9/22/2022 Government Cloud Infrastructure Services (GCIS)

Overview (default.html)

What’s New (announcement.html)

Services Information (services.html)

Getting Started (started.html)

Fund Contribution (contribution.html)

FAQs (faqs.html)

Contact Us (contactus.html)

FAQs
General
Fund Contribution
Infrastructure-as-a-Service (IaaS)
Virtual Machine
Operating System License
Backup Service
Network Services
Platform-as-a-Service (PaaS)
Database-as-a-Service (DBaaS)
Container-as-a-Service (CaaS)
Shared Services
e-Payment Service
File Interchange Service
Notification Service
Messaging Service
PKI Certification Revocation List (CRL) Checking Service
ebXML Document Exchange Service

General

1. What steps should we take if we are interested in using GCIS?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 1/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

Before subscriptions of any services of GCIS, you are strongly advised to read the materials in this
website and contact the GCIS Planning and Client Advisory Team to discuss whether GCIS is suitable for
your applications and to provide your resources requirements.

2. What security measures does GCIS provide?

GCIS rides on physically secured data centres (Security Level II compliant). In addition, a 7x24 system
management and operation support service, including security alert monitoring and patching, and intruder
detection (network and host based) systems, is also provided. A security audit exercise will be conducted
at least once every 2 years to ensure sufficient security measures are in place. Please note that the
security audit exercise focuses on the GCIS infrastructure only and will not cover the applications
developed by B/Ds. Since GCIS is a shared platform, application level security should always be
considered and implemented by B/Ds.

B/Ds should note that they should carry out a security risk assessment exercise on the application(s) to
be hosted in the GCIS platform before the launch of the application(s) or any major program release(s).
The exercise should include but is not limited to program code reviews and should be conducted by an
independent assessment team not involved in the design and implementation process. Patches should
be applied to the application software to address relevant security vulnerabilities by B/Ds.

Furthermore, B/Ds are also responsible for conducting security risk assessment of their applications at
least once every 2 years by an independent assessment team not involved in the design and
implementation process.

3. Is there any performance pledge for the availability of the GCIS?

The availability target of GCIS is 99.95%.

4. Given GCIS already has multiple tiers of security measures in place, why are project teams still
required to apply encryption for data containing RESTRICTED or personal or sensitive
information at application level?

We are of the view that appropriate security protections at system and application level which can best
protect the e-government services should be implemented. To safeguard web applications against data-
stealing from Internet through the common cyber-attacks such as SQL Injection and Remote Code
Execution, it is necessary to apply encryption at application level.

5. Can application teams bring in their own hardware to be hosted in GCIS?

Application teams cannot bring in their own hardware.

6. What are the operation services provided by GCIS?

GCIS provides 7x24 operation and support services, the operators will monitor the healthiness of GCIS
infrastructure and provide problem escalation.

TOP

Fund Contribution

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 2/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

1. How can we arrange the fund contribution for the services? Will the same Fund Contribution
Model apply to trading fund departments/agencies?

Fund contribution by B/Ds will be arranged in advance to the OGCIO through allocation warrant for each
financial year. For new project, payment should be arranged through allocation warrant when the testing
environment is delivered to B/D. Trading fund departments/agencies will be charged on a full cost
recovery basis for using services provided by GCIS. These will include (i) non-recurrent costs and (ii)
recurrent costs, and the contribution will generally be higher than those mentioned in the Fund
Contribution Model (contribution.html) for Government B/Ds.

2. How can we terminate the services?

B/Ds contribute the funds in advance for the number of months B/Ds wish to use the GCIS services in
that financial year. The funds contributed by B/D are not refundable. If B/Ds decide to discontinue the
services in next financial year, they should notify us at least three months before the end of the current
financial year by submitting the Project Dismissal Form to GCIS Planning and Client Advisory Team.

3. There is a service subscription item STA - Project Subscription Fee in GCIS Catalogue, when is
the Project Subscription Fee chargeable?

When application teams subscribe their first virtual machine (VM) in IaaS or subscribe to DBaaS for each
project, the Project Subscription Fee is chargeable monthly and it shall be paid in one lump sum for each
financial year. Project Subscription Fee is a mandatory item per project in IaaS and DBaaS. For PaaS
and CaaS, the Project Subscription Fee is already included in the pricing.

The Project Subscription Fee is charged once per project even if multiple services are used (e.g. if both
IaaS and DBaaS are used, the Project Subscription Fee is only charged once).

The Project Subscription Fee is charged once per project even if multiple environments are used.

TOP

Infrastructure-as-a-Service (IaaS)
Virtual Machine

1. Do application teams need to arrange their own anti-virus software?

If application teams have subscribed VOW - Windows Server or VOR – Red Hat Enterprise Linux
provided by GCIS for their VMs, standard anti-virus solution from GCIS will be provided to those VMs by
default. Application teams, however, may deploy their own anti-virus software to fulfil their specific
requirements. Application teams shall notify GCIS team to disable the anti-virus solution provided by
GCIS because two anti-virus solutions may interfere with each other.

If application teams choose to bring in their own operating system, they shall deploy their own anti-virus
solution. In this case, application teams shall bear the licence costs of both their operation system and
anti-virus solution.

2. Does GCIS support processing of confidential level of information?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 3/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

GCIS IaaS supports processing of information up to confidential level.

3. If the sizes of virtual machines offered by GCIS are not suitable for our application, can we
subscribe customised sizes of virtual machines?

No customised size VM is offered in GCIS IaaS. The VM size allowable for subscription can be found in
the prevailing GCIS service catalogue.

4. Can we increase resource subscription if we find that the actual resources utilization exceeds our
original estimation?

Yes. The lead-time required for resources provision depends on the availability of spare system capacity
at the time we receive your request. If spare capacity is available, the lead-time will only be the resources
provision time. If there is no spare capacity, procurement process has to be triggered and it may take
longer time before additional capacity can be made available.

5. What is the meaning of “Replicated” under virtual machine? Can we subscribe “Replicated” if our
application requires “Active-Active” auto-failover service?

There are two types of virtual machines: single site and replicated. Application teams wishing to increase
the availability of their applications shall subscribe replicated VM to achieve disaster recovery.
“Replicated” VM can be referred as “Active-Standby” design.

