batch Jobs in Mifos for more information.

    Customizing your Database Connection

    Mifos version 1.2.x and older

    You can customize various aspects of your database connection, such as which host to connect to, the database name, your user name and password, as well as the connection pool settings, by placing a file called deploymifosDB.properties on the app server classpath while Mifos is not running. A sample of this file is in the Mifos install package, in the conf folder.

    Note: The file deploymifosDB.properties is based on hibernate.properties. If the latter changes in a future release of Mifos, your copy of deploymifosDB.properties may also require changes.

    Mifos versions greater than 1.2.x and upgrades

    See MigratingToPostV12DatabaseConfiguration for modifying your database connection if you upgrade from version 1.2.x to 1.3.x (or later). See LocalPropertiesFile if you've started with Mifos version 1.3.x (or later, including trunk development builds).

     

    Database-Configured Settings

    Some Mifos features are configured directly in the database. The settings described below are located in the config_key_value_integer table in the Mifos schema:

    • Loan Schedule Independent of Meeting (LSIM) allows loan payments to be scheduled independent of the meeting schedule. This feature is disabled by default. Note that this feature has some known issues (see issue 2005). To enable this feature, set the flag for repaymentSchedulesIndependentOfMeetingIsEnabled to 1 and apply your change.
    • The value for Minimum Days Between Disbursal and First Repayment is used when Loan Schedule Independent of Meeting is enabled. This setting determines how tight the interval can be between disbursing a loan and requiring the first repayment for same. The default value is 1, which ensures that a loan disbursal and the first repayment can never be less than one day apart.
    • The value for Maximum Days Between Disbursal and First Repayment Day is used when Loan Schedule Independent of Meeting is enabled. This setting limits the number of days that can pass between disbursing a loan and requiring the first repayment for same. The default value is 365.
    • Loan with Individual Monitoring can be used when a group opens a loan account. It lets you specify, at disbursal time, how much of the total loan amount each group member will receive. This feature is disabled by default. To enable it, set the flag for loanIndividualMonitoringIsEnabled to 1.
     
     

    Before your users access Mifos...

    After you define the administrative settings that can only be configured when Mifos is not running (including the one-time settings), it's time to configure some of the settings on the Admin tab in Mifos. Not every setting on the Admin tab is described here, just the fundamental ones that must be configured before another Mifos system user defines items like products, clients, groups, accounts, meeting schedules, and surveys.

     

    Starting Mifos

    To access the settings on the Admin tab, you need to start the Mifos application.

    To start Mifos:

    1. Execute the Tomcat script named startup.sh/.bat in CATALINA_HOME/bin (for example, C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin), or if Tomcat was installed as a service on Windows, navigate to Control Panel > Administrative Tools > Services to verify that the status of the Mifos service is Started.
    2. Next, visit http:///localhost:8080//mifos in a web browser.
    3. Enter mifos as your Username and testmifos as your Password.
     

    Customizing the User Interface

    The options in the Data Display and Rules group allow you to customize certain labels and list-box items, hide or require certain fields, and define new fields for additional information you want to collect.

     

    User Interface Labels

    To define labels:

    1. On the Admin tab, click the Define labels link under Data Display and Rules.
    2. Edit the label name you want to change.
    3. Click Submit.
     

    List Box Items (Look-Up Options)

    You can use Define Look-Up Options to populate the contents of list boxes. Once you add a look-up option and Mifos is in production, you should not remove it because it may be in use. Additional look-up options can be added after Mifos is in production.

    To create new list box items or edit existing items:

    1. On the Admin tab, click Define Look-up Options.
    2. Add or edit the options.
    3. Click Submit
     

    Required and Hidden Fields

    Use the Define mandatory/hidden fields link to designate which fields are viewable in various parts of Mifos, which are required, and which are hidden. Some sites that have interfaced with other systems have found the External id field useful as a required field.

    To make a field viewable, required, or hidden:

    1. On the Admin tab, click the Define mandatory/hidden fields link.
    2. Make your selections. If both the Hidden and Mandatory check boxes are cleared, the field is viewable and users can supply information for it, but it is not required. If the Mandatory check box is selected, a user cannot submit their changes without filling in that option. If Hidden is selected, the field is not within view.
    3. Click Submit.
     

    Create Additional Fields

    Use the Define additional fields option to create a new user interface option, for example, to collect information from clients that isn't already requested by Mifos. Use the View additional fields option to see which new options have already been created.

    To create a new field:

    1. On the Admin tab, click Define additional fields.
    2. Select the Mifos category under which your new field will appear. If you select Clients, for example, your new field will appear in the user interface options for new client creation.
    3. Provide text for the new label and whether the field's value is numerical or text. Optionally, you can also designate whether the field is mandatory and you can provide a default value for the option.
    4. Click Preview > Submit.
    5. To view your new field, click View additional fields then select the category.
     

    Defining Office Hierarchy

    Office hierarchy is Mifos' view of how your MFI is organized. Mifos uses the office hierarchy information you provide for a wide variety of essential actions, including creating users defining new clients and groups, managing transactions, and reporting. At minimum, Mifos requires two levels of hierarchy: a Head Office, provided by default (Mifos HO), and at least one Branch Office. At maximum, there can be five levels: Head Office, Regional Office, Sub-Regional Office, Area Office, and Branch Office.

    Defining office hierarchy in Mifos involves first removing office types that aren't represented in your organization and then adding those offices that are.

    To remove office types:

    1. On the Admin tab in Mifos, click the View office hierarchy link under Offices.
    2. Clear the check box(es) for office types that don't represent your MFI's organization. For example, if one or more Division offices aren't in your oganization's structure, clear the Division check box. You cannot remove Head Office and Branch Office as office types. They are required.
    3. Click Preview > Submit.

    To add offices:

    1. On the Admin tab, click the Define a new office link under Offices.
    2. Provide information for the new office. Any office types you removed in the above procedure are absent from the Office type list. You can only have one Head Office.
    3. Click Preview > Submit.
     

    Creating Roles

    After you define your MFI's office hierarchy in Mifos, it's time to create roles, which are collections of actions that a user can perform in Mifos.

    To create a role:

    1. On the Admin tab, click Manage roles and permissions under System users.
    2. Note that the Admin role is the only pre-defined role. Click the new Role link to create a new role.
    3. Provide a Role Name and select actions or groups of actions that a person can perform in this role.
    4. Click Preview > Submit.
     

    Creating Users

    Once you define roles in Mifos you can create the users who will be assigned those roles. There are two types of users in Mifos: Loan Officers or Non-Loan Officers. A Loan Officer can only belong to a Branch Office.

    To create a user:

    1. On the Admin tab, click Define new system user under System users.
    2. Click the office to which the user will belong.
    3. Provide information for the user, including their User Hierarchy (Non-Loan Officer or Loan Officer).
    4. Add Role(s) that the user will perform.
    5. Click Preview > Submit.
     

    Configuring Payment Types

    Mifos uses Cash as the default value for accepted payments.

    To specify a different or additional payment type: On the Admin tab under Data Display and Rules, click Define Lookup options.  Payment Modes can be added or changed here.

    To specify what payment types are accepted for each type of transaction: On the Admin tab under Organization Preferences, click Define accepted payment types.

     

    Setting Lateness and Dormancy Definitions

    Before loan and savings products can be defined, the default loan lateness and savings dormancy definitions should be reviewed and changed, if necessary. Both of these settings are configured on the Admin tab via the View lateness/dormancy definition link.

    • The loan lateness definition is the number of days of non-payment that can pass before Mifos changes a loan account's status from Active in good standing to Active-Bad Standing. The default value is 10 days.
    • The savings dormancy definition is the number of days of inactivity after which Mifos changes the status of a savings account from Active to On Hold. The default value is 30 days.
     

    Defining Holidays

    So that it can correctly calculate repayment schedules, Mifos needs to know what your MFI's holidays are and how you would like repayments handled if a repayment happens to fall on a holiday. Mifos can either schedule the repayment for the same day (regardless of it being a holiday), the next workday, or the next scheduled meeting or repayment. Note that in Mifos, holidays are different from non-workdays.

    To define a holiday:

    1. On the Admin tab, click Define new holidays under Organization Preferences.
    2. Provide information about the holiday and select a Repayment Rule.
    3. Click Preview > Submit.
     

    Information on Reporting and PPI Surveys

    As a system administrator you may also be reponsible for setting up reports for your users and adding a PPI survey to your deployment. Use the following links for more information:

    • Reporting in Mifos: Describes how to use BIRT (Business Intelligence Reporting Tools) to build and upload non-standard reports.
    • PPI Survey Conventions: Adding a PPI survey must be done at the source code level and requires assistance from a Mifos specialist. Use this link to learn about some of the requirements.

     

    0
    Your rating: None

    Mifos Configuration Locations

    See Mifos Configuration Locations on the developer wiki.
    0
    Your rating: None

    Upgrades

    Upgrading Mifos

    Guide on how to upgrade Mifos to a new version.

    The goal of this document is to serve as a general guideline for the steps to be followed when upgrading a customer to a new version of Mifos.

    Preparation Before Upgrade

    Before upgrading to a new version, collect the following information about the existing environment:

    1. Review version-specific upgrade instructions.
    2. Screen shot of the System Info page. This includes Mifos revision, DB revision, etc.
    3. Note server's environment usage - disk space available, memory available, CPU usage when current Mifos deployment is running.
    4. Note environment settings for Java including JAVA_HOME and JAVA_OPTS.
    5. Review the Mifos install guide to determine if the upgrade will require updates to supporting tools such as MySQL, Java, and BIRT. 
    6. Determine if upgrade is going to increment the Database revision. This will impact the rollback procedure. Need to document roll back procedure for both cases - DB version the same revision, and DB version triggers a DB upgrade. For documentation on manual MySQL database upgrades, please visit our wiki. 
    7. Backup BIRT reports
    8. Backup MySQL data

    Verification and Validation in Test Environment

    1. Install any necessary updates to supporting tools.
    2. Download Mifos upgrade and deploy on a test server that has a copy of the latest production data.
    3. Check system info page to confirm newer war has been deployed on test server.
    4. Monitor batch job processes on test server.
    5. Execute selected User Acceptance Tests to ensure functionality is working.

    Deploy in Production

    1. Schedule production deployment with users.
    2. Stop tomcat
    3. Backup MySQL data
    4. Install any necessary updates to supporting tools.
    5. Move existing mifos.war file from $CATALINA_HOME/webapps to safe backup location.
    6. Deploy new war file to $CATALINA_HOME/webapps.
    7. Delete $CATALINA_HOME/webapps/mifos .
    8. Delete $CATALINA_HOME/work/Catalina/localhost/mifos .
    9. Start Tomcat.
    10. Check system info page to confirm newer war has been deployed on production server.
    11. Restore BIRT reports that might have been removed during deployment of new war file.
    12. Monitor batch job processes on production server.
    13. Execute selected User Acceptance Tests to ensure functionality it working.

    Document and Monitor Upgrade

    1. Send upgrade results to your customer support representative to record your current environment.
    2. After users are back on the system, check log files for unexpected errors after upgrade.

    Version-specific Upgrade Instructions

    Version-specific upgrade instructions are maintained on our our wiki on MifosForge. 

    Upgrading from version 1.1.x or 1.2.x to version 1.3

    Upgrading from version 1.3 to version 1.4

    Upgrading from version 1.4 to version 1.5

    Upgrading from version 1.5 to version 1.6

    Upgrading from Mifos 1.6 to Mifos 2.0

     
     
    0
    Your rating: None

    Accounting Integration

    Overview of approach to integrating your accounting package with Mifos

    Mifos provides provides the flexibility  to provide integration between portfolio and transaction management across your MIS and accounting systems.  By providing full support for the general ledger, a fully customizable chart of accounts, and a transactional export mechanism in multiple formats, all financial and accounting data can be exported into your accounting system sychronizing the data between the two.

