ECC keys for Smart Card encoding

Nexus PRIME now supports ECC keys on smart cards. ECC keys can be created on the chip or imported for encryption certificates so that all standard use cases can be covered in a similar way like with RSA keys.

Note that support of EEC keys and corresponding ECC algorithms depends on the features that are provided by the smart cards and the corresponding middleware.

QuoVadis Standard PKI Connector

With this release, PRIME introduces a new standard PKI connector to the trust center: "QuoVadis". With the QuoVadis connector, all typical standard use cases can be covered depending on the account that the customer has at QuoVadis.

KeyBackup for Encryption keys is part of the connector, but  will be done via a Nexus Key Management solution that requires a separate license.

Generic search filters for date/time

The Search Configurations now support generic search filters for date/time fields. It is now possible to add expressions, like ${today.plusDays(30)}, in the search filter to search for cards or certificates that are about to expire. This mechanism can also be used to delete old records automatically via Batch Sync to fulfill GDPR requirements.

Deleting old object history

With the previous release, a validation frame for the signed object history was introduced, so that an administrator can limit the validation to a certain time frame (for example, only validate the last x years). To complete this functionality, the possibility to delete records that are outside the validation frame is now introduced, to align with the GDPR requirements.

Nexus PRIME Designer moved to HTML

With PRIME 3.9, PRIME Designer is now a pure HTML5 application. On the one hand the technology changed from Java Webstart to HTML, on the other hand also the look and feel was updated to a modern HTML style. PRIME Designer therefore will run now in an up to date HTML5-browser without requiring a local Java on the client.

The old Webstart Designer is no longer available in PRIME 3.9.

Data Source configuration made more user friendly

The setup of the internal data sources in the data pool configuration was revised and made more user friendly. Labels are updated and unnecessary objects are removed.

Standard Service Task cleanup

PRIME provides a set of standard service tasks (so called "parametrized actions") that can be used in the process, for example, to create random PINs, link objects, issue certificates etc. The naming of the tasks was changed to more user friendly descriptions and also some deprecated task were removed so that is easier to find the right task in the list.

FIPS compliant keys in ADCS connector

When using ADCS as PKI in PRIME, the RSA keys for encryption certificates are created in the ADCS connector on the server, in order to do a key backup in ADCS. These keys are now FIPS complaint so that virtual smart cards on TPM 2.0 can be used as well with PRIME.

Introducing new PRIME User Self Service Portal

A new User Self Service Portal (USSP) for PRIME was introduced. It is a completely new application with new UI framework, improved user experience and updated style. The USSP version that comes with PRIME 3.9 provides basic functionalities like starting processes, navigation through "my items", like cards, certificates and personal data. A few features from the old self service are still missing (like searching buttons, SAML authentication and smart card operations) and will be provided with the next version. For that reason, the old self service portal can still be used in parallel in PRIME 3.9 and will be deprecated with the next release.

User friendly item lists in PRIME Designer

With this release all listings of configuration items in Designer (like Search Config, Forms, Datapool etc.) was updated and aligned. Now all lists contain at least the symbolic name and the corresponding translation, to the currently used language. Items that have an optional description field will show this as well.

Added SAN support for encryption certificates in ADCS

The ADCS connector in PRIME had a limitation, that SAN attributes were only supported for authentication and signing certificates. This has now been improved, so that for all certificate types, a SAN (like upn or rfc822name) can be set.

Introducing Virtual Smart Card solution with Nexus Personal

The new Windows 10 Nexus Personal App introduces a Virtual Smart Card (VSC) functionality. Nexus PRIME provides standard workflows for VSC based on Nexus Personal.

Configuration of SAML authentication moved to PRIME Designer

With PRIME 3.9, the configuration of the SAML authentication profile was simplified. All configuration is now moved to the Designer UI, and is therefore more user friendly. Also - since the configuration is then stored in the database - SAML is now completely tenant-aware and can easily be deployed via configuration export.

Server side support for Java 11

With PRIME 3.9, Java 11 can be used on the server side. Due to the changed licensing model of Oracle, Nexus is focusing on OpenJDK Java support and therefore recommends this as the primary Java platform from now on. Nevertheless, Oracle Java 8 and 11 are still supported.

Note that PRIME components that require a client side Java (like Webstart Explorer and PKI Encoder), still relies on Oracle Java 8.

Supporting all available CRL reasons for CM via state graph

It is now possible to configure all CRL reasons that are available in CM as a certificate state in the PRIME state graph. These states can be selected in the revocation process and passed to the PKI accordingly.

Updated Bewator Omnis Connector

The PACS connector to Bewator Omnis was updated to the latest version.

Standard PACS Connector to Unison

With PRIME 3.9, a new Standard Connector to Pacom Unison was introduced.

PRIME PACS Backend supports MS SQL

With this release, the PACS connector backend was revised, restructured and removed dependencies from the predecessor product IDC. With these changes, the PACS backend can now run also in MS SQL database.

Updated PACS connector to Integra

With this release, the connector to Bravida Integra was upgraded. The connector now uses the latest API EasyConnect V2.

Introducing access rules for Smart ID Physical Access

With this release, standard workflows for managing access rules for Physical Entitlement Management (Smart ID Physical Access) are provided. Access rules provide the possibility to automatically assign entitlements in the PACS based on a certain rule set. For example, a specific field in the user record or based on Access Groups that are linked to the Access Rule.

Introducing access groups for Smart ID Physical Access

With this release, access groups as added as a new feature to the standard workflows for Physical Entitlement Management (Smart ID Physical Access). Access groups can be created, deleted and modified. The access groups are used to bundle a certain group of people (for example, teams, organizations, locations) so that - based on an access rule - this group of people will automatically get assigned an entitlement in the PACS.

CRED-6044

Drag&Drop of data pool fields in Process Configuration of Standard Service Tasks did not work properly. This is fixed now.

CRED-6462

In the data pool configuration, the display name in the field list is now sortable.

Editable init value in search configuration was not working. This is fixed now.

Missing translation of object state in related object view is fixed.

Fixed certificate request parsing when request contains an upper case IPv6 address in SAN IP.

Fixed updating of creation and modification date in CoreObjects when saving.

Aligned revoke states of ADCS Connector with PRIME standard workflows.

The standard service task to create PDFs did not resolve encrypted fields. This is fixed now.

Fixed timeout message in USSP. It showed an empty popup message.