Application teams requiring Active-Active auto failover service should acquire sufficient resources in both
sites, i.e., Production 1 (Prod 1) and Production 2 (Prod 2). The establishment of the high availability
cluster should also be designed and managed by application teams.

6. Is VM fail-over provided when the server hosting the VM fail, would the same VM be launched on
another server automatically?

There are two scenarios:

For planned maintenance on a physical host, all VMs on the affected host will be live migrated to
other physical hosts by GCIS operation team manually.

For unplanned maintenance on a physical host, all VMs on the affected host will be started up
again on other physical hosts within the same cluster by server virtualization infrastructure
automatically. Application teams should, therefore, configure their VMs so that they can resume
their required services automatically after a reboot.

7. Is shared SAN disk supported, e.g., for implementing database cluster?

No, GCIS does not support shared storage that allows multiple VMs to access the same disk storage.

8. Is cross-site replication of SAN storage supported?

GCIS does not offer cross-site replication of SAN storage directly. Instead, service offering such as VM
replication and DBaaS with replication capability is included in the service catalogue.

9. With GCIS provides encrypted disk storage, does it mean application teams need not to
implement encryption to protect their sensitive data?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 4/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

GCIS encryption is provided at storage level. The data in transit is also encrypted during data
transmission between different data centres. Notwithstanding, tenants should encrypt all classified data
and sensitive/personal data at application level before being stored into database/file system or being
transmitting across network. In addition, tenants must regularly review the data security requirements and
data classification of tenants’ applications and update the encryption algorithms and key length on
classified/sensitive/personal data according to the prevailing security guidelines and regulations.

TOP

Operating System License

10. What operating systems are supported in GCIS?

GCIS tested and confirmed its compatibility with the versions of Microsoft Windows Server and Red Hat
Enterprise Linux that could be subscribed by the project team. If the IaaS tenants may opt to bring-in
other operating systems with their own operating system license. Tenants shall test the operating
systems in GCIS testing environment first to confirm the compatibility. Tenants using other operating
systems should consider the compatibility risk.

GCIS will provide and manage the cloud’s hardware infrastructure and support software up to the
hypervisor level. Application teams may bring in, deploy and run their own arbitrary software stack
(including operating systems, system software and application software) on GCIS. This provides
maximum flexibility to application teams in selecting their software and simplifies the management and
support arrangement of their whole software stack. Application teams must consult the vendors of their
software stack to purchase the required license and subscribe the appropriate software support.

11. For VOW option, do application teams need to install the operating systems by themselves?

GCIS OS License Service covers the provision of Windows Server 2016 or 2019 OS license and pre-
installation of the OS image. The software / application running on the IaaS has to be installed, operated
and managed by the application teams.

12. Does GCIS provide non-x86-based servers?

GCIS does not provide non-x86-based servers. GCIS only supports x86-based servers in order to
achieve the maximum economy of scale and hardware independence.

13. How does the GCIS facilitates patch management for Windows and RHEL operating systems of
hosted VMs?

The GCIS facilitates patch management of Windows and RHEL operating systems by timely
downloading the security patches to a repository in GCIS. Application teams can launch update service
on their VMs that are appointed to the designed patch server to proceed with the patch update. Please
note that the patches for the software products other than these two OS, e.g. MS SQL Server, can also
be downloaded through the web proxy server provided by GCIS.

TOP

Backup Service

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 5/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

14. How are backup service provided under GCIS?

Backup service is for the backup of VM image. For GCIS IaaS, only VM-level backup (i.e. whole VM
image, snapshot of the VM) is provided. There is no file / folder / database-level backup.

15. If our data requires retention period of 7 years, is there any backup option available for 7 year
retention?

GCIS backup service provides a maximum of 3 months retention period. For the longer period, we will
provide "Archive" service at the later stage.

TOP

Network Services

16. Under what situation do application teams need to subscribe “N1- Dedicated Network Port for
External Connection”?

Dedicated Network Port for External Connection is for establishing direct physical connection from their
B/Ds premises to GCIS infrastructure. The rental of leased line connection shall be arranged by tenants.
However, tenants should use GNET connection to connect to GCIS unless it is not feasible.

17. How can application teams manage the resources hosted in GCIS?

Application teams can manage and administer their subscribed resources in GCIS remotely through
VPN services. They must subscribe at least one (1) “N4 - VPN token” and at most three (3) “N4 – VPN
token” for testing environment and production environments respectively.

18. Does GCIS provide anti-DDoS facilities?

DoS and DDoS are protected by dedicated Network-based Intrusion Prevention System (NIPS) devices
for individual GCIS environment.

TOP

Platform-as-a-Service (PaaS)

1. When we size the GCIS capacity requirements, should we assume both of the dual active sites
will work to support peak loading?

When sizing the GCIS capacity requirements, project team should assume that one of the dual active
sites will be closed down for maintenance occasionally. Hence, a single site should have sufficient
capacity to support the 3-year peak workload. Project team should monitor the peak utilization and
acquire sufficient GCIS resources if necessary. When running a load test in the testing environment
which was operated in a single site only, load test should be conducted for the full 3-year peak
workload, instead of half of it.

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 6/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

2. May you quote some examples for applications that may best fit for using the services provided
by GCIS PaaS and Shared Service?

GCIS PaaS and Shared Service are best fit for hosting of G2C or G2B Internet facing e-government
applications. The followings are some applicable use:

Application characteristics Applicable features

1. The application needs a web interface The GCIS PaaS provides a centrally managed
for capturing user inputs or delivering shared hosting platform for web applications. A
dynamic content via the Internet testing environment is bundled to facilitate
application development and system load test.

2. The web tier of application system needs The Messaging Service and the PaaS Service of
to communicate with department’s GCIS facilitate exchange of application messages
legacy system(s) for backend processing between web applications and the backend legacy
using a web services interface systems.

3. The application needs to check the The PKI CRL Checking Service of GCIS is
validity of digital certificates against the applicable.
CRL downloaded from RCA according to
their publishing schedules

4. The application needs to send massive, The Notification Service of GCIS using outgoing
scheduled and/or regular notification emails, which allows B/Ds to manage the distribution
emails via the Internet list and message contents, is applicable.

