Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.

Version: 22.04.3

Release date: 2022-10-12

The Smart ID 22.04.3 release provides updates, improvements, and bug fixes for the components included to ensure high quality and security.

Upgrade Smart ID

See Upgrade Smart ID with general information regarding upgrading Smart ID. See also specific information regarding upgrade from 21.10 to 22.04: Upgrade Smart ID Identity Manager from 21.10 to 22.04.

Smart ID compatibility

Smart ID 22.04.3 is compatible with the following component versions: 

Detailed feature list


Jira ticket noDescriptionDigital AccessIdentity Manager & Self-ServicePhysical AccessMessaging

Search for entity reference ID

Two new parameters for "Execute Search Task" have been introduced to be able to search for a certain object via the (internal) entity reference ID, provided by the process map. For more information, see "Process: Execute Search Task" in Process - Standard service tasks in Identity Manager.



Improved logging for BPMN-history cleaner

Improved logging on debug level for the BPMN-history cleaner background job.



Minidriver AdminKeys on TCOS cards

This release supports management of Minidriver-AdminKeys and corresponding challenge-response mechanisms for TCOS3 cards in combination with TCOS3 middleware. For more information, see Encoding using T-Systems TCOS middleware in Identity Manager.



Added certificate filtering in case of Smart ID mobile and desktop authentication. For more details related to the filter and the extended property, see Signature filtering for Smart ID authentication.



Upgraded Tomcat version to v9.0.65



Added ability to pass the certificate attributes in the SAML response back to the service provider when Digital Access acts as Identity Provider (IDP) in case of Personal Desktop and Personal mobile authentication. 



Added a field for SAML SLO URL in the admin UI when a Service Provider (SP) is configured manually with Digital Access acting as IDP. 



Add one more encoding method for SP while sending the Subject parameter - Url Safe Base 64. This will url safe base 64 encode the subject in the SAML response.



Added support for Oracle database, see Smart ID deployment recommendations.


Added externalId as query url parameter in content provider callback. 


Swagger configuration changed in updated swaggerV3 and it is enabled by default, see Install Hermod.


The sqlserver jdbc driver has ssl encryption enabled by default. To disable it, see "Example: cod-hermod.yml" in the Hermod configuration in Install Hermod.


The endpoint info is disabled by default in the updated java spring 2.7.1, see Install Hermod how to enable.


Corrected bugs

Jira ticket noDescriptionDigital AccessIdentity Manager & Self-ServicePhysical AccessMessaging

There was an issue where the "CA proxy" (used for the ADCS PKI connector) accepted expired server certificates as long as the client certificate was valid. This has been fixed.



There was an issue where a blank (black) page sometimes was shown in the content area of Smart ID Self-Service, after a process from "possible actions" completed. This has been fixed.



Certain keys could not be recovered with the ADCS connector. This has been fixed.



When opening the search in a self-service user form which had a full CoreObject List, the items from the list in the form did not get pre-selected in the search. This has been fixed.



There was an issue where the post-login process worked with username/password authentication, but not when SAML authentication was used in Smart ID Self Service. This has been fixed.



Date conversions in the mapping tasks provided the wrong results when NULL or empty values where provided as input values. This has been fixed.



Fixed an issue in the web session handling when running card production tasks in asynchronous multi-instance BPMN processes.



There was an issue where the Smart ID Agent initially worked, but then after a certain time, when checking the connection, it failed to reconnect and might cause the Identity Manager Operator to hang. This has been fixed.



There was an issue where open tasks sometimes got duplicated in the Open Tasks list in Identity Manager Operator. This has been fixed.



There was an issue where read-only fields in Smart ID Self-Service forms could be changed by editing the html source code in the debug mode of the browser. This has been fixed.



Fixed an error in searches, when searching for "null" or empty values on external JDBC data sources.



When using post-login processes, there was an issue for some users where the role assignment did not work correctly due to conflicting internal user/role IDs. This has been fixed. 



The PGP recovery task did not support CoreObject Descriptor Lists (only CoreObject ID). This has been fixed.



There was an issue with the Fetch-Entitlements task in Identity Manager throwing an "IllegalArgumentException". This has been fixed.



Some missing French translations were added in Identity Manager Admin UI.



There was an issue where some "BatchSync" jobs could not be executed due to duplicate keys in the internal job table. This has been fixed.