    The presentation below outlines several options for integrating Mifos with your accounting system that have been put in practice by MFIs throughout our community.

    In this section we'll also post the tools, techniques, and implementations that customers and community members have used to integrate Mifos with their external accounting system. 
    Accounting Integration in Mifos
     
     
     
    0
    Your rating: None

    Community Proof of Concepts

    Examples of semi-automated integrations of Mifos with accounting softwares

    Have you integrated your accounting package with Mifos? Want to share what you did with the community?  Please upload files for your accounting integration here and add a brief description by copying, pasting and following the sample format at the bottom of the page. 

    Mifos Peachtree Accounting Integration Proof of Concept

    Description: Through a simple PERL script which generates a .csv file of the general ledger data extracted from Mifos, this proof of concept demonstrates how one can automate the flow of data from Mifos into Peachtree via its import tool. 
    Accounting packages: Peachtree
    Programming language: PERL Scripts
    Contributor: Kay Chau, Grameen Foundation, Seattle, WA
    Customers Using: Please list if this is being used (or planned to be used) by any MFI customers
    Date Last Updated: Oct. 3, 2009 
    Proof of Concept Page: Please click here to view a Youtube video of the POC or download the .mp4 video.
     

    CrossTalk

    Description: CrossTalk is a GUI tool that helps design a custom chart of accounts and financial action mappings for Mifos, and exports accounting entries for transaction data in custom formats for import into another accounting package.
    Accounting packages: Tally and Peachtree will be supported initially
    Programming language: Microsoft C# 
    Contributor: krishnan m, Pune, India
    Customers Using: Release planned for September 2009
    Date Last Updated: 22nd August, 2009
    Proof of Concept Page: Please click here to view a screencast of CrossTalk, design documentation, and an RFC. 

    Sample Accounting POC

    Description: Please describe here how your accounting integration was built, what data it exports, how it integrates with Mifos and any links to additional relevant documentation
    Accounting packages: Please list what accounting packages this integrates to
    Programming language: List what languages this is coded or scripted in. 
    Contributor: Please list your name, title, and location
    Customers Using: Please list if this is being used (or planned to be used) by any MFI customers
    Date Last Updated: Please list the date this was last updated to keep relevant for our users. 
    Proof of Concept Page: Link to separate page and documentation
    0
    Your rating: None

    Crosstalk

    Information concerning the CrossTalk tool for accounting integration with Tally

    CrossTalk is a GUI tool that assists accounting integration with Mifos by exporting data in the format your accounting package will be happy with.

    Work on CrossTalk was begun in August, 2009

    Current information concerning CrossTalk:

    2. An early preview, as a screencast
    3. A design document (needs updating, as the code has been re-organized a great deal since this version of the design document)

    This information has been provided to request your feedback.
    Please feel free to edit this page and the documents and/or send feedback to kmlist [AT] yahoo [DOT] in OR to the developers mailing list.

    0
    Your rating: None

    Customer Accounting Systems

    Listing of accounting software used by Mifos customers

    What accounting system are you using? Please let us know in the comments section below.  Please list the name of your MFI, country, clients served, and current system:

     

    MFI country clients served current accounting system
    Grameen Koota India 450,000 Tally
    enda Tunisia 130,000 Sigma 
    Jitegemea Kenya 6,700 Pastel
    KEEF Kenya 13,500  Pastel
    ASOMI India  33,000 Tally
    Adhikar India 100,000 Tally
    SECDEP Philippines 8,000 Microsoft Excel 
     Al Majmoua Lebanon  16,000  Dolphin 
    Digamber Finance India 2,500 Tally
           

     

     

    Notes on Accounting/Cash Management for Current Customers

    Enda - Tunisia

    Uses a microsoft-based in-house developed application to mimic cash management at their branches. This is reconciled manually with Mifos at the end of the day which is a time consuming process that has led to delays in finalizing financial and operations reports. 

    KMBI - Philippines

    KMBI is implementing MS Dynamics and will be extracting data from Mifos and consolidating into the accounting systems.  Will be re-defining the accounting processes soon. At present, cash flow and bank reconciliation procedures are done manually, using Excel spreadsheets. The end objective is to produce the weekly cash flow/position report and perform bank recon procedures in Dynamics.  

    PAWDEP - Kenya

    PAWDEP is in the process of evaluating accounting solutions, they too will be extracting data from Mifos and consolidating into accounting system.  At present, using Loan Performer.  They input all cash receipts, disbursements and petty cash expenses in Loan Performer and are able to generate very simple (transactional) reports.  However, since they do not have a real accounting system, the process stops there and everything is manual from thereon.  They are looking at, more or less, the same setup as KMBI.

    Tally in India

    In India, we are also importing data from Mifos and posting them as vouchers in Tally.  We are using the built in cash management module in Tally to support the bank reconciliation process and also to support generation of P/L and B/S by branch.   Tally maintains a cash book where one can define bank accounts.  Since Mifos does not support bank accounts, we are looking at using the capability of Tally to be able to post and segregate the Mifos transactions into the proper bank accounts.  

    Grameen Koota

    Grameen Koota has built their own module - something that looks similar to Mifos that takes into account simple cash activities at the branch.  Previously when they were at 80 branches, they were still doing integration by hand and sent reports monthly to the HO.

    Cash Management Process

    Currently no standard process flow for cash management for our customers at the moment.  The MFIs that we have seen have varied processes and varied banking practices (this is the main challenge) and so it is difficult to define a generic process for cash management.

    Most Important Cash Management Needs

    1. To know the cash position by branch and consolidated (not to wait 10 days for this but to have this daily, if possible) 
    2. To be able to track deposits and disbursements for each depository bank that they have
    3. To be able to move funds between depository banks of branches and head office and keep track of these movements
    4. To be able to perform bank reconciliation properly, given no. 2
    5. Petty cash management 
    0
    Your rating: None

    Deployment Guide

    4
    Your rating: None Average: 4 (1 vote)

    Reporting

    0
    Your rating: None

    Built-in Standard Reports

    Built-in Mifos Report Templates

    Mifos ships with a set of five report templates that have been built using BIRT, a GUI tool used to design reports. Users can use these report templates as is, they can edit templates to suit their own needs by changing the layout or adding/removing fields, or they can build their own reports. Report templates are grouped into categories that can be defined and edited by users with the appropriate permissions. A user can attach permissions to a report to specify who can view, edit, and categorize the report.

    Generate a report. A user generates a report by selecting it from the Reports tab. The data included in the report is based on the user’s data scope and the parameters entered when generating the report. The report is displayed in PDF format, which can be downloaded. Accessing and using these reports does not require that BIRT (Business Intelligence and Reporting Tools) be installed. More information regarding the generation of each built-in Mifos report is provided later in this section.

    Edit a report category. Mifos ships with a standard set of report categories that are used to organize report templates. These can be viewed, edited, deleted, and added to from the Admin tab. Report templates are assigned to categories and displayed under these categories on the Report tab.

    Build a new report. Users can design and build their own report templates using either Java or SQL. They first need to download and install BIRT. For step-by-step instructions on how to build a report template in BIRT, see http://www.mifos.org/developers/wiki/HowToCreateBIRTReport.

    Customizing Built-in Reports

    MFIs can customize reports that ship with Mifos in the following ways:

    • Add/remove data fields displayed on reports
    • Add permanent field-level filters to the reports. For example, exclude a particular loan product from all loan portfolio calculations
    • Add filters to an existing field. For example, for a data field that displays the total outstanding loan amount, an MFI can add a filter so that the field displays the total outstanding loan amount for women clients. Users can also use custom fields as a way to filter information in a report.
    • Change the report layout by, for example, switching from a horizontal to vertical orientation or adding organizational logos or changing the report title.

    MFIs can also hide reports that are not used, so that they do not appear on the Reports tab.

    The report templates that ship with Mifos are described in the following paragraphs.

    Overview of the Standard Reports

    • Collection Sheet Report: Helps Loan Officers organize and prepare for their repayment collection meetings with clients and groups.
    • Branch Cash Confirmation Report: Assists management and accounting in tracking daily cash inflows and outflows.
    • Branch Progress Report: Helps management monitor office progress.
    • GL Report (Mifos 1.6.x): Lists transactions by GL code
    • Detailed Aging Portfolio at Risk (Mifos 1.6.x):

    You generate reports from the Reports tab. To change how the reports appear on the Reports tab or to edit the appearance of the reports themselves (by editing or creating your own reports templates), use the View report templates and Upload report templates links under Manage Reports on the Admin tab.

    Collection Sheet Report

    Loan officers use collection sheets, generated through the Mifos reporting feature, to identify the amount to be collected in the field from each client/group on meeting day or scheduled payment day. Information for the collection sheets is stored in a table listing the amounts that need to be collected from each client, including loan repayments, fees, penalties, recommended savings amounts, and any other dues that need to be collected. The reports also provide the amount of money that should be disbursed to each client at the meeting. The sheets are generated by selecting the Collection Sheet Report link from the Reports tab, and then selecting the branch, loan officer, and loan product for the report.

    The repayment figures on a collection sheet cannot be updated after the meeting day. If a collection sheet is generated for a past meeting day, the system will still display the status of each account prior to collections made at the meeting.

    To generate a Collection Sheet Report:

    1. On the Reports tab, click Collection Sheet Report.
    2. Select values for Branch, Loan Officer and Center.
    3. Enter the date of the meeting for which you want to run a report.
    4. Click Generate.

    To create your own Collection Sheet Report template:

    1. On the Admin tab, click View report templates under Manage Reports.
    2. To use the default Collection Sheet Report as a starting point for creating your own template, click the Download link for Collection Sheet Report.
    3. Save CollectionSheetReport.rptdesign locally.
    4. Open the above file in BIRT RCP Designer and give it a new name, thus preserving a backup.
    5. Edit your version of the .rptdesign file in BIRT.
    6. In Mifos, use the Upload link under Manage Reports on the Admin tab to upload your new report template.

    Branch Cash Confirmation Report

    The Branch Cash Confirmation Report lists a branch's daily cash inflows and outflows and is used to tally the day's accounting books. This report is typically used by management as well as accounting departments. 

    The report is filtered by branch office and lists total per loan product of amounts for principal, interest, fees, and total, and the same for what's due and what's in arrears for a certain date. 

    To generate a Branch Cash Confirmation Report:

    1. On the Reports tab, click Branch Cash Confirmation Report.
    2. Select a Branch.
    3. Enter a date.
    4. Click Generate.

    To create your own Branch Cash Confirmation Report template:

    1. On the Admin tab, click View report templates under Manage Reports.
    2. To use the default Branch Cash Confirmation Report template as a starting point for creating your own template, click the Download link for Branch Cash Confirmation Report.
    3. Save BranchCashConfirmationReport.rptdesign locally.
    4. Open the above file in BIRT RCP Designer and give it a new name, thus preserving a backup.
    5. Edit your new .rptdesign file in BIRT.
    6. In Mifos, use the Upload link under Manage Reports on the Admin tab to upload your new report template.

    Note: Currently this report is hardcoded to extract data from a database named 'mifos'.  If you have changed the name of the Mifos database, the report needs to be updated with the correct database.

    Branch Progress Report

     

    This branch-level report is consumed by the management and serves as a valuable aid in monitoring the progress of the office and making forward-looking decisions. It can be generated for any data in the past allowing comparative studies and trend analyses. It consists of a summary of active members and PAR, a detailed PAR analysis showing those loans at risk and in arrears, a breakdown of total funds disbursed and collected across our portfolio of loan products, and finally an assessment of staff based on number of clients handled, loans disbursed, and amount in arrears.