5. The application needs to deliver ebXML The ebXML Document Exchange Service of GCIS,
documents over the Internet (over HTTP which acts as a gateway to receive ebXML
and SMTP) documents from external parties and route them to
targeted B/D, and vice versa, if applicable.

3. Is GCIS PaaS ready for IPv6? What should I do to turn on the IPv6 features of the GCIS PaaS?

Yes, GCIS PaaS is IPv6 ready. If you have IPv6 clients with corresponding IPv6 Internet access
connections, you may click the link (http://v6www.egis.gov.hk/v6test.htm) from your IPv6 clients to
access GCIS PaaS IPv6 test page.

IPv6 features of GCIS PaaS may be turned on to allow the public to access the application using IPv6
clients. For applications hosted in GCIS PaaS, an IPv6 environment may be provided in the GCIS PaaS
testing environment for testing of the application. Project team should check if the application is able to
support IPv6 as well as ensure thorough testing of application in the GCIS PaaS testing environment
before enabling the IPv6 features in the production environment.

4. Do the production and testing environments provide 7x24 access?

7x24 service is available in the production site. For testing site, service is available from 0830 to 2300
for Monday - Friday (excluding public holidays), 0830 to 1830 for Saturday (excluding public holidays).
Please note that development service may be stopped outside these service hours.

5. Are drill test and disaster recovery (DR) covered by the services?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 7/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

Since GCIS PaaS provides a dual-active site environment, disaster recovery is considered as a site fail-
over. During the drill, the GCIS PaaS testing environment will be used to simulate the site fail-over
scenario.

6. How does GCIS PaaS handle site failure?

GCIS PaaS provides dual-site support, where both the production environments in Tsuen Wan Data
Centre (TWDC) and Transient Data Centre (T2DC) are independently operable in dual-active mode.
GCIS PaaS uses the CCCNS 3-DNS Global Site Load Balancing (GSLB) to distribute all requests for
B/D's e-services to both active sites. When detecting site inaccessibility of one of GCIS PaaS sites by
the CCCNS 3-DNS system, the 3-DNS will dynamically update the DNS entries of GCIS PaaS and
present the surviving site's Internet IP-addresses to all new incoming clients. In case of declaring site
fail-over operation or prolonged system maintenance, manual operations will be involved to re-configure
CCCNS 3-DNS to only return surviving site's Internet IP-addresses to the new incoming clients in order
to minimize the impact to the GCIS PaaS services and B/D applications.

7. We plan to subscribe GCIS PaaS service to host our application. If we need to handle
RESTRICTED information in our application, what shall we do in order to comply with the
requirements of GCIS PaaS?

B/Ds are required to apply encryption at application level for data containing RESTRICTED or personal
or sensitive information prior to storing the data into the file system or database in GCIS PaaS, or
transmitting the data between GCIS PaaS and other systems. B/Ds should apply additional security
measures subject to their departmental/project security policies and the specific security requirements
of their applications.

8. What type of application can I host under the GCIS PaaS?

GCIS PaaS targets to facilitate B/Ds to implement Internet applications with interactive and dynamic
contents, or form submission or require online interaction with public users. Interested B/Ds may contact
us to discuss the application requirements.

9. Do I need to bring in my own hardware? On the other hand, can I bring in my own software?

Under normal circumstances, B/Ds can implement their applications using PaaS without any bring-in
hardware. B/Ds can bring-in Java library running in your JBoss instance provided that B/Ds have valid
licenses of the software and the software is compatible with architecture of the GCIS PaaS. B/Ds need
to discuss with GCIS Planning and Client Advisory Team and GCIS Technical Support Team case by
case.

10. Are the JBoss and MySQL compatible database the only application server and database
software allowed for hosting in the GCIS PaaS? May the B/Ds be allowed to customise their
setting?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 8/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

GCIS PaaS uses open standard software to deliver the service. Currently, GCIS PaaS adopted the
Apache, JBoss and MySQL compatible database software for the web tier, application tier and the
database tier. GCIS PaaS have applied generic settings for Apache and MySQL compatible database
for B/Ds. In case B/Ds wish to customize these settings, they may discuss with the GCIS Planning and
Client Advisory Team. Regarding the application software, i.e. JBoss, it will be brought in and configured
by B/Ds themselves. B/Ds may contact the GCIS Planning and Client Advisory Team if they find their
JBoss settings have compatibility issue with the GCIS PaaS infrastructure.

11. Can a B/D install third party Java libraries in JBoss?

Generally speaking, there is no restriction for B/Ds to install third party Java libraries if B/Ds acquire the
licenses to use the library. However, B/Ds should note that special support may be required for using the
library and it may affect the portability of the application. B/Ds may contact GCIS Planning and Client
Advisory Team to discuss their requirements.

12. Is state-sensitive SSL connection supported in GCIS PaaS?

GCIS PaaS is equipped with Application Delivery Controllers that can provide SSL persistent load
balancing feature for a pool of Web Servers.

13. Is DNS hosting provided in GCIS PaaS? Does it support load balancing such as round robin?

For application of Domain Name (DN) hosting service of OGCIO, please refer to Domain Name Hosting
Service (/content/dn/serv.asp) posted in ITG InfoStation for details.

The DN hosting service of OGCIO also provides the Global Site Load Balancing (GSLB) service. The
GSLB is able to resolve DN of B/D's e-services into two Internet IP addresses of GCIS PaaS dual-active
production sites in round robin basis or in preference ratio.

14. How can we transfer large amount of data to the systems that make use of GCIS PaaS?

It depends on the type of data to be transferred. In general, you can transfer large amount of data by
bringing your content in media of CD-R, CD-RW, DVD-R, DVD-RW and Flash Drive to Operations
Control Centre at 20/F, Tsuen Wan Government Offices. If Flash Drive is used, your data should be
encrypted as the data will be loaded into a control room machine before it can be forwarded to your
application servers. You need to submit a Change Request Form for your data transfer operation and
your data will be scanned for virus before loading into your system.

15. Can I execute some programs such as Perl scripts in the GCIS PaaS Web Server?

Web Servers housed in Internet-facing DMZ are mainly used for establishing SSL connections with
client browsers, storing static html files and forwarding jsp requests to the application servers.
Executables or scripts such as Perl, PHP and CGI scripts are not allowed in the GCIS PaaS Web
Servers.

