Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.


This article includes updates for Smart ID 23.04.4.

Expand/Collapse All

Description 

Use this task to trigger a republishing or unpublishing action for a specific certificate on the Smart ID Certificate Manager (CM) based on the configured publication procedure.

Configuration

To use this task, configure the following delegate expression in your service task:

${certificatesPublicationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
publicationProcedure

Example value:

  • CertEP CA Certificate to AD (Enrollment Services)
Publication procedure defined on Smart ID Certificate Manager (CM).
serialnumberField

Certificate_CertSerialName of the field containing the serial number in the datamap.
DataPoolName_Certificate

CertificateDatapool name of certificate.
serialNumberIsDecimal-

Valid values:

  • true (default)
  • false

Indicates that the serial number is in decimal format already.

If this field is set to "false" or left out, the serial number will be interpreted as hex format.

Description

Use this task to create an ACME pre-registration order in Smart ID Certificate Manager (CM). You need to use Smart ID Certificate Manager 8.1 or later.

If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${acmePreRegistrationTask}


The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
hmackey


The shared secret to secure the further communication
keyid


Identifies the account
alloweddomains

-


A comma-separated list of domains, that the account is allowed to order certificates for.

certificateTemplate


Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Example: ACME configuration in Protocol Gateway.

Description 

Use this task to register or de-register CMP order requests in Smart ID Certificate Manager (CM).

The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) CMP enrollment request from specified clients. This service task parameters can be extended for other certificate attributes, which are listed below.

If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${cmpOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
certTemplate

Example:
  • MyCmpRegTemplate
Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.
commonName

Example value:

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com"

password

-


Optional password used to verify CMP enrollment requests sent by clients later. So it will be the same password which will be used by clients in CMP enrollment request.

state

Valid values:

  • Open (default)
  • Closed

This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM).

It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default.

validity-

Valid values:

  • always (default if not set)
  • number of days
Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.

Info

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country
  • commonname
  • emailaddress
  • dmd
  • givenname
  • initials
  • keyprocedureid
  • locality
  • organisation
  • organizationidentifier
  • pseudonym
  • title
  • uniqueidentifier
  • surname
  • telephonenumber
  • street
  • stateorprovince
  • postalcode
  • encoding
  • othernameoid
  • othernameencoding
  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit
  • postaladdress
  • sanemailaddress
  • ipaddress
  • dns
  • directory
  • uri
  • registeredid

Description 

Use this task to register or de-register Enrollment over Secure Transport (EST) order requests to Smart ID Certificate Manager (CM).

The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) EST enrollment request from specified clients. This service task parameters can be extended for other  certificate attributes which is listed below.

If you apply the CMSDK 7.18.1 downgrade package, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${estOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
certTemplate

Example value:

  • ScmCtServerCertificateP10
Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.
commonName

Example value:

Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com"

userName

-


User name which is allowed to make EST request.
password


Password is used to verify EST enrollment requests sent by clients later. So it will be the same password which will be used by clients in EST enrollment request.

state

Valid values:

  • Open (default)
  • Closed

This value decides whether this is a registration ("Open") or a de-registration ("Closed") order request at Smart ID Certificate Manager (CM).

It is a drop down value list with "Open" and "Closed" options, "Open" is selected by default.

validity-

Valid values:

  • always (default if not set)
  • number of days
Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.
realm-

Example value:

  • est-realm
realm details

Info

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country
  • commonname
  • emailaddress
  • dmd
  • givenname
  • initials
  • keyprocedureid
  • locality
  • organisation
  • organizationidentifier
  • pseudonym
  • title
  • uniqueidentifier
  • surname
  • telephonenumber
  • street
  • stateorprovince
  • postalcode
  • encoding
  • othernameoid
  • othernameencoding
  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit
  • postaladdress
  • sanemailaddress
  • ipaddress
  • dns
  • directory
  • uri
  • registeredid

Description 

Use this task to register or de-register Simple Certificate Enrollment Protocol (SCEP) order requests to Smart ID Certificate Manager (CM). 

The task will be executed on server identities and use some details of the server identities for creating order request. The task sends common name and password details for specified token procedure into CM, so that CM will later accept (in case of registration) or reject (in case of de-registration)  SCEP enrolment request from specified clients. This service task parameters can be extended for other  certificate attributes which is listed below.

