Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients


This article describes how to install and configure the Unison Pacom Service, to enable integration between Smart ID Identity Manager (PRIME) Physical Access and Unison Pacom. 

Unison is an access control system provided by Pacom. It is managed through a GUI and a web service on the server, and the service interacts with Unison through the WCF service.

After integration, all administration of Users, Access Token and Entitlements (besides defining them) should be done in Identity Manager, never in Unison.

For details on which data can be imported and exported from Unison Pacom, see About import and export to Physical Access.



Prerequisites

The following prerequisites apply:

  • Physical Access is installed. See here.
  • Unison Pacom is installed.
  • The WCF service is installed.
  • The Message Queue Server must be running.

Configure Unison Pacom Service

The service is configured in the configuration table in the Physical Access database and in the configuration file. All configuration is cached when the service starts so any configuration changes will require the service to be restarted in order to take effect.

 Set parameters in the configuration file

The configuration file is named UnisonService.exe.config.

To set parameters in the PACS connector service configuration file:

  1. Open the .exe.config file for editing. The file must be located in the same folder as the .exe file.
  2. Edit any parameters in the appSettings section. For more information, see the table below.
  3. Save and exit the file.

| Parameter | Required or Optional | Description |
|---|---|---|
| appSettings > SystemId | Required | The ID of the service. This ID is used when retrieving configuration from the database and must be unique. If running several instances of the service, each instance must have a unique ID, which means they must also have their own configuration in the database. This parameter must be configured before installing the service. |
| appSettings > PollInterval | Required | The number of seconds between each poll. Note that this is not the number of seconds to wait between polls; the wait time will be adjusted depending on how long each poll takes. Default value: 30 seconds. |
| appSettings > DBType | Optional | Indicates which database will be used. The database type can be MYSQL or MSSQL. Default value: MSSQL. |
| appSettings > ConnectionString | Required | A connection string to the Physical Access database, as configured in Install Physical Access in Identity Manager. The connection string pattern depends on DBType. Example connection string for DBType MYSQL: server=localhost;userid=user;password=password;database=pascard Example connection string for DBType MSSQL: Data Source=localhost\SQLEXPRESS;Initial Catalog=Prime_Backend;Integrated Security=True; |
| Client > endpoint address | Required for RCO and Integra | The endpoint address needs to be changed to point to the service. Example: endpoint address for RCO: http://localhost/AdminService/M5AdminService.asmx |

 Apply configuration

To apply the configuration in the PACS connector service:

  1. Insert the default configuration in the database, by running the service with the config parameter, for example:

    Example: Run Integra service with config parameter
    IntegraService.exe config
  2. If the service is already installed, it must be restarted for the configuration to be applied. See Restart PACS connector service.

 Configure database

To change the database configuration:

  1. Open the PACS admin panel:
    1. Go to the folder \PACS_Backend.
    2. Double-click the shortcut pacs_adminpanel.
      The admin panel opens in a browser. 
  2. Log in as an admin user.
    All configured PACS connector services are listed, as well as Generic configurations to define the messaging queue. 
  3. Click on a system to do updates.
    All database entries are listed. 
  4. To update an entry, click on the icon. Edit as needed and then click Update.
  5. To create an entry, click on +Create. Select Group, enter Key, Value and Index, and then click Create.

group: messagingqueue

| key | Data type | Required or Optional | Description |
|---|---|---|---|
| server | string | Required | IP address of the message queue server. If it is installed on the local server, localhost can be used. If the server is accessed remotely, the IP address must be specified. |
| username | string | Required | Username of the message queue server. Default value: "guest" |
| password | string | Required | Password of the message queue server. Default value: "guest" |
| system | string | Required | Defines which messaging queue to be used, either "rabbitmq" or "azureservicebus". Default value: "rabbitmq" |

group: general

| key | Data type | Required or Optional | Description |
|---|---|---|---|
| updatesPerPoll | int | Optional | The maximum number of messages read from the message queue. Default: 100 |

group: unison

| key | Data type | Required or Optional | Description |
|---|---|---|---|
| host | string | Required | The hostname and path to the Unison.AccessService. The path should always point to the .svc file for the service. |
| username | string | Required | The username to use when connecting to the Unison Service. |
| password | string | Required | The password to use when connecting to the Unison Service. |
| cardmaxlength | string | Required | The maximum length of the card number that is sent to Unison. This is the default setting, used if no access profile setting is available. |
| identifiertype | string | Required | The type of identifier of the access token. This setting indicates which identifier type is used for the card number. |
| personnumberfield | string | Required | The unique value of the person, which is sent to Unison to represent the person uniquely. |
| layoutidentifiertype | string | Required | Used to set the identifier type of the layout. This setting is required to configure access profiles. |

Example

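| Id | Group | Index | Key | system | value |
|---|---|---|---|---|---|
| 1 | general | 0 | updatesPerPoll | Unison | 100 |
| 2 | unison | 0 | host | Unison | http://my.company.com/Unison.AccessService |
| 3 | unison | 0 | username | Unison | admin |
| 4 | unison | 0 | password | Unison | admin |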

group: cardformatmappings

The optional setting cardformatmappings can be used to configure access profiles. If cardformatmappings is used, then all its settings are required to be configured, otherwise the connector will throw an error. This setting directly depends on the setting layoutidentifiertype.

| key | Data type | Required or Optional | Description |
|---|---|---|---|
| layout | string | Required | The value of the identifier type that is configured in the setting layoutidentifiertype. Example: The connector will fetch the value of layout from access token identifiers, for example, Standard Magnetkort, and search in the configuration group cardformatmappings for the same value of layout, that is, Standard Magnetkort. If this setting is found, then the card will be exported with this configuration. |
| profile | string | Required | The Unison card profile to use when matching profiles to the Unison Service. For a matching profile name, the profile key is assigned to the card. |
| identifiertypes | string | Required | A comma-separated list of identifier types to match in access token identifiers. Only if the complete list exists in the identifiers will the system transfer the data in the associated fields. Otherwise the card will be marked with errors. |

By default, the system will use the default profile from Unison with identifiertype and cardmaxlength configurations to transfer access tokens to Unison.

| key | Data type | Description |
|---|---|---|
| fieldnames | string | A comma-separated list of Unison system fields to transfer data. The system will match predefined types CardNumber, SystemNumber, VersionNumber and MiscNumber. |
| format | string | A comma-separated list of access token format types to validate encoding format for the associated profile. The system will match predefined types Hex, Dec and Binary. |
| length | string | A comma-separated list of lengths of identifier types to validate the length of access token identifiers. |

Example

The table below shows a sample configuration of an access profile called Standard Magnetkort. The access token identifiers are configured in the following way:

"Identifiers": [
   {"type": "mifare","value": "999809"},
   {"type": "Layout","value": "Standard Magnetkort"},
   {"type": "SystemNumber","value": "100000"},
   {"type": "VersionNumber","value": "01"}
]

| Id | Group | Index | Key | system | value |
|---|---|---|---|---|---|
| 14 | cardformatmappings | 0 | layout | Unison | Standard Magnetkort |
| 15 | cardformatmappings | 0 | profile | Unison | Standard Magnetkort |
| 16 | cardformatmappings | 0 | identifiertypes | Unison | mifare,SystemNumber,VersionNumber |
| 17 | cardformatmappings | 0 | format | Unison | Dec,Dec,Dec |
| 18 | cardformatmappings | 0 | length | Unison | 6,6,2 |
| 19 | cardformatmappings | 0 | fieldnames | Unison | CardNumber,SystemNumber,VersionNumber |

In the cardformatmappings configuration, remove extra spaces from key and value and make sure that all keys are in lowercase.
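
The cardformatmappings rules above can be checked before the rows are inserted in the database. The following Python check is an added example, not Nexus code: the function names are hypothetical, and it assumes that all six keys are required, that the comma-separated lists align by position, that length means exact length, and that the layout identifier type is "Layout" as in the sample identifiers.

```python
import re

# Assumed: all six keys required, lists align by position, "length" is exact.
REQUIRED = {"layout", "profile", "identifiertypes", "fieldnames", "format", "length"}
LISTS = ("identifiertypes", "fieldnames", "format", "length")
FIELDS = {"CardNumber", "SystemNumber", "VersionNumber", "MiscNumber"}
FORMATS = {"Hex": r"[0-9A-Fa-f]+", "Dec": r"[0-9]+", "Binary": r"[01]+"}

def check_mapping(rows):
    """Return configuration errors for one cardformatmappings entry (key -> value)."""
    errors = []
    for key, value in rows.items():
        if key != key.strip().lower() or value != value.strip() or re.search(r"\s,|,\s", value):
            errors.append(f"{key!r}: keys must be lowercase, no extra spaces in key or value")
    if REQUIRED - set(rows):
        return errors + [f"missing keys: {sorted(REQUIRED - set(rows))}"]
    cols = {k: rows[k].split(",") for k in LISTS}
    if len({len(c) for c in cols.values()}) != 1:
        errors.append("comma-separated lists differ in length")
    errors += [f"unknown field name {f!r}" for f in cols["fieldnames"] if f not in FIELDS]
    errors += [f"unknown format {f!r}" for f in cols["format"] if f not in FORMATS]
    errors += [f"length {n!r} is not a number" for n in cols["length"] if not n.isdigit()]
    return errors

def map_token(identifiers, rows, layout_type="Layout"):
    """Return (fields, errors); fields is empty if the card would be marked with errors."""
    errors = check_mapping(rows)
    ids = {i["type"]: i["value"] for i in identifiers}
    if not errors and ids.get(layout_type) != rows["layout"]:
        errors.append(f"no mapping for layout {ids.get(layout_type)!r}")
    if errors:
        return {}, errors
    fields = {}
    for typ, name, fmt, length in zip(*(rows[k].split(",") for k in LISTS)):
        value = ids.get(typ)
        if value is None:
            errors.append(f"identifier {typ!r} missing")
        elif not re.fullmatch(FORMATS[fmt], value) or len(value) != int(length):
            errors.append(f"{typ}={value!r} is not {fmt} of length {length}")
        else:
            fields[name] = value
    return ({}, errors) if errors else (fields, [])

# Rows 14-19 and the identifiers from the Standard Magnetkort example on this page.
ROWS = {"layout": "Standard Magnetkort", "profile": "Standard Magnetkort",
        "identifiertypes": "mifare,SystemNumber,VersionNumber", "format": "Dec,Dec,Dec",
        "length": "6,6,2", "fieldnames": "CardNumber,SystemNumber,VersionNumber"}
IDS = [{"type": "mifare", "value": "999809"}, {"type": "Layout", "value": "Standard Magnetkort"},
       {"type": "SystemNumber", "value": "100000"}, {"type": "VersionNumber", "value": "01"}]
```

Calling map_token(IDS, ROWS) returns the Unison field values for the sample card with an empty error list. A configuration such as "Dec, Dec,Dec" is rejected because of the extra space.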

group: userfieldmappings

This mapping is used to export values of user-related objects, such as the User, Email, Address, Phone and Useradditionalfields table fields, to Unison fields. For exporting user table fields, the configuration setting is a combination of Table_name.column_name, field_id_of_Unison. For the rest of the tables, it is Table_name.value_type, field_id_of_Unison.

| Id | Group | Index | Key | system | value |
|---|---|---|---|---|---|
| 20 | unison.export | 1 | userfieldmappings | Unison | phone.mobile,1 |
| 21 | unison.export | 1 | userfieldmappings | Unison | Address.work,2 |
| 22 | unison.export | 1 | userfieldmappings | Unison | Email.work,3 |
| 23 | unison.export | 1 | userfieldmappings | Unison | useradditionalfield.category,4 |
| 24 | unison.export | 1 | userfieldmappings | Unison | user.ssn,5 |
| 25 | unison.export | 1 | userfieldmappings | Unison | user.title,6 |

 Unison Pacom field mapping

The service mainly transfers user data including related access tokens and entitlement assignments. The tables below show the default field mapping.

If needed, additional fields can be configured, using the SCIM API and useradditionalfield in the database configuration. 

User field mapping

By default, the following data is mapped between the USER table in the Physical Access and the Unison service: 

| SR No | Physical Access field (Web API) | Unison field (UI) |
|---|---|---|
| 1 | givenname (givenName) | firstName (förnamn) |
| 2 | familyname (FamilyName) | lastName (efternamn) |
| 3 | pin (Pin) | pinCode (PIN) |
| 4 | Collection of multiple fields of User, email, address, phone and email | fields (Fields defined in UI) |

Access token field mapping

By default, the following data is mapped between the ACCESSTOKEN and ACCESSTOKENIDENTIFIER tables in the Physical Access and the Unison service: 

| SR No | Physical Access field (Web API) | Unison field (UI) |
|---|---|---|
| 1 | CardNumber (identifiers-type-value) | CardNumber (Kortnummer) |
| 2 | Configuration Card Profile (identifiers-type-value) | ProfileKey (kort profil) |
| 3 | assigneeId (assignee) | UserKey (User) |
| 4 | Configuration Card Profile (identifiers-type-value) | SystemNumber (Systemnummer) |
| 5 | Configuration Card Profile (identifiers-type-value) | VersionNumber (Versionsnummer) |
| 6 | Variable "Misc-" + AccessTokenID | MiscNumber (Not on UI) |

Entitlement assignment field mapping

By default, the following data is mapped between the ENTITLEMENTASSIGNMENT table in the Physical Access and the Unison service: 

| SR No | Physical Access field (Web API) | Unison field (UI) |
|---|---|---|
| 1 | assigneeid (assignee-value) | userKey (Selected User Name) |
| 2 | entitlementid (entitlement-value) | groupKey (Group Name) |
| 3 | validfrom (ValidFrom) | validFrom (giltig fr.o.m.) |
| 4 | validto (ValidTo) | validTo (giltig t.o.m.) |

Install Unison Pacom service

 Install service

The installation file is named UnisonService.exe.

Before installing the PACS connector service, make sure that the configuration is done and inserted in the database, to avoid errors. 

To install the PACS connector service:

  1. Run the .exe file with the install argument from a command prompt with administrator privileges, for example:

    Example: Install Bravida Integra service
    IntegraService.exe install

If you want to make any changes to the configuration file or the database configuration after installing the service, you must first uninstall the service using the uninstall flag, then change the configuration, and then install the service again.

Restart Unison Pacom service 

 Restart service

The service SystemId is Unison.

To restart the PACS connector service, do one of the following:

  1. On Windows, restart using Microsoft Services:
    1. Open Services by search or by using Run and typing services.msc.

    2. Search for the service, right-click on it and select Restart.

  2. Restart using command line:
    1. Open a command-line interface with administrator privileges.
    2. Stop the service with the following command: 

      Net stop <SystemId>
    3. Start the service with the following command:

      Net start <SystemId>

Example: Restart in command-line interface