16. Is there any monitoring service provided to my application hosted in GCIS PaaS?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 9/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

Yes. GCIS Operation Control Centre provides 7x24 services to monitor the system and network
healthiness for production environment. In addition, application errors/messages can also be monitored
and reported to the corresponding B/Ds maintenance teams if B/Ds applications write their error
messages in the format as required by the GCIS PaaS.

17. If my application requires uploading of attachments by the public, how can virus scanning be
carried out on these attachments?

If your application program saves the file to the file system of GCIS PaaS application server, virus
scanning will be performed automatically on the concerned files.

18. How can I deploy my applications to GCIS PaaS?

You may access GCIS PaaS Administration servers by SSH client programs (e.g. PuTTY) through
Internet via GCIS PaaS SSL-VPN service, and then connect to Application servers or Network File
System (NFS) servers. Database client program (e.g. MySQL client) is pre-installed in the application
server for B/Ds to manipulate database objects and data. For deploying static web content files such as
html pages and images to the Web servers in GCIS PaaS, you should copy the files to the NFS servers.

19. Is there any load test tool available for testing my applications?

JMeter is available as the load test tool in the load test environment for testing the applications. You
need to reserve the load test environment in advance for the testing.

20. What kind of fail-over behavior of my applications hosted in GCIS PaaS application server
should be tested?

GCIS PaaS is a dual-active site environment with local resilience (clustered) application servers and
local hot-stand-by DB. You are recommended to perform the following failover tests:

Local Application Servers Resilience and Faileover Test

This test can be conducted in both testing and production environment by disabling the
application software instance on one of the clustered application servers;

Site Failover Test

This test can only be conducted in production environment because the testing environment does
not have 2 sites;
Testing against GSLB can be conducted by blocking public IP site by site to verify that all traffic is
diverted to the alternative site automatically.
For Site Independent Mode applications, data in the failure site will be made available in the
working site as a separate database instance and you need to collect the data from the working
site for further processing. In this case, fail-over test is not necessary because B/Ds can simply
test the data collection procedures in testing environment.
For Shared DB Mode applications, the database instance on the primary site can be switched
over to the secondary site in case of site failover. All application servers should be able to
connect to the database at the secondary site automatically. B/Ds can conduct a simulation test
to ensure application servers’ connection pool will connect to the recovered database instance
upon changing the DNS record of the database service.

Please note that the tests to be conducted vary with the architectural design of the applications.

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 10/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

21. How to book load test environment?

All GCIS PaaS projects are required to pass load test before they can be launched for production.

Project teams may run load test during 6:00 p.m. - 11:00 p.m. Monday to Friday (except public holidays)
in GCIS PaaS testing environment. Since load tests are run in a controlled environment with
performance and resource utilization measured, project teams are required to book load test timeslot for
running load test. While project teams are running their load test, the GCIS Technical support team will
monitor and measure various GCIS PaaS resources utilization, such as CPU, memory, bandwidth, TCP,
etc.

Projects using GCIS PaaS hosting service can adopt the GCIS PaaS load test tool to generate
transaction volume and measure response time. To use the GCIS PaaS load test tool, project teams
would need to prepare the load test script and trial run the load test in advance. Project teams should
prepare and trial run their load test script during office hour 10:00 a.m. - 6:00 p.m. Monday to Friday
(except public holidays) in GCIS PaaS testing environment. Advance booking is required.

B/D can book the load test environment via the GCIS PaaS Self Service Administrative Portal. B/Ds
should note the following:

Project teams must submit their load test plan to the GCIS Planning and Client Advisory Team
before they try to reserve the first load test timeslot (a project team that does not have a load test
plan is not ready for load test yet).
Project teams are allowed to have at most 3 outstanding bookings at any time.
If a project team knows that it will not be able to use a booked load test timeslot (e.g. the
application is not ready for load test yet), the project team must cancel the booked timeslot at
least 2 working days in advance (so that other project teams may use the timeslot for load test or
the GCIS Technical support team can use the timeslot for maintenance work).

Seeking CCC's Approval

If B/D is going to use the load test environment for conducting load test with traffic comes from the
Internet environment outside GCIS PaaS, it is required to seek CCC's approval at least 5 working days
prior to your first load test timeslot. Please fill in the checklist
(/content/gcis/docs/CCC_Checklist_for_load_test.doc) provided by CCC and send it to following staff to
seek approval.

To: Marty KY LAM/OGCIO ([email protected])

YF LAU/OGCIO ([email protected])

Cc: Assistant Manager CCC Administration/OGCIO

([email protected])
Manette KM CHOI/OGCIO ([email protected])

22. What is required if a project team wants to carry out vulnerability scanning on application in
GCIS PaaS for security risk assessment/audit?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 11/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

When carrying out vulnerability scanning on applications hosted in GCIS PaaS for security risk
assessment/audit, please note that approval from CCC should also be sought beforehand similar to the
arrangement of load test.

Please fill in the checklist

(/content/gcis/docs/CCC_Checklist_for_security_risk_assessment_and_audit.doc) provided by CCC
and send it to following staff to seek approval.

To: Marty KY LAM/OGCIO ([email protected])

YF LAU/OGCIO ([email protected])

Cc: Assistant Manager CCC Administration/OGCIO

([email protected])
Manette KM CHOI/OGCIO ([email protected])

B/D needs to submit Request for Security Risk Assessment and Audit via the GCIS Self Service Portal,
with attachment of the completed checklist as approved by CCC for reference.

23. What kinds of data backup are provided by GCIS PaaS?

Backup will be broadly divided into two types, GCIS PaaS Database and File System of GCIS PaaS
servers.

GCIS PaaS Database

Full backup will be performed every day.

File System of GCIS PaaS servers

Full backup will be performed on every Sunday. Incremental backup will be performed on other
days.

The retention periods of backup for both GCIS PaaS database and servers are:

31 cycles of daily backup,

12 cycles of weekly backup.

Generally, backup of database will start at 00:00 while backup of file system will start at 02:00. Backup
jobs are expected to complete in the morning of the same day, the exact end time depends on the data
size.