    Mockup/Spec: Branch Progress Report Mockup

    Sample PDF: Sample Branch Progress Report

    To generate a Branch Progress Report:

    1. On the Reports tab, click Branch Progress Report.
    2. Select a Branch.
    3. Enter the date as of which you want information.
    4. Click Generate.

    To create your own Branch Progress Report template:

    1. On the Admin tab, click View report templates under Manage Reports.
    2. To use the default Branch Progress Report template as a starting point for creating your own template, click the Download link for Branch Progress Report.
    3. Save BranchProgressReport.rptdesign locally.
    4. Open the above file in BIRT RCP Designer and give it a new name, thus preserving a backup.
    5. Edit your version of the .rptdesign file in BIRT.
    6. In Mifos, use the Upload link under Manage Reports on the Admin tab to upload your new report template.

     

    Detailed Aging Portfolio at Risk Report

    This report lists all loans that match the selected parameters and are in Active bad standing.

    A user with the appropriate permissions selects this report from the Reports tab. The user then specifies the parameters for the report, including the Branch Office, the Loan Officer, and the Loan Product. The choices displayed for the Loan Product include all loan products that exist for the entire MFI, including inactive ones, since there can still be active loan accounts for inactive products. The choices available for Branch Office and Loan Officer depend on the user’s data scope, as follows:

    • If the user is a loan officer, then the Branch Office defaults to the user’s branch and the loan officer name defaults to the name of the user.
    • If the user is a branch manager, the Branch Office defaults to the user’s branch and the Loan Officer defaults to All; the user can then select a specific Loan Officer from the list.
    • If the user belongs to the head office, he/she must first select a Branch Office. Once selected, the Loan Officer choices consist of that branch’s loan officers. The default is All.

    When the user clicks Generate, a report in PDF format is generated that displays all loans for the selected branch that are in active-bad standing, per loan product if one has been specified. If there are no loans in Active-bad standing, the error message “No results found” is displayed.

    Mockup / Spec: 

    Sample PDF: Detailed Aging Portfolio at Risk Report (.pdf)

     

    General Ledger Report

    This report is defined at the branch level.  The output is a daily summary of the financial transactions to the each of the GL accounts, including a breakdown of the debit and credit transactions to each account.  When running the report, the user specifies the branch and a date range for which to run the report.  The report will provide a summary for each day in that date range.  

    The user can then take this report and manually enter the summarized general ledger transactions into their accounting software. 

    Mockup / Spec:

    Sample PDF: General Ledger Report (.pdf)

     

    0
    Your rating: None

    Building your own Reports

    Documentation on building custom user-specific reports in the various reporting solutions (Pentaho, BIRT, Jasper)

    0
    Your rating: None

    Building Reports in BIRT

    Installing BIRT

    To customize the standard reports provided by default with Mifos or to create your own reports, you will need to download and install version 2.1.2 of the BIRT RCP (Rich Client Platform) Report Designer from Eclipse. The RCP version is required because it produces reports in the version (3.2.6) supported by the BIRT Report Viewer provided with Mifos. It also simplifies the Eclipse user interface so that only essential screens and options are presented.

    To install BIRT:

    1. Download, free of charge, the BIRT RCP Report Designer version 2.1.2.
    2. Accept the default installation location (for example, C:\Program Files\birt-rcp).

    Creating your own Reports

    Designing your Reports

    Designing your own report starts with planning it on paper or in a spreadsheet application like Excel. See the following sample: report designed in Excel.

    Data Extraction and Mifos

    If you are creating your own report, the data in the report can be extracted one of two ways:

    • Using an SQL query (recommended): In this approach, you create a new report in BIRT that includes an SQL query that you provide. When the report is generated, data is extracted over a database connection. The topics below describe this approach and assume a working knowledge of SQL.
    • Using a direct software connection: You can also use a direct software connection (or, in BIRT terminology, a scripted data source) to extract data. In this approach, BIRT interacts with the business logic layer in Mifos' Java code. Java knowledge is required. For more information, see Creating A BIRT Report Using A Scripted DataSource.

    For a technical overview on how BIRT interacts with Mifos, see Current Reports Architecture.

    Extracting Data Using SQL

    To create a custom report that uses SQL to extract data, use the procedure below. For help with steps you perform in BIRT, see the following in the BIRT RCP Designer online help: BIRT Report Developer Guide > Field Guide to BIRT > Learning the Basics > Tutorial 1: Building a Simple Listing Report.

    1. Open a new report in BIRT RCP Designer.
    2. Create a data source in BIRT, using the following values in the New Data Source wizard:
    • Data Source Name: Mifos Data Source
    • Driver Class: com.mysql.jdbc.Driver (what to do if this driver isn't listed)
    • Database URL: jdbc:mysql://localhost:3306/mifos (if you're creating reports locally)
    • User Name: root
    • Password: the default is mysql
    • JNDI URL: leave blank
    1. In the Query tool of your choice, write the SQL query. See SQL Query Tips for more information.
    2. In BIRT, create a data set. In the Query window, paste in the query you wrote in step 3.
    3. Create one or more input parameters in BIRT. See About Input Parameters below for more information.

    If com.mysql.jdbc.Driver isn't listed

    If com.mysql.jdbc.Driver isn't listed, download it from http://dev.mysql.com/downloads/connector/j/5.0.html and place the file mysql-connector-java-5.1.5.bin.jar in ...\mifos\build\src_pkg\WEB-INF\platform\plugins\ where ... is the path to your Mifos working copy. For example, on Windows: C:\subversion\projects\mifos-trunk\mifos\build\src_pkg\WEB-INF\platform\plugins, on Mac OS X or GNU/Linux: /home/user/svn/mifos-trunk/mifos/build/src_pkg/WEB-INF/platform/plugins/.

    SQL Query Tips

    As you write your query, keep the following in mind:

    • Look at the Mifos database: Using the sample report you designed in Excel and an application like MySQL Query Browser, view the tables and their columns in the Mifos database to determine what you need. The automatically generated Mifos schema diagrams are another resource. Pick the database link that corresponds to your Mifos database version. To determine your Mifos database version, run the following command on your Mifos database: select * from database_version
    • Sequence is important: Put your SQL query fields in the same order in which you want them to appear in your report.
    • Hash sign not recognized: BIRT does not recognize the hash sign (#). To include comments, use the following characters: /* comment */
    • Finish your query: Make sure your query is final before you paste it into the data set you'll create in step 4.

    About Input Parameters

    An input parameter is a value entered by the user. A series of input parameters, called cascading parameters, can dynamically filter, or constrain, the next option's possible values. The Collection Sheet Report uses cascading paramters.

    For steps on how to create input parameters (or in BIRT terminology, data-set parameters) see the following section in the BIRT RCP Designer online help: BIRT Report Developer Guide > Field Guide to BIRT > Enabling the User to Filter Data.

    Creating a Receipt Template (Administrative Documents)

    The Administrative Documents feature in Mifos allows you to generate a receipt for an account -- without having to use the Reports tab. You can also use this feature to generate other administrative documents specific to an account, such as vouchers and passbooks.

    To create a receipt template:

    1. In BIRT, open a new template. You do not need to specify a data source -- the Mifos database will be automatically used.
    2. Use the following parameters, in the following order:
    • userId
    • account_id
    • reportName
    1. In Mifos, upload the template using the Upload new Admin document link on the Admin tab. A receipt link will automatically appear on client loan account pages. Note the template must be a BIRT report design document which has an extension of '.rptdesign'.

    When you click an account's receipt link, the system automatically passes in the account ID of the loan account and generates a receipt, based on the BIRT template design you uploaded.

    Localizing your Report

    To add labels in another language:

    1. With your report loaded in BIRT RCP Designer, click the Layout tab.
    2. Select your report by clicking white space or a margin in your report.
    3. In the Property Editor window on the bottom, select Resources.
    4. Add resources using the following naming convention: [file name]_[language]_[country].properties. For example: EndaTransactionReport_fr_FR.properties and EndaTransactionReport_en_US.properties

    Tips for populating the properties file(s):

    • Take the raw column names, such as customer_name, government_id, etc., and add them to the .properties file(s). You can get them from the output columns in the data set or from the xml in the XML Source tab.
    • If you've already re-named the column headers with user-friendly names, you can type them into the .properties file.
    • Column header text must exactly match the text in the .properties file.
    • To run the report in BIRT RCP Designer in a specific locale, on the Windows menu of BIRT RCP Designer click Preferences > Report Design > Preview > Choose your locale. Note that the file name suffix must correspond to the locale. See Java locale naming conventions.

    Uploading and Editing your Report

    To upload and view your report:

    1. On the Admin tab in Mifos, click Upload report templates under Manage Reports.
    2. Provide the report name, choose the Reports tab category under which you want your report to appear, then click Preview > Submit.
    3. To view the report, click your report's name on the Reports tab, select and/or enter the parameters, then click Generate.

    To edit your report:

    1. On the Admin tab, click the View report templates under Manage Reports.
    2. Click Edit.

    Controlling Access to Reports

    Mifos allows you to control two things related to report security:

    • What Mifos users can do with reports (download, edit, delete, etc.).
    • Which report data users can see.

    You handle the first by associating report-related actions with specific user roles. You handle the second by incorporating one or more parameters in your report that are based on organizational hierarchy.

    Associating Report Actions with a Role

    To manage the permissions related to a report:

    1. Ensure that you are logged in as admin.
    2. On the Admin tab, click Manage roles and permissions under Manage Organization.
    3. Choose a role or create a new one.
    4. Select or clear the report permissions you want associated with that role.
    5. Click Submit.

    Hierarchy and Data Scoping

    If a report has parameters based on organizational hierarchy, a user's access to that report is affected by her position in the organization's hierarchy. For example, if a user is assigned to the Head Office, which is the top of the hierarchy, she can see all report data. If a user is assigned to Branch A, she can only see data for Branch A. If a user is a loan officer, she can only see data for her clients.

    0
    Your rating: None

    Understanding Mifos Data Model

    Tips on navigating Mifos data schema and database to run MySQL queries and build new reports.

    The Mifos Data Model can be tricky to understand.  Understanding the Mifos data model including the Mifos production database schema, Mifos Data Warehouse schema and where information lies in what tables is essential to building reports and extracting data.

    Linked to from this page are several resources to help you identify where to look for certain client and portfolio information that is stored in Mifos' MySQL Database.

    Mifos Data Schema

    A visualization of the tables in the Mifos database can be accessed from this Schemaspy output of the database

    SQL Query Repository

    On our developer wiki on MifosForge, we've created a repository of MySQL queries that are helpful in building out new custom reports in Pentaho, extracting data needed by management and Mifos users, and pulling out information from the Mifos database. Sample queries include number of loans outstanding, branchwise number of loans disbursed and amount disbured during period, etc.

    0
    Your rating: None

    BIRT Reports

    0
    Your rating: None

    BIRT Training Guide

    A BIRT training session put together for ENDA in June, 2008

    1. Database Exercises - An introduction to creating reports in BIRT, starting with writing SQL.  It also describes some of the key Mifos tables - customer, account, loan account, and loan schedule.
    2. Building the Approval Form in BIRT - This presentation explains how to create the query for a basic report called the Approval Form, then how to build the report in BIRT. See related files Approval Form with Cascading Report Parameters & Approval Form with Hidden and Cascading Report Parameters
    3. Aggregation Training - Explains how to add grouping and aggregation functions to a BIRT report.  Sample Report: Aggregation Demonstration Report
    4. Charts Training - Introduces creating charts in BIRT.  Sample Report: Chart Demonstration Report
    0
    Your rating: None

    Troubleshooting

    Troubleshooting

    A Common BIRT Error

    The following error indicates that you are using a BIRT extension of Eclipse, instead of the BIRT RCP:

    		ERROR [STDERR] Caused by: Error.DesignFileException.INVALID_XML - 1 errors found!
1.)  (line = 0, tag = null)
org.eclipse.birt.report.model.parser.DesignParserException
(code =  Error.DesignParserException.UNSUPPORTED_VERSION, message : The report
file of version "3.2.14" is not supported.)

