Visit Nexus to get an overview of Nexus' solutions, read customer cases, access the latest news, and more.

Version: 3.11

Release Date: 2019-11-07


Smart ID Identity Manager 3.11 has been released today. 

For information on how to upgrade from PRIME 3.10 to 3.11, read this instruction: Upgrade from PRIME 3.10 to PRIME 3.11.

Main new features

Removed Java for PKI encoding in PRIME Explorer

With this release, the last steps are made to remove Java from the clients: PKI encoding in PRIME Explorer is now also possible via Personal Desktop App.

Data Sync Proxy improved

The Data Sync Proxy, the PRIME component to sync data sources remote via HTTPS connections, has been improved. It can now be configured easily in PRIME Designer, and it is possible to set up the proxy per data source. You can now decide which data source that is connected in the local network and which shall go to a remote server.

New admin UI for PACS connector configuration

The Nexus PRIME PACS backend has a new configuration user interface. All PACS connector configuration can now easily be managed on an HTML5 frontend. You can establish the connections to new PACS system and also manage custom configuration parameters for each single PACS system in the UI.

Detailed feature list


JIRA ticket noDescription

EJBCA connector included in PRIME standards

EJBCA connector is now included in the new PKI architecture as an "internal connector". Besides improved security and simplified installation this also means that all standard workflows will work out of the box. Key Backup/ Key Recovery is done via Nexus Certificate Manager (CM) (similar as with D-Trust and Quovadis). For more information, see Integrate Identity Manager with EJBCA connector


Improved logging for BPMN Save Service

Improved logging for BPMN Save Service for better troubleshooting: user and core object ID and template name can now be logged.


Added standard service task for requesting order status

Added a standard service task to receive feedback from Nexus GO Cards production. With this service task PRIME can update (for example, via a Batch Sync Job running periodically) the ordering status and RFID chip serials when production is done. See "Card Production: Nexus GO order status" in Card Production - Standard service tasks in Identity Manager.


Listing of assigned user roles has been added

A new view-based data source has been added to the Data Pool configuration. Based on this, a list of all roles, assigned to users (Person CoreObjects) can be created via Search Configuration/Extended Search.


Added standard service task to execute searches

Added a standard service task that can execute search configurations in processes. Result lists will be available in the process map. This service task replaces the searches in beans.xml, and therefore simplifies process search significantly. The old bean-based search still works for compatibility reasons, but it is highly recommended to use the new standard service task instead. See "Process: Execute Search Task" in Process - Standard service tasks in Identity Manager.


PKI encoding in PRIME Explorer executed via Personal Desktop App

PKI encoding tasks (production task and Card Job) in PRIME Explorer, that do not rely on Card SDK, are now executed via Personal Desktop App.


Improved configuration of Assert uniqueness standard service task

The configuration of filter criteria in the Assert uniqueness standard service task has been improved. Parameters can now be added dynamically in the configuration, and each filter criteria can be configured in a separate parameter. See "Process: Assert Uniqueness Task" in Process - Standard service tasks in Identity Manager for the new configuration.


DataSyncProxy can be configured per Data Pool

In previous releases, it was only possible to activate the DataSyncProxy (to connect, for example, from a PRIME cloud service to a local data source) system wide. With this release, the DataSyncProxy can be activated easily in PRIME Designer per Data Pool, so that you can choose which data sources should be connected directly or via the proxy. Read more here: Smart ID Agent (DataSyncProxy) in Identity Manager.


Added standard service task to receive domain list from QuoVadis

To issue TLS server certificates from QuoVadis, allowed domains need to be registered in the QuoVadis account. To do the validation of domain names as early as possible in the request process, the list of valid domains can be received via this service task from the QuoVadis account and stored in a corresponding lookup table. See "Save domain list into PRIME" in Miscellaneous standard service tasks in Identity Manager.


Standard service task configuration supports drop-down lists

Sometimes service task configuration relies on other configuration items (for example, referencing a search configuration) that in previous versions had to be entered manually. Standard service tasks now supports drop-down lists to easily select these linked configurations. In this release this can be used for the new "Process: Execute Search Task" in Process - Standard service tasks in Identity Manager and for all tasks in Smart ID Messaging - Standard service tasks in Identity Manager.