All backup completed in local site will be replicated to the remote site through network. The data backup
will be used to recover and resume GCIS PaaS database and file system of GCIS PaaS servers in case
of GCIS PaaS events (e.g. DR drill, server migration) or infrastructure incidents.

24. Is backup service included in the Standard PaaS Hosting Plan?

Standard PaaS Hosting Plan has already bundled backup service.

TOP

Database-as-a-Service (DBaaS)

1. What is “MySQL-compatible database”?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 12/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

The database used in DBaaS is fully MySQL-compatible. The current product used is MariaDB, which is
built on open-source MySQL code.

2. What is the backup retention period for database instances hosted in GCIS DBaaS? What is the
cost?

Backup is a bundled service in DBaaS. The backup retention period is 30 days.

TOP

Container-as-a-Service (CaaS)

1. What are the benefits of subscribing GCIS CaaS?

If B/Ds opt to use GCIS CaaS, B/Ds can be benefited from the following:

subscribe GCIS CaaS Plans based on the resource requirements of their application only (no need
to concern about the system resources for the operation of container hosting platform);

build and deploy their applications on GCIS CaaS shortly after subscribing GCIS CaaS;

save system resources and staff efforts for the operations of container hosting platform, e.g.

administration and management of container

platform level 7x24 monitoring and operation services
dual-active production environment
patching and upgrade on the platform
platform level performance tuning
platform level security protection
backup and restore
selection, procurement and installation of platform software

2. What resources are covered by GCIS CaaS plans?

There are two plans offered by GCIS CaaS, i.e. Standard Hosting Plan (CP) and Storage Plan (CS),
providing different resources as explained below:

GCIS CaaS is provided in the three GCIS sites - testing site and dual-active production sites, i.e.
production 1 (Prod 1) and production 2 (Prod 2) sites.

GCIS CaaS has two environments:

"GCIS CaaS Production Environment" - the GCIS CaaS Production environment in the dual-
active production sites; and
"GCIS CaaS Development and Testing Environment" - the GCIS CaaS Development and
Testing environment in the single testing site.
Each Standard Hosting Plan (CP) covers 1/2 vCPU, 2 GB RAM and 2.5 GB disk storage in each of
the two dual-active production sites and testing site.

Each Storage Plan (CS) covers additional 10 GB disk storage per environment.

3. How to estimate the number of plan required by a project?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 13/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

In estimating the number of plan required by a project, B/Ds should note that

the total resources subscribed by a B/D project, i.e. vCPU, RAM and disk storage, are shared
among all containers of the project. All running containers can consume resources up to the
quotas assigned according to the subscription of the project; and

system resources for the operation of container hosting platform, e.g. container scheduling,
security protection, backup and disaster recovery for platform/site failure, etc., has already been
catered by GCIS CaaS.

As such, B/Ds can estimate the total resources required by all containers of their application system, e.g.
CPU for container execution, the resources (vCPU, RAM and disk storage) required by containers related
to application deployment (CI/CD), application data size and its retention etc. and then make subscription
accordingly.

4. What services are provided by GCIS CaaS?

GCIS CaaS provides two environments operating in three GCIS sites to tenants as shown below:

Environment Site

GCIS CaaS Production Environment Dual-active Production Sites:

GCIS Production 1 Site (Prod 1)
GCIS Production 2 Site (Prod 2)

GCIS CaaS Development and Testing Environment GCIS Testing Site

Dual-active production sites architecture is adopted for GCIS CaaS Production Environment. The
container clusters of GCIS CaaS Production Environment in the two GCIS production sites are separated
and independent. The container cluster of GCIS CaaS Development and Testing Environment in GCIS
Testing Site is separated from the container clusters of GCIS CaaS Production Environment in GCIS
production sites too.

Below are major service components and their software products provided on each container cluster for
B/Ds hosting their applications:

Service Component Software Product

Container Hosting and Kubernetes based container hosting and orchestration platform
Orchestration supporting linux-based container only
(Red Hat OpenShift is used currently)

Container Security Prisma Cloud Compute Edition

(formerly called Twistlock)

Container Runtime CRI-O

Service Mesh Istio based Service Mesh tool

(Red Hat OpenShift Service Mesh is used currently)

Container Image Registry Docker Registry, Nexus Repository Manager

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 14/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

5. What application architecture should be adopted for the application to be hosted in GCIS CaaS so
that the benefits offered by GCIS CaaS can be utilized?

To fully utilize the benefits offered by GCIS CaaS, B/Ds should adopt microservices architecture for their
applications with the following characteristics:

Application logic is served in distributed service components (services). By ‘distributed’, it means

each service is in its own process which is individually deployable and scalable. Communication
with services is performed via network. In GCIS CaaS, the service components should be
deployed as containers.

Service exposes its function as APIs which are programmatically consumed by other services. In
GCIS CaaS, the API should be implemented in RESTful style.

Service-to-service communications are managed by Service Mesh pattern. In GCIS CaaS, Istio
based Service Mesh tool is provided to facilitate service-to-service communications.

Beside, GCIS CaaS adopts Kubernetes (K8s) for container hosting and orchestration. When B/D project
team sets the number of replica of a pod to 2 or more, K8s will maintain the desired state, i.e. 2 replicas
or more, in the container cluster at all times and thus provide high availability for the container in local
site.

Finally, dual-active production sites architecture is adopted for GCIS CaaS Production Environment and
the container clusters of GCIS CaaS Production Environment in the two GCIS production sites are
separated and independent. B/Ds should deploy same application pods in both sites so that when failure
is encountered in one of the production sites, B/Ds’ applications can continuously provide services to
users with the other production site so that high availability at site level can be achieved.

6. Is B/D allowed to bring in software and use it in B/D’s container image(s) and container(s) hosted
in B/D’s container hosting namespace provided by GCIS CaaS?

B/Ds can bring-in container images from trusted sources and other software provided there are sufficient
licenses and software subscriptions, if applicable, for the software and the software is compatible with the
GCIS CaaS architecture.

7. Is the OS of Container Image in GCIS CaaS automatically updated and how is the update
arrangement?

GCIS CaaS support team will update the Host OS of GCIS CaaS servers and it is tenant's responsibility
to update the OS in their container image(s).

8. If the container application hosted in GCIS CaaS requires to use database, any recommendation
on where should the database be hosted?