    To resolve this error, install the BIRT RCP.

    Known Issues

    • The names of the branch, LoanOfficer, and loan product parameter that Mifos gets from the database are in alphabetical order, but in the BIRT parameter list, it has no order. This is due to a bug in BIRT that has been fixed in the latest BIRT 2.1.3 build.
    • According to the business logic, the best choice for the "loan number" column in report 1 is globalAccountNum. loan account id, another logical choice, is a sequential number in the database, each loan account id corresponds to one account. loan account id means nothing outside the Mifos database; !globalAccountNum does.
    • The method, "!getTotalPrincipleAmountInArrears" does not consider lateness, it only returns the principal that is overdue.
    • The default value of Branch parameter is "BSK", but the default value of LoanOfficer parameter is null.
    • LoanOfficer and LoanProduct should display "All".
    0
    Your rating: None

    Jasper Reports

    0
    Your rating: None

    Pentaho Reports

    0
    Your rating: None

    System Administration

    0
    Your rating: None

    Logging and Monitoring

    This is the starting point for information on maintaining and monitoring servers running Mifos in production. 

    0
    Your rating: None

    Logger Configuration

     

    System administrators can configure Mifos to log appropriate information about what the application is doing. Mifos uses the Apache Log4J 1.2 logging system. Log4J allows us to increase or decrease the information that is logged by setting the log level (INFO, WARN, DEBUG, FATAL, etc.) we are interested in. Only messages at this level of severity or higher will be logged.

    The logger configuration is done using the loggerconfiguration.xml file.

    • For versions 1.3 or later, this file can be placed in the .mifos directory - see MifosConfigurationLocations for more information. Make a copy of the existing loggerconfiguration.xml frommifos/src/main/resources/org/mifos/config/resources/loggerconfiguration.xml (loggerconfiguration.xml in the Mifos web svn viewer.)
    • For versions 1.2 and before, this file must be placed on the application server classpath atorg/mifos/framework/util/resources/loggerresources/loggerconfiguration.xml. If you are using Tomcat, the directory would be $CATALINA_HOME/lib/org/mifos/framework/util/resources/loggerresources/ (parent directories must be created). (loggerconfiguration.xml in the Mifos web svn viewer.)

    To set a loglevel for a particular component, you can configure a category by adding XML that looks like this (if it exists, just change the existing XML):

    <category name="org.mifos.application.collectionsheet"> 
  <priority value="INFO"/> 
</category>

    To log every JSP hit (only available in v1.3 and later), add:

    <category name="org.mifos.framework.struts"> 
  <priority value="INFO"/> 
</category>

    You might see lots of noise for warn messages from org.hibernate.engine.StatefulPersistenceContext?.ProxyWarnLog?, to suppress these warning use

    <category name="org.hibernate.engine.StatefulPersistenceContext.ProxyWarnLog" additivity="true">
   <priority value="ERROR"/>
</category>

    An explanation of this behavior is given here https://forum.hibernate.org/viewtopic.php?p=2404391

    Logging in the 1.2.x Releases

    • For versions after 1.2.2, logging org.mifos.application.bulkentry component is set to INFO. This means the application will log detailed information about page views and which records are being saved to the database for the Collection Sheet Entry system. You can override this logging by setting the the priority to a higher level, like WARN.
    0
    Your rating: None

    Monitoring Servers with OpenNMS

    DEPRECATED

     

    1   Intro

    OpenNMS is an open source network management platform that uses--among other protocols--Simple Network Management Protocol (SNMP) to monitor severs. It can be configured to send emails notifications out when disk usage is too high or when the server is thrashing, etc.

    The following instructions will show you how to sent up monitoring/notification when a disk is 90% full.

    2   Installing OpenNMS

    Steps to take during install/configuration:

    • follow install instructions
    • modify Service discovery and polling configuration (see below)
    • change org.opennms.core.utils.fromAddress to the email address of your choice in /etc/opennms/javamail-configuration.properties. This is the email address that OpenNMS will use to send out notification emails when a monitored server is having technical difficulties.
    • turned on notifications (Admin -> Notification Status: On)

    2.1   Adding servers to OpenNMS to monitor

    • Login as admin user
    • Admin -> Configure Discovery

    From here you can add a range of IP addresses to monitor.

    2.2   Adding or removing email address which receive outage notifications

    • Login as admin user
    • Admin -> Configure Notifications -> Configure Destination Paths
    • select Email-Admin and click Edit button below
    • click Edit button on right
    • click Add address on right (alternatively, select one and click "remove"
    • click "Next >>>" on left
    • click "Next >>>" again
    • click Finish

    If you mess up at any time (before clicking Finish), just navigate to a different page.

    Also note the "Initial delay" setting... if service is restored before the initial delay, notifications are not sent.

    2.3   Scheduled Outages

    Scheduling downtime will avoid false outage emails.

    • Login as admin user
    • Admin -> Scheduled Outages
    • Pick a name that describes why the outage will occur
    • Specify Nodes, Type, and Time, then check "All notifications"

    2.4   Service discovery and polling configuration

    Using this guide you can map your services on OpenNMS. For example, let's say that you run a service on your server named My Service and you would like OpenNMS to know about it so that it can monitor if the service goes down. You would monitor your OpenNMS configuration files like so:

    		<!-- added to capsd-configuration.xml -->
<protocol-plugin protocol="My Service" class-name="org.opennms.netmgt.capsd.plugins.HttpPlugin" scan="on">
    <property key="port" value="80" />
    <property key="timeout" value="3000" />
    <property key="retry" value="2" />
    <parameter key="url" value="/my-url/" />
    <property key="max-ret-code" value="202" />
</protocol-plugin>
 
<!-- added to poller-configuration.xml --> 
<service name="My Service" interval="300000" user-defined="false" status="on">
    <parameter key="port" value="80" />
    <parameter key="timeout" value="10000" />
    <parameter key="retry" value="3" />
    <parameter key="url" value="/my-url/" />
    <parameter key="ds-name" value="myService" />
</service>
<monitor service="Pootle" class-name="org.opennms.netmgt.poller.monitors.HttpMonitor" />

    If capsd-configuration is changed (for example, to add properties to a protocol plugin to make sure it is only discovered on hosts actually running that service), it may be necessary to manually delete corresponding rows in ifservices (those that map the service to a particular interface).

    Instead of telling OpenNMS "this services runs on this IP address", you generally tell it "here is how you recognize a service, and here is a list of IP addresses... figure it out!" While it is possible to be more explicit about what services run where, with a proper service discovery and polling configuration, less manual maintenance is required.

    2.5   Path outages

    OpenNMS supports a feature designed to suppress outage notifications if, for instance, a WAN link between the OpenNMS server and remote (monitored) servers goes down.

    3   Installing SNMP

    Now that you have OpenNMS installed, you will need to install SNMP on all the computers that you will be monitoring.

    3.1   Install Net-SNMP

    Install Net-SNMP. Net-SNMP is a suite of SNMP applications that you will use to configure SNMP on the computer that you want to monitored. If you are on a debian based system, you can install Net-SNMP by opening a terminal and typing: apt-get install snmp libsnmp-dev snmpd.

    3.2   Set up your snmpd.conf file

    snmpd.conf holds the configuration settings for SNMP. You can either edit the file directly by modifying /etc/snmp/snmpd.conf or by using the snmpconf configuration utility. Detailed information about snmpd.conf can be found here.

    An example of a barebones snmpd.conf is:

    		rocommunity public default .1
disk /

    This sets the read only community name to public and gives it access to viewing the whole SNMP tree. This means that anyone who tries to connect to this computer and use the public community will be able to read any SNMP value on it.

    The second line tells SNMP that / is the root directory of a disk that we would like to monitor.

    Now that you have correctly configured SNMP, if you type snmpwalk -On -v 2c -c public localhost 1.3.6.1.4.1.2021.9 into your commandline, you should see it print out a bunch of information on /.

    3.3   Setting up SNMP for outside access

    In order for OpenNMS to be able to read SNMP values from your server, you will have to perform one last step. Edit /etc/default/snmpd to say:

    		SNMPDRUN=yes
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid'

    All done! Now try connecting to your server on the computer that is running OpenNMS by typing: snmpwalk -On -v 2c -c public SERVER system except replace SERVER with the ip address or hostname of the server where SNMP was just installed.

    4   Setting up disk usage monitoring

    In this section, we will discuss how to set up disk usage monitoring in OpenNMS.

    4.1   Becoming familiar with the OpenNMS configuration files

    These configuration files are in the /etc/opennms/ directory and are important for understanding for disk monitoring.

    • datacollection-config.xml: This file is where OIDs are mapped to names that OpenNMS can understand. You may want to look at this document for more information on OIDs. If you search this document for "ns-dsk" you will be find where it maps disk OIDs to aliases.
    • thresholds.xml: This file is where thresholds are sent for events. For example, let's say you want to monitor if the disk usage ever gets to be above 90%. This is where you would set this threshold of 90%. In this file you will also set a second threshold, called the rearm threshold. Once the disk usage hits 90%, an event will be created to notify you. As long as it says above 90%, no new events will be made about it because that would be redundant. The threshold is "rearmed" (ie it can be triggered again) once the disk usage goes below the rearm threshold, which might be something like 75%.
    • eventconf.xml: As mentioned earlier, events are created once thresholds are exceeded. The event configuration file points to other event files. Each event file holds different kinds of events, and you will want to make to hold your custom events.
    • notifications.xml: This file contains the configuration for sending out email notifications for events. Events will simply show up in the OpenNMS web interface and never send out email notifications unless you configure this file as well.
    • notifd-configuration.xml: This file contains the configuration for automatic notification acknowledgments. You acknowledgment events via the web interface and by doing, so you clear it from the queue of events. Most events have a matching event (ie if disk usage goes above the threshold, an event will be made warning you that the disk usage is too high. When it goes back under the rearm threshold, a new event will be made to say that the disk recovered). As a result, if you set up automatic acknowledgments, if you acknowledge the second event (ie the rearm), the first event will automatically be acknowledged. Setting up notifications like this requires less code than setting them up without automatic notifications and so may be preferable. We'll give both ways to set up notifications in the following sections.

    4.2   Modifying the thresholds.xml file

    There should already be an entry in your thresholds file for disk usage. It should look something like this:

    		<threshold type="high" ds-type="dskIndex" value="90.0"
        rearm="75.0" trigger="2" ds-label="ns-dskPath" ds-name="ns-dskPercent"/>

    This mans that if the ns-dskPercent exceeds 90, then an event will be made. If it goes back lower than 75, the threshold will be rearmed.

    You will want to add your own custom threshold and rearm UEIs (Unique Event Identifier). Without custom UEIs, disk usage will be handled like all the other events that have thresholds of type high. This means that if you want to notification emails whenever there is high disk usage, you will have to turn on email notifications for all events with thresholds of type high. You probably do not want notifications for all high events, so let's go ahead and create custom threshold and rearm UEIs:

    		<threshold type="high" ds-type="dskIndex" value="90.0"
        rearm="75.0" trigger="2" ds-label="ns-dskPath" ds-name="ns-dskPercent"
        triggeredUEI="uei.opennms.org/YOURCOMPANY/ns-dskPercent-high"
        rearmedUEI="uei.opennms.org/YOURCOMPANY/ns-dskPercent-rearm" />

    Obviously, you will want to replace YOURCOMPANY with your company's name.

