Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients


This article describes standard service tasks that can be used with Smart ID Identity Manager (PRIME).

The default values below are only examples. The values must be configured for the desired behavior of the task.


Parameters and values

Optional and mandatory parameters

Mandatory parameters must not be deleted when you configure a Standard service task; otherwise the task fails at runtime. PRIME Designer currently does not check that mandatory parameters are present.

Default values at design time

For some parameters of the Standard service tasks, default values at design time are documented here. These defaults are only relevant when configuring a new service task in PRIME Designer: the default value is automatically added as the parameter value at that time. The process designer may change the value or delete the parameter; in that case the design-time default has no effect at runtime.

Default values at runtime

A parameter which is not mandatory may be deleted at design time. At runtime the following default values are in effect, depending on the parameter type:

Type    | Default value at runtime
--------|-------------------------
Date    | Current date, measured to the nearest millisecond
Boolean | false
(other) | null

Standard service tasks

Card Production


Card Production: Nexus GO Cards order status

Description

Use this task to run a search on the Nexus GO Cards ordering API to get the status of an order which was previously launched through Nexus GO Cards production.

Configuration

To use this task, configure the following delegate expression in your service task:

${caasCardOrderStatusAction}

The following parameters can be configured in PRIME Designer:

Parameter             | Mandatory | Sample value         | Description
----------------------|-----------|----------------------|------------
orderId               | yes       |                      | The orderId (or requestId) provided by Nexus GO Cards when a card order is placed.
statusVariableKeyName | yes       | valid, pending, etc. | Defines the parameter name (for example orderStatus) which will contain the order status of the above orderId.
EM_rfIdType           | no        |                      | Determines the variable name for the RFID of type EM.
MIFARE_rfIdType       | no        |                      | Determines the variable name for the RFID of type MIFARE.
HITAG_rfIdType        | no        |                      | Determines the variable name for the RFID of type HITAG.
LEGIC_rfIdType        | no        |                      | Determines the variable name for the RFID of type LEGIC.

When the order status is retrieved from Nexus GO Cards, the RFID readouts can contain multiple entries of the same type.

For example:

{
    "foundCount": "1",
    "order": {
        "orderId": "3541415",
        "created": "2018-08-29 13:51:02",
        "orderStatus": "Valid",
        "orderStatusId": "1",
        "cardNumber": "BB-1808-636328",
        "layoutId": "147424",
        "productionDate": "2018-08-29",
        "validThru": "2023-08-29",
        "personName": "Demo, Dynamics",
        "readouts": [
            {
                "type": "EM_HEX_LSB",
                "uid": "9876543"
            },
            {
                "type": "EM_HEX_MSB",
                "uid": "12345678"
            }
        ]
    }
}

For these cases, the first value of the same type is used (EM_HEX_LSB and EM_HEX_MSB are considered to be of the same type).
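As an added example (not Nexus code), the following Go program applies the rule above to the sample response: each readout is reduced to its RFID family, the first uid per family wins, and only families with a configured *_rfIdType variable name are kept. The MIFARE readout and the variable names Card_RfidEm and Card_RfidMifare are constructed for the example, and deriving the family from the prefix before the first underscore is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Readout is one entry of the "readouts" array in the Nexus GO Cards order status response.
type Readout struct {
	Type string `json:"type"`
	UID  string `json:"uid"`
}

// orderStatusResponse models only the parts of the response this example needs.
type orderStatusResponse struct {
	Order struct {
		OrderID     string    `json:"orderId"`
		OrderStatus string    `json:"orderStatus"`
		Readouts    []Readout `json:"readouts"`
	} `json:"order"`
}

// rfidFamily reduces a readout type such as "EM_HEX_LSB" or "EM_HEX_MSB" to the RFID
// family "EM". Assumption for this example: the family is the token before the first underscore.
func rfidFamily(readoutType string) string {
	if i := strings.IndexByte(readoutType, '_'); i >= 0 {
		return readoutType[:i]
	}
	return readoutType
}

// firstReadoutPerFamily keeps only the first uid seen for each RFID family, in response order,
// which is the rule described above for duplicate readouts of the same type.
func firstReadoutPerFamily(readouts []Readout) map[string]string {
	first := make(map[string]string)
	for _, r := range readouts {
		fam := rfidFamily(r.Type)
		if _, seen := first[fam]; !seen {
			first[fam] = r.UID
		}
	}
	return first
}

// ProcessVariables returns the process variables the task would set: the order status under
// statusVariableKeyName, plus one variable per RFID family for which a *_rfIdType name was
// configured. rfidVarNames maps a family ("EM", "MIFARE", ...) to the configured variable name;
// families without a configured name are dropped.
func ProcessVariables(body []byte, statusVariableKeyName string, rfidVarNames map[string]string) (map[string]string, error) {
	var resp orderStatusResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("order status response: %w", err)
	}
	vars := map[string]string{statusVariableKeyName: resp.Order.OrderStatus}
	for fam, uid := range firstReadoutPerFamily(resp.Order.Readouts) {
		if name, ok := rfidVarNames[fam]; ok {
			vars[name] = uid
		}
	}
	return vars, nil
}

// SampleResponse is the order status JSON shown above, reduced to the relevant fields, with a
// constructed MIFARE readout added so that two RFID families are present.
const SampleResponse = `{
  "foundCount": "1",
  "order": {
    "orderId": "3541415",
    "orderStatus": "Valid",
    "readouts": [
      {"type": "EM_HEX_LSB", "uid": "9876543"},
      {"type": "EM_HEX_MSB", "uid": "12345678"},
      {"type": "MIFARE_HEX", "uid": "04A1B2C3"}
    ]
  }
}`

func main() {
	vars, err := ProcessVariables([]byte(SampleResponse), "orderStatus",
		map[string]string{"EM": "Card_RfidEm", "MIFARE": "Card_RfidMifare"})
	if err != nil {
		panic(err)
	}
	fmt.Println(vars)
}
```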

Card Production: Server Side Card Operation

Description

Use this task to execute card productions on the server side. The service task supports execution of encodings via Card SDK or the PRIME-integrated JPKIEncoder. Printing is currently not supported.

Configuration

To use this task, configure the following delegate expression in your service task:

${serverSideCardOperationTask}

The following parameters can be configured in PRIME Designer:

Parameter    | Mandatory | Sample value              | Description
-------------|-----------|---------------------------|------------
encodingName | yes       | PcmEncProduceEmployeeCard | Name of the encoding description to be executed.
cardSDK      | no        | true                      | Flag to configure whether the encoding is executed through Card SDK or directly through the PRIME server. Default is true, which means that the encoding is executed through Card SDK.

Certificates


Cert: Certificate Publication via CM

Description

Use this task to trigger a republishing or unpublishing action for a specific certificate on the Nexus CM based on the configured publication procedure.

Configuration

To use this task, configure the following delegate expression in your service task:

${certificatesPublicationTask}

The following parameters can be configured in PRIME Designer:

Parameter                | Mandatory | Sample value                                      | Description
-------------------------|-----------|---------------------------------------------------|------------
publicationProcedure     | yes       | CertEP CA Certificate to AD (Enrollment Services) | Publication procedure defined on the CM.
serialnumberField        | yes       | Certificate_CertSerial                            | Name of the field containing the serial number in the datamap.
DataPoolName_Certificate | yes       | Certificate                                       | Datapool name of the certificate.
serialNumberIsDecimal    | no        | true                                              | Indicates that the serial number is already in decimal format. If this field is set to "false" or left out, the serial number is interpreted as hex format.

Cert: Create ACME pre-registration order

Description

Use this task to create an ACME pre-registration order in Nexus Certificate Manager. You need to use Smart ID Certificate Manager 8.1 or later.

If you apply the CMSDK 7.18.1 downgrade package for PRIME 3.12, then this task will not be available.

Configuration

To use this task, configure the following delegate expression in your service task:

${acmePreRegistrationTask}


The following parameters can be configured in PRIME Designer:

Parameter           | Mandatory | Value | Description
--------------------|-----------|-------|------------
hmackey             | yes       |       | The shared secret that secures the further communication.
keyid               | yes       |       | Identifies the account.
alloweddomains      | no        |       | A comma-separated list of domains that the account is allowed to order certificates for.
certificateTemplate | yes       |       | Defines the CA connection and the certificate procedure for pre-registration. For details concerning the procedure, see Create ACME account with pre-registration.

Cert: Create SCEP order request

Description

Use this task to register or de-register Simple Certificate Enrolment Protocol (SCEP) order requests in Nexus Certificate Manager (CM).

The task is executed on server identities and uses some of their details to create the order request. It sends the common name and password for the specified token procedure to CM, so that CM will later accept (in case of registration) or reject (in case of de-registration) SCEP enrolment requests from the specified clients.

Configuration

To use this task, configure the following delegate expression in your service task:

${scepOrderRequestTask}

The following parameters can be configured in PRIME Designer:

Parameter    | Mandatory | Default value | Description
-------------|-----------|---------------|------------
certTemplate | yes       |               | Certificate template name which has token procedure and CM information.
commonName   | yes       |               | Defines the machine for which the auto-enrolment will be processed by its Fully Qualified Domain Name (FQDN), that is, the domain name of the machine or server. It is not possible to have multiple FQDNs in one registration; these would have to be separate registrations. However, the FQDN does support wildcards, so you could specify something like "test-*.example.com".
enrollReg    | yes       | true          | Registration enrolment flag (true/false).
password     | yes       |               | Password used to verify SCEP enrolment requests sent by clients later. It is the same password that the clients use in the SCEP enrolment request.
cpmState     | yes       |               | Decides whether this is a registration or a de-registration order request at CM. Set to 1000 to trigger a registration, 1001 to trigger a de-registration.
validity     | no        |               | Validity of the request order, either "always" or the number of days. CM defaults to "always" if not set.
emailAddress | no        |               | Email address of the responsible person.
ipAddress    | no        |               | IP address of the server or machine.
serialNumber | no        |               | Serial number of the device if available. It is not mandatory, so it can be blank.

Cert: Execute PKCS10 Request

Description

Use this task to send a PKCS#10 request to the configured CA. Based on the certificate template name, PRIME approaches a CA to request a new X.509 certificate. The certificate is stored in the PRIME database and added to the process map. Certificate templates provide a set of attributes that allow fine-grained configuration.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePKCS10RequestTask}

The following parameters can be configured in PRIME Designer:

Parameter                   | Mandatory | Sample value              | Description
----------------------------|-----------|---------------------------|------------
P10RequestFormEntry         | yes       | p10input                  | Process variable containing the bytes of a PKCS#10 request. These bytes are the content of either a PEM encoded or a binary CSR file.
P10RequestFormResult        | yes       | certResult                | Process variable where the certificate file is returned. The exact form of the certificate is controlled via booleanResultWithPEMHeaders.
certTemplate                | yes       | ScmCtServerCertificateP10 | Certificate template name.
booleanResultWithPEMHeaders | no        | true                      | Configures whether the certificate stored in the field denoted by P10RequestFormResult is the UTF-8 bytes of a PEM encoded certificate ("-----BEGIN CERTIFICATE----- ...") or the bytes of the plain binary form of the certificate.

Cert: Extract Certificate Attributes

Description

Use this task to extract attributes from a certificate. 

Configuration

To use this task, configure the following delegate expression in your service task:

${extractCertAttributesTask}

The following parameters can be configured in PRIME Designer:

Parameter         | Mandatory | Example value       | Description
------------------|-----------|---------------------|------------
X509Field         | yes       | Certificate_Data    | The name of the field containing the certificate as binary data. It must be contained in the process map.
RSAPublicExponent | no        | Cert_publicExponent | Field to store the public exponent of RSA certificates as BigInteger. Null for ECC certificates.
keySize           | no        | Cert_keySize        | Field to store the key size of the certificate's public key as Integer.
keyType*          | no        | Cert_keyType        | Field to store the key type description. For EC keys this also includes the curve name. Note: the format is subject to change.
keyUsage*         | no        | Cert_keyUsage       | Field to store the key usages.
extKeyUsage*      | no        | Cert_extKeyUsage    | Field to store the extended key usages.
hashAlgorithm*    | no        | Cert_hashAlgorithm  | Field to store the hash algorithm name.
validFrom         | no        | Cert_validFrom      | Field to store the start date of the validity period as Date.
validTo           | no        | Cert_validTo        | Field to store the end date of the validity period as Date.
subjectDN         | no        | Cert_subjectDN      | Field to store the subject distinguished name.
issuerDN          | no        | Cert_issuerDN       | Field to store the issuer distinguished name.
certSerialNumber  | no        | Cert_serialNumber   | Field to store the serial number.
cdpUrls*          | no        | Cert_cdpUrls        | Field to store a concatenated, comma-space-separated string of all CRL distribution point URLs.
ocspUrls*         | no        | Cert_ocspUrls       | Field to store a concatenated, comma-space-separated string of all OCSP responder URLs.
SAN_EMAIL         | no        | Cert_sanEmail       | Field to store the SAN email addresses.
SAN_UPN           | no        | Cert_sanUpn         | Field to store the SAN user principal names.
SAN_DNS           | no        | Cert_sanDns         | Field to store the SAN DNS names.
SAN_IP            | no        | Cert_sanIp          | Field to store the SAN IP addresses.
SAN_URI           | no        | Cert_sanUri         | Field to store the SAN uniform resource identifiers.
SAN_GUID          | no        | Cert_sanGuid        | Field to store the SAN globally unique identifiers.
SAN_RID           | no        | Cert_sanRid         | Field to store the SAN registered IDs.

In case of error

The following parameters are set in case of error:

Parameter                 | Mandatory | Value                                                                          | Description
--------------------------|-----------|--------------------------------------------------------------------------------|------------
ExtractionResult*         | no        | success (default) or error                                                     | The value defaults to "success". It is set to "error" if one of the following errors occurs: the field containing the certificate is empty, or one of the attributes exceeds 2000 characters (a limitation of Activiti).
ExtractionResultErrorMsg* | no        | "Certificate data is empty" or "The attribute 'xy' exceeded 2000 characters." | If one of the errors listed for ExtractionResult occurs, this variable is set to the corresponding message.

* These parameters require PRIME 3.12.4 or later.

Cert: Extract PKCS#10 Attributes From Request

Description

Use this task to extract all subject DN attributes, as well as the SAN attributes from a PKCS#10 request. The parameter value of P10RequestFormEntry has to match the symbolic name of the field in the PKCS10RequestEntryForm where the CSR file is uploaded. The extracted attributes will be put into the process data map under keys <valueOfP10RequestFormEntry><attributeName>, for example, PKCS10RequestFormEntryCn for the default value of P10RequestFormEntry and CN attribute or PKCS10RequestFormEntrySANEMAIL for San Email.

Configuration

To use this task, configure the following delegate expression in your service task:

${extractPKCS10AttributesFromRequestTask}

The following parameters can be configured in PRIME Designer:

Parameter           | Mandatory | Example value | Description
--------------------|-----------|---------------|------------
P10RequestFormEntry | yes       | p10input      | Process variable containing the content of a CSR file as an array of bytes. The CSR file might be either PEM encoded or binary.

Extracted attributes

Subject DN attribute | Abbreviation | Prefix                 | Result key
---------------------|--------------|------------------------|------------
Email                | E            | PKCS10RequestFormEntry | PKCS10RequestFormEntryE
Common Name          | CN           | PKCS10RequestFormEntry | PKCS10RequestFormEntryCN
Country              | C            | PKCS10RequestFormEntry | PKCS10RequestFormEntryC
Organisation         | O            | PKCS10RequestFormEntry | PKCS10RequestFormEntryO
Title                | T            | PKCS10RequestFormEntry | PKCS10RequestFormEntryT
Surname              | SURNAME      | PKCS10RequestFormEntry | PKCS10RequestFormEntrySURNAME
State                | ST           | PKCS10RequestFormEntry | PKCS10RequestFormEntryST
Given Name           | GIVENNAME    | PKCS10RequestFormEntry | PKCS10RequestFormEntryGIVENNAME
Organisation Unit    | OU           | PKCS10RequestFormEntry | PKCS10RequestFormEntryOU
Serial Number        | SN           | PKCS10RequestFormEntry | PKCS10RequestFormEntrySN
Unique Identifier    | UID          | PKCS10RequestFormEntry | PKCS10RequestFormEntryUID
Street               | STREET       | PKCS10RequestFormEntry | PKCS10RequestFormEntrySTREET

SAN attribute | Abbreviation | Prefix                 | Result key
--------------|--------------|------------------------|------------
SAN EMAIL     | SANEMAIL     | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANEMAIL
SAN GUID      | SANGUID      | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANGUID
SAN DNS       | SANDNS       | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANDNS
SAN UPN       | SANUPN       | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANUPN
SAN IP        | SANIP        | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANIP
SAN RID       | SANRID       | PKCS10RequestFormEntry | PKCS10RequestFormEntrySANRID

Other attribute              | Prefix                 | Result key
-----------------------------|------------------------|------------
Key size                     | PKCS10RequestFormEntry | PKCS10RequestFormEntryKeySize
Algorithm (+ curve)*         | PKCS10RequestFormEntry | PKCS10RequestFormEntryKeyType
Hash algorithm               | PKCS10RequestFormEntry | PKCS10RequestFormEntryHashAlgorithm
Signature valid (as boolean) | PKCS10RequestFormEntry | PKCS10RequestFormEntrySignatureValid

*Extracting the curve name currently does not work if multiple PRIME apps like Designer and Explorer run on the same Tomcat instance due to a classloader issue with JCE providers. In that case only the algorithm name is shown ("ECDSA") without the curve appended.
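As an added example, not the product's code, this Go program (standard library only) extracts the attributes listed above from a PEM or DER encoded CSR and stores them under <prefix><attributeName> keys; the CSR is constructed with a fresh P-256 key. It assumes repeated attributes (two OUs) are joined with ", "; UPN, GUID and RID SANs are otherName/registeredID entries that Go's parser does not expose, and IP SANs are left out for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"strconv"
)

// Subject DN attribute OIDs mapped to the abbreviations used in the result keys above.
var dnAttributeNames = map[string]string{
	"1.2.840.113549.1.9.1": "E", "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O",
	"2.5.4.12": "T", "2.5.4.4": "SURNAME", "2.5.4.8": "ST", "2.5.4.42": "GIVENNAME",
	"2.5.4.11": "OU", "2.5.4.5": "SN", "0.9.2342.19200300.100.1.1": "UID", "2.5.4.9": "STREET",
}

// Hash names stored under <prefix>HashAlgorithm for the signature algorithms handled here.
var hashNames = map[x509.SignatureAlgorithm]string{
	x509.SHA256WithRSA: "SHA256", x509.SHA256WithRSAPSS: "SHA256", x509.ECDSAWithSHA256: "SHA256",
	x509.SHA384WithRSA: "SHA384", x509.ECDSAWithSHA384: "SHA384",
	x509.SHA512WithRSA: "SHA512", x509.ECDSAWithSHA512: "SHA512",
}

// ExtractPKCS10Attributes parses a PEM or DER encoded CSR and returns its attributes under
// <prefix><attributeName> keys, the layout the task writes into the process map.
// Assumption: repeated attributes (for example two OUs) are joined with ", ".
func ExtractPKCS10Attributes(prefix string, csrBytes []byte) (map[string]string, error) {
	if block, _ := pem.Decode(csrBytes); block != nil {
		csrBytes = block.Bytes // PEM input: use the DER payload
	}
	csr, err := x509.ParseCertificateRequest(csrBytes)
	if err != nil {
		return nil, err
	}
	attrs := map[string]string{}
	add := func(name, value string) {
		if prev, ok := attrs[prefix+name]; ok {
			value = prev + ", " + value
		}
		attrs[prefix+name] = value
	}
	for _, atv := range csr.Subject.Names {
		if name, ok := dnAttributeNames[atv.Type.String()]; ok {
			add(name, fmt.Sprint(atv.Value))
		}
	}
	for _, e := range csr.EmailAddresses {
		add("SANEMAIL", e)
	}
	for _, d := range csr.DNSNames {
		add("SANDNS", d)
	}
	switch pub := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		add("KeySize", strconv.Itoa(pub.N.BitLen()))
		add("KeyType", "RSA")
	case *ecdsa.PublicKey:
		add("KeySize", strconv.Itoa(pub.Curve.Params().BitSize))
		add("KeyType", "ECDSA "+pub.Curve.Params().Name) // curve name appended, as in the table
	}
	hash, ok := hashNames[csr.SignatureAlgorithm]
	if !ok {
		hash = csr.SignatureAlgorithm.String() // unmapped algorithm: keep Go's name
	}
	add("HashAlgorithm", hash)
	// CheckSignature proves possession of the private key; a tampered CSR yields "false".
	add("SignatureValid", strconv.FormatBool(csr.CheckSignature() == nil))
	return attrs, nil
}

// NewSampleCSR builds a constructed PEM CSR with a fresh P-256 key for demonstration.
func NewSampleCSR() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName: "server01.example.com", Organization: []string{"Example Corp"},
			OrganizationalUnit: []string{"IT", "Security"}, Country: []string{"SE"},
			ExtraNames: []pkix.AttributeTypeAndValue{
				{Type: asn1.ObjectIdentifier{2, 5, 4, 42}, Value: "Dynamics"}, // GIVENNAME
				{Type: asn1.ObjectIdentifier{2, 5, 4, 4}, Value: "Demo"},      // SURNAME
			},
		},
		DNSNames: []string{"server01.example.com"}, EmailAddresses: []string{"demo@example.com"},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}
```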

Cert: Load Key History List

Description

Use this task to fetch the IDs of the latest certificates to be recovered and put them in the process map in a format suitable for key recovery. The user whose certificates are fetched is the user found in the process map. The certificates fetched are the <count> latest certificates of type <certTemplate> related via ObjectRelations either directly to the user or over a Card to the user.

SKI (Secure Key Injection): the task looks for associated cards of the person and retrieves thumbprint information if the card ICCSN is provided in the process map. This thumbprint is saved into the process map if it is available in the database.

Configuration

To use this task, configure the following delegate expression in your service task:

${prepareDataForCertificateKeyRecoveryTask}

The following parameters can be configured in PRIME Designer:

Parameter                | Mandatory | Example value   | Description
-------------------------|-----------|-----------------|------------
certTemplates            | yes       |                 | A comma separated list of the certificate core template names of the certificates to be recovered.
count                    | yes       |                 | Fetch the IDs of the latest <count> certificates.
processVariable          | yes       |                 | The process variable name where to put the IDs. The default value is "Certificate_CoreObjects". This default is taken from action-beans.xml, bean id="keyArchivalRequestPreProcessor" and bean id="certificateKeyRecovery" (bean[@id="keyArchivalRequestPreProcessor"]/property[@name="coreObjectIDKey"]/@value). You should use this default unless there is an urgent requirement for changing it.
DataPoolName_Certificate | yes       |                 | The datapool name of the Certificate core object.
DataPoolName_Person      | yes       |                 | The datapool name of the Person core object.
DataPoolName_Card        | yes       |                 | The datapool name of the Card core object.
ObjectRelationType       | no        | Default, Deputy | A comma separated list of relation types between Persons, Cards and Certificates (for example Default, Deputy). See the notes below.

When ObjectRelationType is provided, the task loads only a person's certificates with matching relations into the process variable; otherwise it loads certificates with all available relation types.

This is a general white-list which does not distinguish between the objects involved in a relation (Person<>Card, Person<>Certificate, Card<>Certificate, etc.). Therefore you have to be very careful when constructing the relations, to avoid accidental recovery of unwanted certificates.

Example

Let's assume that no direct Person<>Certificate relations exist (because no soft tokens and only cards were produced) and all Person<>Card relations use the type "Default". Then "Default" has to be part of the list. Otherwise no card could be found, and thus also no certificates of the card.

Let's also assume that some Card<>Certificate relations also use the type "Default", but you only want to recover those with type "User".

Then you will have a problem, because ObjectRelationType=Default, User will recover both types, and ObjectRelationType=User will recover nothing, as the parent relation between Person<>Card does not match.

To avoid this, make sure that all Card<>Certificate relations use a dedicated type. Soft token certificates related directly to a person will always use the default type, so they should not use the same certificate template as the ones on a card, if you do not want to include them.

To use this task, select it in PRIME Designer and configure the above parameters. No bean configuration is required. In a later action you must perform the Key Recovery.
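The white-list behaviour described in the example above, modelled in Go as an added example with constructed relation data (not product code): the same ObjectRelationType list filters Person<>Card, Person<>Certificate and Card<>Certificate relations alike, so "User" alone recovers nothing while "Default, User" recovers both certificate types. Template and <count> filtering are left out to keep the relation logic in focus.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Relation is one ObjectRelation between two core objects written as "Pool:ID" (constructed
// model for this example). Direction is irrelevant here, so A and B may be swapped.
type Relation struct {
	A, B, Type string
}

// allowedTypes turns the ObjectRelationType value ("Default, Deputy") into a white-list.
// An empty value returns nil, meaning every relation type is accepted.
func allowedTypes(objectRelationType string) map[string]bool {
	if strings.TrimSpace(objectRelationType) == "" {
		return nil
	}
	allowed := map[string]bool{}
	for _, t := range strings.Split(objectRelationType, ",") {
		allowed[strings.TrimSpace(t)] = true
	}
	return allowed
}

func pool(obj string) string { return strings.SplitN(obj, ":", 2)[0] }

// related returns the objects in targetPool linked to obj by a relation that passes the white-list.
func related(rels []Relation, obj, targetPool string, allowed map[string]bool) []string {
	var out []string
	for _, r := range rels {
		if allowed != nil && !allowed[r.Type] {
			continue // relation type not white-listed
		}
		other := ""
		switch obj {
		case r.A:
			other = r.B
		case r.B:
			other = r.A
		default:
			continue
		}
		if pool(other) == targetPool {
			out = append(out, other)
		}
	}
	return out
}

// CertificatesForRecovery applies the ObjectRelationType white-list as the description states:
// one list filters direct Person<>Certificate relations and both hops of Person<>Card<>Certificate.
// The result is sorted so that callers get a deterministic order.
func CertificatesForRecovery(rels []Relation, person, objectRelationType string) []string {
	allowed := allowedTypes(objectRelationType)
	seen := map[string]bool{}
	for _, c := range related(rels, person, "Certificate", allowed) {
		seen[c] = true
	}
	for _, card := range related(rels, person, "Card", allowed) {
		for _, c := range related(rels, card, "Certificate", allowed) {
			seen[c] = true
		}
	}
	certs := make([]string, 0, len(seen))
	for c := range seen {
		certs = append(certs, c)
	}
	sort.Strings(certs)
	return certs
}

// SampleRelations is constructed data for the scenario above: the card is related to the person
// with type "Default", the card's certificates use "Default" and "User", and one soft token
// certificate is related directly to the person with the default type.
var SampleRelations = []Relation{
	{"Person:P1", "Card:C1", "Default"},
	{"Card:C1", "Certificate:AuthCert", "Default"},
	{"Card:C1", "Certificate:SignCert", "User"},
	{"Person:P1", "Certificate:SoftToken", "Default"},
}

func main() {
	for _, list := range []string{"", "Default, User", "User", "Default"} {
		fmt.Printf("ObjectRelationType=%q -> %v\n", list, CertificatesForRecovery(SampleRelations, "Person:P1", list))
	}
}
```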

Cert: PGP Soft Token

Description

Use this task to archive and/or recover PGP certificates from Nexus Certificate Manager.

Configuration

To use this task, configure the following delegate expression in your service task:

${executePgpSoftTokenAction}

The following parameters can be configured in PRIME Designer:

Parameter                         | Mandatory                                                  | Default value / Example                                  | Description
----------------------------------|------------------------------------------------------------|----------------------------------------------------------|------------
requestAndArchive                 | yes                                                        | true (default value)                                     | If true, new PGP keys are requested and archived (you cannot request new keys that are not archived).
passwordField                     | yes                                                        | Person_PasswordRef                                       | Name of the secret field in which the password for encrypting the secret keyrings is provided.
archivalTemplate                  | if requestAndArchive is true                               | PkiBoPgpCert                                             | Name of the PGP archival certificate template configured in PRIME; must match the configuration of ${prepareDataForCertificateKeyRecoveryTask}.
archivalCn                        | if requestAndArchive is true                               | ${Person_FirstName} ${Person_LastName} (one single line) | Expression that defines the CN sent with the PGP key archival request; mandatory part of the PGP user ID created by CM.
archivalSanEmail                  | if requestAndArchive is true                               | ${Person_Email}                                          | Expression that defines the SAN_EMAIL sent with the PGP key archival request; mandatory part of the PGP user ID created by CM.
archivalSurname                   | no                                                         | ${Person_LastName}                                       | Expression that defines the SURNAME sent with the PGP key archival request; optional part of the PGP user ID created by CM.
archivalGivenName                 | no                                                         | ${Person_FirstName}                                      | Expression that defines the GIVENNAME sent with the PGP key archival request; optional part of the PGP user ID created by CM.
archivalSubjectSerialNumberPrefix | no                                                         | ${Person_UPN}                                            | Expression that defines an optional prefix for the generated subjectSerialNumber, so the final SSN may look like "MyResolvedPrefixc97cb0de-4774-454c-8568-82fbcd6ee710".
recover                           | yes                                                        | true (default value)                                     | If true, existing PGP keys for the user are recovered.
recoveryTemplate                  | if recover is true                                         | PkiBoPgpRecovery                                         | Name of the PGP recovery certificate template configured in PRIME.
certificatesForRecovery           | if recover is true                                         | Certificate_CoreObjects                                  | Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover.
mailDefinitionName                | if publicKeyringsField and secretKeyringsField are missing | PGP Softtoken Mail                                       | Name of the mail definition for the PGP soft token mail (no mail is sent if this is missing).
mailEncryptionCertificates        | no                                                         | Certificate_Enc                                          | Process variable containing the core object descriptor list of the certificates used to encrypt the soft token mail.
publicKeyringsField               | if mailDefinitionName is missing                           | PublicPgpKeyRefForDownload                               | Name of the process variable into which to save the secret field reference of the ASCII-armored public keyring data (a new secret field entry is created and its reference saved to the process map).
secretKeyringsField               | if mailDefinitionName is missing                           | SecretPgpKeyRefForDownload                               | Name of the process variable into which to save the secret field reference of the ASCII-armored secret keyring data (a new secret field entry is created and its reference saved to the process map).
errorMessageField                 | yes                                                        | ErrorMessage (default value)                             | Name of the process variable into which the BpmnError message is saved if one is thrown.
errorTypeField                    | yes                                                        | ErrorType (default value)                                | Name of the process variable into which the BpmnError type is saved if one is thrown.
ssnsIssuedNotPropagatedField      | yes                                                        | SubjectSerialNumbersIssuedNotPropagated (default value)  | Name of the process variable into which a list of issued but not propagated subjectSerialNumbers is saved if a BpmnError is thrown (you could use this information to unpublish; this might require additional lookups in CM, though).

Cert: Request & Recover PKCS#12 Soft Token

Description

Use this task to query a certificate from a certificate authority, put it into a PKCS#12 container and either save it to the secret field store or send it via email. There are two ways to obtain the certificate:

  • Recover the certificates found in a process variable.
  • Request a new certificate (using a plain request).

Both methods can be combined or used independently. If no certificate is obtained, the task fails.

Due to JDK-8214513 (https://bugs.openjdk.java.net/browse/JDK-8214513), the generated PKCS#12 keystores cannot be opened with Java < 11.0.3 unless BouncyCastle (BC) is used as the KeyStore provider.

  • Windows can open the generated P12.
  • Java with BouncyCastle can open the generated P12.
  • Java >= 11.0.3 without BC can open the generated keystores; however, the encoding parameters selected in the soft token task must be supported by the SUN KeyStore provider. The defaults are not supported. You must use, for example:
    • Encryption algorithm: PBE with SHA-1 and 3-key triple DES with CBC (OID: 1.2.840.113549.1.12.1.3)
    • PRF: HMac with SHA-1 (OID: 1.2.840.113549.2.7)
    • Hashing algorithm: SHA-1 (OID: 1.3.14.3.2.26)
  • Nexus Personal Desktop Client can import the generated P12; however, versions up to at least 5.2.3 require the weaker algorithms shown above for Java without BC.
  • Nexus Personal Desktop App can import the generated P12; however, versions up to at least 1.3.6 require the weaker algorithms shown above for Java without BC.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSoftTokenRequestAndRecovery2}

The following parameters can be configured in PRIME Designer:

Parameter               | Mandatory              | Value                                                    | Description
------------------------|------------------------|----------------------------------------------------------|------------
p12PasswordField        | yes                    | Valid values: true (default), false                      | Password for the generated PKCS#12 container. There are actions to create one.
recoverCerts            | yes                    | Valid values: true (default), false                      | Whether recovery should be executed.
processVariable         | if recoverCerts = true | Example: Certificate_CoreObjects                         | Process variable containing the core object ID (or list of IDs) or core object descriptor list of the certificates to recover.
recoveryTemplate        | no                     | Example: Recovery                                        | Certificate template used for recovery. Not necessary for some CAs.
requestCert             | yes                    | Valid values: true (default), false                      | Whether a new certificate should be requested (plain request).
certTemplate            | if requestCert = true  | Example: MyCertTemplate                                  | Certificate template used for requesting the new certificate.
keyArchival             | yes                    | Valid values: true (default), false                      | Whether the created keys are archived in the CA.
mailDefinitionName      | no                     | Example: MyMailDefinition                                | If empty, no mail is sent.
encryptionCertificates  | no                     |                                                          | The core object descriptor list of the certificates used for email encryption.
p12RefField             | no                     | Example: Person_Softtoken                                | Field to store the PKCS#12 container in Base64 encoding.
errorMessageField       | yes                    | Example: ErrorMessage                                    | Field to store the human readable message in case of error.
errorTypeField          | yes                    | Example: ErrorType                                       | Field to store the error type (ERROR, CA_ERROR or MAIL_ERROR).
certsToRevokeField      | yes                    | Example: CertsToRevoke                                   | In case of error, the newly created certificates are stored as a list of core object ids. These certificates can in turn be revoked by the process if desired.
p12EncryptionAlgo       | no                     | Default: AES 256 with CBC (OID: 2.16.840.1.101.3.4.1.42) | The encryption algorithm to use for the PKCS#12 keystore.
p12EncryptionIterations | no                     | Default: 100000                                          | The encryption iterations.
p12PseudoRandomFunction | no                     | Default: HMac with SHA-256 (OID: 1.2.840.113549.2.9)     | The PRF to use for the PKCS#12 keystore.
p12HashAlgo             | no                     | Default: SHA-256 (OID: 2.16.840.1.101.3.4.2.1)           | The hashing (MAC) algorithm to use for the PKCS#12 keystore.
p12HashIterations       | no                     | Default: 100000                                          | The hashing (MAC) iterations.

Cert: Trigger PGP Certificates Publication

Description

Use this task to trigger a republishing or unpublishing action for a specific PGP certificate on Nexus Certificate Manager (CM), based on the configured publication procedure.

PGP publication requires either CM 7.18.0 with hotfix 7.18.0.2 applied, CM 7.18.1 with hotfix 7.18.1.1 applied or any later version. Officially supported in PRIME 3.10.

Configuration

To use this task, configure the following delegate expression in your service task:

${pgpCertificatesPublicationTask}

The following parameters can be configured in PRIME Designer:

Parameter                | Mandatory | Default value                                     | Description
-------------------------|-----------|---------------------------------------------------|------------
publicationProcedure     | yes       | CertEP CA Certificate to AD (Enrollment Services) | Publication or unpublication procedure defined on CM.
serialnumberField        | yes       | Certificate_CertSerial                            | Name of the field containing the serial number in the datamap. This is the subject serial number which PRIME assigns when requesting a PGP certificate. It is stored in place of an X.509 certificate serial number in the PRIME certificate object.
DataPoolName_Certificate | yes       | Certificate                                       | Datapool name of the certificate.

Core Objects


Core Objects: Check Relation

Description

Use this task to check if a relation between two core objects exists. The names of both data pools have to be provided. The direction of the relation is not relevant, meaning that source and destination may be exchanged.

Configuration

To use this task, configure the following delegate expression in your service task:

${checkObjectRelationParametrizedTask}


The following parameters can be configured in PRIME Designer:

Parameter               | Mandatory | Sample value | Description
------------------------|-----------|--------------|------------
sourceDataPoolName      | yes       |              | The name of the source data pool whose relation with the destination data pool is checked.
destinationDataPoolName | yes       |              | The name of the destination data pool whose relation with the source data pool is checked.
resultVariable          | yes       |              | The name of the field indicating whether a relation between the source and destination data pool exists. Contains either "true" (the objects are related to each other) or "false" (there is no relation between them).

Core Objects: Create Relation

Description

Use this task to create a relation between two core objects.

Object Relations tab

In this tab you manage the object relation types. A default entry is already set per tenant. Exactly one configuration must be the default configuration which is used when saving data, see Set up process, the Save Data task.

Include these two fields in an object relations configuration:

  • Name: name of the object relation type
  • Default: determines if this configuration should be the default configuration

Configuration

To use this task, configure the following delegate expression in your service task:

${createRelationParametrizedJavaDelegate}

The following parameters can be configured in PRIME Designer:

Parameter                                | Mandatory | Value                                         | Description
-----------------------------------------|-----------|-----------------------------------------------|------------
source                                   | yes       |                                               | Data pool name of the source of the relation to be created. The core template name of this data pool is saved in the database.
destination                              | yes       |                                               | Data pool name of the target of the relation to be created. The core template name of this data pool is saved in the database.
includeRelationTypeToCompareOfObjects    | yes       | true or false (default at design time: false) | Flag indicating whether the relation type is included when checking if the relation already exists.
exceptionIsThrownIfRelationAlreadyExists | yes       | true or false (default at design time: true)  | Flag indicating how the application reacts if the relation already exists. If set to "true", an exception is thrown; otherwise nothing happens.
relationType                             | yes       | Default                                       | Type of the relation. The object relation type must exist or an exception is thrown.

Core Objects: Drop Relation

Description

Use this task to remove existing relations between objects. The removal applies for all relations between one specific object and either:

  • a single second object or
  • all other objects belonging to the same template.

Furthermore it is independently possible to restrict the removal to relations of a specific type.

Example: An employee started working with a replacement card. Later he or she receives an employee card. The connection to the re-usable replacement card can then be removed.

Configuration

To use this task, configure the following delegate expression in your service task: 

${dropRelationsParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter          | Mandatory  | Value | Description
-------------------|------------|-------|------------
dataPoolName       | yes        |       | Data pool name of the object whose relations shall be removed.
secondDataPoolName | no         |       | Data pool name of the second single object.
coreTemplateName   | no         |       | Name of a template. Relations to all objects belonging to this template are removed.
objectType         | deprecated |       | Deprecated. This parameter has the same meaning as coreTemplateName and is only provided for downgrade compatibility.
relationType       | no         |       | When configured, only relations of the specified type are removed.

Either secondDataPoolName or coreTemplateName must be provided, but not both.

Core Objects: Expiry Check

Description

Use this task to find core objects (for example, soft tokens), that will expire within a given time range.

Configuration

To use this task, configure the following delegate expression in your service task:

${coreObjectExpiryCheckParameterizedTask}

 The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
coreTemplateNameList | yes | - | Comma-separated list of core template names that form the base of the search.
fieldName | yes | - | Name of the data pool field that holds the expiration date, for example ValidTo. The data pool must belong to the core template(s) listed above.
offsetInDays | yes | - | Number of days before the expiration date from which on a core object counts as expiring. For each object the task computes dateToFind = ValidTo - offsetInDays, where ValidTo stands for the field named by fieldName. If dateToFind is still in the future compared to the current date, the object is not found; if dateToFind is equal to the current date or in the past, it is found. Example: a soft token expires on 31 March 2017. With offsetInDays set to 30, the task finds it from 1 March 2017 onwards and not before.
coreObjectIdListVariableName | no | CoreObject_Ids | Name of the process variable that receives the result of the search. It contains only the core object ids. Example value: PcmDpCertificate_Coreobjects.
Meta_CoreObjectState_Field | yes | - | Name of the data pool field that holds the state of the core object, for example Meta_CoreObjectState_PstmDpCertificate or Meta_CoreObjectState_BaseDpEmployee. The data pool must belong to the core template(s) listed above.
Meta_CoreObjectState_Value | yes | - | The state used to filter the search, for example issued or active.
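The offsetInDays rule above, as an added Go example written for this page (it is not Identity Manager code; the product's own search runs against its database). The core objects, the field names and the in-memory representation are constructed. The point worth seeing in code is that the comparison is by calendar day, so an object whose ValidTo minus the offset falls on today is found, and that objects whose date field is empty or malformed are reported rather than silently dropped:

```go
package main

import (
	"fmt"
	"time"
)

// CoreObject is a constructed stand-in for an Identity Manager core object:
// an id plus a flat map of data pool field name to value (dates as yyyy-MM-dd).
type CoreObject struct {
	ID     string
	Fields map[string]string
}

// ExpiryCheckParams mirrors the task parameters described above.
type ExpiryCheckParams struct {
	FieldName  string // fieldName, e.g. "ValidTo"
	OffsetDays int    // offsetInDays
	StateField string // Meta_CoreObjectState_Field
	StateValue string // Meta_CoreObjectState_Value
}

// dayOf truncates an instant to its UTC calendar day, so that "equal to the
// current date" means the same day and not the same millisecond.
func dayOf(t time.Time) time.Time {
	y, m, d := t.UTC().Date()
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

// IsDue reports whether expiry - offsetDays is today or already in the past.
func IsDue(expiry time.Time, offsetDays int, today time.Time) bool {
	dateToFind := dayOf(expiry).AddDate(0, 0, -offsetDays)
	return !dateToFind.After(dayOf(today))
}

// FindExpiring returns the ids of the objects in the requested state whose
// expiry field is due, plus the ids of objects whose expiry field is empty or
// unparsable; those are reported rather than silently dropped from the result.
func FindExpiring(objs []CoreObject, p ExpiryCheckParams, today time.Time) (found, skipped []string) {
	for _, o := range objs {
		if o.Fields[p.StateField] != p.StateValue {
			continue // wrong state: not part of the search at all
		}
		expiry, err := time.Parse("2006-01-02", o.Fields[p.FieldName])
		if err != nil {
			skipped = append(skipped, o.ID)
			continue
		}
		if IsDue(expiry, p.OffsetDays, today) {
			found = append(found, o.ID)
		}
	}
	return found, skipped
}

// SampleObjects is constructed sample data: four soft-token certificates.
func SampleObjects() []CoreObject {
	const state = "Meta_CoreObjectState_PstmDpCertificate"
	return []CoreObject{
		{ID: "cert-1", Fields: map[string]string{"ValidTo": "2017-03-31", state: "issued"}},
		{ID: "cert-2", Fields: map[string]string{"ValidTo": "2017-05-15", state: "issued"}},
		{ID: "cert-3", Fields: map[string]string{"ValidTo": "2017-03-10", state: "revoked"}},
		{ID: "cert-4", Fields: map[string]string{"ValidTo": "", state: "issued"}},
	}
}

func main() {
	p := ExpiryCheckParams{FieldName: "ValidTo", OffsetDays: 30,
		StateField: "Meta_CoreObjectState_PstmDpCertificate", StateValue: "issued"}
	today := time.Date(2017, time.March, 1, 9, 30, 0, 0, time.UTC)
	found, skipped := FindExpiring(SampleObjects(), p, today)
	fmt.Println("CoreObject_Ids:", found, "skipped:", skipped) // [cert-1] [cert-4]
}
```

Run on 28 February 2017 the same data yields no hit, exactly as the 31 March / 30 days example in the table says.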

Credentials


 Credentials: Calculate Minidriver Offline Unblocking Response

Description 

Use this task to generate a response using the card manager key and a challenge for the offline unblocking process.

Configuration

To use this task, configure the following delegate expression in your service task:

${challengeResponseGeneratorTask}

 The following parameter can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
CardManagerKeyField | yes | - | Name of the field holding the reference value to the card manager key (for example Card_CardManagerKey). Must be a reference field.
ChallengeField | yes | - | Field holding the challenge provided by Windows or by a 3rd-party tool such as "CV act sc interface manager" in the case of Cryptovision.
ResponseField | yes | - | Field that receives the response generated by this task for the unblocking.
DisableDerivation | no | false | Set to "true" to use the card manager key directly as challenge/response key instead of deriving one. This is relevant for non-Cryptovision middlewares (for example CardOS or Gemalto), where a 3DES card manager key is used directly, whereas for Cryptovision the actual challenge/response key is derived from a 2DES card manager key. If the parameter is absent, derivation is enabled and a 2DES card manager key is expected.
DisableDerivationField | no | - | If present, names a field containing the (override) value of DisableDerivation. If both DisableDerivation and DisableDerivationField are present and the referenced field contains a value, the field value takes precedence. This is mainly intended for deployments with several middlewares that need different DisableDerivation values (for example CV + CardOS).

The following dependencies must be configured in the Spring configuration:

Dependency | Description
secretFieldsArchiver | Responsible for archiving the secrets into the secret field store.

 Credentials: Create Minidriver Card Manager Key

Description 

Use this task to generate a 2DES / 3DES key as card manager key for minidriver compatible cards. The value generated is saved in an encrypted field.

Configuration

To use this task, configure the following delegate expression in your service task:

${cardManagerKeyProviderTask}

 The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
passwordFieldName | yes | - | Name of the field that holds the reference value to the card manager key (for example Card_CardManagerKey). Must be a reference field.
blockCount | no | 2 | Desired key length in blocks of 8 bytes. By default 2DES keys (2 blocks, 16 bytes) are generated. For CardOS or Gemalto set the parameter to 3 so that 3DES keys (3 blocks, 24 bytes) are generated instead. The distinction is needed because for Cryptovision several keys, including the challenge/response key, are derived from a 2DES key, whereas for CardOS and Gemalto the challenge/response key is used directly and therefore has to be 3DES.
blockCountFieldName | no | - | If given, names a field containing the (override) value of blockCount. If both blockCount and blockCountFieldName are present and the referenced field contains a value, the field value takes precedence. This is mainly intended for deployments with several middlewares that need different blockCount values (for example CV + CardOS).

The following dependencies must be configured in the Spring configuration:

Dependency | Description
secretRefValueGenerator | Responsible for generating the reference value that is used to keep the reference to the secret value in the secret field store.
secretFieldsArchiver | Responsible for archiving the secrets into the secret field store.
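The blockCount / blockCountFieldName precedence and the resulting key sizes, as an added Go example written for this page (not Identity Manager code). The process field map and the field name Card_BlockCount are constructed, and the odd-parity adjustment is an assumption: it is how DES key bytes are defined, but the page does not say whether the product sets it. The example deliberately stops before the archiving step, which in the product goes through secretFieldsArchiver with only the reference value landing in passwordFieldName:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strconv"
)

// ResolveBlockCount applies the precedence described above: a non-empty value in
// the field named by blockCountFieldName overrides the static blockCount parameter,
// and an absent blockCount falls back to the design-time default of 2.
// Only 2 (2DES, 16 bytes) and 3 (3DES, 24 bytes) are accepted.
func ResolveBlockCount(blockCount, blockCountFieldName string, fields map[string]string) (int, error) {
	raw := blockCount
	if blockCountFieldName != "" {
		if v := fields[blockCountFieldName]; v != "" {
			raw = v // a filled field takes precedence over the static parameter
		}
	}
	if raw == "" {
		return 2, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || (n != 2 && n != 3) {
		return 0, fmt.Errorf("blockCount must be 2 or 3, got %q", raw)
	}
	return n, nil
}

// withOddParity clears the least significant bit and sets it again only if the
// remaining seven bits contain an even number of ones (the DES key-byte convention).
func withOddParity(b byte) byte {
	b &^= 1
	if bits.OnesCount8(b)%2 == 0 {
		b |= 1
	}
	return b
}

// HasOddParity reports whether every byte of key carries odd parity.
func HasOddParity(key []byte) bool {
	for _, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// GenerateCardManagerKey draws blockCount*8 bytes from the OS CSPRNG and applies
// DES odd parity to each byte (assumption: the page does not say whether the
// product does this; the key material itself is unaffected in strength).
func GenerateCardManagerKey(blockCount int) ([]byte, error) {
	if blockCount != 2 && blockCount != 3 {
		return nil, fmt.Errorf("blockCount must be 2 or 3, got %d", blockCount)
	}
	key := make([]byte, blockCount*8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	for i := range key {
		key[i] = withOddParity(key[i])
	}
	return key, nil
}

func main() {
	// Constructed process data: the static parameter says 2DES, but this card's
	// data pool (field Card_BlockCount, an assumed name) says the card needs 3DES.
	fields := map[string]string{"Card_BlockCount": "3"}
	n, err := ResolveBlockCount("2", "Card_BlockCount", fields)
	if err != nil {
		panic(err)
	}
	key, err := GenerateCardManagerKey(n)
	if err != nil {
		panic(err)
	}
	// In the product the bytes go to secretFieldsArchiver and only the reference
	// value into passwordFieldName; printing them here is for the demo only.
	fmt.Printf("blockCount=%d, %d-byte key: %s\n", n, len(key), hex.EncodeToString(key))
}
```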

 Credentials: Create PIN and PUK

Description

Use this task to generate a value for PIN and PUK according to certain rules (length, allowed characters) and to archive those values for later retrieval during card production or for PIN letter printing.

Configuration

To use this task, configure the following delegate expression in your service task:

${generateAndArchivePinAndPukParameterizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
pinFieldName | yes | - | Name of the field that shall hold the reference value to the archived PIN.
pukFieldName | yes | - | Name of the field that shall hold the reference value to the archived PUK.
pinLength | no | 4 | Desired length of the PIN.
pukLength | yes | 8 | Desired length of the PUK.
pinAllowedCharacters | yes | 0123456789 | Characters to be used for generating the PIN value.
pukAllowedCharacters | no | 0123456789 | Characters to be used for generating the PUK value.
 Credentials: Create Random Password

Description

Use this task to generate a password or another secret and to archive the value for later retrieval during card production or for PIN letter printing. The secret value is also hashed and stored in a separate field for easier comparison. The hash algorithm is defined in Spring since it must be the same as the one that is used for checking the passwords during login.

Configuration

To use this task, configure the following delegate expression in your service task:

${generateAndArchivePasswordWithMaxLengthAndAllowedCharactersTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
passwordFieldName | no | - | Name of the field that holds the reference value to the archived password. Must be a reference field.
passwordHashFieldName | yes | - | Name of the field that holds the hashed value of the password. The hash algorithm is defined in Spring. The data pool field must be of type password.
passwordLength | yes | 8 | Desired length of the generated password.
passwordAllowedCharacters | yes | 0123456789 | Characters to be used for generating the password value.

The following dependencies must be configured in Spring:

Dependency | Description
passwordHashGenerator | Generates the hash value of the secret value. This is where the hash algorithm is defined; it must be the same algorithm the login check uses.
secretRefValueGenerator | Generates the reference value that is used to keep the reference to the secret value in the secret field store.
secretFieldsArchiver | Archives the secrets into the secret field store.
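PIN, PUK and password generation as described in the two tasks above (Create PIN and PUK, Create Random Password), as one added Go example written for this page; it is not Identity Manager code. The in-memory SecretStore, the reference format and the salted SHA-256 placeholder for passwordHashGenerator are assumptions: secretFieldsArchiver, secretRefValueGenerator and passwordHashGenerator are Spring beans whose internals the page does not describe. The example shows the three things worth getting right: draw from a CSPRNG without modulo bias, put only the reference value into the data pool, and keep the size of the secret space in view against the card's retry counter before shrinking pinLength or the allowed alphabet:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// distinctRunes de-duplicates the allowed-character string so that a character
// listed twice is not drawn twice as often.
func distinctRunes(allowed string) []rune {
	seen := map[rune]bool{}
	var out []rune
	for _, r := range allowed {
		if !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

// GenerateSecret draws length characters uniformly from allowed using the OS
// CSPRNG. rand.Int avoids the modulo bias of a naive byte % len(alphabet).
func GenerateSecret(length int, allowed string) (string, error) {
	alphabet := distinctRunes(allowed)
	if length <= 0 {
		return "", errors.New("length must be positive")
	}
	if len(alphabet) < 2 {
		return "", errors.New("allowed characters must contain at least two distinct characters")
	}
	out := make([]rune, length)
	bound := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// Combinations returns the size of the secret space for a length/alphabet pair,
// the number to compare against the card's retry counter before lowering pinLength.
func Combinations(length int, allowed string) *big.Int {
	n := big.NewInt(int64(len(distinctRunes(allowed))))
	return new(big.Int).Exp(n, big.NewInt(int64(length)), nil)
}

// SecretStore is an in-memory stand-in for the secret field store: the data pool
// field only ever holds the opaque reference, never the PIN, PUK or password.
type SecretStore struct{ values map[string]string }

func NewSecretStore() *SecretStore { return &SecretStore{values: map[string]string{}} }

// Archive stores the secret and returns the reference value for the reference field.
// The reference is random, so it reveals nothing about the secret it points to.
func (s *SecretStore) Archive(secret string) (string, error) {
	ref := make([]byte, 16)
	if _, err := rand.Read(ref); err != nil {
		return "", err
	}
	r := "secret:" + hex.EncodeToString(ref)
	s.values[r] = secret
	return r, nil
}

// Retrieve resolves a reference, as PIN letter printing or card production would.
func (s *SecretStore) Retrieve(ref string) (string, bool) {
	v, ok := s.values[ref]
	return v, ok
}

// HashForLogin stands in for the Spring passwordHashGenerator (salted SHA-256 here,
// an assumption; the real bean must use whatever the login check verifies against).
func HashForLogin(secret string, salt []byte) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(secret))
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(h.Sum(nil))
}

func main() {
	store := NewSecretStore()
	pin, _ := GenerateSecret(4, "0123456789")
	puk, _ := GenerateSecret(8, "0123456789")
	pinRef, _ := store.Archive(pin)
	pukRef, _ := store.Archive(puk)
	salt := make([]byte, 8)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	// The data pool would store pinRef, pukRef and the hash; never pin or puk.
	fmt.Println("Card_PinRef:", pinRef, "Card_PukRef:", pukRef)
	fmt.Println("Card_PinHash:", HashForLogin(pin, salt))
	fmt.Println("PIN space:", Combinations(4, "0123456789"), "PUK space:", Combinations(8, "0123456789"))
}
```

If the login check uses a slow password hash (bcrypt, PBKDF2, Argon2), the passwordHashGenerator bean must use the same one with the same parameters; the reason the algorithm lives in Spring is exactly that both sides have to agree.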

Hybrid Access Gateway


 HAG: User Provisioning

Description

Use this task to provision a user to Hybrid Access Gateway (HAG). The task runs in two phases:

  • In the first phase the user is created or updated. This phase always runs. If you do not set a validFrom field, the user gets the current date as validFrom value in HAG.
  • The second phase locks or unlocks the user:
    1. If the current state of the core object matches a state in the lockedStates configuration, the user is locked. If Personal Mobile is configured, all Personal Mobile profiles of the user are deleted.
    2. If the current state of the core object matches a state in the unlockedStates configuration, the user is unlocked. If Personal Mobile is configured, the binary array of the barcode image (jpg) is put into the process map under "personalimage". If this step fails, the process map does not contain "personalimage".

Configuration

To use this task, configure the following delegate expression in your service task:

${provisionUserToHagParameterizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Value | Description
coreTemplateName | yes | - | Name of the core template from which the current core object state is retrieved.
challengePin | no | Example: 111111 (default) | Default PIN for synchronized authentication of the user in HAG. Set a deployment-specific value rather than relying on the documented default.
emailField | no | - | Name of the data map field containing the email address of the user.
hagUrl | yes | - | SOAP URL of the UserAccount service in HAG.
locationDNField | no | - | Data map field containing the LDAP DN of the desired user. If set, the user is also connected to LDAP in HAG.
lockedStates | yes | Example: "disabled,blacklisted,arrested" | Comma-separated list of states from the state graph of the user that mean "locked" in HAG.
unlockedStates | yes | Example: "active" | Comma-separated list of states from the state graph of the user that mean "unlocked" in HAG.
userEnabledPerDefault | no | true or false | If "true", the user is automatically enabled in HAG. If not set, it is handled as "true".
userNameField | yes | - | Data map field containing the user name to provision to HAG.
smsNumberField | no | - | Data map field containing the phone/SMS number of the user.
validFromField | no | - | Data map field containing the validFrom date. If not set, or if the field value is null, the current date is used, since validFrom is mandatory in HAG.
validToField | no | - | Data map field containing the validTo date.
authenticationMethods | no | SYNC (default), empty string, PM, or SYNC,PM | Authentication methods provisioned to HAG: SYNC (synchronized authentication), PM (Personal Mobile), both (comma-separated) or none (empty string). If PM is configured, the barcode image (jpg) from the HAG response is put into the process map under the fixed key "personalimage". If the creation fails, that process map entry is left untouched.
pmStatus | yes | activate or deactivate | Status Personal Mobile should get. If an invalid status is configured, the status in PM is not changed.

Login


 Login: Find and Authenticate Core Object

Description

Use this task to search for a core object and create an AuthenticatedUser which is passed to the datamap with the key "AuthenticatedUser".

Configuration

To use this task, configure the following delegate expression in your service task:

${findAndAuthenticateCoreObjectParameterizedDelegate}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
principalFieldName | yes | - | Field name of the unique identifier of the core object, for example "Email".
coreTemplateNames | yes | - | Core template names in which the core object is searched for, in search order, for example "Person,Employee,CleanupPerson".

The task can be defined as follows:

Spring configuration
    <bean name="findAndAuthenticateCoreObjectParameterizedAction" class="de.vps.act.action.login.FindAndAuthenticateCoreObjectParameterizedAction">
        <property name="coreObjectSearchManager" ref="coreObjectSearchManager"/>
        <property name="authenticationProvider" ref="userPasswordCoreObjectAuthenticationProvider" />
        <property name="authProfileProvider" ref="authProfileProvider" />
        <property name="dataPoolProvider" ref="dataPoolProvider" />
        <property name="coreTemplateProvider" ref="coreTemplateProvider" />
    </bean>

    <bean id="findAndAuthenticateCoreObjectParameterizedDelegate" class="de.vps.act.processexecution.delegation.TaskParametrizedActionBasedJavaDelegate">
        <property name="taskParameterExtractor" ref="taskParameterExtractor" />
        <property name="action" ref="findAndAuthenticateCoreObjectParameterizedAction" />
    </bean>

PACS


 PACS: Assign Entitlement

Description

Use this task to assign an entitlement to a person.

The task works on three different core objects:

  • The 'Person'. This is the identity which gets an entitlement assigned.
  • The 'Entitlement'. This is an entity in PRIME which represents an entitlement (or 'access profile') at the PACS system.
  • The 'Assignment'. This is an entity that stores properties of the assignment request and attributes returned from the PACS system (like the external id). Usually an 'Assignment' will be stored as Request.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsAssignEntitlementParametrizedTask}

The following parameters can be configured in PRIME Designer: 

Parameter | Mandatory | Default value | Description
pacsName | yes | - | Name of the PACS system to communicate with.
entitlementAssignmentDataPoolName | yes | - | Name of the data pool for core objects that stores the assignment, for example 'Request'.
entitlementAssignmentExternalIdFieldName | yes | - | Field of the above data pool where the external id of the assignment is stored, for example 'ExternalId'. For Exos there is no assignment object or id, therefore a synthetic id is generated from the ids of the person and of the entitlement (<personnelnumber>_<entitlementRefId>).
targetEntity | yes | - | Whether the assignment is made on a person or on an access rule. The value is lower-cased before comparison: 'person' (in any letter case) selects the person entity, and any other value selects the access rule. As there is no further validation, a misspelt value silently assigns on the access rule instead of failing.

 PACS: Create Group Membership

Description

Use this task to create a group membership in PACS Backend. Group membership means, assigning an existing person to an existing group.

The task works on three different core objects:

  • The 'Person'. This is the identity which gets a group assigned.
  • The 'Group'. This is an entity in PRIME which represents a group at the PACS system.
  • The 'Membership'. This is an entity that stores properties of the membership request and attributes returned from the PACS system (like the external id).

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsCreateGroupMembershipParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Sample value | Description
pacsName | yes | - | Name of the PACS system to communicate with.
groupMembershipDataPoolName | yes | - | Name of the data pool for core objects that stores the group membership, for example 'Request'.
groupMembershipExternalIdFieldName | yes | - | Field of the above data pool where the external id of the membership is stored, for example 'ExternalId'.

 PACS: Create or Update Card

Description 

Use this task to send a request to PACS to create (if non existent) or to update (if exists) a card.

For Exos, the external id field is used to identify if the card is new. If this field is empty the create method is called, otherwise the update method is called. While creating, the id field is set to the cardNumbers value.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsCreateOrUpdateCardParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
pacsName | yes | - | Name of the PACS system to communicate with.
cardStateFieldName | yes | - | Card data pool field in which PRIME stores the state of the card, for example 'Meta_CoreObjectState_PcmDpEmployeeCard'.
cardActiveStates | yes | - | Comma-separated list of card states that count as active in PRIME, for example 'active,enabled'.
cardType | no | - | Type of the card. PACS Backend accepts two types: 'mifare' and 'em'.
 PACS: Create or Update Person

Description

Use this action to send a request to PACS to create (if non existent) or to update (if exists) a person.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsCreateOrUpdatePersonParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
pacsName | yes | - | Name of the PACS system to communicate with.
personStateFieldName | yes | - | Person data pool field in which PRIME stores the state of the person, for example 'Meta_CoreObjectState_BaseDpEmployee'.
personStates | yes | - | Comma-separated list of person states that count as active in PRIME, for example 'active,enabled'.
 PACS: Fetch Entitlements

Description

Use this action to fetch entitlements of a given type or several types from a PACS system. Currently supported: KABA Exos and PACS Backend. The fetched entitlements are stored as core objects.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsFetchEntitlementsParametrizedTask}

 The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
coreTemplateName | yes | - | Name of the core template in which the fetched entitlements are stored.
entitlementTypesField | no | - | Name of the field holding the entitlement type(s) to fetch (inferred from the parameter name; not documented on this page).
listOfEntitlementTypes | no | - | Literal list of entitlement types to fetch (inferred from the parameter name; not documented on this page).
coreObjectDescriptorOutputField | no | - | Process variable that receives the descriptors of the stored core objects (inferred from the parameter name; not documented on this page).

 PACS: Manage Access Groups

Description

Use this task to send a request to PACS to create (if non existent), update (if exists) and delete (if exists) a group.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsDealWithGroupParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Sample value | Description
pacsName | yes | - | Name of the PACS system to communicate with.
deleteFlag | yes | false | Whether the group should be created/updated (false) or deleted (true).
 PACS: Manage Access Rules

Description

Use this task to send a request to PACS to create (if non existent), update (if exists) and delete (if exists) an access rule.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsDealWithAccessRuleParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Sample value | Description
pacsName | yes | - | Name of the PACS system to communicate with.
deleteFlag | yes | false | Whether the access rule should be created/updated (false) or deleted (true).
 PACS: Withdraw Entitlement

Description

Use this task to withdraw an entitlement from a person.

  • For PACS Backend there has to be a Request with the entitlement assignment id in the process map.
  • For KABA Exos there has to be a Person with the PersonnelNumber and an Entitlement with the EntitlementRefId in the process map.

The task works only on the core object 'Assignment'. This is an entity that stores the external id of the EntitlementAssignment within PACS Backend. Usually a Request is used to hold this information.

Configuration

To use this task, configure the following delegate expression in your service task:

${pacsWithdrawEntitlementParametrizedTask}

The following parameters can be configured in PRIME Designer: 

Parameter | Mandatory | Default value | Description
pacsName | yes | - | Name of the PACS system to communicate with.
entitlementAssignmentDataPoolName | yes | - | Name of the data pool for core objects that stores the assignment with the external id, for example 'Request'.
entitlementAssignmentExternalIdFieldName | yes | - | Field of the above data pool where the external id of the assignment is stored, for example 'ExternalId'.
targetEntity | yes | - | Whether the withdrawal is done on a person or on an access rule. The value is lower-cased before comparison: 'person' (in any letter case) selects the person entity, and any other value selects the access rule. As there is no further validation, a misspelt value silently withdraws on the access rule instead of failing.

 PACS: Withdraw Group Membership

Description

Use this task to withdraw a group membership in PACS Backend.

Configuration

To use this task, configure the following delegate expression in your service task. There has to be a Request with the group membership id in the process map.

${pacsWithdrawGroupMembershipParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Sample value | Description
pacsName | yes | - | Name of the PACS system to communicate with.
groupMembershipDataPoolName | yes | - | Name of the data pool for core objects that stores the group membership, for example 'Request'.
groupMembershipExternalIdFieldName | yes | - | Field of the above data pool where the external id of the membership is stored, for example 'ExternalId'.

Personal Messaging


 Personal Messaging: Create Key on Personal Mobile

Description

Use this task to provision a new profile or update an existing one, overwriting existing keys. The task will create the keys needed for the "Personal Messaging: Install Certificates on Personal Mobile" task.

The task will generate the following PKCS#10 request templates:

  • Signature Certificate (optional)
  • Authentication Certificate (optional)
  • Device Encryption (used to secure the communication with Personal Mobile)

These requests will then be sent to the mobile phone and transformed into new PKCS#10 requests (with keypairs generated on the client but keeping all subject data). The new requests will then be sent to the message catching intermediate event identified by the parameter 'messageName'. PRIME will put these PKCS#10 requests into the process map under the keys "SIG_P10_VAR", "AUTH_P10_VAR" and "DEVICE_ENC_P10_VAR". If a new profile was created, PRIME will also put the new profileId into the process map under the key "profileId".

After this task is executed, you need to request certificates using the requests stored in the process variables "SIG_P10_VAR" and "AUTH_P10_VAR" before proceeding to "Personal Messaging: Install Certificates on Personal Mobile" task. Store the requested certificates into the process map.
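The template-and-rekey exchange described above, as an added Go example written for this page; it is neither Identity Manager nor Personal Mobile code. It uses only the Go standard library's PKCS#10 support. The subject is constructed, ECDSA P-256 stands in for whatever key type the certificate template prescribes, and the server-side verification is the editor's addition: the page says the subject is kept, and the check turns that into a requirement the process enforces before the request reaches the CA, together with proof of possession and a check that the phone did not simply hand the template key back.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// BuildTemplateCSR is the server side: it fixes the subject and signs the
// template with a throwaway key, whose only purpose is to make a syntactically
// valid PKCS#10. No certificate is ever issued for the template key.
func BuildTemplateCSR(subject pkix.Name) ([]byte, error) {
	throwaway, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, throwaway)
}

// RekeyCSR is the client side (Personal Mobile in the text): parse the template,
// generate a fresh key pair that never leaves the device, and re-issue a PKCS#10
// carrying the template's subject but the new public key and a new signature.
func RekeyCSR(templateDER []byte) (newDER []byte, key *ecdsa.PrivateKey, err error) {
	tmpl, err := x509.ParseCertificateRequest(templateDER)
	if err != nil {
		return nil, nil, err
	}
	key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	newDER, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: tmpl.Subject}, key)
	return newDER, key, err
}

// VerifyRekeyedCSR is the server side again, before the request goes to the CA:
// the proof-of-possession signature must verify, the subject must be byte-for-byte
// the one the server put into the template, and the key must really be a new one.
func VerifyRekeyedCSR(templateDER, newDER []byte) (*x509.CertificateRequest, error) {
	tmpl, err := x509.ParseCertificateRequest(templateDER)
	if err != nil {
		return nil, err
	}
	csr, err := x509.ParseCertificateRequest(newDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if !bytes.Equal(csr.RawSubject, tmpl.RawSubject) {
		return nil, errors.New("subject differs from the template")
	}
	if bytes.Equal(csr.RawSubjectPublicKeyInfo, tmpl.RawSubjectPublicKeyInfo) {
		return nil, errors.New("client returned the template key instead of a fresh one")
	}
	return csr, nil
}

func main() {
	// Constructed subject; in the product it comes from the certificate template.
	templateDER, err := BuildTemplateCSR(pkix.Name{CommonName: "alice", Organization: []string{"Example Corp"}})
	if err != nil {
		panic(err)
	}
	// The template travels to the phone; the phone answers with its own request.
	sigP10, _, err := RekeyCSR(templateDER)
	if err != nil {
		panic(err)
	}
	// Back in the process: only a verified request is put into SIG_P10_VAR.
	csr, err := VerifyRekeyedCSR(templateDER, sigP10)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SIG_P10_VAR accepted: subject=%s, %d bytes DER\n", csr.Subject, len(sigP10))
}
```

The same three steps apply to AUTH_P10_VAR and DEVICE_ENC_P10_VAR; the check that the returned key differs from the template key is what guarantees that the private key for the issued certificate was generated on the device and never existed on the server.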

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodKeyCreationTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Value | Description
messagingServer | yes | Example: MessagingServer | Name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides the data (URL, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName | yes | - | Name of the intermediate message catching event that will be triggered by Personal Messaging.
userid | yes | - | User id for Personal Messaging. It is shown to the user on the mobile phone so that he or she can verify that the correct data is being provisioned.
errorMessageField | yes | Example: ErrorMessage | Process variable that receives the error message in case of failure.
errorTypeField | yes | Example: ErrorType | Process variable that receives the error type in case of failure.
signCertificateTemplate | no | - | Signature certificate template.
authCertificateTemplate | no | - | Authentication certificate template.
profileName | for a new profile | leave empty when updating a profile | Profile name for Personal Messaging, displayed in the Personal Mobile app. Leave empty to update an existing profile.
serverName | for a new profile | - | Name of the server that issued the provisioning request.
qrResultField | for a new profile | Example: QR_CODE_VAR | Process variable that receives the resulting URL. The URL may be converted to a QR code for the Personal Mobile app using GenerateQRCodeParametrizedAction.
profileId | for an update | leave empty for a new profile | Id of the Personal Mobile profile to be updated with new keys. Leave empty to provision a new profile.
storagePriority | yes | APP (for Personal Mobile, default), EXT (for a MobileIron device), MDM (replaced by EXT, still supported) | Storage priority of the certificates.
 Personal Messaging: Install Certificates on Personal Mobile

Description 

This task requests and installs certificates that were prepared using the "Personal Messaging: Create Key on Personal Mobile" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certification requests generated by the "Personal Messaging: Create Key on Personal Mobile" task and stored them as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using the prepareDataForCertificateKeyRecoveryTask.

Use this task to install a number of certificates on the mobile phone:

  • Signature Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Personal Mobile'.
  • Authentication Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Personal Mobile'.
  • Device Encryption Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Personal Mobile'.
  • Encryption Certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodInstallCertificatesTask}

The following parameters can be configured in PRIME Designer: 

Parameter | Mandatory | Value | Description
messagingServer | yes | - | Name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides the data (URL, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName | yes | - | Name of the intermediate message catching event that will be triggered by Personal Messaging.
userid | yes | - | User id for Personal Messaging. It is shown to the user on the mobile phone so that he or she can verify that the correct data is being provisioned.
errorMessageField | yes | ErrorMessage | Process variable that receives the error message in case of failure.
errorTypeField | yes | ErrorType | Process variable that receives the error type in case of failure.
signatureCertificate | no | ${SIG_VAR} | The signature certificate.
authenticationCertificate | no | ${AUTH_VAR} | The authentication certificate.
deviceEncryptionP10 | yes | ${DEVICE_ENC_P10_VAR} | PKCS#10 request for the device encryption certificate, created by the "Personal Messaging: Create Key on Personal Mobile" task.
profileId | yes | ${profileId} | Id of the profile under which the certificates are stored. Initially provided by the "Personal Messaging: Create Key on Personal Mobile" task.
serverName | yes | - | Name of the server that issued the provisioning request.
encryptionCertificate | no | - | Encryption certificate template.
recoveryCertificate | no | - | Recovery certificate template.
processVariable | no | - | Variable holding the core object id list or core object descriptor list of the certificates to be recovered.
p12PasswordField | yes | - | Reference field where the created password is stored. This password is used for all PKCS#12 containers in this exchange. There are a number of actions for creating passwords.
storagePriority | yes | APP (for Personal Mobile, default), EXT (for a MobileIron device), MDM (replaced by EXT, still supported) | Storage priority of the encryption certificates.
 Personal Messaging: Create Key on Virtual Smart Card

Description

Use this task to create up to three template PKCS#10 requests that are used to request the certificates needed by the "Personal Messaging: Install Certificates On Virtual Smart Card" task:

  • Signature Certificate (if a template name is provided)
  • Authentication Certificate (if a template name is provided)
  • Device Encryption (always; used to secure the communication with Personal Desktop App)

These requests are sent to Personal Desktop App and transformed into new PKCS#10 requests (with key pairs generated on the client, keeping all subject data). The new requests are then sent to the message catching intermediate event identified by the parameter 'messageName'. PRIME puts these PKCS#10 requests into the process map under the keys "SIG_P10_VAR" and "AUTH_P10_VAR".

This task can only provision a new profile. Updating an existing profile is currently supported for Personal Mobile only, not for Personal Desktop App.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodKeyCreationTask}

The following parameters can be configured in PRIME Designer: 

ParameterMandatoryValueDescription
messagingServer

Example value:

  • MessagingServer
The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.

messageName

Example value:

  • p10PreparationCallback
The name of the intermediate message catching event that will be triggered by Personal Messaging.
userid

Example value:

  • ${Person_Email}
UserId for Personal Messaging. This will be shown to user on the mobile phone, to verify the correct data is provided.
errorMesageField

Example value: 

  • ErrorMessage
Process variable to put the error message in case of failure.
errorTypeField

Example value: 

  • ErrorType
Process variable to put the error type in case of failure.
signCertificateTemplate-

Example value:

  • Sign-Certificate
Certificate template of the signature certificate.
authCertificateTemplate-

Example value:

  • Authentication-Certificate
Certificate template of the authentication certificate.
profileName

Example value:

  • EmployeeProfile
Profile name for Personal Messaging. Will be displayed in Personal Desktop.
serverName

Example value:

  • localhost or messaging server name

Name of the server that issued the provisioning request.

plugoutResultField

Example value: 

  • plugoutUri
Process variable to put the resulting Personal Plugout URI that will open Personal Desktop App on the client machine.
adminKey

Example value: 

  • ${Card_CardManagerKey}

The secret field reference of 24-byte 3DES admin key in HEX format. The key can also be set directly as plain hex value for testing.

Note: Personal Desktop's own default is 123456781234567812345678123456781234567812345678, but you must make sure PRIME always defines the value!

smartCardId

Example Value: 

  • ${Card_VscId}
Virtual smartcard id. Usually it will be created via a dedicated number-range.
provisionReader


Valid values:

  • CreateTPM
  • FreeTPM
  • RenewTPM 
  • 0TPM/1TPM..../15TPM
  • CreateTPM (create a new VSC on the TPM) 
  • FreeTPM (use first free VSC on the TPM) .
  • RenewTPM Use this option to renew existing TPM certificates.
  • 0TPM / 1TPM / ... / 15TPM  Specific VSC on the TPM can be also used for installing certificates.

The value is passed as-is to Personal Desktop App.

pinMinLength

Example value:

  • 6
Min. length of the VSC PIN (Windows API allows 4-127 characters,
see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.minlength)
pinMaxLength

Example value:

  • 15
Max. length of the VSC PIN (the Windows API allows 4-127 characters,
see https://docs.microsoft.com/en-us/uwp/api/windows.devices.smartcards.smartcardpinpolicy.maxlength).
pinUppercase

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether uppercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED
pinLowercase

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether lowercase chars in the PIN are ALLOWED / DISALLOWED / REQUIRED
pinDigits

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether digits in the PIN are ALLOWED / DISALLOWED / REQUIRED
pinSpecialChars

Valid values:

  • ALLOWED (default)
  • DISALLOWED
  • REQUIRED
Whether special chars in the PIN are ALLOWED / DISALLOWED / REQUIRED
oldAdminKey-

-

This field only makes sense if the "FreeTPM" provisionReader is configured. If provided, it changes the VSC's admin key: "oldAdminKey" must hold the old admin key and "adminKey" must hold the new admin key.

For example, a VSC created with the Tpmvscmgr tool has the default admin key 010203040506070801020304050607080102030405060708.

storagePriority

Valid values:

  • VSC (for Personal Desktop App, default)
Storage priority of keys.
desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level in the OS key store. It is only used in case of OS storage priority.

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.
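The pin* parameters above define the policy that Personal Desktop App enforces on the VSC PIN. As an added example (not Nexus code), the Go program below models that policy, rejects configurations outside the 4-127 range the Windows API allows, and checks candidate PINs against the ALLOWED / DISALLOWED / REQUIRED rules; counting every character that is not upper case, lower case or a digit as a special character is an assumption of the example.

```go
package main

import (
	"fmt"
	"unicode"
)

// CharRule mirrors the values of pinUppercase, pinLowercase, pinDigits and
// pinSpecialChars.
type CharRule string

const (
	Allowed    CharRule = "ALLOWED"
	Disallowed CharRule = "DISALLOWED"
	Required   CharRule = "REQUIRED"
)

// PinPolicy collects the pin* parameters of the task.
type PinPolicy struct {
	MinLength    int // pinMinLength
	MaxLength    int // pinMaxLength
	Uppercase    CharRule
	Lowercase    CharRule
	Digits       CharRule
	SpecialChars CharRule
}

// Validate rejects a policy whose lengths fall outside the 4-127 range the
// Windows API allows, or whose rules use an unknown value.
func (p PinPolicy) Validate() error {
	if p.MinLength < 4 || p.MaxLength > 127 || p.MinLength > p.MaxLength {
		return fmt.Errorf("length range %d-%d is outside 4-127 or inverted", p.MinLength, p.MaxLength)
	}
	rules := map[string]CharRule{
		"pinUppercase": p.Uppercase, "pinLowercase": p.Lowercase,
		"pinDigits": p.Digits, "pinSpecialChars": p.SpecialChars,
	}
	for name, rule := range rules {
		if rule != Allowed && rule != Disallowed && rule != Required {
			return fmt.Errorf("%s: unknown value %q", name, string(rule))
		}
	}
	return nil
}

// checkClass applies one ALLOWED / DISALLOWED / REQUIRED rule to the number
// of characters of that class found in the PIN.
func checkClass(class string, rule CharRule, count int) error {
	if rule == Disallowed && count > 0 {
		return fmt.Errorf("%s not allowed in the PIN", class)
	}
	if rule == Required && count == 0 {
		return fmt.Errorf("%s required in the PIN", class)
	}
	return nil
}

// Check returns nil if the PIN satisfies the policy, otherwise the first
// violation found. Assumption: anything that is not upper case, lower case
// or a digit counts as a special character.
func (p PinPolicy) Check(pin string) error {
	if err := p.Validate(); err != nil {
		return err
	}
	runes := []rune(pin)
	if len(runes) < p.MinLength || len(runes) > p.MaxLength {
		return fmt.Errorf("PIN length %d is outside %d-%d", len(runes), p.MinLength, p.MaxLength)
	}
	var upper, lower, digit, special int
	for _, r := range runes {
		switch {
		case unicode.IsUpper(r):
			upper++
		case unicode.IsLower(r):
			lower++
		case unicode.IsDigit(r):
			digit++
		default:
			special++
		}
	}
	for _, err := range []error{
		checkClass("uppercase characters", p.Uppercase, upper),
		checkClass("lowercase characters", p.Lowercase, lower),
		checkClass("digits", p.Digits, digit),
		checkClass("special characters", p.SpecialChars, special),
	} {
		if err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed policy using the example lengths from this page.
	policy := PinPolicy{MinLength: 6, MaxLength: 15,
		Uppercase: Allowed, Lowercase: Allowed, Digits: Required, SpecialChars: Disallowed}
	for _, pin := range []string{"123456", "12345", "abcdef", "Ab12!x"} {
		fmt.Printf("%-8q -> %v\n", pin, policy.Check(pin))
	}
}
```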
 Personal Messaging: Install Certificates on Virtual Smart Card

Description

This task requests and installs certificates that were prepared using the "Personal Messaging: Create Key on Virtual Smart Card" task.

As a prerequisite

  • you must already have requested certificates with the authentication and signature certification requests generated by the "Personal Messaging: Create Key on Virtual Smart Card" task. Store the certificates as process variables.
  • if you want to perform certificate recovery, you must prepare the data for that using the prepareDataForCertificateKeyRecoveryTask.

Use this task to install a number of certificates on the mobile phone:

  • Signature Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Virtual Smart Card'.
  • Authentication Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Virtual Smart Card'.
  • Device Encryption Certificate, will be bound to the key pair created by 'Personal Messaging: Create Key on Virtual Smart Card'.
  • Encryption Certificate created with key archival.
  • Any number of recovered certificates.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodInstallCertificatesTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryValueDescription
messagingServer


The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.

messageName


The name of the intermediate message catching event that will be triggered by Personal Messaging.
userid


UserId for Personal Messaging. This will be shown to user on the mobile phone, to verify the correct data is provided.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
signatureCertificate

${SIG_VAR}

The signature certificate.
authenticationCertificate

${AUTH_VAR}

The authentication certificate.
deviceEncryptionP10

${DEVICE_ENC_P10_VAR}

The PKCS#10 request for the Device Encryption Certificate, created by the "Personal Messaging: Create Key on Virtual Smart Card" task.
profileId

${profileId}

The id of the profile under which to store the certificates. This is initially provided by the 'Personal Messaging: Create Key on Virtual Smart Card' task.
serverName


Name of the server that issued the provisioning request.

encryptionCertificate

Encryption certificate template.
recoveryCertificate

Recovery certificate template.
processVariable

Variable name which holds Core object ids list or Core object descriptor list of certificates to be recovered.
p12PasswordField


Reference field where the created password is stored. This password is used for all PKCS#12 containers in this communication. There are a number of actions for creating passwords.
smartCardId

${Card_VscId}

Virtual smartcard id. Usually it will be created via a dedicated number-range.
storagePriority

Valid values:

  • VSC (for Personal Desktop App, default)
Storage priority of encryption certificate. 
desktopKeyProtectionLevel

Valid values:

  • NONE (default)
  • CONSENT
  • PASSWORD
  • BIOMETRICS

Specifies the key protection level in the OS key store. It is only used in case of OS storage priority.

  • NONE - No strong key protection.
  • CONSENT - The user is notified through a dialog box when the private key is created or used.
  • PASSWORD - The user is prompted to enter a password for the key when the key is created or used.
  • BIOMETRICS - The user is prompted to enter a fingerprint verification for the key when the key is created or used.
 Personal Messaging: Delete Virtual Smart Card Profile

Description

Use this task to delete a virtual smart card profile managed by Personal Desktop App on a TPM and also to delete all Personal Messaging mailboxes for a specific user id.

This task can be used in the following ways:

Delete Virtual Smart Card profile on Personal Desktop App and Personal Messaging

To do this, specify a specific profile id and set the confirmation flag to true. All other parameters must be provided as well.

This task can be executed on a smart card profile which contains information about smart card id, profile id and card manager key (admin key).

The request will be sent to Personal Desktop App, which will delete the profile identified by the specified profile id and smart card id. Personal Desktop App will also change the card's admin key to the new value provided. The result will be sent to the message catching intermediate event identified by the parameter 'messageName'. After receiving a successful response from Personal Desktop App, Personal Messaging also deletes the mailbox and forwards the same response back to PRIME.

Delete mailbox on Personal Messaging only

To do this, set the confirmation flag to false. Smart card id and keys can be omitted.

Personal Messaging will delete either a specific mailbox when a profile id is provided or all mailboxes of the specified user id when the profile id is absent. The profiles themselves within Personal Desktop App will be retained, as the deletion request will not be forwarded to Personal Desktop App.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodDeleteProfileTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryDefault valueDescription
messagingServer


The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
messageName


The name of the intermediate message catching event that will be triggered by Personal Messaging.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
profileId

when confirmation flag is true

${Card_ProfileId}

Id of the profile to be deleted, as created via 'Personal Messaging: Create Virtual Smart Card Key'.

smartCardId

when profileId provided and confirmation flag is true

${Card_VscId}

Id of the virtual smartcard, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
plugoutUrl

when profileId provided and confirmation flag is true

plugoutUrl

Process variable to put the resulting Personal Plugout URI that will open Personal Desktop App on the client machine.

userid

${Person_Email}

UserId for Personal Messaging. This is shown to the user on the mobile phone, to verify that the correct data is provided.
adminKey

when profileId provided and confirmation flag is true


The secret field reference of the new 24-byte 3DES admin key to be set, in HEX format. The key can also be set directly as plain hex value for testing.

oldAdminKey

when profileId provided and confirmation flag is true

${Card_CardManagerKey}

The secret field reference of the 24-byte 3DES current admin key, in HEX format. The key can also be set directly as plain hex value for testing.

confirmation

true

Messaging Server will forward the delete profile request to Personal Desktop App when this is set to true.

 Personal Messaging: Start Connection for Personal Desktop App Scripting

Description

Use this task to start a connection to Personal Messaging. With this connection, scripts can be executed. Finally, the connection needs to be closed.

Once the connection is established you receive a boxId and a plugoutUrl which can be used to start Personal Desktop App and connect it to the corresponding box on Personal Messaging.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartConnectionParametrizedTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryDefault valueDescription
messagingServer


The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
boxId


Process variable to put the boxId.
plugoutUrl


Process variable to put the plugout url.
messageToUser

An optional message to the user which will be displayed in Personal Desktop App.
messageName

The name of the intermediate message catching event that will be triggered by Personal Messaging.
 Personal Messaging: Execute Script in Personal Desktop App

Description

Use this service task to execute a script in Personal Desktop App. The script needs to be passed as a JSON array (for example: [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]).

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodExecuteScriptParametrizedTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryDefault valueDescription
messagingServer


The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
boxId


Process variable to put the boxId.
scriptCommands


Process variable containing the script commands. The commands need to be formatted as a JSON array (for example: [{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}])
messageToUser

An optional message to the user which will be displayed in Personal Desktop App.
messageName


The name of the intermediate message catching event that will be triggered by Personal Messaging.
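The scriptCommands format above is small enough to validate before a process hands it to Personal Desktop App. The Go program below is an added example, not part of Nexus' code: it parses the JSON array, checks every entry (hex data, compilable response pattern) and evaluates a card reply against the pattern. It assumes that "APDU" is the only command type and that the response pattern is matched against the card's full hex reply, status word included; the reply values are constructed.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
)

// ScriptCommand is one element of the scriptCommands JSON array, for example
// {"type":"APDU", "data":"00A4040000", "response":".*(9000)"}.
type ScriptCommand struct {
	Type     string `json:"type"`
	Data     string `json:"data"`     // APDU to send, hex encoded
	Response string `json:"response"` // regular expression the card's reply must match
}

// ParseScriptCommands checks a scriptCommands value before a process uses it:
// the value must be a non-empty JSON array, every entry must have type "APDU"
// (assumption: the only type shown on this page), hex-encoded data with at
// least the CLA INS P1 P2 header bytes, and a response pattern that compiles.
func ParseScriptCommands(raw string) ([]ScriptCommand, error) {
	var cmds []ScriptCommand
	if err := json.Unmarshal([]byte(raw), &cmds); err != nil {
		return nil, fmt.Errorf("scriptCommands is not a JSON array of commands: %w", err)
	}
	if len(cmds) == 0 {
		return nil, fmt.Errorf("scriptCommands is empty")
	}
	for i, c := range cmds {
		if c.Type != "APDU" {
			return nil, fmt.Errorf("command %d: unsupported type %q", i, c.Type)
		}
		data, err := hex.DecodeString(c.Data)
		if err != nil {
			return nil, fmt.Errorf("command %d: data is not hex: %w", i, err)
		}
		if len(data) < 4 {
			return nil, fmt.Errorf("command %d: APDU needs at least CLA INS P1 P2, got %d byte(s)", i, len(data))
		}
		if _, err := regexp.Compile(c.Response); err != nil {
			return nil, fmt.Errorf("command %d: response pattern does not compile: %w", i, err)
		}
	}
	return cmds, nil
}

// ResponseAccepted reports whether a hex reply from the card (status word
// last) satisfies the command's response pattern. Assumption: the pattern is
// applied to the whole reply string; hex case is ignored. Note that an
// unanchored pattern such as ".*(9000)" also accepts a reply that merely
// contains 9000 somewhere in its data; "9000$" is the stricter form.
func ResponseAccepted(c ScriptCommand, replyHex string) (bool, error) {
	re, err := regexp.Compile("(?i)" + c.Response)
	if err != nil {
		return false, err
	}
	return re.MatchString(replyHex), nil
}

func main() {
	// The script from this page; the replies below are constructed.
	cmds, err := ParseScriptCommands(`[{"type":"APDU", "data":"00A4040000", "response":".*(9000)"}]`)
	if err != nil {
		fmt.Println("invalid script:", err)
		return
	}
	for _, reply := range []string{"9000", "6A82", "90001234"} {
		ok, _ := ResponseAccepted(cmds[0], reply)
		fmt.Printf("reply %s accepted: %v\n", reply, ok)
	}
}
```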
 Personal Messaging: Close connection for Personal Desktop App Scripting

Description

Use this service task to close a scripting connection to Personal Messaging.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodEndConnectionParametrizedTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryDefault valueDescription
messagingServer


The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
boxId


Process variable to put the boxId.
messageToUser

An optional message to the user which will be displayed in Personal Desktop App.
messageName


The name of the intermediate message catching event that will be triggered by Personal Messaging.
 Personal Messaging: Initiate PIN Reset on Virtual Smart Card

Description

Use this task to initiate a PIN reset on a virtual smart card.

Once the operation is confirmed by the user through the Personal Desktop App, PRIME will receive a challenge that needs to be encrypted with the card manager key in order to authorize the PIN reset. The challenge will be set in the process variable "challenge".

After this task is executed, use the "Credentials: Calculate Minidriver Offline Unblocking Response" task to encrypt the challenge stored in the process variable "challenge" and store the encrypted challenge in the process variable "encryptedChallenge". Then you can proceed to the "Personal Messaging: Complete PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodStartPinResetTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.

messageName


The name of the intermediate message catching event that will be triggered by Personal Messaging.
userid

 ${Person_Email}

UserId for Personal Messaging. This is shown to the user on the mobile phone, to verify that the correct data is provided.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
profileId

${Card_ProfileId}

Id of the profile whose PIN to change, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
smartCardId

${Card_VscId}

Id of the virtual smartcard, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
boxId

boxId

Process variable to put the boxId. This will be needed to complete the PIN reset.
plugoutUrl

 plugoutUrl

Process variable to put the plugout url.

 Personal Messaging: Complete PIN Reset on Virtual Smart Card

Description

Use this task to complete a PIN reset on a virtual smart card. Once the PIN is reset by the Personal Desktop App, PRIME will receive an event indicating success or failure of the operation.

As a prerequisite, you must have encrypted the challenge received in the "Personal Messaging: Initiate PIN Reset on Virtual Smart Card" task.

Configuration

To use this task, configure the following delegate expression in your service task:

${hermodEndPinResetAction}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.

messageName


The name of the intermediate message catching event that will be triggered by Personal Messaging.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
profileId

${Card_ProfileId}

Id of the profile whose PIN to change, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
smartCardId

${Card_VscId}

Id of the virtual smartcard, as created via 'Personal Messaging: Create Virtual Smart Card Key'.
boxId

${boxId}

The boxId that was created with 'Personal Messaging: Request PIN Reset on Virtual Smart Card'.
response

${encryptedChallenge}

The challenge received in the callback of 'Personal Messaging: Request PIN Reset on Virtual Smart Card', encrypted with the card manager key of this VSC using 'Credentials: Calculate Minidriver Offline Unblocking Response'.
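The two-step PIN reset (challenge from the initiate task, response computed with the card manager key, submitted here as "response") can be exercised offline before a process goes live. The Go program below is an added example, not Nexus code: it validates the HEX admin key as described for adminKey / oldAdminKey, refuses the two default keys named on this page, and computes the response. It assumes the response is a single 3DES block over an 8-byte challenge exchanged as hex strings (the page only states that the challenge is encrypted with the 24-byte 3DES card manager key); the key and challenge values used are constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Default admin keys named on this page. Neither may survive in production:
// the process must always define its own adminKey value.
var knownDefaultAdminKeys = map[string]string{
	"123456781234567812345678123456781234567812345678": "Personal Desktop default",
	"010203040506070801020304050607080102030405060708": "Tpmvscmgr default",
}

// ParseAdminKey validates the HEX form of a 24-byte 3DES admin key as used by
// the adminKey / oldAdminKey parameters. It rejects wrong lengths, the
// documented default keys, and keys whose three 8-byte parts are identical
// (those degrade 3DES to single DES).
func ParseAdminKey(hexKey string) ([]byte, error) {
	hexKey = strings.ToLower(strings.TrimSpace(hexKey))
	if len(hexKey) != 48 {
		return nil, fmt.Errorf("admin key must be 48 hex characters (24 bytes), got %d", len(hexKey))
	}
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("admin key is not valid hex: %w", err)
	}
	if name, ok := knownDefaultAdminKeys[hexKey]; ok {
		return nil, fmt.Errorf("admin key is the well-known %s key", name)
	}
	if bytes.Equal(key[0:8], key[8:16]) && bytes.Equal(key[8:16], key[16:24]) {
		return nil, errors.New("all three key parts are identical; this is effectively single DES")
	}
	return key, nil
}

// ChallengeResponse computes the value that authorizes the PIN reset: one
// 3DES block of the 8-byte challenge under the admin key (assumed
// construction, see lead-in).
func ChallengeResponse(key, challenge []byte) ([]byte, error) {
	if len(challenge) != des.BlockSize {
		return nil, fmt.Errorf("challenge must be %d bytes, got %d", des.BlockSize, len(challenge))
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	response := make([]byte, des.BlockSize)
	block.Encrypt(response, challenge)
	return response, nil
}

// ChallengeResponseHex is the process-variable view of the same step: it
// takes the hex "challenge" variable and the hex card manager key and returns
// the hex value to store in "encryptedChallenge".
func ChallengeResponseHex(hexKey, hexChallenge string) (string, error) {
	key, err := ParseAdminKey(hexKey)
	if err != nil {
		return "", err
	}
	challenge, err := hex.DecodeString(strings.TrimSpace(hexChallenge))
	if err != nil {
		return "", fmt.Errorf("challenge is not valid hex: %w", err)
	}
	response, err := ChallengeResponse(key, challenge)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(response)), nil
}

func main() {
	// Constructed sample values, not taken from a real deployment.
	const sampleKey = "00112233445566778899aabbccddeeff0011223344556677"
	const sampleChallenge = "0102030405060708"

	resp, err := ChallengeResponseHex(sampleKey, sampleChallenge)
	fmt.Println("encryptedChallenge:", resp, "err:", err)

	_, err = ChallengeResponseHex("123456781234567812345678123456781234567812345678", sampleChallenge)
	fmt.Println("default key:", err)
}
```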
 Personal Messaging: Send Ping Request to Personal Desktop App

Description

Use this task to retrieve profile and device information of virtual smart cards that are managed by Personal Desktop App.

You can request information of a virtual smart card or of a single virtual smart card profile.

The task will put a "commandId" value into a process variable which must be used for polling the response using "Personal Messaging: Poll Ping Response from Personal Messaging".

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodPingRequestTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
profileId



If provided, restrict requested information to this profile. ProfileId values are created in the 'Personal Messaging: Create Virtual Smart Card Key' task.
plugoutUrl

 plugoutUrl

Process variable to put the plugout url.

userid


tmp

UserId for Personal Messaging. If a profileId parameter is set, this must match the userid provided when the profile was requested. Otherwise any value will do.

deviceInfo

true

Request device information.

profileInfo

true

Request profile information.

commandId

commandId

Process variable to put the commandId value, which is needed for polling in the "Personal Messaging: Poll Ping Response from Personal Messaging" task.
 Personal Messaging: Poll Ping Response from Personal Messaging

Description

Use this task to poll a ping response from Personal Messaging based upon the 'commandId' (which was created at the ping request to Personal Messaging).

Execute this task after a ping request to Personal Messaging. It polls the message from Personal Messaging, based upon the provided command id. After receiving the response from Personal Messaging, it stores the profile and device information into the configured service task parameters.

Configuration

To use this task, configure the following delegate expression in your service task:

${pxVscHermodPingResponsePollingTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryDefault ValueDescription
messagingServer


The name of the Personal Messaging configuration as defined in PRIME Designer. This configuration provides data (url, authentication token, lifespan and timeout) needed for the Personal Messaging connection.
errorMessageField

ErrorMessage

Process variable to put the error message in case of failure.
errorTypeField

ErrorType

Process variable to put the error type in case of failure.
commandId

${commandId}

CommandId which was received by the "Personal Messaging: Send Ping Request to Personal Desktop App" task, needed for polling.
profileInfo

profileInfo

Process variable to put the profile information.
deviceInfo

deviceInfo

Process variable to put the device information.

Process


 Process: Assert Uniqueness Task

Description

Use this task to run a search configuration and trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed" if a uniqueness criterion is not met. The event might cause a different process flow.

Configuration

To use this task, configure the following delegate expression in your service task:

${assertUniquenessParameterizedTask}

 The following parameters can be configured in PRIME Designer:

 ParameterMandatoryValueDescription
searchConfigName


Defines the search configuration that should be used to count objects.

During process execution the user must have the permission to execute the search configuration. It is possible to use a search configuration that searches over multiple levels.

minCount-

The minimum number of objects that should be found.

If the search finds less than minCount objects, the action will trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed". Although neither minCount nor maxCount are mandatory, at least one of them must be specified.

maxCount-

The maximum number of objects that should be found.

If the search finds more than maxCount objects, the action will trigger an ErrorBoundaryEvent with error code "uniquenessTestFailed". Although neither minCount nor maxCount are mandatory, at least one of them must be specified.

resultVariableName-

resultCount (used if nothing is specified)

Specifies where the number of found objects will be stored in the data map. 

The value is stored whether the condition is met or not. If no resultVariableName is specified, 'resultCount' is used as a default name.

<Datapool_Field>-

For configuring search fields, add a parameter for each search field. The name of the parameter should be the full name of the datapool field. The value has to contain the filter condition and value, separated by a colon symbol.

For example:

EQUALS:${Person_PersonnelNumber}
GREATER_THAN:${now}
CONTAINS:st

If the underlying data source of the search configuration does not allow querying just the number of result objects, as few objects as possible are fetched, but enough to detect violations of minCount or maxCount. If the number of found objects equals the upper limit that was searched for, it is not possible to decide whether more objects exist. In such cases a hint is logged in debug mode:

"The search has been restricted to 2 object(s) for performance reasons, but there might exist more objects".

 Process: Copy Values of LoggedIn User to Process Map

Description

Use this task to copy information about the currently logged in user to the process data map. Since the parameters are optional, only those parameters where a value is provided are copied to the process data map.

Configuration

To use this task, configure the following delegate expression in your service task:

${copyValuesOfLoggedInUserToProcessMapParameterizedTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryValueDescription

userNameOutputField

-

userinfoUsername

The output field of the datamap which will contain the user name.

userFullNameOutputField

-

userinfoUserFullName

The output field of the datamap which will contain the user's full name.

userIdOutputField

-

userinfoUserid

The output field of the datamap which will contain the user id.

userIpAdressOutputField

-

userinfoIpAddress

The output field of the datamap which will contain the user's IP address.

userAuthProfileTypeOutputField

-

userinfoAuthprofileType

The output field of the datamap which will contain the user's AuthProfileType (the Enum is passed).

userExplorerInstanceIdOutputField

-

userinfoExplorerInstanceId

The output field of the datamap which will contain the user's explorer instance id if logged in through explorer.

userUsspInstanceIdOutputField

-

userinfoUsspInstanceId

The output field of the datamap which will contain the user's user self service portal (ussp) instance id if logged in through ussp.
userRolesOutputField

-

userinfoUserRoles

The output field of the datamap which will contain the user's assigned roles as a list. This is not meant to be used for the GUI and may result in issues there. Use it, for example, in gateway conditions like this:

${userinfoUserRoles.contains("Administrator") == true}
 Process: Delete Secret Field

Description

Use this task to delete a secret field from secret field store and clear the reference to it.

Configuration

To use this task, configure the following delegate expression in your service task:

${deleteSecretField}

 The following parameters can be configured in PRIME Designer: 

ParameterMandatoryDefault valueDescription
referenceField


The field to be deleted in secret field store.
 Process: Execute script

Description

Use this task to execute a script and put the result variables to the process map.

Configuration

To use this task, configure the following delegate expression in your service task: 

${executeScriptTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatoryValueDescription

scriptName


The name of the script.
 Process: Execute Search Task

Description

Use this task to run a search configuration and put the result to the map as core object descriptor list or as the complete object.

If the number of search results is equal to or more than maxCount this is logged in the Tomcat log file.

Configuration

To use this task, configure the following delegate expression in your service task:

${executeSearchParameterizedTask}

 The following parameters can be configured in PRIME Designer:

 ParameterMandatoryValueDescription
searchConfigName

-


Defines the search configuration that should be used to count objects.

During process execution the user must have the permission to execute the search configuration. It is possible to use a search configuration that searches over multiple levels.

maxCount


The maximum number of objects that should be found.
resultVariableName-
  • CoreObjectDescriptorList

Specifies the name of a variable of the data map, where the CoreObjectDescriptorList of the found objects is stored.

copyValuesOfFirstResult-

Valid values:

  • true
  • false (default)
This parameter decides whether the first found object is put completely to the map (true) or if the CoreObjectDescriptorList is put to the map (false). If set to true, resultVariableName will be ignored. maxCount will be ignored too and set to 1.
<Datapool_Field>-

<CONDITION>:<value>

Examples:

  • EQUALS:true
  • STARTS_WITH:${processVariable}

Valid CONDITIONS:

  • EQUALS
  • NOT_EQUALS
  • GREATER_THAN
  • GREATER_EQUALS
  • LESS_THAN
  • LESS_EQUALS
  • STARTS_WITH
  • ENDS_WITH
  • CONTAINS
  • SOUNDEX
  • EMPTY
  • NOT_EMPTY

Allowed multiple times, for each search field of the search config. Filter condition and value shall be separated by a colon symbol, like this, <CONDITION>:<value>.

  1. Drag&drop a datapool-field into the Service Task definition, to create a filter, for example, OrderNumber, see (1) in the screenshot.
  2. To make it work, you must add the datapool field name as a prefix, for example, SclmDpOrder_OrderNumber, see (2) in the screenshot.

    Every filter that is added as <Datapool_Field> MUST exist in the used SearchConfig, otherwise it will not be added when the search task is executed.

  3. For the value, a condition is needed, in the screenshot "EQUALS".
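A filter value of the form <CONDITION>:<value> is easy to get wrong (unknown condition, missing colon, field not in the search configuration). The Go program below is an added example, not Nexus code: it parses such parameters for both the Assert Uniqueness and the Execute Search task, validates the condition against the list above, and reports which filters the task would silently drop because their field is not part of the search configuration. Field names other than SclmDpOrder_OrderNumber are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Filter conditions accepted in a <Datapool_Field> parameter, as listed for
// the Execute Search task.
var validConditions = map[string]bool{
	"EQUALS": true, "NOT_EQUALS": true,
	"GREATER_THAN": true, "GREATER_EQUALS": true,
	"LESS_THAN": true, "LESS_EQUALS": true,
	"STARTS_WITH": true, "ENDS_WITH": true, "CONTAINS": true,
	"SOUNDEX": true, "EMPTY": true, "NOT_EMPTY": true,
}

// Process expressions such as ${Person_PersonnelNumber} or ${now} are
// resolved by PRIME at runtime, so they are kept verbatim here.
var expressionPattern = regexp.MustCompile(`\$\{[^}]+\}`)

// SearchFilter is one parsed <Datapool_Field> parameter.
type SearchFilter struct {
	Field     string // full datapool field name, e.g. SclmDpOrder_OrderNumber
	Condition string
	Value     string
}

// HasExpression reports whether the value still contains a ${...} expression.
func (f SearchFilter) HasExpression() bool {
	return expressionPattern.MatchString(f.Value)
}

// ParseFilter parses one parameter: name = full datapool field name,
// value = "<CONDITION>:<value>". Only the first colon separates condition
// and value, so the value itself may contain colons.
func ParseFilter(param, spec string) (SearchFilter, error) {
	if !strings.Contains(param, "_") {
		return SearchFilter{}, fmt.Errorf("%q: parameter name must carry the datapool prefix (<Datapool>_<Field>)", param)
	}
	parts := strings.SplitN(spec, ":", 2)
	if len(parts) != 2 {
		return SearchFilter{}, fmt.Errorf("%q: %q has no ':' between condition and value", param, spec)
	}
	cond := strings.TrimSpace(parts[0])
	if !validConditions[cond] {
		return SearchFilter{}, fmt.Errorf("%q: unknown condition %q", param, cond)
	}
	return SearchFilter{Field: param, Condition: cond, Value: parts[1]}, nil
}

// BuildFilters parses all <Datapool_Field> parameters of a service task and
// separates the filters that will apply from those the task will drop at
// runtime because their field is not part of the search configuration.
func BuildFilters(params map[string]string, searchConfigFields []string) (applied []SearchFilter, dropped []string, err error) {
	known := make(map[string]bool, len(searchConfigFields))
	for _, f := range searchConfigFields {
		known[f] = true
	}
	for name, spec := range params {
		f, perr := ParseFilter(name, spec)
		if perr != nil {
			return nil, nil, perr
		}
		if !known[f.Field] {
			dropped = append(dropped, f.Field)
			continue
		}
		applied = append(applied, f)
	}
	return applied, dropped, nil
}

func main() {
	// Constructed parameters; only SclmDpOrder_OrderNumber is taken from this page.
	params := map[string]string{
		"SclmDpOrder_OrderNumber": "EQUALS:${SclmDpOrder_OrderNumber}",
		"SclmDpOrder_Status":      "NOT_EMPTY:",
		"Person_LastName":         "CONTAINS:st",
	}
	applied, dropped, err := BuildFilters(params, []string{"SclmDpOrder_OrderNumber", "SclmDpOrder_Status"})
	fmt.Println("applied:", applied, "dropped:", dropped, "err:", err)
}
```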

 Process: Find Next Possible States

This action works only in context with batch orders.

Description

Use this task to find the next possible/valid states to a given core object state. If the multiple selected core objects (in a batch order) do have different states (for example active, inactive), an ErrorBoundaryEvent will be triggered.

 Configuration

To use this task, configure the following delegate expression in your service task:

${findNextPossibleStates}

The following parameters can be configured in PRIME Designer:

 ParameterMandatoryDefault valueDescription

dataPoolName


The datapool name of the underlying batch order.
returnField


The name of the variable containing all the possible states (which were found).

The task can be defined as follows:

Spring configuration
<bean id="findNextPossibleStatesAction" class="de.vps.act.processexecution.state.FindNextPossibleStatesAction">
   <property name="coreTemplateProvider" ref="coreTemplateProvider"/>
   <property name="stateGraphDefinitionManager" ref="stateGraphDefinitionManager"/>
   <property name="coreObjectDAO" ref="coreObjectDAO"/>
</bean>

<bean id="findNextPossibleStates" parent="parameterizedTask">
   <property name="action" ref="findNextPossibleStatesAction" />
</bean>
 Process: Load Entity

Description

Use this task to load an entity into the process map.

Given a datapool, a field, the field's value and optionally a core template, the matching entity will be loaded. If more than one entity matches, no entities will be added to the process map. A process variable loadEntityResultCount will hold the number of the found entities. Any value other than 1 can be considered an error.

Configuration

To use this task, configure the following delegate expression in your service task:

${loadEntityParameterizedTask}

The following parameters can be configured in PRIME Designer:

ParameterMandatorySample ValueDescription
EntityDataPool


The name of the entity's datapool.
EntityAttribute


The attribute of the entity that must match a certain value.
EntityAttributeValue


The value that EntityAttribute must match. Most of the time, an expression will be used here.
EntityCoreObject

 


The core template of the entity. This limits the search to objects of this core template.
 Process: Load Entity on Certificate Attribute

Description 

This task expects a certificate in the process map and loads an entity from the DB, based on a value of the certificate. You configure what kind of entity (Person, Server, etc.) and which certificate field should match which field of the entity. A case-insensitive search is performed. If exactly one entity is found, it will be added to the process map. If more than one entity is found, no entities will be added to the process map. A process variable loadCertificateMatchingEntityResultCount will hold the number of the found entities. Any value other than 1 can be considered an error.

This task can be used to establish an objectRelation between the certificate and an entity.

Configuration

To use this task, configure the following delegate expression in your service task:

${loadCertificateMatchingEntityParameterizedTask}

 The following parameters can be configured in PRIME Designer: 

Values are case sensitive.


ParameterMandatoryDefault ValueDescription

certificateDataPoolName

Certificate

The name of the certificate's datapool.

certificateDataFieldName

Data

The name of the field of the certificate's datapool that holds the binary certificate.
certificateAttribute

SAN_UPN

The field of the certificate whose value must match the entity. SAN values are prefixed with "SAN_". Possible values: any one of de.nexus.pkiutils.certificate.DNs or any one of de.nexus.pkiutils.certificate.SANs. Currently that allows the following possibilities: DN_C, DN_CN, DN_DNQ, DN_E, DN_L, DN_O, DN_OU, DN_SN, DN_ST, DN_UID, DN_STREET, DN_INITIALS, DN_POSTAL_ADDRESS, DN_POSTAL_CODE, DN_TELEPHONE_NUMBER, DN_TITLE, DN_SURNAME, DN_GIVENNAME, SAN_EMAIL, SAN_UPN, SAN_DNS, SAN_IP, SAN_URI, SAN_GUID, SAN_RID.
entityDataPoolName

Person

The datapool of the entity to load.
entityDataPoolFieldName

Email

The name of the field of the entity's datapool that must match the certificate's field value.
entityCoreTemplateName

-

Person

The core template of the entity. This limits the search to objects of this core template.
 Process: Load values of SystemProperties into process map

Description

Use this task to load one or more values of SystemProperties, which are configured in the PRIME Explorer Admin tab, into fields of the process map.

Configuration

To use this task, configure the following delegate expression in your service task:

${loadSystemPropertyIntoProcessmapParametrizedTask}

The following parameters can be configured in PRIME Designer. They are added with the '+' button; each row loads one system property into its target field:

ParameterMandatoryValueDescription

targetFieldName

Name of systemProperty to load

Combination of target field and system property.

A system property is defined of <contextid>.<propertyName>.

 Process: Removing Variable

Description

Use this task to remove a variable from the data map of the process.

Configuration

To use this task, configure the following delegate expression in your service task:

${variableRemovingParameterizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
variableName | yes | | The name of the variable which should be removed from the process map.
 Process: Set Value of Variable in Process Map

Description

Use this task to set a variable to a desired value, including an empty string or null.

Configuration

To use this task, configure the following delegate expression in your service task:

${setValueOfVariableInProcessMapParameterizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
variableName | yes | | The name of the variable whose value should change in the process map.
variableValue | - | | The new value for the variable.
setToNull | - | | If set to true, the variable's value will be set to null.
setToEmptyString | - | | If set to true, the variable's value will be set to an empty string.

Configure exactly one of variableValue, setToNull and setToEmptyString; otherwise an exception is thrown.

 Process: Validate a value in the Process Map against a regular expression

Description

Use this task to validate a value in the process data map against a regular expression. The result is saved as true/false in the process data map.

Configuration

To use this task, configure the following delegate expression in your service task:

${validateFieldWithRegexParameterizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Value | Description
variableName | yes | Example value: a text string of free choice | Field in the process data map whose value (or list of values) is checked against the regular expression.
resultVariableName | yes | Example value: a text string of free choice, for example "ProcessVarCNRegexResult" | Field in the process data map where the result of the validation is saved as a Boolean ("true" when the regex matches, "false" if not).
regex | yes | See the examples in the drop-down list; the value can also be edited freely | The regular expression which the field value must match.
variableMustExist | - | Boolean: true, false (default at design time) | If true, validation fails if the map has no entry for the variable named in variableName.
delimiter | - | Example values: "," (comma), ";" (semicolon) | Can be defined if the value in variableName contains a list separated by a delimiter, for example "value1; value2; value3". If delimiter is defined, the value is treated as a list of multiple values, and every value is validated.
trim | - | Boolean: true, false (default at design time) | If true, any whitespace before and after the value in variableName is removed before validation; for example, " value " is validated as "value". Every value in a list is trimmed if delimiter is defined.
caseSensitive | - | Boolean: true (default at design time), false | If true, the validation differentiates between lowercase and uppercase characters.
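The validation rules above, as an added Python example that is not Nexus code: delimiter splits the value, trim strips each item, caseSensitive selects the regex flags, and variableMustExist decides what an absent variable means. Two points are assumptions of the example: the regex must describe the whole value (fullmatch, not a substring search), and an absent variable passes when variableMustExist is false.

```python
import re

def validate_field_with_regex(process_map, variable_name, regex, variable_must_exist=False,
                              delimiter=None, trim=False, case_sensitive=True):
    """Return the Boolean the task stores: True only when every value matches the whole regex."""
    if variable_name not in process_map or process_map[variable_name] is None:
        # Assumption: an absent variable fails the check only when variableMustExist is true
        return not variable_must_exist
    raw = process_map[variable_name]
    if isinstance(raw, (list, tuple)):   # the field may already hold a list of values
        values = [str(v) for v in raw]
    elif delimiter:                      # or a delimited string such as "value1; value2; value3"
        values = str(raw).split(delimiter)
    else:
        values = [str(raw)]
    if trim:                             # " value " is validated as "value", applied per item
        values = [v.strip() for v in values]
    pattern = re.compile(regex, 0 if case_sensitive else re.IGNORECASE)
    # fullmatch, not search: "[a-z]+" must cover the entire value, so "alice<script>" is rejected
    return all(pattern.fullmatch(v) is not None for v in values)

def validate_field_with_regex_task(process_map, variable_name, result_variable_name, regex, **options):
    """Service-task shape: evaluate the rule and write the Boolean into resultVariableName."""
    result = validate_field_with_regex(process_map, variable_name, regex, **options)
    process_map[result_variable_name] = result
    return result
```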

Miscellaneous


 Create ICS Calendar File

Description

Use this task to create an .ics file and store it in the data map.  

Configuration

To use this task, configure the following delegate expression in your service task: 

${createIcsFileParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
subject | yes | | The subject of the event.
location | yes | | The location of the event.
startTime | yes | | The start time of the event.
endTime | yes | | The end time of the event.
targetField | - | ics_calendar | Specifies where the .ics file shall be stored in the data map.
allDayEvent | - | false | If set to "true" the event will be shown as an all-day event.
content | yes | | Defines the content of the event.

See the following example as a reference:


 Create PDF

Description

Use this task to create a pdf and store it in the datamap. The pdf will be generated from a Jasper Reports template.

Configuration

To use this task, configure the following delegate expression in your service task:

${generatePdfParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
reportName | yes | | The name of the Jasper Report. Must be available in PRIME Designer.
fieldName | yes | | The datamap field to which the pdf will be stored (as a byte[]).
 Create QR Code

Description 

Use this task to take a valid URL from the datamap and generate a QR code from it. 

Configuration

To use this task, configure the following delegate expression in your service task:

${generateQRCodeTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Sample value | Description
QRCodeLinkField | yes | Person_Homepage | The data map field in which the link to encode as a QR code is stored.
QRCodeOutputField | yes | output | The name of the output field to which the QR code ("jpg", byte[]) will be stored.
 Image Export

Description

Use this task to export an image from the datamap into a file location on the hard drive (server side).

Configuration

To use this task, configure the following delegate expression in your service task: 

${exportImageJavaDelegate}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Value | Description
exportFilePath | yes | Example value: C:/TEMP | Defines the folder into which the image shall be exported.
exportFileBaseName | yes | Example value: ${Person_FirstName}_${Person_LastName} | Defines the base name of the exported image. The export appends a time stamp, resulting in, for example, John_Doe_2019-11-20_10-52-19.jpg
exportDataMapTargetField | yes | Example value: Person_Photo | Defines the datamap field from which the action exports the image.
 Image Resize

Description

Use this task to define a ParametrizedAction that downsizes pictures inside a process.

Configuration

To use this task, configure the following delegate expression in your service task:

${resizeImageJavaDelegate}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
dataPoolSourceField | yes | | The datapool field in which the source image is stored.
dataPoolTargetField | yes | | The datapool field in which the target image shall be stored.
imageWidthInPx | yes | | The desired width of the target image in px.
imageHeightInPx | yes | | The desired height of the target image in px.
maxBinarySizeInKB | - | | Defines the maximum size of the output file. When resizing alone does not reach the desired size, the action repeatedly reduces the image quality (by the step defined by the Spring parameter "qualityStep") until the size meets the limit given by this parameter.
keepRatio | yes | true | Boolean flag which indicates whether the aspect ratio of the image should be kept. If set to true and the picture is in landscape format, the dimensions are: width = imageWidthInPx, height = smaller than imageHeightInPx. If set to true and the picture is in portrait format, the dimensions are: width = smaller than imageWidthInPx, height = imageHeightInPx.
qualityDescreaseStep | - | 0.05 | Indicates the quality decrease step used when lowering the quality to reach the desired maxBinarySizeInKB.


This is a flowchart of the task:

 Import CSV File

Description

Use this task to import a csv file from the client machine.

The csv file has these restrictions:

  • It has to contain headers
  • The headers have to equal the datapool fields of the datapool of the target core template
  • The separator has to be a comma
  • The format for dates has to be dd-mm-yyyy
  • The format for time values has to be hh:mm:ss
  • The format for datetime values has to be dd-mm-yyyy-hh-mm-ss

Configuration

To use this task, configure the following delegate expression in your service task:

${importIdentitiesFromCSVTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
csvField | yes | | The field which contains the binary of the csv file. You can use a Binary Field in a Datapool (see Binary Data for how to configure this in a form) or a Variable Binary Field (see Field Configuration for how to configure this in a form).
targetCoreTemplateName | yes | | The core template name which should be used for the new core objects. This should be based on a DAO-based Datapool.
commaSeparatedListOfUniqueIdentifiers | yes | | Comma-separated list of the fields which identify the uniqueness of an object.
maxNumberOfEntriesInCSV | - | | Can be used to limit the number of core objects. If it is set and the csv contains more entries, an exception is thrown.
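The restrictions and parameters above, as an added Python example that is not Nexus code: it checks the header against the datapool fields, parses the three date/time formats, enforces maxNumberOfEntriesInCSV and keys the rows by the unique-identifier fields. The sample file, the field schema with its types, and the decision to reject a duplicate identifier within one file are assumptions of the example.

```python
import csv
import io
from datetime import datetime

# Formats the task requires, as strptime patterns (dd-mm-yyyy, hh:mm:ss, dd-mm-yyyy-hh-mm-ss)
FORMATS = {"date": "%d-%m-%Y", "time": "%H:%M:%S", "datetime": "%d-%m-%Y-%H-%M-%S"}

# Constructed sample input and field schema (field names and types are assumptions of this example)
SAMPLE_CSV = b"""Person_Email,Person_FirstName,Person_Birthdate,Person_Shift,Person_Enrolled
alice@example.com,Alice,03-05-1990,08:30:00,20-11-2019-10-52-19
bob@example.com,Bob,17-12-1985,09:00:00,21-11-2019-08-00-00
"""
SAMPLE_FIELDS = {"Person_Email": "text", "Person_FirstName": "text", "Person_Birthdate": "date",
                 "Person_Shift": "time", "Person_Enrolled": "datetime"}

class CsvImportError(ValueError):
    """Raised instead of importing anything when the file violates a restriction."""

def parse_csv_value(kind, raw):
    """Convert one cell according to the datapool field type; text is taken as-is."""
    if kind == "text":
        return raw
    parsed = datetime.strptime(raw, FORMATS[kind])  # ValueError when the format is wrong
    return parsed.date() if kind == "date" else parsed.time() if kind == "time" else parsed

def import_identities_from_csv(csv_bytes, datapool_fields, unique_identifiers, max_entries=None):
    """Return {identifier tuple: parsed row}; the whole file is rejected on the first violation."""
    reader = csv.DictReader(io.StringIO(csv_bytes.decode("utf-8")), delimiter=",")
    headers = reader.fieldnames or []
    unknown = [h for h in headers if h not in datapool_fields]
    if not headers or unknown:
        raise CsvImportError(f"headers must equal datapool fields; unknown: {unknown}")
    if any(u not in headers for u in unique_identifiers):
        raise CsvImportError(f"unique identifier fields {unique_identifiers} must be columns")
    objects = {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        if max_entries is not None and len(objects) >= max_entries:
            raise CsvImportError(f"more than maxNumberOfEntriesInCSV={max_entries} entries")
        if None in row or None in row.values():      # too many or too few cells on this line
            raise CsvImportError(f"line {line_no}: column count differs from header")
        try:
            parsed = {f: parse_csv_value(datapool_fields[f], v) for f, v in row.items()}
        except ValueError as exc:
            raise CsvImportError(f"line {line_no}: {exc}") from None
        key = tuple(parsed[u] for u in unique_identifiers)
        if key in objects:  # assumption: a duplicate identity within one file is an error, not an update
            raise CsvImportError(f"line {line_no}: duplicate identifier {key}")
        objects[key] = parsed
    return objects
```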

 Save domain list into PRIME

Description

Use this task to save the account domain list from the QuoVadis CA into a PRIME lookup table. The task deletes the old domain list entries and creates fresh entries in the configured lookup table.

Prerequisites

Create a lookup table-based datapool and a core template for storing the domain list information in PRIME.

Datapool

  1. The datapool must have the fields with the names shown in this figure. These field names are fixed and taken from the DomainInfo response.

  2. Configure the datapool datasource as a lookup table as shown in this figure:

Lookup table

  1. Create a lookup table which belongs to the Domain datapool. Any state graph can be assigned to this lookup table.

Configuration

To use this task, configure the following delegate expression in your service task:

${quoVadisDomainListUpdateParametrizedTask}

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Value | Description
quoVadisConnection | yes | | QuoVadis connection name.
coreTemplateName | yes | | The core template name which should be used for the new core objects. This core template should consist of the lookup table type DomainList Datapool.

 Validate Uploaded Photos

Description

Use this task to validate the uploaded photos. This task is compatible with FaceVACS-SDK 9.4.0.

Follow these steps:

  1. Install FaceVACS-SDK 9.4.0 on the server.
  2. Import the valid license into the SDK, see the FaceVACS documentation.
  3. Copy frsdkjava-9.4.0.jar into %TOMCATE_DIR%/lib. Normally the jar file is located in %FVSDK_9_4_0_DIR%/lib/x86_64/msc_14.1-sse4_crtdll/.
  4. The native library jfrsdkjni-9.4.0.dll has to be set up in Tomcat. For example, set CATALINA_OPTS in catalina.bat:
    • SET CATALINA_OPTS=-Djava.library.path="C:\FVSDK_9_4_0\lib\x86_64\msc_14.1-sse4_crtdll;C:/FVSDK_9_4_0/lib/x86_64/share"

Configuration

To use this task, configure the following delegate expression in your service task:

${cognitecFaceVACSValidationParametrizedTask}

The FRSDK configuration file has to be configured in the faceVACSObjectsCreator bean (needed at runtime). The file is typically located at "%INSTALLDIR%/etc/frsdk.cfg".

Example
<bean id="cognitecFaceVACSValidationParametrizedAction" class="de.vps.act.action.photo.validation.CognitecFaceVACSValidationParametrizedAction">
    <property name="faceVACSChecker">
        <bean class="de.vps.act.action.photo.validation.FaceVACSChecker">
            <property name="faceVACSObjectsCreator" ref="faceVACSObjectsCreator" />
        </bean>
    </property>
</bean>
 
<bean id="faceVACSObjectsCreator" class="de.vps.act.action.photo.validation.FaceVACSObjectsCreator">
    <constructor-arg value="C:/FVSDK_9_4_0/etc/frsdk.cfg" />
</bean>

The following parameters can be configured in PRIME Designer:

Parameter | Mandatory | Default value | Description
outputFieldName | yes | | The variable in the data map in which the result of the check will be available.
photoFieldName | yes | | Photo field name in the data map.
checkColor | - | false | Returns true if the portrait characteristics are based on a color image and false if they are based on a grayscale (intensity) image.
checkNaturalSkinColour | - | false | Natural colours in the face region. Returns true if the face region has natural colours, otherwise false.
checkFrontal | - | false | The face is considered frontal if the rotation of the head is less than +/-5 degrees from frontal for yaw and pitch and if the roll angle of the head is less than +/-8 degrees.
checkEyesOpen | - | false | Returns true if both eyes of the person are open.
checkEyesGazeFrontal | - | false | Returns true if the person's eyes are looking frontally at the camera.
checkEyesNotRed | - | false | Returns true if neither pupil is detected as red.
checkNoTintedGlasses | - | false | According to ISO 19794-5:2005 section 7.2.11 and best-practice recommendations, glasses should not be tinted.
checkSharp | - | false | Returns true if the face area (from chin to crown and from left to right ear) fits the focus and depth-of-field characteristics (see ISO 19794-5:2005 section 7.3.3).
checkMouthClosed | - | false | Returns true if the mouth is closed according to ISO 19794-5:2005 section 7.2.3 and appendix A 2.2.1.