Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients



Cert: Certificate Publication via CM

Description

Use this task to trigger a republishing or unpublishing action for a specific certificate on the Nexus CM based on the configured publication procedure.

Configuration

To use this task, configure the following delegate expression in your service task:

${certificatesPublicationTask}

The following parameters can be configured in PRIME Designer:

| Parameter | Mandatory | Sample Value | Description |
| --- | --- | --- | --- |
| publicationProcedure | | CertEP CA Certificate to AD (Enrollment Services) | Publication procedure defined on the CM. |
| serialnumberField | | Certificate_CertSerial | Name of the field containing the serial number in the datamap. |
| DataPoolName_Certificate | | Certificate | Datapool name of the certificate. |
| serialNumberIsDecimal | - | true | Indicates that the serial number is already in decimal format. If this field is set to "false" or left out, the serial number is interpreted as hex. |

Cert: Create ACME pre-registration order

Description

Use this task to create an ACME pre-registration order in Nexus Certificate Manager. You need to use Smart ID Certificate Manager 8.1 or later.

If you apply the CMSDK 7.18.1 downgrade package for PRIME 3.12, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${acmePreRegistrationTask}


The following parameters can be configured in PRIME Designer: 

| Parameter | Mandatory | Value | Description |
| --- | --- | --- | --- |
| hmackey | | | The shared secret used to secure the further communication. |
| keyid | | | Identifies the account. |
| alloweddomains | - | | A comma-separated list of domains that the account is allowed to order certificates for. |
| certificateTemplate | | | Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Create ACME account with pre-registration. |

Cert: Create SCEP order request

Description 

Use this task to register or de-register Simple Certificate Enrolment Protocol (SCEP) order requests to Nexus Certificate Manager (CM).

The task is executed on server identities and uses some of their details to create the order request. It sends the common name and password for the specified token procedure to CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) SCEP enrolment requests from the specified clients.

Configuration

To use this task, configure the following delegate expression in your service task:

${scepOrderRequestTask}

The following parameters can be configured in PRIME Designer:

| Parameter | Mandatory | Default value | Description |
| --- | --- | --- | --- |
| certTemplate | | | Certificate template name which holds the token procedure and CM information. |
| commonName | | | Defines the machine, by its Fully Qualified Domain Name (FQDN), for which the auto-enrolment is processed. It is not possible to have multiple FQDNs in one registration; those would have to be separate registrations. The FQDN does support wildcards, so you could specify something like "test-*.example.com". |
| enrollReg | | true | Registration enrolment flag (true/false). |
| password | | | Used to verify the SCEP enrolment requests sent by clients later, so it must be the same password the clients use in their SCEP enrolment request. |
| cpmState | | | Decides whether this is a registration or a de-registration order request at CM. Set to 1000 to trigger a registration, 1001 to trigger a de-registration. |
| validity | | | Validity of the order request, either "always" or a number of days. CM defaults to "always" if not set. |
| emailAddress | | | Email address of the responsible person. |
| ipAddress | | | IP address of the server or machine. |
| serialNumber | | | Serial number of the device, if available. It is not mandatory, so it can be blank. |

Cert: Execute PKCS10 Request

Description

Use this task to send a PKCS#10 request to the configured CA. Based on the certificate template name, PRIME approaches a CA to request a new X.509 certificate. The certificate is stored in the PRIME database and added to the process map. Certificate templates provide a set of attributes that allow fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePKCS10RequestTask}

The following parameters can be configured in PRIME Designer:

| Parameter | Mandatory | Sample Value | Description |
| --- | --- | --- | --- |
| P10RequestFormEntry | | p10input | Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file. |
| P10RequestFormResult | | certResult | Process variable where the certificate should be returned. The exact form of the certificate is controlled via booleanResultWithPEMHeaders. |
| certTemplate | | ScmCtServerCertificateP10 | Certificate template name. |
| booleanResultWithPEMHeaders | - | true | Configures whether the certificate stored in the field denoted by P10RequestFormResult is the UTF-8 bytes of a PEM encoded certificate ("-----BEGIN CERTIFICATE----- ...") or the bytes of the plain binary form of the certificate. |

Cert: Extract Certificate Attributes

Description

Use this task to extract attributes from a certificate. 

Configuration

To use this task, configure the following delegate expression in your service task:

${extractCertAttributesTask}

The following parameters can be configured in PRIME Designer:

| Parameter | Mandatory | Example Value | Description |
| --- | --- | --- | --- |
| X509Field | | Certificate_Data | The name of the field containing the certificate as binary data. It must be contained in the process map. |
| RSAPublicExponent | - | Cert_publicExponent | Field to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates. |
| keySize | - | Cert_keySize | Field to store the key size of the certificate's public key as Integer. |
| keyType* | - | Cert_keyType | Field to store the key type description. For EC keys this also includes the curve name. Note: the format is subject to change. |
| keyUsage* | - | Cert_keyUsage | Field to store the key usages. |
| extKeyUsage* | - | Cert_extKeyUsage | Field to store the extended key usages. |
| hashAlgorithm* | - | Cert_hashAlgorithm | Field to store the hash algorithm name. |
| validFrom | - | Cert_validFrom | Field to store the start date of the validity period as Date. |
| validTo | - | Cert_validTo | Field to store the end date of the validity period as Date. |
| subjectDN | - | Cert_subjectDN | Field to store the subject distinguished name. |
| issuerDN | - | Cert_issuerDN | Field to store the issuer distinguished name. |
| certSerialNumber | - | Cert_serialNumber | Field to store the serial number. |
| cdpUrls* | - | Cert_cdpUrls | Field to store a concatenated, comma-space-separated string of all CRL distribution point URLs. |
| ocspUrls* | - | Cert_ocspUrls | Field to store a concatenated, comma-space-separated string of all OCSP responder URLs. |
| SAN_EMAIL | - | Cert_sanEmail | Field to store the SAN email addresses. |
| SAN_UPN | - | Cert_sanUpn | Field to store the SAN user principal names. |
| SAN_DNS | - | Cert_sanDns | Field to store the SAN DNS names. |
| SAN_IP | - | Cert_sanIp | Field to store the SAN IP addresses. |
| SAN_URI | - | Cert_sanUri | Field to store the SAN uniform resource identifiers. |
| SAN_GUID | - | Cert_sanGuid | Field to store the SAN globally unique identifiers. |
| SAN_RID | - | Cert_sanRid | Field to store the SAN registered IDs. |

In case of error

The following parameters are set in case of error:

| Parameter | Mandatory | Value | Description |
| --- | --- | --- | --- |
| ExtractionResult* | - | Valid values: success (default), error | The value defaults to "success". It is set to "error" if one of the following errors occurs: the field containing the certificate is empty, or one of the attributes exceeds 2000 characters (a limitation of Activiti). |
| ExtractionResultErrorMsg* | - | Valid values: "Certificate data is empty", "The attribute 'xy' exceeded 2000 characters." | If one of the errors listed under ExtractionResult occurs, this variable is set to "Certificate data is empty" or to "The attribute 'xy' exceeded 2000 characters." |

* These parameters require PRIME 3.12.4 or later.

Cert: Extract PKCS#10 Attributes From Request

Description

Use this task to extract all subject DN attributes, as well as the SAN attributes from a PKCS#10 request. The parameter value of P10RequestFormEntry has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes will be put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example, PKCS10RequestFormEntryCn for the default value of P10RequestFormEntry and CN attribute or PKCS10RequestFormEntrySANEMAIL for San Email.

Configuration

To use this task, configure the following delegate expression in your service task:

${extractPKCS10AttributesFromRequestTask}

The following parameters can be configured in PRIME Designer

| Parameter | Mandatory | Value | Description |
| --- | --- | --- | --- |
| P10RequestFormEntry | | Example value: p10input | Process variable containing the content of a CSR file as an array of bytes. The CSR file may be either PEM encoded or binary. |

Extracted attributes

| Subject DN attribute | Prefix | Result |
| --- | --- | --- |
| Email = E | PKCS10RequestFormEntry | PKCS10RequestFormEntryE |
| Common Name = CN | PKCS10RequestFormEntry | PKCS10RequestFormEntryCN |
| Country = C | PKCS10RequestFormEntry | PKCS10RequestFormEntryC |
| Organisation = O | PKCS10RequestFormEntry | PKCS10RequestFormEntryO |
| Title = T | PKCS10RequestFormEntry | PKCS10RequestFormEntryT |
| Surname = SURNAME | PKCS10RequestFormEntry | PKCS10RequestFormEntrySURNAME |
| State = ST | PKCS10RequestFormEntry | PKCS10RequestFormEntryST |
| Given Name = GIVENNAME | PKCS10RequestFormEntry | PKCS10RequestFormEntryGIVENNAME |
| Organisation Unit = OU | PKCS10RequestFormEntry | PKCS10RequestFormEntryOU |
| Serial Number = SN | PKCS10RequestFormEntry | PKCS10RequestFormEntrySN |
| Unique Identifier = UID | PKCS10RequestFormEntry | PKCS10RequestFormEntryUID |
| Street = STREET | PKCS10RequestFormEntry | PKCS10RequestFormEntrySTREET |

SAN attributes

| SAN attribute | Prefix | Result |
| --- | --- | --- |
| SAN EMAIL = SANEMAIL | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANEMAIL |
| SAN GUID = SANGUID | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANGUID |
| SAN DNS = SANDNS | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANDNS |
| SAN UPN = SANUPN | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANUPN |
| SAN IP = SANIP | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANIP |
| SAN RID = SANRID | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANRID |

Other attributes

| Other attribute | Prefix | Result |
| --- | --- | --- |
| Key size | PKCS10RequestFormEntry | PKCS10RequestFormEntryKeySize |
| Algorithm (+ curve)* | PKCS10RequestFormEntry | PKCS10RequestFormEntryKeyType |
| HashAlgorithm | PKCS10RequestFormEntry | PKCS10RequestFormEntryHashAlgorithm |
| Signature is valid (as boolean) | PKCS10RequestFormEntry | PKCS10RequestFormEntrySignatureValid |

*Extracting the curve name currently does not work if multiple PRIME apps like Designer and Explorer run on the same Tomcat instance due to a classloader issue with JCE providers. In that case only the algorithm name is shown ("ECDSA") without the curve appended.
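The extraction described above, as an added example that is not PRIME's own code: it reads a PEM or binary CSR with the `cryptography` library and fills the <P10RequestFormEntry><ATTR> keys for the subject DN, the SANs, key size, key type, hash algorithm and signature validity. The value formats (the "ECDSA (curve)" string, joining several SANs of one type with ", ") and the omission of the UPN/GUID OtherNames are my assumptions, not PRIME's documented output.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

# Subject DN attribute -> key suffix, as in the "Extracted attributes" table above.
DN_SUFFIX = {
    NameOID.EMAIL_ADDRESS: "E", NameOID.COMMON_NAME: "CN", NameOID.COUNTRY_NAME: "C",
    NameOID.ORGANIZATION_NAME: "O", NameOID.TITLE: "T", NameOID.SURNAME: "SURNAME",
    NameOID.STATE_OR_PROVINCE_NAME: "ST", NameOID.GIVEN_NAME: "GIVENNAME",
    NameOID.ORGANIZATIONAL_UNIT_NAME: "OU", NameOID.SERIAL_NUMBER: "SN",
    NameOID.USER_ID: "UID", NameOID.STREET_ADDRESS: "STREET",
}
# SAN general-name type -> key suffix. UPN and GUID are Microsoft OtherName
# entries and are left out here to keep the example short (assumption).
SAN_SUFFIX = [
    (x509.RFC822Name, "SANEMAIL"), (x509.DNSName, "SANDNS"),
    (x509.IPAddress, "SANIP"), (x509.RegisteredID, "SANRID"),
]


def load_csr(data: bytes) -> x509.CertificateSigningRequest:
    """Accept either a PEM encoded or a binary (DER) CSR, as the task does."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_csr(data)
    return x509.load_der_x509_csr(data)


def extract_pkcs10_attributes(data: bytes, prefix: str = "PKCS10RequestFormEntry") -> dict:
    csr = load_csr(data)
    out = {}
    for attr in csr.subject:
        suffix = DN_SUFFIX.get(attr.oid)
        if suffix:
            out[prefix + suffix] = attr.value
    san = None
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        pass
    for gn_type, suffix in (SAN_SUFFIX if san is not None else []):
        values = san.get_values_for_type(gn_type)
        if values:
            # Several SANs of one type are joined with ", " (assumed format);
            # RegisteredIDs are ObjectIdentifiers, IPs are ipaddress objects.
            out[prefix + suffix] = ", ".join(
                v.dotted_string if isinstance(v, x509.ObjectIdentifier) else str(v)
                for v in values)
    pub = csr.public_key()
    out[prefix + "KeySize"] = pub.key_size
    if isinstance(pub, ec.EllipticCurvePublicKey):
        out[prefix + "KeyType"] = f"ECDSA ({pub.curve.name})"  # assumed format
    elif isinstance(pub, rsa.RSAPublicKey):
        out[prefix + "KeyType"] = "RSA"
    out[prefix + "HashAlgorithm"] = csr.signature_hash_algorithm.name
    out[prefix + "SignatureValid"] = csr.is_signature_valid
    return out


def make_sample_csr(der: bool = False) -> bytes:
    """Constructed sample input: a fresh EC key and CSR, not real data."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([
               x509.NameAttribute(NameOID.COMMON_NAME, "test-01.example.com"),
               x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
               x509.NameAttribute(NameOID.COUNTRY_NAME, "SE")]))
           .add_extension(x509.SubjectAlternativeName([x509.DNSName("test-01.example.com"),
                                                      x509.RFC822Name("ops@example.com")]),
                          critical=False)
           .sign(key, hashes.SHA256()))
    return csr.public_bytes(serialization.Encoding.DER if der else serialization.Encoding.PEM)
```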

Cert: Load Key History List

Description

Use this task to fetch the IDs of the latest certificates to be recovered and put them in the process map in a format suitable for key recovery. The user whose certificates are fetched is the user found in the process map. The certificates fetched are the <count> latest certificates of type <certTemplate> related via ObjectRelations either directly to the user or to the user over a Card.

SKI (Secure Key Injection): It will look for associated cards of the person and retrieve thumbprint information if the card ICCSN is provided in the process map. This thumbprint will be saved into the process map if it is available in the database.

Configuration

To use this task, configure the following delegate expression in your service task:

${prepareDataForCertificateKeyRecoveryTask}

The following parameters can be configured in PRIME Designer: 

| Parameter | Mandatory | Example value | Description |
| --- | --- | --- | --- |
| certTemplates | | | A comma-separated list of the certificate core template names of the certificates to be recovered. |
| count | | | Fetch the IDs of the latest <count> certificates. |
| processVariable | | | The process variable name in which to put the IDs. The default value is "Certificate_CoreObjects". This default is taken from action-beans.xml, bean id="keyArchivalRequestPreProcessor" and bean id="certificateKeyRecovery": bean/[@id="keyArchivalRequestPreProcessor"]/property/[@name="coreObjectIDKey"]/@value. Use this default unless there is an urgent requirement to change it. |
| DataPoolName_Certificate | | | The datapool name of the Certificate core object. |
| DataPoolName_Person | | | The datapool name of the Person core object. |
| DataPoolName_Card | | | The datapool name of the Card core object. |
| ObjectRelationType | | Default, Deputy | A comma-separated list of relation types between Persons, Cards and Certificates (e.g. Default, Deputy). When this value is provided, the task loads only the person's certificates with matching relations into the process variable; otherwise it loads certificates with all available relation types. This is a general whitelist that does not distinguish between the objects involved in a relation (Person<>Card, Person<>Certificate, Card<>Certificate, etc.), so construct the relations carefully to avoid accidental recovery of unwanted certificates. |

Example

Let's assume that no direct Person<>Certificate relations exist (because no soft tokens and only cards were produced) and all Person<>Card relations use the type "Default". Then "Default" has to be part of the list. Otherwise no card could be found, and thus also no certificates of the card.

Let's also assume that some Card<>Certificate relations also use the type "Default", but you only want to recover those with type "User".

Then you will have a problem, because ObjectRelationType=Default, User will recover both types, and ObjectRelationType=User will recover nothing, as the parent relation between Person<>Card does not match.

To avoid this, make sure that all Card<>Certificate relations use a dedicated type. Soft token certificates related directly to a person will always use the default type, so they should not use the same certificate template as the ones on a card, if you do not want to include them.

To use this task, select it in PRIME Designer and configure the above parameters. No bean configuration is required. In a later action you must perform the Key Recovery.
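The relation-walking described in the Example above, as an added model that is not PRIME's own code: the same type whitelist is applied to the Person<>Card hop and to the Card<>Certificate hop, so "Default, User" recovers both relation types while "User" alone never reaches the card. The object names, relation types and certificate templates are constructed sample data, and the "walk person, then cards, then certificates" algorithm is my reading of the description, not PRIME's implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Relation:
    source: str    # e.g. "person:alice"
    target: str    # e.g. "card:1001" or "cert:3"
    rel_type: str  # e.g. "Default", "Deputy", "User"


@dataclass
class CertInfo:
    template: str  # certificate core template name
    issued: int    # increasing issue counter, used to pick the latest certificates


def select_certificates(person, relations, certs, cert_templates, count, relation_types=None):
    """Return the <count> latest certificate IDs of the wanted templates that are
    related to the person directly or via a card. Only relations whose type is on
    the whitelist are followed; an empty whitelist follows every relation type."""
    allowed = {t.strip() for t in relation_types.split(",")} if relation_types else None
    wanted = {t.strip() for t in cert_templates.split(",")}

    def follow(rel):
        return allowed is None or rel.rel_type in allowed

    found = set()
    for rel in relations:
        if rel.source != person or not follow(rel):
            continue
        if rel.target.startswith("cert:"):          # Person<>Certificate (soft token)
            found.add(rel.target)
        elif rel.target.startswith("card:"):        # Person<>Card, then Card<>Certificate
            for sub in relations:
                if sub.source == rel.target and sub.target.startswith("cert:") and follow(sub):
                    found.add(sub.target)
    matching = [c for c in found if certs[c].template in wanted]
    matching.sort(key=lambda c: certs[c].issued, reverse=True)
    return matching[:count]


# Constructed sample data for the scenario in the Example: the only Person<>Card
# relation uses "Default"; Card<>Certificate relations use "Default" and "User".
SAMPLE_CERTS = {
    "cert:1": CertInfo("SmartCardAuth", 1),
    "cert:2": CertInfo("SmartCardEnc", 2),
    "cert:3": CertInfo("SmartCardEnc", 3),
}
SAMPLE_RELATIONS = [
    Relation("person:alice", "card:1001", "Default"),
    Relation("card:1001", "cert:1", "Default"),
    Relation("card:1001", "cert:2", "User"),
    Relation("card:1001", "cert:3", "User"),
]
# The fix suggested above: give every Card<>Certificate relation a dedicated type.
FIXED_RELATIONS = [
    Relation("person:alice", "card:1001", "Default"),
    Relation("card:1001", "cert:1", "Auth"),
    Relation("card:1001", "cert:2", "User"),
    Relation("card:1001", "cert:3", "User"),
]
```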

Cert: PGP Soft Token

Description

Use this task to archive and/or recover PGP certificates from Nexus Certificate Manager.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePgpSoftTokenAction}

The following parameters can be configured in PRIME Designer: 

| Parameter | Mandatory | Default value / Example | Description |
| --- | --- | --- | --- |
| requestAndArchive | | true (default value) | If true, new PGP keys are requested and archived (you cannot request new keys that are not archived). |
| passwordField | | Person_PasswordRef | Name of the secret field in which the password for encrypting the secret keyrings is provided. |
| archivalTemplate | if requestAndArchive true | PkiBoPgpCert | Name of the PGP archival certificate template configured in PRIME; must match the config of ${prepareDataForCertificateKeyRecoveryTask}. |
| archivalCn | if requestAndArchive true | ${Person_FirstName} ${Person_LastName} (one single line) | Expression that defines the CN sent with the PGP key archival request; mandatory part of the PGP user ID created by CM. |
| archivalSanEmail | if requestAndArchive true | ${Person_Email} | Expression that defines the SAN_EMAIL sent with the PGP key archival request; mandatory part of the PGP user ID created by CM. |
| archivalSurname | - | ${Person_LastName} | Expression that defines the SURNAME sent with the PGP key archival request; optional part of the PGP user ID created by CM. |
| archivalGivenName | - | ${Person_FirstName} | Expression that defines the GIVENNAME sent with the PGP key archival request; optional part of the PGP user ID created by CM. |
| archivalSubjectSerialNumberPrefix | - | ${Person_UPN} | Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look like "MyResolvedPrefixc97cb0de-4774-454c-8568-82fbcd6ee710". |
| recover | | true (default value) | If true, existing PGP keys for the user are recovered. |
| recoveryTemplate | if recover true | PkiBoPgpRecovery | Name of the PGP recovery certificate template configured in PRIME. |
| certificatesForRecovery | if recover true | Certificate_CoreObjects | Process var containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. |
| mailDefinitionName | if publicKeyringsField and secretKeyringsField missing | PGP Softtoken Mail | Name of the mail definition for the PGP soft token mail (no mail is sent if this is missing). |
| mailEncryptionCertificates | - | Certificate_Enc | Process var containing the core object descriptor list of the certificates used to encrypt the soft token mail. |
| publicKeyringsField | if mailDefinitionName missing | PublicPgpKeyRefForDownload | Name of the process var in which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its ref saved to the process map). |
| secretKeyringsField | if mailDefinitionName missing | SecretPgpKeyRefForDownload | Name of the process var in which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its ref saved to the process map). |
| errorMessageField | | ErrorMessage (default value) | Name of the process var in which the BpmnError message is saved if one is thrown. |
| errorTypeField | | ErrorType (default value) | Name of the process var in which the BpmnError type is saved if one is thrown. |
| ssnsIssuedNotPropagatedField | | SubjectSerialNumbersIssuedNotPropagated (default value) | Name of the process var in which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown (you could use this information to unpublish; this might require additional lookups in CM, though). |

Cert: Request & Recover PKCS#12 Soft Token

Description

Use this task to query a certificate from a certificate authority, put it into a PKCS#12 container and either save it to the secret field store or send it via email. There are two ways to query the database:

  • Recover the certificates found in process variable.
  • Request a new certificate (using a plain request).

Both methods can be combined or used independently. If no certificate is queried the task will fail.

Due to [https://bugs.openjdk.java.net/browse/JDK-8214513], the generated PKCS#12 keystores cannot be opened with Java < 11.0.3 unless BouncyCastle (BC) is used as the KeyStore provider.

  • Windows can open the generated P12.
  • Java with BouncyCastle can open the generated P12.
  • Java >= 11.0.3 without BC can open the generated keystores; however, the encoding parameters selected in the soft token task must be supported by the SUN KeyStore provider. The defaults are not supported. You must use, for example:
    • Encryption algorithm: PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)
    • PRF: HMac with SHA-1 (OID: 1.2.840.113549.2.7)
    • Hashing algorithm: SHA-1 (OID: 1.3.14.3.2.26)
  • Nexus Personal Desktop Client can import the generated P12; however, versions up to at least 5.2.3 require the weaker algorithms shown above for Java without BC.
  • Nexus Personal Desktop App can import the generated P12; however, versions up to at least 1.3.6 require the weaker algorithms shown above for Java without BC.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSoftTokenRequestAndRecovery2}

The following parameters can be configured in PRIME Designer: 

| Parameter | Mandatory | Value | Description |
| --- | --- | --- | --- |
| p12PasswordField | | Valid values: true (default), false | Password for the generated PKCS#12 container. There are actions to create one. |
| recoverCerts | | Valid values: true (default), false | Whether recovery should be executed. |
| processVariable | If recoverCerts = true | Example value: Certificate_CoreObjects | Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. |
| recoveryTemplate | - | Example value: Recovery | Certificate template used for recovery. Not necessary for some CAs. |
| requestCert | | Valid values: true (default), false | Whether a new certificate should be requested (plain request). |
| certTemplate | If requestCert = true | Example value: MyCertTemplate | Certificate template used for requesting the new certificate. |
| keyArchival | | Valid values: true (default), false | Whether the created keys are archived in the CA. |
| mailDefinitionName | - | Example value: MyMailDefinition | If empty, no mail is sent. |
| encryptionCertificates | - | | The core object descriptor list of the certificates used for email encryption. |
| p12RefField | - | Example value: Person_Softtoken | Field to store the PKCS#12 container in Base64 encoding. |
| errorMessageField | | Example value: ErrorMessage | Field to store the human readable message in case of error. |
| errorTypeField | | Example value: ErrorType | Field to store the error type (ERROR, CA_ERROR or MAIL_ERROR). |
| certsToRevokeField | | Example value: CertsToRevoke | In case of error, the newly created certificates are stored as a list of core object IDs. These certificates can in turn be revoked by the process if desired. |
| p12EncryptionAlgo | - | Default value: AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42) | The encryption algorithm to use for the PKCS#12 keystore. |
| p12EncryptionIterations | - | Default value: 100000 | The encryption iterations. |
| p12PseudoRandomFunction | - | Default value: HMac with SHA-256 (OID: 1.2.840.113549.2.9) | The PRF to use for the PKCS#12 keystore. |
| p12HashAlgo | - | Default value: SHA-256 (OID: 2.16.840.1.101.3.4.2.1) | The hashing (MAC) algorithm to use for the PKCS#12 keystore. |
| p12HashIterations | - | Default value: 100000 | The hashing (MAC) iterations. |

Cert: Trigger PGP Certificates Publication

Description

Use this task to trigger a republishing or unpublishing action for a specific PGP certificate on Nexus Certificate Manager (CM), based on the configured publication procedure.

PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2 applied, CM 7.18.1 with hotfix 7.18.1.1 applied or any later version. Officially supported in PRIME 3.10.

Configuration

To use this task, configure the following delegate expression in your service task:

${pgpCertificatesPublicationTask}

The following parameters can be configured in PRIME Designer:

| Parameter | Mandatory | Default value | Description |
| --- | --- | --- | --- |
| publicationProcedure | | CertEP CA Certificate to AD (Enrollment Services) | Publication or unpublication procedure defined on CM. |
| serialnumberField | | Certificate_CertSerial | Name of the field containing the serial number in the datamap. This is the subject serial number which PRIME assigns when requesting a PGP certificate. It is stored in place of an X.509 certificate serial number in the PRIME certificate object. |
| DataPoolName_Certificate | | Certificate | Datapool name of the certificate. |