    4.3   Creating your custom event file

    Okay now we will need to create a custom event file that will have events for our custom UEIs that we created. An advantage to creating custom UEIs is that we can write customized descriptions. The ones that OpenNMS has by default are pretty generic and hard to read and so when you read the event message in the web interface, it is hard to understand what it means at first.

    Create a file in the events directory of your OpenNMS installation directory called YOURCOMPANY.events.xml where YOURCOMPANY is your company's name.

    		<?xml version="1.0" encoding="UTF-8"?>
<events xmlns="http://xmlns.opennms.org/xsd/eventconf">
    <event>
      <uei xmlns="">uei.opennms.org/grameen/ns-dskPercent-high</uei>
      <event-label xmlns="">Disk Usage Too High</event-label>
      <descr xmlns="">The disk usage on %parm[label]% on interface %interface% is too high.
          It is %parm[value]% percent full, which exceeds the high threshold of %parm[threshold]% percent.</descr>
      <logmsg dest="logndisplay">The disk usage on %parm[label]% on interface %interface% is too high.</logmsg>
      <severity xmlns="">Minor</severity>
      <alarm-data reduction-key="%uei%!%nodeid%!%parm[label]%" alarm-type="1" auto-clean="false" />
   </event>
   <event>
      <uei xmlns="">uei.opennms.org/YOURCOMPANY/ns-dskPercent-rearm</uei>
      <event-label xmlns="">Disk Usage Too High - Re-Armed</event-label>
      <descr xmlns="">Threshold rearmed for the disk usage for %parm[label]% on interface %interface.
           It was rearmed because the disk usage is less than or equal to the rearm threshold of %param[rearm]%.</descr>
      <logmsg dest="logndisplay">Threshold rearmed for the disk usage for %parm[label]% on interface %interface.</logmsg>
      <severity xmlns="">Normal</severity>
      <alarm-data
           clear-key="uei.opennms.org/YOURCOMPANY/ns-dskPercent-high!%nodeid%!%parm[label]%"
           reduction-key="%uei%:%nodeid%:%parm[label]%" alarm-type="2" auto-clean="true" />
   </event>
</events>

    %parm[label]% is the name of the disk you are monitoring, ie "/". %parm[value]% is the percentage that the disk is full. %parm[threshold]% is the threshold (ie 90%). %interface% is the interfact that this is happening on (ie the IP address of the computer). And %parm[rearm]% is the rearm threshold (ie 75%).

    The descr is the long description message that you see if you click on the event in the web interface. The logmsg is just the short message you see if you preview events in the web interface.

    4.4   Modifying the eventconf.xml file

    Now we need to put an entry into the event configuration file that says "look for our custom event file".

    In the second to last line in the file (above </events>) you should put:

    <event-file>events/YOURCOMPANY.events.xml</event-file>

    This will point to our custom file. You will have to replace YOURCOMPANY with your company's name.

    4.5   Modifying your notifications.xml file

    Now we have set up events but we have not set up email notifications for our events. In the second to last line (above </notifications>) you should put:

    		<notification name="Disk Usage Too High" status="on" writeable="yes">
     <uei xmlns="">uei.opennms.org/YOURCOMPANY/ns-dskPercent-high</uei>
     <description xmlns="">The disk usage for a monitored device is too high.</description>
     <rule xmlns="">IPADDR != '0.0.0.0'</rule>
     <destinationPath xmlns="">Email-Admin</destinationPath>
     <text-message xmlns="">The disk usage on %parm[label]% on interface %interface% is too high.
         It is %parm[value]% percent full, which exceeds the high threshold of %parm[threshold]% percent.</text-message>
     <subject xmlns="">Notice #%noticeid%: The disk usage on %parm[label]% on interface %interface% is too high.</subject>
</notification>

    You will have to replace YOURCOMPANY with your company's name.

    The status "on" option means that it is set to send out emails. (If you want to turn off notifications for this event temporarily, you can set it to "off"). The destinationPath is the saved email address that you want to send emails to. (See the "Adding or removing email address which receive outage notifications" section above).

    As mentioned in the notifd-configuration.xml section above, you can set up automatic acknowledgments, but you may not want to. Automatic acknowledgments require less code, but if you would like every acknowledgment to be acknowledged manually, then you will want to go ahead with entering a notification entry for rearm events:

    		<notification name="Disk Usage Too High Rearmed" status="on" writeable="yes">
     <uei xmlns="">uei.opennms.org/YOURCOMPANY/ns-dskPercent-rearm</uei>
     <description xmlns="">A monitored device has recovered from a high disk usage</description>
     <rule xmlns="">IPADDR != '0.0.0.0'</rule>
     <destinationPath xmlns="">Email-Admin</destinationPath>
     <text-message xmlns="">Threshold rearmed for the disk usage for %parm[label]% on interface %interface.
        It was rearmed because the disk usage is less than or equal to the rearm threshold of %param[rearm]%.</text-message>
     <subject xmlns="">Notice #%noticeid%: Low Threshold Rearmed for %parm[ds]% on node %nodelabel%.</subject>
 </notification>

    4.6   Modifying your notifd-configuration.xml file

    If you would like automatic acknowledgment instead, you will have to enter this in the line before there is an entry for <queue>:

    		<auto-acknowledge resolution-prefix="RESOLVED: "
    uei="uei.opennms.org/YOURCOMPANY/ns-dskPercent-rearm" acknowledge="uei.opennms.org/YOURCOMPANY/ns-dskPercent-high">
    <match xmlns="">interfaceid</match>
</auto-acknowledge>

    You will have to replace YOURCOMPANY with your company's name. This will tell it to make an email that has "RESOLVED" in the subject line when the interface of second event (the ns-dskPercent-rearm) matches interface that the first event (ns-dskPercent-high) was seen on.

    0
    Your rating: None

    Managing Batch Jobs

    A guide to running batch jobs and processes in Mifos

    Overview of Batch Jobs

    Batch processes (also known as cron jobs on Unix-based systems) are a series of back-end jobs on a computer that are executed through predefined scripts. Mifos currently has 9 of these batch processes which are scheduled to run nightly. The server must be running for the batch jobs to run.

    Mifos users will be automatically logged out when batch jobs run, and no logins are permitted until the batch jobs complete. 

    A message displays on the login screen indicating that cron jobs are running.  The recommendation is to run batch jobs after business hours.

    Reports run before batch jobs have been completed will not reflect the results of the batch jobs.

    Mifos Batch Jobs

    Please see Batch Jobs for a functional description of all batch jobs in Mifos.

    Setup and Configuration

    First, see the configuration guide.

    To change the batch job schedule in Mifos v1.3 or later, a custom task.xml can be copied out of source control and placed in one of the MifosConfigurationLocations. For earlier versions, you must follow the procedures below. If you have not worked with .war files, please refer to the UsingWarFiles wiki page.

    Options for Changing .WAR Files

    You must modify Mifos configuration files and then re-deploy the Mifos.  You can accomplish this task in two ways.  The option you choose will depend on how you deployed Mifos and what you feel comfortable doing.

    1) Unpack the .war file into the web server directory and modify the files.

    • Directions for unpacking .war files and using full directories in your servlet (Jetty, Tomcat, JBoss) can be found on the UsingWarFiles wiki page

    2) Unpack the .war, modify the files, create a new .war, and redeploy the .war file.

    Steps to modify  and repack .war files

    1) Unpack the.war file (see UsingWarFiles wiki page)
    2) Make the changes the the files as specified below.
    3) Rebuild the .war file using jar (see UsingWarFiles wiki page).
    4) Deploy the new .war file into the web server deploy directory

    Changing Batch Schedules

    Batch jobs are configured in task.xml.

    • There is a 'Batch Jobs' page to display information about configured batch jobs.
    • The above batch jobs run sequentially.
    • The initial starting time can be set in task.xml mentioned above.
    • Currently,  task.xml is configured by default to run every night at midnight.
    • The time is based on the server's system time.  On a Windows machine, system time will likely be local time.

    To change the batch jobs (you should review the items above on .war file options first):

    1. Stop Mifos application on the web server.
    2. Make the changes to task.xml. Please see Quartz Batch Jobs page for more details.

    Monitoring

    Batch Jobs can be managed in Mifos under Batch Jobs in the Admin section.  The Batch Job Scheduler is Active by default.  The Scheduler can be put in Stand-by Mode by clicking Suspend. 

    This section also allows running of each batch job individually.  Select the tasks to run, and click on Run Selected Tasks to run the batch jobs immediately.  Each scheduled task is listed with the following information:

    Property Description
    Next Start Lists when the next start time is for the scheduled task
    Previous Start Previous Start time for the scheduled task
    Most recent successful run Last successful Start time for the scheduled task (displayed only when the previous scheduled task run failed)
    Task Type CronTrigger or SimpleTrigger
    Task Priority Order in all batch jobs of which it is run.  If it is all the same, then it is just run in the order listed in the table.  Lower number takes higher priority and will be run first
    Previous run status Completed or Failed (also a detailed failure reason can be displayed here, if available)
    Cron expression (only for CronTrigger) Expression which determines when batch job should be started (Please read Cron Trigger Tutorial for a more detailed documentation)
    Repeat interval (only for SimpleTrigger) Number of milliseconds between successive batch job runs

     

    0
    Your rating: None

    Security

    0
    Your rating: None

    Security Overview

    Background

    This page is intended to gather information about network, application, and operating system security; to discuss strengths, weaknesses, and implementation details.

    Why Do We Need It?

    Mifos contains personal and financial data, which is often carried between the Mifos Server and users over the network. These data must be protected from unintended disclosure.

    Overview

    Ideally, the database and application servers would be on different subnets.

    Network

    Virtual Private Network

    A VPN normally provides secure, encrypted traffic over the Internet between nodes. See this Wikipedia page for lots of information.

    In the case of Mifos, one node will be the Mifos Server and others would be either single workstations or a group of workstation on an office LAN.

    There are commercial options, but the one considered here is OpenVPN with the OpenVPN GUI client installed on Windows workstations.

    This is a TLS/SSL VPN. The other main option is IPSec, with Openswan as an example. We have tried both and now use OpenVPN.

    Referring to the diagram, the users make their VPN connection to the firewall, then they use an internal IP address within the VPN session to connect to resources on the network. Suitable firewall rules are required.

    How To Build an OpenVPN Network

    Two options will be covered:

    A hybrid network combining both options can also be set up if you have a combination of remote sites with multiple computers and single-PC sites or mobile users.

    TLS/SSL (HTTPS)

    This is one of the most common ways to secure information in a browser session, and gives the familiar padlock icon to show a page is secure.

    Data is encrypted to a reasonable level - banks trust it - making interception of confidential information unlikely.

    Users are familiar with it: they will be used to seeing the padlock when they visit secure sites.

    The downside is that the MFI will need a server certificate, which costs money and may be an inhibiting factor.

    Free certificates are available CACert is an example, but their root certificate is not included in mainstream browsers and needs user intervention to install.

    Referring to the diagram, the users' sessions are directed to the web server or reverse proxy by the firewall and the traffic is decrypted there.

    Please see CertsAndSSL and this mailing list post for hints on forcing all Mifos requests through SSL when using the Tomcat servlet container.

    IP Limiting

    The IP addresses of the nodes allowed to connect to Mifos are defined in advance.