Fixed a version conflict related to "JAXWS" web service library, which caused connection issues to third party web services in some rare cases.



Initialization values for hidden fields were not written into the process map anymore. This has been fixed.



Fixed the js warning in the built-in script GenericForm.html.



Fixed the issue with the need to have the password authentication mechanism enabled for delegated user-storage users in admin.



Memory handling changed when doing a publish in Administration Service, reducing required memory and improving the performance.



Fixed a null pointer exception when updating Authentication Servers for the Personal Mobile/Personal Desktop authentication mechanism. 



[Nexus GO] Digital Access Policy Service REST endpoint: rest/v1.0/saml/authnrequest handled requests very slowly and caused a high CPU usage. This is fixed by reading from the cache instead of the xml.



Fixed a null pointer exception when doing SAML authentication in Digital Access 6.1.4.



Upgrading Digital Access from 6.0.5 to higher versions updates the Internal host values to names instead of IP, which should not be the case for deployments other than Swarm.



Fixed an error causing Policy Service to crash, instead of crashing, Policy Service will now log a warning message indicating there is an invalid expression that needs to be amended via Administration Service UI.



In case of Digital Access upgrade from 6.1.3 to 6.2.0, the BankID version was not getting updated to v5.1. This has been fixed. 



Fixed an issue with OpenID Connect userinfo endpoint where the service incorrectly removed the end-user session after completion.



Fixed the issue where the OCSP server was not getting contacted in case of personal mobile/desktop authentication.



Added Siport refactoring for improving performance.


Release announcement

For details on the updated Smart ID configurations and deployment configurations, see here: 


Smart ID deployment configuration release note
All notable changes to this project will be documented in this file. Be aware that the [Unreleased] features are not yet available in the official tagged builds.  

## [Release 22.10.0-2022-09-20]

### Added

- Added ContentProviderJWSSigner descriptor in signencrypt.xml. [CRED-12232]
- Added to renew end-entity certs.


  - This only works if you (re-)bootstrap with the updated, as the old version discarded data required for renewal.
  - Re-bootstrapping will invalidate any encrypted secrets and history signatures in IDM due to chaning the keys.
  - Re-bootstrapping will also overwrite the certificates and keys in the docker deployment folder, so make a backup first,
    so you can use the respective tools for re-signing and re-encrypting existing history/secrets.

### Changed

- automatically (re-)start mailhog
- fixed naming of traefik rules for mobile-iron
- Changed to retain keypairs and CA metadata, so we can enable renewal (see above).
- Removed cRLSign attribute from ca.conf to avoid issues with failing CRL checks.

  NOTE: This only has an effect on newly bootstrapped CAs. 

## [Release 22.04.0-2022-05-05]

- Added Mobile Iron Docker image. [CRED-11817]
- Added new properties for MI image in smartid.env. [CRED-11817]

### Changed

- Changed properties for Nexus GO Cards API V2. [CRED-12951]

## [Release 21.10-2021-11-09]

### Added

- Added Digicert Global Root CA certificate. [CRED-11688]
- Added some Let's Encrypt root certificates. [DEVOPS-971]
- Added documentation for maxProfiles option to hermod-conf.yml
- Added `.yamllint` file to set default YAML linting config. [DEVOPS-1085]
- Added volume mapping for logs folder in IDM and Self Service. [DEVOPS-403]
- Fixed cacerts folder permissions in script.
- Added support for docker compose v2 command in script.

### Changed

- New properties for CAAS credentials in smartid.env (placeholders must be replaced before using Nexus GO Cards). [CRED-11688]
- Fixed some copy issues in the script.
- Changed the default selfservice config to include auth methods params example.
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Fixed typo. [DEVOPS-1090]
- Replaced Self-Service `IDM_URL`, `INSTANCE_ID`, `IDM_TENANT` by `APPLICATION_YAML` json. [DEVOPS-1127]
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Fixed YAML format. [DEVOPS-1085]
- IDM and SelfService now support custom translations and do not require mapping the whole translation files again. See doc for more info. [DEVOPS-1118]
- Change Import Logger to correct class [DEVOPS-1143]
- Switched to new image naming for IDM
  - `nexus-prime/explorer` changed to `smartid/identitymanager/operator`
  - `nexus-prime/designer` changed to `smartid/identitymanager/admin`
  - `nexus-prime/tenant` changed to `smartid/identitymanager/tenant`
  - `nexus-prime/updatedb` changed to `smartid/identitymanager/updatedb`
  - `nexus-prime/ussp2` changed to `smartid/selfservice`
- Changed Smart ID version to 21.10.0