Configuration

To use this task, configure the following delegate expression in your service task:

${scepOrderRequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
certTemplate


Certificate template name which has token procedure and Smart ID Certificate Manager (CM) information.
commonName


Common name parameter identifies the machine by its Fully Qualified Domain Name (FQDN) for which the auto-enrollment will be processed.

It is not possible to have multiple FQDNs in one registration, that would have to be separate registrations. However, the FQDN does support wildcards, so you could specify the FQDN with something like "test-*.example.com"

enrollReg

Valid values:

  • true
  • false
Registration enrolment flag (true/false).
password


Password is used to verify SCEP enrolment requests sent by clients later. So it will be the same password which will be used by clients in SCEP enrolment request.

cpmState

Valid values:

  • 1000
  • 1001

This value decides whether this is a registration or a de-registration order request at Smart ID Certificate Manager (CM).

Set to 1000 to trigger a registration, 1001 to trigger a de-registration

validity

Valid values:

  • always (default)
  • <number of days>
Validity value of the request order, either "always" or the number of days. Smart ID Certificate Manager (CM) defaults to 'always' if not set.
emailAddress

Email address of the responsible person.
ipAddress

IP address of the server of machine.
serialNumber

Serial number of the device if available. It is not mandatory so it can be blank.

Info

Task parameters can be dynamically extended for other certificate attributes in following naming convention. Attribute names are not case sensitive however its expected to have exact name as shown below.

  • country
  • commonname
  • emailaddress
  • dmd
  • givenname
  • initials
  • keyprocedureid
  • locality
  • organisation
  • organizationidentifier
  • pseudonym
  • title
  • uniqueidentifier
  • surname
  • telephonenumber
  • street
  • stateorprovince
  • postalcode
  • encoding
  • othernameoid
  • othernameencoding
  • othernamevalue

Following attributes can be provided as single value or multiple values as comma separated values.

  • organisationunit
  • postaladdress
  • sanemailaddress
  • ipaddress
  • dns
  • directory
  • uri
  • registeredid

Description

Use this task to send a PKCS#10 to the configured CA. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePKCS10RequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
P10RequestFormEntry

Example value:

  • p10input
Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.
P10RequestFormResult

Example value:

  • certResult
Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.
P7ResponseField-

Example value:

  • certChain
Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.
certTemplate

Example value:

  • ScmCtServerCertificateP10
Certificate template name.
booleanResultWithPEMHeaders-

Example value:

  • true
Configures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.

There are three types of BPMN error thrown when we have issue while requesting certificate from CA.

  • Error Code = CaConnectionFailed 
            - This BPMN Error code appears when we have any connection issue with CA.
  • Error Code = CaRequestFailed
           - This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.
  • Error Code = CommonError
           - This BPMN Error code appears when there is a problem with crafting the p10 request.

In versions 3.12.5 and 20.06.0 this task was named Cert: Execute Plain Request with delegate expression ${executePlainRequestTask} .

Processes referencing the old expression have to be adjusted when updating to a newer version like 3.12.8 / 20.06.1 / 3.13.0.

Description

Note

This task works with Smart ID Certificate Manager (CM) only. Other certificate authorities are not compatible.

Use this task to send a certificate request based on extracted PKCS#10 data (via Cert: Extract PKCS#10 Attributes From Request) combined with certificate template data. Mapped Certificate data-pool field values in the certificate template can be populated with extracted PKCS#10 data or set to custom values. Based on the configured certificate template a new X.509 certificate will be requested from the CA. The issued certificate will be stored in the Identity Manager database and will be added to the process map. Certificate templates provide a set of attributes, which allows fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeModifiedPKCS10RequestTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
P10RequestFormEntry

Example value:

  • p10input
Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.
P10RequestFormResult

Example value:

  • certResult
Process variable where the certificate file should be returned. The exact form of the certificate can be controlled via booleanResultWithPEMHeaders.
certTemplate

Example value:

  • ScmCtServerCertificateP10
Certificate template name.
booleanResultWithPEMHeaders-

Example value:

  • true
Configures whether the resulting certificate should be the utf-8  bytes of a PEM encoded certificate like 
"-----BEGIN CERTIFICATE----- ..." or the bytes of the plain binary from of the certificate is stored in the field denoted in P10RequestFormResult.
P7ResponseField        -

Example value:

  • certChain
Process variable where the certificate chain should be returned. The certificate chain will be formatted as a PKCS#7 container.