    I'll put in some more analysis later, but believe this to be the weakest option for a few reasons including:

    • Data is not encrypted unless some other mechanism is employed
    • It will fail for dynamic IP addresses, typical of dial-up or ADSL links

    Brainstorm/Summary

    • server security (database and application servers)
      • firewall only allows necessary connections, for example: MySQL and SSH
      • nonstandard ports used for SSH and MySQL services and/or denyhosts/fail2ban/tcp_wrapper rules to prevent brute-force attacks
      • only allow key-based authentication for remote SSH login
      • sudo used for all root access
      • tripwire for binary integrity checking (makes sure no programs change)
      • apparmor for mandatory system access controls
      • frequent audits of login attempts
      • VPN used between database and application servers, if co-located
      • frequent auditing and continual monitoring of CPU, memory, and disk
      • security updates for system software applied as available
    • application server (Tomcat)
      • secure connection via TLS/SSL (https)
      • only allowed IPs can connect (optional)
      • run as non-root user
    • database server (MySQL)
      • strong root password is set
      • encrypt all database traffic with SSL
      • connection from application only by non-root user with only the necessary permissions
      • run as non-root user
    • Data Center
      • Physical security standards | Information security standards ISO27k | Data center - SAS 70 Type I | Type II
    • external to Mifos / organizational
      • email communication between branches
        • always digitally signed with PGP or S/MIME
        • signed and encrypted when sensitive information is present
    0
    Your rating: None

    Certs and SSL

    0
    Your rating: None

    Security Recommendations

    1   Introduction

    TODO: security goals, see threat model

    2   Architectural Overview

    See the Mifos Architecture diagrams. These recommendations are based on the next generation system architecture.

    2.1   Security Overview

    TODO: outline security architecture fitting inside of Mifos' architecture.

    3   Security Recommendations

    TODO: the following list will be changed significantly by 27-AUG-2009.

    3.1   Security Components

    TODO: Here are the security components and how they work.

    3.1.1   Roles, activities and permissions

    TODO: Mifos uses a "bitmap" of roles and permissions that allows a user to perform actions that can be fine grained filtered.

    3.1.4   Physical security

    (Rationale: Micro-finance organizations and their branches can be very small and run out of an apartment or other available location, and operate in remote areas. It is likely that computing infrastructure has less-than-ideal location and is an easy target for theft, especially for hardware such as memory. Comment: perhaps this and other 'why' statements should move to the threat model or another location)

    1. Secure the servers and any network equipment that hosts Mifos and related software, using an enclosure (ideally, a rack) under lock-and-key.
    2. Any tapes or media used to store data backup from Mifos and related software must be stored safely and access restricted only to personnel authorized to use them.
    3. An asset register must be maintained that has information concerning hardware as well as media used to host Mifos

    3.1.5   Password Policies

    (formatting may be off for now...krishnan)

    #. Mifos default user password reset At the moment, the default user 'mifos' (having 'Admin' privileges) is not forced to change the first-use password, whereas other users are. Include this user within all policies for other users, including forced change of first-use password.

    #. Add self-service password reset Self-service password reset is the ability for a user to regain access to the system in the event they cannot recall their password. By setting up (a few) challenge-response questions, they can verify identity to the system which then allows them to set a new password.

    (Considering that most MFIs? do not have in-house e-mail, and that Mifos does not currently support e-mail communication with staff, it seems impractical for Mifos to try and e-mail users with change password links or reminders.)

    #. Add password aging Have Mifos force users to change passwords at a particular frequency (configurable for the organization by an administrator). The chosen frequency can only vary between certain hard limits (such as a lower limit of one week and an upper limit of 90 days). Only accept new passwords that differ from the existing password by a certain number of characters.

    #. User education about password policies Include a blurb that provides brief information about password policies within Mifos on relevant screens.

    (FUTURE) #. Provide a facility for administrators to review an exception log An exception log captures and reports events that may be considered suspicious.

    3.1.6   Deployment Recommendations

    (For now, we will include both packaging as well as installation recommendations here. Do we need to talk about deployment in different environments?...krishnan)

    1. Basic

    Add simple recommendations to secure the server, including a list of services to allow, a recommended firewall policy, and access via key pairs for administrators on the server, a policy concerning the application of patches, etc.

    Bundle a default self-signed certificate to use with Mifos out-of-the-box.

    Include simple instructions to generate and use public and private key pairs, to generate and install a self-signed SSL certificate, and to generate a CSR for obtaining certificates from a public Certificate Authority

    1. Changes to packaging and installation process

    Considering that Mifos may be deployed for organizations and locations that may lack the necessary skills to secure an installation, it is recommended to make relatively simple additions to the installation procedure for Mifos to secure it, such that users would have to deviate from the recommended installation to operate Mifos in an insecure fashion.

    #. Use SSL to access Mifos All user access via the browser must use SSL, at least in production environments.

    #. Secure communication between the Mifos web and database servers Setup SSL security in MySQL? and tunnel communication between the Mifos Java application and MySQL? using SSL certificates. (To

    1. Clean up all installation documentation and default configuration files to not use 'suggested' passwords (like 'mifos'). Any automated installation process that may be developed should prompt for a choice of credentials, rather than assume defaults.

    4   Threat Mitigation

    TODO: Please see Prioritized Threat Tables in the ThreatModel for mitigation mechanisms.

    (Krishnan to add material following Password Policies and Deployment Recommendations)

     

    0
    Your rating: None

    Threat model

    1   Introduction

    This document is an outline of the attacker's goals and capabilities that we need to consider for Mifos security. The threats in this document can be used to develop the Mifos security recommendations document.

    2   Scope

    Threats to the following components of a typical Mifos deployment are considered:

    1. User (Loan Officer),
    2. Network,
    3. Web Server,
    4. Database.

    The following threats are considered out of the scope of this document:

    1. Attacks involving physical access to a system hosting the Mifos software.
    2. Attacks on an underlying system hosting Mifos such as attacks on a virtual machine running a Mifos instance.
    3. Attacks on other systems using a Mifos database as a resource to build victims profiles.

    Note0: A stretch goal could be to make it hard to attackers to use the data in the database.

    Note1: Informative notes on the physical security of the system can be inserted.

    Note2: There's not much we can do to prevent attacks on other systems by using the data on a Mifos database beyond telling people not to use the same username/password on Mifos that they have on other systems.

    3   Scenarios

    3.1   Typical usage scenario

    The following steps outline in chronological order a new user (a Loan Officer) being added to the system and using it. These were extracted from the Mifos user manual.

    1. A new loan officer (LO) is assigned to a particular center (sub division of a branch).
    2. An account is created at the Head Office, and login credentials are sent to the LO via email.
    3. (Optionally) Assigns a 'custom' role with permissions to perform certain other actions.
    4. The new LO logs in for the first time (and is required to change the first-use password before proceeding any further)

    There is no additional setup steps and the Loan Officer can proceed to immediately add clients. The Loan Officer does the following:

    1. Create an account for a client
    2. Create or select a group (up to 30 people) for the new client
    3. Enters information about the new client
    4. Issues loans, which begins to track immediately
    5. Disburses the actual monetary loan

    The typical administration setup scenario for new Loan Officer are as follows:

    1. Admin->new system user
    2. Assign the Loan Officer to a center

    See chapter 3 of users guide for more details (comment: the user guide is outdated...)

    3.1.1   Example deployment scenario

    Physical outline: Two colocated machines

    1. One Web/Application server (Linux or Windows)
    2. One Database server (Linux or Windows)

    Network access:

    The web/application server allows incoming connections from the outside world on the following ports

    1. RDP (Windows) or SSH (Linux)
    2. HTTP
    3. HTTPS

    The database server allows incoming connections from the outside world on the following ports:

    1. RDP (Windows) or SSH (Linux)

    Additionally, the firewall allows incoming connections from the web/application server to the database server on the following ports:

    1. MySQL (3306)

    Depending on the environment and OS used, additional ports may be opened between the web/application server in the DMZ and a server in the secure subnet such as DNS, NTP, etc.

    The web/application server and the database server are on different subnets, typically with the web/application server in the DMZ and the database server in a secure subnet, behind a firewall allowing the connections above.

    Note3: Mifos is not connected to any financial systems, it is only used to track transactions that were made in the real world. Thus, the attacker's incentive is now based on identity theft, competitive advantage and denial of service. A successful attacker would have enough information to deplete a client's bank account.

    Note4: Recommend a method to minimize the threat of initial login credential compromise. E.g., if the initial credentials have to be sent via email, make Mifos automatically create a password that is intentionally hard to remember, thus giving the user an incentive to change the password. Recommend good password policy

    Note4.5: ssh must use private/public key pairs. Password authentication and root log on must be disabled.

    Note5: For additional scenarios, see the Mifos user manual.

    4   Threats

    [TODO This section needs some clean up]?

    What property do we want to ensure, against what adversary?

    1. Transactions about loans, savings
    2. Personal identification of clients (borrowers)
    3. Data privacy for personal data and financial transaction trails for customers
    4. Proprietary and competitive information
    5. loan/savings totals
    6. repayment rates

    Attackers

    Who is the adversary?

    1. internal user (attempting fraud)
    2. recently fired loan officer (DoS)
    3. identity thieves (client's information)
    4. competitor businesses (loan information)

    4.1   Attacker's Goals

    1. impersonation of clients (drain account, money laundering, payment of illegal activities)
    2. Malicious defacement or other damage to reputation
    3. Information leading to competitive advantages
    4. Identity theft
    5. Denial of Service

    4.1.1   Attacks against a client

    1. Obtain an individual's loan information
    2. Obtain an individual's bank account information
    3. Obtain an individual's personal identity information

    4.1.2   Attacks against a loan officer

    1. Obtain multiple clients loan information
    2. Obtain multiple clients bank account information
    3. Obtain multiple clients personal identity information

    4.1.3   Attacks against a system

    1. Retrieve information existing accounts (See client and loan officer attacks above) to gain competitive advantage
    2. Deny service

    4.2   Prioritized Threat Tables

    4.2.1   User (Loan Officer) Based Threats





    User Centric Threats
    Code Priority Threat Mitigation
    1-1 1 Compromised Loan Officer login credentials (either by the LO or during transit from Head office) force password change upon first login. (see Mifos user manual chapter 1.3)
    1-2 3 Compromised client bank account information (depends on 1-1)  
    1-3 2 Compromised client identity information (SSN; gov ID; address; phone; email) (depends on 1-1)  
    1-4 4 Compromised client loan information (subset of 1-2?)  
    1-5 8 Inaccessible system due to malicious activities  
    1-6 5 Scavenging of old data (leads to thread 1-1; 1-2 and 1-3) Secure deletion of old storage hardware (best practices)
    1-7 7 Activity analysis  
    1-8 6 Loss of equipment containing private information. (e.g. laptop stolen with password saved in browser) good password policies. (e.g. first letter in random phrase. Don't save password in browser.)
    1-9 N/A Loss of equipment containing private information. (e.g. laptop stolen with password saved in browser) Same as 1-8

    4.2.2   Database and Application Centric Threats





    Database and Application Centric Threats
    Code Priority Threat Mitigation
    2-1 1 compromise of backup user Perform backups from a secure box using only secured communication channels.
    2-2 2 Compromise of backup user's private key  
    2-3 3 SQL injection Sanitize inputs
    2-4 4 Access to execute arbitrary code (from limited account and root) Ensure system is fully patched (good patching policies). Open only ports that are absolutely necessary and time limiting them as needed.
    2-5 5 Access to read data. (remote) Any malicious user with access inside the firewall and credentials to the database. (local) Theft of physical hardware hosting the database.  
    2-6 6 Access to write (tamper) data. (Same as 2-5)  
    2-7 7 Access to destroy data (subset of 2-6) regular offline backups
    2-8 8 Compromise of data flowing between the web server and the database. Requires that the attacker has access to at least the DMZ network protect data between web server and db. TLS tunnel?
    2-9 9 Compromise of backup data  
    2-10 10 Configuration error best practices document

    4.2.3   Web Server Centric Threats





    Web Server Centric Threats
    Code Priority Threat Mitigation
    3-1 1 Access to replace valid software with malicious one  
    3-2   (subset of 3-1) Access to execute resident code (from limited account and root)  
    3-3   (repeat of 3-2) Access to execute arbitrary code (from limited account and root)  
    3-4 2 compromised Operating System good patching policy.
    3-5 3 Access to read data (secret configuration; e.g. SQL creds)  
    3-6   (same as 3-6) compromise of Mifos software Good backup policy
    3-7 4 Exploitation of side vectors to get to Mifos data. In a central hosted cloud Mifos would probably run in a virtual machine. A malicious process with access to another virtual machine on the same physical machine could do some damage depending on strong the checks on the hypervisor are. Another side vector is Tomcat. A vulnerability in that software could lead to a compromise of Mifos data to no fault of Mifos. Secure policy on virtualized components. Strip down all unnecessary software (recommend baseline like PCS) semi-automatic software update mechanism. (Tough. Need to avoid loss of service due to patching on very heterogeneous networks.)
    3-8 5 Software error (bug)  
    3-9 6 Configuration error. (Leaving default tomcat page...etc)  
    3-10 7 Unauthorized remote access to server. Typically through compromised credentials of maintenance and support staff. web server account set to a limited one with privs only to complete tasks needed.
    3-11   (repeat of 3-10) Compromise of administrative credential (e.g. administrator; software update; remote administrator)  
    3-12 8 Scavenging of old server (physical machine)  
    3-13 9 Physical theft of server or parts thereof.  
    3-14 10 Loss or compromise of Logs remote storage of critical logging information. Note: sanitize log info. print user ID and not what the user typed.