B/Ds are recommended to adopt GCIS DBaaS which provides comprehensive solutions including
automated database administration (e.g. provisioning, backup and patching etc.), better performance,
resilience and high availability. Alternatively, B/Ds can consider using IaaS for database hosting that
offers the greatest flexibility.

TOP

Shared Services
https://itginfo.ccgo.hksarg/content/gcis/faqs.html 15/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

1. Is there any limit on the subscription for the traffic of shared services?

Basically, there is no limit on the traffic volume of shared services. With a view that the GCIS can serve
as many B/Ds as possible, it is not expected that a few projects will consume all the GCIS resources.
When a B/D acquires the GCIS shared services, the GCIS Planning and Client Advisory Team will
discuss with the B/D its requirement and suggest the appropriate subscription of service plan.

TOP

e-Payment Service

2. Do I need to sign any agreement or contract with the Payment Service provider?

For PPSB, B/Ds need to procure the PPSB service in accordance with Store Procurement Regulation
(SPR), and an agreement shall be signed between EPSCO and the B/D. For online credit card
payment, B/Ds may simply use the contract arranged by the Treasury.

3. If my department has additional e-government services that need to use PPSB after signing the
contract with EPSCO, do I need to conduct another PPSB service procurement for the new e-
government services? What steps do I need to go through?

If you have additional e-government services that need to use PPSB after signing the contract with
EPSCO, you can add these additional e-government services through contract variation according to
SPR 520. As long as the accumulated value of the service is within your department’s direct purchase
authority (DPA),an officer at directorate level can approve the variation (see SPR Appendix V(B),
Section C, I, (i)). A letter would then be sent to EPSCO for their signing to confirm the variation. Please
consult your Supplies Section on the detailed procedures. On the other hand, you can also include e-
government services that are still under planning into Part B of Scheme 6 in the Ancillary Agreement to
avoid such contract variation in the future. The setup charge in respect of each of these additional e-
government services will only be chargeable upon successful completion of the Acceptance Tests in
respect of each such additional e-government service.

4. What is the Type of Service (服務類別) and Merchant Name (商⼾名稱) shown on the payment
method selection page based on?

The Type of Service (服務類別) shown on the payment method selection page comes from the GCIS
PaaS Shared Services Configuration Document Section C9-4 "Application Name in GCIS PaaS" (see
figure 1) for the corresponding language.

The Merchant Name ( 商 ⼾ 名 稱 ) shown on the payment method selection page comes from the
"Merchant Name to be shown on payment gateway screen" field on BOCHK's Merchant Account Setup
Request Form (see figure 2). This Merchant Name is always in English and will be shown on BOCHK's
credit card payment page that captures the card number and expiry date from the user. That is,
regardless of whether the BOCHK credit card payment page is in Traditional Chinese or Simplified
Chinese, the Merchant Name is displayed in English. The display of both the "Type of Service (服務類
別 )" and "Merchant Name ( 商 ⼾ 名 稱 )" on the GCIS PaaS payment method selection page serves to
inform the user the relationship between a "Type of Service (服務類別)" in Chinese versus a "Merchant
Name (商⼾名稱)" in English.

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 16/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

To facilitate the configuration of the GCIS PaaS testing environment, the B/D project team is required to
repeat the "Merchant Name (商⼾名稱)" on the GCIS PaaS Shared Services Configuration Document
Section C9-4. Ultimately, the B/D project team should ensure that the same text is used for :

the "Merchant Name to be shown on payment gateway screen" field on BOCHK's Merchant
Account Setup Request Form; and
"Merchant Name (商⼾名稱)" on the GCIS PaaS Shared Services Configuration Document
Section C9-4.

Note:

Under Traditional and Simplified Chinese, the 商⼾名稱 will still show the "Merchant Name to be
shown on payment gateway screen" in English.
Under English, if the Merchant Name is the same as Type of Service, then the Merchant Name
will not be shown.

Figure 1: Sample of section C9-4 of the GCIS PaaS Shared Services Configuration Document

Figure 2: Sample of BOCHK's Merchant Account Setup Request Form

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 17/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

For example, based on the sample values shown in figure 1 & 2, it will show the payment method
selection page as follows (figure 3):

Figure 3:Sample Payment Method Selection Page

5. What is the Merchant Name (商⼾名稱) shown on the PPS payment page based on?

The Merchant Name (商⼾名稱) shown on the PPS payment page comes from the GCIS PaaS Shared
Services Configuration Document Section C9-4 "Application Name in GCIS PaaS" (see figure 4).

Figure 4: Sample of section C9-4 of the GCIS PaaS Shared Services Configuration Document

The following is the sample PPS Payment Page (Figure 5).

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 18/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

Figure 5: Sample PPS Payment Page

6. What is the Merchant Name (商⼾名稱) shown on the Credit Card FI's payment page based on?

The Merchant Name ( 商 ⼾ 名 稱 ) shown on the BOCHK's payment page comes from the "Merchant
Name to be shown on payment gateway screen" field on BOCHK's Merchant Account Setup Request
Form (see figure 6).

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 19/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

Figure 6: Sample of Credit Card FI payment page

7. Some payment transactions record "not found" (NOTF) payment status in the PSDR. What does
it mean and how should public enquiries on such transaction be handled?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 20/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

When a transaction is re-directed to the FI's payment gateway, in some cases, due to various reasons, it
may never return within the pre-agreed timeout period. The transaction would be incomplete pending a
payment recovery process to synchronize with the payment status recorded in the FI's payment
gateway. When your e-Service performs payment recovery, and the transaction could not be found in
the FI's payment gateway, a "NOTF" payment status would be returned. There are many possible
reasons for a "NOTF" status (e.g. user chose not to proceed with the payment and closed the browser
after re-directed to the FI's payment gateway, or user encountered network problem when accessing
FI's web page, etc). The chance of "NOTF" payment status for payment via digital wallet should be rare,
but it is not impossible.

As explained above, a "NOTF" payment status is usually a normal case that does not require further
investigation unless large amount of "NOTF" cases were found within a short period of time. If a large
amount of "NOTF" cases were found within a short period of time, you can report the cases to BOCHK
and GCIS PaaS 7 x 24 Operation Help Desk to check if there was system error during the period.