There are three types of BPMN error thrown when we have issue while requesting certificate from CA.

  • Error Code = CaConnectionFailed 
            - This BPMN Error code appears when we have any connection issue with CA.
  • Error Code = CaRequestFailed
           - This BPMN Error code appears when we have other CA related issue e.g. key size , same key usage etc.
  • Error Code = CommonError
           - This BPMN Error code appears when there is a problem with crafting the p10 request.

Description

Use this task to extract attributes from a certificate. 

Configuration

To use this task, configure the following delegate expression in your service task:

${extractCertAttributesTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryExample ValueDescription
X509Field

Certificate_DataThe name of the field containing the certificate as binary data. It must be contained in the process map.
RSAPublicExponent-CERTpublicExponentField to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates.
keySize-CERTkeySizeField to store the key size of the certificate's public key as Integer.
keyType*-CERTkeyTypeField to store the keyType description. For EC keys this also includes the curve name. Note: the format is subject to change!
keyUsage*-CERTkeyUsageField to store the key usages.
extKeyUsage*-CERTextKeyUsageField to store the extended key usages.
hashAlgorithm*-CERThashAlgorithmField to store the hash algorithm name.
validFrom-CERTvalidFromField to store the start date of the validity period as Date.
validTo-CERTvalidToField to store the end date of the validity period as Date.
subjectDN-CERTsubjectDNField to store the subject distinguished name.
issuerDN-CERTissuerDNField to store the issuer distinguished name.
certSerialNumber-CERTserialNumberField to store the serial number.
cdpUrls*-CERTcdpUrlsField to store a concatenated string of all CRL distribution point URLs in. They are comma-space-separated.
ocspUrls*-CERTocspUrlsField to store a concatenated string of all OCSP responder URLs in. They are comma-space-separated.
SAN_EMAIL-CERTsanEmailField to store the SAN email addresses.
SAN_UPN-CERTsanUpnField to store the SAN user principal names.
SAN_DNS-CERTsanDnsField to store the SAN dns names.
SAN_IP-CERTsanIpField to store the SAN ip addresses.
SAN_URI-CERTsanUriField to store the SAN uniform resource identifiers.
SAN_GUID-CERTsanGuidField to store the SAN globally unique identifiers.
SAN_RID-CERTsanRidField to store the SAN registered IDs.
SAN_KRB5PRINCIPALNAME-CERTsanKrb5Principal

Field to store the SAN Kerberos 5 principal names.
The result is a "comma-space"-separated list of JSON objects, each representing one Kerberos 5 principal name, as shown in the example below:

{"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}, {"realm":"DEV","nameType":1,"nameComponents":["alice"]}, {"realm":"DEV","nameType":1,"nameComponents":["bob"]}

NameTypes are defined in RFC-4120, section 7.5.8 .

GIVENNAME-CertDnGIVENNAMEField to store the given name.
SURNAME-CertDnSURNAMEField to store the surname.
NAME-CertDnNAMEField to store the name.
GENERATION-CertDnGENERATIONField to store the generation.
C-CertDnCField to store the country.
CN-CertDnCNField to store the common name.
L-CertDnLField to store the locality.
O-CertDnOField to store the organization.
OU-CertDnOUField to store the organizational unit.
ST-CertDnSTField to store the state.
INITIALS-CertDnINITIALSField to store the initials.
TITLE-CertDnTITLEField to store the title.
E-CertDnEMAILField to store the email adress (from DN).
PSEUDONYM-CertDnPSEUDONYMField to store the pseudonym.
DNQ-CertDnDNQField to store the DN qualifier.
USER_ID-CertDnUSERIDField to store the user ID.
TELEPHONE_NUMBER-CertDnTELField to store the telephone number.
POSTAL_CODE-CertDnPOSTALCODEField to store the postal code.
POSTAL_ADDRESS-CertDnPOSTALADDRField to store the postal address.
STREET-CertDnSTREETField to store the street.
NAME-CertDnNAMEField to st
UNIQUE_IDENTIFIER-CertDnUNIQUEIDField to store the unique identifier.
SN-CertDnSERIALField to store the DN serial number.
ORGANIZATION_IDENTIFIER-CertDnORGIDField to store the organisation identifier.
DC-CertDnDCField to store the domain component.