    4.2.4   Network Centric Threats





    Network Centric Threats
    Code Priority Threat Mitigation
    4-1 1 Eavesdropping of information use TLS
    4-2   (subset of 4-1) Modification (tampering) of information  
    4-3   (subset of 4-1) Replay of information  
    4-4 2 Man in the Middle during legitimate communication appropriate warning messages. CAcert? and don't ignore warning. Bullet proof docs for installation and maintenance of certs to minimize (or eliminate warning messages)
    4-5 4 compromise of credentials for remote maintenance  
    4-6 8 Corruption of time information to falsify timestamps Authenticated NTP with NIST. http://tf.nist.gov/service/auth_ntp.htm
    4-7 9 Exploitation of side vectors (other running programs) to get to Mifos data. Firewall with only port 80 (if necessary) and 443 open. Put Web server in DMZ.
    4-8 10 Denial of service  
    4-9   (subset of 4-8) Flooding of requests [TODO define requests]?  
    4-10   (subset of 3-8) Vector for remote exploitation. (Software bug)  

    5   Open Questions

    1. Is there enough information in Mifos for an attacker to deplete a client's bank account?
    2. What is a typical deployment scenario?
    3. What is a typical use case?
    4. Can we divide deployment into security categories (low, medium, high) to customize security requirements?
    5. RDP ports open to the outside world? VPN then RDP? logs?
    6. What is the motivation of an attacker

    6   Glossary

    • Activity analysis: The fact that a pipe (even secured) was established leaks information. Moreover, the frequency and timing of packets sent over that pipe leaks information as well.
    • Man in the Middle (MIM, MITM): An attacker sitting between the client and the server, pretending to be the client to the server and pretending to be the server to the client while being able to see and tamper with any information between the legitimate client and server.

    7   References and tools

    0
    Your rating: None

    Workstation Open VPN

    How to set up OpenVPN to support Windows Workstations

    Objective

    To provide encrypted and authenticated connectivity between remote workstations and a central server.

    /images/Network.jpg/image_preview

    Background

    The HOWTO is based on the work log from a recent installation and this was used for another implementation currently under test.

    Environment

    Server

    This has been installed on Debian etch and should work on Debian-based distributions such as Ubuntu.

    There are HOWTOs on the Internet for Red Hat/Fedora. I would expect them to work for CentOS as well, but we have no suitable system to test them.

    Workstations

    Windows XP Pro SP2 and SP3. Testing will be undertaken on Vista and a Linux workstation in the near future.

    Note: We are currently running under an Administrator account on the Windows workstations. This is not good practice and we will be testing the instructions for running under a normal account shortly.

    Assumptions

    You have a working Linux system connected to the network and are able to make firewall changes to open the necessary port, configure forwarding and so on.

    As a minimum, you will need to open UDP port 1194 and, if the OpenVPN server is on a different box to the firewall, redirect port 1194 to that server.

    Our installations have OpenVPN on the firewall.

    You have a way of finding your server on the Internet

    In our case we have a DNS record like vpn.example.org pointing to the external IP address of the VPN server. To further complicate matters the server is connected to the Internet via an ADSL modem and the IP address changes at our ISP's whim. We use ddclient to maintain a record at DynDNS.org, so vpn.example.org is a CNAME record pointing to the DynDNS A record which points to our dynamic IP address. With me so far?

    You can see this in real life by doing this:

    	dig mifos.kula.co.nz

    Recommendations

    Your internal network should use a RFC 1918 private address range for devices that are not directly exposed to the Internet.

    You should assign a suitable address range for the VPN - we'll need this later.

    Server Configuration

    In the lines below <network name> corresponds to example.com - your domain name - and <server name> to vpn.example.com - the external name of your VPN server.

    All commands are run as root.

    Install OpenVPN:

    	apt-get install openvpn

    The openvpn process will have been started by the installation.

    Stop it while we set up the server:

    	/etc/init.d/openvpn stop

    Copy the sample server.conf file to /etc/openvpn, unpack it, and edit to match your local configuration with the editor of your choice:

    No vi/emacs flamewars, please!

    	cd /etc/openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz .
gunzip server.conf.gz
vi server.conf
    • change the line starting server to match the VPN subnet you chose above. In our case it is server 10.19.3.0 255.255.255.0.
    • change the line starting push to push a route to the clients so they can reach subnets behind the server. In our case we want to access a Samba server with Windows shares in a DMZ on the 10.19.1.0 subnet: push "route 10.19.1.0 255.255.255.0".
    • we recommend that you leave the line ;duplicate-cn alone. It will make for more work later, as each client will need its own certificate, but makes it trivial to cancel access for an individual client.

    Copy the easy-rsa directory to /etc/openvpn

    	cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

    Build a new CA cert using easy-rsa:

    Note: there is a space between "." and "vars". I missed it the first time.

    	cd /etc/openvpn/easy-rsa
. vars
./clean-all
./build-ca
cp keys/ca* ..

    Build a server key:

    	./build-key-server <server name>
(commonName: <server name>)
cp keys/<server name>.{key,crt} ..
cd ..
ln -s <server name>.crt server.crt
ln -s <server name>.key server.key

    Generate Diffie Hellman parameters:

    	./build-dh
cp keys/dh1024.pem ..

    Test by running:

    	cd /etc/openvpn
openvpn server.conf

    Expect to see something like this:

    	Sat Jul 26 13:41:58 2008 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Sat Jul 26 13:41:58 2008 Diffie-Hellman initialized with 1024 bit key
Sat Jul 26 13:41:58 2008 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jul 26 13:41:58 2008 TUN/TAP device tun0 opened
Sat Jul 26 13:41:58 2008 ifconfig tun0 10.19.3.1 pointopoint 10.19.3.2 mtu 1500
Sat Jul 26 13:41:58 2008 route add -net 10.19.3.0 netmask 255.255.255.0 gw 10.19.3.2
Sat Jul 26 13:41:58 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jul 26 13:41:58 2008 GID set to nogroup
Sat Jul 26 13:41:58 2008 UID set to nobody
Sat Jul 26 13:41:58 2008 UDPv4 link local (bound): [undef]:1194
Sat Jul 26 13:41:58 2008 UDPv4 link remote: [undef]
Sat Jul 26 13:41:58 2008 MULTI: multi_init called, r=256 v=256
Sat Jul 26 13:41:58 2008 IFCONFIG POOL: base=10.19.3.4 size=62
Sat Jul 26 13:41:58 2008 IFCONFIG POOL LIST
Sat Jul 26 13:41:58 2008 Initialization Sequence Completed

    Control-C to cancel and then start it properly:

    	/etc/init.d/openvpn start

    Workstation Configuration

    On the Server

    Create a simple client config for based on the sample:

    		cd /etc/openvpn
mkdir clients
cd clients
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf .

    Edit to suit:

    		vi client.conf
    • change the line starting remote to include <server name> as above - this is how the client finds the server. For example: remote vpn.example.com 1194.
    • as I connect to multiple clients, I change ca ca.crt to ca <server name>-ca.crt with a corresponding change noted below at [1].
    • I think that's all we changed, but make sure the tun and proto lines match your server.

    Build workstation keys for betty:

    		cd /etc/openvpn/easy-rsa
./build-key betty.<network name>
(commonName: betty.<network name>)

    Create certificates and other client files:

    		cd /etc/openvpn/clients
mkdir betty
cd betty
cp ../client.conf mv <server name>.ovpn
cp /etc/openvpn/ca.crt . [1]
cp /etc/openvpn/easy-rsa/keys/betty.<network name>.{crt,key} .
mv betty.<network name>.crt client.crt
mv betty.<network name>.key client.key

    [1] In my case, this will be:

    		cp /etc/openvpn/ca.crt <server name>-ca.crt

    as per the comment above.

    On the Workstation

    Download and install the OpenVPN GUI Client

    Copy the files from the server in /etc/openvpn/clients/betty to C:\Program Files\OpenVPN\config.

    The OpenVPN GUI client should be running in the system tray.

    Click right on its icon, then select your target server from the context menu and then "Connect".

    Viola!

    If it doesn't work, it's the firewall, dummy. At least it was for me. I could establish a VPN connection immediately, but couldn't connect to any resources. The answer was that the firewall didn't allow traffic from the DMZ back to the VPN.

    I can now connect to network shares in the DMZ and access an internal web server.

    Server Firewall Rules

    We use iptables on our servers. The following lines should give you the flavour:

    Create /etc/ipmasq/rules/V00OpenVpn.rul

    For the network discussed above, where eth0 is the external interface, the contents will be:

    		# OpenVPN

# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

# Allow TUN interface connections to get out
iptables -A OUTPUT -o tun+ -j ACCEPT

# We want to allow routing from OpenVPN tunnels.
iptables -t nat -A POSTROUTING -o eth0 -s 10.19.3.0/255.255.255.0 -j MASQUERAD
iptables -A FORWARD -i tun+ -o eth0 -s 10.19.3.0/255.255.255.0 -j ACCEPT
    0
    Your rating: None

    Data Migration

    Here we cover some tips and strategies for migrating data from a legacy system into Mifos.  

    Migration Dependencies

    Data Description Dependencies
    Mifos Config Information Includes database settings, properties files, localization settings, definition of office hierarchy, additional fields, look up options etc None
    Office & Related Information Includes details of the head office and the various branches Config Info
    Personnel& Related Information Includes details of all the users of the system Config & Office Info
    Customer & Related Information Includes the details of the customers of the MFI Config,Office & Personnel Info

    Manual Data Entry

    Before beginning any data migration you should evaluate what pieces of data may be better served by doing manual data entry.  Most of this has something to do with the Admin screen in Mifos, but there may be other areas to consider as well. 

    The following is a list of some of the areas you should consider entering in manually before beginning your data migration.

