Release Date: 2018-12-14
Nexus is proud to announce the availability of Nexus PRIME 3.9.
Main new features
Virtual smart card functionality
The new Windows 10 Smart ID Desktop App introduces a Virtual Smart Card (VSC) functionality. Nexus PRIME provides standard workflows for VSC based on Nexus Personal.
New PRIME Designer user interface
Identity Manager Admin is now a pure HTML5 application and the old webstart Designer is no longer available in PRIME 3.9. This means that PRIME Designer will now run on each up-to-date web browser without requiring a local Java. The usability of PRIME Designer is also improved in several areas.
New User Self-Service Portal
With this release a brand new PRIME User Self-Service Portal (USSP) is introduced. It contains updated technology, brand new look and feel, simplified configuration and improved usability.
Detailed feature list
|JIRA ticket no||Description|
ECC keys for Smart Card encoding
Nexus PRIME now supports ECC keys on smart cards. ECC keys can be created on the chip or imported for encryption certificates so that all standard use cases can be covered in a similar way like with RSA keys.
Note that support of EEC keys and corresponding ECC algorithms depends on the features that are provided by the smart cards and the corresponding middleware.
QuoVadis Standard PKI Connector
With this release, PRIME introduces a new standard PKI connector to the trust center: "QuoVadis". With the QuoVadis connector, all typical standard use cases can be covered depending on the account that the customer has at QuoVadis.
KeyBackup for Encryption keys is part of the connector, but will be done via a Nexus Key Management solution that requires a separate license.
Generic search filters for date/time
The Search Configurations now support generic search filters for date/time fields. It is now possible to add expressions, like
Deleting old object history
With the previous release, a validation frame for the signed object history was introduced, so that an administrator can limit the validation to a certain time frame (for example, only validate the last x years). To complete this functionality, the possibility to delete records that are outside the validation frame is now introduced, to align with the GDPR requirements.
Nexus PRIME Designer moved to HTML
With PRIME 3.9, PRIME Designer is now a pure HTML5 application. On the one hand the technology changed from Java Webstart to HTML, on the other hand also the look and feel was updated to a modern HTML style. PRIME Designer therefore will run now in an up to date HTML5-browser without requiring a local Java on the client.
The old Webstart Designer is no longer available in PRIME 3.9.
Data Source configuration made more user friendly
The setup of the internal data sources in the data pool configuration was revised and made more user friendly. Labels are updated and unnecessary objects are removed.
Standard Service Task cleanup
PRIME provides a set of standard service tasks (so called "parametrized actions") that can be used in the process, for example, to create random PINs, link objects, issue certificates etc. The naming of the tasks was changed to more user friendly descriptions and also some deprecated task were removed so that is easier to find the right task in the list.
FIPS compliant keys in ADCS connector
When using ADCS as PKI in PRIME, the RSA keys for encryption certificates are created in the ADCS connector on the server, in order to do a key backup in ADCS. These keys are now FIPS complaint so that virtual smart cards on TPM 2.0 can be used as well with PRIME.
Introducing new PRIME User Self Service Portal
A new User Self Service Portal (USSP) for PRIME was introduced. It is a completely new application with new UI framework, improved user experience and updated style. The USSP version that comes with PRIME 3.9 provides basic functionalities like starting processes, navigation through "my items", like cards, certificates and personal data. A few features from the old self service are still missing (like searching buttons, SAML authentication and smart card operations) and will be provided with the next version. For that reason, the old self service portal can still be used in parallel in PRIME 3.9 and will be deprecated with the next release.
User friendly item lists in PRIME Designer
With this release all listings of configuration items in Designer (like Search Config, Forms, Datapool etc.) was updated and aligned. Now all lists contain at least the symbolic name and the corresponding translation, to the currently used language. Items that have an optional description field will show this as well.
Added SAN support for encryption certificates in ADCS
The ADCS connector in PRIME had a limitation, that SAN attributes were only supported for authentication and signing certificates. This has now been improved, so that for all certificate types, a SAN (like upn or rfc822name) can be set.
Introducing Virtual Smart Card solution with Nexus Personal
The new Windows 10 Nexus Personal App introduces a Virtual Smart Card (VSC) functionality. Nexus PRIME provides standard workflows for VSC based on Nexus Personal.
Configuration of SAML authentication moved to PRIME Designer
With PRIME 3.9, the configuration of the SAML authentication profile was simplified. All configuration is now moved to the Designer UI, and is therefore more user friendly. Also - since the configuration is then stored in the database - SAML is now completely tenant-aware and can easily be deployed via configuration export.
