Version: 21.04.2

Release Date: 2021-09-14

The Smart ID 21.04.2 release provides updates in Identity Manager, Self-Service, Digital Access and Physical Access. Messaging provides minor improvements and bugfixes only. All components also provide several bugfixes and library updates to ensure high quality and security.

Smart ID compatibility

Smart ID 21.04.2 is compatible with the following component versions: 

Detailed feature list


Jira ticket no | Description | Digital Access | Identity Manager & Self-Service | Physical Access | Messaging

Improved ActivitiCleaner performance

Additional DB indices improve the performance of the ActivitiCleaner, especially when running on large databases.



Allow override of predefined filters in search task

When using a search config that contains predefined filter values in the "Execute Search" service task, it is now possible to override the predefined values with new values in the service task. 



Support for certificates with multi-value SAN attributes for login

Improved certificate-based login implementation. It is now possible to log in with certificates that have a multi-value SAN attribute, for example, multiple email addresses or multiple User Principal Names (UPNs), in the certificate. The login process will iterate through the values until one has a unique match to a user.



Ansible way of deployment for Digital Access

It is now possible to deploy a fresh instance of Digital Access using Ansible in RHEL 8 with Podman as the containerization tool. See here for more information: Deploy Digital Access on RHEL 8 using Ansible and Podman.



Flag added to log SCIM API requests

A flag (PA_DEBUGLOG) has been added to log SCIM API requests to help debugging if an Identity Manager request is not correct. By default this flag is set to False so that it doesn’t log all the request data when not necessary. The flag is defined in the smartid.env file. Set the flag to True if required.
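
The multi-value SAN login behaviour described under "Support for certificates with multi-value SAN attributes for login", sketched as an added example; this is not Nexus code, and the directory layout, attribute names and function names are assumptions. It assumes that a SAN value matching no user or more than one user is skipped, and that login is refused when no value matches exactly one user.

```python
from typing import Dict, List, Optional, Tuple

User = Dict[str, str]

# Constructed sample directory; the attribute names are assumptions,
# not the Smart ID user schema.
USERS: List[User] = [
    {"id": "u1", "email": "shared@example.test", "upn": "alice@corp.example.test"},
    {"id": "u2", "email": "shared@example.test", "upn": "bob@corp.example.test"},
    {"id": "u3", "email": "carol@example.test", "upn": "carol@corp.example.test"},
]


def find_users(directory: List[User], attribute: str, value: str) -> List[User]:
    """Return every user whose attribute equals the SAN value (case-insensitive)."""
    needle = value.strip().lower()
    return [u for u in directory if u.get(attribute, "").lower() == needle]


def resolve_login(
    san_values: List[str], directory: List[User], attribute: str
) -> Tuple[Optional[User], List[Tuple[str, int]]]:
    """Iterate the SAN values in certificate order until one maps to exactly one user.

    Returns (user, audit). audit records each value tried and how many users it
    matched, so the login decision can be logged and reviewed. A value that
    matches zero or several users never authenticates anyone: the function
    fails closed by returning None when no value is unique.
    """
    audit: List[Tuple[str, int]] = []
    for value in san_values:
        matches = find_users(directory, attribute, value)
        audit.append((value, len(matches)))
        if len(matches) == 1:
            return matches[0], audit
    return None, audit


if __name__ == "__main__":
    # Constructed certificate SAN: two rfc822Name entries, the first one shared.
    user, audit = resolve_login(
        ["shared@example.test", "carol@example.test"], USERS, "email"
    )
    print(user["id"] if user else "login refused", audit)
```

The audit list is what makes an ambiguous SAN value visible: a count above 1 means two accounts share an identifier that certificates are being issued for.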


Corrected bugs

Jira ticket no | Description | Digital Access | Identity Manager & Self-Service | Physical Access | Messaging

In case of SAML, if users logged in after a certain time period, they were redirected to the access point portal instead of to the SP resource. This has now been fixed.



Added connection timeout and read timeout for BankID and Freja eID.

The default values can be modified by setting the Java properties:

  • -Dcom.httpclient.connection.timeout=2000
  • -Dcom.httpclient.readwrite.timeout=5000


Fixed Null pointer exception when doing SAML authentication with forceAuthn enabled.


DA-522 | Fixed Null pointer exception when user session does not exist. | X


Due to a thread crash, the session cleanup activity was interrupted in the policy service and eventually the limit of concurrent sessions was exhausted. Fixed the null pointer exception in the timer manager thread.


DA-535 | The sign message for a SAML request is now passed to the IDP when Digital Access acts as a proxy. | X

DA-598 | Fixed the null pointer exception when Hermod gives a callback to Digital Access for an expired profile. | X

DA-466 | Added missing security headers in the access point, admin, policy and distribution services. Made the CSP header configurable. | X

DA-418 | Updated online help for SAML "Use latest used authentication method". | X


EntitlementAssignment gets deleted when the same entitlement assignment is deleted and added again. This has been fixed.



Filters on groups were not working as expected. This has been fixed.


Improved error handling in BPMN History cleanup. When an error occurs, the cleanup job will no longer be interrupted. Instead it will continue with the rest of the cleanup.



When creating new records via the (client-side) CSV import task, the object history entries were not always updated. This has been fixed.



Fixed an issue when adding Expressions, (for example OR or RegEx), dynamically via a data map into an unequal filter in the search config.



When uploading CSV files on the client-side via the upload button, empty lines in the CSV files were misinterpreted and this could lead to wrong results in the system. This has now been fixed by ignoring empty lines.



When running the ActivitiHistoryCleaner background job, open "CallActiviti" instances were missed. This has now been fixed by including the CallActiviti instances in the clean-up.



Fixed an issue when executing multi-level searches in batch orders.



Fixed an issue when enrolling certificates on mobile app or Virtual Smart Card (VSC) in combination with Microsoft ADCS (missing key size parameter). 



When doing concurrent Smart card production in multiple Identity Manager Operator clients, the system could run into an error due to concurrency. This has been fixed.



Fixed an issue when validating date fields with "not before" condition in user forms.



Fixed an issue about authentication profiles in the Identity Manager (IDM) migration tool.



When logging in with SAML, the IP address of the client was not added to the user context, as it is done for other authentication profiles. This has been fixed. Now the client IP address is also available with SAML.



Fixed logging in Microsoft ADCS PKI connector when getting concurrent requests.



The searches behind search buttons got executed immediately in Smart ID Self-Service. This could cause issues when getting large search results. This has been fixed. Now the search needs to be executed manually by the user, to enable filter criteria to be entered and thereby limit the search results.



Smart ID Self-Service always showed binary objects as if they had content, even if an object was empty. This made it impossible to differentiate between binary fields with and without content in the Smart ID Self-Service UI. This has now been fixed.



Keep-alive is set in seconds in the configuration, but must be returned in milliseconds in the code. This was not working correctly and is now fixed.


Configuration refresh using the actuator/refresh endpoint and remote HermodCfgServer polling at the same time was not working. This is now fixed.


Job distribution was not handled correctly when scaling down the number of instances from 2 to 1. This is now fixed.


Release announcement

Only Docker deployment is supported for the Smart ID components Identity Manager, Physical Access, Digital Access and Messaging. For full instructions, see 21.04.2 - Deploy Smart ID.

From Smart ID 20.11 and on, components now only have the Smart ID version number and not the different component version numbers. For information on previous releases, see Nexus Documentation Archive.

For details on the updated Smart ID configurations and deployment configurations, see here: 


Smart ID deployment configuration release note
All notable changes to this project will be documented in this file. Be aware that the [Unreleased] features are not yet available in the official tagged builds.

## [Release 21.04.2-2021-09-13]
### Added
- HTTPS support for Physical Access integra. [DEVOPS-1211]
- Environment variable to control debug logging in Physical Access SCIMAPI. [DEVOPS-1211]
### Changed
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Change Import Logger to correct class. [DEVOPS-1143]
- RabbitMQ now uses external docker image. [DEVOPS-1211]

## [Release 21.04.1-2021-07-02]

### Changed
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Updated SmartID version to 21.04.1

### Removed
- Removed Self-Service config.json file. [DEVOPS-945]
- Removed hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-06-10]

### Added
- Added some Let's Encrypt root certificates. [DEVOPS-971]

### Changed
- Fixed some copy issues in the script.
- Changed the default selfservice config to include auth methods params example.
- Update Language files for IDM. [DEVOPS-1067]

### Removed
- Removed expired Let's Encrypt certificates. [DEVOPS-971]

## [Release 21.04.0-2021-05-28]

### Added
- Added new Let's Encrypt cert. [DEVOPS-946]
- Added hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-05-20]

### Added
- Default values for Selfservice tenant id and instance id. [DEVOPS-738]
- Added example format for MSSQL everywhere we build the DB URL (`${DBHOST}/${XX_DB_NAME}`) because MSSQL requires a different URL format. [DEVOPS-737]
- Include SANs from CSR in bootstrap TLS cert in `bootstrap/conf/ca.conf`.
- Generate TLS certificate for non-traefik setup in `bootstrap/`.
- Log4j2 config and template for json layout [DEVOPS-758]
- Datadog agent compose file, with some examples, see nexus and datadog documentation if you want to use it [DEVOPS-759]
- Added a check in `` that exits the script if the user didn't fill in the mandatory properties in `smartid.env` (those with the <XX> value pattern). [DEVOPS-759]
- Added Physical Access Interflex PACS. [DEVOPS-752]

### Changed
- IDM DB will no longer be initialized through script. Initialisation has to be done manually by starting container in identitymanager/updatedb. [DEVOPS-739]
- Rename containers to use dash instead of underscore, so containerName can work for DNS lookup (underscore is not allowed in DNS names).
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align idm update db naming to use the name "updatedb" everywhere
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align digital access directory names with service names
- fix bootstrap cert folder permissions in init script
- Changed all HERMOD_* properties to MESSAGING_*. [DEVOPS-751]
- Moved each component's respective config into their own config folder. [DEVOPS-751]
- Made all volume mappings static in compose file, no more properties. [DEVOPS-751]
- Reorganized smartid.env to be split by component, making it easier to find component related properties. [DEVOPS-751]
- Internal ports (inside docker) are now static in the compose file. [DEVOPS-751]
- Moved postgres related properties outside smartid.env, because it is a separate tool not meant for production. [DEVOPS-751]
- Renamed service names in compose files to match their container name. [DEVOPS-751]
- Changed traefik version to 2.4.8. [DEVOPS-638]
- Changed file extension of generated certificates from `.base64` to `.cer`.
- Updated translation files for IDM. [DEVOPS-761]
- Updated Messaging config for 21.04 (Hermod version 3.1.1). [DEVOPS-802]
- Changed chmod command to give permission 700 instead of 600, because hermod needs execute permission.
- Updated SmartID version to 21.04

### Fixed
- Fixed typos in the strings that are echoed to the user during the initialisation. [DEVOPS-646]

### Removed
- Removed unused properties in smartid.env. [DEVOPS-751]
- Removed unused ports for Physical Access. [DEVOPS-752]
- Removed Physical Access config files. Configuration is now handled using environment variables. [DEVOPS-752]
- Removed TZ from all docker-compose files. Since it is set in `smartid.env` which is mapped using `env_file`, declaring the variable a second time in `env` was not necessary.

## [Release 20.11.2-2021-03-22]

### Added
- If you say Yes to the question if Digital Access shall be deployed in the host, it will make it possible for the containers to listen on 80 and 443. [DEVOPS-540]

### Changed
- Bump SmartID version to 20.11.2
- Updated IDM translation files with newer ones. [DEVOPS-561]
- Adjust volumes for hermod certificates. [DEVOPS-651]
- Removed Selfservice hotfixes introduced in previous release. [DEVOPS-626]

### Fixed
- Fixed tenant startup by removing mapped sign encrypt configuration, so it uses the default one from inside the container. Since IDM Tenant uses fewer certificates, the same config as IDM operator or admin cannot be used. [DEVOPS-640]
- Fixed the script used in IDM operator, admin and tenant [DEVOPS-692] + [DEVOPS-656]

## [2020.11.1-2021-02-18]
### Added
- Added issuing and root CA certificates to IDM containers for config signing (These certs should NEVER be used for production). [DEVOPS-549]
- Added hotfix for SelfService -> IDM connection [DEVOPS-626] Has to be removed with 20.11.2+.
### Changed
- Update sign-encrypt engine to the newest state. [DEVOPS-549]
- Update version number to 20.11.1

## [Release 20.11.0-2020-12-22]

### Added
- Added support for selfservice branding. [DEVOPS-471]
- Added log4j volume mapping for idm containers. [DEVOPS-470]

### Changed
- Updated traefik version to 2.3.4 [DEVOPS-464]
- Renamed selfservice container from "idm_selfservice" to "selfservice".
- Renamed all environment variables starting with "IDM_SELFSERVICE_x" to "SELFSERVICE_x".
- Changed Hermod config to disable by default some end-points and to hide sensitive data in logs. [DEVOPS-484]
- Improved the `` script to handle dynamically all docker-compose stop commands and to work regardless of where the script is called from.
- Improved the `` script to work regardless of where the script is called from.
- Improved the `` script to work regardless of where the script is called from.
- Renamed `idm-selfservice-language.json` to `idm-selfservice-config.json`.

### Fixed
- Fixed volume mapping for selfservice tomcat server.xml by using a separate variable than identitymanager.
- Fixed French translations for IDM and Selfservice.

## [Release 20.11.0-2020-12-07]

### Added
- Added `postgres/init/init-smartid-databases.sql` so that Physical Access database is created when starting up postgres. The "pauser" is created, and a default password is set.
- Added LE CA Certificate to cacerts. [DEVOPS-455]
- Added AJP port variables in smartid.env and use them in identitymanager docker-compose files. Also added AJP Connector in `config/idm-tomcat-server.xml`, which has to be enabled manually (and port set accordingly). [DEVOPS-348]
- Add following new features to the identitymanager docker-compose files: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new system properties environment variable
  - Support for new DB properties environment variables
  - Support for new spring bean volume mapping. See `IDM_VOLUME_PATH_SPRING` in `smartid.env`.
  - Support for new jars volume mapping. See `IDM_VOLUME_PATH_LIBS` in `smartid.env`.
  - Support for new class files volume mapping. See `IDM_VOLUME_PATH_CLASSES` in `smartid.env`.
- Add following new features to the selfservice docker-compose file: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new IDM url environment variable
- Added adminer as tool [DEVOPS-407]
- Added maxVersion for TLS to be 1.2 due to compatibility issues with some mobile devices. [DEVOPS-413]

### Changed
- Changed smartid version to 20.11.0.
- Moved "/certs/boostrap" to "/boostrap".
- Changed postgres version in smartid.env from 9.6.18 to 12.5. [DEVOPS-431]
- Split identity manager containers into their own docker-compose files: [DEVOPS-382]
  - Added `identitymanager/admin/docker-compose.yml`
  - Added `identitymanager/tenant/docker-compose.yml`
  - Added `identitymanager/init-db/docker-compose.yml`
  - Added `identitymanager/operator/docker-compose.yml`
- Adapted `init-/`, and paths inside `smartid.env` and some docker-compose files to fit new docker-compose yaml files. [DEVOPS-382]
- Change the script to ask if traefik is going to be used as Ingress/proxy. [DEVOPS-408]
- Changed in `config/hermod-conf.yml` some values to <IDM-HOST-HERE> and <DA-HOST-HERE> on client samples.

### Removed
- Removed MSSQL from deployment package, since Physical Access now support postgres. [DEVOPS-448]
- Removed unnecessary variables in `smartid.env`.
- Removed identitymanager compose docker-compose file. [DEVOPS-382]
- Removed entrypoint definition from identitymanager docker-compose files. [DEVOPS-406]
- Removed pgAdmin and portainer and its variables from smartid.env. [DEVOPS-407]
- Removed modern and old options for tls in `config/traefik/traefik-tls.yml`. [DEVOPS-413]
- Removed TRAEFIK_TLS_OPTION from smartid.env. [DEVOPS-413]
- Removed identitymanager spring beans because we changed how we handle them.
- Removed samples.

## [Release 20.06.1-2020-10-27]

### Added
- Added port forwarding to hermod container in the messaging docker-compose file.
- Added spring bean files for identitymanager in `config/idm/spring_operation` and spring_admin. 
- Added translation files for identitymanager in `config/idm/translation_idm` and for selfservice in `config/idm/translation_selfservice`.
- It is now possible to enable Strict SNI using TRAEFIK_TLS_STRICTSNI=true

### Changed
- changed smartid version to 20.06.1.
- Changed HERMOD_DOMAIN_PREFIX from "mb" to "messaging".
- Changed the DB init/update script behavior, can be controlled with `IDM_DBUPDATE_SCRIPT` in smartid.env.
- Changed `traefik-tls.toml` file to YAML and used variables from .env file. Possibility to change TLS certificate file names TRAEFIK_TLS_DEFAULT_CERTIFICATE and TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY.
- Improved the `` script.
- Moved selfservice to a separate docker-compose file.

### Fixed
- Fixed the jdbc url for `config/da-admin-customize.conf`.

### Removed
- Dropped `restart: always` for identitymanager init-db.
- Removed explicit DBHOST naming in `smartid.env` to force user to set its own value.

## [Release 20.06.0-2020-09-28]

### Added
- Added possibility to add custom-beans for IDM Operator and Admin, in `config/idm`.
- Added possibility to change translation for IDM Operator, Admin, Selfservice and Tenant.
- Added IDM_DB_QUARTZ example for MSSQL, Oracle and DB2.
- Added `container_name` for all containers in:
  - identitymanager/docker-compose.yml
  - traefik/docker-compose.yml
- Added docker hostname for postgresdb DB_HOST in `postgres/docker-compose.yml`, this will make test deployment work from start.
- Added docker hostname for mssqldb PA_DB_HOST in `mssql/docker-compose.yml`.
- Added `restart: always` to all containers. All containers will then start up after reboot, if they have been started once before.
- Included SAML example files for IDM in `/samples/idm_saml`.

### Changed
- Changed smartid version to 20.06.0.
- Changed explorer/operator url in `idm-selfservice-application.yml`.
- Changed location of Identity Manager SAML samples files from `/docker/compose/examples` to `/samples/idm_saml`.
- Updated ``:
  - Now check if docker and docker-compose are installed, if not the script will exit.
  - Now asks if the deployment is a production deployment, if "Yes", the script will complete and deployment configuration can be done. If "No":
    - Ask if postgres and/or mssql shall be deployed and started.

### Fixed
- Moved comments in `smartid.env` file to be on a separate line instead of behind the value. This was breaking the applications since comments would be evaluated as part of the value.
- Fixed `` so that it works properly on CentOS.
- Fixed a typo for variable `IDM_DB_QUARTZ`.
- Fixed typo in idm-operator container in `identitymanager/docker-compose.yml`, in the path to the castore.jks.

### Removed
- Removed ``, it is included in

Known issues

Jira ticket no | Description | Digital Access | Identity Manager & Self-Service | Physical Access | Messaging

copy_files script is broken in 21.04.2

When restarting Identity Manager Admin or Identity Manager Operator, the container will not be able to restart and logs the error "java.nio.file.FileAlreadyExistsException". The workaround in this case is to recreate the container instead of just restarting it. This can be achieved by running the command "docker-compose up -d --force-recreate".