    No. Fees Related actions from Admin Screen Notes
    1 Define a new fee Mifos Tables Hit are : FEES, FEE_FREQUENCY
     
    No. Product Related actions from Admin screen Notes
    1 Define Product Categories If necessary
    2 Define new Loan/Savings Product  
    3 Define Product Mix  
     
    No. Office & Personnel Related actions from Admin screen Notes
    1 Define a New office Office Details
    2 Define Office Hierarchy  
    3 Define new System User Personnel Details
    4 Manage Roles and Permissions  
     
    No. Defining Additional Data from Admin screen Notes
    1 Define Additional Fields The extra information (data fields) in the MFI Legacy system that need to be captured in Mifos are defined here
    2 Define Look up Options The drop down values for certain data fields are defined here
    3 Define Labels Any existing Labels on the UI of the application are changed here
    4 Define Mandatory Fields Fields are tagged as Mandatory or Hidden here
     
    No. DB Configuration Notes
    1 Localization Settings : Language http://www.mifos.org/developers/wiki/ConfiguringMifos#application-wide-i...
    applicationConfiguration.custom.properties
    2 Application Settings Enable features that are required in this DB table: config_key_value_integer
    3 View Organization Settings Link from the Admin Screen applicationConfiguration.default.properties
    4 Custom properties applicationConfiguration.custom.properties
    5 Office Hierarchy of the MFI Part of the DB Settings & properties files settings.
    It can also be set using Admin Tab--> Define Office Hierarchy
    6 Holiday Configuration Admin Screen --> Define new holidays. Define repayment rules for each holiday.
    Repayment rules are not loan specific in Mifos, 
    7 GL Codes GL Codes can only be added, the codes shipped with Mifos  cannot be modified.
    For more details refer to - http://mifos.org/developers/wiki/ConfiguringMifos#using-a-custom-chart-of-accounts

     

    Inserting Customer data

    The following is a list of the tables one must insert data into in order to successfully create a customer.

     

    No. UI Action Tables Affected - Inserts and Updates Notes
    1 Create a Customer insert into CUSTOMER Data from UI
    One Entry per Customer
        insert into CUSTOMER_DETAIL Data from UI
    One Entry per Customer
        insert into CUSTOMER_ADDRESS_DETAIL Address Data from UI
    One Entry per Customer
        insert into CUSTOMER_NAME_DETAIL Client's & Dependant's Name Detail from UI
    Two Entries per Customer (for the Client and Spouse/Father)
        Insert into CUSTOMER_CUSTOM_FIELD Additional Data from the source as defined will be stored here
    Entries per Customer is dependent on the number of additional fields defined
        insert into ACCOUNT A customer account is created
    Can have more than one entry per Customer
        insert into CUSTOMER_ACCOUNT Contains list of Customer accounts created
        insert into CUSTOMER_MEETING Based on the meeting schedule of the group/center which he is a part of or for a client who is not part any group/center a separate customer meeting is created
    One Entry per Customer
        insert into CUSTOMER_SCHEDULE Based on the meeting schedule of the group & the MFI  Holiday schedule , a repayment schedule for 10 installments in created when a client is created
        insert into CLIENT_PERF_HISTORY or GROUP_PERF_HISTORY Mifos inserts 2 metrics namely total active loans & last loan amt. The other Metrics are calculated on the fly in the Mifos code, there are no inserts made to the DB
    One Entry per Customer
     
    2 Edit Customer Status insert into CUSTOMER_NOTE Note captured from UI
    Can have more than one entry per Customer
        insert into CUSTOMER_FLAG_DETAIL The reason for closing a customer is captured
    One entry per Customer
        insert into CHANGE_LOG An entry is made when any existing information is updated
    One Entry per Submit Action
        insert into CHANGE_LOG_DETAIL Details of the actual fields updated is captured here
    More than one entry per Submit action.Number of entries depends on the number of fields changed
        update CUSTOMER Update the details that were changed
     
    3 Move a Customer from One Group/Center to another insert into CUSTOMER_HIERARCHY An Entry is made to track Customer movement between groups/centers within the same office or between offices.
    Can have more than one entry per hierarchy per customer.
    Only one active hierarchy exists for a customer at any point of time
        insert into CUSTOMER_MOVEMENT An Entry is made to track Customer movement between offices
    Can have more than one entry per customer per movement
    Only one active movement  exists for a customer at any point of time
        update CUSTOMER Update the details that were changed
     
    4 Edit MFI information insert into CHANGE_LOG An entry is made when any existing information is updated
    One Entry per Submit Action
        insert into CHANGE_LOG_DETAIL Details of the actual fields updated is captured here
    More than one entry per Submit action.Number of entries depends on the number of fields changed
        Update CUSTOMER Update the details that were changed
     
    5 Edit personal information insert into CHANGE_LOG An entry is made when any existing information is updated
    One Entry per Submit Action
        insert into CHANGE_LOG_DETAIL Details of the actual fields updated is captured here
    More than one entry per Submit action.Number of entries depends on the number of fields changed
        update CUSTOMER Update the details that were changed
        update CUSTOMER_DETAIL Update the details that were changed
        update CUSTOMER_NAME_DETAIL Update the details that were changed

    Note:

    1. customer_detail.business_activities is the business activity of the client which is defined in the look up options as a drop down.
    2. loan-account.business_activities_id is the loan purpose of the loan.
    3. Any change in information should be entered into CHANGE_LOG & CHANGE_LOG_DETAIL to keep track of historical data.

    Excel Import Formats for migrating Customer Data & Maps between Excel Format - Mifos DB tables

    The Customer Data has been classified into two sections

    If the Office & Personnel data has not been manually entered, the following files can be used to migrate the data.

    Inserting Loan data

    Here is a list of the tables one must insert data into to successfully make a loan

     

    No. UI Action Tables Affected - Inserts and Updates Notes
    1 Create a Loan insert into MEETING inserts a new record for loan account but the details are the same as
        insert into RECURRENCE_DETAIL  
        insert into RECUR_ON_DAY  
        insert into ACCOUNT  
        insert into LOAN_ACCOUNT Data From UI
        insert into ACCOUNT_FEES Fees that are applied at the time of loan creation
        insert into ACCOUNT_STATUS_CHANGE_HISTORY  
        insert into LOAN_SUMMARY  
        insert into LOAN_PERF_HISTORY  
        insert into MAX_MIN_LOAN_AMOUNT  
        insert into MAX_MIN_NO_OF_INSTALL  
        insert into LOAN_SCHEDULE One Entry per installment
        insert into LOAN_FEE_SCHEDULE One Entry per installment
     
    2 Edit Account status insert into ACCOUNT_NOTES Stores the notes entered in the UI while changing account state
        insert into ACCOUNT_STATUS_CHANGE_HISTORY  
        update ACCOUNT  
        insert into CHANGE_LOG  
        insert into CHANGE_LOG_DETAIL Number of entries depend on the number of fields changed
     
    3 Edit Account Information update ACCOUNT  
        update LOAN_ACCOUNT  
        update LOAN_SUMMARY  
    0
    Your rating: None

    Data Migration Tips

    You’ve evaluated Mifos, checked out all its functionality, like what you see and are now preparing to roll it out. Only one problem, how to get data from your old system into Mifos.  Seems simple enough, loans are loans, clients are clients, etc. Just move it over right?   

    If only it were that simple.

    Imagine if you were trying to take an engine out of a car and stick it in a pickup truck. Or even worse, imagine it was a lawnmower engine you were trying to move!  What may seem like a simple task, even with a simple source database, can quickly turn into quite an ordeal.  You may have to deal with things like:

    • Bad design, both functionaly and data modeling wise
    • Bugs in the original system leading to bad data
    • Missing data requirements
    • Bad or dirty data
    • Calculation differences
    • Differing degrees in accuracy
    • Differing states for loans, clients, transactions, etc

    Essentially you are taking one design and trying to move it to another, and without some standard set (Which I don’t believe there is any at the moment), you are guaranteed to have issues. 

    This is not meant to scare you off, but rather provide you a reality check.  Take for instance a data migration we are currently working on.  We have three full time people working on it, two developers and an Analyst.  In addition to that there is also the client and I and we're each spending quite a few hours each week attempting to resolve the issues that come up.  Development time will be somewhere between two to two and a half months, but beforehand both the development team and I spend quite a few weeks doing an initial analysis.  And the analysis is still going on, the Analyst has been working full time since researching every possible issue and figuring out the best solution, trying to stay ahead of the developers.  Added all together, there is probably somewhere between three to four months of work, spread across five people. 

    And the source database was simple, out of some 60+ tables we’re only working with about 25 actual tables and out of those, only six really hold relevant data, most every other table is a reference table or holds only a few pieces of information.  What all are we migrating?  Just Clients, Groups, Loans and Transactions.  Everything else we setup manually (Office Hierarchy, all users (400+), config, etc). 

    Gets worse.  We’re also working with a moving target.  We have to constantly update the mapping files (between the source and Mifos system) for users and offices everytime we make changes.   We are creating a set of queries to run before doing migrations to try and suss out every possible type of dirty data that may have appeared between development and the migration.   It can't really helped, the MFI has to make forward progress even as we put these scripts together.

    In just this last week, much like all other weeks, there were 17 issues we had to resolve.  When we’re lucky, it may take five or ten minutes to determine the right strategy, or maybe 20 minutes to resolve some bad data in the source database (and even then, if its a data issue, we often have to update our starting Mifos database and the source db, and send off updates to the developers!).  When we’re not, it can take a lot longer.  One issue this week required a 45 minute call, on top of quite a few emails exchanged and hours upon hours of research.

    Here are some examples of some of the issues we come across:

    • The source database does not match transactions with installments in the payment schedule.  This means we’re having to develop a complex set of logical tests to determine which transactions go with what payments, especially since the dates aren’t reliable (in this instance, lots of clients make their payments before the due date).  We have to deal with partial payments, over payments, early repayments of loans, written off loans (calculating back what payments were written off), etc.
    • When repaying loans, Mifos and the source calculated it differently.  The source would charge the interest still left, Mifos wouldn’t (as the loan is paying off early).  So we had to figure out how to get around this in a way and still model it so they could pull meaningful reports off it
    • Missing client data in the source database:  Things like spouse information, poverty status, meeting schedule date
    • In Mifos, a client is linked directly to a loan officer.  Not so in the source, the client is linked to a loan and loans are linked to a loan officer, so we had to backtrack to figure this out.  Seems simple?  What if the client does not have a loan?  Who do they get assigned to?  What if the client has loans under different loan officers?  How do we determine which loan to use for determining who is the appropriate loan officer?
    • Groups in the source database tend to be transitory, may be part of a group for one loan and not after.  In Mifos, this is not the case, most groups are set to be groups for awhile.  So we’ve had to determine the proper strategies for how we track customer movement between groups, opening and closing of groups, etc.  Additionally, groups are tracked through loans, so we had to go through them again.  Normally you would think it would make sense to move clients and groups together at the same time, not so in this case.  Made more sense to do clients first and then move groups with loans.
    • My favorite.  Source system has three different interests that can be added to a loan, while Mifos allows for one.  Through some testing and validation we determined that when all three of the interests were calculated the same way as Mifos (off a declining balance), we could easily add them together to determine the rate.  The problem is at one time one of the interests was calculated differently, meaning we couldn’t do that.  The solution?  Copy over the transactions, add up all the interest collected and determine the exact interest rate that way.

    Those are just six examples, and remember, on an average week we had 17 issues to resolve!  And timing can be critical because sometimes the developers won’t find an issue until they run right into it and may be blocked until you can provide a solution. 

    The thing with data migrations is you simply cannot figure everything out before hand, or rather you’d probably spend twice as long as if you were to just do it.  It’s an iterative process, its extremely explorative and half the time you won’t find something until you start working with it directly.  That, unfortunately, makes it hard to plan for, but there is not much that can be done.  Fortunately, we’re collecting more and more information about moving data into Mifos, mapping what is required for creating clients, groups, loans, etc.  That should help reduce some of the time required.

    In the end, data migrations are completely do-able and nothing to be scared of, just make sure you plan very, very conservatively.

    Ryan, Mifos Program Manager

    0
    Your rating: None