Server side support for Java 11
With PRIME 3.9, Java 11 can be used on the server side. Due to the changed licensing model of Oracle, Nexus is focusing on OpenJDK Java support and therefore recommends this as the primary Java platform from now on. Nevertheless, Oracle Java 8 and 11 are still supported.
Note that PRIME components that require a client side Java (like Webstart Explorer and PKI Encoder), still relies on Oracle Java 8.
Supporting all available CRL reasons for CM via state graph
It is now possible to configure all CRL reasons that are available in CM as a certificate state in the PRIME state graph. These states can be selected in the revocation process and passed to the PKI accordingly.
Updated Bewator Omnis Connector
The PACS connector to Bewator Omnis was updated to the latest version.
Standard PACS Connector to Unison
With PRIME 3.9, a new Standard Connector to Pacom Unison was introduced.
PRIME PACS Backend supports MS SQL
With this release, the PACS connector backend was revised, restructured and removed dependencies from the predecessor product IDC. With these changes, the PACS backend can now run also in MS SQL database.
Updated PACS connector to Integra
With this release, the connector to Bravida Integra was upgraded. The connector now uses the latest API EasyConnect V2.
Introducing access rules for Smart ID Physical Access
With this release, standard workflows for managing access rules for Physical Entitlement Management (Smart ID Physical Access) are provided. Access rules provide the possibility to automatically assign entitlements in the PACS based on a certain rule set. For example, a specific field in the user record or based on Access Groups that are linked to the Access Rule.
Introducing access groups for Smart ID Physical Access
With this release, access groups as added as a new feature to the standard workflows for Physical Entitlement Management (Smart ID Physical Access). Access groups can be created, deleted and modified. The access groups are used to bundle a certain group of people (for example, teams, organizations, locations) so that - based on an access rule - this group of people will automatically get assigned an entitlement in the PACS.
|JIRA ticket no||Description|
Drag&Drop of data pool fields in Process Configuration of Standard Service Tasks did not work properly. This is fixed now.
|Implemented missing dependency check to search configuration when deleting a data pool.|
In the data pool configuration, the display name in the field list is now sortable.
Editable init value in search configuration was not working. This is fixed now.
Missing translation of object state in related object view is fixed.
Fixed certificate request parsing when request contains an upper case IPv6 address in SAN IP.
Fixed updating of creation and modification date in CoreObjects when saving.
Aligned revoke states of ADCS Connector with PRIME standard workflows.
The standard service task to create PDFs did not resolve encrypted fields. This is fixed now.
Fixed timeout message in USSP. It showed an empty popup message.
|CRED-7249||Fixed mandatory field validation for read-only fields in User Self Service portal.|
|CRED-7252||Fixed success popup after config upload in PRIME Designer.|
|CRED-7302||Fixed special character issue during smart card encoding with ADCS.|
|CRED-7323||Added card serial number as optional value in softtoken certificate requests when using Nexus CM.|
|CRED-7347||DN values, containing a comma did not work with ADCS connector (for example, CN= Doe, John). This has been fixed.|
|CRED-7356||In the last release the DB config templates in database.properties accidentally contained a trailing blank in the DB type. This lead to errors during startup. The blank character is now removed.|
|CRED-7369||Fixed issue when uploading Pkcs#10 request for server certificates with more than 10 SAN DNS entries.|
|CRED-7374||Login error page redirect did not work if USSP runs behind a proxy. A new configuration item was introduced in config.xml, so that the corresponding error page could be set there explicitly.|
|CRED-7394||Fixed problem when requesting P12 server certificates without SAN attributes.|
|CRED-7406||Fixed wrong export format when exporting dateTime field from Postgres to CSV.|
|CRED-7439||Fixed limitation with large card layout files. Now card layouts up to 20 MB size can be used.|
|CRED-7457||Fixed handling of SAN DNS entries in certificate request for more than 8 DNS values per request.|
|CRED-7505||Solved issues when using multiple LDAP authentication profiles and when combining with SAML.|
|CRED-7520||Fixed grouping of search results in PDF reports.|
|CRED-7678||Fixed error response handling in Smart Card Encoder.|
Important notes on this release
From PRIME 3.9, Java 11 (preferably OpenJDK 11) is supported on the server-side.
From PRIME 3.10, all Java client technologies will be completely removed, including the java-based PRIME Explorer and PKI Encoder client. The PKI Encoder client will be replaced with technology based on Nexus Personal / Messaging Server.
For information on limitations, see Limitations for Identity Manager.
For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/.
Nexus offers maintenance and support services for Nexus PRIME to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.