Forms headlines are simplified and aligned

Headlines used in forms (for PRIME Self-Service, PRIME Explorer, for processes or CoreObject views) are now simplified and more user friendly.


Ongoing Virtual Smartcard provisioning not sent to the Open Tasks list

A parameter was introduced that prevents BPMN engine from sending an ongoing Virtual Smartcard provisioning to the Open Tasks list.


Added standard service task to execute script tasks

A standard service task has been added that can execute a script task (for example, Groovy, BeanShell). This can be useful for BatchSync Jobs to avoid using BPMN processes. Small changes (for example, string concatenation or changing format of field values can now be done in a (fast) script instead of using less performant BPMN processes. See "Process: Execute script" in Process - Standard service tasks in Identity Manager.


Introducing new admin UI for PACS backend

PRIME PACS Backend now provides a user friendly web frontend to configure and manage the different PACS systems. The user interface includes standard connection settings but you can also manage PACS specific settings and features.


Using BatchSync instead of BPMN timer process

Replaced all BPMN timer processes in the standard packages with BatchSync Jobs to make configuration changes easier for administrators.


Introduced new search service task in standard packages

Replaced all bean-based "searchexecutors" in the standard  packages with the new standard search service task.

Corrected bugs

JIRA ticket noDescription
CRED-8226There was an issue in the standard service task "Process: Copy Values of LoggedIn User to Process Map" when using it with LDAP/certificate-based authentication.

Fixed NullPointerException in change password dialog when leaving new password blank.

CRED-8447Fixed size of check boxes in PRIME Self-Service. Style is now aligned to the other form elements.

The log file "velocityEngine" was not needed and was removed.

CRED-8560There was an issue with date conversion when accessing Datasources via DataSync Proxy.
CRED-8562Fixed an issue when deleting a tenant.

In PRIME Self-Service, an issue with translation of template names and process IDs has been fixed.

CRED-8632The polling time in DFN PKI Connector has been increased.
CRED-8633Fixed an issue in the session handling during PKI card encoding. The encoding was running in unhandled error state when swapping the cards during the card production process.
CRED-8663Fixed handling of internal corObject id in data pool configuration. Data pool granted direct access read/write to this field. This has been changed.
CRED-8685Fixed an issue with ECC certificate provisioning when running multiple PRIME Explorer instances on one Tomcat.
CRED-8686When using coreObject result lists in user forms there were empty records when using multiple searches with different core templates. This has been fixed now.
CRED-8696There was an issue with translation of custom buttons in user forms in PRIME Self-Service.
CRED-8702There was an issue with max length field validation in user forms in PRIME self-service.
CRED-8738Fixed an issue with multi-threading in number ranges.
CRED-8844Fixed an issue when deleting a Tenant.
IDC-1317Fixed an issue with entitlement withdrawal in Access Rules.
IDC-1327Fixed a performance issue when sending entitlement requests to the message queue.
PRSM-77Fixed an issue with the error handling when requesting entitlements in the Physical Access package.
PRSM-142Fixed an issue with broken dependencies when uploading the Digital ID softtoken package.
PRSM-192There was an issue in the softtoken recovery process.
PRSM-194Fixed permission setting in Digital ID package: removed "Lock Certificates" process from PRIME Self-Service dashboard.
PRSM-206Added "forgot password" link to PRIME Self-Service login page in default configuration.
PRSM-210Fixed an issue with withdrawal of non-personal cards when employee record gets locked.
PRSM-212Fixed an issue with withdrawal of non-personal cards in Smart ID Physical Access package.
PRSM-214Fixed an issue with the error handling when creating Entitlement Approvers and Responsibles in the Physical Access Package.
PRSM-220Fixed some translations in the softtoken replacement process.
PRSM-225Fixed some broken dependencies and removed dead links in PRIME modules packages.

Release announcement

Important notes on this release

Several beans in the custom beans files have been removed. Therefore, the PRIME configuration must be updated. For more information, see Upgrade from PRIME 3.10 to PRIME 3.11.


For information on limitations, see Limitations for Identity Manager.


Contact Information

For information regarding support, training and other services in your area, please visit our website at


Nexus offers maintenance and support services for Nexus PRIME to customers and partners. For more information, please refer to the Nexus Technical Support at, or contact your local sales representative.