### Removed

- Removed Self-Service config.json file. [DEVOPS-945]
- Removed expired Let's Encrypt certificates. [DEVOPS-971]
- Removed translation files for IDM and SelfService. [DEVOPS-1118]

## [Release 21.04.2-2021-09-13]
### Added
- HTTPS support for Physical Access integra. [DEVOPS-1211]
- Environment variable to control debug logging in Physical Access SCIMAPI. [DEVOPS-1211]
### Changed
- Set logging driver to json-file (the default one) for all containers explicitly [DEVOPS-1136]
- Change Import Logger to correct class. [DEVOPS-1143]
- RabbitMQ now uses external docker image. [DEVOPS-1211]

## [Release 21.04.1-2021-07-02]

### Changed
- It is now possible to change IDM language settings via system properties. [DEVOPS-860]
- It is now possible to change Self-Service configuration via `CONFIG_JSON` environment variable. [DEVOPS-945]
- Updated SmartID version to 21.04.1

### Removed
- Removed Self-Service config.json file. [DEVOPS-945]
- Removed hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-06-10]

### Added
- Added some Let's Encrypt root certificates. [DEVOPS-971]

### Changed
- Fixed some copy issues in the script.
- Changed the default selfservice config to include auth methods params example.
- Update Language files for IDM. [DEVOPS-1067]

### Removed
- Removed expired Let's Encrypt certificates. [DEVOPS-971]

## [Release 21.04.0-2021-05-28]

### Added
- Added new Let's Encrypt cert. [DEVOPS-946]
- Added hotfixes for 21.04.0 for [DEVOPS-970] [DEVOPS-974] [CRED-10768]

## [Release 21.04.0-2021-05-20]

### Added
- Default values for Selfservice tenant id and instance id. [DEVOPS-738]
- Added example format for MSSQL everywhere we build the DB URL (`${DBHOST}/${XX_DB_NAME}`) because MSSQL requires a different URL format. [DEVOPS-737]
- Include SANs from CSR in bootstrap TLS cert in `bootstrap/conf/ca.conf`.
- Generate tls certificate for non-treafik setup in `bootstrap/`.
- Log4j2 config and template for json layout [DEVOPS-758]
- Datadog agent compose file, with some examples, see nexus and datadog documentation if you want to use it [DEVOPS-759]
- Added a check in `` that exits the script if user didn't fill the mandatory properties in `smartid.env` (thoose with <XX> value pattern). [DEVOPS-759]
- Added Physical Access Interflex PACS. [DEVOPS-752]

### Changed
- IDM DB will no longer be initialized through script. Initialisation has to be done manually by starting container in identitymanager/updatedb. [DEVOPS-739]
- Rename containers to use dash instead of underscore, so containerName can work for DNS lookup (underscore is not allowed in DNS names).
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align idm update db naming to use the name "updatedb" everywhere
  WARNING! This can cause issues if you use the new config with existing containers using the old names!
- Align digital access directory names with service names
- fix bootstrap cert folder permissions in init script
- Changed all HERMOD_* properties to MESSAGING_*. [DEVOPS-751]
- Moved each component's respective config into their own config folder. [DEVOPS-751]
- Made all volume mappings static in compose file, no more properties. [DEVOPS-751]
- Reorganized smartid.env to be split by component, making it easier to find component related properties. [DEVOPS-751]
- Internal ports (inside docker) are now static in the compose file. [DEVOPS-751]
- Moved postgres related properties outside smartid.env, because it is a separate tool not meant for production. [DEVOPS-751]
- Renamed service names in compose files to match their container name. [DEVOPS-751]
- Changed traefik version to 2.4.8. [DEVOPS-638]
- Changed file extension of generated certificates from `.base64` to `.cer`.
- Updated translation files for IDM. [DEVOPS-761]
- Updated Messaging config for 21.04 (Hermod version 3.1.1). [DEVOPS-802]
- Changed chmod command to give permission 700 instead of 600, because hermod needs execute permission.
- Updated SmartID version to 21.04

### Fixed
- Fixed typos in the strings that are echoed to the user during the initialisation. [DEVOPS-646]

### Removed
- Removed unused properties in smartid.env. [DEVOPS-751]
- Removed unused ports for Physical Access. [DEVOPS-752]
- Removed Physical Access config files. Configuration is now handled using environment variables. [DEVOPS-752]
- Removed TZ from all docker-compose files. Since it is set in `smartid.env` which is mapped using `env_file`, declaring the variable a second time in `env` was not necessary.

