Release Date: 2020-04-15
For information on how to upgrade from PRIME 3.11 to 3.12, read this instruction: Upgrade from PRIME 3.11 to PRIME 3.12.
Main new features
Improvements regarding SAML
- Improved usability of SAML configuration
- Possibility for multiple Service Providers
- New authentication profile combining SAML and LDAP
Object relation types
Object Relation Types are introduced so that you can have more information about the purpose and type of object relations.
There is a new standard service task that can be used to register devices/services for ACME certificate enrollment via Nexus Certificate Manager version 8.1 and later.
Detailed feature list
External PKI Connector support removed
All supported PKI connectors in PRIME have been moved into the PRIME application as internal connectors. The old external PKI (separate WAR file connected via HTTPS) is no longer supported. The functionality is obsolete and has therefore been removed.
eIDAS compliant card with Gemalto MD940 chip supported
With this release, eIDAS compliant encoding of smart cards with Gemalto MD940 chips is supported via the Safenet Pkcs#11 Middleware. Specifically, access to the second card slot to write the signing certificate is now implemented.
Introducing Object Relation Types
So far, PRIME can set up relations between any objects in the system (for example, cards connected to a person, certificates on cards, requests related to persons etc.). Sometimes it is necessary to have more information about the purpose and type of a relation, for example whether you are the owner of the object, responsible for it (e.g. for a key) etc. With this new feature, custom relation types can be defined and set when the object relations are established. It is also possible to filter in search configurations on these relation types, so that PRIME can limit the view for certain user groups to relations of a certain type. See Set up search configuration in Identity Manager.
Improved standard service task "Core Objects: Drop relations"
The existing standard service task to drop object relations has been improved. In former releases, it was only possible to drop all relations to all other objects of a certain type. Now it is possible to select a specific object (for example, one single card that is linked to a user) and drop the corresponding relation. See "Core Objects: Drop Relation" in Standard service tasks in Identity Manager.
Certificate provisioning to Windows Certificate store supported
PRIME now supports certificate provisioning to the Windows Certificate store via Personal Desktop App. When an end user requests or recovers a certificate via Self-Service, the Pkcs#12 soft token can be delivered directly into the user's Windows Certificate store.
Support for new certificate attribute for eIDAS compliance
This release supports the new Organization Identifier (organizationIdentifier, OID 2.5.4.97) certificate attribute that is required for eIDAS compliant certificates. Currently it is supported in combination with Smart ID Certificate Manager or EJBCA.
ACME registration in Nexus Certificate Manager
With Certificate Manager 8.1, certificate enrollment via ACME has been introduced. PRIME provides a new standard service task to register devices/services for ACME certificate enrollment via CM version >= 8.1. See "Cert: Create ACME pre-registration order" in Standard service tasks in Identity Manager.
Automatic data conversion in BatchSync improvements
Basic type conversions that do not require any additional configuration (for example, numbers from source to string in target) will be done automatically now.
Typical use case: import a number from a text file into a numeric database field.
Revised SAML configuration and added support for multiple Service Providers
The whole SAML configuration in PRIME Designer has been revised and simplified. There are fewer parameters to configure, and the process is now easier to understand. At the same time, the possibility to set up multiple Service Providers (SP) for Nexus PRIME has been introduced, for example Self-Service vs. Explorer, or when different Explorer instances need to be identified by the Identity Provider (IDP). See Enable two-factor authentication to Identity Manager clients via SAML federation.
Cosmo 8.2 cards with Idemia middleware supported
This release of PRIME supports the Cosmo 8.2 smart cards with the latest version of Idemia Pkcs#11 middleware.
New standard service task to load specific properties into the BPMN process
PRIME allows general-purpose custom properties to be set in the Admin area of Explorer. This service task loads specific properties into the BPMN process, so that the corresponding parameters can be used during process execution. See "Process: Load value(s) of SystemProperties into process map" in Standard service tasks in Identity Manager.
New standard service task to validate a data field via a regular expression
A new standard service task has been introduced to validate any data field in a process against a regular expression. See "Process: Validate a value in the Process Map against a regular expression" in Standard service tasks in Identity Manager.
Improved security for soft tokens
The security has been improved for all use cases issuing Pkcs#12 soft tokens in Nexus PRIME. By default, all soft tokens are now encrypted with an AES-256 key. For applications that cannot handle AES-256, there is now a parameter available in the standard soft token service task to change the encryption to another algorithm. See "Cert: Request & Recover PKCS#12 Soft Token" in Standard service tasks in Identity Manager.
New authentication profile combining SAML and LDAP
Besides the current SAML authentication, we introduced a new authentication profile that combines SAML-based authentication with LDAP. This means that the authentication itself is done via the SAML ticket, and authorization is done via LDAP groups, so that assigning certain roles to users in PRIME can be managed via the directory service. See Set up authentication profile in Identity Manager.
Introduced general process properties
In some cases, PRIME users want to set global parameters that will be used in every BPMN process. Therefore we introduced a new section in the Properties configuration in PRIME Explorer for these values. A "timeout duration" property is provided by default; it defines a global parameter used to terminate pending processes after a certain time. See Set up timeout duration for processes in Identity Manager.
Standard service task: X.509 certificate parsing
This PRIME release introduces a new standard service task that can be used to extract data from an X.509 certificate (for example, Subject DN, key size, validity or RSA public exponent). The extracted attributes can then be processed in further steps of the BPMN flow. See "Cert: Extract Certificate Attributes" in Standard service tasks in Identity Manager.
Support for latest release of Nexus Certificate Manager
This release of Nexus PRIME supports Smart ID Certificate Manager 8.1.
Extended Standard service task for Certificate Request parsing
The existing standard service task "Cert: Extract Pkcs#10 Attributes From Request" has been extended. It is now possible to extract key length, key type and hash algorithm, and the signature of the Pkcs#10 request can be verified. See "Cert: Extract Pkcs#10 Attributes From Request" in Standard service tasks in Identity Manager.
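To illustrate what the Pkcs#10 parsing task and the X.509 attribute extraction described above do with a request, here is an added Go example (not code from Nexus PRIME): it parses a DER-encoded PKCS#10 request, extracts subject DN, key type, key length and hash algorithm, picks up the eIDAS organizationIdentifier subject attribute, and verifies the request's self-signature so a tampered or key-swapped request is flagged before it reaches the CA. The struct field names and the sample subject values are assumptions; SampleCSR builds a constructed test request.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
)

// CSRAttrs stands in for the process-map values the task provides (names assumed).
type CSRAttrs struct {
	SubjectDN, OrgID, KeyType, HashAlg string
	KeySize                             int
	SignatureValid                      bool
}

var oidOrgID = asn1.ObjectIdentifier{2, 5, 4, 97} // organizationIdentifier (X.520 id-at 97), eIDAS

// ExtractCSRAttrs parses a DER PKCS#10 request and verifies its self-signature.
func ExtractCSRAttrs(der []byte) (CSRAttrs, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return CSRAttrs{}, err
	}
	a := CSRAttrs{SubjectDN: csr.Subject.String(), HashAlg: csr.SignatureAlgorithm.String()}
	a.SignatureValid = csr.CheckSignature() == nil // false for a tampered or key-swapped request
	for _, n := range csr.Subject.Names { // every RDN attribute, known or not
		if n.Type.Equal(oidOrgID) {
			a.OrgID, _ = n.Value.(string)
		}
	}
	if k, ok := csr.PublicKey.(*rsa.PublicKey); ok {
		a.KeyType, a.KeySize = "RSA", k.N.BitLen() // modulus length in bits
	}
	return a, nil
}

// SampleCSR builds a constructed request (not from the page): RSA 2048 key, a CN,
// and the organizationIdentifier attribute in the subject.
func SampleCSR() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example-device",
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidOrgID, Value: "VATSE-556000000001"}}}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```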
Show connector status in PACS admin panel
The PACS admin panel has been improved. The current connector status (active, inactive, last ping etc.) for each connected PACS system can now be displayed.
Sending Audit Flag to Salto PACS
The PACS connector to Salto has been improved: It is now possible to configure if an "audit flag" is sent as part of the provisioning requests. This automatically activates the audit functionality in Salto for the specific user. See Set up integration with Salto.
Sending emails failed when an attachment was configured but no attachment data was present. This is now fixed; the email is sent anyway.
Fixed error handling on certificate login in PRIME Explorer. The user now gets an error message instead of being redirected to the username/password page when certificate login fails.
Fixed an issue in the error handling of the "Change State in CA" process task.
Fixed the setting of the friendly name when issuing a Pkcs#12 soft token.
Fixed an issue in certificate validation when using certificate based authentication.
Fixed a padding issue of RSA keys when recovering certificates from a PKI.
Fixed an issue with config export of authentication token in the Messaging Server configuration.
Fixed multi-value support for SAN_DNS and SAN_IP attributes in the D-Trust connector.
Fixed an issue when opening Personal Desktop App via PRIME Explorer with the latest version of Chrome.
Improved error handling when misconfigured CA config/certificate templates are executed in an encoding.
The "Create PDF" standard service task didn't resolve encrypted fields. This has been fixed.
Improved error handling when receiving response from Messaging Server. More meaningful error states are provided now.
Fixed an issue when receiving certificates via distribution rules from Nexus Certificate Manager.
Fixed error handling when using encoding descriptions without field mapping.
Fixed an issue when using Boolean attributes in LDAP searches.
Invoking ordinary datapool fields from process map in a search filter didn't work in PRIME Self-Service. This has been fixed.
Fixed an issue when using multi-level search in batch orders.
It was not possible to delete specific certificates on a smart card without deleting the corresponding keys. This has been fixed.
Fixed translation of "meta fields" (like object status, Template name etc.) in PRIME Self-Service.
Fixed an issue when PDF creation (via standard service task "Create PDF") is triggered in a PRIME Self-Service process.
Fixed an issue with download of Pkcs#12 soft token files in PRIME Explorer and PRIME Self-Service.
Fixed an issue with download of PDF files in PRIME Self-Service.
Fixed an issue when showing object lists in PRIME Self-Service.
It was not possible to request issuing CA certificates via Pkcs#10 upload. This has been fixed.
Important notes on this release
- Removed support for Java 8 and Tomcat 8.5.
- For new and updated standard service tasks, see a list in Upgrade from PRIME 3.11 to PRIME 3.12.
For information on limitations, see Limitations for Identity Manager.
For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/.
Nexus offers maintenance and support services for Nexus PRIME to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.