If non-datapool target fields are used for extracted attributes, then you will run into problems when extracting multiple instances of the same attribute (e.g. multiple OUs).

Example:

Your DN is as follows: DN=hello, OU=firstOrg, OU=secondOrg

Your target variable for the OU parameter is: DnOrgUnit

This results in two variable assignments:

  • DnOrgUnit = firstOrg
  • DnOrgUnit_1 = secondOrg

The issue here is that DnOrgUnit_1 contains an underscore despite not being a Datapool-field.
This will cause it being misinterpreted as being field 1 of the datapool DnOrgUnit instead of a a standard process variable named DnOrgUnit_1.

To avoid this, either make sure all your target fields are datapool fields, or use additional service tasks that copy the values into proper named fields before further processing.

You can, for example, use the Process: Set Value of Variable in Process Map task and set the following parameters:

  • variableName: DNattrOU1
  • variableValue: ${DNattrOU_1}

In case of error

The following parameters are set in case of error:

ParameterMandatoryValueDescription
ExtractionResult*

-

Valid values:

  • success (default)
  • error

The value is default set to "success".

If one of the following errors occurs, the value is set to "error":

  • The field containing the certificate is empty.
  • One of the attributes exceeds 2000 characters (limitation by Activiti).
ExtractionResultErrorMsg*-

Valid values:

  • "Certificate data is empty"
  • "The attribute 'xy' exceeded 2000 characters."
If one of the errors in "ExtractionResult" occurs, this variable is set to "Certificate data is empty" or to "The attribute 'xy' exceeded 2000 characters."

* - These parameters require PRIME 3.12.4 or later.

Description

Use this task to extract all subject DN attributes, as well as the SAN attributes from a PKCS#10 request. The parameter value of P10RequestFormEntry has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes will be put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example, PKCS10RequestFormEntryCn for the default value of P10RequestFormEntry and CN attribute or PKCS10RequestFormEntrySANEMAIL for San Email.

Configuration

To use this task, configure the following delegate expression in your service task:

${extractPKCS10AttributesFromRequestTask}

The following parameters can be configured in Identity Manager Admin

ParameterMandatoryValueDescription
P10RequestFormEntry

Example value:

  • p10input

Process variable containing the content of a CSR file as an array of bytes. The CSR file might be either PEM encoded or binary.

Extracted attributes

Subject DN attributesPrefixResult
  • Email = E
  • Common Name = CN
  • Country = C
  • Organisation = O
  • Title = T
  • Surname = SURNAME
  • State = ST
  • Given Name = GIVENNAME
  • Organisation Unit = OU
  • Serial Number = SN
  • Unique Identifier = UID
  • Street = STREET

PKCS10RequestFormEntry

  • PKCS10RequestFormEntryE
  • PKCS10RequestFormEntryCN
  • PKCS10RequestFormEntryC
  • PKCS10RequestFormEntryO
  • PKCS10RequestFormEntryT
  • PKCS10RequestFormEntrySURNAME
  • PKCS10RequestFormEntryST
  • PKCS10RequestFormEntryGIVENNAME
  • PKCS10RequestFormEntryOU
  • PKCS10RequestFormEntrySN
  • PKCS10RequestFormEntryUID
  • PKCS10RequestFormEntrySTREET