## [Release 20.11.2-2021-03-22]

### Added
- If you say Yes to the question if Digital Access shall be deployed in the host, it will make it possible for the containers to listen on 80 and 443. [DEVOPS-540]

### Changed
- Bump SmartID version to 20.11.2
- Updated IDM translation files with newer ones. [DEVOPS-561]
- Adjust volumes for hermod certificates. [DEVOPS-651]
- Removed Selfservice hotfixes introduced in previous release. [DEVOPS-626]

### Fixed
- Fixed tenant startup by removing mapped sign encrypt configuration, so it uses the default one from inside the container. Since IDM Tenant uses less certificates, the same config as IDM operator or admin cannot be used.[DEVOPS-640]
- Fixed the script used in IDM operator, admin and tenant [DEVOPS-692] + [DEVOPS-656]

## [2020.11.1-2021-02-18]
### Added
- Added issuing and root CA certificates to IDM containers for config signing (These certs should NEVER be used for production). [DEVOPS-549]
- Added hotfix for SelfService -> IDM connection [DEVOPS-626] Has to be removed with 20.11.2+.
### Changed
- Update sign-encrypt engine to the newest state. [DEVOPS-549]
- Update version number to 20.11.1

## [Release 20.11.0-2020-12-22]

### Added
- Added support for selfservice branding. [DEVOPS-471]
- Added log4j volume mapping for idm containers. [DEVOPS-470]

### Changed
- Updated traefik version to 2.3.4 [DEVOPS-464]
- Renamed selfservice container from "idm_selfservice" to "selfservice".
- Renamed all environment variables starting with "IDM_SELFSERVICE_x" to "SELFSERVICE_x".
- Changed Hermod config to disable by default some end-points and to hide sensitive data in logs. [DEVOPS-484]
- Improved the `` script to handle dynamically all docker-compose stop commands and to work regardless of where the script is called from.
- Improved the `` script to work regardless of where the script is called from.
- Improved the `` script to work regardless of where the script is called from.
- Renamed `idm-selfservice-language.json` to `idm-selfservice-config.json`.

### Fixed
- Fixed volume mapping for selfservice tomcat server.xml by using a separate variable than identitymanager.
- Fixed French translations for IDM and Selfservice.

## [Release 20.11.0-2020-12-07]

### Added
- Added `postgres/init/init-smartid-databases.sql` so that Physical Access database is created when starting up postgres. The "pauser" is created, and a default password is set.
- Added LE CA Certificate to cacerts. [DEVOPS-455]
- Added AJP port variables in smartid.env and use them in identitymanager docker-compose files. Also added AJP Connector in `config/idm-tomcat-server.xml`, which has to be enabled manually (and port set accordingly). [DEVOPS-348]
- Add following new features to the identitymanager docker-compose files: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new system properties environment variable
  - Support for new DB properties environment variables
  - Support for new spring bean volume mapping. See `IDM_VOLUME_PATH_SPRING` in `smartid.env`.
  - Support for new jars volume mapping. See `IDM_VOLUME_PATH_LIBS` in `smartid.env`.
  - Support for new class files volume mapping. See `IDM_VOLUME_PATH_CLASSES` in `smartid.env`.
- Add following new features to the selfservice docker-compose file: [DEVOPS-406]
  - Support for new CA store volume mapping
  - Support for new IDM url environment variable
- Added adminer as tool [DEVOPS-407]
- Added maxVersion for TLS to be 1.2 due to compatibility issues with some mobile devices. [DEVOPS-413]

### Changed
- Changed smartid version to 20.11.0.
- Moved "/certs/boostrap" to "/boostrap".
- Changed postgres version in smartid.env from 9.6.18 to 12.5. [DEVOPS-431]
- Split identity manager containers into their own docker-compose files: [DEVOPS-382]
  - Added `identitymanager/admin/docker-compose.yml`
  - Added `identitymanager/tenant/docker-compose.yml`
  - Added `identitymanager/init-db/docker-compose.yml`
  - Added `identitymanager/operator/docker-compose.yml`
- Adapted `init-/`, and paths inside `smartid.env` and some docker-compose files to fit new docker-compose yaml files. [DEVOPS-382]
- Change the script to ask if traefik is going to be used as Ingress/proxy. [DEVOPS-408]
- Changed in `config/hermod-conf.yml` some values to <IDM-HOST-HERE> and <DA-HOST-HERE> on client samples.

