Cert: Certificate Publication via CM

Description 

Use this task to trigger a republishing or unpublishing action for a specific certificate on the Nexus CM based on the configured publication procedure.

Configuration

To use this task, configure the following delegate expression in your service task:

${certificatesPublicationTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Sample value | Description
publicationProcedure | | CertEP CA Certificate to AD (Enrollment Services) | Publication procedure defined on the CM.
serialnumberField | | Certificate_CertSerial | Name of the field containing the serial number in the datamap.
DataPoolName_Certificate | | Certificate | Datapool name of the certificate.
serialNumberIsDecimal | - | true | Indicates that the serial number is already in decimal format. If this field is set to "false" or left out, the serial number is interpreted as hex.
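How the serialNumberIsDecimal setting changes the reading of the serialnumberField value, as an added Python example (this is not Nexus or PRIME code). The field name Certificate_CertSerial comes from the table above; the accepted hex spellings (plain, "0x"-prefixed, colon-separated as printed by openssl) and the canonical uppercase form are assumptions of this example, not a statement of what CM expects.

```python
"""Serial number handling for the certificate publication task (added example).

The same field value means a different certificate depending on the
serialNumberIsDecimal flag: "1000" is 1000 as decimal but 4096 as hex.
A mis-parsed serial republishes or unpublishes the wrong certificate,
so the parser validates strictly instead of guessing.
"""
import re

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_DEC_RE = re.compile(r"^[0-9]+$")


def parse_serial(value: str, serial_is_decimal: bool) -> int:
    """Return the serial from the datamap field as an integer.

    Mirrors the task's rule: serialNumberIsDecimal=true means the field is
    a decimal number; false or absent means hex. Hex input may be written
    plain ("0A1B"), with a "0x" prefix, or colon-separated ("0a:1b");
    these spellings are an assumption of this example.
    """
    s = value.strip()
    if serial_is_decimal:
        if not _DEC_RE.match(s):
            raise ValueError(f"not a decimal serial: {value!r}")
        return int(s, 10)
    if s.lower().startswith("0x"):
        s = s[2:]
    s = s.replace(":", "")
    if not _HEX_RE.match(s):
        raise ValueError(f"not a hex serial: {value!r}")
    return int(s, 16)


def canonical_hex(serial: int) -> str:
    """Uppercase hex without leading zeros, used here for comparing serials."""
    return format(serial, "X")


def interpretations(value: str) -> dict:
    """Both readings of one field value; None where that reading is invalid.

    Identical results under both flags would mean the value is unambiguous;
    for most serials they differ, which is the point of the flag.
    """
    out = {}
    for flag in (True, False):
        try:
            out[flag] = parse_serial(value, flag)
        except ValueError:
            out[flag] = None
    return out


if __name__ == "__main__":
    # Constructed field value, as it might appear in Certificate_CertSerial.
    field_value = "1000"
    for flag, serial in interpretations(field_value).items():
        print(f"serialNumberIsDecimal={str(flag).lower()}: {serial} (hex {canonical_hex(serial)})")
```

Run it once with the serial your process actually stores to confirm the flag matches the stored format before wiring the task into a production process.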

Cert: Create SCEP order request

Description 

Use this task to register or de-register Simple Certificate Enrolment Protocol (SCEP) order requests with Nexus Certificate Manager (CM).

The task is executed on server identities and uses some of their details to create the order request. It sends the common name and password for the specified token procedure to CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) SCEP enrolment requests from the specified clients.

Configuration

To use this task, configure the following delegate expression in your service task:

${scepOrderRequestTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
certTemplate | | | Certificate template name which has the token procedure and CM information.
commonName | | | Defines the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrolment will be processed, i.e. the domain name of the machine or server. It is not possible to have multiple FQDNs in one registration; those would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN as something like "test-*.example.com".
enrollReg | | true | Registration enrolment flag (true/false).
password | | | Password used to verify SCEP enrolment requests sent by clients later, so it must be the same password the clients use in their SCEP enrolment request.
cpmState | | | Decides whether this is a registration or a de-registration order request at CM. Set to 1000 to trigger a registration, 1001 to trigger a de-registration.
validity | | | Validity of the request order, either "always" or the number of days. CM defaults to "always" if not set.
emailAddress | | | Email address of the responsible person.
ipAddress | | | IP address of the server or machine.
serialNumber | | | Serial number of the device, if available. It is not mandatory, so it can be blank.
Cert: Execute PKCS10 Request

Description

Use this task to send a PKCS#10 request to the configured CA. Based on the certificate template name, PRIME approaches a CA to request a new X.509 certificate. The certificate is stored in the PRIME database and added to the process map. Certificate templates provide a set of attributes that allows fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePKCS10RequestTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Sample value | Description
P10RequestFormEntry | | p10input | Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.
P10RequestFormResult | | certResult | Process variable where the certificate file is returned. The exact form of the certificate is controlled via booleanResultWithPEMHeaders.
certTemplate | | ScmCtServerCertificateP10 | Certificate template name.
booleanResultWithPEMHeaders | - | true | Configures whether the certificate stored in the field denoted by P10RequestFormResult is the UTF-8 bytes of a PEM encoded certificate ("-----BEGIN CERTIFICATE----- ...") or the bytes of the plain binary form of the certificate.
Cert: Extract PKCS#10 Attributes From Request

Description

Use this task to extract all subject DN attributes, as well as the SAN attributes from a PKCS#10 request. The parameter value of P10RequestFormEntry has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes will be put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example, PKCS10RequestFormEntryCn for the default value of P10RequestFormEntry and CN attribute or PKCS10RequestFormEntrySANEMAIL for San Email.

Configuration

To use this task, configure the following delegate expression in your service task:

${extractPKCS10AttributesFromRequestTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Sample value | Description
P10RequestFormEntry | | p10input | Process variable containing the content of a CSR file as an array of bytes. The CSR file can be either PEM encoded or binary.
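What this task does with the P10RequestFormEntry bytes, and the PEM-or-binary input that Cert: Execute PKCS10 Request accepts as well, as an added Python example (not PRIME's code). It takes a CSR as PEM or raw DER, walks the ASN.1 structure and returns the subject DN and SAN values under keys <P10RequestFormEntry><ATTRIBUTE>, e.g. p10inputCN and p10inputSANEMAIL, using the sample value p10input from the table. The DER walker and the OID table cover only what a CSR needs, and the sample CSR is constructed in the script with a placeholder public key and signature, so it demonstrates the attribute extraction only, not CSR validity.

```python
"""PKCS#10 attribute extraction (added example, stdlib only).

Minimal DER encode/decode helpers plus a walk over
CertificationRequest -> CertificationRequestInfo -> subject / extensionRequest.
The sample CSR built here has a placeholder key and signature (constructed
data); a real parser should also verify the CSR's self-signature.
"""
import base64
import re

# DER-encoded OID bodies for the subject attributes this example recognises.
OID_NAMES = {
    b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O",
    b"\x55\x04\x0b": "OU", b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST",
}
OID_EXT_REQ = b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x0e"   # 1.2.840.113549.1.9.14
OID_SAN = b"\x55\x1d\x11"                                # 2.5.29.17
SAN_TAGS = {0x81: "SANEMAIL", 0x82: "SANDNS", 0x87: "SANIP"}   # GeneralName tags


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (bodies up to 65535 bytes, enough for a CSR)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def children(body: bytes):
    """Yield (tag, body) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def csr_to_der(data: bytes) -> bytes:
    """Accept a PEM CSR or raw DER; refuse anything that is not a SEQUENCE."""
    if data.lstrip().startswith(b"-----BEGIN"):
        b64 = re.sub(rb"-----[^-]+-----|\s", b"", data)   # strip armour lines
        data = base64.b64decode(b64, validate=True)
    if not data or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE; refusing to parse")
    return data


def extract_attributes(csr: bytes, form_entry: str = "p10input") -> dict:
    """Return {form_entry + attribute: value} for subject DN and SAN entries."""
    _, cert_req, _ = read_tlv(csr_to_der(csr))
    _, cri, _ = read_tlv(cert_req)                 # CertificationRequestInfo
    parts = list(children(cri))                    # version, subject, spki, [0] attributes
    out = {}
    for _, rdn in children(parts[1][1]):           # Name ::= SEQUENCE OF RelativeDistinguishedName
        for _, atv in children(rdn):               # AttributeTypeAndValue
            (_, oid), (_, val) = list(children(atv))
            out[form_entry + OID_NAMES.get(oid, oid.hex().upper())] = val.decode()
    if len(parts) > 3 and parts[3][0] == 0xA0:     # attributes present
        for _, attr in children(parts[3][1]):
            (_, oid), (_, values) = list(children(attr))
            if oid != OID_EXT_REQ:
                continue
            for _, exts in children(values):       # SET { Extensions }
                for _, ext in children(exts):
                    ext_parts = list(children(ext))  # extnID, [critical], extnValue
                    if ext_parts[0][1] != OID_SAN:
                        continue
                    _, san, _ = read_tlv(ext_parts[-1][1])   # OCTET STRING wraps the SEQUENCE
                    for gn_tag, gn in children(san):
                        key = form_entry + SAN_TAGS.get(gn_tag, "SAN%02X" % gn_tag)
                        out[key] = ".".join(map(str, gn)) if gn_tag == 0x87 else gn.decode()
    return out


def build_sample_csr(cn: str, org: str, email: str, dns: str) -> bytes:
    """Constructed CSR skeleton in DER: real structure, placeholder key and signature."""
    def atv(oid_body, text):
        return tlv(0x30, tlv(0x06, oid_body) + tlv(0x0C, text.encode()))
    subject = tlv(0x30, tlv(0x31, atv(b"\x55\x04\x03", cn)) + tlv(0x31, atv(b"\x55\x04\x0a", org)))
    rsa_alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))
    spki = tlv(0x30, rsa_alg + tlv(0x03, b"\x00" * 17))          # placeholder key bits
    san = tlv(0x30, tlv(0x81, email.encode()) + tlv(0x82, dns.encode()))
    ext = tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, san))
    ext_req = tlv(0x30, tlv(0x06, OID_EXT_REQ) + tlv(0x31, tlv(0x30, ext)))
    cri = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0, ext_req))
    sha256_rsa = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    return tlv(0x30, cri + sha256_rsa + tlv(0x03, b"\x00" * 9))  # placeholder signature


def to_pem(der: bytes) -> bytes:
    """Wrap DER in the PEM armour a CSR file would carry."""
    return b"-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    sample = to_pem(build_sample_csr("web01.example.com", "Example Org", "admin@example.com", "web01.example.com"))
    for key, value in extract_attributes(sample).items():
        print(key, "=", value)
```

The walker deliberately raises on anything that is not a DER SEQUENCE rather than guessing at the input, and the values it returns are whatever the requester put in the CSR: treat the extracted CN and SAN entries as untrusted input to your process until the template and approval steps have validated them.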
Cert: Load Key History List

Description

Use this task to fetch the IDs of the latest certificates to be recovered and put them in the process map in a format suitable for key recovery. The user whose certificates will be fetched is the user found in the process map. The certificates that will be fetched are the <count> latest certificates of type <certTemplate> related via ObjectRelations directly to the user or related to the user over a Card.

SKI (Secure Key Injection): the task looks for cards associated with the person and retrieves thumbprint information if the card ICCSN is provided in the process map. The thumbprint is saved to the process map if it is available in the database.

Configuration

To use this task, configure the following delegate expression in your service task:

${prepareDataForCertificateKeyRecoveryTask}

The following parameters can be configured in PRIME Designer: 

Parameter | Mandatory | Default value | Description
certTemplates | | | A comma-separated list of the certificate core template names of the certificates to be recovered.
count | | | Fetch the IDs of the latest <count> certificates.
processVariable | | | The process variable name where the IDs are put. The default value is "Certificate_CoreObjects". This default is taken from action-beans.xml, beans id="keyArchivalRequestPreProcessor" and id="certificateKeyRecovery" (bean[@id="keyArchivalRequestPreProcessor"]/property[@name="coreObjectIDKey"]/@value). Use this default unless there is an urgent requirement to change it.
DataPoolName_Certificate | | | The datapool name of the Certificate core object.
DataPoolName_Person | | | The datapool name of the Person core object.
DataPoolName_Card | | | The datapool name of the Card core object.
ICCSN | | | Fetch ICCSN.

To use this task, select it in PRIME Designer and configure the above parameters. No bean configuration is required. In a later action you must perform the Key Recovery.

Cert: PGP Soft Token

Description

Use this task to archive and/or recover PGP certificates from Nexus Certificate Manager.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePgpSoftTokenAction}

The following parameters can be configured in PRIME Designer: 

Parameter | Mandatory | Default value / Example | Description
requestAndArchive | | true (default value) | If true, new PGP keys will be requested and archived (you cannot request new keys that are not archived).
passwordField | | Person_PasswordRef | Name of the secret field in which the password for encrypting the secret keyrings is provided.
archivalTemplate | if requestAndArchive true | PkiBoPgpCert | Name of the PGP archival certificate template configured in PRIME; must match the config of ${prepareDataForCertificateKeyRecoveryTask}.
archivalCn | if requestAndArchive true | ${Person_FirstName} ${Person_LastName} (one single line) | Expression that defines the CN sent with the PGP key archival request, mandatory part of the PGP user ID created by CM.
archivalSanEmail | if requestAndArchive true | ${Person_Email} | Expression that defines the SAN_EMAIL sent with the PGP key archival request, mandatory part of the PGP user ID created by CM.
archivalSurname | - | ${Person_LastName} | Expression that defines the SURNAME sent with the PGP key archival request, optional part of the PGP user ID created by CM.
archivalGivenName | - | ${Person_FirstName} | Expression that defines the GIVENNAME sent with the PGP key archival request, optional part of the PGP user ID created by CM.
archivalSubjectSerialNumberPrefix | - | ${Person_UPN} | Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look something like "MyResolvedPrefixc97cb0de-4774-454c-8568-82fbcd6ee710".
recover | | true (default value) | If true, existing PGP keys for the user will be recovered.
recoveryTemplate | if recover true | PkiBoPgpRecovery | Name of the PGP recovery certificate template configured in PRIME.
certificatesForRecovery | if recover true | Certificate_CoreObjects | Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover.
mailDefinitionName | if publicKeyringsField and secretKeyringsField missing | PGP Softtoken Mail | Name of the mail definition for the PGP softtoken mail (no mail is sent if this is missing).
mailEncryptionCertificates | - | Certificate_Enc | Process variable containing the core object descriptor list of the certificates used to encrypt the softtoken mail.
publicKeyringsField | if mailDefinitionName missing | PublicPgpKeyRefForDownload | Name of the process variable into which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its reference saved to the process map).
secretKeyringsField | if mailDefinitionName missing | SecretPgpKeyRefForDownload | Name of the process variable into which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its reference saved to the process map).
errorMessageField | | ErrorMessage (default value) | Name of the process variable into which the BpmnError message is saved if one is thrown.
errorTypeField | | ErrorType (default value) | Name of the process variable into which the BpmnError type is saved if one is thrown.
ssnsIssuedNotPropagatedField | | SubjectSerialNumbersIssuedNotPropagated (default value) | Name of the process variable into which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown (you could use this information to unpublish, though this might require additional lookups in CM).
Cert: Request & Recover PKCS#12 Soft Token

Description

Use this task to query a certificate from a certificate authority, put it into a PKCS#12 container and either save it to the secret field store or send it via email. There are two ways to query the database:

  • Recover the certificates found in a process variable.
  • Request a new certificate (using a plain request).

Both methods can be combined or used independently. If no certificate is queried, the task fails.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSoftTokenRequestAndRecovery2}

The following parameters can be configured in PRIME Designer: 

Parameter | Mandatory | Default value | Description
p12PasswordField | True | | Password for the generated PKCS#12 container. There are actions to create one.
recoverCerts | True | | Whether recovery should be executed.
processVariable | required, if recoverCerts = true | | Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover.
recoveryTemplate | - | | Certificate template used for recovery. Not necessary for some CAs.
requestCert | True | | Whether a new certificate should be requested (plain request).
certTemplate | required, if requestCert = true | | Certificate template used for requesting the new certificate.
keyArchival | True | | Whether the created keys are archived in the CA.
mailDefinitionName | - | | If empty, no mail is sent.
encryptionCertificates | - | | The core object descriptor list of the certificates used for email encryption.
p12RefField | - | | Field to store the PKCS#12 container in Base64 encoding.
errorMessageField | | ErrorMessage | Field to store the human readable message in case of error.
errorTypeField | | ErrorType | Field to store the error type (ERROR, CA_ERROR or MAIL_ERROR).
certsToRevokeField | | CertsToRevoke | In case of error, the newly created certificates are stored as a list of core object IDs. These certificates can in turn be revoked by the process if desired.
Cert: Trigger PGP Certificates Publication

Description

Use this task to trigger a republishing or unpublishing action for a specific PGP certificate on Nexus Certificate Manager (CM), based on the configured publication procedure.

PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2 applied, CM 7.18.1 with hotfix 7.18.1.1 applied or any later version. Officially supported in PRIME 3.10.

Configuration

To use this task, configure the following delegate expression in your service task:

${pgpCertificatesPublicationTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
publicationProcedure | | CertEP CA Certificate to AD (Enrollment Services) | Publication or unpublication procedure defined on CM.
serialnumberField | | Certificate_CertSerial | Name of the field containing the serial number in the datamap. This is the subject serial number which PRIME assigns when requesting a PGP certificate. It is stored in place of an X.509 certificate serial number in the PRIME certificate object.
DataPoolName_Certificate | | Certificate | Datapool name of the certificate.