SAN attributes

PrefixResult
  • SAN EMAIL = SANEMAIL
  • SAN GUID = SANGUID
  • SAN DNS = SANDNS
  • SAN UPN = SANUPN
  • SAN IP = SANIP
  • SAN RID = SANRID
  • SAN KRB5PRINCIPALNAME = SANKRB5PRINCIPALNAME
PKCS10RequestFormEntry
  • PKCS10RequestFormEntrySANEMAIL
  • PKCS10RequestFormEntrySANGUID
  • PKCS10RequestFormEntrySANDNS
  • PKCS10RequestFormEntrySANUPN
  • PKCS10RequestFormEntrySANIP
  • PKCS10RequestFormEntrySANRID
  • PKCS10RequestFormEntrySANKRB5PRINCIPALNAME
    • The result is a "comma-space"-separated list of JSON objects, each representing one Kerberos 5 principal name, as shown in the example below:

      {"realm":"DATACENTER","nameType":4,"nameComponents":["myservice","myhost"]}, {"realm":"DEV","nameType":1,"nameComponents":["alice"]}, {"realm":"DEV","nameType":1,"nameComponents":["bob"]}

      NameTypes are defined in RFC-4120, section 7.5.8 .

Other attributesPrefixResult
  • Key size
  • Algorithm (+ curve)*
  • HashAlgorithm
  • (as boolean) = the signature is valid
PKCS10RequestFormEntry
  • PKCS10RequestFormEntryKeySize
  • PKCS10RequestFormEntryKeyType
  • PKCS10RequestFormEntryHashAlgorithm
  • PKCS10RequestFormEntrySignatureValid

*Extracting the curve name currently does not work if Identity Manager and Identity Manager Admin run on the same Tomcat instance due to a classloader issue with JCE providers. In that case only the algorithm name is shown ("ECDSA") without the curve appended.

Description

Loads the certificate history of a user, as a list of the certificates' Core Object IDs, into the process map, in order to recover these certificates in a later step. The relevant certificates are identified by the <certTemplates> types and the ObjectRelations either directly to the user, or via a related card. The list is ordered by 'validTo'-date descending, and the number of provided certificates can be limited by <count>. The task is intended to be a simple way to implement standard recovery cases. More special cases can be done via SearchConfigurations. Recovery supports simple Core Object ID lists, like provided here, or CoreObjectDescriptor-lists provided by Processes: Execute Search Tasks.

SKI (Secure Key Injection): It will look for associated cards of the person and retrieve thumbprint information if the card ICCSN is provided in the process map. This thumbprint will be saved into the process map if it is available in the database. 

Configuration

To use this task, configure the following delegate expression in your service task:

${prepareDataForCertificateKeyRecoveryTask}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
certTemplates


A comma separated list of the certificate core template names of the certificates to be recovered.
count


Maximum number of certificate ids to be provided via this task.

processVariable

Certificate_CoreObjects or PcmDpCertificate_CoreObjects

Variable name in the process map, where the certificate Core Object IDs should be provided for subsequent recovery.

DataPoolName_Certificate


The datapool name of the Certificate core object.
DataPoolName_Person


The datapool name of the Person core object.
DataPoolName_Card


The datapool name of the Card core object.
ObjectRelationType
Example value: 
  • Default, Deputy

A comma separated list of related object types between Persons, Cards and Certificates (e.g. Default, Deputy).

When this value is provided then the task will load only a person's certificates with matching relations into the process variable, otherwise it will load certificates with all available relation types.

This is a general white-list, which does not distinguish between the objects involved in a relation, like Person<>Card, Person<>Certificate, Card<>Certificate, etc. Therefore you have to be very careful in constructing the relations to avoid accidental recovery of unwanted certificates.

Example

Let's assume that no direct Person<>Certificate relations exist (because no soft tokens and only cards were produced) and all Person<>Card relations use the type "Default". Then "Default" has to be part of the list. Otherwise no card could be found, and thus also no certificates of the card.

Let's also assume that some Card<>Certificate relations also use the type "Default", but you only want to recover those with type "User".

Then you will have a problem, because ObjectRelationType=Default, User will recover both types, and ObjectRelationType=User will recover nothing, as the parent relation between Person<>Card does not match.

To avoid this, make sure that all Card<>Certificate relations use a dedicated type. Soft token certificates related directly to a person will always use the default type, so they should not use the same certificate template as the ones on a card, if you do not want to include them.

To use this task, select it in Identity Manager Admin and configure the above parameters. No bean configuration is required. In a later action you must perform the Key Recovery.

Description

Use this task to archive and/or recover PGP certificates from Smart ID Certificate Manager (CM).