If a customer enquiry is related to a payment transaction with a "NOTF" payment status, you can inform
the customer that the payment was not successful and the customer can try the transaction again. If the
customer reported that their payment failed at some specific screen, you may wish to walk through the
payment steps with the customer and identify which screen the customer encountered problem. It is
possible that it was only a usage problem, in which case you would be able to guide your customer
through it. If a non-usage problem is found at a particular screen:

For problem at the GCIS PaaS payment method selection page or BOCHK/PPS's payment web page,
your application support team can try to reproduce the problem and report the case, with screen dump,
to the GCIS 7 x 24 Help Desk for follow-up.

For problem at the credit card issuing bank's web page, please advise the credit card holder to report
the case to the corresponding card issuing bank.

If the problem cannot be reproduced, it is possible that the problem is related to the configuration of the
customer's workstation. In this case, you may wish to suggest the customer to try your e-Service at
some other workstation which can meet the System Requirements for GovHK Online Services. You may
also wish to collect the detailed configuration of the customer's workstation for further reference.

8. Sometimes, a public user had successfully inputted the credit card information into the payment
gateway, but his transaction was rejected by Verified by VISA (VBV)/MasterCard SecureCode
during payment authentication. Why did it happen? How should the public enquiries on such
transactions be handled?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 21/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

Verified by VISA and MasterCard SecureCode are methods employed by credit card associations and
financial institutions to prevent fraudulent usage of credit cards. After a card holder has input the credit
card information into the payment gateway, his/her browser will be directed to the web site of the card
issuing bank where he/she is required to input the password or other identity information to complete
the secure code authentication.

Before a card holder can enjoy the online payment services secured by VBV/MasterCard SecureCode,
he/she has to register the secure code authentication service with the card issuing bank. However, the
card holder may not be able to use the payment service immediately as the registration may not be
effective immediately.

If the card holder has several unsuccessful login attempts, the card issuing bank may lock his account
and the card holder needs to contact the card issuing bank to reset the password.

Credit card online payment via digital wallet use specific authentication methods, such as fingerprint
authentication and PIN, instead of VBV and MasterCard SecureCode. However the card issuing bank
still has the authority to reject any online payment request made by digital wallet.

In fact, different card issuing banks may have different policies to implement the payment authorization,
and these banks, for personal privacy reasons, release very limited information about the reasons for
rejecting payment requests. If your end users need more information about such cases, you may
suggest them approaching the card issuing banks directly.

9. Any transaction amount limit for credit card payment via digital wallet?

A configuration of allowable minimum and maximum transaction payment amount is available in GCIS
PaaS for each e-Service. Payment requests with transaction amount out of the allowable range will be
rejected by GCIS PaaS. If B/Ds would like to change the configuration, please approach GCIS Planning
and Client Advisory Team for assistance.

Besides, the credit card issuing bank may have policy to limit the payment amount of each card holder
for online payment via digital wallet. If end users need more information of their payment limits, you may
suggest them to contact the card issuing banks directly.

10. What are the credit card brands supported for online payment via digital wallet?

Visa and MasterCard are the two credit card brands currently supported for online payment via digital
wallet through GCIS e-payment service.

TOP

File Interchange Service

11. I have subscribed to the File Interchange Service. How may my application integrate with it?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 22/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

GCIS File Interchange Service provides functions for file and folder manipulation to a pre-defined target
group via WebDAV and REST interfaces. B/Ds can use the service to build their applications that
require file and folder manipulation features.

As the WebDAV and REST interfaces of the GCIS File Interchange Service are accessed through the
HTTPS protocol, calling these interfaces is not bound to a specific programming language, library or
tool. Depending on the programming language used, B/Ds should evaluate and choose an appropriate
library to call the interfaces.

12. I would like to exchange file with restricted data, how should I handle it?

For restricted data, users are required to encrypt files before upload (using MS Office, WinZip, etc), i.e.
end-to-end encryption.

13. If I have an application that needs to exchange information with another department using File
Interchange Service (FIS), should both departments subscribe the FIS?

Only the department providing the file for exchange is required to subscribe the FIS, which could
distribute one of the FIS user accounts to the target department. The target department would make use
of the user account to download the file via FIS Web GUI or its own application system.

14. I have subscribed one Shared Services Plan but has not used up 5GB as entitled, could I share
the storage with File Interchange Service?

No, as the implementation of File Interchange Service is different from that of other Shared Services,
the storage of FIS cannot be shared. B/Ds need to subscribe one more Shared Services Plan in order to
use FIS.

TOP

Notification Service

15. I have subscribed to the Notification Service. How may the application integrate with the
Notification Service?

Web Service interfaces of the Notification Service provide functions such as subscription list
maintenance, bulk data upload and ad-hoc/schedule submission of outgoing email jobs. Both Simple
Object Access Protocol (SOAP) interface and RESTful interface are supported to make Web Service
calls to the Notification Service from your applications. You can choose any programming language
compatible with the above standards and build the Web Services interfaces for your applications. If you
are using Java as your programming language, helper classes are available from the GCIS Planning
and Client Advisory Team to save some of your programming effort for making Web service call to
Notification service.

16. After subscribing the Notification Service, can my application hosted in GCIS PaaS access the
GCIS PaaS SMTP servers?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 23/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

Notification Service provides both GUI interface and Web Services interface for B/Ds to prepare their
outgoing email contents. Your application can send outgoing email by making Web Services call to the
Notification Web Services.

17. For email delivery via Internet, some major email service providers check source IP against
email sender domain to make sure the sender domain is genuine. What do we need to do to
facilitate such checking?

For Notification Service - Internet email, B/Ds should host SPF records for their outgoing email domains
as some of the mail service providers will validate the sender domains of the emails by means of SPF
records. Those emails without proper SPF records will likely to be blocked or placed in the spam folder
of the recipient's mail boxes.

The final records should include the following:

v=spf1 ... include:spf-1.egis.gov.hk ...
v=spf2.0/pra ... include:spf-2.egis.gov.hk ...

GCIS PaaS Notification Service supports DomainKeys Identified Mail(DKIM) in sending out notification
emails. B/Ds should add the following DNS records for their outgoing email domains.