### Removed
- Removed MSSQL from deployment package, since Physical Access now support postgres. [DEVOPS-448]
- Removed unnecessary variables in `smartid.env`.
- Removed identitymanager compose docker-compose file. [DEVOPS-382]
- Removed entrypoint definition from identitymanager docker-compose files. [DEVOPS-406]
- Removed pgAdmin and portainer and its variables from smartid.env. [DEVOPS-407]
- Removed modern and old options for tls in `config/traefik/traefik-tls.yml`. [DEVOPS-413]
- Removed TRAEFIK_TLS_OPTION from smartid.env. [DEVOPS-413]
- Removed identitymanager spring beans because we changed how handle them.
- Removed samples.

## [Release 20.06.1-2020-10-27]

### Added
- Added port forwarding to hermod container in the messaging docker-compose file.
- Added spring bean files for identitymanager in `config/idm/spring_operation` and spring_admin. 
- Added translation files for identitymanager in `config/idm/translation_id`m and for selfservice in `config/idm/translation_selfservice`.
- It is now possible to enable Strict SNI using TRAEFIK_TLS_STRICTSNI=true

### Changed
- changed smartid version to 20.06.1.
- Changed HERMOD_DOMAIN_PREFIX from "mb" to "messaging".
- Changed the DB init/update script behavior, can be controlled with `IDM_DBUPDATE_SCRIPT` in smartid.env.
- Changed `traefik-tls.toml` file to YAML and used variables from .env file. Possibility to change TLS certificate file names TRAEFIK_TLS_DEFAULT_CERTIFICATE and TRAEFIK_TLS_DEFAULT_CERTIFICATEKEY.
- Improved the `` script.
- Moved seflservice to a separate docker-compose file.

### Fixed
- Fixed the jdbc url for `config/da-admin-customize.conf`.

### Removed
- Dropped `restart: always` for identittymanager init-db.
- Removed explicit DBHOST naming in `smartid.env` to force user to set its own value.

## [Release 20.06.0-2020-09-28]

### Added
- Added possibility to add custom-beans for IDM Operator and Admin, in `config/idm`.
- Added possibility to change translation for IDM Operator, Admin, Selfservice and Tenant.
- Added IDM_DB_QUARTZ example for MSSQL, Oracle and DB2.
- Added `container_name` for all containers in:
  - identitymanager/docker-compose.yml
  - traefik/docker-compose.yml
- Added docker hostname for postgresdb DB_HOST in `postgres/docker-compose.yml`, this will make test deployment work from start.
- Added docker hostname for mssqldb PA_DB_HOST in `mssql/docker-compose.yml`.
- Added `restart: always` to all containers. All containers will the start up after re-boot, if they have been started once before.
- Included SAML example files for IDM in `/samples/idm_saml`.

### Changed
- Changed smartid version to 20.06.0.
- Changed explorer/operator url in `idm-selfservice-application.yml`.
- Changed location of Identity Manager SAML samples files from `/docker/compose/examples` to `/samples/idm_saml`.
- Updated ``:
  - Now check if docker and docker-compose are installed, if not the script will exit.
  - Now asks if the deployment is a production deployment, if "Yes", the script will complete and deployment configuration can be done. If "No":
    - Ask if postgres and/or mssql shall be deployed and started.

### Fixed
- Moved comments in `smartid.env` file to be on a separate line instead of behind the value. This was breaking the applications since comments would be evaluated as part of the value.
- Fixed `` so that it works properly on CentOS.
- Fixed a typo for variable `IDM_DB_QUARTZ`.
- Fixed typo in idm-operator container in `identitymanager/docker-compose.yml`, in the path to the castore.jks.

## Removed
- Removed ``, it is included in


Contact Information

For information regarding support, training and other services in your area, please visit our website at


Nexus offers maintenance and support services for Smart ID components to customers and partners. For more information, please refer to the Nexus Technical Support at, or contact your local sales representative.