When new certificates are requested, the values will be taken from the certificate template configured under "archivalTemplate". The following attributes can be set:

AttributeDescription

Common Name (CN)

Expression that defines the CN sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Email (SAN_EMAIL)

Expression that defines the SAN_EMAIL sent with the PGP key archival request, mandatory part of the PGP user ID created by Certificate Manager.

Surname (SURNAME)

Expression that defines the SURNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

Givenname (GIVENNAME)

Expression that defines the GIVENNAME sent with the PGP key archival request, optional part of the PGP user ID created by Certificate Manager.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePgpSoftTokenAction}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
requestAndArchive

Valid values:

  • true (default)
  • false
If true, then a new PGP keys will be requested and archived (you cannot request new keys that are not archived)
passwordField

Person_PasswordRefName of secret field in which the password for encrypting the secret keyrings is provided
archivalTemplateif requestAndArchive true PkiBoPgpCert

Name of the PGP archival certificate template configured in Identity Manager, must match the config of ${prepareDataForCertificateKeyRecoveryTask}

archivalSubjectSerialNumberPrefix-${Person_UPN}Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look something like this: "MyResolvedPrefixc97cb0de-
4774-454c-8568-82fbcd6ee710"
recover

Valid values:

  • true (default)
  • false
If true, then existing PGP keys for the user will be recovered
recoveryTemplateif recover truePkiBoPgpRecoveryName of the PGP recovery certificate template configured in Identity Manager
certificatesForRecoveryif recover true Certificate_CoreObjects

Process var containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover

mailDefinitionNameif publicKeyringsField and secretKeyringsField missing PGP Softtoken MailName of the mail definition for the PGP softtoken mail (no mail will be sent if this is missing)
mailEncryptionCertificates- Certificate_EncProcess var containing the core object descriptor list of the certificates, which will be used to encrypt the softoken mail.
publicKeyringsFieldif mailDefinitionName missingPublicPgpKeyRefForDownloadName of the process var into which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its ref saved to the processmap)
secretKeyringsFieldif mailDefinitionName missing SecretPgpKeyRefForDownloadName of the process var into which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its ref saved to the processmap)
errorMessageField

ErrorMessage (default value)Name of the process var into which the BpmnError message is saved if one is thrown
errorTypeField

ErrorType (default value)Name of the process var into which the BpmnError type is saved if one is thrown
ssnsIssuedNotPropagatedField

SubjectSerialNumbersIssuedNotPropagated (default value)Name of the process var into which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown (you could use this information to unpublish, this might require additional lookups in Smart ID Certificate Manager (CM), though)

Description

Use this task to query a certificate from a certificate authority, put it into a PKCS#12 Container and either save it to secret field store or send it via email. There are two ways to query the data base:

  • Recover the certificates found in process variable.
  • Request a new certificate (using a plain request).

Both methods can be combined or used independently. If no certificate is queried the task will fail.

Due to [https://bugs.openjdk.java.net/browse/JDK-8214513] the generated PKCS#12 keystores can not be opened with java < 11.0.3 unless BouncyCastle (BC) is used as a KeyStore provider.

  • Windows can open the generated P12.
  • Java with Boucycastle can open the generated P12.
  • Java >= 11.0.3 without BC can open the generated keystores, however the encoding parameters selected in the softtoken task must be supported by the SUN KeyStore provider. The defaults are not supported. You must use for example:
    • Encryption algorithm: PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)
    • PRF: HMac with SHA-1 (OID: 1.2.840.113549.2.7)
    • Hashing algorithm: SHA-1 (OID: 1.3.14.3.2.26)
  • Nexus Personal Desktop Client can import the generated P12, however versions up to at least 5.2.3 require the weaker algorithms shown above for Java without BC
  • Nexus Personal Desktop App can import the generated P12, however versions up to at least 1.3.6 require the weaker algorithms shown above for Java without BC

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSoftTokenRequestAndRecovery2}

The following parameters can be configured in Identity Manager Admin: 

ParameterMandatoryValueDescription
p12PasswordField

Example value:

  • Person_PasswordRef
Password variable field for the generated PKCS#12 container. There are actions to create one.
recoverCerts