For testing environment,

egisdctr-16-01._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB

C
gKCAQEAnq637dBZwTx62yLIkah+K1ut0S8UpWCmXJMMg3TWoB1UmUnti8R2OiCJfdPMfr8GEv5JkG
SdR3FTu6iGYNv5t1KVqqXreh
45oaFlBqKi6v4QkDaP7HaNof2FgZUo7yp3PEZyyghLuibPluI++6mQJPg7cLhbGWqdxP0Zw7lzY5JQYh
FUk9ECUy9THxUFll1M0TF
1k6rkjjCWnow3K27u/l+zaQtzuluyFp9e4AeT4rcx9MGBzC0SJgEDJC3NHp3lYmIAyiX6XS5KEOpINtwH3
6tAYEwLQ2UBrtSlrSaC
2TpLbLtAzcp2p6Z4akXuIk+zPxzkFMimRkq2Sft1PH3UQQIDAQAB"

For production environment,

egis-16-01._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCg

KCAQEAzPCLNlENl4oCRQIlyeMp0Rao6EMApV6o/PdzkjGF/qli2iQKX0SKeK701WlUuu/nm63dc2ouI5f
GLTp7BH+yLv8GnJjPs
5E8K6p7N8aRp7bf41n5NNmCSQDyQQ3ccEnZZhindF4fj7VXRACMfzCMH6MAPNJ8S2Yjl8limXtBuDX
mwGrnSBNU+p53Lww2cnVA
65sQu02RNMpA4+rxZCZL7PXmoOrctjgmloAfftymyibC0fqgcclwuEs9EGjEBqPHrxCEuLX/xbwsGPcTvs
FoFcPG1HfgYAvt1TI
eECWM+RKGuOhyVuvIPLGuPgmXy183IGs8N/ybhSVtbRBC+sTCIwIDAQAB"

TOP

Messaging Service

18. If I have an application that needs to exchange information with the application of another
department using Messaging Service, should both departments join the Messaging Service?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 24/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

Yes. When two applications communicate with each other through the Messaging Service, at least two
end points under separate accounts will be set up and the respective B/Ds will be separately charged.
For projects involving multiple B/Ds, participating B/Ds will be required to set up end points for their
applications.

19. Is it necessary for us to set up a server in our department in order to use the Messaging
Service?

It depends on the purpose and requirement of your application. If your application needs to respond
immediately to a request, you may setup a Web Services to serve the request synchronously through
RPC messaging mode. Otherwise, you may setup a client machine to poll your messages and then
process the requests through store-and-forward messaging mode.

20. What messaging modes are supported in Messaging Service?

GCIS Messaging Service uses Web Services for all Messaging Service calls. RPC messaging mode
and store-and-forward messaging mode are supported. B/Ds can choose either one to exchange
messages with other B/Ds. RPC messaging mode means the message sender will wait for the response
after sending the message to the recipient via the Messaging Service, while store-and-forward
messaging mode will store the request at GCIS first, and the response from the message recipient will
be returned to the sender through a separate network session via the Messaging Service.

21. What message format is supported in Messaging Service?

The Messaging Service supports SOAP and RESTful Web Services calls. For SOAP Web Services,
RPC messaging mode supports both SOAP 1.1 and 1.2 standards and store-and-forward messaging
mode supports SOAP 1.1 standard. For RESTful Web Services, JAX-RS 2.0 standard is supported by
GCIS. The Messaging Service will route messages to the message recipient(s) according to information
in the header blocks. Other useful information such as message ID, timestamp, etc. will be updated to
the header block when the message is delivered to the message recipient. B/Ds can store their
application data in the message body or as attachments according to their requirements.

22. Can Messaging Service support sending messages to multiple departments?

The Messaging Service supports multiple-recipients, it will route messages to the recipients defined in
the message header.

23. Can I use Messaging Service to exchange data with external parties through Internet?

No. Messaging Service is only targeted for data exchanges among B/Ds which have network
connections to GNET.

24. I have subscribed to the Messaging Service. How may my application integrate with the
Messaging Service?

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 25/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

The Messaging Service rides on Web Services interface. These interfaces support two kinds of Web
Services call – SOAP and RESTful. To make SOAP Web Services calls to GCIS, request messages
should conform to the W3C's SOAP as well as the WSDL of the corresponding services provided by
GCIS. To make RESTful Web Services calls to GCIS, request messages should conform to JAX-RS as
well as the WADL of the corresponding services (for RPC), or OpenAPI (for store-and-forward) provided
by GCIS. B/Ds are free to choose any programming languages compatible with the above standards. If
the programming language is Java, helper classes are available from GCIS Planning and Client
Advisory Team to facilitate your development in using Messaging Service.

25. How would it be if a surge of messaging traffic, which exceeds the subscribed bandwidth
entitlement of an application, is recorded in some months during a year?

The GCIS infrastructure has sufficient and flexible capacities to handle surging of messaging traffic.
There will be no service interruption to the application. The GCIS technical support team will monitor the
messaging service usage and advise the concerned B/D to subscribe additional service plans if its
utilization continually reaches its limit.

TOP

PKI Certification Revocation List (CRL) Checking Service

26. How can I test suspended or revoked certificates in testing environment?

Firstly, please obtain testing CRL with the suspended or revoked certificates from the Certification
Authorities (CA). And then contact GCIS Planning and Client Advisory Team to book the testing
environment. Please also submit a change request via GCIS Self Service Portal specifying the testing
period and with attachment of the testing CRL for configuration.

TOP

ebXML Document Exchange Service

27. What should I do if I receive an email saying that GCIS ebXML Document Exchange Service
failed to send an ebXML message to an external party?

Please check whether the corresponding external party has any network problem, for example, is the
external party server running? Is there any relocation work in progress? etc. If the problem still persists,
please contact GCIS Planning and Client Advisory Team for further actions.

28. I am using ebXML service to send messages to my external parties. If there is a new third party
or any update for existing party, what should be done on GCIS side?

If there is any change for the external party, please submit a change request via GCIS Self Service
Portal with the updated Shared Services Configuration Document (SCD) attached.

TOP

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 26/27
9/22/2022 Government Cloud Infrastructure Services (GCIS)

Last revision date: 21 September 2022

https://itginfo.ccgo.hksarg/content/gcis/faqs.html 27/27