Valid values:

  • true (default)
  • false
Whether recovery should be executed.
processVariableIf recoverCerts = true

Example value:

  • Certificate_CoreObjects
Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover. 
recoveryTemplate-

Example value:

  • Revocery
Certificate template used for recovery. Not necessary for some CAs.
requestCert

Valid values:

  • true (default)
  • false
Whether a new certificate should be requested (Plain request).
certTemplateIf requestCert = true

Example value:

  • MyCertTemplate
Certificate template used for requesting the new certificate.
includeChain-

Valid values:

  • true (default)
  • false
If present and set to false, the certificate chain is skipped and only end-entity certificates will be included.
keyArchival

Valid values:

  • true (default)
  • false
Whether the created key are archived in the CA.
mailDefinitionName-

Example value:

  • MyMailDefinition
If empty, no mail is sent.
encryptionCertificates-


The core object descriptor list of the certificates used for email encryption.
p12RefField-

Example value:

  • Person_Softtoken
Field to store PKCS#12 container in Base64 encoding.
errorMessageField

Example value:

  • ErrorMessage
Field to store the human readable message in case of error.
errorTypeField

Example value:

  • ErrorType
Field to store error type (ERROR, CA_ERROR or MAIL_ERROR).
certsToRevokeField

Example value:

  • CertsToRevoke
In case of error, the newly created certificates are stored as list of core object ids. These certificates can in turn be revoked by the process if desired.
p12EncryptionAlgo-

Valid values:

  • PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)
  • AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)

Default value:

  • AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42)
The encryption algorithm to use for the PKCS#12 keystore.
p12EncryptionIterations-

Default value:

  • 100000
The encryption iterations
p12PseudoRandomFunction-

Valid values:

  • HMac with SHA-1 (OID: 1.2.840.113549.2.7)
    HMac with SHA-256 (OID: 1.2.840.113549.2.9)

Default value:

  • HMac with SHA-256 (OID: 1.2.840.113549.2.9)
The PRF to use for the PKCS#12 keystore
p12HashAlgo-

Valid values:

  • SHA-1 (OID: 1.3.14.3.2.26)
  • SHA-256 (OID: 2.16.840.1.101.3.4.2.1)

Default value:

  • SHA-256 (OID: 2.16.840.1.101.3.4.2.1)
The hashing (MAC) algorithm to use for the PKCS#12 keystore
p12HashIterations-

Default value:

  • 100000
The hashing (MAC) iterations

Description

Use this task to update the certificate state against the certificate CRL distribution point. This task takes the CoreObjectDescriptor list for the Certificate object and updates each certificate state based upon the provided CRL distribution points. 

Configuration

To use this task, configure the following delegate expression in your service task:

${updateCertificateStateFromCRLTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
coreObjectDescriptorList

Example value (resolved from variable):

  • ${Certificate_CoreObjectDescriptors}
Core object descriptor list of the Certificate Object.

Revocation State Mapping

Revocation reasons must be configured in Identity Manager Operator before using this feature. Transitions must be aligned with the certificate state graph. Identity Manager validates the transition for each CRL entry based upon specified system property mapping and state graph.

Follow these steps in Identity Manager Operator to open the revocation reason mapping settings:

  1. Go to the ADMIN tab.
  2. Select Configure system properties.
  3. Select CA Revocation Reason Mapping

This configuration is tenant-specific, but not stategraph-specific! It is highly recommended to use a common state graph for all certificate configs within one tenant.

Keep your certificate state graph as simple as possible to avoid ambiguities, as you can map from multiple IDM states to the same revocation reason, but for the reverse mapping of revocation reason to IDM state you have to pick a single value.

For example, if you have both inactive and locked as IDM states and they both map to the revocation reason unspecified, then you have to decide whether an incoming CRL entry with reason unspecified shall set the IDM state to inactive or locked.
In such a case it is best to consolidate to a single IDM state per relevant revocation reason.

Example:

Revocation statePossible IDM Certificate state Mapping
Certificate or key compromisedinactive
Temporary revokedtemporary.inactive
Certificate supersededinactive
Reason not specifiedinactive
Remove certificate from listactive
Certification Authority compromisedinactive
 Information about certificate has changedinactive
Certificate is no longer usedinactive
Right withdrawninactive

Description

Use this task to revoke an existing certificate. This task needs to be executed on a Certificate object or with Certificate data available in the process map.

Configuration

To use this task, configure the following delegate expression in your service task:

${revokeCertificateTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

certificateDataPool

Example value (fixed):

  • Certificate

Example value (resolved from variable):

  • ${certDataPool}
Certificate data pool name. Default Certificate data pool is "Certificate".

targetState

Example value (fixed):

  • Temporary Inactive

Example value (resolved from variable):

  • ${certState}

Target state of certificate

Description

Use this task to trigger a republishing or unpublishing action for a specific PGP certificate on Smart ID Certificate Manager (CM), based on the configured publication procedure.

PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2 applied, CM 7.18.1 with hotfix 7.18.1.1 applied or any later version. Officially supported in PRIME 3.10.

Configuration

To use this task, configure the following delegate expression in your service task:

${pgpCertificatesPublicationTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription
publicationProcedure

CertEP CA Certificate to AD (Enrollment Services)Publication- or unpublication procedure defined on Smart ID Certificate Manager (CM).
serialnumberField

Certificate_CertSerial

Name of the field containing the serial number in the datamap. This is the subject serial number which Identity Manager assigns when requesting a PGP certificate. It is stored in place of an X509 certificate serial number in the Identity Manager certificate object.

DataPoolName_Certificate

CertificateDatapool name of certificate.

Description

Use this task to check against Online Certificate Status Protocol (OCSP)/Certificate Revocation Lists (CRL) that a certificate is valid. OCSP and/or CRL information must be included in a valid certificate. For OCSP, the issuer must be trusted by Identity Manager Operator.

Configuration

To use this task, configure the following delegate expression in your service task:

${checkX509ValidityTask}

The following parameters can be configured in Identity Manager Admin:

ParameterMandatoryValueDescription

certificateBinary

Example value:

  • Certificate_Data

Field of the datamap where the certificates binary is placed.

isValidityConfirmed

Example value:

  • isValidityConfirmed

Name of the field where the result is written into the datamap.

Possible values:

  • true (Certificate validity confirmed)
  • false (Certificate validity not confirmed)

revocationDate


Example value:

  • revocationDate
Name of the field where the revocation date is written into the datamap if the certificate is revoked.

resultInfo


Example value:

  • resultInfo

Name of the field where the message from the validation result is written into the datamap.

The resultInfo can contain the following content:

  • The certificate is valid.

  • The certificate is revoked.
  • The certificate is invalid or could not be validated.

resultInfoOCSP


Example value:

  • resultInfoOCSP

Name of the field where the message from the validation result of the OCSP is written into the datamap (if available).

The resultInfoOCSP can contain the following content: 

  • OCSP_NO_AUTHORITY_INFO_ACCESS: No responder URI in the certificate.

  • OCSP_RESPONDER_UNREACHABLE: The OCSP responder is offline.

  • OCSP_CERTIFICATE_TO_BE_CHECKED_INVALID: CA or entity certificate is broken.
  • OCSP_INVALID_URL: The OCSP URL is invalid.
  • OCSP_INVALID_ANSWER: The OCSP response is broken.
  • CERT_STATUS_REVOKED: The certificate is revoked.
  • CERT_STATUS_UNKNOWN: The certificate is unknown.

resultInfoCRL


Example values:

  • resultInfoCRL

Name of the field where the message from the validation result of the CRL is written into the datamap (if available).

The resultInfoCRL can contain the following content: 

  • CERT_ERROR_CRLLOCATION: Could not fetch or create CRL from the given location.
  • CERT_REVOKED: The CRL check resulted in a revoked certificate.
  • CRL_ERROR_VERIFICATION: The CRL signature could not be verified because of a broken truststore.
  • CRL_UNTRUSTED: The CRL is untrusted.
  • CRL_ERROR_VERIFICATION: An exception was thrown while trying to verify the CRL signature.
  • CRL_COULD_NOT_BE_FETCHED_FROM_CDP_URI: The CRL could not be fetched from CDP URI.